fix(shell): harden auth snapshots and isolate compose projects

Author: skulidropek

packages/app/src/lib/core/domain.ts

@@ -268,4 +268,19 @@ export const resolveComposeNetworkName = (
 export const resolveProjectBootstrapVolumeName = (
   config: Pick<TemplateConfig, "volumeName">
 ): string => `${config.volumeName}-bootstrap`
+
+// CHANGE: derive a stable docker compose project name from typed template config
+// WHY: managed project lifecycle must not depend on the output directory basename, otherwise "docker compose down -v"
+// can target an unrelated stack that happens to share the same folder name (for example the controller repo itself).
+// QUOTE(ТЗ): "Весь процесс должен быть высроен так что основной бекенд крутится в docker"
+// REF: user-request-2026-04-03-compose-project-isolation
+// SOURCE: n/a
+// FORMAT THEOREM: ∀cfg: resolveComposeProjectName(cfg) = p -> deterministic(p) ∧ isolated_compose_project(p)
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: compose project identity is derived solely from serviceName, never cwd basename
+// COMPLEXITY: O(1)
+export const resolveComposeProjectName = (
+  config: Pick<TemplateConfig, "serviceName">
+): string => config.serviceName
 /* jscpd:ignore-end */

packages/app/src/lib/core/templates/docker-compose.ts

@@ -1,5 +1,6 @@
 /* jscpd:ignore-start */
 import {
+  resolveComposeProjectName,
   dockerGitSharedCacheVolumeName,
   dockerGitSharedCodexVolumeName,
   resolveComposeNetworkName,
@@ -213,6 +214,7 @@ export const renderDockerCompose = (
 ): string => {
   const fragments = buildComposeFragments(config, resourceLimits)
   return [
+    `name: ${resolveComposeProjectName(config)}`,
     renderComposeServices(config, fragments, resourceLimits),
     renderComposeNetworks(fragments.networkMode, fragments.networkName),
     renderComposeVolumes(config, fragments.maybeBrowserVolume)

packages/app/src/lib/usecases/actions/prepare-files.ts

@@ -21,6 +21,7 @@ import {
   resolveAuthorizedKeysPath
 } from "../path-helpers.js"
 import { withFsPathContext } from "../runtime.js"
+import { writeFileStringEnsuringParent } from "../volatile-files.js"
 import { resolvePathFromBase } from "./paths.js"
 
 type ExistingFileState = "exists" | "missing"
@@ -49,6 +50,7 @@ const ensureFileReady = (
 
 const appendKeyIfMissing = (
   fs: FileSystem.FileSystem,
+  path: Path.Path,
   resolved: string,
   source: string,
   desiredContents: string
@@ -69,7 +71,7 @@ const appendKeyIfMissing = (
       ? `${desiredContents}\n`
       : `${normalizedCurrent}\n${desiredContents}\n`
 
-    yield* _(fs.writeFileString(resolved, nextContents))
+    yield* _(writeFileStringEnsuringParent(fs, path, resolved, nextContents))
     yield* _(Effect.log(`Authorized keys appended from ${source} to ${resolved}`))
   })
 
@@ -111,8 +113,7 @@ const ensureMissingAuthorizedKeysPlaceholder = (
 ): Effect.Effect<void, PlatformError> =>
   Effect.gen(function*(_) {
     if (state === "missing") {
-      yield* _(fs.makeDirectory(path.dirname(resolved), { recursive: true }))
-      yield* _(fs.writeFileString(resolved, ""))
+      yield* _(writeFileStringEnsuringParent(fs, path, resolved, ""))
     }
 
     yield* _(
@@ -160,13 +161,12 @@ const syncAuthorizedKeysTarget = ({
   Effect.gen(function*(_) {
     if (state === "exists") {
       if (overwriteExisting || resolved === managedDefaultAuthorizedKeys) {
-        yield* _(appendKeyIfMissing(fs, resolved, source, desiredContents))
+        yield* _(appendKeyIfMissing(fs, path, resolved, source, desiredContents))
       }
       return
     }
 
-    yield* _(fs.makeDirectory(path.dirname(resolved), { recursive: true }))
-    yield* _(fs.copyFile(source, resolved))
+    yield* _(writeFileStringEnsuringParent(fs, path, resolved, `${desiredContents}\n`))
     yield* _(Effect.log(`Authorized keys copied from ${source} to ${resolved}`))
   })
 
