diff --git a/README.md b/README.md
index 84c9ca20..17a6f001 100644
--- a/README.md
+++ b/README.md
@@ -25,8 +25,14 @@ bun run docker-git --help
 docker-git auth github login --web
 docker-git auth codex login --web
 docker-git auth claude login --web
+docker-git auth grok login --web
 ```
 
+Grok support uses the official xAI CLI installer from `https://x.ai/cli/install.sh`
+and the CLI device-code login flow. API-key auth can also be stored under the
+selected Grok account label via `GROK_DEPLOYMENT_KEY`, `GROK_API_KEY`, or
+`XAI_API_KEY`.
+
 ## CLI пример
 
 Можно передавать ссылку на репозиторий, ветку (`/tree/...`), issue или PR.
@@ -44,8 +50,8 @@ docker-git clone https://github.com/ProverCoderAI/docker-git/issues/122 --force
 docker-git clone https://github.com/ProverCoderAI/docker-git/issues/122 --force --auto
 ```
 
-- `--auto` сам выбирает Claude или Codex по доступной авторизации. Если доступны оба, выбор случайный.
-- `--auto=claude` или `--auto=codex` принудительно выбирает агента.
+- `--auto` сам выбирает Claude, Codex, Gemini или Grok по доступной авторизации. Если доступно несколько, выбор случайный.
+- `--auto=claude`, `--auto=codex`, `--auto=gemini` или `--auto=grok` принудительно выбирает агента.
 - В auto-режиме агент сам выполняет задачу, создаёт PR и после завершения контейнер очищается.
 
 Применение конфигурации:
diff --git a/packages/api/src/api/contracts.ts b/packages/api/src/api/contracts.ts
index 874d0759..6117d0f4 100644
--- a/packages/api/src/api/contracts.ts
+++ b/packages/api/src/api/contracts.ts
@@ -1,6 +1,6 @@
 export type ProjectStatus = "running" | "stopped" | "unknown"
 
-export type AgentProvider = "codex" | "opencode" | "claude" | "custom"
+export type AgentProvider = "codex" | "opencode" | "claude" | "grok" | "custom"
 
 export type AgentStatus = "starting" | "running" | "stopping" | "stopped" | "exited" | "failed"
 
@@ -183,19 +183,23 @@ export type AuthMenuFlow =
   | "ClaudeLogout"
   | "GeminiApiKey"
   | "GeminiLogout"
+  | "GrokApiKey"
+  | "GrokLogout"
 
-export type AuthTerminalFlow = "ClaudeOauth" | "GeminiOauth"
+export type AuthTerminalFlow = "ClaudeOauth" | "GeminiOauth" | "GrokOauth"
 
 export type AuthSnapshot = {
   readonly globalEnvPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly totalEntries: number
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly gitUserEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
 }
 
 export type AuthMenuRequest = {
@@ -249,6 +253,8 @@ export type ProjectAuthFlow =
   | "ProjectClaudeDisconnect"
   | "ProjectGeminiConnect"
   | "ProjectGeminiDisconnect"
+  | "ProjectGrokConnect"
+  | "ProjectGrokDisconnect"
 
 export type ProjectAuthSnapshot = {
   readonly projectDir: string
@@ -257,14 +263,17 @@ export type ProjectAuthSnapshot = {
   readonly envProjectPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
   readonly activeGithubLabel: string | null
   readonly activeGitLabel: string | null
   readonly activeClaudeLabel: string | null
   readonly activeGeminiLabel: string | null
+  readonly activeGrokLabel: string | null
 }
 
 export type ProjectAuthRequest = {
@@ -272,7 +281,7 @@ export type ProjectAuthRequest = {
   readonly label?: string | null | undefined
 }
 
-export type ProjectPromptKind = "claude" | "codex" | "gemini"
+export type ProjectPromptKind = "claude" | "codex" | "gemini" | "grok"
 
 export type ProjectPromptFile = {
   readonly kind: ProjectPromptKind
@@ -302,6 +311,7 @@ export type ProjectSkillScope =
   | "claude/skills"
   | "codex/skills"
   | "gemini/skills"
+  | "grok/skills"
 
 export type ProjectSkillFile = {
   readonly id: string
@@ -400,6 +410,8 @@ export type CreateProjectRequest = {
   readonly skipGithubAuth?: boolean | undefined
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
+  readonly geminiTokenLabel?: string | undefined
+  readonly grokTokenLabel?: string | undefined
   readonly agentAutoMode?: string | undefined
   readonly up?: boolean | undefined
   readonly openSsh?: boolean | undefined
diff --git a/packages/api/src/api/schema.ts b/packages/api/src/api/schema.ts
index ac73bb6f..31271a85 100644
--- a/packages/api/src/api/schema.ts
+++ b/packages/api/src/api/schema.ts
@@ -34,6 +34,8 @@ export const CreateProjectRequestSchema = Schema.Struct({
   skipGithubAuth: OptionalBoolean,
   codexTokenLabel: OptionalString,
   claudeTokenLabel: OptionalString,
+  geminiTokenLabel: OptionalString,
+  grokTokenLabel: OptionalString,
   agentAutoMode: OptionalString,
   up: OptionalBoolean,
   openSsh: OptionalBoolean,
@@ -60,10 +62,12 @@ export const AuthMenuFlowSchema = Schema.Literal(
   "GitRemove",
   "ClaudeLogout",
   "GeminiApiKey",
-  "GeminiLogout"
+  "GeminiLogout",
+  "GrokApiKey",
+  "GrokLogout"
 )
 
-export const AuthTerminalFlowSchema = Schema.Literal("ClaudeOauth", "GeminiOauth")
+export const AuthTerminalFlowSchema = Schema.Literal("ClaudeOauth", "GeminiOauth", "GrokOauth")
 
 export const AuthMenuRequestSchema = Schema.Struct({
   flow: AuthMenuFlowSchema,
@@ -107,7 +111,9 @@ export const ProjectAuthFlowSchema = Schema.Literal(
   "ProjectClaudeConnect",
   "ProjectClaudeDisconnect",
   "ProjectGeminiConnect",
-  "ProjectGeminiDisconnect"
+  "ProjectGeminiDisconnect",
+  "ProjectGrokConnect",
+  "ProjectGrokDisconnect"
 )
 
 export const ProjectAuthRequestSchema = Schema.Struct({
@@ -115,7 +121,7 @@ export const ProjectAuthRequestSchema = Schema.Struct({
   label: OptionalNullableString
 })
 
-export const ProjectPromptKindSchema = Schema.Literal("claude", "codex", "gemini")
+export const ProjectPromptKindSchema = Schema.Literal("claude", "codex", "gemini", "grok")
 
 export const ProjectPromptUpdateRequestSchema = Schema.Struct({
   content: Schema.String
@@ -127,7 +133,8 @@ export const ProjectSkillScopeSchema = Schema.Literal(
   "agents/.skills",
   "claude/skills",
   "codex/skills",
-  "gemini/skills"
+  "gemini/skills",
+  "grok/skills"
 )
 
 export const ProjectSkillUpdateRequestSchema = Schema.Struct({
@@ -246,7 +253,7 @@ export const ProjectDatabaseForwardSchema = Schema.Struct({
   targetPort: Schema.Number
 })
 
-export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "custom")
+export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "grok", "custom")
 
 export const AgentEnvVarSchema = Schema.Struct({
   key: Schema.String,
diff --git a/packages/api/src/auth-terminal-runner.ts b/packages/api/src/auth-terminal-runner.ts
index 2b624d6d..4bc5007d 100644
--- a/packages/api/src/auth-terminal-runner.ts
+++ b/packages/api/src/auth-terminal-runner.ts
@@ -1,11 +1,16 @@
 import { NodeContext, NodeRuntime } from "@effect/platform-node"
-import { authClaudeLogin, authGeminiLoginOauth } from "@effect-template/lib"
+import { authClaudeLogin, authGeminiLoginOauth, authGrokLoginOauth } from "@effect-template/lib"
 import { Effect, Match } from "effect"
 
-type AuthTerminalRunnerFlow = "ClaudeOauth" | "GeminiOauth"
+type AuthTerminalRunnerFlow = "ClaudeOauth" | "GeminiOauth" | "GrokOauth"
 
-const parseFlow = (value: string | undefined): AuthTerminalRunnerFlow =>
-  value === "ClaudeOauth" || value === "GeminiOauth" ? value : "ClaudeOauth"
+const parseFlow = (value: string | undefined): AuthTerminalRunnerFlow => {
+  if (value === "ClaudeOauth" || value === "GeminiOauth" || value === "GrokOauth") {
+    return value
+  }
+  process.stderr.write(`Unsupported auth terminal flow: ${value ?? "<empty>"}\n`)
+  process.exit(2)
+}
 
 const parseLabel = (value: string | undefined): string | null => {
   const trimmed = value?.trim() ?? ""
@@ -29,6 +34,13 @@ const program = Match.value(flow).pipe(
       geminiAuthPath: ".docker-git/.orch/auth/gemini",
       isWeb: false
     })),
+  Match.when("GrokOauth", () =>
+    authGrokLoginOauth({
+      _tag: "AuthGrokLogin",
+      label,
+      grokAuthPath: ".docker-git/.orch/auth/grok",
+      isWeb: false
+    })),
   Match.exhaustive
 )
 
diff --git a/packages/api/src/http.ts b/packages/api/src/http.ts
index 266571fc..efdf486f 100644
--- a/packages/api/src/http.ts
+++ b/packages/api/src/http.ts
@@ -1,4 +1,4 @@
-import { Chunk, Duration, Effect, Ref } from "effect"
+import { Chunk, Duration, Effect, Match, Ref } from "effect"
 import * as Stream from "effect/Stream"
 import type { PlatformError } from "@effect/platform/Error"
 import type * as HttpBody from "@effect/platform/HttpBody"
@@ -182,7 +182,7 @@ const ProjectDatabaseProfileParamsSchema = Schema.Struct({
 
 const ProjectPromptParamsSchema = Schema.Struct({
   projectId: Schema.String,
-  kind: Schema.Literal("claude", "codex", "gemini")
+  kind: Schema.Literal("claude", "codex", "gemini", "grok")
 })
 
 const ProjectSkillParamsSchema = Schema.Struct({
@@ -427,55 +427,43 @@ const readProjectSkillUpdateRequest = () => HttpServerRequest.schemaBodyJson(Pro
 const readActiveProjectTerminalSessionRequest = () =>
   HttpServerRequest.schemaBodyJson(ActiveProjectTerminalSessionRequestSchema)
 
-const skillScopeFromId = (scopeId: string): ProjectSkillScope | null => {
-  switch (scopeId) {
-    case "skills":
-      return "skills"
-    case "agents-skills":
-      return "agents/skills"
-    case "agents-dot-skills":
-      return "agents/.skills"
-    case "claude-skills":
-      return "claude/skills"
-    case "codex-skills":
-      return "codex/skills"
-    case "gemini-skills":
-      return "gemini/skills"
-    default:
-      return null
-  }
-}
+const projectSkillScope = (scope: ProjectSkillScope): ProjectSkillScope => scope
+
+const skillScopeFromId = (scopeId: string): ProjectSkillScope | null =>
+  Match.value(scopeId).pipe(
+    Match.when("skills", () => projectSkillScope("skills")),
+    Match.when("agents-skills", () => projectSkillScope("agents/skills")),
+    Match.when("agents-dot-skills", () => projectSkillScope("agents/.skills")),
+    Match.when("claude-skills", () => projectSkillScope("claude/skills")),
+    Match.when("codex-skills", () => projectSkillScope("codex/skills")),
+    Match.when("gemini-skills", () => projectSkillScope("gemini/skills")),
+    Match.when("grok-skills", () => projectSkillScope("grok/skills")),
+    Match.orElse(() => null)
+  )
 
-export const skillScopeToId = (scope: ProjectSkillScope): string => {
-  switch (scope) {
-    case "skills":
-      return "skills"
-    case "agents/skills":
-      return "agents-skills"
-    case "agents/.skills":
-      return "agents-dot-skills"
-    case "claude/skills":
-      return "claude-skills"
-    case "codex/skills":
-      return "codex-skills"
-    case "gemini/skills":
-      return "gemini-skills"
-  }
-}
+export const skillScopeToId = (scope: ProjectSkillScope): string =>
+  Match.value(scope).pipe(
+    Match.when("skills", () => "skills"),
+    Match.when("agents/skills", () => "agents-skills"),
+    Match.when("agents/.skills", () => "agents-dot-skills"),
+    Match.when("claude/skills", () => "claude-skills"),
+    Match.when("codex/skills", () => "codex-skills"),
+    Match.when("gemini/skills", () => "gemini-skills"),
+    Match.when("grok/skills", () => "grok-skills"),
+    Match.exhaustive
+  )
 
-const skillScopeFromBody = (scope: string): ProjectSkillScope | null => {
-  switch (scope) {
-    case "skills":
-    case "agents/skills":
-    case "agents/.skills":
-    case "claude/skills":
-    case "codex/skills":
-    case "gemini/skills":
-      return scope as ProjectSkillScope
-    default:
-      return null
-  }
-}
+const skillScopeFromBody = (scope: string): ProjectSkillScope | null =>
+  Match.value(scope).pipe(
+    Match.when("skills", () => projectSkillScope("skills")),
+    Match.when("agents/skills", () => projectSkillScope("agents/skills")),
+    Match.when("agents/.skills", () => projectSkillScope("agents/.skills")),
+    Match.when("claude/skills", () => projectSkillScope("claude/skills")),
+    Match.when("codex/skills", () => projectSkillScope("codex/skills")),
+    Match.when("gemini/skills", () => projectSkillScope("gemini/skills")),
+    Match.when("grok/skills", () => projectSkillScope("grok/skills")),
+    Match.orElse(() => null)
+  )
 const readProjectPortForwardRequest = () => HttpServerRequest.schemaBodyJson(ProjectPortForwardRequestSchema)
 const readProjectDatabaseProfileRequest = () => HttpServerRequest.schemaBodyJson(ProjectDatabaseProfileRequestSchema)
 const readStateInitRequest = () => HttpServerRequest.schemaBodyJson(StateInitRequestSchema)
diff --git a/packages/api/src/services/agents.ts b/packages/api/src/services/agents.ts
index 6c60670c..0b3bf3e9 100644
--- a/packages/api/src/services/agents.ts
+++ b/packages/api/src/services/agents.ts
@@ -69,6 +69,9 @@ const pickDefaultCommand = (provider: CreateAgentRequest["provider"]): string =>
   if (provider === "claude") {
     return "MCP_PLAYWRIGHT_ISOLATED=1 claude"
   }
+  if (provider === "grok") {
+    return "MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox"
+  }
   return ""
 }
 
diff --git a/packages/api/src/services/auth-menu.ts b/packages/api/src/services/auth-menu.ts
index ed948d95..4a86ce3b 100644
--- a/packages/api/src/services/auth-menu.ts
+++ b/packages/api/src/services/auth-menu.ts
@@ -2,7 +2,7 @@ import * as FileSystem from "@effect/platform/FileSystem"
 import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
 import * as Path from "@effect/platform/Path"
-import { authClaudeLogout, authGeminiLogin, authGeminiLogout } from "@effect-template/lib/usecases/auth"
+import { authClaudeLogout, authGeminiLogin, authGeminiLogout, authGrokLogin, authGrokLogout } from "@effect-template/lib/usecases/auth"
 import { ensureEnvFile, parseEnvEntries, readEnvText, upsertEnvKey } from "@effect-template/lib/usecases/env-file"
 import { renderError, type AppError } from "@effect-template/lib/usecases/errors"
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
@@ -16,6 +16,7 @@ type MenuAuthRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.Comma
 
 const claudeAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/claude`
 const geminiAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/gemini`
+const grokAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/grok`
 const globalEnvPath = `${defaultProjectsRoot(process.cwd())}/.orch/env/global.env`
 
 const normalizeLabel = (value: string): string => {
@@ -102,18 +103,21 @@ export const readAuthMenuSnapshot = (): Effect.Effect<AuthSnapshot, PlatformErro
     Effect.flatMap(({ envText, fs, path }) =>
       Effect.all({
         claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthRoot),
-        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot)
+        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot),
+        grokAuthEntries: countAuthAccountDirectories(fs, path, grokAuthRoot)
       }).pipe(
-        Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
+        Effect.map(({ claudeAuthEntries, geminiAuthEntries, grokAuthEntries }) => ({
           globalEnvPath,
           claudeAuthPath: claudeAuthRoot,
           geminiAuthPath: geminiAuthRoot,
+          grokAuthPath: grokAuthRoot,
           totalEntries: parseEnvEntries(envText).filter((entry) => entry.value.trim().length > 0).length,
           githubTokenEntries: countKeyEntries(envText, "GITHUB_TOKEN"),
           gitTokenEntries: countKeyEntries(envText, "GIT_AUTH_TOKEN"),
           gitUserEntries: countKeyEntries(envText, "GIT_AUTH_USER"),
           claudeAuthEntries,
-          geminiAuthEntries
+          geminiAuthEntries,
+          grokAuthEntries
         }))
       )
     )
@@ -135,7 +139,11 @@ const syncMessage = (request: AuthMenuRequest): string =>
           ? `chore(state): auth claude logout ${canonicalLabel(request.label)}`
           : request.flow === "GeminiApiKey"
             ? `chore(state): auth gemini ${canonicalLabel(request.label)}`
-            : `chore(state): auth gemini logout ${canonicalLabel(request.label)}`
+            : request.flow === "GeminiLogout"
+              ? `chore(state): auth gemini logout ${canonicalLabel(request.label)}`
+              : request.flow === "GrokApiKey"
+                ? `chore(state): auth grok ${canonicalLabel(request.label)}`
+                : `chore(state): auth grok logout ${canonicalLabel(request.label)}`
 
 const writeEnvBackedAuthFlow = (
   request: AuthMenuRequest
@@ -213,15 +221,45 @@ export const runAuthMenuFlow = (
             error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
           )
         )
-        : pipe(
-          authGeminiLogout({
-            _tag: "AuthGeminiLogout",
-            label: request.label ?? null,
-            geminiAuthPath: geminiAuthRoot
-          }),
-          Effect.mapError(mapMenuAuthError),
-          Effect.zipRight(readAuthMenuSnapshot()),
-          Effect.mapError((error) =>
-            error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+        : request.flow === "GeminiLogout"
+          ? pipe(
+            authGeminiLogout({
+              _tag: "AuthGeminiLogout",
+              label: request.label ?? null,
+              geminiAuthPath: geminiAuthRoot
+            }),
+            Effect.mapError(mapMenuAuthError),
+            Effect.zipRight(readAuthMenuSnapshot()),
+            Effect.mapError((error) =>
+              error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+            )
           )
-        )
+          : request.flow === "GrokApiKey"
+            ? pipe(
+              authGrokLogin(
+                {
+                  _tag: "AuthGrokLogin",
+                  label: request.label ?? null,
+                  grokAuthPath: grokAuthRoot,
+                  isWeb: true
+                },
+                request.apiKey ?? ""
+              ),
+              Effect.mapError(mapMenuAuthError),
+              Effect.zipRight(readAuthMenuSnapshot()),
+              Effect.mapError((error) =>
+                error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+              )
+            )
+            : pipe(
+              authGrokLogout({
+                _tag: "AuthGrokLogout",
+                label: request.label ?? null,
+                grokAuthPath: grokAuthRoot
+              }),
+              Effect.mapError(mapMenuAuthError),
+              Effect.zipRight(readAuthMenuSnapshot()),
+              Effect.mapError((error) =>
+                error instanceof ApiBadRequestError ? error : new ApiBadRequestError({ message: String(error) })
+              )
+            )
diff --git a/packages/api/src/services/auth-terminal-sessions.ts b/packages/api/src/services/auth-terminal-sessions.ts
index 0ffc5781..4580f9b7 100644
--- a/packages/api/src/services/auth-terminal-sessions.ts
+++ b/packages/api/src/services/auth-terminal-sessions.ts
@@ -1,6 +1,6 @@
 import * as ParseResult from "@effect/schema/ParseResult"
 import * as Schema from "@effect/schema/Schema"
-import { Either, Effect } from "effect"
+import { Either, Effect, Match } from "effect"
 import { randomUUID } from "node:crypto"
 import { fileURLToPath } from "node:url"
 import type { IncomingMessage, Server as HttpServer } from "node:http"
@@ -69,9 +69,12 @@ const nowIso = (): string => new Date().toISOString()
 const resolveCommandLabel = (request: AuthTerminalSessionRequest): string => {
   const label = request.label?.trim()
   const suffix = label === undefined || label.length === 0 ? "" : ` [${label}]`
-  return request.flow === "ClaudeOauth"
-    ? `docker-git menu auth claude oauth${suffix}`
-    : `docker-git menu auth gemini oauth${suffix}`
+  return Match.value(request.flow).pipe(
+    Match.when("ClaudeOauth", () => `docker-git menu auth claude oauth${suffix}`),
+    Match.when("GeminiOauth", () => `docker-git menu auth gemini oauth${suffix}`),
+    Match.when("GrokOauth", () => `docker-git menu auth grok oauth${suffix}`),
+    Match.exhaustive
+  )
 }
 
 const resolveRunnerArgs = (flow: AuthTerminalFlow, label: string | null | undefined): ReadonlyArray<string> => {
diff --git a/packages/api/src/services/container-tasks-core.ts b/packages/api/src/services/container-tasks-core.ts
index 4aac9901..1b9850fd 100644
--- a/packages/api/src/services/container-tasks-core.ts
+++ b/packages/api/src/services/container-tasks-core.ts
@@ -17,7 +17,7 @@ export type ManagedAgentPid = {
   readonly pid: number
 }
 
-const interactiveAgentPattern = /\b(codex|claude|opencode|gemini)\b/u
+const interactiveAgentPattern = /\b(codex|claude|opencode|gemini|grok)\b/u
 
 const hasInteractiveTty = (process: RawContainerProcess): boolean =>
   process.tty !== "?" && process.tty.trim().length > 0
diff --git a/packages/api/src/services/federation.ts b/packages/api/src/services/federation.ts
index a43f7780..829cd77e 100644
--- a/packages/api/src/services/federation.ts
+++ b/packages/api/src/services/federation.ts
@@ -1695,7 +1695,7 @@ const resolveAgentProvider = (
   subscription: FollowSubscription | undefined
 ): AgentProvider => {
   const raw = subscription?.agentProvider ?? process.env["DOCKER_GIT_EXCHANGE_AGENT_PROVIDER"]
-  return raw === "claude" || raw === "opencode" || raw === "custom" ? raw : "codex"
+  return raw === "claude" || raw === "opencode" || raw === "grok" || raw === "custom" ? raw : "codex"
 }
 
 const buildTaskPrompt = (issue: FederationIssueRecord): string => {
@@ -1730,6 +1730,9 @@ const buildAgentCommand = (
   if (provider === "opencode") {
     return `opencode run ${shellEscape(prompt)}`
   }
+  if (provider === "grok") {
+    return `MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox -p ${shellEscape(prompt)}`
+  }
   if (provider === "custom") {
     return `sh -lc ${shellEscape(`printf '%s\n' ${shellEscape(prompt)}`)}`
   }
diff --git a/packages/api/src/services/project-auth.ts b/packages/api/src/services/project-auth.ts
index f5a4e18f..5924d816 100644
--- a/packages/api/src/services/project-auth.ts
+++ b/packages/api/src/services/project-auth.ts
@@ -9,6 +9,7 @@ import { renderError, type AppError } from "@effect-template/lib/usecases/errors
 import { defaultProjectsRoot } from "@effect-template/lib/usecases/menu-helpers"
 import { autoSyncState } from "@effect-template/lib/usecases/state-repo"
 import { normalizeAccountLabel } from "@effect-template/lib/usecases/auth-helpers"
+import { hasGrokAuthJsonCredentialText, hasGrokUserSettingsCredentialText } from "@effect-template/lib/usecases/auth-grok-credential-text"
 
 import type { ProjectAuthFlow, ProjectAuthRequest, ProjectAuthSnapshot, ProjectDetails } from "../api/contracts.js"
 import { ApiBadRequestError } from "../api/errors.js"
@@ -17,6 +18,7 @@ type ProjectAuthRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.Co
 
 const claudeAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/claude`
 const geminiAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/gemini`
+const grokAuthRoot = `${defaultProjectsRoot(process.cwd())}/.orch/auth/grok`
 const globalEnvPath = `${defaultProjectsRoot(process.cwd())}/.orch/env/global.env`
 
 const githubTokenBaseKey = "GITHUB_TOKEN"
@@ -26,7 +28,9 @@ const projectGithubLabelKey = "GITHUB_AUTH_LABEL"
 const projectGitLabelKey = "GIT_AUTH_LABEL"
 const projectClaudeLabelKey = "CLAUDE_AUTH_LABEL"
 const projectGeminiLabelKey = "GEMINI_AUTH_LABEL"
+const projectGrokLabelKey = "GROK_AUTH_LABEL"
 const defaultGitUser = "x-access-token"
+const grokEnvApiKeyNames: ReadonlyArray<string> = ["GROK_DEPLOYMENT_KEY", "GROK_API_KEY", "XAI_API_KEY"]
 
 const normalizeLabel = (value: string): string => {
   const trimmed = value.trim()
@@ -170,7 +174,8 @@ const hasClaudeAccountCredentials = (
 
 const hasApiKeyInEnvFile = (
   fs: FileSystem.FileSystem,
-  envFilePath: string
+  envFilePath: string,
+  key: string
 ): Effect.Effect<boolean, PlatformError> =>
   Effect.gen(function*(_) {
     const hasFile = yield* _(hasFileAtPath(fs, envFilePath))
@@ -179,12 +184,13 @@ const hasApiKeyInEnvFile = (
     }
 
     const envContent = yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))
+    const prefix = `${key}=`
     for (const line of envContent.split("\n")) {
       const trimmed = line.trim()
-      if (!trimmed.startsWith("GEMINI_API_KEY=")) {
+      if (!trimmed.startsWith(prefix)) {
         continue
       }
-      const value = trimmed.slice("GEMINI_API_KEY=".length).replaceAll(/^['"]|['"]$/g, "").trim()
+      const value = trimmed.slice(prefix.length).replaceAll(/^['"]|['"]$/g, "").trim()
       if (value.length > 0) {
         return true
       }
@@ -192,6 +198,20 @@ const hasApiKeyInEnvFile = (
     return false
   })
 
+const hasNonEmptyApiKeyFile = (
+  fs: FileSystem.FileSystem,
+  filePath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasFile = yield* _(hasFileAtPath(fs, filePath))
+    if (!hasFile) {
+      return false
+    }
+
+    const apiKey = yield* _(fs.readFileString(filePath), Effect.orElseSucceed(() => ""))
+    return apiKey.trim().length > 0
+  })
+
 const checkAnyFileExists = (
   fs: FileSystem.FileSystem,
   basePath: string,
@@ -217,7 +237,7 @@ const hasGeminiAccountCredentials = (
         return Effect.succeed(true)
       }
 
-      return hasApiKeyInEnvFile(fs, `${accountPath}/.env`).pipe(
+      return hasApiKeyInEnvFile(fs, `${accountPath}/.env`, "GEMINI_API_KEY").pipe(
         Effect.flatMap((hasEnvApiKey) => {
           if (hasEnvApiKey) {
             return Effect.succeed(true)
@@ -232,6 +252,62 @@ const hasGeminiAccountCredentials = (
     })
   )
 
+const hasGrokUserSettingsCredentials = (
+  fs: FileSystem.FileSystem,
+  settingsPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasFile = yield* _(hasFileAtPath(fs, settingsPath))
+    if (!hasFile) {
+      return false
+    }
+
+    const settingsText = yield* _(fs.readFileString(settingsPath), Effect.orElseSucceed(() => ""))
+    return hasGrokUserSettingsCredentialText(settingsText)
+  })
+
+const hasGrokAuthJsonCredentials = (
+  fs: FileSystem.FileSystem,
+  authJsonPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasFile = yield* _(hasFileAtPath(fs, authJsonPath))
+    if (!hasFile) {
+      return false
+    }
+
+    const authJsonText = yield* _(fs.readFileString(authJsonPath), Effect.orElseSucceed(() => ""))
+    return hasGrokAuthJsonCredentialText(authJsonText)
+  })
+
+const hasGrokAccountCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  hasNonEmptyApiKeyFile(fs, `${accountPath}/.api-key`).pipe(
+    Effect.flatMap((hasApiKey) => {
+      if (hasApiKey) {
+        return Effect.succeed(true)
+      }
+
+      return Effect.forEach(grokEnvApiKeyNames, (key) => hasApiKeyInEnvFile(fs, `${accountPath}/.env`, key)).pipe(
+        Effect.map((results) => results.some((result) => result)),
+        Effect.flatMap((hasEnvApiKey) => {
+          if (hasEnvApiKey) {
+            return Effect.succeed(true)
+          }
+          return hasGrokAuthJsonCredentials(fs, `${accountPath}/.grok/auth.json`).pipe(
+            Effect.flatMap((hasAuthJson) =>
+              hasAuthJson
+                ? Effect.succeed(true)
+                : hasGrokUserSettingsCredentials(fs, `${accountPath}/.grok/user-settings.json`)
+            )
+          )
+        })
+      )
+    })
+  )
+
 const resolveAccountCandidates = (authPath: string, accountLabel: string): ReadonlyArray<string> =>
   accountLabel === "default" ? [`${authPath}/default`, authPath] : [`${authPath}/${accountLabel}`]
 
@@ -298,23 +374,27 @@ export const readProjectAuthSnapshot = (
     Effect.flatMap(({ fs, path, globalEnvText, projectEnvText }) =>
       Effect.all({
         claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthRoot),
-        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot)
+        geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthRoot),
+        grokAuthEntries: countAuthAccountDirectories(fs, path, grokAuthRoot)
       }).pipe(
-        Effect.map(({ claudeAuthEntries, geminiAuthEntries }) => ({
+        Effect.map(({ claudeAuthEntries, geminiAuthEntries, grokAuthEntries }) => ({
           projectDir: project.projectDir,
           projectName: project.displayName,
           envGlobalPath: globalEnvPath,
           envProjectPath: project.envProjectPath,
           claudeAuthPath: claudeAuthRoot,
           geminiAuthPath: geminiAuthRoot,
+          grokAuthPath: grokAuthRoot,
           githubTokenEntries: countKeyEntries(globalEnvText, githubTokenBaseKey),
           gitTokenEntries: countKeyEntries(globalEnvText, gitTokenBaseKey),
           claudeAuthEntries,
           geminiAuthEntries,
+          grokAuthEntries,
           activeGithubLabel: findEnvValue(projectEnvText, projectGithubLabelKey),
           activeGitLabel: findEnvValue(projectEnvText, projectGitLabelKey),
           activeClaudeLabel: findEnvValue(projectEnvText, projectClaudeLabelKey),
-          activeGeminiLabel: findEnvValue(projectEnvText, projectGeminiLabelKey)
+          activeGeminiLabel: findEnvValue(projectEnvText, projectGeminiLabelKey),
+          activeGrokLabel: findEnvValue(projectEnvText, projectGrokLabelKey)
         }))
       )
     )
@@ -330,6 +410,8 @@ const resolveSyncMessage = (flow: ProjectAuthFlow, label: string, displayName: s
     Match.when("ProjectClaudeDisconnect", () => `chore(state): project auth claude logout ${displayName}`),
     Match.when("ProjectGeminiConnect", () => `chore(state): project auth gemini ${label} ${displayName}`),
     Match.when("ProjectGeminiDisconnect", () => `chore(state): project auth gemini logout ${displayName}`),
+    Match.when("ProjectGrokConnect", () => `chore(state): project auth grok ${label} ${displayName}`),
+    Match.when("ProjectGrokDisconnect", () => `chore(state): project auth grok logout ${displayName}`),
     Match.exhaustive
   )
 
@@ -405,6 +487,21 @@ const resolveProjectEnvUpdate = (
         Match.when("ProjectGeminiDisconnect", () =>
           Effect.succeed(upsertEnvKey(projectEnvText, projectGeminiLabelKey, ""))
         ),
+        Match.when("ProjectGrokConnect", () =>
+          findFirstCredentialsMatch(
+            fs,
+            resolveAccountCandidates(grokAuthRoot, normalizeAccountLabel(request.label ?? null, "default")),
+            hasGrokAccountCredentials
+          ).pipe(
+            Effect.flatMap((matched) =>
+              matched === null
+                ? Effect.fail(missingSecret("Grok credentials (.api-key, GROK_DEPLOYMENT_KEY, or auth.json)", normalizedLabel, grokAuthRoot))
+                : Effect.succeed(upsertEnvKey(projectEnvText, projectGrokLabelKey, normalizedLabel))
+            )
+          )),
+        Match.when("ProjectGrokDisconnect", () =>
+          Effect.succeed(upsertEnvKey(projectEnvText, projectGrokLabelKey, ""))
+        ),
         Match.exhaustive
       )
     }),
diff --git a/packages/api/src/services/project-prompts.ts b/packages/api/src/services/project-prompts.ts
index 5bbc84a6..19685271 100644
--- a/packages/api/src/services/project-prompts.ts
+++ b/packages/api/src/services/project-prompts.ts
@@ -6,7 +6,7 @@ import { Effect, pipe } from "effect"
 import type { ProjectDetails } from "../api/contracts.js"
 import { ApiBadRequestError } from "../api/errors.js"
 
