fix(shell): sanitize compose env files and gate docker-git build

Author: skulidropek

.github/workflows/check.yml

@@ -23,6 +23,8 @@ jobs:
       - uses: actions/checkout@v6
       - name: Install dependencies
         uses: ./.github/actions/setup
+      - name: Build (docker-git package)
+        run: pnpm --filter ./packages/app build
 
   types:
     name: Types

packages/lib/src/usecases/compose-env-files.ts

@@ -0,0 +1,50 @@
+import type { PlatformError } from "@effect/platform/Error"
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { Effect } from "effect"
+
+import type { TemplateConfig } from "../core/domain.js"
+import { resolvePathFromBase } from "./auth-sync-helpers.js"
+import { sanitizeComposeEnvFile } from "./env-file.js"
+
+const formatInvalidLineNumbers = (lineNumbers: ReadonlyArray<number>): string => lineNumbers.join(", ")
+
+const sanitizeTemplateEnvPath = (
+  fs: FileSystem.FileSystem,
+  envPath: string
+): Effect.Effect<void, PlatformError> =>
+  sanitizeComposeEnvFile(fs, envPath).pipe(
+    Effect.flatMap((invalidLines) =>
+      invalidLines.length === 0
+        ? Effect.void
+        : Effect.logWarning(
+          `Sanitized ${envPath} for docker compose by removing invalid lines: ${
+            formatInvalidLineNumbers(invalidLines.map((entry) => entry.lineNumber))
+          }.`
+        )
+    )
+  )
+
+// CHANGE: sanitize project env files before docker compose consumes them
+// WHY: docker compose rejects merge markers and shell-only syntax in env_file inputs
+// QUOTE(ТЗ): n/a
+// REF: user-request-2026-02-26-invalid-project-env
+// SOURCE: n/a
+// FORMAT THEOREM: ∀cfg: sanitize(cfg) → compose_safe(env_global(cfg)) ∧ compose_safe(env_project(cfg))
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError, FileSystem | Path>
+// INVARIANT: only project env files are rewritten; missing files are ignored
+// COMPLEXITY: O(n) where n = |env_global| + |env_project|
+export const sanitizeTemplateComposeEnvFiles = (
+  baseDir: string,
+  template: Pick<TemplateConfig, "envGlobalPath" | "envProjectPath">
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    const fs = yield* _(FileSystem.FileSystem)
+    const path = yield* _(Path.Path)
+    const globalEnvPath = resolvePathFromBase(path, baseDir, template.envGlobalPath)
+    const projectEnvPath = resolvePathFromBase(path, baseDir, template.envProjectPath)
+
+    yield* _(sanitizeTemplateEnvPath(fs, globalEnvPath))
+    yield* _(sanitizeTemplateEnvPath(fs, projectEnvPath))
+  })

packages/lib/src/usecases/env-file.ts

@@ -8,6 +8,16 @@ type EnvEntry = {
   readonly value: string
 }
 
+export type InvalidComposeEnvLine = {
+  readonly lineNumber: number
+  readonly content: string
+}
+
+export type ComposeEnvInspection = {
+  readonly sanitized: string
+  readonly invalidLines: ReadonlyArray<InvalidComposeEnvLine>
+}
+
 const splitLines = (input: string): ReadonlyArray<string> =>
   input.replaceAll("\r\n", "\n").replaceAll("\r", "\n").split("\n")
 
@@ -70,6 +80,19 @@ const parseEnvLine = (line: string): EnvEntry | null => {
   return { key, value }
 }
 
+const inspectComposeEnvLine = (line: string): string | null => {
+  const trimmed = line.trim()
+  if (trimmed.length === 0) {
+    return ""
+  }
+  if (trimmed.startsWith("#")) {
+    return trimmed
+  }
+
+  const parsed = parseEnvLine(line)
+  return parsed ? `${parsed.key}=${parsed.value}` : null
+}
+
 // CHANGE: parse env file contents into key/value entries
 // WHY: allow updating shared auth env deterministically
 // QUOTE(ТЗ): "система авторизации"
@@ -151,6 +174,73 @@ export const upsertEnvKey = (input: string, key: string, value: string): string
 // COMPLEXITY: O(n) where n = |lines|
 export const removeEnvKey = (input: string, key: string): string => upsertEnvKey(input, key, "")
 
