feat(cli): add --git-token label selection for clone/create auth

Author: skulidropek

packages/app/src/docker-git/cli/parser-options.ts

@@ -23,6 +23,7 @@ interface ValueOptionSpec {
     | "archivePath"
     | "scrapMode"
     | "label"
+    | "gitTokenLabel"
     | "token"
     | "scopes"
     | "message"
@@ -51,6 +52,7 @@ const valueOptionSpecs: ReadonlyArray<ValueOptionSpec> = [
   { flag: "--archive", key: "archivePath" },
   { flag: "--mode", key: "scrapMode" },
   { flag: "--label", key: "label" },
+  { flag: "--git-token", key: "gitTokenLabel" },
   { flag: "--token", key: "token" },
   { flag: "--scopes", key: "scopes" },
   { flag: "--message", key: "message" },
@@ -99,6 +101,7 @@ const valueFlagUpdaters: { readonly [K in ValueKey]: (raw: RawOptions, value: st
   archivePath: (raw, value) => ({ ...raw, archivePath: value }),
   scrapMode: (raw, value) => ({ ...raw, scrapMode: value }),
   label: (raw, value) => ({ ...raw, label: value }),
+  gitTokenLabel: (raw, value) => ({ ...raw, gitTokenLabel: value }),
   token: (raw, value) => ({ ...raw, token: value }),
   scopes: (raw, value) => ({ ...raw, scopes: value }),
   message: (raw, value) => ({ ...raw, message: value }),
@@ -132,6 +135,19 @@ export const parseRawOptions = (args: ReadonlyArray<string>): Either.Either<RawO
 
   while (index < args.length) {
     const token = args[index] ?? ""
+    const equalIndex = token.indexOf("=")
+    if (equalIndex > 0 && token.startsWith("-")) {
+      const flag = token.slice(0, equalIndex)
+      const inlineValue = token.slice(equalIndex + 1)
+      const nextRaw = applyCommandValueFlag(raw, flag, inlineValue)
+      if (Either.isLeft(nextRaw)) {
+        return Either.left(nextRaw.left)
+      }
+      raw = nextRaw.right
+      index += 1
+      continue
+    }
+
     const booleanApplied = applyCommandBooleanFlag(raw, token)
     if (booleanApplied !== null) {
       raw = booleanApplied

packages/app/src/docker-git/cli/usage.ts

@@ -49,6 +49,7 @@ Options:
   --project-dir <path>      Project directory for attach (default: .)
   --archive <path>          Scrap snapshot directory (default: .orch/scrap/session)
   --mode <session>          Scrap mode (default: session)
+  --git-token <label>       Token label for clone/create (maps to GITHUB_TOKEN__<LABEL>, example: agiens)
   --wipe | --no-wipe        Wipe workspace before scrap import (default: --wipe)
   --lines <n>               Tail last N lines for sessions logs (default: 200)
   --include-default         Show default/system processes in sessions list

packages/app/tests/docker-git/parser.test.ts

@@ -101,6 +101,11 @@ describe("parseArgs", () => {
       expect(command.openSsh).toBe(false)
     }))
 
+  it.effect("parses clone git token label from inline option and normalizes it", () =>
+    expectCreateCommand(["clone", "https://github.com/org/repo.git", "--git-token=#agiens"], (command) => {
+      expect(command.config.gitTokenLabel).toBe("AGIENS")
+    }))
+
   it.effect("supports enabling SSH auto-open for create", () =>
     expectCreateCommand(["create", "--repo-url", "https://github.com/org/repo.git", "--ssh"], (command) => {
       expect(command.openSsh).toBe(true)

packages/lib/src/core/command-builders.ts

@@ -48,6 +48,22 @@ export const nonEmpty = (
 
 const normalizeSecretsRoot = (value: string): string => trimRightChar(value, "/")
 
+const normalizeGitTokenLabel = (value: string | undefined): string | undefined => {
+  const trimmed = value?.trim() ?? ""
+  if (trimmed.length === 0) {
+    return undefined
+  }
+  const normalized = trimmed
+    .toUpperCase()
+    .replaceAll(/[^A-Z0-9]+/g, "_")
+  const withoutLeading = normalized.replace(/^_+/, "")
+  const cleaned = withoutLeading.replace(/_+$/, "")
+  if (cleaned.length === 0 || cleaned === "DEFAULT") {
+    return undefined
+  }
+  return cleaned
+}
+
 type RepoBasics = {
   readonly repoUrl: string
   readonly repoSlug: string
@@ -206,6 +222,7 @@ export const buildCreateCommand = (
     const force = raw.force ?? false
     const forceEnv = raw.forceEnv ?? false
     const enableMcpPlaywright = raw.enableMcpPlaywright ?? false
+    const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel)
 
