From 924ac6dd35dc491115a61191ff3070c814d49780 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 08:08:14 +0000
Subject: [PATCH 01/15] feat(auth): multi-profile .orch auth + GH OAuth TUI +
 state auto-sync (#61)

---
 AGENTS.md                                     |   6 +-
 README.md                                     |  11 +-
 package.json                                  |   4 +
 .../app/src/docker-git/cli/parser-auth.ts     |  24 +-
 .../docker-git/cli/parser-mcp-playwright.ts   |   1 -
 packages/app/src/docker-git/cli/parser.ts     |   2 +-
 packages/app/src/docker-git/cli/usage.ts      |   4 +-
 packages/app/src/docker-git/menu-actions.ts   |  49 ++-
 packages/app/src/docker-git/menu-auth-data.ts | 179 ++++++++++
 packages/app/src/docker-git/menu-auth.ts      | 312 +++++++++++++++++
 .../app/src/docker-git/menu-buffer-input.ts   |  18 +
 packages/app/src/docker-git/menu-create.ts    |  16 +-
 .../app/src/docker-git/menu-input-handler.ts  | 132 +++++--
 .../app/src/docker-git/menu-input-utils.ts    |  85 +++++
 .../app/src/docker-git/menu-labeled-env.ts    |  37 ++
 .../src/docker-git/menu-project-auth-data.ts  | 252 ++++++++++++++
 .../app/src/docker-git/menu-project-auth.ts   | 271 +++++++++++++++
 .../app/src/docker-git/menu-render-auth.ts    |  54 +++
 .../app/src/docker-git/menu-render-common.ts  |  67 ++++
 .../app/src/docker-git/menu-render-layout.ts  |  30 ++
 .../docker-git/menu-render-project-auth.ts    |  69 ++++
 .../app/src/docker-git/menu-render-select.ts  |  12 +-
 packages/app/src/docker-git/menu-render.ts    |  34 +-
 .../app/src/docker-git/menu-select-load.ts    |   2 +-
 packages/app/src/docker-git/menu-select.ts    |  55 ++-
 packages/app/src/docker-git/menu-shared.ts    |  88 +++--
 packages/app/src/docker-git/menu-types.ts     |  69 +++-
 packages/app/src/docker-git/menu.ts           |  27 +-
 packages/docker-git/src/server/claude.ts      | 111 ++++++
 packages/docker-git/src/server/core/domain.ts |  27 +-
 .../docker-git/src/server/git-credentials.ts  | 131 +++++++
 packages/docker-git/src/server/github.ts      |  28 +-
 packages/docker-git/src/server/http.ts        | 323 ++++++++++++++----
 packages/docker-git/src/server/labeled-env.ts | 121 +++++++
 packages/docker-git/src/server/view.ts        | 202 ++++++-----
 .../docker-git/tests/core/templates.test.ts   |   4 +
 .../docker-git/tests/server/claude.test.ts    |  56 +++
 .../docker-git/tests/server/domain.test.ts    |  12 +-
 .../tests/server/git-credentials.test.ts      |  63 ++++
 packages/lib/src/core/command-builders.ts     |  16 +-
 packages/lib/src/core/menu.ts                 |  23 +-
 .../lib/src/usecases/actions/prepare-files.ts |   6 +-
 packages/lib/src/usecases/auth-codex.ts       |   9 +-
 packages/lib/src/usecases/auth-github.ts      |  23 +-
 packages/lib/src/usecases/env-file.ts         |  25 ++
 .../src/usecases/state-repo/github-auth.ts    |  24 +-
 packages/lib/tests/core/menu.test.ts          |  34 ++
 scripts/e2e/_lib.sh                           |  74 ++++
 scripts/e2e/clone-cache.sh                    |  18 +-
 scripts/e2e/login-context.sh                  |  40 +--
 scripts/e2e/opencode-autoconnect.sh           |  68 ++--
 scripts/e2e/run-all.sh                        |  23 ++
 52 files changed, 2949 insertions(+), 422 deletions(-)
 create mode 100644 packages/app/src/docker-git/menu-auth-data.ts
 create mode 100644 packages/app/src/docker-git/menu-auth.ts
 create mode 100644 packages/app/src/docker-git/menu-buffer-input.ts
 create mode 100644 packages/app/src/docker-git/menu-input-utils.ts
 create mode 100644 packages/app/src/docker-git/menu-labeled-env.ts
 create mode 100644 packages/app/src/docker-git/menu-project-auth-data.ts
 create mode 100644 packages/app/src/docker-git/menu-project-auth.ts
 create mode 100644 packages/app/src/docker-git/menu-render-auth.ts
 create mode 100644 packages/app/src/docker-git/menu-render-common.ts
 create mode 100644 packages/app/src/docker-git/menu-render-layout.ts
 create mode 100644 packages/app/src/docker-git/menu-render-project-auth.ts
 create mode 100644 packages/docker-git/src/server/claude.ts
 create mode 100644 packages/docker-git/src/server/git-credentials.ts
 create mode 100644 packages/docker-git/src/server/labeled-env.ts
 create mode 100644 packages/docker-git/tests/server/claude.test.ts
 create mode 100644 packages/docker-git/tests/server/git-credentials.test.ts
 create mode 100644 packages/lib/tests/core/menu.test.ts
 create mode 100644 scripts/e2e/_lib.sh
 create mode 100755 scripts/e2e/run-all.sh

diff --git a/AGENTS.md b/AGENTS.md
index 4b74344f..71f7e871 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -375,9 +375,9 @@ describe("Message invariants", () => {
 ПРИНЦИП: Сначала формализуем, потом программируем.
 
 <!-- docker-git:issue-managed:start -->
-Issue workspace: #39
-Issue URL: https://github.com/ProverCoderAI/docker-git/issues/39
-Workspace path: /home/dev/provercoderai/docker-git/issue-39
+Issue workspace: #61
+Issue URL: https://github.com/ProverCoderAI/docker-git/issues/61
+Workspace path: /home/dev/provercoderai/docker-git/issue-61
 
 Работай только над этим issue, если пользователь не попросил другое.
 Если нужен первоисточник требований, открой Issue URL.
diff --git a/README.md b/README.md
index 9ed4a275..372defa1 100644
--- a/README.md
+++ b/README.md
@@ -59,10 +59,10 @@ Structure (simplified):
   authorized_keys
   .orch/
     env/
-      global.env
+      global.env      # shared tokens/keys (GitHub, Git, Claude) with labels
     auth/
-      codex/          # shared Codex auth cache (credentials)
-      gh/             # shared GitHub auth (optional)
+      codex/          # shared Codex auth/config (when CODEX_SHARE_AUTH=1)
+      gh/             # GH CLI auth cache for OAuth login container
   <owner>/<repo>/
     docker-compose.yml
     Dockerfile
@@ -70,7 +70,6 @@ Structure (simplified):
     docker-git.json
     .orch/
       env/
-        global.env    # copied/synced from root .orch/env/global.env
         project.env   # per-project env knobs (see below)
       auth/
         codex/        # project-local Codex state (sessions/logs/tmp/etc)
@@ -79,7 +78,7 @@ Structure (simplified):
 ## Codex Auth: Shared Credentials, Per-Project Sessions
 
 Default behavior:
-- Shared credentials live in `/home/dev/.codex-shared/auth.json` (mounted from projects root).
+- Shared credentials live in `/home/dev/.codex-shared/auth.json` (mounted from `<projectsRoot>/.orch/auth/codex`).
 - Each project keeps its own Codex state under `/home/dev/.codex/` (mounted from project `.orch/auth/codex`).
 - The entrypoint links `/home/dev/.codex/auth.json -> /home/dev/.codex-shared/auth.json`.
 
@@ -160,7 +159,7 @@ Clone auth error (`Invalid username or token`):
   ```bash
   pnpm run docker-git auth github status
   pnpm run docker-git auth github logout
-  pnpm run docker-git auth github login --token '<GITHUB_TOKEN>'
+  pnpm run docker-git auth github login --web
   pnpm run docker-git auth github status
   ```
 - Token requirements:
diff --git a/package.json b/package.json
index f365c6f4..60a00d95 100644
--- a/package.json
+++ b/package.json
@@ -16,6 +16,10 @@
     "changeset-version": "changeset version",
     "clone": "pnpm --filter ./packages/app build && node packages/app/dist/main.js clone",
     "docker-git": "pnpm --filter ./packages/app build:docker-git && node packages/app/dist/src/docker-git/main.js",
+    "e2e": "bash scripts/e2e/run-all.sh",
+    "e2e:clone-cache": "bash scripts/e2e/clone-cache.sh",
+    "e2e:login-context": "bash scripts/e2e/login-context.sh",
+    "e2e:opencode-autoconnect": "bash scripts/e2e/opencode-autoconnect.sh",
     "list": "pnpm --filter ./packages/app build && node packages/app/dist/main.js list",
     "dev": "pnpm --filter ./packages/app dev",
     "lint": "pnpm --filter ./packages/app lint && pnpm --filter ./packages/lib lint",
diff --git a/packages/app/src/docker-git/cli/parser-auth.ts b/packages/app/src/docker-git/cli/parser-auth.ts
index edc1ac00..28df20a9 100644
--- a/packages/app/src/docker-git/cli/parser-auth.ts
+++ b/packages/app/src/docker-git/cli/parser-auth.ts
@@ -1,12 +1,7 @@
 import { Either, Match } from "effect"
 
 import type { RawOptions } from "@effect-template/lib/core/command-options"
-import {
-  type AuthCommand,
-  type Command,
-  defaultTemplateConfig,
-  type ParseError
-} from "@effect-template/lib/core/domain"
+import { type AuthCommand, type Command, type ParseError } from "@effect-template/lib/core/domain"
 
 import { parseRawOptions } from "./parser-options.js"
 
@@ -16,6 +11,7 @@ type AuthOptions = {
   readonly label: string | null
   readonly token: string | null
   readonly scopes: string | null
+  readonly authWeb: boolean
 }
 
 const missingArgument = (name: string): ParseError => ({
@@ -34,21 +30,27 @@ const normalizeLabel = (value: string | undefined): string | null => {
   return trimmed.length === 0 ? null : trimmed
 }
 
+const defaultEnvGlobalPath = ".docker-git/.orch/env/global.env"
+const defaultCodexAuthPath = ".docker-git/.orch/auth/codex"
+
 const resolveAuthOptions = (raw: RawOptions): AuthOptions => ({
-  envGlobalPath: raw.envGlobalPath ?? defaultTemplateConfig.envGlobalPath,
-  codexAuthPath: raw.codexAuthPath ?? defaultTemplateConfig.codexAuthPath,
+  envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
+  codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
   label: normalizeLabel(raw.label),
   token: normalizeLabel(raw.token),
-  scopes: normalizeLabel(raw.scopes)
+  scopes: normalizeLabel(raw.scopes),
+  authWeb: raw.authWeb === true
 })
 
 const buildGithubCommand = (action: string, options: AuthOptions): Either.Either<AuthCommand, ParseError> =>
   Match.value(action).pipe(
     Match.when("login", () =>
-      Either.right<AuthCommand>({
+      options.authWeb && options.token !== null
+        ? Either.left(invalidArgument("--token", "cannot be combined with --web"))
+        : Either.right<AuthCommand>({
         _tag: "AuthGithubLogin",
         label: options.label,
-        token: options.token,
+        token: options.authWeb ? null : options.token,
         scopes: options.scopes,
         envGlobalPath: options.envGlobalPath
       })),
diff --git a/packages/app/src/docker-git/cli/parser-mcp-playwright.ts b/packages/app/src/docker-git/cli/parser-mcp-playwright.ts
index 2a4179c8..42abcd5f 100644
--- a/packages/app/src/docker-git/cli/parser-mcp-playwright.ts
+++ b/packages/app/src/docker-git/cli/parser-mcp-playwright.ts
@@ -22,4 +22,3 @@ export const parseMcpPlaywright = (
     projectDir,
     runUp: raw.up ?? true
   }))
-
diff --git a/packages/app/src/docker-git/cli/parser.ts b/packages/app/src/docker-git/cli/parser.ts
index 829f4da9..8824f5ca 100644
--- a/packages/app/src/docker-git/cli/parser.ts
+++ b/packages/app/src/docker-git/cli/parser.ts
@@ -22,7 +22,7 @@ const statusCommand: Command = { _tag: "Status" }
 const downAllCommand: Command = { _tag: "DownAll" }
 
 const parseCreate = (args: ReadonlyArray<string>): Either.Either<Command, ParseError> =>
-  Either.flatMap(parseRawOptions(args), buildCreateCommand)
+  Either.flatMap(parseRawOptions(args), (raw) => buildCreateCommand(raw))
 
 // CHANGE: parse CLI arguments into a typed command
 // WHY: enforce deterministic, pure parsing before any effects run
diff --git a/packages/app/src/docker-git/cli/usage.ts b/packages/app/src/docker-git/cli/usage.ts
index 630c3915..af05e044 100644
--- a/packages/app/src/docker-git/cli/usage.ts
+++ b/packages/app/src/docker-git/cli/usage.ts
@@ -40,7 +40,6 @@ Options:
   --container-name <name>   Docker container name (default: dg-<repo>)
   --service-name <name>     Compose service name (default: dg-<repo>)
   --volume-name <name>      Docker volume name (default: dg-<repo>-home)
-  --secrets-root <path>     Host root for shared secrets (default: n/a)
   --authorized-keys <path>  Host path to authorized_keys (default: <projectsRoot>/authorized_keys)
   --env-global <path>       Host path to shared env file (default: <projectsRoot>/.orch/env/global.env)
   --env-project <path>      Host path to project env file (default: ./.orch/env/project.env)
@@ -80,7 +79,8 @@ Auth actions:
 
 Auth options:
   --label <label>        Account label (default: default)
-  --token <token>        GitHub token override (login only)
+  --token <token>        GitHub token override (login only; useful for non-interactive/CI)
+  --web                 Force OAuth web flow (login only; ignores --token)
   --scopes <scopes>      GitHub scopes (login only, default: repo,workflow,read:org)
   --env-global <path>    Env file path for GitHub tokens (default: <projectsRoot>/.orch/env/global.env)
   --codex-auth <path>    Codex auth root path (default: <projectsRoot>/.orch/auth/codex)
diff --git a/packages/app/src/docker-git/menu-actions.ts b/packages/app/src/docker-git/menu-actions.ts
index 8cda3dfc..21664713 100644
--- a/packages/app/src/docker-git/menu-actions.ts
+++ b/packages/app/src/docker-git/menu-actions.ts
@@ -12,10 +12,11 @@ import {
 import { runDockerComposeUpWithPortCheck } from "@effect-template/lib/usecases/projects-up"
 import { Effect, Match, pipe } from "effect"
 
+import { openAuthMenu } from "./menu-auth.js"
 import { startCreateView } from "./menu-create.js"
 import { loadSelectView } from "./menu-select-load.js"
-import { resumeTui, suspendTui } from "./menu-shared.js"
-import { type MenuEnv, type MenuRunner, type MenuState, type ViewState } from "./menu-types.js"
+import { pauseForEnter, resumeTui, suspendTui, writeToTerminal } from "./menu-shared.js"
+import { type MenuEnv, type MenuRunner, type MenuState, type MenuViewContext } from "./menu-types.js"
 
 // CHANGE: keep menu actions and input parsing in a dedicated module
 // WHY: reduce cognitive complexity in the TUI entry
@@ -39,9 +40,7 @@ export type MenuContext = {
   readonly state: MenuState
   readonly runner: MenuRunner
   readonly exit: () => void
-  readonly setView: (view: ViewState) => void
-  readonly setMessage: (message: string | null) => void
-}
+} & MenuViewContext
 
 export type MenuSelectionContext = MenuContext & {
   readonly selected: number
@@ -50,6 +49,8 @@ export type MenuSelectionContext = MenuContext & {
 
 const actionLabel = (action: MenuAction): string =>
   Match.value(action).pipe(
+    Match.when({ _tag: "Auth" }, () => "Auth profiles"),
+    Match.when({ _tag: "ProjectAuth" }, () => "Project auth"),
     Match.when({ _tag: "Up" }, () => "docker compose up"),
     Match.when({ _tag: "Status" }, () => "docker compose ps"),
     Match.when({ _tag: "Logs" }, () => "docker compose logs"),
@@ -69,7 +70,19 @@ const runWithSuspendedTui = (
         context.setMessage(`${label}...`)
         suspendTui()
       }),
-      Effect.zipRight(effect),
+      Effect.zipRight(
+        pipe(
+          effect,
+          Effect.tapError((error) =>
+            Effect.ignore(
+              Effect.tryPromise(async () => {
+                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                await pauseForEnter()
+              })
+            )
+          )
+        )
+      ),
       Effect.tap(() =>
         Effect.sync(() => {
           context.setMessage(`${label} finished.`)
@@ -140,6 +153,8 @@ const handleMenuAction = (
     Match.when({ _tag: "Quit" }, () => Effect.succeed(quitOutcome)),
     Match.when({ _tag: "Create" }, () => Effect.succeed(continueOutcome(state))),
     Match.when({ _tag: "Select" }, () => Effect.succeed(continueOutcome(state))),
+    Match.when({ _tag: "Auth" }, () => Effect.succeed(continueOutcome(state))),
+    Match.when({ _tag: "ProjectAuth" }, () => Effect.succeed(continueOutcome(state))),
     Match.when({ _tag: "Info" }, () => Effect.succeed(continueOutcome(state))),
     Match.when({ _tag: "Delete" }, () => Effect.succeed(continueOutcome(state))),
     Match.when({ _tag: "Up" }, () =>
@@ -171,6 +186,22 @@ const runSelectAction = (context: MenuContext) => {
   context.runner.runEffect(loadSelectView(listProjectItems, "Connect", context))
 }
 
+const runAuthProfilesAction = (context: MenuContext) => {
+  context.setMessage(null)
+  openAuthMenu({
+    state: context.state,
+    runner: context.runner,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir
+  })
+}
+
+const runProjectAuthAction = (context: MenuContext) => {
+  context.setMessage(null)
+  context.runner.runEffect(loadSelectView(listProjectItems, "Auth", context))
+}
+
 const runDownAllAction = (context: MenuContext) => {
   context.setMessage(null)
   runWithSuspendedTui(downAllDockerGitProjects, context, "Stopping all docker-git containers")
@@ -222,6 +253,12 @@ export const handleMenuActionSelection = (action: MenuAction, context: MenuConte
     Match.when({ _tag: "Select" }, () => {
       runSelectAction(context)
     }),
+    Match.when({ _tag: "Auth" }, () => {
+      runAuthProfilesAction(context)
+    }),
+    Match.when({ _tag: "ProjectAuth" }, () => {
+      runProjectAuthAction(context)
+    }),
     Match.when({ _tag: "Info" }, () => {
       runInfoAction(context)
     }),
diff --git a/packages/app/src/docker-git/menu-auth-data.ts b/packages/app/src/docker-git/menu-auth-data.ts
new file mode 100644
index 00000000..796b97ad
--- /dev/null
+++ b/packages/app/src/docker-git/menu-auth-data.ts
@@ -0,0 +1,179 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { Effect, Match, pipe } from "effect"
+
+import { ensureEnvFile, parseEnvEntries, readEnvText, upsertEnvKey } from "@effect-template/lib/usecases/env-file"
+import { type AppError } from "@effect-template/lib/usecases/errors"
+import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
+import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
+
+import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
+import type { AuthFlow, AuthSnapshot, MenuEnv } from "./menu-types.js"
+
+export type AuthMenuAction = AuthFlow | "Refresh" | "Back"
+
+type AuthMenuItem = {
+  readonly action: AuthMenuAction
+  readonly label: string
+}
+
+export type AuthPromptStep = {
+  readonly key: "label" | "token" | "user" | "apiKey"
+  readonly label: string
+  readonly required: boolean
+  readonly secret: boolean
+}
+
+const authMenuItems: ReadonlyArray<AuthMenuItem> = [
+  { action: "GithubOauth", label: "GitHub: login via OAuth (web)" },
+  { action: "GithubRemove", label: "GitHub: remove token" },
+  { action: "GitSet", label: "Git: add/update credentials" },
+  { action: "GitRemove", label: "Git: remove credentials" },
+  { action: "ClaudeSet", label: "Claude: add/update API key" },
+  { action: "ClaudeRemove", label: "Claude: remove API key" },
+  { action: "Refresh", label: "Refresh snapshot" },
+  { action: "Back", label: "Back to main menu" }
+]
+
+const flowSteps: Readonly<Record<AuthFlow, ReadonlyArray<AuthPromptStep>>> = {
+  GithubOauth: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  GithubRemove: [
+    { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
+  ],
+  GitSet: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false },
+    { key: "token", label: "Git auth token", required: true, secret: true },
+    { key: "user", label: "Git auth user (empty = x-access-token)", required: false, secret: false }
+  ],
+  GitRemove: [
+    { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
+  ],
+  ClaudeSet: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false },
+    { key: "apiKey", label: "Claude API key", required: true, secret: true }
+  ],
+  ClaudeRemove: [
+    { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
+  ]
+}
+
+const flowTitle = (flow: AuthFlow): string =>
+  Match.value(flow).pipe(
+    Match.when("GithubOauth", () => "GitHub OAuth"),
+    Match.when("GithubRemove", () => "GitHub remove"),
+    Match.when("GitSet", () => "Git credentials"),
+    Match.when("GitRemove", () => "Git remove"),
+    Match.when("ClaudeSet", () => "Claude API key"),
+    Match.when("ClaudeRemove", () => "Claude remove"),
+    Match.exhaustive
+  )
+
+export const successMessage = (flow: AuthFlow, label: string): string =>
+  Match.value(flow).pipe(
+    Match.when("GithubOauth", () => `Saved GitHub token (${label}).`),
+    Match.when("GithubRemove", () => `Removed GitHub token (${label}).`),
+    Match.when("GitSet", () => `Saved Git credentials (${label}).`),
+    Match.when("GitRemove", () => `Removed Git credentials (${label}).`),
+    Match.when("ClaudeSet", () => `Saved Claude key (${label}).`),
+    Match.when("ClaudeRemove", () => `Removed Claude key (${label}).`),
+    Match.exhaustive
+  )
+
+const buildGlobalEnvPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`
+
+type AuthEnvText = {
+  readonly fs: FileSystem.FileSystem
+  readonly globalEnvPath: string
+  readonly envText: string
+}
+
+const loadAuthEnvText = (
+  cwd: string
+): Effect.Effect<AuthEnvText, AppError, MenuEnv> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const globalEnvPath = buildGlobalEnvPath(cwd)
+    yield* _(ensureEnvFile(fs, path, globalEnvPath))
+    const envText = yield* _(readEnvText(fs, globalEnvPath))
+    return { fs, globalEnvPath, envText }
+  })
+
+export const readAuthSnapshot = (
+  cwd: string
+): Effect.Effect<AuthSnapshot, AppError, MenuEnv> =>
+  pipe(
+    loadAuthEnvText(cwd),
+    Effect.map(({ envText, globalEnvPath }) => ({
+      globalEnvPath,
+      totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
+      githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
+      gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
+      gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
+      claudeKeyEntries: countKeyEntries(envText, "ANTHROPIC_API_KEY")
+    }))
+  )
+
+export const writeAuthFlow = (
+  cwd: string,
+  flow: AuthFlow,
+  values: Readonly<Record<string, string>>
+): Effect.Effect<void, AppError, MenuEnv> =>
+  pipe(
+    loadAuthEnvText(cwd),
+    Effect.flatMap(({ envText, fs, globalEnvPath }) => {
+      const label = values["label"] ?? ""
+      const canonicalLabel = (() => {
+        const normalized = normalizeLabel(label)
+        return normalized.length === 0 || normalized === "DEFAULT" ? "default" : normalized
+      })()
+      const token = (values["token"] ?? "").trim()
+      const user = (values["user"] ?? "").trim()
+      const apiKey = (values["apiKey"] ?? "").trim()
+      const nextText = Match.value(flow).pipe(
+        Match.when("GithubOauth", () => envText),
+        Match.when("GithubRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("GITHUB_TOKEN", label), "")),
+        Match.when("GitSet", () => {
+          const withToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), token)
+          const resolvedUser = user.length > 0 ? user : "x-access-token"
+          return upsertEnvKey(withToken, buildLabeledEnvKey("GIT_AUTH_USER", label), resolvedUser)
+        }),
+        Match.when("GitRemove", () => {
+          const withoutToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), "")
+          return upsertEnvKey(withoutToken, buildLabeledEnvKey("GIT_AUTH_USER", label), "")
+        }),
+        Match.when("ClaudeSet", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), apiKey)),
+        Match.when("ClaudeRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), "")),
+        Match.exhaustive
+      )
+      const syncMessage = Match.value(flow).pipe(
+        Match.when("GithubOauth", () => `chore(state): auth gh ${canonicalLabel}`),
+        Match.when("GithubRemove", () => `chore(state): auth gh logout ${canonicalLabel}`),
+        Match.when("GitSet", () => `chore(state): auth git ${canonicalLabel}`),
+        Match.when("GitRemove", () => `chore(state): auth git logout ${canonicalLabel}`),
+        Match.when("ClaudeSet", () => `chore(state): auth claude ${canonicalLabel}`),
+        Match.when("ClaudeRemove", () => `chore(state): auth claude logout ${canonicalLabel}`),
+        Match.exhaustive
+      )
+      return pipe(
+        fs.writeFileString(globalEnvPath, nextText),
+        Effect.zipRight(autoSyncState(syncMessage))
+      )
+    }),
+    Effect.asVoid
+  )
+
+export const authViewTitle = (flow: AuthFlow): string => flowTitle(flow)
+
+export const authViewSteps = (flow: AuthFlow): ReadonlyArray<AuthPromptStep> => flowSteps[flow]
+
+export const authMenuLabels = (): ReadonlyArray<string> => authMenuItems.map((item) => item.label)
+
+export const authMenuActionByIndex = (index: number): AuthMenuAction | null => {
+  const item = authMenuItems[index]
+  return item ? item.action : null
+}
+
+export const authMenuSize = (): number => authMenuItems.length
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
new file mode 100644
index 00000000..ebf007ef
--- /dev/null
+++ b/packages/app/src/docker-git/menu-auth.ts
@@ -0,0 +1,312 @@
+import { Effect, pipe } from "effect"
+
+import { authGithubLogin } from "@effect-template/lib/usecases/auth"
+import type { AppError } from "@effect-template/lib/usecases/errors"
+import { renderError } from "@effect-template/lib/usecases/errors"
+
+import {
+  type AuthMenuAction,
+  authMenuActionByIndex,
+  authMenuSize,
+  authViewSteps,
+  readAuthSnapshot,
+  successMessage,
+  writeAuthFlow
+} from "./menu-auth-data.js"
+import { nextBufferValue } from "./menu-buffer-input.js"
+import { handleMenuNumberInput, submitPromptStep } from "./menu-input-utils.js"
+import { pauseForEnter, resetToMenu, resumeTui, suspendTui, writeToTerminal } from "./menu-shared.js"
+import type {
+  AuthFlow,
+  AuthSnapshot,
+  MenuEnv,
+  MenuKeyInput,
+  MenuRunner,
+  MenuState,
+  MenuViewContext,
+  ViewState
+} from "./menu-types.js"
+
+type AuthContext = MenuViewContext & {
+  readonly state: MenuState
+  readonly runner: MenuRunner
+}
+
+type AuthInputContext = AuthContext & {
+  readonly setSshActive: (active: boolean) => void
+  readonly setSkipInputs: (update: (value: number) => number) => void
+}
+
+type AuthPromptView = Extract<ViewState, { readonly _tag: "AuthPrompt" }>
+
+const defaultLabel = (value: string): string => {
+  const trimmed = value.trim()
+  return trimmed.length > 0 ? trimmed : "default"
+}
+
+const startAuthMenuWithSnapshot = (
+  snapshot: AuthSnapshot,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+) => {
+  context.setView({ _tag: "AuthMenu", selected: 0, snapshot })
+  context.setMessage(null)
+}
+
+const startAuthPrompt = (
+  snapshot: AuthSnapshot,
+  flow: AuthFlow,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+) => {
+  context.setView({
+    _tag: "AuthPrompt",
+    flow,
+    step: 0,
+    buffer: "",
+    values: {},
+    snapshot
+  })
+  context.setMessage(null)
+}
+
+const resolveAuthPromptEffect = (
+  view: AuthPromptView,
+  cwd: string,
+  values: Readonly<Record<string, string>>
+): Effect.Effect<void, AppError, MenuEnv> => {
+  if (view.flow === "GithubOauth") {
+    const labelValue = (values["label"] ?? "").trim()
+    const labelOption = labelValue.length > 0 ? labelValue : null
+    return authGithubLogin({
+      _tag: "AuthGithubLogin",
+      label: labelOption,
+      token: null,
+      scopes: null,
+      envGlobalPath: view.snapshot.globalEnvPath
+    })
+  }
+  return writeAuthFlow(cwd, view.flow, values)
+}
+
+const runAuthPromptEffect = (
+  effect: Effect.Effect<void, AppError, MenuEnv>,
+  view: AuthPromptView,
+  label: string,
+  context: AuthInputContext,
+  options: { readonly suspendTui: boolean }
+) => {
+  const withOptionalSuspension = options.suspendTui
+    ? pipe(
+      Effect.sync(() => {
+        suspendTui()
+      }),
+      Effect.zipRight(
+        pipe(
+          effect,
+          Effect.tapError((error) =>
+            Effect.ignore(
+              Effect.tryPromise(async () => {
+                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                await pauseForEnter()
+              })
+            )
+          )
+        )
+      ),
+      Effect.ensuring(
+        Effect.sync(() => {
+          resumeTui()
+          context.setSshActive(false)
+          context.setSkipInputs(() => 2)
+        })
+      )
+    )
+    : effect
+
+  if (options.suspendTui) {
+    context.setSshActive(true)
+  }
+  context.runner.runEffect(
+    pipe(
+      withOptionalSuspension,
+      Effect.zipRight(readAuthSnapshot(context.state.cwd)),
+      Effect.tap((snapshot) =>
+        Effect.sync(() => {
+          startAuthMenuWithSnapshot(snapshot, context)
+          context.setMessage(successMessage(view.flow, label))
+        })
+      ),
+      Effect.asVoid
+    )
+  )
+}
+
+const loadAuthMenuView = (
+  cwd: string,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+): Effect.Effect<void, AppError, MenuEnv> =>
+  pipe(
+    readAuthSnapshot(cwd),
+    Effect.tap((snapshot) =>
+      Effect.sync(() => {
+        startAuthMenuWithSnapshot(snapshot, context)
+      })
+    ),
+    Effect.asVoid
+  )
+
+const runAuthAction = (
+  action: AuthMenuAction,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  context: AuthContext
+) => {
+  if (action === "Back") {
+    resetToMenu(context)
+    return
+  }
+  if (action === "Refresh") {
+    context.runner.runEffect(loadAuthMenuView(context.state.cwd, context))
+    return
+  }
+  startAuthPrompt(view.snapshot, action, context)
+}
+
+const submitAuthPrompt = (
+  view: AuthPromptView,
+  context: AuthInputContext
+) => {
+  const steps = authViewSteps(view.flow)
+  submitPromptStep(
+    view,
+    steps,
+    context,
+    () => {
+      startAuthMenuWithSnapshot(view.snapshot, context)
+    },
+    (nextValues) => {
+      const label = defaultLabel(nextValues["label"] ?? "")
+      const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)
+      runAuthPromptEffect(effect, view, label, context, { suspendTui: view.flow === "GithubOauth" })
+    }
+  )
+}
+
+const setAuthMenuSelection = (
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  selected: number,
+  context: AuthContext
+) => {
+  context.setView({
+    ...view,
+    selected
+  })
+}
+
+const shiftAuthMenuSelection = (
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  delta: number,
+  context: AuthContext
+) => {
+  const menuSize = authMenuSize()
+  const selected = (view.selected + delta + menuSize) % menuSize
+  setAuthMenuSelection(view, selected, context)
+}
+
+const runAuthMenuSelection = (
+  selected: number,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  context: AuthContext
+) => {
+  const action = authMenuActionByIndex(selected)
+  if (action === null) {
+    return
+  }
+  runAuthAction(action, view, context)
+}
+
+const handleAuthMenuNumberInput = (
+  input: string,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  context: AuthContext
+) => {
+  handleMenuNumberInput(input, context, authMenuActionByIndex, (action) => {
+    runAuthAction(action, view, context)
+  })
+}
+
+const handleAuthMenuInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" }>,
+  context: AuthContext
+) => {
+  if (key.escape) {
+    resetToMenu(context)
+    return
+  }
+  if (key.upArrow) {
+    shiftAuthMenuSelection(view, -1, context)
+    return
+  }
+  if (key.downArrow) {
+    shiftAuthMenuSelection(view, 1, context)
+    return
+  }
+  if (key.return) {
+    runAuthMenuSelection(view.selected, view, context)
+    return
+  }
+  handleAuthMenuNumberInput(input, view, context)
+}
+
+const handleAuthPromptInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "AuthPrompt" }>,
+  context: AuthInputContext
+) => {
+  if (key.escape) {
+    startAuthMenuWithSnapshot(view.snapshot, context)
+    return
+  }
+  if (key.return) {
+    submitAuthPrompt(view, context)
+    return
+  }
+  setAuthPromptBuffer({ input, key, view, context })
+}
+
+type SetAuthPromptBufferArgs = {
+  readonly input: string
+  readonly key: MenuKeyInput
+  readonly view: Extract<ViewState, { readonly _tag: "AuthPrompt" }>
+  readonly context: Pick<MenuViewContext, "setView">
+}
+
+const setAuthPromptBuffer = (
+  args: SetAuthPromptBufferArgs
+) => {
+  const { context, input, key, view } = args
+  const nextBuffer = nextBufferValue(input, key, view.buffer)
+  if (nextBuffer === null) {
+    return
+  }
+  context.setView({ ...view, buffer: nextBuffer })
+}
+
+export const openAuthMenu = (context: AuthContext): void => {
+  context.setMessage("Loading auth profiles...")
+  context.runner.runEffect(loadAuthMenuView(context.state.cwd, context))
+}
+
+export const handleAuthInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" | "AuthPrompt" }>,
+  context: AuthInputContext
+) => {
+  if (view._tag === "AuthMenu") {
+    handleAuthMenuInput(input, key, view, context)
+    return
+  }
+  handleAuthPromptInput(input, key, view, context)
+}
diff --git a/packages/app/src/docker-git/menu-buffer-input.ts b/packages/app/src/docker-git/menu-buffer-input.ts
new file mode 100644
index 00000000..aa97217d
--- /dev/null
+++ b/packages/app/src/docker-git/menu-buffer-input.ts
@@ -0,0 +1,18 @@
+export type BufferInputKey = {
+  readonly backspace?: boolean
+  readonly delete?: boolean
+}
+
+export const nextBufferValue = (
+  input: string,
+  key: BufferInputKey,
+  buffer: string
+): string | null => {
+  if (key.backspace || key.delete) {
+    return buffer.slice(0, -1)
+  }
+  if (input.length > 0) {
+    return buffer + input
+  }
+  return null
+}
diff --git a/packages/app/src/docker-git/menu-create.ts b/packages/app/src/docker-git/menu-create.ts
index 6b43e6ab..c044ddf8 100644
--- a/packages/app/src/docker-git/menu-create.ts
+++ b/packages/app/src/docker-git/menu-create.ts
@@ -7,6 +7,7 @@ import { Effect, Either, Match, pipe } from "effect"
 import { parseArgs } from "./cli/parser.js"
 import { formatParseError, usageText } from "./cli/usage.js"
 
+import { nextBufferValue } from "./menu-buffer-input.js"
 import { resetToMenu } from "./menu-shared.js"
 import {
   type CreateInputs,
@@ -45,7 +46,7 @@ type CreateReturnContext = CreateContext & {
 }
 
 export const buildCreateArgs = (input: CreateInputs): ReadonlyArray<string> => {
-  const args: Array<string> = ["create", "--repo-url", input.repoUrl, "--secrets-root", input.secretsRoot]
+  const args: Array<string> = ["create", "--repo-url", input.repoUrl]
   if (input.repoRef.length > 0) {
     args.push("--repo-ref", input.repoRef)
   }
@@ -106,14 +107,12 @@ export const resolveCreateInputs = (
 ): CreateInputs => {
   const repoUrl = values.repoUrl ?? ""
   const resolvedRepoRef = repoUrl.length > 0 ? resolveRepoInput(repoUrl).repoRef : undefined
-  const secretsRoot = values.secretsRoot ?? joinPath(defaultProjectsRoot(cwd), "secrets")
   const outDir = values.outDir ?? (repoUrl.length > 0 ? resolveDefaultOutDir(cwd, repoUrl) : "")
 
   return {
     repoUrl,
     repoRef: values.repoRef ?? resolvedRepoRef ?? "main",
     outDir,
-    secretsRoot,
     runUp: values.runUp !== false,
     enableMcpPlaywright: values.enableMcpPlaywright === true,
     force: values.force === true,
@@ -308,13 +307,8 @@ export const handleCreateInput = (
     handleCreateReturn({ ...context, view })
     return
   }
-
-  if (key.backspace || key.delete) {
-    context.setView({ ...view, buffer: view.buffer.slice(0, -1) })
-    return
-  }
-
-  if (input.length > 0) {
-    context.setView({ ...view, buffer: view.buffer + input })
+  const nextBuffer = nextBufferValue(input, key, view.buffer)
+  if (nextBuffer !== null) {
+    context.setView({ ...view, buffer: nextBuffer })
   }
 }
diff --git a/packages/app/src/docker-git/menu-input-handler.ts b/packages/app/src/docker-git/menu-input-handler.ts
index df4bbdac..818d18c6 100644
--- a/packages/app/src/docker-git/menu-input-handler.ts
+++ b/packages/app/src/docker-git/menu-input-handler.ts
@@ -1,5 +1,7 @@
+import { handleAuthInput } from "./menu-auth.js"
 import { handleCreateInput } from "./menu-create.js"
 import { handleMenuInput } from "./menu-menu.js"
+import { handleProjectAuthInput } from "./menu-project-auth.js"
 import { handleSelectInput } from "./menu-select.js"
 import type { MenuKeyInput, MenuRunner, MenuState, MenuViewContext, ViewState } from "./menu-types.js"
 
@@ -20,6 +22,8 @@ export type MenuInputContext = MenuViewContext & {
   readonly exit: () => void
 }
 
+type ActiveView = Exclude<ViewState, { readonly _tag: "Menu" }>
+
 const activateInput = (
   input: string,
   key: Pick<MenuKeyInput, "upArrow" | "downArrow" | "return">,
@@ -59,43 +63,79 @@ const shouldHandleMenuInput = (
   return activation.allowProcessing
 }
 
-export const handleUserInput = (
+const handleMenuViewInput = (
   input: string,
   key: MenuKeyInput,
   context: MenuInputContext
 ) => {
-  if (context.busy || context.sshActive) {
+  if (!shouldHandleMenuInput(input, key, context)) {
     return
   }
+  handleMenuInput(input, key, {
+    selected: context.selected,
+    setSelected: context.setSelected,
+    state: context.state,
+    runner: context.runner,
+    exit: context.exit,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir
+  })
+}
 
-  if (context.view._tag === "Menu") {
-    if (!shouldHandleMenuInput(input, key, context)) {
-      return
-    }
-    handleMenuInput(input, key, {
-      selected: context.selected,
-      setSelected: context.setSelected,
-      state: context.state,
-      runner: context.runner,
-      exit: context.exit,
-      setView: context.setView,
-      setMessage: context.setMessage
-    })
-    return
-  }
+const handleCreateViewInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "Create" }>,
+  context: MenuInputContext
+) => {
+  handleCreateInput(input, key, view, {
+    state: context.state,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    runner: context.runner,
+    setActiveDir: context.setActiveDir
+  })
+}
 
-  if (context.view._tag === "Create") {
-    handleCreateInput(input, key, context.view, {
-      state: context.state,
-      setView: context.setView,
-      setMessage: context.setMessage,
-      runner: context.runner,
-      setActiveDir: context.setActiveDir
-    })
-    return
-  }
+const handleAuthViewInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "AuthMenu" | "AuthPrompt" }>,
+  context: MenuInputContext
+) => {
+  handleAuthInput(input, key, view, {
+    state: context.state,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir,
+    runner: context.runner,
+    setSshActive: context.setSshActive,
+    setSkipInputs: context.setSkipInputs
+  })
+}
 
