fix(shell): align clone and gh auth with labeled tokens

Author: skulidropek

packages/app/src/docker-git/cli/parser-clone.ts

@@ -18,7 +18,7 @@ const applyCloneDefaults = (
     ...raw,
     repoUrl: rawRepoUrl,
     outDir: raw.outDir ?? `.docker-git/${repoPath}`,
-    targetDir: raw.targetDir ?? `${targetHome}/.docker-git/workspaces/${repoPath}`
+    targetDir: raw.targetDir ?? `${targetHome}/workspaces/${repoPath}`
   }
 }
 

packages/app/src/docker-git/cli/usage.ts

@@ -34,7 +34,7 @@ Commands:
 Options:
   --repo-ref <ref>          Git ref/branch (default: main)
   --branch, -b <ref>        Alias for --repo-ref
-  --target-dir <path>       Target dir inside container (create default: /home/dev/app, clone default: ~/.docker-git/workspaces/<org>/<repo>[/issue-<id>|/pr-<id>])
+  --target-dir <path>       Target dir inside container (create default: /home/dev/app, clone default: ~/workspaces/<org>/<repo>[/issue-<id>|/pr-<id>])
   --ssh-port <port>         Local SSH port (default: 2222)
   --ssh-user <user>         SSH user inside container (default: dev)
   --container-name <name>   Docker container name (default: dg-<repo>)

packages/app/tests/docker-git/entrypoint-auth.test.ts

@@ -17,12 +17,19 @@ describe("renderEntrypoint auth bridge", () => {
         "GIT_AUTH_TOKEN=\"${GIT_AUTH_TOKEN:-${GITHUB_TOKEN:-${GH_TOKEN:-}}}\""
       )
       expect(entrypoint).toContain("GITHUB_TOKEN=\"${GITHUB_TOKEN:-${GH_TOKEN:-}}\"")
-      expect(entrypoint).toContain("if [[ -n \"$GH_TOKEN\" || -n \"$GITHUB_TOKEN\" ]]; then")
+      expect(entrypoint).toContain("AUTH_LABEL_RAW=\"${GIT_AUTH_LABEL:-${GITHUB_AUTH_LABEL:-}}\"")
+      expect(entrypoint).toContain("LABELED_GITHUB_TOKEN_KEY=\"GITHUB_TOKEN__$RESOLVED_AUTH_LABEL\"")
+      expect(entrypoint).toContain("LABELED_GIT_TOKEN_KEY=\"GIT_AUTH_TOKEN__$RESOLVED_AUTH_LABEL\"")
+      expect(entrypoint).toContain("if [[ -n \"$EFFECTIVE_GH_TOKEN\" ]]; then")
       expect(entrypoint).toContain(String.raw`printf "export GITHUB_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN"`)
+      expect(entrypoint).toContain(String.raw`printf "export GH_TOKEN=%q\n" "$EFFECTIVE_GH_TOKEN"`)
+      expect(entrypoint).toContain(String.raw`printf "export GIT_AUTH_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN"`)
       expect(entrypoint).toContain("docker_git_upsert_ssh_env \"GITHUB_TOKEN\" \"$EFFECTIVE_GITHUB_TOKEN\"")
+      expect(entrypoint).toContain("docker_git_upsert_ssh_env \"GH_TOKEN\" \"$EFFECTIVE_GH_TOKEN\"")
+      expect(entrypoint).toContain("docker_git_upsert_ssh_env \"GIT_AUTH_TOKEN\" \"$EFFECTIVE_GITHUB_TOKEN\"")
       expect(entrypoint).toContain("GIT_CREDENTIAL_HELPER_PATH=\"/usr/local/bin/docker-git-credential-helper\"")
-      expect(entrypoint).toContain("token=\"$GITHUB_TOKEN\"")
-      expect(entrypoint).toContain("token=\"$GH_TOKEN\"")
+      expect(entrypoint).toContain("token=\"${GITHUB_TOKEN:-}\"")
+      expect(entrypoint).toContain("token=\"${GH_TOKEN:-}\"")
       expect(entrypoint).toContain(String.raw`printf "%s\n" "password=$token"`)
       expect(entrypoint).toContain("git config --global credential.helper")
     }))

packages/app/tests/docker-git/parser.test.ts

@@ -87,7 +87,7 @@ describe("parseArgs", () => {
       expect(command.openSsh).toBe(true)
       expect(command.waitForClone).toBe(true)
       expect(command.config.targetDir).toBe(
-        expandDefaultTargetDir("~/.docker-git/workspaces/org/repo")
+        expandDefaultTargetDir("~/workspaces/org/repo")
       )
     }))
 
