@prover-coder-ai/docker-git 1.0.45 → 1.0.47

package/dist/src/docker-git/main.js

@@ -286,7 +286,7 @@ var runCommandWithExitCodes = (spec, okExitCodes, onFailure) => Effect.gen(funct
 	const exitCode = yield* _(Command.exitCode(buildCommand(spec, "inherit", "inherit", "inherit")));
 	yield* _(ensureExitCode(Number(exitCode), okExitCodes, onFailure));
 });
-var runCommandExitCode = (spec) => Effect.map(Command.exitCode(buildCommand(spec, "pipe", "pipe", "inherit")), Number);
+var runCommandExitCode = (spec) => Effect.map(Command.exitCode(buildCommand(spec, "pipe", "pipe", "pipe")), Number);
 var collectUint8Array$1 = (chunks) => Chunk.reduce(chunks, new Uint8Array(), (acc, curr) => {
 	const next = new Uint8Array(acc.length + curr.length);
 	next.set(acc);
@@ -1394,7 +1394,7 @@ var readProjectConfig = (baseDir) => Effect.gen(function* (_) {
 //#endregion
 //#region ../lib/src/usecases/docker-git-config-search.ts
 var isDockerGitConfig = (entry) => entry.endsWith("docker-git.json");
-var shouldSkipDir = (entry) => entry === ".git" || entry === ".orch" || entry === ".docker-git" || entry === ".cache";
+var shouldSkipDir = (entry) => entry === ".git" || entry === ".orch" || entry === ".docker-git" || entry === ".cache" || entry === "node_modules";
 var isNotFoundStatError = (error) => error._tag === "SystemError" && error.reason === "NotFound";
 var processDockerGitEntry = (fs, path, dir, entry, state) => Effect.gen(function* (_) {
 	if (shouldSkipDir(entry)) return;
@@ -1426,7 +1426,15 @@ var findDockerGitConfigPaths = (fs, path, rootDir) => Effect.gen(function* (_) {
 //#endregion
 //#region ../lib/src/usecases/projects-core.ts
 var sshOptions = "-tt -Y -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
-var buildSshCommand = (config, sshKey) => sshKey === null ? `ssh ${sshOptions} -p ${config.sshPort} ${config.sshUser}@localhost` : `ssh -i ${sshKey} ${sshOptions} -p ${config.sshPort} ${config.sshUser}@localhost`;
+var buildSshCommand = (config, sshKey, ipAddress) => {
+	const host = ipAddress ?? "localhost";
+	const port = ipAddress ? 22 : config.sshPort;
+	return sshKey === null ? `ssh ${sshOptions} -p ${port} ${config.sshUser}@${host}` : `ssh -i ${sshKey} ${sshOptions} -p ${port} ${config.sshUser}@${host}`;
+};
+var getContainerIpIfInsideContainer = (fs, projectDir, containerName) => Effect.gen(function* (_) {
+	if (!(yield* _(fs.exists("/.dockerenv")))) return;
+	return yield* _(runDockerInspectContainerIp(projectDir, containerName).pipe(Effect.orElse(() => Effect.succeed("")), Effect.map((ip) => ip.length > 0 ? ip : void 0)));
+});
 var loadProjectBase = (configPath) => Effect.gen(function* (_) {
 	const { fs, path, resolved } = yield* _(resolveBaseDir(configPath));
 	const projectDir = path.dirname(resolved);
@@ -1440,12 +1448,14 @@ var loadProjectBase = (configPath) => Effect.gen(function* (_) {
 var findProjectConfigPaths = (projectsRoot) => withFsPathContext(({ fs, path }) => findDockerGitConfigPaths(fs, path, path.resolve(projectsRoot)));
 var loadProjectSummary = (configPath, sshKey) => Effect.gen(function* (_) {
 	const { config, fs, path, projectDir } = yield* _(loadProjectBase(configPath));
+	const ipAddress = yield* _(getContainerIpIfInsideContainer(fs, projectDir, config.template.containerName));
 	const resolvedAuthorizedKeys = resolveAuthorizedKeysPath(path, projectDir, config.template.authorizedKeysPath);
 	const authExists = yield* _(fs.exists(resolvedAuthorizedKeys));
 	return {
 		projectDir,
 		config,
-		sshCommand: buildSshCommand(config.template, sshKey),
+		sshCommand: buildSshCommand(config.template, sshKey, ipAddress),
+		ipAddress,
 		authorizedKeysPath: resolvedAuthorizedKeys,
 		authorizedKeysExists: authExists
 	};
@@ -1466,9 +1476,10 @@ var formatDisplayName = (repoUrl) => {
 var loadProjectItem = (configPath, sshKey) => Effect.gen(function* (_) {
 	const { config, fs, path, projectDir } = yield* _(loadProjectBase(configPath));
