Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/api/src/auth-terminal-runner.ts`:
- Around line 7-8: parseFlow currently maps any invalid or undefined value to
"ClaudeOauth" silently; change it to fail-fast instead: in the parseFlow
function (returning AuthTerminalRunnerFlow) validate that value is exactly one
of "ClaudeOauth" | "GeminiOauth" | "GrokOauth" and return it, otherwise throw a
descriptive Error (include the invalid value) so callers don't silently proceed
with the wrong provider; update any call sites expecting a default accordingly.

In `@packages/api/src/services/auth-terminal-sessions.ts`:
- Around line 72-76: The nested ternary that maps request.flow to a command
string should be replaced with an exhaustive Match-based switch to ensure
compile-time coverage of all AuthTerminalFlow variants: use
Match.value(request.flow).pipe(...) with Match.when handlers for "ClaudeOauth",
"GeminiOauth", and "GrokOauth" that each return the appropriate backtick string
including the existing suffix, and finish with Match.exhaustive() so new flows
cannot silently fall through to the wrong label; update the return expression
accordingly where request.flow is used.

In `@packages/api/src/services/project-auth.ts`:
- Around line 239-258: Add a TSDoc comment for the hasGrokAccountCredentials
function describing its purpose (checks for GROK API credentials in three
locations), its parameters (fs: FileSystem.FileSystem, accountPath: string), the
return type (Effect.Effect<boolean, PlatformError> indicating success boolean or
PlatformError), and the behavior/side-effects (it checks .api-key via
hasFileAtPath, GROK_API_KEY in .env via hasApiKeyInEnvFile, and OAuth token in
.grok/user-settings.json via hasNonEmptyOauthToken), and note possible errors
propagated from PlatformError; place the comment immediately above the
hasGrokAccountCredentials declaration.

In `@packages/app/src/docker-git/frontend-lib/core/command-builders-template.ts`:
- Around line 28-71: Add full TSDoc and functional comments to the CORE pure
function buildTemplateConfigBase: include `@pure` (true/false), `@effect` (required
services or "none"), `@invariant` (any mathematical invariants), `@precondition`
(valid shape/constraints of input Pick<BuildTemplateConfigInput,...>),
`@postcondition` (returned object matches CreateCommand["config"] subset), and
`@complexity` (time and space). Also add the functional comment block with CHANGE,
WHY, QUOTE (or n/a), REF, SOURCE (or n/a), FORMAT THEOREM, PURITY, INVARIANT,
COMPLEXITY describing intent, rationale, references and guarantees for
buildTemplateConfigBase and reference the function name and the exact fields it
maps (containerName, serviceName, sshUser, sshPort, repoUrl, repoRef, targetDir,
volumeName, dockerGitPath, authorizedKeysPath, envGlobalPath, envProjectPath,
codexAuthPath, codexSharedAuthPath, codexHome, geminiAuthPath, geminiHome,
grokAuthPath, grokHome) to make clear mapping and postconditions.
- Around line 73-93: The exported CORE function buildTemplateConfig lacks the
required comprehensive TSDoc; add a full TSDoc block immediately above the
exported function buildTemplateConfig describing the function purpose, each
parameter in BuildTemplateConfigInput (`@param`), the return type
CreateCommand["config"] (`@returns`), and include the required tags: `@pure`,
`@effect` (list any external deps such as buildTemplateConfigBase and
defaultTemplateConfig), `@invariant` (describe any invariants about returned
config), `@precondition` (validations on input fields like cpuLimit/ramLimit/gpu),
`@postcondition` (what properties will always be present in the returned config),
and `@complexity` (Big-O for any significant work); ensure references to internal
symbols buildTemplateConfigBase and defaultTemplateConfig are mentioned in the
text so readers can locate dependencies.

In `@packages/app/src/lib/core/auto-agent-flags.ts`:
- Line 23: Update the error string that sets the `reason` (currently "expected
one of: claude, codex, gemini, grok") to include "auto" so it matches the
accepted mode (`requested === "auto"`); ensure the `reason` value lists all
supported modes including "auto" and stays synchronized with any validation
logic that references `requested`.

In `@packages/app/src/lib/core/command-builders-template.ts`:
- Around line 28-94: The two exported functions buildTemplateConfigBase and
buildTemplateConfig are missing the required comprehensive TSDoc and functional
markers; add TSDoc blocks above each function documenting parameters and return
types and include the mandated tags/markers: `@pure`, `@invariant`, `@precondition`,
`@postcondition`, `@complexity` (with O-notation), and the functional comment fields
(CHANGE, WHY, QUOTE or n/a, REF, SOURCE or n/a, FORMAT THEOREM, PURITY
(CORE|SHELL), EFFECT signature if applicable, INVARIANT, COMPLEXITY). Ensure the
docs reference the function signature symbols buildTemplateConfigBase and
buildTemplateConfig and succinctly describe input: BuildTemplateConfigInput and
output: CreateCommand["config"], plus any important invariants (e.g., which
fields are mapped/copied), and place the blocks immediately above each function
declaration.

In `@packages/app/src/lib/core/templates/docker-compose.ts`:
- Around line 222-224: Комментарий после переменных окружения не соответствует
своему назначению: переменная fragments.maybeGrokAuthLabelEnv снабжена
комментарием, который сейчас стоит одновременно после
fragments.maybeAgentModeEnv и fragments.maybeAgentAutoEnv, что вводит в
заблуждение; исправьте шаблон в docker-compose.ts так, чтобы комментарий "#
Optional Grok account label selector (maps to GROK_AUTH_LABEL)" стоял
непосредственно после fragments.maybeGrokAuthLabelEnv, а для
fragments.maybeAgentModeEnv и fragments.maybeAgentAutoEnv добавьте свои
отдельные комментарии (или уберите их), чтобы каждый комментарий однозначно
относился к соответствующей переменной.

In `@packages/app/src/lib/core/templates/dockerfile.ts`:
- Around line 113-114: Строка, которая маскирует провал установки Grok CLI ("RUN
grok --version >/dev/null || true") должна быть исправлена: замените или удалите
конструкцию "|| true" и/или уберите перенаправление в /dev/null so that the
subsequent check fails the build when the CLI is not present; specifically
update the two Dockerfile RUN commands ("RUN npm install -g grok-dev@latest
--force" and the following "RUN grok --version >/dev/null || true") so that the
image build exits non‑zero if "grok --version" fails (e.g., use plain "RUN grok
--version" or an explicit check like "RUN command -v grok >/dev/null" without
"|| true").

In `@packages/app/src/lib/usecases/auth-grok-helpers.ts`:
- Around line 209-214: The code currently runs runCommandExitCode with "chmod -R
777" on credentialsDir which makes secrets world-readable/writable; change to
set owner-only permissions (e.g., directories 700 and files 600) or use a safe
recursive chmod like "chmod -R u+rwX,go-rwx" so only the owner can
read/write/execute, and remove the blanket Effect.orElse(() =>
Effect.succeed(0)) that silences failures so permission errors surface; update
the same pattern in the similar block referenced later (the other chmod usage
around the 230-255 region) to use the secure permission command and proper error
handling, locating the changes around the runCommandExitCode and credentialsDir
symbols.
- Around line 193-206: The cleanup fallback currently swallows errors
(removeFallback is defined with Effect.orElse(() => Effect.void)), so if both
fs.remove(credentialsDir) and the docker fallback fail the effect is treated as
success and code proceeds; remove the swallowing wrapper from removeFallback
(keep runCommandExitCode(...).pipe(Effect.asVoid) but do not orElse to
Effect.void) so that if the docker fallback fails the overall effect fails and
propagation stops; ensure fs.remove(...).pipe(Effect.orElse(() =>
removeFallback)) remains so the fallback is attempted but failures are not
suppressed.
- Around line 165-170: The current check in hasGrokCredentials (which uses
isRegularFile(grokUserSettingsPath(accountPath)) and then treats any non-empty
user-settings.json as valid) incorrectly treats bootstrap files created by
writeInitialGrokSettings(..., null) as authenticated; change hasGrokCredentials
to parse the JSON from fs.readFileString(grokUserSettingsPath(accountPath)) and
verify presence of real credential fields (e.g., non-null/non-empty token,
apiKey, or username fields your code uses) rather than mere file existence or
non-empty content, so resolveGrokAuthMethod() won't return "user-settings" for
bootstrap files; apply the same validation logic where similar checks exist
(around the other occurrence mentioned, lines ~250-255) and use
grokUserSettingsPath, hasGrokCredentials, resolveGrokAuthMethod, and
writeInitialGrokSettings names to locate the changes.
- Around line 55-63: The Dockerfile RUN step currently installs grok-dev using
the floating tag and force flag; replace the unstable install invocation that
uses "grok-dev@latest" and "--force" with a pinned install of grok-dev version
1.1.6 so the Docker build is deterministic (locate the RUN npm install -g
grok-dev... line in the auth-grok helper Docker snippet and change it to install
grok-dev@1.1.6 without --force).

In `@packages/app/src/lib/usecases/auth-grok-oauth.ts`:
- Around line 79-101: The fixGrokAuthPermissions function currently runs a
docker alpine container to chmod -R 777 on the Grok auth directory; change this
to set restrictive permissions or fix ownership instead: replace the chmod args
in fixGrokAuthPermissions to use "chmod -R 700" (or "750" if group-read is
required) or, preferably, run "chown -R <user>:<group>" inside the container
before applying more restrictive chmod; ensure the CommandFailedError and
runCommandWithExitCodes call remain unchanged but update the args array passed
to docker to reflect the safer permission/ownership commands.
- Around line 38-43: Replace the unsupported env vars in the env array
(currently `HOME=${containerPath}`, `NO_BROWSER=true`, `GROK_NO_BROWSER=true`,
`MCP_PLAYWRIGHT_ISOLATED=1`) with a supported approach: look up the
grok/grok-dev CLI docs and either (a) pass the official CLI flag to disable
browser opening (e.g., run the "grok login" command with the documented flag
such as "--no-browser" or the exact flag/name you find) or (b) if no flag/ENV
exists, remove `NO_BROWSER`/`GROK_NO_BROWSER` and implement a headless fallback
in the auth-grok-oauth flow that spawns "grok login", captures the printed
authorization URL from stdout, prompts the user to open it manually and paste
the callback, and include a runtime version check of grok-dev to ensure the
chosen method is supported; update the code that constructs the env array and
the place that calls "grok login" accordingly.

In `@packages/app/src/lib/usecases/auth-grok.ts`:
- Line 40: The chmod call for apiKeyFilePath is currently wrapped with
orElseSucceed which suppresses failures; change this so permission-setting
errors are not swallowed—remove the orElseSucceed around
fs.chmod(apiKeyFilePath, 0o600) (or replace it with explicit error handling that
logs and rethrows) so that failures propagate and cause the operation to fail;
locate the call to fs.chmod and the use of orElseSucceed in
usecases/auth-grok.ts (reference symbols: fs.chmod, apiKeyFilePath,
orElseSucceed) and ensure the code fails on chmod errors rather than continuing
silently.

In `@packages/app/tests/docker-git/parser-auth.test.ts`:
- Around line 22-41: Add a fast-check property-based test that repeatedly runs
parseOrThrow for Grok auth commands with generated valid label strings and
asserts the invariants instead of a single static case: generate labels
(non-empty, trimmed, maybe alphanumeric/spaces) and for each value call
parseOrThrow(["auth","grok","login","--label", label, "--web"]),
parseOrThrow(["auth","grok","status","--label", label]) and
parseOrThrow(["auth","grok","logout","--label", label]) and assert the returned
tags are AuthGrokLogin/AuthGrokStatus/AuthGrokLogout respectively, that
login.isWeb === true, and that .grokAuthPath === ".docker-git/.orch/auth/grok"
for all three results; integrate fast-check into the existing it.effect test (or
add a new one) and fail on any counterexample so the parser invariants are
validated across many generated labels.

In `@packages/lib/src/core/auto-agent-flags.ts`:
- Line 22: The error message for the --auto flag omits "auto" in the
allowed-values text; update the `reason` string in
packages/lib/src/core/auto-agent-flags.ts (the `reason` property for the --auto
flag) to include "auto" alongside "claude, codex, gemini, grok" so the hint
correctly reflects that "auto" is a valid option.

In `@packages/lib/src/core/domain.ts`:
- Line 58: The public type AgentMode was extended to include "grok" and needs a
functional comment block above the AgentMode declaration documenting the CHANGE,
WHY, QUOTE (requirement), and REF markers; update the comment for the AgentMode
type to state that "grok" was added (CHANGE), explain the architectural reason
or compatibility rationale (WHY), cite the requirement or ticket text that
mandated the addition (QUOTE), and include a reference ID (REF), ensuring the
comment is adjacent to the AgentMode type declaration to keep the public API
change discoverable.

In `@packages/lib/src/core/templates-entrypoint/agent.ts`:
- Around line 43-45: The generated AGENT_ENV_FILE currently ends up
world-readable because the script writes /etc/profile.d/grok-config.sh contents
then sets mode via "chmod 644", exposing secrets; change the post-write steps to
chown the file to the runtime user and group and tighten permissions (e.g., set
to 640 or 600) and ensure group is the runtime group used by the agent; update
the sequence around AGENT_ENV_FILE, replacing the chmod 644 usage with a chown
to the agent runtime user/group (use your runtime user symbol/variable) followed
by chmod 640 (or 600) so only the agent user/group can read the file.

In `@packages/lib/src/core/templates/docker-compose.ts`:
- Around line 221-223: Split the combined env fragment line into two separate
lines so each fragment has the correct comment: render
fragments.maybeGrokAuthLabelEnv on its own line with the "Optional Grok account
label selector (maps to GROK_AUTH_LABEL)" comment, and render
fragments.maybeAgentModeEnv and fragments.maybeAgentAutoEnv together on the next
line with a distinct comment like "Optional agent mode and auto-start
configuration"; update the template where these symbols appear so comments align
with the corresponding fragments (maybeGrokAuthLabelEnv, maybeAgentModeEnv,
maybeAgentAutoEnv).

In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 113-114: В шаблоне Dockerfile замените установку неофициального
пакета и мягкую проверку на официальную установку или явное, зафиксированное
стороннее решение: вместо "RUN npm install -g grok-dev@latest --force" и "RUN
grok --version >/dev/null || true" либо (предпочтительно) скачайте и установите
официальное xAI Grok Build через curl/официальный инсталлятор (подставив
проверяемую версию/хеш), либо если оставляете сторонний пакет — уберите
"--force", зафиксируйте конкретную версию вместо "latest", удалите "|| true" и
добавьте явную проверку выхода с ошибкой при неуспешной установке; если
выбираете сторонний пакет, потребуйте security review/approval перед мерджем.

In `@packages/lib/src/usecases/auth-grok-helpers.ts`:
- Around line 208-214: The chmod 777 call in the runCommandExitCode invocation
grants excessive permissions to credentialsDir; replace it with a safer,
restrictive approach: run commands that set directories to 700 and files to 600
(e.g., use find to apply chmod 700 to all directories under credentialsDir and
chmod 600 to all files) instead of ["-R","777",credentialsDir], keeping the call
site runCommandExitCode({ cwd, command: "chmod", args: ... }) and credentialsDir
variable; preserve the Effect.orElse(() => Effect.succeed(0)) error handling
around the command(s).
- Around line 59-63: Replace the npm global install that uses an unpredictable
latest tag and --force: find occurrences of the literal string "npm install -g
grok-dev@latest --force" in the Dockerfile template generators and change them
to a pinned, explicit version like "npm install -g grok-dev@1.1.6" and remove
the "--force" flag; update each template function that emits the Dockerfile
snippet (the Dockerfile template generator(s) that produce the RUN curl ... &&
apt-get ... && npm install -g ... line) so they hardcode the stable version
instead of `@latest` and do not pass --force.

In `@packages/lib/src/usecases/auth-grok-oauth.ts`:
- Around line 79-101: The function fixGrokAuthPermissions currently runs chmod
-R 777 via runCommandWithExitCodes which grants world-writable access to Grok
credentials; change the chmod invocation in the args passed to
runCommandWithExitCodes (the array containing "chmod", "-R", "777",
containerPath) to a safe permission such as "700" (or "755" if group/other read
is required) so only the owner can read/write/execute the credentials directory;
keep the CommandFailedError creation and the Effect.tapError/Effect.orElse
handling unchanged.
- Around line 103-130: Add a TSDoc block above the exported
runGrokOauthLoginWithPrompt function that documents its purpose and behavior and
includes the required tags: `@pure`, `@effect` (describe the Effect type and failure
channels AuthError | CommandFailedError | PlatformError), `@invariant` (state
invariants such as cwd/accountPath resolution), `@precondition` (valid cwd and
accountPath, docker available), `@postcondition` (prints OAuth instructions, runs
docker auth flow, fixes permissions), and `@complexity` (time/space complexity).
Also document parameters (cwd, accountPath, options.image,
options.containerPath) and the return type (Effect.Effect<void, AuthError |
CommandFailedError | PlatformError, CommandExecutor.CommandExecutor>) so the
public API is fully covered for runGrokOauthLoginWithPrompt.
- Around line 46-67: Add full TSDoc to the exported function
buildDockerGrokAuthArgs (include `@pure`, `@effect`, `@invariant`, `@precondition`,
`@postcondition`, `@complexity`) and implement input validation for
spec.containerPath (referencing DockerGrokAuthSpec and buildDockerGrokAuthArgs)
so the function rejects or throws a clear error when containerPath is empty,
contains null bytes, contains path traversal patterns (e.g., "..") or is not an
absolute/normalized path; ensure you validate before using it in the args array
and document the precondition/postcondition that containerPath will be a
normalized absolute path and that the returned array contains the Docker run
args including the validated mount and workdir.

In `@packages/lib/src/usecases/auth-grok.ts`:
- Around line 50-62: Параметр _command в сигнатуре функции authGrokLoginCli не
используется; либо удалите его из сигнатуры (заменив экспорт на
authGrokLoginCli(): Effect.Effect<...>) либо начните явно использовать его
внутри Effect.gen (например передав необходимые поля в логи/логику) to satisfy
the interface; обновите все вызовы/auth signatures accordingly so they match the
new signature or continue accepting the parameter if required for interface
compatibility.
- Around line 76-78: The code currently calls prepareGrokCredentialsDir(...)
then immediately writeInitialGrokSettings(..., null) which can leave a null API
key on disk if the subsequent OAuth flow fails; update the flow in auth-grok.ts
so you only call writeInitialGrokSettings after the OAuth process completes
successfully (or, alternatively, perform the write as part of a transactional
sequence and remove/rollback the created settings on any OAuth error).
Concretely, move the writeInitialGrokSettings call to after the successful
return of the OAuth routine (or add a catch/finally that deletes or restores the
credentials file on failure), referencing prepareGrokCredentialsDir and
writeInitialGrokSettings to locate where to change behavior.
- Line 40: Хранится молчаливое подавление ошибки chmod при установке прав на
файл API-ключа: в месте с вызовом fs.chmod внутри usecases/auth-grok.ts удалите
использование Effect.orElseSucceed(() => void 0) и позвольте ошибке/эффекту
проброситься (или замените на явный Effect.fail с информативным сообщением),
чтобы не продолжать работу при неудачной установке прав; убедитесь, что ошибка
содержит контекст (путь файла и причину) и приводит к отказу
аутентификации/завершению процесса вместо бесшумного продолжения.

