fix(shell): harden codex auth bootstrap seeding

Author: skulidropek

packages/app/src/lib/usecases/shared-volume-seed.ts

@@ -16,25 +16,35 @@ import type { DockerCommandError } from "../shell/errors.js"
 
 type SharedVolumeSeedEnvironment = CommandExecutor | FileSystem.FileSystem | Path.Path
 
+const isNotFoundSystemError = (error: PlatformError): boolean =>
+  error._tag === "SystemError" && error.reason === "NotFound"
+
 const resolvePathFromBase = (
   path: Path.Path,
   baseDir: string,
   targetPath: string
 ): string => (path.isAbsolute(targetPath) ? targetPath : path.resolve(baseDir, targetPath))
 
+const statIfPresent = (
+  fs: FileSystem.FileSystem,
+  targetPath: string
+): Effect.Effect<FileSystem.File.Info | null, PlatformError> =>
+  fs.stat(targetPath).pipe(
+    Effect.catchTag("SystemError", (error) =>
+      isNotFoundSystemError(error)
+        ? Effect.succeed(null)
+        : Effect.fail(error))
+  )
+
 const copyDirRecursive = (
   fs: FileSystem.FileSystem,
   path: Path.Path,
   sourceDir: string,
   targetDir: string
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    const exists = yield* _(fs.exists(sourceDir))
-    if (!exists) {
-      return
-    }
-    const info = yield* _(fs.stat(sourceDir))
-    if (info.type !== "Directory") {
+    const info = yield* _(statIfPresent(fs, sourceDir))
+    if (info === null || info.type !== "Directory") {
       return
     }
 
@@ -43,7 +53,10 @@ const copyDirRecursive = (
     for (const entry of entries) {
       const sourceEntry = path.join(sourceDir, entry)
       const targetEntry = path.join(targetDir, entry)
-      const entryInfo = yield* _(fs.stat(sourceEntry))
+      const entryInfo = yield* _(statIfPresent(fs, sourceEntry))
+      if (entryInfo === null) {
+        continue
+      }
       if (entryInfo.type === "Directory") {
         yield* _(copyDirRecursive(fs, path, sourceEntry, targetEntry))
       } else if (entryInfo.type === "File") {
@@ -60,18 +73,48 @@ const copyFileIfPresent = (
   targetPath: string
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    const exists = yield* _(fs.exists(sourcePath))
-    if (!exists) {
-      return
-    }
-    const info = yield* _(fs.stat(sourcePath))
-    if (info.type !== "File") {
+    const info = yield* _(statIfPresent(fs, sourcePath))
+    if (info === null || info.type !== "File") {
       return
     }
     yield* _(fs.makeDirectory(path.dirname(targetPath), { recursive: true }))
     yield* _(fs.copyFile(sourcePath, targetPath))
   })
 
+const copyCodexAuthFileIfPresent = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sourceDir: string,
+  targetDir: string,
+  fileName: "auth.json" | "config.toml"
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  copyFileIfPresent(fs, path, path.join(sourceDir, fileName), path.join(targetDir, fileName))
+
+const copyLabeledCodexFiles = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sourceRoot: string,
+  targetRoot: string,
+  fileName: "auth.json" | "config.toml"
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const sourceInfo = yield* _(statIfPresent(fs, sourceRoot))
+    if (sourceInfo === null || sourceInfo.type !== "Directory") {
+      return
+    }
+
+    const entries = yield* _(fs.readDirectory(sourceRoot))
+    for (const entry of entries) {
+      const sourceEntry = path.join(sourceRoot, entry)
+      const entryInfo = yield* _(statIfPresent(fs, sourceEntry))
+      if (entryInfo === null || entryInfo.type !== "Directory") {
+        continue
+      }
+
+      yield* _(copyCodexAuthFileIfPresent(fs, path, sourceEntry, path.join(targetRoot, entry), fileName))
+    }
+  })
+
 type BootstrapSeedConfig = Pick<
   TemplateConfig,
   "authorizedKeysPath" | "envGlobalPath" | "envProjectPath" | "codexAuthPath" | "codexSharedAuthPath"
@@ -163,12 +206,18 @@ const copyBootstrapSnapshotAuthDirs = (
   targets: BootstrapSnapshotTargets
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    yield* _(copyDirRecursive(fs, path, sources.codexAuthSource, targets.projectCodexTarget))
+    yield* _(copyCodexAuthFileIfPresent(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "auth.json"))
+    yield* _(copyCodexAuthFileIfPresent(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "config.toml"))
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "auth.json"))
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "config.toml"))
     yield* _(copyDirRecursive(fs, path, sources.claudeAuthSource, targets.projectClaudeTarget))
-    yield* _(copyDirRecursive(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget))
+    yield* _(
+      copyCodexAuthFileIfPresent(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget, "auth.json")
+    )
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget, "auth.json"))
   })
 
