@prover-coder-ai/docker-git 1.0.44 → 1.0.46

package/dist/src/docker-git/main.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { NodeContext, NodeRuntime } from "@effect/platform-node";
-import { Data, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
+import { Data, Deferred, Duration, Effect, Either, Fiber, Match, Option, Schedule, pipe } from "effect";
 import * as FileSystem from "@effect/platform/FileSystem";
 import * as Path from "@effect/platform/Path";
 import * as Command from "@effect/platform/Command";
@@ -286,7 +286,7 @@ var runCommandWithExitCodes = (spec, okExitCodes, onFailure) => Effect.gen(funct
 	const exitCode = yield* _(Command.exitCode(buildCommand(spec, "inherit", "inherit", "inherit")));
 	yield* _(ensureExitCode(Number(exitCode), okExitCodes, onFailure));
 });
-var runCommandExitCode = (spec) => Effect.map(Command.exitCode(buildCommand(spec, "pipe", "pipe", "inherit")), Number);
+var runCommandExitCode = (spec) => Effect.map(Command.exitCode(buildCommand(spec, "pipe", "pipe", "pipe")), Number);
 var collectUint8Array$1 = (chunks) => Chunk.reduce(chunks, new Uint8Array(), (acc, curr) => {
 	const next = new Uint8Array(acc.length + curr.length);
 	next.set(acc);
@@ -1394,7 +1394,7 @@ var readProjectConfig = (baseDir) => Effect.gen(function* (_) {
 //#endregion
 //#region ../lib/src/usecases/docker-git-config-search.ts
 var isDockerGitConfig = (entry) => entry.endsWith("docker-git.json");
-var shouldSkipDir = (entry) => entry === ".git" || entry === ".orch" || entry === ".docker-git" || entry === ".cache";
+var shouldSkipDir = (entry) => entry === ".git" || entry === ".orch" || entry === ".docker-git" || entry === ".cache" || entry === "node_modules";
 var isNotFoundStatError = (error) => error._tag === "SystemError" && error.reason === "NotFound";
 var processDockerGitEntry = (fs, path, dir, entry, state) => Effect.gen(function* (_) {
 	if (shouldSkipDir(entry)) return;
@@ -1620,6 +1620,7 @@ var resolveTemplateResourceLimits = (template) => Effect.succeed(withDefaultReso
 var successExitCode = Number(ExitCode(0));
 var gitBaseEnv$1 = {
 	GIT_TERMINAL_PROMPT: "0",
+	GIT_SSH_COMMAND: "ssh -o BatchMode=yes",
 	GIT_AUTHOR_NAME: "docker-git",
 	GIT_AUTHOR_EMAIL: "docker-git@users.noreply.github.com",
 	GIT_COMMITTER_NAME: "docker-git",
@@ -2178,6 +2179,7 @@ elif [[ "$TARGET_DIR" == "~/"* ]]; then
 fi
 CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 CODEX_AUTH_LABEL="\${CODEX_AUTH_LABEL:-}"
+GEMINI_AUTH_LABEL="\${GEMINI_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-x-access-token}}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
 GH_TOKEN="\${GH_TOKEN:-\${GIT_AUTH_TOKEN:-}}"
@@ -2980,8 +2982,8 @@ var renderEntrypointAgentsNotice = (config) => entrypointAgentsNoticeTemplate.re
 //#endregion
 //#region ../lib/src/core/templates-entrypoint/gemini.ts
 var geminiAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/gemini`;
-var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_API_KEY for SSH sessions (API key stored under ~/.docker-git/.orch/auth/gemini)
-GEMINI_LABEL_RAW="${"$"}{GEMINI_AUTH_LABEL:-}"
+var geminiAuthConfigTemplate = String.raw`# Gemini CLI: expose GEMINI_HOME for sessions (OAuth cache lives under ~/.docker-git/.orch/auth/gemini)
+GEMINI_LABEL_RAW="$GEMINI_AUTH_LABEL"
 if [[ -z "$GEMINI_LABEL_RAW" ]]; then
   GEMINI_LABEL_RAW="default"
 fi
@@ -2994,29 +2996,16 @@ if [[ -z "$GEMINI_LABEL_NORM" ]]; then
 fi
 
 GEMINI_AUTH_ROOT="__GEMINI_AUTH_ROOT__"
-GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
+export GEMINI_CONFIG_DIR="$GEMINI_AUTH_ROOT/$GEMINI_LABEL_NORM"
 
-# Backward compatibility: if default auth is stored directly under gemini root, reuse it.
-if [[ "$GEMINI_LABEL_NORM" == "default" ]]; then
-  GEMINI_ROOT_ENV_FILE="$GEMINI_AUTH_ROOT/.env"
-  if [[ -f "$GEMINI_ROOT_ENV_FILE" ]]; then
-    GEMINI_AUTH_DIR="$GEMINI_AUTH_ROOT"
-  fi
-fi
-
-mkdir -p "$GEMINI_AUTH_DIR" || true
+mkdir -p "$GEMINI_CONFIG_DIR" || true
 GEMINI_HOME_DIR="__GEMINI_HOME_DIR__"
 mkdir -p "$GEMINI_HOME_DIR" || true
 