 	const template = config.template;
+	const ipAddress = yield* _(getContainerIpIfInsideContainer(fs, projectDir, template.containerName));
 	const resolvedAuthorizedKeys = resolveAuthorizedKeysPath(path, projectDir, template.authorizedKeysPath);
 	const authExists = yield* _(fs.exists(resolvedAuthorizedKeys));
-	const sshCommand = buildSshCommand(template, sshKey);
+	const sshCommand = buildSshCommand(template, sshKey, ipAddress);
 	return {
 		projectDir,
 		displayName: formatDisplayName(template.repoUrl),
@@ -1480,6 +1491,7 @@ var loadProjectItem = (configPath, sshKey) => Effect.gen(function* (_) {
 		sshPort: template.sshPort,
 		targetDir: template.targetDir,
 		sshCommand,
+		ipAddress,
 		sshKeyPath: sshKey,
 		authorizedKeysPath: resolvedAuthorizedKeys,
 		authorizedKeysExists: authExists,
@@ -1620,6 +1632,7 @@ var resolveTemplateResourceLimits = (template) => Effect.succeed(withDefaultReso
 var successExitCode = Number(ExitCode(0));
 var gitBaseEnv$1 = {
 	GIT_TERMINAL_PROMPT: "0",
+	GIT_SSH_COMMAND: "ssh -o BatchMode=yes",
 	GIT_AUTHOR_NAME: "docker-git",
 	GIT_AUTHOR_EMAIL: "docker-git@users.noreply.github.com",
 	GIT_COMMITTER_NAME: "docker-git",
@@ -3063,6 +3076,62 @@ docker_git_refresh_gemini_env() {
 
 docker_git_refresh_gemini_env`;
 var renderGeminiAuthConfig = (config) => geminiAuthConfigTemplate.replaceAll("__GEMINI_AUTH_ROOT__", geminiAuthRootContainerPath(config.sshUser)).replaceAll("__GEMINI_HOME_DIR__", config.geminiHome);
+var geminiSettingsJsonTemplate = `{
+  "model": {
+    "name": "gemini-3.1-pro-preview-yolo",
+    "compressionThreshold": 0.9,
+    "disableLoopDetection": true
+  },
+  "modelConfigs": {
+    "customAliases": {
+      "yolo-ultra": {
+        "modelConfig": {
+          "model": "gemini-3.1-pro-preview-yolo",
+          "generateContentConfig": {
+            "tools": [
+              {
+                "googleSearch": {}
+              },
+              {
+                "urlContext": {}
+              }
+            ]
+          }
+        }
+      }
+    }
+  },
+  "general": {
+    "defaultApprovalMode": "auto_edit"
+  },
+  "tools": {
+    "allowed": [
+      "run_shell_command",
+      "write_file",
+      "googleSearch",
+      "urlContext"
+    ]
+  },
+  "sandbox": {
+    "enabled": false
+  },
+  "security": {
+    "folderTrust": {
+      "enabled": false
+    },
+    "auth": {
+      "selectedType": "oauth-personal"
+    },
+    "disableYoloMode": false
+  },
+  "mcpServers": {
+    "playwright": {
+      "command": "docker-git-playwright-mcp",
+      "args": [],
+      "trust": true
+    }
+  }
+}`;
 var renderGeminiPermissionSettingsConfig = (config) => String.raw`# Gemini CLI: keep trust settings in sync with docker-git defaults
 GEMINI_SETTINGS_DIR="${config.geminiHome}"
 GEMINI_TRUST_SETTINGS_FILE="$GEMINI_SETTINGS_DIR/trustedFolders.json"
@@ -3074,14 +3143,7 @@ mkdir -p "$GEMINI_SETTINGS_DIR" || true
 # Disable folder trust prompt and enable auto-approval in settings.json
 if [[ ! -f "$GEMINI_CONFIG_SETTINGS_FILE" ]]; then
   cat <<'EOF' > "$GEMINI_CONFIG_SETTINGS_FILE"
-{
-  "security": {
-    "folderTrust": {
-      "enabled": false
-    },
-    "approvalPolicy": "never"
-  }
-}
+${geminiSettingsJsonTemplate}
 EOF
 fi
 
@@ -5520,18 +5582,24 @@ var runDockerComposeUpWithPortCheck = (projectDir) => Effect.gen(function* (_) {
 //#endregion
 //#region ../lib/src/usecases/projects-ssh.ts
 var buildSshArgs$1 = (item) => {
+	const host = item.ipAddress ?? "localhost";
+	const port = item.ipAddress ? 22 : item.sshPort;
 	const args = [];
 	if (item.sshKeyPath !== null) args.push("-i", item.sshKeyPath);
-	args.push("-tt", "-Y", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(item.sshPort), `${item.sshUser}@localhost`);
+	args.push("-tt", "-Y", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(port), `${item.sshUser}@${host}`);
 	return args;
 };
 var buildSshProbeArgs = (item) => {
+	const host = item.ipAddress ?? "localhost";
