@prover-coder-ai/docker-git 1.0.42 → 1.0.44

package/dist/src/docker-git/main.js

@@ -269,6 +269,8 @@ var defaultTemplateConfig = {
 	codexAuthPath: "./.docker-git/.orch/auth/codex",
 	codexSharedAuthPath: "./.docker-git/.orch/auth/codex",
 	codexHome: "/home/dev/.codex",
+	geminiAuthPath: "./.docker-git/.orch/auth/gemini",
+	geminiHome: "/home/dev/.gemini",
 	cpuLimit: "30%",
 	ramLimit: "30%",
 	dockerNetworkMode: defaultDockerNetworkMode,
@@ -809,6 +811,10 @@ var buildDockerAuthSpec = (input) => ({
 	args: input.args,
 	interactive: input.interactive
 });
+var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
 //#endregion
 //#region ../lib/src/usecases/auth-sync-helpers.ts
 var JsonValueSchema = Schema.suspend(() => Schema.Union(Schema.Null, Schema.Boolean, Schema.String, Schema.JsonNumber, Schema.Array(JsonValueSchema), Schema.Record({
@@ -876,7 +882,7 @@ var autoOptionError = (reason) => ({
 	option: "--auto",
 	reason
 });
-var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
 	if (!(yield* _(fs.exists(filePath)))) return false;
 	return (yield* _(fs.stat(filePath))).type === "File";
 });
@@ -892,8 +898,8 @@ var resolveClaudeAccountPath$1 = (rootPath, label) => {
 var hasClaudeAuth = (fs, rootPath, label) => Effect.gen(function* (_) {
 	for (const accountPath of resolveClaudeAccountPath$1(rootPath, label)) {
 		if (yield* _(hasNonEmptyFile(fs, `${accountPath}/.oauth-token`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.credentials.json`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.claude/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.claude/.credentials.json`))) return true;
 	}
 	return false;
 });
@@ -1211,6 +1217,38 @@ var ensureGhAuthImage = (fs, path, cwd, buildLabel) => ensureDockerImage(fs, pat
 	buildLabel
 });
 //#endregion
+//#region ../lib/src/usecases/github-api-helpers.ts
+/**
+* Run `gh api <args>` inside the auth Docker container and return trimmed stdout.
+*
+* @pure false
+* @effect CommandExecutor (Docker)
+* @invariant exits with CommandFailedError on non-zero exit code
+* @complexity O(1)
+*/
+var runGhApiCapture = (cwd, hostPath, token, args) => runDockerAuthCapture(buildDockerAuthSpec({
+	cwd,
+	image: ghImageName,
+	hostPath,
+	containerPath: ghAuthDir,
+	env: `GH_TOKEN=${token}`,
+	args: ["api", ...args],
+	interactive: false
+}), [0], (exitCode) => new CommandFailedError({
+	command: `gh api ${args.join(" ")}`,
+	exitCode
+})).pipe(Effect.map((raw) => raw.trim()));
+/**
+* Like `runGhApiCapture` but returns `null` instead of failing on API errors
+* (e.g. HTTP 404 / non-zero exit code).
+*
+* @pure false
+* @effect CommandExecutor (Docker)
+* @invariant never fails — errors become null
+* @complexity O(1)
+*/
+var runGhApiNullable = (cwd, hostPath, token, args) => runGhApiCapture(cwd, hostPath, token, args).pipe(Effect.catchTag("CommandFailedError", () => Effect.succeed("")), Effect.map((raw) => raw.length === 0 ? null : raw));
+//#endregion
 //#region ../lib/src/usecases/runtime.ts
 var withFsPathContext = (run) => Effect.gen(function* (_) {
 	return yield* _(run({
@@ -1228,20 +1266,7 @@ var resolveGithubToken$1 = (envText) => {
 	const labeled = entries.find((entry) => entry.key.startsWith("GITHUB_TOKEN__"));
 	return labeled && labeled.value.trim().length > 0 ? labeled.value.trim() : null;
 };
-var runGhApiCapture = (cwd, hostPath, token, args) => runDockerAuthCapture(buildDockerAuthSpec({
-	cwd,
-	image: ghImageName,
-	hostPath,
-	containerPath: ghAuthDir,
-	env: `GH_TOKEN=${token}`,
-	args: ["api", ...args],
-	interactive: false
-}), [0], (exitCode) => new CommandFailedError({
-	command: `gh api ${args.join(" ")}`,
-	exitCode
-})).pipe(Effect.map((raw) => raw.trim()));
-var runGhApiCloneUrl = (cwd, hostPath, token, args) => runGhApiCapture(cwd, hostPath, token, args).pipe(Effect.catchTag("CommandFailedError", () => Effect.succeed("")), Effect.map((raw) => raw.length === 0 ? null : raw));
-var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
+var resolveViewerLogin$1 = (cwd, hostPath, token) => Effect.gen(function* (_) {
 	const command = "gh api /user --jq .login";
 	const raw = yield* _(runGhApiCapture(cwd, hostPath, token, [
 		"/user",
@@ -1254,12 +1279,12 @@ var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
 	})));
 	return raw;
 });
-var resolveRepoCloneUrl = (cwd, hostPath, token, fullName) => runGhApiCloneUrl(cwd, hostPath, token, [
+var resolveRepoCloneUrl = (cwd, hostPath, token, fullName) => runGhApiNullable(cwd, hostPath, token, [
 	`/repos/${fullName}`,
 	"--jq",
 	".clone_url"
 ]);
-var createFork = (cwd, hostPath, token, owner, repo) => runGhApiCloneUrl(cwd, hostPath, token, [
+var createFork = (cwd, hostPath, token, owner, repo) => runGhApiNullable(cwd, hostPath, token, [
 	"-X",
 	"POST",
 	`/repos/${owner}/${repo}/forks`,
@@ -1277,7 +1302,7 @@ var resolveGithubForkUrl = (repoUrl, envGlobalPath) => withFsPathContext(({ cwd,
 	const ghRoot = resolvePathFromCwd(path, cwd, ghAuthRoot);
 	yield* _(fs.makeDirectory(ghRoot, { recursive: true }));
 	yield* _(ensureGhAuthImage(fs, path, cwd, "gh api"));
-	const viewer = yield* _(resolveViewerLogin(cwd, ghRoot, token));
+	const viewer = yield* _(resolveViewerLogin$1(cwd, ghRoot, token));
 	if (viewer.toLowerCase() === repo.owner.toLowerCase()) return null;
 	const existingFork = yield* _(resolveRepoCloneUrl(cwd, ghRoot, token, `${viewer}/${repo.repo}`));
 	if (existingFork !== null) return existingFork;
@@ -1338,6 +1363,9 @@ var TemplateConfigSchema = Schema.Struct({
 	codexAuthPath: Schema.String,
 	codexSharedAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.codexSharedAuthPath }),
 	codexHome: Schema.String,
+	geminiAuthLabel: Schema.optional(Schema.String),
+	geminiAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiAuthPath }),
+	geminiHome: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiHome }),
 	cpuLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.cpuLimit }),
 	ramLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.ramLimit }),
 	dockerNetworkMode: Schema.optionalWith(Schema.Literal("shared", "project"), { default: () => defaultTemplateConfig.dockerNetworkMode }),
@@ -1588,28 +1616,15 @@ var resolveComposeResourceLimits = (template, hostResources) => {
 //#region ../lib/src/usecases/resource-limits.ts
 var resolveTemplateResourceLimits = (template) => Effect.succeed(withDefaultResourceLimitIntent(template));
 //#endregion
-//#region ../lib/src/usecases/state-repo/env.ts
-var isTruthyEnv = (value) => {
-	const normalized = value.trim().toLowerCase();
-	return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
-};
-var isFalsyEnv = (value) => {
-	const normalized = value.trim().toLowerCase();
-	return normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off";
-};
-var autoSyncStrictEnvKey = "DOCKER_GIT_STATE_AUTO_SYNC_STRICT";
-var defaultSyncMessage = "chore(state): sync";
-var isAutoSyncEnabled = (envValue, hasRemote) => {
-	if (envValue === void 0) return hasRemote;
-	if (envValue.trim().length === 0) return hasRemote;
-	if (isFalsyEnv(envValue)) return false;
-	if (isTruthyEnv(envValue)) return true;
-	return true;
-};
-//#endregion
 //#region ../lib/src/usecases/state-repo/git-commands.ts
 var successExitCode = Number(ExitCode(0));
-var gitBaseEnv$1 = { GIT_TERMINAL_PROMPT: "0" };
+var gitBaseEnv$1 = {
+	GIT_TERMINAL_PROMPT: "0",
+	GIT_AUTHOR_NAME: "docker-git",
+	GIT_AUTHOR_EMAIL: "docker-git@users.noreply.github.com",
+	GIT_COMMITTER_NAME: "docker-git",
+	GIT_COMMITTER_EMAIL: "docker-git@users.noreply.github.com"
+};
 var git = (cwd, args, env = gitBaseEnv$1) => runCommandWithExitCodes({
 	cwd,
 	command: "git",
@@ -1641,6 +1656,68 @@ var hasOriginRemote = (root) => Effect.map(gitExitCode(root, [
 	"origin"
 ]), (exit) => exit === successExitCode);
 //#endregion
+//#region ../lib/src/usecases/state-repo/adopt-remote.ts
+var adoptRemoteHistoryIfOrphan = (root, repoRef, env) => Effect.gen(function* (_) {
+	const fetchExit = yield* _(gitExitCode(root, [
+		"fetch",
+		"origin",
+		repoRef
+	], env));
+	if (fetchExit !== successExitCode) {
+		yield* _(Effect.logWarning(`git fetch origin ${repoRef} failed (exit ${fetchExit}); starting fresh history`));
+		return;
+	}
+	const remoteRef = `origin/${repoRef}`;
+	if ((yield* _(gitExitCode(root, [
+		"show-ref",
+		"--verify",
+		"--quiet",
+		`refs/remotes/${remoteRef}`
+	], env))) !== successExitCode) return;
+	if ((yield* _(gitExitCode(root, ["rev-parse", "HEAD"], env))) !== successExitCode) {
+		yield* _(git(root, ["reset", remoteRef], env));
+		yield* _(gitExitCode(root, ["checkout-index", "--all"], env));
+		yield* _(Effect.log(`Adopted remote history from ${remoteRef}`));
+		return;
+	}
+	if ((yield* _(gitExitCode(root, [
+		"merge-base",
+		"HEAD",
+		remoteRef