-GEMINI_API_KEY_FILE="$GEMINI_AUTH_DIR/.api-key"
-GEMINI_ENV_FILE="$GEMINI_AUTH_DIR/.env"
-GEMINI_HOME_ENV_FILE="$GEMINI_HOME_DIR/.env"
-
 docker_git_link_gemini_file() {
   local source_path="$1"
   local link_path="$2"
 
-  # Preserve user-created regular files and seed config dir once.
   if [[ -e "$link_path" && ! -L "$link_path" ]]; then
     if [[ -f "$link_path" && ! -e "$source_path" ]]; then
       cp "$link_path" "$source_path" || true
@@ -3028,91 +3017,170 @@ docker_git_link_gemini_file() {
   ln -sfn "$source_path" "$link_path" || true
 }
 
-# Link Gemini .env file from auth dir to home dir
-docker_git_link_gemini_file "$GEMINI_ENV_FILE" "$GEMINI_HOME_ENV_FILE"
-
-docker_git_refresh_gemini_api_key() {
-  local api_key=""
-  # Try to read from dedicated API key file first
-  if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
-    api_key="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
-  fi
-  # Fall back to .env file
-  if [[ -z "$api_key" && -f "$GEMINI_ENV_FILE" ]]; then
-    api_key="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
-  fi
-  if [[ -n "$api_key" ]]; then
-    export GEMINI_API_KEY="$api_key"
-  else
-    unset GEMINI_API_KEY || true
-  fi
-}
+# Link .api-key and .env from central auth storage to container home
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.api-key" "$GEMINI_HOME_DIR/.api-key"
+docker_git_link_gemini_file "$GEMINI_CONFIG_DIR/.env" "$GEMINI_HOME_DIR/.env"
 
-docker_git_refresh_gemini_api_key`;
-var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", `/home/${config.sshUser}/.gemini`);
-var renderGeminiCliInstall = () => String.raw`# Gemini CLI: ensure CLI command exists (non-blocking startup self-heal)
-docker_git_ensure_gemini_cli() {
-  if command -v gemini >/dev/null 2>&1; then
-    return 0
+# Ensure gemini YOLO wrapper exists
+GEMINI_REAL_BIN="$(command -v gemini || echo "/usr/local/bin/gemini")"
+GEMINI_WRAPPER_BIN="/usr/local/bin/gemini-wrapper"
+if [[ -f "$GEMINI_REAL_BIN" && "$GEMINI_REAL_BIN" != "$GEMINI_WRAPPER_BIN" ]]; then
+  if [[ ! -f "$GEMINI_WRAPPER_BIN" ]]; then
+    cat <<'EOF' > "$GEMINI_WRAPPER_BIN"
+#!/usr/bin/env bash
+GEMINI_ORIGINAL_BIN="__GEMINI_REAL_BIN__"
+exec "$GEMINI_ORIGINAL_BIN" --yolo "$@"
+EOF
+    sed -i "s#__GEMINI_REAL_BIN__#$GEMINI_REAL_BIN#g" "$GEMINI_WRAPPER_BIN" || true
+    chmod 0755 "$GEMINI_WRAPPER_BIN" || true
+    # Create an alias or symlink if needed, but here we just ensure it exists
   fi
+fi
 
-  if ! command -v npm >/dev/null 2>&1; then
-    return 0
+# Special case for .gemini folder: we want the folder itself to be the link if it doesn't exist
+# or its content to be linked if we want to manage it.
+if [[ -d "$GEMINI_CONFIG_DIR/.gemini" ]]; then
+  if [[ -L "$GEMINI_HOME_DIR" ]]; then
+    rm -f "$GEMINI_HOME_DIR"
+  elif [[ -d "$GEMINI_HOME_DIR" ]]; then
+    # If it's a real directory, move it aside if it's empty or just has our managed files
+    mv "$GEMINI_HOME_DIR" "$GEMINI_HOME_DIR.bak-$(date +%s)" || true
   fi
+  ln -sfn "$GEMINI_CONFIG_DIR/.gemini" "$GEMINI_HOME_DIR"
+fi
 
-  NPM_ROOT="$(npm root -g 2>/dev/null || true)"
-  GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
-  if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
-    echo "docker-git: gemini cli.js not found under npm global root; skip shim restore" >&2
-    return 0
+docker_git_refresh_gemini_env() {
+  # If .api-key exists, export it as GEMINI_API_KEY
+  if [[ -f "$GEMINI_HOME_DIR/.api-key" ]]; then
+    export GEMINI_API_KEY="$(cat "$GEMINI_HOME_DIR/.api-key" | tr -d '\r\n')"
+  elif [[ -f "$GEMINI_HOME_DIR/.env" ]]; then
+    # Parse GEMINI_API_KEY from .env
+    API_KEY="$(grep "^GEMINI_API_KEY=" "$GEMINI_HOME_DIR/.env" | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//")"
+    if [[ -n "$API_KEY" ]]; then
+      export GEMINI_API_KEY="$API_KEY"
+    fi
   fi
+}
 
-  # Rebuild a minimal shim when npm package exists but binary link is missing.
-  cat <<'EOF' > /usr/local/bin/gemini
-#!/usr/bin/env bash
-set -euo pipefail
+docker_git_refresh_gemini_env`;
+var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", config.geminiHome);
+var renderGeminiPermissionSettingsConfig = (config) => String.raw`# Gemini CLI: keep trust settings in sync with docker-git defaults
+GEMINI_SETTINGS_DIR="${config.geminiHome}"
+GEMINI_TRUST_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/trustedFolders.json"
+GEMINI_CONFIG_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/settings.json"
 
