feat(auth): claude code oauth profiles

Author: skulidropek

packages/app/src/docker-git/cli/parser-auth.ts

@@ -8,6 +8,7 @@ import { parseRawOptions } from "./parser-options.js"
 type AuthOptions = {
   readonly envGlobalPath: string
   readonly codexAuthPath: string
+  readonly claudeAuthPath: string
   readonly label: string | null
   readonly token: string | null
   readonly scopes: string | null
@@ -32,10 +33,12 @@ const normalizeLabel = (value: string | undefined): string | null => {
 
 const defaultEnvGlobalPath = ".docker-git/.orch/env/global.env"
 const defaultCodexAuthPath = ".docker-git/.orch/auth/codex"
+const defaultClaudeAuthPath = ".docker-git/.orch/auth/claude"
 
 const resolveAuthOptions = (raw: RawOptions): AuthOptions => ({
   envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
   codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
+  claudeAuthPath: defaultClaudeAuthPath,
   label: normalizeLabel(raw.label),
   token: normalizeLabel(raw.token),
   scopes: normalizeLabel(raw.scopes),
@@ -91,6 +94,29 @@ const buildCodexCommand = (action: string, options: AuthOptions): Either.Either<
     Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
   )
 
+const buildClaudeCommand = (action: string, options: AuthOptions): Either.Either<AuthCommand, ParseError> =>
+  Match.value(action).pipe(
+    Match.when("login", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeLogin",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.when("status", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeStatus",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.when("logout", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthClaudeLogout",
+        label: options.label,
+        claudeAuthPath: options.claudeAuthPath
+      })),
+    Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
+  )
+
 const buildAuthCommand = (
   provider: string,
   action: string,
@@ -100,6 +126,8 @@ const buildAuthCommand = (
     Match.when("github", () => buildGithubCommand(action, options)),
     Match.when("gh", () => buildGithubCommand(action, options)),
     Match.when("codex", () => buildCodexCommand(action, options)),
+    Match.when("claude", () => buildClaudeCommand(action, options)),
+    Match.when("cc", () => buildClaudeCommand(action, options)),
     Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`)))
   )
 

packages/app/src/docker-git/cli/usage.ts

@@ -28,7 +28,7 @@ Commands:
   sessions            List/kill/log container terminal processes
   ps, status          Show docker compose status for all docker-git projects
   down-all            Stop all docker-git containers (docker compose down)
-  auth                Manage GitHub/Codex auth for docker-git
+  auth                Manage GitHub/Codex/Claude Code auth for docker-git
   state               Manage docker-git state directory via git (sync across machines)
 
 Options:
@@ -71,6 +71,7 @@ Container runtime env (set via .orch/env/project.env):
 Auth providers:
   github, gh         GitHub CLI auth (tokens saved to env file)
   codex             Codex CLI auth (stored under .orch/auth/codex)
+  claude, cc        Claude Code CLI auth (OAuth cache stored under .orch/auth/claude)
 
 Auth actions:
   login             Run login flow and store credentials

packages/app/src/docker-git/menu-auth-data.ts

@@ -7,6 +7,7 @@ import { type AppError } from "@effect-template/lib/usecases/errors"
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
 import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 
+import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 import { buildLabeledEnvKey, countKeyEntries, normalizeLabel } from "./menu-labeled-env.js"
 import type { AuthFlow, AuthSnapshot, MenuEnv } from "./menu-types.js"
 
@@ -17,8 +18,10 @@ type AuthMenuItem = {
   readonly label: string
 }
 
+export type AuthEnvFlow = Extract<AuthFlow, "GithubRemove" | "GitSet" | "GitRemove">
+
 export type AuthPromptStep = {
-  readonly key: "label" | "token" | "user" | "apiKey"
+  readonly key: "label" | "token" | "user"
   readonly label: string
   readonly required: boolean
   readonly secret: boolean
@@ -29,8 +32,8 @@ const authMenuItems: ReadonlyArray<AuthMenuItem> = [
   { action: "GithubRemove", label: "GitHub: remove token" },
   { action: "GitSet", label: "Git: add/update credentials" },
   { action: "GitRemove", label: "Git: remove credentials" },
-  { action: "ClaudeSet", label: "Claude: add/update API key" },
-  { action: "ClaudeRemove", label: "Claude: remove API key" },
+  { action: "ClaudeOauth", label: "Claude Code: login via OAuth (web)" },
+  { action: "ClaudeLogout", label: "Claude Code: logout (clear cache)" },
   { action: "Refresh", label: "Refresh snapshot" },
   { action: "Back", label: "Back to main menu" }
 ]
@@ -50,12 +53,11 @@ const flowSteps: Readonly<Record<AuthFlow, ReadonlyArray<AuthPromptStep>>> = {
   GitRemove: [
     { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
   ],
-  ClaudeSet: [
-    { key: "label", label: "Label (empty = default)", required: false, secret: false },
-    { key: "apiKey", label: "Claude API key", required: true, secret: true }
+  ClaudeOauth: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
   ],
-  ClaudeRemove: [
-    { key: "label", label: "Label to remove (empty = default)", required: false, secret: false }
+  ClaudeLogout: [
+    { key: "label", label: "Label to logout (empty = default)", required: false, secret: false }
   ]
 }
 