+// CHANGE: inspect compose env text and canonicalize supported assignments
+// WHY: docker compose env_file rejects merge markers and shell-only syntax
+// QUOTE(ТЗ): n/a
+// REF: user-request-2026-02-26-invalid-project-env
+// SOURCE: n/a
+// FORMAT THEOREM: ∀l ∈ lines(input): valid_env(l) ∨ comment(l) ∨ empty(l) → l ∈ sanitized(input)
+// PURITY: CORE
+// INVARIANT: invalid non-comment lines are removed and reported with 1-based line numbers
+// COMPLEXITY: O(n) where n = |lines|
+export const inspectComposeEnvText = (input: string): ComposeEnvInspection => {
+  const sanitizedLines: Array<string> = []
+  const invalidLines: Array<InvalidComposeEnvLine> = []
+  const lines = splitLines(input)
+
+  for (const [index, line] of lines.entries()) {
+    const sanitizedLine = inspectComposeEnvLine(line)
+
+    if (sanitizedLine === null) {
+      invalidLines.push({
+        lineNumber: index + 1,
+        content: line
+      })
+      continue
+    }
+
+    sanitizedLines.push(sanitizedLine)
+  }
+
+  return {
+    sanitized: normalizeEnvText(joinLines(sanitizedLines)),
+    invalidLines
+  }
+}
+
+// CHANGE: sanitize compose env file contents in place
+// WHY: make docker compose env_file inputs deterministic and parseable
+// QUOTE(ТЗ): n/a
+// REF: user-request-2026-02-26-invalid-project-env
+// SOURCE: n/a
+// FORMAT THEOREM: ∀p: exists_file(p) → compose_safe(read(p)) after sanitize(p)
+// PURITY: SHELL
+// EFFECT: Effect<ReadonlyArray<InvalidComposeEnvLine>, PlatformError, FileSystem>
+// INVARIANT: missing or non-file paths are ignored
+// COMPLEXITY: O(n) where n = |file|
+export const sanitizeComposeEnvFile = (
+  fs: FileSystem.FileSystem,
+  envPath: string
+): Effect.Effect<ReadonlyArray<InvalidComposeEnvLine>, PlatformError> =>
+  Effect.gen(function*(_) {
+    const exists = yield* _(fs.exists(envPath))
+    if (!exists) {
+      return []
+    }
+
+    const info = yield* _(fs.stat(envPath))
+    if (info.type !== "File") {
+      return []
+    }
+
+    const current = yield* _(fs.readFileString(envPath))
+    const inspected = inspectComposeEnvText(current)
+    if (inspected.sanitized !== normalizeEnvText(current)) {
+      yield* _(fs.writeFileString(envPath, inspected.sanitized))
+    }
+    return inspected.invalidLines
+  })
+
 export const defaultEnvContents = "# docker-git env\n# KEY=value\n"
 
 // CHANGE: ensure env file exists

packages/lib/tests/usecases/env-file.test.ts

@@ -0,0 +1,80 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+
+import { inspectComposeEnvText, sanitizeComposeEnvFile } from "../../src/usecases/env-file.js"
+
+const withTempDir = <A, E, R>(
+  use: (tempDir: string) => Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R | FileSystem.FileSystem> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const fs = yield* _(FileSystem.FileSystem)
+      const tempDir = yield* _(
+        fs.makeTempDirectoryScoped({
+          prefix: "docker-git-env-file-"
+        })
+      )
+      return yield* _(use(tempDir))
+    })
+  )
+
+describe("inspectComposeEnvText", () => {
+  it("drops merge conflict markers and canonicalizes docker compose env assignments", () => {
+    const input = [
+      "# docker-git env",
+      " export GITHUB_TOKEN = token-1 ",
+      "<<<<<<< Updated upstream",
+      "=======",
+      ">>>>>>> Stashed changes",
+      " CODEX_SHARE_AUTH = 1 ",
+      ""
+    ].join("\n")
+
+    const inspected = inspectComposeEnvText(input)
+
+    expect(inspected.invalidLines.map((line) => line.lineNumber)).toEqual([3, 4, 5])
+    expect(inspected.sanitized).toBe([
+      "# docker-git env",
+      "GITHUB_TOKEN=token-1",
+      "CODEX_SHARE_AUTH=1",
+      ""
+    ].join("\n"))
+  })
+
+  it.effect("sanitizes compose env files in place before docker compose reads them", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const envPath = path.join(root, "project.env")
+
+        yield* _(
+          fs.writeFileString(
+            envPath,
+            [
+              "# docker-git env",
+              " export GITHUB_TOKEN = token-1 ",
+              "<<<<<<< Updated upstream",
+              "BAD LINE",
+              " CODEX_SHARE_AUTH = 1 ",
+              ""
+            ].join("\n")
+          )
+        )
+
+        const invalidLines = yield* _(sanitizeComposeEnvFile(fs, envPath))
+        const sanitized = yield* _(fs.readFileString(envPath))
+
+        expect(invalidLines.map((line) => line.lineNumber)).toEqual([3, 4])
+        expect(sanitized).toBe([
+          "# docker-git env",
+          "GITHUB_TOKEN=token-1",
+          "CODEX_SHARE_AUTH=1",
+          ""
+        ].join("\n"))
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+})