-if ! command -v npm >/dev/null 2>&1; then
-  echo "gemini: npm is required but missing" >&2
-  exit 127
-fi
+# Wait for symlink to be established by the auth config step
+mkdir -p "$GEMINI_SETTINGS_DIR" || true
 
-NPM_ROOT="$(npm root -g 2>/dev/null || true)"
-GEMINI_CLI_JS="$NPM_ROOT/@google/gemini-cli/build/cli.js"
-if [[ -z "$NPM_ROOT" || ! -f "$GEMINI_CLI_JS" ]]; then
-  echo "gemini: cli.js not found under npm global root" >&2
-  exit 127
+# Disable folder trust prompt and enable auto-approval in settings.json
+if [[ ! -f "$GEMINI_CONFIG_SETTINGS_FILE" ]]; then
+  cat <<'EOF' > "$GEMINI_CONFIG_SETTINGS_FILE"
+{
+  "security": {
+    "folderTrust": {
+      "enabled": false
+    },
+    "approvalPolicy": "never"
+  }
+}
+EOF
 fi
 
-exec node "$GEMINI_CLI_JS" "$@"
-EOF
-  chmod 0755 /usr/local/bin/gemini || true
-  ln -sf /usr/local/bin/gemini /usr/bin/gemini || true
+# Pre-trust important directories in trustedFolders.json
+# Use flat mapping as required by recent Gemini CLI versions
+cat <<'EOF' > "$GEMINI_TRUST_SETTINGS_FILE"
+{
+  "/": "TRUST_FOLDER",
+  "${config.geminiHome}": "TRUST_FOLDER",
+  "${config.targetDir}": "TRUST_FOLDER"
 }
+EOF
 
-docker_git_ensure_gemini_cli`;
-var renderGeminiProfileSetup = () => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
-printf "export GEMINI_AUTH_LABEL=%q\n" "${"$"}{GEMINI_AUTH_LABEL:-default}" > "$GEMINI_PROFILE"
+chown -R 1000:1000 "$GEMINI_SETTINGS_DIR" || true
+chmod 0600 "$GEMINI_TRUST_SETTINGS_FILE" "$GEMINI_CONFIG_SETTINGS_FILE" 2>/dev/null || true`;
+var renderGeminiSudoConfig = (config) => String.raw`# Gemini CLI: allow passwordless sudo for agent tasks
+if [[ -d /etc/sudoers.d ]]; then
+  echo "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/gemini-agent
+  chmod 0440 /etc/sudoers.d/gemini-agent
+fi`;
+var renderGeminiMcpPlaywrightConfig = (_config) => String.raw`# Gemini CLI: keep Playwright MCP config in sync (TODO: Gemini CLI MCP integration format)
+# For now, Gemini CLI uses MCP via ~/.gemini/settings.json or command line.
+# We'll ensure it has the same Playwright capability as Claude/Codex once format is confirmed.`;
+var renderGeminiProfileSetup = (config) => String.raw`GEMINI_PROFILE="/etc/profile.d/gemini-config.sh"
+printf "export GEMINI_AUTH_LABEL=%q\n" "$GEMINI_AUTH_LABEL" > "$GEMINI_PROFILE"
+printf "export GEMINI_HOME=%q\n" "${config.geminiHome}" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_DISABLE_UPDATE_CHECK=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_NONINTERACTIVE=true\n" >> "$GEMINI_PROFILE"
+printf "export GEMINI_CLI_APPROVAL_MODE=yolo\n" >> "$GEMINI_PROFILE"
+printf "alias gemini='/usr/local/bin/gemini-wrapper'\n" >> "$GEMINI_PROFILE"
 cat <<'EOF' >> "$GEMINI_PROFILE"
-GEMINI_API_KEY_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.api-key"
-GEMINI_ENV_FILE="${"$"}{GEMINI_AUTH_DIR:-$HOME/.gemini}/.env"
-if [[ -f "$GEMINI_API_KEY_FILE" ]]; then
-  export GEMINI_API_KEY="$(tr -d '\r\n' < "$GEMINI_API_KEY_FILE")"
-elif [[ -f "$GEMINI_ENV_FILE" ]]; then
-  GEMINI_KEY="$(grep -E '^GEMINI_API_KEY=' "$GEMINI_ENV_FILE" 2>/dev/null | head -1 | cut -d'=' -f2- | tr -d '\r\n' | sed "s/^['\"]//;s/['\"]$//")"
-  if [[ -n "$GEMINI_KEY" ]]; then
-    export GEMINI_API_KEY="$GEMINI_KEY"
-  fi
+if [[ -f "$GEMINI_HOME/.api-key" ]]; then
+  export GEMINI_API_KEY="$(cat "$GEMINI_HOME/.api-key" | tr -d '\r\n')"
 fi
 EOF
 chmod 0644 "$GEMINI_PROFILE" || true
 
-docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "${"$"}{GEMINI_AUTH_LABEL:-default}"
-docker_git_upsert_ssh_env "GEMINI_API_KEY" "${"$"}{GEMINI_API_KEY:-}"`;
+docker_git_upsert_ssh_env "GEMINI_AUTH_LABEL" "$GEMINI_AUTH_LABEL"
+docker_git_upsert_ssh_env "GEMINI_API_KEY" "\${GEMINI_API_KEY:-}"
+docker_git_upsert_ssh_env "GEMINI_CLI_DISABLE_UPDATE_CHECK" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_NONINTERACTIVE" "true"
+docker_git_upsert_ssh_env "GEMINI_CLI_APPROVAL_MODE" "yolo"`;
+var entrypointGeminiNoticeTemplate = String.raw`# Ensure global GEMINI.md exists for container context
+GEMINI_MD_PATH="__GEMINI_HOME__/GEMINI.md"
+GEMINI_WORKSPACE_CONTEXT="Контекст workspace: repository"
+if [[ "$REPO_REF" == issue-* ]]; then
+  ISSUE_ID="$(printf "%s" "$REPO_REF" | sed -E 's#^issue-##')"
+  ISSUE_URL=""
+  if [[ "$REPO_URL" == https://github.com/* ]]; then
+    ISSUE_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO" ]]; then
+      ISSUE_URL="https://github.com/$ISSUE_REPO/issues/$ISSUE_ID"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID ($ISSUE_URL)"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID"
+  fi
+elif [[ "$REPO_REF" == refs/pull/*/head ]]; then
+  PR_ID="$(printf "%s" "$REPO_REF" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL=""
+  if [[ "$REPO_URL" == https://github.com/* && -n "$PR_ID" ]]; then
+    PR_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO" ]]; then
+      PR_URL="https://github.com/$PR_REPO/pull/$PR_ID"
+    fi
+  fi
+  if [[ -n "$PR_ID" && -n "$PR_URL" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID ($PR_URL)"
+  elif [[ -n "$PR_ID" ]]; then
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID"
+  else
+    GEMINI_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF)"
+  fi
+fi
+
+cat <<EOF > "$GEMINI_MD_PATH"
+<!-- docker-git-managed:gemini-md -->
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, gemini, claude, opencode, oh-my-opencode, sshpass, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$GEMINI_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Для решения задач обязательно используй subagents. Сам агент обязан выполнять финальную проверку, интеграцию и валидацию результата перед ответом пользователю.
+Если ты видишь файлы AGENTS.md, GEMINI.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+<!-- /docker-git-managed:gemini-md -->
+EOF
+chown 1000:1000 "$GEMINI_MD_PATH" || true`;
+var renderEntrypointGeminiNotice = (config) => entrypointGeminiNoticeTemplate.replaceAll("__GEMINI_HOME__", config.geminiHome).replaceAll("__TARGET_DIR__", config.targetDir);
 var renderEntrypointGeminiConfig = (config) => [
 	renderGeminiAuthConfig(config),
-	renderGeminiCliInstall(),
-	renderGeminiProfileSetup()
+	renderGeminiPermissionSettingsConfig(config),
+	renderGeminiMcpPlaywrightConfig(config),
+	renderGeminiSudoConfig(config),
+	renderGeminiProfileSetup(config),
+	renderEntrypointGeminiNotice(config)
 ].join("\n\n");
 //#endregion
 //#region ../lib/src/core/templates-entrypoint/git.ts
@@ -3680,6 +3748,7 @@ AGENT_ENV_FILE="/run/docker-git/agent-env.sh"
 {
   [[ -f /etc/profile.d/gh-token.sh ]] && cat /etc/profile.d/gh-token.sh
   [[ -f /etc/profile.d/claude-config.sh ]] && cat /etc/profile.d/claude-config.sh
+  [[ -f /etc/profile.d/gemini-config.sh ]] && cat /etc/profile.d/gemini-config.sh
 } > "$AGENT_ENV_FILE" 2>/dev/null || true
 chmod 644 "$AGENT_ENV_FILE"`,
 	renderAgentPrompt(),
@@ -3689,7 +3758,7 @@ if [[ -n "$AGENT_PROMPT" ]]; then
   chmod 644 "$AGENT_PROMPT_FILE"
 fi`
 ].join("\n\n");
-var renderAgentPromptCommand = (mode) => mode === "claude" ? String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"` : String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`;
+var renderAgentPromptCommand = (mode) => Match.value(mode).pipe(Match.when("claude", () => String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("codex", () => String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`), Match.exhaustive);
 var renderAgentAutoLaunchCommand = (config, mode) => String.raw`su - ${config.sshUser} -s /bin/bash -c "bash -lc '. /etc/profile 2>/dev/null || true; . \"$AGENT_ENV_FILE\" 2>/dev/null || true; cd \"$TARGET_DIR\" && ${renderAgentPromptCommand(mode)}'"`;
 var renderAgentModeBlock = (config, mode) => {
 	const startMessage = `[agent] starting ${mode}...`;
@@ -3710,6 +3779,7 @@ var renderAgentModeCase = (config) => [
 	String.raw`case "$AGENT_MODE" in`,
 	indentBlock(renderAgentModeBlock(config, "claude")),
 	indentBlock(renderAgentModeBlock(config, "codex")),
+	indentBlock(renderAgentModeBlock(config, "gemini")),
 	indentBlock(String.raw`*)
   echo "[agent] unknown agent mode: $AGENT_MODE"
   ;;`),
@@ -4182,7 +4252,9 @@ RUN set -eu; \
   npm install -g oh-my-opencode@latest "oh-my-opencode-linux-\${OH_MY_OPENCODE_ARCH}@latest"
 RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
-RUN claude --version`;
+RUN claude --version
+RUN npm install -g @google/gemini-cli@latest --force
+RUN gemini --version`;
 var renderDockerfileOpenCode = () => `# Tooling: OpenCode (binary)
 RUN set -eu; \