@@ -129,7 +129,7 @@ describe("parseArgs", () => {
       expect(command.config.repoRef).toBe("vova-fork")
       expect(command.outDir).toBe(".docker-git/agiens/crm")
       expect(command.config.targetDir).toBe(
-        expandDefaultTargetDir("~/.docker-git/workspaces/agiens/crm")
+        expandDefaultTargetDir("~/workspaces/agiens/crm")
       )
     }))
 
@@ -139,7 +139,7 @@ describe("parseArgs", () => {
       expect(command.config.repoRef).toBe("issue-5")
       expect(command.outDir).toBe(".docker-git/org/repo/issue-5")
       expect(command.config.targetDir).toBe(
-        expandDefaultTargetDir("~/.docker-git/workspaces/org/repo/issue-5")
+        expandDefaultTargetDir("~/workspaces/org/repo/issue-5")
       )
       expect(command.config.containerName).toBe("dg-repo-issue-5")
       expect(command.config.serviceName).toBe("dg-repo-issue-5")
@@ -152,7 +152,7 @@ describe("parseArgs", () => {
       expect(command.config.repoRef).toBe("refs/pull/42/head")
       expect(command.outDir).toBe(".docker-git/org/repo/pr-42")
       expect(command.config.targetDir).toBe(
-        expandDefaultTargetDir("~/.docker-git/workspaces/org/repo/pr-42")
+        expandDefaultTargetDir("~/workspaces/org/repo/pr-42")
       )
       expect(command.config.containerName).toBe("dg-repo-pr-42")
       expect(command.config.serviceName).toBe("dg-repo-pr-42")

packages/docker-git/tests/core/templates.test.ts

@@ -72,7 +72,13 @@ describe("planFiles", () => {
         expect(entrypointSpec.contents).toContain(
           "GIT_CREDENTIAL_HELPER_PATH=\"/usr/local/bin/docker-git-credential-helper\""
         )
-        expect(entrypointSpec.contents).toContain("token=\"$GITHUB_TOKEN\"")
+        expect(entrypointSpec.contents).toContain("AUTH_LABEL_RAW=\"${GIT_AUTH_LABEL:-${GITHUB_AUTH_LABEL:-}}\"")
+        expect(entrypointSpec.contents).toContain("LABELED_GITHUB_TOKEN_KEY=\"GITHUB_TOKEN__$RESOLVED_AUTH_LABEL\"")
+        expect(entrypointSpec.contents).toContain("LABELED_GIT_TOKEN_KEY=\"GIT_AUTH_TOKEN__$RESOLVED_AUTH_LABEL\"")
+        expect(entrypointSpec.contents).toContain("SAFE_GH_TOKEN=\"$(printf \"%q\" \"$EFFECTIVE_GH_TOKEN\")\"")
+        expect(entrypointSpec.contents).toContain("docker_git_upsert_ssh_env \"GIT_AUTH_TOKEN\" \"$EFFECTIVE_GITHUB_TOKEN\"")
+        expect(entrypointSpec.contents).toContain("token=\"${GITHUB_TOKEN:-}\"")
+        expect(entrypointSpec.contents).toContain("token=\"${GH_TOKEN:-}\"")
         expect(entrypointSpec.contents).toContain("issue_managed_start='<!-- docker-git:issue-managed:start -->'")
         expect(entrypointSpec.contents).toContain("check_issue_managed_block_range")
         expect(entrypointSpec.contents).toContain(
@@ -90,6 +96,8 @@ describe("planFiles", () => {
         expect(entrypointSpec.contents).toContain("[clone-cache] using mirror: $CACHE_REPO_DIR")
         expect(entrypointSpec.contents).toContain("git clone --progress $CLONE_CACHE_ARGS")
         expect(entrypointSpec.contents).toContain("[clone-cache] mirror created: $CACHE_REPO_DIR")
+        expect(entrypointSpec.contents).toContain("CACHE_REPO_DIR=\"${CACHE_REPO_DIR:-}\"")
+        expect(entrypointSpec.contents).toContain("fetch --progress --prune '$AUTH_REPO_URL' '+refs/*:refs/*'")
       }
     }))
 

