@prover-coder-ai/docker-git 1.0.43 → 1.0.45

package/dist/src/docker-git/main.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { NodeContext, NodeRuntime } from "@effect/platform-node";
-import { Data, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
+import { Data, Deferred, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
 import * as FileSystem from "@effect/platform/FileSystem";
 import * as Path from "@effect/platform/Path";
 import * as Command from "@effect/platform/Command";
@@ -269,6 +269,8 @@ var defaultTemplateConfig = {
 	codexAuthPath: "./.docker-git/.orch/auth/codex",
 	codexSharedAuthPath: "./.docker-git/.orch/auth/codex",
 	codexHome: "/home/dev/.codex",
+	geminiAuthPath: "./.docker-git/.orch/auth/gemini",
+	geminiHome: "/home/dev/.gemini",
 	cpuLimit: "30%",
 	ramLimit: "30%",
 	dockerNetworkMode: defaultDockerNetworkMode,
@@ -809,6 +811,10 @@ var buildDockerAuthSpec = (input) => ({
 	args: input.args,
 	interactive: input.interactive
 });
+var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
 //#endregion
 //#region ../lib/src/usecases/auth-sync-helpers.ts
 var JsonValueSchema = Schema.suspend(() => Schema.Union(Schema.Null, Schema.Boolean, Schema.String, Schema.JsonNumber, Schema.Array(JsonValueSchema), Schema.Record({
@@ -876,7 +882,7 @@ var autoOptionError = (reason) => ({
 	option: "--auto",
 	reason
 });
-var isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
 	if (!(yield* _(fs.exists(filePath)))) return false;
 	return (yield* _(fs.stat(filePath))).type === "File";
 });
@@ -892,8 +898,8 @@ var resolveClaudeAccountPath$1 = (rootPath, label) => {
 var hasClaudeAuth = (fs, rootPath, label) => Effect.gen(function* (_) {
 	for (const accountPath of resolveClaudeAccountPath$1(rootPath, label)) {
 		if (yield* _(hasNonEmptyFile(fs, `${accountPath}/.oauth-token`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.credentials.json`))) return true;
-		if (yield* _(isRegularFile$1(fs, `${accountPath}/.claude/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.credentials.json`))) return true;
+		if (yield* _(isRegularFile(fs, `${accountPath}/.claude/.credentials.json`))) return true;
 	}
 	return false;
 });
@@ -1357,6 +1363,9 @@ var TemplateConfigSchema = Schema.Struct({
 	codexAuthPath: Schema.String,
 	codexSharedAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.codexSharedAuthPath }),
 	codexHome: Schema.String,
+	geminiAuthLabel: Schema.optional(Schema.String),
+	geminiAuthPath: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiAuthPath }),
+	geminiHome: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.geminiHome }),
 	cpuLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.cpuLimit }),
 	ramLimit: Schema.optionalWith(Schema.String, { default: () => defaultTemplateConfig.ramLimit }),
 	dockerNetworkMode: Schema.optionalWith(Schema.Literal("shared", "project"), { default: () => defaultTemplateConfig.dockerNetworkMode }),
@@ -2169,6 +2178,7 @@ elif [[ "$TARGET_DIR" == "~/"* ]]; then
 fi
 CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 CODEX_AUTH_LABEL="\${CODEX_AUTH_LABEL:-}"
+GEMINI_AUTH_LABEL="\${GEMINI_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-x-access-token}}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
 GH_TOKEN="\${GH_TOKEN:-\${GIT_AUTH_TOKEN:-}}"
@@ -2969,6 +2979,209 @@ if [[ -f "$LEGACY_AGENTS_PATH" && -f "$AGENTS_PATH" ]]; then
 fi`;
 var renderEntrypointAgentsNotice = (config) => entrypointAgentsNoticeTemplate.replaceAll("__CODEX_HOME__", config.codexHome).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__TARGET_DIR__", config.targetDir);
 //#endregion
+//#region ../lib/src/core/templates-entrypoint/gemini.ts
+var geminiAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/gemini`;
+var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_HOME for sessions (OAuth cache lives under ~/.docker-git/.orch/auth/gemini)
+GEMINI_LABEL_RAW="$GEMINI_AUTH_LABEL"
+if [[ -z "$GEMINI_LABEL_RAW" ]]; then
+  GEMINI_LABEL_RAW="default"
+fi
+
+GEMINI_LABEL_NORM="$(printf "%s" "$GEMINI_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$GEMINI_LABEL_NORM" ]]; then
+  GEMINI_LABEL_NORM="default"
+fi
+
+GEMINI_AUTH_ROOT="__GEMINI_AUTH_ROOT__"
+export GEMINI_CONFIG_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
+
+mkdir -p "$GEMINI_CONFIG_DIR" || true
+GEMINI_HOME_DIR="__GEMINI_HOME_DIR__"
+mkdir -p "$GEMINI_HOME_DIR" || true
+
+docker_git_link_gemini_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    return 0
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+# Link .api-key and .env from central auth storage to container home
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.api-key" "$GEMINI_HOME_DIR/.api-key"
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.env" "$GEMINI_HOME_DIR/.env"
+
+# Ensure gemini YOLO wrapper exists
+GEMINI_REAL_BIN="$(command -v gemini || echo "/usr/local/bin/gemini")"
+GEMINI_WRAPPER_BIN="/usr/local/bin/gemini-wrapper"
+if [[ -f "$GEMINI_REAL_BIN" && "$GEMINI_REAL_BIN" != "$GEMINI_WRAPPER_BIN" ]]; then
+  if [[ ! -f "$GEMINI_WRAPPER_BIN" ]]; then
+    cat <<'EOF' > "$GEMINI_WRAPPER_BIN"
+#!/usr/bin/env bash
+GEMINI_ORIGINAL_BIN="__GEMINI_REAL_BIN__"
+exec "$GEMINI_ORIGINAL_BIN" --yolo "$@"
+EOF
+    sed -i "s#__GEMINI_REAL_BIN__#$GEMINI_REAL_BIN#g" "$GEMINI_WRAPPER_BIN" || true
+    chmod 0755 "$GEMINI_WRAPPER_BIN" || true
+    # Create an alias or symlink if needed, but here we just ensure it exists
+  fi
+fi
+
+# Special case for .gemini folder: we want the folder itself to be the link if it doesn't exist
+# or its content to be linked if we want to manage it.
+if [[ -d "$GEMINI_CONFIG_DIR/.gemini" ]]; then
+  if [[ -L "$GEMINI_HOME_DIR" ]]; then
+    rm -f "$GEMINI_HOME_DIR"
+  elif [[ -d "$GEMINI_HOME_DIR" ]]; then
+    # If it's a real directory, move it aside if it's empty or just has our managed files
+    mv "$GEMINI_HOME_DIR" "$GEMINI_HOME_DIR.bak-$(date +%s)" || true
+  fi
+  ln -sfn "$GEMINI_CONFIG_DIR/.gemini" "$GEMINI_HOME_DIR"
+fi
+
+docker_git_refresh_gemini_env() {
+  # If .api-key exists, export it as GEMINI_API_KEY
+  if [[ -f "$GEMINI_HOME_DIR/.api-key" ]]; then
+    export GEMINI_API_KEY="$(cat "$GEMINI_HOME_DIR/.api-key" | tr -d '\r\n')"
+  elif [[ -f "$GEMINI_HOME_DIR/.env" ]]; then
+    # Parse GEMINI_API_KEY from .env
+    API_KEY="$(grep "^GEMINI_API_KEY=" "$GEMINI_HOME_DIR/.env" | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//")"
+    if [[ -n "$API_KEY" ]]; then
+      export GEMINI_API_KEY="$API_KEY"
+    fi
+  fi
+}
+
+docker_git_refresh_gemini_env`;
+var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", config.geminiHome);
+var renderGeminiPermissionSettingsConfig = (config) => String.raw`# Gemini CLI: keep trust settings in sync with docker-git defaults
+GEMINI_SETTINGS_DIR="${config.geminiHome}"
+GEMINI_TRUST_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/trustedFolders.json"
+GEMINI_CONFIG_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/settings.json"
+
+# Wait for symlink to be established by the auth config step
+mkdir -p "$GEMINI_SETTINGS_DIR" || true
+
+# Disable folder trust prompt and enable auto-approval in settings.json
+if [[ ! -f "$GEMINI_CONFIG_SETTINGS_FILE" ]]; then
+  cat <<'EOF' > "$GEMINI_CONFIG_SETTINGS_FILE"
+{
+  "security": {
+    "folderTrust": {
+      "enabled": false
+    },
+    "approvalPolicy": "never"
+  }
+}
+EOF
+fi
+
+# Pre-trust important directories in trustedFolders.json
+# Use flat mapping as required by recent Gemini CLI versions
+cat <<'EOF' > "$GEMINI_TRUST_SETTINGS_FILE"
+{
+  "/": "TRUST_FOLDER",
+  "${config.geminiHome}": "TRUST_FOLDER",
+  "${config.targetDir}": "TRUST_FOLDER"
+}
+EOF
+
+chown -R 1000:1000 "$GEMINI_SETTINGS_DIR" || true
+chmod 0600 "$GEMINI_TRUST_SETTINGS_FILE" "$GEMINI_CONFIG_SETTINGS_FILE" 2>/dev/null || true`;
+var renderGeminiSudoConfig = (config) => String.raw`# Gemini CLI: allow passwordless sudo for agent tasks
+if [[ -d /etc/sudoers.d ]]; then
+  echo "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/gemini-agent
+  chmod 0440 /etc/sudoers.d/gemini-agent
+fi`;
+var renderGeminiMcpPlaywrightConfig = (_config) => String.raw`# Gemini CLI: keep Playwright MCP config in sync (TODO: Gemini CLI MCP integration format)
+# For now, Gemini CLI uses MCP via ~/.gemini/settings.json or command line.
+# We'll ensure it has the same Playwright capability as Claude/Codex once format is confirmed.`;
+var renderGeminiProfileSetup = (config) => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
+printf "export GEMINI_AUTH_LABEL=%q\n" "$GEMINI_AUTH_LABEL" > "$GEMINI_PROFILE"
+printf "export GEMINI_HOME=%q\n" "${config.geminiHome}" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_DISABLE_UPDATE_CHECK=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_NONINTERACTIVE=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_APPROVAL_MODE=yolo\n" >> "$GEMINI_PROFILE"
+printf "alias gemini='/usr/local/bin/gemini-wrapper'\n" >> "$GEMINI_PROFILE"
+cat <<'EOF' >> "$GEMINI_PROFILE"
+if [[ -f "$GEMINI_HOME/.api-key" ]]; then
+  export GEMINI_API_KEY="$(cat "$GEMINI_HOME/.api-key" | tr -d '\r\n')"
+fi
+EOF
+chmod 0644 "$GEMINI_PROFILE" || true
+
+docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "$GEMINI_AUTH_LABEL"
+docker_git_upsert_ssh_env "GEMINI_API_KEY" "\${GEMINI_API_KEY:-}"
+docker_git_upsert_ssh_env "GEMINI_CLI_DISABLE_UPDATE_CHECK" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_NONINTERACTIVE" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_APPROVAL_MODE" "yolo"`;
+var entrypointGeminiNoticeTemplate = String.raw`# Ensure global GEMINI.md exists for container context
+GEMINI_MD_PATH="__GEMINI_HOME__/GEMINI.md"
+GEMINI_WORKSPACE_CONTEXT="Контекст workspace: repository"
+if [[ "$REPO_REF" == issue-* ]]; then
+  ISSUE_ID="$(printf "%s" "$REPO_REF" | sed -E 's#^issue-##')"
+  ISSUE_URL=""
+  if [[ "$REPO_URL" == https://github.com/* ]]; then
+    ISSUE_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO" ]]; then
+      ISSUE_URL="https://github.com/$ISSUE_REPO/issues/$ISSUE_ID"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID ($ISSUE_URL)"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID"
+  fi
+elif [[ "$REPO_REF" == refs/pull/*/head ]]; then
+  PR_ID="$(printf "%s" "$REPO_REF" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL=""
+  if [[ "$REPO_URL" == https://github.com/* && -n "$PR_ID" ]]; then
+    PR_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO" ]]; then
+      PR_URL="https://github.com/$PR_REPO/pull/$PR_ID"
+    fi
+  fi
+  if [[ -n "$PR_ID" && -n "$PR_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID ($PR_URL)"
+  elif [[ -n "$PR_ID" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF)"
+  fi
+fi
+
+cat <<EOF > "$GEMINI_MD_PATH"
+<!-- docker-git-managed:gemini-md -->
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, gemini, claude, opencode, oh-my-opencode, sshpass, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$GEMINI_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Для решения задач обязательно используй subagents. Сам агент обязан выполнять финальную проверку, интеграцию и валидацию результата перед ответом пользователю.
+Если ты видишь файлы AGENTS.md, GEMINI.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+<!-- /docker-git-managed:gemini-md -->
+EOF
+chown 1000:1000 "$GEMINI_MD_PATH" || true`;
+var renderEntrypointGeminiNotice = (config) => entrypointGeminiNoticeTemplate.replaceAll("__GEMINI_HOME__", config.geminiHome).replaceAll("__TARGET_DIR__", config.targetDir);
+var renderEntrypointGeminiConfig = (config) => [
+	renderGeminiAuthConfig(config),
+	renderGeminiPermissionSettingsConfig(config),
+	renderGeminiMcpPlaywrightConfig(config),
+	renderGeminiSudoConfig(config),
+	renderGeminiProfileSetup(config),
+	renderEntrypointGeminiNotice(config)
+].join("\n\n");
+//#endregion
 //#region ../lib/src/core/templates-entrypoint/git.ts
 var renderAuthLabelResolution = () => String.raw`# 2) Ensure GitHub auth vars are available for SSH sessions.
 # Prefer a label-selected token (same selection model as clone/create) when present.
@@ -3534,6 +3747,7 @@ AGENT_ENV_FILE="/run/docker-git/agent-env.sh"
 {
   [[ -f /etc/profile.d/gh-token.sh ]] && cat /etc/profile.d/gh-token.sh
   [[ -f /etc/profile.d/claude-config.sh ]] && cat /etc/profile.d/claude-config.sh
+  [[ -f /etc/profile.d/gemini-config.sh ]] && cat /etc/profile.d/gemini-config.sh
 } > "$AGENT_ENV_FILE" 2>/dev/null || true
 chmod 644 "$AGENT_ENV_FILE"`,
 	renderAgentPrompt(),
@@ -3543,7 +3757,7 @@ if [[ -n "$AGENT_PROMPT" ]]; then
   chmod 644 "$AGENT_PROMPT_FILE"
 fi`
 ].join("\n\n");
-var renderAgentPromptCommand = (mode) => mode === "claude" ? String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"` : String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`;
+var renderAgentPromptCommand = (mode) => Match.value(mode).pipe(Match.when("claude", () => String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("codex", () => String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.exhaustive);
 var renderAgentAutoLaunchCommand = (config, mode) => String.raw`su - ${config.sshUser} -s /bin/bash -c "bash -lc '. /etc/profile 2>/dev/null || true; . \"$AGENT_ENV_FILE\" 2>/dev/null || true; cd \"$TARGET_DIR\" && ${renderAgentPromptCommand(mode)}'"`;
 var renderAgentModeBlock = (config, mode) => {
 	const startMessage = `[agent] starting ${mode}...`;
@@ -3564,6 +3778,7 @@ var renderAgentModeCase = (config) => [
 	String.raw`case "$AGENT_MODE" in`,
 	indentBlock(renderAgentModeBlock(config, "claude")),
 	indentBlock(renderAgentModeBlock(config, "codex")),
+	indentBlock(renderAgentModeBlock(config, "gemini")),
 	indentBlock(String.raw`*)
   echo "[agent] unknown agent mode: $AGENT_MODE"
   ;;`),
@@ -3871,6 +4086,7 @@ var renderEntrypoint = (config) => [
 	renderEntrypointDockerSocket(config),
 	renderEntrypointGitConfig(config),
 	renderEntrypointClaudeConfig(config),
+	renderEntrypointGeminiConfig(config),
 	renderEntrypointGitHooks(),
 	renderEntrypointBackgroundTasks(config),
 	renderEntrypointBaseline(),
@@ -4035,7 +4251,9 @@ RUN set -eu; \
   npm install -g oh-my-opencode@latest "oh-my-opencode-linux-\${OH_MY_OPENCODE_ARCH}@latest"
 RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
-RUN claude --version`;
+RUN claude --version
+RUN npm install -g @google/gemini-cli@latest --force
+RUN gemini --version`;
 var renderDockerfileOpenCode = () => `# Tooling: OpenCode (binary)
 RUN set -eu; \
   for attempt in 1 2 3 4 5; do \
@@ -4427,7 +4645,7 @@ var resolveOriginPushTarget = (originUrl) => {
 	const trimmed = originUrl?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : "origin";
 };
-var resolveSyncMessage = (value) => {
+var resolveSyncMessage$1 = (value) => {
 	const trimmed = value?.trim() ?? "";
 	return trimmed.length > 0 ? trimmed : defaultSyncMessage;
 };
@@ -4508,7 +4726,7 @@ var runStateSyncOps = (root, originUrl, message, env, options) => Effect.gen(fun
 	yield* _(normalizeLegacyStateProjects(root));
 	const baseBranch = resolveBaseBranch(yield* _(getCurrentBranch(root, env)));
 	yield* _(pullRemoteAndRestoreLocal(root, baseBranch, env));
-	yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env));
+	yield* _(commitAllIfNeeded(root, resolveSyncMessage$1(message), env));
 	const pushExit = yield* _(gitExitCode(root, [
 		"push",
 		"--no-verify",
@@ -5921,12 +6139,7 @@ var applyProjectConfig = (command) => runApplyForProjectDir(command.projectDir,
 	return yield* _(runApplyForProjectDir(inferredProjectDir, command));
 }) : Effect.fail(error)));
 //#endregion
-//#region ../lib/src/usecases/auth-claude-oauth.ts
-var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
-var tokenMarker = "Your OAuth token (valid for 1 year):";
-var tokenFooterMarker = "Store this token securely.";
-var outputWindowSize = 262144;
-var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
+//#region ../lib/src/shell/ansi-strip.ts
 var ansiEscape = "\x1B";
 var ansiBell = "\x07";
 var isAnsiFinalByte = (codePoint) => codePoint !== void 0 && codePoint >= 64 && codePoint <= 126;
@@ -5970,6 +6183,20 @@ var stripAnsi = (raw) => {
 	}
 	return cleaned.join("");
 };
+var writeChunkToFd = (fd, chunk) => {
+	if (fd === 2) {
+		process.stderr.write(chunk);
+		return;
+	}
+	process.stdout.write(chunk);
+};
+//#endregion
+//#region ../lib/src/usecases/auth-claude-oauth.ts
+var oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
+var tokenMarker = "Your OAuth token (valid for 1 year):";
+var tokenFooterMarker = "Store this token securely.";
+var outputWindowSize$1 = 262144;
+var oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
 var extractOauthToken = (rawOutput) => {
 	const normalized = stripAnsi(rawOutput).replaceAll("\r", "\n");
 	const markerIndex = normalized.lastIndexOf(tokenMarker);
@@ -6024,21 +6251,14 @@ var buildDockerSetupTokenArgs = (spec) => {
 		...spec.args
 	];
 };
-var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
-var writeChunkToFd = (fd, chunk) => {
-	if (fd === 2) {
-		process.stderr.write(chunk);
-		return;
-	}
-	process.stdout.write(chunk);
-};
-var pumpDockerOutput = (source, fd, tokenBox) => {
+var startDockerProcess$1 = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerSetupTokenArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput$1 = (source, fd, tokenBox) => {
 	const decoder = new TextDecoder("utf-8");
 	let outputWindow = "";
 	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
 		writeChunkToFd(fd, chunk);
 		outputWindow += decoder.decode(chunk);
-		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (outputWindow.length > outputWindowSize$1) outputWindow = outputWindow.slice(-outputWindowSize$1);
 		if (tokenBox.value !== null) return;
 		const parsed = extractOauthToken(outputWindow);
 		if (parsed !== null) tokenBox.value = parsed;
@@ -6060,10 +6280,10 @@ var runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
 	const envToken = oauthTokenFromEnv();
 	if (envToken !== null) return ensureOauthToken(envToken);
 	return Effect.scoped(Effect.gen(function* (_) {
-		const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+		const proc = yield* _(startDockerProcess$1(yield* _(CommandExecutor.CommandExecutor), buildDockerSetupTokenSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
 		const tokenBox = { value: null };
-		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, tokenBox)));
-		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, tokenBox)));
+		const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stdout, 1, tokenBox)));
+		const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput$1(proc.stderr, 2, tokenBox)));
 		const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
 		yield* _(Fiber$1.join(stdoutFiber));
 		yield* _(Fiber$1.join(stderrFiber));
@@ -6084,19 +6304,15 @@ var claudeOauthTokenPath = (accountPath) => `${accountPath}/${claudeOauthTokenFi
 var claudeConfigPath = (accountPath) => `${accountPath}/${claudeConfigFileName}`;
 var claudeCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsFileName}`;
 var claudeNestedCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsDirName}/${claudeCredentialsFileName}`;
-var isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var syncClaudeCredentialsFile = (fs, accountPath) => Effect.gen(function* (_) {
 	const nestedPath = claudeNestedCredentialsPath(accountPath);
 	const rootPath = claudeCredentialsPath(accountPath);
-	if (yield* _(isRegularFile(fs, nestedPath))) {
+	if (yield* _(isRegularFile$1(fs, nestedPath))) {
 		yield* _(fs.copyFile(nestedPath, rootPath));
 		yield* _(fs.chmod(rootPath, 384), Effect.orElseSucceed(() => void 0));
 		return;
 	}
-	if (yield* _(isRegularFile(fs, rootPath))) {
+	if (yield* _(isRegularFile$1(fs, rootPath))) {
 		const nestedDirPath = `${accountPath}/${claudeCredentialsDirName}`;
 		yield* _(fs.makeDirectory(nestedDirPath, { recursive: true }));
 		yield* _(fs.copyFile(rootPath, nestedPath));
@@ -6109,12 +6325,12 @@ var clearClaudeSessionCredentials = (fs, accountPath) => Effect.gen(function* (_
 });
 var hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return false;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
 });
 var readOauthToken = (fs, accountPath) => Effect.gen(function* (_) {
 	const tokenPath = claudeOauthTokenPath(accountPath);
-	if (!(yield* _(isRegularFile(fs, tokenPath)))) return null;
+	if (!(yield* _(isRegularFile$1(fs, tokenPath)))) return null;
 	const token = (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim();
 	return token.length > 0 ? token : null;
 });
@@ -6124,7 +6340,7 @@ var resolveClaudeAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
 		return "oauth-token";
 	}
 	yield* _(syncClaudeCredentialsFile(fs, accountPath));
-	return (yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
+	return (yield* _(isRegularFile$1(fs, claudeCredentialsPath(accountPath)))) ? "claude-ai-session" : "none";
 });
 var buildClaudeAuthEnv = (interactive, oauthToken = null) => [...interactive ? [
 	`HOME=${claudeContainerHomeDir}`,
@@ -6349,6 +6565,353 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
+//#region ../lib/src/usecases/auth-gemini-oauth.ts
+var outputWindowSize = 262144;
+var authSuccessPatterns = [
+	"Authentication succeeded",
+	"Authentication successful",
+	"Successfully authenticated",
+	"Logged in as",
+	"You are now logged in",
+	"Logged in with Google"
+];
+var authFailurePatterns = [
+	"Authentication failed",
+	"Failed to authenticate",
+	"Authorization failed",
+	"Authentication timed out",
+	"Authentication cancelled"
+];
+var detectAuthResult = (output) => {
+	const normalized = stripAnsi(output).toLowerCase();
+	const authInitiated = [
+		"please visit the following url",
+		"enter the authorization code",
+		"authorized the application"
+	].some((m) => normalized.includes(m));
+	if (authSuccessPatterns.some((pattern) => normalized.includes(pattern.toLowerCase()) && (authInitiated || normalized.includes("logged in with google")))) return "success";
+	if (authFailurePatterns.some((pattern) => normalized.includes(pattern.toLowerCase()))) return "failure";
+	return "pending";
+};
+var defaultGeminiOauthCallbackPort = 38751;
+var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath, port) => ({
+	cwd,
+	image,
+	hostPath: accountPath,
+	containerPath,
+	callbackPort: port,
+	env: [
+		`HOME=${containerPath}`,
+		"NO_BROWSER=true",
+		"GEMINI_CLI_NONINTERACTIVE=true",
+		"GEMINI_CLI_TRUST_ALL=true",
+		`OAUTH_CALLBACK_PORT=${port}`,
+		"OAUTH_CALLBACK_HOST=0.0.0.0"
+	]
+});
+var buildDockerGeminiAuthArgs = (spec) => {
+	const base = [
+		"run",
+		"--rm",
+		"-i",
+		"-t",
+		"-v",
+		`${spec.hostPath}:${spec.containerPath}`,
+		"-p",
+		`${spec.callbackPort}:${spec.callbackPort}`
+	];
+	for (const entry of spec.env) {
+		const trimmed = entry.trim();
+		if (trimmed.length === 0) continue;
+		base.push("-e", trimmed);
+	}
+	return [
+		...base,
+		spec.image,
+		"gemini",
+		"login",
+		"--debug"
+	];
+};
+var cleanupExistingContainers = (port) => Effect.gen(function* (_) {
+	const ids = (yield* _(runCommandCapture({
+		cwd: process.cwd(),
+		command: "docker",
+		args: [
+			"ps",
+			"-q",
+			"--filter",
+			`publish=${port}`
+		]
+	}, [0], () => /* @__PURE__ */ new Error("docker ps failed")).pipe(Effect.map((value) => value.trim()), Effect.orElseSucceed(() => "")))).split("\n").filter(Boolean);
+	if (ids.length > 0) {
+		yield* _(Effect.logInfo(`Cleaning up existing containers using port ${port}: ${ids.join(", ")}`));
+		yield* _(runCommandExitCode({
+			cwd: process.cwd(),
+			command: "docker",
+			args: [
+				"rm",
+				"-f",
+				...ids
+			]
+		}).pipe(Effect.orElse(() => Effect.succeed(0))));
+	}
+});
+var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerGeminiAuthArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
+var pumpDockerOutput = (source, fd, resultBox, authDeferred) => {
+	const decoder = new TextDecoder("utf-8");
+	let outputWindow = "";
+	return pipe(source, Stream.runForEach((chunk) => Effect.gen(function* (_) {
+		yield* _(Effect.sync(() => {
+			writeChunkToFd(fd, chunk);
+		}));
+		outputWindow += decoder.decode(chunk);
+		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
+		if (resultBox.value !== "pending") return;
+		const result = detectAuthResult(outputWindow);
+		if (result !== "pending") {
+			resultBox.value = result;
+			if (result === "success") yield* _(Deferred.succeed(authDeferred, void 0));
+		}
+	}))).pipe(Effect.asVoid);
+};
+var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
+	if (result === "success") {
+		if (exitCode !== 0) yield* _(Effect.logWarning(`Gemini CLI returned exit=${exitCode}, but authentication appears successful; continuing.`));
+		return;
+	}
+	if (result === "failure") yield* _(Effect.fail(new AuthError({ message: "Gemini CLI OAuth authentication failed. Please try again." })));
+	if (exitCode !== 0) yield* _(Effect.fail(new CommandFailedError({
+		command: "gemini",
+		exitCode
+	})));
+});
+var printOauthInstructions = () => Effect.sync(() => {