+	const port = item.ipAddress ? 22 : item.sshPort;
 	const args = [];
 	if (item.sshKeyPath !== null) args.push("-i", item.sshKeyPath);
-	args.push("-T", "-o", "BatchMode=yes", "-o", "ConnectTimeout=2", "-o", "ConnectionAttempts=1", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(item.sshPort), `${item.sshUser}@localhost`, "true");
+	args.push("-T", "-o", "BatchMode=yes", "-o", "ConnectTimeout=2", "-o", "ConnectionAttempts=1", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(port), `${item.sshUser}@${host}`, "true");
 	return args;
 };
 var waitForSshReady = (item) => {
+	const host = item.ipAddress ?? "localhost";
+	const port = item.ipAddress ? 22 : item.sshPort;
 	const probe = Effect.gen(function* (_) {
 		const exitCode = yield* _(runCommandExitCode({
 			cwd: process.cwd(),
@@ -5543,7 +5611,7 @@ var waitForSshReady = (item) => {
 			exitCode
 		})));
 	});
-	return pipe(Effect.log(`Waiting for SSH on localhost:${item.sshPort} ...`), Effect.zipRight(Effect.retry(probe, pipe(Schedule.spaced(Duration.seconds(2)), Schedule.intersect(Schedule.recurs(30))))), Effect.tap(() => Effect.log("SSH is ready.")));
+	return pipe(Effect.log(`Waiting for SSH on ${host}:${port} ...`), Effect.zipRight(Effect.retry(probe, pipe(Schedule.spaced(Duration.seconds(2)), Schedule.intersect(Schedule.recurs(30))))), Effect.tap(() => Effect.log("SSH is ready.")));
 };
 var connectProjectSsh = (item) => pipe(ensureTerminalCursorVisible(), Effect.zipRight(runCommandWithExitCodes({
 	cwd: process.cwd(),
@@ -5553,14 +5621,34 @@ var connectProjectSsh = (item) => pipe(ensureTerminalCursorVisible(), Effect.zip
 	command: "ssh",
 	exitCode
 }))), Effect.ensuring(ensureTerminalCursorVisible()));
-var connectProjectSshWithUp = (item) => pipe(Effect.log(`Starting docker compose for ${item.displayName} ...`), Effect.zipRight(runDockerComposeUpWithPortCheck(item.projectDir)), Effect.map((template) => ({
-	...item,
-	sshPort: template.sshPort
-})), Effect.tap((updated) => waitForSshReady(updated)), Effect.flatMap((updated) => connectProjectSsh(updated)));
-var listProjectStatus = Effect.asVoid(withProjectIndexAndSsh((index, sshKey) => forEachProjectStatus(index.configPaths, (status) => pipe(Effect.log(renderProjectStatusHeader(status)), Effect.zipRight(Effect.log(`SSH access: ${buildSshCommand(status.config.template, sshKey)}`)), Effect.zipRight(runDockerComposePsFormatted(status.projectDir).pipe(Effect.map((raw) => parseComposePsOutput(raw)), Effect.map((rows) => formatComposeRows(rows)), Effect.flatMap((text) => Effect.log(text)), Effect.matchEffect({
+var connectProjectSshWithUp = (item) => Effect.gen(function* (_) {
+	const fs = yield* _(FileSystem.FileSystem);
+	yield* _(Effect.log(`Starting docker compose for ${item.displayName} ...`));
+	const template = yield* _(runDockerComposeUpWithPortCheck(item.projectDir));
+	const isInsideContainer = yield* _(fs.exists("/.dockerenv"));
+	let ipAddress;
+	if (isInsideContainer) {
+		const containerIp = yield* _(runDockerInspectContainerIp(item.projectDir, template.containerName).pipe(Effect.orElse(() => Effect.succeed(""))));
+		if (containerIp.length > 0) ipAddress = containerIp;
+	}
+	const updated = {
+		...item,
+		sshPort: template.sshPort,
+		ipAddress
+	};
+	yield* _(waitForSshReady(updated));
+	yield* _(connectProjectSsh(updated));
+});
+var listProjectStatus = withProjectIndexAndSsh((index, sshKey) => forEachProjectStatus(index.configPaths, (status) => Effect.gen(function* (_) {
+	const ipAddress = yield* _(getContainerIpIfInsideContainer(yield* _(FileSystem.FileSystem), status.projectDir, status.config.template.containerName));
+	yield* _(Effect.log(renderProjectStatusHeader(status)));
+	yield* _(Effect.log(`SSH access: ${buildSshCommand(status.config.template, sshKey, ipAddress)}`));
+	const text = formatComposeRows(parseComposePsOutput(yield* _(runDockerComposePsFormatted(status.projectDir))));
+	yield* _(Effect.log(text));
+}).pipe(Effect.matchEffect({