In `@packages/lib/tests/usecases/auth-grok.test.ts`:
- Around line 10-23: Добавьте краткую TSDoc над helper-функцией withTempDir,
объясняющую её назначение (создаёт временную директорию для теста и передаёт её
в callback), описывающую использование Effect.scoped для управления жизненным
циклом ресурса, перечисляющую параметр use (callback, получающий tempDir:
string) и возвращаемое значение (Effect, который может содержать результат теста
или FileSystem.FileSystem), и упомяните префикс временной директории; ссылаясь
на сimbols withTempDir, Effect.scoped и FileSystem.FileSystem, чтобы облегчить
поиск места вставки документации.

---

Outside diff comments:
In `@packages/api/src/services/auth-menu.ts`:
- Around line 131-146: The syncMessage function currently uses deeply nested
ternary operators to map AuthMenuRequest.flow to commit message strings; replace
that chain with a clear Match.value() pattern match over request.flow (using
Match.value(request.flow).pipe(...).exhaustive()) that returns the same strings
by calling canonicalLabel(request.label) where needed; update syncMessage to
switch on each flow case (GithubRemove, GitSet, GitRemove, ClaudeLogout,
GeminiApiKey, GeminiLogout, GrokApiKey, GrokLogout) and return the exact
corresponding message for each case, ensuring exhaustiveness for the union type
AuthMenuRequest so future flows cause a compile-time error.

In `@packages/api/src/services/federation.ts`:
- Around line 1694-1699: The resolver resolveAgentProvider must use
Effect.Match.exhaustive to perform exhaustive pattern matching on the raw
provider string instead of the current ternary; update the function to compute
raw from subscription?.agentProvider ||
process.env["DOCKER_GIT_EXCHANGE_AGENT_PROVIDER"] and then call Match.exhaustive
with cases for "claude", "opencode", "grok", "custom", and "codex" (mapping each
to the corresponding AgentProvider) and an explicit default branch that returns
"codex" so all union values are handled; ensure you import Effect.Match and keep
the function signature types (FollowSubscription, AgentProvider) unchanged.

In `@packages/api/src/services/project-auth.ts`:
- Around line 173-197: Add a TSDoc block to the hasApiKeyInEnvFile function that
explains its purpose (checks whether a non-empty env variable named by the `key`
exists in a file), documents parameters `fs: FileSystem.FileSystem`,
`envFilePath: string`, and `key: string`, and states the return type
`Effect.Effect<boolean, PlatformError>` along with behavior on missing files or
read errors (returns false or uses provided Effect error handling). Mention
examples of expected env line formats (e.g., KEY=value, KEY="value") and note
that quotes are stripped and whitespace trimmed so only non-empty values return
true. Ensure the TSDoc appears immediately above the hasApiKeyInEnvFile
declaration.

In `@packages/app/src/docker-git/menu-auth.ts`:
- Around line 89-107: Replace the boolean OR chain used to compute suspendTui
inside submitAuthPrompt with an exhaustive pattern match over view.flow (use
Effect.Match.exhaustive or Match.exhaustive per coding guidelines) so all union
cases are handled; update the suspendTui argument passed to runAuthPromptEffect
(inside submitAuthPrompt) to be the result of that exhaustive match, and ensure
the match returns a boolean for each flow variant so future OAuth flows will
cause a compile-time failure if not handled.

In `@packages/app/src/docker-git/menu-project-auth.ts`:
- Around line 132-138: Replace the manual if-chain checking action
(ProjectGithubDisconnect | ProjectGitDisconnect | ProjectClaudeDisconnect |
ProjectGeminiDisconnect | ProjectGrokDisconnect) with an exhaustive pattern
match using Match.value(action).pipe(..., Match.exhaustive) to guarantee
compile-time coverage of the ProjectAuthMenuAction union; follow the same
pattern used in projectAuthSuccessMessage
(Match.value(...).pipe(Match.when(...), Match.exhaustive)), creating Match.when
clauses for each connect/disconnect branch and delegating to
startProjectAuthPrompt or the appropriate disconnect handling so any new union
variant will force a compile-time handling decision rather than silently falling
through.

In `@packages/app/src/lib/core/templates-entrypoint/rtk.ts`:
- Around line 9-44: The FORMAT THEOREM claims RTK configures "grok" but RTK has
no --grok flag, so update renderEntrypointRtkConfig to remove grok references:
change the FORMAT THEOREM token list to configured(codex, claude, gemini,
opencode) and delete "/home/__SSH_USER__/.grok" from the mkdir and chown paths
in the template body (and any related log text), leaving the four actual
docker_git_rtk_init_as_user invocations unchanged; this preserves the invariant
without adding unsupported RTK behavior.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/app/src/docker-git/cli/usage.ts`:
- Line 79: The help text advertises Gemini but the auto-selection logic and
types lack Gemini support; update AvailableAgentAuth to include geminiAvailable,
extend availableAgentModes (in packages/lib/src/usecases/agent-auto-select.ts,
function availableAgentModes) to check available.geminiAvailable and include
AgentMode.Gemini in the returned modes when present, update the error message
that currently says "no Claude, Codex or Grok auth found" to mention Gemini, and
add/adjust unit tests to cover the Gemini path; alternatively, if you prefer to
postpone Gemini, remove "gemini" from the --auto help text and AgentMode enum
usages so the doc and logic remain consistent.