+	], env))) === successExitCode) return;
+	yield* _(Effect.logWarning(`Local history has no common ancestor with ${remoteRef}; merging unrelated histories`));
+	if ((yield* _(gitExitCode(root, [
+		"merge",
+		"--allow-unrelated-histories",
+		"--no-edit",
+		remoteRef
+	], env))) === successExitCode) {
+		yield* _(Effect.log(`Merged unrelated histories from ${remoteRef}`));
+		return;
+	}
+	yield* _(gitExitCode(root, ["merge", "--abort"], env));
+	yield* _(Effect.logWarning(`Merge conflict with ${remoteRef}; sync will open a PR for manual resolution`));
+});
+//#endregion
+//#region ../lib/src/usecases/state-repo/env.ts
+var isTruthyEnv = (value) => {
+	const normalized = value.trim().toLowerCase();
+	return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+};
+var isFalsyEnv = (value) => {
+	const normalized = value.trim().toLowerCase();
+	return normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off";
+};
+var autoSyncStrictEnvKey = "DOCKER_GIT_STATE_AUTO_SYNC_STRICT";
+var defaultSyncMessage = "chore(state): sync";
+var isAutoSyncEnabled = (envValue, hasRemote) => {
+	if (envValue === void 0) return hasRemote;
+	if (envValue.trim().length === 0) return hasRemote;
+	if (isFalsyEnv(envValue)) return false;
+	if (isTruthyEnv(envValue)) return true;
+	return true;
+};
+//#endregion
 //#region ../lib/src/usecases/state-repo/github-auth.ts
 var githubTokenKey = "GITHUB_TOKEN";
 var githubHttpsRemoteRe = /^https:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?$/;
@@ -2901,6 +2978,143 @@ if [[ -f "$LEGACY_AGENTS_PATH" && -f "$AGENTS_PATH" ]]; then
 fi`;
 var renderEntrypointAgentsNotice = (config) => entrypointAgentsNoticeTemplate.replaceAll("__CODEX_HOME__", config.codexHome).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__TARGET_DIR__", config.targetDir);
 //#endregion
+//#region ../lib/src/core/templates-entrypoint/gemini.ts
+var geminiAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/gemini`;
+var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_API_KEY for SSH sessions (API key stored under ~/.docker-git/.orch/auth/gemini)
+GEMINI_LABEL_RAW="${"$"}{GEMINI_AUTH_LABEL:-}"
+if [[ -z "$GEMINI_LABEL_RAW" ]]; then
+  GEMINI_LABEL_RAW="default"
+fi
+
+GEMINI_LABEL_NORM="$(printf "%s" "$GEMINI_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$GEMINI_LABEL_NORM" ]]; then
+  GEMINI_LABEL_NORM="default"
+fi
+
+GEMINI_AUTH_ROOT="__GEMINI_AUTH_ROOT__"
+GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
+
+# Backward compatibility: if default auth is stored directly under gemini root, reuse it.
+if [[ "$GEMINI_LABEL_NORM" == "default" ]]; then
+  GEMINI_ROOT_ENV_FILE="$GEMINI_AUTH_ROOT/.env"
+  if [[ -f "$GEMINI_ROOT_ENV_FILE" ]]; then
+    GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT"
+  fi
+fi
+
+mkdir -p "$GEMINI_AUTH_DIR" || true
+GEMINI_HOME_DIR="__GEMINI_HOME_DIR__"
+mkdir -p "$GEMINI_HOME_DIR" || true
+
+GEMINI_API_KEY_FILE="$GEMINI_AUTH_DIR/.api-key"
+GEMINI_ENV_FILE="$GEMINI_AUTH_DIR/.env"
+GEMINI_HOME_ENV_FILE="$GEMINI_HOME_DIR/.env"
+
+docker_git_link_gemini_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  # Preserve user-created regular files and seed config dir once.
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    return 0
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+# Link Gemini .env file from auth dir to home dir
+docker_git_link_gemini_file "$GEMINI_ENV_FILE" "$GEMINI_HOME_ENV_FILE"
+
+docker_git_refresh_gemini_api_key() {
+  local api_key=""
+  # Try to read from dedicated API key file first
+  if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
+    api_key="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
+  fi
+  # Fall back to .env file
+  if [[ -z "$api_key" && -f "$GEMINI_ENV_FILE" ]]; then
+    api_key="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
+  fi
+  if [[ -n "$api_key" ]]; then
+    export GEMINI_API_KEY="$api_key"
+  else
+    unset GEMINI_API_KEY || true
+  fi
+}
+
+docker_git_refresh_gemini_api_key`;
+var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", `/home/${config.sshUser}/.gemini`);
+var renderGeminiCliInstall = () => String.raw`# Gemini CLI: ensure CLI command exists (non-blocking startup self-heal)
+docker_git_ensure_gemini_cli() {
+  if command -v gemini >/dev/null 2>&1; then
+    return 0
+  fi
+
+  if ! command -v npm >/dev/null 2>&1; then
+    return 0
+  fi
+
+  NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+  GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
+  if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
+    echo "docker-git: gemini cli.js not found under npm global root; skip shim restore" >&2
+    return 0
+  fi
+
+  # Rebuild a minimal shim when npm package exists but binary link is missing.
+  cat <<'EOF' > /usr/local/bin/gemini
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v npm >/dev/null 2>&1; then
+  echo "gemini: npm is required but missing" >&2
+  exit 127
+fi
+
+NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
+if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
+  echo "gemini: cli.js not found under npm global root" >&2
+  exit 127
+fi
+
+exec node "$GEMINI_CLI_JS" "$@"
+EOF
+  chmod 0755 /usr/local/bin/gemini || true
+  ln -sf /usr/local/bin/gemini /usr/bin/gemini || true
+}
+
+docker_git_ensure_gemini_cli`;
+var renderGeminiProfileSetup = () => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
+printf "export GEMINI_AUTH_LABEL=%q\n" "${"$"}{GEMINI_AUTH_LABEL:-default}" > "$GEMINI_PROFILE"
+cat <<'EOF' >> "$GEMINI_PROFILE"
+GEMINI_API_KEY_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.api-key"
+GEMINI_ENV_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.env"
+if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
+  export GEMINI_API_KEY="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
+elif [[ -f "$GEMINI_ENV_FILE" ]]; then
+  GEMINI_KEY="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
+  if [[ -n "$GEMINI_KEY" ]]; then
+    export GEMINI_API_KEY="$GEMINI_KEY"
+  fi
+fi
+EOF
+chmod 0644 "$GEMINI_PROFILE" || true
+
+docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "${"$"}{GEMINI_AUTH_LABEL:-default}"
+docker_git_upsert_ssh_env "GEMINI_API_KEY" "${"$"}{GEMINI_API_KEY:-}"`;
+var renderEntrypointGeminiConfig = (config) => [
+	renderGeminiAuthConfig(config),
+	renderGeminiCliInstall(),
+	renderGeminiProfileSetup()
+].join("\n\n");
+//#endregion
 //#region ../lib/src/core/templates-entrypoint/git.ts
 var renderAuthLabelResolution = () => String.raw`# 2) Ensure GitHub auth vars are available for SSH sessions.
 # Prefer a label-selected token (same selection model as clone/create) when present.
@@ -3803,6 +4017,7 @@ var renderEntrypoint = (config) => [
 	renderEntrypointDockerSocket(config),
 	renderEntrypointGitConfig(config),
 	renderEntrypointClaudeConfig(config),
+	renderEntrypointGeminiConfig(config),
 	renderEntrypointGitHooks(),
 	renderEntrypointBackgroundTasks(config),
 	renderEntrypointBaseline(),
@@ -4359,7 +4574,7 @@ var resolveOriginPushTarget = (originUrl) => {
 	const trimmed = originUrl?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : "origin";
 };
-var resolveSyncMessage = (value) => {
+var resolveSyncMessage$1 = (value) => {
 	const trimmed = value?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : defaultSyncMessage;
 };
@@ -4378,7 +4593,7 @@ var commitAllIfNeeded = (root, message, env) => Effect.gen(function* (_) {
 	], env));
 });
 var sanitizeBranchComponent = (value) => value.trim().replaceAll(" ", "-").replaceAll(":", "-").replaceAll("..", "-").replaceAll("@{", "-").replaceAll("\\", "-").replaceAll("^", "-").replaceAll("~", "-");
-var rebaseOntoOriginIfPossible = (root, baseBranch, env) => Effect.gen(function* (_) {
+var pullRemoteAndRestoreLocal = (root, baseBranch, env) => Effect.gen(function* (_) {
 	const fetchExit = yield* _(gitExitCode(root, [
 		"fetch",
 		"origin",
@@ -4393,10 +4608,26 @@ var rebaseOntoOriginIfPossible = (root, baseBranch, env) => Effect.gen(function*
 		"--verify",
 		"--quiet",
 		`refs/remotes/origin/${baseBranch}`
-	], env))) !== successExitCode) return "skipped";
-	if ((yield* _(gitExitCode(root, ["rebase", `origin/${baseBranch}`], env))) === successExitCode) return "ok";
-	yield* _(gitExitCode(root, ["rebase", "--abort"], env));
-	return "conflict";
+	], env))) !== successExitCode) return;
+	yield* _(git(root, ["add", "-A"], env));
+	const stashExit = yield* _(gitExitCode(root, ["stash", "--include-untracked"], env));
+	yield* _(git(root, [
+		"reset",
+		"--hard",
+		`origin/${baseBranch}`
+	], env));
+	if (stashExit === successExitCode) {
+		if ((yield* _(gitExitCode(root, ["stash", "pop"], env))) !== successExitCode) {
+			yield* _(gitExitCode(root, [
+				"checkout",
+				"--theirs",
+				"--",
+				"."
+			], env));
+			yield* _(git(root, ["add", "-A"], env));
+			yield* _(gitExitCode(root, ["stash", "drop"], env));
+		}
+	}
 });
 var pushToNewBranch = (root, baseBranch, originPushTarget, env) => Effect.gen(function* (_) {
 	const headShort = yield* _(gitCapture$1(root, [
@@ -4422,15 +4653,9 @@ var getCurrentBranch = (root, env) => gitCapture$1(root, [
 var runStateSyncOps = (root, originUrl, message, env, options) => Effect.gen(function* (_) {
 	const originPushTarget = resolveOriginPushTarget(options?.originPushUrlOverride ?? null);
 	yield* _(normalizeLegacyStateProjects(root));
-	yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env));
 	const baseBranch = resolveBaseBranch(yield* _(getCurrentBranch(root, env)));
-	if ((yield* _(rebaseOntoOriginIfPossible(root, baseBranch, env))) === "conflict") {
-		const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushTarget, env));
-		const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch);
-		yield* _(Effect.logWarning(`State sync needs manual merge: pushed changes to branch '${prBranch}'.`));
-		yield* _(logOpenPr(originUrl, baseBranch, prBranch, compareUrl));
-		return;
-	}
+	yield* _(pullRemoteAndRestoreLocal(root, baseBranch, env));
+	yield* _(commitAllIfNeeded(root, resolveSyncMessage$1(message), env));
 	const pushExit = yield* _(gitExitCode(root, [
 		"push",
 		"--no-verify",
@@ -4517,7 +4742,7 @@ var autoSyncState = (message) => Effect.gen(function* (_) {
 	onFailure: (error) => Effect.logWarning(`State auto-sync failed: ${String(error)}`),
 	onSuccess: () => Effect.void
 }), Effect.asVoid);
-var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
+var cloneStateRepo = (root, input, env) => Effect.gen(function* (_) {
 	const cloneBranchExit = yield* _(runCommandExitCode({
 		cwd: root,
 		command: "git",
@@ -4528,7 +4753,7 @@ var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
 			input.repoUrl,
 			root
 		],
-		env: gitBaseEnv$1
+		env
 	}));
 	if (cloneBranchExit === successExitCode) return;
 	yield* _(Effect.logWarning(`git clone --branch ${input.repoRef} failed (exit ${cloneBranchExit}); retrying without --branch`));
@@ -4540,58 +4765,63 @@ var cloneStateRepo = (root, input) => Effect.gen(function* (_) {
 			input.repoUrl,
 			root
 		],
-		env: gitBaseEnv$1
+		env
 	}));
 	if (cloneDefaultExit !== successExitCode) return yield* _(Effect.fail(new CommandFailedError({
 		command: "git clone",
 		exitCode: cloneDefaultExit
 	})));
 }).pipe(Effect.asVoid);
-var initRepoIfNeeded = (fs, path, root, input) => Effect.gen(function* (_) {
+var initRepoIfNeeded = (fs, path, root, input, env) => Effect.gen(function* (_) {
 	yield* _(fs.makeDirectory(root, { recursive: true }));
 	const gitDir = path.join(root, ".git");
 	if (yield* _(fs.exists(gitDir))) return;
 	if ((yield* _(fs.readDirectory(root))).length === 0) {
-		yield* _(cloneStateRepo(root, input));
+		yield* _(cloneStateRepo(root, input, env));
 		yield* _(Effect.log(`State dir cloned: ${root}`));
 		return;
 	}
-	yield* _(git(root, ["init"], gitBaseEnv$1));
+	yield* _(git(root, ["init", "--initial-branch=main"], env));
 }).pipe(Effect.asVoid);
-var ensureOriginRemote = (root, repoUrl) => Effect.gen(function* (_) {
+var ensureOriginRemote = (root, repoUrl, env) => Effect.gen(function* (_) {
 	if ((yield* _(gitExitCode(root, [
 		"remote",
 		"set-url",
 		"origin",
 		repoUrl
-	], gitBaseEnv$1))) === successExitCode) return;
+	], env))) === successExitCode) return;
 	yield* _(git(root, [
 		"remote",
 		"add",
 		"origin",
 		repoUrl
-	], gitBaseEnv$1));
+	], env));
 });
-var checkoutBranchBestEffort = (root, repoRef) => Effect.gen(function* (_) {
+var checkoutBranchBestEffort = (root, repoRef, env) => Effect.gen(function* (_) {
 	const checkoutExit = yield* _(gitExitCode(root, [
 		"checkout",
 		"-B",
 		repoRef
-	], gitBaseEnv$1));
+	], env));
 	if (checkoutExit === successExitCode) return;
 	yield* _(Effect.logWarning(`git checkout -B ${repoRef} failed (exit ${checkoutExit})`));
 });
-var stateInit = (input) => Effect.gen(function* (_) {
-	const fs = yield* _(FileSystem.FileSystem);
-	const path = yield* _(Path.Path);
-	const root = resolveStateRoot(path, process.cwd());
-	yield* _(initRepoIfNeeded(fs, path, root, input));
-	yield* _(ensureOriginRemote(root, input.repoUrl));
-	yield* _(checkoutBranchBestEffort(root, input.repoRef));
-	yield* _(ensureStateGitignore(fs, path, root));
-	yield* _(Effect.log(`State dir ready: ${root}`));
-	yield* _(Effect.log(`Remote: ${input.repoUrl}`));
-}).pipe(Effect.asVoid);
+var stateInit = (input) => {
+	const doInit = (env) => Effect.gen(function* (_) {
+		const fs = yield* _(FileSystem.FileSystem);
+		const path = yield* _(Path.Path);
+		const root = resolveStateRoot(path, process.cwd());
+		yield* _(initRepoIfNeeded(fs, path, root, input, env));
+		yield* _(ensureOriginRemote(root, input.repoUrl, env));
+		yield* _(adoptRemoteHistoryIfOrphan(root, input.repoRef, env));
+		yield* _(checkoutBranchBestEffort(root, input.repoRef, env));
+		yield* _(ensureStateGitignore(fs, path, root));
+		yield* _(Effect.log(`State dir ready: ${root}`));
+		yield* _(Effect.log(`Remote: ${input.repoUrl}`));
+	}).pipe(Effect.asVoid);
+	const token = input.token?.trim() ?? "";
+	return token.length > 0 && isGithubHttpsRemote(input.repoUrl) ? withGithubAskpassEnv(token, doInit) : doInit(gitBaseEnv$1);
+};
 var stateStatus = Effect.gen(function* (_) {
 	const output = yield* _(gitCapture$1(resolveStateRoot(yield* _(Path.Path), process.cwd()), [
 		"status",
@@ -5838,12 +6068,7 @@ var applyProjectConfig = (command) => runApplyForProjectDir(command.projectDir,
 	return yield* _(runApplyForProjectDir(inferredProjectDir, command));
 }) : Effect.fail(error)));
 //#endregion
-//#region ../lib/src/usecases/auth-claude-oauth.ts
-var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
-var tokenMarker = "Your OAuth token (valid for 1 year):";
-var tokenFooterMarker = "Store this token securely.";
-var outputWindowSize = 262144;
-var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
+//#region ../lib/src/shell/ansi-strip.ts
 var ansiEscape = "\x1B";
 var ansiBell = "\x07";
 var isAnsiFinalByte = (codePoint) => codePoint !== void 0 && codePoint >= 64 && codePoint <= 126;
@@ -5887,6 +6112,20 @@ var stripAnsi = (raw) => {
 	}
 	return cleaned.join("");
 };
+var writeChunkToFd = (fd, chunk) => {
+	if (fd === 2) {
+		process.stderr.write(chunk);
+		return;
+	}
+	process.stdout.write(chunk);
+};
+//#endregion
+//#region ../lib/src/usecases/auth-claude-oauth.ts
+var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
+var tokenMarker = "Your OAuth token (valid for 1 year):";
+var tokenFooterMarker = "Store this token securely.";
+var outputWindowSize$1 = 262144;
+var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
 var extractOauthToken = (rawOutput) => {
 	const normalized = stripAnsi(rawOutput).replaceAll("\r", "\n");
 	const markerIndex = normalized.lastIndexOf(tokenMarker);
@@ -5941,21 +6180,14 @@ var buildDockerSetupTokenArgs = (spec) => {
 		...spec.args
 	];
 };
-var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
-var writeChunkToFd = (fd, chunk) => {
-	if (fd === 2) {
-		process.stderr.write(chunk);
-		return;
-	}
-	process.stdout.write(chunk);
-};
-var pumpDockerOutput = (source, fd, tokenBox) => {
+var startDockerProcess$1 = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput$1 = (source, fd, tokenBox) => {
 	const decoder = new TextDecoder("utf-8");
 	let outputWindow = "";
 	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
 		writeChunkToFd(fd, chunk);
 		outputWindow += decoder.decode(chunk);
-		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (outputWindow.length > outputWindowSize$1) outputWindow = outputWindow.slice(-outputWindowSize$1);
 		if (tokenBox.value !== null) return;
 		const parsed = extractOauthToken(outputWindow);
 		if (parsed !== null) tokenBox.value = parsed;
@@ -5977,10 +6209,10 @@ var runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
 	const envToken = oauthTokenFromEnv();
 	if (envToken !== null) return ensureOauthToken(envToken);
 	return Effect.scoped(Effect.gen(function* (_) {
-		const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+		const proc = yield* _(startDockerProcess$1(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
 		const tokenBox = { value: null };
-		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, tokenBox)));
-		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, tokenBox)));
+		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stdout, 1, tokenBox)));
+		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stderr, 2, tokenBox)));
 		const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
 		yield* _(Fiber$1.join(stdoutFiber));
 		yield* _(Fiber$1.join(stderrFiber));
@@ -6001,19 +6233,15 @@ var claudeOauthTokenPath = (accountPath) => `${accountPath}/${claudeOauthTokenFi
 var claudeConfigPath = (accountPath) => `${accountPath}/${claudeConfigFileName}`;
 var claudeCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsFileName}`;
 var claudeNestedCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsDirName}/${claudeCredentialsFileName}`;
-var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var syncClaudeCredentialsFile = (fs, accountPath) => Effect.gen(function* (_) {
 	const nestedPath = claudeNestedCredentialsPath(accountPath);
 	const rootPath = claudeCredentialsPath(accountPath);
-	if (yield* _(isRegularFile(fs, nestedPath))) {
+	if (yield* _(isRegularFile$1(fs, nestedPath))) {
