feat(app): route host docker-git through controller api

Author: skulidropek

packages/api/Dockerfile

@@ -14,6 +14,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
 
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml tsconfig.base.json tsconfig.json ./
 COPY patches ./patches
+COPY scripts ./scripts
 COPY packages ./packages
 
 RUN pnpm install --frozen-lockfile

packages/api/src/api/contracts.ts

@@ -54,6 +54,10 @@ export type ApplyAllRequest = {
   readonly activeOnly?: boolean | undefined
 }
 
+export type UpProjectRequest = {
+  readonly authorizedKeysContents?: string | undefined
+}
+
 export type ApiAuthRequired = {
   readonly provider: "github"
   readonly message: string
@@ -71,6 +75,7 @@ export type CreateProjectRequest = {
   readonly volumeName?: string | undefined
   readonly secretsRoot?: string | undefined
   readonly authorizedKeysPath?: string | undefined
+  readonly authorizedKeysContents?: string | undefined
   readonly envGlobalPath?: string | undefined
   readonly envProjectPath?: string | undefined
   readonly codexAuthPath?: string | undefined
@@ -82,6 +87,7 @@ export type CreateProjectRequest = {
   readonly enableMcpPlaywright?: boolean | undefined
   readonly outDir?: string | undefined
   readonly gitTokenLabel?: string | undefined
+  readonly skipGithubAuth?: boolean | undefined
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
   readonly agentAutoMode?: string | undefined

packages/api/src/api/schema.ts

@@ -15,6 +15,7 @@ export const CreateProjectRequestSchema = Schema.Struct({
   volumeName: OptionalString,
   secretsRoot: OptionalString,
   authorizedKeysPath: OptionalString,
+  authorizedKeysContents: OptionalString,
   envGlobalPath: OptionalString,
   envProjectPath: OptionalString,
   codexAuthPath: OptionalString,
@@ -26,6 +27,7 @@ export const CreateProjectRequestSchema = Schema.Struct({
   enableMcpPlaywright: OptionalBoolean,
   outDir: OptionalString,
   gitTokenLabel: OptionalString,
+  skipGithubAuth: OptionalBoolean,
   codexTokenLabel: OptionalString,
   claudeTokenLabel: OptionalString,
   agentAutoMode: OptionalString,
@@ -50,6 +52,10 @@ export const ApplyAllRequestSchema = Schema.Struct({
   activeOnly: OptionalBoolean
 })
 
+export const UpProjectRequestSchema = Schema.Struct({
+  authorizedKeysContents: OptionalString
+})
+
 export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "custom")
 
 export const AgentEnvVarSchema = Schema.Struct({
@@ -103,5 +109,6 @@ export type CreateProjectRequestInput = Schema.Schema.Type<typeof CreateProjectR
 export type GithubAuthLoginRequestInput = Schema.Schema.Type<typeof GithubAuthLoginRequestSchema>
 export type GithubAuthLogoutRequestInput = Schema.Schema.Type<typeof GithubAuthLogoutRequestSchema>
 export type ApplyAllRequestInput = Schema.Schema.Type<typeof ApplyAllRequestSchema>
+export type UpProjectRequestInput = Schema.Schema.Type<typeof UpProjectRequestSchema>
 export type CreateAgentRequestInput = Schema.Schema.Type<typeof CreateAgentRequestSchema>
 export type CreateFollowRequestInput = Schema.Schema.Type<typeof CreateFollowRequestSchema>

packages/api/src/http.ts

@@ -10,7 +10,15 @@ import * as ParseResult from "effect/ParseResult"
 import * as Schema from "effect/Schema"
 
 import { ApiAuthRequiredError, ApiBadRequestError, ApiConflictError, ApiInternalError, ApiNotFoundError, describeUnknown } from "./api/errors.js"
-import { ApplyAllRequestSchema, CreateAgentRequestSchema, CreateFollowRequestSchema, CreateProjectRequestSchema, GithubAuthLoginRequestSchema, GithubAuthLogoutRequestSchema } from "./api/schema.js"
+import {
+  ApplyAllRequestSchema,
+  CreateAgentRequestSchema,
+  CreateFollowRequestSchema,
+  CreateProjectRequestSchema,
+  GithubAuthLoginRequestSchema,
+  GithubAuthLogoutRequestSchema,
+  UpProjectRequestSchema
+} from "./api/schema.js"
 import { uiHtml, uiScript, uiStyles } from "./ui.js"
 import { loginGithubAuth, logoutGithubAuth, readGithubAuthStatus } from "./services/auth.js"
 import { getAgent, getAgentAttachInfo, listAgents, readAgentLogs, startAgent, stopAgent } from "./services/agents.js"
@@ -142,6 +150,10 @@ const readCreateFollowRequest = () => HttpServerRequest.schemaBodyJson(CreateFol
 const readGithubAuthLoginRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLoginRequestSchema)
 const readGithubAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLogoutRequestSchema)
 const readApplyAllRequest = () => HttpServerRequest.schemaBodyJson(ApplyAllRequestSchema)
+const readUpProjectRequest = () =>
+  HttpServerRequest.schemaBodyJson(UpProjectRequestSchema).pipe(
+    Effect.catchAll(() => Effect.succeed({ authorizedKeysContents: undefined }))
+  )
 const readInboxPayload = () => HttpServerRequest.schemaBodyJson(Schema.Unknown)
 