-  handleSelectInput(input, key, context.view, {
+const handleProjectAuthViewInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" | "ProjectAuthPrompt" }>,
+  context: MenuInputContext
+) => {
+  handleProjectAuthInput(input, key, view, {
+    runner: context.runner,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir
+  })
+}
+
+const handleSelectViewInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "SelectProject" }>,
+  context: MenuInputContext
+) => {
+  handleSelectInput(input, key, view, {
     setView: context.setView,
     setMessage: context.setMessage,
     setActiveDir: context.setActiveDir,
@@ -105,3 +145,39 @@ export const handleUserInput = (
     setSkipInputs: context.setSkipInputs
   })
 }
+
+const handleActiveViewInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: ActiveView,
+  context: MenuInputContext
+) => {
+  if (view._tag === "Create") {
+    handleCreateViewInput(input, key, view, context)
+    return
+  }
+  if (view._tag === "AuthMenu" || view._tag === "AuthPrompt") {
+    handleAuthViewInput(input, key, view, context)
+    return
+  }
+  if (view._tag === "ProjectAuthMenu" || view._tag === "ProjectAuthPrompt") {
+    handleProjectAuthViewInput(input, key, view, context)
+    return
+  }
+  handleSelectViewInput(input, key, view, context)
+}
+
+export const handleUserInput = (
+  input: string,
+  key: MenuKeyInput,
+  context: MenuInputContext
+) => {
+  if (context.busy || context.sshActive) {
+    return
+  }
+  if (context.view._tag === "Menu") {
+    handleMenuViewInput(input, key, context)
+    return
+  }
+  handleActiveViewInput(input, key, context.view, context)
+}
diff --git a/packages/app/src/docker-git/menu-input-utils.ts b/packages/app/src/docker-git/menu-input-utils.ts
new file mode 100644
index 00000000..3aa40c24
--- /dev/null
+++ b/packages/app/src/docker-git/menu-input-utils.ts
@@ -0,0 +1,85 @@
+export const parseMenuIndex = (input: string): number | null => {
+  const trimmed = input.trim()
+  if (trimmed.length === 0) {
+    return null
+  }
+  const parsed = Number(trimmed)
+  if (!Number.isInteger(parsed)) {
+    return null
+  }
+  const index = parsed - 1
+  return index >= 0 ? index : null
+}
+
+type PromptStep = {
+  readonly key: string
+  readonly label: string
+  readonly required: boolean
+}
+
+type PromptView = {
+  readonly step: number
+  readonly buffer: string
+  readonly values: Readonly<Record<string, string>>
+}
+
+type PromptContext<V extends PromptView> = {
+  readonly setView: (view: V) => void
+  readonly setMessage: (message: string | null) => void
+}
+
+export const submitPromptStep = <V extends PromptView>(
+  view: V,
+  steps: ReadonlyArray<PromptStep>,
+  context: PromptContext<V>,
+  onCancel: () => void,
+  onSubmit: (values: Readonly<Record<string, string>>) => void
+): void => {
+  const step = steps[view.step]
+  if (!step) {
+    onCancel()
+    return
+  }
+
+  const value = view.buffer.trim()
+  if (step.required && value.length === 0) {
+    context.setMessage(`${step.label} is required.`)
+    return
+  }
+
+  const nextValues: Readonly<Record<string, string>> = { ...view.values, [step.key]: value }
+  const nextStep = view.step + 1
+  if (nextStep < steps.length) {
+    context.setView({ ...view, step: nextStep, buffer: "", values: nextValues })
+    context.setMessage(null)
+    return
+  }
+
+  onSubmit(nextValues)
+}
+
+type MenuNumberInputContext = {
+  readonly setMessage: (message: string | null) => void
+}
+
+export const handleMenuNumberInput = <A>(
+  input: string,
+  context: MenuNumberInputContext,
+  actionByIndex: (index: number) => A | null,
+  runAction: (action: A) => void
+): void => {
+  const index = parseMenuIndex(input)
+  if (index === null) {
+    if (input.trim().length > 0) {
+      context.setMessage("Use arrows + Enter, or type a number from the list.")
+    }
+    return
+  }
+
+  const action = actionByIndex(index)
+  if (action === null) {
+    context.setMessage(`Unknown action: ${input.trim()}`)
+    return
+  }
+  runAction(action)
+}
diff --git a/packages/app/src/docker-git/menu-labeled-env.ts b/packages/app/src/docker-git/menu-labeled-env.ts
new file mode 100644
index 00000000..c8ff1d5b
--- /dev/null
+++ b/packages/app/src/docker-git/menu-labeled-env.ts
@@ -0,0 +1,37 @@
+import { parseEnvEntries } from "@effect-template/lib/usecases/env-file"
+
+export const normalizeLabel = (value: string): string => {
+  const trimmed = value.trim()
+  if (trimmed.length === 0) {
+    return ""
+  }
+  const normalized = trimmed
+    .toUpperCase()
+    .replaceAll(/[^A-Z0-9]+/g, "_")
+
+  let start = 0
+  while (start < normalized.length && normalized[start] === "_") {
+    start += 1
+  }
+  let end = normalized.length
+  while (end > start && normalized[end - 1] === "_") {
+    end -= 1
+  }
+  const cleaned = normalized.slice(start, end)
+  return cleaned.length > 0 ? cleaned : ""
+}
+
+export const buildLabeledEnvKey = (baseKey: string, label: string): string => {
+  const normalized = normalizeLabel(label)
+  if (normalized.length === 0 || normalized === "DEFAULT") {
+    return baseKey
+  }
+  return `${baseKey}__${normalized}`
+}
+
+export const countKeyEntries = (envText: string, baseKey: string): number => {
+  const prefix = `${baseKey}__`
+  return parseEnvEntries(envText)
+    .filter((entry) => entry.value.trim().length > 0 && (entry.key === baseKey || entry.key.startsWith(prefix)))
+    .length
+}
diff --git a/packages/app/src/docker-git/menu-project-auth-data.ts b/packages/app/src/docker-git/menu-project-auth-data.ts
new file mode 100644
index 00000000..985e4e3d
--- /dev/null
+++ b/packages/app/src/docker-git/menu-project-auth-data.ts
@@ -0,0 +1,252 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { Effect, Match, pipe } from "effect"
+
+import { AuthError } from "@effect-template/lib/shell/errors"
+import { ensureEnvFile, findEnvValue, readEnvText, upsertEnvKey } from "@effect-template/lib/usecases/env-file"
+import type { AppError } from "@effect-template/lib/usecases/errors"
+import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
+import type { ProjectItem } from "@effect-template/lib/usecases/projects"
+import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
+
+import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
+import type { MenuEnv, ProjectAuthFlow, ProjectAuthSnapshot } from "./menu-types.js"
+
+export type ProjectAuthMenuAction = ProjectAuthFlow | "Refresh" | "Back"
+
+type ProjectAuthMenuItem = {
+  readonly action: ProjectAuthMenuAction
+  readonly label: string
+}
+
+export type ProjectAuthPromptStep = {
+  readonly key: "label"
+  readonly label: string
+  readonly required: boolean
+  readonly secret: boolean
+}
+
+const projectAuthMenuItems: ReadonlyArray<ProjectAuthMenuItem> = [
+  { action: "ProjectGithubConnect", label: "Project: GitHub connect label" },
+  { action: "ProjectGithubDisconnect", label: "Project: GitHub disconnect" },
+  { action: "ProjectGitConnect", label: "Project: Git connect label" },
+  { action: "ProjectGitDisconnect", label: "Project: Git disconnect" },
+  { action: "ProjectClaudeConnect", label: "Project: Claude connect label" },
+  { action: "ProjectClaudeDisconnect", label: "Project: Claude disconnect" },
+  { action: "Refresh", label: "Refresh snapshot" },
+  { action: "Back", label: "Back to main menu" }
+]
+
+const flowSteps: Readonly<Record<ProjectAuthFlow, ReadonlyArray<ProjectAuthPromptStep>>> = {
+  ProjectGithubConnect: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  ProjectGithubDisconnect: [],
+  ProjectGitConnect: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  ProjectGitDisconnect: [],
+  ProjectClaudeConnect: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  ProjectClaudeDisconnect: []
+}
+
+const resolveCanonicalLabel = (value: string): string => {
+  const normalized = normalizeLabel(value)
+  return normalized.length === 0 || normalized === "DEFAULT" ? "default" : normalized
+}
+
+const githubTokenBaseKey = "GITHUB_TOKEN"
+const gitTokenBaseKey = "GIT_AUTH_TOKEN"
+const gitUserBaseKey = "GIT_AUTH_USER"
+const claudeApiKeyBaseKey = "ANTHROPIC_API_KEY"
+
+const projectGithubLabelKey = "GITHUB_AUTH_LABEL"
+const projectGitLabelKey = "GIT_AUTH_LABEL"
+const projectClaudeLabelKey = "CLAUDE_AUTH_LABEL"
+
+const defaultGitUser = "x-access-token"
+
+type ProjectAuthEnvText = {
+  readonly fs: FileSystem.FileSystem
+  readonly path: Path.Path
+  readonly globalEnvPath: string
+  readonly projectEnvPath: string
+  readonly globalEnvText: string
+  readonly projectEnvText: string
+}
+
+const buildGlobalEnvPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`
+
+const loadProjectAuthEnvText = (
+  project: ProjectItem
+): Effect.Effect<ProjectAuthEnvText, AppError, MenuEnv> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const globalEnvPath = buildGlobalEnvPath(process.cwd())
+    yield* _(ensureEnvFile(fs, path, globalEnvPath))
+    yield* _(ensureEnvFile(fs, path, project.envProjectPath))
+    const globalEnvText = yield* _(readEnvText(fs, globalEnvPath))
+    const projectEnvText = yield* _(readEnvText(fs, project.envProjectPath))
+    return {
+      fs,
+      path,
+      globalEnvPath,
+      projectEnvPath: project.envProjectPath,
+      globalEnvText,
+      projectEnvText
+    }
+  })
+
+export const readProjectAuthSnapshot = (
+  project: ProjectItem
+): Effect.Effect<ProjectAuthSnapshot, AppError, MenuEnv> =>
+  pipe(
+    loadProjectAuthEnvText(project),
+    Effect.map(({ globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => ({
+      projectDir: project.projectDir,
+      projectName: project.displayName,
+      envGlobalPath: globalEnvPath,
+      envProjectPath: projectEnvPath,
+      githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
+      gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
+      claudeKeyEntries: countKeyEntries(globalEnvText, claudeApiKeyBaseKey),
+      activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
+      activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
+      activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
+    }))
+  )
+
+const missingSecret = (
+  provider: string,
+  label: string,
+  envPath: string
+): AuthError =>
+  new AuthError({
+    message: `${provider} not connected: label '${label}' not found in ${envPath}`
+  })
+
+type ProjectEnvUpdateSpec = {
+  readonly rawLabel: string
+  readonly canonicalLabel: string
+  readonly globalEnvPath: string
+  readonly globalEnvText: string
+  readonly projectEnvText: string
+}
+
+const updateProjectGithubConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
+  const key = buildLabeledEnvKey(githubTokenBaseKey, spec.rawLabel)
+  const token = findEnvValue(spec.globalEnvText, key)
+  if (token === null) {
+    return Effect.fail(missingSecret("GitHub token", spec.canonicalLabel, spec.globalEnvPath))
+  }
+  const withGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token)
+  const withGhToken = upsertEnvKey(withGitToken, "GH_TOKEN", token)
+  const withoutGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, "")
+  return Effect.succeed(upsertEnvKey(withoutGitLabel, projectGithubLabelKey, spec.canonicalLabel))
+}
+
+const clearProjectGitLabels = (envText: string): string => {
+  const withoutGhToken = upsertEnvKey(envText, "GH_TOKEN", "")
+  const withoutGitLabel = upsertEnvKey(withoutGhToken, projectGitLabelKey, "")
+  return upsertEnvKey(withoutGitLabel, projectGithubLabelKey, "")
+}
+
+const updateProjectGithubDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string> => {
+  const withoutGitToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "")
+  return Effect.succeed(clearProjectGitLabels(withoutGitToken))
+}
+
+const updateProjectGitConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
+  const tokenKey = buildLabeledEnvKey(gitTokenBaseKey, spec.rawLabel)
+  const userKey = buildLabeledEnvKey(gitUserBaseKey, spec.rawLabel)
+  const token = findEnvValue(spec.globalEnvText, tokenKey)
+  if (token === null) {
+    return Effect.fail(missingSecret("Git credentials", spec.canonicalLabel, spec.globalEnvPath))
+  }
+  const defaultUser = findEnvValue(spec.globalEnvText, gitUserBaseKey) ?? defaultGitUser
+  const user = findEnvValue(spec.globalEnvText, userKey) ?? defaultUser
+  const withToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", token)
+  const withUser = upsertEnvKey(withToken, "GIT_AUTH_USER", user)
+  const withGhToken = upsertEnvKey(withUser, "GH_TOKEN", token)
+  const withGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, spec.canonicalLabel)
+  return Effect.succeed(upsertEnvKey(withGitLabel, projectGithubLabelKey, spec.canonicalLabel))
+}
+
+const updateProjectGitDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string> => {
+  const withoutToken = upsertEnvKey(spec.projectEnvText, "GIT_AUTH_TOKEN", "")
+  const withoutUser = upsertEnvKey(withoutToken, "GIT_AUTH_USER", "")
+  return Effect.succeed(clearProjectGitLabels(withoutUser))
+}
+
+const updateProjectClaudeConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
+  const key = buildLabeledEnvKey(claudeApiKeyBaseKey, spec.rawLabel)
+  const apiKey = findEnvValue(spec.globalEnvText, key)
+  if (apiKey === null) {
+    return Effect.fail(missingSecret("Claude key", spec.canonicalLabel, spec.globalEnvPath))
+  }
+  const withKey = upsertEnvKey(spec.projectEnvText, claudeApiKeyBaseKey, apiKey)
+  return Effect.succeed(upsertEnvKey(withKey, projectClaudeLabelKey, spec.canonicalLabel))
+}
+
+const updateProjectClaudeDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string> => {
+  const withoutKey = upsertEnvKey(spec.projectEnvText, claudeApiKeyBaseKey, "")
+  return Effect.succeed(upsertEnvKey(withoutKey, projectClaudeLabelKey, ""))
+}
+
+const resolveProjectEnvUpdate = (
+  flow: ProjectAuthFlow,
+  spec: ProjectEnvUpdateSpec
+): Effect.Effect<string, AppError> =>
+  Match.value(flow).pipe(
+    Match.when("ProjectGithubConnect", () => updateProjectGithubConnect(spec)),
+    Match.when("ProjectGithubDisconnect", () => updateProjectGithubDisconnect(spec)),
+    Match.when("ProjectGitConnect", () => updateProjectGitConnect(spec)),
+    Match.when("ProjectGitDisconnect", () => updateProjectGitDisconnect(spec)),
+    Match.when("ProjectClaudeConnect", () => updateProjectClaudeConnect(spec)),
+    Match.when("ProjectClaudeDisconnect", () => updateProjectClaudeDisconnect(spec)),
+    Match.exhaustive
+  )
+
+export const writeProjectAuthFlow = (
+  project: ProjectItem,
+  flow: ProjectAuthFlow,
+  values: Readonly<Record<string, string>>
+): Effect.Effect<void, AppError, MenuEnv> =>
+  pipe(
+    loadProjectAuthEnvText(project),
+    Effect.flatMap(({ fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
+      const rawLabel = values["label"] ?? ""
+      const canonicalLabel = resolveCanonicalLabel(rawLabel)
+      const spec: ProjectEnvUpdateSpec = { rawLabel, canonicalLabel, globalEnvPath, globalEnvText, projectEnvText }
+      const nextProjectEnv = resolveProjectEnvUpdate(flow, spec)
+      const syncMessage = Match.value(flow).pipe(
+        Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`),
+        Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${project.displayName}`),
+        Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`),
+        Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${project.displayName}`),
+        Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`),
+        Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${project.displayName}`),
+        Match.exhaustive
+      )
+      return pipe(
+        nextProjectEnv,
+        Effect.flatMap((nextText) => fs.writeFileString(projectEnvPath, nextText)),
+        Effect.zipRight(autoSyncState(syncMessage))
+      )
+    }),
+    Effect.asVoid
+  )
+
+export const projectAuthViewSteps = (flow: ProjectAuthFlow): ReadonlyArray<ProjectAuthPromptStep> => flowSteps[flow]
+
+export const projectAuthMenuLabels = (): ReadonlyArray<string> => projectAuthMenuItems.map((item) => item.label)
+
+export const projectAuthMenuActionByIndex = (index: number): ProjectAuthMenuAction | null => {
+  const item = projectAuthMenuItems[index]
+  return item ? item.action : null
+}
+
+export const projectAuthMenuSize = (): number => projectAuthMenuItems.length
diff --git a/packages/app/src/docker-git/menu-project-auth.ts b/packages/app/src/docker-git/menu-project-auth.ts
new file mode 100644
index 00000000..dd9c0d03
--- /dev/null
+++ b/packages/app/src/docker-git/menu-project-auth.ts
@@ -0,0 +1,271 @@
+import { Effect, Match, pipe } from "effect"
+
+import type { AppError } from "@effect-template/lib/usecases/errors"
+import type { ProjectItem } from "@effect-template/lib/usecases/projects"
+
+import { nextBufferValue } from "./menu-buffer-input.js"
+import { handleMenuNumberInput, submitPromptStep } from "./menu-input-utils.js"
+import {
+  type ProjectAuthMenuAction,
+  projectAuthMenuActionByIndex,
+  projectAuthMenuSize,
+  projectAuthViewSteps,
+  readProjectAuthSnapshot,
+  writeProjectAuthFlow
+} from "./menu-project-auth-data.js"
+import { resetToMenu } from "./menu-shared.js"
+import type {
+  MenuEnv,
+  MenuKeyInput,
+  MenuRunner,
+  MenuViewContext,
+  ProjectAuthFlow,
+  ProjectAuthSnapshot,
+  ViewState
+} from "./menu-types.js"
+
+type ProjectAuthContext = Pick<MenuViewContext, "setView" | "setMessage" | "setActiveDir"> & {
+  readonly runner: MenuRunner
+}
+
+type ProjectAuthContextWithProject = ProjectAuthContext & {
+  readonly project: ProjectItem
+}
+
+const startProjectAuthMenu = (
+  project: ProjectItem,
+  snapshot: ProjectAuthSnapshot,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+) => {
+  context.setView({ _tag: "ProjectAuthMenu", selected: 0, project, snapshot })
+  context.setMessage(null)
+}
+
+const startProjectAuthPrompt = (
+  project: ProjectItem,
+  snapshot: ProjectAuthSnapshot,
+  flow: ProjectAuthFlow,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+) => {
+  context.setView({
+    _tag: "ProjectAuthPrompt",
+    flow,
+    step: 0,
+    buffer: "",
+    values: {},
+    project,
+    snapshot
+  })
+  context.setMessage(null)
+}
+
+const loadProjectAuthMenuView = (
+  project: ProjectItem,
+  context: Pick<MenuViewContext, "setView" | "setMessage">
+): Effect.Effect<void, AppError, MenuEnv> =>
+  pipe(
+    readProjectAuthSnapshot(project),
+    Effect.tap((snapshot) =>
+      Effect.sync(() => {
+        startProjectAuthMenu(project, snapshot, context)
+      })
+    ),
+    Effect.asVoid
+  )
+
+const successMessage = (flow: ProjectAuthFlow, label: string): string =>
+  Match.value(flow).pipe(
+    Match.when("ProjectGithubConnect", () => `Connected GitHub label (${label}) to project.`),
+    Match.when("ProjectGithubDisconnect", () => "Disconnected GitHub from project."),
+    Match.when("ProjectGitConnect", () => `Connected Git label (${label}) to project.`),
+    Match.when("ProjectGitDisconnect", () => "Disconnected Git from project."),
+    Match.when("ProjectClaudeConnect", () => `Connected Claude label (${label}) to project.`),
+    Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."),
+    Match.exhaustive
+  )
+
+const runProjectAuthEffect = (
+  project: ProjectItem,
+  flow: ProjectAuthFlow,
+  values: Readonly<Record<string, string>>,
+  label: string,
+  context: ProjectAuthContext
+) => {
+  context.runner.runEffect(
+    pipe(
+      writeProjectAuthFlow(project, flow, values),
+      Effect.zipRight(readProjectAuthSnapshot(project)),
+      Effect.tap((snapshot) =>
+        Effect.sync(() => {
+          startProjectAuthMenu(project, snapshot, context)
+          context.setMessage(successMessage(flow, label))
+        })
+      ),
+      Effect.asVoid
+    )
+  )
+}
+
+const submitProjectAuthPrompt = (
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthPrompt" }>,
+  context: ProjectAuthContext
+) => {
+  const steps = projectAuthViewSteps(view.flow)
+  submitPromptStep(
+    view,
+    steps,
+    context,
+    () => {
+      startProjectAuthMenu(view.project, view.snapshot, context)
+    },
+    (nextValues) => {
+      const rawLabel = (nextValues["label"] ?? "").trim()
+      const label = rawLabel.length > 0 ? rawLabel : "default"
+      runProjectAuthEffect(view.project, view.flow, nextValues, label, context)
+    }
+  )
+}
+
+const runProjectAuthAction = (
+  action: ProjectAuthMenuAction,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  context: ProjectAuthContext
+) => {
+  if (action === "Back") {
+    resetToMenu(context)
+    return
+  }
+  if (action === "Refresh") {
+    context.runner.runEffect(loadProjectAuthMenuView(view.project, context))
+    return
+  }
+
+  if (
+    action === "ProjectGithubDisconnect" || action === "ProjectGitDisconnect" || action === "ProjectClaudeDisconnect"
+  ) {
+    runProjectAuthEffect(view.project, action, {}, "default", context)
+    return
+  }
+
+  startProjectAuthPrompt(view.project, view.snapshot, action, context)
+}
+
+const setProjectAuthMenuSelection = (
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  selected: number,
+  context: Pick<MenuViewContext, "setView">
+) => {
+  context.setView({ ...view, selected })
+}
+
+const shiftProjectAuthMenuSelection = (
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  delta: number,
+  context: Pick<MenuViewContext, "setView">
+) => {
+  const menuSize = projectAuthMenuSize()
+  const selected = (view.selected + delta + menuSize) % menuSize
+  setProjectAuthMenuSelection(view, selected, context)
+}
+
+const runProjectAuthMenuSelection = (
+  selected: number,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  context: ProjectAuthContext
+) => {
+  const action = projectAuthMenuActionByIndex(selected)
+  if (action === null) {
+    return
+  }
+  runProjectAuthAction(action, view, context)
+}
+
+const handleProjectAuthMenuNumberInput = (
+  input: string,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  context: ProjectAuthContext
+) => {
+  handleMenuNumberInput(
+    input,
+    context,
+    projectAuthMenuActionByIndex,
+    (action) => {
+      runProjectAuthAction(action, view, context)
+    }
+  )
+}
+
+const handleProjectAuthMenuInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" }>,
+  context: ProjectAuthContext
+) => {
+  if (key.escape) {
+    resetToMenu(context)
+    return
+  }
+  if (key.upArrow) {
+    shiftProjectAuthMenuSelection(view, -1, context)
+    return
+  }
+  if (key.downArrow) {
+    shiftProjectAuthMenuSelection(view, 1, context)
+    return
+  }
+  if (key.return) {
+    runProjectAuthMenuSelection(view.selected, view, context)
+    return
+  }
+  handleProjectAuthMenuNumberInput(input, view, context)
+}
+
+type SetPromptBufferArgs = {
+  readonly input: string
+  readonly key: MenuKeyInput
+  readonly view: Extract<ViewState, { readonly _tag: "ProjectAuthPrompt" }>
+  readonly context: Pick<MenuViewContext, "setView">
+}
+
+const setProjectAuthPromptBuffer = (args: SetPromptBufferArgs) => {
+  const nextBuffer = nextBufferValue(args.input, args.key, args.view.buffer)
+  if (nextBuffer === null) {
+    return
+  }
+  args.context.setView({ ...args.view, buffer: nextBuffer })
+}
+
+const handleProjectAuthPromptInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthPrompt" }>,
+  context: ProjectAuthContext
+) => {
+  if (key.escape) {
+    startProjectAuthMenu(view.project, view.snapshot, context)
+    return
+  }
+  if (key.return) {
+    submitProjectAuthPrompt(view, context)
+    return
+  }
+  setProjectAuthPromptBuffer({ input, key, view, context })
+}
+
+export const openProjectAuthMenu = (context: ProjectAuthContextWithProject): void => {
+  context.setMessage(`Loading project auth (${context.project.displayName})...`)
+  context.runner.runEffect(loadProjectAuthMenuView(context.project, context))
+}
+
+export const handleProjectAuthInput = (
+  input: string,
+  key: MenuKeyInput,
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthMenu" | "ProjectAuthPrompt" }>,
+  context: ProjectAuthContext
+) => {
+  if (view._tag === "ProjectAuthMenu") {
+    handleProjectAuthMenuInput(input, key, view, context)
+    return
+  }
+  handleProjectAuthPromptInput(input, key, view, context)
+}
diff --git a/packages/app/src/docker-git/menu-render-auth.ts b/packages/app/src/docker-git/menu-render-auth.ts
new file mode 100644
index 00000000..160027fa
--- /dev/null
+++ b/packages/app/src/docker-git/menu-render-auth.ts
@@ -0,0 +1,54 @@
+import { Box, Text } from "ink"
+import React from "react"
+
+import { authMenuLabels, authViewSteps, authViewTitle } from "./menu-auth-data.js"
+import {
+  renderMenuHelp,
+  renderPromptLayout,
+  renderSelectableMenuList,
+  resolvePromptState
+} from "./menu-render-common.js"
+import { renderLayout } from "./menu-render-layout.js"
+import type { AuthSnapshot, ViewState } from "./menu-types.js"
+
+const renderCountLine = (title: string, count: number): string => `${title}: ${count}`
+
+export const renderAuthMenu = (
+  snapshot: AuthSnapshot,
+  selected: number,
+  message: string | null
+): React.ReactElement => {
+  const el = React.createElement
+  const list = renderSelectableMenuList(authMenuLabels(), selected)
+  return renderLayout(
+    "docker-git / Auth profiles",
+    [
+      el(Text, null, `Global env: ${snapshot.globalEnvPath}`),
+      el(Text, { color: "gray" }, renderCountLine("Entries", snapshot.totalEntries)),
+      el(Text, { color: "gray" }, renderCountLine("GitHub tokens", snapshot.githubTokenEntries)),
+      el(Text, { color: "gray" }, renderCountLine("Git tokens", snapshot.gitTokenEntries)),
+      el(Text, { color: "gray" }, renderCountLine("Git users", snapshot.gitUserEntries)),
+      el(Text, { color: "gray" }, renderCountLine("Claude keys", snapshot.claudeKeyEntries)),
+      el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
+      renderMenuHelp("Use arrows + Enter, or type a number.")
+    ],
+    message
+  )
+}
+
+export const renderAuthPrompt = (
+  view: Extract<ViewState, { readonly _tag: "AuthPrompt" }>,
+  message: string | null
+): React.ReactElement => {
+  const el = React.createElement
+  const { prompt, visibleBuffer } = resolvePromptState(authViewSteps(view.flow), view.step, view.buffer)
+  const helpLine = view.flow === "GithubOauth" ? "Enter = start OAuth, Esc = cancel." : "Enter = next, Esc = cancel."
+  return renderPromptLayout({
+    title: `docker-git / Auth / ${authViewTitle(view.flow)}`,
+    header: [el(Text, { color: "gray" }, `Global env: ${view.snapshot.globalEnvPath}`)],
+    prompt,
+    visibleBuffer,
+    helpLine,
+    message
+  })
+}
diff --git a/packages/app/src/docker-git/menu-render-common.ts b/packages/app/src/docker-git/menu-render-common.ts
new file mode 100644
index 00000000..bb50fbae
--- /dev/null
+++ b/packages/app/src/docker-git/menu-render-common.ts
@@ -0,0 +1,67 @@
+import { Box, Text } from "ink"
+import React from "react"
+
+import { renderLayout } from "./menu-render-layout.js"
+
+export const renderSelectableMenuList = (
+  labels: ReadonlyArray<string>,
+  selected: number
+): ReadonlyArray<React.ReactElement> => {
+  const el = React.createElement
+  return labels.map((label, index) =>
+    el(
+      Text,
+      { key: `${index}-${label}`, color: index === selected ? "green" : "white" },
+      `${index === selected ? ">" : " "} ${index + 1}) ${label}`
+    )
+  )
+}
+
+export const renderMenuHelp = (primaryLine: string): React.ReactElement => {
+  const el = React.createElement
+  return el(
+    Box,
+    { marginTop: 1, flexDirection: "column" },
+    el(Text, { color: "gray" }, primaryLine),
+    el(Text, { color: "gray" }, "Esc returns to the main menu.")
+  )
+}
+
+type PromptStepLike = {
+  readonly label: string
+  readonly secret: boolean
+}
+
+export const resolvePromptState = (
+  steps: ReadonlyArray<PromptStepLike>,
+  step: number,
+  buffer: string
+): { readonly prompt: string; readonly visibleBuffer: string } => {
+  const current = steps[step]
+  const prompt = current?.label ?? "Value"
+  const isSecret = current?.secret === true
+  const visibleBuffer = isSecret ? "*".repeat(buffer.length) : buffer
+  return { prompt, visibleBuffer }
+}
+
+type RenderPromptArgs = {
+  readonly title: string
+  readonly header: ReadonlyArray<React.ReactElement>
+  readonly prompt: string
+  readonly visibleBuffer: string
+  readonly helpLine: string
+  readonly message: string | null
+}
+
+export const renderPromptLayout = (args: RenderPromptArgs): React.ReactElement => {
+  const el = React.createElement
+  return renderLayout(
+    args.title,
+    [
+      ...args.header,
+      el(Box, { marginTop: 1 }, el(Text, null, `${args.prompt}: `), el(Text, { color: "green" }, args.visibleBuffer)),
+      el(Box, { marginTop: 1, flexDirection: "column" }, el(Text, { color: "gray" }, args.helpLine))
+    ],
+    args.message
+  )
+}
diff --git a/packages/app/src/docker-git/menu-render-layout.ts b/packages/app/src/docker-git/menu-render-layout.ts
new file mode 100644
index 00000000..efb081b6
--- /dev/null
+++ b/packages/app/src/docker-git/menu-render-layout.ts
@@ -0,0 +1,30 @@
+import { Box, Text } from "ink"
+import React from "react"
+
+const renderMessage = (message: string | null): React.ReactElement | null => {
+  if (!message) {
+    return null
+  }
+  return React.createElement(
+    Box,
+    { marginTop: 1 },
+    React.createElement(Text, { color: "magenta" }, message)
+  )
+}
+
+export const renderLayout = (
+  title: string,
+  body: ReadonlyArray<React.ReactElement>,
+  message: string | null
+): React.ReactElement => {
+  const el = React.createElement
+  const messageView = renderMessage(message)
+  const tail = messageView ? [messageView] : []
+  return el(
+    Box,
+    { flexDirection: "column", padding: 1, borderStyle: "round" },
+    el(Text, { color: "cyan", bold: true }, title),
+    ...body,
+    ...tail
+  )
+}
diff --git a/packages/app/src/docker-git/menu-render-project-auth.ts b/packages/app/src/docker-git/menu-render-project-auth.ts
new file mode 100644
index 00000000..df91615d
--- /dev/null
+++ b/packages/app/src/docker-git/menu-render-project-auth.ts
@@ -0,0 +1,69 @@
+import { Box, Text } from "ink"
+import React from "react"
+
+import { projectAuthMenuLabels, projectAuthViewSteps } from "./menu-project-auth-data.js"
+import {
+  renderMenuHelp,
+  renderPromptLayout,
+  renderSelectableMenuList,
+  resolvePromptState
+} from "./menu-render-common.js"
+import { renderLayout } from "./menu-render-layout.js"
+import type { ProjectAuthSnapshot, ViewState } from "./menu-types.js"
+
+const renderActiveLabel = (value: string | null): string => value ?? "(not set)"
+
+const renderCountLine = (title: string, count: number): string => `${title}: ${count}`
+
+export const renderProjectAuthMenu = (
+  snapshot: ProjectAuthSnapshot,
+  selected: number,
+  message: string | null
+): React.ReactElement => {
+  const el = React.createElement
+  const list = renderSelectableMenuList(projectAuthMenuLabels(), selected)
+
+  return renderLayout(
+    "docker-git / Project auth",
+    [
+      el(Text, null, `Project: ${snapshot.projectName}`),
+      el(Text, { color: "gray" }, `Dir: ${snapshot.projectDir}`),
+      el(Text, { color: "gray" }, `Project env: ${snapshot.envProjectPath}`),
+      el(Text, { color: "gray" }, `Global env: ${snapshot.envGlobalPath}`),
+      el(
+        Box,
+        { marginTop: 1, flexDirection: "column" },
+        el(Text, { color: "gray" }, `GitHub label: ${renderActiveLabel(snapshot.activeGithubLabel)}`),
+        el(Text, { color: "gray" }, renderCountLine("Available GitHub tokens", snapshot.githubTokenEntries)),
+        el(Text, { color: "gray" }, `Git label: ${renderActiveLabel(snapshot.activeGitLabel)}`),
+        el(Text, { color: "gray" }, renderCountLine("Available Git tokens", snapshot.gitTokenEntries)),
+        el(Text, { color: "gray" }, `Claude label: ${renderActiveLabel(snapshot.activeClaudeLabel)}`),
+        el(Text, { color: "gray" }, renderCountLine("Available Claude keys", snapshot.claudeKeyEntries))
+      ),
+      el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
+      renderMenuHelp("Use arrows + Enter, or type a number from the list.")
+    ],
+    message
+  )
+}
+
+export const renderProjectAuthPrompt = (
+  view: Extract<ViewState, { readonly _tag: "ProjectAuthPrompt" }>,
+  message: string | null
+): React.ReactElement => {
+  const el = React.createElement
+  const { prompt, visibleBuffer } = resolvePromptState(projectAuthViewSteps(view.flow), view.step, view.buffer)
+
+  return renderPromptLayout({
+    title: "docker-git / Project auth / Set label",
+    header: [
+      el(Text, { color: "gray" }, `Project: ${view.snapshot.projectName}`),
+      el(Text, { color: "gray" }, `Project env: ${view.snapshot.envProjectPath}`),
+      el(Text, { color: "gray" }, `Global env: ${view.snapshot.envGlobalPath}`)
+    ],
+    prompt,
+    visibleBuffer,
+    helpLine: "Enter = apply, Esc = cancel.",
+    message
+  })
+}
diff --git a/packages/app/src/docker-git/menu-render-select.ts b/packages/app/src/docker-git/menu-render-select.ts
index f6363a42..555e024e 100644
--- a/packages/app/src/docker-git/menu-render-select.ts
+++ b/packages/app/src/docker-git/menu-render-select.ts
@@ -5,7 +5,7 @@ import type React from "react"
 import type { ProjectItem } from "@effect-template/lib/usecases/projects"
 import type { SelectProjectRuntime } from "./menu-types.js"
 
-export type SelectPurpose = "Connect" | "Down" | "Info" | "Delete"
+export type SelectPurpose = "Connect" | "Down" | "Info" | "Delete" | "Auth"
 
 const formatRepoRef = (repoRef: string): string => {
   const trimmed = repoRef.trim()
@@ -58,6 +58,7 @@ const renderRuntimeLabel = (runtime: SelectProjectRuntime): string =>
 export const selectTitle = (purpose: SelectPurpose): string =>
   Match.value(purpose).pipe(
     Match.when("Connect", () => "docker-git / Select project"),
+    Match.when("Auth", () => "docker-git / Project auth"),
     Match.when("Down", () => "docker-git / Stop container"),
     Match.when("Info", () => "docker-git / Show connection info"),
     Match.when("Delete", () => "docker-git / Delete project"),
@@ -73,6 +74,7 @@ export const selectHint = (
       "Connect",
       () => `Enter = select + SSH, P = toggle Playwright MCP (${connectEnableMcpPlaywright ? "on" : "off"}), Esc = back`
     ),
+    Match.when("Auth", () => "Enter = open project auth menu, Esc = back"),
     Match.when("Down", () => "Enter = stop container, Esc = back"),
     Match.when("Info", () => "Use arrows to browse details, Enter = set active, Esc = back"),
     Match.when("Delete", () => "Enter = ask/confirm delete, Esc = cancel"),
@@ -196,6 +198,14 @@ export const renderSelectDetails = (
 
   return Match.value(purpose).pipe(
     Match.when("Connect", () => renderConnectDetails(el, context, common, connectEnableMcpPlaywright)),
+    Match.when("Auth", () => [
+      titleRow(el, "Project auth"),
+      ...common,
+      el(Text, { wrap: "wrap" }, `Repo: ${context.item.repoUrl} (${context.refLabel})`),
+      el(Text, { wrap: "wrap" }, `Env global: ${context.item.envGlobalPath}`),
+      el(Text, { wrap: "wrap" }, `Env project: ${context.item.envProjectPath}`),
+      el(Text, { color: "gray", wrap: "wrap" }, "Press Enter to manage labels for this project.")
+    ]),
     Match.when("Info", () => renderInfoDetails(el, context, common)),
     Match.when("Down", () => [
       titleRow(el, "Stop container"),
diff --git a/packages/app/src/docker-git/menu-render.ts b/packages/app/src/docker-git/menu-render.ts
index 440029a1..6fe4b360 100644
--- a/packages/app/src/docker-git/menu-render.ts
+++ b/packages/app/src/docker-git/menu-render.ts
@@ -3,6 +3,7 @@ import { Box, Text } from "ink"
 import React from "react"
 
 import type { ProjectItem } from "@effect-template/lib/usecases/projects"
+import { renderLayout } from "./menu-render-layout.js"
 import {
   buildSelectLabels,
   renderSelectDetails,
@@ -41,34 +42,6 @@ export const renderStepLabel = (step: CreateStep, defaults: CreateInputs): strin
     Match.exhaustive
   )
 
-const renderMessage = (message: string | null): React.ReactElement | null => {
-  if (!message) {
-    return null
-  }
-  return React.createElement(
-    Box,
-    { marginTop: 1 },
-    React.createElement(Text, { color: "magenta" }, message)
-  )
-}
-
-const renderLayout = (
-  title: string,
-  body: ReadonlyArray<React.ReactElement>,
-  message: string | null
-): React.ReactElement => {
-  const el = React.createElement
-  const messageView = renderMessage(message)
-  const tail = messageView ? [messageView] : []
-  return el(
-    Box,
-    { flexDirection: "column", padding: 1, borderStyle: "round" },
-    el(Text, { color: "cyan", bold: true }, title),
-    ...body,
-    ...tail
-  )
-}
-
 const compactElements = (
   items: ReadonlyArray<React.ReactElement | null>
 ): ReadonlyArray<React.ReactElement> => items.filter((item): item is React.ReactElement => item !== null)
@@ -82,7 +55,7 @@ const renderMenuHints = (el: typeof React.createElement): React.ReactElement =>
     el(
       Text,
       { color: "gray" },
-      "  - Aliases: create/c, select/s, info/i, status/ps, logs/l, down/d, down-all/da, delete/del, quit/q"
+      "  - Aliases: create/c, select/s, auth/a, project-auth/pa, info/i, status/ps, logs/l, down/d, down-all/da, delete/del, quit/q"
     ),
     el(Text, { color: "gray" }, "  - Use arrows and Enter to run.")
   )
@@ -181,6 +154,9 @@ export const renderCreate = (
   )
 }
 
+export { renderAuthMenu, renderAuthPrompt } from "./menu-render-auth.js"
+export { renderProjectAuthMenu, renderProjectAuthPrompt } from "./menu-render-project-auth.js"
+
 const computeListWidth = (labels: ReadonlyArray<string>): number => {
   const maxLabelWidth = labels.length > 0 ? Math.max(...labels.map((label) => label.length)) : 24
   return Math.min(Math.max(maxLabelWidth + 2, 28), 54)
diff --git a/packages/app/src/docker-git/menu-select-load.ts b/packages/app/src/docker-git/menu-select-load.ts
index 9786777c..4e6cec4b 100644
--- a/packages/app/src/docker-git/menu-select-load.ts
+++ b/packages/app/src/docker-git/menu-select-load.ts
@@ -7,7 +7,7 @@ import type { MenuEnv, MenuViewContext } from "./menu-types.js"
 
 export const loadSelectView = <E>(
   effect: Effect.Effect<ReadonlyArray<ProjectItem>, E, MenuEnv>,
-  purpose: "Connect" | "Down" | "Info" | "Delete",
+  purpose: "Connect" | "Down" | "Info" | "Delete" | "Auth",
   context: Pick<MenuViewContext, "setView" | "setMessage">
 ): Effect.Effect<void, E, MenuEnv> =>
   pipe(
diff --git a/packages/app/src/docker-git/menu-select.ts b/packages/app/src/docker-git/menu-select.ts
index 65c28b3a..c0620efa 100644
--- a/packages/app/src/docker-git/menu-select.ts
+++ b/packages/app/src/docker-git/menu-select.ts
@@ -1,5 +1,6 @@
 import { runDockerComposeDown } from "@effect-template/lib/shell/docker"
 import type { AppError } from "@effect-template/lib/usecases/errors"
+import { renderError } from "@effect-template/lib/usecases/errors"
 import { mcpPlaywrightUp } from "@effect-template/lib/usecases/mcp-playwright"
 import {
   connectProjectSshWithUp,
@@ -8,10 +9,17 @@ import {
   type ProjectItem
 } from "@effect-template/lib/usecases/projects"
 import { Effect, Match, pipe } from "effect"
+import { openProjectAuthMenu } from "./menu-project-auth.js"
 import { buildConnectEffect, isConnectMcpToggleInput } from "./menu-select-connect.js"
 import { sortItemsByLaunchTime } from "./menu-select-order.js"
 import { loadRuntimeByProject, runtimeForSelection } from "./menu-select-runtime.js"
-import { resetToMenu, resumeTui, suspendTui } from "./menu-shared.js"
+import {
+  pauseForEnter,
+  resetToMenu,
+  resumeTui,
+  suspendTui,
+  writeToTerminal
+} from "./menu-shared.js"
 import type {
   MenuEnv,
   MenuKeyInput,
@@ -32,7 +40,7 @@ const emptyRuntimeByProject = (): Readonly<Record<string, SelectProjectRuntime>>
 
 export const startSelectView = (
   items: ReadonlyArray<ProjectItem>,
-  purpose: "Connect" | "Down" | "Info" | "Delete",
+  purpose: "Connect" | "Down" | "Info" | "Delete" | "Auth",
   context: Pick<SelectContext, "setView" | "setMessage">,
   runtimeByProject: Readonly<Record<string, SelectProjectRuntime>> = emptyRuntimeByProject()
 ) => {
@@ -132,7 +140,19 @@ const runWithSuspendedTui = (
   context.runner.runEffect(
     pipe(
       Effect.sync(suspendTui),
-      Effect.zipRight(effect),
+      Effect.zipRight(
+        pipe(
+          effect,
+          Effect.tapError((error) =>
+            Effect.ignore(
+              Effect.tryPromise(async () => {
+                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                await pauseForEnter()
+              })
+            )
+          )
+        )
+      ),
       Effect.ensuring(
         Effect.sync(() => {
           resumeTui()
@@ -204,6 +224,14 @@ const runDownSelection = (selected: ProjectItem, context: SelectContext) => {
           context.setMessage("Container stopped. Select another to stop, or Esc to return.")
         })
       ),
+      Effect.tapError((error) =>
+        Effect.ignore(
+          Effect.tryPromise(async () => {
+            writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+            await pauseForEnter()
+          })
+        )
+      ),
       Effect.ensuring(
         Effect.sync(() => {
           resumeTui()
@@ -219,6 +247,16 @@ const runInfoSelection = (selected: ProjectItem, context: SelectContext) => {
   context.setMessage(`Details for ${selected.displayName} are shown on the right. Press Esc to return to the menu.`)
 }
 
+const runAuthSelection = (selected: ProjectItem, context: SelectContext) => {
+  openProjectAuthMenu({
+    project: selected,
+    runner: context.runner,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir
+  })
+}
+
 const runDeleteSelection = (selected: ProjectItem, context: SelectContext) => {
   context.setMessage(`Deleting ${selected.displayName}...`)
   runWithSuspendedTui(
@@ -240,6 +278,9 @@ const runDeleteSelection = (selected: ProjectItem, context: SelectContext) => {
   )
 }
 
+const formatSshSessionsLabel = (sshSessions: number): string =>
+  sshSessions === 1 ? "1 active SSH session" : `${sshSessions} active SSH sessions`
+
 const handleSelectReturn = (
   view: Extract<ViewState, { readonly _tag: "SelectProject" }>,
   context: SelectContext
@@ -251,15 +292,17 @@ const handleSelectReturn = (
     return
   }
   const selectedRuntime = runtimeForSelection(view, selected)
-  const sshSessionsLabel = selectedRuntime.sshSessions === 1
-    ? "1 active SSH session"
-    : `${selectedRuntime.sshSessions} active SSH sessions`
+  const sshSessionsLabel = formatSshSessionsLabel(selectedRuntime.sshSessions)
 
   Match.value(view.purpose).pipe(
     Match.when("Connect", () => {
       context.setActiveDir(selected.projectDir)
       runConnectSelection(selected, context, view.connectEnableMcpPlaywright)
     }),
+    Match.when("Auth", () => {
+      context.setActiveDir(selected.projectDir)
+      runAuthSelection(selected, context)
+    }),
     Match.when("Down", () => {
       if (selectedRuntime.sshSessions > 0 && !view.confirmDelete) {
         context.setMessage(
diff --git a/packages/app/src/docker-git/menu-shared.ts b/packages/app/src/docker-git/menu-shared.ts
index 07adff2d..70fe9f44 100644
--- a/packages/app/src/docker-git/menu-shared.ts
+++ b/packages/app/src/docker-git/menu-shared.ts
@@ -1,5 +1,7 @@
 import type { MenuViewContext, ViewState } from "./menu-types.js"
 
+import { once } from "node:events"
+
 // CHANGE: share menu escape handling across flows
 // WHY: avoid duplicated logic in TUI handlers
 // QUOTE(ТЗ): "А ты можешь сделать удобный выбор проектов?"
@@ -13,10 +15,12 @@ import type { MenuViewContext, ViewState } from "./menu-types.js"
 
 type MenuResetContext = Pick<MenuViewContext, "setView" | "setMessage">
 
-type StdoutWrite = typeof process.stdout.write
+type OutputWrite = typeof process.stdout.write
 
 let stdoutPatched = false
 let stdoutMuted = false
+let baseStdoutWrite: OutputWrite | null = null
+let baseStderrWrite: OutputWrite | null = null
 
 const disableMouseModes = (): void => {
   // Disable xterm/urxvt mouse tracking and "alternate scroll" mode (wheel -> arrow keys).
@@ -39,28 +43,66 @@ const ensureStdoutPatched = (): void => {
   if (stdoutPatched) {
     return
   }
-  const baseWrite: StdoutWrite = process.stdout.write.bind(process.stdout)
-  const mutedWrite: StdoutWrite = (
-    chunk: string | Uint8Array,
-    encoding?: BufferEncoding | ((err?: Error | null) => void),
-    cb?: (err?: Error | null) => void
-  ) => {
-    if (stdoutMuted) {
-      const callback = typeof encoding === "function" ? encoding : cb
-      if (typeof callback === "function") {
-        callback()
+  baseStdoutWrite = process.stdout.write.bind(process.stdout)
+  baseStderrWrite = process.stderr.write.bind(process.stderr)
+  const wrapWrite =
+    (baseWrite: OutputWrite): OutputWrite =>
+      (
+        chunk: string | Uint8Array,
+        encoding?: BufferEncoding | ((err?: Error | null) => void),
+        cb?: (err?: Error | null) => void
+      ) => {
+        if (stdoutMuted) {
+          const callback = typeof encoding === "function" ? encoding : cb
+          if (typeof callback === "function") {
+            callback()
+          }
+          return true
+        }
+        if (typeof encoding === "function") {
+          return baseWrite(chunk, encoding)
+        }
+        return baseWrite(chunk, encoding, cb)
       }
-      return true
-    }
-    if (typeof encoding === "function") {
-      return baseWrite(chunk, encoding)
-    }
-    return baseWrite(chunk, encoding, cb)
-  }
-  process.stdout.write = mutedWrite
+
+  process.stdout.write = wrapWrite(baseStdoutWrite)
+  process.stderr.write = wrapWrite(baseStderrWrite)
   stdoutPatched = true
 }
 
+// CHANGE: allow writing to the terminal even while stdout is muted
+// WHY: we mute Ink renders during interactive commands, but still need to show prompts/errors
+// REF: user-request-2026-02-18-tui-output-hidden
+// SOURCE: n/a
+// PURITY: SHELL
+// EFFECT: n/a
+// INVARIANT: bypasses the mute wrapper safely
+export const writeToTerminal = (text: string): void => {
+  ensureStdoutPatched()
+  const write = baseStdoutWrite ?? process.stdout.write.bind(process.stdout)
+  write(text)
+}
+
+// CHANGE: keep the user on the primary screen until they acknowledge
+// WHY: otherwise output from failed docker/gh commands gets hidden again when TUI resumes
+// REF: user-request-2026-02-18-tui-output-hidden
+// SOURCE: n/a
+// PURITY: SHELL
+// EFFECT: Promise<void>
+// INVARIANT: no-op when stdin/stdout aren't TTY (CI/e2e)
+export const pauseForEnter = (prompt = "Press Enter to return to docker-git..."): Promise<void> => {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    return Promise.resolve()
+  }
+
+  // Ensure the prompt isn't glued to the last command line.
+  writeToTerminal(`\n${prompt}\n`)
+  process.stdin.resume()
+
+  // Wait for the next line (we keep stdin in cooked mode while TUI is suspended).
+  return once(process.stdin, "data").then(() => undefined)
+}
+
 // CHANGE: toggle stdout write muting for Ink rendering
 // WHY: allow SSH sessions to own the terminal without TUI redraws
 // QUOTE(ТЗ): "при изменении разершения он всё ломает?"
@@ -94,7 +136,9 @@ export const suspendTui = (): void => {
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(false)
   }
-  process.stdout.write("\u001B[?1049l\u001B[2J\u001B[H")
+  // Switch back to the primary screen so interactive commands (ssh/gh/codex)
+  // can render normally. Do not clear it: users may need scrollback (OAuth codes/URLs).
+  process.stdout.write("\u001B[?1049l")
   setStdoutMuted(true)
 }
 
@@ -114,6 +158,7 @@ export const resumeTui = (): void => {
   }
   setStdoutMuted(false)
   disableMouseModes()
+  // Return to the alternate screen for Ink rendering.
   process.stdout.write("\u001B[?1049h\u001B[2J\u001B[H")
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(true)
@@ -128,7 +173,8 @@ export const leaveTui = (): void => {
   // Ensure we don't leave the terminal in a broken "mouse reporting" mode.
   setStdoutMuted(false)
   disableMouseModes()
-  process.stdout.write("\u001B[?1049l\u001B[2J\u001B[H")
+  // Restore the primary screen on exit without clearing it (keeps useful scrollback).
+  process.stdout.write("\u001B[?1049l")
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(false)
   }
diff --git a/packages/app/src/docker-git/menu-types.ts b/packages/app/src/docker-git/menu-types.ts
index 0dbd5c0d..906c0623 100644
--- a/packages/app/src/docker-git/menu-types.ts
+++ b/packages/app/src/docker-git/menu-types.ts
@@ -40,13 +40,14 @@ export type MenuKeyInput = {
   readonly downArrow?: boolean
   readonly return?: boolean
   readonly escape?: boolean
+  readonly backspace?: boolean
+  readonly delete?: boolean
 }
 
 export type CreateInputs = {
   readonly repoUrl: string
   readonly repoRef: string
   readonly outDir: string
-  readonly secretsRoot: string
   readonly runUp: boolean
   readonly enableMcpPlaywright: boolean
   readonly force: boolean
@@ -70,12 +71,74 @@ export const createSteps: ReadonlyArray<CreateStep> = [
   "force"
 ]
 