-export type ProjectPromptKind = "claude" | "codex" | "gemini"
+export type ProjectPromptKind = "claude" | "codex" | "gemini" | "grok"
 
 export type ProjectPromptFile = {
   readonly kind: ProjectPromptKind
@@ -28,7 +28,8 @@ export type ProjectPromptsSnapshot = {
 const promptDescriptors: ReadonlyArray<{ kind: ProjectPromptKind; fileName: string }> = [
   { kind: "claude", fileName: "CLAUDE.md" },
   { kind: "codex", fileName: "AGENTS.md" },
-  { kind: "gemini", fileName: "GEMINI.md" }
+  { kind: "gemini", fileName: "GEMINI.md" },
+  { kind: "grok", fileName: "GROK.md" }
 ]
 
 const maxPromptBytes = 1024 * 256
diff --git a/packages/api/src/services/project-skills.ts b/packages/api/src/services/project-skills.ts
index 5e9f5982..db200e2c 100644
--- a/packages/api/src/services/project-skills.ts
+++ b/packages/api/src/services/project-skills.ts
@@ -13,6 +13,7 @@ export type ProjectSkillScope =
   | "claude/skills"
   | "codex/skills"
   | "gemini/skills"
+  | "grok/skills"
 
 export type ProjectSkillFile = {
   readonly id: string
@@ -39,7 +40,8 @@ const skillScopes: ReadonlyArray<{ scope: ProjectSkillScope; relativeRoot: strin
   { scope: "agents/.skills", relativeRoot: ".agents/.skills" },
   { scope: "claude/skills", relativeRoot: ".claude/skills" },
   { scope: "codex/skills", relativeRoot: ".codex/skills" },
-  { scope: "gemini/skills", relativeRoot: ".gemini/skills" }
+  { scope: "gemini/skills", relativeRoot: ".gemini/skills" },
+  { scope: "grok/skills", relativeRoot: ".grok/skills" }
 ]
 
 const skillFileName = "SKILL.md"
diff --git a/packages/api/src/services/projects.ts b/packages/api/src/services/projects.ts
index 89e6b7c5..a20c001a 100644
--- a/packages/api/src/services/projects.ts
+++ b/packages/api/src/services/projects.ts
@@ -438,6 +438,8 @@ const toCreateRawOptions = (request: CreateProjectRequest): RawOptions => ({
   ...(request.skipGithubAuth === undefined ? {} : { skipGithubAuth: request.skipGithubAuth }),
   ...(request.codexTokenLabel === undefined ? {} : { codexTokenLabel: request.codexTokenLabel }),
   ...(request.claudeTokenLabel === undefined ? {} : { claudeTokenLabel: request.claudeTokenLabel }),
+  ...(request.geminiTokenLabel === undefined ? {} : { geminiTokenLabel: request.geminiTokenLabel }),
+  ...(request.grokTokenLabel === undefined ? {} : { grokTokenLabel: request.grokTokenLabel }),
   ...(request.agentAutoMode === undefined ? {} : { agentAutoMode: request.agentAutoMode }),
   ...(request.up === undefined ? {} : { up: request.up }),
   ...(request.openSsh === undefined ? {} : { openSsh: request.openSsh }),
diff --git a/packages/api/tests/agents.test.ts b/packages/api/tests/agents.test.ts
index 35f6d9b7..438d4b87 100644
--- a/packages/api/tests/agents.test.ts
+++ b/packages/api/tests/agents.test.ts
@@ -17,6 +17,13 @@ describe("agent service", () => {
     )
   })
 
+  it("starts default Grok agents with isolated Playwright MCP and unrestricted sandbox", () => {
+    expect(buildCommand({ provider: "grok" })).toBe("MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox")
+    expect(buildCommand({ provider: "grok", args: ["-p", "hello world"] })).toBe(
+      "MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox '-p' 'hello world'"
+    )
+  })
+
   it("starts default OpenCode agents without extra env assignments", () => {
     expect(buildCommand({ provider: "opencode" })).toBe("opencode")
   })
diff --git a/packages/api/tests/project-auth.test.ts b/packages/api/tests/project-auth.test.ts
new file mode 100644
index 00000000..98355c22
--- /dev/null
+++ b/packages/api/tests/project-auth.test.ts
@@ -0,0 +1,322 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import type { PlatformError } from "@effect/platform/Error"
+import * as Path from "@effect/platform/Path"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+import * as Scope from "effect/Scope"
+import fc from "fast-check"
+import { vi } from "vitest"
+
+import type { ProjectDetails } from "../src/api/contracts.js"
+
+const grokOidcAuthScope = "https://auth.x.ai::b1a00492-073a-47ea-816f-4c329264a828"
+const grokLegacyAuthScope = "https://accounts.x.ai/sign-in"
+
+const withTempDir = <A, E, R>(
+  use: (tempDir: string) => Effect.Effect<A, E, R>
+): Effect.Effect<A, E | PlatformError, FileSystem.FileSystem | Exclude<R, Scope.Scope>> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const fs = yield* _(FileSystem.FileSystem)
+      const tempDir = yield* _(
+        fs.makeTempDirectoryScoped({
+          prefix: "docker-git-api-project-auth-"
+        })
+      )
+      return yield* _(use(tempDir))
+    })
+  )
+
+const withProjectsRoot = <A, E, R>(
+  projectsRoot: string,
+  effect: Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R> =>
+  Effect.scoped(
+    Effect.acquireRelease(
+      Effect.sync(() => {
+        const previous = process.env["DOCKER_GIT_PROJECTS_ROOT"]
+        process.env["DOCKER_GIT_PROJECTS_ROOT"] = projectsRoot
+        return previous
+      }),
+      (previous) =>
+        Effect.sync(() => {
+          if (previous === undefined) {
+            delete process.env["DOCKER_GIT_PROJECTS_ROOT"]
+          } else {
+            process.env["DOCKER_GIT_PROJECTS_ROOT"] = previous
+          }
+        })
+    ).pipe(Effect.flatMap(() => effect))
+  )
+
+const buildProjectDetails = (projectDir: string, envProjectPath: string, envGlobalPath: string): ProjectDetails => ({
+  id: projectDir,
+  projectKey: "org/repo",
+  displayName: "org/repo",
+  repoUrl: "https://git.example.test/org/repo.git",
+  repoRef: "main",
+  containerName: "dg-project-auth-test",
+  serviceName: "dg-project-auth-test",
+  status: "stopped",
+  statusLabel: "stopped",
+  sshSessions: 0,
+  startedAtIso: null,
+  startedAtEpochMs: null,
+  sshUser: "dev",
+  sshPort: 2222,
+  gpu: "none",
+  targetDir: "/home/dev/app",
+  projectDir,
+  sshCommand: "ssh dev@localhost",
+  authorizedKeysPath: `${projectDir}/authorized_keys`,
+  authorizedKeysExists: false,
+  envGlobalPath,
+  envProjectPath,
+  codexAuthPath: `${projectDir}/codex`,
+  codexHome: "/home/dev/.codex"
+})
+
+const runGrokApiKeyConnectCase = (apiKey: string) =>
+  withTempDir((root) =>
+    Effect.gen(function*(_) {
+      const fs = yield* _(FileSystem.FileSystem)
+      const path = yield* _(Path.Path)
+      const projectsRoot = path.join(root, ".docker-git")
+      const envDir = path.join(projectsRoot, ".orch", "env")
+      const grokDefaultAuth = path.join(projectsRoot, ".orch", "auth", "grok", "default")
+      const projectDir = path.join(projectsRoot, "org", "repo")
+      const envGlobalPath = path.join(envDir, "global.env")
+      const envProjectPath = path.join(projectDir, ".env")
+      const project = buildProjectDetails(projectDir, envProjectPath, envGlobalPath)
+
+      yield* _(fs.makeDirectory(grokDefaultAuth, { recursive: true }))
+      yield* _(fs.makeDirectory(projectDir, { recursive: true }))
+      yield* _(fs.makeDirectory(envDir, { recursive: true }))
+      yield* _(fs.writeFileString(path.join(grokDefaultAuth, ".api-key"), apiKey))
+      yield* _(fs.writeFileString(envGlobalPath, "# docker-git env\n"))
+      yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+
+      const service = yield* _(
+        withProjectsRoot(
+          projectsRoot,
+          Effect.gen(function*(_) {
+            yield* _(Effect.sync(() => vi.resetModules()))
+            return yield* _(Effect.promise(() => import("../src/services/project-auth.js")))
+          })
+        )
+      )
+      const result = yield* _(
+        withProjectsRoot(
+          projectsRoot,
+          service.runProjectAuthFlow(project, {
+            flow: "ProjectGrokConnect",
+            label: "default"
+          })
+        ).pipe(
+          Effect.match({
+            onFailure: (error) => ({ _tag: "failure" as const, errorTag: error._tag }),
+            onSuccess: (snapshot) => ({ _tag: "success" as const, activeGrokLabel: snapshot.activeGrokLabel })
+          })
+        )
+      )
+      const envText = yield* _(fs.readFileString(envProjectPath))
+
+      return { result, envText }
+    })
+  )
+
+describe("project auth service", () => {
+  it.effect("preserves Grok project API-key connect invariants", () =>
+    Effect.tryPromise({
+      catch: (error) => error,
+      try: () =>
+        fc.assert(
+          fc.asyncProperty(
+            fc.oneof(fc.string(), fc.constant(""), fc.constant(" "), fc.constant("\t\n")),
+            (apiKey) =>
+              Effect.runPromise(
+                runGrokApiKeyConnectCase(apiKey).pipe(
+                  Effect.provide(NodeContext.layer),
+                  Effect.map(({ result, envText }) => {
+                    if (apiKey.trim().length === 0) {
+                      expect(result._tag).toBe("failure")
+                      if (result._tag === "failure") {
+                        expect(result.errorTag).toBe("ApiBadRequestError")
+                      }
+                      expect(envText).not.toContain("GROK_AUTH_LABEL=default")
+                      return
+                    }
+
+                    expect(result._tag).toBe("success")
+                    if (result._tag === "success") {
+                      expect(result.activeGrokLabel).toBe("default")
+                    }
+                    expect(envText).toContain("GROK_AUTH_LABEL=default")
+                  })
+                )
+              )
+          ),
+          { numRuns: 20 }
+        )
+    }))
+
+  it.effect("requires a non-empty Grok .api-key before connecting an account", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const projectsRoot = path.join(root, ".docker-git")
+        const envDir = path.join(projectsRoot, ".orch", "env")
+        const grokDefaultAuth = path.join(projectsRoot, ".orch", "auth", "grok", "default")
+        const projectDir = path.join(projectsRoot, "org", "repo")
+        const envGlobalPath = path.join(envDir, "global.env")
+        const envProjectPath = path.join(projectDir, ".env")
+        const project = buildProjectDetails(projectDir, envProjectPath, envGlobalPath)
+
+        yield* _(fs.makeDirectory(grokDefaultAuth, { recursive: true }))
+        yield* _(fs.makeDirectory(projectDir, { recursive: true }))
+        yield* _(fs.makeDirectory(envDir, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(grokDefaultAuth, ".api-key"), "  \n"))
+        yield* _(fs.writeFileString(envGlobalPath, "# docker-git env\n"))
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+
+        const service = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            Effect.gen(function*(_) {
+              yield* _(Effect.sync(() => vi.resetModules()))
+              return yield* _(Effect.promise(() => import("../src/services/project-auth.js")))
+            })
+          )
+        )
+        const failure = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            }).pipe(Effect.flip)
+          )
+        )
+
+        expect(failure._tag).toBe("ApiBadRequestError")
+        expect(failure.message).toContain("Grok credentials")
+        expect(yield* _(fs.readFileString(envProjectPath))).not.toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(path.join(grokDefaultAuth, ".api-key"), "live-token\n"))
+        const snapshot = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            })
+          )
+        )
+
+        expect(snapshot.activeGrokLabel).toBe("default")
+        expect(yield* _(fs.readFileString(envProjectPath))).toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+        yield* _(fs.remove(path.join(grokDefaultAuth, ".api-key")))
+        yield* _(fs.makeDirectory(path.join(grokDefaultAuth, ".grok"), { recursive: true }))
+        yield* _(
+          fs.writeFileString(
+            path.join(grokDefaultAuth, ".grok", "auth.json"),
+            `${JSON.stringify({ [grokOidcAuthScope]: { key: "xai-oauth" } })}\n`
+          )
+        )
+
+        const oauthSnapshot = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            })
+          )
+        )
+
+        expect(oauthSnapshot.activeGrokLabel).toBe("default")
+        expect(yield* _(fs.readFileString(envProjectPath))).toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+        yield* _(
+          fs.writeFileString(
+            path.join(grokDefaultAuth, ".grok", "auth.json"),
+            `${JSON.stringify({ [grokLegacyAuthScope]: { key: "xai-legacy" } })}\n`
+          )
+        )
+
+        const legacyOauthSnapshot = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            })
+          )
+        )
+
+        expect(legacyOauthSnapshot.activeGrokLabel).toBe("default")
+        expect(yield* _(fs.readFileString(envProjectPath))).toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+        yield* _(fs.writeFileString(path.join(grokDefaultAuth, ".grok", "auth.json"), "{\"scope\":{\"key\":\"xai-oauth\"}}\n"))
+
+        const arbitraryAuthJsonFailure = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            }).pipe(Effect.flip)
+          )
+        )
+
+        expect(arbitraryAuthJsonFailure._tag).toBe("ApiBadRequestError")
+        expect(yield* _(fs.readFileString(envProjectPath))).not.toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+        yield* _(fs.remove(path.join(grokDefaultAuth, ".grok"), { recursive: true }))
+        yield* _(fs.writeFileString(path.join(grokDefaultAuth, ".env"), "GROK_DEPLOYMENT_KEY='xai-deploy'\n"))
+
+        const envSnapshot = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            })
+          )
+        )
+
+        expect(envSnapshot.activeGrokLabel).toBe("default")
+        expect(yield* _(fs.readFileString(envProjectPath))).toContain("GROK_AUTH_LABEL=default")
+
+        yield* _(fs.writeFileString(envProjectPath, "# project env\n"))
+        yield* _(fs.remove(path.join(grokDefaultAuth, ".env")))
+        yield* _(fs.makeDirectory(path.join(grokDefaultAuth, ".grok"), { recursive: true }))
+        yield* _(
+          fs.writeFileString(
+            path.join(grokDefaultAuth, ".grok", "user-settings.json"),
+            "{\"oauth\":{},\"telemetry\":{\"token\":\"not-oauth\"}}\n"
+          )
+        )
+
+        const falsePositiveFailure = yield* _(
+          withProjectsRoot(
+            projectsRoot,
+            service.runProjectAuthFlow(project, {
+              flow: "ProjectGrokConnect",
+              label: "default"
+            }).pipe(Effect.flip)
+          )
+        )
+
+        expect(falsePositiveFailure._tag).toBe("ApiBadRequestError")
+        expect(yield* _(fs.readFileString(envProjectPath))).not.toContain("GROK_AUTH_LABEL=default")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+})
diff --git a/packages/api/tests/projects.test.ts b/packages/api/tests/projects.test.ts
index 85c14435..32345064 100644
--- a/packages/api/tests/projects.test.ts
+++ b/packages/api/tests/projects.test.ts
@@ -207,7 +207,7 @@ describe("projects service", () => {
           expect(failure.message).not.toContain("docker-daemon-access.js")
         }
       })
-    ).pipe(Effect.provide(NodeContext.layer)))
+    ).pipe(Effect.provide(NodeContext.layer)), 15_000)
 
   it.effect("accepts async create and records realtime lifecycle events on the request project id", () =>
     withTempDir((root) =>
diff --git a/packages/app/src/docker-git/api-auth-codec.ts b/packages/app/src/docker-git/api-auth-codec.ts
index c8ceeb86..b5eefe86 100644
--- a/packages/app/src/docker-git/api-auth-codec.ts
+++ b/packages/app/src/docker-git/api-auth-codec.ts
@@ -5,29 +5,36 @@ type RawAuthSnapshot = {
   readonly globalEnvPath: string | null
   readonly claudeAuthPath: string | null
   readonly geminiAuthPath: string | null
+  readonly grokAuthPath: string | null
   readonly totalEntries: number | null
   readonly githubTokenEntries: number | null
   readonly gitTokenEntries: number | null
   readonly gitUserEntries: number | null
   readonly claudeAuthEntries: number | null
   readonly geminiAuthEntries: number | null
+  readonly grokAuthEntries: number | null
 }
 
 type RawProjectAuthSnapshot = {
+  /* jscpd:ignore-start */
   readonly projectDir: string | null
   readonly projectName: string | null
   readonly envGlobalPath: string | null
   readonly envProjectPath: string | null
   readonly claudeAuthPath: string | null
   readonly geminiAuthPath: string | null
+  readonly grokAuthPath: string | null
   readonly githubTokenEntries: number | null
   readonly gitTokenEntries: number | null
   readonly claudeAuthEntries: number | null
   readonly geminiAuthEntries: number | null
+  readonly grokAuthEntries: number | null
   readonly activeGithubLabel: string | null
   readonly activeGitLabel: string | null
   readonly activeClaudeLabel: string | null
   readonly activeGeminiLabel: string | null
+  readonly activeGrokLabel: string | null
+  /* jscpd:ignore-end */
 }
 
 const readNumber = (value: JsonValue | undefined): number | null => typeof value === "number" ? value : null
@@ -53,12 +60,14 @@ const readAuthSnapshot = (
     globalEnvPath: asString(snapshot["globalEnvPath"]),
     claudeAuthPath: asString(snapshot["claudeAuthPath"]),
     geminiAuthPath: asString(snapshot["geminiAuthPath"]),
+    grokAuthPath: asString(snapshot["grokAuthPath"]),
     totalEntries: readNumber(snapshot["totalEntries"]),
     githubTokenEntries: readNumber(snapshot["githubTokenEntries"]),
     gitTokenEntries: readNumber(snapshot["gitTokenEntries"]),
     gitUserEntries: readNumber(snapshot["gitUserEntries"]),
     claudeAuthEntries: readNumber(snapshot["claudeAuthEntries"]),
-    geminiAuthEntries: readNumber(snapshot["geminiAuthEntries"])
+    geminiAuthEntries: readNumber(snapshot["geminiAuthEntries"]),
+    grokAuthEntries: readNumber(snapshot["grokAuthEntries"])
   }
 }
 
@@ -71,12 +80,14 @@ const decodeRequiredAuthSnapshot = (snapshot: RawAuthSnapshot): AuthSnapshot | n
     globalEnvPath: stringOrEmpty(snapshot.globalEnvPath),
     claudeAuthPath: stringOrEmpty(snapshot.claudeAuthPath),
     geminiAuthPath: stringOrEmpty(snapshot.geminiAuthPath),
+    grokAuthPath: stringOrEmpty(snapshot.grokAuthPath),
     totalEntries: numberOrZero(snapshot.totalEntries),
     githubTokenEntries: numberOrZero(snapshot.githubTokenEntries),
     gitTokenEntries: numberOrZero(snapshot.gitTokenEntries),
     gitUserEntries: numberOrZero(snapshot.gitUserEntries),
     claudeAuthEntries: numberOrZero(snapshot.claudeAuthEntries),
-    geminiAuthEntries: numberOrZero(snapshot.geminiAuthEntries)
+    geminiAuthEntries: numberOrZero(snapshot.geminiAuthEntries),
+    grokAuthEntries: numberOrZero(snapshot.grokAuthEntries)
   }
 }
 
@@ -94,14 +105,17 @@ const readProjectAuthSnapshot = (
     envProjectPath: asString(snapshot["envProjectPath"]),
     claudeAuthPath: asString(snapshot["claudeAuthPath"]),
     geminiAuthPath: asString(snapshot["geminiAuthPath"]),
+    grokAuthPath: asString(snapshot["grokAuthPath"]),
     githubTokenEntries: readNumber(snapshot["githubTokenEntries"]),
     gitTokenEntries: readNumber(snapshot["gitTokenEntries"]),
     claudeAuthEntries: readNumber(snapshot["claudeAuthEntries"]),
     geminiAuthEntries: readNumber(snapshot["geminiAuthEntries"]),
+    grokAuthEntries: readNumber(snapshot["grokAuthEntries"]),
     activeGithubLabel: asString(snapshot["activeGithubLabel"]),
     activeGitLabel: asString(snapshot["activeGitLabel"]),
     activeClaudeLabel: asString(snapshot["activeClaudeLabel"]),
-    activeGeminiLabel: asString(snapshot["activeGeminiLabel"])
+    activeGeminiLabel: asString(snapshot["activeGeminiLabel"]),
+    activeGrokLabel: asString(snapshot["activeGrokLabel"])
   }
 }
 
@@ -115,10 +129,12 @@ const decodeRequiredProjectAuthSnapshot = (
     snapshot.envProjectPath,
     snapshot.claudeAuthPath,
     snapshot.geminiAuthPath,
+    snapshot.grokAuthPath,
     snapshot.githubTokenEntries,
     snapshot.gitTokenEntries,
     snapshot.claudeAuthEntries,
-    snapshot.geminiAuthEntries
+    snapshot.geminiAuthEntries,
+    snapshot.grokAuthEntries
   ]
 
   if (hasNullValue(requiredValues)) {
@@ -132,14 +148,17 @@ const decodeRequiredProjectAuthSnapshot = (
     envProjectPath: stringOrEmpty(snapshot.envProjectPath),
     claudeAuthPath: stringOrEmpty(snapshot.claudeAuthPath),
     geminiAuthPath: stringOrEmpty(snapshot.geminiAuthPath),
+    grokAuthPath: stringOrEmpty(snapshot.grokAuthPath),
     githubTokenEntries: numberOrZero(snapshot.githubTokenEntries),
     gitTokenEntries: numberOrZero(snapshot.gitTokenEntries),
     claudeAuthEntries: numberOrZero(snapshot.claudeAuthEntries),
     geminiAuthEntries: numberOrZero(snapshot.geminiAuthEntries),
+    grokAuthEntries: numberOrZero(snapshot.grokAuthEntries),
     activeGithubLabel: snapshot.activeGithubLabel,
     activeGitLabel: snapshot.activeGitLabel,
     activeClaudeLabel: snapshot.activeClaudeLabel,
-    activeGeminiLabel: snapshot.activeGeminiLabel
+    activeGeminiLabel: snapshot.activeGeminiLabel,
+    activeGrokLabel: snapshot.activeGrokLabel
   }
 }
 
diff --git a/packages/app/src/docker-git/api-client-create.ts b/packages/app/src/docker-git/api-client-create.ts
index de19cbd7..b49413f2 100644
--- a/packages/app/src/docker-git/api-client-create.ts
+++ b/packages/app/src/docker-git/api-client-create.ts
@@ -47,6 +47,8 @@ export const buildCreateProjectRequest = (
     useManagedAuthorizedKeys: true,
     codexTokenLabel: config.codexAuthLabel,
     claudeTokenLabel: config.claudeAuthLabel,
+    geminiTokenLabel: config.geminiAuthLabel,
+    grokTokenLabel: config.grokAuthLabel,
     agentAutoMode: config.agentAuto ? (config.agentMode ?? "auto") : undefined,
     up: command.runUp,
     openSsh: false,
diff --git a/packages/app/src/docker-git/api-client.ts b/packages/app/src/docker-git/api-client.ts
index 286e4997..ba63a5ac 100644
--- a/packages/app/src/docker-git/api-client.ts
+++ b/packages/app/src/docker-git/api-client.ts
@@ -258,7 +258,7 @@ export const createProjectTerminalSession = (projectId: string) =>
   )
 
 export const createAuthTerminalSession = (
-  flow: "ClaudeOauth" | "GeminiOauth",
+  flow: "ClaudeOauth" | "GeminiOauth" | "GrokOauth",
   label: string | null
 ) =>
   request("POST", "/auth/terminal-sessions", { flow, label: label ?? undefined }).pipe(
diff --git a/packages/app/src/docker-git/cli/parser-apply.ts b/packages/app/src/docker-git/cli/parser-apply.ts
index 86b1f231..3e6ac8b5 100644
--- a/packages/app/src/docker-git/cli/parser-apply.ts
+++ b/packages/app/src/docker-git/cli/parser-apply.ts
@@ -33,6 +33,8 @@ export const parseApply = (
       gitTokenLabel: raw.gitTokenLabel,
       codexTokenLabel: raw.codexTokenLabel,
       claudeTokenLabel: raw.claudeTokenLabel,
+      geminiTokenLabel: raw.geminiTokenLabel,
+      grokTokenLabel: raw.grokTokenLabel,
       cpuLimit,
       ramLimit,
       playwrightCpuLimit,
diff --git a/packages/app/src/docker-git/cli/parser-auth.ts b/packages/app/src/docker-git/cli/parser-auth.ts
index 1babd3fd..539713a4 100644
--- a/packages/app/src/docker-git/cli/parser-auth.ts
+++ b/packages/app/src/docker-git/cli/parser-auth.ts
@@ -11,6 +11,7 @@ type AuthOptions = {
   readonly codexAuthPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly label: string | null
   readonly token: string | null
   readonly scopes: string | null
@@ -43,12 +44,14 @@ const defaultEnvGlobalPath = ".docker-git/.orch/env/global.env"
 const defaultCodexAuthPath = ".docker-git/.orch/auth/codex"
 const defaultClaudeAuthPath = ".docker-git/.orch/auth/claude"
 const defaultGeminiAuthPath = ".docker-git/.orch/auth/gemini"
+const defaultGrokAuthPath = ".docker-git/.orch/auth/grok"
 
 const resolveAuthOptions = (raw: RawOptions): AuthOptions => ({
   envGlobalPath: raw.envGlobalPath ?? defaultEnvGlobalPath,
   codexAuthPath: raw.codexAuthPath ?? defaultCodexAuthPath,
   claudeAuthPath: defaultClaudeAuthPath,
   geminiAuthPath: defaultGeminiAuthPath,
+  grokAuthPath: defaultGrokAuthPath,
   label: normalizeOptionalText(raw.label),
   token: normalizeOptionalText(raw.token),
   scopes: normalizeOptionalText(raw.scopes),
@@ -191,6 +194,40 @@ const buildGeminiCommand = (action: string, options: AuthOptions): Either.Either
     Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
   )
 
+// CHANGE: add Grok CLI auth command parsing
+// WHY: issue #304 requires docker-git auth grok login/status/logout support
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall action: buildGrokCommand(action, opts) = AuthCommand | ParseError
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: grokAuthPath is always set from defaults
+// COMPLEXITY: O(1)
+const buildGrokCommand = (action: string, options: AuthOptions): Either.Either<AuthCommand, ParseError> =>
+  Match.value(action).pipe(
+    Match.when("login", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthGrokLogin",
+        label: options.label,
+        grokAuthPath: options.grokAuthPath,
+        isWeb: options.authWeb
+      })),
+    Match.when("status", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthGrokStatus",
+        label: options.label,
+        grokAuthPath: options.grokAuthPath
+      })),
+    Match.when("logout", () =>
+      Either.right<AuthCommand>({
+        _tag: "AuthGrokLogout",
+        label: options.label,
+        grokAuthPath: options.grokAuthPath
+      })),
+    Match.orElse(() => Either.left(invalidArgument("auth action", `unknown action '${action}'`)))
+  )
+
 const buildAuthCommand = (
   provider: string,
   action: string,
@@ -204,6 +241,7 @@ const buildAuthCommand = (
     Match.when("claude", () => buildClaudeCommand(action, options)),
     Match.when("cc", () => buildClaudeCommand(action, options)),
     Match.when("gemini", () => buildGeminiCommand(action, options)),
+    Match.when("grok", () => buildGrokCommand(action, options)),
     Match.orElse(() => Either.left(invalidArgument("auth provider", `unknown provider '${provider}'`)))
   )
 
diff --git a/packages/app/src/docker-git/cli/parser-options.ts b/packages/app/src/docker-git/cli/parser-options.ts
index 2fa9ec85..bf69872d 100644
--- a/packages/app/src/docker-git/cli/parser-options.ts
+++ b/packages/app/src/docker-git/cli/parser-options.ts
@@ -33,6 +33,8 @@ interface ValueOptionSpec {
     | "gitTokenLabel"
     | "codexTokenLabel"
     | "claudeTokenLabel"
+    | "geminiTokenLabel"
+    | "grokTokenLabel"
     | "token"
     | "scopes"
     | "message"
@@ -76,6 +78,8 @@ const valueOptionSpecs: ReadonlyArray<ValueOptionSpec> = [
   { flag: "--git-token", key: "gitTokenLabel" },
   { flag: "--codex-token", key: "codexTokenLabel" },
   { flag: "--claude-token", key: "claudeTokenLabel" },
+  { flag: "--gemini-token", key: "geminiTokenLabel" },
+  { flag: "--grok-token", key: "grokTokenLabel" },
   { flag: "--token", key: "token" },
   { flag: "--scopes", key: "scopes" },
   { flag: "--message", key: "message" },
@@ -137,6 +141,8 @@ const valueFlagUpdaters: { readonly [K in ValueKey]: (raw: RawOptions, value: st
   gitTokenLabel: (raw, value) => ({ ...raw, gitTokenLabel: value }),
   codexTokenLabel: (raw, value) => ({ ...raw, codexTokenLabel: value }),
   claudeTokenLabel: (raw, value) => ({ ...raw, claudeTokenLabel: value }),
+  geminiTokenLabel: (raw, value) => ({ ...raw, geminiTokenLabel: value }),
+  grokTokenLabel: (raw, value) => ({ ...raw, grokTokenLabel: value }),
   token: (raw, value) => ({ ...raw, token: value }),
   scopes: (raw, value) => ({ ...raw, scopes: value }),
   message: (raw, value) => ({ ...raw, message: value }),
diff --git a/packages/app/src/docker-git/cli/usage.ts b/packages/app/src/docker-git/cli/usage.ts
index 59fa7b13..2bde89d7 100644
--- a/packages/app/src/docker-git/cli/usage.ts
+++ b/packages/app/src/docker-git/cli/usage.ts
@@ -34,7 +34,7 @@ Commands:
   ps, status          Show docker compose status for all docker-git projects
   apply-all           Apply docker-git config and refresh all containers (docker compose up); use --active to restrict to running containers only
   down-all            Stop all docker-git containers (docker compose down)
-  auth                Manage GitHub/GitLab/Codex/Claude Code auth for docker-git
+  auth                Manage GitHub/GitLab/Codex/Claude Code/Gemini/Grok auth for docker-git
   state               Manage docker-git state directory via git (sync across machines)
 
 Options:
@@ -70,13 +70,15 @@ Options:
   --gh-skip                 Skip GitHub auth for public clone/create and force anonymous HTTPS clone
   --codex-token <label>     Codex auth label for clone/create (maps to CODEX_AUTH_LABEL, example: agien)
   --claude-token <label>    Claude auth label for clone/create (maps to CLAUDE_AUTH_LABEL, example: agien)
+  --gemini-token <label>    Gemini auth label for clone/create (maps to GEMINI_AUTH_LABEL, example: agien)
+  --grok-token <label>      Grok auth label for clone/create (maps to GROK_AUTH_LABEL, example: agien)
   --wipe | --no-wipe        Wipe workspace before scrap import (default: --wipe)
   --lines <n>               Tail last N lines for sessions logs (default: 200)
   --include-default         Show default/system processes in sessions list
   --up | --no-up            Run docker compose up after init (default: --up)
   --ssh | --no-ssh          Auto-open SSH after create/clone (default: clone=--ssh, create=--no-ssh)
   --mcp-playwright | --no-mcp-playwright  Enable Playwright MCP + nested Chromium browser (default: --no-mcp-playwright)
-  --auto[=claude|codex]     Auto-execute an agent; without value picks by auth, random if both are available
+  --auto[=claude|codex|gemini|grok]  Auto-execute an agent; without value picks by auth, random if multiple are available
   --active                  apply-all: apply only to currently running containers (skip stopped ones)
   --force                   Overwrite existing files, replace conflicting docker-git projects/containers, and wipe compose volumes
   --force-env               Reset project env defaults only (keep workspace volume/data)
@@ -109,6 +111,8 @@ Auth providers:
   gitlab             GitLab CLI auth (tokens saved to env file)
   codex             Codex CLI auth (stored under .orch/auth/codex)
   claude, cc        Claude Code CLI auth (OAuth cache stored under .orch/auth/claude)
+  gemini            Gemini CLI auth (stored under .orch/auth/gemini)
+  grok              Grok CLI auth via the official xAI CLI (stored under .orch/auth/grok)
 
