fix(shell): route codex auth through controller state

Author: skulidropek

docker-compose.api.yml

@@ -3,7 +3,7 @@ services:
     build:
       context: .
       dockerfile: packages/api/Dockerfile
-    container_name: docker-git-api
+    container_name: ${DOCKER_GIT_API_CONTAINER_NAME:-docker-git-api}
     environment:
       DOCKER_GIT_API_PORT: ${DOCKER_GIT_API_PORT:-3334}
       DOCKER_GIT_PROJECTS_ROOT: ${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}

docker-compose.yml

@@ -5,7 +5,7 @@ services:
       dockerfile: packages/api/Dockerfile
       args:
         DOCKER_GIT_CONTROLLER_REV: ${DOCKER_GIT_CONTROLLER_REV:-unknown}
-    container_name: docker-git-api
+    container_name: ${DOCKER_GIT_API_CONTAINER_NAME:-docker-git-api}
     environment:
       DOCKER_GIT_API_PORT: ${DOCKER_GIT_API_PORT:-3334}
       DOCKER_GIT_PROJECTS_ROOT: ${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}

packages/api/src/http.ts

@@ -191,6 +191,8 @@ const configuredFederationPublicOrigin =
 
 const configuredFederationActorUsername =
   process.env["DOCKER_GIT_FEDERATION_ACTOR"] ?? "docker-git"
+const controllerRevision =
+  process.env["DOCKER_GIT_CONTROLLER_REV"]?.trim() ?? null
 
 const readHeader = (
   request: HttpServerRequest.HttpServerRequest,
@@ -245,7 +247,7 @@ export const makeRouter = () => {
     ),
     HttpRouter.get("/ui/styles.css", textResponse(uiStyles, "text/css; charset=utf-8", 200)),
     HttpRouter.get("/ui/app.js", textResponse(uiScript, "application/javascript; charset=utf-8", 200)),
-    HttpRouter.get("/health", jsonResponse({ ok: true }, 200)),
+    HttpRouter.get("/health", jsonResponse({ ok: true, revision: controllerRevision }, 200)),
     HttpRouter.get(
       "/auth/github/status",
       Effect.gen(function*(_) {

packages/app/src/docker-git/controller-docker.ts

@@ -19,7 +19,7 @@ export type ControllerRuntime =
   | FileSystem.FileSystem
   | Path.Path
 
-export const controllerContainerName = "docker-git-api"
+export const controllerContainerName = process.env["DOCKER_GIT_API_CONTAINER_NAME"]?.trim() || "docker-git-api"
 
 const inspectNetworksTemplate = String
   .raw`{{range $k,$v := .NetworkSettings.Networks}}{{printf "%s=%s\n" $k $v.IPAddress}}{{end}}`

packages/app/src/docker-git/controller.ts

@@ -31,6 +31,11 @@ export { buildApiBaseUrlCandidates, isRemoteDockerHost } from "./controller-reac
 
 let selectedApiBaseUrl: string | undefined
 
+type HealthProbeResult = {
+  readonly apiBaseUrl: string
+  readonly revision: string | null
+}
+
 const controllerBootstrapError = (message: string): ControllerBootstrapError => ({
   _tag: "ControllerBootstrapError",
   message
@@ -43,13 +48,30 @@ const rememberSelectedApiBaseUrl = (value: string): void => {
 export const resolveApiBaseUrl = (): string =>
   resolveExplicitApiBaseUrl() ?? selectedApiBaseUrl ?? resolveConfiguredApiBaseUrl()
 
-const probeHealth = (apiBaseUrl: string): Effect.Effect<void, ControllerBootstrapError> =>
+const parseHealthRevision = (text: string): string | null => {
+  try {
+    const parsed: unknown = JSON.parse(text)
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return null
+    }
+    const revision = Reflect.get(parsed, "revision")
+    return typeof revision === "string" && revision.trim().length > 0 ? revision.trim() : null
+  } catch {
+    return null
+  }
+}
+
+const probeHealth = (apiBaseUrl: string): Effect.Effect<HealthProbeResult, ControllerBootstrapError> =>
   Effect.gen(function*(_) {
     const client = yield* _(HttpClient.HttpClient)
     const response = yield* _(client.get(`${apiBaseUrl}/health`, { headers: { accept: "application/json" } }))
+    const bodyText = yield* _(response.text)
 