In `@packages/app/src/lib/usecases/agent-auto-select.ts`:
- Around line 137-141: Add comprehensive TSDoc to the pure CORE helper
availableAgentModes: mark it with `@pure` true, add functional comments describing
PURITY (CORE) and `@effect` (none/required services = none), specify `@invariant`
such as "∀available: |result| ≤ 3 ∧ result ⊆ {claude, codex, grok}", document
`@precondition` (none) and `@postcondition` (returns array of AgentMode containing
only enabled modes), and state `@complexity` as "time O(1), space O(1)". Place
this TSDoc immediately above the availableAgentModes declaration so tools and
reviewers can pick it up.
- Around line 143-153: Add comprehensive TSDoc to the pickRandomAutoAgentMode
function: document `@pure` false (uses process.hrtime.bigint()), `@effect`
describing the Effect<AgentMode, ParseError> and any required services,
`@invariant` stating the result ∈ availableAgentModes(available), `@precondition`
that availableAgentModes(available) is non-empty, `@postcondition` that the
returned AgentMode is one of the available modes or an error, and `@complexity`
O(n) where n = number of modes; reference the helper availableAgentModes and the
non-deterministic selection via process.hrtime.bigint() when describing WHY and
EFFECT.
- Around line 53-60: The new function hasGrokAuth lacks the required TSDoc; add
a comprehensive TSDoc block above hasGrokAuth that documents `@pure` false,
`@effect` FileSystem (since it uses FileSystem.FileSystem and returns an Effect),
`@precondition` (rootPath is a valid path string and label may be undefined),
`@postcondition` (returns true if valid Grok credentials are found at
normalizeAccountLabel(label ?? null, "default") within rootPath), `@complexity`
(time and space complexity of hasGrokCredentials call), and include the
functional comments PURITY (SHELL), EFFECT (Effect<boolean, PlatformError,
FileSystem>), and INVARIANT describing the relationship between normalized label
and lookup path; reference the helper functions normalizeAccountLabel and
hasGrokCredentials in the comment for clarity.
- Around line 24-26: The three constants claudeMode, codexMode and grokMode are
defined as one-element ReadonlyArray<AgentMode>, which is unnecessary because
availableAgentModes later spreads them; change them to use simple string
literals or single AgentMode values and insert those directly into
availableAgentModes (e.g., replace the one-item arrays with 'claude', 'codex',
'grok' or define each as const claudeMode: AgentMode = 'claude') to remove the
extra array layer and keep type-safety.

In `@packages/lib/tests/usecases/agent-auto-select.test.ts`:
- Around line 42-45: The test suite adds geminiAuthPath and geminiHome to
makeConfig but no Gemini test-cases exist; either add three tests mirroring
Grok's coverage (in packages/lib/tests/usecases/agent-auto-select.test.ts) named
it.effect("chooses Gemini when only Gemini auth exists", ...), it.effect("keeps
explicit Gemini mode when Gemini auth exists", ...), and it.effect("fails
explicit Gemini mode when Gemini auth is missing", ...) exercising the same
setup/teardowns and assertions used for Grok, or if Gemini is out of scope for
this PR, remove or comment out geminiAuthPath/geminiHome from makeConfig and add
a "// TODO: Gemini tests" comment to explain why they are omitted.

---

Outside diff comments:
In `@packages/lib/src/usecases/agent-auto-select.ts`:
- Around line 1-181: This file duplicates logic from packages/app; remove
duplication by centralizing the agent selection code into the shared lib and
have packages/app import it (or create a single shared module/workspace
reference) and, in this file, replace the duplicated implementation with an
import; while consolidating, add TSDoc and the repository's functional comment
blocks (CHANGE/WHY/PURITY/EFFECT/INVARIANT/COMPLEXITY) for the functions
hasGrokAuth, availableAgentModes, and pickRandomAutoAgentMode, and simplify the
single-element constants claudeMode, codexMode, grokMode to plain string
literals where used (or export simple string constants) to reduce unnecessary
arrays; update resolveAvailableAgentAuth, resolveExplicitAutoAgentMode, and
pickRandomAutoAgentMode call sites to use the centralized implementation and
ensure exports/signatures match between packages.