 	onFailure: (error) => Effect.logWarning(`docker compose ps failed for ${status.projectDir}: ${renderError(error)}`),
 	onSuccess: () => Effect.void
-})))))));
+})))).pipe(Effect.asVoid);
 //#endregion
 //#region ../lib/src/usecases/actions/docker-up.ts
 var clonePollInterval = Duration.seconds(1);
@@ -5572,9 +5660,15 @@ var agentFailPath = "/run/docker-git/agent.failed";
 var logSshAccess = (baseDir, config) => Effect.gen(function* (_) {
 	const fs = yield* _(FileSystem.FileSystem);
 	const path = yield* _(Path.Path);
+	const isInsideContainer = yield* _(fs.exists("/.dockerenv"));
+	let ipAddress;
+	if (isInsideContainer) {
+		const containerIp = yield* _(runDockerInspectContainerIp(baseDir, config.containerName).pipe(Effect.orElse(() => Effect.succeed(""))));
+		if (containerIp.length > 0) ipAddress = containerIp;
+	}
 	const resolvedAuthorizedKeys = resolveAuthorizedKeysPath(path, baseDir, config.authorizedKeysPath);
 	const authExists = yield* _(fs.exists(resolvedAuthorizedKeys));
-	const sshCommand = buildSshCommand(config, yield* _(findSshPrivateKey(fs, path, process.cwd())));
+	const sshCommand = buildSshCommand(config, yield* _(findSshPrivateKey(fs, path, process.cwd())), ipAddress);
 	yield* _(Effect.log(`SSH access: ${sshCommand}`));
 	if (!authExists) yield* _(Effect.logWarning(`Authorized keys file missing: ${resolvedAuthorizedKeys} (SSH may fail without a matching key).`));
 });
@@ -5817,23 +5911,28 @@ var formatStateSyncLabel = (repoUrl) => {
 	return repoPath.length > 0 ? repoPath : repoUrl;
 };
 var isInteractiveTty = () => process.stdin.isTTY && process.stdout.isTTY;
-var buildSshArgs = (config, sshKeyPath, remoteCommand) => {
+var buildSshArgs = (config, sshKeyPath, remoteCommand, ipAddress) => {
+	const host = ipAddress ?? "localhost";
+	const port = ipAddress ? 22 : config.sshPort;
 	const args = [];
 	if (sshKeyPath !== null) args.push("-i", sshKeyPath);
-	args.push("-tt", "-Y", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(config.sshPort), `${config.sshUser}@localhost`);
+	args.push("-tt", "-Y", "-o", "LogLevel=ERROR", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-p", String(port), `${config.sshUser}@${host}`);
 	if (remoteCommand !== void 0) args.push(remoteCommand);
 	return args;
 };
 var openSshBestEffort = (template, remoteCommand) => Effect.gen(function* (_) {
-	const sshKey = yield* _(findSshPrivateKey(yield* _(FileSystem.FileSystem), yield* _(Path.Path), process.cwd()));
-	const sshCommand = buildSshCommand(template, sshKey);
+	const fs = yield* _(FileSystem.FileSystem);
+	const path = yield* _(Path.Path);
+	const ipAddress = yield* _(getContainerIpIfInsideContainer(fs, process.cwd(), template.containerName).pipe(Effect.orElse(() => Effect.succeed(""))));
+	const sshKey = yield* _(findSshPrivateKey(fs, path, process.cwd()));
+	const sshCommand = buildSshCommand(template, sshKey, ipAddress);
 	const remoteCommandLabel = remoteCommand === void 0 ? "" : ` (${remoteCommand})`;
 	yield* _(Effect.log(`Opening SSH: ${sshCommand}${remoteCommandLabel}`));
 	yield* _(ensureTerminalCursorVisible());
 	yield* _(runCommandWithExitCodes({
 		cwd: process.cwd(),
 		command: "ssh",
-		args: buildSshArgs(template, sshKey, remoteCommand)
+		args: buildSshArgs(template, sshKey, remoteCommand, ipAddress)
 	}, [0, 130], (exitCode) => new CommandFailedError({
 		command: "ssh",
 		exitCode
@@ -6565,6 +6664,165 @@ var authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd })
 }));
 var authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`)));
 //#endregion
+//#region ../lib/src/usecases/auth-gemini-helpers.ts
+var geminiImageName = "docker-git-auth-gemini:latest";
+var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
+var geminiContainerHomeDir = "/gemini-home";
+var geminiCredentialsDir$1 = ".gemini";
+var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
+var geminiApiKeyFileName = ".api-key";
+var geminiEnvFileName = ".env";
+var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
+var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
+var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
+var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @google/gemini-cli@0.33.2
+`;
+var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+	envGlobalPath: defaultTemplateConfig.envGlobalPath,
+	envProjectPath: defaultTemplateConfig.envProjectPath,
+	codexAuthPath: defaultTemplateConfig.codexAuthPath,
+	ghAuthPath: ".docker-git/.orch/auth/gh",
+	claudeAuthPath: ".docker-git/.orch/auth/claude",
+	geminiAuthPath: ".docker-git/.orch/auth/gemini"
+});
+var resolveGeminiAccountPath = (path, rootPath, label) => {
+	const accountLabel = normalizeAccountLabel(label, "default");
+	return {
+		accountLabel,
+		accountPath: path.join(rootPath, accountLabel)
+	};
+};
+var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
+	yield* _(ensureGeminiOrchLayout(cwd));
+	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
+	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
+	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
+		imageName: geminiImageName,
+		imageDir: geminiImageDir,
+		dockerfile: renderGeminiDockerfile(),
+		buildLabel: "gemini auth"
+	}));
+	return yield* _(run({
+		accountLabel,
+		accountPath,
+		cwd,
+		fs
+	}));
+}));
+var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
+	const apiKeyFilePath = geminiApiKeyPath(accountPath);
+	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
+		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
+		if (trimmed.length > 0) return trimmed;
+	}
+	const envFilePath = geminiEnvFilePath(accountPath);
+	if (yield* _(isRegularFile$1(fs, envFilePath))) {
+		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
+		for (const line of lines) {
+			const trimmed = line.trim();
+			if (trimmed.startsWith("GEMINI_API_KEY=")) {
+				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
+				if (value.length > 0) return value;
+			}
+		}
+	}
+	return null;
+});
+var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	if (!(yield* _(fs.exists(credentialsDir)))) return false;
+	const possibleFiles = [
+		`${credentialsDir}/oauth-tokens.json`,
+		`${credentialsDir}/credentials.json`,
+		`${credentialsDir}/application_default_credentials.json`
+	];
+	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
+	return false;
+});
+var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
+	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
+});
+var prepareGeminiCredentialsDir = (cwd, accountPath, fs) => Effect.gen(function* (_) {
+	const credentialsDir = geminiCredentialsPath(accountPath);
+	const removeFallback = pipe(runCommandExitCode({
+		cwd,
+		command: "docker",
+		args: [
+			"run",
+			"--rm",
+			"-v",
+			`${accountPath}:/target`,
+			"alpine",
+			"rm",
+			"-rf",
+			"/target/.gemini"
+		]
+	}), Effect.asVoid, Effect.orElse(() => Effect.void));
+	yield* _(fs.remove(credentialsDir, {
+		recursive: true,
+		force: true
+	}).pipe(Effect.orElse(() => removeFallback)));
+	yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+	yield* _(runCommandExitCode({
+		cwd,
+		command: "chmod",
+		args: [
+			"-R",
+			"777",
+			credentialsDir
+		]
+	}).pipe(Effect.orElse(() => Effect.succeed(0))));
+	return credentialsDir;
+});
+var defaultGeminiSettings = {
+	model: {
+		name: "gemini-3.1-pro-preview-yolo",
+		compressionThreshold: .9,
+		disableLoopDetection: true
+	},
+	modelConfigs: { customAliases: { "yolo-ultra": { "modelConfig": {
+		"model": "gemini-3.1-pro-preview-yolo",
+		"generateContentConfig": { "tools": [{ "googleSearch": {} }, { "urlContext": {} }] }
+	} } } },
+	general: { defaultApprovalMode: "auto_edit" },
+	tools: { allowed: [
+		"run_shell_command",
+		"write_file",
+		"googleSearch",
+		"urlContext"
+	] },
+	sandbox: { enabled: false },
+	security: {
+		folderTrust: { enabled: false },
+		auth: { selectedType: "oauth-personal" },
