npm - @prover-coder-ai/docker-git - Versions diffs - 1.0.43 → 1.0.44 - Mend

@prover-coder-ai/docker-git 1.0.43 → 1.0.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/src/docker-git/main.js +719 -151
package/dist/src/docker-git/main.js.map +1 -1
package/package.json +1 -1

package/dist/src/docker-git/main.js CHANGED Viewed

@@ -269,6 +269,8 @@ var defaultTemplateConfig = {
 	codexAuthPath: "./.docker-git/.orch/auth/codex",
 	codexSharedAuthPath: "./.docker-git/.orch/auth/codex",
 	codexHome: "/home/dev/.codex",
+	geminiAuthPath: "./.docker-git/.orch/auth/gemini",
+	geminiHome: "/home/dev/.gemini",
 	cpuLimit: "30%",
 	ramLimit: "30%",
 	dockerNetworkMode: defaultDockerNetworkMode,
@@ -809,6 +811,10 @@ var buildDockerAuthSpec = (input) => ({
 	args: input.args,
 	interactive: input.interactive
 });
+var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
 //#endregion
 //#region ../lib/src/usecases/auth-sync-helpers.ts
 var JsonValueSchema = Schema.suspend(() => Schema.Union(Schema.Null, Schema.Boolean, Schema.String, Schema.JsonNumber, Schema.Array(JsonValueSchema), Schema.Record({
@@ -876,7 +882,7 @@ var autoOptionError = (reason) => ({
 	option: "--auto",
 	reason
 });
-var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
 	if (!(yield* _(fs.exists(filePath)))) return false;
 	return (yield* _(fs.stat(filePath))).type === "File";
 });
@@ -892,8 +898,8 @@ var resolveClaudeAccountPath$1 = (rootPath, label) => {
 var hasClaudeAuth = (fs, rootPath, label) => Effect.gen(function* (_) {
 	for (const accountPath of resolveClaudeAccountPath$1(rootPath, label)) {
 		if (yield* _(hasNonEmptyFile(fs, `${accountPath}/.oauth-token`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.credentials.json`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.claude/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.claude/.credentials.json`))) return true;
 	}
 	return false;
 });
@@ -1357,6 +1363,9 @@ var TemplateConfigSchema = Schema.Struct({
 	codexAuthPath: Schema.String,
 	codexSharedAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.codexSharedAuthPath }),
 	codexHome: Schema.String,
+	geminiAuthLabel: Schema.optional(Schema.String),
+	geminiAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiAuthPath }),
+	geminiHome: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiHome }),
 	cpuLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.cpuLimit }),
 	ramLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.ramLimit }),
 	dockerNetworkMode: Schema.optionalWith(Schema.Literal("shared", "project"), { default: () => defaultTemplateConfig.dockerNetworkMode }),
@@ -2969,6 +2978,143 @@ if [[ -f "$LEGACY_AGENTS_PATH" && -f "$AGENTS_PATH" ]]; then
 fi`;
 var renderEntrypointAgentsNotice = (config) => entrypointAgentsNoticeTemplate.replaceAll("__CODEX_HOME__", config.codexHome).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__TARGET_DIR__", config.targetDir);
 //#endregion
+//#region ../lib/src/core/templates-entrypoint/gemini.ts
+var geminiAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/gemini`;
+var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_API_KEY for SSH sessions (API key stored under ~/.docker-git/.orch/auth/gemini)
+GEMINI_LABEL_RAW="${"$"}{GEMINI_AUTH_LABEL:-}"
+if [[ -z "$GEMINI_LABEL_RAW" ]]; then
+  GEMINI_LABEL_RAW="default"
+fi
+GEMINI_LABEL_NORM="$(printf "%s" "$GEMINI_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$GEMINI_LABEL_NORM" ]]; then
+  GEMINI_LABEL_NORM="default"
+fi
+GEMINI_AUTH_ROOT="__GEMINI_AUTH_ROOT__"
+GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
+# Backward compatibility: if default auth is stored directly under gemini root, reuse it.
+if [[ "$GEMINI_LABEL_NORM" == "default" ]]; then
+  GEMINI_ROOT_ENV_FILE="$GEMINI_AUTH_ROOT/.env"
+  if [[ -f "$GEMINI_ROOT_ENV_FILE" ]]; then
+    GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT"
+  fi
+fi
+mkdir -p "$GEMINI_AUTH_DIR" || true
+GEMINI_HOME_DIR="__GEMINI_HOME_DIR__"
+mkdir -p "$GEMINI_HOME_DIR" || true
+GEMINI_API_KEY_FILE="$GEMINI_AUTH_DIR/.api-key"
+GEMINI_ENV_FILE="$GEMINI_AUTH_DIR/.env"
+GEMINI_HOME_ENV_FILE="$GEMINI_HOME_DIR/.env"
+docker_git_link_gemini_file() {
+  local source_path="$1"
+  local link_path="$2"
+  # Preserve user-created regular files and seed config dir once.
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    return 0
+  fi
+  ln -sfn "$source_path" "$link_path" || true
+}
+# Link Gemini .env file from auth dir to home dir
+docker_git_link_gemini_file "$GEMINI_ENV_FILE" "$GEMINI_HOME_ENV_FILE"
+docker_git_refresh_gemini_api_key() {
+  local api_key=""
+  # Try to read from dedicated API key file first
+  if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
+    api_key="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
+  fi
+  # Fall back to .env file
+  if [[ -z "$api_key" && -f "$GEMINI_ENV_FILE" ]]; then
+    api_key="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
+  fi
+  if [[ -n "$api_key" ]]; then
+    export GEMINI_API_KEY="$api_key"
+  else
+    unset GEMINI_API_KEY || true
+  fi
+}
+docker_git_refresh_gemini_api_key`;
+var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", `/home/${config.sshUser}/.gemini`);
+var renderGeminiCliInstall = () => String.raw`# Gemini CLI: ensure CLI command exists (non-blocking startup self-heal)
+docker_git_ensure_gemini_cli() {
+  if command -v gemini >/dev/null 2>&1; then
+    return 0
+  fi
+  if ! command -v npm >/dev/null 2>&1; then
+    return 0
+  fi
+  NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+  GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
+  if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
+    echo "docker-git: gemini cli.js not found under npm global root; skip shim restore" >&2
+    return 0
+  fi
+  # Rebuild a minimal shim when npm package exists but binary link is missing.