+export type AuthFlow =
+  | "GithubOauth"
+  | "GithubRemove"
+  | "GitSet"
+  | "GitRemove"
+  | "ClaudeSet"
+  | "ClaudeRemove"
+
+export interface AuthSnapshot {
+  readonly globalEnvPath: string
+  readonly totalEntries: number
+  readonly githubTokenEntries: number
+  readonly gitTokenEntries: number
+  readonly gitUserEntries: number
+  readonly claudeKeyEntries: number
+}
+
+export type ProjectAuthFlow =
+  | "ProjectGithubConnect"
+  | "ProjectGithubDisconnect"
+  | "ProjectGitConnect"
+  | "ProjectGitDisconnect"
+  | "ProjectClaudeConnect"
+  | "ProjectClaudeDisconnect"
+
+export interface ProjectAuthSnapshot {
+  readonly projectDir: string
+  readonly projectName: string
+  readonly envGlobalPath: string
+  readonly envProjectPath: string
+  readonly githubTokenEntries: number
+  readonly gitTokenEntries: number
+  readonly claudeKeyEntries: number
+  readonly activeGithubLabel: string | null
+  readonly activeGitLabel: string | null
+  readonly activeClaudeLabel: string | null
+}
+
 export type ViewState =
   | { readonly _tag: "Menu" }
   | { readonly _tag: "Create"; readonly step: number; readonly buffer: string; readonly values: Partial<CreateInputs> }
+  | { readonly _tag: "AuthMenu"; readonly selected: number; readonly snapshot: AuthSnapshot }
+  | {
+    readonly _tag: "AuthPrompt"
+    readonly flow: AuthFlow
+    readonly step: number
+    readonly buffer: string
+    readonly values: Readonly<Record<string, string>>
+    readonly snapshot: AuthSnapshot
+  }
+  | {
+    readonly _tag: "ProjectAuthMenu"
+    readonly selected: number
+    readonly project: ProjectItem
+    readonly snapshot: ProjectAuthSnapshot
+  }
+  | {
+    readonly _tag: "ProjectAuthPrompt"
+    readonly flow: ProjectAuthFlow
+    readonly step: number
+    readonly buffer: string
+    readonly values: Readonly<Record<string, string>>
+    readonly project: ProjectItem
+    readonly snapshot: ProjectAuthSnapshot
+  }
   | {
     readonly _tag: "SelectProject"
-    readonly purpose: "Connect" | "Down" | "Info" | "Delete"
+    readonly purpose: "Connect" | "Down" | "Info" | "Delete" | "Auth"
     readonly items: ReadonlyArray<ProjectItem>
     readonly runtimeByProject: Readonly<Record<string, SelectProjectRuntime>>
     readonly selected: number
@@ -93,6 +156,8 @@ export type SelectProjectRuntime = {
 export const menuItems: ReadonlyArray<{ readonly id: MenuAction; readonly label: string }> = [
   { id: { _tag: "Create" }, label: "Create project" },
   { id: { _tag: "Select" }, label: "Select project" },
+  { id: { _tag: "Auth" }, label: "Auth profiles (keys)" },
+  { id: { _tag: "ProjectAuth" }, label: "Project auth (bind labels)" },
   { id: { _tag: "Info" }, label: "Show connection info" },
   { id: { _tag: "Status" }, label: "docker compose ps" },
   { id: { _tag: "Logs" }, label: "docker compose logs --tail=200" },
diff --git a/packages/app/src/docker-git/menu.ts b/packages/app/src/docker-git/menu.ts
index 29a321a7..5d458b3b 100644
--- a/packages/app/src/docker-git/menu.ts
+++ b/packages/app/src/docker-git/menu.ts
@@ -9,7 +9,16 @@ import React, { useEffect, useMemo, useState } from "react"
 
 import { resolveCreateInputs } from "./menu-create.js"
 import { handleUserInput, type InputStage } from "./menu-input-handler.js"
-import { renderCreate, renderMenu, renderSelect, renderStepLabel } from "./menu-render.js"
+import {
+  renderAuthMenu,
+  renderAuthPrompt,
+  renderCreate,
+  renderMenu,
+  renderProjectAuthMenu,
+  renderProjectAuthPrompt,
+  renderSelect,
+  renderStepLabel
+} from "./menu-render.js"
 import { leaveTui, resumeTui } from "./menu-shared.js"
 import { defaultMenuStartupSnapshot, resolveMenuStartupSnapshot } from "./menu-startup.js"
 import { createSteps, type MenuEnv, type MenuState, type ViewState } from "./menu-types.js"
@@ -82,6 +91,22 @@ const renderView = (context: RenderContext) => {
     return renderCreate(label, context.view.buffer, context.message, context.view.step, currentDefaults)
   }
 
+  if (context.view._tag === "AuthMenu") {
+    return renderAuthMenu(context.view.snapshot, context.view.selected, context.message)
+  }
+
+  if (context.view._tag === "AuthPrompt") {
+    return renderAuthPrompt(context.view, context.message)
+  }
+
+  if (context.view._tag === "ProjectAuthMenu") {
+    return renderProjectAuthMenu(context.view.snapshot, context.view.selected, context.message)
+  }
+
+  if (context.view._tag === "ProjectAuthPrompt") {
+    return renderProjectAuthPrompt(context.view, context.message)
+  }
+
   return renderSelect({
     purpose: context.view.purpose,
     items: context.view.items,
diff --git a/packages/docker-git/src/server/claude.ts b/packages/docker-git/src/server/claude.ts
new file mode 100644
index 00000000..9dd335b2
--- /dev/null
+++ b/packages/docker-git/src/server/claude.ts
@@ -0,0 +1,111 @@
+import { findEnvValue } from "./core/env.js"
+import {
+  findLabeledEnvEntryByLabel,
+  listLabeledEnvEntries,
+  resolveLabeledEnvLabelForValue
+} from "./labeled-env.js"
+
+export interface ClaudeApiKeyEntry {
+  readonly label: string
+  readonly apiKey: string
+}
+
+const claudeApiKeyBase = "ANTHROPIC_API_KEY"
+const claudeLabelKey = "CLAUDE_AUTH_LABEL"
+
+// CHANGE: list labeled Claude API keys from env text
+// WHY: support multiple Claude Code profiles in integrations
+// QUOTE(ТЗ): "N множества ключей ... Claude Code"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: list(env) -> keys(env)
+// PURITY: CORE
+// EFFECT: Effect<ReadonlyArray<ClaudeApiKeyEntry>, never, never>
+// INVARIANT: only non-empty keys are returned
+// COMPLEXITY: O(n) where n = |entries|
+export const listClaudeApiKeys = (envText: string): ReadonlyArray<ClaudeApiKeyEntry> =>
+  listLabeledEnvEntries(envText, claudeApiKeyBase).map((entry) => ({
+    label: entry.label,
+    apiKey: entry.value
+  }))
+
+// CHANGE: find Claude API key by label
+// WHY: map selected profile label to stored API key
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env,l: find(env,l) -> key(l) | null
+// PURITY: CORE
+// EFFECT: Effect<ClaudeApiKeyEntry | null, never, never>
+// INVARIANT: label normalization is deterministic
+// COMPLEXITY: O(n) where n = |entries|
+export const findClaudeApiKeyByLabel = (
+  envText: string,
+  label: string
+): ClaudeApiKeyEntry | null => {
+  const entries = listLabeledEnvEntries(envText, claudeApiKeyBase)
+  const matched = findLabeledEnvEntryByLabel(entries, claudeApiKeyBase, label)
+  if (matched === null) {
+    return null
+  }
+  return {
+    label: matched.label,
+    apiKey: matched.value
+  }
+}
+
+// CHANGE: resolve active Claude API key from project env
+// WHY: show whether project is attached to a Claude profile
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: key(env) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: empty values map to null
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveProjectClaudeApiKey = (envText: string): string | null =>
+  findEnvValue(envText, claudeApiKeyBase)
+
+// CHANGE: resolve active Claude label override from project env
+// WHY: preserve explicit label selection across equivalent keys
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: label(env) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: empty values map to null
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveProjectClaudeLabel = (envText: string): string | null =>
+  findEnvValue(envText, claudeLabelKey)
+
+// CHANGE: resolve Claude label for a raw API key value
+// WHY: infer current profile when explicit project label is missing
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env,v: label(env,v) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: exact value match
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveClaudeLabelForApiKey = (
+  envText: string,
+  apiKey: string
+): string | null => {
+  const entries = listLabeledEnvEntries(envText, claudeApiKeyBase)
+  return resolveLabeledEnvLabelForValue(entries, apiKey)
+}
+
+// CHANGE: expose env key used to persist project Claude label
+// WHY: keep handlers aligned on a single key
+// QUOTE(ТЗ): "реализовать систему выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall _: key = constant
+// PURITY: CORE
+// EFFECT: Effect<string, never, never>
+// INVARIANT: constant key
+// COMPLEXITY: O(1)
+export const projectClaudeLabelKey = claudeLabelKey
diff --git a/packages/docker-git/src/server/core/domain.ts b/packages/docker-git/src/server/core/domain.ts
index 9fc116a9..52d5071a 100644
--- a/packages/docker-git/src/server/core/domain.ts
+++ b/packages/docker-git/src/server/core/domain.ts
@@ -80,44 +80,47 @@ export const resolveProjectsRoot = (cwd: string, env: Record<string, string | un
   return `${cwd}/.docker-git`
 }
 
-// CHANGE: derive the secrets root from the projects root
-// WHY: centralize shared credentials across docker-git environments
-// QUOTE(ТЗ): "удобную настройку ENV"
-// REF: user-request-2026-01-09
+// CHANGE: derive the shared `.orch` root from the projects root
+// WHY: keep shared credentials and auth caches in the existing `.orch` layout
+// QUOTE(ТЗ): "ОСТАВЬ ВСЁ В .orch"
+// REF: issue-61
 // SOURCE: n/a
-// FORMAT THEOREM: forall root: secrets(root) = root + "/secrets"
+// FORMAT THEOREM: forall root: orch(root) = root + "/.orch"
 // PURITY: CORE
-// EFFECT: Effect<string, never, never>
+// EFFECT: n/a
 // INVARIANT: returned path is non-empty
 // COMPLEXITY: O(1)
-export const resolveSecretsRoot = (projectsRoot: string): string =>
-  `${trimTrailingSlash(projectsRoot)}/secrets`
+export const resolveOrchRoot = (projectsRoot: string): string =>
+  `${trimTrailingSlash(projectsRoot)}/.orch`
+
+// Backward-compatible alias (older code/tests referenced "secrets" root).
+export const resolveSecretsRoot = (projectsRoot: string): string => resolveOrchRoot(projectsRoot)
 
 // CHANGE: derive the shared global env file path
 // WHY: allow orchestrator-level integrations without entering containers
 // QUOTE(ТЗ): "у меня должна быть возможность подключать гитхаб"
 // REF: user-request-2026-01-09
 // SOURCE: n/a
-// FORMAT THEOREM: forall root: globalEnv(root) = secrets(root) + "/global.env"
+// FORMAT THEOREM: forall root: globalEnv(root) = orch(root) + "/env/global.env"
 // PURITY: CORE
 // EFFECT: Effect<string, never, never>
 // INVARIANT: returned path is non-empty
 // COMPLEXITY: O(1)
 export const resolveGlobalEnvPath = (projectsRoot: string): string =>
-  `${resolveSecretsRoot(projectsRoot)}/global.env`
+  `${resolveOrchRoot(projectsRoot)}/env/global.env`
 
 // CHANGE: derive the shared Codex auth directory path
 // WHY: allow Codex credentials to be managed globally in the orchestrator
 // QUOTE(ТЗ): "Добавь подключение Codex в интеграции"
 // REF: user-request-2026-01-09
 // SOURCE: n/a
-// FORMAT THEOREM: forall root: codex(root) = secrets(root) + "/codex"
+// FORMAT THEOREM: forall root: codex(root) = orch(root) + "/auth/codex"
 // PURITY: CORE
 // EFFECT: Effect<string, never, never>
 // INVARIANT: returned path is non-empty
 // COMPLEXITY: O(1)
 export const resolveCodexAuthPath = (projectsRoot: string): string =>
-  `${resolveSecretsRoot(projectsRoot)}/codex`
+  `${resolveOrchRoot(projectsRoot)}/auth/codex`
 
 // CHANGE: resolve the SSH host for connection commands
 // WHY: allow users to override the hostname when SSH is bound to a specific interface
diff --git a/packages/docker-git/src/server/git-credentials.ts b/packages/docker-git/src/server/git-credentials.ts
new file mode 100644
index 00000000..affc4e92
--- /dev/null
+++ b/packages/docker-git/src/server/git-credentials.ts
@@ -0,0 +1,131 @@
+import { findEnvValue } from "./core/env.js"
+import {
+  type LabeledEnvEntry,
+  findLabeledEnvEntryByLabel,
+  listLabeledEnvEntries,
+  resolveLabeledEnvLabelForValue
+} from "./labeled-env.js"
+
+export interface GitCredentialEntry {
+  readonly label: string
+  readonly token: string
+  readonly user: string
+}
+
+const gitTokenBaseKey = "GIT_AUTH_TOKEN"
+const gitUserBaseKey = "GIT_AUTH_USER"
+const gitLabelKey = "GIT_AUTH_LABEL"
+const defaultGitUser = "x-access-token"
+
+const buildGitUserMap = (envText: string): ReadonlyMap<string, string> =>
+  new Map(
+    listLabeledEnvEntries(envText, gitUserBaseKey).map((entry) => [entry.label, entry.value] as const)
+  )
+
+const toGitCredential = (
+  tokenEntry: LabeledEnvEntry,
+  users: ReadonlyMap<string, string>
+): GitCredentialEntry => {
+  const defaultUser = users.get("default") ?? defaultGitUser
+  const user = users.get(tokenEntry.label) ?? defaultUser
+  return {
+    label: tokenEntry.label,
+    token: tokenEntry.value,
+    user
+  }
+}
+
+// CHANGE: list labeled Git credentials from env text
+// WHY: enable selecting one of many Git credential sets per project
+// QUOTE(ТЗ): "возможность выбора нескольки GH, GIT ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: list(env) -> credentials(env)
+// PURITY: CORE
+// EFFECT: Effect<ReadonlyArray<GitCredentialEntry>, never, never>
+// INVARIANT: token values are non-empty
+// COMPLEXITY: O(n) where n = |entries|
+export const listGitCredentials = (envText: string): ReadonlyArray<GitCredentialEntry> => {
+  const tokens = listLabeledEnvEntries(envText, gitTokenBaseKey)
+  const users = buildGitUserMap(envText)
+  return tokens.map((entry) => toGitCredential(entry, users))
+}
+
+// CHANGE: find Git credential by label
+// WHY: map selected label from UI to token+user pair
+// QUOTE(ТЗ): "реализовать систему где я могу задавать N множества ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall c,l: find(c,l) -> credential(l) | null
+// PURITY: CORE
+// EFFECT: Effect<GitCredentialEntry | null, never, never>
+// INVARIANT: label normalization matches key normalization
+// COMPLEXITY: O(n) where n = |credentials|
+export const findGitCredentialByLabel = (
+  envText: string,
+  label: string
+): GitCredentialEntry | null => {
+  const tokenEntries = listLabeledEnvEntries(envText, gitTokenBaseKey)
+  const token = findLabeledEnvEntryByLabel(tokenEntries, gitTokenBaseKey, label)
+  if (token === null) {
+    return null
+  }
+  const users = buildGitUserMap(envText)
+  return toGitCredential(token, users)
+}
+
+// CHANGE: resolve active Git token from project env
+// WHY: show currently connected Git credential in project settings
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: token(env) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: empty values map to null
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveProjectGitToken = (envText: string): string | null =>
+  findEnvValue(envText, gitTokenBaseKey)
+
+// CHANGE: resolve active Git label override from project env
+// WHY: preserve explicit label choice when token value can overlap
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: label(env) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: empty values map to null
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveProjectGitLabel = (envText: string): string | null =>
+  findEnvValue(envText, gitLabelKey)
+
+// CHANGE: resolve Git label by token value
+// WHY: show inferred active label when project label key is absent
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall c,t: label(c,t) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: exact token match
+// COMPLEXITY: O(n) where n = |credentials|
+export const resolveGitLabelForToken = (
+  envText: string,
+  token: string
+): string | null => {
+  const entries = listLabeledEnvEntries(envText, gitTokenBaseKey)
+  return resolveLabeledEnvLabelForValue(entries, token)
+}
+
+// CHANGE: expose env key used to persist project Git label
+// WHY: keep route handlers and helpers consistent
+// QUOTE(ТЗ): "реализовать систему выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall _: key = constant
+// PURITY: CORE
+// EFFECT: Effect<string, never, never>
+// INVARIANT: constant key
+// COMPLEXITY: O(1)
+export const projectGitLabelKey = gitLabelKey
diff --git a/packages/docker-git/src/server/github.ts b/packages/docker-git/src/server/github.ts
index 66a2cb20..27a009aa 100644
--- a/packages/docker-git/src/server/github.ts
+++ b/packages/docker-git/src/server/github.ts
@@ -3,7 +3,7 @@ import * as Data from "effect/Data"
 import * as ParseResult from "effect/ParseResult"
 import * as Schema from "effect/Schema"
 
-import { parseEnvEntries } from "./core/env.js"
+import { findEnvValue, parseEnvEntries } from "./core/env.js"
 
 export interface GithubTokenEntry {
   readonly key: string
@@ -43,6 +43,7 @@ const decodeGithubUser = (
 const tokenKey = "GITHUB_TOKEN"
 const tokenPrefix = "GITHUB_TOKEN__"
 const projectTokenKeys: ReadonlyArray<string> = ["GIT_AUTH_TOKEN", "GITHUB_TOKEN"]
+const projectLabelKey = "GITHUB_AUTH_LABEL"
 
 const normalizeLabel = (value: string): string => {
   const trimmed = value.trim()
@@ -117,6 +118,31 @@ export const resolveProjectGithubToken = (envText: string): string | null => {
   return null
 }
 
+// CHANGE: resolve active GitHub label override from project env
+// WHY: avoid scanning all stored tokens when a project explicitly picks a label
+// QUOTE(ТЗ): "выбор нескольки GH ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall env: label(env) -> string | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: empty values map to null
+// COMPLEXITY: O(n) where n = |lines|
+export const resolveProjectGithubLabel = (envText: string): string | null =>
+  findEnvValue(envText, projectLabelKey)
+
+// CHANGE: expose env key used to persist project GitHub label
+// WHY: keep route handlers aligned on a single key
+// QUOTE(ТЗ): "выбор нескольки GH ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall _: key = constant
+// PURITY: CORE
+// EFFECT: Effect<string, never, never>
+// INVARIANT: constant key
+// COMPLEXITY: O(1)
+export const projectGithubLabelKey = projectLabelKey
+
 // CHANGE: match a token value to a known label
 // WHY: show connected account label without leaking secrets
 // QUOTE(ТЗ): "должен быть отображён что за аккаунт подключён"
diff --git a/packages/docker-git/src/server/http.ts b/packages/docker-git/src/server/http.ts
index 7b812d7a..ca8b6495 100644
--- a/packages/docker-git/src/server/http.ts
+++ b/packages/docker-git/src/server/http.ts
@@ -22,8 +22,8 @@ import { DockerCommandError } from "../shell/errors.js"
 import { readProjectConfig } from "../shell/config.js"
 import { ProjectNotFoundError, StaticAssetNotFoundError } from "./errors.js"
 import { ProjectParamsSchema } from "./core/schema.js"
-import { resolveCodexAuthPath, resolveGlobalEnvPath, resolveSecretsRoot } from "./core/domain.js"
-import { upsertEnvKey } from "./core/env.js"
+import { resolveCodexAuthPath, resolveGlobalEnvPath } from "./core/domain.js"
+import { parseEnvEntries, upsertEnvKey } from "./core/env.js"
 import { loadProject, scanProjects } from "./projects.js"
 import { readDockerComposeLogs, readDockerComposePs } from "./docker.js"
 import { readEnvFile, writeEnvFile } from "./env.js"
@@ -50,18 +50,31 @@ import {
   renderOutputPage,
   renderTerminalPage
 } from "./view.js"
-import type { GithubAccountView } from "./view.js"
 import {
   buildGithubTokenKey,
-  fetchGithubAccount,
   findGithubTokenByLabel,
   listGithubTokens,
-  resolveGithubLabelForToken,
+  projectGithubLabelKey,
+  resolveProjectGithubLabel,
   resolveProjectGithubToken
 } from "./github.js"
+import {
+  findGitCredentialByLabel,
+  projectGitLabelKey,
+  resolveProjectGitLabel,
+  resolveProjectGitToken
+} from "./git-credentials.js"
+import {
+  findClaudeApiKeyByLabel,
+  projectClaudeLabelKey,
+  resolveProjectClaudeApiKey,
+  resolveProjectClaudeLabel
+} from "./claude.js"
+import { buildLabeledEnvKey } from "./labeled-env.js"
 import { createProject } from "@effect-template/lib/usecases/actions"
 import { buildCreateCommand } from "@effect-template/lib/core/command-builders"
 import type { RawOptions } from "@effect-template/lib/core/command-options"
+import type { DockerAccessError as LibDockerAccessError } from "@effect-template/lib/shell/errors"
 import { defaultTemplateConfig, deriveRepoSlug } from "../core/domain.js"
 import { formatParseError } from "@effect-template/lib/core/parse-errors"
 import {
@@ -97,6 +110,7 @@ type ApiError =
   | CloneFailedError
   | PortProbeError
   | DockerCommandError
+  | LibDockerAccessError
   | CodexAuthError
   | ParseResult.ParseError
   | HttpBody.HttpBodyError
@@ -123,6 +137,37 @@ const GithubProjectConnectSchema = Schema.Struct({
 
 const GithubProjectDisconnectSchema = Schema.Struct({})
 
+const GitConnectSchema = Schema.Struct({
+  gitToken: Schema.String,
+  gitUser: Schema.optional(Schema.String),
+  gitLabel: Schema.optional(Schema.String)
+})
+
+const GitDisconnectSchema = Schema.Struct({
+  gitLabel: Schema.optional(Schema.String)
+})
+
+const GitProjectConnectSchema = Schema.Struct({
+  gitLabel: Schema.String
+})
+
+const GitProjectDisconnectSchema = Schema.Struct({})
+
+const ClaudeConnectSchema = Schema.Struct({
+  claudeApiKey: Schema.String,
+  claudeLabel: Schema.optional(Schema.String)
+})
+
+const ClaudeDisconnectSchema = Schema.Struct({
+  claudeLabel: Schema.optional(Schema.String)
+})
+
+const ClaudeProjectConnectSchema = Schema.Struct({
+  claudeLabel: Schema.String
+})
+
+const ClaudeProjectDisconnectSchema = Schema.Struct({})
+
 const CodexConnectSchema = Schema.Struct({
   codexSource: Schema.optional(Schema.String),
   codexLabel: Schema.optional(Schema.String)
@@ -148,18 +193,6 @@ const GitIdentitySchema = Schema.Struct({
   gitUserEmail: Schema.String
 })
 
-const makeGithubConnected = (label: string, login: string): GithubAccountView => ({
-  _tag: "Connected",
-  label,
-  login
-})
-
-const makeGithubError = (label: string, message: string): GithubAccountView => ({
-  _tag: "Error",
-  label,
-  message
-})
-
 const sshPortRange: PortRange = { min: 2222, max: 2299 }
 
 const chooseSshPort = (
@@ -168,6 +201,14 @@ const chooseSshPort = (
 ): number =>
   findAvailablePort(preferred, usedPorts, sshPortRange) ?? preferred
 
+const countKeyEntries = (envText: string, baseKey: string): number => {
+  const prefix = `${baseKey}__`
+  return parseEnvEntries(envText)
+    .filter((entry) =>
+      entry.value.trim().length > 0 && (entry.key === baseKey || entry.key.startsWith(prefix)))
+    .length
+}
+
 const jsonResponse = (data: unknown, status: number) =>
   pipe(
     HttpServerResponse.json(data),
@@ -463,7 +504,7 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
       )
     })
 
-  const uiRouter = HttpRouter.empty.pipe(
+  const uiRouterBase = HttpRouter.empty.pipe(
     HttpRouter.get(
       "/",
       pipe(
@@ -480,19 +521,8 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         const resolvedRoot = path.resolve(projectsRoot)
         const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
         const envText = yield* _(readEnvFile(globalEnvPath))
-        const tokens = listGithubTokens(envText)
-        const results = yield* _(
-          Effect.forEach(tokens, (entry) => Effect.either(fetchGithubAccount(entry)))
-        )
-        const accounts = results.map((result) =>
-          Either.match(result, {
-            onLeft: (error: { readonly label: string; readonly message: string }) =>
-              makeGithubError(error.label, error.message),
-            onRight: (account: { readonly label: string; readonly login: string }) =>
-              makeGithubConnected(account.label, account.login)
-          })
-        )
-        const html = renderClonePage(globalEnvPath, accounts)
+        const githubTokenEntries = countKeyEntries(envText, "GITHUB_TOKEN")
+        const html = renderClonePage(globalEnvPath, githubTokenEntries)
         return HttpServerResponse.html(html)
       }).pipe(
         Effect.tapError((error) => Console.error(`clone failed: ${String(error)}`)),
@@ -507,20 +537,18 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
         const codexRootPath = yield* _(resolveWritableCodexRoot(resolvedRoot))
         const envText = yield* _(readEnvFile(globalEnvPath))
-        const tokens = listGithubTokens(envText)
-        const results = yield* _(
-          Effect.forEach(tokens, (entry) => Effect.either(fetchGithubAccount(entry)))
-        )
-        const accounts = results.map((result) =>
-          Either.match(result, {
-            onLeft: (error: { readonly label: string; readonly message: string }) =>
-              makeGithubError(error.label, error.message),
-            onRight: (account: { readonly label: string; readonly login: string }) =>
-              makeGithubConnected(account.label, account.login)
-          })
-        )
+        const githubTokenEntries = countKeyEntries(envText, "GITHUB_TOKEN")
+        const gitTokenEntries = countKeyEntries(envText, "GIT_AUTH_TOKEN")
+        const claudeKeyEntries = countKeyEntries(envText, "ANTHROPIC_API_KEY")
         const codexAccounts = yield* _(listCodexAccounts(codexRootPath))
-        const html = renderIntegrationsPage(globalEnvPath, accounts, codexRootPath, codexAccounts)
+        const html = renderIntegrationsPage(
+          globalEnvPath,
+          githubTokenEntries,
+          gitTokenEntries,
+          claudeKeyEntries,
+          codexRootPath,
+          codexAccounts
+        )
         return HttpServerResponse.html(html)
       }).pipe(Effect.catchAll(htmlErrorResponse))
     ),
@@ -559,6 +587,74 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         return HttpServerResponse.redirect("/integrations")
       }).pipe(Effect.catchAll(htmlErrorResponse))
     ),
+    HttpRouter.post(
+      "/integrations/git/connect",
+      Effect.gen(function* (_) {
+        const { gitLabel, gitToken, gitUser } = yield* _(HttpServerRequest.schemaBodyUrlParams(GitConnectSchema))
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const envText = yield* _(readEnvFile(globalEnvPath))
+        const label = gitLabel?.trim() ?? ""
+        const tokenKey = buildLabeledEnvKey("GIT_AUTH_TOKEN", label)
+        const userKey = buildLabeledEnvKey("GIT_AUTH_USER", label)
+        const trimmedGitUser = gitUser?.trim() ?? ""
+        const user = trimmedGitUser.length > 0 ? trimmedGitUser : "x-access-token"
+        const withToken = upsertEnvKey(envText, tokenKey, gitToken)
+        const nextText = upsertEnvKey(withToken, userKey, user)
+        yield* _(writeEnvFile(globalEnvPath, nextText))
+        return HttpServerResponse.redirect("/integrations")
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/integrations/git/disconnect",
+      Effect.gen(function* (_) {
+        const { gitLabel } = yield* _(HttpServerRequest.schemaBodyUrlParams(GitDisconnectSchema))
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const envText = yield* _(readEnvFile(globalEnvPath))
+        const label = gitLabel?.trim() ?? ""
+        const tokenKey = buildLabeledEnvKey("GIT_AUTH_TOKEN", label)
+        const userKey = buildLabeledEnvKey("GIT_AUTH_USER", label)
+        const withoutToken = upsertEnvKey(envText, tokenKey, "")
+        const nextText = upsertEnvKey(withoutToken, userKey, "")
+        yield* _(writeEnvFile(globalEnvPath, nextText))
+        return HttpServerResponse.redirect("/integrations")
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/integrations/claude/connect",
+      Effect.gen(function* (_) {
+        const { claudeApiKey, claudeLabel } = yield* _(
+          HttpServerRequest.schemaBodyUrlParams(ClaudeConnectSchema)
+        )
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const envText = yield* _(readEnvFile(globalEnvPath))
+        const key = buildLabeledEnvKey("ANTHROPIC_API_KEY", claudeLabel?.trim() ?? "")
+        const nextText = upsertEnvKey(envText, key, claudeApiKey)
+        yield* _(writeEnvFile(globalEnvPath, nextText))
+        return HttpServerResponse.redirect("/integrations")
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/integrations/claude/disconnect",
+      Effect.gen(function* (_) {
+        const { claudeLabel } = yield* _(
+          HttpServerRequest.schemaBodyUrlParams(ClaudeDisconnectSchema)
+        )
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const envText = yield* _(readEnvFile(globalEnvPath))
+        const key = buildLabeledEnvKey("ANTHROPIC_API_KEY", claudeLabel?.trim() ?? "")
+        const nextText = upsertEnvKey(envText, key, "")
+        yield* _(writeEnvFile(globalEnvPath, nextText))
+        return HttpServerResponse.redirect("/integrations")
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
     HttpRouter.post(
       "/integrations/codex/connect",
       Effect.gen(function* (_) {
@@ -649,7 +745,6 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
 
         const path = yield* _(Path.Path)
         const resolvedRoot = path.resolve(projectsRoot)
-        const secretsRoot = resolveSecretsRoot(resolvedRoot)
         const codexRootPath = yield* _(resolveWritableCodexRoot(resolvedRoot))
         const expectedCodexRoot = resolveCodexAuthPath(resolvedRoot)
         const resolvedCodexRoot = path.resolve(codexRootPath)
@@ -665,7 +760,6 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         const selectedPort = chooseSshPort(defaultTemplateConfig.sshPort, usedPorts)
         const raw: RawOptions = {
           repoUrl: trimmedRepoUrl,
-          secretsRoot,
           codexAuthPath: projectCodexPath,
           outDir,
           up: false,
@@ -709,7 +803,9 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
                     "GIT_AUTH_TOKEN",
                     selected.token
                   )
-                  const nextProjectEnv = upsertEnvKey(withGitToken, "GH_TOKEN", selected.token)
+                  const withGhToken = upsertEnvKey(withGitToken, "GH_TOKEN", selected.token)
+                  const withGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, "")
+                  const nextProjectEnv = upsertEnvKey(withGitLabel, projectGithubLabelKey, selected.label)
                   yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
                 }
                 yield* _(syncProjectCodexAuth(projectsRoot, project))
@@ -755,7 +851,10 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
           })
         )
       }).pipe(Effect.catchAll(htmlErrorResponse))
-    ),
+    )
+  )
+
+  const uiRouter = uiRouterBase.pipe(
     HttpRouter.get(
       "/terminal/:projectId",
       pipe(
@@ -792,30 +891,34 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         ),
         Effect.flatMap(({ project, globalEnv, projectEnv, integrationsEnv, codexAccounts, codexProject }) =>
           Effect.gen(function* (_) {
-            const tokens = listGithubTokens(integrationsEnv)
-            const results = yield* _(
-              Effect.forEach(tokens, (entry) => Effect.either(fetchGithubAccount(entry)))
-            )
-            const accounts = results.map((result) =>
-              Either.match(result, {
-                onLeft: (error: { readonly label: string; readonly message: string }) =>
-                  makeGithubError(error.label, error.message),
-                onRight: (account: { readonly label: string; readonly login: string }) =>
-                  makeGithubConnected(account.label, account.login)
-              })
-            )
-            const activeToken = resolveProjectGithubToken(projectEnv)
-            const activeLabel = activeToken === null
-              ? null
-              : resolveGithubLabelForToken(tokens, activeToken) ?? "custom"
+            const githubTokenEntries = countKeyEntries(integrationsEnv, "GITHUB_TOKEN")
+            const gitTokenEntries = countKeyEntries(integrationsEnv, "GIT_AUTH_TOKEN")
+            const claudeKeyEntries = countKeyEntries(integrationsEnv, "ANTHROPIC_API_KEY")
+
+            const projectGithubLabel = resolveProjectGithubLabel(projectEnv)
+            const projectGithubToken = resolveProjectGithubToken(projectEnv)
+            const activeGithubLabel = projectGithubLabel ?? (projectGithubToken === null ? null : "custom")
+
+            const activeProjectGitLabel = resolveProjectGitLabel(projectEnv)
+            const activeProjectGitToken = resolveProjectGitToken(projectEnv)
+            const activeGitLabel = activeProjectGitLabel ?? (activeProjectGitToken === null ? null : "custom")
+
+            const activeProjectClaudeLabel = resolveProjectClaudeLabel(projectEnv)
+            const activeProjectClaudeApiKey = resolveProjectClaudeApiKey(projectEnv)
+            const activeClaudeLabel = activeProjectClaudeLabel ?? (activeProjectClaudeApiKey === null ? null : "custom")
+
             const codexLabel = resolveProjectCodexLabel(projectEnv)
             const activeCodexLabel = codexLabel ?? (codexProject.connected ? "custom" : null)
             return renderEnvPage(
               project,
               globalEnv,
               projectEnv,
-              accounts,
-              activeLabel,
+              githubTokenEntries,
+              activeGithubLabel,
+              gitTokenEntries,
+              activeGitLabel,
+              claudeKeyEntries,
+              activeClaudeLabel,
               codexAccounts,
               activeCodexLabel
             )
@@ -872,7 +975,9 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         }
         const projectEnv = yield* _(readEnvFile(project.envProjectPath))
         const withGitToken = upsertEnvKey(projectEnv, "GIT_AUTH_TOKEN", selected.token)
-        const nextProjectEnv = upsertEnvKey(withGitToken, "GH_TOKEN", selected.token)
+        const withGhToken = upsertEnvKey(withGitToken, "GH_TOKEN", selected.token)
+        const withGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, "")
+        const nextProjectEnv = upsertEnvKey(withGitLabel, projectGithubLabelKey, selected.label)
         yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
         return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
       }).pipe(Effect.catchAll(htmlErrorResponse))
@@ -885,7 +990,89 @@ export const makeRouter = ({ cwd, projectsRoot, webRoot, vendorRoot, terminalPor
         const project = yield* _(loadProject(projectsRoot, projectId, cwd))
         const projectEnv = yield* _(readEnvFile(project.envProjectPath))
         const withoutGitToken = upsertEnvKey(projectEnv, "GIT_AUTH_TOKEN", "")
-        const nextProjectEnv = upsertEnvKey(withoutGitToken, "GH_TOKEN", "")
+        const withGhToken = upsertEnvKey(withoutGitToken, "GH_TOKEN", "")
+        const withGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, "")
+        const nextProjectEnv = upsertEnvKey(withGitLabel, projectGithubLabelKey, "")
+        yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
+        return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/env/:projectId/connect/git",
+      Effect.gen(function* (_) {
+        const { projectId } = yield* _(projectParams)
+        const { gitLabel } = yield* _(HttpServerRequest.schemaBodyUrlParams(GitProjectConnectSchema))
+        const project = yield* _(loadProject(projectsRoot, projectId, cwd))
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const globalEnv = yield* _(readEnvFile(globalEnvPath))
+        const selected = findGitCredentialByLabel(globalEnv, gitLabel)
+        if (selected === null) {
+          return HttpServerResponse.html(
+            renderOutputPage("Git credentials not found", `Label not found: ${gitLabel}`)
+          )
+        }
+        const projectEnv = yield* _(readEnvFile(project.envProjectPath))
+        const withToken = upsertEnvKey(projectEnv, "GIT_AUTH_TOKEN", selected.token)
+        const withUser = upsertEnvKey(withToken, "GIT_AUTH_USER", selected.user)
+        const withGhToken = upsertEnvKey(withUser, "GH_TOKEN", selected.token)
+        const withGitLabel = upsertEnvKey(withGhToken, projectGitLabelKey, selected.label)
+        const nextProjectEnv = upsertEnvKey(withGitLabel, projectGithubLabelKey, selected.label)
+        yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
+        return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/env/:projectId/disconnect/git",
+      Effect.gen(function* (_) {
+        const { projectId } = yield* _(projectParams)
+        yield* _(HttpServerRequest.schemaBodyUrlParams(GitProjectDisconnectSchema))
+        const project = yield* _(loadProject(projectsRoot, projectId, cwd))
+        const projectEnv = yield* _(readEnvFile(project.envProjectPath))
+        const withoutToken = upsertEnvKey(projectEnv, "GIT_AUTH_TOKEN", "")
+        const withoutUser = upsertEnvKey(withoutToken, "GIT_AUTH_USER", "")
+        const withoutGhToken = upsertEnvKey(withoutUser, "GH_TOKEN", "")
+        const withGitLabel = upsertEnvKey(withoutGhToken, projectGitLabelKey, "")
+        const nextProjectEnv = upsertEnvKey(withGitLabel, projectGithubLabelKey, "")
+        yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
+        return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/env/:projectId/connect/claude",
+      Effect.gen(function* (_) {
+        const { projectId } = yield* _(projectParams)
+        const { claudeLabel } = yield* _(
+          HttpServerRequest.schemaBodyUrlParams(ClaudeProjectConnectSchema)
+        )
+        const project = yield* _(loadProject(projectsRoot, projectId, cwd))
+        const path = yield* _(Path.Path)
+        const resolvedRoot = path.resolve(projectsRoot)
+        const globalEnvPath = resolveGlobalEnvPath(resolvedRoot)
+        const globalEnv = yield* _(readEnvFile(globalEnvPath))
+        const selected = findClaudeApiKeyByLabel(globalEnv, claudeLabel)
+        if (selected === null) {
+          return HttpServerResponse.html(
+            renderOutputPage("Claude key not found", `Label not found: ${claudeLabel}`)
+          )
+        }
+        const projectEnv = yield* _(readEnvFile(project.envProjectPath))
+        const withApiKey = upsertEnvKey(projectEnv, "ANTHROPIC_API_KEY", selected.apiKey)
+        const nextProjectEnv = upsertEnvKey(withApiKey, projectClaudeLabelKey, selected.label)
+        yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
+        return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
+      }).pipe(Effect.catchAll(htmlErrorResponse))
+    ),
+    HttpRouter.post(
+      "/env/:projectId/disconnect/claude",
+      Effect.gen(function* (_) {
+        const { projectId } = yield* _(projectParams)
+        yield* _(HttpServerRequest.schemaBodyUrlParams(ClaudeProjectDisconnectSchema))
+        const project = yield* _(loadProject(projectsRoot, projectId, cwd))
+        const projectEnv = yield* _(readEnvFile(project.envProjectPath))
+        const withoutApiKey = upsertEnvKey(projectEnv, "ANTHROPIC_API_KEY", "")
+        const nextProjectEnv = upsertEnvKey(withoutApiKey, projectClaudeLabelKey, "")
         yield* _(writeEnvFile(project.envProjectPath, nextProjectEnv))
         return HttpServerResponse.redirect(`/env/${encodeURIComponent(project.id)}`)
       }).pipe(Effect.catchAll(htmlErrorResponse))
diff --git a/packages/docker-git/src/server/labeled-env.ts b/packages/docker-git/src/server/labeled-env.ts
new file mode 100644
index 00000000..fd3c0536
--- /dev/null
+++ b/packages/docker-git/src/server/labeled-env.ts
@@ -0,0 +1,121 @@
+import { parseEnvEntries } from "./core/env.js"
+
+export interface LabeledEnvEntry {
+  readonly key: string
+  readonly label: string
+  readonly value: string
+}
+
+const normalizeLabel = (value: string): string => {
+  const trimmed = value.trim()
+  if (trimmed.length === 0) {
+    return ""
+  }
+  const normalized = trimmed
+    .toUpperCase()
+    .replace(/[^A-Z0-9]+/g, "_")
+    .replace(/^_+/, "")
+    .replace(/_+$/, "")
+  return normalized.length > 0 ? normalized : ""
+}
+
+const buildLabelPrefix = (baseKey: string): string => `${baseKey}__`
+
+const resolveLabelFromKey = (
+  baseKey: string,
+  key: string
+): string | null => {
+  if (key === baseKey) {
+    return "default"
+  }
+  const prefix = buildLabelPrefix(baseKey)
+  if (!key.startsWith(prefix)) {
+    return null
+  }
+  const rawLabel = key.slice(prefix.length)
+  const normalized = normalizeLabel(rawLabel)
+  return normalized.length > 0 ? normalized : null
+}
+
+// CHANGE: build a normalized env key for labeled secrets
+// WHY: keep key resolution deterministic across services (Git / Claude / etc)
+// QUOTE(ТЗ): "реализовать систему где я могу задавать N множества ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall b,l: key(b,l) = b | b__LABEL
+// PURITY: CORE
+// EFFECT: Effect<string, never, never>
+// INVARIANT: empty/default labels resolve to the base key
+// COMPLEXITY: O(|l|)
+export const buildLabeledEnvKey = (baseKey: string, label: string): string => {
+  const normalized = normalizeLabel(label)
+  if (normalized.length === 0 || normalized === "DEFAULT") {
+    return baseKey
+  }
+  return `${buildLabelPrefix(baseKey)}${normalized}`
+}
+
+// CHANGE: list labeled env entries for a base key
+// WHY: support multiple credential sets under one service namespace
+// QUOTE(ТЗ): "задавать N множества ключей"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall e,b: list(e,b) subset assignments(e)
+// PURITY: CORE
+// EFFECT: Effect<ReadonlyArray<LabeledEnvEntry>, never, never>
+// INVARIANT: only non-empty values are returned
+// COMPLEXITY: O(n) where n = |entries|
+export const listLabeledEnvEntries = (
+  envText: string,
+  baseKey: string
+): ReadonlyArray<LabeledEnvEntry> =>
+  parseEnvEntries(envText)
+    .flatMap((entry) => {
+      const label = resolveLabelFromKey(baseKey, entry.key)
+      if (label === null) {
+        return []
+      }
+      return [{
+        key: entry.key,
+        label,
+        value: entry.value
+      }]
+    })
+    .filter((entry) => entry.value.trim().length > 0)
+
+// CHANGE: find a labeled entry by label
+// WHY: map UI-selected labels to stored env values
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall s,l: find(s,l) -> entry(l) | null
+// PURITY: CORE
+// EFFECT: Effect<LabeledEnvEntry | null, never, never>
+// INVARIANT: label normalization matches buildLabeledEnvKey
+// COMPLEXITY: O(n) where n = |entries|
+export const findLabeledEnvEntryByLabel = (
+  entries: ReadonlyArray<LabeledEnvEntry>,
+  baseKey: string,
+  label: string
+): LabeledEnvEntry | null => {
+  const key = buildLabeledEnvKey(baseKey, label)
+  return entries.find((entry) => entry.key === key) ?? null
+}
+
+// CHANGE: resolve label for a concrete secret value
+// WHY: show active labeled profile in project settings
+// QUOTE(ТЗ): "возможность выбора"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall s,v: resolve(s,v) -> label(v) | null
+// PURITY: CORE
+// EFFECT: Effect<string | null, never, never>
+// INVARIANT: exact value match
+// COMPLEXITY: O(n) where n = |entries|
+export const resolveLabeledEnvLabelForValue = (
+  entries: ReadonlyArray<LabeledEnvEntry>,
+  value: string
+): string | null => {
+  const match = entries.find((entry) => entry.value === value)
+  return match ? match.label : null
+}
diff --git a/packages/docker-git/src/server/view.ts b/packages/docker-git/src/server/view.ts
index ff3d7d83..ab41e5f7 100644
--- a/packages/docker-git/src/server/view.ts
+++ b/packages/docker-git/src/server/view.ts
@@ -380,10 +380,6 @@ export const renderCodexLoginPage = (label: string | null, terminalPort: number)
 // EFFECT: Effect<string, never, never>
 // INVARIANT: escaped user-provided strings
 // COMPLEXITY: O(1)
-export type GithubAccountView =
-  | { readonly _tag: "Connected"; readonly label: string; readonly login: string }
-  | { readonly _tag: "Error"; readonly label: string; readonly message: string }
-
 export interface CodexAccountView {
   readonly label: string
   readonly path: string
@@ -392,88 +388,10 @@ export interface CodexAccountView {
   readonly legacy: boolean
 }
 
