feat: make GEMINI_AUTH=oauth authenticate in Docker
Some checks failed
Release / semantic-release (push) Successful in 25s
tests / Unit tests (Linux, Python 3.11) (push) Failing after 5m17s
Release / build-linux (push) Failing after 7m8s
Release / build-windows (push) Has been cancelled
Release / build-macos (arm64, macos-latest) (push) Has been cancelled
Release / build-macos (x64, macos-15-intel) (push) Has been cancelled
Release / release-main (push) Has been cancelled
Release / release-develop (push) Has been cancelled

OAuth cannot be done interactively in the headless container, so the login
must be seeded into the mounted ~/.gemini. Three problems are fixed:

- Mount fragility on the Windows Docker Desktop target: the creds mount
  defaulted to ${HOME}/.config/javis/gemini, but ${HOME} is often unset when
  compose runs outside a WSL shell, silently mounting the wrong dir. Default is
  now the project-local ./docker/gemini-oauth (cross-platform), GEMINI_OAUTH_DIR
  still overrides.
- No visibility: when oauth is selected but no login is seeded, the path
  silently degraded to DDG/Brave. Added gemini_oauth_ready() + a one-time debug
  hint and a startup entrypoint warning (skipped on the browser role, fail-open).
- Seeding guidance: oauth_creds.json is the essential credential (refresh token;
  GOOGLE_GENAI_USE_GCA=true forces OAuth), which is what the readiness check and
  warning verify; docs recommend copying the whole ~/.gemini for convenience.

Adds docker/gemini-oauth/ seed dir (.gitkeep) with the login files gitignored,
GEMINI_OAUTH_DIR in .env.example, and updates DEPLOY.md, stream_browser_modes.md
and llm_contexts.md. Covered by 3 new tests (10 passed total).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
javis-bot
2026-06-22 18:05:22 +09:00
parent 53be1567b1
commit 5b6a67963a
10 changed files with 154 additions and 14 deletions

View File

@@ -61,9 +61,19 @@ human-style input (visible on its VNC).
- Install the NVIDIA driver on Windows and enable GPU in Docker Desktop
(Settings → Resources → WSL Integration). Use the `gpu-windows.yml` override.
- Paths: named volumes are cross-platform. The Gemini OAuth bind mount defaults
to `${HOME}/.config/javis/gemini` (works under WSL); override `GEMINI_OAUTH_DIR`
if needed.
- Paths: named volumes are cross-platform. The Gemini OAuth login (for
`GEMINI_AUTH=oauth`) is bind-mounted from the project-local `./docker/gemini-oauth`
into the container's `~/.gemini`. A project-relative path is used so it resolves
the same on Windows Docker Desktop and Linux (`${HOME}` is often unset when
compose runs from PowerShell/cmd). Seed it once from a machine with a browser and
the logged-in Gemini CLI (`npm i -g @google/gemini-cli`, then `gemini` ->
"Sign in with Google"), copying the login state:
`cp -r ~/.gemini/. docker/gemini-oauth/`. The essential file is `oauth_creds.json`
(it holds the refresh token; `GOOGLE_GENAI_USE_GCA=true` forces OAuth, so that is
the file the startup readiness check looks for) - copying the whole dir simply also
carries the cached account/settings. To reuse an existing host login without
copying, set `GEMINI_OAUTH_DIR=~/.gemini` in `.env`. If unseeded, real-time search
fail-opens to DDG/Brave and the container logs a `🔑` warning on startup.
## Known limitation