fix(shell): remove client sudo bootstrap and harden github auth

Author: skulidropek

docker-compose.yml

@@ -3,6 +3,8 @@ services:
     build:
       context: .
       dockerfile: packages/api/Dockerfile
+      args:
+        DOCKER_GIT_CONTROLLER_REV: ${DOCKER_GIT_CONTROLLER_REV:-unknown}
     container_name: docker-git-api
     environment:
       DOCKER_GIT_API_PORT: ${DOCKER_GIT_API_PORT:-3334}

packages/api/Dockerfile

@@ -1,6 +1,10 @@
 FROM ubuntu:24.04
 
+ARG DOCKER_GIT_CONTROLLER_REV=unknown
+LABEL io.prover-coder-ai.docker-git.controller-rev=$DOCKER_GIT_CONTROLLER_REV
+
 ENV DEBIAN_FRONTEND=noninteractive
+ENV DOCKER_GIT_CONTROLLER_REV=$DOCKER_GIT_CONTROLLER_REV
 WORKDIR /workspace
 
 RUN apt-get update && apt-get install -y --no-install-recommends \

packages/api/src/services/auth.ts

@@ -6,7 +6,10 @@ import { parseGithubRepoUrl } from "@effect-template/lib/core/repo"
 import { authGithubLogin as runGithubLogin, authGithubLogout as runGithubLogout } from "@effect-template/lib/usecases/auth-github"
 import { readEnvText } from "@effect-template/lib/usecases/env-file"
 import {
+  githubRepoAccessMessage,
+  githubRepoAccessWarning,
   githubInvalidTokenMessage,
+  probeGithubRepoAccess,
   resolveGithubCloneAuthToken
 } from "@effect-template/lib/usecases/github-token-preflight"
 import { validateGithubToken, type GithubTokenValidationResult } from "@effect-template/lib/usecases/github-token-validation"
@@ -26,7 +29,10 @@ import type {
 import { ApiAuthRequiredError, ApiBadRequestError } from "../api/errors.js"
 
 export const githubAuthRequiredCommand = "docker-git auth github login --web"
-export const githubAuthRequiredMessage = "GitHub authentication is required. Run: docker-git auth github login --web"
+export const githubAuthRequiredMessage = [
+  "GitHub auth is missing: no GitHub token/key was found for this repository.",
+  "If the repository requires access, run: docker-git auth github login --web"
+].join("\n")
 export const githubAuthEnvGlobalPath = defaultTemplateConfig.envGlobalPath
 export const codexAuthPath = defaultTemplateConfig.codexAuthPath
 
@@ -260,7 +266,7 @@ export const ensureGithubAuthForCreate = (config: {
   readonly gitTokenLabel?: string | undefined
   readonly skipGithubAuth?: boolean | undefined
   readonly envGlobalPath: string
-}): Effect.Effect<void, ApiAuthRequiredError | PlatformError, FileSystem.FileSystem | Path.Path> =>
+}): Effect.Effect<void, ApiAuthRequiredError | ApiBadRequestError | PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
     if (parseGithubRepoUrl(config.repoUrl) === null) {
       return
@@ -284,12 +290,27 @@ export const ensureGithubAuthForCreate = (config: {
     }
 
     const validation: GithubTokenValidationResult = yield* _(validateGithubToken(token))
-    return yield* _(
+    yield* _(
       Match.value(validation.status).pipe(
         Match.when("valid", () => Effect.void),
         Match.when("invalid", () => Effect.fail(githubAuthError(githubInvalidTokenMessage))),
         Match.when("unknown", () => Effect.logWarning("Unable to validate GitHub token before create; continuing.")),
         Match.exhaustive
       )
     )
+
+    const access = yield* _(probeGithubRepoAccess(config.repoUrl, token))
+    return yield* _(
+      Match.value(access).pipe(
+        Match.when("accessible", () => Effect.void),
+        Match.when("notAccessible", () =>
+          Effect.fail(
+            new ApiBadRequestError({
+              message: githubRepoAccessMessage(config.repoUrl, true)
+            })
+          )),
+        Match.when("unknown", () => Effect.logWarning(githubRepoAccessWarning)),
+        Match.exhaustive
+      )
+    )
   })

packages/api/tests/auth.test.ts

@@ -5,6 +5,8 @@ import { describe, expect, it } from "@effect/vitest"
 import { Effect } from "effect"
 import { vi } from "vitest"
 
+import { githubRepoAccessMessage } from "@effect-template/lib/usecases/github-token-preflight"
+
 import { ApiAuthRequiredError } from "../src/api/errors.js"
 import {
   ensureGithubAuthForCreate,
@@ -47,6 +49,13 @@ const withWorkingDirectory = <A, E, R>(
       })
   )
 
+const resolveFetchUrl = (input: Parameters<typeof globalThis.fetch>[0]): string =>
+  typeof input === "string"
+    ? input
+    : input instanceof URL
+      ? input.toString()
+      : input.url
+
 const withProjectsRoot = <A, E, R>(
   projectsRoot: string,
   effect: Effect.Effect<A, E, R>
@@ -192,6 +201,63 @@ describe("api auth", () => {
       })
     ).pipe(Effect.provide(NodeContext.layer)))
 
+  it.effect("returns bad request when the selected GitHub token cannot access the repository", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const envDir = path.join(projectsRoot, ".orch", "env")
+        const envPath = path.join(envDir, "global.env")
+        const repoUrl = "https://github.com/TestOrganization123213/openclaw_autodeployer"
+        const fetchMock = vi.fn<typeof globalThis.fetch>((input) => {
+          const url = resolveFetchUrl(input)
+
+          if (url === "https://api.github.com/user") {
+            return Effect.runPromise(
+              Effect.succeed(
+                new Response(JSON.stringify({ login: "octocat" }), {
+                  status: 200,
+                  headers: {
+                    "content-type": "application/json"
+                  }
+                })
+              )
+            )
+          }
+
+          return Effect.runPromise(Effect.succeed(new Response(null, { status: 404 })))
+        })
+
+        yield* _(fs.makeDirectory(envDir, { recursive: true }))
+        yield* _(fs.writeFileString(envPath, "GITHUB_TOKEN=live-token\n"))
+
+        const failure = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            withWorkingDirectory(
+              root,
+              withPatchedFetch(
+                fetchMock,
+                ensureGithubAuthForCreate({
+                  repoUrl,
+                  gitTokenLabel: undefined,
+                  skipGithubAuth: false,
+                  envGlobalPath: ".docker-git/.orch/env/global.env"
+                }).pipe(Effect.flip)
+              )
+            )
+          )
+        )
+
+        expect(failure._tag).toBe("ApiBadRequestError")
+        if (failure._tag === "ApiBadRequestError") {
+          expect(failure.message).toBe(githubRepoAccessMessage(repoUrl, true))
+        }
+        expect(fetchMock).toHaveBeenCalledTimes(2)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
   it.effect("imports Codex auth into the controller-owned auth directory", () =>
     withTempDir((root) =>
       Effect.gen(function*(_) {

packages/app/src/docker-git/controller-docker.ts

@@ -7,6 +7,7 @@ import { Effect } from "effect"
 import { runCommandCapture, runCommandExitCode } from "@lib/shell/command-runner"
 
 import { type DockerNetworkIps, parseDockerNetworkIps, uniqueStrings } from "./controller-reachability.js"
+import { computeLocalControllerRevision, controllerRevisionEnvKey, parseControllerRevisionEnvOutput } from "./controller-revision.js"
 import type { ControllerBootstrapError } from "./host-errors.js"
 
 export type ControllerRuntime =
@@ -18,6 +19,7 @@ export const controllerContainerName = "docker-git-api"
 
 const inspectNetworksTemplate = String
   .raw`{{range $k,$v := .NetworkSettings.Networks}}{{printf "%s=%s\n" $k $v.IPAddress}}{{end}}`
+const inspectEnvTemplate = String.raw`{{range .Config.Env}}{{println .}}{{end}}`
 
 const controllerBootstrapError = (message: string): ControllerBootstrapError => ({
   _tag: "ControllerBootstrapError",
@@ -48,6 +50,17 @@ const composeFilePath = (): Effect.Effect<string, PlatformError, FileSystem.File
 const mapComposePathError = (error: PlatformError): ControllerBootstrapError =>
   controllerBootstrapError(`Failed to resolve docker-compose.yml path.\nDetails: ${String(error)}`)
 