@@ -254,8 +254,7 @@ const ensureEnvFile = (
         return
       }
 
-      yield* _(fs.makeDirectory(path.dirname(resolved), { recursive: true }))
-      yield* _(fs.writeFileString(resolved, defaultContents))
+      yield* _(writeFileStringEnsuringParent(fs, path, resolved, defaultContents))
     })
   )
 

packages/app/src/lib/usecases/auth-claude.ts

@@ -17,6 +17,7 @@ import { ensureDockerImage } from "./docker-image.js"
 import { resolvePathFromCwd } from "./path-helpers.js"
 import { withFsPathContext } from "./runtime.js"
 import { autoSyncState } from "./state-repo.js"
+import { readFileStringIfPresent, writeFileStringEnsuringParent } from "./volatile-files.js"
 
 type ClaudeRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
 type ClaudeAuthMethod = "none" | "oauth-token" | "claude-ai-session"
@@ -26,6 +27,7 @@ type ClaudeAccountContext = {
   readonly accountPath: string
   readonly cwd: string
   readonly fs: FileSystem.FileSystem
+  readonly path: Path.Path
 }
 
 export const claudeAuthRoot = ".docker-git/.orch/auth/claude"
@@ -46,23 +48,29 @@ const claudeNestedCredentialsPath = (accountPath: string): string =>
 
 const syncClaudeCredentialsFile = (
   fs: FileSystem.FileSystem,
+  path: Path.Path,
   accountPath: string
 ): Effect.Effect<void, PlatformError> =>
   Effect.gen(function*(_) {
     const nestedPath = claudeNestedCredentialsPath(accountPath)
     const rootPath = claudeCredentialsPath(accountPath)
     const nestedExists = yield* _(isRegularFile(fs, nestedPath))
     if (nestedExists) {
-      yield* _(fs.copyFile(nestedPath, rootPath))
-      yield* _(fs.chmod(rootPath, 0o600), Effect.orElseSucceed(() => void 0))
+      const nestedText = yield* _(readFileStringIfPresent(fs, nestedPath))
+      if (nestedText !== null) {
+        yield* _(writeFileStringEnsuringParent(fs, path, rootPath, nestedText))
+        yield* _(fs.chmod(rootPath, 0o600), Effect.orElseSucceed(() => void 0))
+      }
       return
     }
 
     const rootExists = yield* _(isRegularFile(fs, rootPath))
     if (rootExists) {
-      const nestedDirPath = `${accountPath}/${claudeCredentialsDirName}`
-      yield* _(fs.makeDirectory(nestedDirPath, { recursive: true }))
-      yield* _(fs.copyFile(rootPath, nestedPath))
+      const rootText = yield* _(readFileStringIfPresent(fs, rootPath))
+      if (rootText === null) {
+        return
+      }
+      yield* _(writeFileStringEnsuringParent(fs, path, nestedPath, rootText))
       yield* _(fs.chmod(nestedPath, 0o600), Effect.orElseSucceed(() => void 0))
     }
   })
@@ -108,6 +116,7 @@ const readOauthToken = (
 
 const resolveClaudeAuthMethod = (
   fs: FileSystem.FileSystem,
+  path: Path.Path,
   accountPath: string
 ): Effect.Effect<ClaudeAuthMethod, PlatformError> =>
   Effect.gen(function*(_) {
@@ -117,7 +126,7 @@ const resolveClaudeAuthMethod = (
       return "oauth-token"
     }
 
-    yield* _(syncClaudeCredentialsFile(fs, accountPath))
+    yield* _(syncClaudeCredentialsFile(fs, path, accountPath))
     const hasCredentials = yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)))
     return hasCredentials ? "claude-ai-session" : "none"
   })
@@ -187,7 +196,7 @@ const withClaudeAuth = <A, E>(
           buildLabel: "claude auth"
         })
       )
-      return yield* _(run({ accountLabel, accountPath, cwd, fs }))
+      return yield* _(run({ accountLabel, accountPath, cwd, fs, path }))
     })
   )
 