   for attempt in 1 2 3 4 5; do \
@@ -6494,6 +6566,150 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
+//#region ../lib/src/usecases/auth-gemini-helpers.ts
+var geminiImageName = "docker-git-auth-gemini:latest";
+var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
+var geminiContainerHomeDir = "/gemini-home";
+var geminiCredentialsDir$1 = ".gemini";
+var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
+var geminiApiKeyFileName = ".api-key";
+var geminiEnvFileName = ".env";
+var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
+var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
+var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
+var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @google/gemini-cli@0.33.2
+`;
+var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath: defaultTemplateConfig.envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ".docker-git/.orch/auth/gh",
+	claudeAuthPath: ".docker-git/.orch/auth/claude",
+	geminiAuthPath: ".docker-git/.orch/auth/gemini"
+});
+var resolveGeminiAccountPath = (path, rootPath, label) => {
+	const accountLabel = normalizeAccountLabel(label, "default");
+	return {
+		accountLabel,
+		accountPath: path.join(rootPath, accountLabel)
+	};
+};
+var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGeminiOrchLayout(cwd));
+	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
+	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
+	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
+		imageName: geminiImageName,
+		imageDir: geminiImageDir,
+		dockerfile: renderGeminiDockerfile(),
+		buildLabel: "gemini auth"
+	}));
+	return yield* _(run({
+		accountLabel,
+		accountPath,
+		cwd,
+		fs
+	}));
+}));
+var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
+	const apiKeyFilePath = geminiApiKeyPath(accountPath);
+	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
+		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
+		if (trimmed.length > 0) return trimmed;
+	}
+	const envFilePath = geminiEnvFilePath(accountPath);
+	if (yield* _(isRegularFile$1(fs, envFilePath))) {
+		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("GEMINI_API_KEY=")) {
+				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
+				if (value.length > 0) return value;
+			}
+		}
+	}
+	return null;
+});
+var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	if (!(yield* _(fs.exists(credentialsDir)))) return false;
+	const possibleFiles = [
+		`${credentialsDir}/oauth-tokens.json`,
+		`${credentialsDir}/credentials.json`,
+		`${credentialsDir}/application_default_credentials.json`
+	];
+	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
+	return false;
+});
+var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
+	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
+});
+var prepareGeminiCredentialsDir = (cwd, accountPath, fs) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	const removeFallback = pipe(runCommandExitCode({
+		cwd,
+		command: "docker",
+		args: [
+			"run",
+			"--rm",
+			"-v",
+			`${accountPath}:/target`,
+			"alpine",
+			"rm",
+			"-rf",
+			"/target/.gemini"
+		]
+	}), Effect.asVoid, Effect.orElse(() => Effect.void));
+	yield* _(fs.remove(credentialsDir, {
+		recursive: true,
+		force: true
+	}).pipe(Effect.orElse(() => removeFallback)));
+	yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+	yield* _(runCommandExitCode({
+		cwd,
+		command: "chmod",
+		args: [
+			"-R",
+			"777",
+			credentialsDir
+		]
+	}).pipe(Effect.orElse(() => Effect.succeed(0))));
+	return credentialsDir;
+});
+var writeInitialSettings = (credentialsDir, fs) => Effect.gen(function* (_) {
+	const settingsPath = `${credentialsDir}/settings.json`;
+	yield* _(fs.writeFileString(settingsPath, JSON.stringify({
+		model: {
+			name: "gemini-2.0-flash",
+			compressionThreshold: .9,
+			disableLoopDetection: true
+		},
+		general: { defaultApprovalMode: "auto_edit" },
+		yolo: true,
+		sandbox: { enabled: false },
+		security: {
+			folderTrust: { enabled: false },
+			auth: { selectedType: "oauth-personal" },
+			approvalPolicy: "never"
+		}
+	}, null, 2)));
+	const trustedFoldersPath = `${credentialsDir}/trustedFolders.json`;
+	yield* _(fs.writeFileString(trustedFoldersPath, JSON.stringify({
+		"/": "TRUST_FOLDER",
+		[geminiContainerHomeDir]: "TRUST_FOLDER"
+	})));
+	return settingsPath;
+});
+//#endregion
 //#region ../lib/src/usecases/auth-gemini-oauth.ts
 var outputWindowSize = 262144;
 var authSuccessPatterns = [
@@ -6512,22 +6728,29 @@ var authFailurePatterns = [
 ];
 var detectAuthResult = (output) => {
 	const normalized = stripAnsi(output).toLowerCase();
-	for (const pattern of authSuccessPatterns) if (normalized.includes(pattern.toLowerCase())) return "success";
-	for (const pattern of authFailurePatterns) if (normalized.includes(pattern.toLowerCase())) return "failure";
+	const authInitiated = [
+		"please visit the following url",
+		"enter the authorization code",
+		"authorized the application"
+	].some((m) => normalized.includes(m));
+	if (authSuccessPatterns.some((pattern) => normalized.includes(pattern.toLowerCase()) && (authInitiated || normalized.includes("logged in with google")))) return "success";
