feat(auth): add generic per-host git connections via token (#368)

[konard]

Что и зачем

Закрывает #368.

Два запроса из issue:

1. Подключения к git-хостам, отличным от GitHub/GitLab (Gitea, Bitbucket, self-hosted и т.д.).
2. Настройка GitHub/GitLab без OAuth — просто токеном (--token).

Решение

Добавлен универсальный провайдер git, который настраивает подключение
парой «хост + токен». Токены сохраняются в общий env-файл как host-scoped
ключи GIT_AUTH_TOKEN__<HOST> / GIT_AUTH_USER__<HOST>, а внутри
контейнера git credential helper по HTTPS сам подбирает нужный токен по хосту.

CLI

# github/gitlab без OAuth — просто токеном
docker-git auth github login --token <token>
docker-git auth gitlab login --token <token>

# любой другой git-хост
docker-git auth git login --host git.example.com --token <token>
docker-git auth git login --host git.example.com --token <token> --user deploy-bot
docker-git auth git status
docker-git auth git logout --host git.example.com

API

• GET /auth/git/status — возвращает только host и HTTPS-пользователя.
• POST /auth/git/login — { host, token, user? }.
• POST /auth/git/logout — { host }.

Контейнер

docker-git-credential-helper для HTTPS-remote сначала резолвит
per-host токен GIT_AUTH_TOKEN__<HOST_KEY> (нормализация хоста совпадает с
CLI/web: uppercase, не-alphanumeric → _, обрезка _), затем падает на
дефолты github.com/gitlab.com и глобальный GIT_AUTH_TOKEN. Host-scoped
креды также экспортируются в login/SSH-шеллы, чтобы clone/push
работали вне entrypoint.

Безопасность

Значения токенов никогда не логируются и не возвращаются API — status
показывает только хост и имя пользователя.

Как воспроизвести / проверить

bun run docker-git auth git login --host git.example.com --token <token> --user deploy-bot
bun run docker-git auth git status     # -> Git connections (1): - GIT_EXAMPLE_COM (user: deploy-bot)
bun run docker-git auth git logout --host git.example.com

Тесты

• packages/lib/tests/usecases/auth-git.test.ts — login/status/logout, дефолт
  пользователя x-access-token, типизированный AuthError при пустом хосте,
  чистые хелперы (normalizeGitHost, buildGitTokenKey, gitHostFromKey,
  listGitConnections).
• packages/api/tests/auth.test.ts — API login/status/logout без утечки токена.
• packages/app/tests/docker-git/parser-auth.test.ts — парсинг CLI (host/token/
  user обязательны/опциональны, --scopes отклоняется).
• packages/lib/tests/core/templates.test.ts — рендер per-host credential helper
  и экспорт host-scoped env.

Локально зелёные: bun run lint (0 ошибок, 0 дубликатов), bun run check,
bun run lint:effect, bun run test (lib 289), bun run api:test (187).

Fixes #368

[coderabbitai]

Warning

Review limit reached

@konard, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 41 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0f1ad541-f95c-4daf-91a4-f0d390499638

📥 Commits

Reviewing files that changed from the base of the PR and between 8889c5c and b38f259.

📒 Files selected for processing (29)

• .changeset/generic-git-auth-connections.md
• README.md
• packages/api/src/api/contracts.ts
• packages/api/src/api/schema.ts
• packages/api/src/http.ts
• packages/api/src/services/auth.ts
• packages/api/tests/auth.test.ts
• packages/app/src/docker-git/api-client-auth.ts
• packages/app/src/docker-git/api-client.ts
• packages/app/src/docker-git/cli/parser-auth.ts
• packages/app/src/docker-git/cli/parser-options.ts
• packages/app/src/docker-git/cli/usage.ts
• packages/app/src/docker-git/frontend-lib/core/auth-domain.ts
• packages/app/src/docker-git/frontend-lib/core/command-options.ts
• packages/app/src/docker-git/frontend-lib/core/domain.ts
• packages/app/src/docker-git/program-auth.ts
• packages/app/src/lib/core/auth-domain.ts
• packages/app/src/lib/core/command-options.ts
• packages/app/src/lib/core/domain.ts
• packages/app/src/lib/core/templates-entrypoint/git.ts
• packages/app/src/lib/usecases/auth-git.ts
• packages/app/tests/docker-git/parser-auth.test.ts
• packages/lib/src/core/auth-domain.ts
• packages/lib/src/core/command-options.ts
• packages/lib/src/core/domain.ts
• packages/lib/src/core/templates-entrypoint/git.ts
• packages/lib/src/usecases/auth-git.ts
• packages/lib/tests/core/templates.test.ts
• packages/lib/tests/usecases/auth-git.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[konard]

Working session summary

The work on issue #368 is complete. Here's a summary of what was accomplished this session and the final state.

