fix(auth): harden claude global auth fallback and compose retries

Author: skulidropek

packages/app/src/docker-git/menu-project-auth-data.ts

@@ -195,21 +195,31 @@ const updateProjectGitDisconnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<s
   return Effect.succeed(clearProjectGitLabels(withoutUser))
 }
 
+const resolveClaudeAccountCandidates = (
+  claudeAuthPath: string,
+  accountLabel: string
+): ReadonlyArray<string> =>
+  accountLabel === "default"
+    ? [`${claudeAuthPath}/default`, claudeAuthPath]
+    : [`${claudeAuthPath}/${accountLabel}`]
+
 const updateProjectClaudeConnect = (spec: ProjectEnvUpdateSpec): Effect.Effect<string, AppError> => {
   const accountLabel = normalizeAccountLabel(spec.rawLabel, "default")
-  const accountPath = `${spec.claudeAuthPath}/${accountLabel}`
+  const accountCandidates = resolveClaudeAccountCandidates(spec.claudeAuthPath, accountLabel)
   return Effect.gen(function*(_) {
-    const exists = yield* _(spec.fs.exists(accountPath))
-    if (!exists) {
-      return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))
-    }
+    for (const accountPath of accountCandidates) {
+      const exists = yield* _(spec.fs.exists(accountPath))
+      if (!exists) {
+        continue
+      }
 
-    const hasCredentials = yield* _(
-      hasClaudeAccountCredentials(spec.fs, accountPath),
-      Effect.orElseSucceed(() => false)
-    )
-    if (hasCredentials) {
-      return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
+      const hasCredentials = yield* _(
+        hasClaudeAccountCredentials(spec.fs, accountPath),
+        Effect.orElseSucceed(() => false)
+      )
+      if (hasCredentials) {
+        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel)
+      }
     }
 
     return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)))

packages/app/tests/docker-git/entrypoint-auth.test.ts

@@ -40,6 +40,8 @@ describe("renderEntrypoint auth bridge", () => {
       expect(entrypoint).toContain("CLAUDE_SETTINGS_FILE=\"$CLAUDE_CONFIG_DIR/.claude.json\"")
       expect(entrypoint).toContain("nextServers.playwright = {")
       expect(entrypoint).toContain("command: \"docker-git-playwright-mcp\"")
+      expect(entrypoint).toContain("CLAUDE_ROOT_TOKEN_FILE=\"$CLAUDE_AUTH_ROOT/.oauth-token\"")
+      expect(entrypoint).toContain("CLAUDE_ROOT_CONFIG_FILE=\"$CLAUDE_AUTH_ROOT/.config.json\"")
       expect(entrypoint).toContain("CLAUDE_GLOBAL_PROMPT_FILE=\"/home/dev/.claude/CLAUDE.md\"")
       expect(entrypoint).toContain("CLAUDE_AUTO_SYSTEM_PROMPT=\"${CLAUDE_AUTO_SYSTEM_PROMPT:-1}\"")
       expect(entrypoint).toContain("docker-git-managed:claude-md")

packages/lib/src/core/templates-entrypoint/claude.ts

@@ -19,6 +19,16 @@ fi
 
 CLAUDE_AUTH_ROOT="${claudeAuthRootContainerPath(config.sshUser)}"
 CLAUDE_CONFIG_DIR="$CLAUDE_AUTH_ROOT/$CLAUDE_LABEL_NORM"
+
+# Backward compatibility: if default auth is stored directly under claude root, reuse it.
+if [[ "$CLAUDE_LABEL_NORM" == "default" ]]; then
+  CLAUDE_ROOT_TOKEN_FILE="$CLAUDE_AUTH_ROOT/.oauth-token"
+  CLAUDE_ROOT_CONFIG_FILE="$CLAUDE_AUTH_ROOT/.config.json"
+  if [[ -f "$CLAUDE_ROOT_TOKEN_FILE" ]] || [[ -f "$CLAUDE_ROOT_CONFIG_FILE" ]]; then
+    CLAUDE_CONFIG_DIR="$CLAUDE_AUTH_ROOT"
+  fi
+fi
+
 export CLAUDE_CONFIG_DIR
 
 mkdir -p "$CLAUDE_CONFIG_DIR" || true

packages/lib/src/shell/docker.ts

@@ -2,7 +2,7 @@ import * as Command from "@effect/platform/Command"
 import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import { ExitCode } from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
-import { Effect, pipe } from "effect"
+import { Duration, Effect, Schedule, pipe } from "effect"
 
 import { runCommandCapture, runCommandExitCode, runCommandWithExitCodes } from "./command-runner.js"
 import { CommandFailedError, DockerCommandError } from "./errors.js"
@@ -51,6 +51,24 @@ const runComposeCapture = (
     (exitCode) => new DockerCommandError({ exitCode })
   )
 