+	const port = defaultGeminiOauthCallbackPort;
+	process.stderr.write("\n");
+	process.stderr.write("╔═══════════════════════════════════════════════════════════════════════════╗\n");
+	process.stderr.write("║                    Gemini CLI OAuth Authentication                        ║\n");
+	process.stderr.write("╠═══════════════════════════════════════════════════════════════════════════╣\n");
+	process.stderr.write("║ 1. Copy the auth URL shown below and open it in your browser              ║\n");
+	process.stderr.write("║ 2. Sign in with your Google account                                       ║\n");
+	process.stderr.write(`║ 3. After authentication, the browser will redirect to localhost:${port}    ║\n`);
+	process.stderr.write("║ 4. The callback will be captured automatically (port is forwarded)        ║\n");
+	process.stderr.write("╚═══════════════════════════════════════════════════════════════════════════╝\n");
+	process.stderr.write("\n");
+});
+var fixGeminiAuthPermissions = (hostPath, containerPath) => runCommandExitCode({
+	cwd: process.cwd(),
+	command: "docker",
+	args: [
+		"run",
+		"--rm",
+		"-v",
+		`${hostPath}:${containerPath}`,
+		"alpine",
+		"chmod",
+		"-R",
+		"777",
+		containerPath
+	]
+}).pipe(Effect.tapError((err) => Effect.logWarning(`Failed to fix Gemini auth permissions: ${String(err)}`)), Effect.orElse(() => Effect.succeed(0)));
+var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped(Effect.gen(function* (_) {
+	const port = defaultGeminiOauthCallbackPort;
+	yield* _(cleanupExistingContainers(port));
+	yield* _(printOauthInstructions());
+	const executor = yield* _(CommandExecutor.CommandExecutor);
+	const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath));
+	const spec = buildDockerGeminiAuthSpec(cwd, hostPath, options.image, options.containerPath, port);
+	const proc = yield* _(startDockerProcess(executor, spec));
+	const authDeferred = yield* _(Deferred.make());
+	const resultBox = { value: "pending" };
+	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox, authDeferred)));
+	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox, authDeferred)));
+	const exitCode = yield* _(Effect.race(proc.exitCode.pipe(Effect.map(Number)), pipe(Deferred.await(authDeferred), Effect.flatMap(() => proc.kill()), Effect.map(() => 0))));
+	yield* _(Fiber$1.join(stdoutFiber));
+	yield* _(Fiber$1.join(stderrFiber));
+	yield* _(fixGeminiAuthPermissions(hostPath, spec.containerPath));
+	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
+}));
+//#endregion
+//#region ../lib/src/usecases/auth-gemini.ts
+var geminiImageName = "docker-git-auth-gemini:latest";
+var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
+var geminiContainerHomeDir = "/gemini-home";
+var geminiCredentialsDir$1 = ".gemini";
+var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
+var geminiApiKeyFileName = ".api-key";
+var geminiEnvFileName = ".env";
+var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
+var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
+var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
+var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && node -v \
+  && npm -v \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @google/gemini-cli@latest
+ENTRYPOINT ["/bin/bash", "-c"]
+`;
+var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath: defaultTemplateConfig.envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ".docker-git/.orch/auth/gh",
+	claudeAuthPath: ".docker-git/.orch/auth/claude",
+	geminiAuthPath: ".docker-git/.orch/auth/gemini"
+});
+var resolveGeminiAccountPath = (path, rootPath, label) => {
+	const accountLabel = normalizeAccountLabel(label, "default");
+	return {
+		accountLabel,
+		accountPath: path.join(rootPath, accountLabel)
+	};
+};
+var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGeminiOrchLayout(cwd));
+	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
+	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
+	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
+		imageName: geminiImageName,
+		imageDir: geminiImageDir,
+		dockerfile: renderGeminiDockerfile(),
+		buildLabel: "gemini auth"
+	}));
+	return yield* _(run({
+		accountLabel,
+		accountPath,
+		cwd,
+		fs
+	}));
+}));
+var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
+	const apiKeyFilePath = geminiApiKeyPath(accountPath);
+	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
+		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
+		if (trimmed.length > 0) return trimmed;
+	}
+	const envFilePath = geminiEnvFilePath(accountPath);
+	if (yield* _(isRegularFile$1(fs, envFilePath))) {
+		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("GEMINI_API_KEY=")) {
+				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
+				if (value.length > 0) return value;
+			}
+		}
+	}
+	return null;
+});
+var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	if (!(yield* _(fs.exists(credentialsDir)))) return false;
+	const possibleFiles = [
+		`${credentialsDir}/oauth-tokens.json`,
+		`${credentialsDir}/credentials.json`,
+		`${credentialsDir}/application_default_credentials.json`
+	];
+	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
+	return false;
+});
+var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
+	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
+});
+var authGeminiLogin = (command, apiKey) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		const apiKeyFilePath = geminiApiKeyPath(accountPath);
+		yield* _(fs.writeFileString(apiKeyFilePath, `${apiKey.trim()}\n`));
+		yield* _(fs.chmod(apiKeyFilePath, 384), Effect.orElseSucceed(() => void 0));
+	})).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini ${accountLabel}`)));
+};
+var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
+	yield* _(Effect.log("Gemini CLI supports two authentication methods:"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("1. API Key (recommended for simplicity):"));
+	yield* _(Effect.log("   - Go to https://ai.google.dev/aistudio"));
+	yield* _(Effect.log("   - Create or retrieve your API key"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: set API key"));
+	yield* _(Effect.log(""));
+	yield* _(Effect.log("2. OAuth (Sign in with Google):"));
+	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: login via OAuth"));
+	yield* _(Effect.log("   - Follow the prompts to authenticate with your Google account"));
+});
+var prepareGeminiCredentialsDir = (cwd, accountPath, fs) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	const removeFallback = pipe(runCommandExitCode({
+		cwd,
+		command: "docker",
+		args: [
+			"run",
+			"--rm",
+			"-v",
+			`${accountPath}:/target`,
+			"alpine",
+			"rm",
+			"-rf",
+			"/target/.gemini"
+		]
+	}), Effect.asVoid, Effect.orElse(() => Effect.void));
+	yield* _(fs.remove(credentialsDir, {
+		recursive: true,
+		force: true
+	}).pipe(Effect.orElse(() => removeFallback)));
+	yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+	return credentialsDir;
+});
+var writeInitialSettings = (credentialsDir, fs) => Effect.gen(function* (_) {
+	const settingsPath = `${credentialsDir}/settings.json`;
+	yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: { folderTrust: { enabled: false } } })));
+	const trustedFoldersPath = `${credentialsDir}/trustedFolders.json`;
+	yield* _(fs.writeFileString(trustedFoldersPath, JSON.stringify({
+		"/": "TRUST_FOLDER",
+		[geminiContainerHomeDir]: "TRUST_FOLDER"
+	})));
+	return settingsPath;
+});
+var authGeminiLoginOauth = (command) => {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
+		const settingsPath = yield* _(writeInitialSettings(yield* _(prepareGeminiCredentialsDir(cwd, accountPath, fs)), fs));
+		yield* _(runGeminiOauthLoginWithPrompt(cwd, accountPath, {
+			image: geminiImageName,
+			containerPath: geminiContainerHomeDir
+		}));
+		yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: {
+			folderTrust: { enabled: false },
+			auth: { selectedType: "oauth-personal" },
+			approvalPolicy: "never"
+		} }, null, 2) + "\n"));
+	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
+};
+var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
+	const authMethod = yield* _(resolveGeminiAuthMethod(fs, accountPath));
+	if (authMethod === "none") {
+		yield* _(Effect.log(`Gemini not connected (${accountLabel}).`));
+		return;
+	}
+	yield* _(Effect.log(`Gemini connected (${accountLabel}, ${authMethod}).`));