+		disableYoloMode: false
+	},
+	mcpServers: { playwright: {
+		command: "docker-git-playwright-mcp",
+		args: [],
+		trust: true
+	} }
+};
+var writeInitialSettings = (credentialsDir, fs) => Effect.gen(function* (_) {
+	const settingsPath = `${credentialsDir}/settings.json`;
+	yield* _(fs.writeFileString(settingsPath, JSON.stringify(defaultGeminiSettings, null, 2) + "\n"));
+	const trustedFoldersPath = `${credentialsDir}/trustedFolders.json`;
+	yield* _(fs.writeFileString(trustedFoldersPath, JSON.stringify({
+		"/": "TRUST_FOLDER",
+		[geminiContainerHomeDir]: "TRUST_FOLDER"
+	})));
+	return settingsPath;
+});
+//#endregion
 //#region ../lib/src/usecases/auth-gemini-oauth.ts
 var outputWindowSize = 262144;
 var authSuccessPatterns = [
@@ -6572,8 +6830,7 @@ var authSuccessPatterns = [
 	"Authentication successful",
 	"Successfully authenticated",
 	"Logged in as",
-	"You are now logged in",
-	"Logged in with Google"
+	"You are now logged in"
 ];
 var authFailurePatterns = [
 	"Authentication failed",
@@ -6605,6 +6862,7 @@ var buildDockerGeminiAuthSpec = (cwd, accountPath, image, containerPath, port) =
 		"NO_BROWSER=true",
 		"GEMINI_CLI_NONINTERACTIVE=true",
 		"GEMINI_CLI_TRUST_ALL=true",
+		"GEMINI_DISABLE_UPDATE_CHECK=true",
 		`OAUTH_CALLBACK_PORT=${port}`,
 		"OAUTH_CALLBACK_HOST=0.0.0.0"
 	]
@@ -6613,12 +6871,15 @@ var buildDockerGeminiAuthArgs = (spec) => {
 	const base = [
 		"run",
 		"--rm",
+		"--init",
 		"-i",
 		"-t",
 		"-v",
 		`${spec.hostPath}:${spec.containerPath}`,
 		"-p",
-		`${spec.callbackPort}:${spec.callbackPort}`
+		`${spec.callbackPort}:${spec.callbackPort}`,
+		"-w",
+		spec.containerPath
 	];
 	for (const entry of spec.env) {
 		const trimmed = entry.trim();
@@ -6629,7 +6890,8 @@ var buildDockerGeminiAuthArgs = (spec) => {
 		...base,
 		spec.image,
 		"gemini",
-		"login",
+		"mcp",
+		"list",
 		"--debug"
 	];
 };
@@ -6726,109 +6988,48 @@ var runGeminiOauthLoginWithPrompt = (cwd, accountPath, options) => Effect.scoped
 	const resultBox = { value: "pending" };
 	const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, resultBox, authDeferred)));
 	const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, resultBox, authDeferred)));
-	const exitCode = yield* _(Effect.race(proc.exitCode.pipe(Effect.map(Number)), pipe(Deferred.await(authDeferred), Effect.flatMap(() => proc.kill()), Effect.map(() => 0))));
-	yield* _(Fiber$1.join(stdoutFiber));
-	yield* _(Fiber$1.join(stderrFiber));
+	const exitCode = yield* _(Effect.race(proc.exitCode.pipe(Effect.map(Number)), pipe(Deferred.await(authDeferred), Effect.delay("500 millis"), Effect.flatMap(() => proc.kill()), Effect.map(() => 0))));
+	yield* _(Fiber$1.interrupt(stdoutFiber));
+	yield* _(Fiber$1.interrupt(stderrFiber));
 	yield* _(fixGeminiAuthPermissions(hostPath, spec.containerPath));
 	return yield* _(resolveGeminiLoginResult(resultBox.value, exitCode));
 }));
 //#endregion
-//#region ../lib/src/usecases/auth-gemini.ts
-var geminiImageName = "docker-git-auth-gemini:latest";
-var geminiImageDir = ".docker-git/.orch/auth/gemini/.image";
-var geminiContainerHomeDir = "/gemini-home";
-var geminiCredentialsDir$1 = ".gemini";
-var geminiAuthRoot = ".docker-git/.orch/auth/gemini";
-var geminiApiKeyFileName = ".api-key";
-var geminiEnvFileName = ".env";
-var geminiApiKeyPath = (accountPath) => `${accountPath}/${geminiApiKeyFileName}`;
-var geminiEnvFilePath = (accountPath) => `${accountPath}/${geminiEnvFileName}`;
-var geminiCredentialsPath = (accountPath) => `${accountPath}/${geminiCredentialsDir$1}`;
-var renderGeminiDockerfile = () => String.raw`FROM ubuntu:24.04
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
-  && rm -rf /var/lib/apt/lists/*
-RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
-  && apt-get install -y --no-install-recommends nodejs \
-  && node -v \
-  && npm -v \
-  && rm -rf /var/lib/apt/lists/*
-RUN npm install -g @google/gemini-cli@latest
-ENTRYPOINT ["/bin/bash", "-c"]
-`;