+  cat <<'EOF' > /usr/local/bin/gemini
+#!/usr/bin/env bash
+set -euo pipefail
+if ! command -v npm >/dev/null 2>&1; then
+  echo "gemini: npm is required but missing" >&2
+  exit 127
+fi
+NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
+if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
+  echo "gemini: cli.js not found under npm global root" >&2
+  exit 127
+fi
+exec node "$GEMINI_CLI_JS" "$@"
+EOF
+  chmod 0755 /usr/local/bin/gemini || true
+  ln -sf /usr/local/bin/gemini /usr/bin/gemini || true
+}
+docker_git_ensure_gemini_cli`;
+var renderGeminiProfileSetup = () => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
+printf "export GEMINI_AUTH_LABEL=%q\n" "${"$"}{GEMINI_AUTH_LABEL:-default}" > "$GEMINI_PROFILE"
+cat <<'EOF' >> "$GEMINI_PROFILE"
+GEMINI_API_KEY_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.api-key"
+GEMINI_ENV_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.env"
+if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
+  export GEMINI_API_KEY="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
+elif [[ -f "$GEMINI_ENV_FILE" ]]; then
+  GEMINI_KEY="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
+  if [[ -n "$GEMINI_KEY" ]]; then
+    export GEMINI_API_KEY="$GEMINI_KEY"
+  fi
+fi
+EOF
+chmod 0644 "$GEMINI_PROFILE" || true
+docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "${"$"}{GEMINI_AUTH_LABEL:-default}"
+docker_git_upsert_ssh_env "GEMINI_API_KEY" "${"$"}{GEMINI_API_KEY:-}"`;
+var renderEntrypointGeminiConfig = (config) => [
+	renderGeminiAuthConfig(config),
+	renderGeminiCliInstall(),
+	renderGeminiProfileSetup()
+].join("\n\n");
+//#endregion
 //#region ../lib/src/core/templates-entrypoint/git.ts
 var renderAuthLabelResolution = () => String.raw`# 2) Ensure GitHub auth vars are available for SSH sessions.
 # Prefer a label-selected token (same selection model as clone/create) when present.
@@ -3871,6 +4017,7 @@ var renderEntrypoint = (config) => [
 	renderEntrypointDockerSocket(config),
 	renderEntrypointGitConfig(config),
 	renderEntrypointClaudeConfig(config),
+	renderEntrypointGeminiConfig(config),
 	renderEntrypointGitHooks(),
 	renderEntrypointBackgroundTasks(config),
 	renderEntrypointBaseline(),
@@ -4427,7 +4574,7 @@ var resolveOriginPushTarget = (originUrl) => {
 	const trimmed = originUrl?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : "origin";
 };
-var resolveSyncMessage = (value) => {
+var resolveSyncMessage$1 = (value) => {
 	const trimmed = value?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : defaultSyncMessage;
 };
@@ -4508,7 +4655,7 @@ var runStateSyncOps = (root, originUrl, message, env, options) => Effect.gen(fun
 	yield* _(normalizeLegacyStateProjects(root));
 	const baseBranch = resolveBaseBranch(yield* _(getCurrentBranch(root, env)));
 	yield* _(pullRemoteAndRestoreLocal(root, baseBranch, env));
-	yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env));
+	yield* _(commitAllIfNeeded(root, resolveSyncMessage$1(message), env));
 	const pushExit = yield* _(gitExitCode(root, [
 		"push",
 		"--no-verify",
@@ -5921,12 +6068,7 @@ var applyProjectConfig = (command) => runApplyForProjectDir(command.projectDir,
 	return yield* _(runApplyForProjectDir(inferredProjectDir, command));
 }) : Effect.fail(error)));
 //#endregion
-//#region ../lib/src/usecases/auth-claude-oauth.ts
-var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
-var tokenMarker = "Your OAuth token (valid for 1 year):";
-var tokenFooterMarker = "Store this token securely.";
-var outputWindowSize = 262144;
-var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
+//#region ../lib/src/shell/ansi-strip.ts
 var ansiEscape = "\x1B";
 var ansiBell = "\x07";
 var isAnsiFinalByte = (codePoint) => codePoint !== void 0 && codePoint >= 64 && codePoint <= 126;
@@ -5970,6 +6112,20 @@ var stripAnsi = (raw) => {
 	}
 	return cleaned.join("");
 };
+var writeChunkToFd = (fd, chunk) => {
+	if (fd === 2) {
+		process.stderr.write(chunk);
+		return;
+	}
+	process.stdout.write(chunk);
+};
+//#endregion
+//#region ../lib/src/usecases/auth-claude-oauth.ts
+var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
+var tokenMarker = "Your OAuth token (valid for 1 year):";
+var tokenFooterMarker = "Store this token securely.";
+var outputWindowSize$1 = 262144;
+var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
 var extractOauthToken = (rawOutput) => {
 	const normalized = stripAnsi(rawOutput).replaceAll("\r", "\n");
 	const markerIndex = normalized.lastIndexOf(tokenMarker);
@@ -6024,21 +6180,14 @@ var buildDockerSetupTokenArgs = (spec) => {
 		...spec.args
 	];
 };
-var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
-var writeChunkToFd = (fd, chunk) => {
-	if (fd === 2) {
-		process.stderr.write(chunk);
-		return;
-	}
-	process.stdout.write(chunk);
-};
-var pumpDockerOutput = (source, fd, tokenBox) => {
+var startDockerProcess$1 = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput$1 = (source, fd, tokenBox) => {
 	const decoder = new TextDecoder("utf-8");
 	let outputWindow = "";
 	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
 		writeChunkToFd(fd, chunk);
 		outputWindow += decoder.decode(chunk);
-		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (outputWindow.length > outputWindowSize$1) outputWindow = outputWindow.slice(-outputWindowSize$1);
 		if (tokenBox.value !== null) return;
 		const parsed = extractOauthToken(outputWindow);
 		if (parsed !== null) tokenBox.value = parsed;
@@ -6060,10 +6209,10 @@ var runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
 	const envToken = oauthTokenFromEnv();
 	if (envToken !== null) return ensureOauthToken(envToken);
 	return Effect.scoped(Effect.gen(function* (_) {
-		const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+		const proc = yield* _(startDockerProcess$1(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
 		const tokenBox = { value: null };
-		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, tokenBox)));
-		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, tokenBox)));
+		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stdout, 1, tokenBox)));
+		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stderr, 2, tokenBox)));
 		const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
 		yield* _(Fiber$1.join(stdoutFiber));
 		yield* _(Fiber$1.join(stderrFiber));
@@ -6084,19 +6233,15 @@ var claudeOauthTokenPath = (accountPath) => `${accountPath}/${claudeOauthTokenFi
 var claudeConfigPath = (accountPath) => `${accountPath}/${claudeConfigFileName}`;
 var claudeCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsFileName}`;
