feat(auth): add Gemini CLI authentication support with OAuth

[konard]

Summary

Implements Gemini CLI authentication management for docker-git, following the same patterns as existing Claude Code and Codex integrations.

• Add docker-git auth gemini login|status|logout CLI commands
• Add Gemini auth flows to the TUI menu:
  • OAuth login (Sign in with Google) - for headless/Docker environments with port forwarding
  • API key entry - for simple setup with aistudio.google.com key
  • Logout (clear credentials)
• Add project-level Gemini auth binding (connect/disconnect)
• Add container entrypoint configuration for GEMINI_API_KEY environment variable
• Update template configuration with geminiAuthPath and geminiHome

OAuth Authentication with Docker Port Forwarding

The OAuth flow now works correctly in Docker environments:

1. Uses a fixed callback port (38751) for consistent Docker port forwarding
2. Maps the port between host and container (-p 38751:38751)
3. Sets OAUTH_CALLBACK_PORT and OAUTH_CALLBACK_HOST=0.0.0.0 environment variables
4. Runs Gemini CLI with --debug flag to ensure auth URL is displayed

How it works:

1. Run docker-git menu -> Auth profiles -> "Gemini CLI: login via OAuth (Google account)"
2. Enter a label (or press Enter for "default")
3. The system displays the OAuth URL
4. Open the URL in your browser, authenticate with Google
5. The browser redirects to http://localhost:38751/oauth2callback?...
6. The callback is captured automatically via the forwarded port

API Key Authentication

For simpler setup:

1. Go to https://ai.google.dev/aistudio
2. Create or retrieve your API key
3. Use docker-git menu -> Auth profiles -> "Gemini CLI: set API key"

Files Changed

New files:

• packages/lib/src/usecases/auth-gemini.ts - Gemini auth usecase (login, status, logout)
• packages/lib/src/usecases/auth-gemini-oauth.ts - OAuth flow with port forwarding
• packages/lib/src/core/templates-entrypoint/gemini.ts - Container entrypoint template
• packages/app/src/docker-git/menu-project-auth-gemini.ts - Gemini credentials check
• packages/lib/src/shell/ansi-strip.ts - Shared ANSI parsing utilities

Modified files:

• packages/lib/src/core/domain.ts - Auth command types, TemplateConfig
• packages/app/src/docker-git/cli/parser-auth.ts - CLI parsing for Gemini commands
• packages/app/src/docker-git/menu-types.ts - Gemini auth flow types
• packages/app/src/docker-git/menu-auth-data.ts - Menu items for Gemini
• packages/app/src/docker-git/menu-auth-effects.ts - Auth effect handlers
• packages/app/src/docker-git/menu-auth.ts - TUI suspension for OAuth flow
• packages/app/src/docker-git/program.ts - Command handlers

Test plan

• Typecheck passes (pnpm typecheck)
• Lint passes (pnpm lint)
• All tests pass (pnpm test - 76 tests in lib)
• Manual testing: docker-git menu -> Gemini CLI: login via OAuth
• Manual testing: docker-git menu -> Gemini CLI: set API key
• Manual testing: docker-git auth gemini status
• Manual testing: docker-git auth gemini logout

Fixes #146

🤖 Generated with Claude Code

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $17.982372
• Calculated by Anthropic: $12.117682 USD
• Difference: $-5.864690 (-32.61%)
  📎 Log file uploaded as Gist (3714KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[skulidropek]

Авторизация
Он мне даёт такого пана ссылку обратно
Мне ндо что бы он её умел принимать
Тиоп ждал пока мы вставим ссылку

Т.е он даёт нам ссылку и просит что бы мы ссылку вставили обратно
http://127.0.0.1:46847/oauth2callback?state=0eb1d1e1bbe349564503a0acfc&iss=https://accounts.google.com&code=4/0AfrIepB0lNuG8xATDajmJvzlGfADdJDtPa4WCsLvkpqH33tXb2h3siKYPxF6KkoYEn9pjw&scope=email%20profile%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&prompt=consent

[konard]

🔄 Auto-restart triggered (attempt 1)

Reason: New comment(s) from non-bot user(s): skulidropek

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.

[konard]

OAuth Support Added

@skulidropek Thank you for the feedback! I've added OAuth authentication support for Gemini CLI.

How to use OAuth login:

1. Run docker-git menu
2. Select "Auth profiles (keys)"
3. Select "Gemini CLI: login via OAuth (Google account)"
4. Enter a label (or press Enter for "default")
5. The system will start Gemini CLI with NO_BROWSER=true
6. You'll see an auth URL - open it in your browser
7. Complete Google authentication
8. Copy the authorization code shown after authentication
9. Paste it back into the CLI

This handles the scenario where the OAuth callback URL (like http://127.0.0.1:46847/oauth2callback?...) doesn't work because you're in a Docker/headless environment.

Alternative: API Key

You can also use the simpler API key method:

1. Go to https://ai.google.dev/aistudio
2. Create an API key
3. Use docker-git menu -> "Gemini CLI: set API key" to save it

CI is currently running. Let me know if you have any questions!