+}));
+var authGeminiLogout = (command) => Effect.gen(function* (_) {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	yield* _(withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		yield* _(fs.remove(geminiApiKeyPath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiEnvFilePath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiCredentialsPath(accountPath), {
+			recursive: true,
+			force: true
+		}));
+	})));
+	yield* _(autoSyncState(`chore(state): auth gemini logout ${accountLabel}`));
+}).pipe(Effect.asVoid);
+//#endregion
 //#region ../lib/src/usecases/state-repo-github.ts
 var dotDockerGitRepoName = ".docker-git";
 var defaultStateRef = "main";
@@ -7646,10 +8209,12 @@ var normalizeLabel$1 = (value) => {
 var defaultEnvGlobalPath = ".docker-git/.orch/env/global.env";
 var defaultCodexAuthPath = ".docker-git/.orch/auth/codex";
 var defaultClaudeAuthPath = ".docker-git/.orch/auth/claude";
+var defaultGeminiAuthPath = ".docker-git/.orch/auth/gemini";
 var resolveAuthOptions = (raw) => ({
 	envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
 	codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
 	claudeAuthPath: defaultClaudeAuthPath,
+	geminiAuthPath: defaultGeminiAuthPath,
 	label: normalizeLabel$1(raw.label),
 	token: normalizeLabel$1(raw.token),
 	scopes: normalizeLabel$1(raw.scopes),
@@ -7695,7 +8260,21 @@ var buildClaudeCommand = (action, options) => Match.value(action).pipe(Match.whe
 	label: options.label,
 	claudeAuthPath: options.claudeAuthPath
 })), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
-var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
+var buildGeminiCommand = (action, options) => Match.value(action).pipe(Match.when("login", () => Either.right({
+	_tag: "AuthGeminiLogin",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath,
+	isWeb: options.authWeb
+})), Match.when("status", () => Either.right({
+	_tag: "AuthGeminiStatus",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.when("logout", () => Either.right({
+	_tag: "AuthGeminiLogout",
+	label: options.label,
+	geminiAuthPath: options.geminiAuthPath
+})), Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`))));
+var buildAuthCommand = (provider, action, options) => Match.value(provider).pipe(Match.when("github", () => buildGithubCommand(action, options)), Match.when("gh", () => buildGithubCommand(action, options)), Match.when("codex", () => buildCodexCommand(action, options)), Match.when("claude", () => buildClaudeCommand(action, options)), Match.when("cc", () => buildClaudeCommand(action, options)), Match.when("gemini", () => buildGeminiCommand(action, options)), Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`))));
 var parseAuth = (args) => {
 	if (args.length < 2) return Either.left(missingArgument(args.length === 0 ? "auth provider" : "auth action"));
 	const provider = args[0] ?? "";
@@ -7802,13 +8381,15 @@ var buildDefaultPathConfig = (normalizedSecretsRoot) => normalizedSecretsRoot ==
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: defaultTemplateConfig.envGlobalPath,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	geminiAuthPath: defaultTemplateConfig.geminiAuthPath
 } : {
 	dockerGitPath: defaultTemplateConfig.dockerGitPath,
 	authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
 	envGlobalPath: `${normalizedSecretsRoot}/global.env`,
 	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: `${normalizedSecretsRoot}/codex`
+	codexAuthPath: `${normalizedSecretsRoot}/codex`,
+	geminiAuthPath: `${normalizedSecretsRoot}/gemini`
 };
 var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 	const defaults = buildDefaultPathConfig(resolveNormalizedSecretsRoot(raw.secretsRoot));
@@ -7825,6 +8406,8 @@ var resolvePaths = (raw, repoPath) => Either.gen(function* (_) {
 		codexAuthPath,
 		codexSharedAuthPath: codexAuthPath,
 		codexHome: yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome)),
+		geminiAuthPath: defaults.geminiAuthPath,
+		geminiHome: defaultTemplateConfig.geminiHome,
 		outDir: yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 	};
 });
@@ -7854,6 +8437,8 @@ var buildTemplateConfig = ({ agentAuto, agentMode, claudeAuthLabel, codexAuthLab
 	codexAuthPath: paths.codexAuthPath,
 	codexSharedAuthPath: paths.codexSharedAuthPath,
 	codexHome: paths.codexHome,
+	geminiAuthPath: paths.geminiAuthPath,
+	geminiHome: paths.geminiHome,
 	cpuLimit,
 	ramLimit,
 	dockerNetworkMode,
@@ -8935,6 +9520,12 @@ var countAuthAccountDirectories = (fs, path, root) => Effect.gen(function* (_) {
 	return count;
 });
 //#endregion
+//#region src/docker-git/menu-auth-snapshot-builder.ts
+var countAuthAccountEntries = (fs, path, claudeAuthPath, geminiAuthPath) => pipe(Effect.all({
+	claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthPath),
+	geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthPath)
+}));
+//#endregion
 //#region src/docker-git/menu-labeled-env.ts
 var normalizeLabel = (value) => {
 	const trimmed = value.trim();
@@ -8983,6 +9574,18 @@ var authMenuItems = [
 		action: "ClaudeLogout",
 		label: "Claude Code: logout (clear cache)"
 	},
+	{
+		action: "GeminiOauth",
+		label: "Gemini CLI: login via OAuth (Google account)"
+	},
+	{
+		action: "GeminiApiKey",
+		label: "Gemini CLI: set API key"
+	},
+	{
+		action: "GeminiLogout",
+		label: "Gemini CLI: logout (clear credentials)"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -9042,34 +9645,62 @@ var flowSteps$1 = {
 		label: "Label to logout (empty = default)",
 		required: false,
 		secret: false
+	}],
+	GeminiOauth: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	GeminiApiKey: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}, {
+		key: "apiKey",
+		label: "Gemini API key (from ai.google.dev)",
+		required: true,
+		secret: true
+	}],
+	GeminiLogout: [{
+		key: "label",
+		label: "Label to logout (empty = default)",
+		required: false,
+		secret: false
 	}]
 };
-var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.exhaustive);
-var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.exhaustive);
+var flowTitle = (flow) => Match.value(flow).pipe(Match.when("GithubOauth", () => "GitHub OAuth"), Match.when("GithubRemove", () => "GitHub remove"), Match.when("GitSet", () => "Git credentials"), Match.when("GitRemove", () => "Git remove"), Match.when("ClaudeOauth", () => "Claude Code OAuth"), Match.when("ClaudeLogout", () => "Claude Code logout"), Match.when("GeminiOauth", () => "Gemini CLI OAuth"), Match.when("GeminiApiKey", () => "Gemini CLI API key"), Match.when("GeminiLogout", () => "Gemini CLI logout"), Match.exhaustive);
+var successMessage$1 = (flow, label) => Match.value(flow).pipe(Match.when("GithubOauth", () => `Saved GitHub token (${label}).`), Match.when("GithubRemove", () => `Removed GitHub token (${label}).`), Match.when("GitSet", () => `Saved Git credentials (${label}).`), Match.when("GitRemove", () => `Removed Git credentials (${label}).`), Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`), Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`), Match.when("GeminiOauth", () => `Saved Gemini CLI OAuth login (${label}).`), Match.when("GeminiApiKey", () => `Saved Gemini API key (${label}).`), Match.when("GeminiLogout", () => `Logged out Gemini CLI (${label}).`), Match.exhaustive);
 var buildGlobalEnvPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath$1 = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadAuthEnvText = (cwd) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath$1(cwd);
 	const claudeAuthPath = buildClaudeAuthPath$1(cwd);
+	const geminiAuthPath = buildGeminiAuthPath$1(cwd);
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	return {
 		fs,
 		path,
 		globalEnvPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		envText: yield* _(readEnvText(fs, globalEnvPath))
 	};
 });
-var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, globalEnvPath, path }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readAuthSnapshot = (cwd) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ claudeAuthPath, envText, fs, geminiAuthPath, globalEnvPath, path }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	globalEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
 	githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
 	gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
 	gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