Resolution

I cleared the two remaining lint blockers, then finalized and verified the PR.

1. jscpd duplications (bun run --filter @prover-coder-ai/docker-git lint) — fixed in auth-git.ts (kept byte-identical across packages/lib/src/usecases/ and packages/app/src/lib/usecases/):

• Extracted a shared withGitHostEnv prologue used by both authGitLogin and authGitLogout (killed the two self-clones).
• Rewrote normalizeGitHost to drop the trim/empty boilerplate it shared with auth-gitlab.ts, delegating to a small stripGitHostPath helper.
• Converted the @effect/platform type imports from namespace to named imports, breaking the 5-line import-header clone with controller-docker.ts.

2. max-lines-per-function in templates-entrypoint/git.ts (lib eslint, not caught by app lint) — the two template renderers I had expanded exceeded 50 lines. Split renderAuthBridgeFinalize into github/gitlab/generic bridge helpers, and split the credential-helper script into head/tail renderers. Rendered output is byte-identical (templates test still green). Synced to the packages/app/src/lib/ copy.

Verification (all local, green)

• bun run lint — 0 errors, 0 duplicates across all packages
• bun run check and bun run lint:effect — exit 0
• bun run test — lib 289 passed; app+lib exit 0
• bun run api:test — 187 passed (185 baseline + 2 new git tests)

PR #393 finalized

• Removed the auto-generated .gitkeep task placeholder (per its own removal contract).
• Title → feat(auth): add generic per-host git connections via token (#368); description rewritten with reproduction steps, security note, and test inventory.
• Marked ready for review.
• CI passing on the latest commit b38f2593 (conclusion: success): Build, Lint, Lint Effect-TS, Test, Types, Snapshot, all 8 E2E jobs, Final build on all 3 OSes, dist-deps-prune. The only non-passing check is CodeRabbit, which failed on "Insufficient review credits" — an external billing limit, not a code issue.

PR: #393

The feature delivers both halves of the issue: a generic git provider for non-GitHub/GitLab hosts (auth git login/status/logout --host/--token/--user, persisted as host-scoped GIT_AUTH_TOKEN__<HOST>/GIT_AUTH_USER__<HOST> and resolved per-host by the in-container HTTPS credential helper), plus token-based (--token) non-interactive setup for GitHub/GitLab. Token values are never logged or returned by the API.

---

This summary was automatically extracted from the AI working session output.

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $23.410767

📊 Context and tokens usage:

Claude Opus 4.8: (6 sub-sessions)

1. 117.4K / 1M (12%) input tokens, 25.8K / 128K (20%) output tokens
2. 117.3K / 1M (12%) input tokens, 30.0K / 128K (23%) output tokens
3. 117.0K / 1M (12%) input tokens, 30.8K / 128K (24%) output tokens
4. 115.4K / 1M (12%) input tokens, 23.4K / 128K (18%) output tokens
5. 110.2K / 1M (11%) input tokens, 38.0K / 128K (30%) output tokens
6. 109.0K / 1M (11%) input tokens, 34.4K / 128K (27%) output tokens

Total: (98.8K new + 702.1K cache writes + 25.2M cache reads) input tokens, 224.0K output tokens, $23.083574 cost

Claude Haiku 4.5:

• 77.5K / 200K (39%) input tokens, 9.1K / 64K (14%) output tokens

Total: (164 new + 77.4K cache writes + 1.8M cache reads) input tokens, 9.1K output tokens, $0.327193 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Main model: Claude Opus 4.8 (claude-opus-4-8)
• Additional models:
  • Claude Haiku 4.5 (claude-haiku-4-5-20251001)

📎 Log file uploaded as Gist (10685KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag