fix(docker): harden clone and shared-network fallback

Author: skulidropek

packages/lib/src/core/templates-entrypoint/tasks.ts

@@ -139,22 +139,15 @@ const renderCloneBodyRef = (config: TemplateConfig): string =>
       fi
     else
       if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS --branch '$REPO_REF' '$AUTH_REPO_URL' '$TARGET_DIR'"; then
-        DEFAULT_REF="$(git ls-remote --symref "$AUTH_REPO_URL" HEAD 2>/dev/null | awk '/^ref:/ {print $2}' | head -n 1 || true)"
-        DEFAULT_BRANCH="$(printf "%s" "$DEFAULT_REF" | sed 's#^refs/heads/##')"
-        if [[ -n "$DEFAULT_BRANCH" ]]; then
-          echo "[clone] branch '$REPO_REF' missing; retrying with '$DEFAULT_BRANCH'"
-          if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS --branch '$DEFAULT_BRANCH' '$AUTH_REPO_URL' '$TARGET_DIR'"; then
-            echo "[clone] git clone failed for $REPO_URL"
-            CLONE_OK=0
-          elif [[ "$REPO_REF" == issue-* ]]; then
-            if ! su - ${config.sshUser} -c "cd '$TARGET_DIR' && git checkout -B '$REPO_REF'"; then
-              echo "[clone] failed to create local branch '$REPO_REF'"
-              CLONE_OK=0
-            fi
-          fi
-        else
+        echo "[clone] branch '$REPO_REF' missing; retrying without --branch"
+        if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS '$AUTH_REPO_URL' '$TARGET_DIR'"; then
           echo "[clone] git clone failed for $REPO_URL"
           CLONE_OK=0
+        elif [[ "$REPO_REF" == issue-* ]]; then
+          if ! su - ${config.sshUser} -c "cd '$TARGET_DIR' && git checkout -B '$REPO_REF'"; then
+            echo "[clone] failed to create local branch '$REPO_REF'"
+            CLONE_OK=0
+          fi
         fi
       fi
     fi

packages/lib/src/shell/docker.ts

@@ -381,6 +381,31 @@ export const runDockerNetworkCreateBridge = (
     (exitCode) => new DockerCommandError({ exitCode })
   )
 
+// CHANGE: create a Docker bridge network with an explicit subnet
+// WHY: allow callers to bypass default address-pool allocation when it is exhausted
+// QUOTE(ТЗ): "научилось создавать сети правильно"
+// REF: user-request-2026-02-20-network-fallback
+// SOURCE: n/a
+// FORMAT THEOREM: ∀(n,s): create(n,s)=0 -> exists(n) ∧ subnet(n)=s
+// PURITY: SHELL
+// EFFECT: Effect<void, DockerCommandError | PlatformError, CommandExecutor>
+// INVARIANT: network driver is always `bridge`
+// COMPLEXITY: O(command)
+export const runDockerNetworkCreateBridgeWithSubnet = (
+  cwd: string,
+  networkName: string,
+  subnet: string
+): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor> =>
+  runCommandWithExitCodes(
+    {
+      cwd,
+      command: "docker",
+      args: ["network", "create", "--driver", "bridge", "--subnet", subnet, networkName]
+    },
+    [Number(ExitCode(0))],
+    (exitCode) => new DockerCommandError({ exitCode })
+  )
+
 // CHANGE: inspect how many containers are attached to a network
 // WHY: network GC must remove only detached networks
 // QUOTE(ТЗ): "Только так что бы текущие проекты не ложились"

packages/lib/src/usecases/docker-network-gc.ts

@@ -10,6 +10,7 @@ import {
 import {
   runDockerNetworkContainerCount,
   runDockerNetworkCreateBridge,
+  runDockerNetworkCreateBridgeWithSubnet,
   runDockerNetworkExists,
   runDockerNetworkRemove
 } from "../shell/docker.js"
@@ -20,6 +21,54 @@ const protectedNetworkNames = new Set(["bridge", "host", "none"])
 const isProtectedNetwork = (networkName: string, sharedNetworkName: string): boolean =>
   protectedNetworkNames.has(networkName) || networkName === sharedNetworkName
 