-const stageBootstrapSnapshot = (
+export const stageBootstrapSnapshot = (
   stagingDir: string,
   projectDir: string,
   config: BootstrapSeedConfig

packages/lib/src/usecases/shared-volume-seed.ts

@@ -15,25 +15,35 @@ import type { DockerCommandError } from "../shell/errors.js"
 
 type SharedVolumeSeedEnvironment = CommandExecutor | FileSystem.FileSystem | Path.Path
 
+const isNotFoundSystemError = (error: PlatformError): boolean =>
+  error._tag === "SystemError" && error.reason === "NotFound"
+
 const resolvePathFromBase = (
   path: Path.Path,
   baseDir: string,
   targetPath: string
 ): string => (path.isAbsolute(targetPath) ? targetPath : path.resolve(baseDir, targetPath))
 
+const statIfPresent = (
+  fs: FileSystem.FileSystem,
+  targetPath: string
+): Effect.Effect<FileSystem.File.Info | null, PlatformError> =>
+  fs.stat(targetPath).pipe(
+    Effect.catchTag("SystemError", (error) =>
+      isNotFoundSystemError(error)
+        ? Effect.succeed(null)
+        : Effect.fail(error))
+  )
+
 const copyDirRecursive = (
   fs: FileSystem.FileSystem,
   path: Path.Path,
   sourceDir: string,
   targetDir: string
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    const exists = yield* _(fs.exists(sourceDir))
-    if (!exists) {
-      return
-    }
-    const info = yield* _(fs.stat(sourceDir))
-    if (info.type !== "Directory") {
+    const info = yield* _(statIfPresent(fs, sourceDir))
+    if (info === null || info.type !== "Directory") {
       return
     }
 
@@ -42,7 +52,10 @@ const copyDirRecursive = (
     for (const entry of entries) {
       const sourceEntry = path.join(sourceDir, entry)
       const targetEntry = path.join(targetDir, entry)
-      const entryInfo = yield* _(fs.stat(sourceEntry))
+      const entryInfo = yield* _(statIfPresent(fs, sourceEntry))
+      if (entryInfo === null) {
+        continue
+      }
       if (entryInfo.type === "Directory") {
         yield* _(copyDirRecursive(fs, path, sourceEntry, targetEntry))
       } else if (entryInfo.type === "File") {
@@ -59,18 +72,48 @@ const copyFileIfPresent = (
   targetPath: string
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    const exists = yield* _(fs.exists(sourcePath))
-    if (!exists) {
-      return
-    }
-    const info = yield* _(fs.stat(sourcePath))
-    if (info.type !== "File") {
+    const info = yield* _(statIfPresent(fs, sourcePath))
+    if (info === null || info.type !== "File") {
       return
     }
     yield* _(fs.makeDirectory(path.dirname(targetPath), { recursive: true }))
     yield* _(fs.copyFile(sourcePath, targetPath))
   })
 
+const copyCodexAuthFileIfPresent = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sourceDir: string,
+  targetDir: string,
+  fileName: "auth.json" | "config.toml"
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  copyFileIfPresent(fs, path, path.join(sourceDir, fileName), path.join(targetDir, fileName))
+
+const copyLabeledCodexFiles = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sourceRoot: string,
+  targetRoot: string,
+  fileName: "auth.json" | "config.toml"
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const sourceInfo = yield* _(statIfPresent(fs, sourceRoot))
+    if (sourceInfo === null || sourceInfo.type !== "Directory") {
+      return
+    }
+
+    const entries = yield* _(fs.readDirectory(sourceRoot))
+    for (const entry of entries) {
+      const sourceEntry = path.join(sourceRoot, entry)
+      const entryInfo = yield* _(statIfPresent(fs, sourceEntry))
+      if (entryInfo === null || entryInfo.type !== "Directory") {
+        continue
+      }
+
+      yield* _(copyCodexAuthFileIfPresent(fs, path, sourceEntry, path.join(targetRoot, entry), fileName))
+    }
+  })
+
 type BootstrapSeedConfig = Pick<
   TemplateConfig,
   "authorizedKeysPath" | "envGlobalPath" | "envProjectPath" | "codexAuthPath" | "codexSharedAuthPath"
@@ -162,12 +205,16 @@ const copyBootstrapSnapshotAuthDirs = (
   targets: BootstrapSnapshotTargets
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
-    yield* _(copyDirRecursive(fs, path, sources.codexAuthSource, targets.projectCodexTarget))
+    yield* _(copyCodexAuthFileIfPresent(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "auth.json"))
+    yield* _(copyCodexAuthFileIfPresent(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "config.toml"))
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "auth.json"))
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexAuthSource, targets.projectCodexTarget, "config.toml"))
     yield* _(copyDirRecursive(fs, path, sources.claudeAuthSource, targets.projectClaudeTarget))
-    yield* _(copyDirRecursive(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget))
+    yield* _(copyCodexAuthFileIfPresent(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget, "auth.json"))
+    yield* _(copyLabeledCodexFiles(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget, "auth.json"))
   })
 