 const configuredFederationPublicOrigin =
@@ -351,9 +363,12 @@ export const makeRouter = () => {
     ),
     HttpRouter.post(
       "/projects/:projectId/up",
-      projectParams.pipe(
-        Effect.flatMap(({ projectId }) => upProject(projectId)),
-        Effect.flatMap(() => jsonResponse({ ok: true }, 200)),
+      Effect.gen(function*(_) {
+        const { projectId } = yield* _(projectParams)
+        const request = yield* _(readUpProjectRequest())
+        yield* _(upProject(projectId, request.authorizedKeysContents))
+        return yield* _(jsonResponse({ ok: true }, 200))
+      }).pipe(
         Effect.catchAll(errorResponse)
       )
     ),

packages/api/src/services/auth.ts

@@ -147,13 +147,18 @@ export const logoutGithubAuth = (request: GithubAuthLogoutRequest) =>
 export const ensureGithubAuthForCreate = (config: {
   readonly repoUrl: string
   readonly gitTokenLabel?: string | undefined
+  readonly skipGithubAuth?: boolean | undefined
   readonly envGlobalPath: string
 }): Effect.Effect<void, ApiAuthRequiredError | PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
     if (parseGithubRepoUrl(config.repoUrl) === null) {
       return
     }
 
+    if (config.skipGithubAuth === true) {
+      return
+    }
+
     const fs = yield* _(FileSystem.FileSystem)
     const path = yield* _(Path.Path)
     const resolvedEnvPath = resolveControllerEnvPath(path, config.envGlobalPath)

packages/api/src/services/projects.ts

@@ -8,8 +8,11 @@ import {
   readProjectConfig,
   runDockerComposeUpWithPortCheck
 } from "@effect-template/lib"
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
 import { runCommandCapture } from "@effect-template/lib/shell/command-runner"
 import { CommandFailedError } from "@effect-template/lib/shell/errors"
+import { defaultProjectsRoot, resolvePathFromCwd } from "@effect-template/lib/usecases/path-helpers"
 import { deleteDockerGitProject } from "@effect-template/lib/usecases/projects"
 import type { RawOptions } from "@effect-template/lib/core/command-options"
 import type { ProjectItem } from "@effect-template/lib/usecases/projects"
@@ -159,6 +162,52 @@ const resolveCreatedProject = (
     })
   )
 
+const normalizeAuthorizedKeys = (value: string): ReadonlyArray<string> =>
+  value
+    .split(/\r?\n/u)
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+
+const mergeAuthorizedKeys = (
+  current: ReadonlyArray<string>,
+  next: ReadonlyArray<string>
+): string => {
+  const merged = [...current]
+  for (const line of next) {
+    if (!merged.includes(line)) {
+      merged.push(line)
+    }
+  }
+  return merged.length === 0 ? "" : `${merged.join("\n")}\n`
+}
+
+export const seedAuthorizedKeysForCreate = (
+  outDir: string,
+  authorizedKeysContents: string | undefined
+) =>
+  Effect.gen(function*(_) {
+    const normalized = normalizeAuthorizedKeys(authorizedKeysContents ?? "")
+    if (normalized.length === 0) {
+      return
+    }
+
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const defaultAuthorizedKeysPath = path.join(defaultProjectsRoot(process.cwd()), "authorized_keys")
+    const resolvedOutDir = resolvePathFromCwd(path, process.cwd(), outDir)
+    const projectAuthorizedKeysPath = path.join(resolvedOutDir, "authorized_keys")
+    const targets = Array.from(new Set([defaultAuthorizedKeysPath, projectAuthorizedKeysPath]))
+
+    for (const target of targets) {
+      const exists = yield* _(fs.exists(target))
+      const current = exists ? yield* _(fs.readFileString(target)) : ""
+      const merged = mergeAuthorizedKeys(normalizeAuthorizedKeys(current), normalized)
+
+      yield* _(fs.makeDirectory(path.dirname(target), { recursive: true }))
+      yield* _(fs.writeFileString(target, merged))
+    }
+  })
+
 export const listProjects = () =>
   listProjectItems.pipe(
     Effect.flatMap((projects) => Effect.forEach(projects, withProjectRuntime, { concurrency: "unbounded" })),
@@ -218,6 +267,7 @@ export const createProjectFromRequest = (
       ...(request.enableMcpPlaywright === undefined ? {} : { enableMcpPlaywright: request.enableMcpPlaywright }),
       ...(request.outDir === undefined ? {} : { outDir: request.outDir }),
       ...(request.gitTokenLabel === undefined ? {} : { gitTokenLabel: request.gitTokenLabel }),
+      ...(request.skipGithubAuth === undefined ? {} : { skipGithubAuth: request.skipGithubAuth }),
       ...(request.codexTokenLabel === undefined ? {} : { codexTokenLabel: request.codexTokenLabel }),
       ...(request.claudeTokenLabel === undefined ? {} : { claudeTokenLabel: request.claudeTokenLabel }),
       ...(request.agentAutoMode === undefined ? {} : { agentAutoMode: request.agentAutoMode }),
@@ -245,6 +295,8 @@ export const createProjectFromRequest = (
       waitForClone: request.waitForClone ?? parsed.right.waitForClone
     }
 
