fix(auth): stabilize claude auth sync and container bootstrap

Author: skulidropek

packages/app/src/docker-git/menu-project-auth-claude.ts

@@ -4,6 +4,8 @@ import { Effect } from "effect"
 
 const oauthTokenFileName = ".oauth-token"
 const legacyConfigFileName = ".config.json"
+const credentialsFileName = ".credentials.json"
+const nestedCredentialsFileName = ".claude/.credentials.json"
 
 const hasFileAtPath = (
   fs: FileSystem.FileSystem,
@@ -53,7 +55,19 @@ export const hasClaudeAccountCredentials = (
   fs: FileSystem.FileSystem,
   accountPath: string
 ): Effect.Effect<boolean, PlatformError> =>
-  hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`).pipe(
+  hasFileAtPath(fs, `${accountPath}/${credentialsFileName}`).pipe(
+    Effect.flatMap((hasCredentialsFile) => {
+      if (hasCredentialsFile) {
+        return Effect.succeed(true)
+      }
+      return hasFileAtPath(fs, `${accountPath}/${nestedCredentialsFileName}`)
+    }),
+    Effect.flatMap((hasNestedCredentialsFile) => {
+      if (hasNestedCredentialsFile) {
+        return Effect.succeed(true)
+      }
+      return hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`)
+    }),
     Effect.flatMap((hasConfig) => {
       if (hasConfig) {
         return Effect.succeed(true)

packages/app/tests/docker-git/entrypoint-auth.test.ts

@@ -37,11 +37,21 @@ describe("renderEntrypoint auth bridge", () => {
       expect(entrypoint).toContain("CLAUDE_CONFIG_DIR=\"${CLAUDE_CONFIG_DIR:-$HOME/.claude}\"")
       expect(entrypoint).toContain("docker_git_ensure_claude_cli()")
       expect(entrypoint).toContain("claude cli.js not found under npm global root; skip shim restore")
-      expect(entrypoint).toContain("CLAUDE_SETTINGS_FILE=\"$CLAUDE_CONFIG_DIR/.claude.json\"")
+      expect(entrypoint).toContain("CLAUDE_CREDENTIALS_FILE=\"$CLAUDE_CONFIG_DIR/.credentials.json\"")
+      expect(entrypoint).toContain("if [[ -s \"$CLAUDE_CREDENTIALS_FILE\" ]]; then")
+      expect(entrypoint).toContain("CLAUDE_SETTINGS_FILE=\"${CLAUDE_HOME_JSON:-$CLAUDE_CONFIG_DIR/.claude.json}\"")
       expect(entrypoint).toContain("nextServers.playwright = {")
       expect(entrypoint).toContain("command: \"docker-git-playwright-mcp\"")
       expect(entrypoint).toContain("CLAUDE_ROOT_TOKEN_FILE=\"$CLAUDE_AUTH_ROOT/.oauth-token\"")
       expect(entrypoint).toContain("CLAUDE_ROOT_CONFIG_FILE=\"$CLAUDE_AUTH_ROOT/.config.json\"")
+      expect(entrypoint).toContain("CLAUDE_HOME_DIR=\"/home/dev/.claude\"")
+      expect(entrypoint).toContain("CLAUDE_HOME_JSON=\"/home/dev/.claude.json\"")
+      expect(entrypoint).toContain("docker_git_link_claude_home_file()")
+      expect(entrypoint).toContain("docker_git_link_claude_home_file \".oauth-token\"")
+      expect(entrypoint).toContain("docker_git_link_claude_home_file \".config.json\"")
+      expect(entrypoint).toContain("docker_git_link_claude_home_file \".claude.json\"")
+      expect(entrypoint).toContain("docker_git_link_claude_home_file \".credentials.json\"")
+      expect(entrypoint).toContain("docker_git_link_claude_file \"$CLAUDE_CONFIG_DIR/.claude.json\" \"$CLAUDE_HOME_JSON\"")
       expect(entrypoint).toContain("CLAUDE_GLOBAL_PROMPT_FILE=\"/home/dev/.claude/CLAUDE.md\"")
       expect(entrypoint).toContain("CLAUDE_AUTO_SYSTEM_PROMPT=\"${CLAUDE_AUTO_SYSTEM_PROMPT:-1}\"")
       expect(entrypoint).toContain("docker-git-managed:claude-md")

packages/lib/src/core/templates-entrypoint/claude.ts

@@ -1,6 +1,7 @@
 import type { TemplateConfig } from "../domain.js"
 
 const claudeAuthRootContainerPath = (sshUser: string): string => `/home/${sshUser}/.docker-git/.orch/auth/claude`
+const claudeHomeContainerPath = (sshUser: string): string => `/home/${sshUser}/.claude`
 