     return {
       _tag: "Create",
@@ -222,6 +239,7 @@ export const buildCreateCommand = (
         sshPort: repo.sshPort,
         repoUrl: repo.repoUrl,
         repoRef: repo.repoRef,
+        ...(gitTokenLabel === undefined ? {} : { gitTokenLabel }),
         targetDir: repo.targetDir,
         volumeName: names.volumeName,
         dockerGitPath: paths.dockerGitPath,

packages/lib/src/core/command-options.ts

@@ -30,6 +30,7 @@ export interface RawOptions {
   readonly scrapMode?: string
   readonly wipe?: boolean
   readonly label?: string
+  readonly gitTokenLabel?: string
   readonly token?: string
   readonly scopes?: string
   readonly message?: string

packages/lib/src/core/domain.ts

@@ -10,6 +10,7 @@ export interface TemplateConfig {
   readonly repoUrl: string
   readonly repoRef: string
   readonly forkRepoUrl?: string
+  readonly gitTokenLabel?: string | undefined
   readonly targetDir: string
   readonly volumeName: string
   readonly dockerGitPath: string

packages/lib/src/core/templates-entrypoint/tasks.ts

@@ -43,9 +43,45 @@ else
   fi
   chown -R 1000:1000 /home/${config.sshUser}
 
+  RESOLVED_GIT_AUTH_USER="$GIT_AUTH_USER"
+  RESOLVED_GIT_AUTH_TOKEN="$GIT_AUTH_TOKEN"
+  RESOLVED_GIT_AUTH_LABEL=""
+  GIT_TOKEN_LABEL_RAW="\${GIT_AUTH_LABEL:-\${GITHUB_AUTH_LABEL:-}}"
+
+  if [[ -z "$GIT_TOKEN_LABEL_RAW" && "$REPO_URL" == https://github.com/* ]]; then
+    GIT_TOKEN_LABEL_RAW="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##' | cut -d/ -f1)"
+  fi
+
+  if [[ -n "$GIT_TOKEN_LABEL_RAW" ]]; then
+    RESOLVED_GIT_AUTH_LABEL="$(printf "%s" "$GIT_TOKEN_LABEL_RAW" | tr '[:lower:]' '[:upper:]' | sed -E 's/[^A-Z0-9]+/_/g; s/^_+//; s/_+$//')"
+    if [[ "$RESOLVED_GIT_AUTH_LABEL" == "DEFAULT" ]]; then
+      RESOLVED_GIT_AUTH_LABEL=""
+    fi
+  fi
+
+  if [[ -n "$RESOLVED_GIT_AUTH_LABEL" ]]; then
+    LABELED_GIT_TOKEN_KEY="GIT_AUTH_TOKEN__$RESOLVED_GIT_AUTH_LABEL"
+    LABELED_GITHUB_TOKEN_KEY="GITHUB_TOKEN__$RESOLVED_GIT_AUTH_LABEL"
+    LABELED_GIT_USER_KEY="GIT_AUTH_USER__$RESOLVED_GIT_AUTH_LABEL"
+
+    LABELED_GIT_TOKEN="\${!LABELED_GIT_TOKEN_KEY-}"
+    LABELED_GITHUB_TOKEN="\${!LABELED_GITHUB_TOKEN_KEY-}"
+    LABELED_GIT_USER="\${!LABELED_GIT_USER_KEY-}"
+
+    if [[ -n "$LABELED_GIT_TOKEN" ]]; then
+      RESOLVED_GIT_AUTH_TOKEN="$LABELED_GIT_TOKEN"
+    elif [[ -n "$LABELED_GITHUB_TOKEN" ]]; then
+      RESOLVED_GIT_AUTH_TOKEN="$LABELED_GITHUB_TOKEN"
+    fi
+
+    if [[ -n "$LABELED_GIT_USER" ]]; then
+      RESOLVED_GIT_AUTH_USER="$LABELED_GIT_USER"
+    fi
+  fi
+
   AUTH_REPO_URL="$REPO_URL"
-  if [[ -n "$GIT_AUTH_TOKEN" && "$REPO_URL" == https://* ]]; then
-    AUTH_REPO_URL="$(printf "%s" "$REPO_URL" | sed "s#^https://#https://\${GIT_AUTH_USER}:\${GIT_AUTH_TOKEN}@#")"
+  if [[ -n "$RESOLVED_GIT_AUTH_TOKEN" && "$REPO_URL" == https://* ]]; then
+    AUTH_REPO_URL="$(printf "%s" "$REPO_URL" | sed "s#^https://#https://\${RESOLVED_GIT_AUTH_USER}:\${RESOLVED_GIT_AUTH_TOKEN}@#")"
   fi
 
