npm - @prover-coder-ai/docker-git - Versions diffs - 1.0.44 → 1.0.45 - Mend

@prover-coder-ai/docker-git 1.0.44 → 1.0.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/src/docker-git/main.js +279 -111
package/dist/src/docker-git/main.js.map +1 -1
package/package.json +1 -1

package/dist/src/docker-git/main.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { NodeContext, NodeRuntime } from "@effect/platform-node";
-import { Data, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
+import { Data, Deferred, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
 import * as FileSystem from "@effect/platform/FileSystem";
 import * as Path from "@effect/platform/Path";
 import * as Command from "@effect/platform/Command";
@@ -2178,6 +2178,7 @@ elif [[ "$TARGET_DIR" == "~/"* ]]; then
 fi
 CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 CODEX_AUTH_LABEL="\${CODEX_AUTH_LABEL:-}"
+GEMINI_AUTH_LABEL="\${GEMINI_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-x-access-token}}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
 GH_TOKEN="\${GH_TOKEN:-\${GIT_AUTH_TOKEN:-}}"
@@ -2980,8 +2981,8 @@ var renderEntrypointAgentsNotice = (config) => entrypointAgentsNoticeTemplate.re
 //#endregion
 //#region ../lib/src/core/templates-entrypoint/gemini.ts
 var geminiAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/gemini`;
-var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_API_KEY for SSH sessions (API key stored under ~/.docker-git/.orch/auth/gemini)
-GEMINI_LABEL_RAW="${"$"}{GEMINI_AUTH_LABEL:-}"
+var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_HOME for sessions (OAuth cache lives under ~/.docker-git/.orch/auth/gemini)
+GEMINI_LABEL_RAW="$GEMINI_AUTH_LABEL"
 if [[ -z "$GEMINI_LABEL_RAW" ]]; then
   GEMINI_LABEL_RAW="default"
 fi
@@ -2994,29 +2995,16 @@ if [[ -z "$GEMINI_LABEL_NORM" ]]; then
 fi
 GEMINI_AUTH_ROOT="__GEMINI_AUTH_ROOT__"
-GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
+export GEMINI_CONFIG_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
-# Backward compatibility: if default auth is stored directly under gemini root, reuse it.
-if [[ "$GEMINI_LABEL_NORM" == "default" ]]; then
-  GEMINI_ROOT_ENV_FILE="$GEMINI_AUTH_ROOT/.env"
-  if [[ -f "$GEMINI_ROOT_ENV_FILE" ]]; then
-    GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT"
-  fi
-fi
-mkdir -p "$GEMINI_AUTH_DIR" || true
+mkdir -p "$GEMINI_CONFIG_DIR" || true
 GEMINI_HOME_DIR="__GEMINI_HOME_DIR__"
 mkdir -p "$GEMINI_HOME_DIR" || true
-GEMINI_API_KEY_FILE="$GEMINI_AUTH_DIR/.api-key"
-GEMINI_ENV_FILE="$GEMINI_AUTH_DIR/.env"
-GEMINI_HOME_ENV_FILE="$GEMINI_HOME_DIR/.env"
 docker_git_link_gemini_file() {
   local source_path="$1"
   local link_path="$2"
-  # Preserve user-created regular files and seed config dir once.