 Auth actions:
   login             Run login flow and store credentials
@@ -123,6 +127,8 @@ Auth options:
   --scopes <scopes>      GitHub scopes (login only, default: repo,workflow,read:org)
   --env-global <path>    Env file path for GitHub/GitLab tokens (default: <projectsRoot>/.orch/env/global.env)
   --codex-auth <path>    Codex auth root path (default: <projectsRoot>/.orch/auth/codex)
+  --gemini-auth <path>   Gemini auth root path (default: <projectsRoot>/.orch/auth/gemini)
+  --grok-auth <path>     Grok auth root path (default: <projectsRoot>/.orch/auth/grok)
 
 State actions:
   state path                         Print current projects root (default: ~/.docker-git; override via DOCKER_GIT_PROJECTS_ROOT)
diff --git a/packages/app/src/docker-git/frontend-lib/core/auth-domain.ts b/packages/app/src/docker-git/frontend-lib/core/auth-domain.ts
index b6ae3f8e..71cd7a50 100644
--- a/packages/app/src/docker-git/frontend-lib/core/auth-domain.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/auth-domain.ts
@@ -107,6 +107,35 @@ export interface AuthGeminiLogoutCommand {
   readonly geminiAuthPath: string
 }
 
+// CHANGE: add Grok CLI auth commands
+// WHY: issue #304 requires Grok login/status/logout profiles with isolated auth storage
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd ∈ AuthGrokCommand: cmd.grokAuthPath is valid path
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: authentication state is isolated by label
+// COMPLEXITY: O(1)
+export interface AuthGrokLoginCommand {
+  readonly _tag: "AuthGrokLogin"
+  readonly label: string | null
+  readonly grokAuthPath: string
+  readonly isWeb: boolean
+}
+
+export interface AuthGrokStatusCommand {
+  readonly _tag: "AuthGrokStatus"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
+export interface AuthGrokLogoutCommand {
+  readonly _tag: "AuthGrokLogout"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
 export type AuthCommand =
   | AuthGithubLoginCommand
   | AuthGithubStatusCommand
@@ -124,4 +153,7 @@ export type AuthCommand =
   | AuthGeminiLoginCommand
   | AuthGeminiStatusCommand
   | AuthGeminiLogoutCommand
+  | AuthGrokLoginCommand
+  | AuthGrokStatusCommand
+  | AuthGrokLogoutCommand
 /* jscpd:ignore-end */
diff --git a/packages/app/src/docker-git/frontend-lib/core/auto-agent-flags.ts b/packages/app/src/docker-git/frontend-lib/core/auto-agent-flags.ts
index c1683f36..c5472b66 100644
--- a/packages/app/src/docker-git/frontend-lib/core/auto-agent-flags.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/auto-agent-flags.ts
@@ -14,13 +14,13 @@ export const resolveAutoAgentFlags = (
   if (requested === "auto") {
     return Either.right({ agentMode: undefined, agentAuto: true })
   }
-  if (requested === "claude" || requested === "codex") {
+  if (requested === "claude" || requested === "codex" || requested === "gemini" || requested === "grok") {
     return Either.right({ agentMode: requested, agentAuto: true })
   }
   return Either.left({
     _tag: "InvalidOption",
     option: "--auto",
-    reason: "expected one of: claude, codex"
+    reason: "expected one of: claude, codex, gemini, grok"
   })
 }
 /* jscpd:ignore-end */
diff --git a/packages/app/src/docker-git/frontend-lib/core/command-builders-template.ts b/packages/app/src/docker-git/frontend-lib/core/command-builders-template.ts
new file mode 100644
index 00000000..f54a214d
--- /dev/null
+++ b/packages/app/src/docker-git/frontend-lib/core/command-builders-template.ts
@@ -0,0 +1,94 @@
+/* jscpd:ignore-start */
+import type { NameConfig, PathConfig, RepoBasics } from "./command-builders.js"
+import { type AgentMode, type CreateCommand, defaultTemplateConfig } from "./domain.js"
+
+export type BuildTemplateConfigInput = {
+  readonly repo: RepoBasics
+  readonly names: NameConfig
+  readonly paths: PathConfig
+  readonly cpuLimit: string | undefined
+  readonly ramLimit: string | undefined
+  readonly playwrightCpuLimit: string | undefined
+  readonly playwrightRamLimit: string | undefined
+  readonly gpu: CreateCommand["config"]["gpu"]
+  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
+  readonly dockerSharedNetworkName: string
+  readonly gitTokenLabel: string | undefined
+  readonly skipGithubAuth: boolean
+  readonly codexAuthLabel: string | undefined
+  readonly claudeAuthLabel: string | undefined
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
+  readonly enableMcpPlaywright: boolean
+  readonly agentMode: AgentMode | undefined
+  readonly agentAuto: boolean
+  readonly clonedOnHostname?: string | undefined
+}
+
+const buildTemplateConfigBase = (
+  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
+): Pick<
+  CreateCommand["config"],
+  | "containerName"
+  | "serviceName"
+  | "sshUser"
+  | "sshPort"
+  | "repoUrl"
+  | "repoRef"
+  | "targetDir"
+  | "volumeName"
+  | "dockerGitPath"
+  | "authorizedKeysPath"
+  | "envGlobalPath"
+  | "envProjectPath"
+  | "codexAuthPath"
+  | "codexSharedAuthPath"
+  | "codexHome"
+  | "geminiAuthPath"
+  | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
+> => ({
+  containerName: input.names.containerName,
+  serviceName: input.names.serviceName,
+  sshUser: input.repo.sshUser,
+  sshPort: input.repo.sshPort,
+  repoUrl: input.repo.repoUrl,
+  repoRef: input.repo.repoRef,
+  targetDir: input.repo.targetDir,
+  volumeName: input.names.volumeName,
+  dockerGitPath: input.paths.dockerGitPath,
+  authorizedKeysPath: input.paths.authorizedKeysPath,
+  envGlobalPath: input.paths.envGlobalPath,
+  envProjectPath: input.paths.envProjectPath,
+  codexAuthPath: input.paths.codexAuthPath,
+  codexSharedAuthPath: input.paths.codexSharedAuthPath,
+  codexHome: input.paths.codexHome,
+  geminiAuthPath: input.paths.geminiAuthPath,
+  geminiHome: input.paths.geminiHome,
+  grokAuthPath: input.paths.grokAuthPath,
+  grokHome: input.paths.grokHome
+})
+
+export const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
+  ...buildTemplateConfigBase(input),
+  gitTokenLabel: input.gitTokenLabel,
+  skipGithubAuth: input.skipGithubAuth,
+  codexAuthLabel: input.codexAuthLabel,
+  claudeAuthLabel: input.claudeAuthLabel,
+  geminiAuthLabel: input.geminiAuthLabel,
+  grokAuthLabel: input.grokAuthLabel,
+  cpuLimit: input.cpuLimit,
+  ramLimit: input.ramLimit,
+  playwrightCpuLimit: input.playwrightCpuLimit,
+  playwrightRamLimit: input.playwrightRamLimit,
+  gpu: input.gpu,
+  dockerNetworkMode: input.dockerNetworkMode,
+  dockerSharedNetworkName: input.dockerSharedNetworkName,
+  enableMcpPlaywright: input.enableMcpPlaywright,
+  bunVersion: defaultTemplateConfig.bunVersion,
+  agentMode: input.agentMode,
+  agentAuto: input.agentAuto,
+  clonedOnHostname: input.clonedOnHostname
+})
+/* jscpd:ignore-end */
diff --git a/packages/app/src/docker-git/frontend-lib/core/command-builders.ts b/packages/app/src/docker-git/frontend-lib/core/command-builders.ts
index 44c0bd88..d6dd8730 100644
--- a/packages/app/src/docker-git/frontend-lib/core/command-builders.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/command-builders.ts
@@ -10,9 +10,9 @@ import {
   parseSshPort,
   parseSshUser
 } from "./command-builders-shared.js"
+import { buildTemplateConfig } from "./command-builders-template.js"
 import { type RawOptions } from "./command-options.js"
 import {
-  type AgentMode,
   type CreateCommand,
   defaultTemplateConfig,
   deriveRepoPathParts,
@@ -28,7 +28,7 @@ export { nonEmpty } from "./command-builders-shared.js"
 
 const normalizeSecretsRoot = (value: string): string => trimRightChar(value, "/")
 
-type RepoBasics = {
+export type RepoBasics = {
   readonly repoUrl: string
   readonly repoSlug: string
   readonly projectSlug: string
@@ -62,7 +62,7 @@ const resolveRepoBasics = (raw: RawOptions): Either.Either<RepoBasics, ParseErro
     return { repoUrl, repoSlug, projectSlug, repoPath, repoRef, targetDir, sshUser, sshPort }
   })
 
-type NameConfig = {
+export type NameConfig = {
   readonly containerName: string
   readonly serviceName: string
   readonly volumeName: string
@@ -85,7 +85,7 @@ const resolveNames = (
     return { containerName, serviceName, volumeName }
   })
 
-type PathConfig = {
+export type PathConfig = {
   readonly dockerGitPath: string
   readonly authorizedKeysPath: string
   readonly envGlobalPath: string
@@ -95,6 +95,8 @@ type PathConfig = {
   readonly codexHome: string
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly outDir: string
 }
 
@@ -105,6 +107,7 @@ type DefaultPathConfig = {
   readonly envProjectPath: string
   readonly codexAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
 }
 
 const resolveNormalizedSecretsRoot = (value: string | undefined): string | undefined => {
@@ -122,7 +125,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: defaultTemplateConfig.envGlobalPath,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: defaultTemplateConfig.codexAuthPath,
-      geminiAuthPath: defaultTemplateConfig.geminiAuthPath
+      geminiAuthPath: defaultTemplateConfig.geminiAuthPath,
+      grokAuthPath: defaultTemplateConfig.grokAuthPath
     }
     : {
       // NOTE: Keep docker-git root mount stable (projects root) so caches like
@@ -132,7 +136,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: `${normalizedSecretsRoot}/global.env`,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: `${normalizedSecretsRoot}/codex`,
-      geminiAuthPath: `${normalizedSecretsRoot}/gemini`
+      geminiAuthPath: `${normalizedSecretsRoot}/gemini`,
+      grokAuthPath: `${normalizedSecretsRoot}/grok`
     }
 
 const resolvePaths = (
@@ -157,6 +162,8 @@ const resolvePaths = (
     const codexHome = yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome))
     const geminiAuthPath = defaults.geminiAuthPath
     const geminiHome = defaultTemplateConfig.geminiHome
+    const grokAuthPath = defaults.grokAuthPath
+    const grokHome = defaultTemplateConfig.grokHome
     const outDir = yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 
     return {
@@ -169,6 +176,8 @@ const resolvePaths = (
       codexHome,
       geminiAuthPath,
       geminiHome,
+      grokAuthPath,
+      grokHome,
       outDir
     }
   })
@@ -191,86 +200,20 @@ const resolveCreateBehavior = (raw: RawOptions): CreateBehavior => ({
   enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 })
 
-type BuildTemplateConfigInput = {
-  readonly repo: RepoBasics
-  readonly names: NameConfig
-  readonly paths: PathConfig
-  readonly cpuLimit: string | undefined
-  readonly ramLimit: string | undefined
-  readonly playwrightCpuLimit: string | undefined
-  readonly playwrightRamLimit: string | undefined
-  readonly gpu: CreateCommand["config"]["gpu"]
-  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
-  readonly dockerSharedNetworkName: string
+type TokenLabelConfig = {
   readonly gitTokenLabel: string | undefined
-  readonly skipGithubAuth: boolean
   readonly codexAuthLabel: string | undefined
   readonly claudeAuthLabel: string | undefined
-  readonly enableMcpPlaywright: boolean
-  readonly agentMode: AgentMode | undefined
-  readonly agentAuto: boolean
-  readonly clonedOnHostname?: string | undefined
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
 }
 
-const buildTemplateConfigBase = (
-  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
-): Pick<
-  CreateCommand["config"],
-  | "containerName"
-  | "serviceName"
-  | "sshUser"
-  | "sshPort"
-  | "repoUrl"
-  | "repoRef"
-  | "targetDir"
-  | "volumeName"
-  | "dockerGitPath"
-  | "authorizedKeysPath"
-  | "envGlobalPath"
-  | "envProjectPath"
-  | "codexAuthPath"
-  | "codexSharedAuthPath"
-  | "codexHome"
-  | "geminiAuthPath"
-  | "geminiHome"
-> => ({
-  containerName: input.names.containerName,
-  serviceName: input.names.serviceName,
-  sshUser: input.repo.sshUser,
-  sshPort: input.repo.sshPort,
-  repoUrl: input.repo.repoUrl,
-  repoRef: input.repo.repoRef,
-  targetDir: input.repo.targetDir,
-  volumeName: input.names.volumeName,
-  dockerGitPath: input.paths.dockerGitPath,
-  authorizedKeysPath: input.paths.authorizedKeysPath,
-  envGlobalPath: input.paths.envGlobalPath,
-  envProjectPath: input.paths.envProjectPath,
-  codexAuthPath: input.paths.codexAuthPath,
-  codexSharedAuthPath: input.paths.codexSharedAuthPath,
-  codexHome: input.paths.codexHome,
-  geminiAuthPath: input.paths.geminiAuthPath,
-  geminiHome: input.paths.geminiHome
-})
-
-const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
-  ...buildTemplateConfigBase(input),
-  gitTokenLabel: input.gitTokenLabel,
-  skipGithubAuth: input.skipGithubAuth,
-  codexAuthLabel: input.codexAuthLabel,
-  claudeAuthLabel: input.claudeAuthLabel,
-  cpuLimit: input.cpuLimit,
-  ramLimit: input.ramLimit,
-  playwrightCpuLimit: input.playwrightCpuLimit,
-  playwrightRamLimit: input.playwrightRamLimit,
-  gpu: input.gpu,
-  dockerNetworkMode: input.dockerNetworkMode,
-  dockerSharedNetworkName: input.dockerSharedNetworkName,
-  enableMcpPlaywright: input.enableMcpPlaywright,
-  bunVersion: defaultTemplateConfig.bunVersion,
-  agentMode: input.agentMode,
-  agentAuto: input.agentAuto,
-  clonedOnHostname: input.clonedOnHostname
+const resolveTokenLabels = (raw: RawOptions): TokenLabelConfig => ({
+  gitTokenLabel: normalizeGitTokenLabel(raw.gitTokenLabel),
+  codexAuthLabel: normalizeAuthLabel(raw.codexTokenLabel),
+  claudeAuthLabel: normalizeAuthLabel(raw.claudeTokenLabel),
+  geminiAuthLabel: normalizeAuthLabel(raw.geminiTokenLabel),
+  grokAuthLabel: normalizeAuthLabel(raw.grokTokenLabel)
 })
 
 // CHANGE: build a typed create command from raw options (CLI or API)
@@ -291,9 +234,7 @@ export const buildCreateCommand = (
     const names = yield* _(resolveNames(raw, repo.projectSlug))
     const paths = yield* _(resolvePaths(raw, repo.repoPath))
     const behavior = resolveCreateBehavior(raw)
-    const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel)
-    const codexAuthLabel = normalizeAuthLabel(raw.codexTokenLabel)
-    const claudeAuthLabel = normalizeAuthLabel(raw.claudeTokenLabel)
+    const tokenLabels = resolveTokenLabels(raw)
     const limits = yield* _(resolveResourceLimitsIntent(raw))
     const gpu = yield* _(parseGpuMode(raw.gpu))
     const dockerNetworkMode = yield* _(parseDockerNetworkMode(raw.dockerNetworkMode))
@@ -321,10 +262,8 @@ export const buildCreateCommand = (
         gpu,
         dockerNetworkMode,
         dockerSharedNetworkName,
-        gitTokenLabel,
+        ...tokenLabels,
         skipGithubAuth: behavior.skipGithubAuth,
-        codexAuthLabel,
-        claudeAuthLabel,
         enableMcpPlaywright: behavior.enableMcpPlaywright,
         agentMode,
         agentAuto
diff --git a/packages/app/src/docker-git/frontend-lib/core/command-options.ts b/packages/app/src/docker-git/frontend-lib/core/command-options.ts
index 12f15f15..5c4b02da 100644
--- a/packages/app/src/docker-git/frontend-lib/core/command-options.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/command-options.ts
@@ -41,6 +41,8 @@ export interface RawOptions {
   readonly gitTokenLabel?: string
   readonly codexTokenLabel?: string
   readonly claudeTokenLabel?: string
+  readonly geminiTokenLabel?: string
+  readonly grokTokenLabel?: string
   readonly token?: string
   readonly scopes?: string
   readonly message?: string
diff --git a/packages/app/src/docker-git/frontend-lib/core/domain.ts b/packages/app/src/docker-git/frontend-lib/core/domain.ts
index a65fee05..2398984d 100644
--- a/packages/app/src/docker-git/frontend-lib/core/domain.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/domain.ts
@@ -20,7 +20,10 @@ export type {
   AuthGithubStatusCommand,
   AuthGitlabLoginCommand,
   AuthGitlabLogoutCommand,
-  AuthGitlabStatusCommand
+  AuthGitlabStatusCommand,
+  AuthGrokLoginCommand,
+  AuthGrokLogoutCommand,
+  AuthGrokStatusCommand
 } from "./auth-domain.js"
 export type { MenuAction, ParseError } from "./menu.js"
 export { parseMenuSelection } from "./menu.js"
@@ -53,7 +56,7 @@ export {
   dockerGitSharedCodexVolumeName
 } from "./template-defaults.js"
 
-export type AgentMode = "claude" | "codex" | "gemini"
+export type AgentMode = "claude" | "codex" | "gemini" | "grok"
 
 export type DockerNetworkMode = "shared" | "project"
 export type GpuMode = "none" | "all"
@@ -97,6 +100,9 @@ export interface TemplateConfig {
   readonly geminiAuthLabel?: string | undefined
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthLabel?: string | undefined
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
@@ -192,6 +198,7 @@ export interface ApplyCommand {
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
   readonly geminiTokenLabel?: string | undefined
+  readonly grokTokenLabel?: string | undefined
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
diff --git a/packages/app/src/docker-git/frontend-lib/core/template-defaults.ts b/packages/app/src/docker-git/frontend-lib/core/template-defaults.ts
index da4d81eb..b3bc52c1 100644
--- a/packages/app/src/docker-git/frontend-lib/core/template-defaults.ts
+++ b/packages/app/src/docker-git/frontend-lib/core/template-defaults.ts
@@ -20,6 +20,8 @@ type DefaultTemplateConfig = Pick<
   | "codexHome"
   | "geminiAuthPath"
   | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
   | "cpuLimit"
   | "ramLimit"
   | "playwrightCpuLimit"
@@ -63,6 +65,8 @@ export const defaultTemplateConfig = {
   codexHome: "/home/dev/.codex",
   geminiAuthPath: "./.docker-git/.orch/auth/gemini",
   geminiHome: "/home/dev/.gemini",
+  grokAuthPath: "./.docker-git/.orch/auth/grok",
+  grokHome: "/home/dev/.grok",
   cpuLimit: defaultCpuLimit,
   ramLimit: defaultRamLimit,
   playwrightCpuLimit: defaultPlaywrightCpuLimit,
diff --git a/packages/app/src/docker-git/menu-auth-effects.ts b/packages/app/src/docker-git/menu-auth-effects.ts
index 50152b4c..7814e114 100644
--- a/packages/app/src/docker-git/menu-auth-effects.ts
+++ b/packages/app/src/docker-git/menu-auth-effects.ts
@@ -2,6 +2,7 @@ import { Effect, Match, pipe } from "effect"
 
 import { createAuthTerminalSession, githubLogin } from "./api-client.js"
 import { readAuthSnapshot, successMessage, writeAuthFlow } from "./menu-auth-data.js"
+import { terminalAuthTitle } from "./menu-auth-shared.js"
 import type { MenuError } from "./menu-errors.js"
 import type { AuthSnapshot, MenuEnv, MenuRunner, MenuViewContext, ViewState } from "./menu-types.js"
 import { attachTerminalSession } from "./terminal-session-client.js"
@@ -15,7 +16,9 @@ type AuthEffectContext = MenuViewContext & {
   readonly cwd: string
 }
 
-const missingAuthTerminalSessionError = (provider: "ClaudeOauth" | "GeminiOauth"): MenuError => ({
+type TerminalAuthProvider = "ClaudeOauth" | "GeminiOauth" | "GrokOauth"
+
+const missingAuthTerminalSessionError = (provider: TerminalAuthProvider): MenuError => ({
   _tag: "ApiRequestError",
   method: "POST",
   path: "/auth/terminal-sessions",
@@ -28,7 +31,7 @@ const resolveLabelOption = (values: Readonly<Record<string, string>>): string |
 }
 
 const resolveTerminalAuthEffect = (
-  provider: "ClaudeOauth" | "GeminiOauth",
+  provider: TerminalAuthProvider,
   labelOption: string | null
 ): Effect.Effect<void, MenuError, MenuEnv> =>
   createAuthTerminalSession(provider, labelOption).pipe(
@@ -36,7 +39,7 @@ const resolveTerminalAuthEffect = (
       session === null
         ? Effect.fail(missingAuthTerminalSessionError(provider))
         : attachTerminalSession({
-          header: provider === "ClaudeOauth" ? "Claude Code OAuth" : "Gemini CLI OAuth",
+          header: terminalAuthTitle(provider),
           session,
           websocketPath: `/auth/terminal-sessions/${encodeURIComponent(session.id)}/ws`
         })
@@ -63,6 +66,9 @@ export const resolveAuthPromptEffect = (
     Match.when("GeminiOauth", () => resolveTerminalAuthEffect("GeminiOauth", labelOption)),
     Match.when("GeminiApiKey", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GeminiLogout", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GrokOauth", () => resolveTerminalAuthEffect("GrokOauth", labelOption)),
+    Match.when("GrokApiKey", (flow) => writeAuthFlow(cwd, flow, values)),
+    Match.when("GrokLogout", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GithubRemove", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GitSet", (flow) => writeAuthFlow(cwd, flow, values)),
     Match.when("GitRemove", (flow) => writeAuthFlow(cwd, flow, values)),
diff --git a/packages/app/src/docker-git/menu-auth-shared.ts b/packages/app/src/docker-git/menu-auth-shared.ts
index 7e185224..9f42bfb5 100644
--- a/packages/app/src/docker-git/menu-auth-shared.ts
+++ b/packages/app/src/docker-git/menu-auth-shared.ts
@@ -4,7 +4,8 @@ import type { AuthFlow } from "./menu-types.js"
 
 export type AuthMenuAction = AuthFlow | "Refresh" | "Back"
 
-export type AuthEnvFlow = Exclude<AuthFlow, "GithubOauth" | "ClaudeOauth" | "GeminiOauth">
+export type AuthEnvFlow = Exclude<AuthFlow, "GithubOauth" | "ClaudeOauth" | "GeminiOauth" | "GrokOauth">
+export type TerminalAuthFlow = Extract<AuthFlow, "ClaudeOauth" | "GeminiOauth" | "GrokOauth">
 
 export type AuthPromptStep = {
   readonly key: "label" | "token" | "user" | "apiKey"
@@ -28,6 +29,9 @@ const authMenuItems: ReadonlyArray<AuthMenuItem> = [
   { action: "GeminiOauth", label: "Gemini CLI: login via OAuth (Google account)" },
   { action: "GeminiApiKey", label: "Gemini CLI: set API key" },
   { action: "GeminiLogout", label: "Gemini CLI: logout (clear credentials)" },
+  { action: "GrokOauth", label: "Grok CLI: login via OAuth (xAI account)" },
+  { action: "GrokApiKey", label: "Grok CLI: set API key" },
+  { action: "GrokLogout", label: "Grok CLI: logout (clear credentials)" },
   { action: "Refresh", label: "Refresh snapshot" },
   { action: "Back", label: "Back to main menu" }
 ]
@@ -62,6 +66,16 @@ const flowSteps: Readonly<Record<AuthFlow, ReadonlyArray<AuthPromptStep>>> = {
   ],
   GeminiLogout: [
     { key: "label", label: "Label to logout (empty = default)", required: false, secret: false }
+  ],
+  GrokOauth: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  GrokApiKey: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false },
+    { key: "apiKey", label: "Grok API key (from x.ai)", required: true, secret: true }
+  ],
+  GrokLogout: [
+    { key: "label", label: "Label to logout (empty = default)", required: false, secret: false }
   ]
 }
 
@@ -76,6 +90,9 @@ export const successMessage = (flow: AuthFlow, label: string): string =>
     Match.when("GeminiOauth", () => `Saved Gemini CLI OAuth login (${label}).`),
     Match.when("GeminiApiKey", () => `Saved Gemini API key (${label}).`),
     Match.when("GeminiLogout", () => `Logged out Gemini CLI (${label}).`),
+    Match.when("GrokOauth", () => `Saved Grok CLI OAuth login (${label}).`),
+    Match.when("GrokApiKey", () => `Saved Grok API key (${label}).`),
+    Match.when("GrokLogout", () => `Logged out Grok CLI (${label}).`),
     Match.exhaustive
   )
 
@@ -90,6 +107,17 @@ export const authViewTitle = (flow: AuthFlow): string =>
     Match.when("GeminiOauth", () => "Gemini CLI OAuth"),
     Match.when("GeminiApiKey", () => "Gemini CLI API key"),
     Match.when("GeminiLogout", () => "Gemini CLI logout"),
+    Match.when("GrokOauth", () => "Grok CLI OAuth"),
+    Match.when("GrokApiKey", () => "Grok CLI API key"),
+    Match.when("GrokLogout", () => "Grok CLI logout"),
+    Match.exhaustive
+  )
+
+export const terminalAuthTitle = (flow: TerminalAuthFlow): string =>
+  Match.value(flow).pipe(
+    Match.when("ClaudeOauth", () => "Claude Code OAuth"),
+    Match.when("GeminiOauth", () => "Gemini CLI OAuth"),
+    Match.when("GrokOauth", () => "Grok CLI OAuth"),
     Match.exhaustive
   )
 
diff --git a/packages/app/src/docker-git/menu-auth-snapshot-builder.ts b/packages/app/src/docker-git/menu-auth-snapshot-builder.ts
index 1f241b4c..86ef6d33 100644
--- a/packages/app/src/docker-git/menu-auth-snapshot-builder.ts
+++ b/packages/app/src/docker-git/menu-auth-snapshot-builder.ts
@@ -8,17 +8,20 @@ import { countAuthAccountDirectories } from "./menu-auth-helpers.js"
 export type AuthAccountCounts = {
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
 }
 
 export const countAuthAccountEntries = (
   fs: FileSystem.FileSystem,
   path: Path.Path,
   claudeAuthPath: string,
-  geminiAuthPath: string
+  geminiAuthPath: string,
+  grokAuthPath: string
 ): Effect.Effect<AuthAccountCounts, PlatformError> =>
   pipe(
     Effect.all({
       claudeAuthEntries: countAuthAccountDirectories(fs, path, claudeAuthPath),
-      geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthPath)
+      geminiAuthEntries: countAuthAccountDirectories(fs, path, geminiAuthPath),
+      grokAuthEntries: countAuthAccountDirectories(fs, path, grokAuthPath)
     })
   )
diff --git a/packages/app/src/docker-git/menu-auth.ts b/packages/app/src/docker-git/menu-auth.ts
index 314969c0..6d3eca3d 100644
--- a/packages/app/src/docker-git/menu-auth.ts
+++ b/packages/app/src/docker-git/menu-auth.ts
@@ -100,7 +100,7 @@ const submitAuthPrompt = (view: AuthPromptView, context: AuthInputContext) => {
       const effect = resolveAuthPromptEffect(view, context.state.cwd, nextValues)
       runAuthPromptEffect(effect, view, label, { ...context, cwd: context.state.cwd }, {
         suspendTui: view.flow === "GithubOauth" || view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout" ||
-          view.flow === "GeminiOauth"
+          view.flow === "GeminiOauth" || view.flow === "GrokOauth"
       })
     }
   )
diff --git a/packages/app/src/docker-git/menu-project-auth-shared.ts b/packages/app/src/docker-git/menu-project-auth-shared.ts
index 6250fe5f..062fefe7 100644
--- a/packages/app/src/docker-git/menu-project-auth-shared.ts
+++ b/packages/app/src/docker-git/menu-project-auth-shared.ts
@@ -25,6 +25,8 @@ const projectAuthMenuItems: ReadonlyArray<ProjectAuthMenuItem> = [
   { action: "ProjectClaudeDisconnect", label: "Project: Claude disconnect" },
   { action: "ProjectGeminiConnect", label: "Project: Gemini connect label" },
   { action: "ProjectGeminiDisconnect", label: "Project: Gemini disconnect" },
+  { action: "ProjectGrokConnect", label: "Project: Grok connect label" },
+  { action: "ProjectGrokDisconnect", label: "Project: Grok disconnect" },
   { action: "Refresh", label: "Refresh snapshot" },
   { action: "Back", label: "Back to main menu" }
 ]
@@ -45,7 +47,11 @@ const flowSteps: Readonly<Record<ProjectAuthFlow, ReadonlyArray<ProjectAuthPromp
   ProjectGeminiConnect: [
     { key: "label", label: "Label (empty = default)", required: false, secret: false }
   ],
-  ProjectGeminiDisconnect: []
+  ProjectGeminiDisconnect: [],
+  ProjectGrokConnect: [
+    { key: "label", label: "Label (empty = default)", required: false, secret: false }
+  ],
+  ProjectGrokDisconnect: []
 }
 
 export const projectAuthSuccessMessage = (
@@ -61,6 +67,8 @@ export const projectAuthSuccessMessage = (
     Match.when("ProjectClaudeDisconnect", () => "Disconnected Claude from project."),
     Match.when("ProjectGeminiConnect", () => `Connected Gemini label (${label}) to project.`),
     Match.when("ProjectGeminiDisconnect", () => "Disconnected Gemini from project."),
+    Match.when("ProjectGrokConnect", () => `Connected Grok label (${label}) to project.`),
+    Match.when("ProjectGrokDisconnect", () => "Disconnected Grok from project."),
     Match.exhaustive
   )
 
diff --git a/packages/app/src/docker-git/menu-project-auth.ts b/packages/app/src/docker-git/menu-project-auth.ts
index d355e64a..a946e4a9 100644
--- a/packages/app/src/docker-git/menu-project-auth.ts
+++ b/packages/app/src/docker-git/menu-project-auth.ts
@@ -133,7 +133,8 @@ const runProjectAuthAction = (
     action === "ProjectGithubDisconnect" ||
     action === "ProjectGitDisconnect" ||
     action === "ProjectClaudeDisconnect" ||
-    action === "ProjectGeminiDisconnect"
+    action === "ProjectGeminiDisconnect" ||
+    action === "ProjectGrokDisconnect"
   ) {
     runProjectAuthEffect(view.project, action, {}, "default", context)
     return
diff --git a/packages/app/src/docker-git/menu-render-auth.ts b/packages/app/src/docker-git/menu-render-auth.ts
index 7d0f0d56..7b85c366 100644
--- a/packages/app/src/docker-git/menu-render-auth.ts
+++ b/packages/app/src/docker-git/menu-render-auth.ts
@@ -11,8 +11,39 @@ import {
 import { renderLayout } from "./menu-render-layout.js"
 import type { AuthSnapshot, ViewState } from "./menu-types.js"
 
+type AuthPromptView = Extract<ViewState, { readonly _tag: "AuthPrompt" }>
+type AuthPromptFlow = AuthPromptView["flow"]
+
 const renderCountLine = (title: string, count: number): string => `${title}: ${count}`
 
