From fa75cef03ca882c23ddc91951e97c23ff3096f70 Mon Sep 17 00:00:00 2001
From: ilya-bov <111734093+ilya-bov@users.noreply.github.com>
Date: Fri, 6 Mar 2026 23:32:44 +0300
Subject: [PATCH] Fix OAuth file permissions automatically on Docker startup
---
 Dockerfile | 4 +++-
 README.md | 4 ++--
 scripts/docker-entrypoint.sh | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 scripts/docker-entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
index ec48fb2..192d1a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,11 +67,13 @@ RUN npm install --omit=dev --no-package-lock
 COPY --from=builder /app/.next ./.next
 COPY --from=builder /app/next.config.mjs ./next.config.mjs
 COPY --from=builder /app/bundled-skills ./bundled-skills
+COPY --from=builder /app/scripts/docker-entrypoint.sh ./scripts/docker-entrypoint.sh
 RUN mkdir -p /app/data/tmp /app/data/ms-playwright /app/data/npm-cache /app/data/.cache \
+ && chmod +x /app/scripts/docker-entrypoint.sh \
 && chown -R node:node /app "${PYTHON_VENV}"
 USER node
 EXPOSE 3000
-CMD ["npm", "run", "start"]
+CMD ["/app/scripts/docker-entrypoint.sh"]
diff --git a/README.md b/README.md
index 40b5c85..295d708 100644
--- a/README.md
+++ b/README.md
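Review bot: The new `CMD ["/app/scripts/docker-entrypoint.sh"]` runs after `USER node`, so the script's `sudo chown`/`sudo chmod` calls can only succeed if the image grants `node` passwordless sudo, which is not visible in this hunk. If that rule exists, the `USER node` drop no longer confines the app, because anything running as `node` can become root inside the container; if it does not exist, the startup fix silently does nothing. Consider starting the container as root with `ENTRYPOINT ["/app/scripts/docker-entrypoint.sh"]` and keeping `CMD ["npm", "run", "start"]`, with the script fixing ownership and then dropping to `node` (for example via `setpriv` or `gosu`) before `exec "$@"`, so no sudo rule is needed at runtime.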
@@ -262,8 +262,8 @@ Use one host consistently. Browser storage/cookies are origin-scoped.
 Run `docker compose logs --tail 200 app` and verify `.env` values.
 3. Codex/Gemini OAuth says "token file was not found" on VPS
-Eggent reads OAuth files from the runtime user home (for Docker default user this is `/home/node`).
-Run CLI login as that same user (`docker compose exec -u node app codex login`, `docker compose exec -u node app gemini`) or set `CODEX_AUTH_FILE` / `GEMINI_OAUTH_CREDS_FILE` / `GEMINI_SETTINGS_FILE` in `.env`.
+Eggent auto-discovers OAuth files in common home directories and in `data/.codex` + `data/.gemini`.
+For Docker, place files in `data/.codex/auth.json`, `data/.gemini/oauth_creds.json`, `data/.gemini/settings.json`, then recreate container (`docker compose up -d --build --force-recreate app`) so startup hook can normalize file permissions for `node`.
 4. Linux Docker permissions issues
 Try with `sudo docker ...` or add your user to the `docker` group.
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
new file mode 100644
index 0000000..9f5bc69
--- /dev/null
+++ b/scripts/docker-entrypoint.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+fix_auth_dir() {
+ local dir="$1"
+ if [[ ! -d "$dir" ]]; then
+ return 0
+ fi
+
+ # data/ can be bind-mounted with root ownership from host;
+ # fix only OAuth directories to keep startup fast and scoped.
+ sudo chown node:node "$dir" >/dev/null 2>&1 || true
+ sudo chmod 700 "$dir" >/dev/null 2>&1 || true
+}
+
+fix_auth_file() {
+ local file_path="$1"
+ if [[ ! -f "$file_path" ]]; then
+ return 0
+ fi
+
+ sudo chown node:node "$file_path" >/dev/null 2>&1 || true
+ sudo chmod 600 "$file_path" >/dev/null 2>&1 || true
+}
+
+fix_auth_dir "/app/data/.codex"
+fix_auth_dir "/app/data/.gemini"
+
+fix_auth_file "/app/data/.codex/auth.json"
+fix_auth_file "/app/data/.gemini/oauth_creds.json"
+fix_auth_file "/app/data/.gemini/settings.json"
+
+exec npm run start
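Review bot: Every `sudo chown`/`sudo chmod` in `fix_auth_dir` and `fix_auth_file` ends in `>/dev/null 2>&1 || true`, so when sudo is missing, wants a password, or the call fails, the container still starts and the operator sees the same "token file was not found" symptom with nothing in the logs. Both helpers also follow symlinks: `[[ -d ... ]]` and `[[ -f ... ]]` are true for a link, and the privileged chown/chmod then lands on the link target, which matters because `data/` is a bind mount the app is expected to write to. I would skip symlinks, use `sudo -n` so startup can never block on a prompt, and print a warning to stderr on failure. The same change applies to `fix_auth_dir` with `-d` and mode 700.

```shell
fix_auth_file() {
  local file_path="$1"
  # Skip symlinks: a privileged chown/chmod would act on the link target.
  if [[ -L "$file_path" || ! -f "$file_path" ]]; then
    return 0
  fi

  # -n: fail instead of prompting; keep stderr so the cause reaches the logs.
  if ! sudo -n chown node:node -- "$file_path" \
    || ! sudo -n chmod 600 -- "$file_path"; then
    printf 'warn: could not fix permissions on %s\n' "$file_path" >&2
  fi
}
```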