   if [[ -e "$link_path" && ! -L "$link_path" ]]; then
     if [[ -f "$link_path" && ! -e "$source_path" ]]; then
       cp "$link_path" "$source_path" || true
@@ -3028,91 +3016,170 @@ docker_git_link_gemini_file() {
   ln -sfn "$source_path" "$link_path" || true
 }
-# Link Gemini .env file from auth dir to home dir
-docker_git_link_gemini_file "$GEMINI_ENV_FILE" "$GEMINI_HOME_ENV_FILE"
+# Link .api-key and .env from central auth storage to container home
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.api-key" "$GEMINI_HOME_DIR/.api-key"
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.env" "$GEMINI_HOME_DIR/.env"
-docker_git_refresh_gemini_api_key() {
-  local api_key=""
-  # Try to read from dedicated API key file first
-  if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
-    api_key="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
-  fi
-  # Fall back to .env file
-  if [[ -z "$api_key" && -f "$GEMINI_ENV_FILE" ]]; then
-    api_key="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
-  fi
-  if [[ -n "$api_key" ]]; then
-    export GEMINI_API_KEY="$api_key"
-  else
-    unset GEMINI_API_KEY || true
+# Ensure gemini YOLO wrapper exists
+GEMINI_REAL_BIN="$(command -v gemini || echo "/usr/local/bin/gemini")"
+GEMINI_WRAPPER_BIN="/usr/local/bin/gemini-wrapper"
+if [[ -f "$GEMINI_REAL_BIN" && "$GEMINI_REAL_BIN" != "$GEMINI_WRAPPER_BIN" ]]; then
+  if [[ ! -f "$GEMINI_WRAPPER_BIN" ]]; then
+    cat <<'EOF' > "$GEMINI_WRAPPER_BIN"
+#!/usr/bin/env bash
+GEMINI_ORIGINAL_BIN="__GEMINI_REAL_BIN__"
+exec "$GEMINI_ORIGINAL_BIN" --yolo "$@"
+EOF
+    sed -i "s#__GEMINI_REAL_BIN__#$GEMINI_REAL_BIN#g" "$GEMINI_WRAPPER_BIN" || true
+    chmod 0755 "$GEMINI_WRAPPER_BIN" || true
+    # Create an alias or symlink if needed, but here we just ensure it exists
   fi
-}
+fi
-docker_git_refresh_gemini_api_key`;
-var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", `/home/${config.sshUser}/.gemini`);
-var renderGeminiCliInstall = () => String.raw`# Gemini CLI: ensure CLI command exists (non-blocking startup self-heal)
-docker_git_ensure_gemini_cli() {
-  if command -v gemini >/dev/null 2>&1; then
-    return 0
+# Special case for .gemini folder: we want the folder itself to be the link if it doesn't exist
+# or its content to be linked if we want to manage it.
+if [[ -d "$GEMINI_CONFIG_DIR/.gemini" ]]; then
+  if [[ -L "$GEMINI_HOME_DIR" ]]; then
+    rm -f "$GEMINI_HOME_DIR"
+  elif [[ -d "$GEMINI_HOME_DIR" ]]; then
+    # If it's a real directory, move it aside if it's empty or just has our managed files
+    mv "$GEMINI_HOME_DIR" "$GEMINI_HOME_DIR.bak-$(date +%s)" || true
   fi
+  ln -sfn "$GEMINI_CONFIG_DIR/.gemini" "$GEMINI_HOME_DIR"
+fi
-  if ! command -v npm >/dev/null 2>&1; then
-    return 0
+docker_git_refresh_gemini_env() {
+  # If .api-key exists, export it as GEMINI_API_KEY
+  if [[ -f "$GEMINI_HOME_DIR/.api-key" ]]; then
+    export GEMINI_API_KEY="$(cat "$GEMINI_HOME_DIR/.api-key" | tr -d '\r\n')"
+  elif [[ -f "$GEMINI_HOME_DIR/.env" ]]; then
+    # Parse GEMINI_API_KEY from .env
+    API_KEY="$(grep "^GEMINI_API_KEY=" "$GEMINI_HOME_DIR/.env" | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//")"
+    if [[ -n "$API_KEY" ]]; then
+      export GEMINI_API_KEY="$API_KEY"
+    fi
   fi
+}
-  NPM_ROOT="$(npm root -g 2>/dev/null || true)"
-  GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
-  if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
-    echo "docker-git: gemini cli.js not found under npm global root; skip shim restore" >&2
-    return 0
-  fi
+docker_git_refresh_gemini_env`;
+var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", config.geminiHome);
+var renderGeminiPermissionSettingsConfig = (config) => String.raw`# Gemini CLI: keep trust settings in sync with docker-git defaults
+GEMINI_SETTINGS_DIR="${config.geminiHome}"
+GEMINI_TRUST_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/trustedFolders.json"
+GEMINI_CONFIG_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/settings.json"
-  # Rebuild a minimal shim when npm package exists but binary link is missing.
