fix(shell): move docker-git runtime state into volumes

Author: skulidropek

README.md

@@ -1,7 +1,7 @@
 # docker-git
 
 `docker-git` создаёт отдельную Docker-среду для каждого репозитория, issue или PR.
-По умолчанию проекты лежат в `~/.docker-git`.
+По умолчанию управляющие файлы проекта лежат в `~/.docker-git`, а runtime workspace, `.docker-git` state и auth живут внутри Docker-managed volumes контейнера.
 
 ## Что нужно
 

packages/app/tests/docker-git/fixtures/project-item.ts

@@ -14,11 +14,11 @@ export const makeProjectItem = (
   targetDir: "/home/dev/org/repo",
   sshCommand: "ssh -p 2222 dev@localhost",
   sshKeyPath: null,
-  authorizedKeysPath: "/home/dev/.docker-git/org-repo/.docker-git/authorized_keys",
+  authorizedKeysPath: "/home/dev/.docker-git/org-repo/authorized_keys",
   authorizedKeysExists: true,
-  envGlobalPath: "/home/dev/.orch/env/global.env",
+  envGlobalPath: "/home/dev/.docker-git/org-repo/.orch/env/global.env",
   envProjectPath: "/home/dev/.docker-git/org-repo/.orch/env/project.env",
-  codexAuthPath: "/home/dev/.orch/auth/codex",
+  codexAuthPath: "/home/dev/.docker-git/org-repo/.orch/auth/codex",
   codexHome: "/home/dev/.codex",
   ...overrides
 })

packages/app/tests/docker-git/menu-select-connect.test.ts

@@ -20,10 +20,10 @@ const makeConnectDeps = (events: Array<string>) => ({
 const workspaceProject = () =>
   makeProjectItem({
     projectDir: "/home/dev/provercoderai/docker-git/workspaces/org/repo",
-    authorizedKeysPath: "/home/dev/provercoderai/docker-git/workspaces/org/repo/.docker-git/authorized_keys",
-    envGlobalPath: "/home/dev/provercoderai/docker-git/.orch/env/global.env",
+    authorizedKeysPath: "/home/dev/provercoderai/docker-git/workspaces/org/repo/authorized_keys",
+    envGlobalPath: "/home/dev/provercoderai/docker-git/workspaces/org/repo/.orch/env/global.env",
     envProjectPath: "/home/dev/provercoderai/docker-git/workspaces/org/repo/.orch/env/project.env",
-    codexAuthPath: "/home/dev/provercoderai/docker-git/.orch/auth/codex"
+    codexAuthPath: "/home/dev/provercoderai/docker-git/workspaces/org/repo/.orch/auth/codex"
   })
 
 describe("menu-select-connect", () => {

packages/lib/src/core/domain.ts

@@ -9,6 +9,7 @@ export type DockerNetworkMode = "shared" | "project"
 export const defaultDockerNetworkMode: DockerNetworkMode = "shared"
 
 export const defaultDockerSharedNetworkName = "docker-git-shared"
+export const dockerGitSharedCodexVolumeName = "docker-git-shared-codex"
 
 export interface TemplateConfig {
   readonly containerName: string

packages/lib/src/core/templates-entrypoint.ts

@@ -34,11 +34,11 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
   [
     renderEntrypointHeader(config),
     renderEntrypointPackageCache(config),
+    renderEntrypointDockerGitBootstrap(config),
     renderEntrypointAuthorizedKeys(config),
     renderEntrypointCodexHome(config),
     renderEntrypointCodexSharedAuth(config),
     renderEntrypointOpenCodeConfig(config),
-    renderEntrypointDockerGitBootstrap(config),
     renderEntrypointMcpPlaywright(config),
     renderEntrypointZshShell(config),
     renderEntrypointZshUserRc(config),

packages/lib/src/core/templates-entrypoint/base.ts

@@ -51,7 +51,7 @@ docker_git_upsert_ssh_env() {
 }`
 
 export const renderEntrypointPackageCache = (config: TemplateConfig): string =>
-  `# Share package manager caches across all docker-git containers
+  `# Keep package manager caches inside the project home volume
 PACKAGE_CACHE_ROOT="/home/${config.sshUser}/.docker-git/.cache/packages"
 PACKAGE_PNPM_STORE="\${npm_config_store_dir:-\${PNPM_STORE_DIR:-$PACKAGE_CACHE_ROOT/pnpm/store}}"
 PACKAGE_NPM_CACHE="\${npm_config_cache:-\${NPM_CONFIG_CACHE:-$PACKAGE_CACHE_ROOT/npm}}"
@@ -76,12 +76,13 @@ docker_git_upsert_ssh_env "npm_config_cache" "$PACKAGE_NPM_CACHE"
 docker_git_upsert_ssh_env "YARN_CACHE_FOLDER" "$PACKAGE_YARN_CACHE"`
 