 		yield* _(fs.copyFile(nestedPath, rootPath));
 		yield* _(fs.chmod(rootPath, 384), Effect.orElseSucceed(() => void 0));
 		return;
 	}
-	if (yield* _(isRegularFile(fs, rootPath))) {
+	if (yield* _(isRegularFile$1(fs, rootPath))) {
 		const nestedDirPath = `${accountPath}/${claudeCredentialsDirName}`;
 		yield* _(fs.makeDirectory(nestedDirPath, { recursive: true }));
 		yield* _(fs.copyFile(rootPath, nestedPath));
@@ -6026,12 +6254,12 @@ var clearClaudeSessionCredentials = (fs, accountPath) => Effect.gen(function* (_
 });
 var hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return false;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
 });
 var readOauthToken = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return null;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return null;
 	const token = (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim();
 	return token.length > 0 ? token : null;
 });
@@ -6041,7 +6269,7 @@ var resolveClaudeAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
 		return "oauth-token";
 	}
 	yield* _(syncClaudeCredentialsFile(fs, accountPath));
-	return (yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
+	return (yield* _(isRegularFile$1(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
 });
 var buildClaudeAuthEnv = (interactive, oauthToken = null) => [...interactive ? [
 	`HOME=${claudeContainerHomeDir}`,
@@ -6266,53 +6494,387 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
-//#region ../lib/src/usecases/auth-github.ts
-var ensureGithubOrchLayout = (cwd, envGlobalPath) => migrateLegacyOrchLayout(cwd, {
-	envGlobalPath,
-	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath,
-	ghAuthPath: ghAuthRoot,
-	claudeAuthPath: ".docker-git/.orch/auth/claude"
-});
-var normalizeGithubLabel = (value) => {
-	const trimmed = value?.trim() ?? "";
-	if (trimmed.length === 0) return "";
-	const cleaned = trimRightChar(trimLeftChar(trimmed.toUpperCase().replaceAll(/[^A-Z0-9]+/g, "_"), "_"), "_");
-	return cleaned.length > 0 ? cleaned : "";
-};
-var tokenKey = "GITHUB_TOKEN";
-var tokenPrefix = "GITHUB_TOKEN__";
-var buildGithubTokenKey = (label) => {
-	const normalized = normalizeGithubLabel(label);
-	if (normalized === "DEFAULT" || normalized.length === 0) return tokenKey;
-	return `${tokenPrefix}${normalized}`;
-};
-var labelFromKey = (key) => key.startsWith(tokenPrefix) ? key.slice(14) : "default";
-var listGithubTokens = (envText) => parseEnvEntries(envText).filter((entry) => entry.key === tokenKey || entry.key.startsWith(tokenPrefix)).map((entry) => ({
-	key: entry.key,
-	label: labelFromKey(entry.key),
-	token: entry.value
-})).filter((entry) => entry.token.trim().length > 0);
-var defaultGithubScopes = "repo,workflow,read:org";
-var normalizeGithubScopes = (value) => {
-	const raw = value?.trim() ?? "";
-	const scopes = (raw.length === 0 ? defaultGithubScopes : raw).split(/[,\s]+/g).map((scope) => scope.trim()).filter((scope) => scope.length > 0 && scope !== "delete_repo");
-	return scopes.length === 0 ? defaultGithubScopes.split(",") : scopes;
-};
-var withEnvContext = (envGlobalPath, run) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
-	yield* _(ensureGithubOrchLayout(cwd, envGlobalPath));
-	const envPath = resolvePathFromCwd(path, cwd, envGlobalPath);
-	return yield* _(run({
-		fs,
-		envPath,
-		current: yield* _(readEnvText(fs, envPath))
-	}));
-}));
-var resolveGithubTokenFromGh = (cwd, accountPath) => runDockerAuthCapture(buildDockerAuthSpec({
+//#region ../lib/src/usecases/auth-gemini-oauth.ts
+var outputWindowSize = 262144;
+var authSuccessPatterns = [
+	"Authentication succeeded",
+	"Authentication successful",
+	"Successfully authenticated",
+	"Logged in as",
+	"You are now logged in"
+];
+var authFailurePatterns = [
+	"Authentication failed",
+	"Failed to authenticate",
+	"Authorization failed",
+	"Authentication timed out",
+	"Authentication cancelled"
+];
+var detectAuthResult = (output) => {
+	const normalized = stripAnsi(output).toLowerCase();
+	for (const pattern of authSuccessPatterns) if (normalized.includes(pattern.toLowerCase())) return "success";
+	for (const pattern of authFailurePatterns) if (normalized.includes(pattern.toLowerCase())) return "failure";
+	return "pending";
+};
+var geminiOauthCallbackPort = 38751;
+var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath) => ({
 	cwd,
-	image: ghImageName,
+	image,
 	hostPath: accountPath,
-	containerPath: ghAuthDir,
+	containerPath,
+	callbackPort: geminiOauthCallbackPort,
+	env: [
+		`HOME=${containerPath}`,
+		"NO_BROWSER=true",
+		"GEMINI_CLI_NONINTERACTIVE=false",
+		`OAUTH_CALLBACK_PORT=${geminiOauthCallbackPort}`,
+		"OAUTH_CALLBACK_HOST=0.0.0.0"
+	]
+});
+var buildDockerGeminiAuthArgs = (spec) => {
+	const base = [
+		"run",
+		"--rm",
+		"-i",
+		"-t",
+		"-v",
+		`${spec.hostPath}:${spec.containerPath}`,
+		"-p",
+		`${spec.callbackPort}:${spec.callbackPort}`
+	];
+	const dockerUser = resolveDefaultDockerUser();
+	if (dockerUser !== null) base.push("--user", dockerUser);
+	for (const entry of spec.env) {
+		const trimmed = entry.trim();
+		if (trimmed.length === 0) continue;
+		base.push("-e", trimmed);
+	}
+	return [
+		...base,
+		spec.image,
+		"gemini",
+		"--debug"
+	];
+};
+var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerGeminiAuthArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput = (source, fd, resultBox) => {
+	const decoder = new TextDecoder("utf-8");
+	let outputWindow = "";
+	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
+		writeChunkToFd(fd, chunk);
+		outputWindow += decoder.decode(chunk);
+		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (resultBox.value !== "pending") return;
+		const result = detectAuthResult(outputWindow);
+		if (result !== "pending") resultBox.value = result;
+	}).pipe(Effect.asVoid))).pipe(Effect.asVoid);
+};
+var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
+	if (result === "success") {
+		if (exitCode !== 0) yield* _(Effect.logWarning(`Gemini CLI returned exit=${exitCode}, but authentication appears successful; continuing.`));
+		return;
+	}
+	if (result === "failure") yield* _(Effect.fail(new AuthError({ message: "Gemini CLI OAuth authentication failed. Please try again." })));
+	if (exitCode !== 0) yield* _(Effect.fail(new CommandFailedError({
+		command: "gemini",
+		exitCode
+	})));
+});
+var printOauthInstructions = () => Effect.sync(() => {
+	const port = geminiOauthCallbackPort;
+	process.stderr.write("\n");
+	process.stderr.write("╔═══════════════════════════════════════════════════════════════════════════╗\n");
+	process.stderr.write("║                    Gemini CLI OAuth Authentication                        ║\n");
+	process.stderr.write("╠═══════════════════════════════════════════════════════════════════════════╣\n");
+	process.stderr.write("║ 1. Copy the auth URL shown below and open it in your browser              ║\n");
+	process.stderr.write("║ 2. Sign in with your Google account                                       ║\n");
+	process.stderr.write(`║ 3. After authentication, the browser will redirect to localhost:${port}    ║\n`);
+	process.stderr.write("║ 4. The callback will be captured automatically (port is forwarded)        ║\n");
+	process.stderr.write("╚═══════════════════════════════════════════════════════════════════════════╝\n");
+	process.stderr.write("\n");
+});
+var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped(Effect.gen(function* (_) {
+	yield* _(printOauthInstructions());
+	const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerGeminiAuthSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+	const resultBox = { value: "pending" };
+	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox)));
+	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox)));
+	const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
+	yield* _(Fiber$1.join(stdoutFiber));
+	yield* _(Fiber$1.join(stderrFiber));
+	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
+}));
+//#endregion
+//#region ../lib/src/usecases/auth-gemini.ts
+var geminiImageName = "docker-git-auth-gemini:latest";
+var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
+var geminiContainerHomeDir = "/gemini-home";
+var geminiCredentialsDir$1 = ".gemini";
+var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
+var geminiApiKeyFileName = ".api-key";
+var geminiEnvFileName = ".env";
+var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
+var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
+var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
+var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && node -v \
+  && npm -v \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @google/gemini-cli@latest
+ENTRYPOINT ["/bin/bash", "-c"]
+`;
+var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath: defaultTemplateConfig.envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ".docker-git/.orch/auth/gh",
+	claudeAuthPath: ".docker-git/.orch/auth/claude",
+	geminiAuthPath: ".docker-git/.orch/auth/gemini"
+});
+var resolveGeminiAccountPath = (path, rootPath, label) => {
+	const accountLabel = normalizeAccountLabel(label, "default");
+	return {
+		accountLabel,
+		accountPath: path.join(rootPath, accountLabel)
+	};
+};
+var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGeminiOrchLayout(cwd));
+	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
+	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
+	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
+		imageName: geminiImageName,