@@ -249,7 +258,7 @@ export const authClaudeLogin = (
   command: AuthClaudeLoginCommand
 ): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, ClaudeRuntime> => {
   const accountLabel = normalizeAccountLabel(command.label, "default")
-  return withClaudeAuth(command, ({ accountPath, cwd, fs }) =>
+  return withClaudeAuth(command, ({ accountPath, cwd, fs, path }) =>
     Effect.gen(function*(_) {
       const token = yield* _(
         runClaudeOauthLoginWithPrompt(cwd, accountPath, {
@@ -259,7 +268,7 @@ export const authClaudeLogin = (
       )
       yield* _(fs.writeFileString(claudeOauthTokenPath(accountPath), `${token}\n`))
       yield* _(fs.chmod(claudeOauthTokenPath(accountPath), 0o600), Effect.orElseSucceed(() => void 0))
-      yield* _(resolveClaudeAuthMethod(fs, accountPath))
+      yield* _(resolveClaudeAuthMethod(fs, path, accountPath))
       const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath, token))
       if (probeExitCode !== 0) {
         yield* _(
@@ -289,9 +298,9 @@ export const authClaudeLogin = (
 export const authClaudeStatus = (
   command: AuthClaudeStatusCommand
 ): Effect.Effect<void, CommandFailedError | PlatformError, ClaudeRuntime> =>
-  withClaudeAuth(command, ({ accountLabel, accountPath, cwd, fs }) =>
+  withClaudeAuth(command, ({ accountLabel, accountPath, cwd, fs, path }) =>
     Effect.gen(function*(_) {
-      const method = yield* _(resolveClaudeAuthMethod(fs, accountPath))
+      const method = yield* _(resolveClaudeAuthMethod(fs, path, accountPath))
       if (method === "none") {
         yield* _(Effect.log(`Claude not connected (${accountLabel}).`))
         return

packages/app/src/lib/usecases/auth-copy.ts

@@ -4,21 +4,9 @@ import type * as FileSystem from "@effect/platform/FileSystem"
 import type * as Path from "@effect/platform/Path"
 import { Effect } from "effect"
 
-const shouldSkipCopiedDir = (entry: string): boolean => entry === "tmp"
-
-const isNotFoundSystemError = (error: PlatformError): boolean =>
-  error._tag === "SystemError" && error.reason === "NotFound"
+import { readFileStringIfPresent, statIfPresent, writeFileStringEnsuringParent } from "./volatile-files.js"
 
-const statIfPresent = (
-  fs: FileSystem.FileSystem,
-  targetPath: string
-) =>
-  fs.stat(targetPath).pipe(
-    Effect.catchTag("SystemError", (error) =>
-      isNotFoundSystemError(error)
-        ? Effect.succeed(null)
-        : Effect.fail(error))
-  )
+const shouldSkipCopiedDir = (entry: string): boolean => entry === "tmp"
 
 const copyDirRecursive = (
   fs: FileSystem.FileSystem,
@@ -49,7 +37,11 @@ const copyDirRecursive = (
       if (entryInfo.type === "Directory") {
         yield* _(copyDirRecursive(fs, path, sourceEntry, targetEntry))
       } else if (entryInfo.type === "File") {
-        yield* _(fs.copyFile(sourceEntry, targetEntry))
+        const sourceText = yield* _(readFileStringIfPresent(fs, sourceEntry))
+        if (sourceText === null) {
+          continue
+        }
+        yield* _(writeFileStringEnsuringParent(fs, path, targetEntry, sourceText))
       }
     }
   })
@@ -89,23 +81,21 @@ export const copyCodexFile = (
   Effect.gen(function*(_) {
     const sourceFile = path.join(spec.sourceDir, spec.fileName)
     const targetFile = path.join(spec.targetDir, spec.fileName)
-    const sourceExists = yield* _(fs.exists(sourceFile))
-    if (!sourceExists) {
+    const sourceText = yield* _(readFileStringIfPresent(fs, sourceFile))
+    if (sourceText === null) {
       return
     }
-    const sourceText = yield* _(fs.readFileString(sourceFile))
-    const targetExists = yield* _(fs.exists(targetFile))
-    if (targetExists) {
-      const targetText = yield* _(fs.readFileString(targetFile))
-      if (targetText === sourceText) {
-        return
-      }
-      yield* _(fs.writeFileString(targetFile, sourceText))
-      yield* _(Effect.log(`Synced Codex ${spec.label} from ${sourceFile} to ${targetFile}`))
+    yield* _(fs.makeDirectory(spec.targetDir, { recursive: true }))
+    const targetText = yield* _(readFileStringIfPresent(fs, targetFile))
+    if (targetText === sourceText) {
       return
     }
-    yield* _(fs.copyFile(sourceFile, targetFile))
-    yield* _(Effect.log(`Copied Codex ${spec.label} from ${sourceFile} to ${targetFile}`))
+    yield* _(writeFileStringEnsuringParent(fs, path, targetFile, sourceText))
+    yield* _(
+      Effect.log(
+        `${targetText === null ? "Copied" : "Synced"} Codex ${spec.label} from ${sourceFile} to ${targetFile}`
+      )
+    )
   })
 