 export const renderEntrypointAuthorizedKeys = (config: TemplateConfig): string =>
-  `# 1) Authorized keys are mounted from host at /authorized_keys
+  `# 1) Mirror authorized_keys from the project home volume into ~/.ssh
+DOCKER_GIT_AUTH_KEYS="/home/${config.sshUser}/.docker-git/authorized_keys"
 mkdir -p /home/${config.sshUser}/.ssh
 chmod 700 /home/${config.sshUser}/.ssh
 
-if [[ -f /authorized_keys ]]; then
-  cp /authorized_keys /home/${config.sshUser}/.ssh/authorized_keys
+if [[ -f "$DOCKER_GIT_AUTH_KEYS" ]]; then
+  cp "$DOCKER_GIT_AUTH_KEYS" /home/${config.sshUser}/.ssh/authorized_keys
   chmod 600 /home/${config.sshUser}/.ssh/authorized_keys
 fi
 

packages/lib/src/core/templates-entrypoint/codex.ts

@@ -2,8 +2,10 @@ import type { TemplateConfig } from "../domain.js"
 
 export const renderEntrypointCodexHome = (config: TemplateConfig): string =>
   `# Ensure Codex home exists if mounted
-mkdir -p ${config.codexHome}
-chown -R 1000:1000 ${config.codexHome}
+mkdir -p ${config.codexHome} && chown -R 1000:1000 ${config.codexHome}
+
+DOCKER_GIT_CODEX_BOOTSTRAP="/home/${config.sshUser}/.docker-git/.orch/auth/codex/config.toml"
+if [[ -f "$DOCKER_GIT_CODEX_BOOTSTRAP" && ! -f "${config.codexHome}/config.toml" ]]; then cp "$DOCKER_GIT_CODEX_BOOTSTRAP" "${config.codexHome}/config.toml"; chown 1000:1000 "${config.codexHome}/config.toml" || true; fi
 
 # Ensure home ownership matches the dev UID/GID (volumes may be stale)
 HOME_OWNER="$(stat -c "%u:%g" /home/${config.sshUser} 2>/dev/null || echo "")"
@@ -22,15 +24,13 @@ if [[ "$CODEX_SHARE_AUTH" == "1" ]]; then
     | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
   if [[ -z "$CODEX_LABEL_NORM" ]]; then CODEX_LABEL_NORM="default"; fi
   CODEX_AUTH_LABEL="$CODEX_LABEL_NORM"
-  CODEX_SHARED_HOME="${config.codexHome}-shared"
-  mkdir -p "$CODEX_SHARED_HOME"
-  chown -R 1000:1000 "$CODEX_SHARED_HOME" || true
-  AUTH_FILE="${config.codexHome}/auth.json"
-  SHARED_AUTH_FILE="$CODEX_SHARED_HOME/auth.json"
+  DOCKER_GIT_CODEX_AUTH_ROOT="/home/${config.sshUser}/.docker-git/.orch/auth/codex"; CODEX_SHARED_HOME="${config.codexHome}-shared"
+  mkdir -p "$CODEX_SHARED_HOME" && chown -R 1000:1000 "$CODEX_SHARED_HOME" || true
+  AUTH_FILE="${config.codexHome}/auth.json"; SHARED_AUTH_FILE="$CODEX_SHARED_HOME/auth.json"; SHARED_AUTH_SEED="$DOCKER_GIT_CODEX_AUTH_ROOT/auth.json"
   if [[ "$CODEX_LABEL_NORM" != "default" ]]; then
-    SHARED_AUTH_FILE="$CODEX_SHARED_HOME/$CODEX_LABEL_NORM/auth.json"
-    mkdir -p "$(dirname "$SHARED_AUTH_FILE")"
+    SHARED_AUTH_FILE="$CODEX_SHARED_HOME/$CODEX_LABEL_NORM/auth.json"; SHARED_AUTH_SEED="$DOCKER_GIT_CODEX_AUTH_ROOT/$CODEX_LABEL_NORM/auth.json"; mkdir -p "$(dirname "$SHARED_AUTH_FILE")"
   fi
+  if [[ ! -f "$SHARED_AUTH_FILE" && -f "$SHARED_AUTH_SEED" ]]; then cp "$SHARED_AUTH_SEED" "$SHARED_AUTH_FILE"; chmod 600 "$SHARED_AUTH_FILE" || true; chown 1000:1000 "$SHARED_AUTH_FILE" || true; fi
   # Guard against a bad bind mount creating a directory at auth.json.
   if [[ -d "$AUTH_FILE" ]]; then
     mv "$AUTH_FILE" "$AUTH_FILE.bak-$(date +%s)" || true
@@ -319,4 +319,5 @@ export const renderEntrypointAgentsNotice = (config: TemplateConfig): string =>
   entrypointAgentsNoticeTemplate.replaceAll("__CODEX_HOME__", config.codexHome).replaceAll(
     "__SSH_USER__",
     config.sshUser
-  ).replaceAll("__TARGET_DIR__", config.targetDir)
+  )
+    .replaceAll("__TARGET_DIR__", config.targetDir)

packages/lib/src/core/templates-entrypoint/nested-docker-git.ts

@@ -4,28 +4,70 @@ const entrypointDockerGitBootstrapTemplate = String
   .raw`# Bootstrap ~/.docker-git for nested docker-git usage inside this container.
 DOCKER_GIT_HOME="/home/__SSH_USER__/.docker-git"
 DOCKER_GIT_AUTH_DIR="$DOCKER_GIT_HOME/.orch/auth/codex"
+DOCKER_GIT_CLAUDE_AUTH_DIR="$DOCKER_GIT_HOME/.orch/auth/claude"
 DOCKER_GIT_ENV_DIR="$DOCKER_GIT_HOME/.orch/env"
 DOCKER_GIT_ENV_GLOBAL="$DOCKER_GIT_ENV_DIR/global.env"
 DOCKER_GIT_ENV_PROJECT="$DOCKER_GIT_ENV_DIR/project.env"
 DOCKER_GIT_AUTH_KEYS="$DOCKER_GIT_HOME/authorized_keys"
+BOOTSTRAP_ROOT="/opt/docker-git/bootstrap"
+BOOTSTRAP_ORCH_ROOT="$BOOTSTRAP_ROOT/.orch"
+BOOTSTRAP_AUTH_KEYS="$BOOTSTRAP_ROOT/authorized_keys"
+BOOTSTRAP_CODEX_AUTH_DIR="$BOOTSTRAP_ORCH_ROOT/auth/codex"
+BOOTSTRAP_CLAUDE_AUTH_DIR="$BOOTSTRAP_ORCH_ROOT/auth/claude"
+BOOTSTRAP_ENV_GLOBAL="$BOOTSTRAP_ORCH_ROOT/env/global.env"
+BOOTSTRAP_ENV_PROJECT="$BOOTSTRAP_ORCH_ROOT/env/project.env"
 
-mkdir -p "$DOCKER_GIT_AUTH_DIR" "$DOCKER_GIT_ENV_DIR" "$DOCKER_GIT_HOME/.orch/auth/gh"
+mkdir -p "$DOCKER_GIT_AUTH_DIR" "$DOCKER_GIT_CLAUDE_AUTH_DIR" "$DOCKER_GIT_ENV_DIR" "$DOCKER_GIT_HOME/.orch/auth/gh"
 