+		imageDir: geminiImageDir,
+		dockerfile: renderGeminiDockerfile(),
+		buildLabel: "gemini auth"
+	}));
+	return yield* _(run({
+		accountLabel,
+		accountPath,
+		cwd,
+		fs
+	}));
+}));
+var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
+	const apiKeyFilePath = geminiApiKeyPath(accountPath);
+	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
+		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
+		if (trimmed.length > 0) return trimmed;
+	}
+	const envFilePath = geminiEnvFilePath(accountPath);
+	if (yield* _(isRegularFile$1(fs, envFilePath))) {
+		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("GEMINI_API_KEY=")) {
+				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
+				if (value.length > 0) return value;
+			}
+		}
+	}
+	return null;
+});
+var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	if (!(yield* _(fs.exists(credentialsDir)))) return false;
+	const possibleFiles = [
+		`${credentialsDir}/oauth-tokens.json`,
+		`${credentialsDir}/credentials.json`,
+		`${credentialsDir}/application_default_credentials.json`
+	];
+	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
+	return false;
+});
+var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
+	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
+});
+var authGeminiLogin = (command, apiKey) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		const apiKeyFilePath = geminiApiKeyPath(accountPath);
+		yield* _(fs.writeFileString(apiKeyFilePath, `${apiKey.trim()}\n`));
+		yield* _(fs.chmod(apiKeyFilePath, 384), Effect.orElseSucceed(() => void 0));
+	})).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini ${accountLabel}`)));
+};
+var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
+	yield* _(Effect.log("Gemini CLI supports two authentication methods:"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("1. API Key (recommended for simplicity):"));
+	yield* _(Effect.log("   - Go to https://ai.google.dev/aistudio"));
+	yield* _(Effect.log("   - Create or retrieve your API key"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: set API key"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("2. OAuth (Sign in with Google):"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: login via OAuth"));
+	yield* _(Effect.log("   - Follow the prompts to authenticate with your Google account"));
+});
+var authGeminiLoginOauth = (command) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
+		const credentialsDir = geminiCredentialsPath(accountPath);
+		yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+		yield* _(runGeminiOauthLoginWithPrompt(cwd, accountPath, {
+			image: geminiImageName,
+			containerPath: geminiContainerHomeDir
+		}));
+	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
+};
+var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
+	const authMethod = yield* _(resolveGeminiAuthMethod(fs, accountPath));
+	if (authMethod === "none") {
+		yield* _(Effect.log(`Gemini not connected (${accountLabel}).`));
+		return;
+	}
+	yield* _(Effect.log(`Gemini connected (${accountLabel}, ${authMethod}).`));
+}));
+var authGeminiLogout = (command) => Effect.gen(function* (_) {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	yield* _(withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		yield* _(fs.remove(geminiApiKeyPath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiEnvFilePath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiCredentialsPath(accountPath), {
+			recursive: true,
+			force: true
+		}));
+	})));
+	yield* _(autoSyncState(`chore(state): auth gemini logout ${accountLabel}`));
+}).pipe(Effect.asVoid);
+//#endregion
+//#region ../lib/src/usecases/state-repo-github.ts
+var dotDockerGitRepoName = ".docker-git";
+var defaultStateRef = "main";
+var resolveViewerLogin = (cwd, hostPath, token) => Effect.gen(function* (_) {
+	const raw = yield* _(runGhApiCapture(cwd, hostPath, token, [
+		"/user",
+		"--jq",
+		".login"
+	]));
+	if (raw.length === 0) return yield* _(Effect.fail(new CommandFailedError({
+		command: "gh api /user --jq .login",
+		exitCode: 1
+	})));
+	return raw;
+});
+var getRepoCloneUrl = (cwd, hostPath, token, login) => runGhApiNullable(cwd, hostPath, token, [
+	`/repos/${login}/${dotDockerGitRepoName}`,
+	"--jq",
+	".clone_url"
+]);
+var createStateRepo = (cwd, hostPath, token) => runGhApiNullable(cwd, hostPath, token, [
+	"-X",
+	"POST",
+	"/user/repos",
+	"-f",
+	`name=${dotDockerGitRepoName}`,
+	"-f",
+	"private=false",
+	"-f",
+	"auto_init=true",
+	"--jq",
+	".clone_url"
+]);
+/**
+* Ensures the .docker-git state repository exists on GitHub and is initialised locally.
+*
+* On GitHub auth, immediately:
+* 1. Resolve the authenticated user's login via the GitHub API
+* 2. Check whether `<login>/.docker-git` exists on GitHub
+* 3. If missing, create the repository (public, auto-initialised with a README)
+* 4. Initialise the local `~/.docker-git` directory as a clone of that repository
+*
+* All failures are swallowed and logged as warnings so they never abort the auth
+* flow itself.
+*
+* @param token - A valid GitHub personal-access or OAuth token
+* @returns Effect<void, never, GithubStateRepoRuntime>
+*
+* @pure false
+* @effect FileSystem, CommandExecutor (Docker gh CLI, git)
+* @invariant ∀token ∈ ValidTokens: ensureStateDotDockerGitRepo(token) → cloned(~/.docker-git) ∨ warned
+* @precondition token.length > 0
+* @postcondition ~/.docker-git is a git repo with origin pointing to github.com/<login>/.docker-git
+* @complexity O(1) API calls
+* @throws Never - all errors are caught and logged
+*/
+var ensureStateDotDockerGitRepo = (token) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	const ghRoot = resolvePathFromCwd(path, cwd, ghAuthRoot);
+	yield* _(fs.makeDirectory(ghRoot, { recursive: true }));
+	yield* _(ensureGhAuthImage(fs, path, cwd, "gh api"));
+	const login = yield* _(resolveViewerLogin(cwd, ghRoot, token));
+	let cloneUrl = yield* _(getRepoCloneUrl(cwd, ghRoot, token, login));
+	if (cloneUrl === null) {
+		yield* _(Effect.log(`Creating .docker-git repository for ${login}...`));
+		cloneUrl = yield* _(createStateRepo(cwd, ghRoot, token));
+	}
+	if (cloneUrl === null) {
+		yield* _(Effect.logWarning(`Could not resolve or create .docker-git repository for ${login}`));
+		return;
+	}
+	yield* _(Effect.log(`Initializing state repository: ${cloneUrl}`));
+	yield* _(stateInit({
+		repoUrl: cloneUrl,
+		repoRef: defaultStateRef,
+		token
+	}));
+})).pipe(Effect.matchEffect({
+	onFailure: (error) => Effect.logWarning(`State repo setup failed: ${error instanceof Error ? error.message : String(error)}`),
+	onSuccess: () => Effect.void
+}));
+//#endregion
+//#region ../lib/src/usecases/auth-github.ts
+var ensureGithubOrchLayout = (cwd, envGlobalPath) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ghAuthRoot,
+	claudeAuthPath: ".docker-git/.orch/auth/claude"
+});
+var normalizeGithubLabel = (value) => {
+	const trimmed = value?.trim() ?? "";
+	if (trimmed.length === 0) return "";
+	const cleaned = trimRightChar(trimLeftChar(trimmed.toUpperCase().replaceAll(/[^A-Z0-9]+/g, "_"), "_"), "_");
+	return cleaned.length > 0 ? cleaned : "";
+};
+var tokenKey = "GITHUB_TOKEN";
+var tokenPrefix = "GITHUB_TOKEN__";
+var buildGithubTokenKey = (label) => {
+	const normalized = normalizeGithubLabel(label);
+	if (normalized === "DEFAULT" || normalized.length === 0) return tokenKey;
+	return `${tokenPrefix}${normalized}`;
+};
+var labelFromKey = (key) => key.startsWith(tokenPrefix) ? key.slice(14) : "default";
+var listGithubTokens = (envText) => parseEnvEntries(envText).filter((entry) => entry.key === tokenKey || entry.key.startsWith(tokenPrefix)).map((entry) => ({
+	key: entry.key,
+	label: labelFromKey(entry.key),
+	token: entry.value
+})).filter((entry) => entry.token.trim().length > 0);
+var defaultGithubScopes = "repo,workflow,read:org";
+var normalizeGithubScopes = (value) => {
+	const raw = value?.trim() ?? "";
+	const scopes = (raw.length === 0 ? defaultGithubScopes : raw).split(/[,\s]+/g).map((scope) => scope.trim()).filter((scope) => scope.length > 0 && scope !== "delete_repo");
+	return scopes.length === 0 ? defaultGithubScopes.split(",") : scopes;
+};
+var withEnvContext = (envGlobalPath, run) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGithubOrchLayout(cwd, envGlobalPath));
+	const envPath = resolvePathFromCwd(path, cwd, envGlobalPath);
+	return yield* _(run({
+		fs,
+		envPath,
+		current: yield* _(readEnvText(fs, envPath))
+	}));
+}));
+var resolveGithubTokenFromGh = (cwd, accountPath) => runDockerAuthCapture(buildDockerAuthSpec({
+	cwd,
+	image: ghImageName,
+	hostPath: accountPath,
+	containerPath: ghAuthDir,
 	env: `GH_CONFIG_DIR=${ghAuthDir}`,
 	args: ["auth", "token"],
 	interactive: false
@@ -6363,6 +6925,7 @@ var runGithubInteractiveLogin = (cwd, fs, path, envPath, command) => Effect.gen(
 	const resolved = yield* _(resolveGithubTokenFromGh(cwd, accountPath));
 	yield* _(ensureEnvFile$1(fs, path, envPath));
 	yield* _(persistGithubToken(fs, envPath, buildGithubTokenKey(command.label), resolved));
+	return resolved;
 });
 var authGithubLogin = (command) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
 	yield* _(ensureGithubOrchLayout(cwd, command.envGlobalPath));
@@ -6373,10 +6936,11 @@ var authGithubLogin = (command) => withFsPathContext(({ cwd, fs, path }) => Effe
 	if (token.length > 0) {
 		yield* _(ensureEnvFile$1(fs, path, envPath));
 		yield* _(persistGithubToken(fs, envPath, key, token));
+		yield* _(ensureStateDotDockerGitRepo(token));