+const mapControllerRevisionError = (error: PlatformError): ControllerBootstrapError =>
+  controllerBootstrapError(`Failed to compute docker-git controller revision.\nDetails: ${String(error)}`)
+
+const renderDockerAccessDeniedMessage = (): string =>
+  [
+    "docker-git host CLI cannot access Docker from the client process.",
+    "Client-side sudo fallback is disabled.",
+    "Keep the docker-git backend container running and reach it via DOCKER_GIT_API_URL or the default local API port, or grant this user direct Docker access (docker group/rootless Docker).",
+    "Probe command: docker info"
+  ].join("\n")
+
 const runExitCode = (
   command: string,
   args: ReadonlyArray<string>
@@ -65,18 +78,16 @@ const runExitCode = (
 
 export const resolveDockerCommand = (): Effect.Effect<
   ReadonlyArray<string>,
-  never,
+  ControllerBootstrapError,
   CommandExecutor.CommandExecutor
 > =>
-  Effect.gen(function*(_) {
-    const dockerInfoExit = yield* _(runExitCode("docker", ["info"]))
-    if (dockerInfoExit === 0) {
-      return ["docker"]
-    }
-
-    const sudoDockerInfoExit = yield* _(runExitCode("sudo", ["-n", "docker", "info"]))
-    return sudoDockerInfoExit === 0 ? ["sudo", "docker"] : ["docker"]
-  })
+  runExitCode("docker", ["info"]).pipe(
+    Effect.flatMap((dockerInfoExit) =>
+      dockerInfoExit === 0
+        ? Effect.succeed<ReadonlyArray<string>>(["docker"])
+        : Effect.fail(controllerBootstrapError(renderDockerAccessDeniedMessage()))
+    )
+  )
 
 type DockerInvocation = {
   readonly command: string
@@ -104,7 +115,7 @@ const formatDockerInvocationFailure = (
 
 const runDockerExitCodeCommand = (
   args: ReadonlyArray<string>
-): Effect.Effect<number, never, ControllerRuntime> =>
+): Effect.Effect<number, ControllerBootstrapError, ControllerRuntime> =>
   Effect.gen(function*(_) {
     const dockerCommand = yield* _(resolveDockerCommand())
     const invocation = buildDockerInvocation(dockerCommand, args)
@@ -166,6 +177,37 @@ export const runCompose = (
     )
   })
 
+export const controllerExists = (): Effect.Effect<boolean, ControllerBootstrapError, ControllerRuntime> =>
+  runDockerExitCodeCommand(["inspect", controllerContainerName]).pipe(
+    Effect.map((exitCode) => exitCode === 0)
+  )
+
+export const inspectControllerRevision = (): Effect.Effect<string | null, ControllerBootstrapError, ControllerRuntime> =>
+  controllerExists().pipe(
+    Effect.flatMap((exists) =>
+      exists
+        ? runDockerCapture(
+            ["inspect", "-f", inspectEnvTemplate, controllerContainerName],
+            `Failed to inspect env for ${controllerContainerName}`
+          ).pipe(
+            Effect.map(parseControllerRevisionEnvOutput),
+            Effect.orElseSucceed((): string | null => null)
+          )
+        : Effect.succeed<string | null>(null))
+  )
+
+export const prepareLocalControllerRevision = (): Effect.Effect<string, ControllerBootstrapError, ControllerRuntime> =>
+  Effect.gen(function*(_) {
+    const composePath = yield* _(composeFilePath().pipe(Effect.mapError(mapComposePathError)))
+    const revision = yield* _(computeLocalControllerRevision(composePath).pipe(Effect.mapError(mapControllerRevisionError)))
+    yield* _(
+      Effect.sync(() => {
+        process.env[controllerRevisionEnvKey] = revision
+      })
+    )
+    return revision
+  })
+
 export const inspectContainerNetworks = (
   containerName: string
 ): Effect.Effect<DockerNetworkIps, never, ControllerRuntime> =>
@@ -197,7 +239,10 @@ const connectControllerToNetworkBestEffort = (
     return Effect.void
   }
 
-  return runDockerExitCodeCommand(["network", "connect", trimmed, controllerContainerName]).pipe(Effect.asVoid)
+  return runDockerExitCodeCommand(["network", "connect", trimmed, controllerContainerName]).pipe(
+    Effect.asVoid,
+    Effect.orElseSucceed(() => undefined)
+  )
 }
 
 export const ensureControllerReachabilityNetworks = (