     if (response.status >= 200 && response.status < 300) {
-      return
+      return {
+        apiBaseUrl,
+        revision: parseHealthRevision(bodyText)
+      }
     }
 
     return yield* _(
@@ -74,6 +96,11 @@ const probeHealth = (apiBaseUrl: string): Effect.Effect<void, ControllerBootstra
 const findReachableApiBaseUrl = (
   candidateUrls: ReadonlyArray<string>
 ): Effect.Effect<string, ControllerBootstrapError> =>
+  findReachableHealthProbe(candidateUrls).pipe(Effect.map(({ apiBaseUrl }) => apiBaseUrl))
+
+const findReachableHealthProbe = (
+  candidateUrls: ReadonlyArray<string>
+): Effect.Effect<HealthProbeResult, ControllerBootstrapError> =>
   Effect.gen(function*(_) {
     if (candidateUrls.length === 0) {
       return yield* _(
@@ -85,14 +112,14 @@ const findReachableApiBaseUrl = (
       const healthy = yield* _(
         probeHealth(candidateUrl).pipe(
           Effect.match({
-            onFailure: () => false,
-            onSuccess: () => true
+            onFailure: () => undefined,
+            onSuccess: (result) => result
           })
         )
       )
 
-      if (healthy) {
-        return candidateUrl
+      if (healthy !== undefined) {
+        return healthy
       }
     }
 
@@ -176,10 +203,20 @@ const findReachableApiBaseUrlOption = (
     })
   )
 
-const findReachableDirectApiBaseUrl = (
+const findReachableHealthProbeOption = (
+  candidateUrls: ReadonlyArray<string>
+): Effect.Effect<HealthProbeResult | undefined, ControllerBootstrapError> =>
+  findReachableHealthProbe(candidateUrls).pipe(
+    Effect.match({
+      onFailure: (): HealthProbeResult | undefined => undefined,
+      onSuccess: (probe) => probe
+    })
+  )
+
+const findReachableDirectHealthProbe = (
   explicitApiBaseUrl: string | undefined
-): Effect.Effect<string | undefined, ControllerBootstrapError> =>
-  findReachableApiBaseUrlOption(
+): Effect.Effect<HealthProbeResult | undefined, ControllerBootstrapError> =>
+  findReachableHealthProbeOption(
     buildApiBaseUrlCandidates({
       explicitApiBaseUrl,
       cachedApiBaseUrl: selectedApiBaseUrl,
@@ -324,14 +361,25 @@ export const ensureControllerReady = (): Effect.Effect<void, ControllerBootstrap
   Effect.gen(function*(_) {
     yield* _(failIfRemoteDockerWithoutApiUrl())
     const explicitApiBaseUrl = resolveExplicitApiBaseUrl()
-    const reachableBeforeDocker = yield* _(findReachableDirectApiBaseUrl(explicitApiBaseUrl))
-
-    if (reachableBeforeDocker !== undefined) {
-      rememberSelectedApiBaseUrl(reachableBeforeDocker)
-      return
+    const localControllerRevision = yield* _(prepareLocalControllerRevision())
+    if (explicitApiBaseUrl !== undefined) {
+      const reachableBeforeDocker = yield* _(findReachableDirectHealthProbe(explicitApiBaseUrl))
+      if (reachableBeforeDocker !== undefined) {
+        rememberSelectedApiBaseUrl(reachableBeforeDocker.apiBaseUrl)
+        return
+      }
+      yield* _(failIfExplicitApiUrlIsUnreachable(explicitApiBaseUrl))
+    } else {
+      const reachableBeforeDocker = yield* _(findReachableDirectHealthProbe(undefined))
+      if (
+        reachableBeforeDocker !== undefined &&
+        reachableBeforeDocker.revision === localControllerRevision
+      ) {
+        rememberSelectedApiBaseUrl(reachableBeforeDocker.apiBaseUrl)
+        return
+      }
     }
 