 		yield* _(autoSyncState(`chore(state): auth gh ${label}`));
 		return;
 	}
-	yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command));
+	yield* _(ensureStateDotDockerGitRepo(yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command))));
 	yield* _(autoSyncState(`chore(state): auth gh ${label}`));
 }));
 var authGithubStatus = (command) => withEnvContext(command.envGlobalPath, ({ current, envPath }) => Effect.gen(function* (_) {
@@ -7480,10 +8044,12 @@ var normalizeLabel$1 = (value) => {
 var defaultEnvGlobalPath = ".docker-git/.orch/env/global.env";
 var defaultCodexAuthPath = ".docker-git/.orch/auth/codex";
 var defaultClaudeAuthPath = ".docker-git/.orch/auth/claude";
+var defaultGeminiAuthPath = ".docker-git/.orch/auth/gemini";
 var resolveAuthOptions = (raw) => ({
 	envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
 	codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
 	claudeAuthPath: defaultClaudeAuthPath,
+	geminiAuthPath: defaultGeminiAuthPath,
 	label: normalizeLabel$1(raw.label),
 	token: normalizeLabel$1(raw.token),
 	scopes: normalizeLabel$1(raw.scopes),
@@ -7529,7 +8095,20 @@ var buildClaudeCommand = (action, options) => Match.value(action).pipe(Match.whe
 	label: options.label,
 	claudeAuthPath: options.claudeAuthPath
 })), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
-var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
+var buildGeminiCommand = (action, options) => Match.value(action).pipe(Match.when("login", () => Either.right({
+	_tag: "AuthGeminiLogin",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.when("status", () => Either.right({
+	_tag: "AuthGeminiStatus",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.when("logout", () => Either.right({
+	_tag: "AuthGeminiLogout",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
+var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.when("gemini", () => buildGeminiCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
 var parseAuth = (args) => {
 	if (args.length < 2) return Either.left(missingArgument(args.length === 0 ? "auth provider" : "auth action"));
 	const provider = args[0] ?? "";
@@ -7636,13 +8215,15 @@ var buildDefaultPathConfig = (normalizedSecretsRoot) => normalizedSecretsRoot ==
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: defaultTemplateConfig.envGlobalPath,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	geminiAuthPath: defaultTemplateConfig.geminiAuthPath
 } : {
 	dockerGitPath: defaultTemplateConfig.dockerGitPath,
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: `${normalizedSecretsRoot}/global.env`,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: `${normalizedSecretsRoot}/codex`
+	codexAuthPath: `${normalizedSecretsRoot}/codex`,
+	geminiAuthPath: `${normalizedSecretsRoot}/gemini`
 };
 var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 	const defaults = buildDefaultPathConfig(resolveNormalizedSecretsRoot(raw.secretsRoot));
@@ -7659,6 +8240,8 @@ var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 		codexAuthPath,
 		codexSharedAuthPath: codexAuthPath,
 		codexHome: yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome)),
+		geminiAuthPath: defaults.geminiAuthPath,
+		geminiHome: defaultTemplateConfig.geminiHome,
 		outDir: yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 	};
 });
@@ -7688,6 +8271,8 @@ var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLab
 	codexAuthPath: paths.codexAuthPath,
 	codexSharedAuthPath: paths.codexSharedAuthPath,
 	codexHome: paths.codexHome,
+	geminiAuthPath: paths.geminiAuthPath,
+	geminiHome: paths.geminiHome,
 	cpuLimit,
 	ramLimit,
 	dockerNetworkMode,
@@ -8769,6 +9354,12 @@ var countAuthAccountDirectories = (fs, path, root) => Effect.gen(function* (_) {
 	return count;
 });
 //#endregion
+//#region src/docker-git/menu-auth-snapshot-builder.ts
+var countAuthAccountEntries = (fs, path, claudeAuthPath, geminiAuthPath) => pipe(Effect.all({
+	claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthPath),
+	geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthPath)
+}));
+//#endregion
 //#region src/docker-git/menu-labeled-env.ts
 var normalizeLabel = (value) => {
 	const trimmed = value.trim();
@@ -8817,6 +9408,18 @@ var authMenuItems = [
 		action: "ClaudeLogout",
 		label: "Claude Code: logout (clear cache)"
 	},
+	{
+		action: "GeminiOauth",
+		label: "Gemini CLI: login via OAuth (Google account)"
+	},
+	{
+		action: "GeminiApiKey",
+		label: "Gemini CLI: set API key"
+	},
+	{
+		action: "GeminiLogout",
+		label: "Gemini CLI: logout (clear credentials)"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -8876,34 +9479,62 @@ var flowSteps$1 = {
 		label: "Label to logout (empty = default)",
 		required: false,
 		secret: false
+	}],
+	GeminiOauth: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	GeminiApiKey: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}, {
+		key: "apiKey",
+		label: "Gemini API key (from ai.google.dev)",
+		required: true,
+		secret: true
+	}],
+	GeminiLogout: [{
+		key: "label",
+		label: "Label to logout (empty = default)",
+		required: false,
+		secret: false
 	}]
 };
-var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.exhaustive);
-var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.exhaustive);
+var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.when("GeminiOauth", () => "Gemini CLI OAuth"), Match.when("GeminiApiKey", () => "Gemini CLI API key"), Match.when("GeminiLogout", () => "Gemini CLI logout"), Match.exhaustive);
+var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.when("GeminiOauth", () => `Saved Gemini CLI OAuth login (${label}).`), Match.when("GeminiApiKey", () => `Saved Gemini API key (${label}).`), Match.when("GeminiLogout", () => `Logged out Gemini CLI (${label}).`), Match.exhaustive);
 var buildGlobalEnvPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadAuthEnvText = (cwd) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath$1(cwd);
 	const claudeAuthPath = buildClaudeAuthPath$1(cwd);
+	const geminiAuthPath = buildGeminiAuthPath$1(cwd);
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	return {
 		fs,
 		path,
 		globalEnvPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		envText: yield* _(readEnvText(fs, globalEnvPath))
 	};
 });
-var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, globalEnvPath, path }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, geminiAuthPath, globalEnvPath, path }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	globalEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
 	githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
 	gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
 	gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
-	claudeAuthEntries
+	claudeAuthEntries,
+	geminiAuthEntries
 })))));
 var writeAuthFlow = (cwd, flow, values) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ envText, fs, globalEnvPath }) => {
 	const label = values["label"] ?? "";
@@ -8932,6 +9563,67 @@ var authMenuActionByIndex = (index) => {
 };
 var authMenuSize = () => authMenuItems.length;
 //#endregion
+//#region src/docker-git/menu-auth-effects.ts
+var resolveLabelOption = (values) => {
+	const labelValue = (values["label"] ?? "").trim();
+	return labelValue.length > 0 ? labelValue : null;
+};
+var resolveGithubOauthEffect = (labelOption, globalEnvPath) => authGithubLogin({
+	_tag: "AuthGithubLogin",
+	label: labelOption,
+	token: null,
+	scopes: null,
+	envGlobalPath: globalEnvPath
+});
+var resolveClaudeOauthEffect = (labelOption) => authClaudeLogin({
+	_tag: "AuthClaudeLogin",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveClaudeLogoutEffect = (labelOption) => authClaudeLogout({
+	_tag: "AuthClaudeLogout",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveGeminiOauthEffect = (labelOption) => authGeminiLoginOauth({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+});
+var resolveGeminiApiKeyEffect = (labelOption, apiKey) => authGeminiLogin({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+}, apiKey);
+var resolveGeminiLogoutEffect = (labelOption) => authGeminiLogout({
+	_tag: "AuthGeminiLogout",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+});
+var resolveAuthPromptEffect = (view, cwd, values) => {
+	const labelOption = resolveLabelOption(values);
+	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => resolveGithubOauthEffect(labelOption, view.snapshot.globalEnvPath)), Match.when("ClaudeOauth", () => resolveClaudeOauthEffect(labelOption)), Match.when("ClaudeLogout", () => resolveClaudeLogoutEffect(labelOption)), Match.when("GeminiOauth", () => resolveGeminiOauthEffect(labelOption)), Match.when("GeminiApiKey", () => resolveGeminiApiKeyEffect(labelOption, (values["apiKey"] ?? "").trim())), Match.when("GeminiLogout", () => resolveGeminiLogoutEffect(labelOption)), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
+};
+var startAuthMenuWithSnapshot = (snapshot, context) => {
+	context.setView({
+		_tag: "AuthMenu",
+		selected: 0,
+		snapshot
+	});
+	context.setMessage(null);
+};
+var runAuthPromptEffect = (effect, view, label, context, options) => {
+	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
+		onError: pauseOnError(renderError),
+		onResume: resumeSshWithSkipInputs(context)
+	}) : effect;
+	context.setSshActive(options.suspendTui);
+	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
+		startAuthMenuWithSnapshot(snapshot, context);
+		context.setMessage(successMessage$1(view.flow, label));
+	})), Effect.asVoid));
+};
+//#endregion
