feat(auth): add Grok authentication support

.gitkeep

@@ -0,0 +1 @@
+# .gitkeep file auto-generated at 2026-05-15T13:19:37.296Z for PR creation at branch issue-304-3b5ced26375c for issue https://github.com/ProverCoderAI/docker-git/issues/304

packages/api/src/api/contracts.ts

@@ -1,6 +1,6 @@
 export type ProjectStatus = "running" | "stopped" | "unknown"
 
-export type AgentProvider = "codex" | "opencode" | "claude" | "custom"
+export type AgentProvider = "codex" | "opencode" | "claude" | "grok" | "custom"
 
 export type AgentStatus = "starting" | "running" | "stopping" | "stopped" | "exited" | "failed"
 
@@ -183,19 +183,23 @@ export type AuthMenuFlow =
   | "ClaudeLogout"
   | "GeminiApiKey"
   | "GeminiLogout"
+  | "GrokApiKey"
+  | "GrokLogout"
 
-export type AuthTerminalFlow = "ClaudeOauth" | "GeminiOauth"
+export type AuthTerminalFlow = "ClaudeOauth" | "GeminiOauth" | "GrokOauth"
 
 export type AuthSnapshot = {
   readonly globalEnvPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly totalEntries: number
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly gitUserEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
 }
 
 export type AuthMenuRequest = {
@@ -249,6 +253,8 @@ export type ProjectAuthFlow =
   | "ProjectClaudeDisconnect"
   | "ProjectGeminiConnect"
   | "ProjectGeminiDisconnect"
+  | "ProjectGrokConnect"
+  | "ProjectGrokDisconnect"
 
 export type ProjectAuthSnapshot = {
   readonly projectDir: string
@@ -257,22 +263,25 @@ export type ProjectAuthSnapshot = {
   readonly envProjectPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
   readonly activeGithubLabel: string | null
   readonly activeGitLabel: string | null
   readonly activeClaudeLabel: string | null
   readonly activeGeminiLabel: string | null
+  readonly activeGrokLabel: string | null
 }
 
 export type ProjectAuthRequest = {
   readonly flow: ProjectAuthFlow
   readonly label?: string | null | undefined
 }
 
-export type ProjectPromptKind = "claude" | "codex" | "gemini"
+export type ProjectPromptKind = "claude" | "codex" | "gemini" | "grok"
 
 export type ProjectPromptFile = {
   readonly kind: ProjectPromptKind
@@ -302,6 +311,7 @@ export type ProjectSkillScope =
   | "claude/skills"
   | "codex/skills"
   | "gemini/skills"
+  | "grok/skills"
 
 export type ProjectSkillFile = {
   readonly id: string
@@ -394,6 +404,8 @@ export type CreateProjectRequest = {
   readonly skipGithubAuth?: boolean | undefined
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
+  readonly geminiTokenLabel?: string | undefined
+  readonly grokTokenLabel?: string | undefined
   readonly agentAutoMode?: string | undefined
   readonly up?: boolean | undefined
   readonly openSsh?: boolean | undefined

packages/api/src/api/schema.ts

@@ -32,6 +32,8 @@ export const CreateProjectRequestSchema = Schema.Struct({
   skipGithubAuth: OptionalBoolean,
   codexTokenLabel: OptionalString,
   claudeTokenLabel: OptionalString,
+  geminiTokenLabel: OptionalString,
+  grokTokenLabel: OptionalString,
   agentAutoMode: OptionalString,
   up: OptionalBoolean,
   openSsh: OptionalBoolean,
@@ -58,10 +60,12 @@ export const AuthMenuFlowSchema = Schema.Literal(
   "GitRemove",
   "ClaudeLogout",
   "GeminiApiKey",
-  "GeminiLogout"
+  "GeminiLogout",
+  "GrokApiKey",
+  "GrokLogout"
 )
 