+const dockerComposeUpRetrySchedule = Schedule.addDelay(
+  Schedule.recurs(2),
+  () => Duration.seconds(2)
+)
+
+const retryDockerComposeUp = (
+  cwd: string,
+  effect: Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor>
+): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor> =>
+  effect.pipe(
+    Effect.tapError(() =>
+      Effect.logWarning(
+        `docker compose up failed in ${cwd}; retrying (possible transient Docker Hub/DNS issue)...`
+      )
+    ),
+    Effect.retry(dockerComposeUpRetrySchedule)
+  )
+
 // CHANGE: run docker compose up -d --build in the target directory
 // WHY: provide a controlled shell effect for image creation
 // QUOTE(ТЗ): "создавать докер образы"
@@ -64,7 +82,10 @@ const runComposeCapture = (
 export const runDockerComposeUp = (
   cwd: string
 ): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor> =>
-  runCompose(cwd, ["up", "-d", "--build"], [Number(ExitCode(0))])
+  retryDockerComposeUp(
+    cwd,
+    runCompose(cwd, ["up", "-d", "--build"], [Number(ExitCode(0))])
+  )
 
 export const dockerComposeUpRecreateArgs: ReadonlyArray<string> = [
   "up",
@@ -86,7 +107,10 @@ export const dockerComposeUpRecreateArgs: ReadonlyArray<string> = [
 export const runDockerComposeUpRecreate = (
   cwd: string
 ): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor> =>
-  runCompose(cwd, dockerComposeUpRecreateArgs, [Number(ExitCode(0))])
+  retryDockerComposeUp(
+    cwd,
+    runCompose(cwd, dockerComposeUpRecreateArgs, [Number(ExitCode(0))])
+  )
 
 // CHANGE: run docker compose down in the target directory
 // WHY: allow stopping managed containers from the CLI/menu

packages/lib/src/usecases/actions/prepare-files.ts

@@ -169,5 +169,6 @@ export const migrateProjectOrchLayout = (
     globalConfig.envGlobalPath,
     globalConfig.envProjectPath,
     globalConfig.codexAuthPath,
-    resolveRootPath(".docker-git/.orch/auth/gh")
+    resolveRootPath(".docker-git/.orch/auth/gh"),
+    resolveRootPath(".docker-git/.orch/auth/claude")
   )

packages/lib/src/usecases/auth-claude.ts

@@ -45,7 +45,8 @@ const ensureClaudeOrchLayout = (
     defaultTemplateConfig.envGlobalPath,
     defaultTemplateConfig.envProjectPath,
     defaultTemplateConfig.codexAuthPath,
-    ".docker-git/.orch/auth/gh"
+    ".docker-git/.orch/auth/gh",
+    ".docker-git/.orch/auth/claude"
   )
 
 const renderClaudeDockerfile = (): string =>

packages/lib/src/usecases/auth-codex.ts

@@ -36,7 +36,8 @@ const ensureCodexOrchLayout = (
     defaultTemplateConfig.envGlobalPath,
     defaultTemplateConfig.envProjectPath,
     codexAuthPath,
-    ".docker-git/.orch/auth/gh"
+    ".docker-git/.orch/auth/gh",
+    ".docker-git/.orch/auth/claude"
   )
 
 const renderCodexDockerfile = (): string =>

packages/lib/src/usecases/auth-github.ts

@@ -43,7 +43,8 @@ const ensureGithubOrchLayout = (
     envGlobalPath,
     defaultTemplateConfig.envProjectPath,
     defaultTemplateConfig.codexAuthPath,
-    ghAuthRoot
+    ghAuthRoot,
+    ".docker-git/.orch/auth/claude"
   )
 
 const normalizeGithubLabel = (value: string | null): string => {

packages/lib/src/usecases/auth-sync.ts

@@ -277,7 +277,8 @@ export const migrateLegacyOrchLayout = (
   envGlobalPath: string,
   envProjectPath: string,
   codexAuthPath: string,
-  ghAuthPath: string
+  ghAuthPath: string,
+  claudeAuthPath: string
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   withFsPathContext(({ fs, path }) =>
     Effect.gen(function*(_) {
@@ -295,15 +296,18 @@ export const migrateLegacyOrchLayout = (
       const legacyEnvProject = path.join(legacyRoot, "env", "project.env")
       const legacyCodex = path.join(legacyRoot, "auth", "codex")
       const legacyGh = path.join(legacyRoot, "auth", "gh")
+      const legacyClaude = path.join(legacyRoot, "auth", "claude")
 
       const resolvedEnvGlobal = resolvePathFromBase(path, baseDir, envGlobalPath)
       const resolvedEnvProject = resolvePathFromBase(path, baseDir, envProjectPath)
       const resolvedCodex = resolvePathFromBase(path, baseDir, codexAuthPath)
       const resolvedGh = resolvePathFromBase(path, baseDir, ghAuthPath)
+      const resolvedClaude = resolvePathFromBase(path, baseDir, claudeAuthPath)
 
       yield* _(copyFileIfNeeded(legacyEnvGlobal, resolvedEnvGlobal))
       yield* _(copyFileIfNeeded(legacyEnvProject, resolvedEnvProject))
       yield* _(copyDirIfEmpty(fs, path, legacyCodex, resolvedCodex, "Codex auth"))
       yield* _(copyDirIfEmpty(fs, path, legacyGh, resolvedGh, "GH auth"))
+      yield* _(copyDirIfEmpty(fs, path, legacyClaude, resolvedClaude, "Claude auth"))
     })
   )

packages/lib/src/usecases/errors.ts

@@ -82,7 +82,8 @@ const renderPrimaryError = (error: NonParseError): string | null =>
         `docker compose failed with exit code ${exitCode}`,
         "Hint: ensure Docker daemon is running and current user can access /var/run/docker.sock (for example via the docker group).",
         "Hint: if output above contains 'port is already allocated', retry with a free SSH port via --ssh-port <port> (for example --ssh-port 2235), or stop the conflicting project/container.",
-        "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`)."
+        "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`).",
+        "Hint: if output above contains 'lookup auth.docker.io' or 'read udp ... [::1]:53 ... connection refused', fix Docker DNS resolver (set working DNS in host/daemon config) and retry."
       ].join("\n")),
     Match.when({ _tag: "DockerAccessError" }, ({ details, issue }) =>
       [