Fix Grok auth flow and auth terminal cleanup

Author: skulidropek

packages/api/src/api/contracts.ts

@@ -257,6 +257,18 @@ export type CodexAuthStatus = {
   readonly account: string | null
 }
 
+export type GrokAuthStatus = {
+  readonly label: string
+  readonly message: string
+  readonly connected: boolean
+  readonly authPath: string
+  readonly method: "none" | "api-key" | "oauth"
+}
+
+export type GrokAuthLogoutRequest = {
+  readonly label?: string | null | undefined
+}
+
 export type CodexAuthLogoutRequest = {
   readonly label?: string | null | undefined
 }

packages/api/src/api/schema.ts

@@ -99,6 +99,10 @@ export const CodexAuthLoginRequestSchema = Schema.Struct({
   label: OptionalNullableString
 })
 
+export const GrokAuthLogoutRequestSchema = Schema.Struct({
+  label: OptionalNullableString
+})
+
 export const CodexAuthLogoutRequestSchema = Schema.Struct({
   label: OptionalNullableString
 })
@@ -345,6 +349,7 @@ export type GithubAuthLogoutRequestInput = Schema.Schema.Type<typeof GithubAuthL
 export type GitlabAuthLogoutRequestInput = Schema.Schema.Type<typeof GitlabAuthLogoutRequestSchema>
 export type CodexAuthImportRequestInput = Schema.Schema.Type<typeof CodexAuthImportRequestSchema>
 export type CodexAuthLoginRequestInput = Schema.Schema.Type<typeof CodexAuthLoginRequestSchema>
+export type GrokAuthLogoutRequestInput = Schema.Schema.Type<typeof GrokAuthLogoutRequestSchema>
 export type CodexAuthLogoutRequestInput = Schema.Schema.Type<typeof CodexAuthLogoutRequestSchema>
 export type ProjectAuthRequestInput = Schema.Schema.Type<typeof ProjectAuthRequestSchema>
 export type ProjectPromptKindInput = Schema.Schema.Type<typeof ProjectPromptKindSchema>

packages/api/src/http.ts

@@ -28,6 +28,7 @@ import {
   ExchangeSubscribeRequestSchema,
   GitlabAuthLoginRequestSchema,
   GitlabAuthLogoutRequestSchema,
+  GrokAuthLogoutRequestSchema,
   GithubAuthLoginRequestSchema,
   GithubAuthLogoutRequestSchema,
   ProjectDatabaseProfileRequestSchema,
@@ -50,9 +51,11 @@ import {
   loginGitlabAuth,
   loginGithubAuth,
   logoutCodexAuth,
+  logoutGrokAuth,
   logoutGitlabAuth,
   logoutGithubAuth,
   readCodexAuthStatus,
+  readGrokAuthStatus,
   readGitlabAuthStatus,
   readGithubAuthStatus,
 } from "./services/auth.js"
@@ -426,6 +429,7 @@ const readAuthMenuRequest = () => HttpServerRequest.schemaBodyJson(AuthMenuReque
 const readAuthTerminalSessionRequest = () => HttpServerRequest.schemaBodyJson(AuthTerminalSessionRequestSchema)
 const readCodexAuthImportRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthImportRequestSchema)
 const readCodexAuthLoginRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthLoginRequestSchema)
+const readGrokAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(GrokAuthLogoutRequestSchema)
 const readCodexAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(CodexAuthLogoutRequestSchema)
 const readProjectAuthRequest = () => HttpServerRequest.schemaBodyJson(ProjectAuthRequestSchema)
 const readProjectPromptUpdateRequest = () => HttpServerRequest.schemaBodyJson(ProjectPromptUpdateRequestSchema)
@@ -835,6 +839,15 @@ export const makeRouter = () => {
         return yield* _(jsonResponse({ status }, 200))
       }).pipe(Effect.catchAll(errorResponse))
     ),
+    HttpRouter.get(
+      "/auth/grok/status",
+      Effect.gen(function*(_) {
+        const request = yield* _(HttpServerRequest.HttpServerRequest)
+        const label = new URL(request.url, "http://localhost").searchParams.get("label")
+        const status = yield* _(readGrokAuthStatus(label))
+        return yield* _(jsonResponse({ status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
     HttpRouter.get(
       "/auth/menu",
       Effect.gen(function*(_) {
@@ -938,6 +951,14 @@ export const makeRouter = () => {
         return yield* _(jsonResponse({ ok: true, status }, 200))
       }).pipe(Effect.catchAll(errorResponse))
     ),
+    HttpRouter.post(
+      "/auth/grok/logout",
+      Effect.gen(function*(_) {
+        const request = yield* _(readGrokAuthLogoutRequest())
+        const status = yield* _(logoutGrokAuth(request))
+        return yield* _(jsonResponse({ ok: true, status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
     HttpRouter.get(
       "/auth/codex/status",
       Effect.gen(function*(_) {