+	if (authFailurePatterns.some((pattern) => normalized.includes(pattern.toLowerCase()))) return "failure";
 	return "pending";
 };
-var geminiOauthCallbackPort = 38751;
-var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath) => ({
+var defaultGeminiOauthCallbackPort = 38751;
+var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath, port) => ({
 	cwd,
 	image,
 	hostPath: accountPath,
 	containerPath,
-	callbackPort: geminiOauthCallbackPort,
+	callbackPort: port,
 	env: [
 		`HOME=${containerPath}`,
 		"NO_BROWSER=true",
-		"GEMINI_CLI_NONINTERACTIVE=false",
-		`OAUTH_CALLBACK_PORT=${geminiOauthCallbackPort}`,
+		"GEMINI_CLI_NONINTERACTIVE=true",
+		"GEMINI_CLI_TRUST_ALL=true",
+		"GEMINI_DISABLE_UPDATE_CHECK=true",
+		`OAUTH_CALLBACK_PORT=${port}`,
 		"OAUTH_CALLBACK_HOST=0.0.0.0"
 	]
 });
@@ -6535,15 +6758,16 @@ var buildDockerGeminiAuthArgs = (spec) => {
 	const base = [
 		"run",
 		"--rm",
+		"--init",
 		"-i",
 		"-t",
 		"-v",
 		`${spec.hostPath}:${spec.containerPath}`,
 		"-p",
-		`${spec.callbackPort}:${spec.callbackPort}`
+		`${spec.callbackPort}:${spec.callbackPort}`,
+		"-w",
+		spec.containerPath
 	];
-	const dockerUser = resolveDefaultDockerUser();
-	if (dockerUser !== null) base.push("--user", dockerUser);
 	for (const entry of spec.env) {
 		const trimmed = entry.trim();
 		if (trimmed.length === 0) continue;
@@ -6553,21 +6777,52 @@ var buildDockerGeminiAuthArgs = (spec) => {
 		...base,
 		spec.image,
 		"gemini",
+		"mcp",
+		"list",
 		"--debug"
 	];
 };
+var cleanupExistingContainers = (port) => Effect.gen(function* (_) {
+	const ids = (yield* _(runCommandCapture({
+		cwd: process.cwd(),
+		command: "docker",
+		args: [
+			"ps",
+			"-q",
+			"--filter",
+			`publish=${port}`
+		]
+	}, [0], () => /* @__PURE__ */ new Error("docker ps failed")).pipe(Effect.map((value) => value.trim()), Effect.orElseSucceed(() => "")))).split("\n").filter(Boolean);
+	if (ids.length > 0) {
+		yield* _(Effect.logInfo(`Cleaning up existing containers using port ${port}: ${ids.join(", ")}`));
+		yield* _(runCommandExitCode({
+			cwd: process.cwd(),
+			command: "docker",
+			args: [
+				"rm",
+				"-f",
+				...ids
+			]
+		}).pipe(Effect.orElse(() => Effect.succeed(0))));
+	}
+});
 var startDockerProcess = (executor, spec) => executor.start(pipe(Command.make("docker", ...buildDockerGeminiAuthArgs(spec)), Command.workingDirectory(spec.cwd), Command.stdin("inherit"), Command.stdout("pipe"), Command.stderr("pipe")));
-var pumpDockerOutput = (source, fd, resultBox) => {
+var pumpDockerOutput = (source, fd, resultBox, authDeferred) => {
 	const decoder = new TextDecoder("utf-8");
 	let outputWindow = "";
-	return pipe(source, Stream.runForEach((chunk) => Effect.sync(() => {
-		writeChunkToFd(fd, chunk);
+	return pipe(source, Stream.runForEach((chunk) => Effect.gen(function* (_) {
+		yield* _(Effect.sync(() => {
+			writeChunkToFd(fd, chunk);
+		}));
 		outputWindow += decoder.decode(chunk);
 		if (outputWindow.length > outputWindowSize) outputWindow = outputWindow.slice(-outputWindowSize);
 		if (resultBox.value !== "pending") return;
 		const result = detectAuthResult(outputWindow);
-		if (result !== "pending") resultBox.value = result;
-	}).pipe(Effect.asVoid))).pipe(Effect.asVoid);
+		if (result !== "pending") {
+			resultBox.value = result;
+			if (result === "success") yield* _(Deferred.succeed(authDeferred, void 0));
+		}
+	}))).pipe(Effect.asVoid);
 };
 var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
 	if (result === "success") {
@@ -6581,7 +6836,7 @@ var resolveGeminiLoginResult = (result, exitCode) => Effect.gen(function* (_) {
 	})));
 });
 var printOauthInstructions = () => Effect.sync(() => {
-	const port = geminiOauthCallbackPort;
+	const port = defaultGeminiOauthCallbackPort;
 	process.stderr.write("\n");
 	process.stderr.write("╔═══════════════════════════════════════════════════════════════════════════╗\n");
 	process.stderr.write("║                    Gemini CLI OAuth Authentication                        ║\n");
@@ -6593,108 +6848,41 @@ var printOauthInstructions = () => Effect.sync(() => {
 	process.stderr.write("╚═══════════════════════════════════════════════════════════════════════════╝\n");
 	process.stderr.write("\n");
 });
+var fixGeminiAuthPermissions = (hostPath, containerPath) => runCommandExitCode({
+	cwd: process.cwd(),
+	command: "docker",
+	args: [
+		"run",
+		"--rm",
+		"-v",
+		`${hostPath}:${containerPath}`,
+		"alpine",
+		"chmod",
+		"-R",
+		"777",
+		containerPath
+	]
+}).pipe(Effect.tapError((err) => Effect.logWarning(`Failed to fix Gemini auth permissions: ${String(err)}`)), Effect.orElse(() => Effect.succeed(0)));
 var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped(Effect.gen(function* (_) {
+	const port = defaultGeminiOauthCallbackPort;
+	yield* _(cleanupExistingContainers(port));
 	yield* _(printOauthInstructions());
-	const proc = yield* _(startDockerProcess(yield* _(CommandExecutor.CommandExecutor), buildDockerGeminiAuthSpec(cwd, yield* _(resolveDockerVolumeHostPath(cwd, accountPath)), options.image, options.containerPath)));