 var claudeNestedCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsDirName}/${claudeCredentialsFileName}`;
-var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var syncClaudeCredentialsFile = (fs, accountPath) => Effect.gen(function* (_) {
 	const nestedPath = claudeNestedCredentialsPath(accountPath);
 	const rootPath = claudeCredentialsPath(accountPath);
-	if (yield* _(isRegularFile(fs, nestedPath))) {
+	if (yield* _(isRegularFile$1(fs, nestedPath))) {
 		yield* _(fs.copyFile(nestedPath, rootPath));
 		yield* _(fs.chmod(rootPath, 384), Effect.orElseSucceed(() => void 0));
 		return;
 	}
-	if (yield* _(isRegularFile(fs, rootPath))) {
+	if (yield* _(isRegularFile$1(fs, rootPath))) {
 		const nestedDirPath = `${accountPath}/${claudeCredentialsDirName}`;
 		yield* _(fs.makeDirectory(nestedDirPath, { recursive: true }));
 		yield* _(fs.copyFile(rootPath, nestedPath));
@@ -6109,12 +6254,12 @@ var clearClaudeSessionCredentials = (fs, accountPath) => Effect.gen(function* (_
 });
 var hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return false;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
 });
 var readOauthToken = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return null;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return null;
 	const token = (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim();
 	return token.length > 0 ? token : null;
 });
@@ -6124,7 +6269,7 @@ var resolveClaudeAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
 		return "oauth-token";
 	}
 	yield* _(syncClaudeCredentialsFile(fs, accountPath));
-	return (yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
+	return (yield* _(isRegularFile$1(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
 });
 var buildClaudeAuthEnv = (interactive, oauthToken = null) => [...interactive ? [
 	`HOME=${claudeContainerHomeDir}`,
@@ -6349,6 +6494,259 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
+//#region ../lib/src/usecases/auth-gemini-oauth.ts
+var outputWindowSize = 262144;
+var authSuccessPatterns = [
+	"Authentication succeeded",
+	"Authentication successful",
+	"Successfully authenticated",
+	"Logged in as",
+	"You are now logged in"
+];
+var authFailurePatterns = [
+	"Authentication failed",
+	"Failed to authenticate",
+	"Authorization failed",
+	"Authentication timed out",
+	"Authentication cancelled"
+];
+var detectAuthResult = (output) => {
+	const normalized = stripAnsi(output).toLowerCase();
+	for (const pattern of authSuccessPatterns) if (normalized.includes(pattern.toLowerCase())) return "success";
+	for (const pattern of authFailurePatterns) if (normalized.includes(pattern.toLowerCase())) return "failure";
+	return "pending";
+};
+var geminiOauthCallbackPort = 38751;
+var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath) => ({
+	cwd,
+	image,
+	hostPath: accountPath,
+	containerPath,
+	callbackPort: geminiOauthCallbackPort,
+	env: [
+		`HOME=${containerPath}`,
+		"NO_BROWSER=true",
+		"GEMINI_CLI_NONINTERACTIVE=false",
+		`OAUTH_CALLBACK_PORT=${geminiOauthCallbackPort}`,
+		"OAUTH_CALLBACK_HOST=0.0.0.0"
+	]
+});
+var buildDockerGeminiAuthArgs = (spec) => {
+	const base = [
+		"run",
+		"--rm",
+		"-i",
+		"-t",
+		"-v",
+		`${spec.hostPath}:${spec.containerPath}`,
+		"-p",
+		`${spec.callbackPort}:${spec.callbackPort}`
+	];
+	const dockerUser = resolveDefaultDockerUser();
+	if (dockerUser !== null) base.push("--user", dockerUser);
+	for (const entry of spec.env) {
+		const trimmed = entry.trim();
+		if (trimmed.length === 0) continue;
+		base.push("-e", trimmed);
+	}
+	return [
+		...base,
+		spec.image,
+		"gemini",
+		"--debug"
+	];
+};
+var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerGeminiAuthArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput = (source, fd, resultBox) => {
+	const decoder = new TextDecoder("utf-8");
+	let outputWindow = "";
+	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
+		writeChunkToFd(fd, chunk);
+		outputWindow += decoder.decode(chunk);
+		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (resultBox.value !== "pending") return;
+		const result = detectAuthResult(outputWindow);
+		if (result !== "pending") resultBox.value = result;
+	}).pipe(Effect.asVoid))).pipe(Effect.asVoid);
+};
+var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
+	if (result === "success") {
+		if (exitCode !== 0) yield* _(Effect.logWarning(`Gemini CLI returned exit=${exitCode}, but authentication appears successful; continuing.`));
+		return;
+	}
+	if (result === "failure") yield* _(Effect.fail(new AuthError({ message: "Gemini CLI OAuth authentication failed. Please try again." })));
+	if (exitCode !== 0) yield* _(Effect.fail(new CommandFailedError({
+		command: "gemini",
+		exitCode
+	})));
+});
+var printOauthInstructions = () => Effect.sync(() => {
+	const port = geminiOauthCallbackPort;
+	process.stderr.write("\n");
+	process.stderr.write("╔═══════════════════════════════════════════════════════════════════════════╗\n");
+	process.stderr.write("║                    Gemini CLI OAuth Authentication                        ║\n");
+	process.stderr.write("╠═══════════════════════════════════════════════════════════════════════════╣\n");
+	process.stderr.write("║ 1. Copy the auth URL shown below and open it in your browser              ║\n");
+	process.stderr.write("║ 2. Sign in with your Google account                                       ║\n");
+	process.stderr.write(`║ 3. After authentication, the browser will redirect to localhost:${port}    ║\n`);
+	process.stderr.write("║ 4. The callback will be captured automatically (port is forwarded)        ║\n");
+	process.stderr.write("╚═══════════════════════════════════════════════════════════════════════════╝\n");
+	process.stderr.write("\n");
+});
+var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped(Effect.gen(function* (_) {
+	yield* _(printOauthInstructions());
+	const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerGeminiAuthSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+	const resultBox = { value: "pending" };
+	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox)));
+	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox)));
+	const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
+	yield* _(Fiber$1.join(stdoutFiber));
+	yield* _(Fiber$1.join(stderrFiber));
+	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
+}));
+//#endregion
+//#region ../lib/src/usecases/auth-gemini.ts
+var geminiImageName = "docker-git-auth-gemini:latest";
+var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
+var geminiContainerHomeDir = "/gemini-home";
+var geminiCredentialsDir$1 = ".gemini";