packages/lib/src/core/templates-entrypoint/git.ts

@@ -1,25 +1,60 @@
 import type { TemplateConfig } from "../domain.js"
 
 const renderEntrypointAuthEnvBridge = (config: TemplateConfig): string =>
-  String.raw`# 2) Ensure GitHub auth vars are available for SSH sessions if provided
-if [[ -n "$GH_TOKEN" || -n "$GITHUB_TOKEN" ]]; then
-  EFFECTIVE_GITHUB_TOKEN="$GITHUB_TOKEN"
-  if [[ -z "$EFFECTIVE_GITHUB_TOKEN" ]]; then
-    EFFECTIVE_GITHUB_TOKEN="$GH_TOKEN"
+  String.raw`# 2) Ensure GitHub auth vars are available for SSH sessions.
+# Prefer a label-selected token (same selection model as clone/create) when present.
+RESOLVED_AUTH_LABEL=""
+AUTH_LABEL_RAW="${"${"}GIT_AUTH_LABEL:-${"${"}GITHUB_AUTH_LABEL:-}}"
+
+if [[ -z "$AUTH_LABEL_RAW" && "$REPO_URL" == https://github.com/* ]]; then
+  AUTH_LABEL_RAW="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##' | cut -d/ -f1)"
+fi
+
+if [[ -n "$AUTH_LABEL_RAW" ]]; then
+  RESOLVED_AUTH_LABEL="$(printf "%s" "$AUTH_LABEL_RAW" | tr '[:lower:]' '[:upper:]' | sed -E 's/[^A-Z0-9]+/_/g; s/^_+//; s/_+$//')"
+  if [[ "$RESOLVED_AUTH_LABEL" == "DEFAULT" ]]; then
+    RESOLVED_AUTH_LABEL=""
   fi
+fi
 
-  EFFECTIVE_GH_TOKEN="$GH_TOKEN"
-  if [[ -z "$EFFECTIVE_GH_TOKEN" ]]; then
-    EFFECTIVE_GH_TOKEN="$EFFECTIVE_GITHUB_TOKEN"
+EFFECTIVE_GITHUB_TOKEN="$GITHUB_TOKEN"
+if [[ -z "$EFFECTIVE_GITHUB_TOKEN" ]]; then
+  EFFECTIVE_GITHUB_TOKEN="$GH_TOKEN"
+fi
+if [[ -z "$EFFECTIVE_GITHUB_TOKEN" ]]; then
+  EFFECTIVE_GITHUB_TOKEN="$GIT_AUTH_TOKEN"
+fi
+
+if [[ -n "$RESOLVED_AUTH_LABEL" ]]; then
+  LABELED_GIT_TOKEN_KEY="GIT_AUTH_TOKEN__$RESOLVED_AUTH_LABEL"
+  LABELED_GITHUB_TOKEN_KEY="GITHUB_TOKEN__$RESOLVED_AUTH_LABEL"
+  LABELED_GH_TOKEN_KEY="GH_TOKEN__$RESOLVED_AUTH_LABEL"
+
+  LABELED_GIT_TOKEN="${"${"}!LABELED_GIT_TOKEN_KEY-}"
+  LABELED_GITHUB_TOKEN="${"${"}!LABELED_GITHUB_TOKEN_KEY-}"
+  LABELED_GH_TOKEN="${"${"}!LABELED_GH_TOKEN_KEY-}"
+
+  if [[ -n "$LABELED_GIT_TOKEN" ]]; then
+    EFFECTIVE_GITHUB_TOKEN="$LABELED_GIT_TOKEN"
+  elif [[ -n "$LABELED_GITHUB_TOKEN" ]]; then
+    EFFECTIVE_GITHUB_TOKEN="$LABELED_GITHUB_TOKEN"
+  elif [[ -n "$LABELED_GH_TOKEN" ]]; then
+    EFFECTIVE_GITHUB_TOKEN="$LABELED_GH_TOKEN"
   fi
+fi
+
+EFFECTIVE_GH_TOKEN="$EFFECTIVE_GITHUB_TOKEN"
 