-var ensureGeminiOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
-	envGlobalPath: defaultTemplateConfig.envGlobalPath,
-	envProjectPath: defaultTemplateConfig.envProjectPath,
-	codexAuthPath: defaultTemplateConfig.codexAuthPath,
-	ghAuthPath: ".docker-git/.orch/auth/gh",
-	claudeAuthPath: ".docker-git/.orch/auth/claude",
-	geminiAuthPath: ".docker-git/.orch/auth/gemini"
-});
-var resolveGeminiAccountPath = (path, rootPath, label) => {
-	const accountLabel = normalizeAccountLabel(label, "default");
-	return {
-		accountLabel,
-		accountPath: path.join(rootPath, accountLabel)
-	};
-};
-var withGeminiAuth = (command, run, options = {}) => withFsPathContext(({ cwd, fs, path }) => Effect.gen(function* (_) {
-	yield* _(ensureGeminiOrchLayout(cwd));
-	const { accountLabel, accountPath } = resolveGeminiAccountPath(path, resolvePathFromCwd(path, cwd, command.geminiAuthPath), command.label);
-	yield* _(fs.makeDirectory(accountPath, { recursive: true }));
-	if (options.buildImage === true) yield* _(ensureDockerImage(fs, path, cwd, {
-		imageName: geminiImageName,
-		imageDir: geminiImageDir,
-		dockerfile: renderGeminiDockerfile(),
-		buildLabel: "gemini auth"
-	}));
-	return yield* _(run({
-		accountLabel,
-		accountPath,
-		cwd,
-		fs
-	}));
-}));
-var readApiKey = (fs, accountPath) => Effect.gen(function* (_) {
-	const apiKeyFilePath = geminiApiKeyPath(accountPath);
-	if (yield* _(isRegularFile$1(fs, apiKeyFilePath))) {
-		const trimmed = (yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))).trim();
-		if (trimmed.length > 0) return trimmed;
-	}
-	const envFilePath = geminiEnvFilePath(accountPath);
-	if (yield* _(isRegularFile$1(fs, envFilePath))) {
-		const lines = (yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))).split("\n");
-		for (const line of lines) {
-			const trimmed = line.trim();
-			if (trimmed.startsWith("GEMINI_API_KEY=")) {
-				const value = trimmed.slice(15).replaceAll(/^['"]|['"]$/g, "").trim();
-				if (value.length > 0) return value;
-			}
-		}
+//#region ../lib/src/usecases/auth-gemini-logout.ts
+var authGeminiLogout = (command) => Effect.gen(function* (_) {
+	const accountLabel = normalizeAccountLabel(command.label, "default");
+	yield* _(withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
+		yield* _(fs.remove(geminiApiKeyPath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiEnvFilePath(accountPath), { force: true }));
+		yield* _(fs.remove(geminiCredentialsPath(accountPath), {
+			recursive: true,
+			force: true
+		}));
+	})));
+	yield* _(autoSyncState(`chore(state): auth gemini logout ${accountLabel}`));
+}).pipe(Effect.asVoid);
+//#endregion
+//#region ../lib/src/usecases/auth-gemini-status.ts
+var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
+	const authMethod = yield* _(resolveGeminiAuthMethod(fs, accountPath));
+	if (authMethod === "none") {
+		yield* _(Effect.log(`Gemini not connected (${accountLabel}).`));
+		return;
 	}
-	return null;
-});
-var hasOauthCredentials$1 = (fs, accountPath) => Effect.gen(function* (_) {
-	const credentialsDir = geminiCredentialsPath(accountPath);
-	if (!(yield* _(fs.exists(credentialsDir)))) return false;
-	const possibleFiles = [
-		`${credentialsDir}/oauth-tokens.json`,
-		`${credentialsDir}/credentials.json`,
-		`${credentialsDir}/application_default_credentials.json`
-	];
-	for (const filePath of possibleFiles) if (yield* _(isRegularFile$1(fs, filePath))) return true;
-	return false;
-});
-var resolveGeminiAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
-	if ((yield* _(readApiKey(fs, accountPath))) !== null) return "api-key";
-	return (yield* _(hasOauthCredentials$1(fs, accountPath))) ? "oauth" : "none";
-});
+	yield* _(Effect.log(`Gemini connected (${accountLabel}, ${authMethod}).`));
+}));
+//#endregion
+//#region ../lib/src/usecases/auth-gemini.ts
 var authGeminiLogin = (command, apiKey) => {
 	const accountLabel = normalizeAccountLabel(command.label, "default");
 	return withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
 		const apiKeyFilePath = geminiApiKeyPath(accountPath);
 		yield* _(fs.writeFileString(apiKeyFilePath, `${apiKey.trim()}\n`));
 		yield* _(fs.chmod(apiKeyFilePath, 384), Effect.orElseSucceed(() => void 0));
+		const credentialsDir = geminiCredentialsPath(accountPath);
+		yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
+		const settingsPath = `${credentialsDir}/settings.json`;
+		yield* _(fs.writeFileString(settingsPath, JSON.stringify(defaultGeminiSettings, null, 2) + "\n"));
 	})).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini ${accountLabel}`)));
 };
 var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
@@ -6843,39 +7044,6 @@ var authGeminiLoginCli = (_command) => Effect.gen(function* (_) {
 	yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Gemini CLI: login via OAuth"));
 	yield* _(Effect.log("   - Follow the prompts to authenticate with your Google account"));
 });
-var prepareGeminiCredentialsDir = (cwd, accountPath, fs) => Effect.gen(function* (_) {
-	const credentialsDir = geminiCredentialsPath(accountPath);
-	const removeFallback = pipe(runCommandExitCode({
-		cwd,
-		command: "docker",
-		args: [
-			"run",
-			"--rm",
-			"-v",
-			`${accountPath}:/target`,
-			"alpine",
-			"rm",
-			"-rf",
-			"/target/.gemini"
-		]
-	}), Effect.asVoid, Effect.orElse(() => Effect.void));
-	yield* _(fs.remove(credentialsDir, {
-		recursive: true,
-		force: true
-	}).pipe(Effect.orElse(() => removeFallback)));
-	yield* _(fs.makeDirectory(credentialsDir, { recursive: true }));
-	return credentialsDir;
-});
-var writeInitialSettings = (credentialsDir, fs) => Effect.gen(function* (_) {
-	const settingsPath = `${credentialsDir}/settings.json`;
-	yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: { folderTrust: { enabled: false } } })));
-	const trustedFoldersPath = `${credentialsDir}/trustedFolders.json`;
-	yield* _(fs.writeFileString(trustedFoldersPath, JSON.stringify({
-		"/": "TRUST_FOLDER",
-		[geminiContainerHomeDir]: "TRUST_FOLDER"
-	})));
-	return settingsPath;
-});
 var authGeminiLoginOauth = (command) => {
 	const accountLabel = normalizeAccountLabel(command.label, "default");
 	return withGeminiAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
@@ -6884,33 +7052,9 @@ var authGeminiLoginOauth = (command) => {
 			image: geminiImageName,
 			containerPath: geminiContainerHomeDir
 		}));
-		yield* _(fs.writeFileString(settingsPath, JSON.stringify({ security: {
-			folderTrust: { enabled: false },
-			auth: { selectedType: "oauth-personal" },
-			approvalPolicy: "never"
-		} }, null, 2) + "\n"));
+		yield* _(fs.writeFileString(settingsPath, JSON.stringify(defaultGeminiSettings, null, 2) + "\n"));
 	}), { buildImage: true }).pipe(Effect.zipRight(autoSyncState(`chore(state): auth gemini oauth ${accountLabel}`)));
 };
-var authGeminiStatus = (command) => withGeminiAuth(command, ({ accountLabel, accountPath, fs }) => Effect.gen(function* (_) {
-	const authMethod = yield* _(resolveGeminiAuthMethod(fs, accountPath));
-	if (authMethod === "none") {
-		yield* _(Effect.log(`Gemini not connected (${accountLabel}).`));
-		return;
-	}
-	yield* _(Effect.log(`Gemini connected (${accountLabel}, ${authMethod}).`));
-}));
-var authGeminiLogout = (command) => Effect.gen(function* (_) {
-	const accountLabel = normalizeAccountLabel(command.label, "default");
-	yield* _(withGeminiAuth(command, ({ accountPath, fs }) => Effect.gen(function* (_) {
-		yield* _(fs.remove(geminiApiKeyPath(accountPath), { force: true }));
-		yield* _(fs.remove(geminiEnvFilePath(accountPath), { force: true }));
-		yield* _(fs.remove(geminiCredentialsPath(accountPath), {
-			recursive: true,
-			force: true
-		}));
-	})));
-	yield* _(autoSyncState(`chore(state): auth gemini logout ${accountLabel}`));
-}).pipe(Effect.asVoid);
 //#endregion
 //#region ../lib/src/usecases/state-repo-github.ts
 var dotDockerGitRepoName = ".docker-git";