-if [[ -f "/home/__SSH_USER__/.ssh/authorized_keys" ]]; then
+copy_if_missing_file() {
+  local source="$1"
+  local target="$2"
+  if [[ ! -f "$source" || -e "$target" ]]; then
+    return 1
+  fi
+  mkdir -p "$(dirname "$target")"
+  cp "$source" "$target"
+  return 0
+}
+
+copy_dir_missing_entries() {
+  local source="$1"
+  local target="$2"
+  if [[ ! -d "$source" ]]; then
+    return 0
+  fi
+  mkdir -p "$target"
+  (
+    cd "$source"
+    find . -mindepth 1 -print
+  ) | while IFS= read -r entry; do
+    local source_entry="$source/$entry"
+    local target_entry="$target/$entry"
+    if [[ -d "$source_entry" ]]; then
+      mkdir -p "$target_entry"
+    elif [[ -f "$source_entry" && ! -e "$target_entry" ]]; then
+      mkdir -p "$(dirname "$target_entry")"
+      cp "$source_entry" "$target_entry"
+    fi
+  done
+}
+
+if [[ ! -f "$DOCKER_GIT_AUTH_KEYS" && -f "/home/__SSH_USER__/.ssh/authorized_keys" ]]; then
   cp "/home/__SSH_USER__/.ssh/authorized_keys" "$DOCKER_GIT_AUTH_KEYS"
-elif [[ -f /authorized_keys ]]; then
-  cp /authorized_keys "$DOCKER_GIT_AUTH_KEYS"
 fi
+copy_if_missing_file "$BOOTSTRAP_AUTH_KEYS" "$DOCKER_GIT_AUTH_KEYS" || true
 if [[ -f "$DOCKER_GIT_AUTH_KEYS" ]]; then
   chmod 600 "$DOCKER_GIT_AUTH_KEYS" || true
 fi
 
+copy_if_missing_file "$BOOTSTRAP_ENV_GLOBAL" "$DOCKER_GIT_ENV_GLOBAL" || true
 if [[ ! -f "$DOCKER_GIT_ENV_GLOBAL" ]]; then
   cat <<'EOF' > "$DOCKER_GIT_ENV_GLOBAL"
 # docker-git env
 # KEY=value
 EOF
 fi
+copy_if_missing_file "$BOOTSTRAP_ENV_PROJECT" "$DOCKER_GIT_ENV_PROJECT" || true
 if [[ ! -f "$DOCKER_GIT_ENV_PROJECT" ]]; then
   cat <<'EOF' > "$DOCKER_GIT_ENV_PROJECT"
 # docker-git project env defaults
@@ -66,6 +108,9 @@ copy_if_distinct_file() {
   return 0
 }
 
+copy_dir_missing_entries "$BOOTSTRAP_CODEX_AUTH_DIR" "$DOCKER_GIT_AUTH_DIR"
+copy_dir_missing_entries "$BOOTSTRAP_CLAUDE_AUTH_DIR" "$DOCKER_GIT_CLAUDE_AUTH_DIR"
+
 if [[ -n "$GH_TOKEN" ]]; then
   upsert_env_var "$DOCKER_GIT_ENV_GLOBAL" "GH_TOKEN" "$GH_TOKEN"
 fi

packages/lib/src/core/templates.ts

@@ -10,10 +10,12 @@ export type FileSpec =
 
 const renderGitignore = (): string =>
   `# docker-git project files
-# NOTE: this directory is intended to be committed to the docker-git state repository.
-# It intentionally does not ignore .orch/ or auth files; keep the state repo private.
+# NOTE: bootstrap secrets stay local-only and should not be committed.
 
 # Volatile Codex artifacts (do not commit)
+authorized_keys
+.orch/auth/codex/auth.json
+.orch/auth/claude/
 .orch/auth/codex/log/
 .orch/auth/codex/tmp/
 .orch/auth/codex/sessions/
@@ -22,8 +24,10 @@ const renderGitignore = (): string =>
 
 const renderDockerignore = (): string =>
   `# docker-git build context
-.orch/
-authorized_keys
+.orch/auth/codex/log/
+.orch/auth/codex/tmp/
+.orch/auth/codex/sessions/
+.orch/auth/codex/models_cache.json
 `
 
 const renderConfigJson = (config: TemplateConfig): string =>
@@ -52,6 +56,7 @@ export const planFiles = (config: TemplateConfig): ReadonlyArray<FileSpec> => {
     { _tag: "File", relativePath: ".gitignore", contents: renderGitignore() },
     ...maybePlaywrightFiles,
     { _tag: "Dir", relativePath: ".orch/auth/codex" },
+    { _tag: "Dir", relativePath: ".orch/auth/claude" },
     { _tag: "Dir", relativePath: ".orch/env" }
   ]
 }

packages/lib/src/core/templates/docker-compose.ts

@@ -1,4 +1,4 @@
-import { resolveComposeNetworkName, type TemplateConfig } from "../domain.js"
+import { dockerGitSharedCodexVolumeName, resolveComposeNetworkName, type TemplateConfig } from "../domain.js"
 
 type ComposeFragments = {
   readonly networkMode: TemplateConfig["dockerNetworkMode"]
@@ -11,14 +11,12 @@ type ComposeFragments = {
   readonly maybeDependsOn: string
   readonly maybePlaywrightEnv: string
   readonly maybeBrowserService: string
-  readonly maybeBrowserVolume: string
   readonly forkRepoUrl: string
 }
 