 export const copyDirIfEmpty = (
@@ -153,13 +143,16 @@ const copyMissingRecursive = (
       return
     }
 
-    const targetExists = yield* _(fs.exists(targetPath))
-    if (targetExists) {
+    const targetInfo = yield* _(statIfPresent(fs, targetPath))
+    if (targetInfo !== null) {
       return
     }
 
-    yield* _(fs.makeDirectory(path.dirname(targetPath), { recursive: true }))
-    yield* _(fs.copyFile(sourcePath, targetPath))
+    const sourceText = yield* _(readFileStringIfPresent(fs, sourcePath))
+    if (sourceText === null) {
+      return
+    }
+    yield* _(writeFileStringEnsuringParent(fs, path, targetPath, sourceText))
   })
 
 export const copyDirMissingEntries = (

packages/app/src/lib/usecases/auth-sync-claude-seed.ts

@@ -12,6 +12,7 @@ import {
   resolvePathFromBase
 } from "./auth-sync-helpers.js"
 import { withFsPathContext } from "./runtime.js"
+import { readFileStringIfPresent, statIfPresent, writeFileStringEnsuringParent } from "./volatile-files.js"
 
 type ClaudeJsonSyncSpec = {
   readonly sourcePath: string
@@ -28,40 +29,36 @@ const syncClaudeJsonFile = (
   spec: ClaudeJsonSyncSpec
 ): Effect.Effect<void, PlatformError> =>
   Effect.gen(function*(_) {
-    const sourceExists = yield* _(fs.exists(spec.sourcePath))
-    if (!sourceExists) {
+    const sourceInfo = yield* _(statIfPresent(fs, spec.sourcePath))
+    if (sourceInfo === null || sourceInfo.type !== "File") {
       return
     }
 
-    const sourceInfo = yield* _(fs.stat(spec.sourcePath))
-    if (sourceInfo.type !== "File") {
+    const sourceText = yield* _(readFileStringIfPresent(fs, spec.sourcePath))
+    if (sourceText === null) {
       return
     }
-
-    const sourceText = yield* _(fs.readFileString(spec.sourcePath))
     const sourceJson = yield* _(parseJsonRecord(sourceText))
     if (!spec.hasRequiredData(sourceJson)) {
       return
     }
 
-    const targetExists = yield* _(fs.exists(spec.targetPath))
-    if (!targetExists) {
-      yield* _(fs.makeDirectory(path.dirname(spec.targetPath), { recursive: true }))
-      yield* _(fs.copyFile(spec.sourcePath, spec.targetPath))
+    const targetInfo = yield* _(statIfPresent(fs, spec.targetPath))
+    if (targetInfo === null) {
+      yield* _(writeFileStringEnsuringParent(fs, path, spec.targetPath, sourceText))
       yield* _(spec.onWrite(spec.targetPath))
       yield* _(Effect.log(`Seeded ${spec.seedLabel} from ${spec.sourcePath} to ${spec.targetPath}`))
       return
     }
 
-    const targetInfo = yield* _(fs.stat(spec.targetPath))
     if (targetInfo.type !== "File") {
       return
     }
 
     const targetText = yield* _(fs.readFileString(spec.targetPath), Effect.orElseSucceed(() => ""))
     const targetJson = yield* _(parseJsonRecord(targetText))
     if (!spec.hasRequiredData(targetJson)) {
-      yield* _(fs.writeFileString(spec.targetPath, sourceText))
+      yield* _(writeFileStringEnsuringParent(fs, path, spec.targetPath, sourceText))
       yield* _(spec.onWrite(spec.targetPath))
       yield* _(Effect.log(`Updated ${spec.updateLabel} from ${spec.sourcePath} to ${spec.targetPath}`))
     }