-  cat <<'EOF' > /usr/local/bin/gemini
-#!/usr/bin/env bash
-set -euo pipefail
+# Wait for symlink to be established by the auth config step
+mkdir -p "$GEMINI_SETTINGS_DIR" || true
-if ! command -v npm >/dev/null 2>&1; then
-  echo "gemini: npm is required but missing" >&2
-  exit 127
-fi
-NPM_ROOT="$(npm root -g 2>/dev/null || true)"
-GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
-if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
-  echo "gemini: cli.js not found under npm global root" >&2
-  exit 127
+# Disable folder trust prompt and enable auto-approval in settings.json
+if [[ ! -f "$GEMINI_CONFIG_SETTINGS_FILE" ]]; then
+  cat <<'EOF' > "$GEMINI_CONFIG_SETTINGS_FILE"
+{
+  "security": {
+    "folderTrust": {
+      "enabled": false
+    },
+    "approvalPolicy": "never"
+  }
+}
+EOF
 fi
-exec node "$GEMINI_CLI_JS" "$@"
-EOF
-  chmod 0755 /usr/local/bin/gemini || true
-  ln -sf /usr/local/bin/gemini /usr/bin/gemini || true
+# Pre-trust important directories in trustedFolders.json
+# Use flat mapping as required by recent Gemini CLI versions
+cat <<'EOF' > "$GEMINI_TRUST_SETTINGS_FILE"
+{
+  "/": "TRUST_FOLDER",
+  "${config.geminiHome}": "TRUST_FOLDER",
+  "${config.targetDir}": "TRUST_FOLDER"
 }
+EOF
-docker_git_ensure_gemini_cli`;
-var renderGeminiProfileSetup = () => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
-printf "export GEMINI_AUTH_LABEL=%q\n" "${"$"}{GEMINI_AUTH_LABEL:-default}" > "$GEMINI_PROFILE"
+chown -R 1000:1000 "$GEMINI_SETTINGS_DIR" || true
+chmod 0600 "$GEMINI_TRUST_SETTINGS_FILE" "$GEMINI_CONFIG_SETTINGS_FILE" 2>/dev/null || true`;
+var renderGeminiSudoConfig = (config) => String.raw`# Gemini CLI: allow passwordless sudo for agent tasks
+if [[ -d /etc/sudoers.d ]]; then
+  echo "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/gemini-agent
+  chmod 0440 /etc/sudoers.d/gemini-agent
+fi`;
+var renderGeminiMcpPlaywrightConfig = (_config) => String.raw`# Gemini CLI: keep Playwright MCP config in sync (TODO: Gemini CLI MCP integration format)
+# For now, Gemini CLI uses MCP via ~/.gemini/settings.json or command line.
+# We'll ensure it has the same Playwright capability as Claude/Codex once format is confirmed.`;
+var renderGeminiProfileSetup = (config) => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
+printf "export GEMINI_AUTH_LABEL=%q\n" "$GEMINI_AUTH_LABEL" > "$GEMINI_PROFILE"
+printf "export GEMINI_HOME=%q\n" "${config.geminiHome}" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_DISABLE_UPDATE_CHECK=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_NONINTERACTIVE=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_APPROVAL_MODE=yolo\n" >> "$GEMINI_PROFILE"
+printf "alias gemini='/usr/local/bin/gemini-wrapper'\n" >> "$GEMINI_PROFILE"
 cat <<'EOF' >> "$GEMINI_PROFILE"
-GEMINI_API_KEY_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.api-key"
-GEMINI_ENV_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.env"
-if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
-  export GEMINI_API_KEY="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
-elif [[ -f "$GEMINI_ENV_FILE" ]]; then
-  GEMINI_KEY="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
-  if [[ -n "$GEMINI_KEY" ]]; then
-    export GEMINI_API_KEY="$GEMINI_KEY"
-  fi
+if [[ -f "$GEMINI_HOME/.api-key" ]]; then
+  export GEMINI_API_KEY="$(cat "$GEMINI_HOME/.api-key" | tr -d '\r\n')"
 fi
 EOF
 chmod 0644 "$GEMINI_PROFILE" || true
-docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "${"$"}{GEMINI_AUTH_LABEL:-default}"
-docker_git_upsert_ssh_env "GEMINI_API_KEY" "${"$"}{GEMINI_API_KEY:-}"`;
+docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "$GEMINI_AUTH_LABEL"
+docker_git_upsert_ssh_env "GEMINI_API_KEY" "\${GEMINI_API_KEY:-}"
+docker_git_upsert_ssh_env "GEMINI_CLI_DISABLE_UPDATE_CHECK" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_NONINTERACTIVE" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_APPROVAL_MODE" "yolo"`;
+var entrypointGeminiNoticeTemplate = String.raw`# Ensure global GEMINI.md exists for container context