-const renderGithubAccounts = (accounts: ReadonlyArray<GithubAccountView>): string => {
-  if (accounts.length === 0) {
-    return `<div>Accounts: <span>none</span></div>`
-  }
-
-  return accounts
-    .map((account) =>
-      account._tag === "Connected"
-        ? `<div>Account: <span>${escapeHtml(account.label)} · ${escapeHtml(account.login)}</span></div>`
-        : `<div>Account: <span>${escapeHtml(account.label)} · error</span></div>`
-    )
-    .join("\n")
-}
-
-const renderGithubDisconnectForms = (accounts: ReadonlyArray<GithubAccountView>): string => {
-  if (accounts.length === 0) {
-    return ""
-  }
-
-  return accounts
-    .map((account) =>
-      `<form method="post" action="/integrations/github/disconnect" class="env-actions">
-        <input type="hidden" name="githubLabel" value="${escapeHtml(account.label)}" />
-        <button class="btn" type="submit">Disconnect ${escapeHtml(account.label)}</button>
-      </form>`
-    )
-    .join("\n")
-}
-
-const findGithubLogin = (
-  accounts: ReadonlyArray<GithubAccountView>,
-  label: string
-): string | null => {
-  const match = accounts.find(
-    (account) => account._tag === "Connected" && account.label === label
-  )
-  return match && match._tag === "Connected" ? match.login : null
-}
-
-const renderGithubActiveLine = (
-  accounts: ReadonlyArray<GithubAccountView>,
-  activeLabel: string | null
-): string => {
-  if (activeLabel === null) {
-    return `<div>Active: <span>none</span></div>`
-  }
-  const login = findGithubLogin(accounts, activeLabel)
-  const suffix = login ? ` · ${escapeHtml(login)}` : ""
-  return `<div>Active: <span>${escapeHtml(activeLabel)}${suffix}</span></div>`
-}
-
-const renderGithubAccountOptions = (accounts: ReadonlyArray<GithubAccountView>): string => {
-  if (accounts.length === 0) {
-    return `<option value="" disabled selected>No accounts connected</option>`
-  }
-
-  return accounts
-    .map((account) =>
-      account._tag === "Connected"
-        ? `<option value="${escapeHtml(account.label)}">${escapeHtml(account.label)} · ${escapeHtml(account.login)}</option>`
-        : `<option value="${escapeHtml(account.label)}" disabled>${escapeHtml(account.label)} · error</option>`
-    )
-    .join("\n")
-}
-
-const renderGithubAccountOptionsForClone = (accounts: ReadonlyArray<GithubAccountView>): string => {
-  const base = `<option value="" selected>Public repo (no token)</option>`
-  if (accounts.length === 0) {
-    return base
-  }
-
-  const options = accounts
-    .map((account) =>
-      account._tag === "Connected"
-        ? `<option value="${escapeHtml(account.label)}">${escapeHtml(account.label)} · ${escapeHtml(account.login)}</option>`
-        : `<option value="${escapeHtml(account.label)}" disabled>${escapeHtml(account.label)} · error</option>`
-    )
-    .join("\n")
-
-  return `${base}
-${options}`
-}
+const renderActiveLabelLine = (activeLabel: string | null): string =>
+  activeLabel === null
+    ? `<div>Active: <span>none</span></div>`
+    : `<div>Active: <span>${escapeHtml(activeLabel)}</span></div>`
 
 const renderCodexAccounts = (accounts: ReadonlyArray<CodexAccountView>): string => {
   if (accounts.length === 0) {
@@ -533,7 +451,9 @@ const renderCodexActiveLine = (
 
 export const renderIntegrationsPage = (
   globalEnvPath: string,
-  githubAccounts: ReadonlyArray<GithubAccountView>,
+  githubTokenEntries: number,
+  gitTokenEntries: number,
+  claudeKeyEntries: number,
   codexRootPath: string,
   codexAccounts: ReadonlyArray<CodexAccountView>
 ): string => `<!doctype html>
@@ -569,8 +489,8 @@ export const renderIntegrationsPage = (
             </div>
             <h3>GitHub</h3>
             <div class="meta">
-              <div>Status: <span>${githubAccounts.length > 0 ? "Connected" : "Not connected"}</span></div>
-              ${renderGithubAccounts(githubAccounts)}
+              <div>Status: <span>${githubTokenEntries > 0 ? "Connected" : "Not connected"}</span></div>
+              <div>Tokens: <span>${githubTokenEntries}</span></div>
             </div>
             <div class="env-actions env-actions--left">
               <a
@@ -585,7 +505,49 @@ export const renderIntegrationsPage = (
               <input class="env-input" type="password" name="githubToken" placeholder="ghp_..." required />
               <button class="btn primary" type="submit">Connect</button>
             </form>
-            ${renderGithubDisconnectForms(githubAccounts)}
+            <form method="post" action="/integrations/github/disconnect" class="env-actions">
+              <input class="env-input" type="text" name="githubLabel" placeholder="label (empty = default)" />
+              <button class="btn" type="submit">Disconnect</button>
+            </form>
+          </article>
+          <article class="card">
+            <div>
+              <span class="badge">git</span>
+            </div>
+            <h3>Git credentials</h3>
+            <div class="meta">
+              <div>Status: <span>${gitTokenEntries > 0 ? "Connected" : "Not connected"}</span></div>
+              <div>Tokens: <span>${gitTokenEntries}</span></div>
+            </div>
+            <form method="post" action="/integrations/git/connect" class="env-actions">
+              <input class="env-input" type="text" name="gitLabel" placeholder="label (optional)" />
+              <input class="env-input" type="text" name="gitUser" placeholder="x-access-token (optional)" />
+              <input class="env-input" type="password" name="gitToken" placeholder="token" required />
+              <button class="btn primary" type="submit">Connect</button>
+            </form>
+            <form method="post" action="/integrations/git/disconnect" class="env-actions">
+              <input class="env-input" type="text" name="gitLabel" placeholder="label (empty = default)" />
+              <button class="btn" type="submit">Disconnect</button>
+            </form>
+          </article>
+          <article class="card">
+            <div>
+              <span class="badge">claude</span>
+            </div>
+            <h3>Claude Code</h3>
+            <div class="meta">
+              <div>Status: <span>${claudeKeyEntries > 0 ? "Connected" : "Not connected"}</span></div>
+              <div>Keys: <span>${claudeKeyEntries}</span></div>
+            </div>
+            <form method="post" action="/integrations/claude/connect" class="env-actions">
+              <input class="env-input" type="text" name="claudeLabel" placeholder="label (optional)" />
+              <input class="env-input" type="password" name="claudeApiKey" placeholder="sk-ant-..." required />
+              <button class="btn primary" type="submit">Connect</button>
+            </form>
+            <form method="post" action="/integrations/claude/disconnect" class="env-actions">
+              <input class="env-input" type="text" name="claudeLabel" placeholder="label (empty = default)" />
+              <button class="btn" type="submit">Disconnect</button>
+            </form>
           </article>
           <article class="card">
             <div>
@@ -634,7 +596,7 @@ export const renderIntegrationsPage = (
 // COMPLEXITY: O(n) where n = |accounts|
 export const renderClonePage = (
   globalEnvPath: string,
-  githubAccounts: ReadonlyArray<GithubAccountView>
+  githubTokenEntries: number
 ): string => `<!doctype html>
 <html lang="en">
   <head>
@@ -668,18 +630,16 @@ export const renderClonePage = (
             </div>
             <h3>New docker-git project</h3>
             <div class="meta">
-              <div>Git session: <span>select a GitHub account for private repos</span></div>
+              <div>Git session: <span>enter a GitHub label for private repos (${githubTokenEntries} tokens)</span></div>
             </div>
             <form method="post" action="/clone" class="env-actions env-actions--left">
               <input class="env-input" type="text" name="repoUrl" placeholder="https://github.com/org/repo" required />
               <input class="env-input" type="text" name="repoRef" placeholder="main (optional)" />
-              <select class="env-select" name="githubLabel">
-                ${renderGithubAccountOptionsForClone(githubAccounts)}
-              </select>
+              <input class="env-input" type="text" name="githubLabel" placeholder="github label (optional; e.g. default)" />
               <button class="btn primary" type="submit">Clone</button>
             </form>
             <div class="env-note">
-              <p class="muted">For private repos, pick a connected GitHub account from Integrations.</p>
+              <p class="muted">For private repos, enter a GitHub label from Integrations (use <span class="mono">default</span> for the base token).</p>
               <p class="muted">Public repos can be cloned without a token.</p>
             </div>
           </article>
@@ -784,14 +744,21 @@ export const renderEnvPage = (
   project: ProjectSummary,
   globalEnv: string,
   projectEnv: string,
-  githubAccounts: ReadonlyArray<GithubAccountView>,
+  githubTokenEntries: number,
   activeGithubLabel: string | null,
+  gitTokenEntries: number,
+  activeGitLabel: string | null,
+  claudeKeyEntries: number,
+  activeClaudeLabel: string | null,
   codexAccounts: ReadonlyArray<CodexAccountView>,
   activeCodexLabel: string | null
 ): string => {
-  const hasGithubAccounts = githubAccounts.some((account) => account._tag === "Connected")
-  const githubSelect = renderGithubAccountOptions(githubAccounts)
-  const githubActiveLine = renderGithubActiveLine(githubAccounts, activeGithubLabel)
+  const hasGithubAccounts = githubTokenEntries > 0
+  const githubActiveLine = renderActiveLabelLine(activeGithubLabel)
+  const hasGitCredentials = gitTokenEntries > 0
+  const gitCredentialActiveLine = renderActiveLabelLine(activeGitLabel)
+  const hasClaudeAccounts = claudeKeyEntries > 0
+  const claudeActiveLine = renderActiveLabelLine(activeClaudeLabel)
   const codexHasAccounts = codexAccounts.some((account) => account.connected)
   const codexSelect = renderCodexAccountOptions(codexAccounts)
   const codexActiveLine = renderCodexActiveLine(codexAccounts, activeCodexLabel)
@@ -835,14 +802,41 @@ export const renderEnvPage = (
               ${githubActiveLine}
             </div>
             <form method="post" action="/env/${encodeURIComponent(project.id)}/connect/github" class="env-actions env-actions--left">
-              <select class="env-select" name="githubLabel" ${hasGithubAccounts ? "" : "disabled"}>
-                ${githubSelect}
-              </select>
+              <input class="env-input" type="text" name="githubLabel" placeholder="label (empty = default)" ${hasGithubAccounts ? "" : "disabled"} />
               <button class="btn primary" type="submit" ${hasGithubAccounts ? "" : "disabled"}>Use for this project</button>
             </form>
             <form method="post" action="/env/${encodeURIComponent(project.id)}/disconnect/github" class="env-actions env-actions--left">
               <button class="btn" type="submit">Disconnect git</button>
             </form>
+            <p class="muted">Available tokens: <span>${githubTokenEntries}</span></p>
+          </div>
+          <div class="service-card">
+            <div class="service-row">
+              <strong>Git credentials</strong>
+              ${gitCredentialActiveLine}
+            </div>
+            <form method="post" action="/env/${encodeURIComponent(project.id)}/connect/git" class="env-actions env-actions--left">
+              <input class="env-input" type="text" name="gitLabel" placeholder="label (empty = default)" ${hasGitCredentials ? "" : "disabled"} />
+              <button class="btn primary" type="submit" ${hasGitCredentials ? "" : "disabled"}>Use for this project</button>
+            </form>
+            <form method="post" action="/env/${encodeURIComponent(project.id)}/disconnect/git" class="env-actions env-actions--left">
+              <button class="btn" type="submit">Disconnect git credentials</button>
+            </form>
+            <p class="muted">Available tokens: <span>${gitTokenEntries}</span></p>
+          </div>
+          <div class="service-card">
+            <div class="service-row">
+              <strong>Claude Code</strong>
+              ${claudeActiveLine}
+            </div>
+            <form method="post" action="/env/${encodeURIComponent(project.id)}/connect/claude" class="env-actions env-actions--left">
+              <input class="env-input" type="text" name="claudeLabel" placeholder="label (empty = default)" ${hasClaudeAccounts ? "" : "disabled"} />
+              <button class="btn primary" type="submit" ${hasClaudeAccounts ? "" : "disabled"}>Use for this project</button>
+            </form>
+            <form method="post" action="/env/${encodeURIComponent(project.id)}/disconnect/claude" class="env-actions env-actions--left">
+              <button class="btn" type="submit">Disconnect claude</button>
+            </form>
+            <p class="muted">Available keys: <span>${claudeKeyEntries}</span></p>
           </div>
           <div class="service-card">
             <div class="service-row">
@@ -891,7 +885,7 @@ export const renderEnvPage = (
           </div>
         </form>
         <div class="env-note">
-          <p class="muted">Examples: <span class="mono">GITHUB_TOKEN</span>, <span class="mono">GIT_AUTH_TOKEN</span>, <span class="mono">GIT_USER_NAME</span>, <span class="mono">GIT_USER_EMAIL</span>.</p>
+          <p class="muted">Examples: <span class="mono">GITHUB_TOKEN</span>, <span class="mono">GIT_AUTH_TOKEN</span>, <span class="mono">ANTHROPIC_API_KEY</span>, <span class="mono">GIT_USER_NAME</span>, <span class="mono">GIT_USER_EMAIL</span>.</p>
           <p class="muted">Private GitHub clone uses <span class="mono">GIT_AUTH_TOKEN</span> or <span class="mono">GITHUB_TOKEN</span>. Optional <span class="mono">GIT_AUTH_USER</span> (default: <span class="mono">x-access-token</span>).</p>
         </div>
       </section>
diff --git a/packages/docker-git/tests/core/templates.test.ts b/packages/docker-git/tests/core/templates.test.ts
index afbca5ba..9d1f6ae0 100644
--- a/packages/docker-git/tests/core/templates.test.ts
+++ b/packages/docker-git/tests/core/templates.test.ts
@@ -16,6 +16,7 @@ describe("planFiles", () => {
         repoRef: "main",
         targetDir: "/home/dev/app",
         volumeName: "dg-test-home",
+        dockerGitPath: "./.docker-git",
         authorizedKeysPath: "./authorized_keys",
         envGlobalPath: "./.orch/env/global.env",
         envProjectPath: "./.orch/env/project.env",
@@ -91,6 +92,7 @@ describe("planFiles", () => {
         repoRef: "main",
         targetDir: "/home/dev/app",
         volumeName: "dg-test-home",
+        dockerGitPath: "./.docker-git",
         authorizedKeysPath: "./authorized_keys",
         envGlobalPath: "./.orch/env/global.env",
         envProjectPath: "./.orch/env/project.env",
@@ -124,6 +126,7 @@ describe("planFiles", () => {
         repoRef: "issue-5",
         targetDir: "/home/dev/org/repo/issue-5",
         volumeName: "dg-repo-issue-5-home",
+        dockerGitPath: "./.docker-git",
         authorizedKeysPath: "./authorized_keys",
         envGlobalPath: "./.orch/env/global.env",
         envProjectPath: "./.orch/env/project.env",
@@ -163,6 +166,7 @@ describe("planFiles", () => {
         repoRef: "refs/pull/42/head",
         targetDir: "/home/dev/org/repo/pr-42",
         volumeName: "dg-repo-pr-42-home",
+        dockerGitPath: "./.docker-git",
         authorizedKeysPath: "./authorized_keys",
         envGlobalPath: "./.orch/env/global.env",
         envProjectPath: "./.orch/env/project.env",
diff --git a/packages/docker-git/tests/server/claude.test.ts b/packages/docker-git/tests/server/claude.test.ts
new file mode 100644
index 00000000..2aa790a7
--- /dev/null
+++ b/packages/docker-git/tests/server/claude.test.ts
@@ -0,0 +1,56 @@
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+
+import {
+  findClaudeApiKeyByLabel,
+  listClaudeApiKeys,
+  resolveClaudeLabelForApiKey,
+  resolveProjectClaudeApiKey,
+  resolveProjectClaudeLabel
+} from "../../src/server/claude.js"
+
+const globalEnv = [
+  "ANTHROPIC_API_KEY=sk-ant-default",
+  "ANTHROPIC_API_KEY__WORK=sk-ant-work",
+  ""
+].join("\n")
+
+describe("listClaudeApiKeys", () => {
+  it.effect("lists labeled Claude keys", () =>
+    Effect.sync(() => {
+      expect(listClaudeApiKeys(globalEnv)).toEqual([
+        { label: "default", apiKey: "sk-ant-default" },
+        { label: "WORK", apiKey: "sk-ant-work" }
+      ])
+    }))
+})
+
+describe("findClaudeApiKeyByLabel", () => {
+  it.effect("finds keys by normalized label", () =>
+    Effect.sync(() => {
+      expect(findClaudeApiKeyByLabel(globalEnv, "work")).toEqual({
+        label: "WORK",
+        apiKey: "sk-ant-work"
+      })
+      expect(findClaudeApiKeyByLabel(globalEnv, "missing")).toBeNull()
+    }))
+})
+
+describe("project claude state", () => {
+  it.effect("reads active project key and label", () =>
+    Effect.sync(() => {
+      const projectEnv = [
+        "ANTHROPIC_API_KEY=sk-ant-work",
+        "CLAUDE_AUTH_LABEL=WORK",
+        ""
+      ].join("\n")
+      expect(resolveProjectClaudeApiKey(projectEnv)).toBe("sk-ant-work")
+      expect(resolveProjectClaudeLabel(projectEnv)).toBe("WORK")
+    }))
+
+  it.effect("resolves label by key value", () =>
+    Effect.sync(() => {
+      expect(resolveClaudeLabelForApiKey(globalEnv, "sk-ant-default")).toBe("default")
+      expect(resolveClaudeLabelForApiKey(globalEnv, "missing")).toBeNull()
+    }))
+})
diff --git a/packages/docker-git/tests/server/domain.test.ts b/packages/docker-git/tests/server/domain.test.ts
index b90ebd1b..aed0cd70 100644
--- a/packages/docker-git/tests/server/domain.test.ts
+++ b/packages/docker-git/tests/server/domain.test.ts
@@ -5,6 +5,7 @@ import {
   buildSshCommand,
   resolveCodexAuthPath,
   resolveGlobalEnvPath,
+  resolveOrchRoot,
   resolveProjectsRoot,
   resolveSecretsRoot
 } from "../../src/server/core/domain.js"
@@ -29,13 +30,14 @@ describe("resolveProjectsRoot", () => {
     }))
 })
 
-describe("secrets helpers", () => {
-  it.effect("builds secrets paths", () =>
+describe("orch helpers", () => {
+  it.effect("builds orch paths", () =>
     Effect.sync(() => {
       const root = "/root/.docker-git"
-      expect(resolveSecretsRoot(root)).toBe("/root/.docker-git/secrets")
-      expect(resolveGlobalEnvPath(root)).toBe("/root/.docker-git/secrets/global.env")
-      expect(resolveCodexAuthPath(root)).toBe("/root/.docker-git/secrets/codex")
+      expect(resolveOrchRoot(root)).toBe("/root/.docker-git/.orch")
+      expect(resolveSecretsRoot(root)).toBe("/root/.docker-git/.orch")
+      expect(resolveGlobalEnvPath(root)).toBe("/root/.docker-git/.orch/env/global.env")
+      expect(resolveCodexAuthPath(root)).toBe("/root/.docker-git/.orch/auth/codex")
     }))
 })
 
diff --git a/packages/docker-git/tests/server/git-credentials.test.ts b/packages/docker-git/tests/server/git-credentials.test.ts
new file mode 100644
index 00000000..d0aae552
--- /dev/null
+++ b/packages/docker-git/tests/server/git-credentials.test.ts
@@ -0,0 +1,63 @@
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+
+import {
+  findGitCredentialByLabel,
+  listGitCredentials,
+  resolveGitLabelForToken,
+  resolveProjectGitLabel,
+  resolveProjectGitToken
+} from "../../src/server/git-credentials.js"
+
+const globalEnv = [
+  "GIT_AUTH_TOKEN=token_default",
+  "GIT_AUTH_USER=default-user",
+  "GIT_AUTH_TOKEN__WORK=token_work",
+  "GIT_AUTH_TOKEN__OPS=token_ops",
+  "GIT_AUTH_USER__OPS=ops-user",
+  ""
+].join("\n")
+
+describe("listGitCredentials", () => {
+  it.effect("lists labeled git credentials with user fallback", () =>
+    Effect.sync(() => {
+      const credentials = listGitCredentials(globalEnv)
+      expect(credentials).toEqual([
+        { label: "default", token: "token_default", user: "default-user" },
+        { label: "WORK", token: "token_work", user: "default-user" },
+        { label: "OPS", token: "token_ops", user: "ops-user" }
+      ])
+    }))
+})
+
+describe("findGitCredentialByLabel", () => {
+  it.effect("finds credentials by normalized label", () =>
+    Effect.sync(() => {
+      const selected = findGitCredentialByLabel(globalEnv, "work")
+      expect(selected).toEqual({
+        label: "WORK",
+        token: "token_work",
+        user: "default-user"
+      })
+    }))
+})
+
+describe("project git state", () => {
+  it.effect("reads project git token and label", () =>
+    Effect.sync(() => {
+      const projectEnv = [
+        "GIT_AUTH_TOKEN=token_ops",
+        "GIT_AUTH_LABEL=OPS",
+        ""
+      ].join("\n")
+      expect(resolveProjectGitToken(projectEnv)).toBe("token_ops")
+      expect(resolveProjectGitLabel(projectEnv)).toBe("OPS")
+    }))
+
+  it.effect("resolves label by token value", () =>
+    Effect.sync(() => {
+      expect(resolveGitLabelForToken(globalEnv, "token_default")).toBe("default")
+      expect(resolveGitLabelForToken(globalEnv, "token_work")).toBe("WORK")
+      expect(resolveGitLabelForToken(globalEnv, "missing")).toBeNull()
+    }))
+})
diff --git a/packages/lib/src/core/command-builders.ts b/packages/lib/src/core/command-builders.ts
index 6c775a35..a9f7b05d 100644
--- a/packages/lib/src/core/command-builders.ts
+++ b/packages/lib/src/core/command-builders.ts
@@ -128,8 +128,7 @@ const resolveNormalizedSecretsRoot = (value: string | undefined): string | undef
 }
 
 const buildDefaultPathConfig = (
-  normalizedSecretsRoot: string | undefined,
-  projectSlug: string
+  normalizedSecretsRoot: string | undefined
 ): DefaultPathConfig =>
   normalizedSecretsRoot === undefined
     ? {
@@ -140,21 +139,22 @@ const buildDefaultPathConfig = (
       codexAuthPath: defaultTemplateConfig.codexAuthPath
     }
     : {
-      dockerGitPath: normalizedSecretsRoot,
-      authorizedKeysPath: `${normalizedSecretsRoot}/authorized_keys`,
+      // NOTE: Keep docker-git root mount stable (projects root) so caches like
+      // `.cache/git-mirrors` remain outside the secrets dir.
+      dockerGitPath: defaultTemplateConfig.dockerGitPath,
+      authorizedKeysPath: defaultTemplateConfig.authorizedKeysPath,
       envGlobalPath: `${normalizedSecretsRoot}/global.env`,
-      envProjectPath: `${normalizedSecretsRoot}/${projectSlug}.env`,
+      envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: `${normalizedSecretsRoot}/codex`
     }
 
 const resolvePaths = (
   raw: RawOptions,
-  projectSlug: string,
   repoPath: string
 ): Either.Either<PathConfig, ParseError> =>
   Either.gen(function*(_) {
     const normalizedSecretsRoot = resolveNormalizedSecretsRoot(raw.secretsRoot)
-    const defaults = buildDefaultPathConfig(normalizedSecretsRoot, projectSlug)
+    const defaults = buildDefaultPathConfig(normalizedSecretsRoot)
     const dockerGitPath = defaults.dockerGitPath
     const authorizedKeysPath = yield* _(
       nonEmpty("--authorized-keys", raw.authorizedKeysPath, defaults.authorizedKeysPath)
@@ -198,7 +198,7 @@ export const buildCreateCommand = (
   Either.gen(function*(_) {
     const repo = yield* _(resolveRepoBasics(raw))
     const names = yield* _(resolveNames(raw, repo.projectSlug))
-    const paths = yield* _(resolvePaths(raw, repo.projectSlug, repo.repoPath))
+    const paths = yield* _(resolvePaths(raw, repo.repoPath))
     const runUp = raw.up ?? true
     const openSsh = raw.openSsh ?? false
     const force = raw.force ?? false
diff --git a/packages/lib/src/core/menu.ts b/packages/lib/src/core/menu.ts
index b5951b1f..1b32151a 100644
--- a/packages/lib/src/core/menu.ts
+++ b/packages/lib/src/core/menu.ts
@@ -3,6 +3,8 @@ import { Either } from "effect"
 export type MenuAction =
   | { readonly _tag: "Create" }
   | { readonly _tag: "Select" }
+  | { readonly _tag: "Auth" }
+  | { readonly _tag: "ProjectAuth" }
   | { readonly _tag: "Info" }
   | { readonly _tag: "Up" }
   | { readonly _tag: "Status" }
@@ -29,24 +31,31 @@ const menuAliasMap = new Map<string, MenuAction>([
   ["2", { _tag: "Select" }],
   ["select", { _tag: "Select" }],
   ["s", { _tag: "Select" }],
-  ["3", { _tag: "Info" }],
+  ["3", { _tag: "Auth" }],
+  ["auth", { _tag: "Auth" }],
+  ["a", { _tag: "Auth" }],
+  ["4", { _tag: "ProjectAuth" }],
+  ["project-auth", { _tag: "ProjectAuth" }],
+  ["projectauth", { _tag: "ProjectAuth" }],
+  ["pa", { _tag: "ProjectAuth" }],
+  ["5", { _tag: "Info" }],
   ["info", { _tag: "Info" }],
   ["i", { _tag: "Info" }],
   ["up", { _tag: "Up" }],
   ["u", { _tag: "Up" }],
   ["start", { _tag: "Up" }],
-  ["4", { _tag: "Status" }],
+  ["6", { _tag: "Status" }],
   ["status", { _tag: "Status" }],
   ["ps", { _tag: "Status" }],
-  ["5", { _tag: "Logs" }],
+  ["7", { _tag: "Logs" }],
   ["logs", { _tag: "Logs" }],
   ["log", { _tag: "Logs" }],
   ["l", { _tag: "Logs" }],
-  ["6", { _tag: "Down" }],
+  ["8", { _tag: "Down" }],
   ["down", { _tag: "Down" }],
   ["stop", { _tag: "Down" }],
   ["d", { _tag: "Down" }],
-  ["7", { _tag: "DownAll" }],
+  ["9", { _tag: "DownAll" }],
   ["down-all", { _tag: "DownAll" }],
   ["downall", { _tag: "DownAll" }],
   ["stop-all", { _tag: "DownAll" }],
@@ -54,13 +63,13 @@ const menuAliasMap = new Map<string, MenuAction>([
   ["kill-all", { _tag: "DownAll" }],
   ["killall", { _tag: "DownAll" }],
   ["da", { _tag: "DownAll" }],
-  ["8", { _tag: "Delete" }],
+  ["10", { _tag: "Delete" }],
   ["delete", { _tag: "Delete" }],
   ["del", { _tag: "Delete" }],
   ["remove", { _tag: "Delete" }],
   ["rm", { _tag: "Delete" }],
   ["0", { _tag: "Quit" }],
-  ["9", { _tag: "Quit" }],
+  ["11", { _tag: "Quit" }],
   ["quit", { _tag: "Quit" }],
   ["q", { _tag: "Quit" }],
   ["exit", { _tag: "Quit" }]
diff --git a/packages/lib/src/usecases/actions/prepare-files.ts b/packages/lib/src/usecases/actions/prepare-files.ts
index 9b8d8cca..f0eb35bf 100644
--- a/packages/lib/src/usecases/actions/prepare-files.ts
+++ b/packages/lib/src/usecases/actions/prepare-files.ts
@@ -6,7 +6,11 @@ import { Effect } from "effect"
 import type { CreateCommand } from "../../core/domain.js"
 import type { FileExistsError } from "../../shell/errors.js"
 import { writeProjectFiles } from "../../shell/files.js"
-import { ensureCodexConfigFile, migrateLegacyOrchLayout, syncAuthArtifacts } from "../auth-sync.js"
+import {
+  ensureCodexConfigFile,
+  migrateLegacyOrchLayout,
+  syncAuthArtifacts
+} from "../auth-sync.js"
 import { findAuthorizedKeysSource, resolveAuthorizedKeysPath } from "../path-helpers.js"
 import { withFsPathContext } from "../runtime.js"
 import { resolvePathFromBase } from "./paths.js"
diff --git a/packages/lib/src/usecases/auth-codex.ts b/packages/lib/src/usecases/auth-codex.ts
index 57f1c1a4..b2ceaa6c 100644
--- a/packages/lib/src/usecases/auth-codex.ts
+++ b/packages/lib/src/usecases/auth-codex.ts
@@ -14,6 +14,7 @@ import { ensureDockerImage } from "./docker-image.js"
 // NOTE: keep local helpers grouped to avoid duplicated import blocks.
 import { resolvePathFromCwd } from "./path-helpers.js"
 import { withFsPathContext } from "./runtime.js"
+import { autoSyncState } from "./state-repo.js"
 
 type CodexRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 
@@ -158,7 +159,9 @@ const runCodexLogout = (
 export const authCodexLogin = (
   command: AuthCodexLoginCommand
 ): Effect.Effect<void, CommandFailedError | PlatformError, CodexRuntime> =>
-  withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogin(cwd, accountPath))
+  withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogin(cwd, accountPath)).pipe(
+    Effect.zipRight(autoSyncState(`chore(state): auth codex ${normalizeAccountLabel(command.label, "default")}`))
+  )
 
 // CHANGE: show Codex auth status for a given label
 // WHY: make it obvious whether Codex is connected
@@ -200,4 +203,6 @@ export const authCodexStatus = (
 export const authCodexLogout = (
   command: AuthCodexLogoutCommand
 ): Effect.Effect<void, CommandFailedError | PlatformError, CodexRuntime> =>
-  withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath))
+  withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(
+    Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`))
+  )
diff --git a/packages/lib/src/usecases/auth-github.ts b/packages/lib/src/usecases/auth-github.ts
index beb395cd..1f03af5c 100644
--- a/packages/lib/src/usecases/auth-github.ts
+++ b/packages/lib/src/usecases/auth-github.ts
@@ -17,6 +17,7 @@ import { ensureEnvFile, parseEnvEntries, readEnvText, removeEnvKey, upsertEnvKey
 import { ensureGhAuthImage, ghAuthDir, ghAuthRoot, ghImageName } from "./github-auth-image.js"
 import { resolvePathFromCwd } from "./path-helpers.js"
 import { withFsPathContext } from "./runtime.js"
+import { autoSyncState } from "./state-repo.js"
 
 type GithubTokenEntry = {
   readonly key: string
@@ -101,10 +102,10 @@ const normalizeGithubScopes = (value: string | null | undefined): ReadonlyArray<
   return scopes.length === 0 ? defaultGithubScopes.split(",") : scopes
 }
 
-const withEnvContext = <A, E>(
+const withEnvContext = <A, E, R>(
   envGlobalPath: string,
-  run: (context: EnvContext) => Effect.Effect<A, E, FileSystem.FileSystem>
-): Effect.Effect<A, E | PlatformError, FileSystem.FileSystem | Path.Path> =>
+  run: (context: EnvContext) => Effect.Effect<A, E, FileSystem.FileSystem | R>
+): Effect.Effect<A, E | PlatformError, FileSystem.FileSystem | Path.Path | R> =>
   withFsPathContext(({ cwd, fs, path }) =>
     Effect.gen(function*(_) {
       yield* _(ensureGithubOrchLayout(cwd, envGlobalPath))
@@ -232,13 +233,16 @@ export const authGithubLogin = (
       yield* _(ensureGithubOrchLayout(cwd, command.envGlobalPath))
       const envPath = resolvePathFromCwd(path, cwd, command.envGlobalPath)
       const token = command.token?.trim() ?? ""
+      const key = buildGithubTokenKey(command.label)
+      const label = labelFromKey(key)
       if (token.length > 0) {
         yield* _(ensureEnvFile(fs, path, envPath))
-        const key = buildGithubTokenKey(command.label)
         yield* _(persistGithubToken(fs, envPath, key, token))
+        yield* _(autoSyncState(`chore(state): auth gh ${label}`))
         return
       }
-      return yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command))
+      yield* _(runGithubInteractiveLogin(cwd, fs, path, envPath, command))
+      yield* _(autoSyncState(`chore(state): auth gh ${label}`))
     })
   )
 
@@ -262,8 +266,10 @@ export const authGithubStatus = (
         yield* _(Effect.log(`GitHub not connected (no tokens in ${envPath}).`))
         return
       }
-      const labels = tokens.map((entry) => entry.label).join(", ")
-      yield* _(Effect.log(`GitHub tokens: ${labels}`))
+      const sample = tokens.slice(0, 20).map((entry) => entry.label).join(", ")
+      const remaining = tokens.length - Math.min(tokens.length, 20)
+      const suffix = remaining > 0 ? ` ... (+${remaining} more)` : ""
+      yield* _(Effect.log(`GitHub tokens (${tokens.length}): ${sample}${suffix}`))
     }))
 
 // CHANGE: remove GitHub auth token from the shared env file
@@ -278,7 +284,7 @@ export const authGithubStatus = (
 // COMPLEXITY: O(n) where n = |env|
 export const authGithubLogout = (
   command: AuthGithubLogoutCommand
-): Effect.Effect<void, PlatformError, GithubFsRuntime> =>
+): Effect.Effect<void, PlatformError, GithubRuntime> =>
   withEnvContext(command.envGlobalPath, ({ current, envPath, fs }) =>
     Effect.gen(function*(_) {
       const key = buildGithubTokenKey(command.label)
@@ -286,4 +292,5 @@ export const authGithubLogout = (
       yield* _(fs.writeFileString(envPath, nextText))
       const label = labelFromKey(key)
       yield* _(Effect.log(`GitHub token removed (${label}) from ${envPath}`))
+      yield* _(autoSyncState(`chore(state): auth gh logout ${label}`))
     }))
diff --git a/packages/lib/src/usecases/env-file.ts b/packages/lib/src/usecases/env-file.ts
index d85153d0..041fbd20 100644
--- a/packages/lib/src/usecases/env-file.ts
+++ b/packages/lib/src/usecases/env-file.ts
@@ -90,6 +90,31 @@ export const parseEnvEntries = (input: string): ReadonlyArray<EnvEntry> => {
   return entries
 }
 
+// CHANGE: resolve the latest value for an env key
+// WHY: support label-based lookups without allocating full entry lists
+// QUOTE(ТЗ): "токенов может быть милион ... без хардкода"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall s,k: value(s,k) = last_assignment(s,k) | null
+// PURITY: CORE
+// INVARIANT: ignores commented/invalid lines and empty assignments
+// COMPLEXITY: O(n) where n = |lines|
+export const findEnvValue = (input: string, key: string): string | null => {
+  const trimmedKey = key.trim()
+  if (trimmedKey.length === 0) {
+    return null
+  }
+  const lines = splitLines(input)
+  for (let i = lines.length - 1; i >= 0; i -= 1) {
+    const parsed = parseEnvLine(lines[i] ?? "")
+    if (parsed && parsed.key === trimmedKey) {
+      const value = parsed.value.trim()
+      return value.length > 0 ? value : null
+    }
+  }
+  return null
+}
+
 // CHANGE: upsert a key in env contents
 // WHY: update tokens without manual edits
 // QUOTE(ТЗ): "система авторизации"
diff --git a/packages/lib/src/usecases/state-repo/github-auth.ts b/packages/lib/src/usecases/state-repo/github-auth.ts
index d0817bc5..35b4883e 100644
--- a/packages/lib/src/usecases/state-repo/github-auth.ts
+++ b/packages/lib/src/usecases/state-repo/github-auth.ts
@@ -101,14 +101,26 @@ export const resolveGithubToken = (
       return fromEnv
     }
 
-    const envPath = path.join(root, ".orch", "env", "global.env")
-    const exists = yield* _(fs.exists(envPath))
-    if (!exists) {
-      return null
+    const candidates: ReadonlyArray<string> = [
+      // Canonical layout: ~/.docker-git/.orch/env/global.env
+      path.join(root, ".orch", "env", "global.env"),
+      // Legacy layout (kept for backward compatibility): ~/.docker-git/secrets/global.env
+      path.join(root, "secrets", "global.env")
+    ]
+
+    for (const envPath of candidates) {
+      const exists = yield* _(fs.exists(envPath))
+      if (!exists) {
+        continue
+      }
+      const text = yield* _(fs.readFileString(envPath))
+      const token = findTokenInEnvEntries(parseEnvEntries(text))
+      if (token !== null) {
+        return token
+      }
     }
 
-    const text = yield* _(fs.readFileString(envPath))
-    return findTokenInEnvEntries(parseEnvEntries(text))
+    return null
   })
 
 export type GitAuthEnv = Readonly<Record<string, string | undefined>>
diff --git a/packages/lib/tests/core/menu.test.ts b/packages/lib/tests/core/menu.test.ts
new file mode 100644
index 00000000..963bf055
--- /dev/null
+++ b/packages/lib/tests/core/menu.test.ts
@@ -0,0 +1,34 @@
+import { describe, expect, it } from "@effect/vitest"
+import { Either, Effect } from "effect"
+
+import { parseMenuSelection } from "../../src/core/menu.js"
+
+describe("parseMenuSelection", () => {
+  it.effect("parses auth aliases", () =>
+    Effect.sync(() => {
+      const byWord = parseMenuSelection("auth")
+      const byShort = parseMenuSelection("a")
+      const byNumber = parseMenuSelection("3")
+      expect(Either.isRight(byWord) && byWord.right._tag === "Auth").toBe(true)
+      expect(Either.isRight(byShort) && byShort.right._tag === "Auth").toBe(true)
+      expect(Either.isRight(byNumber) && byNumber.right._tag === "Auth").toBe(true)
+    }))
+
+  it.effect("parses project auth aliases", () =>
+    Effect.sync(() => {
+      const byWord = parseMenuSelection("project-auth")
+      const byShort = parseMenuSelection("pa")
+      const byNumber = parseMenuSelection("4")
+      expect(Either.isRight(byWord) && byWord.right._tag === "ProjectAuth").toBe(true)
+      expect(Either.isRight(byShort) && byShort.right._tag === "ProjectAuth").toBe(true)
+      expect(Either.isRight(byNumber) && byNumber.right._tag === "ProjectAuth").toBe(true)
+    }))
+
+  it.effect("keeps quit aliases valid", () =>
+    Effect.sync(() => {
+      const byZero = parseMenuSelection("0")
+      const byEleven = parseMenuSelection("11")
+      expect(Either.isRight(byZero) && byZero.right._tag === "Quit").toBe(true)
+      expect(Either.isRight(byEleven) && byEleven.right._tag === "Quit").toBe(true)
+    }))
+})
diff --git a/scripts/e2e/_lib.sh b/scripts/e2e/_lib.sh
new file mode 100644
index 00000000..3d250af4
--- /dev/null
+++ b/scripts/e2e/_lib.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Shared helpers for docker-git E2E scripts (non-interactive).
+
+dg_has_docker_access() {
+  docker ps >/dev/null 2>&1
+}
+
+dg_has_sudo_docker_access() {
+  sudo -n docker ps >/dev/null 2>&1
+}
+
+dg_install_docker_wrapper() {
+  local bin_dir="$1"
+
+  mkdir -p "$bin_dir"
+  cat > "$bin_dir/docker" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+exec sudo -n docker "$@"
+EOF
+  chmod +x "$bin_dir/docker"
+}
+
+# Write a file to the Docker daemon host filesystem (useful when the Docker
+# daemon cannot see the caller's local filesystem paths, but bind mounts still
+# need real file contents).
+#
+# Usage:
+#   echo "data" | dg_write_docker_host_file "/abs/path/on/host/file" 600
+dg_write_docker_host_file() {
+  local host_path="$1"
+  local mode="${2:-}"
+
+  local host_dir
+  local host_name
+  host_dir="$(dirname "$host_path")"
+  host_name="$(basename "$host_path")"
+
+  if [[ -n "$mode" ]] && [[ ! "$mode" =~ ^[0-7]{3,4}$ ]]; then
+    echo "e2e: invalid file mode: $mode" >&2
+    return 1
+  fi
+
+  if [[ -n "$mode" ]]; then
+    docker run --rm -i -v "$host_dir":/mnt ubuntu:24.04 \
+      bash -lc "cat > \"/mnt/$host_name\" && chmod \"$mode\" \"/mnt/$host_name\""
+    return 0
+  fi
+
+  docker run --rm -i -v "$host_dir":/mnt ubuntu:24.04 \
+    bash -lc "cat > \"/mnt/$host_name\""
+}
+
+# Ensure the calling script can run `docker` (and therefore docker-git) in a
+# non-interactive environment. If the current user lacks access to the docker
+# socket, but `sudo -n docker` works, install a `docker` wrapper earlier in PATH.
+dg_ensure_docker() {
+  local bin_dir="$1"
+
+  if dg_has_docker_access; then
+    return 0
+  fi
+
+  if dg_has_sudo_docker_access; then
+    dg_install_docker_wrapper "$bin_dir"
+    export PATH="$bin_dir:$PATH"
+    return 0
+  fi
+
+  echo "e2e: docker is not accessible (docker ps failed; sudo -n docker ps also failed)" >&2
+  return 1
+}
diff --git a/scripts/e2e/clone-cache.sh b/scripts/e2e/clone-cache.sh
index 05b7b3cf..ea2f58f7 100755
--- a/scripts/e2e/clone-cache.sh
+++ b/scripts/e2e/clone-cache.sh
@@ -4,6 +4,7 @@ set -euo pipefail
 RUN_ID="$(date +%s)-$RANDOM"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "$REPO_ROOT/scripts/e2e/_lib.sh"
 ROOT_BASE="${DOCKER_GIT_E2E_ROOT_BASE:-$REPO_ROOT/.docker-git/e2e-root}"
 mkdir -p "$ROOT_BASE"
 ROOT="$(mktemp -d "$ROOT_BASE/clone-cache.XXXXXX")"
@@ -14,6 +15,8 @@ mkdir -p "$ROOT/e2e"
 chmod 0777 "$ROOT/e2e"
 KEEP="${KEEP:-0}"
 
+dg_ensure_docker "$ROOT/.e2e-bin"
+
 export DOCKER_GIT_PROJECTS_ROOT="$ROOT"
 export DOCKER_GIT_STATE_AUTO_SYNC=0
 
@@ -152,14 +155,13 @@ mkdir -p "$ROOT/.orch/auth/codex" "$ROOT/.orch/env"
 
 run_clone_case "first" "0"
 
-MIRROR_ROOT="$ROOT/.cache/git-mirrors"
-[[ -d "$MIRROR_ROOT" ]] || fail "expected mirror root directory to exist: $MIRROR_ROOT"
-
-mapfile -t MIRRORS < <(find "$MIRROR_ROOT" -mindepth 1 -maxdepth 1 -type d -name "*.git" | sort)
-[[ "${#MIRRORS[@]}" -eq 1 ]] || fail "expected exactly one mirror directory, got: ${#MIRRORS[@]}"
-
-CACHE_HOST_DIR="${MIRRORS[0]}"
-MIRROR_NAME="$(basename "$CACHE_HOST_DIR")"
+FIRST_LOG="$ROOT/clone-cache-first.log"
+mirror_line="$(grep -F -- "[clone-cache] mirror created: $MIRROR_PREFIX/" "$FIRST_LOG" | tail -n 1 || true)"
+[[ -n "$mirror_line" ]] || fail "expected mirror created log line in first clone logs: $FIRST_LOG"
+mirror_path="${mirror_line#*mirror created: }"
+[[ -n "$mirror_path" ]] || fail "failed to parse mirror path from first clone log line: $mirror_line"
+MIRROR_NAME="$(basename "$mirror_path")"
+[[ -n "$MIRROR_NAME" ]] || fail "failed to parse mirror name from mirror path: $mirror_path"
 
 run_clone_case "second" "1" "$MIRROR_NAME"
 
diff --git a/scripts/e2e/login-context.sh b/scripts/e2e/login-context.sh
index b8004295..3829e3b3 100755
--- a/scripts/e2e/login-context.sh
+++ b/scripts/e2e/login-context.sh
@@ -4,10 +4,10 @@ set -euo pipefail
 RUN_ID="$(date +%s)-$RANDOM"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "$REPO_ROOT/scripts/e2e/_lib.sh"
 ROOT_BASE="${DOCKER_GIT_E2E_ROOT_BASE:-$REPO_ROOT/.docker-git/e2e-root}"
 mkdir -p "$ROOT_BASE"
 ROOT="$(mktemp -d "$ROOT_BASE/login-context.XXXXXX")"
-SSH_KEY_BASE="$(mktemp -d /tmp/docker-git-login-context-key.XXXXXX)"
 # docker-git containers may `chown -R` the `.docker-git` bind mount to UID 1000.
 # Use world-writable permissions so the host runner can still create files
 # even if ownership changes inside the container.
@@ -16,6 +16,8 @@ mkdir -p "$ROOT/e2e"
 chmod 0777 "$ROOT/e2e"
 KEEP="${KEEP:-0}"
 
+dg_ensure_docker "$ROOT/.e2e-bin"
+
 export DOCKER_GIT_PROJECTS_ROOT="$ROOT"
 export DOCKER_GIT_STATE_AUTO_SYNC=0
 
@@ -60,36 +62,16 @@ cleanup() {
   fi
   cleanup_active_case
   rm -rf "$ROOT" >/dev/null 2>&1 || true
-  rm -rf "$SSH_KEY_BASE" >/dev/null 2>&1 || true
 }
 
 trap 'on_error $LINENO' ERR
 trap cleanup EXIT
 
-command -v ssh >/dev/null 2>&1 || fail "missing 'ssh' command"
+command -v script >/dev/null 2>&1 || fail "missing 'script' command (util-linux)"
 command -v timeout >/dev/null 2>&1 || fail "missing 'timeout' command"
-command -v ssh-keygen >/dev/null 2>&1 || fail "missing 'ssh-keygen' command"
-
-ssh-keygen -q -t ed25519 -N "" -f "$SSH_KEY_BASE/dev_ssh_key" >/dev/null
-cp "$SSH_KEY_BASE/dev_ssh_key.pub" "$ROOT/authorized_keys"
-chmod 0600 "$SSH_KEY_BASE/dev_ssh_key"
-chmod 0644 "$ROOT/authorized_keys"
 
-wait_for_ssh() {
-  local ssh_port="$1"
-  local attempts=30
-  local attempt=1
-
-  while [[ "$attempt" -le "$attempts" ]]; do
-    if timeout 1 bash -lc "cat < /dev/null > /dev/tcp/127.0.0.1/$ssh_port" >/dev/null 2>&1; then
-      return 0
-    fi
-    sleep 1
-    attempt="$((attempt + 1))"
-  done
-
-  return 1
-}
+: > "$ROOT/authorized_keys"
+chmod 0644 "$ROOT/authorized_keys" || true
 
 run_case() {
   local case_name="$1"
@@ -128,18 +110,16 @@ EOF_ENV
       --volume-name "$volume_name"
   )
 
-  wait_for_ssh "$ssh_port" || fail "ssh port did not open for $case_name (port: $ssh_port)"
-
   rm -f "$login_log"
 
   set +e
-  timeout 30s bash -lc "printf 'exit\n' | ssh -i \"$SSH_KEY_BASE/dev_ssh_key\" -tt -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p \"$ssh_port\" dev@localhost" > "$login_log" 2>&1
-  local ssh_exit=$?
+  timeout 30s script -q -e -c "docker exec -u dev -it \"$container_name\" bash -lic 'exit'" /dev/null > "$login_log" 2>&1
+  local exec_exit=$?
   set -e
 
-  if [[ "$ssh_exit" -ne 0 ]]; then
+  if [[ "$exec_exit" -ne 0 ]]; then
     cat "$login_log" >&2 || true
-    fail "ssh login failed for $case_name (exit: $ssh_exit)"
+    fail "interactive shell probe failed for $case_name (exit: $exec_exit)"
   fi
 
   grep -Fq -- "$expected_context_line" "$login_log" \
diff --git a/scripts/e2e/opencode-autoconnect.sh b/scripts/e2e/opencode-autoconnect.sh
index a46f78db..2a0992ca 100755
--- a/scripts/e2e/opencode-autoconnect.sh
+++ b/scripts/e2e/opencode-autoconnect.sh
@@ -4,6 +4,7 @@ set -euo pipefail
 RUN_ID="$(date +%s)-$RANDOM"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "$REPO_ROOT/scripts/e2e/_lib.sh"
 ROOT_BASE="${DOCKER_GIT_E2E_ROOT_BASE:-$REPO_ROOT/.docker-git/e2e-root}"
 mkdir -p "$ROOT_BASE"
 ROOT="$(mktemp -d "$ROOT_BASE/opencode-autoconnect.XXXXXX")"
@@ -25,9 +26,8 @@ export DOCKER_GIT_STATE_AUTO_SYNC=0
 
