fix(auth): switch Claude OAuth to setup-token flow

Author: skulidropek

packages/app/src/docker-git/menu-project-auth-claude.ts

@@ -0,0 +1,70 @@
+import type { PlatformError } from "@effect/platform/Error"
+import type * as FileSystem from "@effect/platform/FileSystem"
+import { Effect } from "effect"
+
+const oauthTokenFileName = ".oauth-token"
+const legacyConfigFileName = ".config.json"
+
+const hasFileAtPath = (
+  fs: FileSystem.FileSystem,
+  filePath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const exists = yield* _(fs.exists(filePath))
+    if (!exists) {
+      return false
+    }
+    const info = yield* _(fs.stat(filePath))
+    return info.type === "File"
+  })
+
+const hasNonEmptyOauthToken = (
+  fs: FileSystem.FileSystem,
+  tokenPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasFile = yield* _(hasFileAtPath(fs, tokenPath))
+    if (!hasFile) {
+      return false
+    }
+    const tokenValue = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""))
+    return tokenValue.trim().length > 0
+  })
+
+const hasLegacyClaudeAuthFile = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const entries = yield* _(fs.readDirectory(accountPath))
+    for (const entry of entries) {
+      if (!entry.startsWith(".claude") || !entry.endsWith(".json")) {
+        continue
+      }
+      const isFile = yield* _(hasFileAtPath(fs, `${accountPath}/${entry}`))
+      if (isFile) {
+        return true
+      }
+    }
+    return false
+  })
+
+export const hasClaudeAccountCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`).pipe(
+    Effect.flatMap((hasConfig) => {
+      if (hasConfig) {
+        return Effect.succeed(true)
+      }
+      return hasNonEmptyOauthToken(fs, `${accountPath}/${oauthTokenFileName}`).pipe(
+        Effect.flatMap((hasOauthToken) => {
+          if (hasOauthToken) {
+            return Effect.succeed(true)
+          }
+          return hasLegacyClaudeAuthFile(fs, accountPath)
+        })
+      )
+    })
+  )

packages/app/src/docker-git/menu-project-auth-data.ts

@@ -12,6 +12,7 @@ import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 
 import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
+import { hasClaudeAccountCredentials } from "./menu-project-auth-claude.js"
 import type { MenuEnv, ProjectAuthFlow, ProjectAuthSnapshot } from "./menu-types.js"
 
 export type ProjectAuthMenuAction = ProjectAuthFlow | "Refresh" | "Back"
@@ -202,24 +203,13 @@ const updateProjectClaudeConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<s
     if (!exists) {
       return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
     }
-    const configJsonPath = `${accountPath}/.config.json`
-    const hasConfigJson = yield* _(spec.fs.exists(configJsonPath))
-    if (hasConfigJson) {
-      const info = yield* _(spec.fs.stat(configJsonPath))
-      if (info.type === "File") {
-        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
-      }
-    }
 
-    const entries = yield* _(spec.fs.readDirectory(accountPath))
-    for (const entry of entries) {
-      if (!entry.startsWith(".claude") || !entry.endsWith(".json")) {
-        continue
-      }
-      const info = yield* _(spec.fs.stat(`${accountPath}/${entry}`))
-      if (info.type === "File") {
-        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
-      }
+    const hasCredentials = yield* _(
+      hasClaudeAccountCredentials(spec.fs, accountPath),
+      Effect.orElseSucceed(() => false)
+    )
+    if (hasCredentials) {
+      return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
     }
 
     return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))

packages/lib/src/core/templates-entrypoint/claude.ts

@@ -23,10 +23,21 @@ export CLAUDE_CONFIG_DIR
 
 mkdir -p "$CLAUDE_CONFIG_DIR" || true
 
+CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CODE_OAUTH_TOKEN=""
+if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+  CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
+fi
+export CLAUDE_CODE_OAUTH_TOKEN
+
 CLAUDE_PROFILE="/etc/profile.d/claude-config.sh"
 printf "export CLAUDE_AUTH_LABEL=%q\n" "$CLAUDE_AUTH_LABEL" > "$CLAUDE_PROFILE"
 printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
+if [[ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]]; then
+  printf "export CLAUDE_CODE_OAUTH_TOKEN=%q\n" "$CLAUDE_CODE_OAUTH_TOKEN" >> "$CLAUDE_PROFILE"
+fi
 chmod 0644 "$CLAUDE_PROFILE" || true
 
 docker_git_upsert_ssh_env "CLAUDE_AUTH_LABEL" "$CLAUDE_AUTH_LABEL"
-docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"`
+docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"
+docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "$CLAUDE_CODE_OAUTH_TOKEN"`