-const stageBootstrapSnapshot = (
+export const stageBootstrapSnapshot = (
   stagingDir: string,
   projectDir: string,
   config: BootstrapSeedConfig

packages/lib/tests/usecases/shared-volume-seed.test.ts

@@ -0,0 +1,114 @@
+import * as fs from "node:fs"
+
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+
+import { stageBootstrapSnapshot } from "../../src/usecases/shared-volume-seed.js"
+
+const withTempDir = <A, E, R>(
+  use: (tempDir: string) => Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R | FileSystem.FileSystem> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const fileSystem = yield* _(FileSystem.FileSystem)
+      const tempDir = yield* _(
+        fileSystem.makeTempDirectoryScoped({
+          prefix: "docker-git-shared-volume-seed-"
+        })
+      )
+      return yield* _(use(tempDir))
+    })
+  )
+
+describe("stageBootstrapSnapshot", () => {
+  it.effect("copies stable Codex auth files and skips transient broken tmp entries", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fileSystem = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+
+        const projectDir = path.join(root, "project")
+        const stagingDir = path.join(root, "staging")
+        const projectCodexDir = path.join(projectDir, ".orch", "auth", "codex")
+        const projectCodexLabelDir = path.join(projectCodexDir, "team-a")
+        const projectClaudeDir = path.join(projectDir, ".orch", "auth", "claude", "default")
+        const sharedCodexDir = path.join(root, ".docker-git", ".orch", "auth", "codex")
+        const sharedCodexLabelDir = path.join(sharedCodexDir, "team-a")
+        const envDir = path.join(projectDir, ".orch", "env")
+
+        yield* _(fileSystem.makeDirectory(projectCodexDir, { recursive: true }))
+        yield* _(fileSystem.makeDirectory(projectCodexLabelDir, { recursive: true }))
+        yield* _(fileSystem.makeDirectory(projectClaudeDir, { recursive: true }))
+        yield* _(fileSystem.makeDirectory(sharedCodexDir, { recursive: true }))
+        yield* _(fileSystem.makeDirectory(sharedCodexLabelDir, { recursive: true }))
+        yield* _(fileSystem.makeDirectory(envDir, { recursive: true }))
+        yield* _(fileSystem.writeFileString(path.join(projectDir, "authorized_keys"), "ssh-ed25519 test\n"))
+        yield* _(fileSystem.writeFileString(path.join(envDir, "global.env"), "GITHUB_TOKEN=test\n"))
+        yield* _(fileSystem.writeFileString(path.join(envDir, "project.env"), "CODEX_SHARE_AUTH=1\n"))
+        yield* _(fileSystem.writeFileString(path.join(projectCodexDir, "auth.json"), "{\"project\":true}\n"))
+        yield* _(fileSystem.writeFileString(path.join(projectCodexDir, "config.toml"), "model = \"gpt-5.4\"\n"))
+        yield* _(fileSystem.writeFileString(path.join(projectCodexLabelDir, "auth.json"), "{\"label\":\"team-a\"}\n"))
+        yield* _(fileSystem.writeFileString(path.join(projectCodexLabelDir, "config.toml"), "model = \"gpt-5.4\"\n"))
+        yield* _(fileSystem.writeFileString(path.join(projectClaudeDir, ".oauth-token"), "claude-token\n"))
+        yield* _(fileSystem.writeFileString(path.join(sharedCodexDir, "auth.json"), "{\"shared\":true}\n"))
+        yield* _(fileSystem.writeFileString(path.join(sharedCodexLabelDir, "auth.json"), "{\"shared\":\"team-a\"}\n"))
+
+        yield* _(
+          Effect.sync(() => {
+            const brokenShimDir = path.join(sharedCodexDir, "tmp", "arg0", "codex-arg0broken")
+            fs.mkdirSync(brokenShimDir, { recursive: true })
+            fs.symlinkSync(
+              "/usr/local/bun/install/global/node_modules/@openai/codex-linux-x64/vendor/x86_64-unknown-linux-musl/codex/codex",