-    yield* _(failIfExplicitApiUrlIsUnreachable(explicitApiBaseUrl))
     const bootstrapContext = yield* _(loadControllerBootstrapContext())
     const reusedExistingController = yield* _(reuseReachableControllerIfPossible(bootstrapContext))
     if (reusedExistingController) {

packages/app/src/lib/core/templates-entrypoint/nested-docker-git.ts

@@ -218,14 +218,6 @@ fi
 
 SOURCE_CODEX_CONFIG="__CODEX_HOME__/config.toml"
 copy_if_distinct_file "$SOURCE_CODEX_CONFIG" "$DOCKER_GIT_AUTH_DIR/config.toml" || true
-
-SOURCE_SHARED_AUTH="__CODEX_HOME__-shared/auth.json"
-SOURCE_LOCAL_AUTH="__CODEX_HOME__/auth.json"
-if [[ -f "$SOURCE_SHARED_AUTH" ]]; then
-  copy_if_distinct_file "$SOURCE_SHARED_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
-elif [[ -f "$SOURCE_LOCAL_AUTH" ]]; then
-  copy_if_distinct_file "$SOURCE_LOCAL_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
-fi
 if [[ -f "$DOCKER_GIT_AUTH_DIR/auth.json" ]]; then
   chmod 600 "$DOCKER_GIT_AUTH_DIR/auth.json" || true
 fi

packages/app/src/lib/core/templates-entrypoint/opencode.ts

@@ -124,10 +124,6 @@ if (!isRecord(codex)) process.exit(0)
 let opencode = readJson(opencodePath)
 if (!isRecord(opencode)) opencode = {}
 
-if (opencode.openai) {
-  process.exit(0)
-}
-
 const apiKey = codex.OPENAI_API_KEY
 if (typeof apiKey === "string" && apiKey.trim().length > 0) {
   opencode.openai = { type: "api", key: apiKey.trim() }

packages/app/src/lib/usecases/auth-copy.ts

@@ -93,8 +93,15 @@ export const copyCodexFile = (
     if (!sourceExists) {
       return
     }
+    const sourceText = yield* _(fs.readFileString(sourceFile))
     const targetExists = yield* _(fs.exists(targetFile))
     if (targetExists) {
+      const targetText = yield* _(fs.readFileString(targetFile))
+      if (targetText === sourceText) {
+        return
+      }
+      yield* _(fs.writeFileString(targetFile, sourceText))
+      yield* _(Effect.log(`Synced Codex ${spec.label} from ${sourceFile} to ${targetFile}`))
       return
     }
     yield* _(fs.copyFile(sourceFile, targetFile))

packages/lib/src/core/templates-entrypoint/nested-docker-git.ts

@@ -217,14 +217,6 @@ fi
 
 SOURCE_CODEX_CONFIG="__CODEX_HOME__/config.toml"
 copy_if_distinct_file "$SOURCE_CODEX_CONFIG" "$DOCKER_GIT_AUTH_DIR/config.toml" || true
-
-SOURCE_SHARED_AUTH="__CODEX_HOME__-shared/auth.json"
-SOURCE_LOCAL_AUTH="__CODEX_HOME__/auth.json"
-if [[ -f "$SOURCE_SHARED_AUTH" ]]; then
-  copy_if_distinct_file "$SOURCE_SHARED_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
-elif [[ -f "$SOURCE_LOCAL_AUTH" ]]; then
-  copy_if_distinct_file "$SOURCE_LOCAL_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
-fi
 if [[ -f "$DOCKER_GIT_AUTH_DIR/auth.json" ]]; then
   chmod 600 "$DOCKER_GIT_AUTH_DIR/auth.json" || true
 fi

packages/lib/src/core/templates-entrypoint/opencode.ts

@@ -123,10 +123,6 @@ if (!isRecord(codex)) process.exit(0)
 let opencode = readJson(opencodePath)
 if (!isRecord(opencode)) opencode = {}
 
-if (opencode.openai) {
-  process.exit(0)
-}
-
 const apiKey = codex.OPENAI_API_KEY
 if (typeof apiKey === "string" && apiKey.trim().length > 0) {
   opencode.openai = { type: "api", key: apiKey.trim() }