+GEMINI_MD_PATH="__GEMINI_HOME__/GEMINI.md"
+GEMINI_WORKSPACE_CONTEXT="Контекст workspace: repository"
+if [[ "$REPO_REF" == issue-* ]]; then
+  ISSUE_ID="$(printf "%s" "$REPO_REF" | sed -E 's#^issue-##')"
+  ISSUE_URL=""
+  if [[ "$REPO_URL" == https://github.com/* ]]; then
+    ISSUE_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO" ]]; then
+      ISSUE_URL="https://github.com/$ISSUE_REPO/issues/$ISSUE_ID"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID ($ISSUE_URL)"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID"
+  fi
+elif [[ "$REPO_REF" == refs/pull/*/head ]]; then
+  PR_ID="$(printf "%s" "$REPO_REF" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL=""
+  if [[ "$REPO_URL" == https://github.com/* && -n "$PR_ID" ]]; then
+    PR_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO" ]]; then
+      PR_URL="https://github.com/$PR_REPO/pull/$PR_ID"
+    fi
+  fi
+  if [[ -n "$PR_ID" && -n "$PR_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID ($PR_URL)"
+  elif [[ -n "$PR_ID" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF)"
+  fi
+fi
+cat <<EOF > "$GEMINI_MD_PATH"
+<!-- docker-git-managed:gemini-md -->
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, gemini, claude, opencode, oh-my-opencode, sshpass, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$GEMINI_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Для решения задач обязательно используй subagents. Сам агент обязан выполнять финальную проверку, интеграцию и валидацию результата перед ответом пользователю.
+Если ты видишь файлы AGENTS.md, GEMINI.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+<!-- /docker-git-managed:gemini-md -->
+EOF
+chown 1000:1000 "$GEMINI_MD_PATH" || true`;
+var renderEntrypointGeminiNotice = (config) => entrypointGeminiNoticeTemplate.replaceAll("__GEMINI_HOME__", config.geminiHome).replaceAll("__TARGET_DIR__", config.targetDir);
 var renderEntrypointGeminiConfig = (config) => [
 	renderGeminiAuthConfig(config),
-	renderGeminiCliInstall(),
-	renderGeminiProfileSetup()
+	renderGeminiPermissionSettingsConfig(config),
+	renderGeminiMcpPlaywrightConfig(config),
+	renderGeminiSudoConfig(config),
+	renderGeminiProfileSetup(config),
+	renderEntrypointGeminiNotice(config)
 ].join("\n\n");
 //#endregion
 //#region ../lib/src/core/templates-entrypoint/git.ts
@@ -3680,6 +3747,7 @@ AGENT_ENV_FILE="/run/docker-git/agent-env.sh"
 {
   [[ -f /etc/profile.d/gh-token.sh ]] && cat /etc/profile.d/gh-token.sh
   [[ -f /etc/profile.d/claude-config.sh ]] && cat /etc/profile.d/claude-config.sh
+  [[ -f /etc/profile.d/gemini-config.sh ]] && cat /etc/profile.d/gemini-config.sh
 } > "$AGENT_ENV_FILE" 2>/dev/null || true
 chmod 644 "$AGENT_ENV_FILE"`,
 	renderAgentPrompt(),
@@ -3689,7 +3757,7 @@ if [[ -n "$AGENT_PROMPT" ]]; then
   chmod 644 "$AGENT_PROMPT_FILE"
 fi`
 ].join("\n\n");
-var renderAgentPromptCommand = (mode) => mode === "claude" ? String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"` : String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`;
+var renderAgentPromptCommand = (mode) => Match.value(mode).pipe(Match.when("claude", () => String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("codex", () => String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.exhaustive);
 var renderAgentAutoLaunchCommand = (config, mode) => String.raw`su - ${config.sshUser} -s /bin/bash -c "bash -lc '. /etc/profile 2>/dev/null || true; . \"$AGENT_ENV_FILE\" 2>/dev/null || true; cd \"$TARGET_DIR\" && ${renderAgentPromptCommand(mode)}'"`;
 var renderAgentModeBlock = (config, mode) => {
 	const startMessage = `[agent] starting ${mode}...`;
@@ -3710,6 +3778,7 @@ var renderAgentModeCase = (config) => [
 	String.raw`case "$AGENT_MODE" in`,
 	indentBlock(renderAgentModeBlock(config, "claude")),
 	indentBlock(renderAgentModeBlock(config, "codex")),
+	indentBlock(renderAgentModeBlock(config, "gemini")),
 	indentBlock(String.raw`*)
   echo "[agent] unknown agent mode: $AGENT_MODE"
   ;;`),
@@ -4182,7 +4251,9 @@ RUN set -eu; \