packages/api/src/services/auth.ts

@@ -6,6 +6,7 @@ import { defaultTemplateConfig } from "@effect-template/lib/core/template-defaul
 import { parseGithubRepoUrl, parseGitlabRepoUrl } from "@effect-template/lib/core/repo"
 import { CommandFailedError } from "@effect-template/lib/shell/errors"
 import { authCodexLogin as runCodexLogin } from "@effect-template/lib/usecases/auth-codex"
+import { authGrokLogout as runGrokLogout } from "@effect-template/lib/usecases/auth-grok-logout"
 import { authGitlabLogin as runGitlabLogin, authGitlabLogout as runGitlabLogout, listGitlabTokens } from "@effect-template/lib/usecases/auth-gitlab"
 import { authGithubLogin as runGithubLogin, authGithubLogout as runGithubLogout } from "@effect-template/lib/usecases/auth-github"
 import { readEnvText } from "@effect-template/lib/usecases/env-file"
@@ -25,6 +26,7 @@ import {
   resolveGithubCloneAuthToken
 } from "@effect-template/lib/usecases/github-token-preflight"
 import { validateGithubToken, type GithubTokenValidationResult } from "@effect-template/lib/usecases/github-token-validation"
+import { resolveGrokAccountPath, resolveGrokAuthMethod } from "@effect-template/lib/usecases/auth-grok-helpers"
 import { normalizeAccountLabel } from "@effect-template/lib/usecases/auth-helpers"
 import { resolvePathFromCwd } from "@effect-template/lib/usecases/path-helpers"
 import { Effect, Logger, Match } from "effect"
@@ -34,6 +36,8 @@ import type {
   CodexAuthLoginRequest,
   CodexAuthLogoutRequest,
   CodexAuthStatus,
+  GrokAuthLogoutRequest,
+  GrokAuthStatus,
   GitlabAuthLoginRequest,
   GitlabAuthLogoutRequest,
   GitlabAuthStatus,
@@ -57,6 +61,7 @@ export const gitlabAuthRequiredMessage = [
 ].join("\n")
 export const githubAuthEnvGlobalPath = defaultTemplateConfig.envGlobalPath
 export const codexAuthPath = defaultTemplateConfig.codexAuthPath
+export const grokAuthPath = defaultTemplateConfig.grokAuthPath
 
 const githubTokenKey = "GITHUB_TOKEN"
 const githubTokenPrefix = "GITHUB_TOKEN__"
@@ -70,6 +75,7 @@ type GithubTokenEntry = {
 type JsonRecord = Readonly<Record<string, unknown>>
 type CodexRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 type CodexCommandError = CommandFailedError | PlatformError
+type GrokCommandError = CommandFailedError | PlatformError
 
 const labelFromKey = (key: string): string =>
   key.startsWith(githubTokenPrefix) ? key.slice(githubTokenPrefix.length) : "default"
@@ -138,6 +144,16 @@ const toCodexApiError = (error: CodexCommandError): ApiBadRequestError | ApiInte
       cause: error
     })
 
+const toGrokApiError = (error: GrokCommandError): ApiBadRequestError | ApiInternalError =>
+  error._tag === "CommandFailedError"
+    ? new ApiBadRequestError({
+      message: `${error.command} failed (exit ${error.exitCode}).`
+    })
+    : new ApiInternalError({
+      message: String(error),
+      cause: error
+    })
+
 const runWithCapturedLogs = <R>(
   effect: Effect.Effect<void, CodexCommandError, R>,
   fallbackOutput: string
@@ -406,6 +422,32 @@ const codexAuthStatus = (
   account
 })
 
+const grokAuthStatus = (
+  label: string,
+  authPath: string,
+  method: GrokAuthStatus["method"]
+): GrokAuthStatus => ({
+  label,
+  message: method === "none"
+    ? `Grok not connected (${label}).`
+    : `Grok connected (${label}, ${method}).`,
+  connected: method !== "none",
+  authPath,
+  method
+})
+
+export const readGrokAuthStatus = (
+  label?: string | null | undefined
+): Effect.Effect<GrokAuthStatus, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const rootPath = resolvePathFromCwd(path, process.cwd(), grokAuthPath)
+    const { accountLabel, accountPath } = resolveGrokAccountPath(path, rootPath, label ?? null)
+    const method = yield* _(resolveGrokAuthMethod(fs, accountPath))
+    return grokAuthStatus(accountLabel, accountPath, method)
+  })
+
 export const readCodexAuthStatus = (
   label?: string | null | undefined
 ): Effect.Effect<CodexAuthStatus, PlatformError, FileSystem.FileSystem | Path.Path> =>
@@ -489,6 +531,25 @@ export const logoutCodexAuth = (
     return yield* _(readCodexAuthStatus(request.label))
   })
 