-	claudeAuthEntries
+	claudeAuthEntries,
+	geminiAuthEntries
 })))));
 var writeAuthFlow = (cwd, flow, values) => pipe(loadAuthEnvText(cwd), Effect.flatMap(({ envText, fs, globalEnvPath }) => {
 	const label = values["label"] ?? "";
@@ -9098,6 +9729,69 @@ var authMenuActionByIndex = (index) => {
 };
 var authMenuSize = () => authMenuItems.length;
 //#endregion
+//#region src/docker-git/menu-auth-effects.ts
+var resolveLabelOption = (values) => {
+	const labelValue = (values["label"] ?? "").trim();
+	return labelValue.length > 0 ? labelValue : null;
+};
+var resolveGithubOauthEffect = (labelOption, globalEnvPath) => authGithubLogin({
+	_tag: "AuthGithubLogin",
+	label: labelOption,
+	token: null,
+	scopes: null,
+	envGlobalPath: globalEnvPath
+});
+var resolveClaudeOauthEffect = (labelOption) => authClaudeLogin({
+	_tag: "AuthClaudeLogin",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveClaudeLogoutEffect = (labelOption) => authClaudeLogout({
+	_tag: "AuthClaudeLogout",
+	label: labelOption,
+	claudeAuthPath: claudeAuthRoot
+});
+var resolveGeminiOauthEffect = (labelOption) => authGeminiLoginOauth({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
+});
+var resolveGeminiApiKeyEffect = (labelOption, apiKey) => authGeminiLogin({
+	_tag: "AuthGeminiLogin",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
+}, apiKey);
+var resolveGeminiLogoutEffect = (labelOption) => authGeminiLogout({
+	_tag: "AuthGeminiLogout",
+	label: labelOption,
+	geminiAuthPath: geminiAuthRoot
+});
+var resolveAuthPromptEffect = (view, cwd, values) => {
+	const labelOption = resolveLabelOption(values);
+	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => resolveGithubOauthEffect(labelOption, view.snapshot.globalEnvPath)), Match.when("ClaudeOauth", () => resolveClaudeOauthEffect(labelOption)), Match.when("ClaudeLogout", () => resolveClaudeLogoutEffect(labelOption)), Match.when("GeminiOauth", () => resolveGeminiOauthEffect(labelOption)), Match.when("GeminiApiKey", () => resolveGeminiApiKeyEffect(labelOption, (values["apiKey"] ?? "").trim())), Match.when("GeminiLogout", () => resolveGeminiLogoutEffect(labelOption)), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
+};
+var startAuthMenuWithSnapshot = (snapshot, context) => {
+	context.setView({
+		_tag: "AuthMenu",
+		selected: 0,
+		snapshot
+	});
+	context.setMessage(null);
+};
+var runAuthPromptEffect = (effect, view, label, context, options) => {
+	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
+		onError: pauseOnError(renderError),
+		onResume: resumeSshWithSkipInputs(context)
+	}) : effect;
+	context.setSshActive(options.suspendTui);
+	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
+		startAuthMenuWithSnapshot(snapshot, context);
+		context.setMessage(successMessage$1(view.flow, label));
+	})), Effect.asVoid));
+};
+//#endregion
 //#region src/docker-git/menu-input-utils.ts
 var parseMenuIndex = (input) => {
 	const trimmed = input.trim();
@@ -9154,14 +9848,6 @@ var defaultLabel = (value) => {
 	const trimmed = value.trim();
 	return trimmed.length > 0 ? trimmed : "default";
 };
-var startAuthMenuWithSnapshot = (snapshot, context) => {
-	context.setView({
-		_tag: "AuthMenu",
-		selected: 0,
-		snapshot
-	});
-	context.setMessage(null);
-};
 var startAuthPrompt = (snapshot, flow, context) => {
 	context.setView({
 		_tag: "AuthPrompt",
@@ -9173,39 +9859,6 @@ var startAuthPrompt = (snapshot, flow, context) => {
 	});
 	context.setMessage(null);
 };
-var resolveLabelOption = (values) => {
-	const labelValue = (values["label"] ?? "").trim();
-	return labelValue.length > 0 ? labelValue : null;
-};
-var resolveAuthPromptEffect = (view, cwd, values) => {
-	const labelOption = resolveLabelOption(values);
-	return Match.value(view.flow).pipe(Match.when("GithubOauth", () => authGithubLogin({
-		_tag: "AuthGithubLogin",
-		label: labelOption,
-		token: null,
-		scopes: null,
-		envGlobalPath: view.snapshot.globalEnvPath
-	})), Match.when("ClaudeOauth", () => authClaudeLogin({
-		_tag: "AuthClaudeLogin",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("ClaudeLogout", () => authClaudeLogout({
-		_tag: "AuthClaudeLogout",
-		label: labelOption,
-		claudeAuthPath: claudeAuthRoot
-	})), Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)), Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)), Match.exhaustive);
-};
-var runAuthPromptEffect = (effect, view, label, context, options) => {
-	const withOptionalSuspension = options.suspendTui ? withSuspendedTui(effect, {
-		onError: pauseOnError(renderError),
-		onResume: resumeSshWithSkipInputs(context)
-	}) : effect;
-	context.setSshActive(options.suspendTui);
-	context.runner.runEffect(pipe(withOptionalSuspension, Effect.zipRight(readAuthSnapshot(context.state.cwd)), Effect.tap((snapshot) => Effect.sync(() => {
-		startAuthMenuWithSnapshot(snapshot, context);
-		context.setMessage(successMessage$1(view.flow, label));
-	})), Effect.asVoid));
-};
 var loadAuthMenuView = (cwd, context) => pipe(readAuthSnapshot(cwd), Effect.tap((snapshot) => Effect.sync(() => {
 	startAuthMenuWithSnapshot(snapshot, context);
 })), Effect.asVoid);
@@ -9225,7 +9878,10 @@ var submitAuthPrompt = (view, context) => {
 		startAuthMenuWithSnapshot(view.snapshot, context);
 	}, (nextValues) => {
 		const label = defaultLabel(nextValues["label"] ?? "");
-		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, context, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" });
+		runAuthPromptEffect(resolveAuthPromptEffect(view, context.state.cwd, nextValues), view, label, {
+			...context,
+			cwd: context.state.cwd
+		}, { suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" || view.flow === "GeminiOauth" });
 	});
 };
 var setAuthMenuSelection = (view, selected, context) => {
@@ -9267,6 +9923,15 @@ var handleAuthMenuInput = (input, key, view, context) => {
 	}
 	handleAuthMenuNumberInput(input, view, context);
 };
+var setAuthPromptBuffer = (args) => {
+	const { context, input, key, view } = args;
+	const nextBuffer = nextBufferValue(input, key, view.buffer);
+	if (nextBuffer === null) return;
+	context.setView({
+		...view,
+		buffer: nextBuffer
+	});
+};
 var handleAuthPromptInput = (input, key, view, context) => {
 	if (key.escape) {
 		startAuthMenuWithSnapshot(view.snapshot, context);
@@ -9283,15 +9948,6 @@ var handleAuthPromptInput = (input, key, view, context) => {
 		context
 	});
 };
-var setAuthPromptBuffer = (args) => {
-	const { context, input, key, view } = args;
-	const nextBuffer = nextBufferValue(input, key, view.buffer);
-	if (nextBuffer === null) return;
-	context.setView({
-		...view,
-		buffer: nextBuffer
-	});
-};
 var openAuthMenu = (context) => {
 	context.setMessage("Loading auth profiles...");
 	context.runner.runEffect(loadAuthMenuView(context.state.cwd, context));
@@ -9384,15 +10040,17 @@ var loadRuntimeByProject = (items) => pipe(runDockerPsNames(process.cwd()), Effe
 }));
 var runtimeForSelection = (view, selected) => view.runtimeByProject[selected.projectDir] ?? stoppedRuntime$1();
 //#endregion
+//#region src/docker-git/menu-project-auth-helpers.ts
+var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists(filePath)))) return false;
+	return (yield* _(fs.stat(filePath))).type === "File";
+});
+//#endregion
 //#region src/docker-git/menu-project-auth-claude.ts
 var oauthTokenFileName = ".oauth-token";
 var legacyConfigFileName = ".config.json";
 var credentialsFileName = ".credentials.json";
 var nestedCredentialsFileName = ".claude/.credentials.json";
-var hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
-	if (!(yield* _(fs.exists(filePath)))) return false;
-	return (yield* _(fs.stat(filePath))).type === "File";
-});
 var hasNonEmptyOauthToken = (fs, tokenPath) => Effect.gen(function* (_) {
 	if (!(yield* _(hasFileAtPath(fs, tokenPath)))) return false;
 	return (yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
@@ -9419,6 +10077,107 @@ var hasClaudeAccountCredentials = (fs, accountPath) => hasFileAtPath(fs, `${acco
 	}));
 }));
 //#endregion
+//#region src/docker-git/menu-project-auth-gemini.ts
+var apiKeyFileName = ".api-key";
+var envFileName = ".env";
+var geminiCredentialsDir = ".gemini";
+var hasNonEmptyApiKey = (fs, apiKeyPath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, apiKeyPath)))) return false;
+	return (yield* _(fs.readFileString(apiKeyPath), Effect.orElseSucceed(() => ""))).trim().length > 0;