+const oauthPromptFlows: ReadonlySet<AuthPromptFlow> = new Set([
+  "GithubOauth",
+  "ClaudeOauth",
+  "GeminiOauth",
+  "GrokOauth"
+])
+
+const claudePromptFlows: ReadonlySet<AuthPromptFlow> = new Set(["ClaudeOauth", "ClaudeLogout"])
+const geminiPromptFlows: ReadonlySet<AuthPromptFlow> = new Set(["GeminiOauth", "GeminiApiKey", "GeminiLogout"])
+const grokPromptFlows: ReadonlySet<AuthPromptFlow> = new Set(["GrokOauth", "GrokApiKey", "GrokLogout"])
+
+const authPromptHelpLine = (flow: AuthPromptFlow): string => {
+  if (oauthPromptFlows.has(flow)) {
+    return "Enter = start OAuth, Esc = cancel."
+  }
+  if (flow === "ClaudeLogout") {
+    return "Enter = logout, Esc = cancel."
+  }
+  return "Enter = next, Esc = cancel."
+}
+
+const authPromptHeaderPaths = (view: AuthPromptView): ReadonlyArray<string> => [
+  `Global env: ${view.snapshot.globalEnvPath}`,
+  ...(claudePromptFlows.has(view.flow) ? [`Claude auth: ${view.snapshot.claudeAuthPath}`] : []),
+  ...(geminiPromptFlows.has(view.flow) ? [`Gemini auth: ${view.snapshot.geminiAuthPath}`] : []),
+  ...(grokPromptFlows.has(view.flow) ? [`Grok auth: ${view.snapshot.grokAuthPath}`] : [])
+]
+
 export const renderAuthMenu = (
   snapshot: AuthSnapshot,
   selected: number,
@@ -25,11 +56,15 @@ export const renderAuthMenu = (
     [
       el(Text, null, `Global env: ${snapshot.globalEnvPath}`),
       el(Text, null, `Claude auth: ${snapshot.claudeAuthPath}`),
+      el(Text, null, `Gemini auth: ${snapshot.geminiAuthPath}`),
+      el(Text, null, `Grok auth: ${snapshot.grokAuthPath}`),
       el(Text, { fg: "gray" }, renderCountLine("Entries", snapshot.totalEntries)),
       el(Text, { fg: "gray" }, renderCountLine("GitHub tokens", snapshot.githubTokenEntries)),
       el(Text, { fg: "gray" }, renderCountLine("Git tokens", snapshot.gitTokenEntries)),
       el(Text, { fg: "gray" }, renderCountLine("Git users", snapshot.gitUserEntries)),
       el(Text, { fg: "gray" }, renderCountLine("Claude logins", snapshot.claudeAuthEntries)),
+      el(Text, { fg: "gray" }, renderCountLine("Gemini logins", snapshot.geminiAuthEntries)),
+      el(Text, { fg: "gray" }, renderCountLine("Grok logins", snapshot.grokAuthEntries)),
       el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
       renderMenuHelp("Use arrows + Enter, or type a number.")
     ],
@@ -38,28 +73,17 @@ export const renderAuthMenu = (
 }
 
 export const renderAuthPrompt = (
-  view: Extract<ViewState, { readonly _tag: "AuthPrompt" }>,
+  view: AuthPromptView,
   message: string | null
 ): React.ReactElement => {
   const el = React.createElement
   const { prompt, visibleBuffer } = resolvePromptState(authViewSteps(view.flow), view.step, view.buffer)
-  let helpLine = "Enter = next, Esc = cancel."
-  if (view.flow === "GithubOauth" || view.flow === "ClaudeOauth") {
-    helpLine = "Enter = start OAuth, Esc = cancel."
-  } else if (view.flow === "ClaudeLogout") {
-    helpLine = "Enter = logout, Esc = cancel."
-  }
   return renderPromptLayout({
     title: `docker-git / Auth / ${authViewTitle(view.flow)}`,
-    header: [
-      el(Text, { fg: "gray" }, `Global env: ${view.snapshot.globalEnvPath}`),
-      ...(view.flow === "ClaudeOauth" || view.flow === "ClaudeLogout"
-        ? [el(Text, { fg: "gray" }, `Claude auth: ${view.snapshot.claudeAuthPath}`)]
-        : [])
-    ],
+    header: authPromptHeaderPaths(view).map((line) => el(Text, { fg: "gray" }, line)),
     prompt,
     visibleBuffer,
-    helpLine,
+    helpLine: authPromptHelpLine(view.flow),
     message
   })
 }
diff --git a/packages/app/src/docker-git/menu-render-project-auth.ts b/packages/app/src/docker-git/menu-render-project-auth.ts
index c151f9d4..8b16c62e 100644
--- a/packages/app/src/docker-git/menu-render-project-auth.ts
+++ b/packages/app/src/docker-git/menu-render-project-auth.ts
@@ -31,6 +31,8 @@ export const renderProjectAuthMenu = (
       el(Text, { fg: "gray" }, `Project env: ${snapshot.envProjectPath}`),
       el(Text, { fg: "gray" }, `Global env: ${snapshot.envGlobalPath}`),
       el(Text, { fg: "gray" }, `Claude auth: ${snapshot.claudeAuthPath}`),
+      el(Text, { fg: "gray" }, `Gemini auth: ${snapshot.geminiAuthPath}`),
+      el(Text, { fg: "gray" }, `Grok auth: ${snapshot.grokAuthPath}`),
       el(
         Box,
         { marginTop: 1, flexDirection: "column" },
@@ -39,7 +41,11 @@ export const renderProjectAuthMenu = (
         el(Text, { fg: "gray" }, `Git label: ${renderActiveLabel(snapshot.activeGitLabel)}`),
         el(Text, { fg: "gray" }, renderCountLine("Available Git tokens", snapshot.gitTokenEntries)),
         el(Text, { fg: "gray" }, `Claude label: ${renderActiveLabel(snapshot.activeClaudeLabel)}`),
-        el(Text, { fg: "gray" }, renderCountLine("Available Claude logins", snapshot.claudeAuthEntries))
+        el(Text, { fg: "gray" }, renderCountLine("Available Claude logins", snapshot.claudeAuthEntries)),
+        el(Text, { fg: "gray" }, `Gemini label: ${renderActiveLabel(snapshot.activeGeminiLabel)}`),
+        el(Text, { fg: "gray" }, renderCountLine("Available Gemini logins", snapshot.geminiAuthEntries)),
+        el(Text, { fg: "gray" }, `Grok label: ${renderActiveLabel(snapshot.activeGrokLabel)}`),
+        el(Text, { fg: "gray" }, renderCountLine("Available Grok logins", snapshot.grokAuthEntries))
       ),
       el(Box, { flexDirection: "column", marginTop: 1 }, ...list),
       renderMenuHelp("Use arrows + Enter, or type a number from the list.")
diff --git a/packages/app/src/docker-git/menu-types.ts b/packages/app/src/docker-git/menu-types.ts
index 7bd32792..44df2630 100644
--- a/packages/app/src/docker-git/menu-types.ts
+++ b/packages/app/src/docker-git/menu-types.ts
@@ -90,17 +90,22 @@ export type AuthFlow =
   | "GeminiOauth"
   | "GeminiApiKey"
   | "GeminiLogout"
+  | "GrokOauth"
+  | "GrokApiKey"
+  | "GrokLogout"
 
 export interface AuthSnapshot {
   readonly globalEnvPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly totalEntries: number
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly gitUserEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
 }
 
 export type ProjectAuthFlow =
@@ -112,6 +117,8 @@ export type ProjectAuthFlow =
   | "ProjectClaudeDisconnect"
   | "ProjectGeminiConnect"
   | "ProjectGeminiDisconnect"
+  | "ProjectGrokConnect"
+  | "ProjectGrokDisconnect"
 
 export interface ProjectAuthSnapshot {
   readonly projectDir: string
@@ -120,14 +127,17 @@ export interface ProjectAuthSnapshot {
   readonly envProjectPath: string
   readonly claudeAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
   readonly githubTokenEntries: number
   readonly gitTokenEntries: number
   readonly claudeAuthEntries: number
   readonly geminiAuthEntries: number
+  readonly grokAuthEntries: number
   readonly activeGithubLabel: string | null
   readonly activeGitLabel: string | null
   readonly activeClaudeLabel: string | null
   readonly activeGeminiLabel: string | null
+  readonly activeGrokLabel: string | null
 }
 
 export type ViewState =
diff --git a/packages/app/src/docker-git/program-unsupported.ts b/packages/app/src/docker-git/program-unsupported.ts
index ee61354e..b7fdacc8 100644
--- a/packages/app/src/docker-git/program-unsupported.ts
+++ b/packages/app/src/docker-git/program-unsupported.ts
@@ -11,6 +11,9 @@ export type UnsupportedOperationalCommandTag =
   | "AuthGeminiLogin"
   | "AuthGeminiStatus"
   | "AuthGeminiLogout"
+  | "AuthGrokLogin"
+  | "AuthGrokStatus"
+  | "AuthGrokLogout"
 
 export const unsupportedOperationalCommands: Record<
   UnsupportedOperationalCommandTag,
@@ -51,5 +54,17 @@ export const unsupportedOperationalCommands: Record<
   AuthGeminiLogout: {
     command: "auth gemini logout",
     message: "Only GitHub, GitLab, and Codex auth are routed through the controller in host API mode."
+  },
+  AuthGrokLogin: {
+    command: "auth grok login",
+    message: "Only GitHub, GitLab, and Codex auth are routed through the controller in host API mode."
+  },
+  AuthGrokStatus: {
+    command: "auth grok status",
+    message: "Only GitHub, GitLab, and Codex auth are routed through the controller in host API mode."
+  },
+  AuthGrokLogout: {
+    command: "auth grok logout",
+    message: "Only GitHub, GitLab, and Codex auth are routed through the controller in host API mode."
   }
 }
diff --git a/packages/app/src/lib/core/auth-domain.ts b/packages/app/src/lib/core/auth-domain.ts
index b6ae3f8e..71cd7a50 100644
--- a/packages/app/src/lib/core/auth-domain.ts
+++ b/packages/app/src/lib/core/auth-domain.ts
@@ -107,6 +107,35 @@ export interface AuthGeminiLogoutCommand {
   readonly geminiAuthPath: string
 }
 
+// CHANGE: add Grok CLI auth commands
+// WHY: issue #304 requires Grok login/status/logout profiles with isolated auth storage
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd ∈ AuthGrokCommand: cmd.grokAuthPath is valid path
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: authentication state is isolated by label
+// COMPLEXITY: O(1)
+export interface AuthGrokLoginCommand {
+  readonly _tag: "AuthGrokLogin"
+  readonly label: string | null
+  readonly grokAuthPath: string
+  readonly isWeb: boolean
+}
+
+export interface AuthGrokStatusCommand {
+  readonly _tag: "AuthGrokStatus"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
+export interface AuthGrokLogoutCommand {
+  readonly _tag: "AuthGrokLogout"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
 export type AuthCommand =
   | AuthGithubLoginCommand
   | AuthGithubStatusCommand
@@ -124,4 +153,7 @@ export type AuthCommand =
   | AuthGeminiLoginCommand
   | AuthGeminiStatusCommand
   | AuthGeminiLogoutCommand
+  | AuthGrokLoginCommand
+  | AuthGrokStatusCommand
+  | AuthGrokLogoutCommand
 /* jscpd:ignore-end */
diff --git a/packages/app/src/lib/core/auto-agent-flags.ts b/packages/app/src/lib/core/auto-agent-flags.ts
index c1683f36..c5472b66 100644
--- a/packages/app/src/lib/core/auto-agent-flags.ts
+++ b/packages/app/src/lib/core/auto-agent-flags.ts
@@ -14,13 +14,13 @@ export const resolveAutoAgentFlags = (
   if (requested === "auto") {
     return Either.right({ agentMode: undefined, agentAuto: true })
   }
-  if (requested === "claude" || requested === "codex") {
+  if (requested === "claude" || requested === "codex" || requested === "gemini" || requested === "grok") {
     return Either.right({ agentMode: requested, agentAuto: true })
   }
   return Either.left({
     _tag: "InvalidOption",
     option: "--auto",
-    reason: "expected one of: claude, codex"
+    reason: "expected one of: claude, codex, gemini, grok"
   })
 }
 /* jscpd:ignore-end */
diff --git a/packages/app/src/lib/core/command-builders-template.ts b/packages/app/src/lib/core/command-builders-template.ts
new file mode 100644
index 00000000..f54a214d
--- /dev/null
+++ b/packages/app/src/lib/core/command-builders-template.ts
@@ -0,0 +1,94 @@
+/* jscpd:ignore-start */
+import type { NameConfig, PathConfig, RepoBasics } from "./command-builders.js"
+import { type AgentMode, type CreateCommand, defaultTemplateConfig } from "./domain.js"
+
+export type BuildTemplateConfigInput = {
+  readonly repo: RepoBasics
+  readonly names: NameConfig
+  readonly paths: PathConfig
+  readonly cpuLimit: string | undefined
+  readonly ramLimit: string | undefined
+  readonly playwrightCpuLimit: string | undefined
+  readonly playwrightRamLimit: string | undefined
+  readonly gpu: CreateCommand["config"]["gpu"]
+  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
+  readonly dockerSharedNetworkName: string
+  readonly gitTokenLabel: string | undefined
+  readonly skipGithubAuth: boolean
+  readonly codexAuthLabel: string | undefined
+  readonly claudeAuthLabel: string | undefined
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
+  readonly enableMcpPlaywright: boolean
+  readonly agentMode: AgentMode | undefined
+  readonly agentAuto: boolean
+  readonly clonedOnHostname?: string | undefined
+}
+
+const buildTemplateConfigBase = (
+  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
+): Pick<
+  CreateCommand["config"],
+  | "containerName"
+  | "serviceName"
+  | "sshUser"
+  | "sshPort"
+  | "repoUrl"
+  | "repoRef"
+  | "targetDir"
+  | "volumeName"
+  | "dockerGitPath"
+  | "authorizedKeysPath"
+  | "envGlobalPath"
+  | "envProjectPath"
+  | "codexAuthPath"
+  | "codexSharedAuthPath"
+  | "codexHome"
+  | "geminiAuthPath"
+  | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
+> => ({
+  containerName: input.names.containerName,
+  serviceName: input.names.serviceName,
+  sshUser: input.repo.sshUser,
+  sshPort: input.repo.sshPort,
+  repoUrl: input.repo.repoUrl,
+  repoRef: input.repo.repoRef,
+  targetDir: input.repo.targetDir,
+  volumeName: input.names.volumeName,
+  dockerGitPath: input.paths.dockerGitPath,
+  authorizedKeysPath: input.paths.authorizedKeysPath,
+  envGlobalPath: input.paths.envGlobalPath,
+  envProjectPath: input.paths.envProjectPath,
+  codexAuthPath: input.paths.codexAuthPath,
+  codexSharedAuthPath: input.paths.codexSharedAuthPath,
+  codexHome: input.paths.codexHome,
+  geminiAuthPath: input.paths.geminiAuthPath,
+  geminiHome: input.paths.geminiHome,
+  grokAuthPath: input.paths.grokAuthPath,
+  grokHome: input.paths.grokHome
+})
+
+export const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
+  ...buildTemplateConfigBase(input),
+  gitTokenLabel: input.gitTokenLabel,
+  skipGithubAuth: input.skipGithubAuth,
+  codexAuthLabel: input.codexAuthLabel,
+  claudeAuthLabel: input.claudeAuthLabel,
+  geminiAuthLabel: input.geminiAuthLabel,
+  grokAuthLabel: input.grokAuthLabel,
+  cpuLimit: input.cpuLimit,
+  ramLimit: input.ramLimit,
+  playwrightCpuLimit: input.playwrightCpuLimit,
+  playwrightRamLimit: input.playwrightRamLimit,
+  gpu: input.gpu,
+  dockerNetworkMode: input.dockerNetworkMode,
+  dockerSharedNetworkName: input.dockerSharedNetworkName,
+  enableMcpPlaywright: input.enableMcpPlaywright,
+  bunVersion: defaultTemplateConfig.bunVersion,
+  agentMode: input.agentMode,
+  agentAuto: input.agentAuto,
+  clonedOnHostname: input.clonedOnHostname
+})
+/* jscpd:ignore-end */
diff --git a/packages/app/src/lib/core/command-builders.ts b/packages/app/src/lib/core/command-builders.ts
index 44c0bd88..d6dd8730 100644
--- a/packages/app/src/lib/core/command-builders.ts
+++ b/packages/app/src/lib/core/command-builders.ts
@@ -10,9 +10,9 @@ import {
   parseSshPort,
   parseSshUser
 } from "./command-builders-shared.js"
+import { buildTemplateConfig } from "./command-builders-template.js"
 import { type RawOptions } from "./command-options.js"
 import {
-  type AgentMode,
   type CreateCommand,
   defaultTemplateConfig,
   deriveRepoPathParts,
@@ -28,7 +28,7 @@ export { nonEmpty } from "./command-builders-shared.js"
 
 const normalizeSecretsRoot = (value: string): string => trimRightChar(value, "/")
 
-type RepoBasics = {
+export type RepoBasics = {
   readonly repoUrl: string
   readonly repoSlug: string
   readonly projectSlug: string
@@ -62,7 +62,7 @@ const resolveRepoBasics = (raw: RawOptions): Either.Either<RepoBasics, ParseErro
     return { repoUrl, repoSlug, projectSlug, repoPath, repoRef, targetDir, sshUser, sshPort }
   })
 
-type NameConfig = {
+export type NameConfig = {
   readonly containerName: string
   readonly serviceName: string
   readonly volumeName: string
@@ -85,7 +85,7 @@ const resolveNames = (
     return { containerName, serviceName, volumeName }
   })
 
-type PathConfig = {
+export type PathConfig = {
   readonly dockerGitPath: string
   readonly authorizedKeysPath: string
   readonly envGlobalPath: string
@@ -95,6 +95,8 @@ type PathConfig = {
   readonly codexHome: string
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly outDir: string
 }
 
@@ -105,6 +107,7 @@ type DefaultPathConfig = {
   readonly envProjectPath: string
   readonly codexAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
 }
 
 const resolveNormalizedSecretsRoot = (value: string | undefined): string | undefined => {
@@ -122,7 +125,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: defaultTemplateConfig.envGlobalPath,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: defaultTemplateConfig.codexAuthPath,
-      geminiAuthPath: defaultTemplateConfig.geminiAuthPath
+      geminiAuthPath: defaultTemplateConfig.geminiAuthPath,
+      grokAuthPath: defaultTemplateConfig.grokAuthPath
     }
     : {
       // NOTE: Keep docker-git root mount stable (projects root) so caches like
@@ -132,7 +136,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: `${normalizedSecretsRoot}/global.env`,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: `${normalizedSecretsRoot}/codex`,
-      geminiAuthPath: `${normalizedSecretsRoot}/gemini`
+      geminiAuthPath: `${normalizedSecretsRoot}/gemini`,
+      grokAuthPath: `${normalizedSecretsRoot}/grok`
     }
 
 const resolvePaths = (
@@ -157,6 +162,8 @@ const resolvePaths = (
     const codexHome = yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome))
     const geminiAuthPath = defaults.geminiAuthPath
     const geminiHome = defaultTemplateConfig.geminiHome
+    const grokAuthPath = defaults.grokAuthPath
+    const grokHome = defaultTemplateConfig.grokHome
     const outDir = yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 
     return {
@@ -169,6 +176,8 @@ const resolvePaths = (
       codexHome,
       geminiAuthPath,
       geminiHome,
+      grokAuthPath,
+      grokHome,
       outDir
     }
   })
@@ -191,86 +200,20 @@ const resolveCreateBehavior = (raw: RawOptions): CreateBehavior => ({
   enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 })
 
-type BuildTemplateConfigInput = {
-  readonly repo: RepoBasics
-  readonly names: NameConfig
-  readonly paths: PathConfig
-  readonly cpuLimit: string | undefined
-  readonly ramLimit: string | undefined
-  readonly playwrightCpuLimit: string | undefined
-  readonly playwrightRamLimit: string | undefined
-  readonly gpu: CreateCommand["config"]["gpu"]
-  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
-  readonly dockerSharedNetworkName: string
+type TokenLabelConfig = {
   readonly gitTokenLabel: string | undefined
-  readonly skipGithubAuth: boolean
   readonly codexAuthLabel: string | undefined
   readonly claudeAuthLabel: string | undefined
-  readonly enableMcpPlaywright: boolean
-  readonly agentMode: AgentMode | undefined
-  readonly agentAuto: boolean
-  readonly clonedOnHostname?: string | undefined
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
 }
 
-const buildTemplateConfigBase = (
-  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
-): Pick<
-  CreateCommand["config"],
-  | "containerName"
-  | "serviceName"
-  | "sshUser"
-  | "sshPort"
-  | "repoUrl"
-  | "repoRef"
-  | "targetDir"
-  | "volumeName"
-  | "dockerGitPath"
-  | "authorizedKeysPath"
-  | "envGlobalPath"
-  | "envProjectPath"
-  | "codexAuthPath"
-  | "codexSharedAuthPath"
-  | "codexHome"
-  | "geminiAuthPath"
-  | "geminiHome"
-> => ({
-  containerName: input.names.containerName,
-  serviceName: input.names.serviceName,
-  sshUser: input.repo.sshUser,
-  sshPort: input.repo.sshPort,
-  repoUrl: input.repo.repoUrl,
-  repoRef: input.repo.repoRef,
-  targetDir: input.repo.targetDir,
-  volumeName: input.names.volumeName,
-  dockerGitPath: input.paths.dockerGitPath,
-  authorizedKeysPath: input.paths.authorizedKeysPath,
-  envGlobalPath: input.paths.envGlobalPath,
-  envProjectPath: input.paths.envProjectPath,
-  codexAuthPath: input.paths.codexAuthPath,
-  codexSharedAuthPath: input.paths.codexSharedAuthPath,
-  codexHome: input.paths.codexHome,
-  geminiAuthPath: input.paths.geminiAuthPath,
-  geminiHome: input.paths.geminiHome
-})
-
-const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
-  ...buildTemplateConfigBase(input),
-  gitTokenLabel: input.gitTokenLabel,
-  skipGithubAuth: input.skipGithubAuth,
-  codexAuthLabel: input.codexAuthLabel,
-  claudeAuthLabel: input.claudeAuthLabel,
-  cpuLimit: input.cpuLimit,
-  ramLimit: input.ramLimit,
-  playwrightCpuLimit: input.playwrightCpuLimit,
-  playwrightRamLimit: input.playwrightRamLimit,
-  gpu: input.gpu,
-  dockerNetworkMode: input.dockerNetworkMode,
-  dockerSharedNetworkName: input.dockerSharedNetworkName,
-  enableMcpPlaywright: input.enableMcpPlaywright,
-  bunVersion: defaultTemplateConfig.bunVersion,
-  agentMode: input.agentMode,
-  agentAuto: input.agentAuto,
-  clonedOnHostname: input.clonedOnHostname
+const resolveTokenLabels = (raw: RawOptions): TokenLabelConfig => ({
+  gitTokenLabel: normalizeGitTokenLabel(raw.gitTokenLabel),
+  codexAuthLabel: normalizeAuthLabel(raw.codexTokenLabel),
+  claudeAuthLabel: normalizeAuthLabel(raw.claudeTokenLabel),
+  geminiAuthLabel: normalizeAuthLabel(raw.geminiTokenLabel),
+  grokAuthLabel: normalizeAuthLabel(raw.grokTokenLabel)
 })
 
 // CHANGE: build a typed create command from raw options (CLI or API)
@@ -291,9 +234,7 @@ export const buildCreateCommand = (
     const names = yield* _(resolveNames(raw, repo.projectSlug))
     const paths = yield* _(resolvePaths(raw, repo.repoPath))
     const behavior = resolveCreateBehavior(raw)
-    const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel)
-    const codexAuthLabel = normalizeAuthLabel(raw.codexTokenLabel)
-    const claudeAuthLabel = normalizeAuthLabel(raw.claudeTokenLabel)
+    const tokenLabels = resolveTokenLabels(raw)
     const limits = yield* _(resolveResourceLimitsIntent(raw))
     const gpu = yield* _(parseGpuMode(raw.gpu))
     const dockerNetworkMode = yield* _(parseDockerNetworkMode(raw.dockerNetworkMode))
@@ -321,10 +262,8 @@ export const buildCreateCommand = (
         gpu,
         dockerNetworkMode,
         dockerSharedNetworkName,
-        gitTokenLabel,
+        ...tokenLabels,
         skipGithubAuth: behavior.skipGithubAuth,
-        codexAuthLabel,
-        claudeAuthLabel,
         enableMcpPlaywright: behavior.enableMcpPlaywright,
         agentMode,
         agentAuto
diff --git a/packages/app/src/lib/core/command-options.ts b/packages/app/src/lib/core/command-options.ts
index 12f15f15..5c4b02da 100644
--- a/packages/app/src/lib/core/command-options.ts
+++ b/packages/app/src/lib/core/command-options.ts
@@ -41,6 +41,8 @@ export interface RawOptions {
   readonly gitTokenLabel?: string
   readonly codexTokenLabel?: string
   readonly claudeTokenLabel?: string
+  readonly geminiTokenLabel?: string
+  readonly grokTokenLabel?: string
   readonly token?: string
   readonly scopes?: string
   readonly message?: string
diff --git a/packages/app/src/lib/core/domain.ts b/packages/app/src/lib/core/domain.ts
index 74bb7a64..f411e7a6 100644
--- a/packages/app/src/lib/core/domain.ts
+++ b/packages/app/src/lib/core/domain.ts
@@ -20,7 +20,10 @@ export type {
   AuthGithubStatusCommand,
   AuthGitlabLoginCommand,
   AuthGitlabLogoutCommand,
-  AuthGitlabStatusCommand
+  AuthGitlabStatusCommand,
+  AuthGrokLoginCommand,
+  AuthGrokLogoutCommand,
+  AuthGrokStatusCommand
 } from "./auth-domain.js"
 export type { MenuAction, ParseError } from "./menu.js"
 export { parseMenuSelection } from "./menu.js"
@@ -53,7 +56,7 @@ export {
   dockerGitSharedCodexVolumeName
 } from "./template-defaults.js"
 
-export type AgentMode = "claude" | "codex" | "gemini"
+export type AgentMode = "claude" | "codex" | "gemini" | "grok"
 
 export type DockerNetworkMode = "shared" | "project"
 export type GpuMode = "none" | "all"
@@ -97,6 +100,9 @@ export interface TemplateConfig {
   readonly geminiAuthLabel?: string | undefined
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthLabel?: string | undefined
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
@@ -188,6 +194,7 @@ export interface ApplyCommand {
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
   readonly geminiTokenLabel?: string | undefined
+  readonly grokTokenLabel?: string | undefined
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
diff --git a/packages/app/src/lib/core/template-defaults.ts b/packages/app/src/lib/core/template-defaults.ts
index da4d81eb..b3bc52c1 100644
--- a/packages/app/src/lib/core/template-defaults.ts
+++ b/packages/app/src/lib/core/template-defaults.ts
@@ -20,6 +20,8 @@ type DefaultTemplateConfig = Pick<
   | "codexHome"
   | "geminiAuthPath"
   | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
   | "cpuLimit"
   | "ramLimit"
   | "playwrightCpuLimit"
@@ -63,6 +65,8 @@ export const defaultTemplateConfig = {
   codexHome: "/home/dev/.codex",
   geminiAuthPath: "./.docker-git/.orch/auth/gemini",
   geminiHome: "/home/dev/.gemini",
+  grokAuthPath: "./.docker-git/.orch/auth/grok",
+  grokHome: "/home/dev/.grok",
   cpuLimit: defaultCpuLimit,
   ramLimit: defaultRamLimit,
   playwrightCpuLimit: defaultPlaywrightCpuLimit,
diff --git a/packages/app/src/lib/core/templates-entrypoint.ts b/packages/app/src/lib/core/templates-entrypoint.ts
index fce6deb9..43b16baa 100644
--- a/packages/app/src/lib/core/templates-entrypoint.ts
+++ b/packages/app/src/lib/core/templates-entrypoint.ts
@@ -24,6 +24,7 @@ import {
 import { renderEntrypointDnsRepair } from "./templates-entrypoint/dns-repair.js"
 import { renderEntrypointGeminiConfig } from "./templates-entrypoint/gemini.js"
 import { renderEntrypointGitConfig, renderEntrypointGitHooks } from "./templates-entrypoint/git.js"
+import { renderEntrypointGrokConfig } from "./templates-entrypoint/grok.js"
 import { renderEntrypointDockerGitBootstrap } from "./templates-entrypoint/nested-docker-git.js"
 import { renderEntrypointOpenCodeConfig } from "./templates-entrypoint/opencode.js"
 import { renderEntrypointProjectAgentRules } from "./templates-entrypoint/project-rules.js"
@@ -62,6 +63,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointGitConfig(config),
     renderEntrypointClaudeConfig(config),
     renderEntrypointGeminiConfig(config),
+    renderEntrypointGrokConfig(config),
     renderEntrypointRtkConfig(config),
     renderEntrypointGitHooks(),
     renderEntrypointBackgroundTasks(config),
diff --git a/packages/app/src/lib/core/templates-entrypoint/agent.ts b/packages/app/src/lib/core/templates-entrypoint/agent.ts
index d7517f3f..0db5871b 100644
--- a/packages/app/src/lib/core/templates-entrypoint/agent.ts
+++ b/packages/app/src/lib/core/templates-entrypoint/agent.ts
@@ -2,7 +2,7 @@
 import { Match } from "effect"
 import type { TemplateConfig } from "../domain.js"
 
-type AgentMode = "claude" | "codex" | "gemini"
+type AgentMode = "claude" | "codex" | "gemini" | "grok"
 
 const indentBlock = (block: string, size = 2): string => {
   const prefix = " ".repeat(size)
@@ -41,6 +41,7 @@ AGENT_ENV_FILE="/run/docker-git/agent-env.sh"
   [[ -f /etc/profile.d/gh-token.sh ]] && cat /etc/profile.d/gh-token.sh
   [[ -f /etc/profile.d/claude-config.sh ]] && cat /etc/profile.d/claude-config.sh
   [[ -f /etc/profile.d/gemini-config.sh ]] && cat /etc/profile.d/gemini-config.sh
+  [[ -f /etc/profile.d/grok-config.sh ]] && cat /etc/profile.d/grok-config.sh
 } > "$AGENT_ENV_FILE" 2>/dev/null || true
 chmod 644 "$AGENT_ENV_FILE"`,
     renderAgentPrompt(),
@@ -61,6 +62,8 @@ const renderAgentPromptCommand = (mode: AgentMode): string =>
     ),
     Match.when("codex", () => String.raw`MCP_PLAYWRIGHT_ISOLATED=1 codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
+    Match.when("grok", () =>
+      String.raw`MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.exhaustive
   )
 