+              path.join(brokenShimDir, "apply_patch")
+            )
+            fs.writeFileSync(path.join(brokenShimDir, ".lock"), "")
+            fs.mkdirSync(path.join(sharedCodexDir, "log"), { recursive: true })
+            fs.writeFileSync(path.join(sharedCodexDir, "log", "codex-login.log"), "transient log\n")
+            fs.mkdirSync(path.join(sharedCodexDir, ".image"), { recursive: true })
+            fs.writeFileSync(path.join(sharedCodexDir, ".image", "Dockerfile"), "FROM scratch\n")
+          })
+        )
+
+        yield* _(
+          stageBootstrapSnapshot(stagingDir, projectDir, {
+            volumeName: "dg-test-home",
+            authorizedKeysPath: path.join(projectDir, "authorized_keys"),
+            envGlobalPath: path.join(projectDir, ".orch", "env", "global.env"),
+            envProjectPath: path.join(projectDir, ".orch", "env", "project.env"),
+            codexAuthPath: path.join(projectDir, ".orch", "auth", "codex"),
+            codexSharedAuthPath: sharedCodexDir
+          })
+        )
+
+        expect(yield* _(fileSystem.readFileString(path.join(stagingDir, "project-auth", "codex", "auth.json")))).toBe(
+          "{\"project\":true}\n"
+        )
+        expect(
+          yield* _(fileSystem.readFileString(path.join(stagingDir, "project-auth", "codex", "config.toml")))
+        ).toBe("model = \"gpt-5.4\"\n")
+        expect(
+          yield* _(fileSystem.readFileString(path.join(stagingDir, "project-auth", "codex", "team-a", "auth.json")))
+        ).toBe("{\"label\":\"team-a\"}\n")
+        expect(
+          yield* _(fileSystem.readFileString(path.join(stagingDir, "project-auth", "codex", "team-a", "config.toml")))
+        ).toBe("model = \"gpt-5.4\"\n")
+        expect(yield* _(fileSystem.readFileString(path.join(stagingDir, "shared-auth", "codex", "auth.json")))).toBe(
+          "{\"shared\":true}\n"
+        )
+        expect(
+          yield* _(fileSystem.readFileString(path.join(stagingDir, "shared-auth", "codex", "team-a", "auth.json")))
+        ).toBe("{\"shared\":\"team-a\"}\n")
+        expect(
+          yield* _(fileSystem.readFileString(path.join(stagingDir, "project-auth", "claude", "default", ".oauth-token")))
+        ).toBe("claude-token\n")
+
+        expect(yield* _(fileSystem.exists(path.join(stagingDir, "shared-auth", "codex", "tmp")))).toBe(false)
+        expect(yield* _(fileSystem.exists(path.join(stagingDir, "shared-auth", "codex", "log")))).toBe(false)
+        expect(yield* _(fileSystem.exists(path.join(stagingDir, "shared-auth", "codex", ".image")))).toBe(false)
+        expect(yield* _(fileSystem.exists(path.join(stagingDir, "project-auth", "codex", "tmp")))).toBe(false)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+})

scripts/e2e/opencode-autoconnect.sh

@@ -119,14 +119,9 @@ AUTH_LOG="$ROOT/codex-auth.log"
   pnpm run docker-git auth codex status --codex-auth "$ROOT/.orch/auth/codex"
 ) >"$AUTH_LOG" 2>&1
 
-grep -Fq -- "Codex auth imported into controller state." "$AUTH_LOG" \
-  || fail "expected controller-owned Codex auth import confirmation"
-
-grep -Fq -- '"present": true' "$AUTH_LOG" \
-  || fail "expected controller-owned Codex auth status confirmation"
-
-grep -Fq -- '"authPath":' "$AUTH_LOG" \
-  || fail "expected controller-owned Codex auth status payload"
+auth_confirmation_count="$(grep -Fc -- "Codex auth imported into controller state (account: ci@example.com)." "$AUTH_LOG" || true)"
+[[ "$auth_confirmation_count" -ge 2 ]] \
+  || fail "expected controller-owned Codex auth import + status confirmations"
 
 clone_attempts=3
 clone_attempt=1