+	const executor = yield* _(CommandExecutor.CommandExecutor);
+	const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath));
+	const spec = buildDockerGeminiAuthSpec(cwd, hostPath, options.image, options.containerPath, port);
+	const proc = yield* _(startDockerProcess(executor, spec));
+	const authDeferred = yield* _(Deferred.make());
 	const resultBox = { value: "pending" };
-	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox)));
-	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox)));
-	const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
-	yield* _(Fiber$1.join(stdoutFiber));
-	yield* _(Fiber$1.join(stderrFiber));
+	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox, authDeferred)));
+	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox, authDeferred)));
+	const exitCode = yield* _(Effect.race(proc.exitCode.pipe(Effect.map(Number)), pipe(Deferred.await(authDeferred), Effect.delay("500 millis"), Effect.flatMap(() => proc.kill()), Effect.map(() => 0))));
+	yield* _(Fiber$1.interrupt(stdoutFiber));
+	yield* _(Fiber$1.interrupt(stderrFiber));
+	yield* _(fixGeminiAuthPermissions(hostPath, spec.containerPath));
 	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
 }));
 //#endregion
 //#region ../lib/src/usecases/auth-gemini.ts
-var geminiImageName = "docker-git-auth-gemini:latest";
-var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
-var geminiContainerHomeDir = "/gemini-home";
-var geminiCredentialsDir$1 = ".gemini";
-var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
-var geminiApiKeyFileName = ".api-key";
-var geminiEnvFileName = ".env";
-var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
-var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
-var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
-var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
-  && rm -rf /var/lib/apt/lists/*
-RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
-  && apt-get install -y --no-install-recommends nodejs \
-  && node -v \
-  && npm -v \
-  && rm -rf /var/lib/apt/lists/*
-RUN npm install -g @google/gemini-cli@latest
-ENTRYPOINT ["/bin/bash", "-c"]
-`;
-var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
-	envGlobalPath: defaultTemplateConfig.envGlobalPath,
-	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath,
-	ghAuthPath: ".docker-git/.orch/auth/gh",
-	claudeAuthPath: ".docker-git/.orch/auth/claude",
-	geminiAuthPath: ".docker-git/.orch/auth/gemini"
-});
-var resolveGeminiAccountPath = (path, rootPath, label) => {
-	const accountLabel = normalizeAccountLabel(label, "default");
-	return {
-		accountLabel,
-		accountPath: path.join(rootPath, accountLabel)
-	};
-};
-var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
-	yield* _(ensureGeminiOrchLayout(cwd));
-	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
-	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
-	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
-		imageName: geminiImageName,
-		imageDir: geminiImageDir,
-		dockerfile: renderGeminiDockerfile(),
-		buildLabel: "gemini auth"
-	}));
-	return yield* _(run({
-		accountLabel,
-		accountPath,
-		cwd,
-		fs
-	}));
-}));
-var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
-	const apiKeyFilePath = geminiApiKeyPath(accountPath);
-	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
-		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
-		if (trimmed.length > 0) return trimmed;
-	}
-	const envFilePath = geminiEnvFilePath(accountPath);
-	if (yield* _(isRegularFile$1(fs, envFilePath))) {
-		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
-		for (const line of lines) {
-			const trimmed = line.trim();
-			if (trimmed.startsWith("GEMINI_API_KEY=")) {
-				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
-				if (value.length > 0) return value;
-			}
-		}
-	}
-	return null;
-});
-var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
-	const credentialsDir = geminiCredentialsPath(accountPath);
-	if (!(yield* _(fs.exists(credentialsDir)))) return false;
-	const possibleFiles = [
-		`${credentialsDir}/oauth-tokens.json`,
-		`${credentialsDir}/credentials.json`,
-		`${credentialsDir}/application_default_credentials.json`
-	];
-	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
-	return false;
-});
-var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
-	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
-	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
-});
 var authGeminiLogin = (command, apiKey) => {
 	const accountLabel = normalizeAccountLabel(command.label, "default");
 	return withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
@@ -6718,12 +6906,16 @@ var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
 var authGeminiLoginOauth = (command) => {
 	const accountLabel = normalizeAccountLabel(command.label, "default");
 	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
-		const credentialsDir = geminiCredentialsPath(accountPath);