+});
+var hasApiKeyInEnvFile = (fs, envFilePath) => Effect.gen(function* (_) {
+	if (!(yield* _(hasFileAtPath(fs, envFilePath)))) return false;
+	const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+	for (const line of lines) {
+		const trimmed = line.trim();
+		if (trimmed.startsWith("GEMINI_API_KEY=")) {
+			if (trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim().length > 0) return true;
+		}
+	}
+	return false;
+});
+var geminiOauthCredentialFiles = [
+	"oauth-tokens.json",
+	"credentials.json",
+	"application_default_credentials.json"
+];
+var checkAnyFileExists = (fs, basePath, fileNames) => {
+	const [first, ...rest] = fileNames;
+	if (first === void 0) return Effect.succeed(false);
+	return hasFileAtPath(fs, `${basePath}/${first}`).pipe(Effect.flatMap((exists) => exists ? Effect.succeed(true) : checkAnyFileExists(fs, basePath, rest)));
+};
+var hasOauthCredentials = (fs, accountPath) => {
+	const credentialsDir = `${accountPath}/${geminiCredentialsDir}`;
+	return hasFileAtPath(fs, credentialsDir).pipe(Effect.flatMap((dirExists) => dirExists ? checkAnyFileExists(fs, credentialsDir, geminiOauthCredentialFiles) : Effect.succeed(false)));
+};
+var hasGeminiAccountCredentials = (fs, accountPath) => hasNonEmptyApiKey(fs, `${accountPath}/${apiKeyFileName}`).pipe(Effect.flatMap((hasApiKey) => {
+	if (hasApiKey) return Effect.succeed(true);
+	return hasApiKeyInEnvFile(fs, `${accountPath}/${envFileName}`).pipe(Effect.flatMap((hasEnvApiKey) => {
+		if (hasEnvApiKey) return Effect.succeed(true);
+		return hasOauthCredentials(fs, accountPath);
+	}));
+}));
+//#endregion
+//#region src/docker-git/menu-project-auth-flows.ts
+var githubTokenBaseKey$1 = "GITHUB_TOKEN";
+var gitTokenBaseKey$1 = "GIT_AUTH_TOKEN";
+var gitUserBaseKey = "GIT_AUTH_USER";
+var projectGithubLabelKey$1 = "GITHUB_AUTH_LABEL";
+var projectGitLabelKey$1 = "GIT_AUTH_LABEL";
+var projectClaudeLabelKey$1 = "CLAUDE_AUTH_LABEL";
+var projectGeminiLabelKey$1 = "GEMINI_AUTH_LABEL";
+var defaultGitUser = "x-access-token";
+var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
+var clearProjectGitLabels = (envText) => {
+	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey$1, ""), projectGithubLabelKey$1, "");
+};
+var updateProjectGithubConnect = (spec) => {
+	const key = buildLabeledEnvKey(githubTokenBaseKey$1, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, key);
+	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
+	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey$1, "");
+	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGithubDisconnect = (spec) => {
+	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
+	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
+};
+var updateProjectGitConnect = (spec) => {
+	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey$1, spec.rawLabel);
+	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
+	const token = findEnvValue(spec.globalEnvText, tokenKey);
+	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
+	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
+	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
+	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey$1, spec.canonicalLabel);
+	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey$1, spec.canonicalLabel));
+};
+var updateProjectGitDisconnect = (spec) => {
+	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
+	return Effect.succeed(clearProjectGitLabels(withoutUser));
+};
+var resolveAccountCandidates = (authPath, accountLabel) => accountLabel === "default" ? [`${authPath}/default`, authPath] : [`${authPath}/${accountLabel}`];
+var findFirstCredentialsMatch = (fs, candidates, hasCredentials) => Effect.gen(function* (_) {
+	for (const accountPath of candidates) {
+		if (!(yield* _(fs.exists(accountPath)))) continue;
+		if (yield* _(hasCredentials(fs, accountPath), Effect.orElseSucceed(() => false))) return accountPath;
+	}
+	return null;
+});
+var updateProjectClaudeConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.claudeAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasClaudeAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectClaudeDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey$1, ""));
+var updateProjectGeminiConnect = (spec) => {
+	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
+	const accountCandidates = resolveAccountCandidates(spec.geminiAuthPath, accountLabel);
+	return findFirstCredentialsMatch(spec.fs, accountCandidates, hasGeminiAccountCredentials).pipe(Effect.flatMap((matched) => matched === null ? Effect.fail(missingSecret("Gemini CLI API key", spec.canonicalLabel, spec.geminiAuthPath)) : Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, spec.canonicalLabel))));
+};
+var updateProjectGeminiDisconnect = (spec) => Effect.succeed(upsertEnvKey(spec.projectEnvText, projectGeminiLabelKey$1, ""));
+var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.when("ProjectGeminiConnect", () => updateProjectGeminiConnect(spec)), Match.when("ProjectGeminiDisconnect", () => updateProjectGeminiDisconnect(spec)), Match.exhaustive);
+//#endregion
 //#region src/docker-git/menu-project-auth-data.ts
 var projectAuthMenuItems = [
 	{
@@ -9445,6 +10204,14 @@ var projectAuthMenuItems = [
 		action: "ProjectClaudeDisconnect",
 		label: "Project: Claude disconnect"
 	},
+	{
+		action: "ProjectGeminiConnect",
+		label: "Project: Gemini connect label"
+	},
+	{
+		action: "ProjectGeminiDisconnect",
+		label: "Project: Gemini disconnect"
+	},
 	{
 		action: "Refresh",
 		label: "Refresh snapshot"
@@ -9475,7 +10242,14 @@ var flowSteps = {
 		required: false,
 		secret: false
 	}],
-	ProjectClaudeDisconnect: []
+	ProjectClaudeDisconnect: [],
+	ProjectGeminiConnect: [{
+		key: "label",
+		label: "Label (empty = default)",
+		required: false,
+		secret: false
+	}],
+	ProjectGeminiDisconnect: []
 };
 var resolveCanonicalLabel = (value) => {
 	const normalized = normalizeLabel(value);
@@ -9483,18 +10257,19 @@ var resolveCanonicalLabel = (value) => {
 };
 var githubTokenBaseKey = "GITHUB_TOKEN";
 var gitTokenBaseKey = "GIT_AUTH_TOKEN";
-var gitUserBaseKey = "GIT_AUTH_USER";
 var projectGithubLabelKey = "GITHUB_AUTH_LABEL";
 var projectGitLabelKey = "GIT_AUTH_LABEL";
 var projectClaudeLabelKey = "CLAUDE_AUTH_LABEL";
-var defaultGitUser = "x-access-token";
+var projectGeminiLabelKey = "GEMINI_AUTH_LABEL";
 var buildGlobalEnvPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`;
 var buildClaudeAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`;
+var buildGeminiAuthPath = (cwd) => `${defaultProjectsRoot(cwd)}/.orch/auth/gemini`;
 var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
 	const globalEnvPath = buildGlobalEnvPath(process.cwd());
 	const claudeAuthPath = buildClaudeAuthPath(process.cwd());
+	const geminiAuthPath = buildGeminiAuthPath(process.cwd());
 	yield* _(ensureEnvFile$1(fs, path, globalEnvPath));
 	yield* _(ensureEnvFile$1(fs, path, project.envProjectPath));
 	const globalEnvText = yield* _(readEnvText(fs, globalEnvPath));
@@ -9505,69 +10280,29 @@ var loadProjectAuthEnvText = (project) => Effect.gen(function* (_) {
 		globalEnvPath,
 		projectEnvPath: project.envProjectPath,
 		claudeAuthPath,
+		geminiAuthPath,
 		globalEnvText,
 		projectEnvText
 	};
 });
-var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => pipe(countAuthAccountDirectories(fs, path, claudeAuthPath), Effect.map((claudeAuthEntries) => ({
+var readProjectAuthSnapshot = (project) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) => countAuthAccountEntries(fs, path, claudeAuthPath, geminiAuthPath).pipe(Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
 	projectDir: project.projectDir,
 	projectName: project.displayName,
 	envGlobalPath: globalEnvPath,
 	envProjectPath: projectEnvPath,
 	claudeAuthPath,
+	geminiAuthPath,
 	githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
 	gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
 	claudeAuthEntries,
+	geminiAuthEntries,
 	activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
 	activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
-	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
+	activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey),
+	activeGeminiLabel: findEnvValue(projectEnvText, projectGeminiLabelKey)
 })))));