@@ -99,6 +102,7 @@ const renderAgentModeCase = (config: TemplateConfig): string =>
     indentBlock(renderAgentModeBlock(config, "claude")),
     indentBlock(renderAgentModeBlock(config, "codex")),
     indentBlock(renderAgentModeBlock(config, "gemini")),
+    indentBlock(renderAgentModeBlock(config, "grok")),
     indentBlock(
       String.raw`*)
   echo "[agent] unknown agent mode: $AGENT_MODE"
diff --git a/packages/app/src/lib/core/templates-entrypoint/base.ts b/packages/app/src/lib/core/templates-entrypoint/base.ts
index 659d38a2..1ba0bd21 100644
--- a/packages/app/src/lib/core/templates-entrypoint/base.ts
+++ b/packages/app/src/lib/core/templates-entrypoint/base.ts
@@ -24,6 +24,7 @@ fi
 CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 CODEX_AUTH_LABEL="\${CODEX_AUTH_LABEL:-}"
 GEMINI_AUTH_LABEL="\${GEMINI_AUTH_LABEL:-}"
+GROK_AUTH_LABEL="\${GROK_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-}}"
 GITLAB_TOKEN="\${GITLAB_TOKEN:-}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
diff --git a/packages/app/src/lib/core/templates-entrypoint/grok.ts b/packages/app/src/lib/core/templates-entrypoint/grok.ts
new file mode 100644
index 00000000..269df685
--- /dev/null
+++ b/packages/app/src/lib/core/templates-entrypoint/grok.ts
@@ -0,0 +1,315 @@
+/* jscpd:ignore-start */
+import type { TemplateConfig } from "../domain.js"
+
+// CHANGE: add Grok CLI entrypoint configuration
+// WHY: issue #304 requires Grok auth, Playwright MCP and unrestricted agent permissions
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: renderEntrypointGrokConfig(config) -> valid_bash_script
+// PURITY: CORE
+// INVARIANT: Grok credentials are isolated by GROK_AUTH_LABEL
+// COMPLEXITY: O(1)
+
+const grokAuthRootContainerPath = (sshUser: string): string => `/home/${sshUser}/.docker-git/.orch/auth/grok`
+
+// CHANGE: render shell parameter defaults through TypeScript interpolation
+// WHY: String.raw preserves escaped \${...}, making optional Grok credentials fail under bash nounset
+// QUOTE(ТЗ): "GitHub Actions ... all CI checks are passing"
+// REF: issue-304-ci
+// SOURCE: n/a
+// FORMAT THEOREM: unset(GROK_DEPLOYMENT_KEY) -> safe_empty_value(GROK_DEPLOYMENT_KEY)
+// PURITY: CORE
+// INVARIANT: Optional Grok API credentials never require a bound environment variable
+// COMPLEXITY: O(1)
+const grokDeploymentKeyDefaultExpansion = "${GROK_DEPLOYMENT_KEY:-}"
+const grokApiKeyDefaultExpansion = "${GROK_API_KEY:-}"
+const grokAuthLabelDefaultExpansion = "${GROK_AUTH_LABEL:-}"
+const xaiApiKeyDefaultExpansion = "${XAI_API_KEY:-}"
+
+const grokAuthConfigTemplate = String
+  .raw`# Grok CLI: keep ~/.grok as a real home directory while sharing auth files from ~/.docker-git/.orch/auth/grok
+GROK_LABEL_RAW="${grokAuthLabelDefaultExpansion}"
+if [[ -z "$GROK_LABEL_RAW" ]]; then
+  GROK_LABEL_RAW="default"
+fi
+
+GROK_LABEL_NORM="$(printf "%s" "$GROK_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$GROK_LABEL_NORM" ]]; then
+  GROK_LABEL_NORM="default"
+fi
+export GROK_AUTH_LABEL="$GROK_LABEL_NORM"
+
+GROK_AUTH_ROOT="__GROK_AUTH_ROOT__"
+export GROK_CONFIG_DIR="$GROK_AUTH_ROOT/$GROK_LABEL_NORM"
+
+mkdir -p "$GROK_CONFIG_DIR" || true
+GROK_HOME_DIR="__GROK_HOME_DIR__"
+mkdir -p "$GROK_HOME_DIR" || true
+GROK_SHARED_HOME_DIR="$GROK_CONFIG_DIR/.grok"
+mkdir -p "$GROK_SHARED_HOME_DIR" || true
+
+docker_git_link_grok_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    if [[ -d "$link_path" ]]; then
+      return 0
+    fi
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+docker_git_prepare_grok_home_dir() {
+  if [[ -L "$GROK_HOME_DIR" ]]; then
+    local previous_target
+    previous_target="$(readlink -f "$GROK_HOME_DIR" || true)"
+    rm -f "$GROK_HOME_DIR" || true
+    mkdir -p "$GROK_HOME_DIR" || true
+    if [[ -n "$previous_target" && -d "$previous_target" ]]; then
+      cp -a "$previous_target"/. "$GROK_HOME_DIR"/ 2>/dev/null || true
+    fi
+    return 0
+  fi
+
+  mkdir -p "$GROK_HOME_DIR" || true
+}
+
+docker_git_prepare_grok_home_dir
+
+docker_git_link_grok_file "$GROK_CONFIG_DIR/.api-key" "$GROK_HOME_DIR/.api-key"
+docker_git_link_grok_file "$GROK_CONFIG_DIR/.env" "$GROK_HOME_DIR/.env"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/auth.json" "$GROK_HOME_DIR/auth.json"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/config.toml" "$GROK_HOME_DIR/config.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/managed_config.toml" "$GROK_HOME_DIR/managed_config.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/requirements.toml" "$GROK_HOME_DIR/requirements.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/user-settings.json" "$GROK_HOME_DIR/user-settings.json"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/settings.json" "$GROK_HOME_DIR/settings.json"
+
+GROK_REAL_BIN="$(command -v grok || echo "/usr/local/bin/grok")"
+GROK_WRAPPER_BIN="/usr/local/bin/grok-wrapper"
+if [[ -f "$GROK_REAL_BIN" && "$GROK_REAL_BIN" != "$GROK_WRAPPER_BIN" ]]; then
+  if [[ ! -f "$GROK_WRAPPER_BIN" ]]; then
+    cat <<'EOF' > "$GROK_WRAPPER_BIN"
+#!/usr/bin/env bash
+GROK_ORIGINAL_BIN="__GROK_REAL_BIN__"
+for arg in "$@"; do
+  if [[ "$arg" == "--no-sandbox" ]]; then
+    exec "$GROK_ORIGINAL_BIN" "$@"
+  fi
+done
+exec "$GROK_ORIGINAL_BIN" --no-sandbox "$@"
+EOF
+    sed -i "s#__GROK_REAL_BIN__#$GROK_REAL_BIN#g" "$GROK_WRAPPER_BIN" || true
+    chmod 0755 "$GROK_WRAPPER_BIN" || true
+  fi
+fi
+
+docker_git_refresh_grok_env() {
+  local RESOLVED_GROK_API_KEY
+  if [[ -f "$GROK_HOME_DIR/.api-key" ]]; then
+    RESOLVED_GROK_API_KEY="$(cat "$GROK_HOME_DIR/.api-key" | tr -d '\r\n')"
+  elif [[ -f "$GROK_HOME_DIR/.env" ]]; then
+    RESOLVED_GROK_API_KEY="$(grep -E "^GROK_DEPLOYMENT_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    if [[ -z "$RESOLVED_GROK_API_KEY" ]]; then
+      RESOLVED_GROK_API_KEY="$(grep -E "^GROK_API_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    fi
+    if [[ -z "$RESOLVED_GROK_API_KEY" ]]; then
+      RESOLVED_GROK_API_KEY="$(grep -E "^XAI_API_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    fi
+  elif [[ -n "${grokDeploymentKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${grokDeploymentKeyDefaultExpansion}"
+  elif [[ -n "${grokApiKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${grokApiKeyDefaultExpansion}"
+  elif [[ -n "${xaiApiKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${xaiApiKeyDefaultExpansion}"
+  else
+    RESOLVED_GROK_API_KEY=""
+  fi
+  # Priority: selected account files, then GROK_DEPLOYMENT_KEY, GROK_API_KEY, XAI_API_KEY.
+  if [[ -n "$RESOLVED_GROK_API_KEY" ]]; then
+    export GROK_DEPLOYMENT_KEY="$RESOLVED_GROK_API_KEY"
+    export GROK_API_KEY="$RESOLVED_GROK_API_KEY"
+    export XAI_API_KEY="$RESOLVED_GROK_API_KEY"
+  fi
+}
+
+docker_git_refresh_grok_env`
+
+const renderGrokAuthConfig = (config: TemplateConfig): string =>
+  grokAuthConfigTemplate
+    .replaceAll("__GROK_AUTH_ROOT__", grokAuthRootContainerPath(config.sshUser))
+    .replaceAll("__GROK_HOME_DIR__", config.grokHome)
+
+const grokSettingsJsonTemplate = `{
+  "sandboxMode": "off",
+  "confirmBeforeToolUse": false,
+  "mcpServers": {
+    "playwright": {
+      "command": "docker-git-playwright-mcp",
+      "args": [],
+      "trust": true
+    }
+  }
+}`
+
+const grokUserSettingsJsonTemplate = `{
+  "sandboxMode": "off",
+  "confirmBeforeToolUse": false
+}`
+
+const renderGrokPermissionSettingsConfig = (config: TemplateConfig): string =>
+  String.raw`# Grok CLI: keep sandbox and MCP settings in sync with docker-git defaults
+GROK_SETTINGS_DIR="${config.grokHome}"
+GROK_CONFIG_SETTINGS_FILE="$GROK_SETTINGS_DIR/settings.json"
+GROK_USER_SETTINGS_FILE="$GROK_SETTINGS_DIR/user-settings.json"
+
+mkdir -p "$GROK_SETTINGS_DIR" || true
+
+cat <<'EOF' > "$GROK_CONFIG_SETTINGS_FILE"
+${grokSettingsJsonTemplate}
+EOF
+
+if [[ ! -s "$GROK_USER_SETTINGS_FILE" ]]; then
+  cat <<'EOF' > "$GROK_USER_SETTINGS_FILE"
+${grokUserSettingsJsonTemplate}
+EOF
+fi
+
+GROK_SETTINGS_OWNER_UID="$(id -u "${config.sshUser}" 2>/dev/null || id -u)"
+GROK_SETTINGS_OWNER_GID="$(id -g "${config.sshUser}" 2>/dev/null || id -g)"
+chown -R "$GROK_SETTINGS_OWNER_UID:$GROK_SETTINGS_OWNER_GID" "$GROK_SETTINGS_DIR" || true
+chmod 0600 "$GROK_CONFIG_SETTINGS_FILE" "$GROK_USER_SETTINGS_FILE" 2>/dev/null || true`
+
+const renderGrokSudoConfig = (config: TemplateConfig): string =>
+  String.raw`# Grok CLI: allow passwordless sudo for agent tasks
+# Risk rationale: Grok runs inside an isolated per-project container. The sshUser
+# value is validated as a Unix username before TemplateConfig construction, and
+# passwordless sudo matches the broad container-local privileges expected for
+# docker-git coding agents that need to install packages or manage services.
+if [[ -d /etc/sudoers.d ]]; then
+  echo "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/grok-agent
+  chmod 0440 /etc/sudoers.d/grok-agent
+fi`
+
+const renderGrokProfileSetup = (config: TemplateConfig): string =>
+  String.raw`GROK_PROFILE="/etc/profile.d/grok-config.sh"
+printf "export GROK_AUTH_LABEL=%q\n" "$GROK_AUTH_LABEL" > "$GROK_PROFILE"
+printf "export GROK_HOME=%q\n" "${config.grokHome}" >> "$GROK_PROFILE"
+printf "alias grok='/usr/local/bin/grok-wrapper'\n" >> "$GROK_PROFILE"
+cat <<'EOF' >> "$GROK_PROFILE"
+if [[ -f "$GROK_HOME/.api-key" ]]; then
+  API_KEY="$(cat "$GROK_HOME/.api-key" | tr -d '\r\n')"
+  export GROK_DEPLOYMENT_KEY="$API_KEY"
+  export GROK_API_KEY="$API_KEY"
+  export XAI_API_KEY="$API_KEY"
+fi
+EOF
+chmod 0644 "$GROK_PROFILE" || true
+
+docker_git_upsert_ssh_env "GROK_AUTH_LABEL" "$GROK_AUTH_LABEL"
+docker_git_upsert_ssh_env "GROK_DEPLOYMENT_KEY" "${grokDeploymentKeyDefaultExpansion}"
+docker_git_upsert_ssh_env "GROK_API_KEY" "${grokApiKeyDefaultExpansion}"
+docker_git_upsert_ssh_env "XAI_API_KEY" "${xaiApiKeyDefaultExpansion}"`
+
+const entrypointGrokNoticeTemplate = String.raw`# Ensure global GROK.md exists for container context
+GROK_MD_PATH="__GROK_HOME__/GROK.md"
+GROK_WORKSPACE_CONTEXT="Контекст workspace: repository"
+if [[ "$REPO_REF" == issue-* ]]; then
+  ISSUE_ID="$(printf "%s" "$REPO_REF" | sed -E 's#^issue-##')"
+  ISSUE_URL=""
+  if [[ "$REPO_URL" == https://github.com/* ]]; then
+    ISSUE_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO" ]]; then
+      ISSUE_URL="https://github.com/$ISSUE_REPO/issues/$ISSUE_ID"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID ($ISSUE_URL)"
+  else
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID"
+  fi
+elif [[ "$REPO_REF" == refs/pull/*/head ]]; then
+  PR_ID="$(printf "%s" "$REPO_REF" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL=""
+  if [[ "$REPO_URL" == https://github.com/* && -n "$PR_ID" ]]; then
+    PR_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO" ]]; then
+      PR_URL="https://github.com/$PR_REPO/pull/$PR_ID"
+    fi
+  fi
+  if [[ -n "$PR_ID" && -n "$PR_URL" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID ($PR_URL)"
+  elif [[ -n "$PR_ID" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID"
+  else
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF)"
+  fi
+fi
+
+GROK_SYSTEM_PROMPT_OVERRIDE_FILE="${"$"}{GROK_SYSTEM_PROMPT_OVERRIDE_FILE:-}"
+GROK_SYSTEM_PROMPT_OVERRIDE="${"$"}{GROK_SYSTEM_PROMPT_OVERRIDE:-}"
+GROK_DEFAULT_PROMPT_BODY="$(cat <<EOF
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, bun, codex, gemini, grok, claude, opencode, oh-my-opencode, sshpass, git, node и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$GROK_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Для решения задач обязательно используй subagents. Сам агент обязан выполнять финальную проверку, интеграцию и валидацию результата перед ответом пользователю.
+Если ты видишь файлы AGENTS.md, GEMINI.md, GROK.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+EOF
+)"
+GROK_DEFAULT_PROMPT_BODY="$(docker_git_decode_unicode_escapes "$GROK_DEFAULT_PROMPT_BODY")"
+if [[ -n "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE" && -r "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE" ]]; then
+  GROK_PROMPT_BODY="$(cat "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE")"
+elif [[ -n "$GROK_SYSTEM_PROMPT_OVERRIDE" ]]; then
+  GROK_PROMPT_BODY="$GROK_SYSTEM_PROMPT_OVERRIDE"
+else
+  GROK_PROMPT_BODY="$GROK_DEFAULT_PROMPT_BODY"
+fi
+
+cat <<EOF > "$GROK_MD_PATH"
+<!-- docker-git-managed:grok-md -->
+$GROK_PROMPT_BODY
+<!-- /docker-git-managed:grok-md -->
+EOF
+GROK_NOTICE_OWNER_UID="$(id -u "__SSH_USER__" 2>/dev/null || id -u)"
+GROK_NOTICE_OWNER_GID="$(id -g "__SSH_USER__" 2>/dev/null || id -g)"
+chown "$GROK_NOTICE_OWNER_UID:$GROK_NOTICE_OWNER_GID" "$GROK_MD_PATH" || true`
+
+const renderEntrypointGrokNotice = (config: TemplateConfig): string =>
+  entrypointGrokNoticeTemplate
+    .replaceAll("__GROK_HOME__", config.grokHome)
+    .replaceAll("__SSH_USER__", config.sshUser)
+    .replaceAll("__TARGET_DIR__", config.targetDir)
+
+/**
+ * Renders the Grok CLI entrypoint bootstrap for a generated project container.
+ *
+ * @param config Project template configuration with SSH user, Grok home, and target directory paths.
+ * @returns Bash fragment that wires Grok auth labels, config files, profile exports, sudo policy, and managed GROK.md.
+ * @pure true
+ * @effect none; CORE template renderer only constructs a string.
+ * @invariant returned script keeps Grok credentials scoped by GROK_AUTH_LABEL.
+ * @precondition config contains validated container paths from TemplateConfig construction.
+ * @postcondition returned string contains all Grok setup fragments in deterministic order.
+ * @complexity O(1) time / O(1) space.
+ */
+export const renderEntrypointGrokConfig = (config: TemplateConfig): string =>
+  [
+    renderGrokAuthConfig(config),
+    renderGrokPermissionSettingsConfig(config),
+    renderGrokSudoConfig(config),
+    renderGrokProfileSetup(config),
+    renderEntrypointGrokNotice(config)
+  ].join("\n\n")
+/* jscpd:ignore-end */
diff --git a/packages/app/src/lib/core/templates-entrypoint/project-rules.ts b/packages/app/src/lib/core/templates-entrypoint/project-rules.ts
index 7e85cc1e..17a8e619 100644
--- a/packages/app/src/lib/core/templates-entrypoint/project-rules.ts
+++ b/packages/app/src/lib/core/templates-entrypoint/project-rules.ts
@@ -1,9 +1,9 @@
 /* jscpd:ignore-start */
 // CHANGE: separate project rule preparation by active agent mode
-// WHY: Codex, Claude Code, and Gemini CLI each have different native project-level config models
+// WHY: Codex, Claude Code, Gemini CLI, and Grok CLI each have different native project-level config models
 // REF: issue-207
 // PURITY: CORE
-// INVARIANT: Codex gets a bridge for skills that live outside CODEX_HOME; Claude/Gemini stay on native project-local discovery
+// INVARIANT: Codex gets a bridge for skills that live outside CODEX_HOME; Claude/Gemini/Grok stay on native project-local discovery
 // COMPLEXITY: O(1)
 const entrypointProjectAgentRulesTemplate = String
   .raw`# Prepare project-local rules using each agent's native conventions.
@@ -39,6 +39,22 @@ docker_git_detect_gemini_project_rules() {
   fi
 }
 
+docker_git_detect_grok_project_rules() {
+  local project_dir="${"$"}{TARGET_DIR:-}"
+
+  if [[ -z "$project_dir" || ! -d "$project_dir" ]]; then
+    return 0
+  fi
+
+  if [[ -f "$project_dir/GROK.md" \
+    || -f "$project_dir/.grok/settings.json" \
+    || -d "$project_dir/.grok/commands" \
+    || -d "$project_dir/.grok/skills" \
+    || -d "$project_dir/.agents/skills" ]]; then
+    echo "[grok] project-local Grok rules available in $project_dir"
+  fi
+}
+
 docker_git_prepare_active_agent_project_rules() {
   case "$AGENT_MODE" in
     "codex")
@@ -50,10 +66,14 @@ docker_git_prepare_active_agent_project_rules() {
     "gemini")
       docker_git_detect_gemini_project_rules
       ;;
+    "grok")
+      docker_git_detect_grok_project_rules
+      ;;
     *)
       docker_git_sync_project_codex_skills
       docker_git_detect_claude_project_rules
       docker_git_detect_gemini_project_rules
+      docker_git_detect_grok_project_rules
       ;;
   esac
 }`
diff --git a/packages/app/src/lib/core/templates-entrypoint/rtk.ts b/packages/app/src/lib/core/templates-entrypoint/rtk.ts
index 4a2dc994..13bc72ff 100644
--- a/packages/app/src/lib/core/templates-entrypoint/rtk.ts
+++ b/packages/app/src/lib/core/templates-entrypoint/rtk.ts
@@ -6,7 +6,7 @@ import type { TemplateConfig } from "../domain.js"
 // QUOTE(TASK): "make it work out of the box for docker-git"
 // REF: issue-266
 // SOURCE: https://github.com/rtk-ai/rtk/blob/develop/README.md
-// FORMAT THEOREM: forall start: RTK_ENABLED(start) -> configured(codex, claude, gemini, opencode)
+// FORMAT THEOREM: forall start: RTK_ENABLED(start) -> configured(codex, claude, gemini, grok, opencode)
 // PURITY: CORE (pure template renderer)
 // INVARIANT: RTK init runs as the non-root SSH user and never blocks container startup.
 // COMPLEXITY: O(1)
@@ -28,8 +28,8 @@ docker_git_rtk_init_as_user() {
     return 0
   fi
 
-  mkdir -p "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config/opencode" "/home/__SSH_USER__/.gemini" || true
-  chown -R 1000:1000 "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config" "/home/__SSH_USER__/.gemini" 2>/dev/null || true
+  mkdir -p "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config/opencode" "/home/__SSH_USER__/.gemini" "/home/__SSH_USER__/.grok" || true
+  chown -R 1000:1000 "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config" "/home/__SSH_USER__/.gemini" "/home/__SSH_USER__/.grok" 2>/dev/null || true
 
   if su - __SSH_USER__ -s /bin/bash -c "$command" </dev/null; then
     echo "[rtk] configured $label"
diff --git a/packages/app/src/lib/core/templates/docker-compose.ts b/packages/app/src/lib/core/templates/docker-compose.ts
index ede0767b..c189131d 100644
--- a/packages/app/src/lib/core/templates/docker-compose.ts
+++ b/packages/app/src/lib/core/templates/docker-compose.ts
@@ -16,6 +16,8 @@ type ComposeFragments = {
   readonly maybeGitTokenLabelEnv: string
   readonly maybeCodexAuthLabelEnv: string
   readonly maybeClaudeAuthLabelEnv: string
+  readonly maybeGeminiAuthLabelEnv: string
+  readonly maybeGrokAuthLabelEnv: string
   readonly maybeAgentModeEnv: string
   readonly maybeAgentAutoEnv: string
   readonly maybeDependsOn: string
@@ -31,6 +33,17 @@ type PlaywrightFragments = Pick<
   "maybeDependsOn" | "maybePlaywrightEnv" | "maybeBrowserService" | "maybeBrowserVolume"
 >
 
+type AuthEnvFragments = Pick<
+  ComposeFragments,
+  | "maybeGitTokenLabelEnv"
+  | "maybeCodexAuthLabelEnv"
+  | "maybeClaudeAuthLabelEnv"
+  | "maybeGeminiAuthLabelEnv"
+  | "maybeGrokAuthLabelEnv"
+>
+
+type AgentEnvFragments = Pick<ComposeFragments, "maybeAgentModeEnv" | "maybeAgentAutoEnv">
+
 export type ComposeResourceLimits = {
   readonly main: ResolvedComposeResourceLimits | undefined
   readonly playwright: ResolvedComposeResourceLimits | undefined
@@ -60,6 +73,16 @@ const renderClaudeAuthLabelEnv = (claudeAuthLabel: string): string =>
     ? `      CLAUDE_AUTH_LABEL: "${claudeAuthLabel}"\n`
     : ""
 
+const renderGeminiAuthLabelEnv = (geminiAuthLabel: string): string =>
+  geminiAuthLabel.length > 0
+    ? `      GEMINI_AUTH_LABEL: "${geminiAuthLabel}"\n`
+    : ""
+
+const renderGrokAuthLabelEnv = (grokAuthLabel: string): string =>
+  grokAuthLabel.length > 0
+    ? `      GROK_AUTH_LABEL: "${grokAuthLabel}"\n`
+    : ""
+
 const renderAgentModeEnv = (agentMode: string | undefined): string =>
   agentMode !== undefined && agentMode.length > 0
     ? `      AGENT_MODE: "${agentMode}"\n`
@@ -85,6 +108,21 @@ const renderBootstrapMounts = (): string => `      - ${bootstrapVolumeKey}:/opt/
 const renderEnvFiles = (config: TemplateConfig): string =>
   `    env_file:\n      - ${config.envGlobalPath}\n      - ${config.envProjectPath}\n`
 
+const optionalTrimmed = (value: string | undefined): string => value?.trim() ?? ""
+
+const buildAuthEnvFragments = (config: TemplateConfig): AuthEnvFragments => ({
+  maybeGitTokenLabelEnv: renderGitTokenLabelEnv(optionalTrimmed(config.gitTokenLabel)),
+  maybeCodexAuthLabelEnv: renderCodexAuthLabelEnv(optionalTrimmed(config.codexAuthLabel)),
+  maybeClaudeAuthLabelEnv: renderClaudeAuthLabelEnv(optionalTrimmed(config.claudeAuthLabel)),
+  maybeGeminiAuthLabelEnv: renderGeminiAuthLabelEnv(optionalTrimmed(config.geminiAuthLabel)),
+  maybeGrokAuthLabelEnv: renderGrokAuthLabelEnv(optionalTrimmed(config.grokAuthLabel))
+})
+
+const buildAgentEnvFragments = (config: TemplateConfig): AgentEnvFragments => ({
+  maybeAgentModeEnv: renderAgentModeEnv(config.agentMode),
+  maybeAgentAutoEnv: renderAgentAutoEnv(config.agentAuto)
+})
+
 const buildPlaywrightFragments = (
   config: TemplateConfig,
   networkName: string,
@@ -141,33 +179,23 @@ const buildComposeFragments = (
 ): ComposeFragments => {
   const networkMode = config.dockerNetworkMode
   const networkName = resolveComposeNetworkName(config)
-  const forkRepoUrl = config.forkRepoUrl ?? ""
   const maybeGithubAuthSkipEnv = renderGithubAuthSkipEnv(config.skipGithubAuth)
-  const gitTokenLabel = config.gitTokenLabel?.trim() ?? ""
-  const codexAuthLabel = config.codexAuthLabel?.trim() ?? ""
-  const claudeAuthLabel = config.claudeAuthLabel?.trim() ?? ""
-  const maybeGitTokenLabelEnv = renderGitTokenLabelEnv(gitTokenLabel)
-  const maybeCodexAuthLabelEnv = renderCodexAuthLabelEnv(codexAuthLabel)
-  const maybeClaudeAuthLabelEnv = renderClaudeAuthLabelEnv(claudeAuthLabel)
-  const maybeAgentModeEnv = renderAgentModeEnv(config.agentMode)
-  const maybeAgentAutoEnv = renderAgentAutoEnv(config.agentAuto)
+  const authEnv = buildAuthEnvFragments(config)
+  const agentEnv = buildAgentEnvFragments(config)
   const playwright = buildPlaywrightFragments(config, networkName, resourceLimits.playwright)
 
   return {
     networkMode,
     networkName,
     maybeGithubAuthSkipEnv,
-    maybeGitTokenLabelEnv,
-    maybeCodexAuthLabelEnv,
-    maybeClaudeAuthLabelEnv,
-    maybeAgentModeEnv,
-    maybeAgentAutoEnv,
+    ...authEnv,
+    ...agentEnv,
     maybeDependsOn: playwright.maybeDependsOn,
     maybePlaywrightEnv: playwright.maybePlaywrightEnv,
     maybeBrowserService: playwright.maybeBrowserService,
     maybeBrowserVolume: playwright.maybeBrowserVolume,
     maybeBootstrapMounts: renderBootstrapMounts(),
-    forkRepoUrl
+    forkRepoUrl: config.forkRepoUrl ?? ""
   }
 }
 
@@ -191,7 +219,9 @@ ${renderGpu(config.gpu)}${
 ${fragments.maybeGithubAuthSkipEnv}      # Optional anonymous public GitHub clone override
 ${fragments.maybeGitTokenLabelEnv}      # Optional token label selector (maps to GITHUB_TOKEN__<LABEL>/GIT_AUTH_TOKEN__<LABEL>)
 ${fragments.maybeCodexAuthLabelEnv}      # Optional Codex account label selector (maps to CODEX_AUTH_LABEL)
-${fragments.maybeClaudeAuthLabelEnv}${fragments.maybeAgentModeEnv}${fragments.maybeAgentAutoEnv}      # Optional Claude account label selector (maps to CLAUDE_AUTH_LABEL)
+${fragments.maybeClaudeAuthLabelEnv}      # Optional Claude account label selector (maps to CLAUDE_AUTH_LABEL)
+${fragments.maybeGeminiAuthLabelEnv}      # Optional Gemini account label selector (maps to GEMINI_AUTH_LABEL)
+${fragments.maybeGrokAuthLabelEnv}${fragments.maybeAgentModeEnv}${fragments.maybeAgentAutoEnv}      # Optional Grok account label selector (maps to GROK_AUTH_LABEL)
       # Optional isolated Docker daemon endpoint injected by the API controller.
       DOCKER_GIT_PROJECT_DOCKER_HOST: "\${DOCKER_GIT_PROJECT_DOCKER_HOST:-}"
       TARGET_DIR: "${config.targetDir}"
diff --git a/packages/app/src/lib/core/templates/dockerfile.ts b/packages/app/src/lib/core/templates/dockerfile.ts
index c5d3c7d8..7af83e43 100644
--- a/packages/app/src/lib/core/templates/dockerfile.ts
+++ b/packages/app/src/lib/core/templates/dockerfile.ts
@@ -87,8 +87,11 @@ RUN mkdir -p /usr/local/nvm \
 RUN printf "export NVM_DIR=/usr/local/nvm\\n[ -s /usr/local/nvm/nvm.sh ] && . /usr/local/nvm/nvm.sh\\n" \
   > /etc/profile.d/nvm.sh && chmod 0644 /etc/profile.d/nvm.sh`
 
+const grokCliInstallScriptUrl = "https://x.ai/cli/install.sh"
+const grokCliVersion = "0.1.211"
+
 const renderDockerfileBunPrelude = (config: TemplateConfig): string =>
-  `# Tooling: Bun + Codex CLI (bun) + oh-my-opencode (npm + platform binary) + Claude Code CLI (npm)
+  `# Tooling: Bun + Codex CLI (bun) + oh-my-opencode (npm + platform binary) + Claude Code CLI (npm) + Grok CLI (xAI installer)
 ENV TERM=xterm-256color
 RUN set -eu; \
   for attempt in 1 2 3 4 5; do \
@@ -118,7 +121,16 @@ RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
 RUN claude --version
 RUN npm install -g @google/gemini-cli@latest --force
-RUN gemini --version`
+RUN gemini --version
+RUN set -eu; \
+  curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 ${grokCliInstallScriptUrl} -o /tmp/grok-install.sh; \
+  HOME=/tmp/grok-install-home GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh ${grokCliVersion}; \
+  install -m 0755 "$(readlink -f /usr/local/bin/grok)" /usr/local/bin/grok.real; \
+  install -m 0755 "$(readlink -f /usr/local/bin/agent)" /usr/local/bin/agent.real; \
+  mv -f /usr/local/bin/grok.real /usr/local/bin/grok; \
+  mv -f /usr/local/bin/agent.real /usr/local/bin/agent; \
+  rm -rf /tmp/grok-install.sh /tmp/grok-install-home
+RUN grok --version`
 
 // CHANGE: install RTK as a real command-output optimizer in generated containers.
 // WHY: issue-266 asks for out-of-the-box RTK behavior, not only a session-sync estimate.
@@ -358,6 +370,8 @@ RUN set -eu; \
 RUN mkdir -p /opt/docker-git/bootstrap/.orch/auth/codex \
   /opt/docker-git/bootstrap/.orch/auth/codex-shared \
   /opt/docker-git/bootstrap/.orch/auth/claude \
+  /opt/docker-git/bootstrap/.orch/auth/gemini \
+  /opt/docker-git/bootstrap/.orch/auth/grok \
   /opt/docker-git/bootstrap/.orch/env \
   && touch /opt/docker-git/bootstrap/authorized_keys \
   /opt/docker-git/bootstrap/.orch/env/global.env \
diff --git a/packages/app/src/lib/shell/config.ts b/packages/app/src/lib/shell/config.ts
index 605387eb..37c63ceb 100644
--- a/packages/app/src/lib/shell/config.ts
+++ b/packages/app/src/lib/shell/config.ts
@@ -53,6 +53,13 @@ const TemplateConfigInputSchema = Schema.Struct({
   geminiHome: Schema.optionalWith(Schema.String, {
     default: () => defaultTemplateConfig.geminiHome
   }),
+  grokAuthLabel: Schema.optional(Schema.String),
+  grokAuthPath: Schema.optionalWith(Schema.String, {
+    default: () => defaultTemplateConfig.grokAuthPath
+  }),
+  grokHome: Schema.optionalWith(Schema.String, {
+    default: () => defaultTemplateConfig.grokHome
+  }),
   cpuLimit: Schema.optionalWith(Schema.String, {
     default: () => defaultTemplateConfig.cpuLimit
   }),
diff --git a/packages/app/src/lib/shell/docker-daemon-access.ts b/packages/app/src/lib/shell/docker-daemon-access.ts
index bf4046e5..2f0cf33c 100644
--- a/packages/app/src/lib/shell/docker-daemon-access.ts
+++ b/packages/app/src/lib/shell/docker-daemon-access.ts
@@ -21,6 +21,12 @@ const collectUint8Array = (chunks: Chunk.Chunk<Uint8Array>): Uint8Array =>
 const formatDockerFallbackFailure = (dockerHost: string, details: string): string =>
   `Fallback DOCKER_HOST=${dockerHost} failed: ${details}`
 
+const dockerInfoPlatformError = (error: PlatformError): DockerAccessError =>
+  new DockerAccessError({
+    issue: "DaemonUnavailable",
+    details: String(error)
+  })
+
 const resolveDockerHostFallbackCandidates = (): ReadonlyArray<string> => {
   if (process.env["DOCKER_HOST"] !== undefined) {
     return []
@@ -98,14 +104,14 @@ export const classifyDockerAccessIssue = (message: string): DockerAccessIssue =>
 // FORMAT THEOREM: ∀cwd: access(cwd)=ok ∨ DockerAccessError
 // PURITY: SHELL
 // EFFECT: Effect<void, DockerAccessError | PlatformError, CommandExecutor>
-// INVARIANT: non-zero docker info exit always maps to DockerAccessError
+// INVARIANT: non-zero docker info exit or spawn failure always maps to DockerAccessError
 // COMPLEXITY: O(command)
 export const ensureDockerDaemonAccess = (
   cwd: string
 ): Effect.Effect<void, DockerAccessError | PlatformError, CommandExecutor.CommandExecutor> =>
   Effect.scoped(
     Effect.gen(function*(_) {
-      const primaryResult = yield* _(runDockerInfoCommand(cwd))
+      const primaryResult = yield* _(runDockerInfoCommand(cwd).pipe(Effect.mapError(dockerInfoPlatformError)))
       if (primaryResult.exitCode === 0) {
         return
       }
@@ -129,7 +135,7 @@ export const ensureDockerDaemonAccess = (
           runDockerInfoCommand(cwd, {
             ...process.env,
             DOCKER_HOST: fallbackHost
-          })
+          }).pipe(Effect.mapError(dockerInfoPlatformError))
         )
 
         if (fallbackResult.exitCode === 0) {
diff --git a/packages/app/src/lib/usecases/agent-auto-select.ts b/packages/app/src/lib/usecases/agent-auto-select.ts
index 0fb2a325..1e9145d5 100644
--- a/packages/app/src/lib/usecases/agent-auto-select.ts
+++ b/packages/app/src/lib/usecases/agent-auto-select.ts
@@ -5,6 +5,7 @@ import type * as Path from "@effect/platform/Path"
 import { Effect } from "effect"
 
 import type { AgentMode, ParseError, TemplateConfig } from "../core/domain.js"
+import { hasGrokCredentials } from "./auth-grok-helpers.js"
 import { normalizeAccountLabel } from "./auth-helpers.js"
 import { hasNonEmptyFile } from "./auth-sync-helpers.js"
 
@@ -14,6 +15,16 @@ const autoOptionError = (reason: string): ParseError => ({
   reason
 })
 
+type AvailableAgentAuth = {
+  readonly claudeAvailable: boolean
+  readonly codexAvailable: boolean
+  readonly grokAvailable: boolean
+}
+
+const claudeMode: ReadonlyArray<AgentMode> = ["claude"]
+const codexMode: ReadonlyArray<AgentMode> = ["codex"]
+const grokMode: ReadonlyArray<AgentMode> = ["grok"]
+
 const isRegularFile = (
   fs: FileSystem.FileSystem,
   filePath: string
@@ -39,6 +50,15 @@ const hasCodexAuth = (
   return hasNonEmptyFile(fs, authPath)
 }
 