+    yield* _(seedAuthorizedKeysForCreate(command.outDir, request.authorizedKeysContents))
+
     yield* _(ensureGithubAuthForCreate(command.config))
 
     yield* _(
@@ -297,13 +349,89 @@ const markDeployment = (projectId: string, phase: string, message: string) =>
     emitProjectEvent(projectId, "project.deployment.status", { phase, message })
   })
 
+const syncContainerAuthorizedKeys = (
+  project: ProjectItem
+) =>
+  Effect.gen(function*(_) {
+    const path = yield* _(Path.Path)
+    const sourcePath = path.join(project.projectDir, "authorized_keys")
+
+    yield* _(
+      runCommandCapture(
+        {
+          cwd: project.projectDir,
+          command: "docker",
+          args: [
+            "exec",
+            project.containerName,
+            "sh",
+            "-c",
+            [
+              "set -eu",
+              `mkdir -p /home/${project.sshUser}/.docker-git`,
+              `mkdir -p /home/${project.sshUser}/.ssh`
+            ].join("; ")
+          ]
+        },
+        [0],
+        (exitCode) => new CommandFailedError({ command: "docker exec prepare authorized_keys sync", exitCode })
+      ).pipe(Effect.asVoid)
+    )
+
+    yield* _(
+      runCommandCapture(
+        {
+          cwd: project.projectDir,
+          command: "docker",
+          args: [
+            "cp",
+            sourcePath,
+            `${project.containerName}:/home/${project.sshUser}/.docker-git/authorized_keys`
+          ]
+        },
+        [0],
+        (exitCode) => new CommandFailedError({ command: "docker cp authorized_keys", exitCode })
+      ).pipe(Effect.asVoid)
+    )
+
+    yield* _(
+      runCommandCapture(
+        {
+          cwd: project.projectDir,
+          command: "docker",
+          args: [
+            "exec",
+            project.containerName,
+            "sh",
+            "-c",
+            [
+              "set -eu",
+              `cp /home/${project.sshUser}/.docker-git/authorized_keys /home/${project.sshUser}/.ssh/authorized_keys`,
+              `chown ${project.sshUser}:${project.sshUser} /home/${project.sshUser}/.docker-git/authorized_keys`,
+              `chmod 600 /home/${project.sshUser}/.docker-git/authorized_keys`,
+              `chown ${project.sshUser}:${project.sshUser} /home/${project.sshUser}/.ssh/authorized_keys`,
+              `chmod 600 /home/${project.sshUser}/.ssh/authorized_keys`
+            ].join("; ")
+          ]
+        },
+        [0],
+        (exitCode) => new CommandFailedError({ command: "docker exec sync authorized_keys", exitCode })
+      ).pipe(Effect.asVoid)
+    )
+  })
+
 export const upProject = (
-  projectId: string
+  projectId: string,
+  authorizedKeysContents?: string
 ) =>
   Effect.gen(function*(_) {
     const project = yield* _(findProjectById(projectId))
+    yield* _(seedAuthorizedKeysForCreate(project.projectDir, authorizedKeysContents))
     yield* _(markDeployment(projectId, "build", "docker compose up -d --build"))
     yield* _(runDockerComposeUpWithPortCheck(project.projectDir))
+    if ((authorizedKeysContents ?? "").trim().length > 0) {
+      yield* _(syncContainerAuthorizedKeys(project))
+    }
     yield* _(markDeployment(projectId, "running", "Container running"))
   })
 

packages/api/tests/auth.test.ts

@@ -6,7 +6,7 @@ import { Effect } from "effect"
 import { vi } from "vitest"
 
 import { ApiAuthRequiredError } from "../src/api/errors.js"
-import { readGithubAuthStatus } from "../src/services/auth.js"
+import { ensureGithubAuthForCreate, readGithubAuthStatus } from "../src/services/auth.js"
 import { createProjectFromRequest } from "../src/services/projects.js"
 
 const withTempDir = <A, E, R>(
@@ -156,4 +156,33 @@ describe("api auth", () => {
         expect(status.tokens[0]?.login).toBe("octocat")
       })
     ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("skips API GitHub auth gate when anonymous clone override is enabled", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const envDir = path.join(projectsRoot, ".orch", "env")
+        const envPath = path.join(envDir, "global.env")
+
+        yield* _(fs.makeDirectory(envDir, { recursive: true }))
+        yield* _(fs.writeFileString(envPath, "# docker-git env\n"))
+
+        yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(
+              root,
+              ensureGithubAuthForCreate({
+                repoUrl: "https://github.com/ProverCoderAI/docker-git",
+                gitTokenLabel: undefined,
+                skipGithubAuth: true,
+                envGlobalPath: ".docker-git/.orch/env/global.env"
+              })
+            )
+          )
+        )
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
 })