+var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
+var geminiApiKeyFileName = ".api-key";
+var geminiEnvFileName = ".env";
+var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
+var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
+var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
+var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && node -v \
+  && npm -v \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @google/gemini-cli@latest
+ENTRYPOINT ["/bin/bash", "-c"]
+`;
+var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath: defaultTemplateConfig.envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ".docker-git/.orch/auth/gh",
+	claudeAuthPath: ".docker-git/.orch/auth/claude",
+	geminiAuthPath: ".docker-git/.orch/auth/gemini"
+});
+var resolveGeminiAccountPath = (path, rootPath, label) => {
+	const accountLabel = normalizeAccountLabel(label, "default");
+	return {
+		accountLabel,
+		accountPath: path.join(rootPath, accountLabel)
+	};
+};
+var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGeminiOrchLayout(cwd));
+	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
+	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
+	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
+		imageName: geminiImageName,
+		imageDir: geminiImageDir,
+		dockerfile: renderGeminiDockerfile(),
+		buildLabel: "gemini auth"
+	}));
+	return yield* _(run({
+		accountLabel,
+		accountPath,
+		cwd,
+		fs
+	}));
+}));
+var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
+	const apiKeyFilePath = geminiApiKeyPath(accountPath);
+	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
+		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
+		if (trimmed.length > 0) return trimmed;
+	}
+	const envFilePath = geminiEnvFilePath(accountPath);
+	if (yield* _(isRegularFile$1(fs, envFilePath))) {
+		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("GEMINI_API_KEY=")) {
+				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
+				if (value.length > 0) return value;
+			}
+		}
+	}
+	return null;
+});
+var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	if (!(yield* _(fs.exists(credentialsDir)))) return false;
+	const possibleFiles = [
+		`${credentialsDir}/oauth-tokens.json`,
+		`${credentialsDir}/credentials.json`,
+		`${credentialsDir}/application_default_credentials.json`
+	];
+	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
+	return false;
+});
+var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
+	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
+});
+var authGeminiLogin = (command, apiKey) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		const apiKeyFilePath = geminiApiKeyPath(accountPath);
+		yield* _(fs.writeFileString(apiKeyFilePath, `${apiKey.trim()}\n`));
+		yield* _(fs.chmod(apiKeyFilePath, 384), Effect.orElseSucceed(() => void 0));
+	})).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini ${accountLabel}`)));
+};
+var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
+	yield* _(Effect.log("Gemini CLI supports two authentication methods:"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("1. API Key (recommended for simplicity):"));
+	yield* _(Effect.log("   - Go to https://ai.google.dev/aistudio"));
+	yield* _(Effect.log("   - Create or retrieve your API key"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: set API key"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("2. OAuth (Sign in with Google):"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: login via OAuth"));
+	yield* _(Effect.log("   - Follow the prompts to authenticate with your Google account"));
+});
+var authGeminiLoginOauth = (command) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
+		const credentialsDir = geminiCredentialsPath(accountPath);
+		yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+		yield* _(runGeminiOauthLoginWithPrompt(cwd, accountPath, {
+			image: geminiImageName,
+			containerPath: geminiContainerHomeDir
+		}));
+	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
+};
+var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
+	const authMethod = yield* _(resolveGeminiAuthMethod(fs, accountPath));
+	if (authMethod === "none") {
+		yield* _(Effect.log(`Gemini not connected (${accountLabel}).`));
+		return;
+	}
+	yield* _(Effect.log(`Gemini connected (${accountLabel}, ${authMethod}).`));
+}));
+var authGeminiLogout = (command) => Effect.gen(function* (_) {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	yield* _(withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		yield* _(fs.remove(geminiApiKeyPath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiEnvFilePath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiCredentialsPath(accountPath), {
+			recursive: true,
+			force: true
+		}));
+	})));
+	yield* _(autoSyncState(`chore(state): auth gemini logout ${accountLabel}`));
+}).pipe(Effect.asVoid);
+//#endregion
 //#region ../lib/src/usecases/state-repo-github.ts
 var dotDockerGitRepoName = ".docker-git";
 var defaultStateRef = "main";
@@ -7646,10 +8044,12 @@ var normalizeLabel$1 = (value) => {
 var defaultEnvGlobalPath = ".docker-git/.orch/env/global.env";
 var defaultCodexAuthPath = ".docker-git/.orch/auth/codex";
 var defaultClaudeAuthPath = ".docker-git/.orch/auth/claude";
+var defaultGeminiAuthPath = ".docker-git/.orch/auth/gemini";
 var resolveAuthOptions = (raw) => ({
 	envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
 	codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
 	claudeAuthPath: defaultClaudeAuthPath,
+	geminiAuthPath: defaultGeminiAuthPath,
 	label: normalizeLabel$1(raw.label),
 	token: normalizeLabel$1(raw.token),
 	scopes: normalizeLabel$1(raw.scopes),
@@ -7695,7 +8095,20 @@ var buildClaudeCommand = (action, options) => Match.value(action).pipe(Match.whe
 	label: options.label,
 	claudeAuthPath: options.claudeAuthPath
 })), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
-var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
+var buildGeminiCommand = (action, options) => Match.value(action).pipe(Match.when("login", () => Either.right({
+	_tag: "AuthGeminiLogin",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.when("status", () => Either.right({
+	_tag: "AuthGeminiStatus",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.when("logout", () => Either.right({
+	_tag: "AuthGeminiLogout",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
+var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.when("gemini", () => buildGeminiCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
 var parseAuth = (args) => {