+const hasGrokAuth = (
+  fs: FileSystem.FileSystem,
+  rootPath: string,
+  label: string | undefined
+): Effect.Effect<boolean, PlatformError> => {
+  const normalized = normalizeAccountLabel(label ?? null, "default")
+  return hasGrokCredentials(fs, `${rootPath}/${normalized}`)
+}
+
 const resolveClaudeAccountPath = (rootPath: string, label: string | undefined): ReadonlyArray<string> => {
   const normalized = normalizeAccountLabel(label ?? null, "default")
   if (normalized !== "default") {
@@ -78,18 +98,22 @@ const resolveClaudeRoot = (codexSharedAuthPath: string): string =>
 
 const resolveAvailableAgentAuth = (
   fs: FileSystem.FileSystem,
-  config: Pick<TemplateConfig, "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath">
-): Effect.Effect<{ readonly claudeAvailable: boolean; readonly codexAvailable: boolean }, PlatformError> =>
+  config: Pick<
+    TemplateConfig,
+    "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath" | "grokAuthLabel" | "grokAuthPath"
+  >
+): Effect.Effect<AvailableAgentAuth, PlatformError> =>
   Effect.gen(function*(_) {
     const claudeAvailable = yield* _(
       hasClaudeAuth(fs, resolveClaudeRoot(config.codexSharedAuthPath), config.claudeAuthLabel)
     )
     const codexAvailable = yield* _(hasCodexAuth(fs, config.codexSharedAuthPath, config.codexAuthLabel))
-    return { claudeAvailable, codexAvailable }
+    const grokAvailable = yield* _(hasGrokAuth(fs, config.grokAuthPath, config.grokAuthLabel))
+    return { claudeAvailable, codexAvailable, grokAvailable }
   })
 
 const resolveExplicitAutoAgentMode = (
-  available: { readonly claudeAvailable: boolean; readonly codexAvailable: boolean },
+  available: AvailableAgentAuth,
   mode: AgentMode | undefined
 ): Effect.Effect<AgentMode | undefined, ParseError> => {
   if (mode === "claude") {
@@ -102,26 +126,43 @@ const resolveExplicitAutoAgentMode = (
       ? Effect.succeed("codex")
       : Effect.fail(autoOptionError("Codex auth not found"))
   }
+  if (mode === "grok") {
+    return available.grokAvailable
+      ? Effect.succeed("grok")
+      : Effect.fail(autoOptionError("Grok auth not found"))
+  }
   return Effect.sync(() => mode)
 }
 
-const pickRandomAutoAgentMode = (
-  available: { readonly claudeAvailable: boolean; readonly codexAvailable: boolean }
-): Effect.Effect<AgentMode, ParseError> => {
-  if (!available.claudeAvailable && !available.codexAvailable) {
-    return Effect.fail(autoOptionError("no Claude or Codex auth found"))
-  }
-  if (available.claudeAvailable && !available.codexAvailable) {
-    return Effect.succeed("claude")
+const availableAgentModes = (available: AvailableAgentAuth): ReadonlyArray<AgentMode> => [
+  ...(available.claudeAvailable ? claudeMode : []),
+  ...(available.codexAvailable ? codexMode : []),
+  ...(available.grokAvailable ? grokMode : [])
+]
+
+const pickRandomAutoAgentMode = (available: AvailableAgentAuth): Effect.Effect<AgentMode, ParseError> => {
+  const modes = availableAgentModes(available)
+  const firstMode = modes[0]
+  if (firstMode === undefined) {
+    return Effect.fail(autoOptionError("no Claude, Codex or Grok auth found"))
   }
-  if (!available.claudeAvailable && available.codexAvailable) {
-    return Effect.succeed("codex")
+  if (modes.length === 1) {
+    return Effect.succeed(firstMode)
   }
-  return Effect.sync(() => (process.hrtime.bigint() % 2n === 0n ? "claude" : "codex"))
+  return Effect.sync(() => modes[Number(process.hrtime.bigint() % BigInt(modes.length))] ?? firstMode)
 }
 
 export const resolveAutoAgentMode = (
-  config: Pick<TemplateConfig, "agentAuto" | "agentMode" | "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath">
+  config: Pick<
+    TemplateConfig,
+    | "agentAuto"
+    | "agentMode"
+    | "claudeAuthLabel"
+    | "codexAuthLabel"
+    | "codexSharedAuthPath"
+    | "grokAuthLabel"
+    | "grokAuthPath"
+  >
 ): Effect.Effect<AgentMode | undefined, ParseError | PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
     const fs = yield* _(FileSystem.FileSystem)
diff --git a/packages/app/src/lib/usecases/apply-overrides.ts b/packages/app/src/lib/usecases/apply-overrides.ts
index 8083111a..63269439 100644
--- a/packages/app/src/lib/usecases/apply-overrides.ts
+++ b/packages/app/src/lib/usecases/apply-overrides.ts
@@ -6,6 +6,8 @@ const applyOverrideKeys = [
   "gitTokenLabel",
   "codexTokenLabel",
   "claudeTokenLabel",
+  "geminiTokenLabel",
+  "grokTokenLabel",
   "cpuLimit",
   "ramLimit",
   "playwrightCpuLimit",
@@ -28,6 +30,12 @@ const applyTokenOverrides = (template: TemplateConfig, command: ApplyCommand): T
   if (command.claudeTokenLabel !== undefined) {
     next = { ...next, claudeAuthLabel: normalizeAuthLabel(command.claudeTokenLabel) }
   }
+  if (command.geminiTokenLabel !== undefined) {
+    next = { ...next, geminiAuthLabel: normalizeAuthLabel(command.geminiTokenLabel) }
+  }
+  if (command.grokTokenLabel !== undefined) {
+    next = { ...next, grokAuthLabel: normalizeAuthLabel(command.grokTokenLabel) }
+  }
   return next
 }
 
diff --git a/packages/app/src/lib/usecases/auth-grok-credential-text.ts b/packages/app/src/lib/usecases/auth-grok-credential-text.ts
new file mode 100644
index 00000000..716c13ac
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok-credential-text.ts
@@ -0,0 +1,77 @@
+/* jscpd:ignore-start */
+import * as ParseResult from "@effect/schema/ParseResult"
+import * as Schema from "@effect/schema/Schema"
+import { Either } from "effect"
+
+type JsonPrimitive = boolean | number | string | null
+type JsonValue = JsonPrimitive | JsonRecord | ReadonlyArray<JsonValue>
+type JsonRecord = Readonly<{ [key: string]: JsonValue }>
+
+const JsonValueSchema: Schema.Schema<JsonValue> = Schema.suspend(() =>
+  Schema.Union(
+    Schema.Null,
+    Schema.Boolean,
+    Schema.String,
+    Schema.JsonNumber,
+    Schema.Array(JsonValueSchema),
+    Schema.Record({ key: Schema.String, value: JsonValueSchema })
+  )
+)
+
+const JsonRecordSchema: Schema.Schema<JsonRecord> = Schema.Record({
+  key: Schema.String,
+  value: JsonValueSchema
+})
+
+const JsonRecordFromStringSchema = Schema.parseJson(JsonRecordSchema)
+const officialGrokAuthScopes: ReadonlyArray<string> = [
+  "https://auth.x.ai::b1a00492-073a-47ea-816f-4c329264a828",
+  "https://accounts.x.ai/sign-in"
+]
+const grokUserSettingsCredentialKeys: ReadonlyArray<string> = [
+  "apiKey",
+  "accessToken",
+  "access_token",
+  "authToken",
+  "refreshToken",
+  "refresh_token"
+]
+const grokOauthCredentialKeys: ReadonlyArray<string> = [...grokUserSettingsCredentialKeys, "token"]
+const grokUserSettingsFallbackCredentialMarkers: ReadonlyArray<RegExp> = [
+  /"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token)"\s*:\s*"[^"]+"/u
+]
+
+const parseJsonRecordOrNull = (text: string): JsonRecord | null =>
+  Either.match(ParseResult.decodeUnknownEither(JsonRecordFromStringSchema)(text), {
+    onLeft: () => null,
+    onRight: (record) => record
+  })
+
+const isJsonRecord = (value: JsonValue | undefined): value is JsonRecord =>
+  typeof value === "object" && value !== null && !Array.isArray(value)
+
+const hasNonEmptyStringProperty = (record: JsonRecord, key: string): boolean =>
+  typeof record[key] === "string" && record[key].trim().length > 0
+
+export const hasGrokUserSettingsCredentialText = (settingsText: string): boolean => {
+  const parsed = parseJsonRecordOrNull(settingsText)
+  if (parsed !== null) {
+    if (grokUserSettingsCredentialKeys.some((key) => hasNonEmptyStringProperty(parsed, key))) {
+      return true
+    }
+    const oauth = parsed["oauth"]
+    return isJsonRecord(oauth) && grokOauthCredentialKeys.some((key) => hasNonEmptyStringProperty(oauth, key))
+  }
+
+  return grokUserSettingsFallbackCredentialMarkers.some((marker) => marker.test(settingsText))
+}
+
+export const hasGrokAuthJsonCredentialText = (authJsonText: string): boolean => {
+  const parsed = parseJsonRecordOrNull(authJsonText)
+  return parsed !== null &&
+    officialGrokAuthScopes.some((scope) => {
+      const scopedCredentials = parsed[scope]
+      return isJsonRecord(scopedCredentials) && hasNonEmptyStringProperty(scopedCredentials, "key")
+    })
+}
+/* jscpd:ignore-end */
diff --git a/packages/app/src/lib/usecases/auth-grok-helpers.ts b/packages/app/src/lib/usecases/auth-grok-helpers.ts
new file mode 100644
index 00000000..e03efbc1
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok-helpers.ts
@@ -0,0 +1,285 @@
+/* jscpd:ignore-start */
+import type * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import type * as FileSystem from "@effect/platform/FileSystem"
+import type * as Path from "@effect/platform/Path"
+import { Effect, pipe } from "effect"
+
+import type { AuthGrokLoginCommand, AuthGrokLogoutCommand, AuthGrokStatusCommand } from "../core/domain.js"
+import { defaultTemplateConfig } from "../core/domain.js"
+import { runCommandExitCode } from "../shell/command-runner.js"
+import { CommandFailedError } from "../shell/errors.js"
+import { hasGrokAuthJsonCredentialText, hasGrokUserSettingsCredentialText } from "./auth-grok-credential-text.js"
+import { isRegularFile, normalizeAccountLabel } from "./auth-helpers.js"
+import { migrateLegacyOrchLayout } from "./auth-sync.js"
+import { ensureDockerImage } from "./docker-image.js"
+import { resolvePathFromCwd } from "./path-helpers.js"
+import { withFsPathContext } from "./runtime.js"
+
+export type GrokRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
+export type GrokAuthMethod = "none" | "api-key" | "oauth"
+
+export const grokImageName = "docker-git-auth-grok:latest"
+export const grokImageDir = ".docker-git/.orch/auth/grok/.image"
+export const grokContainerHomeDir = "/grok-home"
+export const grokCredentialsDir = ".grok"
+export const grokCliInstallScriptUrl = "https://x.ai/cli/install.sh"
+export const grokCliVersion = "0.1.211"
+
+export type GrokAccountContext = {
+  readonly accountLabel: string
+  readonly accountPath: string
+  readonly cwd: string
+  readonly fs: FileSystem.FileSystem
+}
+
+export const grokAuthRoot = ".docker-git/.orch/auth/grok"
+
+export const grokApiKeyFileName = ".api-key"
+export const grokEnvFileName = ".env"
+
+export const grokApiKeyPath = (accountPath: string): string => `${accountPath}/${grokApiKeyFileName}`
+export const grokEnvFilePath = (accountPath: string): string => `${accountPath}/${grokEnvFileName}`
+export const grokCredentialsPath = (accountPath: string): string => `${accountPath}/${grokCredentialsDir}`
+export const grokUserSettingsPath = (accountPath: string): string =>
+  `${grokCredentialsPath(accountPath)}/user-settings.json`
+export const grokAuthJsonPath = (accountPath: string): string => `${grokCredentialsPath(accountPath)}/auth.json`
+
+const grokEnvApiKeyNames: ReadonlyArray<string> = ["GROK_DEPLOYMENT_KEY", "GROK_API_KEY", "XAI_API_KEY"]
+
+// CHANGE: render Dockerfile for Grok CLI authentication image
+// WHY: Grok browser/OAuth auth must run in an isolated shell that persists ~/.grok
+// QUOTE(ТЗ): "Signing in with Grok..."
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: renderGrokDockerfile() -> valid_dockerfile
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: image includes the official xAI grok executable
+// COMPLEXITY: O(1)
+export const renderGrokDockerfile = (): string =>
+  String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN set -eu; \
+  curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 ${grokCliInstallScriptUrl} -o /tmp/grok-install.sh; \
+  HOME=/tmp/grok-install-home GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh ${grokCliVersion}; \
+  install -m 0755 "$(readlink -f /usr/local/bin/grok)" /usr/local/bin/grok.real; \
+  install -m 0755 "$(readlink -f /usr/local/bin/agent)" /usr/local/bin/agent.real; \
+  mv -f /usr/local/bin/grok.real /usr/local/bin/grok; \
+  mv -f /usr/local/bin/agent.real /usr/local/bin/agent; \
+  rm -rf /tmp/grok-install.sh /tmp/grok-install-home
+RUN grok --version
+`
+
+export const ensureGrokOrchLayout = (
+  cwd: string
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  migrateLegacyOrchLayout(cwd, {
+    envGlobalPath: defaultTemplateConfig.envGlobalPath,
+    envProjectPath: defaultTemplateConfig.envProjectPath,
+    codexAuthPath: defaultTemplateConfig.codexAuthPath,
+    ghAuthPath: ".docker-git/.orch/auth/gh",
+    claudeAuthPath: ".docker-git/.orch/auth/claude",
+    geminiAuthPath: ".docker-git/.orch/auth/gemini",
+    grokAuthPath: ".docker-git/.orch/auth/grok"
+  })
+
+export const resolveGrokAccountPath = (path: Path.Path, rootPath: string, label: string | null): {
+  readonly accountLabel: string
+  readonly accountPath: string
+} => {
+  const accountLabel = normalizeAccountLabel(label, "default")
+  const accountPath = path.join(rootPath, accountLabel)
+  return { accountLabel, accountPath }
+}
+
+export const withGrokAuth = <A, E>(
+  command: AuthGrokLoginCommand | AuthGrokLogoutCommand | AuthGrokStatusCommand,
+  run: (
+    context: GrokAccountContext
+  ) => Effect.Effect<A, E, CommandExecutor.CommandExecutor>,
+  options: { readonly buildImage?: boolean } = {}
+): Effect.Effect<A, E | PlatformError | CommandFailedError, GrokRuntime> =>
+  withFsPathContext(({ cwd, fs, path }) =>
+    Effect.gen(function*(_) {
+      yield* _(ensureGrokOrchLayout(cwd))
+      const rootPath = resolvePathFromCwd(path, cwd, command.grokAuthPath)
+      const { accountLabel, accountPath } = resolveGrokAccountPath(path, rootPath, command.label)
+      yield* _(fs.makeDirectory(accountPath, { recursive: true }))
+      yield* _(fs.chmod(accountPath, 0o700))
+      if (options.buildImage === true) {
+        yield* _(
+          ensureDockerImage(fs, path, cwd, {
+            imageName: grokImageName,
+            imageDir: grokImageDir,
+            dockerfile: renderGrokDockerfile(),
+            buildLabel: "grok auth"
+          })
+        )
+      }
+      return yield* _(run({ accountLabel, accountPath, cwd, fs }))
+    })
+  )
+
+const readApiKeyFromEnvFile = (
+  fs: FileSystem.FileSystem,
+  envFilePath: string
+): Effect.Effect<string | null, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasEnvFile = yield* _(isRegularFile(fs, envFilePath))
+    if (!hasEnvFile) {
+      return null
+    }
+    const envContent = yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))
+    for (const line of envContent.split("\n")) {
+      const trimmed = line.trim()
+      for (const key of grokEnvApiKeyNames) {
+        const prefix = `${key}=`
+        if (!trimmed.startsWith(prefix)) {
+          continue
+        }
+        const value = trimmed.slice(prefix.length).replaceAll(/^['"]|['"]$/g, "").trim()
+        if (value.length > 0) {
+          return value
+        }
+      }
+    }
+    return null
+  })
+
+export const readGrokApiKey = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<string | null, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKeyFilePath = grokApiKeyPath(accountPath)
+    const hasApiKey = yield* _(isRegularFile(fs, apiKeyFilePath))
+    if (hasApiKey) {
+      const apiKey = yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))
+      const trimmed = apiKey.trim()
+      if (trimmed.length > 0) {
+        return trimmed
+      }
+    }
+
+    return yield* _(readApiKeyFromEnvFile(fs, grokEnvFilePath(accountPath)))
+  })
+
+export const hasGrokCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKey = yield* _(readGrokApiKey(fs, accountPath))
+    if (apiKey !== null) {
+      return true
+    }
+    const hasAuthJson = yield* _(isRegularFile(fs, grokAuthJsonPath(accountPath)))
+    if (hasAuthJson) {
+      const authJson = yield* _(fs.readFileString(grokAuthJsonPath(accountPath)), Effect.orElseSucceed(() => ""))
+      if (hasGrokAuthJsonCredentialText(authJson)) {
+        return true
+      }
+    }
+    const hasUserSettings = yield* _(isRegularFile(fs, grokUserSettingsPath(accountPath)))
+    if (!hasUserSettings) {
+      return false
+    }
+    const content = yield* _(fs.readFileString(grokUserSettingsPath(accountPath)), Effect.orElseSucceed(() => ""))
+    return hasGrokUserSettingsCredentialText(content)
+  })
+
+export const resolveGrokAuthMethod = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<GrokAuthMethod, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKey = yield* _(readGrokApiKey(fs, accountPath))
+    if (apiKey !== null) {
+      return "api-key"
+    }
+    const hasUserSettings = yield* _(hasGrokCredentials(fs, accountPath))
+    return hasUserSettings ? "oauth" : "none"
+  })
+
+export const prepareGrokCredentialsDir = (
+  cwd: string,
+  accountPath: string,
+  fs: FileSystem.FileSystem
+) =>
+  Effect.gen(function*(_) {
+    const credentialsDir = grokCredentialsPath(accountPath)
+    const removeFallback = pipe(
+      runCommandExitCode({
+        cwd,
+        command: "docker",
+        args: ["run", "--rm", "-v", `${accountPath}:/target`, "alpine", "rm", "-rf", "/target/.grok"]
+      }),
+      Effect.flatMap((exitCode) =>
+        exitCode === 0
+          ? Effect.void
+          : Effect.fail(new CommandFailedError({ command: "docker", exitCode }))
+      )
+    )
+
+    yield* _(
+      fs.remove(credentialsDir, { recursive: true, force: true }).pipe(
+        Effect.orElse(() => removeFallback)
+      )
+    )
+    yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+    yield* _(fs.chmod(credentialsDir, 0o700))
+    return credentialsDir
+  })
+
+export const defaultGrokProjectSettings = {
+  sandboxMode: "off",
+  mcpServers: {
+    playwright: {
+      command: "docker-git-playwright-mcp",
+      args: [],
+      trust: true
+    }
+  }
+}
+
+export const defaultGrokUserSettings = (apiKey: string | null) => ({
+  ...(apiKey === null ? {} : { apiKey }),
+  sandboxMode: "off",
+  confirmBeforeToolUse: false
+})
+
+export const writeInitialGrokSettings = (
+  credentialsDir: string,
+  fs: FileSystem.FileSystem,
+  apiKey: string | null
+) =>
+  Effect.gen(function*(_) {
+    const settingsPath = `${credentialsDir}/settings.json`
+    yield* _(
+      fs.writeFileString(
+        settingsPath,
+        JSON.stringify(defaultGrokProjectSettings, null, 2) + "\n"
+      )
+    )
+    yield* _(fs.chmod(settingsPath, 0o600))
+
+    const userSettingsPath = `${credentialsDir}/user-settings.json`
+    const shouldWriteUserSettings = apiKey === null
+      ? !(yield* _(isRegularFile(fs, userSettingsPath)))
+      : true
+    if (shouldWriteUserSettings) {
+      yield* _(
+        fs.writeFileString(
+          userSettingsPath,
+          JSON.stringify(defaultGrokUserSettings(apiKey), null, 2) + "\n"
+        )
+      )
+      yield* _(fs.chmod(userSettingsPath, 0o600))
+    }
+    return settingsPath
+  })
+/* jscpd:ignore-end */
diff --git a/packages/app/src/lib/usecases/auth-grok-logout.ts b/packages/app/src/lib/usecases/auth-grok-logout.ts
new file mode 100644
index 00000000..fda3b549
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok-logout.ts
@@ -0,0 +1,35 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import type { AuthGrokLogoutCommand } from "../core/domain.js"
+import type { CommandFailedError } from "../shell/errors.js"
+import { grokApiKeyPath, grokCredentialsPath, grokEnvFilePath, withGrokAuth } from "./auth-grok-helpers.js"
+import type { GrokRuntime } from "./auth-grok-helpers.js"
+import { normalizeAccountLabel } from "./auth-helpers.js"
+import { autoSyncState } from "./state-repo.js"
+
+// CHANGE: logout Grok CLI by clearing API key and ~/.grok credentials for a label
+// WHY: allow revoking Grok CLI access deterministically
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokLogout(cmd) -> credentials_cleared(cmd)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: all credential files are removed from account directory
+// COMPLEXITY: O(1)
+export const authGrokLogout = (
+  command: AuthGrokLogoutCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  Effect.gen(function*(_) {
+    const accountLabel = normalizeAccountLabel(command.label, "default")
+    yield* _(
+      withGrokAuth(command, ({ accountPath, fs }) =>
+        Effect.gen(function*(_) {
+          yield* _(fs.remove(grokApiKeyPath(accountPath), { force: true }))
+          yield* _(fs.remove(grokEnvFilePath(accountPath), { force: true }))
+          yield* _(fs.remove(grokCredentialsPath(accountPath), { recursive: true, force: true }))
+        }))
+    )
+    yield* _(autoSyncState(`chore(state): auth grok logout ${accountLabel}`))
+  }).pipe(Effect.asVoid)
diff --git a/packages/app/src/lib/usecases/auth-grok-oauth.ts b/packages/app/src/lib/usecases/auth-grok-oauth.ts
new file mode 100644
index 00000000..34d62984
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok-oauth.ts
@@ -0,0 +1,164 @@
+import type * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import { runCommandWithExitCodes } from "../shell/command-runner.js"
+import { resolveDockerVolumeHostPath } from "../shell/docker-auth.js"
+import { AuthError, CommandFailedError } from "../shell/errors.js"
+
+// CHANGE: add Grok CLI OAuth/browser authentication flow
+// WHY: issue #304 expects `grok login` style URL handoff and callback paste support
+// QUOTE(ТЗ): "Paste the URL here if it doesn't connect"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: runGrokOauthLogin(cmd) -> grok_credentials_stored | error
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor>
+// INVARIANT: Grok credentials are stored in ~/.grok within the selected account path
+// COMPLEXITY: O(user_interaction)
+
+type DockerGrokAuthSpec = {
+  readonly cwd: string
+  readonly image: string
+  readonly hostPath: string
+  readonly containerPath: string
+  readonly env: ReadonlyArray<string>
+}
+
+const buildDockerGrokAuthSpec = (
+  cwd: string,
+  accountPath: string,
+  image: string,
+  containerPath: string
+): DockerGrokAuthSpec => ({
+  cwd,
+  image,
+  hostPath: accountPath,
+  containerPath,
+  env: [
+    `HOME=${containerPath}`,
+    "MCP_PLAYWRIGHT_ISOLATED=1"
+  ]
+})
+
+/**
+ * Builds the Docker CLI argument vector for the official Grok device-code login flow.
+ *
+ * @param spec Docker auth container paths, image, working directory, and environment bindings.
+ * @returns Immutable Docker argument vector ending with `grok login --device-auth`.
+ * @pure true
+ * @effect none; CORE argument builder only transforms immutable input data.
+ * @invariant every non-empty environment binding is emitted as an adjacent `-e` argument pair.
+ * @precondition spec.hostPath and spec.containerPath identify the selected Grok auth account directory.
+ * @postcondition returned args execute the official headless Grok login mode documented by xAI.
+ * @complexity O(n) time / O(n) space, where n is spec.env.length.
+ * @throws Never - invalid process execution is represented by callers through typed Effect errors.
+ */
+export const buildDockerGrokAuthArgs = (spec: DockerGrokAuthSpec): ReadonlyArray<string> => {
+  const base: Array<string> = [
+    "run",
+    "--rm",
+    "--init",
+    "-i",
+    "-t",
+    "-v",
+    `${spec.hostPath}:${spec.containerPath}`,
+    "-w",
+    spec.containerPath
+  ]
+
+  for (const entry of spec.env) {
+    const trimmed = entry.trim()
+    if (trimmed.length === 0) {
+      continue
+    }
+    base.push("-e", trimmed)
+  }
+  return [...base, spec.image, "grok", "login", "--device-auth"]
+}
+
+const printOauthInstructions = (): Effect.Effect<void> =>
+  Effect.sync(() => {
+    process.stderr.write("\n")
+    process.stderr.write("Grok CLI OAuth Authentication\n")
+    process.stderr.write("1. Open the Grok sign-in URL printed by the CLI.\n")
+    process.stderr.write("2. Complete browser authentication.\n")
+    process.stderr.write("3. If the callback cannot connect, paste the returned URL into the prompt.\n")
+    process.stderr.write("\n")
+  })
+
+const grokAuthPermissionScript = [
+  "target_uid=\"${CHOWN_UID:-$(stat -c %u \"$1\" 2>/dev/null || id -u)}\"",
+  "target_gid=\"${CHOWN_GID:-$(stat -c %g \"$1\" 2>/dev/null || id -g)}\"",
+  "chown -R \"$target_uid:$target_gid\" \"$1\"",
+  "find \"$1\" -type d -exec chmod 700 {} +",
+  "find \"$1\" -type f -exec chmod 600 {} +"
+].join(" && ")
+
+const fixGrokAuthPermissions = (cwd: string, hostPath: string, containerPath: string) =>
+  runCommandWithExitCodes(
+    {
+      cwd,
+      command: "docker",
+      args: [
+        "run",
+        "--rm",
+        "-v",
+        `${hostPath}:${containerPath}`,
+        "alpine",
+        "sh",
+        "-c",
+        grokAuthPermissionScript,
+        "sh",
+        containerPath
+      ]
+    },
+    [0],
+    (exitCode) => new CommandFailedError({ command: "chmod grok auth", exitCode })
+  ).pipe(
+    Effect.tapError((err) => Effect.logWarning(`Failed to fix Grok auth permissions: ${String(err)}`))
+  )
+
+/**
+ * Runs the Grok OAuth device login inside the docker-git auth container.
+ *
+ * @param cwd Working directory used for Docker command execution.
+ * @param accountPath Selected docker-git Grok account directory.
+ * @param options Auth container image and in-container home path.
+ * @returns Effect that completes after Grok writes credentials and permissions are normalized.
+ * @pure false
+ * @effect CommandExecutor; invokes Docker and writes credentials under the selected account path.
+ * @invariant successful completion leaves credentials scoped to accountPath and not to project source files.
+ * @precondition Docker is available and options.image contains the official Grok CLI binary.
+ * @postcondition accountPath ownership follows the mounted account root or a typed error is returned.
+ * @complexity O(n) local argument construction plus unbounded external OAuth interaction time.
+ * @throws Never - failures are modeled as AuthError, CommandFailedError, or PlatformError in the Effect type.
+ */
+export const runGrokOauthLoginWithPrompt = (
+  cwd: string,
+  accountPath: string,
+  options: {
+    readonly image: string
+    readonly containerPath: string
+  }
+): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  Effect.gen(function*(_) {
+    yield* _(printOauthInstructions())
+    const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath))
+    const spec = buildDockerGrokAuthSpec(cwd, hostPath, options.image, options.containerPath)
+    yield* _(
+      runCommandWithExitCodes(
+        {
+          cwd: spec.cwd,
+          command: "docker",
+          args: buildDockerGrokAuthArgs(spec)
+        },
+        [0],
+        (exitCode) =>
+          new AuthError({
+            message: `Grok CLI login failed with exit code ${exitCode}.`
+          })
+      )
+    )
+    yield* _(fixGrokAuthPermissions(spec.cwd, hostPath, spec.containerPath))
+  })
diff --git a/packages/app/src/lib/usecases/auth-grok-status.ts b/packages/app/src/lib/usecases/auth-grok-status.ts
new file mode 100644
index 00000000..d451e3cb
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok-status.ts
@@ -0,0 +1,33 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect, Match } from "effect"
+
+import type { AuthGrokStatusCommand } from "../core/domain.js"
+import type { CommandFailedError } from "../shell/errors.js"
+import { resolveGrokAuthMethod, withGrokAuth } from "./auth-grok-helpers.js"
+import type { GrokRuntime } from "./auth-grok-helpers.js"
+
+// CHANGE: show Grok CLI auth status for a given label
+// WHY: allow verifying API-key/user-settings presence without exposing credentials
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokStatus(cmd) -> connected(cmd, method) | disconnected(cmd)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: never logs API keys or tokens
+// COMPLEXITY: O(1)
+export const authGrokStatus = (
+  command: AuthGrokStatusCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  withGrokAuth(command, ({ accountLabel, accountPath, fs }) =>
+    Effect.gen(function*(_) {
+      const authMethod = yield* _(resolveGrokAuthMethod(fs, accountPath))
+      yield* _(
+        Match.value(authMethod).pipe(
+          Match.when("none", () => Effect.log(`Grok not connected (${accountLabel}).`)),
+          Match.when("api-key", () => Effect.log(`Grok connected (${accountLabel}, api-key).`)),
+          Match.when("oauth", () => Effect.log(`Grok connected (${accountLabel}, oauth).`)),
+          Match.exhaustive
+        )
+      )
+    }))
diff --git a/packages/app/src/lib/usecases/auth-grok.ts b/packages/app/src/lib/usecases/auth-grok.ts
new file mode 100644
index 00000000..1626105a
--- /dev/null
+++ b/packages/app/src/lib/usecases/auth-grok.ts
@@ -0,0 +1,98 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import type { AuthGrokLoginCommand } from "../core/domain.js"
+import { AuthError, type CommandFailedError } from "../shell/errors.js"
+import {
+  grokApiKeyPath,
+  grokContainerHomeDir,
+  grokCredentialsPath,
+  grokImageName,
+  type GrokRuntime,
+  prepareGrokCredentialsDir,
+  withGrokAuth,
+  writeInitialGrokSettings
+} from "./auth-grok-helpers.js"
+import { runGrokOauthLoginWithPrompt } from "./auth-grok-oauth.js"
+import { normalizeAccountLabel } from "./auth-helpers.js"
+import { autoSyncState } from "./state-repo.js"
+
+// CHANGE: login to Grok CLI by storing API key and Grok user settings
+// WHY: Grok CLI supports GROK_DEPLOYMENT_KEY and ~/.grok/auth.json while OAuth is handled by the terminal runner
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokLogin(cmd) -> api_key_file_exists(accountPath)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: API key is stored in .api-key and mirrored into .grok/user-settings.json
+// COMPLEXITY: O(1)
+export const authGrokLogin = (
+  command: AuthGrokLoginCommand,
+  apiKey: string
+): Effect.Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime> => {
+  const trimmedApiKey = apiKey.trim()
+  if (trimmedApiKey.length === 0) {
+    return Effect.fail(new AuthError({ message: "Grok API key must not be empty" }))
+  }
+  const accountLabel = normalizeAccountLabel(command.label, "default")
+  return withGrokAuth(command, ({ accountPath, fs }) =>
+    Effect.gen(function*(_) {
+      const apiKeyFilePath = grokApiKeyPath(accountPath)
+      yield* _(fs.writeFileString(apiKeyFilePath, `${trimmedApiKey}\n`))
+      yield* _(fs.chmod(apiKeyFilePath, 0o600))
+
+      const credentialsDir = grokCredentialsPath(accountPath)
+      yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+      yield* _(fs.chmod(credentialsDir, 0o700))
+      yield* _(writeInitialGrokSettings(credentialsDir, fs, trimmedApiKey))
+    })).pipe(
+      Effect.zipRight(autoSyncState(`chore(state): auth grok ${accountLabel}`))
+    )
+}
+
+export const authGrokLoginCli = (
+  _command: AuthGrokLoginCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  Effect.gen(function*(_) {
+    yield* _(Effect.log("Grok CLI supports two authentication methods:"))
+    yield* _(Effect.log(""))
+    yield* _(Effect.log("1. API Key:"))
+    yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Grok CLI: set API key"))
+    yield* _(Effect.log(""))
+    yield* _(Effect.log("2. OAuth/browser login:"))
+    yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Grok CLI: login via OAuth"))
+    yield* _(Effect.log("   - Follow the Grok CLI prompts and paste the callback URL when requested"))
+  })
+
+// FORMAT THEOREM: forall cmd: authGrokLoginOauth(cmd) -> grok_credentials_stored | error
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: Grok CLI writes credentials under .grok within the selected account directory
+// COMPLEXITY: O(user_interaction)
+export const authGrokLoginOauth = (
+  command: AuthGrokLoginCommand
+): Effect.Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime> => {
+  const accountLabel = normalizeAccountLabel(command.label, "default")
+  return withGrokAuth(
+    command,
+    ({ accountPath, cwd, fs }) =>
+      Effect.gen(function*(_) {
+        const credentialsDir = yield* _(prepareGrokCredentialsDir(cwd, accountPath, fs))
+
+        yield* _(
+          runGrokOauthLoginWithPrompt(cwd, accountPath, {
+            image: grokImageName,
+            containerPath: grokContainerHomeDir
+          })
+        )
+        yield* _(writeInitialGrokSettings(credentialsDir, fs, null))
+      }),
+    { buildImage: true }
+  ).pipe(
+    Effect.zipRight(autoSyncState(`chore(state): auth grok oauth ${accountLabel}`))
+  )
+}
+
+export { authGrokLogout } from "./auth-grok-logout.js"
+export { authGrokStatus } from "./auth-grok-status.js"
diff --git a/packages/app/src/lib/usecases/auth-sync-helpers.ts b/packages/app/src/lib/usecases/auth-sync-helpers.ts
index eb2f7bec..1fd6307e 100644
--- a/packages/app/src/lib/usecases/auth-sync-helpers.ts
+++ b/packages/app/src/lib/usecases/auth-sync-helpers.ts
@@ -172,5 +172,6 @@ export type LegacyOrchPaths = AuthPaths & {
   readonly ghAuthPath: string
   readonly gitlabAuthPath?: string
   readonly geminiAuthPath?: string
+  readonly grokAuthPath?: string
 }
 /* jscpd:ignore-end */
diff --git a/packages/app/src/lib/usecases/auth.ts b/packages/app/src/lib/usecases/auth.ts
index b2c87d17..c7bd0619 100644
--- a/packages/app/src/lib/usecases/auth.ts
+++ b/packages/app/src/lib/usecases/auth.ts
@@ -3,4 +3,5 @@ export * from "./auth-claude.js"
 export * from "./auth-codex.js"
 export * from "./auth-gemini.js"
 export * from "./auth-github.js"
+export * from "./auth-grok.js"
 /* jscpd:ignore-end */
diff --git a/packages/app/src/web/action-prompt.ts b/packages/app/src/web/action-prompt.ts
index 47f4edea..f85a8b7a 100644
--- a/packages/app/src/web/action-prompt.ts
+++ b/packages/app/src/web/action-prompt.ts
@@ -1,3 +1,5 @@
+import { Match } from "effect"
+
 import { type AuthMenuAction, authViewSteps, authViewTitle } from "../docker-git/menu-auth-shared.js"
 import { type ProjectAuthMenuAction, projectAuthViewSteps } from "../docker-git/menu-project-auth-shared.js"
 