@@ -65,8 +67,8 @@ const flowTitle = (flow: AuthFlow): string =>
     Match.when("GithubRemove", () => "GitHub remove"),
     Match.when("GitSet", () => "Git credentials"),
     Match.when("GitRemove", () => "Git remove"),
-    Match.when("ClaudeSet", () => "Claude API key"),
-    Match.when("ClaudeRemove", () => "Claude remove"),
+    Match.when("ClaudeOauth", () => "Claude Code OAuth"),
+    Match.when("ClaudeLogout", () => "Claude Code logout"),
     Match.exhaustive
   )
 
@@ -76,16 +78,19 @@ export const successMessage = (flow: AuthFlow, label: string): string =>
     Match.when("GithubRemove", () => `Removed GitHub token (${label}).`),
     Match.when("GitSet", () => `Saved Git credentials (${label}).`),
     Match.when("GitRemove", () => `Removed Git credentials (${label}).`),
-    Match.when("ClaudeSet", () => `Saved Claude key (${label}).`),
-    Match.when("ClaudeRemove", () => `Removed Claude key (${label}).`),
+    Match.when("ClaudeOauth", () => `Saved Claude Code login (${label}).`),
+    Match.when("ClaudeLogout", () => `Logged out Claude Code (${label}).`),
     Match.exhaustive
   )
 
 const buildGlobalEnvPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/env/global.env`
+const buildClaudeAuthPath = (cwd: string): string => `${defaultProjectsRoot(cwd)}/.orch/auth/claude`
 
 type AuthEnvText = {
   readonly fs: FileSystem.FileSystem
+  readonly path: Path.Path
   readonly globalEnvPath: string
+  readonly claudeAuthPath: string
   readonly envText: string
 }
 
@@ -96,29 +101,36 @@ const loadAuthEnvText = (
     const fs = yield* _(FileSystem.FileSystem)
     const path = yield* _(Path.Path)
     const globalEnvPath = buildGlobalEnvPath(cwd)
+    const claudeAuthPath = buildClaudeAuthPath(cwd)
     yield* _(ensureEnvFile(fs, path, globalEnvPath))
     const envText = yield* _(readEnvText(fs, globalEnvPath))
-    return { fs, globalEnvPath, envText }
+    return { fs, path, globalEnvPath, claudeAuthPath, envText }
   })
 
 export const readAuthSnapshot = (
   cwd: string
 ): Effect.Effect<AuthSnapshot, AppError, MenuEnv> =>
   pipe(
     loadAuthEnvText(cwd),
-    Effect.map(({ envText, globalEnvPath }) => ({
-      globalEnvPath,
-      totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
-      githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
-      gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
-      gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
-      claudeKeyEntries: countKeyEntries(envText, "ANTHROPIC_API_KEY")
-    }))
+    Effect.flatMap(({ claudeAuthPath, envText, fs, globalEnvPath, path }) =>
+      pipe(
+        countAuthAccountDirectories(fs, path, claudeAuthPath),
+        Effect.map((claudeAuthEntries) => ({
+          globalEnvPath,
+          claudeAuthPath,
+          totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
+          githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
+          gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
+          gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
+          claudeAuthEntries
+        }))
+      )
+    )
   )
 