+if [[ -n "$EFFECTIVE_GH_TOKEN" ]]; then
   printf "export GH_TOKEN=%q\n" "$EFFECTIVE_GH_TOKEN" > /etc/profile.d/gh-token.sh
   printf "export GITHUB_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN" >> /etc/profile.d/gh-token.sh
+  printf "export GIT_AUTH_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN" >> /etc/profile.d/gh-token.sh
   chmod 0644 /etc/profile.d/gh-token.sh
   docker_git_upsert_ssh_env "GH_TOKEN" "$EFFECTIVE_GH_TOKEN"
   docker_git_upsert_ssh_env "GITHUB_TOKEN" "$EFFECTIVE_GITHUB_TOKEN"
+  docker_git_upsert_ssh_env "GIT_AUTH_TOKEN" "$EFFECTIVE_GITHUB_TOKEN"
 
-  SAFE_GH_TOKEN="$(printf "%q" "$GH_TOKEN")"
+  SAFE_GH_TOKEN="$(printf "%q" "$EFFECTIVE_GH_TOKEN")"
   # Keep git+https auth in sync with gh auth so push/pull works without manual setup.
   su - ${config.sshUser} -c "GH_TOKEN=$SAFE_GH_TOKEN gh auth setup-git --hostname github.com --force" || true
 
@@ -47,9 +82,9 @@ if [[ "$#" -lt 1 || "$1" != "get" ]]; then
   exit 0
 fi
 
-token="$GITHUB_TOKEN"
+token="${"${"}GITHUB_TOKEN:-}"
 if [[ -z "$token" ]]; then
-  token="$GH_TOKEN"
+  token="${"${"}GH_TOKEN:-}"
 fi
 
 if [[ -z "$token" ]]; then

packages/lib/src/core/templates-entrypoint/tasks.ts

@@ -101,7 +101,7 @@ else
     chown 1000:1000 "$CACHE_ROOT" || true
     if [[ -d "$CACHE_REPO_DIR" ]]; then
       if su - ${config.sshUser} -c "git --git-dir '$CACHE_REPO_DIR' rev-parse --is-bare-repository >/dev/null 2>&1"; then
-        if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git --git-dir '$CACHE_REPO_DIR' fetch --progress --prune '$REPO_URL' '+refs/*:refs/*'"; then
+        if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git --git-dir '$CACHE_REPO_DIR' fetch --progress --prune '$AUTH_REPO_URL' '+refs/*:refs/*'"; then
           echo "[clone-cache] mirror refresh failed for $REPO_URL"
         fi
         CLONE_CACHE_ARGS="--reference-if-able '$CACHE_REPO_DIR' --dissociate"
@@ -155,7 +155,8 @@ const renderCloneBodyRef = (config: TemplateConfig): string =>
   fi`
 
 const renderCloneCacheFinalize = (config: TemplateConfig): string =>
-  `if [[ "$CLONE_OK" -eq 1 && -d "$TARGET_DIR/.git" && -n "$CACHE_REPO_DIR" && ! -d "$CACHE_REPO_DIR" ]]; then
+  `CACHE_REPO_DIR="\${CACHE_REPO_DIR:-}"
+if [[ "$CLONE_OK" -eq 1 && -d "$TARGET_DIR/.git" && -n "$CACHE_REPO_DIR" && ! -d "$CACHE_REPO_DIR" ]]; then
   CACHE_TMP_DIR="$CACHE_REPO_DIR.tmp-$$"
   if su - ${config.sshUser} -c "rm -rf '$CACHE_TMP_DIR' && GIT_TERMINAL_PROMPT=0 git clone --mirror --progress '$TARGET_DIR/.git' '$CACHE_TMP_DIR'"; then
     if mv "$CACHE_TMP_DIR" "$CACHE_REPO_DIR" 2>/dev/null; then