-export const AuthTerminalFlowSchema = Schema.Literal("ClaudeOauth", "GeminiOauth")
+export const AuthTerminalFlowSchema = Schema.Literal("ClaudeOauth", "GeminiOauth", "GrokOauth")
 
 export const AuthMenuRequestSchema = Schema.Struct({
   flow: AuthMenuFlowSchema,
@@ -105,15 +109,17 @@ export const ProjectAuthFlowSchema = Schema.Literal(
   "ProjectClaudeConnect",
   "ProjectClaudeDisconnect",
   "ProjectGeminiConnect",
-  "ProjectGeminiDisconnect"
+  "ProjectGeminiDisconnect",
+  "ProjectGrokConnect",
+  "ProjectGrokDisconnect"
 )
 
 export const ProjectAuthRequestSchema = Schema.Struct({
   flow: ProjectAuthFlowSchema,
   label: OptionalNullableString
 })
 
-export const ProjectPromptKindSchema = Schema.Literal("claude", "codex", "gemini")
+export const ProjectPromptKindSchema = Schema.Literal("claude", "codex", "gemini", "grok")
 
 export const ProjectPromptUpdateRequestSchema = Schema.Struct({
   content: Schema.String
@@ -125,7 +131,8 @@ export const ProjectSkillScopeSchema = Schema.Literal(
   "agents/.skills",
   "claude/skills",
   "codex/skills",
-  "gemini/skills"
+  "gemini/skills",
+  "grok/skills"
 )
 
 export const ProjectSkillUpdateRequestSchema = Schema.Struct({
@@ -236,7 +243,7 @@ export const ProjectDatabaseForwardSchema = Schema.Struct({
   targetPort: Schema.Number
 })
 
-export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "custom")
+export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "grok", "custom")
 
 export const AgentEnvVarSchema = Schema.Struct({
   key: Schema.String,

packages/api/src/auth-terminal-runner.ts

@@ -1,11 +1,11 @@
 import { NodeContext, NodeRuntime } from "@effect/platform-node"
-import { authClaudeLogin, authGeminiLoginOauth } from "@effect-template/lib"
+import { authClaudeLogin, authGeminiLoginOauth, authGrokLoginOauth } from "@effect-template/lib"
 import { Effect, Match } from "effect"
 
-type AuthTerminalRunnerFlow = "ClaudeOauth" | "GeminiOauth"
+type AuthTerminalRunnerFlow = "ClaudeOauth" | "GeminiOauth" | "GrokOauth"
 
 const parseFlow = (value: string | undefined): AuthTerminalRunnerFlow =>
-  value === "ClaudeOauth" || value === "GeminiOauth" ? value : "ClaudeOauth"
+  value === "ClaudeOauth" || value === "GeminiOauth" || value === "GrokOauth" ? value : "ClaudeOauth"
 
 const parseLabel = (value: string | undefined): string | null => {
   const trimmed = value?.trim() ?? ""
@@ -29,6 +29,13 @@ const program = Match.value(flow).pipe(
       geminiAuthPath: ".docker-git/.orch/auth/gemini",
       isWeb: false
     })),
+  Match.when("GrokOauth", () =>
+    authGrokLoginOauth({
+      _tag: "AuthGrokLogin",
+      label,
+      grokAuthPath: ".docker-git/.orch/auth/grok",
+      isWeb: false
+    })),
   Match.exhaustive
 )
 

packages/api/src/http.ts

@@ -178,7 +178,7 @@ const ProjectDatabaseProfileParamsSchema = Schema.Struct({
 
 const ProjectPromptParamsSchema = Schema.Struct({
   projectId: Schema.String,
-  kind: Schema.Literal("claude", "codex", "gemini")
+  kind: Schema.Literal("claude", "codex", "gemini", "grok")
 })
 
 const ProjectSkillParamsSchema = Schema.Struct({
@@ -435,6 +435,8 @@ const skillScopeFromId = (scopeId: string): ProjectSkillScope | null => {
       return "codex/skills"
     case "gemini-skills":
       return "gemini/skills"
+    case "grok-skills":
+      return "grok/skills"
     default:
       return null
   }
@@ -454,6 +456,8 @@ export const skillScopeToId = (scope: ProjectSkillScope): string => {
       return "codex-skills"
     case "gemini/skills":
       return "gemini-skills"
+    case "grok/skills":
+      return "grok-skills"
   }
 }
 