 const renderClaudeAuthConfig = (config: TemplateConfig): string =>
   String
@@ -32,14 +33,55 @@ fi
 export CLAUDE_CONFIG_DIR
 
 mkdir -p "$CLAUDE_CONFIG_DIR" || true
+CLAUDE_HOME_DIR="${claudeHomeContainerPath(config.sshUser)}"
+CLAUDE_HOME_JSON="/home/${config.sshUser}/.claude.json"
+mkdir -p "$CLAUDE_HOME_DIR" || true
+
+docker_git_link_claude_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  # Preserve user-created regular files and seed config dir once.
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    return 0
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+docker_git_link_claude_home_file() {
+  local relative_path="$1"
+  local source_path="$CLAUDE_CONFIG_DIR/$relative_path"
+  local link_path="$CLAUDE_HOME_DIR/$relative_path"
+  docker_git_link_claude_file "$source_path" "$link_path"
+}
+
+docker_git_link_claude_home_file ".oauth-token"
+docker_git_link_claude_home_file ".config.json"
+docker_git_link_claude_home_file ".claude.json"
+docker_git_link_claude_home_file ".credentials.json"
+docker_git_link_claude_file "$CLAUDE_CONFIG_DIR/.claude.json" "$CLAUDE_HOME_JSON"
 
 CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
 docker_git_refresh_claude_oauth_token() {
   local token=""
+  if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+    unset CLAUDE_CODE_OAUTH_TOKEN || true
+    return 0
+  fi
   if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
     token="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
   fi
-  export CLAUDE_CODE_OAUTH_TOKEN="$token"
+  if [[ -n "$token" ]]; then
+    export CLAUDE_CODE_OAUTH_TOKEN="$token"
+  else
+    unset CLAUDE_CODE_OAUTH_TOKEN || true
+  fi
 }
 
 docker_git_refresh_claude_oauth_token`
@@ -89,7 +131,7 @@ docker_git_ensure_claude_cli`
 
 const renderClaudeMcpPlaywrightConfig = (): string =>
   String.raw`# Claude Code: keep Playwright MCP config in sync with container settings
-CLAUDE_SETTINGS_FILE="$CLAUDE_CONFIG_DIR/.claude.json"
+CLAUDE_SETTINGS_FILE="${"$"}{CLAUDE_HOME_JSON:-$CLAUDE_CONFIG_DIR/.claude.json}"
 docker_git_sync_claude_playwright_mcp() {
   CLAUDE_SETTINGS_FILE="$CLAUDE_SETTINGS_FILE" MCP_PLAYWRIGHT_ENABLE="$MCP_PLAYWRIGHT_ENABLE" node - <<'NODE'
 const fs = require("node:fs")
@@ -248,8 +290,11 @@ set -euo pipefail
 CLAUDE_REAL_BIN="__CLAUDE_REAL_BIN__"
 CLAUDE_CONFIG_DIR="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}"
 CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
 
-if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+  unset CLAUDE_CODE_OAUTH_TOKEN || true
+elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
   CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
   export CLAUDE_CODE_OAUTH_TOKEN
 else
@@ -270,7 +315,10 @@ printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
 printf "export CLAUDE_AUTO_SYSTEM_PROMPT=%q\n" "$CLAUDE_AUTO_SYSTEM_PROMPT" >> "$CLAUDE_PROFILE"
 cat <<'EOF' >> "$CLAUDE_PROFILE"
 CLAUDE_TOKEN_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.oauth-token"
-if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+CLAUDE_CREDENTIALS_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.credentials.json"
+if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+  unset CLAUDE_CODE_OAUTH_TOKEN || true
+elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
   export CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
 else
   unset CLAUDE_CODE_OAUTH_TOKEN || true
@@ -280,7 +328,7 @@ chmod 0644 "$CLAUDE_PROFILE" || true
 
 docker_git_upsert_ssh_env "CLAUDE_AUTH_LABEL" "$CLAUDE_AUTH_LABEL"
 docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"
-docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "$CLAUDE_CODE_OAUTH_TOKEN"
+docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "${"$"}{CLAUDE_CODE_OAUTH_TOKEN:-}"
 docker_git_upsert_ssh_env "CLAUDE_AUTO_SYSTEM_PROMPT" "$CLAUDE_AUTO_SYSTEM_PROMPT"`
 
 export const renderEntrypointClaudeConfig = (config: TemplateConfig): string =>

packages/lib/src/shell/docker-auth.ts

@@ -14,11 +14,21 @@ export type DockerAuthSpec = {
   readonly image: string
   readonly volume: DockerVolume
   readonly entrypoint?: string
+  readonly user?: string
   readonly env?: string | ReadonlyArray<string>
   readonly args: ReadonlyArray<string>
   readonly interactive: boolean
 }
 
+const resolveDefaultDockerUser = (): string | null => {
+  const getUid = (process as { readonly getuid?: () => number }).getuid
+  const getGid = (process as { readonly getgid?: () => number }).getgid
+  if (typeof getUid !== "function" || typeof getGid !== "function") {
+    return null
+  }
+  return `${getUid()}:${getGid()}`
+}
+
 const appendEnvArgs = (base: Array<string>, env: string | ReadonlyArray<string>) => {
   if (typeof env === "string") {
     const trimmed = env.trim()
@@ -38,6 +48,10 @@ const appendEnvArgs = (base: Array<string>, env: string | ReadonlyArray<string>)
 
 const buildDockerArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => {
   const base: Array<string> = ["run", "--rm"]
+  const dockerUser = (spec.user ?? "").trim() || resolveDefaultDockerUser()
+  if (dockerUser !== null) {
+    base.push("--user", dockerUser)
+  }
   if (spec.interactive) {
     base.push("-it")
   }

packages/lib/src/usecases/actions/prepare-files.ts

@@ -1,12 +1,17 @@
 import type { PlatformError } from "@effect/platform/Error"
 import type * as FileSystem from "@effect/platform/FileSystem"
-import type * as Path from "@effect/platform/Path"
+import * as Path from "@effect/platform/Path"
 import { Effect } from "effect"
 
 import type { CreateCommand } from "../../core/domain.js"
 import type { FileExistsError } from "../../shell/errors.js"
 import { writeProjectFiles } from "../../shell/files.js"
-import { ensureCodexConfigFile, migrateLegacyOrchLayout, syncAuthArtifacts } from "../auth-sync.js"
+import {
+  ensureClaudeAuthSeedFromHome,
+  ensureCodexConfigFile,
+  migrateLegacyOrchLayout,
+  syncAuthArtifacts
+} from "../auth-sync.js"
 import { findAuthorizedKeysSource, resolveAuthorizedKeysPath } from "../path-helpers.js"
 import { withFsPathContext } from "../runtime.js"
 import { resolvePathFromBase } from "./paths.js"
@@ -122,6 +127,7 @@ export const prepareProjectFiles = (
   options: PrepareProjectFilesOptions
 ): Effect.Effect<ReadonlyArray<string>, PrepareProjectFilesError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
+    const path = yield* _(Path.Path)
     const rewriteManagedFiles = options.force || options.forceEnv
     const envOnlyRefresh = options.forceEnv && !options.force
     const createdFiles = yield* _(
@@ -138,6 +144,8 @@ export const prepareProjectFiles = (
       )
     )
     yield* _(ensureCodexConfigFile(baseDir, globalConfig.codexAuthPath))
+    const globalClaudeAuthPath = path.join(path.dirname(globalConfig.codexAuthPath), "claude")
+    yield* _(ensureClaudeAuthSeedFromHome(baseDir, globalClaudeAuthPath))
     yield* _(
       syncAuthArtifacts({
         sourceBase: baseDir,

packages/lib/src/usecases/apply.ts

@@ -13,7 +13,7 @@ import type * as ShellErrors from "../shell/errors.js"
 import { writeProjectFiles } from "../shell/files.js"
 import { resolveBaseDir } from "../shell/paths.js"
 import { applyTemplateOverrides, hasApplyOverrides } from "./apply-overrides.js"
-import { ensureCodexConfigFile } from "./auth-sync.js"
+import { ensureClaudeAuthSeedFromHome, ensureCodexConfigFile } from "./auth-sync.js"
 import { findDockerGitConfigPaths } from "./docker-git-config-search.js"
 import { defaultProjectsRoot, findExistingUpwards } from "./path-helpers.js"
 import { runDockerComposeUpWithPortCheck } from "./projects-up.js"
@@ -45,6 +45,7 @@ export const applyProjectFiles = (
     const resolvedTemplate = applyTemplateOverrides(config.template, command)
     yield* _(writeProjectFiles(projectDir, resolvedTemplate, true))
     yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath))
+    yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"))
     return resolvedTemplate
   })
 
@@ -321,6 +322,7 @@ const applyProjectWithUp = (
   Effect.gen(function*(_) {
     yield* _(Effect.log(`Applying docker-git config and refreshing container in ${projectDir}...`))
     yield* _(ensureDockerDaemonAccess(process.cwd()))
+    yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"))
     if (hasApplyOverrides(command)) {
       yield* _(applyProjectFiles(projectDir, command))
     }

packages/lib/src/usecases/auth-claude-oauth.ts

@@ -10,6 +10,7 @@ import { AuthError, CommandFailedError } from "../shell/errors.js"
 
 const oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN"
 const tokenMarker = "Your OAuth token (valid for 1 year):"
+const tokenFooterMarker = "Store this token securely."
 const outputWindowSize = 262_144
 
 const oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u
@@ -85,8 +86,23 @@ const extractOauthToken = (rawOutput: string): string | null => {
   }
 
   const tail = normalized.slice(markerIndex + tokenMarker.length)
-  const match = oauthTokenRegex.exec(tail)
-  return match?.[1] ?? null
+  const footerIndex = tail.indexOf(tokenFooterMarker)
+  const tokenSection = footerIndex === -1 ? tail : tail.slice(0, footerIndex)
+
+  // CHANGE: join wrapped lines in token section before parsing
+  // WHY: some terminals hard-wrap long OAuth tokens with newline characters
+  // REF: issue-377
+  // SOURCE: n/a
+  // PURITY: CORE
+  // INVARIANT: only whitespace is removed; token alphabet remains intact
+  const compactSection = tokenSection.replaceAll(/\s+/gu, "")
+  const compactMatch = oauthTokenRegex.exec(compactSection)
+  if (compactMatch?.[1] !== undefined) {
+    return compactMatch[1]
+  }
+
+  const directMatch = oauthTokenRegex.exec(tokenSection)
+  return directMatch?.[1] ?? null
 }
 
 const oauthTokenFromEnv = (): string | null => {
@@ -120,12 +136,17 @@ const buildDockerSetupTokenSpec = (
   image,
   hostPath: accountPath,
   containerPath,
-  env: [`CLAUDE_CONFIG_DIR=${containerPath}`],
+  env: [`CLAUDE_CONFIG_DIR=${containerPath}`, `HOME=${containerPath}`, "BROWSER=echo"],
   args: ["setup-token"]
 })
 
 const buildDockerSetupTokenArgs = (spec: DockerSetupTokenSpec): ReadonlyArray<string> => {
   const base: Array<string> = ["run", "--rm", "-i", "-t", "-v", `${spec.hostPath}:${spec.containerPath}`]
+  const getUid = (process as { readonly getuid?: () => number }).getuid
+  const getGid = (process as { readonly getgid?: () => number }).getgid
+  if (typeof getUid === "function" && typeof getGid === "function") {
+    base.push("--user", `${getUid()}:${getGid()}`)
+  }
   for (const entry of spec.env) {
     const trimmed = entry.trim()
     if (trimmed.length === 0) {
@@ -187,9 +208,6 @@ const pumpDockerOutput = (
   ).pipe(Effect.asVoid)
 }
 
-const ensureExitOk = (exitCode: number): Effect.Effect<void, CommandFailedError> =>
-  exitCode === 0 ? Effect.void : Effect.fail(new CommandFailedError({ command: "claude setup-token", exitCode }))
-
 const resolveCapturedToken = (token: string | null): Effect.Effect<string, AuthError> =>
   token === null
     ? Effect.fail(
@@ -200,6 +218,29 @@ const resolveCapturedToken = (token: string | null): Effect.Effect<string, AuthE
     )
     : ensureOauthToken(token)
 
+const resolveLoginResult = (
+  token: string | null,
+  exitCode: number
+): Effect.Effect<string, AuthError | CommandFailedError> =>
+  Effect.gen(function*(_) {
+    if (token !== null) {
+      if (exitCode !== 0) {
+        yield* _(
+          Effect.logWarning(
+            `claude setup-token returned exit=${exitCode}, but OAuth token was captured; continuing.`
+          )
+        )
+      }
+      return yield* _(ensureOauthToken(token))
+    }
+
+    if (exitCode !== 0) {
+      yield* _(Effect.fail(new CommandFailedError({ command: "claude setup-token", exitCode })))
+    }
+
+    return yield* _(resolveCapturedToken(token))
+  })
+
 export const runClaudeOauthLoginWithPrompt = (
   cwd: string,
   accountPath: string,
@@ -226,9 +267,7 @@ export const runClaudeOauthLoginWithPrompt = (
       const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)))
       yield* _(Fiber.join(stdoutFiber))
       yield* _(Fiber.join(stderrFiber))
-      yield* _(ensureExitOk(exitCode))
-
-      return yield* _(resolveCapturedToken(tokenBox.value))
+      return yield* _(resolveLoginResult(tokenBox.value, exitCode))
     })
   )
 }