 //#region src/docker-git/menu-input-utils.ts
 var parseMenuIndex = (input) => {
 	const trimmed = input.trim();
@@ -8988,14 +9680,6 @@ var defaultLabel = (value) => {
 	const trimmed = value.trim();
 	return trimmed.length > 0 ? trimmed : "default";
 };
-var startAuthMenuWithSnapshot = (snapshot, context) => {
-	context.setView({
-		_tag: "AuthMenu",
-		selected: 0,
-		snapshot
-	});
-	context.setMessage(null);
-};
 var startAuthPrompt = (snapshot, flow, context) => {
 	context.setView({
 		_tag: "AuthPrompt",
@@ -9007,39 +9691,6 @@ var startAuthPrompt = (snapshot, flow, context) => {
 	});
 	context.setMessage(null);
 };
-var resolveLabelOption = (values) => {
-	const labelValue = (values["label"] ?? "").trim();
-	return labelValue.length > 0 ? labelValue : null;
-};
-var resolveAuthPromptEffect = (view, cwd, values) => {
-	const labelOption = resolveLabelOption(values);
-	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => authGithubLogin({
-		_tag: "AuthGithubLogin",
-		label: labelOption,
-		token: null,
-		scopes: null,
-		envGlobalPath: view.snapshot.globalEnvPath
-	})), Match.when("ClaudeOauth", () => authClaudeLogin({
-		_tag: "AuthClaudeLogin",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("ClaudeLogout", () => authClaudeLogout({
-		_tag: "AuthClaudeLogout",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
-};
-var runAuthPromptEffect = (effect, view, label, context, options) => {
-	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
-		onError: pauseOnError(renderError),
-		onResume: resumeSshWithSkipInputs(context)
-	}) : effect;
-	context.setSshActive(options.suspendTui);
-	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.state.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
-		startAuthMenuWithSnapshot(snapshot, context);
-		context.setMessage(successMessage$1(view.flow, label));
-	})), Effect.asVoid));
-};
 var loadAuthMenuView = (cwd, context) => pipe(readAuthSnapshot(cwd), Effect.tap((snapshot) => Effect.sync(() => {
 	startAuthMenuWithSnapshot(snapshot, context);
 })), Effect.asVoid);
@@ -9059,7 +9710,10 @@ var submitAuthPrompt = (view, context) => {
 		startAuthMenuWithSnapshot(view.snapshot, context);
 	}, (nextValues) => {
 		const label = defaultLabel(nextValues["label"] ?? "");
-		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, context, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" });
+		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, {
+			...context,
+			cwd: context.state.cwd
+		}, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" || view.flow === "GeminiOauth" });
 	});
 };
 var setAuthMenuSelection = (view, selected, context) => {
@@ -9101,6 +9755,15 @@ var handleAuthMenuInput = (input, key, view, context) => {
 	}
 	handleAuthMenuNumberInput(input, view, context);
 };
+var setAuthPromptBuffer = (args) => {
+	const { context, input, key, view } = args;
+	const nextBuffer = nextBufferValue(input, key, view.buffer);
+	if (nextBuffer === null) return;
+	context.setView({
+		...view,
+		buffer: nextBuffer
+	});
+};
 var handleAuthPromptInput = (input, key, view, context) => {
 	if (key.escape) {
 		startAuthMenuWithSnapshot(view.snapshot, context);
@@ -9117,15 +9780,6 @@ var handleAuthPromptInput = (input, key, view, context) => {
 		context
 	});
 };
-var setAuthPromptBuffer = (args) => {
-	const { context, input, key, view } = args;
-	const nextBuffer = nextBufferValue(input, key, view.buffer);
-	if (nextBuffer === null) return;
-	context.setView({
-		...view,
-		buffer: nextBuffer
-	});
-};
 var openAuthMenu = (context) => {
 	context.setMessage("Loading auth profiles...");
 	context.runner.runEffect(loadAuthMenuView(context.state.cwd, context));
@@ -9218,15 +9872,17 @@ var loadRuntimeByProject = (items) => pipe(runDockerPsNames(process.cwd()), Effe
 }));
 var runtimeForSelection = (view, selected) => view.runtimeByProject[selected.projectDir] ?? stoppedRuntime$1();
 //#endregion
+//#region src/docker-git/menu-project-auth-helpers.ts
+var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
+//#endregion
 //#region src/docker-git/menu-project-auth-claude.ts
 var oauthTokenFileName = ".oauth-token";
 var legacyConfigFileName = ".config.json";
 var credentialsFileName = ".credentials.json";
 var nestedCredentialsFileName = ".claude/.credentials.json";
-var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var hasNonEmptyOauthToken = (fs, tokenPath) => Effect.gen(function* (_) {
 	if (!(yield* _(hasFileAtPath(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
@@ -9253,6 +9909,107 @@ var hasClaudeAccountCredentials = (fs, accountPath) => hasFileAtPath(fs, `${acco
 	}));
 }));
 //#endregion
+//#region src/docker-git/menu-project-auth-gemini.ts
+var apiKeyFileName = ".api-key";
+var envFileName = ".env";
+var geminiCredentialsDir = ".gemini";
+var hasNonEmptyApiKey = (fs, apiKeyPath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, apiKeyPath)))) return false;
+	return (yield* _(fs.readFileString(apiKeyPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
+});
+var hasApiKeyInEnvFile = (fs, envFilePath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, envFilePath)))) return false;
+	const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+	for (const line of lines) {
+		const trimmed = line.trim();
+		if (trimmed.startsWith("GEMINI_API_KEY=")) {
+			if (trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim().length > 0) return true;
+		}
+	}
+	return false;
+});
+var geminiOauthCredentialFiles = [
+	"oauth-tokens.json",
+	"credentials.json",
+	"application_default_credentials.json"
+];
+var checkAnyFileExists = (fs, basePath, fileNames) => {
+	const [first, ...rest] = fileNames;
+	if (first === void 0) return Effect.succeed(false);
+	return hasFileAtPath(fs, `${basePath}/${first}`).pipe(Effect.flatMap((exists) => exists ? Effect.succeed(true) : checkAnyFileExists(fs, basePath, rest)));
+};
+var hasOauthCredentials = (fs, accountPath) => {
+	const credentialsDir = `${accountPath}/${geminiCredentialsDir}`;
+	return hasFileAtPath(fs, credentialsDir).pipe(Effect.flatMap((dirExists) => dirExists ? checkAnyFileExists(fs, credentialsDir, geminiOauthCredentialFiles) : Effect.succeed(false)));
+};
+var hasGeminiAccountCredentials = (fs, accountPath) => hasNonEmptyApiKey(fs, `${accountPath}/${apiKeyFileName}`).pipe(Effect.flatMap((hasApiKey) => {
+	if (hasApiKey) return Effect.succeed(true);
+	return hasApiKeyInEnvFile(fs, `${accountPath}/${envFileName}`).pipe(Effect.flatMap((hasEnvApiKey) => {
+		if (hasEnvApiKey) return Effect.succeed(true);
+		return hasOauthCredentials(fs, accountPath);
+	}));
+}));
+//#endregion
+//#region src/docker-git/menu-project-auth-flows.ts
+var githubTokenBaseKey$1 = "GITHUB_TOKEN";
+var gitTokenBaseKey$1 = "GIT_AUTH_TOKEN";
+var gitUserBaseKey = "GIT_AUTH_USER";
+var projectGithubLabelKey$1 = "GITHUB_AUTH_LABEL";
+var projectGitLabelKey$1 = "GIT_AUTH_LABEL";
+var projectClaudeLabelKey$1 = "CLAUDE_AUTH_LABEL";
+var projectGeminiLabelKey$1 = "GEMINI_AUTH_LABEL";
+var defaultGitUser = "x-access-token";
+var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
+var clearProjectGitLabels = (envText) => {
+	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey$1, ""), projectGithubLabelKey$1, "");
+};
+var updateProjectGithubConnect = (spec) => {
+	const key = buildLabeledEnvKey(githubTokenBaseKey$1, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, key);
+	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
+	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey$1, "");
+	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGithubDisconnect = (spec) => {
+	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
+	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
+};
+var updateProjectGitConnect = (spec) => {
+	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey$1, spec.rawLabel);
+	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, tokenKey);
+	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
+	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
+	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
+	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey$1, spec.canonicalLabel);
+	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGitDisconnect = (spec) => {
+	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
+	return Effect.succeed(clearProjectGitLabels(withoutUser));
+};
+var resolveAccountCandidates = (authPath, accountLabel) => accountLabel === "default" ? [`${authPath}/default`, authPath] : [`${authPath}/${accountLabel}`];
+var findFirstCredentialsMatch = (fs, candidates, hasCredentials) => Effect.gen(function* (_) {
+	for (const accountPath of candidates) {
+		if (!(yield* _(fs.exists(accountPath)))) continue;
+		if (yield* _(hasCredentials(fs, accountPath), Effect.orElseSucceed(() => false))) return accountPath;
+	}
+	return null;
+});
+var updateProjectClaudeConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.claudeAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasClaudeAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectClaudeDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, ""));
+var updateProjectGeminiConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.geminiAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasGeminiAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Gemini CLI API key", spec.canonicalLabel, spec.geminiAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectGeminiDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, ""));