@@ -465,6 +469,7 @@ const skillScopeFromBody = (scope: string): ProjectSkillScope | null => {
     case "claude/skills":
     case "codex/skills":
     case "gemini/skills":
+    case "grok/skills":
       return scope as ProjectSkillScope
     default:
       return null

packages/api/src/services/agents.ts

@@ -67,6 +67,9 @@ const pickDefaultCommand = (provider: CreateAgentRequest["provider"]): string =>
   if (provider === "claude") {
     return "MCP_PLAYWRIGHT_ISOLATED=1 claude"
   }
+  if (provider === "grok") {
+    return "MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox"
+  }
   return ""
 }
 

packages/api/src/services/auth-menu.ts

@@ -2,7 +2,7 @@ import * as FileSystem from "@effect/platform/FileSystem"
 import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
 import * as Path from "@effect/platform/Path"
-import { authClaudeLogout, authGeminiLogin, authGeminiLogout } from "@effect-template/lib/usecases/auth"
+import { authClaudeLogout, authGeminiLogin, authGeminiLogout, authGrokLogin, authGrokLogout } from "@effect-template/lib/usecases/auth"
 import { ensureEnvFile, parseEnvEntries, readEnvText, upsertEnvKey } from "@effect-template/lib/usecases/env-file"
 import { renderError, type AppError } from "@effect-template/lib/usecases/errors"
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
@@ -16,6 +16,7 @@ type MenuAuthRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.Comma
 
 const claudeAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/claude`
 const geminiAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/gemini`
+const grokAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/grok`
 const globalEnvPath = `${defaultProjectsRoot(process.cwd())}/.orch/env/global.env`
 
 const normalizeLabel = (value: string): string => {
@@ -102,18 +103,21 @@ export const readAuthMenuSnapshot = (): Effect.Effect<AuthSnapshot, PlatformErro
     Effect.flatMap(({ envText, fs, path }) =>
       Effect.all({
         claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthRoot),
-        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot)
+        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot),
+        grokAuthEntries: countAuthAccountDirectories(fs, path, grokAuthRoot)
       }).pipe(
-        Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
+        Effect.map(({ claudeAuthEntries, geminiAuthEntries, grokAuthEntries }) => ({
           globalEnvPath,
           claudeAuthPath: claudeAuthRoot,
           geminiAuthPath: geminiAuthRoot,
+          grokAuthPath: grokAuthRoot,
           totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
           githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
           gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
           gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
           claudeAuthEntries,
-          geminiAuthEntries
+          geminiAuthEntries,
+          grokAuthEntries
         }))
       )
     )
@@ -135,7 +139,11 @@ const syncMessage = (request: AuthMenuRequest): string =>
           ? `chore(state): auth claude logout ${canonicalLabel(request.label)}`
           : request.flow === "GeminiApiKey"
             ? `chore(state): auth gemini ${canonicalLabel(request.label)}`
-            : `chore(state): auth gemini logout ${canonicalLabel(request.label)}`
+            : request.flow === "GeminiLogout"
+              ? `chore(state): auth gemini logout ${canonicalLabel(request.label)}`
+              : request.flow === "GrokApiKey"
+                ? `chore(state): auth grok ${canonicalLabel(request.label)}`
+                : `chore(state): auth grok logout ${canonicalLabel(request.label)}`
 