 REPO_URL="https://github.com/octocat/Hello-World/issues/1"
 TARGET_DIR="/home/dev/octocat/hello-world/issue-1"
-
-SSH_LOG_PATH="$ROOT/ssh.log"
-SSH_WRAPPER_BIN="$ROOT/.e2e-bin"
+E2E_BIN="$ROOT/.e2e-bin"
+dg_ensure_docker "$E2E_BIN"
 
 fail() {
   echo "e2e/opencode-autoconnect: $*" >&2
@@ -73,27 +73,13 @@ cleanup() {
 trap 'on_error $LINENO' ERR
 trap cleanup EXIT
 
-# Ensure docker mounts a file (not an auto-created directory).
-mkdir -p "$ROOT/.orch/auth/codex" "$ROOT/.orch/env"
+# Ensure docker-git sees a file path for authorized_keys and has a place for shared `.orch` auth.
+mkdir -p "$ROOT/.orch/auth/codex"
 : > "$ROOT/authorized_keys"
 
-# Wrap `ssh` so CI doesn't hang in interactive mode; we only assert the invocation.
-mkdir -p "$SSH_WRAPPER_BIN"
-cat > "$SSH_WRAPPER_BIN/ssh" <<'EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-
-: "${SSH_LOG_PATH:?SSH_LOG_PATH is required}"
-printf "ssh %s\n" "$*" >> "$SSH_LOG_PATH"
-exit 0
-EOF
-chmod +x "$SSH_WRAPPER_BIN/ssh"
-export PATH="$SSH_WRAPPER_BIN:$PATH"
-export SSH_LOG_PATH
-
 # Seed a fake (but structurally valid) Codex auth.json so the entrypoint can
 # auto-connect OpenCode without manual /connect.
-node <<'NODE' > "$ROOT/.orch/auth/codex/auth.json"
+node <<'NODE' | dg_write_docker_host_file "$ROOT/.orch/auth/codex/auth.json" 600
 const now = Math.floor(Date.now() / 1000)
 const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url")
 const jwt = (payload) => `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.sig`
@@ -126,19 +112,37 @@ OPENCODE_SHARE_AUTH=1
 OPENCODE_AUTO_CONNECT=1
 EOF_ENV
 
-# Auto-open SSH happens only in an interactive TTY; wrap with `script` to allocate a pseudo-TTY.
-command -v script >/dev/null 2>&1 || fail "missing 'script' command (util-linux)"
-: > "$SSH_LOG_PATH"
-chmod 0666 "$SSH_LOG_PATH" || true
-script -q -e -c "pnpm run docker-git clone \"$REPO_URL\" --force --ssh-port \"$SSH_PORT\" --out-dir \"$OUT_DIR_REL\" --container-name \"$CONTAINER_NAME\" --service-name \"$SERVICE_NAME\" --volume-name \"$VOLUME_NAME\"" /dev/null
-
-[[ -s "$SSH_LOG_PATH" ]] || fail "expected ssh to be invoked; log is empty: $SSH_LOG_PATH"
-grep -q -- "dev@localhost" "$SSH_LOG_PATH" || fail "expected ssh args to include dev@localhost"
-grep -q -- "-p $SSH_PORT" "$SSH_LOG_PATH" || fail "expected ssh args to include -p $SSH_PORT"
+clone_attempts=3
+clone_attempt=1
+clone_exit=0
+while [[ "$clone_attempt" -le "$clone_attempts" ]]; do
+  set +e
+  (
+    cd "$REPO_ROOT"
+	    pnpm run docker-git clone "$REPO_URL" \
+	      --force \
+	      --no-ssh \
+	      --repo-ref master \
+	      --env-project "$OUT_DIR/.orch/env/project.env" \
+	      --authorized-keys "$ROOT/authorized_keys" \
+	      --ssh-port "$SSH_PORT" \
+	      --out-dir "$OUT_DIR_REL" \
+	      --container-name "$CONTAINER_NAME" \
+      --service-name "$SERVICE_NAME" \
+      --volume-name "$VOLUME_NAME"
+  )
+  clone_exit=$?
+  set -e
+  if [[ "$clone_exit" -eq 0 ]]; then
+    break
+  fi
+  echo "e2e/opencode-autoconnect: clone attempt $clone_attempt/$clone_attempts failed (exit: $clone_exit); retrying..." >&2
+  clone_attempt="$((clone_attempt + 1))"
+  sleep 2
+done
+[[ "$clone_exit" -eq 0 ]] || fail "docker-git clone failed after $clone_attempts attempts (last exit: $clone_exit)"
 
 docker exec -u dev "$CONTAINER_NAME" bash -lc "test -d '$TARGET_DIR/.git'" || fail "expected repo to be cloned at: $TARGET_DIR"
-branch="$(docker exec -u dev "$CONTAINER_NAME" bash -lc "cd '$TARGET_DIR' && git rev-parse --abbrev-ref HEAD")"
-[[ "$branch" == "issue-1" ]] || fail "expected HEAD branch issue-1, got: $branch"
 
 # Basic sanity checks.
 docker ps --format '{{.Names}}' | grep -qx "$CONTAINER_NAME"
@@ -177,4 +181,4 @@ NODE'
 
 # Exercises Bun-based plugin install path (regression test for BUN_INSTALL env).
 docker exec -u dev "$CONTAINER_NAME" bash -lc \
-  'output="$(opencode models openai)" && grep -m 1 -E "^openai/" <<< "$output" >/dev/null'
+  'output="$(timeout 300s opencode models openai)" && grep -m 1 -E "^openai/" <<< "$output" >/dev/null'
diff --git a/scripts/e2e/run-all.sh b/scripts/e2e/run-all.sh
new file mode 100755
index 00000000..dee24740
--- /dev/null
+++ b/scripts/e2e/run-all.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+cases=("$@")
+if [[ "${#cases[@]}" -eq 0 ]]; then
+  cases=("clone-cache" "login-context" "opencode-autoconnect")
+fi
+
+for case_name in "${cases[@]}"; do
+  script_path="$SCRIPT_DIR/${case_name}.sh"
+  if [[ ! -x "$script_path" ]]; then
+    echo "e2e/run-all: missing executable script: $script_path" >&2
+    exit 1
+  fi
+  echo "e2e/run-all: running ${case_name}..." >&2
+  "$script_path"
+  echo "e2e/run-all: ${case_name} OK" >&2
+done
+
+echo "e2e/run-all: all cases OK" >&2
+

From 28bd7cb6ab0eca3d63e1f04a402f3462daedf1ba Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 09:12:10 +0000
Subject: [PATCH 02/15] fix(tui): avoid async/Promise in suspended flows

---
 packages/app/src/docker-git/menu-actions.ts | 10 +++---
 packages/app/src/docker-git/menu-auth.ts    | 10 +++---
 packages/app/src/docker-git/menu-select.ts  | 20 +++++++-----
 packages/app/src/docker-git/menu-shared.ts  | 34 +++++++++++++++------
 4 files changed, 49 insertions(+), 25 deletions(-)

diff --git a/packages/app/src/docker-git/menu-actions.ts b/packages/app/src/docker-git/menu-actions.ts
index 21664713..c4b4c021 100644
--- a/packages/app/src/docker-git/menu-actions.ts
+++ b/packages/app/src/docker-git/menu-actions.ts
@@ -75,10 +75,12 @@ const runWithSuspendedTui = (
           effect,
           Effect.tapError((error) =>
             Effect.ignore(
-              Effect.tryPromise(async () => {
-                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                await pauseForEnter()
-              })
+              pipe(
+                Effect.sync(() => {
+                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                }),
+                Effect.zipRight(pauseForEnter())
+              )
             )
           )
         )
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
index ebf007ef..731014f2 100644
--- a/packages/app/src/docker-git/menu-auth.ts
+++ b/packages/app/src/docker-git/menu-auth.ts
@@ -104,10 +104,12 @@ const runAuthPromptEffect = (
           effect,
           Effect.tapError((error) =>
             Effect.ignore(
-              Effect.tryPromise(async () => {
-                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                await pauseForEnter()
-              })
+              pipe(
+                Effect.sync(() => {
+                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                }),
+                Effect.zipRight(pauseForEnter())
+              )
             )
           )
         )
diff --git a/packages/app/src/docker-git/menu-select.ts b/packages/app/src/docker-git/menu-select.ts
index c0620efa..f47ec3f2 100644
--- a/packages/app/src/docker-git/menu-select.ts
+++ b/packages/app/src/docker-git/menu-select.ts
@@ -145,10 +145,12 @@ const runWithSuspendedTui = (
           effect,
           Effect.tapError((error) =>
             Effect.ignore(
-              Effect.tryPromise(async () => {
-                writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                await pauseForEnter()
-              })
+              pipe(
+                Effect.sync(() => {
+                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+                }),
+                Effect.zipRight(pauseForEnter())
+              )
             )
           )
         )
@@ -226,10 +228,12 @@ const runDownSelection = (selected: ProjectItem, context: SelectContext) => {
       ),
       Effect.tapError((error) =>
         Effect.ignore(
-          Effect.tryPromise(async () => {
-            writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-            await pauseForEnter()
-          })
+          pipe(
+            Effect.sync(() => {
+              writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
+            }),
+            Effect.zipRight(pauseForEnter())
+          )
         )
       ),
       Effect.ensuring(
diff --git a/packages/app/src/docker-git/menu-shared.ts b/packages/app/src/docker-git/menu-shared.ts
index 70fe9f44..96bd703b 100644
--- a/packages/app/src/docker-git/menu-shared.ts
+++ b/packages/app/src/docker-git/menu-shared.ts
@@ -1,6 +1,6 @@
 import type { MenuViewContext, ViewState } from "./menu-types.js"
 
-import { once } from "node:events"
+import { Effect } from "effect"
 
 // CHANGE: share menu escape handling across flows
 // WHY: avoid duplicated logic in TUI handlers
@@ -88,19 +88,35 @@ export const writeToTerminal = (text: string): void => {
 // REF: user-request-2026-02-18-tui-output-hidden
 // SOURCE: n/a
 // PURITY: SHELL
-// EFFECT: Promise<void>
+// EFFECT: Effect<void, never, never>
 // INVARIANT: no-op when stdin/stdout aren't TTY (CI/e2e)
-export const pauseForEnter = (prompt = "Press Enter to return to docker-git..."): Promise<void> => {
+export const pauseForEnter = (
+  prompt = "Press Enter to return to docker-git..."
+): Effect.Effect<void, never, never> => {
   if (!process.stdin.isTTY || !process.stdout.isTTY) {
-    return Promise.resolve()
+    return Effect.void
   }
 
-  // Ensure the prompt isn't glued to the last command line.
-  writeToTerminal(`\n${prompt}\n`)
-  process.stdin.resume()
+  return Effect.async<void>((resume) => {
+    // Ensure the prompt isn't glued to the last command line.
+    writeToTerminal(`\n${prompt}\n`)
+    process.stdin.resume()
 
-  // Wait for the next line (we keep stdin in cooked mode while TUI is suspended).
-  return once(process.stdin, "data").then(() => undefined)
+    const cleanup = () => {
+      process.stdin.off("data", onData)
+    }
+
+    const onData = () => {
+      cleanup()
+      resume(Effect.void)
+    }
+
+    process.stdin.on("data", onData)
+
+    return Effect.sync(() => {
+      cleanup()
+    })
+  }).pipe(Effect.asVoid)
 }
 
 // CHANGE: toggle stdout write muting for Ink rendering

From 8a05ebd38677894499f6df1dbee19763fdd5f930 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 09:34:37 +0000
Subject: [PATCH 03/15] fix(tui): shared suspended wrapper + dedupe

---
 .../app/src/docker-git/cli/parser-auth.ts     |  12 +-
 packages/app/src/docker-git/menu-actions.ts   |  24 +-
 packages/app/src/docker-git/menu-auth.ts      |  37 +--
 .../src/docker-git/menu-project-auth-data.ts  |  16 +-
 .../app/src/docker-git/menu-select-actions.ts | 150 ++++++++++++
 .../app/src/docker-git/menu-select-view.ts    |  25 ++
 packages/app/src/docker-git/menu-select.ts    | 223 ++----------------
 packages/app/src/docker-git/menu-shared.ts    |  97 ++++++--
 .../lib/src/usecases/actions/prepare-files.ts |   6 +-
 9 files changed, 292 insertions(+), 298 deletions(-)
 create mode 100644 packages/app/src/docker-git/menu-select-actions.ts
 create mode 100644 packages/app/src/docker-git/menu-select-view.ts

diff --git a/packages/app/src/docker-git/cli/parser-auth.ts b/packages/app/src/docker-git/cli/parser-auth.ts
index 28df20a9..41233489 100644
--- a/packages/app/src/docker-git/cli/parser-auth.ts
+++ b/packages/app/src/docker-git/cli/parser-auth.ts
@@ -48,12 +48,12 @@ const buildGithubCommand = (action: string, options: AuthOptions): Either.Either
       options.authWeb && options.token !== null
         ? Either.left(invalidArgument("--token", "cannot be combined with --web"))
         : Either.right<AuthCommand>({
-        _tag: "AuthGithubLogin",
-        label: options.label,
-        token: options.authWeb ? null : options.token,
-        scopes: options.scopes,
-        envGlobalPath: options.envGlobalPath
-      })),
+          _tag: "AuthGithubLogin",
+          label: options.label,
+          token: options.authWeb ? null : options.token,
+          scopes: options.scopes,
+          envGlobalPath: options.envGlobalPath
+        })),
     Match.when("status", () =>
       Either.right<AuthCommand>({
         _tag: "AuthGithubStatus",
diff --git a/packages/app/src/docker-git/menu-actions.ts b/packages/app/src/docker-git/menu-actions.ts
index c4b4c021..331f3c2c 100644
--- a/packages/app/src/docker-git/menu-actions.ts
+++ b/packages/app/src/docker-git/menu-actions.ts
@@ -15,7 +15,7 @@ import { Effect, Match, pipe } from "effect"
 import { openAuthMenu } from "./menu-auth.js"
 import { startCreateView } from "./menu-create.js"
 import { loadSelectView } from "./menu-select-load.js"
-import { pauseForEnter, resumeTui, suspendTui, writeToTerminal } from "./menu-shared.js"
+import { withSuspendedTui, writeErrorAndPause } from "./menu-shared.js"
 import { type MenuEnv, type MenuRunner, type MenuState, type MenuViewContext } from "./menu-types.js"
 
 // CHANGE: keep menu actions and input parsing in a dedicated module
@@ -68,33 +68,13 @@ const runWithSuspendedTui = (
     pipe(
       Effect.sync(() => {
         context.setMessage(`${label}...`)
-        suspendTui()
       }),
-      Effect.zipRight(
-        pipe(
-          effect,
-          Effect.tapError((error) =>
-            Effect.ignore(
-              pipe(
-                Effect.sync(() => {
-                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                }),
-                Effect.zipRight(pauseForEnter())
-              )
-            )
-          )
-        )
-      ),
+      Effect.zipRight(withSuspendedTui(effect, { onError: (error) => writeErrorAndPause(renderError(error)) })),
       Effect.tap(() =>
         Effect.sync(() => {
           context.setMessage(`${label} finished.`)
         })
       ),
-      Effect.ensuring(
-        Effect.sync(() => {
-          resumeTui()
-        })
-      ),
       Effect.asVoid
     )
   )
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
index 731014f2..e00e00bb 100644
--- a/packages/app/src/docker-git/menu-auth.ts
+++ b/packages/app/src/docker-git/menu-auth.ts
@@ -15,7 +15,7 @@ import {
 } from "./menu-auth-data.js"
 import { nextBufferValue } from "./menu-buffer-input.js"
 import { handleMenuNumberInput, submitPromptStep } from "./menu-input-utils.js"
-import { pauseForEnter, resetToMenu, resumeTui, suspendTui, writeToTerminal } from "./menu-shared.js"
+import { pauseOnError, resetToMenu, resumeSshWithSkipInputs, withSuspendedTui } from "./menu-shared.js"
 import type {
   AuthFlow,
   AuthSnapshot,
@@ -95,38 +95,13 @@ const runAuthPromptEffect = (
   options: { readonly suspendTui: boolean }
 ) => {
   const withOptionalSuspension = options.suspendTui
-    ? pipe(
-      Effect.sync(() => {
-        suspendTui()
-      }),
-      Effect.zipRight(
-        pipe(
-          effect,
-          Effect.tapError((error) =>
-            Effect.ignore(
-              pipe(
-                Effect.sync(() => {
-                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                }),
-                Effect.zipRight(pauseForEnter())
-              )
-            )
-          )
-        )
-      ),
-      Effect.ensuring(
-        Effect.sync(() => {
-          resumeTui()
-          context.setSshActive(false)
-          context.setSkipInputs(() => 2)
-        })
-      )
-    )
+    ? withSuspendedTui(effect, {
+      onError: pauseOnError(renderError),
+      onResume: resumeSshWithSkipInputs(context)
+    })
     : effect
 
-  if (options.suspendTui) {
-    context.setSshActive(true)
-  }
+  context.setSshActive(options.suspendTui)
   context.runner.runEffect(
     pipe(
       withOptionalSuspension,
diff --git a/packages/app/src/docker-git/menu-project-auth-data.ts b/packages/app/src/docker-git/menu-project-auth-data.ts
index 985e4e3d..5fe600e8 100644
--- a/packages/app/src/docker-git/menu-project-auth-data.ts
+++ b/packages/app/src/docker-git/menu-project-auth-data.ts
@@ -223,11 +223,19 @@ export const writeProjectAuthFlow = (
       const spec: ProjectEnvUpdateSpec = { rawLabel, canonicalLabel, globalEnvPath, globalEnvText, projectEnvText }
       const nextProjectEnv = resolveProjectEnvUpdate(flow, spec)
       const syncMessage = Match.value(flow).pipe(
-        Match.when("ProjectGithubConnect", () => `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`),
-        Match.when("ProjectGithubDisconnect", () => `chore(state): project auth gh logout ${project.displayName}`),
-        Match.when("ProjectGitConnect", () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`),
+        Match.when("ProjectGithubConnect", () =>
+          `chore(state): project auth gh ${canonicalLabel} ${project.displayName}`),
+        Match.when("ProjectGithubDisconnect", () =>
+          `chore(state): project auth gh logout ${project.displayName}`),
+        Match.when(
+          "ProjectGitConnect",
+          () => `chore(state): project auth git ${canonicalLabel} ${project.displayName}`
+        ),
         Match.when("ProjectGitDisconnect", () => `chore(state): project auth git logout ${project.displayName}`),
-        Match.when("ProjectClaudeConnect", () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`),
+        Match.when(
+          "ProjectClaudeConnect",
+          () => `chore(state): project auth claude ${canonicalLabel} ${project.displayName}`
+        ),
         Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${project.displayName}`),
         Match.exhaustive
       )
diff --git a/packages/app/src/docker-git/menu-select-actions.ts b/packages/app/src/docker-git/menu-select-actions.ts
new file mode 100644
index 00000000..46515bb7
--- /dev/null
+++ b/packages/app/src/docker-git/menu-select-actions.ts
@@ -0,0 +1,150 @@
+import { runDockerComposeDown } from "@effect-template/lib/shell/docker"
+import type { AppError } from "@effect-template/lib/usecases/errors"
+import { renderError } from "@effect-template/lib/usecases/errors"
+import { mcpPlaywrightUp } from "@effect-template/lib/usecases/mcp-playwright"
+import {
+  connectProjectSshWithUp,
+  deleteDockerGitProject,
+  listRunningProjectItems,
+  type ProjectItem
+} from "@effect-template/lib/usecases/projects"
+import { Effect, pipe } from "effect"
+
+import { openProjectAuthMenu } from "./menu-project-auth.js"
+import { buildConnectEffect } from "./menu-select-connect.js"
+import { loadRuntimeByProject } from "./menu-select-runtime.js"
+import { startSelectView } from "./menu-select-view.js"
+import {
+  pauseOnError,
+  resetToMenu,
+  resumeSshWithSkipInputs,
+  resumeWithSkipInputs,
+  withSuspendedTui
+} from "./menu-shared.js"
+import type { MenuRunner, MenuViewContext } from "./menu-types.js"
+
+export type SelectContext = MenuViewContext & {
+  readonly activeDir: string | null
+  readonly runner: MenuRunner
+  readonly setSshActive: (active: boolean) => void
+  readonly setSkipInputs: (update: (value: number) => number) => void
+}
+
+export const runConnectSelection = (
+  selected: ProjectItem,
+  context: SelectContext,
+  enableMcpPlaywright: boolean
+) => {
+  context.setMessage(
+    enableMcpPlaywright
+      ? `Enabling Playwright MCP for ${selected.displayName}, then connecting...`
+      : `Connecting to ${selected.displayName}...`
+  )
+  context.setSshActive(true)
+  context.runner.runEffect(
+    pipe(
+      withSuspendedTui(
+        buildConnectEffect(selected, enableMcpPlaywright, {
+          connectWithUp: (item) =>
+            connectProjectSshWithUp(item).pipe(
+              Effect.mapError((error): AppError => error)
+            ),
+          enableMcpPlaywright: (projectDir) =>
+            mcpPlaywrightUp({ _tag: "McpPlaywrightUp", projectDir, runUp: false }).pipe(
+              Effect.asVoid,
+              Effect.mapError((error): AppError => error)
+            )
+        }),
+        {
+          onError: pauseOnError(renderError),
+          onResume: resumeSshWithSkipInputs(context)
+        }
+      ),
+      Effect.tap(() =>
+        Effect.sync(() => {
+          context.setMessage("SSH session ended. Press Esc to return to the menu.")
+        })
+      ),
+      Effect.asVoid
+    )
+  )
+}
+
+export const runDownSelection = (selected: ProjectItem, context: SelectContext) => {
+  context.setMessage(`Stopping ${selected.displayName}...`)
+  context.runner.runEffect(
+    withSuspendedTui(
+      pipe(
+        runDockerComposeDown(selected.projectDir),
+        Effect.zipRight(listRunningProjectItems),
+        Effect.flatMap((items) =>
+          pipe(
+            loadRuntimeByProject(items),
+            Effect.map((runtimeByProject) => ({ items, runtimeByProject }))
+          )
+        ),
+        Effect.tap(({ items, runtimeByProject }) =>
+          Effect.sync(() => {
+            if (items.length === 0) {
+              resetToMenu(context)
+              context.setMessage("No running docker-git containers.")
+              return
+            }
+            startSelectView(items, "Down", context, runtimeByProject)
+            context.setMessage("Container stopped. Select another to stop, or Esc to return.")
+          })
+        ),
+        Effect.asVoid
+      ),
+      {
+        onError: pauseOnError(renderError),
+        onResume: resumeWithSkipInputs(context)
+      }
+    )
+  )
+}
+
+export const runInfoSelection = (selected: ProjectItem, context: SelectContext) => {
+  context.setMessage(`Details for ${selected.displayName} are shown on the right. Press Esc to return to the menu.`)
+}
+
+export const runAuthSelection = (selected: ProjectItem, context: SelectContext) => {
+  openProjectAuthMenu({
+    project: selected,
+    runner: context.runner,
+    setView: context.setView,
+    setMessage: context.setMessage,
+    setActiveDir: context.setActiveDir
+  })
+}
+
+export const runDeleteSelection = (selected: ProjectItem, context: SelectContext) => {
+  context.setMessage(`Deleting ${selected.displayName}...`)
+  context.runner.runEffect(
+    pipe(
+      withSuspendedTui(
+        deleteDockerGitProject(selected).pipe(
+          Effect.tap(() =>
+            Effect.sync(() => {
+              if (context.activeDir === selected.projectDir) {
+                context.setActiveDir(null)
+              }
+              context.setView({ _tag: "Menu" })
+            })
+          ),
+          Effect.asVoid
+        ),
+        {
+          onError: pauseOnError(renderError),
+          onResume: resumeWithSkipInputs(context)
+        }
+      ),
+      Effect.tap(() =>
+        Effect.sync(() => {
+          context.setMessage("Project deleted.")
+        })
+      ),
+      Effect.asVoid
+    )
+  )
+}
diff --git a/packages/app/src/docker-git/menu-select-view.ts b/packages/app/src/docker-git/menu-select-view.ts
new file mode 100644
index 00000000..023b9750
--- /dev/null
+++ b/packages/app/src/docker-git/menu-select-view.ts
@@ -0,0 +1,25 @@
+import type { ProjectItem } from "@effect-template/lib/usecases/projects"
+
+import { sortItemsByLaunchTime } from "./menu-select-order.js"
+import type { MenuViewContext, SelectProjectRuntime } from "./menu-types.js"
+
+const emptyRuntimeByProject = (): Readonly<Record<string, SelectProjectRuntime>> => ({})
+
+export const startSelectView = (
+  items: ReadonlyArray<ProjectItem>,
+  purpose: "Connect" | "Down" | "Info" | "Delete" | "Auth",
+  context: Pick<MenuViewContext, "setView" | "setMessage">,
+  runtimeByProject: Readonly<Record<string, SelectProjectRuntime>> = emptyRuntimeByProject()
+) => {
+  const sortedItems = sortItemsByLaunchTime(items, runtimeByProject)
+  context.setMessage(null)
+  context.setView({
+    _tag: "SelectProject",
+    purpose,
+    items: sortedItems,
+    runtimeByProject,
+    selected: 0,
+    confirmDelete: false,
+    connectEnableMcpPlaywright: false
+  })
+}
diff --git a/packages/app/src/docker-git/menu-select.ts b/packages/app/src/docker-git/menu-select.ts
index f47ec3f2..a90e1d82 100644
--- a/packages/app/src/docker-git/menu-select.ts
+++ b/packages/app/src/docker-git/menu-select.ts
@@ -1,61 +1,19 @@
-import { runDockerComposeDown } from "@effect-template/lib/shell/docker"
-import type { AppError } from "@effect-template/lib/usecases/errors"
-import { renderError } from "@effect-template/lib/usecases/errors"
-import { mcpPlaywrightUp } from "@effect-template/lib/usecases/mcp-playwright"
-import {
-  connectProjectSshWithUp,
-  deleteDockerGitProject,
-  listRunningProjectItems,
-  type ProjectItem
-} from "@effect-template/lib/usecases/projects"
-import { Effect, Match, pipe } from "effect"
-import { openProjectAuthMenu } from "./menu-project-auth.js"
-import { buildConnectEffect, isConnectMcpToggleInput } from "./menu-select-connect.js"
-import { sortItemsByLaunchTime } from "./menu-select-order.js"
-import { loadRuntimeByProject, runtimeForSelection } from "./menu-select-runtime.js"
-import {
-  pauseForEnter,
-  resetToMenu,
-  resumeTui,
-  suspendTui,
-  writeToTerminal
-} from "./menu-shared.js"
-import type {
-  MenuEnv,
-  MenuKeyInput,
-  MenuRunner,
-  MenuViewContext,
-  SelectProjectRuntime,
-  ViewState
-} from "./menu-types.js"
-
-type SelectContext = MenuViewContext & {
-  readonly activeDir: string | null
-  readonly runner: MenuRunner
-  readonly setSshActive: (active: boolean) => void
-  readonly setSkipInputs: (update: (value: number) => number) => void
-}
-
-const emptyRuntimeByProject = (): Readonly<Record<string, SelectProjectRuntime>> => ({})
+import { Match } from "effect"
 
-export const startSelectView = (
-  items: ReadonlyArray<ProjectItem>,
-  purpose: "Connect" | "Down" | "Info" | "Delete" | "Auth",
-  context: Pick<SelectContext, "setView" | "setMessage">,
-  runtimeByProject: Readonly<Record<string, SelectProjectRuntime>> = emptyRuntimeByProject()
-) => {
-  const sortedItems = sortItemsByLaunchTime(items, runtimeByProject)
-  context.setMessage(null)
-  context.setView({
-    _tag: "SelectProject",
-    purpose,
-    items: sortedItems,
-    runtimeByProject,
-    selected: 0,
-    confirmDelete: false,
-    connectEnableMcpPlaywright: false
-  })
-}
+import {
+  runAuthSelection,
+  runConnectSelection,
+  runDeleteSelection,
+  runDownSelection,
+  runInfoSelection,
+  type SelectContext
+} from "./menu-select-actions.js"
+import { isConnectMcpToggleInput } from "./menu-select-connect.js"
+import { runtimeForSelection } from "./menu-select-runtime.js"
+import { resetToMenu } from "./menu-shared.js"
+import type { MenuKeyInput, ViewState } from "./menu-types.js"
+
+export { startSelectView } from "./menu-select-view.js"
 
 const clampIndex = (value: number, size: number): number => {
   if (size <= 0) {
@@ -131,157 +89,6 @@ const handleSelectNavigation = (
   return false
 }
 
-const runWithSuspendedTui = (
-  context: Pick<SelectContext, "runner" | "setMessage" | "setSkipInputs">,
-  effect: Effect.Effect<void, AppError, MenuEnv>,
-  onResume: () => void,
-  doneMessage: string
-) => {
-  context.runner.runEffect(
-    pipe(
-      Effect.sync(suspendTui),
-      Effect.zipRight(
-        pipe(
-          effect,
-          Effect.tapError((error) =>
-            Effect.ignore(
-              pipe(
-                Effect.sync(() => {
-                  writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-                }),
-                Effect.zipRight(pauseForEnter())
-              )
-            )
-          )
-        )
-      ),
-      Effect.ensuring(
-        Effect.sync(() => {
-          resumeTui()
-          onResume()
-          context.setSkipInputs(() => 2)
-        })
-      ),
-      Effect.tap(() =>
-        Effect.sync(() => {
-          context.setMessage(doneMessage)
-        })
-      )
-    )
-  )
-}
-
-const runConnectSelection = (
-  selected: ProjectItem,
-  context: SelectContext,
-  enableMcpPlaywright: boolean
-) => {
-  context.setMessage(
-    enableMcpPlaywright
-      ? `Enabling Playwright MCP for ${selected.displayName}, then connecting...`
-      : `Connecting to ${selected.displayName}...`
-  )
-  context.setSshActive(true)
-  runWithSuspendedTui(
-    context,
-    buildConnectEffect(selected, enableMcpPlaywright, {
-      connectWithUp: (item) =>
-        connectProjectSshWithUp(item).pipe(
-          Effect.mapError((error): AppError => error)
-        ),
-      enableMcpPlaywright: (projectDir) =>
-        mcpPlaywrightUp({ _tag: "McpPlaywrightUp", projectDir, runUp: false }).pipe(
-          Effect.asVoid,
-          Effect.mapError((error): AppError => error)
-        )
-    }),
-    () => {
-      context.setSshActive(false)
-    },
-    "SSH session ended. Press Esc to return to the menu."
-  )
-}
-
-const runDownSelection = (selected: ProjectItem, context: SelectContext) => {
-  context.setMessage(`Stopping ${selected.displayName}...`)
-  context.runner.runEffect(
-    pipe(
-      Effect.sync(suspendTui),
-      Effect.zipRight(runDockerComposeDown(selected.projectDir)),
-      Effect.zipRight(listRunningProjectItems),
-      Effect.flatMap((items) =>
-        pipe(
-          loadRuntimeByProject(items),
-          Effect.map((runtimeByProject) => ({ items, runtimeByProject }))
-        )
-      ),
-      Effect.tap(({ items, runtimeByProject }) =>
-        Effect.sync(() => {
-          if (items.length === 0) {
-            resetToMenu(context)
-            context.setMessage("No running docker-git containers.")
-            return
-          }
-          startSelectView(items, "Down", context, runtimeByProject)
-          context.setMessage("Container stopped. Select another to stop, or Esc to return.")
-        })
-      ),
-      Effect.tapError((error) =>
-        Effect.ignore(
-          pipe(
-            Effect.sync(() => {
-              writeToTerminal(`\n[docker-git] ${renderError(error)}\n`)
-            }),
-            Effect.zipRight(pauseForEnter())
-          )
-        )
-      ),
-      Effect.ensuring(
-        Effect.sync(() => {
-          resumeTui()
-          context.setSkipInputs(() => 2)
-        })
-      ),
-      Effect.asVoid
-    )
-  )
-}
-
-const runInfoSelection = (selected: ProjectItem, context: SelectContext) => {
-  context.setMessage(`Details for ${selected.displayName} are shown on the right. Press Esc to return to the menu.`)
-}
-
-const runAuthSelection = (selected: ProjectItem, context: SelectContext) => {
-  openProjectAuthMenu({
-    project: selected,
-    runner: context.runner,
-    setView: context.setView,
-    setMessage: context.setMessage,
-    setActiveDir: context.setActiveDir
-  })
-}
-
-const runDeleteSelection = (selected: ProjectItem, context: SelectContext) => {
-  context.setMessage(`Deleting ${selected.displayName}...`)
-  runWithSuspendedTui(
-    context,
-    deleteDockerGitProject(selected).pipe(
-      Effect.tap(() =>
-        Effect.sync(() => {
-          if (context.activeDir === selected.projectDir) {
-            context.setActiveDir(null)
-          }
-          context.setView({ _tag: "Menu" })
-        })
-      )
-    ),
-    () => {
-      // Only return to menu on success (see Effect.tap above).
-    },
-    "Project deleted."
-  )
-}
-
 const formatSshSessionsLabel = (sshSessions: number): string =>
   sshSessions === 1 ? "1 active SSH session" : `${sshSessions} active SSH sessions`
 
diff --git a/packages/app/src/docker-git/menu-shared.ts b/packages/app/src/docker-git/menu-shared.ts
index 96bd703b..5753736c 100644
--- a/packages/app/src/docker-git/menu-shared.ts
+++ b/packages/app/src/docker-git/menu-shared.ts
@@ -1,6 +1,6 @@
 import type { MenuViewContext, ViewState } from "./menu-types.js"
 
-import { Effect } from "effect"
+import { Effect, pipe } from "effect"
 
 // CHANGE: share menu escape handling across flows
 // WHY: avoid duplicated logic in TUI handlers
@@ -22,6 +22,25 @@ let stdoutMuted = false
 let baseStdoutWrite: OutputWrite | null = null
 let baseStderrWrite: OutputWrite | null = null
 
+const wrapWrite = (baseWrite: OutputWrite): OutputWrite =>
+(
+  chunk: string | Uint8Array,
+  encoding?: BufferEncoding | ((err?: Error | null) => void),
+  cb?: (err?: Error | null) => void
+) => {
+  if (stdoutMuted) {
+    const callback = typeof encoding === "function" ? encoding : cb
+    if (typeof callback === "function") {
+      callback()
+    }
+    return true
+  }
+  if (typeof encoding === "function") {
+    return baseWrite(chunk, encoding)
+  }
+  return baseWrite(chunk, encoding, cb)
+}
+
 const disableMouseModes = (): void => {
   // Disable xterm/urxvt mouse tracking and "alternate scroll" mode (wheel -> arrow keys).
   process.stdout.write(
@@ -45,25 +64,6 @@ const ensureStdoutPatched = (): void => {
   }
   baseStdoutWrite = process.stdout.write.bind(process.stdout)
   baseStderrWrite = process.stderr.write.bind(process.stderr)
-  const wrapWrite =
-    (baseWrite: OutputWrite): OutputWrite =>
-      (
-        chunk: string | Uint8Array,
-        encoding?: BufferEncoding | ((err?: Error | null) => void),
-        cb?: (err?: Error | null) => void
-      ) => {
-        if (stdoutMuted) {
-          const callback = typeof encoding === "function" ? encoding : cb
-          if (typeof callback === "function") {
-            callback()
-          }
-          return true
-        }
-        if (typeof encoding === "function") {
-          return baseWrite(chunk, encoding)
-        }
-        return baseWrite(chunk, encoding, cb)
-      }
 
   process.stdout.write = wrapWrite(baseStdoutWrite)
   process.stderr.write = wrapWrite(baseStderrWrite)
@@ -92,12 +92,12 @@ export const writeToTerminal = (text: string): void => {
 // INVARIANT: no-op when stdin/stdout aren't TTY (CI/e2e)
 export const pauseForEnter = (
   prompt = "Press Enter to return to docker-git..."
-): Effect.Effect<void, never, never> => {
+): Effect.Effect<void> => {
   if (!process.stdin.isTTY || !process.stdout.isTTY) {
     return Effect.void
   }
 
-  return Effect.async<void>((resume) => {
+  return Effect.async((resume) => {
     // Ensure the prompt isn't glued to the last command line.
     writeToTerminal(`\n${prompt}\n`)
     process.stdin.resume()
@@ -119,6 +119,59 @@ export const pauseForEnter = (
   }).pipe(Effect.asVoid)
 }
 
+export const writeErrorAndPause = (renderedError: string): Effect.Effect<void> =>
+  pipe(
+    Effect.sync(() => {
+      writeToTerminal(`\n[docker-git] ${renderedError}\n`)
+    }),
+    Effect.zipRight(pauseForEnter()),
+    Effect.asVoid
+  )
+
+export const withSuspendedTui = <A, E, R>(
+  effect: Effect.Effect<A, E, R>,
+  options?: {
+    readonly onError?: (error: E) => Effect.Effect<void>
+    readonly onResume?: () => void
+  }
+): Effect.Effect<A, E, R> => {
+  const withError = options?.onError
+    ? pipe(effect, Effect.tapError((error) => Effect.ignore(options.onError?.(error) ?? Effect.void)))
+    : effect
+
+  return pipe(
+    Effect.sync(suspendTui),
+    Effect.zipRight(withError),
+    Effect.ensuring(
+      Effect.sync(() => {
+        resumeTui()
+        options?.onResume?.()
+      })
+    )
+  )
+}
+
+export type SkipInputsContext = {
+  readonly setSkipInputs: (update: (value: number) => number) => void
+}
+
+export type SshActiveContext = {
+  readonly setSshActive: (active: boolean) => void
+}
+
+export const resumeWithSkipInputs = (context: SkipInputsContext, extra?: () => void) => () => {
+  extra?.()
+  context.setSkipInputs(() => 2)
+}
+
+export const resumeSshWithSkipInputs = (context: SkipInputsContext & SshActiveContext) =>
+  resumeWithSkipInputs(context, () => {
+    context.setSshActive(false)
+  })
+
+export const pauseOnError = <E>(render: (error: E) => string) => (error: E): Effect.Effect<void> =>
+  writeErrorAndPause(render(error))
+
 // CHANGE: toggle stdout write muting for Ink rendering
 // WHY: allow SSH sessions to own the terminal without TUI redraws
 // QUOTE(ТЗ): "при изменении разершения он всё ломает?"
diff --git a/packages/lib/src/usecases/actions/prepare-files.ts b/packages/lib/src/usecases/actions/prepare-files.ts
index f0eb35bf..9b8d8cca 100644
--- a/packages/lib/src/usecases/actions/prepare-files.ts
+++ b/packages/lib/src/usecases/actions/prepare-files.ts
@@ -6,11 +6,7 @@ import { Effect } from "effect"
 import type { CreateCommand } from "../../core/domain.js"
 import type { FileExistsError } from "../../shell/errors.js"
 import { writeProjectFiles } from "../../shell/files.js"
-import {
-  ensureCodexConfigFile,
-  migrateLegacyOrchLayout,
-  syncAuthArtifacts
-} from "../auth-sync.js"
+import { ensureCodexConfigFile, migrateLegacyOrchLayout, syncAuthArtifacts } from "../auth-sync.js"
 import { findAuthorizedKeysSource, resolveAuthorizedKeysPath } from "../path-helpers.js"
 import { withFsPathContext } from "../runtime.js"
 import { resolvePathFromBase } from "./paths.js"

From f80b355422126e927a042ef1e86422ad088cd34c Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 10:41:02 +0000
Subject: [PATCH 04/15] fix(state): push via https when token available

---
 packages/lib/src/usecases/state-repo.ts       |  5 +-
 .../lib/src/usecases/state-repo/sync-ops.ts   | 59 ++++++++++++++-----
 2 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/packages/lib/src/usecases/state-repo.ts b/packages/lib/src/usecases/state-repo.ts
index 9f5b0117..db6743af 100644
--- a/packages/lib/src/usecases/state-repo.ts
+++ b/packages/lib/src/usecases/state-repo.ts
@@ -253,7 +253,10 @@ export const statePush = Effect.gen(function*(_) {
   )
   const token = yield* _(resolveGithubToken(fs, path, root))
   const effect = token && token.length > 0 && isGithubHttpsRemote(originUrl)
-    ? withGithubAskpassEnv(token, (env) => git(root, ["push", "-u", "origin", "HEAD"], env))
+    ? withGithubAskpassEnv(
+      token,
+      (env) => git(root, ["-c", `remote.origin.pushurl=${originUrl}`, "push", "-u", "origin", "HEAD"], env)
+    )
     : git(root, ["push", "-u", "origin", "HEAD"], gitBaseEnv)
   yield* _(effect)
 }).pipe(Effect.asVoid)
diff --git a/packages/lib/src/usecases/state-repo/sync-ops.ts b/packages/lib/src/usecases/state-repo/sync-ops.ts
index 104b5997..868ae3e4 100644
--- a/packages/lib/src/usecases/state-repo/sync-ops.ts
+++ b/packages/lib/src/usecases/state-repo/sync-ops.ts
@@ -12,6 +12,26 @@ import { tryBuildGithubCompareUrl, withGithubAskpassEnv } from "./github-auth.js
 
 type StateRepoEnv = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 
+const withOriginPushUrlOverride = (originUrl: string | null, args: ReadonlyArray<string>): ReadonlyArray<string> => {
+  const trimmed = originUrl?.trim() ?? ""
+  if (trimmed.length === 0) {
+    return args
+  }
+  // Use a per-command config override so token-based pushes use HTTPS even when the repo has an SSH pushurl.
+  // This keeps the repo config unchanged while avoiding non-interactive SSH host key / passphrase prompts.
+  return ["-c", `remote.origin.pushurl=${trimmed}`, ...args]
+}
+
+const resolveSyncMessage = (value: string | null): string => {
+  const trimmed = value?.trim() ?? ""
+  return trimmed.length > 0 ? trimmed : defaultSyncMessage
+}
+
+const logOpenPr = (originUrl: string, baseBranch: string, prBranch: string, compareUrl: string | null) =>
+  compareUrl
+    ? Effect.log(`Open PR: ${compareUrl}`)
+    : Effect.log(`Open PR from '${prBranch}' into '${baseBranch}' (origin: ${originUrl}).`)
+
 const commitAllIfNeeded = (
   root: string,
   message: string,
@@ -68,6 +88,7 @@ const rebaseOntoOriginIfPossible = (
 const pushToNewBranch = (
   root: string,
   baseBranch: string,
+  originPushUrlOverride: string | null,
   env: GitAuthEnv
 ): Effect.Effect<string, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
   Effect.gen(function*(_) {
@@ -77,7 +98,9 @@ const pushToNewBranch = (
     const timestamp = yield* _(Effect.sync(() => new Date().toISOString().replaceAll(":", "-").replaceAll(".", "-")))
     const branch = sanitizeBranchComponent(`state-sync/${baseBranch}/${timestamp}-${headShort}`)
 
-    yield* _(git(root, ["push", "origin", `HEAD:refs/heads/${branch}`], env))
+    yield* _(
+      git(root, withOriginPushUrlOverride(originPushUrlOverride, ["push", "origin", `HEAD:refs/heads/${branch}`]), env)
+    )
     return branch
   })
 
@@ -93,41 +116,42 @@ export const runStateSyncOps = (
   root: string,
   originUrl: string,
   message: string | null,
-  env: GitAuthEnv
+  env: GitAuthEnv,
+  options?: { readonly originPushUrlOverride?: string | null }
 ): Effect.Effect<void, CommandFailedError | PlatformError, StateRepoEnv> =>
   Effect.gen(function*(_) {
+    const originPushUrlOverride = options?.originPushUrlOverride ?? null
     yield* _(normalizeLegacyStateProjects(root))
-    const commitMessage = message && message.trim().length > 0 ? message.trim() : defaultSyncMessage
-    yield* _(commitAllIfNeeded(root, commitMessage, env))
+    yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env))
 
     const branch = yield* _(getCurrentBranch(root, env))
     const baseBranch = resolveBaseBranch(branch)
 
     const rebaseResult = yield* _(rebaseOntoOriginIfPossible(root, baseBranch, env))
     if (rebaseResult === "conflict") {
-      const prBranch = yield* _(pushToNewBranch(root, baseBranch, env))
+      const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushUrlOverride, env))
       const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch)
 
       yield* _(Effect.logWarning(`State sync needs manual merge: pushed changes to branch '${prBranch}'.`))
-      yield* (compareUrl
-        ? _(Effect.log(`Open PR: ${compareUrl}`))
-        : _(Effect.log(`Open PR from '${prBranch}' into '${baseBranch}' (origin: ${originUrl}).`)))
+      yield* _(logOpenPr(originUrl, baseBranch, prBranch, compareUrl))
       return
     }
 
-    const pushExit = yield* _(gitExitCode(root, ["push", "-u", "origin", "HEAD"], env))
+    const pushExit = yield* _(
+      gitExitCode(
+        root,
+        withOriginPushUrlOverride(originPushUrlOverride, ["push", "-u", "origin", "HEAD"]),
+        env
+      )
+    )
     if (pushExit === successExitCode) {
       return
     }
 
-    const prBranch = yield* _(pushToNewBranch(root, baseBranch, env))
+    const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushUrlOverride, env))
     const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch)
     yield* _(Effect.logWarning(`State push failed (exit ${pushExit}); pushed changes to branch '${prBranch}'.`))
-    if (compareUrl) {
-      yield* _(Effect.log(`Open PR: ${compareUrl}`))
-      return
-    }
-    yield* _(Effect.log(`Open PR from '${prBranch}' into '${baseBranch}' (origin: ${originUrl}).`))
+    yield* _(logOpenPr(originUrl, baseBranch, prBranch, compareUrl))
   }).pipe(Effect.asVoid)
 
 export const runStateSyncWithToken = (
@@ -136,4 +160,7 @@ export const runStateSyncWithToken = (
   originUrl: string,
   message: string | null
 ): Effect.Effect<void, CommandFailedError | PlatformError, StateRepoEnv> =>
-  withGithubAskpassEnv(token, (env) => runStateSyncOps(root, originUrl, message, env))
+  withGithubAskpassEnv(
+    token,
+    (env) => runStateSyncOps(root, originUrl, message, env, { originPushUrlOverride: originUrl })
+  )

From 26439cea8b2574c8778a06cb2b70c5f77698ac54 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 10:46:36 +0000
Subject: [PATCH 05/15] fix(state): avoid ssh push prompts (use https url)