+var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.when("ProjectGeminiConnect", () => updateProjectGeminiConnect(spec)), Match.when("ProjectGeminiDisconnect", () => updateProjectGeminiDisconnect(spec)), Match.exhaustive);
+//#endregion
 //#region src/docker-git/menu-project-auth-data.ts
 var projectAuthMenuItems = [
 	{
@@ -9279,6 +10036,14 @@ var projectAuthMenuItems = [
 		action: "ProjectClaudeDisconnect",
 		label: "Project: Claude disconnect"
 	},
+	{
+		action: "ProjectGeminiConnect",
+		label: "Project: Gemini connect label"
+	},
+	{
+		action: "ProjectGeminiDisconnect",
+		label: "Project: Gemini disconnect"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -9309,7 +10074,14 @@ var flowSteps = {
 		required: false,
 		secret: false
 	}],
-	ProjectClaudeDisconnect: []
+	ProjectClaudeDisconnect: [],
+	ProjectGeminiConnect: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	ProjectGeminiDisconnect: []
 };
 var resolveCanonicalLabel = (value) => {
 	const normalized = normalizeLabel(value);
@@ -9317,18 +10089,19 @@ var resolveCanonicalLabel = (value) => {
 };
 var githubTokenBaseKey = "GITHUB_TOKEN";
 var gitTokenBaseKey = "GIT_AUTH_TOKEN";
-var gitUserBaseKey = "GIT_AUTH_USER";
 var projectGithubLabelKey = "GITHUB_AUTH_LABEL";
 var projectGitLabelKey = "GIT_AUTH_LABEL";
 var projectClaudeLabelKey = "CLAUDE_AUTH_LABEL";
-var defaultGitUser = "x-access-token";
+var projectGeminiLabelKey = "GEMINI_AUTH_LABEL";
 var buildGlobalEnvPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath(process.cwd());
 	const claudeAuthPath = buildClaudeAuthPath(process.cwd());
+	const geminiAuthPath = buildGeminiAuthPath(process.cwd());
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	yield* _(ensureEnvFile$1(fs, path, project.envProjectPath));
 	const globalEnvText = yield* _(readEnvText(fs, globalEnvPath));
@@ -9339,69 +10112,29 @@ var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 		globalEnvPath,
 		projectEnvPath: project.envProjectPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		globalEnvText,
 		projectEnvText
 	};
 });
-var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	projectDir: project.projectDir,
 	projectName: project.displayName,
 	envGlobalPath: globalEnvPath,
 	envProjectPath: projectEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
 	gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
 	claudeAuthEntries,
+	geminiAuthEntries,
 	activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
 	activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
-	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
+	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey),
+	activeGeminiLabel: findEnvValue(projectEnvText, projectGeminiLabelKey)
 })))));
-var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
-var updateProjectGithubConnect = (spec) => {
-	const key = buildLabeledEnvKey(githubTokenBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, key);
-	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
-	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey, "");
-	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var clearProjectGitLabels = (envText) => {
-	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey, ""), projectGithubLabelKey, "");
-};
-var updateProjectGithubDisconnect = (spec) => {
-	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
-	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
-};
-var updateProjectGitConnect = (spec) => {
-	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey, spec.rawLabel);
-	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, tokenKey);
-	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
-	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
-	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
-	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey, spec.canonicalLabel);
-	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var updateProjectGitDisconnect = (spec) => {
-	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
-	return Effect.succeed(clearProjectGitLabels(withoutUser));
-};
-var resolveClaudeAccountCandidates = (claudeAuthPath, accountLabel) => accountLabel === "default" ? [`${claudeAuthPath}/default`, claudeAuthPath] : [`${claudeAuthPath}/${accountLabel}`];
-var updateProjectClaudeConnect = (spec) => {
-	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
-	const accountCandidates = resolveClaudeAccountCandidates(spec.claudeAuthPath, accountLabel);
-	return Effect.gen(function* (_) {
-		for (const accountPath of accountCandidates) {
-			if (!(yield* _(spec.fs.exists(accountPath)))) continue;
-			if (yield* _(hasClaudeAccountCredentials(spec.fs, accountPath), Effect.orElseSucceed(() => false))) return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel);
-		}
-		return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)));
-	});
-};
-var updateProjectClaudeDisconnect = (spec) => {
-	return Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, ""));
-};
-var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.exhaustive);
-var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
+var resolveSyncMessage = (flow, canonicalLabel, displayName) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${displayName}`), Match.when("ProjectGeminiConnect", () => `chore(state): project auth gemini ${canonicalLabel} ${displayName}`), Match.when("ProjectGeminiDisconnect", () => `chore(state): project auth gemini logout ${displayName}`), Match.exhaustive);
+var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
 	const rawLabel = values["label"] ?? "";
 	const canonicalLabel = resolveCanonicalLabel(rawLabel);
 	const nextProjectEnv = resolveProjectEnvUpdate(flow, {
@@ -9411,9 +10144,10 @@ var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvTex
 		globalEnvPath,
 		globalEnvText,
 		projectEnvText,
-		claudeAuthPath
+		claudeAuthPath,
+		geminiAuthPath
 	});
-	const syncMessage = Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${project.displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${project.displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${project.displayName}`), Match.exhaustive);
+	const syncMessage = resolveSyncMessage(flow, canonicalLabel, project.displayName);
 	return pipe(nextProjectEnv, Effect.flatMap((nextText) => fs.writeFileString(projectEnvPath, nextText)), Effect.zipRight(autoSyncState(syncMessage)));
 }), Effect.asVoid);
 var projectAuthViewSteps = (flow) => flowSteps[flow];
@@ -9449,7 +10183,7 @@ var startProjectAuthPrompt = (project, snapshot, flow, context) => {
 var loadProjectAuthMenuView = (project, context) => pipe(readProjectAuthSnapshot(project), Effect.tap((snapshot) => Effect.sync(() => {
 	startProjectAuthMenu(project, snapshot, context);
 })), Effect.asVoid);
-var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.exhaustive);
+var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.when("ProjectGeminiConnect", () => `Connected Gemini label (${label}) to project.`), Match.when("ProjectGeminiDisconnect", () => "Disconnected Gemini from project."), Match.exhaustive);
 var runProjectAuthEffect = (project, flow, values, label, context) => {
 	context.runner.runEffect(pipe(writeProjectAuthFlow(project, flow, values), Effect.zipRight(readProjectAuthSnapshot(project)), Effect.tap((snapshot) => Effect.sync(() => {
 		startProjectAuthMenu(project, snapshot, context);
@@ -9474,7 +10208,7 @@ var runProjectAuthAction$1 = (action, view, context) => {
 		context.runner.runEffect(loadProjectAuthMenuView(view.project, context));
 		return;
 	}
-	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect") {
+	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect" || action === "ProjectGeminiDisconnect") {
 		runProjectAuthEffect(view.project, action, {}, "default", context);
 		return;
 	}
@@ -10644,7 +11378,7 @@ var setExitCode = (code) => Effect.sync(() => {
 });
 var logWarningAndExit = (error) => pipe(Effect.logWarning(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
 var logErrorAndExit = (error) => pipe(Effect.logError(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
-var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd))).pipe(Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
+var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
 var program = pipe(readCommand, Effect.flatMap((command) => Match.value(command).pipe(Match.when({ _tag: "Help" }, ({ message }) => Effect.log(message)), Match.when({ _tag: "Create" }, (create) => createProject(create)), Match.when({ _tag: "Status" }, () => listProjectStatus), Match.when({ _tag: "DownAll" }, () => downAllDockerGitProjects), Match.when({ _tag: "Menu" }, () => runMenu), Match.orElse((cmd) => handleNonBaseCommand(cmd)))), Effect.catchTag("FileExistsError", (error) => pipe(Effect.logWarning(renderError(error)), Effect.asVoid)), Effect.catchTag("DockerAccessError", logWarningAndExit), Effect.catchTag("DockerCommandError", logWarningAndExit), Effect.catchTag("AuthError", logWarningAndExit), Effect.catchTag("AgentFailedError", logWarningAndExit), Effect.catchTag("CommandFailedError", logWarningAndExit), Effect.catchTag("ScrapArchiveNotFoundError", logErrorAndExit), Effect.catchTag("ScrapTargetDirUnsupportedError", logErrorAndExit), Effect.catchTag("ScrapWipeRefusedError", logErrorAndExit), Effect.matchEffect({
 	onFailure: (error) => isParseError(error) ? logErrorAndExit(error) : pipe(Effect.logError(renderError(error)), Effect.flatMap(() => Effect.fail(error))),
 	onSuccess: () => Effect.void