In `@packages/lib/tests/usecases/agent-auto-select.test.ts`:
- Around line 119-219: The new Grok unit tests lack property-based tests as
required; add fast-check property tests in
packages/lib/tests/usecases/agent-auto-select.test.ts that exercise
resolveAutoAgentMode across randomized availability combinations: import fc from
"fast-check" and add it.effect cases that generate boolean flags
(claudeAvailable, codexAvailable, grokAvailable) filtered to at least one true,
create auth files in the temp dir based on those flags (using
FileSystem.FileSystem and Path.Path as in existing tests), call
resolveAutoAgentMode(config) and assert the invariants: (1) if exactly one mode
is available the result equals that mode, (2) result is one of the available
modes, (3) when agentMode is explicitly set to an available mode result equals
that explicit mode, and (4) when explicit mode is set but its auth is missing
the effect fails with InvalidOption; use fc.assert to run the property and wrap
inside the existing withTempDir/Effect.gen pattern.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/app/src/lib/core/templates-entrypoint/grok.ts`:
- Around line 1-2: The file packages/app src lib core templates-entrypoint
grok.ts duplicates logic present in
packages/lib/src/core/templates-entrypoint/grok.ts; remove the duplicate by
extracting the shared code (including the TemplateConfig-related logic and any
exported helpers) into a single shared module or the lib package and have
packages/app re-export or import that module (e.g., export/import the same
symbols instead of re-defining them). Update the grok.ts in packages/app to
import TemplateConfig and any functions from the shared location (or re-export
from packages/lib) so only one source of truth remains and jscpd markers are no
longer needed.
- Around line 259-266: Экспортная функция renderEntrypointGrokConfig не имеет
TSDoc — добавьте подробный TSDoc над объявлением функции
renderEntrypointGrokConfig, описывающий назначение функции, параметры (config:
TemplateConfig) и возвращаемое значение (string), а также любые побочные эффекты
или примечания; используйте стиль и уровень детализации, согласованный с другими
файлами (например, packages/lib/src/core/templates-entrypoint/grok.ts), включая
пример использования при необходимости.

In `@packages/lib/src/core/templates-entrypoint/grok.ts`:
- Around line 258-265: Add a comprehensive TSDoc block to the exported function
renderEntrypointGrokConfig describing its purpose and behavior, and include the
required tags: `@pure`, `@effect` (describe side effects or "none"), `@invariant`,
`@precondition` (e.g., valid TemplateConfig), `@postcondition` (what string
structure is returned), and `@complexity` (time/space complexity). Place the
comment immediately above the renderEntrypointGrokConfig declaration and
reference the parameter config and returned string in the descriptions so that
consumers and linters get the full contract for this exported function.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/api/src/services/project-auth.ts`:
- Around line 239-259: The oauth marker /"oauth"\s*:/u is too permissive and
flags an oauth block even when empty; update the
grokUserSettingsCredentialMarkers array (used by hasGrokUserSettingsCredentials)
to replace the current oauth regex with a stricter pattern that requires a
non-empty credential inside the oauth object (e.g. require a string-valued key
like "token", "accessToken", "apiKey" or "access_token" with a non-empty value),
so the detector only returns true when an actual secret is present.

In `@packages/lib/tests/core/templates.test.ts`:
- Around line 218-226: Тест "installs Grok CLI for generated project containers"
asserts the Dockerfile contains the hardcoded string "npm install -g
grok-dev@latest --force", which is brittle once the version is pinned; update
the test in packages/lib/tests/core/templates.test.ts to assert on a less
fragile pattern by checking for "npm install -g grok-dev" (or a regex like "npm
install -g grok-dev(@|@\\d+)") instead of the exact "`@latest` --force" token,
locating the assertion in the spec that calls
renderDockerfile(makeTemplateConfig()) and adjusts the
expectContainsAll/expect(...) checks accordingly.

In `@packages/lib/tests/usecases/auth-grok.test.ts`:
- Around line 56-106: Add a negative test that verifies authGrokLogin rejects
empty and whitespace-only API keys: create a new it.effect in the same test
suite (use withTempDir and withPatchedEnv like the existing test) and call
authGrokLogin with "" and with "   " (space-only) providing FileSystem and Path
via Effect.provideService; assert the Effect fails (typed-failure) rather than
succeeds by inspecting the Effect exit/error (e.g., run/exit or expecting a
failure/error type/message) and ensure the failure matches the login validation
invariant for empty API keys rather than writing files; reference authGrokLogin,
withTempDir, withPatchedEnv, FileSystem.FileSystem and Path.Path to locate where
to add the checks.
- Around line 107-143: Add fast-check property-based tests to auth-grok.test.ts
that generate many JSON payloads and assert the invariants for
hasGrokCredentials: use fc.property to produce (1) valid JSON objects that
always include an "apiKey" string and verify hasGrokCredentials(fs, accountPath)
returns true, and (2) valid JSON objects that explicitly do NOT include "apiKey"
but match bootstrap-like shapes (e.g., may include "sandboxMode" or
"confirmBeforeToolUse") and verify hasGrokCredentials(...) returns false; reuse
the existing withTempDir, FileSystem.FileSystem and Path.Path setup, write the
generated JSON to path.join(credentialsDir, "user-settings.json"), and call
fc.assert with reasonable limits to integrate into the test suite.