   CLONE_CACHE_ARGS=""

packages/lib/src/core/templates/docker-compose.ts

@@ -3,6 +3,10 @@ import type { TemplateConfig } from "../domain.js"
 export const renderDockerCompose = (config: TemplateConfig): string => {
   const networkName = `${config.serviceName}-net`
   const forkRepoUrl = config.forkRepoUrl ?? ""
+  const gitTokenLabel = config.gitTokenLabel?.trim() ?? ""
+  const maybeGitTokenLabelEnv = gitTokenLabel.length > 0
+    ? `      GITHUB_AUTH_LABEL: "${gitTokenLabel}"\n      GIT_AUTH_LABEL: "${gitTokenLabel}"\n`
+    : ""
 
   const browserServiceName = `${config.serviceName}-browser`
   const browserContainerName = `${config.containerName}-browser`
@@ -29,6 +33,7 @@ export const renderDockerCompose = (config: TemplateConfig): string => {
       REPO_URL: "${config.repoUrl}"
       REPO_REF: "${config.repoRef}"
       FORK_REPO_URL: "${forkRepoUrl}"
+${maybeGitTokenLabelEnv}      # Optional token label selector (maps to GITHUB_TOKEN__<LABEL>/GIT_AUTH_TOKEN__<LABEL>)
       TARGET_DIR: "${config.targetDir}"
       CODEX_HOME: "${config.codexHome}"
 ${maybePlaywrightEnv}${maybeDependsOn}    env_file:

packages/lib/src/shell/config.ts

@@ -17,6 +17,7 @@ const TemplateConfigSchema = Schema.Struct({
   sshPort: Schema.Number.pipe(Schema.int()),
   repoUrl: Schema.String,
   repoRef: Schema.String,
+  gitTokenLabel: Schema.optional(Schema.String),
   targetDir: Schema.String,
   volumeName: Schema.String,
   dockerGitPath: Schema.optionalWith(Schema.String, {

packages/lib/tests/usecases/prepare-files.test.ts

@@ -29,6 +29,7 @@ const makeGlobalConfig = (root: string, path: Path.Path): TemplateConfig => ({
   sshPort: 2222,
   repoUrl: "https://github.com/org/repo.git",
   repoRef: "main",
+  gitTokenLabel: undefined,
   targetDir: "/home/dev/org/repo",
   volumeName: "dg-test-home",
   dockerGitPath: path.join(root, ".docker-git"),
@@ -45,14 +46,16 @@ const makeGlobalConfig = (root: string, path: Path.Path): TemplateConfig => ({
 const makeProjectConfig = (
   outDir: string,
   enableMcpPlaywright: boolean,
-  path: Path.Path
+  path: Path.Path,
+  gitTokenLabel?: string
 ): TemplateConfig => ({
   containerName: "dg-test",
   serviceName: "dg-test",
   sshUser: "dev",
   sshPort: 2222,
   repoUrl: "https://github.com/org/repo.git",
   repoRef: "main",
+  gitTokenLabel,
   targetDir: "/home/dev/org/repo",
   volumeName: "dg-test-home",
   dockerGitPath: path.join(outDir, ".docker-git"),
@@ -92,7 +95,7 @@ describe("prepareProjectFiles", () => {
         const outDir = path.join(root, "project")
         const globalConfig = makeGlobalConfig(root, path)
         const withoutMcp = makeProjectConfig(outDir, false, path)
-        const withMcp = makeProjectConfig(outDir, true, path)
+        const withMcp = makeProjectConfig(outDir, true, path, "AGIENS")
 
         yield* _(
           prepareProjectFiles(outDir, root, globalConfig, withoutMcp, {
@@ -128,6 +131,8 @@ describe("prepareProjectFiles", () => {
 
         expect(composeAfter).toContain("dg-test-browser")
         expect(composeAfter).toContain('MCP_PLAYWRIGHT_ENABLE: "1"')
+        expect(composeAfter).toContain('GITHUB_AUTH_LABEL: "AGIENS"')
+        expect(composeAfter).toContain('GIT_AUTH_LABEL: "AGIENS"')
         expect(readEnableMcpPlaywrightFlag(configAfter)).toBe(true)
       })
     ).pipe(Effect.provide(NodeContext.layer)))