[skulidropek]

Я не хочу API KEY
Мне надо то бы мы сделали OAuth авторизацию

ecific for the best results

ℹ Attempting to open authentication page in your browser.
  Otherwise navigate to:
  https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2F127.0.0.1%3A46847%2Foauth2callback&access_type=offline&scope=
  ttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fw
  w.googleapis.com%2Fauth%2Fuserinfo.profile&state=0eb1d1e1bbe346efa8ebcbc54c04b350f830cecd3439b5bce9a9564503a0acfc&response_type=code
  client_id=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com

ℹ Waiting for authentication...

ℹ Attempting to open authentication page in your browser.
  Otherwise navigate to:
  https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2F127.0.0.1%3A40663%2Foauth2callback&access_type=offline&scope=
  ttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fw
  w.googleapis.com%2Fauth%2Fuserinfo.profile&state=cc5d28f7eda500868328c9110e5c596d8b55adaa26ac0120032fb3ca2dc33919&response_type=code
  client_id=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com

ℹ Waiting for authentication...

Система даёт ссылку и мы потом должны вставить ещё ссылку типо

Т.е он даёт нам ссылку и просит что бы мы ссылку вставили обратно
http://127.0.0.1:46847/oauth2callback?state=0eb1d1e1bbe349564503a0acfc&iss=https://accounts.google.com&code=4/0AfrIepB0lNuG8xATDajmJvzlGfADdJDtPa4WCsLvkpqH33tXb2h3siKYPxF6KkoYEn9pjw&scope=email%20profile%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&prompt=consent

Что бы он её открыл

[konard]

🤖 AI Work Session Started

Starting automated work session at 2026-03-16T17:26:46.980Z

The PR has been converted to draft mode while work is in progress.

This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback.

[konard]

🤖 Solution Draft Log

This log file contains the execution trace of the latest fix session.

Changes Made

Fixed CI lint failures:

1. Refactored hasOauthCredentials function in menu-project-auth-gemini.ts to use pipe-based composition instead of Effect.gen pattern to eliminate code duplication detected by the linter
2. Removed as const type assertion to comply with Effect-TS lint rules (casting restricted to src/core/axioms.ts)
3. Created a shared GeminiAuthResult type alias to satisfy the sonarjs/use-type-alias rule
4. Extracted ANSI utilities (stripAnsi, writeChunkToFd) to a new shared module packages/lib/src/shell/ansi-strip.ts to eliminate duplication between auth-claude-oauth.ts and auth-gemini-oauth.ts

CI Status:

• ✅ Build
• ✅ Types
• ✅ Lint
• ✅ Test
• ✅ Lint Effect-TS
• ✅ E2E (Local package CLI)
• ⏳ E2E (OpenCode, Clone cache, Login context) - still running

All core checks pass. The E2E tests are slow integration tests that involve Docker operations.

---

Working session completed. The PR is now ready for review.

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $11.549210
• Calculated by Anthropic: $7.149191 USD
• Difference: $-4.400019 (-38.10%)
  📎 Log file uploaded as Gist (2019KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart 1/3

Detected uncommitted changes from previous run. Starting new session to review and commit them.

Uncommitted files:

?? ci-logs/

---

Auto-restart will stop after changes are committed or after 2 more iterations. Please wait until working session will end and give your feedback.

[konard]

OAuth Port Forwarding Implementation

@skulidropek I've implemented OAuth authentication with Docker port forwarding to address your feedback about needing to paste the callback URL.

What changed:

The OAuth flow now uses a fixed callback port (38751) with Docker port forwarding:

-p 38751:38751
OAUTH_CALLBACK_PORT=38751
OAUTH_CALLBACK_HOST=0.0.0.0

This means:

1. When you start the OAuth flow, Gemini CLI displays the auth URL
2. Open that URL in your browser and authenticate with Google
3. The browser redirects to http://localhost:38751/oauth2callback?...
4. The callback is captured automatically because port 38751 is forwarded to the Docker container

No need to paste anything back - the callback URL is now handled automatically via port forwarding.

CI Status:

• ✅ Types
• ✅ Lint
• ✅ Lint Effect-TS
• ✅ Build
• ✅ Test
• ✅ E2E (Local package CLI)
• ⏳ E2E (Login context, OpenCode, Clone cache) - slow Docker integration tests still running

---

Please let me know if you have any additional feedback!

[konard]

🔄 Auto-restart 1/3 Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $4.472503
• Calculated by Anthropic: $3.170965 USD
• Difference: $-1.301538 (-29.10%)
  📎 Log file uploaded as Gist (3254KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 1)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $15.249254
• Calculated by Anthropic: $9.172189 USD
• Difference: $-6.077065 (-39.85%)
  📎 Log file uploaded as Gist (6437KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart triggered (attempt 2)

Reason: New comment(s) from non-bot user(s): skulidropek; Uncommitted changes

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. Will continue until PR becomes mergeable.

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 2)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $0.909047
• Calculated by Anthropic: $0.337817 USD
• Difference: $-0.571230 (-62.84%)
  📎 Log file uploaded as Gist (6691KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.