   npm install -g oh-my-opencode@latest "oh-my-opencode-linux-\${OH_MY_OPENCODE_ARCH}@latest"
 RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
-RUN claude --version`;
+RUN claude --version
+RUN npm install -g @google/gemini-cli@latest --force
+RUN gemini --version`;
 var renderDockerfileOpenCode = () => `# Tooling: OpenCode (binary)
 RUN set -eu; \
   for attempt in 1 2 3 4 5; do \
@@ -6501,7 +6572,8 @@ var authSuccessPatterns = [
 	"Authentication successful",
 	"Successfully authenticated",
 	"Logged in as",
-	"You are now logged in"
+	"You are now logged in",
+	"Logged in with Google"
 ];
 var authFailurePatterns = [
 	"Authentication failed",
@@ -6512,22 +6584,28 @@ var authFailurePatterns = [
 ];
 var detectAuthResult = (output) => {
 	const normalized = stripAnsi(output).toLowerCase();
-	for (const pattern of authSuccessPatterns) if (normalized.includes(pattern.toLowerCase())) return "success";
-	for (const pattern of authFailurePatterns) if (normalized.includes(pattern.toLowerCase())) return "failure";
+	const authInitiated = [
+		"please visit the following url",
+		"enter the authorization code",
+		"authorized the application"
+	].some((m) => normalized.includes(m));
+	if (authSuccessPatterns.some((pattern) => normalized.includes(pattern.toLowerCase()) && (authInitiated || normalized.includes("logged in with google")))) return "success";
+	if (authFailurePatterns.some((pattern) => normalized.includes(pattern.toLowerCase()))) return "failure";
 	return "pending";
 };
-var geminiOauthCallbackPort = 38751;
-var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath) => ({
+var defaultGeminiOauthCallbackPort = 38751;
+var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath, port) => ({
 	cwd,
 	image,
 	hostPath: accountPath,
 	containerPath,
-	callbackPort: geminiOauthCallbackPort,
+	callbackPort: port,
 	env: [
 		`HOME=${containerPath}`,
 		"NO_BROWSER=true",
-		"GEMINI_CLI_NONINTERACTIVE=false",
-		`OAUTH_CALLBACK_PORT=${geminiOauthCallbackPort}`,
+		"GEMINI_CLI_NONINTERACTIVE=true",
+		"GEMINI_CLI_TRUST_ALL=true",
+		`OAUTH_CALLBACK_PORT=${port}`,
 		"OAUTH_CALLBACK_HOST=0.0.0.0"
 	]
 });
@@ -6542,8 +6620,6 @@ var buildDockerGeminiAuthArgs = (spec) => {
 		"-p",
 		`${spec.callbackPort}:${spec.callbackPort}`
 	];
-	const dockerUser = resolveDefaultDockerUser();
-	if (dockerUser !== null) base.push("--user", dockerUser);
 	for (const entry of spec.env) {
 		const trimmed = entry.trim();
 		if (trimmed.length === 0) continue;
@@ -6553,21 +6629,51 @@ var buildDockerGeminiAuthArgs = (spec) => {
 		...base,
 		spec.image,
 		"gemini",
+		"login",
 		"--debug"
 	];
 };
+var cleanupExistingContainers = (port) => Effect.gen(function* (_) {
+	const ids = (yield* _(runCommandCapture({
+		cwd: process.cwd(),
+		command: "docker",
+		args: [
+			"ps",
+			"-q",
+			"--filter",
+			`publish=${port}`
+		]
+	}, [0], () => /* @__PURE__ */ new Error("docker ps failed")).pipe(Effect.map((value) => value.trim()), Effect.orElseSucceed(() => "")))).split("\n").filter(Boolean);
+	if (ids.length > 0) {
+		yield* _(Effect.logInfo(`Cleaning up existing containers using port ${port}: ${ids.join(", ")}`));
+		yield* _(runCommandExitCode({
+			cwd: process.cwd(),
+			command: "docker",
+			args: [
+				"rm",
+				"-f",
+				...ids
+			]
+		}).pipe(Effect.orElse(() => Effect.succeed(0))));
+	}
+});
 var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerGeminiAuthArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
-var pumpDockerOutput = (source, fd, resultBox) => {
+var pumpDockerOutput = (source, fd, resultBox, authDeferred) => {
 	const decoder = new TextDecoder("utf-8");
 	let outputWindow = "";
-	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
-		writeChunkToFd(fd, chunk);
+	return pipe(source, Stream.runForEach((chunk) => Effect.gen(function* (_) {
+		yield* _(Effect.sync(() => {
+			writeChunkToFd(fd, chunk);
+		}));
 		outputWindow += decoder.decode(chunk);
 		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
 		if (resultBox.value !== "pending") return;
 		const result = detectAuthResult(outputWindow);
-		if (result !== "pending") resultBox.value = result;
-	}).pipe(Effect.asVoid))).pipe(Effect.asVoid);
+		if (result !== "pending") {
+			resultBox.value = result;
+			if (result === "success") yield* _(Deferred.succeed(authDeferred, void 0));
+		}
+	}))).pipe(Effect.asVoid);
 };
 var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
 	if (result === "success") {
@@ -6581,7 +6687,7 @@ var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
 	})));
 });
 var printOauthInstructions = () => Effect.sync(() => {
-	const port = geminiOauthCallbackPort;
+	const port = defaultGeminiOauthCallbackPort;
 	process.stderr.write("\n");
 	process.stderr.write("╔═══════════════════════════════════════════════════════════════════════════╗\n");
 	process.stderr.write("║                    Gemini CLI OAuth Authentication                        ║\n");
@@ -6593,15 +6699,37 @@ var printOauthInstructions = () => Effect.sync(() => {
 	process.stderr.write("╚═══════════════════════════════════════════════════════════════════════════╝\n");
 	process.stderr.write("\n");
 });
+var fixGeminiAuthPermissions = (hostPath, containerPath) => runCommandExitCode({
+	cwd: process.cwd(),
+	command: "docker",
+	args: [
+		"run",
+		"--rm",
+		"-v",
+		`${hostPath}:${containerPath}`,
+		"alpine",
+		"chmod",
+		"-R",
+		"777",
+		containerPath
+	]
+}).pipe(Effect.tapError((err) => Effect.logWarning(`Failed to fix Gemini auth permissions: ${String(err)}`)), Effect.orElse(() => Effect.succeed(0)));
 var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped(Effect.gen(function* (_) {
+	const port = defaultGeminiOauthCallbackPort;
+	yield* _(cleanupExistingContainers(port));
 	yield* _(printOauthInstructions());
-	const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerGeminiAuthSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+	const executor = yield* _(CommandExecutor.CommandExecutor);
+	const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath));
+	const spec = buildDockerGeminiAuthSpec(cwd, hostPath, options.image, options.containerPath, port);
+	const proc = yield* _(startDockerProcess(executor, spec));
+	const authDeferred = yield* _(Deferred.make());
 	const resultBox = { value: "pending" };
-	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox)));
-	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox)));
-	const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
+	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox, authDeferred)));
+	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox, authDeferred)));
+	const exitCode = yield* _(Effect.race(proc.exitCode.pipe(Effect.map(Number)), pipe(Deferred.await(authDeferred), Effect.flatMap(() => proc.kill()), Effect.map(() => 0))));
 	yield* _(Fiber$1.join(stdoutFiber));
 	yield* _(Fiber$1.join(stderrFiber));
+	yield* _(fixGeminiAuthPermissions(hostPath, spec.containerPath));
 	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
 }));
 //#endregion
@@ -6715,15 +6843,52 @@ var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
 	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: login via OAuth"));
 	yield* _(Effect.log("   - Follow the prompts to authenticate with your Google account"));
 });
+var prepareGeminiCredentialsDir = (cwd, accountPath, fs) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	const removeFallback = pipe(runCommandExitCode({
+		cwd,
+		command: "docker",
+		args: [
+			"run",
+			"--rm",
+			"-v",
+			`${accountPath}:/target`,
+			"alpine",
+			"rm",
+			"-rf",
+			"/target/.gemini"
+		]
+	}), Effect.asVoid, Effect.orElse(() => Effect.void));
+	yield* _(fs.remove(credentialsDir, {
+		recursive: true,
+		force: true
+	}).pipe(Effect.orElse(() => removeFallback)));
+	yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+	return credentialsDir;
+});
+var writeInitialSettings = (credentialsDir, fs) => Effect.gen(function* (_) {
+	const settingsPath = `${credentialsDir}/settings.json`;