 const writeEnvBackedAuthFlow = (
   request: AuthMenuRequest
@@ -213,15 +221,45 @@ export const runAuthMenuFlow = (
             error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
           )
         )
-        : pipe(
-          authGeminiLogout({
-            _tag: "AuthGeminiLogout",
-            label: request.label ?? null,
-            geminiAuthPath: geminiAuthRoot
-          }),
-          Effect.mapError(mapMenuAuthError),
-          Effect.zipRight(readAuthMenuSnapshot()),
-          Effect.mapError((error) =>
-            error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+        : request.flow === "GeminiLogout"
+          ? pipe(
+            authGeminiLogout({
+              _tag: "AuthGeminiLogout",
+              label: request.label ?? null,
+              geminiAuthPath: geminiAuthRoot
+            }),
+            Effect.mapError(mapMenuAuthError),
+            Effect.zipRight(readAuthMenuSnapshot()),
+            Effect.mapError((error) =>
+              error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+            )
           )
-        )
+          : request.flow === "GrokApiKey"
+            ? pipe(
+              authGrokLogin(
+                {
+                  _tag: "AuthGrokLogin",
+                  label: request.label ?? null,
+                  grokAuthPath: grokAuthRoot,
+                  isWeb: true
+                },
+                request.apiKey ?? ""
+              ),
+              Effect.mapError(mapMenuAuthError),
+              Effect.zipRight(readAuthMenuSnapshot()),
+              Effect.mapError((error) =>
+                error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+              )
+            )
+            : pipe(
+              authGrokLogout({
+                _tag: "AuthGrokLogout",
+                label: request.label ?? null,
+                grokAuthPath: grokAuthRoot
+              }),
+              Effect.mapError(mapMenuAuthError),
+              Effect.zipRight(readAuthMenuSnapshot()),
+              Effect.mapError((error) =>
+                error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+              )
+            )

packages/api/src/services/auth-terminal-sessions.ts

@@ -71,7 +71,9 @@ const resolveCommandLabel = (request: AuthTerminalSessionRequest): string => {
   const suffix = label === undefined || label.length === 0 ? "" : ` [${label}]`
   return request.flow === "ClaudeOauth"
     ? `docker-git menu auth claude oauth${suffix}`
-    : `docker-git menu auth gemini oauth${suffix}`
+    : request.flow === "GeminiOauth"
+      ? `docker-git menu auth gemini oauth${suffix}`
+      : `docker-git menu auth grok oauth${suffix}`
 }
 
 const resolveRunnerArgs = (flow: AuthTerminalFlow, label: string | null | undefined): ReadonlyArray<string> => {

packages/api/src/services/container-tasks-core.ts

@@ -17,7 +17,7 @@ export type ManagedAgentPid = {
   readonly pid: number
 }
 
-const interactiveAgentPattern = /\b(codex|claude|opencode|gemini)\b/u
+const interactiveAgentPattern = /\b(codex|claude|opencode|gemini|grok)\b/u
 
 const hasInteractiveTty = (process: RawContainerProcess): boolean =>
   process.tty !== "?" && process.tty.trim().length > 0

packages/api/src/services/federation.ts

@@ -1695,7 +1695,7 @@ const resolveAgentProvider = (
   subscription: FollowSubscription | undefined
 ): AgentProvider => {
   const raw = subscription?.agentProvider ?? process.env["DOCKER_GIT_EXCHANGE_AGENT_PROVIDER"]
-  return raw === "claude" || raw === "opencode" || raw === "custom" ? raw : "codex"
+  return raw === "claude" || raw === "opencode" || raw === "grok" || raw === "custom" ? raw : "codex"
 }
 
 const buildTaskPrompt = (issue: FederationIssueRecord): string => {
@@ -1730,6 +1730,9 @@ const buildAgentCommand = (
   if (provider === "opencode") {
     return `opencode run ${shellEscape(prompt)}`
   }
+  if (provider === "grok") {
+    return `MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox -p ${shellEscape(prompt)}`
+  }
   if (provider === "custom") {
     return `sh -lc ${shellEscape(`printf '%s\n' ${shellEscape(prompt)}`)}`
   }