+const sharedNetworkFallbackSubnets: ReadonlyArray<string> = [
+  "10.250.0.0/24",
+  "10.251.0.0/24",
+  "10.252.0.0/24",
+  "10.253.0.0/24",
+  "172.31.250.0/24",
+  "172.31.251.0/24",
+  "172.31.252.0/24",
+  "172.31.253.0/24",
+  "192.168.250.0/24",
+  "192.168.251.0/24"
+]
+
+const createSharedNetworkWithSubnetFallback = (
+  cwd: string,
+  networkName: string
+): Effect.Effect<boolean, PlatformError, CommandExecutor> =>
+  Effect.gen(function*(_) {
+    for (const subnet of sharedNetworkFallbackSubnets) {
+      const created = yield* _(
+        runDockerNetworkCreateBridgeWithSubnet(cwd, networkName, subnet).pipe(
+          Effect.as(true),
+          Effect.catchTag("DockerCommandError", (error) =>
+            Effect.logWarning(
+              `Shared network create fallback failed (${networkName}, subnet ${subnet}, exit ${error.exitCode}); trying next subnet.`
+            ).pipe(Effect.as(false))
+          )
+        )
+      )
+      if (created) {
+        yield* _(Effect.log(`Created shared Docker network ${networkName} with subnet ${subnet}.`))
+        return true
+      }
+    }
+    return false
+  })
+
+const ensureSharedNetworkExists = (
+  cwd: string,
+  networkName: string
+): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor> =>
+  runDockerNetworkCreateBridge(cwd, networkName).pipe(
+    Effect.catchTag("DockerCommandError", (error) =>
+      createSharedNetworkWithSubnetFallback(cwd, networkName).pipe(
+        Effect.flatMap((created) => (created ? Effect.void : Effect.fail(error)))
+      ))
+  )
+
 // CHANGE: ensure shared docker network exists before compose up
 // WHY: avoid compose failures when using `external: true` shared network mode
 // QUOTE(ТЗ): "Что бы текущие проекты не ложились"
@@ -44,7 +93,7 @@ export const ensureComposeNetworkReady = (
       exists
         ? Effect.void
         : Effect.log(`Creating shared Docker network: ${networkName}`).pipe(
-          Effect.zipRight(runDockerNetworkCreateBridge(cwd, networkName))
+          Effect.zipRight(ensureSharedNetworkExists(cwd, networkName))
         ))
   )
 }

packages/lib/tests/usecases/docker-network-gc.test.ts

@@ -21,6 +21,10 @@ type FakeState = {
   readonly containerCountByNetwork: Map<string, number>
 }
 
+type FakeExecutorOptions = {
+  readonly failNetworkCreateWithoutSubnet: boolean
+}
+
 type SharedTemplate = {
   readonly serviceName: string
   readonly dockerNetworkMode: "shared"
@@ -38,7 +42,8 @@ const encode = (value: string): Uint8Array => new TextEncoder().encode(value)
 const makeFakeExecutor = (
   recorded: Array<RecordedCommand>,
   initialNetworks: ReadonlyArray<string>,
-  containerCounts: ReadonlyArray<readonly [string, number]>
+  containerCounts: ReadonlyArray<readonly [string, number]>,
+  options: FakeExecutorOptions = { failNetworkCreateWithoutSubnet: false }
 ): CommandExecutor.CommandExecutor => {
   const state: FakeState = {
     existingNetworks: new Set(initialNetworks),
@@ -78,8 +83,13 @@ const makeFakeExecutor = (
       }
 
       if (isDockerNetworkCreate) {
-        const networkName = args[4] ?? ""
-        if (networkName.length > 0) {
+        const subnetFlagIndex = args.indexOf("--subnet")
+        const hasSubnet = subnetFlagIndex >= 0
+        const networkName = hasSubnet ? (args[subnetFlagIndex + 2] ?? "") : (args[4] ?? "")
+
+        if (!hasSubnet && options.failNetworkCreateWithoutSubnet) {
+          exitCode = 1
+        } else if (networkName.length > 0) {
           state.existingNetworks.add(networkName)
           if (!state.containerCountByNetwork.has(networkName)) {
             state.containerCountByNetwork.set(networkName, 0)
@@ -173,6 +183,45 @@ describe("docker network shared mode", () => {
       )
       expect(created).toBe(false)
     }))
+
+  it.effect("falls back to explicit subnet when default network create fails", () =>
+    Effect.gen(function*(_) {
+      const recorded: Array<RecordedCommand> = []
+      const executor = makeFakeExecutor(
+        recorded,
+        [],
+        [],
+        { failNetworkCreateWithoutSubnet: true }
+      )
+      const template: SharedTemplate = {
+        serviceName: "dg-test",
+        dockerNetworkMode: "shared",
+        dockerSharedNetworkName: "docker-git-shared"
+      }
+
+      yield* _(
+        ensureComposeNetworkReady("/tmp", template).pipe(
+          Effect.provideService(CommandExecutor.CommandExecutor, executor)
+        )
+      )
+
+      const defaultCreateTried = recorded.some(
+        (entry) =>
+          entry.command === "docker" &&
+          entry.args[0] === "network" &&
+          entry.args[1] === "create" &&
+          !entry.args.includes("--subnet")
+      )
+      const subnetCreateTried = recorded.some(
+        (entry) =>
+          entry.command === "docker" &&
+          entry.args[0] === "network" &&
+          entry.args[1] === "create" &&
+          entry.args.includes("--subnet")
+      )
+      expect(defaultCreateTried).toBe(true)
+      expect(subnetCreateTried).toBe(true)
+    }))
 })
 
 describe("docker network gc", () => {

packages/lib/tests/usecases/prepare-files.test.ts

@@ -128,6 +128,8 @@ describe("prepareProjectFiles", () => {
         expect(entrypoint).toContain('OPENCODE_SHARED_HOME="/home/dev/.codex-shared/opencode"')
         expect(entrypoint).toContain('OPENCODE_CONFIG_DIR="/home/dev/.config/opencode"')
         expect(entrypoint).toContain('"plugin": ["oh-my-opencode"]')
+        expect(entrypoint).toContain("branch '$REPO_REF' missing; retrying without --branch")
+        expect(entrypoint).not.toContain("git ls-remote --symref")
         expect(composeBefore).toContain(":/home/dev/.docker-git")
         expect(composeBefore).not.toContain("dg-test-browser")
         expect(composeBefore).toContain("docker-git-shared")