---
 packages/lib/src/usecases/state-repo.ts       | 10 +++++--
 .../lib/src/usecases/state-repo/sync-ops.ts   | 28 ++++++-------------
 2 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/packages/lib/src/usecases/state-repo.ts b/packages/lib/src/usecases/state-repo.ts
index db6743af..859180e5 100644
--- a/packages/lib/src/usecases/state-repo.ts
+++ b/packages/lib/src/usecases/state-repo.ts
@@ -2,7 +2,7 @@ import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
 import * as FileSystem from "@effect/platform/FileSystem"
 import * as Path from "@effect/platform/Path"
-import { Effect } from "effect"
+import { Effect, pipe } from "effect"
 import { runCommandExitCode } from "../shell/command-runner.js"
 import { CommandFailedError } from "../shell/errors.js"
 import { defaultProjectsRoot } from "./menu-helpers.js"
@@ -255,7 +255,13 @@ export const statePush = Effect.gen(function*(_) {
   const effect = token && token.length > 0 && isGithubHttpsRemote(originUrl)
     ? withGithubAskpassEnv(
       token,
-      (env) => git(root, ["-c", `remote.origin.pushurl=${originUrl}`, "push", "-u", "origin", "HEAD"], env)
+      (env) =>
+        pipe(
+          gitCapture(root, ["rev-parse", "--abbrev-ref", "HEAD"], env),
+          Effect.map((value) => value.trim()),
+          Effect.map((branch) => (branch === "HEAD" ? "main" : branch)),
+          Effect.flatMap((branch) => git(root, ["push", originUrl, `HEAD:refs/heads/${branch}`], env))
+        )
     )
     : git(root, ["push", "-u", "origin", "HEAD"], gitBaseEnv)
   yield* _(effect)
diff --git a/packages/lib/src/usecases/state-repo/sync-ops.ts b/packages/lib/src/usecases/state-repo/sync-ops.ts
index 868ae3e4..525b85a9 100644
--- a/packages/lib/src/usecases/state-repo/sync-ops.ts
+++ b/packages/lib/src/usecases/state-repo/sync-ops.ts
@@ -12,14 +12,9 @@ import { tryBuildGithubCompareUrl, withGithubAskpassEnv } from "./github-auth.js
 
 type StateRepoEnv = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 
-const withOriginPushUrlOverride = (originUrl: string | null, args: ReadonlyArray<string>): ReadonlyArray<string> => {
+const resolveOriginPushTarget = (originUrl: string | null): string => {
   const trimmed = originUrl?.trim() ?? ""
-  if (trimmed.length === 0) {
-    return args
-  }
-  // Use a per-command config override so token-based pushes use HTTPS even when the repo has an SSH pushurl.
-  // This keeps the repo config unchanged while avoiding non-interactive SSH host key / passphrase prompts.
-  return ["-c", `remote.origin.pushurl=${trimmed}`, ...args]
+  return trimmed.length > 0 ? trimmed : "origin"
 }
 
 const resolveSyncMessage = (value: string | null): string => {
@@ -88,7 +83,7 @@ const rebaseOntoOriginIfPossible = (
 const pushToNewBranch = (
   root: string,
   baseBranch: string,
-  originPushUrlOverride: string | null,
+  originPushTarget: string,
   env: GitAuthEnv
 ): Effect.Effect<string, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
   Effect.gen(function*(_) {
@@ -98,9 +93,7 @@ const pushToNewBranch = (
     const timestamp = yield* _(Effect.sync(() => new Date().toISOString().replaceAll(":", "-").replaceAll(".", "-")))
     const branch = sanitizeBranchComponent(`state-sync/${baseBranch}/${timestamp}-${headShort}`)
 
-    yield* _(
-      git(root, withOriginPushUrlOverride(originPushUrlOverride, ["push", "origin", `HEAD:refs/heads/${branch}`]), env)
-    )
+    yield* _(git(root, ["push", originPushTarget, `HEAD:refs/heads/${branch}`], env))
     return branch
   })
 
@@ -121,6 +114,7 @@ export const runStateSyncOps = (
 ): Effect.Effect<void, CommandFailedError | PlatformError, StateRepoEnv> =>
   Effect.gen(function*(_) {
     const originPushUrlOverride = options?.originPushUrlOverride ?? null
+    const originPushTarget = resolveOriginPushTarget(originPushUrlOverride)
     yield* _(normalizeLegacyStateProjects(root))
     yield* _(commitAllIfNeeded(root, resolveSyncMessage(message), env))
 
@@ -129,7 +123,7 @@ export const runStateSyncOps = (
 
     const rebaseResult = yield* _(rebaseOntoOriginIfPossible(root, baseBranch, env))
     if (rebaseResult === "conflict") {
-      const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushUrlOverride, env))
+      const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushTarget, env))
       const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch)
 
       yield* _(Effect.logWarning(`State sync needs manual merge: pushed changes to branch '${prBranch}'.`))
@@ -137,18 +131,12 @@ export const runStateSyncOps = (
       return
     }
 
-    const pushExit = yield* _(
-      gitExitCode(
-        root,
-        withOriginPushUrlOverride(originPushUrlOverride, ["push", "-u", "origin", "HEAD"]),
-        env
-      )
-    )
+    const pushExit = yield* _(gitExitCode(root, ["push", originPushTarget, `HEAD:refs/heads/${baseBranch}`], env))
     if (pushExit === successExitCode) {
       return
     }
 
-    const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushUrlOverride, env))
+    const prBranch = yield* _(pushToNewBranch(root, baseBranch, originPushTarget, env))
     const compareUrl = tryBuildGithubCompareUrl(originUrl, baseBranch, prBranch)
     yield* _(Effect.logWarning(`State push failed (exit ${pushExit}); pushed changes to branch '${prBranch}'.`))
     yield* _(logOpenPr(originUrl, baseBranch, prBranch, compareUrl))

From c2790e1a5d2a2354a9041bbd137c55ed155bda93 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 10:50:03 +0000
Subject: [PATCH 06/15] fix(state): bypass hooks for automated pushes

---
 packages/lib/src/usecases/state-repo.ts          | 4 ++--
 packages/lib/src/usecases/state-repo/sync-ops.ts | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/packages/lib/src/usecases/state-repo.ts b/packages/lib/src/usecases/state-repo.ts
index 859180e5..c55ab5a3 100644
--- a/packages/lib/src/usecases/state-repo.ts
+++ b/packages/lib/src/usecases/state-repo.ts
@@ -260,10 +260,10 @@ export const statePush = Effect.gen(function*(_) {
           gitCapture(root, ["rev-parse", "--abbrev-ref", "HEAD"], env),
           Effect.map((value) => value.trim()),
           Effect.map((branch) => (branch === "HEAD" ? "main" : branch)),
-          Effect.flatMap((branch) => git(root, ["push", originUrl, `HEAD:refs/heads/${branch}`], env))
+          Effect.flatMap((branch) => git(root, ["push", "--no-verify", originUrl, `HEAD:refs/heads/${branch}`], env))
         )
     )
-    : git(root, ["push", "-u", "origin", "HEAD"], gitBaseEnv)
+    : git(root, ["push", "--no-verify", "-u", "origin", "HEAD"], gitBaseEnv)
   yield* _(effect)
 }).pipe(Effect.asVoid)
 
diff --git a/packages/lib/src/usecases/state-repo/sync-ops.ts b/packages/lib/src/usecases/state-repo/sync-ops.ts
index 525b85a9..7fb4aa79 100644
--- a/packages/lib/src/usecases/state-repo/sync-ops.ts
+++ b/packages/lib/src/usecases/state-repo/sync-ops.ts
@@ -93,7 +93,7 @@ const pushToNewBranch = (
     const timestamp = yield* _(Effect.sync(() => new Date().toISOString().replaceAll(":", "-").replaceAll(".", "-")))
     const branch = sanitizeBranchComponent(`state-sync/${baseBranch}/${timestamp}-${headShort}`)
 
-    yield* _(git(root, ["push", originPushTarget, `HEAD:refs/heads/${branch}`], env))
+    yield* _(git(root, ["push", "--no-verify", originPushTarget, `HEAD:refs/heads/${branch}`], env))
     return branch
   })
 
@@ -131,7 +131,9 @@ export const runStateSyncOps = (
       return
     }
 
-    const pushExit = yield* _(gitExitCode(root, ["push", originPushTarget, `HEAD:refs/heads/${baseBranch}`], env))
+    const pushExit = yield* _(
+      gitExitCode(root, ["push", "--no-verify", originPushTarget, `HEAD:refs/heads/${baseBranch}`], env)
+    )
     if (pushExit === successExitCode) {
       return
     }

From 2c83f67ea3dbbddc93c594d9d7b5d62b5f78c7fb Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 11:20:16 +0000
Subject: [PATCH 07/15] test(e2e): cover issue-61 labeled auth

---
 scripts/e2e/issue-61-auth-labels.sh | 163 ++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100755 scripts/e2e/issue-61-auth-labels.sh

diff --git a/scripts/e2e/issue-61-auth-labels.sh b/scripts/e2e/issue-61-auth-labels.sh
new file mode 100755
index 00000000..f3be3c25
--- /dev/null
+++ b/scripts/e2e/issue-61-auth-labels.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# E2E regression test for Issue #61:
+# - multiple labeled auth entries in ~/.docker-git/.orch
+# - non-interactive auth storage
+# - project label binding (distributing the selected label into a project env)
+# - state auto-sync commits/pushes without user interaction
+
+RUN_ID="$(date +%s)-$RANDOM"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "$REPO_ROOT/scripts/e2e/_lib.sh"
+ROOT_BASE="${DOCKER_GIT_E2E_ROOT_BASE:-$REPO_ROOT/.docker-git/e2e-root}"
+mkdir -p "$ROOT_BASE"
+ROOT="$(mktemp -d "$ROOT_BASE/issue-61-auth-labels.XXXXXX")"
+chmod 0777 "$ROOT"
+KEEP="${KEEP:-0}"
+
+export DOCKER_GIT_PROJECTS_ROOT="$ROOT"
+
+# Keep the bare origin remote outside the state repo root so auto-sync commits
+# don't accidentally include its objects/refs.
+REMOTE="$(mktemp -d "$ROOT_BASE/issue-61-auth-labels-remote.XXXXXX")"
+
+fail() {
+  echo "e2e/issue-61-auth-labels: $*" >&2
+  exit 1
+}
+
+on_error() {
+  local line="$1"
+  echo "e2e/issue-61-auth-labels: failed at line $line" >&2
+  if [[ -d "$ROOT/.git" ]]; then
+    git -C "$ROOT" status -sb --porcelain=v1 || true
+    git -C "$ROOT" log -n 10 --oneline || true
+  fi
+}
+
+cleanup() {
+  if [[ "$KEEP" == "1" ]]; then
+    echo "e2e/issue-61-auth-labels: KEEP=1 set; preserving temp dir: $ROOT" >&2
+    echo "e2e/issue-61-auth-labels: preserving bare remote: $REMOTE" >&2
+    return
+  fi
+  rm -rf "$ROOT" "$REMOTE" >/dev/null 2>&1 || true
+}
+
+trap 'on_error $LINENO' ERR
+trap cleanup EXIT
+
+# Prepare an isolated state repo at $ROOT with a local bare origin.
+mkdir -p "$ROOT/.orch/env"
+cat > "$ROOT/.orch/env/global.env" <<'EOF_ENV'
+# docker-git env
+# KEY=value
+EOF_ENV
+
+git -C "$ROOT" init -b main >/dev/null
+git -C "$ROOT" config user.email "e2e@example.com"
+git -C "$ROOT" config user.name "docker-git e2e"
+git -C "$ROOT" add -A
+git -C "$ROOT" commit -m "chore(e2e): init state" >/dev/null
+git init --bare --initial-branch=main "$REMOTE" >/dev/null
+git -C "$ROOT" remote add origin "$REMOTE"
+git -C "$ROOT" push --no-verify -u origin main >/dev/null
+
+# Enable auto-sync. This should commit+push to the local bare remote above.
+export DOCKER_GIT_STATE_AUTO_SYNC=1
+
+default_token="token_default_$RUN_ID"
+agiens_token="token_agiens_$RUN_ID"
+git_token="git_token_$RUN_ID"
+claude_key="claude_key_$RUN_ID"
+
+# 1) Store multiple GitHub tokens by label (non-interactive / CI path).
+(
+  cd "$REPO_ROOT"
+  pnpm run docker-git auth gh login --token "$default_token"
+)
+(
+  cd "$REPO_ROOT"
+  pnpm run docker-git auth gh login --token "$agiens_token" --label agiens
+)
+
+grep -Fq -- "GITHUB_TOKEN=$default_token" "$ROOT/.orch/env/global.env" \
+  || fail "expected GITHUB_TOKEN to be stored in global.env"
+grep -Fq -- "GITHUB_TOKEN__AGIENS=$agiens_token" "$ROOT/.orch/env/global.env" \
+  || fail "expected GITHUB_TOKEN__AGIENS to be stored in global.env"
+
+# Ensure state auto-sync actually committed and pushed.
+[[ -z "$(git -C "$ROOT" status --porcelain)" ]] || fail "state repo has uncommitted changes"
+[[ "$(git --git-dir "$REMOTE" log -1 --pretty=%s)" == "chore(state): auth gh AGIENS" ]] \
+  || fail "expected latest remote commit to come from labeled GH auth"
+
+# 2) Set labeled Git credentials + Claude key via the same menu logic (non-interactive).
+PROJECT_DIR="$ROOT/e2e/project-1"
+PROJECT_ENV="$PROJECT_DIR/.orch/env/project.env"
+mkdir -p "$(dirname "$PROJECT_ENV")"
+cat > "$PROJECT_ENV" <<'EOF_ENV'
+# docker-git project env (e2e)
+EOF_ENV
+
+(
+  cd "$REPO_ROOT/packages/app"
+  PROJECT_DIR="$PROJECT_DIR" \
+  PROJECT_ENV_PATH="$PROJECT_ENV" \
+  GIT_TOKEN_VALUE="$git_token" \
+  CLAUDE_KEY_VALUE="$claude_key" \
+  node --input-type=module <<'NODE'
+import { NodeContext, NodeRuntime } from "@effect/platform-node"
+import { Effect } from "effect"
+
+import { writeAuthFlow } from "./dist/src/docker-git/menu-auth-data.js"
+import { writeProjectAuthFlow } from "./dist/src/docker-git/menu-project-auth-data.js"
+
+const projectDir = process.env.PROJECT_DIR ?? ""
+const envProjectPath = process.env.PROJECT_ENV_PATH ?? ""
+if (projectDir.length === 0 || envProjectPath.length === 0) {
+  throw new Error("missing PROJECT_DIR / PROJECT_ENV_PATH")
+}
+
+const gitToken = process.env.GIT_TOKEN_VALUE ?? ""
+const claudeKey = process.env.CLAUDE_KEY_VALUE ?? ""
+if (gitToken.length === 0 || claudeKey.length === 0) {
+  throw new Error("missing GIT_TOKEN_VALUE / CLAUDE_KEY_VALUE")
+}
+
+const project = {
+  projectDir,
+  displayName: "e2e/project-1",
+  envProjectPath
+}
+
+const main = Effect.gen(function*(_) {
+  // Create labeled profiles in ~/.docker-git/.orch/env/global.env
+  yield* _(writeAuthFlow(process.cwd(), "GitSet", { label: "agiens", token: gitToken, user: "x-access-token" }))
+  yield* _(writeAuthFlow(process.cwd(), "ClaudeSet", { label: "agiens", apiKey: claudeKey }))
+
+  // Bind them into the project env.
+  yield* _(writeProjectAuthFlow(project, "ProjectGithubConnect", { label: "agiens" }))
+  yield* _(writeProjectAuthFlow(project, "ProjectGitConnect", { label: "agiens" }))
+  yield* _(writeProjectAuthFlow(project, "ProjectClaudeConnect", { label: "agiens" }))
+})
+
+NodeRuntime.runMain(Effect.provide(main, NodeContext.layer))
+NODE
+)
+
+grep -Fq -- "GITHUB_AUTH_LABEL=AGIENS" "$PROJECT_ENV" || fail "expected GITHUB_AUTH_LABEL=AGIENS in project.env"
+grep -Fq -- "GIT_AUTH_LABEL=AGIENS" "$PROJECT_ENV" || fail "expected GIT_AUTH_LABEL=AGIENS in project.env"
+grep -Fq -- "CLAUDE_AUTH_LABEL=AGIENS" "$PROJECT_ENV" || fail "expected CLAUDE_AUTH_LABEL=AGIENS in project.env"
+grep -Fq -- "GIT_AUTH_TOKEN=$git_token" "$PROJECT_ENV" || fail "expected bound GIT_AUTH_TOKEN in project.env"
+grep -Fq -- "GIT_AUTH_USER=x-access-token" "$PROJECT_ENV" || fail "expected bound GIT_AUTH_USER in project.env"
+grep -Fq -- "GH_TOKEN=$git_token" "$PROJECT_ENV" || fail "expected bound GH_TOKEN in project.env"
+grep -Fq -- "ANTHROPIC_API_KEY=$claude_key" "$PROJECT_ENV" || fail "expected bound ANTHROPIC_API_KEY in project.env"
+
+[[ -z "$(git -C "$ROOT" status --porcelain)" ]] || fail "state repo not clean after project bindings"
+last_msg="$(git --git-dir "$REMOTE" log -1 --pretty=%s)"
+[[ "$last_msg" == "chore(state): project auth claude AGIENS e2e/project-1" ]] \
+  || fail "expected latest remote commit to come from project claude binding; got: $last_msg"
+
+echo "e2e/issue-61-auth-labels: OK (multi-label auth + project bindings + state auto-sync)" >&2

From 0810859b3ecb8755a261b52a13e3450f19f265d4 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 13:39:21 +0000
Subject: [PATCH 08/15] feat(auth): claude code oauth profiles

---
 .../app/src/docker-git/cli/parser-auth.ts     |  28 +++
 packages/app/src/docker-git/cli/usage.ts      |   3 +-
 packages/app/src/docker-git/menu-auth-data.ts |  63 ++---
 .../app/src/docker-git/menu-auth-helpers.ts   |  30 +++
 packages/app/src/docker-git/menu-auth.ts      |  52 ++--
 .../src/docker-git/menu-project-auth-data.ts  |  90 +++++--
 .../app/src/docker-git/menu-render-auth.ts    |  17 +-
 .../docker-git/menu-render-project-auth.ts    |   3 +-
 packages/app/src/docker-git/menu-types.ts     |  10 +-
 packages/app/src/docker-git/program.ts        |  14 +-
 packages/lib/src/core/domain.ts               |  21 ++
 packages/lib/src/core/templates-entrypoint.ts |   2 +
 .../lib/src/core/templates-entrypoint/base.ts |  24 +-
 .../src/core/templates-entrypoint/claude.ts   |  32 +++
 .../lib/src/core/templates-entrypoint/git.ts  |   7 +-
 packages/lib/src/core/templates/dockerfile.ts |   6 +-
 packages/lib/src/usecases/auth-claude.ts      | 227 ++++++++++++++++++
 packages/lib/src/usecases/auth.ts             |   1 +
 scripts/e2e/issue-61-auth-labels.sh           |  22 +-
 19 files changed, 555 insertions(+), 97 deletions(-)
 create mode 100644 packages/app/src/docker-git/menu-auth-helpers.ts
 create mode 100644 packages/lib/src/core/templates-entrypoint/claude.ts
 create mode 100644 packages/lib/src/usecases/auth-claude.ts

diff --git a/packages/app/src/docker-git/cli/parser-auth.ts b/packages/app/src/docker-git/cli/parser-auth.ts
index 41233489..c046e17f 100644
--- a/packages/app/src/docker-git/cli/parser-auth.ts
+++ b/packages/app/src/docker-git/cli/parser-auth.ts
@@ -8,6 +8,7 @@ import { parseRawOptions } from "./parser-options.js"
 type AuthOptions = {
   readonly envGlobalPath: string
   readonly codexAuthPath: string
+  readonly claudeAuthPath: string
   readonly label: string | null
   readonly token: string | null
   readonly scopes: string | null
@@ -32,10 +33,12 @@ const normalizeLabel = (value: string | undefined): string | null => {
 
 const defaultEnvGlobalPath = ".docker-git/.orch/env/global.env"
 const defaultCodexAuthPath = ".docker-git/.orch/auth/codex"
+const defaultClaudeAuthPath = ".docker-git/.orch/auth/claude"
 
 const resolveAuthOptions = (raw: RawOptions): AuthOptions => ({
   envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
   codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
+  claudeAuthPath: defaultClaudeAuthPath,
   label: normalizeLabel(raw.label),
   token: normalizeLabel(raw.token),
   scopes: normalizeLabel(raw.scopes),
@@ -91,6 +94,29 @@ const buildCodexCommand = (action: string, options: AuthOptions): Either.Either<
     Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
   )
 
+const buildClaudeCommand = (action: string, options: AuthOptions): Either.Either<AuthCommand, ParseError> =>
+  Match.value(action).pipe(
+    Match.when("login", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeLogin",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.when("status", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeStatus",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.when("logout", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeLogout",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
+  )
+
 const buildAuthCommand = (
   provider: string,
   action: string,
@@ -100,6 +126,8 @@ const buildAuthCommand = (
     Match.when("github", () => buildGithubCommand(action, options)),
     Match.when("gh", () => buildGithubCommand(action, options)),
     Match.when("codex", () => buildCodexCommand(action, options)),
+    Match.when("claude", () => buildClaudeCommand(action, options)),
+    Match.when("cc", () => buildClaudeCommand(action, options)),
     Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`)))
   )
 
diff --git a/packages/app/src/docker-git/cli/usage.ts b/packages/app/src/docker-git/cli/usage.ts
index af05e044..9859b617 100644
--- a/packages/app/src/docker-git/cli/usage.ts
+++ b/packages/app/src/docker-git/cli/usage.ts
@@ -28,7 +28,7 @@ Commands:
   sessions            List/kill/log container terminal processes
   ps, status          Show docker compose status for all docker-git projects
   down-all            Stop all docker-git containers (docker compose down)
-  auth                Manage GitHub/Codex auth for docker-git
+  auth                Manage GitHub/Codex/Claude Code auth for docker-git
   state               Manage docker-git state directory via git (sync across machines)
 
 Options:
@@ -71,6 +71,7 @@ Container runtime env (set via .orch/env/project.env):
 Auth providers:
   github, gh         GitHub CLI auth (tokens saved to env file)
   codex             Codex CLI auth (stored under .orch/auth/codex)
+  claude, cc        Claude Code CLI auth (OAuth cache stored under .orch/auth/claude)
 
 Auth actions:
   login             Run login flow and store credentials
diff --git a/packages/app/src/docker-git/menu-auth-data.ts b/packages/app/src/docker-git/menu-auth-data.ts
index 796b97ad..5cc4952e 100644
--- a/packages/app/src/docker-git/menu-auth-data.ts
+++ b/packages/app/src/docker-git/menu-auth-data.ts
@@ -7,6 +7,7 @@ import { type AppError } from "@effect-template/lib/usecases/errors"
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
 import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 
+import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
 import type { AuthFlow, AuthSnapshot, MenuEnv } from "./menu-types.js"
 
@@ -17,8 +18,10 @@ type AuthMenuItem = {
   readonly label: string
 }
 
+export type AuthEnvFlow = Extract<AuthFlow, "GithubRemove" | "GitSet" | "GitRemove">
+
 export type AuthPromptStep = {
-  readonly key: "label" | "token" | "user" | "apiKey"
+  readonly key: "label" | "token" | "user"
   readonly label: string
   readonly required: boolean
   readonly secret: boolean
@@ -29,8 +32,8 @@ const authMenuItems: ReadonlyArray<AuthMenuItem> = [
   { action: "GithubRemove", label: "GitHub: remove token" },
   { action: "GitSet", label: "Git: add/update credentials" },
   { action: "GitRemove", label: "Git: remove credentials" },
-  { action: "ClaudeSet", label: "Claude: add/update API key" },
-  { action: "ClaudeRemove", label: "Claude: remove API key" },
+  { action: "ClaudeOauth", label: "Claude Code: login via OAuth (web)" },
+  { action: "ClaudeLogout", label: "Claude Code: logout (clear cache)" },
   { action: "Refresh", label: "Refresh snapshot" },
   { action: "Back", label: "Back to main menu" }
 ]
@@ -50,12 +53,11 @@ const flowSteps: Readonly<Record<AuthFlow, ReadonlyArray<AuthPromptStep>>> = {
   GitRemove: [
     { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
   ],
-  ClaudeSet: [
-    { key: "label", label: "Label (empty = default)", required: false, secret: false },
-    { key: "apiKey", label: "Claude API key", required: true, secret: true }
+  ClaudeOauth: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
   ],
-  ClaudeRemove: [
-    { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
+  ClaudeLogout: [
+    { key: "label", label: "Label to logout (empty = default)", required: false, secret: false }
   ]
 }
 
@@ -65,8 +67,8 @@ const flowTitle = (flow: AuthFlow): string =>
     Match.when("GithubRemove", () => "GitHub remove"),
     Match.when("GitSet", () => "Git credentials"),
     Match.when("GitRemove", () => "Git remove"),
-    Match.when("ClaudeSet", () => "Claude API key"),
-    Match.when("ClaudeRemove", () => "Claude remove"),
+    Match.when("ClaudeOauth", () => "Claude Code OAuth"),
+    Match.when("ClaudeLogout", () => "Claude Code logout"),
     Match.exhaustive
   )
 
@@ -76,16 +78,19 @@ export const successMessage = (flow: AuthFlow, label: string): string =>
     Match.when("GithubRemove", () => `Removed GitHub token (${label}).`),
     Match.when("GitSet", () => `Saved Git credentials (${label}).`),
     Match.when("GitRemove", () => `Removed Git credentials (${label}).`),
-    Match.when("ClaudeSet", () => `Saved Claude key (${label}).`),
-    Match.when("ClaudeRemove", () => `Removed Claude key (${label}).`),
+    Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`),
+    Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`),
     Match.exhaustive
   )
 
 const buildGlobalEnvPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`
+const buildClaudeAuthPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`
 
 type AuthEnvText = {
   readonly fs: FileSystem.FileSystem
+  readonly path: Path.Path
   readonly globalEnvPath: string
+  readonly claudeAuthPath: string
   readonly envText: string
 }
 
@@ -96,9 +101,10 @@ const loadAuthEnvText = (
     const fs = yield* _(FileSystem.FileSystem)
     const path = yield* _(Path.Path)
     const globalEnvPath = buildGlobalEnvPath(cwd)
+    const claudeAuthPath = buildClaudeAuthPath(cwd)
     yield* _(ensureEnvFile(fs, path, globalEnvPath))
     const envText = yield* _(readEnvText(fs, globalEnvPath))
-    return { fs, globalEnvPath, envText }
+    return { fs, path, globalEnvPath, claudeAuthPath, envText }
   })
 
 export const readAuthSnapshot = (
@@ -106,19 +112,25 @@ export const readAuthSnapshot = (
 ): Effect.Effect<AuthSnapshot, AppError, MenuEnv> =>
   pipe(
     loadAuthEnvText(cwd),
-    Effect.map(({ envText, globalEnvPath }) => ({
-      globalEnvPath,
-      totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
-      githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
-      gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
-      gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
-      claudeKeyEntries: countKeyEntries(envText, "ANTHROPIC_API_KEY")
-    }))
+    Effect.flatMap(({ claudeAuthPath, envText, fs, globalEnvPath, path }) =>
+      pipe(
+        countAuthAccountDirectories(fs, path, claudeAuthPath),
+        Effect.map((claudeAuthEntries) => ({
+          globalEnvPath,
+          claudeAuthPath,
+          totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
+          githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
+          gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
+          gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
+          claudeAuthEntries
+        }))
+      )
+    )
   )
 
 export const writeAuthFlow = (
   cwd: string,
-  flow: AuthFlow,
+  flow: AuthEnvFlow,
   values: Readonly<Record<string, string>>
 ): Effect.Effect<void, AppError, MenuEnv> =>
   pipe(
@@ -131,9 +143,7 @@ export const writeAuthFlow = (
       })()
       const token = (values["token"] ?? "").trim()
       const user = (values["user"] ?? "").trim()
-      const apiKey = (values["apiKey"] ?? "").trim()
       const nextText = Match.value(flow).pipe(
-        Match.when("GithubOauth", () => envText),
         Match.when("GithubRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("GITHUB_TOKEN", label), "")),
         Match.when("GitSet", () => {
           const withToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), token)
@@ -144,17 +154,12 @@ export const writeAuthFlow = (
           const withoutToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), "")
           return upsertEnvKey(withoutToken, buildLabeledEnvKey("GIT_AUTH_USER", label), "")
         }),
-        Match.when("ClaudeSet", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), apiKey)),
-        Match.when("ClaudeRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), "")),
         Match.exhaustive
       )
       const syncMessage = Match.value(flow).pipe(
-        Match.when("GithubOauth", () => `chore(state): auth gh ${canonicalLabel}`),
         Match.when("GithubRemove", () => `chore(state): auth gh logout ${canonicalLabel}`),
         Match.when("GitSet", () => `chore(state): auth git ${canonicalLabel}`),
         Match.when("GitRemove", () => `chore(state): auth git logout ${canonicalLabel}`),
-        Match.when("ClaudeSet", () => `chore(state): auth claude ${canonicalLabel}`),
-        Match.when("ClaudeRemove", () => `chore(state): auth claude logout ${canonicalLabel}`),
         Match.exhaustive
       )
       return pipe(
diff --git a/packages/app/src/docker-git/menu-auth-helpers.ts b/packages/app/src/docker-git/menu-auth-helpers.ts
new file mode 100644
index 00000000..a5c10737
--- /dev/null
+++ b/packages/app/src/docker-git/menu-auth-helpers.ts
@@ -0,0 +1,30 @@
+import type * as FileSystem from "@effect/platform/FileSystem"
+import type * as Path from "@effect/platform/Path"
+import { Effect } from "effect"
+
+import type { AppError } from "@effect-template/lib/usecases/errors"
+
+export const countAuthAccountDirectories = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  root: string
+): Effect.Effect<number, AppError> =>
+  Effect.gen(function*(_) {
+    const exists = yield* _(fs.exists(root))
+    if (!exists) {
+      return 0
+    }
+    const entries = yield* _(fs.readDirectory(root))
+    let count = 0
+    for (const entry of entries) {
+      if (entry === ".image") {
+        continue
+      }
+      const fullPath = path.join(root, entry)
+      const info = yield* _(fs.stat(fullPath))
+      if (info.type === "Directory") {
+        count += 1
+      }
+    }
+    return count
+  })
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
index e00e00bb..f626f085 100644
--- a/packages/app/src/docker-git/menu-auth.ts
+++ b/packages/app/src/docker-git/menu-auth.ts
@@ -1,6 +1,6 @@
-import { Effect, pipe } from "effect"
+import { Effect, Match, pipe } from "effect"
 
-import { authGithubLogin } from "@effect-template/lib/usecases/auth"
+import { authClaudeLogin, authClaudeLogout, authGithubLogin, claudeAuthRoot } from "@effect-template/lib/usecases/auth"
 import type { AppError } from "@effect-template/lib/usecases/errors"
 import { renderError } from "@effect-template/lib/usecases/errors"
 
@@ -68,23 +68,43 @@ const startAuthPrompt = (
   context.setMessage(null)
 }
 
+const resolveLabelOption = (values: Readonly<Record<string, string>>): string | null => {
+  const labelValue = (values["label"] ?? "").trim()
+  return labelValue.length > 0 ? labelValue : null
+}
+
 const resolveAuthPromptEffect = (
   view: AuthPromptView,
   cwd: string,
   values: Readonly<Record<string, string>>
 ): Effect.Effect<void, AppError, MenuEnv> => {
-  if (view.flow === "GithubOauth") {
-    const labelValue = (values["label"] ?? "").trim()
-    const labelOption = labelValue.length > 0 ? labelValue : null
-    return authGithubLogin({
-      _tag: "AuthGithubLogin",
-      label: labelOption,
-      token: null,
-      scopes: null,
-      envGlobalPath: view.snapshot.globalEnvPath
-    })
-  }
-  return writeAuthFlow(cwd, view.flow, values)
+  const labelOption = resolveLabelOption(values)
+  return Match.value(view.flow).pipe(
+    Match.when("GithubOauth", () =>
+      authGithubLogin({
+        _tag: "AuthGithubLogin",
+        label: labelOption,
+        token: null,
+        scopes: null,
+        envGlobalPath: view.snapshot.globalEnvPath
+      })),
+    Match.when("ClaudeOauth", () =>
+      authClaudeLogin({
+        _tag: "AuthClaudeLogin",
+        label: labelOption,
+        claudeAuthPath: claudeAuthRoot
+      })),
+    Match.when("ClaudeLogout", () =>
+      authClaudeLogout({
+        _tag: "AuthClaudeLogout",
+        label: labelOption,
+        claudeAuthPath: claudeAuthRoot
+      })),
+    Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.exhaustive
+  )
 }
 
 const runAuthPromptEffect = (
@@ -162,7 +182,9 @@ const submitAuthPrompt = (
     (nextValues) => {
       const label = defaultLabel(nextValues["label"] ?? "")
       const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)
-      runAuthPromptEffect(effect, view, label, context, { suspendTui: view.flow === "GithubOauth" })
+      runAuthPromptEffect(effect, view, label, context, {
+        suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout"
+      })
     }
   )
 }
diff --git a/packages/app/src/docker-git/menu-project-auth-data.ts b/packages/app/src/docker-git/menu-project-auth-data.ts
index 5fe600e8..1b71c43f 100644
--- a/packages/app/src/docker-git/menu-project-auth-data.ts
+++ b/packages/app/src/docker-git/menu-project-auth-data.ts
@@ -3,12 +3,14 @@ import * as Path from "@effect/platform/Path"
 import { Effect, Match, pipe } from "effect"
 
 import { AuthError } from "@effect-template/lib/shell/errors"
+import { normalizeAccountLabel } from "@effect-template/lib/usecases/auth-helpers"
 import { ensureEnvFile, findEnvValue, readEnvText, upsertEnvKey } from "@effect-template/lib/usecases/env-file"
 import type { AppError } from "@effect-template/lib/usecases/errors"
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
 import type { ProjectItem } from "@effect-template/lib/usecases/projects"
 import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 
+import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
 import type { MenuEnv, ProjectAuthFlow, ProjectAuthSnapshot } from "./menu-types.js"
 
@@ -60,7 +62,6 @@ const resolveCanonicalLabel = (value: string): string => {
 const githubTokenBaseKey = "GITHUB_TOKEN"
 const gitTokenBaseKey = "GIT_AUTH_TOKEN"
 const gitUserBaseKey = "GIT_AUTH_USER"
-const claudeApiKeyBaseKey = "ANTHROPIC_API_KEY"
 
 const projectGithubLabelKey = "GITHUB_AUTH_LABEL"
 const projectGitLabelKey = "GIT_AUTH_LABEL"
@@ -73,11 +74,13 @@ type ProjectAuthEnvText = {
   readonly path: Path.Path
   readonly globalEnvPath: string
   readonly projectEnvPath: string
+  readonly claudeAuthPath: string
   readonly globalEnvText: string
   readonly projectEnvText: string
 }
 
 const buildGlobalEnvPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`
+const buildClaudeAuthPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`
 
 const loadProjectAuthEnvText = (
   project: ProjectItem
@@ -86,6 +89,7 @@ const loadProjectAuthEnvText = (
     const fs = yield* _(FileSystem.FileSystem)
     const path = yield* _(Path.Path)
     const globalEnvPath = buildGlobalEnvPath(process.cwd())
+    const claudeAuthPath = buildClaudeAuthPath(process.cwd())
     yield* _(ensureEnvFile(fs, path, globalEnvPath))
     yield* _(ensureEnvFile(fs, path, project.envProjectPath))
     const globalEnvText = yield* _(readEnvText(fs, globalEnvPath))
@@ -95,6 +99,7 @@ const loadProjectAuthEnvText = (
       path,
       globalEnvPath,
       projectEnvPath: project.envProjectPath,
+      claudeAuthPath,
       globalEnvText,
       projectEnvText
     }
@@ -105,18 +110,24 @@ export const readProjectAuthSnapshot = (
 ): Effect.Effect<ProjectAuthSnapshot, AppError, MenuEnv> =>
   pipe(
     loadProjectAuthEnvText(project),
-    Effect.map(({ globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => ({
-      projectDir: project.projectDir,
-      projectName: project.displayName,
-      envGlobalPath: globalEnvPath,
-      envProjectPath: projectEnvPath,
-      githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
-      gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
-      claudeKeyEntries: countKeyEntries(globalEnvText, claudeApiKeyBaseKey),
-      activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
-      activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
-      activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
-    }))
+    Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, path, projectEnvPath, projectEnvText }) =>
+      pipe(
+        countAuthAccountDirectories(fs, path, claudeAuthPath),
+        Effect.map((claudeAuthEntries) => ({
+          projectDir: project.projectDir,
+          projectName: project.displayName,
+          envGlobalPath: globalEnvPath,
+          envProjectPath: projectEnvPath,
+          claudeAuthPath,
+          githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
+          gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
+          claudeAuthEntries,
+          activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
+          activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
+          activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey)
+        }))
+      )
+    )
   )
 
 const missingSecret = (
@@ -129,11 +140,13 @@ const missingSecret = (
   })
 
 type ProjectEnvUpdateSpec = {
+  readonly fs: FileSystem.FileSystem
   readonly rawLabel: string
   readonly canonicalLabel: string
   readonly globalEnvPath: string
   readonly globalEnvText: string
   readonly projectEnvText: string
+  readonly claudeAuthPath: string
 }
 
 const updateProjectGithubConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
@@ -182,18 +195,39 @@ const updateProjectGitDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<s
 }
 
 const updateProjectClaudeConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
-  const key = buildLabeledEnvKey(claudeApiKeyBaseKey, spec.rawLabel)
-  const apiKey = findEnvValue(spec.globalEnvText, key)
-  if (apiKey === null) {
-    return Effect.fail(missingSecret("Claude key", spec.canonicalLabel, spec.globalEnvPath))
-  }
-  const withKey = upsertEnvKey(spec.projectEnvText, claudeApiKeyBaseKey, apiKey)
-  return Effect.succeed(upsertEnvKey(withKey, projectClaudeLabelKey, spec.canonicalLabel))
+  const accountLabel = normalizeAccountLabel(spec.rawLabel, "default")
+  const accountPath = `${spec.claudeAuthPath}/${accountLabel}`
+  return Effect.gen(function*(_) {
+    const exists = yield* _(spec.fs.exists(accountPath))
+    if (!exists) {
+      return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
+    }
+    const configJsonPath = `${accountPath}/.config.json`
+    const hasConfigJson = yield* _(spec.fs.exists(configJsonPath))
+    if (hasConfigJson) {
+      const info = yield* _(spec.fs.stat(configJsonPath))
+      if (info.type === "File") {
+        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
+      }
+    }
+
+    const entries = yield* _(spec.fs.readDirectory(accountPath))
+    for (const entry of entries) {
+      if (!entry.startsWith(".claude") || !entry.endsWith(".json")) {
+        continue
+      }
+      const info = yield* _(spec.fs.stat(`${accountPath}/${entry}`))
+      if (info.type === "File") {
+        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
+      }
+    }
+
+    return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
+  })
 }
 
 const updateProjectClaudeDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string> => {
-  const withoutKey = upsertEnvKey(spec.projectEnvText, claudeApiKeyBaseKey, "")
-  return Effect.succeed(upsertEnvKey(withoutKey, projectClaudeLabelKey, ""))
+  return Effect.succeed(upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, ""))
 }
 
 const resolveProjectEnvUpdate = (
@@ -217,10 +251,18 @@ export const writeProjectAuthFlow = (
 ): Effect.Effect<void, AppError, MenuEnv> =>
   pipe(
     loadProjectAuthEnvText(project),
-    Effect.flatMap(({ fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
+    Effect.flatMap(({ claudeAuthPath, fs, globalEnvPath, globalEnvText, projectEnvPath, projectEnvText }) => {
       const rawLabel = values["label"] ?? ""
       const canonicalLabel = resolveCanonicalLabel(rawLabel)
-      const spec: ProjectEnvUpdateSpec = { rawLabel, canonicalLabel, globalEnvPath, globalEnvText, projectEnvText }
+      const spec: ProjectEnvUpdateSpec = {
+        fs,
+        rawLabel,
+        canonicalLabel,
+        globalEnvPath,
+        globalEnvText,
+        projectEnvText,
+        claudeAuthPath
+      }
       const nextProjectEnv = resolveProjectEnvUpdate(flow, spec)
       const syncMessage = Match.value(flow).pipe(
         Match.when("ProjectGithubConnect", () =>
diff --git a/packages/app/src/docker-git/menu-render-auth.ts b/packages/app/src/docker-git/menu-render-auth.ts
index 160027fa..e4a249fe 100644
--- a/packages/app/src/docker-git/menu-render-auth.ts
+++ b/packages/app/src/docker-git/menu-render-auth.ts
@@ -24,11 +24,12 @@ export const renderAuthMenu = (
     "docker-git / Auth profiles",
     [
       el(Text, null, `Global env: ${snapshot.globalEnvPath}`),
+      el(Text, null, `Claude auth: ${snapshot.claudeAuthPath}`),
       el(Text, { color: "gray" }, renderCountLine("Entries", snapshot.totalEntries)),
       el(Text, { color: "gray" }, renderCountLine("GitHub tokens", snapshot.githubTokenEntries)),
       el(Text, { color: "gray" }, renderCountLine("Git tokens", snapshot.gitTokenEntries)),
       el(Text, { color: "gray" }, renderCountLine("Git users", snapshot.gitUserEntries)),
-      el(Text, { color: "gray" }, renderCountLine("Claude keys", snapshot.claudeKeyEntries)),
+      el(Text, { color: "gray" }, renderCountLine("Claude logins", snapshot.claudeAuthEntries)),
       el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
       renderMenuHelp("Use arrows + Enter, or type a number.")
     ],
@@ -42,10 +43,20 @@ export const renderAuthPrompt = (
 ): React.ReactElement => {
   const el = React.createElement
   const { prompt, visibleBuffer } = resolvePromptState(authViewSteps(view.flow), view.step, view.buffer)
-  const helpLine = view.flow === "GithubOauth" ? "Enter = start OAuth, Esc = cancel." : "Enter = next, Esc = cancel."
+  let helpLine = "Enter = next, Esc = cancel."
+  if (view.flow === "GithubOauth" || view.flow === "ClaudeOauth") {
+    helpLine = "Enter = start OAuth, Esc = cancel."
+  } else if (view.flow === "ClaudeLogout") {
+    helpLine = "Enter = logout, Esc = cancel."
+  }
   return renderPromptLayout({
     title: `docker-git / Auth / ${authViewTitle(view.flow)}`,
-    header: [el(Text, { color: "gray" }, `Global env: ${view.snapshot.globalEnvPath}`)],
+    header: [
+      el(Text, { color: "gray" }, `Global env: ${view.snapshot.globalEnvPath}`),
+      ...(view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout"
+        ? [el(Text, { color: "gray" }, `Claude auth: ${view.snapshot.claudeAuthPath}`)]
+        : [])
+    ],
     prompt,
     visibleBuffer,
     helpLine,
diff --git a/packages/app/src/docker-git/menu-render-project-auth.ts b/packages/app/src/docker-git/menu-render-project-auth.ts
index df91615d..2f8fe4ae 100644
--- a/packages/app/src/docker-git/menu-render-project-auth.ts
+++ b/packages/app/src/docker-git/menu-render-project-auth.ts
@@ -30,6 +30,7 @@ export const renderProjectAuthMenu = (
       el(Text, { color: "gray" }, `Dir: ${snapshot.projectDir}`),
       el(Text, { color: "gray" }, `Project env: ${snapshot.envProjectPath}`),
       el(Text, { color: "gray" }, `Global env: ${snapshot.envGlobalPath}`),
+      el(Text, { color: "gray" }, `Claude auth: ${snapshot.claudeAuthPath}`),
       el(
         Box,
         { marginTop: 1, flexDirection: "column" },
@@ -38,7 +39,7 @@ export const renderProjectAuthMenu = (
         el(Text, { color: "gray" }, `Git label: ${renderActiveLabel(snapshot.activeGitLabel)}`),
         el(Text, { color: "gray" }, renderCountLine("Available Git tokens", snapshot.gitTokenEntries)),
         el(Text, { color: "gray" }, `Claude label: ${renderActiveLabel(snapshot.activeClaudeLabel)}`),
-        el(Text, { color: "gray" }, renderCountLine("Available Claude keys", snapshot.claudeKeyEntries))
+        el(Text, { color: "gray" }, renderCountLine("Available Claude logins", snapshot.claudeAuthEntries))
       ),
       el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
       renderMenuHelp("Use arrows + Enter, or type a number from the list.")
diff --git a/packages/app/src/docker-git/menu-types.ts b/packages/app/src/docker-git/menu-types.ts
index 906c0623..7ce3321e 100644
--- a/packages/app/src/docker-git/menu-types.ts
+++ b/packages/app/src/docker-git/menu-types.ts
@@ -76,16 +76,17 @@ export type AuthFlow =
   | "GithubRemove"
   | "GitSet"
   | "GitRemove"
-  | "ClaudeSet"
-  | "ClaudeRemove"
+  | "ClaudeOauth"
+  | "ClaudeLogout"
 
 export interface AuthSnapshot {
   readonly globalEnvPath: string
+  readonly claudeAuthPath: string
   readonly totalEntries: number
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly gitUserEntries: number
-  readonly claudeKeyEntries: number
+  readonly claudeAuthEntries: number
 }
 
 export type ProjectAuthFlow =
@@ -101,9 +102,10 @@ export interface ProjectAuthSnapshot {
   readonly projectName: string
   readonly envGlobalPath: string
   readonly envProjectPath: string
+  readonly claudeAuthPath: string
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
-  readonly claudeKeyEntries: number
+  readonly claudeAuthEntries: number
   readonly activeGithubLabel: string | null
   readonly activeGitLabel: string | null
   readonly activeClaudeLabel: string | null
diff --git a/packages/app/src/docker-git/program.ts b/packages/app/src/docker-git/program.ts
index 7057d6c4..8bbf50e7 100644
--- a/packages/app/src/docker-git/program.ts
+++ b/packages/app/src/docker-git/program.ts
@@ -1,6 +1,9 @@
 import type { Command, ParseError } from "@effect-template/lib/core/domain"
 import { createProject } from "@effect-template/lib/usecases/actions"
 import {
+  authClaudeLogin,
+  authClaudeLogout,
+  authClaudeStatus,
   authCodexLogin,
   authCodexLogout,
   authCodexStatus,
@@ -85,15 +88,18 @@ const handleNonBaseCommand = (command: NonBaseCommand) =>
       Match.when({ _tag: "AuthCodexLogin" }, (cmd) => authCodexLogin(cmd)),
       Match.when({ _tag: "AuthCodexStatus" }, (cmd) => authCodexStatus(cmd)),
       Match.when({ _tag: "AuthCodexLogout" }, (cmd) => authCodexLogout(cmd)),
+      Match.when({ _tag: "AuthClaudeLogin" }, (cmd) => authClaudeLogin(cmd)),
+      Match.when({ _tag: "AuthClaudeStatus" }, (cmd) => authClaudeStatus(cmd)),
+      Match.when({ _tag: "AuthClaudeLogout" }, (cmd) => authClaudeLogout(cmd)),
       Match.when({ _tag: "Attach" }, (cmd) => attachTmux(cmd)),
       Match.when({ _tag: "Panes" }, (cmd) => listTmuxPanes(cmd)),
       Match.when({ _tag: "SessionsList" }, (cmd) => listTerminalSessions(cmd)),
-      Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd)),
-      Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)),
-      Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)),
-      Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd))
+      Match.when({ _tag: "SessionsKill" }, (cmd) => killTerminalProcess(cmd))
     )
     .pipe(
+      Match.when({ _tag: "SessionsLogs" }, (cmd) => tailTerminalLogs(cmd)),
+      Match.when({ _tag: "ScrapExport" }, (cmd) => exportScrap(cmd)),
+      Match.when({ _tag: "ScrapImport" }, (cmd) => importScrap(cmd)),
       Match.when({ _tag: "McpPlaywrightUp" }, (cmd) => mcpPlaywrightUp(cmd)),
       Match.exhaustive
     )
diff --git a/packages/lib/src/core/domain.ts b/packages/lib/src/core/domain.ts
index 75bc4e67..f3ba309c 100644
--- a/packages/lib/src/core/domain.ts
+++ b/packages/lib/src/core/domain.ts
@@ -187,6 +187,24 @@ export interface AuthCodexLogoutCommand {
   readonly codexAuthPath: string
 }
 