@@ -30,30 +32,20 @@ export type ActionPromptState =
 const initialPromptValues = (steps: ReadonlyArray<ActionPromptStep>): Readonly<Record<string, string>> =>
   Object.fromEntries(steps.map((step) => [step.key, ""]))
 
-const projectAuthTitle = (action: ProjectAuthPromptAction): string => {
-  if (action === "ProjectGithubConnect") {
-    return "Project GitHub connect"
-  }
-  if (action === "ProjectGithubDisconnect") {
-    return "Project GitHub disconnect"
-  }
-  if (action === "ProjectGitConnect") {
-    return "Project Git connect"
-  }
-  if (action === "ProjectGitDisconnect") {
-    return "Project Git disconnect"
-  }
-  if (action === "ProjectClaudeConnect") {
-    return "Project Claude connect"
-  }
-  if (action === "ProjectClaudeDisconnect") {
-    return "Project Claude disconnect"
-  }
-  if (action === "ProjectGeminiConnect") {
-    return "Project Gemini connect"
-  }
-  return "Project Gemini disconnect"
-}
+const projectAuthTitle = (action: ProjectAuthPromptAction): string =>
+  Match.value(action).pipe(
+    Match.when("ProjectGithubConnect", () => "Project GitHub connect"),
+    Match.when("ProjectGithubDisconnect", () => "Project GitHub disconnect"),
+    Match.when("ProjectGitConnect", () => "Project Git connect"),
+    Match.when("ProjectGitDisconnect", () => "Project Git disconnect"),
+    Match.when("ProjectClaudeConnect", () => "Project Claude connect"),
+    Match.when("ProjectClaudeDisconnect", () => "Project Claude disconnect"),
+    Match.when("ProjectGeminiConnect", () => "Project Gemini connect"),
+    Match.when("ProjectGeminiDisconnect", () => "Project Gemini disconnect"),
+    Match.when("ProjectGrokConnect", () => "Project Grok connect"),
+    Match.when("ProjectGrokDisconnect", () => "Project Grok disconnect"),
+    Match.exhaustive
+  )
 
 export const createAuthActionPrompt = (action: AuthPromptAction): ActionPromptState => {
   const steps = authViewSteps(action)
diff --git a/packages/app/src/web/actions-auth.ts b/packages/app/src/web/actions-auth.ts
index 69e35b00..a3a6ebaa 100644
--- a/packages/app/src/web/actions-auth.ts
+++ b/packages/app/src/web/actions-auth.ts
@@ -4,7 +4,9 @@ import {
   type AuthMenuAction,
   authViewSteps,
   authViewTitle,
-  successMessage as authSuccessMessage
+  successMessage as authSuccessMessage,
+  type TerminalAuthFlow,
+  terminalAuthTitle
 } from "../docker-git/menu-auth-shared.js"
 import {
   type ProjectAuthMenuAction,
@@ -39,7 +41,14 @@ import { projectPickerScreen } from "./screen.js"
 
 type SupportedAuthMutation = Extract<
   AuthMenuAction,
-  "GithubRemove" | "GitSet" | "GitRemove" | "ClaudeLogout" | "GeminiApiKey" | "GeminiLogout"
+  | "GithubRemove"
+  | "GitSet"
+  | "GitRemove"
+  | "ClaudeLogout"
+  | "GeminiApiKey"
+  | "GeminiLogout"
+  | "GrokApiKey"
+  | "GrokLogout"
 >
 
 type SupportedProjectMutation = Extract<
@@ -52,6 +61,8 @@ type SupportedProjectMutation = Extract<
   | "ProjectClaudeDisconnect"
   | "ProjectGeminiConnect"
   | "ProjectGeminiDisconnect"
+  | "ProjectGrokConnect"
+  | "ProjectGrokDisconnect"
 >
 
 export const refreshAuthPanel = (context: BrowserActionContext) => {
@@ -125,11 +136,11 @@ const runSupportedAuthMutation = (
 }
 
 const runTerminalOnlyAuthAction = (
-  action: Extract<AuthMenuAction, "ClaudeOauth" | "GeminiOauth">,
+  action: TerminalAuthFlow,
   values: Readonly<Record<string, string>>,
   context: BrowserActionContext
 ) => {
-  const provider = action === "ClaudeOauth" ? "Claude Code OAuth" : "Gemini CLI OAuth"
+  const provider = terminalAuthTitle(action)
   const label = nullableValue(values["label"])
   const sessionLabel = defaultLabel(values["label"])
   withBusy({
@@ -276,7 +287,7 @@ export const submitBrowserActionPrompt = (
       runSupportedAuthMutation(prompt.action, prompt.values, context)
       return
     }
-    if (prompt.action === "ClaudeOauth" || prompt.action === "GeminiOauth") {
+    if (prompt.action === "ClaudeOauth" || prompt.action === "GeminiOauth" || prompt.action === "GrokOauth") {
       runTerminalOnlyAuthAction(prompt.action, prompt.values, context)
       return
     }
diff --git a/packages/app/src/web/api-auth-schema.ts b/packages/app/src/web/api-auth-schema.ts
index a60bce0e..5ecf2e64 100644
--- a/packages/app/src/web/api-auth-schema.ts
+++ b/packages/app/src/web/api-auth-schema.ts
@@ -23,13 +23,19 @@ export const GithubStatusResponseSchema = Schema.Struct({
   status: GithubAuthStatusSchema
 })
 
-export const AuthSnapshotSchema = Schema.Struct({
+const AuthProviderSnapshotFields = {
   claudeAuthEntries: Schema.Number,
   claudeAuthPath: Schema.String,
   geminiAuthEntries: Schema.Number,
   geminiAuthPath: Schema.String,
+  grokAuthEntries: Schema.Number,
+  grokAuthPath: Schema.String,
   githubTokenEntries: Schema.Number,
-  gitTokenEntries: Schema.Number,
+  gitTokenEntries: Schema.Number
+}
+
+export const AuthSnapshotSchema = Schema.Struct({
+  ...AuthProviderSnapshotFields,
   gitUserEntries: Schema.Number,
   globalEnvPath: Schema.String,
   totalEntries: Schema.Number
@@ -43,16 +49,12 @@ export const AuthSnapshotResponseSchema = Schema.Struct({
 export const ProjectAuthSnapshotSchema = Schema.Struct({
   activeClaudeLabel: NullableString,
   activeGeminiLabel: NullableString,
+  activeGrokLabel: NullableString,
   activeGithubLabel: NullableString,
   activeGitLabel: NullableString,
-  claudeAuthEntries: Schema.Number,
-  claudeAuthPath: Schema.String,
+  ...AuthProviderSnapshotFields,
   envGlobalPath: Schema.String,
   envProjectPath: Schema.String,
-  geminiAuthEntries: Schema.Number,
-  geminiAuthPath: Schema.String,
-  githubTokenEntries: Schema.Number,
-  gitTokenEntries: Schema.Number,
   projectDir: Schema.String,
   projectName: Schema.String
 })
diff --git a/packages/app/src/web/api-prompts-schema.ts b/packages/app/src/web/api-prompts-schema.ts
index 164aaaa6..d63c7e24 100644
--- a/packages/app/src/web/api-prompts-schema.ts
+++ b/packages/app/src/web/api-prompts-schema.ts
@@ -3,7 +3,8 @@ import * as Schema from "@effect/schema/Schema"
 export const ProjectPromptKindSchema = Schema.Union(
   Schema.Literal("claude"),
   Schema.Literal("codex"),
-  Schema.Literal("gemini")
+  Schema.Literal("gemini"),
+  Schema.Literal("grok")
 )
 
 export const ProjectPromptFileSchema = Schema.Struct({
diff --git a/packages/app/src/web/api-skills-schema.ts b/packages/app/src/web/api-skills-schema.ts
index 7a569907..7a083f62 100644
--- a/packages/app/src/web/api-skills-schema.ts
+++ b/packages/app/src/web/api-skills-schema.ts
@@ -8,7 +8,8 @@ export const ProjectSkillScopeSchema = Schema.Union(
   Schema.Literal("agents/.skills"),
   Schema.Literal("claude/skills"),
   Schema.Literal("codex/skills"),
-  Schema.Literal("gemini/skills")
+  Schema.Literal("gemini/skills"),
+  Schema.Literal("grok/skills")
 )
 
 export const ProjectSkillFileSchema = Schema.Struct({
diff --git a/packages/app/src/web/api-skills.ts b/packages/app/src/web/api-skills.ts
index 5aebe495..f76c5e78 100644
--- a/packages/app/src/web/api-skills.ts
+++ b/packages/app/src/web/api-skills.ts
@@ -10,7 +10,8 @@ const skillScopeIdByScope: Readonly<Record<ProjectSkillScope, string>> = {
   "agents/.skills": "agents-dot-skills",
   "claude/skills": "claude-skills",
   "codex/skills": "codex-skills",
-  "gemini/skills": "gemini-skills"
+  "gemini/skills": "gemini-skills",
+  "grok/skills": "grok-skills"
 }
 
 export const projectSkillScopeToId = (scope: ProjectSkillScope): string => skillScopeIdByScope[scope]
diff --git a/packages/app/src/web/api-types.ts b/packages/app/src/web/api-types.ts
index 1d39161d..5df7f56f 100644
--- a/packages/app/src/web/api-types.ts
+++ b/packages/app/src/web/api-types.ts
@@ -79,6 +79,8 @@ export type AuthMenuFlow =
   | "ClaudeLogout"
   | "GeminiApiKey"
   | "GeminiLogout"
+  | "GrokApiKey"
+  | "GrokLogout"
 
 export type ProjectAuthFlow =
   | "ProjectGithubConnect"
@@ -89,5 +91,7 @@ export type ProjectAuthFlow =
   | "ProjectClaudeDisconnect"
   | "ProjectGeminiConnect"
   | "ProjectGeminiDisconnect"
+  | "ProjectGrokConnect"
+  | "ProjectGrokDisconnect"
 
 export { type TerminalServerMessage, type TerminalSession } from "../shared/terminal-session-schema.js"
diff --git a/packages/app/src/web/api.ts b/packages/app/src/web/api.ts
index 6545ddeb..1379bbb3 100644
--- a/packages/app/src/web/api.ts
+++ b/packages/app/src/web/api.ts
@@ -185,7 +185,7 @@ export const startProjectTerminalSession = (
   )
 
 export const createAuthTerminalSession = (
-  flow: "ClaudeOauth" | "GeminiOauth",
+  flow: "ClaudeOauth" | "GeminiOauth" | "GrokOauth",
   label: string | null
 ) =>
   requestJson(
diff --git a/packages/app/src/web/panel-auth.tsx b/packages/app/src/web/panel-auth.tsx
index f520f560..67abf228 100644
--- a/packages/app/src/web/panel-auth.tsx
+++ b/packages/app/src/web/panel-auth.tsx
@@ -7,7 +7,7 @@ import { Box, Text } from "./elements.js"
 import { ActionLine, ActionPromptPanel, SnapshotLine } from "./panel-auth-shared.js"
 
 const actionHint = (action: string | null): string | undefined => {
-  if (action === "ClaudeOauth" || action === "GeminiOauth") {
+  if (action === "ClaudeOauth" || action === "GeminiOauth" || action === "GrokOauth") {
     return "opens embedded terminal"
   }
   if (action === "GithubOauth") {
@@ -80,6 +80,7 @@ export const AuthPanel = (
           <SnapshotLine label="Git users" value={snapshot.gitUserEntries} />
           <SnapshotLine label="Claude accounts" value={snapshot.claudeAuthEntries} />
           <SnapshotLine label="Gemini accounts" value={snapshot.geminiAuthEntries} />
+          <SnapshotLine label="Grok accounts" value={snapshot.grokAuthEntries} />
         </Box>
       )}
     <GithubStatusSection githubStatus={githubStatus} />
diff --git a/packages/app/src/web/panel-project-auth.tsx b/packages/app/src/web/panel-project-auth.tsx
index 03b25a13..71852fcf 100644
--- a/packages/app/src/web/panel-project-auth.tsx
+++ b/packages/app/src/web/panel-project-auth.tsx
@@ -35,6 +35,8 @@ const ProjectAuthSnapshotSection = ({ snapshot }: { readonly snapshot: ProjectAu
         <SnapshotLine label="Git label" value={snapshot.activeGitLabel ?? "not set"} />
         <SnapshotLine label="Claude label" value={snapshot.activeClaudeLabel ?? "not set"} />
         <SnapshotLine label="Gemini label" value={snapshot.activeGeminiLabel ?? "not set"} />
+        <SnapshotLine label="Grok label" value={snapshot.activeGrokLabel ?? "not set"} />
+        <SnapshotLine label="Grok accounts" value={snapshot.grokAuthEntries} />
       </Box>
     )
 
diff --git a/packages/app/src/web/panel-project-prompts.tsx b/packages/app/src/web/panel-project-prompts.tsx
index 2c6d1479..4773aeb5 100644
--- a/packages/app/src/web/panel-project-prompts.tsx
+++ b/packages/app/src/web/panel-project-prompts.tsx
@@ -14,7 +14,8 @@ type PromptsPanelProps = {
 const promptTitleByKind: Record<ProjectPromptKind, string> = {
   claude: "Claude (CLAUDE.md)",
   codex: "Codex / Agents (AGENTS.md)",
-  gemini: "Gemini (GEMINI.md)"
+  gemini: "Gemini (GEMINI.md)",
+  grok: "Grok (GROK.md)"
 }
 
 const formatBytes = (bytes: number): string => {
@@ -125,7 +126,7 @@ export const ProjectPromptsPanel = (
     <Text bold={true} fg="#8be9fd">Project system prompts</Text>
     <Text fg="#d6e5f7" wrap="wrap">
       Edit per-project system prompts that agents read on startup: CLAUDE.md (Claude), AGENTS.md (Codex / generic
-      agents), GEMINI.md (Gemini).
+      agents), GEMINI.md (Gemini), GROK.md (Grok).
     </Text>
     <Text fg="#8fa6c4" wrap="truncate">
       Project: {selectedProjectSummary?.displayName ?? "not selected"}
diff --git a/packages/app/src/web/panel-project-skills.tsx b/packages/app/src/web/panel-project-skills.tsx
index 8c19e861..9b6d1822 100644
--- a/packages/app/src/web/panel-project-skills.tsx
+++ b/packages/app/src/web/panel-project-skills.tsx
@@ -251,8 +251,8 @@ const SkillsPanelHeader = (
   <>
     <Text bold={true} fg="#8be9fd">Project skills</Text>
     <Text fg="#d6e5f7" wrap="wrap">
-      Manage SKILL.md files across the conventional skill folders shared with Claude, Codex, Gemini and generic agents.
-      Each entry edits a single SKILL.md file under the project directory.
+      Manage SKILL.md files across the conventional skill folders shared with Claude, Codex, Gemini, Grok and generic
+      agents. Each entry edits a single SKILL.md file under the project directory.
     </Text>
     <Text fg="#8fa6c4" wrap="truncate">
       Project: {selectedProjectSummary?.displayName ?? "not selected"}
diff --git a/packages/app/tests/docker-git/actions-github-oauth.test.ts b/packages/app/tests/docker-git/actions-github-oauth.test.ts
index 19b379f9..b1101eec 100644
--- a/packages/app/tests/docker-git/actions-github-oauth.test.ts
+++ b/packages/app/tests/docker-git/actions-github-oauth.test.ts
@@ -34,6 +34,8 @@ const authSnapshot: AuthSnapshot = {
   claudeAuthPath: "/home/dev/.docker-git/.orch/auth/claude",
   geminiAuthEntries: 0,
   geminiAuthPath: "/home/dev/.docker-git/.orch/auth/gemini",
+  grokAuthEntries: 0,
+  grokAuthPath: "/home/dev/.docker-git/.orch/auth/grok",
   gitTokenEntries: 0,
   gitUserEntries: 0,
   githubTokenEntries: 1,
diff --git a/packages/app/tests/docker-git/parser-auth.test.ts b/packages/app/tests/docker-git/parser-auth.test.ts
index 02c8abd8..6659e907 100644
--- a/packages/app/tests/docker-git/parser-auth.test.ts
+++ b/packages/app/tests/docker-git/parser-auth.test.ts
@@ -19,6 +19,27 @@ const expectGitlabLoginCommand = (
   })
 
 describe("parse auth commands", () => {
+  it.effect("parses grok auth commands into the controller-owned auth directory", () =>
+    Effect.sync(() => {
+      const login = parseOrThrow(["auth", "grok", "login", "--label", "Team A", "--web"])
+      const status = parseOrThrow(["auth", "grok", "status", "--label", "Team A"])
+      const logout = parseOrThrow(["auth", "grok", "logout", "--label", "Team A"])
+
+      expect(login._tag).toBe("AuthGrokLogin")
+      expect(status._tag).toBe("AuthGrokStatus")
+      expect(logout._tag).toBe("AuthGrokLogout")
+
+      if (login._tag !== "AuthGrokLogin" || status._tag !== "AuthGrokStatus" || logout._tag !== "AuthGrokLogout") {
+        throw new Error("expected AuthGrok commands")
+      }
+
+      expect(login.label).toBe("Team A")
+      expect(login.grokAuthPath).toBe(".docker-git/.orch/auth/grok")
+      expect(login.isWeb).toBe(true)
+      expect(status.grokAuthPath).toBe(".docker-git/.orch/auth/grok")
+      expect(logout.grokAuthPath).toBe(".docker-git/.orch/auth/grok")
+    }))
+
   it.effect("parses codex auth import into the controller-owned auth directory", () =>
     Effect.sync(() => {
       const command = parseOrThrow(["auth", "codex", "import"])
diff --git a/packages/lib/src/core/auth-domain.ts b/packages/lib/src/core/auth-domain.ts
index f150a93d..2cf27170 100644
--- a/packages/lib/src/core/auth-domain.ts
+++ b/packages/lib/src/core/auth-domain.ts
@@ -106,6 +106,35 @@ export interface AuthGeminiLogoutCommand {
   readonly geminiAuthPath: string
 }
 
+// CHANGE: add Grok CLI auth commands
+// WHY: issue #304 requires Grok login/status/logout profiles with isolated auth storage
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd ∈ AuthGrokCommand: cmd.grokAuthPath is valid path
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: authentication state is isolated by label
+// COMPLEXITY: O(1)
+export interface AuthGrokLoginCommand {
+  readonly _tag: "AuthGrokLogin"
+  readonly label: string | null
+  readonly grokAuthPath: string
+  readonly isWeb: boolean
+}
+
+export interface AuthGrokStatusCommand {
+  readonly _tag: "AuthGrokStatus"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
+export interface AuthGrokLogoutCommand {
+  readonly _tag: "AuthGrokLogout"
+  readonly label: string | null
+  readonly grokAuthPath: string
+}
+
 export type AuthCommand =
   | AuthGithubLoginCommand
   | AuthGithubStatusCommand
@@ -123,3 +152,6 @@ export type AuthCommand =
   | AuthGeminiLoginCommand
   | AuthGeminiStatusCommand
   | AuthGeminiLogoutCommand
+  | AuthGrokLoginCommand
+  | AuthGrokStatusCommand
+  | AuthGrokLogoutCommand
diff --git a/packages/lib/src/core/auto-agent-flags.ts b/packages/lib/src/core/auto-agent-flags.ts
index 590c5a24..bd6bf1ed 100644
--- a/packages/lib/src/core/auto-agent-flags.ts
+++ b/packages/lib/src/core/auto-agent-flags.ts
@@ -13,12 +13,12 @@ export const resolveAutoAgentFlags = (
   if (requested === "auto") {
     return Either.right({ agentMode: undefined, agentAuto: true })
   }
-  if (requested === "claude" || requested === "codex") {
+  if (requested === "claude" || requested === "codex" || requested === "gemini" || requested === "grok") {
     return Either.right({ agentMode: requested, agentAuto: true })
   }
   return Either.left({
     _tag: "InvalidOption",
     option: "--auto",
-    reason: "expected one of: claude, codex"
+    reason: "expected one of: claude, codex, gemini, grok"
   })
 }
diff --git a/packages/lib/src/core/command-builders-template.ts b/packages/lib/src/core/command-builders-template.ts
new file mode 100644
index 00000000..7d5f9bdb
--- /dev/null
+++ b/packages/lib/src/core/command-builders-template.ts
@@ -0,0 +1,92 @@
+import type { NameConfig, PathConfig, RepoBasics } from "./command-builders.js"
+import { type AgentMode, type CreateCommand, defaultTemplateConfig } from "./domain.js"
+
+export type BuildTemplateConfigInput = {
+  readonly repo: RepoBasics
+  readonly names: NameConfig
+  readonly paths: PathConfig
+  readonly cpuLimit: string | undefined
+  readonly ramLimit: string | undefined
+  readonly playwrightCpuLimit: string | undefined
+  readonly playwrightRamLimit: string | undefined
+  readonly gpu: CreateCommand["config"]["gpu"]
+  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
+  readonly dockerSharedNetworkName: string
+  readonly gitTokenLabel: string | undefined
+  readonly skipGithubAuth: boolean
+  readonly codexAuthLabel: string | undefined
+  readonly claudeAuthLabel: string | undefined
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
+  readonly enableMcpPlaywright: boolean
+  readonly agentMode: AgentMode | undefined
+  readonly agentAuto: boolean
+  readonly clonedOnHostname?: string | undefined
+}
+
+const buildTemplateConfigBase = (
+  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
+): Pick<
+  CreateCommand["config"],
+  | "containerName"
+  | "serviceName"
+  | "sshUser"
+  | "sshPort"
+  | "repoUrl"
+  | "repoRef"
+  | "targetDir"
+  | "volumeName"
+  | "dockerGitPath"
+  | "authorizedKeysPath"
+  | "envGlobalPath"
+  | "envProjectPath"
+  | "codexAuthPath"
+  | "codexSharedAuthPath"
+  | "codexHome"
+  | "geminiAuthPath"
+  | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
+> => ({
+  containerName: input.names.containerName,
+  serviceName: input.names.serviceName,
+  sshUser: input.repo.sshUser,
+  sshPort: input.repo.sshPort,
+  repoUrl: input.repo.repoUrl,
+  repoRef: input.repo.repoRef,
+  targetDir: input.repo.targetDir,
+  volumeName: input.names.volumeName,
+  dockerGitPath: input.paths.dockerGitPath,
+  authorizedKeysPath: input.paths.authorizedKeysPath,
+  envGlobalPath: input.paths.envGlobalPath,
+  envProjectPath: input.paths.envProjectPath,
+  codexAuthPath: input.paths.codexAuthPath,
+  codexSharedAuthPath: input.paths.codexSharedAuthPath,
+  codexHome: input.paths.codexHome,
+  geminiAuthPath: input.paths.geminiAuthPath,
+  geminiHome: input.paths.geminiHome,
+  grokAuthPath: input.paths.grokAuthPath,
+  grokHome: input.paths.grokHome
+})
+
+export const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
+  ...buildTemplateConfigBase(input),
+  gitTokenLabel: input.gitTokenLabel,
+  skipGithubAuth: input.skipGithubAuth,
+  codexAuthLabel: input.codexAuthLabel,
+  claudeAuthLabel: input.claudeAuthLabel,
+  geminiAuthLabel: input.geminiAuthLabel,
+  grokAuthLabel: input.grokAuthLabel,
+  cpuLimit: input.cpuLimit,
+  ramLimit: input.ramLimit,
+  playwrightCpuLimit: input.playwrightCpuLimit,
+  playwrightRamLimit: input.playwrightRamLimit,
+  gpu: input.gpu,
+  dockerNetworkMode: input.dockerNetworkMode,
+  dockerSharedNetworkName: input.dockerSharedNetworkName,
+  enableMcpPlaywright: input.enableMcpPlaywright,
+  bunVersion: defaultTemplateConfig.bunVersion,
+  agentMode: input.agentMode,
+  agentAuto: input.agentAuto,
+  clonedOnHostname: input.clonedOnHostname
+})
diff --git a/packages/lib/src/core/command-builders.ts b/packages/lib/src/core/command-builders.ts
index a875ebfa..865b5b56 100644
--- a/packages/lib/src/core/command-builders.ts
+++ b/packages/lib/src/core/command-builders.ts
@@ -10,9 +10,9 @@ import {
   parseSshPort,
   parseSshUser
 } from "./command-builders-shared.js"
+import { buildTemplateConfig } from "./command-builders-template.js"
 import { type RawOptions } from "./command-options.js"
 import {
-  type AgentMode,
   type CreateCommand,
   defaultTemplateConfig,
   deriveRepoPathParts,
@@ -28,7 +28,7 @@ export { nonEmpty } from "./command-builders-shared.js"
 
 const normalizeSecretsRoot = (value: string): string => trimRightChar(value, "/")
 
-type RepoBasics = {
+export type RepoBasics = {
   readonly repoUrl: string
   readonly repoSlug: string
   readonly projectSlug: string
@@ -62,7 +62,7 @@ const resolveRepoBasics = (raw: RawOptions): Either.Either<RepoBasics, ParseErro
     return { repoUrl, repoSlug, projectSlug, repoPath, repoRef, targetDir, sshUser, sshPort }
   })
 
-type NameConfig = {
+export type NameConfig = {
   readonly containerName: string
   readonly serviceName: string
   readonly volumeName: string
@@ -85,7 +85,7 @@ const resolveNames = (
     return { containerName, serviceName, volumeName }
   })
 
-type PathConfig = {
+export type PathConfig = {
   readonly dockerGitPath: string
   readonly authorizedKeysPath: string
   readonly envGlobalPath: string
@@ -95,6 +95,8 @@ type PathConfig = {
   readonly codexHome: string
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly outDir: string
 }
 
@@ -105,6 +107,7 @@ type DefaultPathConfig = {
   readonly envProjectPath: string
   readonly codexAuthPath: string
   readonly geminiAuthPath: string
+  readonly grokAuthPath: string
 }
 
 const resolveNormalizedSecretsRoot = (value: string | undefined): string | undefined => {
@@ -122,7 +125,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: defaultTemplateConfig.envGlobalPath,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: defaultTemplateConfig.codexAuthPath,
-      geminiAuthPath: defaultTemplateConfig.geminiAuthPath
+      geminiAuthPath: defaultTemplateConfig.geminiAuthPath,
+      grokAuthPath: defaultTemplateConfig.grokAuthPath
     }
     : {
       // NOTE: Keep docker-git root mount stable (projects root) so caches like
@@ -132,7 +136,8 @@ const buildDefaultPathConfig = (
       envGlobalPath: `${normalizedSecretsRoot}/global.env`,
       envProjectPath: defaultTemplateConfig.envProjectPath,
       codexAuthPath: `${normalizedSecretsRoot}/codex`,
-      geminiAuthPath: `${normalizedSecretsRoot}/gemini`
+      geminiAuthPath: `${normalizedSecretsRoot}/gemini`,
+      grokAuthPath: `${normalizedSecretsRoot}/grok`
     }
 
 const resolvePaths = (
@@ -157,6 +162,8 @@ const resolvePaths = (
     const codexHome = yield* _(nonEmpty("--codex-home", raw.codexHome, defaultTemplateConfig.codexHome))
     const geminiAuthPath = defaults.geminiAuthPath
     const geminiHome = defaultTemplateConfig.geminiHome
+    const grokAuthPath = defaults.grokAuthPath
+    const grokHome = defaultTemplateConfig.grokHome
     const outDir = yield* _(nonEmpty("--out-dir", raw.outDir, `.docker-git/${repoPath}`))
 
     return {
@@ -169,6 +176,8 @@ const resolvePaths = (
       codexHome,
       geminiAuthPath,
       geminiHome,
+      grokAuthPath,
+      grokHome,
       outDir
     }
   })
@@ -191,86 +200,20 @@ const resolveCreateBehavior = (raw: RawOptions): CreateBehavior => ({
   enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 })
 
-type BuildTemplateConfigInput = {
-  readonly repo: RepoBasics
-  readonly names: NameConfig
-  readonly paths: PathConfig
-  readonly cpuLimit: string | undefined
-  readonly ramLimit: string | undefined
-  readonly playwrightCpuLimit: string | undefined
-  readonly playwrightRamLimit: string | undefined
-  readonly gpu: CreateCommand["config"]["gpu"]
-  readonly dockerNetworkMode: CreateCommand["config"]["dockerNetworkMode"]
-  readonly dockerSharedNetworkName: string
+type TokenLabelConfig = {
   readonly gitTokenLabel: string | undefined
-  readonly skipGithubAuth: boolean
   readonly codexAuthLabel: string | undefined
   readonly claudeAuthLabel: string | undefined
-  readonly enableMcpPlaywright: boolean
-  readonly agentMode: AgentMode | undefined
-  readonly agentAuto: boolean
-  readonly clonedOnHostname: string
+  readonly geminiAuthLabel: string | undefined
+  readonly grokAuthLabel: string | undefined
 }
 
