fix(lib): bootstrap nested docker-git auth and compose v2

Author: skulidropek

packages/lib/src/core/command-builders.ts

@@ -104,6 +104,7 @@ const resolveNames = (
   })
 
 type PathConfig = {
+  readonly dockerGitPath: string
   readonly authorizedKeysPath: string
   readonly envGlobalPath: string
   readonly envProjectPath: string
@@ -126,6 +127,9 @@ const resolvePaths = (
     const defaultAuthorizedKeysPath = normalizedSecretsRoot === undefined
       ? defaultTemplateConfig.authorizedKeysPath
       : `${normalizedSecretsRoot}/authorized_keys`
+    const defaultDockerGitPath = normalizedSecretsRoot === undefined
+      ? defaultTemplateConfig.dockerGitPath
+      : normalizedSecretsRoot
     const defaultEnvGlobalPath = normalizedSecretsRoot === undefined
       ? defaultTemplateConfig.envGlobalPath
       : `${normalizedSecretsRoot}/global.env`
@@ -135,6 +139,7 @@ const resolvePaths = (
     const defaultCodexAuthPath = normalizedSecretsRoot === undefined
       ? defaultTemplateConfig.codexAuthPath
       : `${normalizedSecretsRoot}/codex`
+    const dockerGitPath = defaultDockerGitPath
     const authorizedKeysPath = yield* _(
       nonEmpty("--authorized-keys", raw.authorizedKeysPath, defaultAuthorizedKeysPath)
     )
@@ -149,7 +154,16 @@ const resolvePaths = (
     const codexHome = yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome))
     const outDir = yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 
-    return { authorizedKeysPath, envGlobalPath, envProjectPath, codexAuthPath, codexSharedAuthPath, codexHome, outDir }
+    return {
+      dockerGitPath,
+      authorizedKeysPath,
+      envGlobalPath,
+      envProjectPath,
+      codexAuthPath,
+      codexSharedAuthPath,
+      codexHome,
+      outDir
+    }
   })
 
 // CHANGE: build a typed create command from raw options (CLI or API)
@@ -190,6 +204,7 @@ export const buildCreateCommand = (
         repoRef: repo.repoRef,
         targetDir: repo.targetDir,
         volumeName: names.volumeName,
+        dockerGitPath: paths.dockerGitPath,
         authorizedKeysPath: paths.authorizedKeysPath,
         envGlobalPath: paths.envGlobalPath,
         envProjectPath: paths.envProjectPath,

packages/lib/src/core/domain.ts

@@ -12,6 +12,7 @@ export interface TemplateConfig {
   readonly forkRepoUrl?: string
   readonly targetDir: string
   readonly volumeName: string
+  readonly dockerGitPath: string
   readonly authorizedKeysPath: string
   readonly envGlobalPath: string
   readonly envProjectPath: string
@@ -194,6 +195,7 @@ export const defaultTemplateConfig = {
   repoRef: "main",
   targetDir: "/home/dev/app",
   volumeName: "dev_home",
+  dockerGitPath: "./.docker-git",
   authorizedKeysPath: "./.docker-git/authorized_keys",
   envGlobalPath: "./.docker-git/.orch/env/global.env",
   envProjectPath: "./.orch/env/project.env",

packages/lib/src/core/templates-entrypoint.ts

@@ -15,6 +15,7 @@ import {
   renderEntrypointCodexHome,
   renderEntrypointCodexResumeHint,
   renderEntrypointCodexSharedAuth,
+  renderEntrypointDockerGitBootstrap,
   renderEntrypointMcpPlaywright
 } from "./templates-entrypoint/codex.js"
 import { renderEntrypointGitConfig, renderEntrypointGitHooks } from "./templates-entrypoint/git.js"
@@ -32,6 +33,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointAuthorizedKeys(config),
     renderEntrypointCodexHome(config),
     renderEntrypointCodexSharedAuth(config),
+    renderEntrypointDockerGitBootstrap(config),
     renderEntrypointMcpPlaywright(config),
     renderEntrypointZshShell(config),
     renderEntrypointZshUserRc(config),

packages/lib/src/core/templates-entrypoint/codex.ts

@@ -33,6 +33,97 @@ if [[ "$CODEX_SHARE_AUTH" == "1" ]]; then
   ln -sf "$SHARED_AUTH_FILE" "$AUTH_FILE"
 fi`
 
+export const renderEntrypointDockerGitBootstrap = (config: TemplateConfig): string =>
+  `# Bootstrap ~/.docker-git for nested docker-git usage inside this container.
+DOCKER_GIT_HOME="/home/${config.sshUser}/.docker-git"
+DOCKER_GIT_AUTH_DIR="$DOCKER_GIT_HOME/.orch/auth/codex"
+DOCKER_GIT_ENV_DIR="$DOCKER_GIT_HOME/.orch/env"
+DOCKER_GIT_ENV_GLOBAL="$DOCKER_GIT_ENV_DIR/global.env"
+DOCKER_GIT_ENV_PROJECT="$DOCKER_GIT_ENV_DIR/project.env"
+DOCKER_GIT_AUTH_KEYS="$DOCKER_GIT_HOME/authorized_keys"
+
+mkdir -p "$DOCKER_GIT_AUTH_DIR" "$DOCKER_GIT_ENV_DIR" "$DOCKER_GIT_HOME/.orch/auth/gh"
+
+if [[ -f "/home/${config.sshUser}/.ssh/authorized_keys" ]]; then
+  cp "/home/${config.sshUser}/.ssh/authorized_keys" "$DOCKER_GIT_AUTH_KEYS"
+elif [[ -f /authorized_keys ]]; then
+  cp /authorized_keys "$DOCKER_GIT_AUTH_KEYS"
+fi
+if [[ -f "$DOCKER_GIT_AUTH_KEYS" ]]; then
+  chmod 600 "$DOCKER_GIT_AUTH_KEYS" || true
+fi
+
+if [[ ! -f "$DOCKER_GIT_ENV_GLOBAL" ]]; then
+  cat <<'EOF' > "$DOCKER_GIT_ENV_GLOBAL"
+# docker-git env
+# KEY=value
+EOF
+fi
+if [[ ! -f "$DOCKER_GIT_ENV_PROJECT" ]]; then
+  cat <<'EOF' > "$DOCKER_GIT_ENV_PROJECT"
+# docker-git project env defaults
+CODEX_SHARE_AUTH=1
+CODEX_AUTO_UPDATE=1
+DOCKER_GIT_ZSH_AUTOSUGGEST=1
+DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic
+DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion
+MCP_PLAYWRIGHT_ISOLATED=1
+EOF
+fi
+
+upsert_env_var() {
+  local file="$1"
+  local key="$2"
+  local value="$3"
+  local tmp
+  tmp="$(mktemp)"
+  awk -v key="$key" 'index($0, key "=") != 1 { print }' "$file" > "$tmp"
+  printf "%s=%s\\n" "$key" "$value" >> "$tmp"
+  mv "$tmp" "$file"
+}
+
+copy_if_distinct_file() {
+  local source="$1"
+  local target="$2"
+  if [[ ! -f "$source" ]]; then
+    return 1
+  fi
+  local source_real=""
+  local target_real=""
+  source_real="$(readlink -f "$source" 2>/dev/null || true)"
+  target_real="$(readlink -f "$target" 2>/dev/null || true)"
+  if [[ -n "$source_real" && -n "$target_real" && "$source_real" == "$target_real" ]]; then
+    return 0
+  fi
+  cp "$source" "$target"
+  return 0
+}
+
+if [[ -n "$GH_TOKEN" ]]; then
+  upsert_env_var "$DOCKER_GIT_ENV_GLOBAL" "GH_TOKEN" "$GH_TOKEN"
+fi
+if [[ -n "$GITHUB_TOKEN" ]]; then
+  upsert_env_var "$DOCKER_GIT_ENV_GLOBAL" "GITHUB_TOKEN" "$GITHUB_TOKEN"
+elif [[ -n "$GH_TOKEN" ]]; then
+  upsert_env_var "$DOCKER_GIT_ENV_GLOBAL" "GITHUB_TOKEN" "$GH_TOKEN"
+fi
+
+SOURCE_CODEX_CONFIG="${config.codexHome}/config.toml"
+copy_if_distinct_file "$SOURCE_CODEX_CONFIG" "$DOCKER_GIT_AUTH_DIR/config.toml" || true
+
+SOURCE_SHARED_AUTH="${config.codexHome}-shared/auth.json"
+SOURCE_LOCAL_AUTH="${config.codexHome}/auth.json"
+if [[ -f "$SOURCE_SHARED_AUTH" ]]; then
+  copy_if_distinct_file "$SOURCE_SHARED_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
+elif [[ -f "$SOURCE_LOCAL_AUTH" ]]; then
+  copy_if_distinct_file "$SOURCE_LOCAL_AUTH" "$DOCKER_GIT_AUTH_DIR/auth.json" || true
+fi
+if [[ -f "$DOCKER_GIT_AUTH_DIR/auth.json" ]]; then
+  chmod 600 "$DOCKER_GIT_AUTH_DIR/auth.json" || true
+fi
+
+chown -R 1000:1000 "$DOCKER_GIT_HOME" || true`
+
 const entrypointMcpPlaywrightTemplate = String.raw`# Optional: configure Playwright MCP for Codex (browser automation)
 CODEX_CONFIG_FILE="__CODEX_HOME__/config.toml"
 