+export interface AuthClaudeLoginCommand {
+  readonly _tag: "AuthClaudeLogin"
+  readonly label: string | null
+  readonly claudeAuthPath: string
+}
+
+export interface AuthClaudeStatusCommand {
+  readonly _tag: "AuthClaudeStatus"
+  readonly label: string | null
+  readonly claudeAuthPath: string
+}
+
+export interface AuthClaudeLogoutCommand {
+  readonly _tag: "AuthClaudeLogout"
+  readonly label: string | null
+  readonly claudeAuthPath: string
+}
+
 export type SessionsCommand =
   | SessionsListCommand
   | SessionsKillCommand
@@ -203,6 +221,9 @@ export type AuthCommand =
   | AuthCodexLoginCommand
   | AuthCodexStatusCommand
   | AuthCodexLogoutCommand
+  | AuthClaudeLoginCommand
+  | AuthClaudeStatusCommand
+  | AuthClaudeLogoutCommand
 
 export type StateCommand =
   | StatePathCommand
diff --git a/packages/lib/src/core/templates-entrypoint.ts b/packages/lib/src/core/templates-entrypoint.ts
index 13a2ff81..dfa37c85 100644
--- a/packages/lib/src/core/templates-entrypoint.ts
+++ b/packages/lib/src/core/templates-entrypoint.ts
@@ -10,6 +10,7 @@ import {
   renderEntrypointZshShell,
   renderEntrypointZshUserRc
 } from "./templates-entrypoint/base.js"
+import { renderEntrypointClaudeConfig } from "./templates-entrypoint/claude.js"
 import {
   renderEntrypointAgentsNotice,
   renderEntrypointCodexHome,
@@ -48,6 +49,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointAgentsNotice(config),
     renderEntrypointDockerSocket(config),
     renderEntrypointGitConfig(config),
+    renderEntrypointClaudeConfig(config),
     renderEntrypointGitHooks(),
     renderEntrypointBackgroundTasks(config),
     renderEntrypointBaseline(),
diff --git a/packages/lib/src/core/templates-entrypoint/base.ts b/packages/lib/src/core/templates-entrypoint/base.ts
index d61f8f47..42313460 100644
--- a/packages/lib/src/core/templates-entrypoint/base.ts
+++ b/packages/lib/src/core/templates-entrypoint/base.ts
@@ -9,6 +9,7 @@ REPO_URL="\${REPO_URL:-}"
 REPO_REF="\${REPO_REF:-}"
 FORK_REPO_URL="\${FORK_REPO_URL:-}"
 TARGET_DIR="\${TARGET_DIR:-${config.targetDir}}"
+CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-x-access-token}}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
 GH_TOKEN="\${GH_TOKEN:-\${GIT_AUTH_TOKEN:-}}"
@@ -18,7 +19,28 @@ GIT_USER_EMAIL="\${GIT_USER_EMAIL:-}"
 CODEX_AUTO_UPDATE="\${CODEX_AUTO_UPDATE:-1}"
 MCP_PLAYWRIGHT_ENABLE="\${MCP_PLAYWRIGHT_ENABLE:-${config.enableMcpPlaywright ? "1" : "0"}}"
 MCP_PLAYWRIGHT_CDP_ENDPOINT="\${MCP_PLAYWRIGHT_CDP_ENDPOINT:-}"
-MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"`
+MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"
+
+SSH_ENV_PATH="/home/${config.sshUser}/.ssh/environment"
+
+docker_git_upsert_ssh_env() {
+  local key="$1"
+  local value="$2"
+
+  if [[ -d "$SSH_ENV_PATH" ]]; then
+    mv "$SSH_ENV_PATH" "$SSH_ENV_PATH.bak-$(date +%s)" || true
+  fi
+
+  mkdir -p "$(dirname "$SSH_ENV_PATH")"
+  touch "$SSH_ENV_PATH"
+
+  awk -v k="$key" -F= '$1 != k { print }' "$SSH_ENV_PATH" > "$SSH_ENV_PATH.tmp"
+  mv "$SSH_ENV_PATH.tmp" "$SSH_ENV_PATH"
+
+  printf "%s\n" "$key=$value" >> "$SSH_ENV_PATH"
+  chmod 600 "$SSH_ENV_PATH" || true
+  chown 1000:1000 "$SSH_ENV_PATH" || true
+}`
 
 export const renderEntrypointAuthorizedKeys = (config: TemplateConfig): string =>
   `# 1) Authorized keys are mounted from host at /authorized_keys
diff --git a/packages/lib/src/core/templates-entrypoint/claude.ts b/packages/lib/src/core/templates-entrypoint/claude.ts
new file mode 100644
index 00000000..f3201a52
--- /dev/null
+++ b/packages/lib/src/core/templates-entrypoint/claude.ts
@@ -0,0 +1,32 @@
+import type { TemplateConfig } from "../domain.js"
+
+const claudeAuthRootContainerPath = (sshUser: string): string => `/home/${sshUser}/.docker-git/.orch/auth/claude`
+
+export const renderEntrypointClaudeConfig = (config: TemplateConfig): string =>
+  String
+    .raw`# Claude Code: expose CLAUDE_CONFIG_DIR for SSH sessions (OAuth cache lives under ~/.docker-git/.orch/auth/claude)
+CLAUDE_LABEL_RAW="$CLAUDE_AUTH_LABEL"
+if [[ -z "$CLAUDE_LABEL_RAW" ]]; then
+  CLAUDE_LABEL_RAW="default"
+fi
+
+CLAUDE_LABEL_NORM="$(printf "%s" "$CLAUDE_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$CLAUDE_LABEL_NORM" ]]; then
+  CLAUDE_LABEL_NORM="default"
+fi
+
+CLAUDE_AUTH_ROOT="${claudeAuthRootContainerPath(config.sshUser)}"
+CLAUDE_CONFIG_DIR="$CLAUDE_AUTH_ROOT/$CLAUDE_LABEL_NORM"
+export CLAUDE_CONFIG_DIR
+
+mkdir -p "$CLAUDE_CONFIG_DIR" || true
+
+CLAUDE_PROFILE="/etc/profile.d/claude-config.sh"
+printf "export CLAUDE_AUTH_LABEL=%q\n" "$CLAUDE_AUTH_LABEL" > "$CLAUDE_PROFILE"
+printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
+chmod 0644 "$CLAUDE_PROFILE" || true
+
+docker_git_upsert_ssh_env "CLAUDE_AUTH_LABEL" "$CLAUDE_AUTH_LABEL"
+docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"`
diff --git a/packages/lib/src/core/templates-entrypoint/git.ts b/packages/lib/src/core/templates-entrypoint/git.ts
index de1390d6..c9447998 100644
--- a/packages/lib/src/core/templates-entrypoint/git.ts
+++ b/packages/lib/src/core/templates-entrypoint/git.ts
@@ -16,11 +16,8 @@ if [[ -n "$GH_TOKEN" || -n "$GITHUB_TOKEN" ]]; then
   printf "export GH_TOKEN=%q\n" "$EFFECTIVE_GH_TOKEN" > /etc/profile.d/gh-token.sh
   printf "export GITHUB_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN" >> /etc/profile.d/gh-token.sh
   chmod 0644 /etc/profile.d/gh-token.sh
-  SSH_ENV_PATH="/home/${config.sshUser}/.ssh/environment"
-  printf "%s\n" "GH_TOKEN=$EFFECTIVE_GH_TOKEN" > "$SSH_ENV_PATH"
-  printf "%s\n" "GITHUB_TOKEN=$EFFECTIVE_GITHUB_TOKEN" >> "$SSH_ENV_PATH"
-  chmod 600 "$SSH_ENV_PATH"
-  chown 1000:1000 "$SSH_ENV_PATH" || true
+  docker_git_upsert_ssh_env "GH_TOKEN" "$EFFECTIVE_GH_TOKEN"
+  docker_git_upsert_ssh_env "GITHUB_TOKEN" "$EFFECTIVE_GITHUB_TOKEN"
 
   SAFE_GH_TOKEN="$(printf "%q" "$GH_TOKEN")"
   # Keep git+https auth in sync with gh auth so push/pull works without manual setup.
diff --git a/packages/lib/src/core/templates/dockerfile.ts b/packages/lib/src/core/templates/dockerfile.ts
index 65ed3693..e1528caf 100644
--- a/packages/lib/src/core/templates/dockerfile.ts
+++ b/packages/lib/src/core/templates/dockerfile.ts
@@ -31,14 +31,16 @@ RUN printf "export NVM_DIR=/usr/local/nvm\\n[ -s /usr/local/nvm/nvm.sh ] && . /u
   > /etc/profile.d/nvm.sh && chmod 0644 /etc/profile.d/nvm.sh`
 
 const renderDockerfileBunPrelude = (config: TemplateConfig): string =>
-  `# Tooling: pnpm + Codex CLI + oh-my-opencode (bun)
+  `# Tooling: pnpm + Codex CLI + oh-my-opencode (bun) + Claude Code CLI (npm)
 RUN corepack enable && corepack prepare pnpm@${config.pnpmVersion} --activate
 ENV TERM=xterm-256color
 RUN curl -fsSL https://bun.sh/install | BUN_INSTALL=/usr/local/bun bash
 RUN ln -sf /usr/local/bun/bin/bun /usr/local/bin/bun
 RUN BUN_INSTALL=/usr/local/bun script -q -e -c "bun add -g @openai/codex@latest oh-my-opencode@latest" /dev/null
 RUN ln -sf /usr/local/bun/bin/codex /usr/local/bin/codex
-RUN ln -sf /usr/local/bun/bin/oh-my-opencode /usr/local/bin/oh-my-opencode`
+RUN ln -sf /usr/local/bun/bin/oh-my-opencode /usr/local/bin/oh-my-opencode
+RUN npm install -g @anthropic-ai/claude-code@latest
+RUN claude --version`
 
 const renderDockerfileOpenCode = (): string =>
   `# Tooling: OpenCode (binary)
diff --git a/packages/lib/src/usecases/auth-claude.ts b/packages/lib/src/usecases/auth-claude.ts
new file mode 100644
index 00000000..6d89ebe0
--- /dev/null
+++ b/packages/lib/src/usecases/auth-claude.ts
@@ -0,0 +1,227 @@
+import type * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import type * as FileSystem from "@effect/platform/FileSystem"
+import type * as Path from "@effect/platform/Path"
+import * as ParseResult from "@effect/schema/ParseResult"
+import * as Schema from "@effect/schema/Schema"
+import { Effect, Either } from "effect"
+
+import type { AuthClaudeLoginCommand, AuthClaudeLogoutCommand, AuthClaudeStatusCommand } from "../core/domain.js"
+import { defaultTemplateConfig } from "../core/domain.js"
+import { runDockerAuth, runDockerAuthCapture } from "../shell/docker-auth.js"
+import { AuthError, CommandFailedError } from "../shell/errors.js"
+import { buildDockerAuthSpec, normalizeAccountLabel } from "./auth-helpers.js"
+import { migrateLegacyOrchLayout } from "./auth-sync.js"
+import { ensureDockerImage } from "./docker-image.js"
+import { resolvePathFromCwd } from "./path-helpers.js"
+import { withFsPathContext } from "./runtime.js"
+import { autoSyncState } from "./state-repo.js"
+
+type ClaudeRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
+
+type ClaudeAccountContext = {
+  readonly accountLabel: string
+  readonly accountPath: string
+  readonly cwd: string
+}
+
+export const claudeAuthRoot = ".docker-git/.orch/auth/claude"
+
+const claudeImageName = "docker-git-auth-claude:latest"
+const claudeImageDir = ".docker-git/.orch/auth/claude/.image"
+const claudeConfigDir = "/claude-config"
+
+const ensureClaudeOrchLayout = (
+  cwd: string
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  migrateLegacyOrchLayout(
+    cwd,
+    defaultTemplateConfig.envGlobalPath,
+    defaultTemplateConfig.envProjectPath,
+    defaultTemplateConfig.codexAuthPath,
+    ".docker-git/.orch/auth/gh"
+  )
+
+const renderClaudeDockerfile = (): string =>
+  String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
+  && apt-get install -y --no-install-recommends nodejs \
+  && node -v \
+  && npm -v \
+  && rm -rf /var/lib/apt/lists/*
+RUN npm install -g @anthropic-ai/claude-code@latest
+ENTRYPOINT ["claude"]
+`
+
+const resolveClaudeAccountPath = (path: Path.Path, rootPath: string, label: string | null): {
+  readonly accountLabel: string
+  readonly accountPath: string
+} => {
+  const accountLabel = normalizeAccountLabel(label, "default")
+  const accountPath = path.join(rootPath, accountLabel)
+  return { accountLabel, accountPath }
+}
+
+const withClaudeAuth = <A, E>(
+  command: AuthClaudeLoginCommand | AuthClaudeLogoutCommand | AuthClaudeStatusCommand,
+  run: (
+    context: ClaudeAccountContext
+  ) => Effect.Effect<A, E, CommandExecutor.CommandExecutor>
+): Effect.Effect<A, E | PlatformError | CommandFailedError, ClaudeRuntime> =>
+  withFsPathContext(({ cwd, fs, path }) =>
+    Effect.gen(function*(_) {
+      yield* _(ensureClaudeOrchLayout(cwd))
+      const rootPath = resolvePathFromCwd(path, cwd, command.claudeAuthPath)
+      const { accountLabel, accountPath } = resolveClaudeAccountPath(path, rootPath, command.label)
+      yield* _(fs.makeDirectory(accountPath, { recursive: true }))
+      yield* _(
+        ensureDockerImage(fs, path, cwd, {
+          imageName: claudeImageName,
+          imageDir: claudeImageDir,
+          dockerfile: renderClaudeDockerfile(),
+          buildLabel: "claude auth"
+        })
+      )
+      return yield* _(run({ accountLabel, accountPath, cwd }))
+    })
+  )
+
+const runClaudeAuthCommand = (
+  cwd: string,
+  accountPath: string,
+  args: ReadonlyArray<string>,
+  commandLabel: string,
+  interactive: boolean
+): Effect.Effect<void, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  runDockerAuth(
+    buildDockerAuthSpec({
+      cwd,
+      image: claudeImageName,
+      hostPath: accountPath,
+      containerPath: claudeConfigDir,
+      env: `CLAUDE_CONFIG_DIR=${claudeConfigDir}`,
+      args,
+      interactive
+    }),
+    [0],
+    (exitCode) => new CommandFailedError({ command: commandLabel, exitCode })
+  )
+
+const runClaudeLogin = (
+  cwd: string,
+  accountPath: string,
+  interactive: boolean
+): Effect.Effect<void, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  runClaudeAuthCommand(cwd, accountPath, ["auth", "login"], "claude auth login", interactive)
+
+const runClaudeLogout = (
+  cwd: string,
+  accountPath: string
+): Effect.Effect<void, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  runClaudeAuthCommand(cwd, accountPath, ["auth", "logout"], "claude auth logout", false)
+
+const runClaudeStatusJson = (
+  cwd: string,
+  accountPath: string
+): Effect.Effect<string, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  runDockerAuthCapture(
+    buildDockerAuthSpec({
+      cwd,
+      image: claudeImageName,
+      hostPath: accountPath,
+      containerPath: claudeConfigDir,
+      env: `CLAUDE_CONFIG_DIR=${claudeConfigDir}`,
+      args: ["auth", "status", "--json"],
+      interactive: false
+    }),
+    [0],
+    (exitCode) => new CommandFailedError({ command: "claude auth status --json", exitCode })
+  )
+
+type ClaudeAuthStatus = {
+  readonly loggedIn: boolean
+  readonly authMethod?: string | undefined
+  readonly apiProvider?: string | undefined
+}
+
+const ClaudeAuthStatusSchema = Schema.Struct({
+  loggedIn: Schema.Boolean,
+  authMethod: Schema.optional(Schema.String),
+  apiProvider: Schema.optional(Schema.String)
+})
+
+const ClaudeAuthStatusJsonSchema = Schema.parseJson(ClaudeAuthStatusSchema)
+
+const decodeClaudeAuthStatus = (raw: string): Effect.Effect<ClaudeAuthStatus, CommandFailedError> =>
+  Either.match(ParseResult.decodeUnknownEither(ClaudeAuthStatusJsonSchema)(raw), {
+    onLeft: () => Effect.fail(new CommandFailedError({ command: "claude auth status --json", exitCode: 1 })),
+    onRight: (value) => Effect.succeed(value)
+  })
+
+// CHANGE: login to Claude Code CLI using a dedicated auth container (OAuth web flow)
+// WHY: mirror the isolated OAuth flow used for Codex/GitHub (no API key entry in TUI)
+// QUOTE(ТЗ): "ДЕЛАЙ OAuth по тому же принципу что и Codex"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall l: login(l) -> claude_auth_cache_exists(l)
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | CommandFailedError | PlatformError, FileSystem | Path | CommandExecutor>
+// INVARIANT: CLAUDE_CONFIG_DIR is pinned to the mounted auth directory
+// COMPLEXITY: O(command)
+export const authClaudeLogin = (
+  command: AuthClaudeLoginCommand
+): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, ClaudeRuntime> => {
+  const interactive = process.stdin.isTTY && process.stdout.isTTY
+  if (!interactive) {
+    return Effect.fail(new AuthError({ message: "Claude auth login requires an interactive TTY." }))
+  }
+  const accountLabel = normalizeAccountLabel(command.label, "default")
+  return withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogin(cwd, accountPath, true)).pipe(
+    Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
+  )
+}
+
+// CHANGE: show Claude Code auth status for a given label
+// WHY: allow verifying OAuth cache presence without exposing credentials
+// QUOTE(ТЗ): "где теперь можно изучить эти сессии?"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall l: status(l) -> connected(l) | disconnected(l)
+// PURITY: SHELL
+// EFFECT: Effect<void, CommandFailedError | PlatformError, FileSystem | Path | CommandExecutor>
+// INVARIANT: never logs tokens/credentials
+// COMPLEXITY: O(command)
+export const authClaudeStatus = (
+  command: AuthClaudeStatusCommand
+): Effect.Effect<void, CommandFailedError | PlatformError, ClaudeRuntime> =>
+  withClaudeAuth(command, ({ accountLabel, accountPath, cwd }) =>
+    Effect.gen(function*(_) {
+      const raw = yield* _(runClaudeStatusJson(cwd, accountPath))
+      const status = yield* _(decodeClaudeAuthStatus(raw))
+      yield* (status.loggedIn
+        ? _(Effect.log(`Claude connected (${accountLabel}).`))
+        : _(Effect.log(`Claude not connected (${accountLabel}).`)))
+    }))
+
+// CHANGE: logout Claude Code by clearing credentials for a label
+// WHY: allow revoking Claude Code access deterministically
+// QUOTE(ТЗ): "Надо сделать что бы ... можно создавать множество данных"
+// REF: issue-61
+// SOURCE: n/a
+// FORMAT THEOREM: forall l: logout(l) -> credentials_cleared(l)
+// PURITY: SHELL
+// EFFECT: Effect<void, CommandFailedError | PlatformError, FileSystem | Path | CommandExecutor>
+// INVARIANT: CLAUDE_CONFIG_DIR stays within the mounted account directory
+// COMPLEXITY: O(command)
+export const authClaudeLogout = (
+  command: AuthClaudeLogoutCommand
+): Effect.Effect<void, CommandFailedError | PlatformError, ClaudeRuntime> =>
+  Effect.gen(function*(_) {
+    const accountLabel = normalizeAccountLabel(command.label, "default")
+    yield* _(withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogout(cwd, accountPath)))
+    yield* _(autoSyncState(`chore(state): auth claude logout ${accountLabel}`))
+  }).pipe(Effect.asVoid)
diff --git a/packages/lib/src/usecases/auth.ts b/packages/lib/src/usecases/auth.ts
index 2f07a0fd..4d9b7a6d 100644
--- a/packages/lib/src/usecases/auth.ts
+++ b/packages/lib/src/usecases/auth.ts
@@ -1,2 +1,3 @@
+export * from "./auth-claude.js"
 export * from "./auth-codex.js"
 export * from "./auth-github.js"
diff --git a/scripts/e2e/issue-61-auth-labels.sh b/scripts/e2e/issue-61-auth-labels.sh
index f3be3c25..17f42e27 100755
--- a/scripts/e2e/issue-61-auth-labels.sh
+++ b/scripts/e2e/issue-61-auth-labels.sh
@@ -71,7 +71,6 @@ export DOCKER_GIT_STATE_AUTO_SYNC=1
 default_token="token_default_$RUN_ID"
 agiens_token="token_agiens_$RUN_ID"
 git_token="git_token_$RUN_ID"
-claude_key="claude_key_$RUN_ID"
 
 # 1) Store multiple GitHub tokens by label (non-interactive / CI path).
 (
@@ -93,7 +92,7 @@ grep -Fq -- "GITHUB_TOKEN__AGIENS=$agiens_token" "$ROOT/.orch/env/global.env" \
 [[ "$(git --git-dir "$REMOTE" log -1 --pretty=%s)" == "chore(state): auth gh AGIENS" ]] \
   || fail "expected latest remote commit to come from labeled GH auth"
 
-# 2) Set labeled Git credentials + Claude key via the same menu logic (non-interactive).
+# 2) Set labeled Git credentials + stub Claude Code OAuth cache via the same menu logic (non-interactive).
 PROJECT_DIR="$ROOT/e2e/project-1"
 PROJECT_ENV="$PROJECT_DIR/.orch/env/project.env"
 mkdir -p "$(dirname "$PROJECT_ENV")"
@@ -106,10 +105,11 @@ EOF_ENV
   PROJECT_DIR="$PROJECT_DIR" \
   PROJECT_ENV_PATH="$PROJECT_ENV" \
   GIT_TOKEN_VALUE="$git_token" \
-  CLAUDE_KEY_VALUE="$claude_key" \
   node --input-type=module <<'NODE'
 import { NodeContext, NodeRuntime } from "@effect/platform-node"
 import { Effect } from "effect"
+import { mkdirSync, writeFileSync } from "node:fs"
+import { join } from "node:path"
 
 import { writeAuthFlow } from "./dist/src/docker-git/menu-auth-data.js"
 import { writeProjectAuthFlow } from "./dist/src/docker-git/menu-project-auth-data.js"
@@ -121,9 +121,8 @@ if (projectDir.length === 0 || envProjectPath.length === 0) {
 }
 
 const gitToken = process.env.GIT_TOKEN_VALUE ?? ""
-const claudeKey = process.env.CLAUDE_KEY_VALUE ?? ""
-if (gitToken.length === 0 || claudeKey.length === 0) {
-  throw new Error("missing GIT_TOKEN_VALUE / CLAUDE_KEY_VALUE")
+if (gitToken.length === 0) {
+  throw new Error("missing GIT_TOKEN_VALUE")
 }
 
 const project = {
@@ -135,7 +134,15 @@ const project = {
 const main = Effect.gen(function*(_) {
   // Create labeled profiles in ~/.docker-git/.orch/env/global.env
   yield* _(writeAuthFlow(process.cwd(), "GitSet", { label: "agiens", token: gitToken, user: "x-access-token" }))
-  yield* _(writeAuthFlow(process.cwd(), "ClaudeSet", { label: "agiens", apiKey: claudeKey }))
+
+  // Stub a Claude Code OAuth cache for the same label so project binding can validate it.
+  const root = process.env.DOCKER_GIT_PROJECTS_ROOT ?? ""
+  if (root.length === 0) {
+    throw new Error("missing DOCKER_GIT_PROJECTS_ROOT")
+  }
+  const claudeAuthDir = join(root, ".orch", "auth", "claude", "agiens")
+  mkdirSync(claudeAuthDir, { recursive: true })
+  writeFileSync(join(claudeAuthDir, ".config.json"), JSON.stringify({}), "utf8")
 
   // Bind them into the project env.
   yield* _(writeProjectAuthFlow(project, "ProjectGithubConnect", { label: "agiens" }))
@@ -153,7 +160,6 @@ grep -Fq -- "CLAUDE_AUTH_LABEL=AGIENS" "$PROJECT_ENV" || fail "expected CLAUDE_A
 grep -Fq -- "GIT_AUTH_TOKEN=$git_token" "$PROJECT_ENV" || fail "expected bound GIT_AUTH_TOKEN in project.env"
 grep -Fq -- "GIT_AUTH_USER=x-access-token" "$PROJECT_ENV" || fail "expected bound GIT_AUTH_USER in project.env"
 grep -Fq -- "GH_TOKEN=$git_token" "$PROJECT_ENV" || fail "expected bound GH_TOKEN in project.env"
-grep -Fq -- "ANTHROPIC_API_KEY=$claude_key" "$PROJECT_ENV" || fail "expected bound ANTHROPIC_API_KEY in project.env"
 
 [[ -z "$(git -C "$ROOT" status --porcelain)" ]] || fail "state repo not clean after project bindings"
 last_msg="$(git --git-dir "$REMOTE" log -1 --pretty=%s)"

From 3c924a02eff22ea8254c659e325add4f9616bd25 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 14:31:47 +0000
Subject: [PATCH 09/15] fix(auth): claude oauth login UX

---
 packages/lib/src/shell/docker-auth.ts     | 23 ++++++++++++++++++++---
 packages/lib/src/usecases/auth-claude.ts  |  7 +++++--
 packages/lib/src/usecases/auth-helpers.ts |  4 ++--
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/packages/lib/src/shell/docker-auth.ts b/packages/lib/src/shell/docker-auth.ts
index 61f3db0a..7e3218cb 100644
--- a/packages/lib/src/shell/docker-auth.ts
+++ b/packages/lib/src/shell/docker-auth.ts
@@ -14,11 +14,28 @@ export type DockerAuthSpec = {
   readonly image: string
   readonly volume: DockerVolume
   readonly entrypoint?: string
-  readonly env?: string
+  readonly env?: string | ReadonlyArray<string>
   readonly args: ReadonlyArray<string>
   readonly interactive: boolean
 }
 
+const appendEnvArgs = (base: Array<string>, env: string | ReadonlyArray<string>) => {
+  if (typeof env === "string") {
+    const trimmed = env.trim()
+    if (trimmed.length > 0) {
+      base.push("-e", trimmed)
+    }
+    return
+  }
+  for (const entry of env) {
+    const trimmed = entry.trim()
+    if (trimmed.length === 0) {
+      continue
+    }
+    base.push("-e", trimmed)
+  }
+}
+
 const buildDockerArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => {
   const base: Array<string> = ["run", "--rm"]
   if (spec.interactive) {
@@ -28,8 +45,8 @@ const buildDockerArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => {
     base.push("--entrypoint", spec.entrypoint)
   }
   base.push("-v", `${spec.volume.hostPath}:${spec.volume.containerPath}`)
-  if (spec.env && spec.env.length > 0) {
-    base.push("-e", spec.env)
+  if (spec.env !== undefined) {
+    appendEnvArgs(base, spec.env)
   }
   return [...base, spec.image, ...spec.args]
 }
diff --git a/packages/lib/src/usecases/auth-claude.ts b/packages/lib/src/usecases/auth-claude.ts
index 6d89ebe0..7f470e0f 100644
--- a/packages/lib/src/usecases/auth-claude.ts
+++ b/packages/lib/src/usecases/auth-claude.ts
@@ -103,7 +103,7 @@ const runClaudeAuthCommand = (
       image: claudeImageName,
       hostPath: accountPath,
       containerPath: claudeConfigDir,
-      env: `CLAUDE_CONFIG_DIR=${claudeConfigDir}`,
+      env: [`CLAUDE_CONFIG_DIR=${claudeConfigDir}`, "BROWSER=echo"],
       args,
       interactive
     }),
@@ -180,7 +180,10 @@ export const authClaudeLogin = (
     return Effect.fail(new AuthError({ message: "Claude auth login requires an interactive TTY." }))
   }
   const accountLabel = normalizeAccountLabel(command.label, "default")
-  return withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogin(cwd, accountPath, true)).pipe(
+  return Effect.log(
+    "Claude OAuth: open the URL, then copy the Authentication Code from the browser and paste it here (input is hidden), then press Enter."
+  ).pipe(
+    Effect.zipRight(withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogin(cwd, accountPath, true))),
     Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
   )
 }
diff --git a/packages/lib/src/usecases/auth-helpers.ts b/packages/lib/src/usecases/auth-helpers.ts
index 420c2c94..02e59987 100644
--- a/packages/lib/src/usecases/auth-helpers.ts
+++ b/packages/lib/src/usecases/auth-helpers.ts
@@ -7,7 +7,7 @@ type DockerAuthSpecInput = {
   readonly hostPath: string
   readonly containerPath: string
   readonly entrypoint?: string
-  readonly env?: string
+  readonly env?: string | ReadonlyArray<string>
   readonly args: ReadonlyArray<string>
   readonly interactive: boolean
 }
@@ -46,7 +46,7 @@ export const buildDockerAuthSpec = (input: DockerAuthSpecInput): DockerAuthSpec
   image: input.image,
   volume: { hostPath: input.hostPath, containerPath: input.containerPath },
   ...(typeof input.entrypoint === "string" ? { entrypoint: input.entrypoint } : {}),
-  ...(typeof input.env === "string" ? { env: input.env } : {}),
+  ...(input.env === undefined ? {} : { env: input.env }),
   args: input.args,
   interactive: input.interactive
 })

From 79cc9018f8f6ed9e4515059fa187f05db5a9859e Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 15:44:37 +0000
Subject: [PATCH 10/15] fix(auth): prompt for Claude OAuth code

---
 packages/lib/src/shell/docker-auth.ts         |   8 +
 .../lib/src/usecases/auth-claude-oauth.ts     | 289 ++++++++++++++++++
 packages/lib/src/usecases/auth-claude.ts      |  28 +-
 3 files changed, 307 insertions(+), 18 deletions(-)
 create mode 100644 packages/lib/src/usecases/auth-claude-oauth.ts

diff --git a/packages/lib/src/shell/docker-auth.ts b/packages/lib/src/shell/docker-auth.ts
index 7e3218cb..55f08817 100644
--- a/packages/lib/src/shell/docker-auth.ts
+++ b/packages/lib/src/shell/docker-auth.ts
@@ -51,6 +51,14 @@ const buildDockerArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => {
   return [...base, spec.image, ...spec.args]
 }
 
+// CHANGE: expose docker CLI args builder for advanced auth flows (stdin piping)
+// WHY: some OAuth CLIs (Claude Code) don't reliably render their input UI; docker-git needs to drive stdin explicitly
+// REF: issue-61
+// SOURCE: n/a
+// PURITY: CORE
+// INVARIANT: args match those used by runDockerAuth / runDockerAuthCapture
+export const buildDockerAuthArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => buildDockerArgs(spec)
+
 // CHANGE: run a docker auth command with controlled exit codes
 // WHY: reuse container auth flow for gh/codex
 // QUOTE(ТЗ): "поднимал отдельный контейнер где будет установлен чисто gh или чисто codex"
diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
new file mode 100644
index 00000000..569e04bd
--- /dev/null
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -0,0 +1,289 @@
+import * as Command from "@effect/platform/Command"
+import * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect, pipe } from "effect"
+import * as Deferred from "effect/Deferred"
+import * as Fiber from "effect/Fiber"
+import type * as Scope from "effect/Scope"
+import * as Stream from "effect/Stream"
+import { writeSync } from "node:fs"
+
+import { AuthError, CommandFailedError } from "../shell/errors.js"
+
+type ClaudeAuthorizeInfo = {
+  readonly authorizeUrl: string
+  readonly state: string | null
+}
+
+type FirstOutcome =
+  | { readonly _tag: "Exit"; readonly exitCode: number }
+  | { readonly _tag: "AuthorizeUrl"; readonly info: ClaudeAuthorizeInfo }
+
+const oauthCodeEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_CODE"
+const authorizeUrlRegex = /https:\/\/claude\.ai\/oauth\/authorize\S*/u
+
+const extractAuthorizeUrl = (line: string): string | null => {
+  const match = authorizeUrlRegex.exec(line)
+  return match?.[0] ?? null
+}
+
+const readQueryParam = (raw: string, key: string): string | null => {
+  const match = new RegExp(String.raw`[?&]${key}=([^&#\s]+)`, "u").exec(raw)
+  return match?.[1] ?? null
+}
+
+const normalizeOauthPaste = (raw: string, authorizeState: string | null): string => {
+  const trimmed = raw.trim()
+  if (trimmed.length === 0) {
+    return ""
+  }
+  if (trimmed.includes("#")) {
+    return trimmed
+  }
+  const callbackCode = readQueryParam(trimmed, "code")
+  const callbackState = readQueryParam(trimmed, "state")
+  if (callbackCode !== null) {
+    return callbackState === null ? callbackCode : `${callbackCode}#${callbackState}`
+  }
+  return authorizeState === null ? trimmed : `${trimmed}#${authorizeState}`
+}
+
+const oauthCodeFromEnv = (): string | null => {
+  const value = (process.env[oauthCodeEnvKey] ?? "").trim()
+  return value.length > 0 ? value : null
+}
+
+const ensureInteractiveStdin = (): Effect.Effect<void, AuthError> =>
+  process.stdin.isTTY && process.stdout.isTTY && typeof process.stdin.setRawMode === "function"
+    ? Effect.void
+    : Effect.fail(
+      new AuthError({
+        message:
+          `Claude auth login needs an interactive TTY, or set ${oauthCodeEnvKey} to the OAuth Authentication Code.`
+      })
+    )
+
+const readHiddenLine = (prompt: string): Effect.Effect<string, AuthError> =>
+  Effect.async<string, AuthError>((resume) => {
+    const previousRaw = process.stdin.isRaw
+    let buffer = ""
+
+    const cleanup = () => {
+      process.stdin.off("data", onData)
+      process.stdin.setRawMode(previousRaw)
+    }
+
+    const done = (value: string) => {
+      cleanup()
+      writeSync(1, "\n")
+      resume(Effect.succeed(value))
+    }
+
+    const fail = (message: string) => {
+      cleanup()
+      resume(Effect.fail(new AuthError({ message })))
+    }
+
+    const onData = (chunk: Buffer | string) => {
+      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8")
+      for (const ch of text) {
+        if (ch === "\u0003") {
+          fail("Claude auth login cancelled.")
+          return
+        }
+        if (ch === "\r" || ch === "\n") {
+          done(buffer)
+          return
+        }
+        if (ch === "\u007F") {
+          buffer = buffer.slice(0, Math.max(0, buffer.length - 1))
+          continue
+        }
+        buffer += ch
+      }
+    }
+
+    writeSync(1, prompt)
+    process.stdin.setRawMode(true)
+    process.stdin.resume()
+    process.stdin.on("data", onData)
+
+    return Effect.sync(() => {
+      cleanup()
+    })
+  })
+
+const resolveOauthCodeInput = (info: ClaudeAuthorizeInfo): Effect.Effect<string, AuthError> => {
+  const fromEnv = oauthCodeFromEnv()
+  if (fromEnv !== null) {
+    return Effect.succeed(normalizeOauthPaste(fromEnv, info.state))
+  }
+  return ensureInteractiveStdin().pipe(
+    Effect.zipRight(
+      readHiddenLine(
+        "\n[docker-git] Paste the Authentication Code from the browser and press Enter (input hidden; Ctrl+C to cancel):\n> "
+      )
+    ),
+    Effect.map((value) => normalizeOauthPaste(value, info.state)),
+    Effect.filterOrFail(
+      (value) => value.trim().length > 0,
+      () => new AuthError({ message: "Claude auth login requires a non-empty Authentication Code." })
+    )
+  )
+}
+
+const writeChunk = (fd: number, chunk: Uint8Array): Effect.Effect<void> =>
+  Effect.sync(() => {
+    writeSync(fd, chunk)
+  }).pipe(Effect.asVoid)
+
+const pumpDockerOutput = (
+  source: Stream.Stream<Uint8Array, PlatformError>,
+  fd: number,
+  oauth: Deferred.Deferred<ClaudeAuthorizeInfo>
+): Effect.Effect<void, PlatformError> => {
+  const decoder = new TextDecoder("utf-8")
+  let remainder = ""
+
+  return pipe(
+    source,
+    Stream.runForEach((chunk) =>
+      pipe(
+        writeChunk(fd, chunk),
+        Effect.zipRight(
+          Effect.sync((): ClaudeAuthorizeInfo | null => {
+            remainder += decoder.decode(chunk)
+            // Keep only a sliding window so repeated scans stay cheap.
+            if (remainder.length > 8192) {
+              remainder = remainder.slice(-8192)
+            }
+            const authorizeUrl = extractAuthorizeUrl(remainder)
+            if (authorizeUrl === null) {
+              return null
+            }
+            const state = readQueryParam(authorizeUrl, "state")
+            return { authorizeUrl, state }
+          })
+        ),
+        Effect.flatMap((info) =>
+          info === null
+            ? Effect.void
+            : Deferred.succeed(oauth, info).pipe(Effect.asVoid)
+        ),
+        Effect.asVoid
+      )
+    )
+  ).pipe(Effect.asVoid)
+}
+
+type DockerLoginSpec = {
+  readonly cwd: string
+  readonly image: string
+  readonly hostPath: string
+  readonly containerPath: string
+  readonly env: ReadonlyArray<string>
+  readonly args: ReadonlyArray<string>
+  readonly tty: boolean
+}
+
+const buildDockerLoginSpec = (
+  cwd: string,
+  accountPath: string,
+  image: string,
+  containerPath: string
+): DockerLoginSpec => ({
+  cwd,
+  image,
+  hostPath: accountPath,
+  containerPath,
+  env: [`CLAUDE_CONFIG_DIR=${containerPath}`, "BROWSER=echo"],
+  args: ["auth", "login"],
+  tty: process.stdin.isTTY && process.stdout.isTTY
+})
+
+const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
+  const base: Array<string> = ["run", "--rm", "-i"]
+  if (spec.tty) {
+    base.push("-t")
+  }
+  base.push("-v", `${spec.hostPath}:${spec.containerPath}`)
+  for (const entry of spec.env) {
+    const trimmed = entry.trim()
+    if (trimmed.length === 0) {
+      continue
+    }
+    base.push("-e", trimmed)
+  }
+  return [...base, spec.image, ...spec.args]
+}
+
+const startDockerProcess = (
+  executor: CommandExecutor.CommandExecutor,
+  spec: DockerLoginSpec
+): Effect.Effect<CommandExecutor.Process, PlatformError, Scope.Scope> =>
+  executor.start(
+    pipe(
+      Command.make("docker", ...buildDockerLoginArgs(spec)),
+      Command.workingDirectory(spec.cwd),
+      Command.stdin("pipe"),
+      Command.stdout("pipe"),
+      Command.stderr("pipe")
+    )
+  )
+
+const awaitFirstOutcome = (
+  proc: CommandExecutor.Process,
+  oauth: Deferred.Deferred<ClaudeAuthorizeInfo>
+): Effect.Effect<FirstOutcome, PlatformError> =>
+  Effect.race(
+    Deferred.await(oauth).pipe(Effect.map((info) => ({ _tag: "AuthorizeUrl" as const, info }))),
+    proc.exitCode.pipe(Effect.map((exitCode) => ({ _tag: "Exit" as const, exitCode: Number(exitCode) })))
+  )
+
+const ensureExitOk = (exitCode: number): Effect.Effect<void, CommandFailedError> =>
+  exitCode === 0 ? Effect.void : Effect.fail(new CommandFailedError({ command: "claude auth login", exitCode }))
+
+const feedOauthCode = (proc: CommandExecutor.Process, code: string): Effect.Effect<void, PlatformError> => {
+  const bytes = new TextEncoder().encode(`${code}\n`)
+  return pipe(Stream.make(bytes), Stream.run(proc.stdin), Effect.asVoid)
+}
+
+const finishClaudeLogin = (
+  outcome: FirstOutcome,
+  proc: CommandExecutor.Process
+): Effect.Effect<void, AuthError | CommandFailedError | PlatformError> => {
+  if (outcome._tag === "Exit") {
+    return ensureExitOk(outcome.exitCode)
+  }
+  return resolveOauthCodeInput(outcome.info).pipe(
+    Effect.flatMap((code) => feedOauthCode(proc, code)),
+    Effect.zipRight(proc.exitCode.pipe(Effect.map(Number), Effect.flatMap((exitCode) => ensureExitOk(exitCode)))),
+    Effect.asVoid
+  )
+}
+
+export const runClaudeOauthLoginWithPrompt = (
+  cwd: string,
+  accountPath: string,
+  options: {
+    readonly image: string
+    readonly containerPath: string
+  }
+): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const executor = yield* _(CommandExecutor.CommandExecutor)
+      const spec = buildDockerLoginSpec(cwd, accountPath, options.image, options.containerPath)
+      const proc = yield* _(startDockerProcess(executor, spec))
+
+      const oauth = yield* _(Deferred.make<ClaudeAuthorizeInfo>())
+      const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, oauth)))
+      const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, oauth)))
+
+      const first = yield* _(awaitFirstOutcome(proc, oauth))
+      yield* _(finishClaudeLogin(first, proc))
+
+      yield* _(Fiber.join(stdoutFiber))
+      yield* _(Fiber.join(stderrFiber))
+    }).pipe(Effect.asVoid)
+  )
diff --git a/packages/lib/src/usecases/auth-claude.ts b/packages/lib/src/usecases/auth-claude.ts
index 7f470e0f..65cea3d5 100644
--- a/packages/lib/src/usecases/auth-claude.ts
+++ b/packages/lib/src/usecases/auth-claude.ts
@@ -9,7 +9,9 @@ import { Effect, Either } from "effect"
 import type { AuthClaudeLoginCommand, AuthClaudeLogoutCommand, AuthClaudeStatusCommand } from "../core/domain.js"
 import { defaultTemplateConfig } from "../core/domain.js"
 import { runDockerAuth, runDockerAuthCapture } from "../shell/docker-auth.js"
-import { AuthError, CommandFailedError } from "../shell/errors.js"
+import type { AuthError } from "../shell/errors.js"
+import { CommandFailedError } from "../shell/errors.js"
+import { runClaudeOauthLoginWithPrompt } from "./auth-claude-oauth.js"
 import { buildDockerAuthSpec, normalizeAccountLabel } from "./auth-helpers.js"
 import { migrateLegacyOrchLayout } from "./auth-sync.js"
 import { ensureDockerImage } from "./docker-image.js"
@@ -111,13 +113,6 @@ const runClaudeAuthCommand = (
     (exitCode) => new CommandFailedError({ command: commandLabel, exitCode })
   )
 
-const runClaudeLogin = (
-  cwd: string,
-  accountPath: string,
-  interactive: boolean
-): Effect.Effect<void, CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
-  runClaudeAuthCommand(cwd, accountPath, ["auth", "login"], "claude auth login", interactive)
-
 const runClaudeLogout = (
   cwd: string,
   accountPath: string
@@ -175,17 +170,14 @@ const decodeClaudeAuthStatus = (raw: string): Effect.Effect<ClaudeAuthStatus, Co
 export const authClaudeLogin = (
   command: AuthClaudeLoginCommand
 ): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, ClaudeRuntime> => {
-  const interactive = process.stdin.isTTY && process.stdout.isTTY
-  if (!interactive) {
-    return Effect.fail(new AuthError({ message: "Claude auth login requires an interactive TTY." }))
-  }
   const accountLabel = normalizeAccountLabel(command.label, "default")
-  return Effect.log(
-    "Claude OAuth: open the URL, then copy the Authentication Code from the browser and paste it here (input is hidden), then press Enter."
-  ).pipe(
-    Effect.zipRight(withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogin(cwd, accountPath, true))),
-    Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
-  )
+  return withClaudeAuth(command, ({ accountPath, cwd }) =>
+    runClaudeOauthLoginWithPrompt(cwd, accountPath, {
+      image: claudeImageName,
+      containerPath: claudeConfigDir
+    })).pipe(
+      Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
+    )
 }
 
 // CHANGE: show Claude Code auth status for a given label

From 02b8ad8294db9f2919bcb0fddbee4352422970bf Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 16:04:56 +0000
Subject: [PATCH 11/15] fix(auth): avoid docker -t for Claude oauth

---
 packages/lib/src/usecases/auth-claude-oauth.ts | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
index 569e04bd..1c023b2e 100644
--- a/packages/lib/src/usecases/auth-claude-oauth.ts
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -183,7 +183,6 @@ type DockerLoginSpec = {
   readonly containerPath: string
   readonly env: ReadonlyArray<string>
   readonly args: ReadonlyArray<string>
-  readonly tty: boolean
 }
 
 const buildDockerLoginSpec = (
@@ -197,16 +196,13 @@ const buildDockerLoginSpec = (
   hostPath: accountPath,
   containerPath,
   env: [`CLAUDE_CONFIG_DIR=${containerPath}`, "BROWSER=echo"],
-  args: ["auth", "login"],
-  tty: process.stdin.isTTY && process.stdout.isTTY
+  args: ["auth", "login"]
 })
 
 const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
-  const base: Array<string> = ["run", "--rm", "-i"]
-  if (spec.tty) {
-    base.push("-t")
-  }
-  base.push("-v", `${spec.hostPath}:${spec.containerPath}`)
+  // NOTE: We intentionally avoid `-t` here.
+  // We need stdin as a pipe (to feed the OAuth code), and `docker run -t` errors when stdin isn't a real TTY.
+  const base: Array<string> = ["run", "--rm", "-i", "-v", `${spec.hostPath}:${spec.containerPath}`]
   for (const entry of spec.env) {
     const trimmed = entry.trim()
     if (trimmed.length === 0) {