 export const writeAuthFlow = (
   cwd: string,
-  flow: AuthFlow,
+  flow: AuthEnvFlow,
   values: Readonly<Record<string, string>>
 ): Effect.Effect<void, AppError, MenuEnv> =>
   pipe(
@@ -131,9 +143,7 @@ export const writeAuthFlow = (
       })()
       const token = (values["token"] ?? "").trim()
       const user = (values["user"] ?? "").trim()
-      const apiKey = (values["apiKey"] ?? "").trim()
       const nextText = Match.value(flow).pipe(
-        Match.when("GithubOauth", () => envText),
         Match.when("GithubRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("GITHUB_TOKEN", label), "")),
         Match.when("GitSet", () => {
           const withToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), token)
@@ -144,17 +154,12 @@ export const writeAuthFlow = (
           const withoutToken = upsertEnvKey(envText, buildLabeledEnvKey("GIT_AUTH_TOKEN", label), "")
           return upsertEnvKey(withoutToken, buildLabeledEnvKey("GIT_AUTH_USER", label), "")
         }),
-        Match.when("ClaudeSet", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), apiKey)),
-        Match.when("ClaudeRemove", () => upsertEnvKey(envText, buildLabeledEnvKey("ANTHROPIC_API_KEY", label), "")),
         Match.exhaustive
       )
       const syncMessage = Match.value(flow).pipe(
-        Match.when("GithubOauth", () => `chore(state): auth gh ${canonicalLabel}`),
         Match.when("GithubRemove", () => `chore(state): auth gh logout ${canonicalLabel}`),
         Match.when("GitSet", () => `chore(state): auth git ${canonicalLabel}`),
         Match.when("GitRemove", () => `chore(state): auth git logout ${canonicalLabel}`),
-        Match.when("ClaudeSet", () => `chore(state): auth claude ${canonicalLabel}`),
-        Match.when("ClaudeRemove", () => `chore(state): auth claude logout ${canonicalLabel}`),
         Match.exhaustive
       )
       return pipe(

packages/app/src/docker-git/menu-auth-helpers.ts

@@ -0,0 +1,30 @@
+import type * as FileSystem from "@effect/platform/FileSystem"
+import type * as Path from "@effect/platform/Path"
+import { Effect } from "effect"
+
+import type { AppError } from "@effect-template/lib/usecases/errors"
+
+export const countAuthAccountDirectories = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  root: string
+): Effect.Effect<number, AppError> =>
+  Effect.gen(function*(_) {
+    const exists = yield* _(fs.exists(root))
+    if (!exists) {
+      return 0
+    }
+    const entries = yield* _(fs.readDirectory(root))
+    let count = 0
+    for (const entry of entries) {
+      if (entry === ".image") {
+        continue
+      }
+      const fullPath = path.join(root, entry)
+      const info = yield* _(fs.stat(fullPath))
+      if (info.type === "Directory") {
+        count += 1
+      }
+    }
+    return count
+  })

packages/app/src/docker-git/menu-auth.ts

@@ -1,6 +1,6 @@
-import { Effect, pipe } from "effect"
+import { Effect, Match, pipe } from "effect"
 
-import { authGithubLogin } from "@effect-template/lib/usecases/auth"
+import { authClaudeLogin, authClaudeLogout, authGithubLogin, claudeAuthRoot } from "@effect-template/lib/usecases/auth"
 import type { AppError } from "@effect-template/lib/usecases/errors"
 import { renderError } from "@effect-template/lib/usecases/errors"
 
@@ -68,23 +68,43 @@ const startAuthPrompt = (
   context.setMessage(null)
 }
 
+const resolveLabelOption = (values: Readonly<Record<string, string>>): string | null => {
+  const labelValue = (values["label"] ?? "").trim()
+  return labelValue.length > 0 ? labelValue : null
+}
+
 const resolveAuthPromptEffect = (
   view: AuthPromptView,
   cwd: string,
   values: Readonly<Record<string, string>>
 ): Effect.Effect<void, AppError, MenuEnv> => {
-  if (view.flow === "GithubOauth") {
-    const labelValue = (values["label"] ?? "").trim()
-    const labelOption = labelValue.length > 0 ? labelValue : null
-    return authGithubLogin({
-      _tag: "AuthGithubLogin",
-      label: labelOption,
-      token: null,
-      scopes: null,
-      envGlobalPath: view.snapshot.globalEnvPath
-    })
-  }
-  return writeAuthFlow(cwd, view.flow, values)
+  const labelOption = resolveLabelOption(values)
+  return Match.value(view.flow).pipe(
+    Match.when("GithubOauth", () =>
+      authGithubLogin({
+        _tag: "AuthGithubLogin",
+        label: labelOption,
+        token: null,
+        scopes: null,
+        envGlobalPath: view.snapshot.globalEnvPath
+      })),
+    Match.when("ClaudeOauth", () =>
+      authClaudeLogin({
+        _tag: "AuthClaudeLogin",
+        label: labelOption,
+        claudeAuthPath: claudeAuthRoot
+      })),
+    Match.when("ClaudeLogout", () =>
+      authClaudeLogout({
+        _tag: "AuthClaudeLogout",
+        label: labelOption,
+        claudeAuthPath: claudeAuthRoot
+      })),
+    Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.exhaustive
+  )
 }
 
 const runAuthPromptEffect = (
@@ -162,7 +182,9 @@ const submitAuthPrompt = (
     (nextValues) => {
       const label = defaultLabel(nextValues["label"] ?? "")
       const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)
-      runAuthPromptEffect(effect, view, label, context, { suspendTui: view.flow === "GithubOauth" })
+      runAuthPromptEffect(effect, view, label, context, {
+        suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout"
+      })
     }
   )
 }