packages/

Author: skulidropek

packages/lib/src/usecases/actions/create-project.ts

@@ -11,6 +11,7 @@ import { ensureDockerDaemonAccess } from "../../shell/docker.js"
 import { CommandFailedError } from "../../shell/errors.js"
 import type {
   AgentFailedError,
+  AuthError,
   CloneFailedError,
   DockerAccessError,
   DockerCommandError,
@@ -21,6 +22,7 @@ import { logDockerAccessInfo } from "../access-log.js"
 import { resolveAutoAgentMode } from "../agent-auto-select.js"
 import { renderError } from "../errors.js"
 import { applyGithubForkConfig } from "../github-fork.js"
+import { validateGithubCloneAuthTokenPreflight } from "../github-token-preflight.js"
 import { defaultProjectsRoot } from "../menu-helpers.js"
 import { findSshPrivateKey } from "../path-helpers.js"
 import { buildSshCommand, getContainerIpIfInsideContainer } from "../projects-core.js"
@@ -38,6 +40,7 @@ type CreateProjectError =
   | FileExistsError
   | CloneFailedError
   | AgentFailedError
+  | AuthError
   | DockerAccessError
   | DockerCommandError
   | PortProbeError
@@ -66,15 +69,14 @@ const resolveRootedConfig = (command: CreateCommand, ctx: CreateContext): Create
 })
 
 const resolveCreateConfig = (
-  command: CreateCommand,
-  ctx: CreateContext,
+  rootedConfig: CreateCommand["config"],
   resolvedOutDir: string
 ): Effect.Effect<
   CreateCommand["config"],
   PortProbeError | PlatformError,
   FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 > =>
-  resolveSshPort(resolveRootedConfig(command, ctx), resolvedOutDir).pipe(
+  resolveSshPort(rootedConfig, resolvedOutDir).pipe(
     Effect.flatMap((config) => applyGithubForkConfig(config)),
     Effect.flatMap((config) => resolveTemplateResourceLimits(config))
   )
@@ -245,8 +247,11 @@ const runCreateProject = (
 
     const ctx = makeCreateContext(path, process.cwd())
     const resolvedOutDir = path.resolve(ctx.resolveRootPath(command.outDir))
+    const rootedConfig = resolveRootedConfig(command, ctx)
+
+    yield* _(validateGithubCloneAuthTokenPreflight(rootedConfig))
 
-    const resolvedConfig = yield* _(resolveCreateConfig(command, ctx, resolvedOutDir))
+    const resolvedConfig = yield* _(resolveCreateConfig(rootedConfig, resolvedOutDir))
     const finalConfig = yield* _(resolveFinalAgentConfig(resolvedConfig))
     const { globalConfig, projectConfig } = buildProjectConfigs(path, ctx.baseDir, resolvedOutDir, finalConfig)
 

packages/lib/src/usecases/github-token-preflight.ts

@@ -0,0 +1,138 @@
+import { FetchHttpClient, HttpClient } from "@effect/platform"
+import type { PlatformError } from "@effect/platform/Error"
+import * as FileSystem from "@effect/platform/FileSystem"
+import { Effect } from "effect"
+
+import type { TemplateConfig } from "../core/domain.js"
+import { parseGithubRepoUrl } from "../core/repo.js"
+import { normalizeGitTokenLabel } from "../core/token-labels.js"
+import { AuthError } from "../shell/errors.js"
+import { findEnvValue, readEnvText } from "./env-file.js"
+
+const githubTokenValidationUrl = "https://api.github.com/user"
+const githubTokenValidationWarning = "Unable to validate GitHub token before start; continuing."
+export const githubInvalidTokenMessage =
+  "GitHub token is invalid. Register GitHub again: docker-git auth github login --web"
+
+const defaultGithubTokenKeys: ReadonlyArray<string> = [
+  "GIT_AUTH_TOKEN",
+  "GITHUB_TOKEN",
+  "GH_TOKEN"
+]
+
+const findFirstEnvValue = (input: string, keys: ReadonlyArray<string>): string | null => {
+  for (const key of keys) {
+    const value = findEnvValue(input, key)
+    if (value !== null) {
+      return value
+    }
+  }
+  return null
+}
+
+const resolvePreferredGithubTokenLabel = (
+  config: Pick<TemplateConfig, "repoUrl" | "gitTokenLabel">
+): string | undefined => {
+  const explicit = normalizeGitTokenLabel(config.gitTokenLabel)
+  if (explicit !== undefined) {
+    return explicit
+  }
+
+  const repo = parseGithubRepoUrl(config.repoUrl)
+  if (repo === null) {
+    return undefined
+  }
+
+  return normalizeGitTokenLabel(repo.owner)
+}
+
+// CHANGE: resolve the GitHub token that clone will actually use for a repo URL
+// WHY: preflight must validate the same labeled/default token selection as the entrypoint
+// QUOTE(ТЗ): "ПУсть всегда проверяет токен гитхаба перед запуском"
+// REF: user-request-2026-03-19-github-token-preflight
+// SOURCE: n/a
+// FORMAT THEOREM: ∀cfg,env: resolve(cfg, env) = token_clone(cfg, env) ∨ null
+// PURITY: CORE
+// INVARIANT: labeled token has priority; falls back to default token keys
+// COMPLEXITY: O(k) where k = |token keys|
+export const resolveGithubCloneAuthToken = (
+  envText: string,
+  config: Pick<TemplateConfig, "repoUrl" | "gitTokenLabel">
+): string | null => {
+  if (parseGithubRepoUrl(config.repoUrl) === null) {
+    return null
+  }
+
+  const preferredLabel = resolvePreferredGithubTokenLabel(config)
+  if (preferredLabel !== undefined) {
+    const labeledKeys = defaultGithubTokenKeys.map((key) => `${key}__${preferredLabel}`)
+    const labeledToken = findFirstEnvValue(envText, labeledKeys)
+    if (labeledToken !== null) {
+      return labeledToken
+    }
+  }
+
+  return findFirstEnvValue(envText, defaultGithubTokenKeys)
+}
+
+type GithubTokenValidationStatus = "valid" | "invalid" | "unknown"
+
+const unknownGithubTokenValidationStatus = (): GithubTokenValidationStatus => "unknown"
+
+const mapGithubTokenValidationStatus = (status: number): GithubTokenValidationStatus => {
+  if (status === 401) {
+    return "invalid"
+  }
+  return status >= 200 && status < 300 ? "valid" : "unknown"
+}
+
+const validateGithubTokenStatus = (token: string): Effect.Effect<GithubTokenValidationStatus> =>
+  Effect.gen(function*(_) {
+    const client = yield* _(HttpClient.HttpClient)
+    const response = yield* _(
+      client.get(githubTokenValidationUrl, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json"
+        }
+      })
+    )
+    return mapGithubTokenValidationStatus(response.status)
+  }).pipe(
+    Effect.provide(FetchHttpClient.layer),
+    Effect.match({
+      onFailure: unknownGithubTokenValidationStatus,
+      onSuccess: (status) => status
+    })
+  )
+
+// CHANGE: validate GitHub auth token before clone/create starts mutating the project
+// WHY: dead tokens make git clone fail later with a misleading branch/auth error inside the container
+// QUOTE(ТЗ): "Если токен мёртв то пусть пишет что надо зарегистрировать github используй docker-git auth github login --web"
+// REF: user-request-2026-03-19-github-token-preflight
+// SOURCE: n/a
+// FORMAT THEOREM: ∀cfg: invalid_token(cfg) → fail_before_start(cfg)
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | PlatformError, FileSystem>
+// INVARIANT: only GitHub repo URLs with a configured token are validated
+// COMPLEXITY: O(|env|) + O(1) network round-trip
+export const validateGithubCloneAuthTokenPreflight = (
+  config: Pick<TemplateConfig, "repoUrl" | "gitTokenLabel" | "envGlobalPath">
+): Effect.Effect<void, AuthError | PlatformError, FileSystem.FileSystem> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const envText = yield* _(readEnvText(fs, config.envGlobalPath))
+    const token = resolveGithubCloneAuthToken(envText, config)
+
+    if (token === null) {
+      return
+    }
+
+    const status = yield* _(validateGithubTokenStatus(token))
+    if (status === "invalid") {
+      return yield* _(Effect.fail(new AuthError({ message: githubInvalidTokenMessage })))
+    }
+    if (status === "unknown") {
+      yield* _(Effect.logWarning(githubTokenValidationWarning))
+    }
+  })

packages/lib/tests/usecases/github-token-preflight.test.ts

@@ -0,0 +1,137 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+import { vi } from "vitest"
+
+import type { CreateCommand, TemplateConfig } from "../../src/core/domain.js"
+import { createProject } from "../../src/usecases/actions/create-project.js"
+import {
+  githubInvalidTokenMessage,
+  resolveGithubCloneAuthToken
+} from "../../src/usecases/github-token-preflight.js"
+
+const withTempDir = <A, E, R>(
+  use: (tempDir: string) => Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R | FileSystem.FileSystem> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const fs = yield* _(FileSystem.FileSystem)
+      const tempDir = yield* _(
+        fs.makeTempDirectoryScoped({
+          prefix: "docker-git-github-token-preflight-"
+        })
+      )
+      return yield* _(use(tempDir))
+    })
+  )
+
+const withPatchedFetch = <A, E, R>(
+  fetchImpl: typeof globalThis.fetch,
+  effect: Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R> =>
+  Effect.acquireUseRelease(
+    Effect.sync(() => {
+      const previous = globalThis.fetch
+      globalThis.fetch = fetchImpl
+      return previous
+    }),
+    () => effect,
+    (previous) =>
+      Effect.sync(() => {
+        globalThis.fetch = previous
+      })
+  )
+
+const makeCommand = (root: string, outDir: string, path: Path.Path): CreateCommand => {
+  const template: TemplateConfig = {
+    containerName: "dg-test",
+    serviceName: "dg-test",
+    sshUser: "dev",
+    sshPort: 2222,
+    repoUrl: "https://github.com/TelegramGPT/go-login-ozon.git",
+    repoRef: "main",
+    targetDir: "/home/dev/workspaces/telegramgpt/go-login-ozon",
+    volumeName: "dg-test-home",
+    dockerGitPath: path.join(root, ".docker-git"),
+    authorizedKeysPath: path.join(root, "authorized_keys"),
+    envGlobalPath: path.join(root, ".orch/env/global.env"),
+    envProjectPath: path.join(root, ".orch/env/project.env"),
+    codexAuthPath: path.join(root, ".orch/auth/codex"),
+    codexSharedAuthPath: path.join(root, ".orch/auth/codex-shared"),
+    codexHome: "/home/dev/.codex",
+    dockerNetworkMode: "shared",
+    dockerSharedNetworkName: "docker-git-shared",
+    enableMcpPlaywright: false,
+    pnpmVersion: "10.27.0"
+  }
+
+  return {
+    _tag: "Create",
+    config: template,
+    outDir,
+    runUp: false,
+    openSsh: false,
+    force: true,
+    forceEnv: false,
+    waitForClone: true
+  }
+}
+
+describe("github token preflight", () => {
+  it("prefers the owner-labeled token over the default token", () => {
+    const envText = [
+      "# docker-git env",
+      "GITHUB_TOKEN=default-token",
+      "GITHUB_TOKEN__TELEGRAMGPT=labeled-token",
+      ""
+    ].join("\n")
+
+    const token = resolveGithubCloneAuthToken(envText, {
+      repoUrl: "https://github.com/TelegramGPT/go-login-ozon.git",
+      gitTokenLabel: undefined
+    })
+
+    expect(token).toBe("labeled-token")
+  })
+
+  it.effect("fails createProject before writing files when the selected GitHub token is invalid", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const outDir = path.join(root, "project")
+        const command = makeCommand(root, outDir, path)
+        const fetchMock = vi.fn<typeof globalThis.fetch>(() =>
+          Effect.runPromise(Effect.succeed(new Response(null, { status: 401 })))
+        )
+
+        yield* _(fs.makeDirectory(path.join(root, ".orch", "env"), { recursive: true }))
+        yield* _(
+          fs.writeFileString(
+            command.config.envGlobalPath,
+            [
+              "# docker-git env",
+              "GITHUB_TOKEN=dead-token",
+              ""
+            ].join("\n")
+          )
+        )
+
+        const error = yield* _(
+          withPatchedFetch(
+            fetchMock,
+            createProject(command).pipe(Effect.flip)
+          )
+        )
+
+        expect(error._tag).toBe("AuthError")
+        expect(error.message).toBe(githubInvalidTokenMessage)
+        expect(fetchMock).toHaveBeenCalledTimes(1)
+
+        const outDirExists = yield* _(fs.exists(outDir))
+        expect(outDirExists).toBe(false)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+})