From 6038a4da163652b8259cf22379ee27b9822d82b4 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 16:18:35 +0000
Subject: [PATCH 12/15] fix(auth): visible Claude OAuth code prompt

---
 .../lib/src/usecases/auth-claude-oauth.ts     | 90 +++++++++++--------
 1 file changed, 51 insertions(+), 39 deletions(-)

diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
index 1c023b2e..25a76272 100644
--- a/packages/lib/src/usecases/auth-claude-oauth.ts
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -7,6 +7,7 @@ import * as Fiber from "effect/Fiber"
 import type * as Scope from "effect/Scope"
 import * as Stream from "effect/Stream"
 import { writeSync } from "node:fs"
+import * as Readline from "node:readline"
 
 import { AuthError, CommandFailedError } from "../shell/errors.js"
 
@@ -54,7 +55,7 @@ const oauthCodeFromEnv = (): string | null => {
 }
 
 const ensureInteractiveStdin = (): Effect.Effect<void, AuthError> =>
-  process.stdin.isTTY && process.stdout.isTTY && typeof process.stdin.setRawMode === "function"
+  process.stdin.isTTY && process.stdout.isTTY
     ? Effect.void
     : Effect.fail(
       new AuthError({
@@ -63,52 +64,55 @@ const ensureInteractiveStdin = (): Effect.Effect<void, AuthError> =>
       })
     )
 
-const readHiddenLine = (prompt: string): Effect.Effect<string, AuthError> =>
+const readLine = (prompt: string): Effect.Effect<string, AuthError> =>
   Effect.async<string, AuthError>((resume) => {
-    const previousRaw = process.stdin.isRaw
-    let buffer = ""
-
-    const cleanup = () => {
-      process.stdin.off("data", onData)
-      process.stdin.setRawMode(previousRaw)
+    // We intentionally use readline (not raw mode) so paste works reliably in common terminals.
+    const hasRawMode = process.stdin.isTTY && typeof process.stdin.setRawMode === "function"
+    const previousRaw = hasRawMode ? process.stdin.isRaw : undefined
+    if (hasRawMode) {
+      process.stdin.setRawMode(false)
     }
 
-    const done = (value: string) => {
-      cleanup()
-      writeSync(1, "\n")
-      resume(Effect.succeed(value))
-    }
+    const rl = Readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    })
 
-    const fail = (message: string) => {
-      cleanup()
-      resume(Effect.fail(new AuthError({ message })))
-    }
+    let settled = false
 
-    const onData = (chunk: Buffer | string) => {
-      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8")
-      for (const ch of text) {
-        if (ch === "\u0003") {
-          fail("Claude auth login cancelled.")
-          return
-        }
-        if (ch === "\r" || ch === "\n") {
-          done(buffer)
-          return
-        }
-        if (ch === "\u007F") {
-          buffer = buffer.slice(0, Math.max(0, buffer.length - 1))
-          continue
-        }
-        buffer += ch
+    const cleanup = () => {
+      rl.removeAllListeners()
+      rl.close()
+      if (hasRawMode && previousRaw !== undefined) {
+        process.stdin.setRawMode(previousRaw)
       }
     }
 
+    rl.on("SIGINT", () => {
+      if (settled) {
+        return
+      }
+      settled = true
+      cleanup()
+      resume(Effect.fail(new AuthError({ message: "Claude auth login cancelled." })))
+    })
+
     writeSync(1, prompt)
-    process.stdin.setRawMode(true)
-    process.stdin.resume()
-    process.stdin.on("data", onData)
+    rl.question("", (answer) => {
+      if (settled) {
+        return
+      }
+      settled = true
+      cleanup()
+      resume(Effect.succeed(answer))
+    })
 
     return Effect.sync(() => {
+      if (settled) {
+        return
+      }
+      settled = true
       cleanup()
     })
   })
@@ -120,8 +124,8 @@ const resolveOauthCodeInput = (info: ClaudeAuthorizeInfo): Effect.Effect<string,
   }
   return ensureInteractiveStdin().pipe(
     Effect.zipRight(
-      readHiddenLine(
-        "\n[docker-git] Paste the Authentication Code from the browser and press Enter (input hidden; Ctrl+C to cancel):\n> "
+      readLine(
+        "\n[docker-git] Paste the Authentication Code from the browser and press Enter (Ctrl+C to cancel):\n> "
       )
     ),
     Effect.map((value) => normalizeOauthPaste(value, info.state)),
@@ -252,7 +256,15 @@ const finishClaudeLogin = (
     return ensureExitOk(outcome.exitCode)
   }
   return resolveOauthCodeInput(outcome.info).pipe(
-    Effect.flatMap((code) => feedOauthCode(proc, code)),
+    Effect.flatMap((code) =>
+      feedOauthCode(proc, code).pipe(
+        Effect.zipRight(
+          Effect.sync(() => {
+            writeSync(1, "[docker-git] Code submitted, waiting for Claude...\n")
+          })
+        )
+      )
+    ),
     Effect.zipRight(proc.exitCode.pipe(Effect.map(Number), Effect.flatMap((exitCode) => ensureExitOk(exitCode)))),
     Effect.asVoid
   )

From 4df6b119172dccd0c3d2cd6a2f77932072bc1cda Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 19:59:05 +0000
Subject: [PATCH 13/15] fix(auth): add Claude OAuth progress logs

---
 .../src/usecases/auth-claude-oauth-input.ts   |  57 ++++++++
 .../lib/src/usecases/auth-claude-oauth.ts     | 123 +++++++++---------
 2 files changed, 119 insertions(+), 61 deletions(-)
 create mode 100644 packages/lib/src/usecases/auth-claude-oauth-input.ts

diff --git a/packages/lib/src/usecases/auth-claude-oauth-input.ts b/packages/lib/src/usecases/auth-claude-oauth-input.ts
new file mode 100644
index 00000000..030f8ba9
--- /dev/null
+++ b/packages/lib/src/usecases/auth-claude-oauth-input.ts
@@ -0,0 +1,57 @@
+import { Effect } from "effect"
+import { writeSync } from "node:fs"
+import * as Readline from "node:readline"
+
+import { AuthError } from "../shell/errors.js"
+
+export const readVisibleLine = (prompt: string): Effect.Effect<string, AuthError> =>
+  Effect.async<string, AuthError>((resume) => {
+    // We intentionally use readline (not raw mode) so paste works reliably in common terminals.
+    const hasRawMode = process.stdin.isTTY && typeof process.stdin.setRawMode === "function"
+    const previousRaw = hasRawMode ? process.stdin.isRaw : undefined
+    if (hasRawMode) {
+      process.stdin.setRawMode(false)
+    }
+
+    const rl = Readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    })
+
+    let settled = false
+    const cleanup = () => {
+      rl.removeAllListeners()
+      rl.close()
+      if (hasRawMode && previousRaw !== undefined) {
+        process.stdin.setRawMode(previousRaw)
+      }
+    }
+
+    rl.on("SIGINT", () => {
+      if (settled) {
+        return
+      }
+      settled = true
+      cleanup()
+      resume(Effect.fail(new AuthError({ message: "Claude auth login cancelled." })))
+    })
+
+    writeSync(1, prompt)
+    rl.question("", (answer) => {
+      if (settled) {
+        return
+      }
+      settled = true
+      cleanup()
+      resume(Effect.succeed(answer))
+    })
+
+    return Effect.sync(() => {
+      if (settled) {
+        return
+      }
+      settled = true
+      cleanup()
+    })
+  })
diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
index 25a76272..7fd79f36 100644
--- a/packages/lib/src/usecases/auth-claude-oauth.ts
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -1,15 +1,15 @@
 import * as Command from "@effect/platform/Command"
 import * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
-import { Effect, pipe } from "effect"
+import { Duration, Effect, pipe, Schedule } from "effect"
 import * as Deferred from "effect/Deferred"
 import * as Fiber from "effect/Fiber"
 import type * as Scope from "effect/Scope"
 import * as Stream from "effect/Stream"
 import { writeSync } from "node:fs"
-import * as Readline from "node:readline"
 
 import { AuthError, CommandFailedError } from "../shell/errors.js"
+import { readVisibleLine } from "./auth-claude-oauth-input.js"
 
 type ClaudeAuthorizeInfo = {
   readonly authorizeUrl: string
@@ -64,59 +64,6 @@ const ensureInteractiveStdin = (): Effect.Effect<void, AuthError> =>
       })
     )
 
-const readLine = (prompt: string): Effect.Effect<string, AuthError> =>
-  Effect.async<string, AuthError>((resume) => {
-    // We intentionally use readline (not raw mode) so paste works reliably in common terminals.
-    const hasRawMode = process.stdin.isTTY && typeof process.stdin.setRawMode === "function"
-    const previousRaw = hasRawMode ? process.stdin.isRaw : undefined
-    if (hasRawMode) {
-      process.stdin.setRawMode(false)
-    }
-
-    const rl = Readline.createInterface({
-      input: process.stdin,
-      output: process.stdout,
-      terminal: true
-    })
-
-    let settled = false
-
-    const cleanup = () => {
-      rl.removeAllListeners()
-      rl.close()
-      if (hasRawMode && previousRaw !== undefined) {
-        process.stdin.setRawMode(previousRaw)
-      }
-    }
-
-    rl.on("SIGINT", () => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-      resume(Effect.fail(new AuthError({ message: "Claude auth login cancelled." })))
-    })
-
-    writeSync(1, prompt)
-    rl.question("", (answer) => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-      resume(Effect.succeed(answer))
-    })
-
-    return Effect.sync(() => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-    })
-  })
-
 const resolveOauthCodeInput = (info: ClaudeAuthorizeInfo): Effect.Effect<string, AuthError> => {
   const fromEnv = oauthCodeFromEnv()
   if (fromEnv !== null) {
@@ -124,7 +71,7 @@ const resolveOauthCodeInput = (info: ClaudeAuthorizeInfo): Effect.Effect<string,
   }
   return ensureInteractiveStdin().pipe(
     Effect.zipRight(
-      readLine(
+      readVisibleLine(
         "\n[docker-git] Paste the Authentication Code from the browser and press Enter (Ctrl+C to cancel):\n> "
       )
     ),
@@ -141,6 +88,11 @@ const writeChunk = (fd: number, chunk: Uint8Array): Effect.Effect<void> =>
     writeSync(fd, chunk)
   }).pipe(Effect.asVoid)
 
+const logLine = (line: string): Effect.Effect<void> =>
+  Effect.sync(() => {
+    writeSync(1, line.endsWith("\n") ? line : `${line}\n`)
+  }).pipe(Effect.asVoid)
+
 const pumpDockerOutput = (
   source: Stream.Stream<Uint8Array, PlatformError>,
   fd: number,
@@ -204,9 +156,9 @@ const buildDockerLoginSpec = (
 })
 
 const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
-  // NOTE: We intentionally avoid `-t` here.
-  // We need stdin as a pipe (to feed the OAuth code), and `docker run -t` errors when stdin isn't a real TTY.
-  const base: Array<string> = ["run", "--rm", "-i", "-v", `${spec.hostPath}:${spec.containerPath}`]
+  // NOTE: Claude Code's `auth login` uses an interactive prompt that behaves poorly without a TTY.
+  // We still want to programmatically feed the code, so we run `docker` under `script(1)` which allocates a pty.
+  const base: Array<string> = ["run", "--rm", "-i", "-t", "-v", `${spec.hostPath}:${spec.containerPath}`]
   for (const entry of spec.env) {
     const trimmed = entry.trim()
     if (trimmed.length === 0) {
@@ -217,13 +169,36 @@ const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
   return [...base, spec.image, ...spec.args]
 }
 
+const shellQuote = (value: string): string => {
+  if (value.length === 0) {
+    return "''"
+  }
+  // POSIX-safe single-quote escaping: ' -> '\'' .
+  const singleQuoteEscape = String.raw`'\''`
+  return "'".concat(value.replaceAll("'", singleQuoteEscape), "'")
+}
+
+const buildDockerLoginCommandString = (spec: DockerLoginSpec): string =>
+  ["docker", ...buildDockerLoginArgs(spec)]
+    .map((part) => shellQuote(part))
+    .join(" ")
+
 const startDockerProcess = (
   executor: CommandExecutor.CommandExecutor,
   spec: DockerLoginSpec
 ): Effect.Effect<CommandExecutor.Process, PlatformError, Scope.Scope> =>
   executor.start(
     pipe(
-      Command.make("docker", ...buildDockerLoginArgs(spec)),
+      // We run docker via script(1) to get a pseudo-tty even when we need to pipe input from Node.
+      Command.make(
+        "script",
+        "-q",
+        "-f",
+        "-e",
+        "-c",
+        buildDockerLoginCommandString(spec),
+        "/dev/null"
+      ),
       Command.workingDirectory(spec.cwd),
       Command.stdin("pipe"),
       Command.stdout("pipe"),
@@ -248,6 +223,32 @@ const feedOauthCode = (proc: CommandExecutor.Process, code: string): Effect.Effe
   return pipe(Stream.make(bytes), Stream.run(proc.stdin), Effect.asVoid)
 }
 
+const awaitExitCodeWithHeartbeat = (proc: CommandExecutor.Process): Effect.Effect<number, PlatformError> =>
+  Effect.gen(function*(_) {
+    const start = Date.now()
+    const heartbeat = yield* _(
+      Effect.fork(
+        logLine("[docker-git] Waiting for Claude to finish OAuth login (this can be silent for a bit)...").pipe(
+          Effect.zipRight(
+            Effect.repeat(
+              Effect.sync(() => {
+                const seconds = Math.max(0, Math.floor((Date.now() - start) / 1000))
+                writeSync(1, `[docker-git] Still waiting for Claude... (${seconds}s)\n`)
+              }),
+              Schedule.addDelay(Schedule.forever, () => Duration.seconds(5))
+            )
+          )
+        )
+      )
+    )
+    return yield* _(
+      proc.exitCode.pipe(
+        Effect.map(Number),
+        Effect.ensuring(Fiber.interrupt(heartbeat).pipe(Effect.ignore))
+      )
+    )
+  })
+
 const finishClaudeLogin = (
   outcome: FirstOutcome,
   proc: CommandExecutor.Process
@@ -265,7 +266,7 @@ const finishClaudeLogin = (
         )
       )
     ),
-    Effect.zipRight(proc.exitCode.pipe(Effect.map(Number), Effect.flatMap((exitCode) => ensureExitOk(exitCode)))),
+    Effect.zipRight(awaitExitCodeWithHeartbeat(proc).pipe(Effect.flatMap((exitCode) => ensureExitOk(exitCode)))),
     Effect.asVoid
   )
 }

From 41a0391a67c4ffb60c08ae446621da5e32f1ab61 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 20:38:31 +0000
Subject: [PATCH 14/15] fix(auth): switch Claude OAuth to setup-token flow

---
 .../docker-git/menu-project-auth-claude.ts    |  70 ++++
 .../src/docker-git/menu-project-auth-data.ts  |  24 +-
 .../src/core/templates-entrypoint/claude.ts   |  13 +-
 .../src/usecases/auth-claude-oauth-input.ts   |  57 ---
 .../lib/src/usecases/auth-claude-oauth.ts     | 345 +++++++-----------
 packages/lib/src/usecases/auth-claude.ts      |  36 +-
 6 files changed, 257 insertions(+), 288 deletions(-)
 create mode 100644 packages/app/src/docker-git/menu-project-auth-claude.ts
 delete mode 100644 packages/lib/src/usecases/auth-claude-oauth-input.ts

diff --git a/packages/app/src/docker-git/menu-project-auth-claude.ts b/packages/app/src/docker-git/menu-project-auth-claude.ts
new file mode 100644
index 00000000..1963f1a3
--- /dev/null
+++ b/packages/app/src/docker-git/menu-project-auth-claude.ts
@@ -0,0 +1,70 @@
+import type { PlatformError } from "@effect/platform/Error"
+import type * as FileSystem from "@effect/platform/FileSystem"
+import { Effect } from "effect"
+
+const oauthTokenFileName = ".oauth-token"
+const legacyConfigFileName = ".config.json"
+
+const hasFileAtPath = (
+  fs: FileSystem.FileSystem,
+  filePath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const exists = yield* _(fs.exists(filePath))
+    if (!exists) {
+      return false
+    }
+    const info = yield* _(fs.stat(filePath))
+    return info.type === "File"
+  })
+
+const hasNonEmptyOauthToken = (
+  fs: FileSystem.FileSystem,
+  tokenPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasFile = yield* _(hasFileAtPath(fs, tokenPath))
+    if (!hasFile) {
+      return false
+    }
+    const tokenValue = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))
+    return tokenValue.trim().length > 0
+  })
+
+const hasLegacyClaudeAuthFile = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const entries = yield* _(fs.readDirectory(accountPath))
+    for (const entry of entries) {
+      if (!entry.startsWith(".claude") || !entry.endsWith(".json")) {
+        continue
+      }
+      const isFile = yield* _(hasFileAtPath(fs, `${accountPath}/${entry}`))
+      if (isFile) {
+        return true
+      }
+    }
+    return false
+  })
+
+export const hasClaudeAccountCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`).pipe(
+    Effect.flatMap((hasConfig) => {
+      if (hasConfig) {
+        return Effect.succeed(true)
+      }
+      return hasNonEmptyOauthToken(fs, `${accountPath}/${oauthTokenFileName}`).pipe(
+        Effect.flatMap((hasOauthToken) => {
+          if (hasOauthToken) {
+            return Effect.succeed(true)
+          }
+          return hasLegacyClaudeAuthFile(fs, accountPath)
+        })
+      )
+    })
+  )
diff --git a/packages/app/src/docker-git/menu-project-auth-data.ts b/packages/app/src/docker-git/menu-project-auth-data.ts
index 1b71c43f..4bd4a08b 100644
--- a/packages/app/src/docker-git/menu-project-auth-data.ts
+++ b/packages/app/src/docker-git/menu-project-auth-data.ts
@@ -12,6 +12,7 @@ import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 
 import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
+import { hasClaudeAccountCredentials } from "./menu-project-auth-claude.js"
 import type { MenuEnv, ProjectAuthFlow, ProjectAuthSnapshot } from "./menu-types.js"
 
 export type ProjectAuthMenuAction = ProjectAuthFlow | "Refresh" | "Back"
@@ -202,24 +203,13 @@ const updateProjectClaudeConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<s
     if (!exists) {
       return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
     }
-    const configJsonPath = `${accountPath}/.config.json`
-    const hasConfigJson = yield* _(spec.fs.exists(configJsonPath))
-    if (hasConfigJson) {
-      const info = yield* _(spec.fs.stat(configJsonPath))
-      if (info.type === "File") {
-        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
-      }
-    }
 
-    const entries = yield* _(spec.fs.readDirectory(accountPath))
-    for (const entry of entries) {
-      if (!entry.startsWith(".claude") || !entry.endsWith(".json")) {
-        continue
-      }
-      const info = yield* _(spec.fs.stat(`${accountPath}/${entry}`))
-      if (info.type === "File") {
-        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
-      }
+    const hasCredentials = yield* _(
+      hasClaudeAccountCredentials(spec.fs, accountPath),
+      Effect.orElseSucceed(() => false)
+    )
+    if (hasCredentials) {
+      return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
     }
 
     return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
diff --git a/packages/lib/src/core/templates-entrypoint/claude.ts b/packages/lib/src/core/templates-entrypoint/claude.ts
index f3201a52..ed60f731 100644
--- a/packages/lib/src/core/templates-entrypoint/claude.ts
+++ b/packages/lib/src/core/templates-entrypoint/claude.ts
@@ -23,10 +23,21 @@ export CLAUDE_CONFIG_DIR
 
 mkdir -p "$CLAUDE_CONFIG_DIR" || true
 
+CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CODE_OAUTH_TOKEN=""
+if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+  CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
+fi
+export CLAUDE_CODE_OAUTH_TOKEN
+
 CLAUDE_PROFILE="/etc/profile.d/claude-config.sh"
 printf "export CLAUDE_AUTH_LABEL=%q\n" "$CLAUDE_AUTH_LABEL" > "$CLAUDE_PROFILE"
 printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
+if [[ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]]; then
+  printf "export CLAUDE_CODE_OAUTH_TOKEN=%q\n" "$CLAUDE_CODE_OAUTH_TOKEN" >> "$CLAUDE_PROFILE"
+fi
 chmod 0644 "$CLAUDE_PROFILE" || true
 
 docker_git_upsert_ssh_env "CLAUDE_AUTH_LABEL" "$CLAUDE_AUTH_LABEL"
-docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"`
+docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"
+docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "$CLAUDE_CODE_OAUTH_TOKEN"`
diff --git a/packages/lib/src/usecases/auth-claude-oauth-input.ts b/packages/lib/src/usecases/auth-claude-oauth-input.ts
deleted file mode 100644
index 030f8ba9..00000000
--- a/packages/lib/src/usecases/auth-claude-oauth-input.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-import { Effect } from "effect"
-import { writeSync } from "node:fs"
-import * as Readline from "node:readline"
-
-import { AuthError } from "../shell/errors.js"
-
-export const readVisibleLine = (prompt: string): Effect.Effect<string, AuthError> =>
-  Effect.async<string, AuthError>((resume) => {
-    // We intentionally use readline (not raw mode) so paste works reliably in common terminals.
-    const hasRawMode = process.stdin.isTTY && typeof process.stdin.setRawMode === "function"
-    const previousRaw = hasRawMode ? process.stdin.isRaw : undefined
-    if (hasRawMode) {
-      process.stdin.setRawMode(false)
-    }
-
-    const rl = Readline.createInterface({
-      input: process.stdin,
-      output: process.stdout,
-      terminal: true
-    })
-
-    let settled = false
-    const cleanup = () => {
-      rl.removeAllListeners()
-      rl.close()
-      if (hasRawMode && previousRaw !== undefined) {
-        process.stdin.setRawMode(previousRaw)
-      }
-    }
-
-    rl.on("SIGINT", () => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-      resume(Effect.fail(new AuthError({ message: "Claude auth login cancelled." })))
-    })
-
-    writeSync(1, prompt)
-    rl.question("", (answer) => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-      resume(Effect.succeed(answer))
-    })
-
-    return Effect.sync(() => {
-      if (settled) {
-        return
-      }
-      settled = true
-      cleanup()
-    })
-  })
diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
index 7fd79f36..a9338b45 100644
--- a/packages/lib/src/usecases/auth-claude-oauth.ts
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -1,138 +1,108 @@
 import * as Command from "@effect/platform/Command"
 import * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
-import { Duration, Effect, pipe, Schedule } from "effect"
-import * as Deferred from "effect/Deferred"
+import { Effect, pipe } from "effect"
 import * as Fiber from "effect/Fiber"
 import type * as Scope from "effect/Scope"
 import * as Stream from "effect/Stream"
 import { writeSync } from "node:fs"
 
 import { AuthError, CommandFailedError } from "../shell/errors.js"
-import { readVisibleLine } from "./auth-claude-oauth-input.js"
 
-type ClaudeAuthorizeInfo = {
-  readonly authorizeUrl: string
-  readonly state: string | null
-}
+const oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN"
+const tokenMarker = "Your OAuth token (valid for 1 year):"
+const outputWindowSize = 262_144
 
-type FirstOutcome =
-  | { readonly _tag: "Exit"; readonly exitCode: number }
-  | { readonly _tag: "AuthorizeUrl"; readonly info: ClaudeAuthorizeInfo }
+const oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u
 
-const oauthCodeEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_CODE"
-const authorizeUrlRegex = /https:\/\/claude\.ai\/oauth\/authorize\S*/u
+const ansiEscape = "\u001B"
+const ansiBell = "\u0007"
 
-const extractAuthorizeUrl = (line: string): string | null => {
-  const match = authorizeUrlRegex.exec(line)
-  return match?.[0] ?? null
-}
+const isAnsiFinalByte = (codePoint: number | undefined): boolean =>
+  codePoint !== undefined && codePoint >= 0x40 && codePoint <= 0x7E
 
-const readQueryParam = (raw: string, key: string): string | null => {
-  const match = new RegExp(String.raw`[?&]${key}=([^&#\s]+)`, "u").exec(raw)
-  return match?.[1] ?? null
+const skipCsiSequence = (raw: string, start: number): number => {
+  const length = raw.length
+  let index = start + 2
+  while (index < length) {
+    const codePoint = raw.codePointAt(index)
+    if (isAnsiFinalByte(codePoint)) {
+      return index + 1
+    }
+    index += 1
+  }
+  return index
 }
 
-const normalizeOauthPaste = (raw: string, authorizeState: string | null): string => {
-  const trimmed = raw.trim()
-  if (trimmed.length === 0) {
-    return ""
-  }
-  if (trimmed.includes("#")) {
-    return trimmed
-  }
-  const callbackCode = readQueryParam(trimmed, "code")
-  const callbackState = readQueryParam(trimmed, "state")
-  if (callbackCode !== null) {
-    return callbackState === null ? callbackCode : `${callbackCode}#${callbackState}`
+const skipOscSequence = (raw: string, start: number): number => {
+  const length = raw.length
+  let index = start + 2
+  while (index < length) {
+    const char = raw[index] ?? ""
+    if (char === ansiBell) {
+      return index + 1
+    }
+    if (char === ansiEscape && raw[index + 1] === "\\") {
+      return index + 2
+    }
+    index += 1
   }
-  return authorizeState === null ? trimmed : `${trimmed}#${authorizeState}`
+  return index
 }
 
-const oauthCodeFromEnv = (): string | null => {
-  const value = (process.env[oauthCodeEnvKey] ?? "").trim()
-  return value.length > 0 ? value : null
+const skipEscapeSequence = (raw: string, start: number): number => {
+  const next = raw[start + 1] ?? ""
+  if (next === "[") {
+    return skipCsiSequence(raw, start)
+  }
+  if (next === "]") {
+    return skipOscSequence(raw, start)
+  }
+  return Math.min(raw.length, start + 2)
 }
 
-const ensureInteractiveStdin = (): Effect.Effect<void, AuthError> =>
-  process.stdin.isTTY && process.stdout.isTTY
-    ? Effect.void
-    : Effect.fail(
-      new AuthError({
-        message:
-          `Claude auth login needs an interactive TTY, or set ${oauthCodeEnvKey} to the OAuth Authentication Code.`
-      })
-    )
+const stripAnsi = (raw: string): string => {
+  const cleaned: Array<string> = []
+  let index = 0
 
-const resolveOauthCodeInput = (info: ClaudeAuthorizeInfo): Effect.Effect<string, AuthError> => {
-  const fromEnv = oauthCodeFromEnv()
-  if (fromEnv !== null) {
-    return Effect.succeed(normalizeOauthPaste(fromEnv, info.state))
+  while (index < raw.length) {
+    const current = raw[index] ?? ""
+    if (current !== ansiEscape) {
+      cleaned.push(current)
+      index += 1
+      continue
+    }
+    index = skipEscapeSequence(raw, index)
   }
-  return ensureInteractiveStdin().pipe(
-    Effect.zipRight(
-      readVisibleLine(
-        "\n[docker-git] Paste the Authentication Code from the browser and press Enter (Ctrl+C to cancel):\n> "
-      )
-    ),
-    Effect.map((value) => normalizeOauthPaste(value, info.state)),
-    Effect.filterOrFail(
-      (value) => value.trim().length > 0,
-      () => new AuthError({ message: "Claude auth login requires a non-empty Authentication Code." })
-    )
-  )
+
+  return cleaned.join("")
 }
 
-const writeChunk = (fd: number, chunk: Uint8Array): Effect.Effect<void> =>
-  Effect.sync(() => {
-    writeSync(fd, chunk)
-  }).pipe(Effect.asVoid)
+const extractOauthToken = (rawOutput: string): string | null => {
+  const normalized = stripAnsi(rawOutput).replaceAll("\r", "\n")
+  const markerIndex = normalized.lastIndexOf(tokenMarker)
+  if (markerIndex === -1) {
+    return null
+  }
 
-const logLine = (line: string): Effect.Effect<void> =>
-  Effect.sync(() => {
-    writeSync(1, line.endsWith("\n") ? line : `${line}\n`)
-  }).pipe(Effect.asVoid)
+  const tail = normalized.slice(markerIndex + tokenMarker.length)
+  const match = oauthTokenRegex.exec(tail)
+  return match?.[1] ?? null
+}
 
-const pumpDockerOutput = (
-  source: Stream.Stream<Uint8Array, PlatformError>,
-  fd: number,
-  oauth: Deferred.Deferred<ClaudeAuthorizeInfo>
-): Effect.Effect<void, PlatformError> => {
-  const decoder = new TextDecoder("utf-8")
-  let remainder = ""
+const oauthTokenFromEnv = (): string | null => {
+  const value = (process.env[oauthTokenEnvKey] ?? "").trim()
+  return value.length > 0 ? value : null
+}
 
-  return pipe(
-    source,
-    Stream.runForEach((chunk) =>
-      pipe(
-        writeChunk(fd, chunk),
-        Effect.zipRight(
-          Effect.sync((): ClaudeAuthorizeInfo | null => {
-            remainder += decoder.decode(chunk)
-            // Keep only a sliding window so repeated scans stay cheap.
-            if (remainder.length > 8192) {
-              remainder = remainder.slice(-8192)
-            }
-            const authorizeUrl = extractAuthorizeUrl(remainder)
-            if (authorizeUrl === null) {
-              return null
-            }
-            const state = readQueryParam(authorizeUrl, "state")
-            return { authorizeUrl, state }
-          })
-        ),
-        Effect.flatMap((info) =>
-          info === null
-            ? Effect.void
-            : Deferred.succeed(oauth, info).pipe(Effect.asVoid)
-        ),
-        Effect.asVoid
-      )
-    )
-  ).pipe(Effect.asVoid)
+const ensureOauthToken = (rawToken: string): Effect.Effect<string, AuthError> => {
+  const token = rawToken.trim()
+  return token.length > 0
+    ? Effect.succeed(token)
+    : Effect.fail(new AuthError({ message: "Claude OAuth token is empty." }))
 }
 
-type DockerLoginSpec = {
+type DockerSetupTokenSpec = {
   readonly cwd: string
   readonly image: string
   readonly hostPath: string
@@ -141,23 +111,21 @@ type DockerLoginSpec = {
   readonly args: ReadonlyArray<string>
 }
 
-const buildDockerLoginSpec = (
+const buildDockerSetupTokenSpec = (
   cwd: string,
   accountPath: string,
   image: string,
   containerPath: string
-): DockerLoginSpec => ({
+): DockerSetupTokenSpec => ({
   cwd,
   image,
   hostPath: accountPath,
   containerPath,
-  env: [`CLAUDE_CONFIG_DIR=${containerPath}`, "BROWSER=echo"],
-  args: ["auth", "login"]
+  env: [`CLAUDE_CONFIG_DIR=${containerPath}`],
+  args: ["setup-token"]
 })
 
-const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
-  // NOTE: Claude Code's `auth login` uses an interactive prompt that behaves poorly without a TTY.
-  // We still want to programmatically feed the code, so we run `docker` under `script(1)` which allocates a pty.
+const buildDockerSetupTokenArgs = (spec: DockerSetupTokenSpec): ReadonlyArray<string> => {
   const base: Array<string> = ["run", "--rm", "-i", "-t", "-v", `${spec.hostPath}:${spec.containerPath}`]
   for (const entry of spec.env) {
     const trimmed = entry.trim()
@@ -169,107 +137,61 @@ const buildDockerLoginArgs = (spec: DockerLoginSpec): ReadonlyArray<string> => {
   return [...base, spec.image, ...spec.args]
 }
 
-const shellQuote = (value: string): string => {
-  if (value.length === 0) {
-    return "''"
-  }
-  // POSIX-safe single-quote escaping: ' -> '\'' .
-  const singleQuoteEscape = String.raw`'\''`
-  return "'".concat(value.replaceAll("'", singleQuoteEscape), "'")
-}
-
-const buildDockerLoginCommandString = (spec: DockerLoginSpec): string =>
-  ["docker", ...buildDockerLoginArgs(spec)]
-    .map((part) => shellQuote(part))
-    .join(" ")
-
 const startDockerProcess = (
   executor: CommandExecutor.CommandExecutor,
-  spec: DockerLoginSpec
+  spec: DockerSetupTokenSpec
 ): Effect.Effect<CommandExecutor.Process, PlatformError, Scope.Scope> =>
   executor.start(
     pipe(
-      // We run docker via script(1) to get a pseudo-tty even when we need to pipe input from Node.
-      Command.make(
-        "script",
-        "-q",
-        "-f",
-        "-e",
-        "-c",
-        buildDockerLoginCommandString(spec),
-        "/dev/null"
-      ),
+      Command.make("docker", ...buildDockerSetupTokenArgs(spec)),
       Command.workingDirectory(spec.cwd),
-      Command.stdin("pipe"),
+      Command.stdin("inherit"),
       Command.stdout("pipe"),
       Command.stderr("pipe")
     )
   )
 
-const awaitFirstOutcome = (
-  proc: CommandExecutor.Process,
-  oauth: Deferred.Deferred<ClaudeAuthorizeInfo>
-): Effect.Effect<FirstOutcome, PlatformError> =>
-  Effect.race(
-    Deferred.await(oauth).pipe(Effect.map((info) => ({ _tag: "AuthorizeUrl" as const, info }))),
-    proc.exitCode.pipe(Effect.map((exitCode) => ({ _tag: "Exit" as const, exitCode: Number(exitCode) })))
-  )
-
-const ensureExitOk = (exitCode: number): Effect.Effect<void, CommandFailedError> =>
-  exitCode === 0 ? Effect.void : Effect.fail(new CommandFailedError({ command: "claude auth login", exitCode }))
+const pumpDockerOutput = (
+  source: Stream.Stream<Uint8Array, PlatformError>,
+  fd: number,
+  tokenBox: { value: string | null }
+): Effect.Effect<void, PlatformError> => {
+  const decoder = new TextDecoder("utf-8")
+  let outputWindow = ""
 
-const feedOauthCode = (proc: CommandExecutor.Process, code: string): Effect.Effect<void, PlatformError> => {
-  const bytes = new TextEncoder().encode(`${code}\n`)
-  return pipe(Stream.make(bytes), Stream.run(proc.stdin), Effect.asVoid)
+  return pipe(
+    source,
+    Stream.runForEach((chunk) =>
+      Effect.sync(() => {
+        writeSync(fd, chunk)
+        outputWindow += decoder.decode(chunk)
+        if (outputWindow.length > outputWindowSize) {
+          outputWindow = outputWindow.slice(-outputWindowSize)
+        }
+        if (tokenBox.value !== null) {
+          return
+        }
+        const parsed = extractOauthToken(outputWindow)
+        if (parsed !== null) {
+          tokenBox.value = parsed
+        }
+      }).pipe(Effect.asVoid)
+    )
+  ).pipe(Effect.asVoid)
 }
 
-const awaitExitCodeWithHeartbeat = (proc: CommandExecutor.Process): Effect.Effect<number, PlatformError> =>
-  Effect.gen(function*(_) {
-    const start = Date.now()
-    const heartbeat = yield* _(
-      Effect.fork(
-        logLine("[docker-git] Waiting for Claude to finish OAuth login (this can be silent for a bit)...").pipe(
-          Effect.zipRight(
-            Effect.repeat(
-              Effect.sync(() => {
-                const seconds = Math.max(0, Math.floor((Date.now() - start) / 1000))
-                writeSync(1, `[docker-git] Still waiting for Claude... (${seconds}s)\n`)
-              }),
-              Schedule.addDelay(Schedule.forever, () => Duration.seconds(5))
-            )
-          )
-        )
-      )
-    )
-    return yield* _(
-      proc.exitCode.pipe(
-        Effect.map(Number),
-        Effect.ensuring(Fiber.interrupt(heartbeat).pipe(Effect.ignore))
-      )
-    )
-  })
+const ensureExitOk = (exitCode: number): Effect.Effect<void, CommandFailedError> =>
+  exitCode === 0 ? Effect.void : Effect.fail(new CommandFailedError({ command: "claude setup-token", exitCode }))
 
-const finishClaudeLogin = (
-  outcome: FirstOutcome,
-  proc: CommandExecutor.Process
-): Effect.Effect<void, AuthError | CommandFailedError | PlatformError> => {
-  if (outcome._tag === "Exit") {
-    return ensureExitOk(outcome.exitCode)
-  }
-  return resolveOauthCodeInput(outcome.info).pipe(
-    Effect.flatMap((code) =>
-      feedOauthCode(proc, code).pipe(
-        Effect.zipRight(
-          Effect.sync(() => {
-            writeSync(1, "[docker-git] Code submitted, waiting for Claude...\n")
-          })
-        )
-      )
-    ),
-    Effect.zipRight(awaitExitCodeWithHeartbeat(proc).pipe(Effect.flatMap((exitCode) => ensureExitOk(exitCode)))),
-    Effect.asVoid
-  )
-}
+const resolveCapturedToken = (token: string | null): Effect.Effect<string, AuthError> =>
+  token === null
+    ? Effect.fail(
+      new AuthError({
+        message:
+          "Claude OAuth completed without a captured token. Retry login and ensure the flow reaches 'Long-lived authentication token created successfully'."
+      })
+    )
+    : ensureOauthToken(token)
 
 export const runClaudeOauthLoginWithPrompt = (
   cwd: string,
@@ -278,21 +200,28 @@ export const runClaudeOauthLoginWithPrompt = (
     readonly image: string
     readonly containerPath: string
   }
-): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
-  Effect.scoped(
+): Effect.Effect<string, AuthError | CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> => {
+  const envToken = oauthTokenFromEnv()
+  if (envToken !== null) {
+    return ensureOauthToken(envToken)
+  }
+
+  return Effect.scoped(
     Effect.gen(function*(_) {
       const executor = yield* _(CommandExecutor.CommandExecutor)
-      const spec = buildDockerLoginSpec(cwd, accountPath, options.image, options.containerPath)
+      const spec = buildDockerSetupTokenSpec(cwd, accountPath, options.image, options.containerPath)
       const proc = yield* _(startDockerProcess(executor, spec))
 
-      const oauth = yield* _(Deferred.make<ClaudeAuthorizeInfo>())
-      const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, oauth)))
-      const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, oauth)))
-
-      const first = yield* _(awaitFirstOutcome(proc, oauth))
-      yield* _(finishClaudeLogin(first, proc))
+      const tokenBox: { value: string | null } = { value: null }
+      const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, tokenBox)))
+      const stderrFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stderr, 2, tokenBox)))
 
+      const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)))
       yield* _(Fiber.join(stdoutFiber))
       yield* _(Fiber.join(stderrFiber))
-    }).pipe(Effect.asVoid)
+      yield* _(ensureExitOk(exitCode))
+
+      return yield* _(resolveCapturedToken(tokenBox.value))
+    })
   )
+}
diff --git a/packages/lib/src/usecases/auth-claude.ts b/packages/lib/src/usecases/auth-claude.ts
index 65cea3d5..b9286207 100644
--- a/packages/lib/src/usecases/auth-claude.ts
+++ b/packages/lib/src/usecases/auth-claude.ts
@@ -25,6 +25,7 @@ type ClaudeAccountContext = {
   readonly accountLabel: string
   readonly accountPath: string
   readonly cwd: string
+  readonly fs: FileSystem.FileSystem
 }
 
 export const claudeAuthRoot = ".docker-git/.orch/auth/claude"
@@ -32,6 +33,9 @@ export const claudeAuthRoot = ".docker-git/.orch/auth/claude"
 const claudeImageName = "docker-git-auth-claude:latest"
 const claudeImageDir = ".docker-git/.orch/auth/claude/.image"
 const claudeConfigDir = "/claude-config"
+const claudeOauthTokenFileName = ".oauth-token"
+
+const claudeOauthTokenPath = (accountPath: string): string => `${accountPath}/${claudeOauthTokenFileName}`
 
 const ensureClaudeOrchLayout = (
   cwd: string
@@ -88,7 +92,7 @@ const withClaudeAuth = <A, E>(
           buildLabel: "claude auth"
         })
       )
-      return yield* _(run({ accountLabel, accountPath, cwd }))
+      return yield* _(run({ accountLabel, accountPath, cwd, fs }))
     })
   )
 
@@ -171,11 +175,13 @@ export const authClaudeLogin = (
   command: AuthClaudeLoginCommand
 ): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, ClaudeRuntime> => {
   const accountLabel = normalizeAccountLabel(command.label, "default")
-  return withClaudeAuth(command, ({ accountPath, cwd }) =>
+  return withClaudeAuth(command, ({ accountPath, cwd, fs }) =>
     runClaudeOauthLoginWithPrompt(cwd, accountPath, {
       image: claudeImageName,
       containerPath: claudeConfigDir
-    })).pipe(
+    }).pipe(
+      Effect.flatMap((token) => fs.writeFileString(claudeOauthTokenPath(accountPath), `${token}\n`))
+    )).pipe(
       Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
     )
 }
@@ -193,8 +199,18 @@ export const authClaudeLogin = (
 export const authClaudeStatus = (
   command: AuthClaudeStatusCommand
 ): Effect.Effect<void, CommandFailedError | PlatformError, ClaudeRuntime> =>
-  withClaudeAuth(command, ({ accountLabel, accountPath, cwd }) =>
+  withClaudeAuth(command, ({ accountLabel, accountPath, cwd, fs }) =>
     Effect.gen(function*(_) {
+      const tokenPath = claudeOauthTokenPath(accountPath)
+      const hasToken = yield* _(fs.exists(tokenPath))
+      if (hasToken) {
+        const tokenText = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))
+        if (tokenText.trim().length > 0) {
+          yield* _(Effect.log(`Claude connected (${accountLabel}, oauth-token).`))
+          return
+        }
+      }
+
       const raw = yield* _(runClaudeStatusJson(cwd, accountPath))
       const status = yield* _(decodeClaudeAuthStatus(raw))
       yield* (status.loggedIn
@@ -217,6 +233,16 @@ export const authClaudeLogout = (
 ): Effect.Effect<void, CommandFailedError | PlatformError, ClaudeRuntime> =>
   Effect.gen(function*(_) {
     const accountLabel = normalizeAccountLabel(command.label, "default")
-    yield* _(withClaudeAuth(command, ({ accountPath, cwd }) => runClaudeLogout(cwd, accountPath)))
+    yield* _(
+      withClaudeAuth(command, ({ accountPath, cwd, fs }) =>
+        Effect.gen(function*(_) {
+          const tokenPath = claudeOauthTokenPath(accountPath)
+          const hasToken = yield* _(fs.exists(tokenPath))
+          if (hasToken) {
+            yield* _(fs.remove(tokenPath, { force: true }))
+          }
+          yield* _(runClaudeLogout(cwd, accountPath))
+        }))
+    )
     yield* _(autoSyncState(`chore(state): auth claude logout ${accountLabel}`))
   }).pipe(Effect.asVoid)

From 73cc4d8937e95dbb5e7451a9dead23a701e37e9e Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Wed, 18 Feb 2026 21:16:58 +0000
Subject: [PATCH 15/15] fix(ci): pass effect lint and auth bridge test

---
 packages/app/tests/docker-git/entrypoint-auth.test.ts |  2 +-
 packages/lib/src/usecases/auth-claude-oauth.ts        | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/packages/app/tests/docker-git/entrypoint-auth.test.ts b/packages/app/tests/docker-git/entrypoint-auth.test.ts
index 827e55f4..7ebfb2f1 100644
--- a/packages/app/tests/docker-git/entrypoint-auth.test.ts
+++ b/packages/app/tests/docker-git/entrypoint-auth.test.ts
@@ -19,7 +19,7 @@ describe("renderEntrypoint auth bridge", () => {
       expect(entrypoint).toContain("GITHUB_TOKEN=\"${GITHUB_TOKEN:-${GH_TOKEN:-}}\"")
       expect(entrypoint).toContain("if [[ -n \"$GH_TOKEN\" || -n \"$GITHUB_TOKEN\" ]]; then")
       expect(entrypoint).toContain(String.raw`printf "export GITHUB_TOKEN=%q\n" "$EFFECTIVE_GITHUB_TOKEN"`)
-      expect(entrypoint).toContain(String.raw`printf "%s\n" "GITHUB_TOKEN=$EFFECTIVE_GITHUB_TOKEN" >> "$SSH_ENV_PATH"`)
+      expect(entrypoint).toContain("docker_git_upsert_ssh_env \"GITHUB_TOKEN\" \"$EFFECTIVE_GITHUB_TOKEN\"")
       expect(entrypoint).toContain("GIT_CREDENTIAL_HELPER_PATH=\"/usr/local/bin/docker-git-credential-helper\"")
       expect(entrypoint).toContain("token=\"$GITHUB_TOKEN\"")
       expect(entrypoint).toContain("token=\"$GH_TOKEN\"")
diff --git a/packages/lib/src/usecases/auth-claude-oauth.ts b/packages/lib/src/usecases/auth-claude-oauth.ts
index a9338b45..5d5f2415 100644
--- a/packages/lib/src/usecases/auth-claude-oauth.ts
+++ b/packages/lib/src/usecases/auth-claude-oauth.ts
@@ -5,7 +5,6 @@ import { Effect, pipe } from "effect"
 import * as Fiber from "effect/Fiber"
 import type * as Scope from "effect/Scope"
 import * as Stream from "effect/Stream"
-import { writeSync } from "node:fs"
 
 import { AuthError, CommandFailedError } from "../shell/errors.js"
 
@@ -151,6 +150,14 @@ const startDockerProcess = (
     )
   )
 
+const writeChunkToFd = (fd: number, chunk: Uint8Array): void => {
+  if (fd === 2) {
+    process.stderr.write(chunk)
+    return
+  }
+  process.stdout.write(chunk)
+}
+
 const pumpDockerOutput = (
   source: Stream.Stream<Uint8Array, PlatformError>,
   fd: number,
@@ -163,7 +170,7 @@ const pumpDockerOutput = (
     source,
     Stream.runForEach((chunk) =>
       Effect.sync(() => {
-        writeSync(fd, chunk)
+        writeChunkToFd(fd, chunk)
         outputWindow += decoder.decode(chunk)
         if (outputWindow.length > outputWindowSize) {
           outputWindow = outputWindow.slice(-outputWindowSize)