---

Outside diff comments:
In `@packages/api/src/http.ts`:
- Around line 429-448: Replace the switch-based, asserted mappings in
skillScopeFromId, skillScopeToId, and skillScopeFromBody with exhaustive pattern
matches using Match.exhaustive(); specifically, remove any "as
ProjectSkillScope" assertions, import and use Match (e.g. from ts-pattern) to
match each possible string/enum case and return the correctly typed
ProjectSkillScope or id string, and ensure the match is exhaustive so the
default/null branch is handled by Match.exhaustive() instead of a fallback
switch/default. Use the function names skillScopeFromId, skillScopeToId, and
skillScopeFromBody as anchors when applying the refactor.

---

Duplicate comments:
In `@packages/app/src/lib/usecases/auth-grok-helpers.ts`:
- Around line 54-65: The Dockerfile generator renderGrokDockerfile currently
installs grok-dev with "npm install -g grok-dev@latest --force", which makes
builds nondeterministic; change that line in renderGrokDockerfile to pin a
specific semantic version (e.g. grok-dev@X.Y.Z) and remove the "--force" flag so
the image is reproducible and not forced to override versions. Update the string
returned by renderGrokDockerfile to use the chosen fixed version token in place
of "`@latest` --force".
- Around line 204-218: В текущем Effect.gen блоке удаление credentialsDir
использует fs.remove(...).pipe(Effect.orElse(() => removeFallback)) и затем
removeFallback обёрнут в Effect.asVoid, из-за чего ошибки обоих путей
подавляются; исправьте так, чтобы при провале и fs.remove, и runCommandExitCode
(removeFallback) ошибка пробрасывалась: уберите Effect.asVoid с removeFallback,
вместо Effect.orElse используйте объединяющий обработчик (например,
Effect.orElseFail/Effect.catchAll) который собирает/пробрасывает оригинальную
ошибку или новый агрегированный Error и возвращает Effect.fail; сослаться на
символы grokCredentialsPath, removeFallback, runCommandExitCode, fs.remove и
Effect.asVoid при правке.

In `@packages/lib/src/usecases/auth-grok-helpers.ts`:
- Around line 203-218: The fallback deletion in Effect.gen around
grokCredentialsPath uses fs.remove(...).pipe(Effect.orElse(() =>
removeFallback)) which swallows errors if both fs.remove and removeFallback
fail; update this to rethrow a composed/error from the failures instead of
suppressing it: replace the Effect.orElse call so that on fs.remove failure you
run removeFallback and if removeFallback also fails you propagate an error
(e.g., using Effect.orElseFail or Effect.catchAll to map the second failure into
a failing Effect) so the overall effect fails instead of being silently ignored;
reference symbols: Effect.gen, grokCredentialsPath, removeFallback,
runCommandExitCode, fs.remove.
- Around line 53-64: The Dockerfile generator renderGrokDockerfile currently
installs grok-dev using an undetermined tag ("grok-dev@latest --force"), making
builds non-deterministic; change the npm install line inside
renderGrokDockerfile to pin a specific released version (e.g.
"grok-dev@<MAJOR.MINOR.PATCH>") and remove the --force flag so the image is
reproducible and predictable, then update any docs/tests that expect the
previous behavior to use the pinned version.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/app/src/lib/usecases/auth-grok-helpers.ts`:
- Around line 176-185: The OAuth regex in grokUserSettingsCredentialMarkers uses
[^}]* which fails on nested objects; update the OAuth marker (or the detection
strategy in hasGrokUserSettingsCredentials) to handle nested content by
replacing the [^}]* with a non-greedy dot-all style pattern (e.g., [\s\S]*? )
or, better, parse the content as JSON and look up oauth keys
(apiKey|accessToken|access_token|authToken|refreshToken|refresh_token|token)
programmatically; adjust the grokUserSettingsCredentialMarkers array or the
detection flow to use the new pattern or JSON-based check so nested objects like
{"oauth":{"meta":{},"accessToken":"x"}} are correctly detected.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/api/src/services/project-auth.ts`:
- Around line 261-280: The current hasGrokAccountCredentials only checks for the
presence of `${accountPath}/.api-key` via hasFileAtPath and treats an empty file
as valid; change it to read and validate the file contents and only
succeed(true) when the trimmed contents are non-empty (consistent with
readGrokApiKey behavior). Concretely, inside hasGrokAccountCredentials replace
the hasFileAtPath branch with a readFile (or existing read helper) for
`${accountPath}/.api-key`, check that the result is a non-empty string after
trimming, return Effect.succeed(true) only then, and otherwise fall back to
hasApiKeyInEnvFile and hasGrokUserSettingsCredentials (or return false) to
preserve the existing flow.