-		yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+		const settingsPath = yield* _(writeInitialSettings(yield* _(prepareGeminiCredentialsDir(cwd, accountPath, fs)), fs));
 		yield* _(runGeminiOauthLoginWithPrompt(cwd, accountPath, {
 			image: geminiImageName,
 			containerPath: geminiContainerHomeDir
 		}));
+		yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: {
+			folderTrust: { enabled: false },
+			auth: { selectedType: "oauth-personal" },
+			approvalPolicy: "never"
+		} }, null, 2) + "\n"));
 	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
 };
 var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
@@ -8098,7 +8290,8 @@ var buildClaudeCommand = (action, options) => Match.value(action).pipe(Match.whe
 var buildGeminiCommand = (action, options) => Match.value(action).pipe(Match.when("login", () => Either.right({
 	_tag: "AuthGeminiLogin",
 	label: options.label,
-	geminiAuthPath: options.geminiAuthPath
+	geminiAuthPath: options.geminiAuthPath,
+	isWeb: options.authWeb
 })), Match.when("status", () => Either.right({
 	_tag: "AuthGeminiStatus",
 	label: options.label,
@@ -9588,12 +9781,14 @@ var resolveClaudeLogoutEffect = (labelOption) => authClaudeLogout({
 var resolveGeminiOauthEffect = (labelOption) => authGeminiLoginOauth({
 	_tag: "AuthGeminiLogin",
 	label: labelOption,
-	geminiAuthPath: geminiAuthRoot
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
 });
 var resolveGeminiApiKeyEffect = (labelOption, apiKey) => authGeminiLogin({
 	_tag: "AuthGeminiLogin",
 	label: labelOption,
-	geminiAuthPath: geminiAuthRoot
+	geminiAuthPath: geminiAuthRoot,
+	isWeb: false
 }, apiKey);
 var resolveGeminiLogoutEffect = (labelOption) => authGeminiLogout({
 	_tag: "AuthGeminiLogout",
@@ -11378,7 +11573,7 @@ var setExitCode = (code) => Effect.sync(() => {
 });
 var logWarningAndExit = (error) => pipe(Effect.logWarning(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
 var logErrorAndExit = (error) => pipe(Effect.logError(renderError(error)), Effect.tap(() => setExitCode(1)), Effect.asVoid);
-var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
+var handleNonBaseCommand = (command) => Match.value(command).pipe(Match.when({ _tag: "StatePath" }, () => statePath), Match.when({ _tag: "StateInit" }, (cmd) => stateInit(cmd)), Match.when({ _tag: "StateStatus" }, () => stateStatus), Match.when({ _tag: "StatePull" }, () => statePull), Match.when({ _tag: "StateCommit" }, (cmd) => stateCommit(cmd.message)), Match.when({ _tag: "StatePush" }, () => statePush), Match.when({ _tag: "StateSync" }, (cmd) => stateSync(cmd.message)), Match.when({ _tag: "AuthGithubLogin" }, (cmd) => authGithubLogin(cmd)), Match.when({ _tag: "AuthGithubStatus" }, (cmd) => authGithubStatus(cmd)), Match.when({ _tag: "AuthGithubLogout" }, (cmd) => authGithubLogout(cmd)), Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)), Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)), Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)), Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)), Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)), Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)), Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)), Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)), Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd))).pipe(Match.when({ _tag: "AuthGeminiLogin" }, (cmd) => cmd.isWeb ? authGeminiLoginOauth(cmd) : authGeminiLoginCli(cmd)), Match.when({ _tag: "AuthGeminiStatus" }, (cmd) => authGeminiStatus(cmd)), Match.when({ _tag: "AuthGeminiLogout" }, (cmd) => authGeminiLogout(cmd)), Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)), Match.when({ _tag: "Apply" }, (cmd) => applyProjectConfig(cmd)), Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)), Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)), Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)), Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)), Match.exhaustive);
 var program = pipe(readCommand, Effect.flatMap((command) => Match.value(command).pipe(Match.when({ _tag: "Help" }, ({ message }) => Effect.log(message)), Match.when({ _tag: "Create" }, (create) => createProject(create)), Match.when({ _tag: "Status" }, () => listProjectStatus), Match.when({ _tag: "DownAll" }, () => downAllDockerGitProjects), Match.when({ _tag: "Menu" }, () => runMenu), Match.orElse((cmd) => handleNonBaseCommand(cmd)))), Effect.catchTag("FileExistsError", (error) => pipe(Effect.logWarning(renderError(error)), Effect.asVoid)), Effect.catchTag("DockerAccessError", logWarningAndExit), Effect.catchTag("DockerCommandError", logWarningAndExit), Effect.catchTag("AuthError", logWarningAndExit), Effect.catchTag("AgentFailedError", logWarningAndExit), Effect.catchTag("CommandFailedError", logWarningAndExit), Effect.catchTag("ScrapArchiveNotFoundError", logErrorAndExit), Effect.catchTag("ScrapTargetDirUnsupportedError", logErrorAndExit), Effect.catchTag("ScrapWipeRefusedError", logErrorAndExit), Effect.matchEffect({
 	onFailure: (error) => isParseError(error) ? logErrorAndExit(error) : pipe(Effect.logError(renderError(error)), Effect.flatMap(() => Effect.fail(error))),
 	onSuccess: () => Effect.void