+	yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: { folderTrust: { enabled: false } } })));
+	const trustedFoldersPath = `${credentialsDir}/trustedFolders.json`;
+	yield* _(fs.writeFileString(trustedFoldersPath, JSON.stringify({
+		"/": "TRUST_FOLDER",
+		[geminiContainerHomeDir]: "TRUST_FOLDER"
+	})));
+	return settingsPath;
+});
 var authGeminiLoginOauth = (command) => {
 	const accountLabel = normalizeAccountLabel(command.label, "default");
 	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
-		const credentialsDir = geminiCredentialsPath(accountPath);
-		yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+		const settingsPath = yield* _(writeInitialSettings(yield* _(prepareGeminiCredentialsDir(cwd, accountPath, fs)), fs));
 		yield* _(runGeminiOauthLoginWithPrompt(cwd, accountPath, {
 			image: geminiImageName,
 			containerPath: geminiContainerHomeDir
 		}));
+		yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: {
+			folderTrust: { enabled: false },
+			auth: { selectedType: "oauth-personal" },
+			approvalPolicy: "never"
+		} }, null, 2) + "\n"));
 	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
 };
 var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
@@ -8098,7 +8263,8 @@ var buildClaudeCommand = (action, options) => Match.value(action).pipe(Match.whe
 var buildGeminiCommand = (action, options) => Match.value(action).pipe(Match.when("login", () => Either.right({
 	_tag: "AuthGeminiLogin",
 	label: options.label,
-	geminiAuthPath: options.geminiAuthPath
+	geminiAuthPath: options.geminiAuthPath,
+	isWeb: options.authWeb
 })), Match.when("status", () => Either.right({
 	_tag: "AuthGeminiStatus",
 	label: options.label,
@@ -9588,12 +9754,14 @@ var resolveClaudeLogoutEffect = (labelOption) => authClaudeLogout({
 var resolveGeminiOauthEffect = (labelOption) => authGeminiLoginOauth({
 	_tag: "AuthGeminiLogin",
 	label: labelOption,
-	geminiAuthPath: geminiAuthRoot
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
 });
 var resolveGeminiApiKeyEffect = (labelOption, apiKey) => authGeminiLogin({
 	_tag: "AuthGeminiLogin",
 	label: labelOption,
-	geminiAuthPath: geminiAuthRoot
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
 }, apiKey);
 var resolveGeminiLogoutEffect = (labelOption) => authGeminiLogout({
 	_tag: "AuthGeminiLogout",
@@ -11378,7 +11546,7 @@ var setExitCode = (code) => Effect.sync(() => {
 });
 var logWarningAndExit = (error) => pipe(Effect.logWarning(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
 var logErrorAndExit = (error) => pipe(Effect.logError(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
-var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
+var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => cmd.isWeb ? authGeminiLoginOauth(cmd) : authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
 var program = pipe(readCommand, Effect.flatMap((command) => Match.value(command).pipe(Match.when({ _tag: "Help" }, ({ message }) => Effect.log(message)), Match.when({ _tag: "Create" }, (create) => createProject(create)), Match.when({ _tag: "Status" }, () => listProjectStatus), Match.when({ _tag: "DownAll" }, () => downAllDockerGitProjects), Match.when({ _tag: "Menu" }, () => runMenu), Match.orElse((cmd) => handleNonBaseCommand(cmd)))), Effect.catchTag("FileExistsError", (error) => pipe(Effect.logWarning(renderError(error)), Effect.asVoid)), Effect.catchTag("DockerAccessError", logWarningAndExit), Effect.catchTag("DockerCommandError", logWarningAndExit), Effect.catchTag("AuthError", logWarningAndExit), Effect.catchTag("AgentFailedError", logWarningAndExit), Effect.catchTag("CommandFailedError", logWarningAndExit), Effect.catchTag("ScrapArchiveNotFoundError", logErrorAndExit), Effect.catchTag("ScrapTargetDirUnsupportedError", logErrorAndExit), Effect.catchTag("ScrapWipeRefusedError", logErrorAndExit), Effect.matchEffect({
 	onFailure: (error) => isParseError(error) ? logErrorAndExit(error) : pipe(Effect.logError(renderError(error)), Effect.flatMap(() => Effect.fail(error))),
 	onSuccess: () => Effect.void