-type PlaywrightFragments = Pick<
-  ComposeFragments,
-  "maybeDependsOn" | "maybePlaywrightEnv" | "maybeBrowserService" | "maybeBrowserVolume"
->
+type PlaywrightFragments = Pick<ComposeFragments, "maybeDependsOn" | "maybePlaywrightEnv" | "maybeBrowserService">
+
+const sharedCodexVolumeKey = "docker_git_shared_codex"
 
 const renderGitTokenLabelEnv = (gitTokenLabel: string): string =>
   gitTokenLabel.length > 0
@@ -45,12 +43,6 @@ const renderAgentAutoEnv = (agentAuto: boolean | undefined): string =>
     ? `      AGENT_AUTO: "1"\n`
     : ""
 
-const renderProjectsRootHostMount = (projectsRoot: string): string =>
-  `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}`
-
-const renderSharedCodexHostMount = (projectsRoot: string): string =>
-  `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}/.orch/auth/codex`
-
 const buildPlaywrightFragments = (
   config: TemplateConfig,
   networkName: string
@@ -59,8 +51,7 @@ const buildPlaywrightFragments = (
     return {
       maybeDependsOn: "",
       maybePlaywrightEnv: "",
-      maybeBrowserService: "",
-      maybeBrowserVolume: ""
+      maybeBrowserService: ""
     }
   }
 
@@ -75,8 +66,7 @@ const buildPlaywrightFragments = (
     maybePlaywrightEnv:
       `      MCP_PLAYWRIGHT_ENABLE: "1"\n      MCP_PLAYWRIGHT_CDP_ENDPOINT: "${browserCdpEndpoint}"\n`,
     maybeBrowserService:
-      `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
-    maybeBrowserVolume: `  ${browserVolumeName}:\n`
+      `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`
   }
 }
 
@@ -105,7 +95,6 @@ const buildComposeFragments = (config: TemplateConfig): ComposeFragments => {
     maybeDependsOn: playwright.maybeDependsOn,
     maybePlaywrightEnv: playwright.maybePlaywrightEnv,
     maybeBrowserService: playwright.maybeBrowserService,
-    maybeBrowserVolume: playwright.maybeBrowserVolume,
     forkRepoUrl
   }
 }
@@ -132,10 +121,7 @@ ${fragments.maybePlaywrightEnv}${fragments.maybeDependsOn}    env_file:
       - "127.0.0.1:${config.sshPort}:22"
     volumes:
       - ${config.volumeName}:/home/${config.sshUser}
-      - ${renderProjectsRootHostMount(config.dockerGitPath)}:/home/${config.sshUser}/.docker-git
-      - ${config.authorizedKeysPath}:/authorized_keys:ro
-      - ${config.codexAuthPath}:${config.codexHome}
-      - ${renderSharedCodexHostMount(config.dockerGitPath)}:${config.codexHome}-shared
+      - ${sharedCodexVolumeKey}:${config.codexHome}-shared
       - /var/run/docker.sock:/var/run/docker.sock
     networks:
       - ${fragments.networkName}
@@ -153,16 +139,21 @@ const renderComposeNetworks = (
   ${networkName}:
     driver: bridge`
 
-const renderComposeVolumes = (config: TemplateConfig, maybeBrowserVolume: string): string =>
-  `volumes:
-  ${config.volumeName}:
-${maybeBrowserVolume}`
+const renderComposeVolumes = (config: TemplateConfig, enableMcpPlaywright: boolean): string =>
+  [
+    "volumes:",
+    `  ${config.volumeName}:`,
+    `  ${sharedCodexVolumeKey}:`,
+    "    external: true",
+    `    name: ${dockerGitSharedCodexVolumeName}`,
+    ...(enableMcpPlaywright ? [`  ${config.volumeName}-browser:`] : [])
+  ].join("\n")
 
 export const renderDockerCompose = (config: TemplateConfig): string => {
   const fragments = buildComposeFragments(config)
   return [
     renderComposeServices(config, fragments),
     renderComposeNetworks(fragments.networkMode, fragments.networkName),
-    renderComposeVolumes(config, fragments.maybeBrowserVolume)
+    renderComposeVolumes(config, config.enableMcpPlaywright)
   ].join("\n\n")
 }