-var missingSecret = (provider, label, envPath) => new AuthError({ message: `${provider} not connected: label '${label}' not found in ${envPath}` });
-var updateProjectGithubConnect = (spec) => {
-	const key = buildLabeledEnvKey(githubTokenBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, key);
-	if (token === null) return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath));
-	const withoutGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GH_TOKEN", token), projectGitLabelKey, "");
-	return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var clearProjectGitLabels = (envText) => {
-	return upsertEnvKey(upsertEnvKey(upsertEnvKey(envText, "GH_TOKEN", ""), projectGitLabelKey, ""), projectGithubLabelKey, "");
-};
-var updateProjectGithubDisconnect = (spec) => {
-	const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "");
-	return Effect.succeed(clearProjectGitLabels(withoutGitToken));
-};
-var updateProjectGitConnect = (spec) => {
-	const tokenKey = buildLabeledEnvKey(gitTokenBaseKey, spec.rawLabel);
-	const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel);
-	const token = findEnvValue(spec.globalEnvText, tokenKey);
-	if (token === null) return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath));
-	const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser;
-	const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser;
-	const withGitLabel = upsertEnvKey(upsertEnvKey(upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token), "GIT_AUTH_USER", user), "GH_TOKEN", token), projectGitLabelKey, spec.canonicalLabel);
-	return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey, spec.canonicalLabel));
-};
-var updateProjectGitDisconnect = (spec) => {
-	const withoutUser = upsertEnvKey(upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", ""), "GIT_AUTH_USER", "");
-	return Effect.succeed(clearProjectGitLabels(withoutUser));
-};
-var resolveClaudeAccountCandidates = (claudeAuthPath, accountLabel) => accountLabel === "default" ? [`${claudeAuthPath}/default`, claudeAuthPath] : [`${claudeAuthPath}/${accountLabel}`];
-var updateProjectClaudeConnect = (spec) => {
-	const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
-	const accountCandidates = resolveClaudeAccountCandidates(spec.claudeAuthPath, accountLabel);
-	return Effect.gen(function* (_) {
-		for (const accountPath of accountCandidates) {
-			if (!(yield* _(spec.fs.exists(accountPath)))) continue;
-			if (yield* _(hasClaudeAccountCredentials(spec.fs, accountPath), Effect.orElseSucceed(() => false))) return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel);
-		}
-		return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)));
-	});
-};
-var updateProjectClaudeDisconnect = (spec) => {
-	return Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, ""));
-};
-var resolveProjectEnvUpdate = (flow, spec) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)), Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)), Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)), Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)), Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)), Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)), Match.exhaustive);
-var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
+var resolveSyncMessage = (flow, canonicalLabel, displayName) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${displayName}`), Match.when("ProjectGeminiConnect", () => `chore(state): project auth gemini ${canonicalLabel} ${displayName}`), Match.when("ProjectGeminiDisconnect", () => `chore(state): project auth gemini logout ${displayName}`), Match.exhaustive);
+var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvText(project), Effect.flatMap(({ claudeAuthPath, fs, geminiAuthPath, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
 	const rawLabel = values["label"] ?? "";
 	const canonicalLabel = resolveCanonicalLabel(rawLabel);
 	const nextProjectEnv = resolveProjectEnvUpdate(flow, {
@@ -9577,9 +10312,10 @@ var writeProjectAuthFlow = (project, flow, values) => pipe(loadProjectAuthEnvTex
 		globalEnvPath,
 		globalEnvText,
 		projectEnvText,
-		claudeAuthPath
+		claudeAuthPath,
+		geminiAuthPath
 	});
-	const syncMessage = Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${project.displayName}`), Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`), Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${project.displayName}`), Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`), Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${project.displayName}`), Match.exhaustive);
+	const syncMessage = resolveSyncMessage(flow, canonicalLabel, project.displayName);
 	return pipe(nextProjectEnv, Effect.flatMap((nextText) => fs.writeFileString(projectEnvPath, nextText)), Effect.zipRight(autoSyncState(syncMessage)));
 }), Effect.asVoid);
 var projectAuthViewSteps = (flow) => flowSteps[flow];
@@ -9615,7 +10351,7 @@ var startProjectAuthPrompt = (project, snapshot, flow, context) => {
 var loadProjectAuthMenuView = (project, context) => pipe(readProjectAuthSnapshot(project), Effect.tap((snapshot) => Effect.sync(() => {
 	startProjectAuthMenu(project, snapshot, context);
 })), Effect.asVoid);
-var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.exhaustive);
+var successMessage = (flow, label) => Match.value(flow).pipe(Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`), Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."), Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`), Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."), Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`), Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."), Match.when("ProjectGeminiConnect", () => `Connected Gemini label (${label}) to project.`), Match.when("ProjectGeminiDisconnect", () => "Disconnected Gemini from project."), Match.exhaustive);
 var runProjectAuthEffect = (project, flow, values, label, context) => {
 	context.runner.runEffect(pipe(writeProjectAuthFlow(project, flow, values), Effect.zipRight(readProjectAuthSnapshot(project)), Effect.tap((snapshot) => Effect.sync(() => {
 		startProjectAuthMenu(project, snapshot, context);
@@ -9640,7 +10376,7 @@ var runProjectAuthAction$1 = (action, view, context) => {
 		context.runner.runEffect(loadProjectAuthMenuView(view.project, context));
 		return;
 	}
-	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect") {
+	if (action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect" || action === "ProjectGeminiDisconnect") {
 		runProjectAuthEffect(view.project, action, {}, "default", context);
 		return;
 	}
@@ -10810,7 +11546,7 @@ var setExitCode = (code) => Effect.sync(() => {
 });
 var logWarningAndExit = (error) => pipe(Effect.logWarning(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
 var logErrorAndExit = (error) => pipe(Effect.logError(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
-var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd))).pipe(Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
+var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => cmd.isWeb ? authGeminiLoginOauth(cmd) : authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
 var program = pipe(readCommand, Effect.flatMap((command) => Match.value(command).pipe(Match.when({ _tag: "Help" }, ({ message }) => Effect.log(message)), Match.when({ _tag: "Create" }, (create) => createProject(create)), Match.when({ _tag: "Status" }, () => listProjectStatus), Match.when({ _tag: "DownAll" }, () => downAllDockerGitProjects), Match.when({ _tag: "Menu" }, () => runMenu), Match.orElse((cmd) => handleNonBaseCommand(cmd)))), Effect.catchTag("FileExistsError", (error) => pipe(Effect.logWarning(renderError(error)), Effect.asVoid)), Effect.catchTag("DockerAccessError", logWarningAndExit), Effect.catchTag("DockerCommandError", logWarningAndExit), Effect.catchTag("AuthError", logWarningAndExit), Effect.catchTag("AgentFailedError", logWarningAndExit), Effect.catchTag("CommandFailedError", logWarningAndExit), Effect.catchTag("ScrapArchiveNotFoundError", logErrorAndExit), Effect.catchTag("ScrapTargetDirUnsupportedError", logErrorAndExit), Effect.catchTag("ScrapWipeRefusedError", logErrorAndExit), Effect.matchEffect({
 	onFailure: (error) => isParseError(error) ? logErrorAndExit(error) : pipe(Effect.logError(renderError(error)), Effect.flatMap(() => Effect.fail(error))),
 	onSuccess: () => Effect.void