packages/lib/src/core/templates/docker-compose.ts

@@ -38,6 +38,7 @@ ${maybePlaywrightEnv}${maybeDependsOn}    env_file:
       - "127.0.0.1:${config.sshPort}:22"
     volumes:
       - ${config.volumeName}:/home/${config.sshUser}
+      - ${config.dockerGitPath}:/home/${config.sshUser}/.docker-git
       - ${config.authorizedKeysPath}:/authorized_keys:ro
       - ${config.codexAuthPath}:${config.codexHome}
       - ${config.codexSharedAuthPath}:${config.codexHome}-shared

packages/lib/src/core/templates/dockerfile.ts

@@ -9,7 +9,7 @@ ENV NVM_DIR=/usr/local/nvm
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     openssh-server git gh ca-certificates curl unzip bsdutils sudo \
-    make docker.io docker-compose bash-completion zsh zsh-autosuggestions xauth \
+    make docker.io docker-compose-v2 bash-completion zsh zsh-autosuggestions xauth \
     ncurses-term \
  && rm -rf /var/lib/apt/lists/*
 

packages/lib/src/shell/config.ts

@@ -19,6 +19,9 @@ const TemplateConfigSchema = Schema.Struct({
   repoRef: Schema.String,
   targetDir: Schema.String,
   volumeName: Schema.String,
+  dockerGitPath: Schema.optionalWith(Schema.String, {
+    default: () => defaultTemplateConfig.dockerGitPath
+  }),
   authorizedKeysPath: Schema.String,
   envGlobalPath: Schema.optionalWith(Schema.String, {
     default: () => defaultTemplateConfig.envGlobalPath

packages/lib/src/usecases/actions/create-project.ts

@@ -46,6 +46,7 @@ const makeCreateContext = (path: Path.Path, baseDir: string): CreateContext => {
 
 const resolveRootedConfig = (command: CreateCommand, ctx: CreateContext): CreateCommand["config"] => ({
   ...command.config,
+  dockerGitPath: ctx.resolveRootPath(command.config.dockerGitPath),
   authorizedKeysPath: ctx.resolveRootPath(command.config.authorizedKeysPath),
   envGlobalPath: ctx.resolveRootPath(command.config.envGlobalPath),
   envProjectPath: ctx.resolveRootPath(command.config.envProjectPath),

packages/lib/src/usecases/actions/paths.ts

@@ -44,6 +44,7 @@ export const buildProjectConfigs = (
 
   const globalConfig = {
     ...resolvedConfig,
+    dockerGitPath: resolvePathFromBase(path, baseDir, resolvedConfig.dockerGitPath),
     authorizedKeysPath: resolvePathFromBase(path, baseDir, resolvedConfig.authorizedKeysPath),
     envGlobalPath: resolvePathFromBase(path, baseDir, resolvedConfig.envGlobalPath),
     envProjectPath: resolvePathFromBase(path, baseDir, resolvedConfig.envProjectPath),
@@ -52,6 +53,7 @@ export const buildProjectConfigs = (
   }
   const projectConfig = {
     ...resolvedConfig,
+    dockerGitPath: relativeFromOutDir(globalConfig.dockerGitPath),
     authorizedKeysPath: relativeFromOutDir(globalConfig.authorizedKeysPath),
     envGlobalPath: "./.orch/env/global.env",
     envProjectPath: path.isAbsolute(resolvedConfig.envProjectPath)

packages/lib/src/usecases/state-normalize.ts

@@ -27,7 +27,8 @@ const normalizeTemplateConfig = (
   projectDir: string,
   template: TemplateConfig
 ): TemplateConfig | null => {
-  const needs = shouldNormalizePath(path, template.authorizedKeysPath) ||
+  const needs = shouldNormalizePath(path, template.dockerGitPath) ||
+    shouldNormalizePath(path, template.authorizedKeysPath) ||
     shouldNormalizePath(path, template.envGlobalPath) ||
     shouldNormalizePath(path, template.envProjectPath) ||
     shouldNormalizePath(path, template.codexAuthPath) ||
@@ -40,6 +41,7 @@ const normalizeTemplateConfig = (
   // The state repo is shared across machines, so never persist absolute host paths in tracked files.
   const authorizedKeysAbs = path.join(projectsRoot, "authorized_keys")
   const authorizedKeysRel = toPosixPath(path.relative(projectDir, authorizedKeysAbs))
+  const dockerGitRel = toPosixPath(path.relative(projectDir, projectsRoot))
 
   const envGlobalPath = "./.orch/env/global.env"
   const envProjectPath = "./.orch/env/project.env"
@@ -49,6 +51,7 @@ const normalizeTemplateConfig = (
 
   return {
     ...template,
+    dockerGitPath: dockerGitRel.length > 0 ? dockerGitRel : "./.docker-git",
     authorizedKeysPath: authorizedKeysRel.length > 0 ? authorizedKeysRel : "./authorized_keys",
     envGlobalPath,
     envProjectPath,