 	if (args.length < 2) return Either.left(missingArgument(args.length === 0 ? "auth provider" : "auth action"));
 	const provider = args[0] ?? "";
@@ -7802,13 +8215,15 @@ var buildDefaultPathConfig = (normalizedSecretsRoot) => normalizedSecretsRoot ==
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: defaultTemplateConfig.envGlobalPath,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	geminiAuthPath: defaultTemplateConfig.geminiAuthPath
 } : {
 	dockerGitPath: defaultTemplateConfig.dockerGitPath,
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: `${normalizedSecretsRoot}/global.env`,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: `${normalizedSecretsRoot}/codex`
+	codexAuthPath: `${normalizedSecretsRoot}/codex`,
+	geminiAuthPath: `${normalizedSecretsRoot}/gemini`
 };
 var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 	const defaults = buildDefaultPathConfig(resolveNormalizedSecretsRoot(raw.secretsRoot));
@@ -7825,6 +8240,8 @@ var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 		codexAuthPath,
 		codexSharedAuthPath: codexAuthPath,
 		codexHome: yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome)),
+		geminiAuthPath: defaults.geminiAuthPath,
+		geminiHome: defaultTemplateConfig.geminiHome,
 		outDir: yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 	};
 });
@@ -7854,6 +8271,8 @@ var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLab
 	codexAuthPath: paths.codexAuthPath,
 	codexSharedAuthPath: paths.codexSharedAuthPath,
 	codexHome: paths.codexHome,
+	geminiAuthPath: paths.geminiAuthPath,
+	geminiHome: paths.geminiHome,
 	cpuLimit,
 	ramLimit,
 	dockerNetworkMode,
@@ -8935,6 +9354,12 @@ var countAuthAccountDirectories = (fs, path, root) => Effect.gen(function* (_) {
 	return count;
 });
 //#endregion
+//#region src/docker-git/menu-auth-snapshot-builder.ts
+var countAuthAccountEntries = (fs, path, claudeAuthPath, geminiAuthPath) => pipe(Effect.all({
+	claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthPath),
+	geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthPath)
+}));
+//#endregion
 //#region src/docker-git/menu-labeled-env.ts
 var normalizeLabel = (value) => {
 	const trimmed = value.trim();
@@ -8983,6 +9408,18 @@ var authMenuItems = [
 		action: "ClaudeLogout",
 		label: "Claude Code: logout (clear cache)"
 	},
+	{
+		action: "GeminiOauth",
+		label: "Gemini CLI: login via OAuth (Google account)"
+	},
+	{
+		action: "GeminiApiKey",
+		label: "Gemini CLI: set API key"
+	},
+	{
+		action: "GeminiLogout",
+		label: "Gemini CLI: logout (clear credentials)"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -9042,34 +9479,62 @@ var flowSteps$1 = {
 		label: "Label to logout (empty = default)",
 		required: false,
 		secret: false
+	}],
+	GeminiOauth: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	GeminiApiKey: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}, {
+		key: "apiKey",
+		label: "Gemini API key (from ai.google.dev)",
+		required: true,
+		secret: true
+	}],
+	GeminiLogout: [{
+		key: "label",
+		label: "Label to logout (empty = default)",
+		required: false,
+		secret: false
 	}]
 };
-var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.exhaustive);
-var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.exhaustive);
+var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.when("GeminiOauth", () => "Gemini CLI OAuth"), Match.when("GeminiApiKey", () => "Gemini CLI API key"), Match.when("GeminiLogout", () => "Gemini CLI logout"), Match.exhaustive);
+var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.when("GeminiOauth", () => `Saved Gemini CLI OAuth login (${label}).`), Match.when("GeminiApiKey", () => `Saved Gemini API key (${label}).`), Match.when("GeminiLogout", () => `Logged out Gemini CLI (${label}).`), Match.exhaustive);
 var buildGlobalEnvPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadAuthEnvText = (cwd) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath$1(cwd);
 	const claudeAuthPath = buildClaudeAuthPath$1(cwd);
+	const geminiAuthPath = buildGeminiAuthPath$1(cwd);
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	return {
 		fs,
 		path,
 		globalEnvPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		envText: yield* _(readEnvText(fs, globalEnvPath))
 	};
 });
-var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, globalEnvPath, path }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, geminiAuthPath, globalEnvPath, path }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	globalEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
 	githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
 	gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
 	gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
-	claudeAuthEntries
+	claudeAuthEntries,
+	geminiAuthEntries
 })))));
 var writeAuthFlow = (cwd, flow, values) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ envText, fs, globalEnvPath }) => {
 	const label = values["label"] ?? "";
@@ -9098,6 +9563,67 @@ var authMenuActionByIndex = (index) => {
 };
 var authMenuSize = () => authMenuItems.length;
 //#endregion
+//#region src/docker-git/menu-auth-effects.ts
+var resolveLabelOption = (values) => {
+	const labelValue = (values["label"] ?? "").trim();
+	return labelValue.length > 0 ? labelValue : null;
+};
+var resolveGithubOauthEffect = (labelOption, globalEnvPath) => authGithubLogin({
+	_tag: "AuthGithubLogin",
+	label: labelOption,
+	token: null,
+	scopes: null,
+	envGlobalPath: globalEnvPath
+});
+var resolveClaudeOauthEffect = (labelOption) => authClaudeLogin({
+	_tag: "AuthClaudeLogin",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveClaudeLogoutEffect = (labelOption) => authClaudeLogout({
+	_tag: "AuthClaudeLogout",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveGeminiOauthEffect = (labelOption) => authGeminiLoginOauth({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+});
+var resolveGeminiApiKeyEffect = (labelOption, apiKey) => authGeminiLogin({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+}, apiKey);
+var resolveGeminiLogoutEffect = (labelOption) => authGeminiLogout({
+	_tag: "AuthGeminiLogout",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+});
+var resolveAuthPromptEffect = (view, cwd, values) => {
+	const labelOption = resolveLabelOption(values);
+	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => resolveGithubOauthEffect(labelOption, view.snapshot.globalEnvPath)), Match.when("ClaudeOauth", () => resolveClaudeOauthEffect(labelOption)), Match.when("ClaudeLogout", () => resolveClaudeLogoutEffect(labelOption)), Match.when("GeminiOauth", () => resolveGeminiOauthEffect(labelOption)), Match.when("GeminiApiKey", () => resolveGeminiApiKeyEffect(labelOption, (values["apiKey"] ?? "").trim())), Match.when("GeminiLogout", () => resolveGeminiLogoutEffect(labelOption)), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