+export const logoutGrokAuth = (
+  request: GrokAuthLogoutRequest
+): Effect.Effect<
+  GrokAuthStatus,
+  PlatformError | ApiBadRequestError | ApiInternalError,
+  FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
+> =>
+  Effect.gen(function*(_) {
+    yield* _(
+      runGrokLogout({
+        _tag: "AuthGrokLogout",
+        label: request.label ?? null,
+        grokAuthPath
+      }).pipe(Effect.mapError(toGrokApiError))
+    )
+
+    return yield* _(readGrokAuthStatus(request.label))
+  })
+
 export const ensureGithubAuthForCreate = (config: {
   readonly repoUrl: string
   readonly gitTokenLabel?: string | undefined

packages/api/tests/auth.test.ts

@@ -16,7 +16,9 @@ import {
   ensureGitlabAuthForCreate,
   importCodexAuth,
   logoutCodexAuth,
+  logoutGrokAuth,
   readCodexAuthStatus,
+  readGrokAuthStatus,
   readGitlabAuthStatus,
   readGithubAuthStatus
 } from "../src/services/auth.js"
@@ -482,4 +484,57 @@ describe("api auth", () => {
         expect(removed.authPath).toBe(path.join(labeledAuthDir, "auth.json"))
       })
     ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("reads labeled Grok auth status from controller state", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const accountDir = path.join(projectsRoot, ".orch", "auth", "grok", "team-a")
+
+        yield* _(fs.makeDirectory(accountDir, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(accountDir, ".api-key"), "xai-test-key\n"))
+
+        const status = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(root, readGrokAuthStatus("team-a"))
+          )
+        )
+
+        expect(status.connected).toBe(true)
+        expect(status.label).toBe("team-a")
+        expect(status.method).toBe("api-key")
+        expect(status.authPath).toBe(accountDir)
+        expect(status.message).toBe("Grok connected (team-a, api-key).")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("removes labeled Grok auth from controller state", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const accountDir = path.join(projectsRoot, ".orch", "auth", "grok", "team-a")
+
+        yield* _(fs.makeDirectory(path.join(accountDir, ".grok"), { recursive: true }))
+        yield* _(fs.writeFileString(path.join(accountDir, ".api-key"), "xai-test-key\n"))
+        yield* _(fs.writeFileString(path.join(accountDir, ".grok", "user-settings.json"), "{\"apiKey\":\"xai-test-key\"}\n"))
+
+        const status = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(root, logoutGrokAuth({ label: "team-a" }))
+          )
+        )
+
+        expect(status.connected).toBe(false)
+        expect(status.label).toBe("team-a")
+        expect(status.method).toBe("none")
+        expect(status.authPath).toBe(accountDir)
+        expect(status.message).toBe("Grok not connected (team-a).")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
 })

packages/app/src/docker-git/api-client-auth.ts

@@ -25,6 +25,8 @@ import type {
   AuthGithubLoginCommand,
   AuthGithubLogoutCommand,
   AuthGithubStatusCommand,
+  AuthGrokLogoutCommand,
+  AuthGrokStatusCommand,
   AuthGitlabLoginCommand,
   AuthGitlabLogoutCommand,
   AuthGitlabStatusCommand
@@ -193,6 +195,16 @@ export const codexStatus = (command: AuthCodexStatusCommand) => {
   return request("GET", `/auth/codex/status${query}`)
 }
 
+export const grokStatus = (command: AuthGrokStatusCommand) => {
+  const query = command.label === null ? "" : `?label=${encodeURIComponent(command.label)}`
+  return request("GET", `/auth/grok/status${query}`)
+}
+
+export const grokLogout = (command: AuthGrokLogoutCommand) =>
+  requestVoid("POST", "/auth/grok/logout", {
+    label: command.label
+  })
+
 export const codexLogout = (command: AuthCodexLogoutCommand) =>
   requestVoid("POST", "/auth/codex/logout", {
     label: command.label

packages/app/src/docker-git/api-client.ts

@@ -31,6 +31,8 @@ export {
   githubLogin,
   githubLogout,
   githubStatus,
+  grokLogout,
+  grokStatus,
   gitlabLogin,
   gitlabLogout,
   gitlabStatus