+};
+var startAuthMenuWithSnapshot = (snapshot, context) => {
+	context.setView({
+		_tag: "AuthMenu",
+		selected: 0,
+		snapshot
+	});
+	context.setMessage(null);
+};
+var runAuthPromptEffect = (effect, view, label, context, options) => {
+	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
+		onError: pauseOnError(renderError),
+		onResume: resumeSshWithSkipInputs(context)
+	}) : effect;
+	context.setSshActive(options.suspendTui);
+	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
+		startAuthMenuWithSnapshot(snapshot, context);
+		context.setMessage(successMessage$1(view.flow, label));
+	})), Effect.asVoid));
+};
+//#endregion
 //#region src/docker-git/menu-input-utils.ts
 var parseMenuIndex = (input) => {
 	const trimmed = input.trim();
@@ -9154,14 +9680,6 @@ var defaultLabel = (value) => {
 	const trimmed = value.trim();
 	return trimmed.length > 0 ? trimmed : "default";
 };
-var startAuthMenuWithSnapshot = (snapshot, context) => {
-	context.setView({
-		_tag: "AuthMenu",
-		selected: 0,
-		snapshot
-	});
-	context.setMessage(null);
-};
 var startAuthPrompt = (snapshot, flow, context) => {
 	context.setView({
 		_tag: "AuthPrompt",
@@ -9173,39 +9691,6 @@ var startAuthPrompt = (snapshot, flow, context) => {
 	});
 	context.setMessage(null);
 };
-var resolveLabelOption = (values) => {
-	const labelValue = (values["label"] ?? "").trim();
-	return labelValue.length > 0 ? labelValue : null;
-};
-var resolveAuthPromptEffect = (view, cwd, values) => {
-	const labelOption = resolveLabelOption(values);
-	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => authGithubLogin({
-		_tag: "AuthGithubLogin",
-		label: labelOption,
-		token: null,
-		scopes: null,
-		envGlobalPath: view.snapshot.globalEnvPath
-	})), Match.when("ClaudeOauth", () => authClaudeLogin({
-		_tag: "AuthClaudeLogin",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("ClaudeLogout", () => authClaudeLogout({
-		_tag: "AuthClaudeLogout",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
-};
-var runAuthPromptEffect = (effect, view, label, context, options) => {
-	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
-		onError: pauseOnError(renderError),
-		onResume: resumeSshWithSkipInputs(context)
-	}) : effect;
-	context.setSshActive(options.suspendTui);
-	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.state.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
-		startAuthMenuWithSnapshot(snapshot, context);
-		context.setMessage(successMessage$1(view.flow, label));
-	})), Effect.asVoid));
-};
 var loadAuthMenuView = (cwd, context) => pipe(readAuthSnapshot(cwd), Effect.tap((snapshot) => Effect.sync(() => {
 	startAuthMenuWithSnapshot(snapshot, context);
 })), Effect.asVoid);
@@ -9225,7 +9710,10 @@ var submitAuthPrompt = (view, context) => {
 		startAuthMenuWithSnapshot(view.snapshot, context);
 	}, (nextValues) => {
 		const label = defaultLabel(nextValues["label"] ?? "");
-		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, context, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" });
+		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, {
+			...context,
+			cwd: context.state.cwd
+		}, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" || view.flow === "GeminiOauth" });
 	});
 };
 var setAuthMenuSelection = (view, selected, context) => {
@@ -9267,6 +9755,15 @@ var handleAuthMenuInput = (input, key, view, context) => {
 	}
 	handleAuthMenuNumberInput(input, view, context);
 };
+var setAuthPromptBuffer = (args) => {
+	const { context, input, key, view } = args;
+	const nextBuffer = nextBufferValue(input, key, view.buffer);
+	if (nextBuffer === null) return;
+	context.setView({
+		...view,
+		buffer: nextBuffer
+	});
+};
 var handleAuthPromptInput = (input, key, view, context) => {
 	if (key.escape) {
 		startAuthMenuWithSnapshot(view.snapshot, context);
@@ -9283,15 +9780,6 @@ var handleAuthPromptInput = (input, key, view, context) => {
 		context
 	});
 };
-var setAuthPromptBuffer = (args) => {
-	const { context, input, key, view } = args;
-	const nextBuffer = nextBufferValue(input, key, view.buffer);
-	if (nextBuffer === null) return;
-	context.setView({
-		...view,
-		buffer: nextBuffer
-	});
-};
 var openAuthMenu = (context) => {
 	context.setMessage("Loading auth profiles...");
 	context.runner.runEffect(loadAuthMenuView(context.state.cwd, context));
@@ -9384,15 +9872,17 @@ var loadRuntimeByProject = (items) => pipe(runDockerPsNames(process.cwd()), Effe
 }));
 var runtimeForSelection = (view, selected) => view.runtimeByProject[selected.projectDir] ?? stoppedRuntime$1();
 //#endregion
+//#region src/docker-git/menu-project-auth-helpers.ts
+var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
+//#endregion
 //#region src/docker-git/menu-project-auth-claude.ts
 var oauthTokenFileName = ".oauth-token";
 var legacyConfigFileName = ".config.json";
 var credentialsFileName = ".credentials.json";
 var nestedCredentialsFileName = ".claude/.credentials.json";
-var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var hasNonEmptyOauthToken = (fs, tokenPath) => Effect.gen(function* (_) {
 	if (!(yield* _(hasFileAtPath(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
@@ -9419,6 +9909,107 @@ var hasClaudeAccountCredentials = (fs, accountPath) => hasFileAtPath(fs, `${acco
 	}));
 }));
 //#endregion
+//#region src/docker-git/menu-project-auth-gemini.ts
+var apiKeyFileName = ".api-key";
+var envFileName = ".env";
+var geminiCredentialsDir = ".gemini";
+var hasNonEmptyApiKey = (fs, apiKeyPath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, apiKeyPath)))) return false;
+	return (yield* _(fs.readFileString(apiKeyPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
+});
+var hasApiKeyInEnvFile = (fs, envFilePath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, envFilePath)))) return false;
+	const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+	for (const line of lines) {
+		const trimmed = line.trim();
+		if (trimmed.startsWith("GEMINI_API_KEY=")) {
+			if (trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim().length > 0) return true;
+		}
+	}
+	return false;
+});
+var geminiOauthCredentialFiles = [
+	"oauth-tokens.json",
+	"credentials.json",
+	"application_default_credentials.json"
+];
+var checkAnyFileExists = (fs, basePath, fileNames) => {
+	const [first, ...rest] = fileNames;
+	if (first === void 0) return Effect.succeed(false);
+	return hasFileAtPath(fs, `${basePath}/${first}`).pipe(Effect.flatMap((exists) => exists ? Effect.succeed(true) : checkAnyFileExists(fs, basePath, rest)));
+};
+var hasOauthCredentials = (fs, accountPath) => {
+	const credentialsDir = `${accountPath}/${geminiCredentialsDir}`;
+	return hasFileAtPath(fs, credentialsDir).pipe(Effect.flatMap((dirExists) => dirExists ? checkAnyFileExists(fs, credentialsDir, geminiOauthCredentialFiles) : Effect.succeed(false)));
+};
+var hasGeminiAccountCredentials = (fs, accountPath) => hasNonEmptyApiKey(fs, `${accountPath}/${apiKeyFileName}`).pipe(Effect.flatMap((hasApiKey) => {
+	if (hasApiKey) return Effect.succeed(true);
+	return hasApiKeyInEnvFile(fs, `${accountPath}/${envFileName}`).pipe(Effect.flatMap((hasEnvApiKey) => {
+		if (hasEnvApiKey) return Effect.succeed(true);
+		return hasOauthCredentials(fs, accountPath);
+	}));
+}));
+//#endregion
+//#region src/docker-git/menu-project-auth-flows.ts
+var githubTokenBaseKey$1 = "GITHUB_TOKEN";
+var gitTokenBaseKey$1 = "GIT_AUTH_TOKEN";
+var gitUserBaseKey = "GIT_AUTH_USER";
+var projectGithubLabelKey$1 = "GITHUB_AUTH_LABEL";
+var projectGitLabelKey$1 = "GIT_AUTH_LABEL";
+var projectClaudeLabelKey$1 = "CLAUDE_AUTH_LABEL";
+var projectGeminiLabelKey$1 = "GEMINI_AUTH_LABEL";
+var defaultGitUser = "x-access-token";
+var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
+var clearProjectGitLabels = (envText) => {
+	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey$1, ""), projectGithubLabelKey$1, "");
+};
+var updateProjectGithubConnect = (spec) => {
+	const key = buildLabeledEnvKey(githubTokenBaseKey$1, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, key);
+	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
+	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey$1, "");
+	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGithubDisconnect = (spec) => {
+	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
+	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
+};
+var updateProjectGitConnect = (spec) => {
+	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey$1, spec.rawLabel);
+	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, tokenKey);
+	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
+	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
+	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
+	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey$1, spec.canonicalLabel);
+	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGitDisconnect = (spec) => {
+	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
+	return Effect.succeed(clearProjectGitLabels(withoutUser));
+};
+var resolveAccountCandidates = (authPath, accountLabel) => accountLabel === "default" ? [`${authPath}/default`, authPath] : [`${authPath}/${accountLabel}`];
+var findFirstCredentialsMatch = (fs, candidates, hasCredentials) => Effect.gen(function* (_) {
+	for (const accountPath of candidates) {
+		if (!(yield* _(fs.exists(accountPath)))) continue;
+		if (yield* _(hasCredentials(fs, accountPath), Effect.orElseSucceed(() => false))) return accountPath;
+	}
+	return null;
+});
+var updateProjectClaudeConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.claudeAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasClaudeAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectClaudeDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, ""));
+var updateProjectGeminiConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.geminiAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasGeminiAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Gemini CLI API key", spec.canonicalLabel, spec.geminiAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectGeminiDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, ""));
+var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.when("ProjectGeminiConnect", () => updateProjectGeminiConnect(spec)), Match.when("ProjectGeminiDisconnect", () => updateProjectGeminiDisconnect(spec)), Match.exhaustive);
+//#endregion
 //#region src/docker-git/menu-project-auth-data.ts
 var projectAuthMenuItems = [
 	{
@@ -9445,6 +10036,14 @@ var projectAuthMenuItems = [
 		action: "ProjectClaudeDisconnect",
 		label: "Project: Claude disconnect"
 	},
+	{
+		action: "ProjectGeminiConnect",
+		label: "Project: Gemini connect label"
+	},
+	{
+		action: "ProjectGeminiDisconnect",
+		label: "Project: Gemini disconnect"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -9475,7 +10074,14 @@ var flowSteps = {
 		required: false,
 		secret: false
 	}],
-	ProjectClaudeDisconnect: []
+	ProjectClaudeDisconnect: [],
+	ProjectGeminiConnect: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	ProjectGeminiDisconnect: []
 };
 var resolveCanonicalLabel = (value) => {
 	const normalized = normalizeLabel(value);
@@ -9483,18 +10089,19 @@ var resolveCanonicalLabel = (value) => {
 };
 var githubTokenBaseKey = "GITHUB_TOKEN";
 var gitTokenBaseKey = "GIT_AUTH_TOKEN";
-var gitUserBaseKey = "GIT_AUTH_USER";
 var projectGithubLabelKey = "GITHUB_AUTH_LABEL";
 var projectGitLabelKey = "GIT_AUTH_LABEL";
 var projectClaudeLabelKey = "CLAUDE_AUTH_LABEL";
-var defaultGitUser = "x-access-token";
+var projectGeminiLabelKey = "GEMINI_AUTH_LABEL";
 var buildGlobalEnvPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath(process.cwd());
 	const claudeAuthPath = buildClaudeAuthPath(process.cwd());
+	const geminiAuthPath = buildGeminiAuthPath(process.cwd());
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	yield* _(ensureEnvFile$1(fs, path, project.envProjectPath));
 	const globalEnvText = yield* _(readEnvText(fs, globalEnvPath));
@@ -9505,69 +10112,29 @@ var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 		globalEnvPath,
 		projectEnvPath: project.envProjectPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		globalEnvText,
 		projectEnvText
 	};
 });
-var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	projectDir: project.projectDir,
 	projectName: project.displayName,
 	envGlobalPath: globalEnvPath,
 	envProjectPath: projectEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
 	gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
 	claudeAuthEntries,
+	geminiAuthEntries,
 	activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
 	activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
-	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
+	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey),
+	activeGeminiLabel: findEnvValue(projectEnvText, projectGeminiLabelKey)
 })))));
-var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
-var updateProjectGithubConnect = (spec) => {
-	const key = buildLabeledEnvKey(githubTokenBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, key);
-	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
-	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey, "");
-	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var clearProjectGitLabels = (envText) => {
-	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey, ""), projectGithubLabelKey, "");
-};
-var updateProjectGithubDisconnect = (spec) => {
-	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
-	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
-};
-var updateProjectGitConnect = (spec) => {
-	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey, spec.rawLabel);
-	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, tokenKey);
-	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
-	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
-	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
-	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey, spec.canonicalLabel);
-	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var updateProjectGitDisconnect = (spec) => {
-	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
-	return Effect.succeed(clearProjectGitLabels(withoutUser));
-};
-var resolveClaudeAccountCandidates = (claudeAuthPath, accountLabel) => accountLabel === "default" ? [`${claudeAuthPath}/default`, claudeAuthPath] : [`${claudeAuthPath}/${accountLabel}`];
-var updateProjectClaudeConnect = (spec) => {
-	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
-	const accountCandidates = resolveClaudeAccountCandidates(spec.claudeAuthPath, accountLabel);
-	return Effect.gen(function* (_) {
-		for (const accountPath of accountCandidates) {
-			if (!(yield* _(spec.fs.exists(accountPath)))) continue;
-			if (yield* _(hasClaudeAccountCredentials(spec.fs, accountPath), Effect.orElseSucceed(() => false))) return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel);
-		}
-		return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)));
-	});
-};
-var updateProjectClaudeDisconnect = (spec) => {
-	return Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, ""));
-};
-var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.exhaustive);
-var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
+var resolveSyncMessage = (flow, canonicalLabel, displayName) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${displayName}`), Match.when("ProjectGeminiConnect", () => `chore(state): project auth gemini ${canonicalLabel} ${displayName}`), Match.when("ProjectGeminiDisconnect", () => `chore(state): project auth gemini logout ${displayName}`), Match.exhaustive);
+var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
 	const rawLabel = values["label"] ?? "";
 	const canonicalLabel = resolveCanonicalLabel(rawLabel);
 	const nextProjectEnv = resolveProjectEnvUpdate(flow, {
@@ -9577,9 +10144,10 @@ var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvTex
 		globalEnvPath,
 		globalEnvText,
 		projectEnvText,
-		claudeAuthPath
+		claudeAuthPath,
+		geminiAuthPath
 	});
-	const syncMessage = Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${project.displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${project.displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${project.displayName}`), Match.exhaustive);
+	const syncMessage = resolveSyncMessage(flow, canonicalLabel, project.displayName);
 	return pipe(nextProjectEnv, Effect.flatMap((nextText) => fs.writeFileString(projectEnvPath, nextText)), Effect.zipRight(autoSyncState(syncMessage)));
 }), Effect.asVoid);
 var projectAuthViewSteps = (flow) => flowSteps[flow];
@@ -9615,7 +10183,7 @@ var startProjectAuthPrompt = (project, snapshot, flow, context) => {
 var loadProjectAuthMenuView = (project, context) => pipe(readProjectAuthSnapshot(project), Effect.tap((snapshot) => Effect.sync(() => {
 	startProjectAuthMenu(project, snapshot, context);
 })), Effect.asVoid);
-var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.exhaustive);
+var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.when("ProjectGeminiConnect", () => `Connected Gemini label (${label}) to project.`), Match.when("ProjectGeminiDisconnect", () => "Disconnected Gemini from project."), Match.exhaustive);
 var runProjectAuthEffect = (project, flow, values, label, context) => {
 	context.runner.runEffect(pipe(writeProjectAuthFlow(project, flow, values), Effect.zipRight(readProjectAuthSnapshot(project)), Effect.tap((snapshot) => Effect.sync(() => {
 		startProjectAuthMenu(project, snapshot, context);
@@ -9640,7 +10208,7 @@ var runProjectAuthAction$1 = (action, view, context) => {
 		context.runner.runEffect(loadProjectAuthMenuView(view.project, context));
 		return;
 	}
-	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect") {
+	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect" || action === "ProjectGeminiDisconnect") {
 		runProjectAuthEffect(view.project, action, {}, "default", context);
 		return;
 	}
@@ -10810,7 +11378,7 @@ var setExitCode = (code) => Effect.sync(() => {
 });
 var logWarningAndExit = (error) => pipe(Effect.logWarning(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
 var logErrorAndExit = (error) => pipe(Effect.logError(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
-var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd))).pipe(Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
+var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
 var program = pipe(readCommand, Effect.flatMap((command) => Match.value(command).pipe(Match.when({ _tag: "Help" }, ({ message }) => Effect.log(message)), Match.when({ _tag: "Create" }, (create) => createProject(create)), Match.when({ _tag: "Status" }, () => listProjectStatus), Match.when({ _tag: "DownAll" }, () => downAllDockerGitProjects), Match.when({ _tag: "Menu" }, () => runMenu), Match.orElse((cmd) => handleNonBaseCommand(cmd)))), Effect.catchTag("FileExistsError", (error) => pipe(Effect.logWarning(renderError(error)), Effect.asVoid)), Effect.catchTag("DockerAccessError", logWarningAndExit), Effect.catchTag("DockerCommandError", logWarningAndExit), Effect.catchTag("AuthError", logWarningAndExit), Effect.catchTag("AgentFailedError", logWarningAndExit), Effect.catchTag("CommandFailedError", logWarningAndExit), Effect.catchTag("ScrapArchiveNotFoundError", logErrorAndExit), Effect.catchTag("ScrapTargetDirUnsupportedError", logErrorAndExit), Effect.catchTag("ScrapWipeRefusedError", logErrorAndExit), Effect.matchEffect({
 	onFailure: (error) => isParseError(error) ? logErrorAndExit(error) : pipe(Effect.logError(renderError(error)), Effect.flatMap(() => Effect.fail(error))),
 	onSuccess: () => Effect.void