-const buildTemplateConfigBase = (
-  input: Pick<BuildTemplateConfigInput, "repo" | "names" | "paths">
-): Pick<
-  CreateCommand["config"],
-  | "containerName"
-  | "serviceName"
-  | "sshUser"
-  | "sshPort"
-  | "repoUrl"
-  | "repoRef"
-  | "targetDir"
-  | "volumeName"
-  | "dockerGitPath"
-  | "authorizedKeysPath"
-  | "envGlobalPath"
-  | "envProjectPath"
-  | "codexAuthPath"
-  | "codexSharedAuthPath"
-  | "codexHome"
-  | "geminiAuthPath"
-  | "geminiHome"
-> => ({
-  containerName: input.names.containerName,
-  serviceName: input.names.serviceName,
-  sshUser: input.repo.sshUser,
-  sshPort: input.repo.sshPort,
-  repoUrl: input.repo.repoUrl,
-  repoRef: input.repo.repoRef,
-  targetDir: input.repo.targetDir,
-  volumeName: input.names.volumeName,
-  dockerGitPath: input.paths.dockerGitPath,
-  authorizedKeysPath: input.paths.authorizedKeysPath,
-  envGlobalPath: input.paths.envGlobalPath,
-  envProjectPath: input.paths.envProjectPath,
-  codexAuthPath: input.paths.codexAuthPath,
-  codexSharedAuthPath: input.paths.codexSharedAuthPath,
-  codexHome: input.paths.codexHome,
-  geminiAuthPath: input.paths.geminiAuthPath,
-  geminiHome: input.paths.geminiHome
-})
-
-const buildTemplateConfig = (input: BuildTemplateConfigInput): CreateCommand["config"] => ({
-  ...buildTemplateConfigBase(input),
-  gitTokenLabel: input.gitTokenLabel,
-  skipGithubAuth: input.skipGithubAuth,
-  codexAuthLabel: input.codexAuthLabel,
-  claudeAuthLabel: input.claudeAuthLabel,
-  cpuLimit: input.cpuLimit,
-  ramLimit: input.ramLimit,
-  playwrightCpuLimit: input.playwrightCpuLimit,
-  playwrightRamLimit: input.playwrightRamLimit,
-  gpu: input.gpu,
-  dockerNetworkMode: input.dockerNetworkMode,
-  dockerSharedNetworkName: input.dockerSharedNetworkName,
-  enableMcpPlaywright: input.enableMcpPlaywright,
-  bunVersion: defaultTemplateConfig.bunVersion,
-  agentMode: input.agentMode,
-  agentAuto: input.agentAuto,
-  clonedOnHostname: input.clonedOnHostname
+const resolveTokenLabels = (raw: RawOptions): TokenLabelConfig => ({
+  gitTokenLabel: normalizeGitTokenLabel(raw.gitTokenLabel),
+  codexAuthLabel: normalizeAuthLabel(raw.codexTokenLabel),
+  claudeAuthLabel: normalizeAuthLabel(raw.claudeTokenLabel),
+  geminiAuthLabel: normalizeAuthLabel(raw.geminiTokenLabel),
+  grokAuthLabel: normalizeAuthLabel(raw.grokTokenLabel)
 })
 
 // CHANGE: build a typed create command from raw options (CLI or API)
@@ -291,9 +234,7 @@ export const buildCreateCommand = (
     const names = yield* _(resolveNames(raw, repo.projectSlug))
     const paths = yield* _(resolvePaths(raw, repo.repoPath))
     const behavior = resolveCreateBehavior(raw)
-    const gitTokenLabel = normalizeGitTokenLabel(raw.gitTokenLabel)
-    const codexAuthLabel = normalizeAuthLabel(raw.codexTokenLabel)
-    const claudeAuthLabel = normalizeAuthLabel(raw.claudeTokenLabel)
+    const tokenLabels = resolveTokenLabels(raw)
     const limits = yield* _(resolveResourceLimitsIntent(raw))
     const gpu = yield* _(parseGpuMode(raw.gpu))
     const dockerNetworkMode = yield* _(parseDockerNetworkMode(raw.dockerNetworkMode))
@@ -321,10 +262,8 @@ export const buildCreateCommand = (
         gpu,
         dockerNetworkMode,
         dockerSharedNetworkName,
-        gitTokenLabel,
+        ...tokenLabels,
         skipGithubAuth: behavior.skipGithubAuth,
-        codexAuthLabel,
-        claudeAuthLabel,
         enableMcpPlaywright: behavior.enableMcpPlaywright,
         agentMode,
         agentAuto,
diff --git a/packages/lib/src/core/command-options.ts b/packages/lib/src/core/command-options.ts
index 9fe76d8f..55db8135 100644
--- a/packages/lib/src/core/command-options.ts
+++ b/packages/lib/src/core/command-options.ts
@@ -40,6 +40,8 @@ export interface RawOptions {
   readonly gitTokenLabel?: string
   readonly codexTokenLabel?: string
   readonly claudeTokenLabel?: string
+  readonly geminiTokenLabel?: string
+  readonly grokTokenLabel?: string
   readonly token?: string
   readonly scopes?: string
   readonly message?: string
diff --git a/packages/lib/src/core/domain.ts b/packages/lib/src/core/domain.ts
index 4baa2d56..484da3d0 100644
--- a/packages/lib/src/core/domain.ts
+++ b/packages/lib/src/core/domain.ts
@@ -19,7 +19,10 @@ export type {
   AuthGithubStatusCommand,
   AuthGitlabLoginCommand,
   AuthGitlabLogoutCommand,
-  AuthGitlabStatusCommand
+  AuthGitlabStatusCommand,
+  AuthGrokLoginCommand,
+  AuthGrokLogoutCommand,
+  AuthGrokStatusCommand
 } from "./auth-domain.js"
 export type { MenuAction, ParseError } from "./menu.js"
 export { parseMenuSelection } from "./menu.js"
@@ -52,7 +55,7 @@ export {
   dockerGitSharedCodexVolumeName
 } from "./template-defaults.js"
 
-export type AgentMode = "claude" | "codex" | "gemini"
+export type AgentMode = "claude" | "codex" | "gemini" | "grok"
 
 export type DockerNetworkMode = "shared" | "project"
 export type GpuMode = "none" | "all"
@@ -96,6 +99,9 @@ export interface TemplateConfig {
   readonly geminiAuthLabel?: string | undefined
   readonly geminiAuthPath: string
   readonly geminiHome: string
+  readonly grokAuthLabel?: string | undefined
+  readonly grokAuthPath: string
+  readonly grokHome: string
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
@@ -187,6 +193,7 @@ export interface ApplyCommand {
   readonly codexTokenLabel?: string | undefined
   readonly claudeTokenLabel?: string | undefined
   readonly geminiTokenLabel?: string | undefined
+  readonly grokTokenLabel?: string | undefined
   readonly cpuLimit?: string | undefined
   readonly ramLimit?: string | undefined
   readonly playwrightCpuLimit?: string | undefined
diff --git a/packages/lib/src/core/template-defaults.ts b/packages/lib/src/core/template-defaults.ts
index a6bafcab..b17cbd85 100644
--- a/packages/lib/src/core/template-defaults.ts
+++ b/packages/lib/src/core/template-defaults.ts
@@ -19,6 +19,8 @@ type DefaultTemplateConfig = Pick<
   | "codexHome"
   | "geminiAuthPath"
   | "geminiHome"
+  | "grokAuthPath"
+  | "grokHome"
   | "cpuLimit"
   | "ramLimit"
   | "playwrightCpuLimit"
@@ -62,6 +64,8 @@ export const defaultTemplateConfig = {
   codexHome: "/home/dev/.codex",
   geminiAuthPath: "./.docker-git/.orch/auth/gemini",
   geminiHome: "/home/dev/.gemini",
+  grokAuthPath: "./.docker-git/.orch/auth/grok",
+  grokHome: "/home/dev/.grok",
   cpuLimit: defaultCpuLimit,
   ramLimit: defaultRamLimit,
   playwrightCpuLimit: defaultPlaywrightCpuLimit,
diff --git a/packages/lib/src/core/templates-entrypoint.ts b/packages/lib/src/core/templates-entrypoint.ts
index 1a11ecbb..b0fa1afb 100644
--- a/packages/lib/src/core/templates-entrypoint.ts
+++ b/packages/lib/src/core/templates-entrypoint.ts
@@ -23,6 +23,7 @@ import {
 import { renderEntrypointDnsRepair } from "./templates-entrypoint/dns-repair.js"
 import { renderEntrypointGeminiConfig } from "./templates-entrypoint/gemini.js"
 import { renderEntrypointGitConfig, renderEntrypointGitHooks } from "./templates-entrypoint/git.js"
+import { renderEntrypointGrokConfig } from "./templates-entrypoint/grok.js"
 import { renderEntrypointDockerGitBootstrap } from "./templates-entrypoint/nested-docker-git.js"
 import { renderEntrypointOpenCodeConfig } from "./templates-entrypoint/opencode.js"
 import { renderEntrypointPlaywrightBrowserRuntime } from "./templates-entrypoint/playwright-browser.js"
@@ -63,6 +64,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointGitConfig(config),
     renderEntrypointClaudeConfig(config),
     renderEntrypointGeminiConfig(config),
+    renderEntrypointGrokConfig(config),
     renderEntrypointRtkConfig(config),
     renderEntrypointGitHooks(),
     renderEntrypointBackgroundTasks(config),
diff --git a/packages/lib/src/core/templates-entrypoint/agent.ts b/packages/lib/src/core/templates-entrypoint/agent.ts
index 3a02b478..fe413b05 100644
--- a/packages/lib/src/core/templates-entrypoint/agent.ts
+++ b/packages/lib/src/core/templates-entrypoint/agent.ts
@@ -1,7 +1,7 @@
 import { Match } from "effect"
 import type { TemplateConfig } from "../domain.js"
 
-type AgentMode = "claude" | "codex" | "gemini"
+type AgentMode = "claude" | "codex" | "gemini" | "grok"
 
 const indentBlock = (block: string, size = 2): string => {
   const prefix = " ".repeat(size)
@@ -40,6 +40,7 @@ AGENT_ENV_FILE="/run/docker-git/agent-env.sh"
   [[ -f /etc/profile.d/gh-token.sh ]] && cat /etc/profile.d/gh-token.sh
   [[ -f /etc/profile.d/claude-config.sh ]] && cat /etc/profile.d/claude-config.sh
   [[ -f /etc/profile.d/gemini-config.sh ]] && cat /etc/profile.d/gemini-config.sh
+  [[ -f /etc/profile.d/grok-config.sh ]] && cat /etc/profile.d/grok-config.sh
 } > "$AGENT_ENV_FILE" 2>/dev/null || true
 chmod 644 "$AGENT_ENV_FILE"`,
     renderAgentPrompt(),
@@ -60,6 +61,8 @@ const renderAgentPromptCommand = (mode: AgentMode): string =>
     ),
     Match.when("codex", () => String.raw`MCP_PLAYWRIGHT_ISOLATED=1 codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
+    Match.when("grok", () =>
+      String.raw`MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.exhaustive
   )
 
@@ -98,6 +101,7 @@ const renderAgentModeCase = (config: TemplateConfig): string =>
     indentBlock(renderAgentModeBlock(config, "claude")),
     indentBlock(renderAgentModeBlock(config, "codex")),
     indentBlock(renderAgentModeBlock(config, "gemini")),
+    indentBlock(renderAgentModeBlock(config, "grok")),
     indentBlock(
       String.raw`*)
   echo "[agent] unknown agent mode: $AGENT_MODE"
diff --git a/packages/lib/src/core/templates-entrypoint/base.ts b/packages/lib/src/core/templates-entrypoint/base.ts
index c414a2c1..52868b9d 100644
--- a/packages/lib/src/core/templates-entrypoint/base.ts
+++ b/packages/lib/src/core/templates-entrypoint/base.ts
@@ -24,6 +24,7 @@ fi
 CLAUDE_AUTH_LABEL="\${CLAUDE_AUTH_LABEL:-}"
 CODEX_AUTH_LABEL="\${CODEX_AUTH_LABEL:-}"
 GEMINI_AUTH_LABEL="\${GEMINI_AUTH_LABEL:-}"
+GROK_AUTH_LABEL="\${GROK_AUTH_LABEL:-}"
 GIT_AUTH_USER="\${GIT_AUTH_USER:-\${GITHUB_USER:-}}"
 GITLAB_TOKEN="\${GITLAB_TOKEN:-}"
 GIT_AUTH_TOKEN="\${GIT_AUTH_TOKEN:-\${GITHUB_TOKEN:-\${GH_TOKEN:-}}}"
diff --git a/packages/lib/src/core/templates-entrypoint/grok.ts b/packages/lib/src/core/templates-entrypoint/grok.ts
new file mode 100644
index 00000000..e75543d4
--- /dev/null
+++ b/packages/lib/src/core/templates-entrypoint/grok.ts
@@ -0,0 +1,313 @@
+import type { TemplateConfig } from "../domain.js"
+
+// CHANGE: add Grok CLI entrypoint configuration
+// WHY: issue #304 requires Grok auth, Playwright MCP and unrestricted agent permissions
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: renderEntrypointGrokConfig(config) -> valid_bash_script
+// PURITY: CORE
+// INVARIANT: Grok credentials are isolated by GROK_AUTH_LABEL
+// COMPLEXITY: O(1)
+
+const grokAuthRootContainerPath = (sshUser: string): string => `/home/${sshUser}/.docker-git/.orch/auth/grok`
+
+// CHANGE: render shell parameter defaults through TypeScript interpolation
+// WHY: String.raw preserves escaped \${...}, making optional Grok credentials fail under bash nounset
+// QUOTE(ТЗ): "GitHub Actions ... all CI checks are passing"
+// REF: issue-304-ci
+// SOURCE: n/a
+// FORMAT THEOREM: unset(GROK_DEPLOYMENT_KEY) -> safe_empty_value(GROK_DEPLOYMENT_KEY)
+// PURITY: CORE
+// INVARIANT: Optional Grok API credentials never require a bound environment variable
+// COMPLEXITY: O(1)
+const grokDeploymentKeyDefaultExpansion = "${GROK_DEPLOYMENT_KEY:-}"
+const grokApiKeyDefaultExpansion = "${GROK_API_KEY:-}"
+const grokAuthLabelDefaultExpansion = "${GROK_AUTH_LABEL:-}"
+const xaiApiKeyDefaultExpansion = "${XAI_API_KEY:-}"
+
+const grokAuthConfigTemplate = String
+  .raw`# Grok CLI: keep ~/.grok as a real home directory while sharing auth files from ~/.docker-git/.orch/auth/grok
+GROK_LABEL_RAW="${grokAuthLabelDefaultExpansion}"
+if [[ -z "$GROK_LABEL_RAW" ]]; then
+  GROK_LABEL_RAW="default"
+fi
+
+GROK_LABEL_NORM="$(printf "%s" "$GROK_LABEL_RAW" \
+  | tr '[:upper:]' '[:lower:]' \
+  | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//')"
+if [[ -z "$GROK_LABEL_NORM" ]]; then
+  GROK_LABEL_NORM="default"
+fi
+export GROK_AUTH_LABEL="$GROK_LABEL_NORM"
+
+GROK_AUTH_ROOT="__GROK_AUTH_ROOT__"
+export GROK_CONFIG_DIR="$GROK_AUTH_ROOT/$GROK_LABEL_NORM"
+
+mkdir -p "$GROK_CONFIG_DIR" || true
+GROK_HOME_DIR="__GROK_HOME_DIR__"
+mkdir -p "$GROK_HOME_DIR" || true
+GROK_SHARED_HOME_DIR="$GROK_CONFIG_DIR/.grok"
+mkdir -p "$GROK_SHARED_HOME_DIR" || true
+
+docker_git_link_grok_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    if [[ -d "$link_path" ]]; then
+      return 0
+    fi
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+docker_git_prepare_grok_home_dir() {
+  if [[ -L "$GROK_HOME_DIR" ]]; then
+    local previous_target
+    previous_target="$(readlink -f "$GROK_HOME_DIR" || true)"
+    rm -f "$GROK_HOME_DIR" || true
+    mkdir -p "$GROK_HOME_DIR" || true
+    if [[ -n "$previous_target" && -d "$previous_target" ]]; then
+      cp -a "$previous_target"/. "$GROK_HOME_DIR"/ 2>/dev/null || true
+    fi
+    return 0
+  fi
+
+  mkdir -p "$GROK_HOME_DIR" || true
+}
+
+docker_git_prepare_grok_home_dir
+
+docker_git_link_grok_file "$GROK_CONFIG_DIR/.api-key" "$GROK_HOME_DIR/.api-key"
+docker_git_link_grok_file "$GROK_CONFIG_DIR/.env" "$GROK_HOME_DIR/.env"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/auth.json" "$GROK_HOME_DIR/auth.json"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/config.toml" "$GROK_HOME_DIR/config.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/managed_config.toml" "$GROK_HOME_DIR/managed_config.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/requirements.toml" "$GROK_HOME_DIR/requirements.toml"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/user-settings.json" "$GROK_HOME_DIR/user-settings.json"
+docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/settings.json" "$GROK_HOME_DIR/settings.json"
+
+GROK_REAL_BIN="$(command -v grok || echo "/usr/local/bin/grok")"
+GROK_WRAPPER_BIN="/usr/local/bin/grok-wrapper"
+if [[ -f "$GROK_REAL_BIN" && "$GROK_REAL_BIN" != "$GROK_WRAPPER_BIN" ]]; then
+  if [[ ! -f "$GROK_WRAPPER_BIN" ]]; then
+    cat <<'EOF' > "$GROK_WRAPPER_BIN"
+#!/usr/bin/env bash
+GROK_ORIGINAL_BIN="__GROK_REAL_BIN__"
+for arg in "$@"; do
+  if [[ "$arg" == "--no-sandbox" ]]; then
+    exec "$GROK_ORIGINAL_BIN" "$@"
+  fi
+done
+exec "$GROK_ORIGINAL_BIN" --no-sandbox "$@"
+EOF
+    sed -i "s#__GROK_REAL_BIN__#$GROK_REAL_BIN#g" "$GROK_WRAPPER_BIN" || true
+    chmod 0755 "$GROK_WRAPPER_BIN" || true
+  fi
+fi
+
+docker_git_refresh_grok_env() {
+  local RESOLVED_GROK_API_KEY
+  if [[ -f "$GROK_HOME_DIR/.api-key" ]]; then
+    RESOLVED_GROK_API_KEY="$(cat "$GROK_HOME_DIR/.api-key" | tr -d '\r\n')"
+  elif [[ -f "$GROK_HOME_DIR/.env" ]]; then
+    RESOLVED_GROK_API_KEY="$(grep -E "^GROK_DEPLOYMENT_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    if [[ -z "$RESOLVED_GROK_API_KEY" ]]; then
+      RESOLVED_GROK_API_KEY="$(grep -E "^GROK_API_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    fi
+    if [[ -z "$RESOLVED_GROK_API_KEY" ]]; then
+      RESOLVED_GROK_API_KEY="$(grep -E "^XAI_API_KEY=" "$GROK_HOME_DIR/.env" 2>/dev/null | head -n 1 | cut -d'=' -f2- | sed "s/^['\"]//;s/['\"]$//" || true)"
+    fi
+  elif [[ -n "${grokDeploymentKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${grokDeploymentKeyDefaultExpansion}"
+  elif [[ -n "${grokApiKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${grokApiKeyDefaultExpansion}"
+  elif [[ -n "${xaiApiKeyDefaultExpansion}" ]]; then
+    RESOLVED_GROK_API_KEY="${xaiApiKeyDefaultExpansion}"
+  else
+    RESOLVED_GROK_API_KEY=""
+  fi
+  # Priority: selected account files, then GROK_DEPLOYMENT_KEY, GROK_API_KEY, XAI_API_KEY.
+  if [[ -n "$RESOLVED_GROK_API_KEY" ]]; then
+    export GROK_DEPLOYMENT_KEY="$RESOLVED_GROK_API_KEY"
+    export GROK_API_KEY="$RESOLVED_GROK_API_KEY"
+    export XAI_API_KEY="$RESOLVED_GROK_API_KEY"
+  fi
+}
+
+docker_git_refresh_grok_env`
+
+const renderGrokAuthConfig = (config: TemplateConfig): string =>
+  grokAuthConfigTemplate
+    .replaceAll("__GROK_AUTH_ROOT__", grokAuthRootContainerPath(config.sshUser))
+    .replaceAll("__GROK_HOME_DIR__", config.grokHome)
+
+const grokSettingsJsonTemplate = `{
+  "sandboxMode": "off",
+  "confirmBeforeToolUse": false,
+  "mcpServers": {
+    "playwright": {
+      "command": "docker-git-playwright-mcp",
+      "args": [],
+      "trust": true
+    }
+  }
+}`
+
+const grokUserSettingsJsonTemplate = `{
+  "sandboxMode": "off",
+  "confirmBeforeToolUse": false
+}`
+
+const renderGrokPermissionSettingsConfig = (config: TemplateConfig): string =>
+  String.raw`# Grok CLI: keep sandbox and MCP settings in sync with docker-git defaults
+GROK_SETTINGS_DIR="${config.grokHome}"
+GROK_CONFIG_SETTINGS_FILE="$GROK_SETTINGS_DIR/settings.json"
+GROK_USER_SETTINGS_FILE="$GROK_SETTINGS_DIR/user-settings.json"
+
+mkdir -p "$GROK_SETTINGS_DIR" || true
+
+cat <<'EOF' > "$GROK_CONFIG_SETTINGS_FILE"
+${grokSettingsJsonTemplate}
+EOF
+
+if [[ ! -s "$GROK_USER_SETTINGS_FILE" ]]; then
+  cat <<'EOF' > "$GROK_USER_SETTINGS_FILE"
+${grokUserSettingsJsonTemplate}
+EOF
+fi
+
+GROK_SETTINGS_OWNER_UID="$(id -u "${config.sshUser}" 2>/dev/null || id -u)"
+GROK_SETTINGS_OWNER_GID="$(id -g "${config.sshUser}" 2>/dev/null || id -g)"
+chown -R "$GROK_SETTINGS_OWNER_UID:$GROK_SETTINGS_OWNER_GID" "$GROK_SETTINGS_DIR" || true
+chmod 0600 "$GROK_CONFIG_SETTINGS_FILE" "$GROK_USER_SETTINGS_FILE" 2>/dev/null || true`
+
+const renderGrokSudoConfig = (config: TemplateConfig): string =>
+  String.raw`# Grok CLI: allow passwordless sudo for agent tasks
+# Risk rationale: Grok runs inside an isolated per-project container. The sshUser
+# value is validated as a Unix username before TemplateConfig construction, and
+# passwordless sudo matches the broad container-local privileges expected for
+# docker-git coding agents that need to install packages or manage services.
+if [[ -d /etc/sudoers.d ]]; then
+  echo "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/grok-agent
+  chmod 0440 /etc/sudoers.d/grok-agent
+fi`
+
+const renderGrokProfileSetup = (config: TemplateConfig): string =>
+  String.raw`GROK_PROFILE="/etc/profile.d/grok-config.sh"
+printf "export GROK_AUTH_LABEL=%q\n" "$GROK_AUTH_LABEL" > "$GROK_PROFILE"
+printf "export GROK_HOME=%q\n" "${config.grokHome}" >> "$GROK_PROFILE"
+printf "alias grok='/usr/local/bin/grok-wrapper'\n" >> "$GROK_PROFILE"
+cat <<'EOF' >> "$GROK_PROFILE"
+if [[ -f "$GROK_HOME/.api-key" ]]; then
+  API_KEY="$(cat "$GROK_HOME/.api-key" | tr -d '\r\n')"
+  export GROK_DEPLOYMENT_KEY="$API_KEY"
+  export GROK_API_KEY="$API_KEY"
+  export XAI_API_KEY="$API_KEY"
+fi
+EOF
+chmod 0644 "$GROK_PROFILE" || true
+
+docker_git_upsert_ssh_env "GROK_AUTH_LABEL" "$GROK_AUTH_LABEL"
+docker_git_upsert_ssh_env "GROK_DEPLOYMENT_KEY" "${grokDeploymentKeyDefaultExpansion}"
+docker_git_upsert_ssh_env "GROK_API_KEY" "${grokApiKeyDefaultExpansion}"
+docker_git_upsert_ssh_env "XAI_API_KEY" "${xaiApiKeyDefaultExpansion}"`
+
+const entrypointGrokNoticeTemplate = String.raw`# Ensure global GROK.md exists for container context
+GROK_MD_PATH="__GROK_HOME__/GROK.md"
+GROK_WORKSPACE_CONTEXT="Контекст workspace: repository"
+if [[ "$REPO_REF" == issue-* ]]; then
+  ISSUE_ID="$(printf "%s" "$REPO_REF" | sed -E 's#^issue-##')"
+  ISSUE_URL=""
+  if [[ "$REPO_URL" == https://github.com/* ]]; then
+    ISSUE_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO" ]]; then
+      ISSUE_URL="https://github.com/$ISSUE_REPO/issues/$ISSUE_ID"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID ($ISSUE_URL)"
+  else
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID"
+  fi
+elif [[ "$REPO_REF" == refs/pull/*/head ]]; then
+  PR_ID="$(printf "%s" "$REPO_REF" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL=""
+  if [[ "$REPO_URL" == https://github.com/* && -n "$PR_ID" ]]; then
+    PR_REPO="$(printf "%s" "$REPO_URL" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO" ]]; then
+      PR_URL="https://github.com/$PR_REPO/pull/$PR_ID"
+    fi
+  fi
+  if [[ -n "$PR_ID" && -n "$PR_URL" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID ($PR_URL)"
+  elif [[ -n "$PR_ID" ]]; then
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID"
+  else
+    GROK_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF)"
+  fi
+fi
+
+GROK_SYSTEM_PROMPT_OVERRIDE_FILE="${"$"}{GROK_SYSTEM_PROMPT_OVERRIDE_FILE:-}"
+GROK_SYSTEM_PROMPT_OVERRIDE="${"$"}{GROK_SYSTEM_PROMPT_OVERRIDE:-}"
+GROK_DEFAULT_PROMPT_BODY="$(cat <<EOF
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, bun, codex, gemini, grok, claude, opencode, oh-my-opencode, sshpass, git, node и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$GROK_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Для решения задач обязательно используй subagents. Сам агент обязан выполнять финальную проверку, интеграцию и валидацию результата перед ответом пользователю.
+Если ты видишь файлы AGENTS.md, GEMINI.md, GROK.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+EOF
+)"
+GROK_DEFAULT_PROMPT_BODY="$(docker_git_decode_unicode_escapes "$GROK_DEFAULT_PROMPT_BODY")"
+if [[ -n "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE" && -r "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE" ]]; then
+  GROK_PROMPT_BODY="$(cat "$GROK_SYSTEM_PROMPT_OVERRIDE_FILE")"
+elif [[ -n "$GROK_SYSTEM_PROMPT_OVERRIDE" ]]; then
+  GROK_PROMPT_BODY="$GROK_SYSTEM_PROMPT_OVERRIDE"
+else
+  GROK_PROMPT_BODY="$GROK_DEFAULT_PROMPT_BODY"
+fi
+
+cat <<EOF > "$GROK_MD_PATH"
+<!-- docker-git-managed:grok-md -->
+$GROK_PROMPT_BODY
+<!-- /docker-git-managed:grok-md -->
+EOF
+GROK_NOTICE_OWNER_UID="$(id -u "__SSH_USER__" 2>/dev/null || id -u)"
+GROK_NOTICE_OWNER_GID="$(id -g "__SSH_USER__" 2>/dev/null || id -g)"
+chown "$GROK_NOTICE_OWNER_UID:$GROK_NOTICE_OWNER_GID" "$GROK_MD_PATH" || true`
+
+const renderEntrypointGrokNotice = (config: TemplateConfig): string =>
+  entrypointGrokNoticeTemplate
+    .replaceAll("__GROK_HOME__", config.grokHome)
+    .replaceAll("__SSH_USER__", config.sshUser)
+    .replaceAll("__TARGET_DIR__", config.targetDir)
+
+/**
+ * Renders the Grok CLI entrypoint bootstrap for a generated project container.
+ *
+ * @param config Project template configuration with SSH user, Grok home, and target directory paths.
+ * @returns Bash fragment that wires Grok auth labels, config files, profile exports, sudo policy, and managed GROK.md.
+ * @pure true
+ * @effect none; CORE template renderer only constructs a string.
+ * @invariant returned script keeps Grok credentials scoped by GROK_AUTH_LABEL.
+ * @precondition config contains validated container paths from TemplateConfig construction.
+ * @postcondition returned string contains all Grok setup fragments in deterministic order.
+ * @complexity O(1) time / O(1) space.
+ */
+export const renderEntrypointGrokConfig = (config: TemplateConfig): string =>
+  [
+    renderGrokAuthConfig(config),
+    renderGrokPermissionSettingsConfig(config),
+    renderGrokSudoConfig(config),
+    renderGrokProfileSetup(config),
+    renderEntrypointGrokNotice(config)
+  ].join("\n\n")
diff --git a/packages/lib/src/core/templates-entrypoint/project-rules.ts b/packages/lib/src/core/templates-entrypoint/project-rules.ts
index 8f03db50..cf8d3dd7 100644
--- a/packages/lib/src/core/templates-entrypoint/project-rules.ts
+++ b/packages/lib/src/core/templates-entrypoint/project-rules.ts
@@ -1,8 +1,8 @@
 // CHANGE: separate project rule preparation by active agent mode
-// WHY: Codex, Claude Code, and Gemini CLI each have different native project-level config models
+// WHY: Codex, Claude Code, Gemini CLI, and Grok CLI each have different native project-level config models
 // REF: issue-207
 // PURITY: CORE
-// INVARIANT: Codex gets a bridge for skills that live outside CODEX_HOME; Claude/Gemini stay on native project-local discovery
+// INVARIANT: Codex gets a bridge for skills that live outside CODEX_HOME; Claude/Gemini/Grok stay on native project-local discovery
 // COMPLEXITY: O(1)
 const entrypointProjectAgentRulesTemplate = String
   .raw`# Prepare project-local rules using each agent's native conventions.
@@ -38,6 +38,22 @@ docker_git_detect_gemini_project_rules() {
   fi
 }
 
+docker_git_detect_grok_project_rules() {
+  local project_dir="${"$"}{TARGET_DIR:-}"
+
+  if [[ -z "$project_dir" || ! -d "$project_dir" ]]; then
+    return 0
+  fi
+
+  if [[ -f "$project_dir/GROK.md" \
+    || -f "$project_dir/.grok/settings.json" \
+    || -d "$project_dir/.grok/commands" \
+    || -d "$project_dir/.grok/skills" \
+    || -d "$project_dir/.agents/skills" ]]; then
+    echo "[grok] project-local Grok rules available in $project_dir"
+  fi
+}
+
 docker_git_prepare_active_agent_project_rules() {
   case "$AGENT_MODE" in
     "codex")
@@ -49,10 +65,14 @@ docker_git_prepare_active_agent_project_rules() {
     "gemini")
       docker_git_detect_gemini_project_rules
       ;;
+    "grok")
+      docker_git_detect_grok_project_rules
+      ;;
     *)
       docker_git_sync_project_codex_skills
       docker_git_detect_claude_project_rules
       docker_git_detect_gemini_project_rules
+      docker_git_detect_grok_project_rules
       ;;
   esac
 }`
diff --git a/packages/lib/src/core/templates-entrypoint/rtk.ts b/packages/lib/src/core/templates-entrypoint/rtk.ts
index 5d245991..042ac23c 100644
--- a/packages/lib/src/core/templates-entrypoint/rtk.ts
+++ b/packages/lib/src/core/templates-entrypoint/rtk.ts
@@ -5,7 +5,7 @@ import type { TemplateConfig } from "../domain.js"
 // QUOTE(TASK): "make it work out of the box for docker-git"
 // REF: issue-266
 // SOURCE: https://github.com/rtk-ai/rtk/blob/develop/README.md
-// FORMAT THEOREM: forall start: RTK_ENABLED(start) -> configured(codex, claude, gemini, opencode)
+// FORMAT THEOREM: forall start: RTK_ENABLED(start) -> configured(codex, claude, gemini, grok, opencode)
 // PURITY: CORE (pure template renderer)
 // INVARIANT: RTK init runs as the non-root SSH user and never blocks container startup.
 // COMPLEXITY: O(1)
@@ -27,8 +27,8 @@ docker_git_rtk_init_as_user() {
     return 0
   fi
 
-  mkdir -p "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config/opencode" "/home/__SSH_USER__/.gemini" || true
-  chown -R 1000:1000 "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config" "/home/__SSH_USER__/.gemini" 2>/dev/null || true
+  mkdir -p "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config/opencode" "/home/__SSH_USER__/.gemini" "/home/__SSH_USER__/.grok" || true
+  chown -R 1000:1000 "$CLAUDE_CONFIG_DIR" "__CODEX_HOME__" "/home/__SSH_USER__/.config" "/home/__SSH_USER__/.gemini" "/home/__SSH_USER__/.grok" 2>/dev/null || true
 
   if su - __SSH_USER__ -s /bin/bash -c "$command" </dev/null; then
     echo "[rtk] configured $label"
diff --git a/packages/lib/src/core/templates/docker-compose.ts b/packages/lib/src/core/templates/docker-compose.ts
index d5df1d87..84e09d2b 100644
--- a/packages/lib/src/core/templates/docker-compose.ts
+++ b/packages/lib/src/core/templates/docker-compose.ts
@@ -15,6 +15,8 @@ type ComposeFragments = {
   readonly maybeGitTokenLabelEnv: string
   readonly maybeCodexAuthLabelEnv: string
   readonly maybeClaudeAuthLabelEnv: string
+  readonly maybeGeminiAuthLabelEnv: string
+  readonly maybeGrokAuthLabelEnv: string
   readonly maybeAgentModeEnv: string
   readonly maybeAgentAutoEnv: string
   readonly maybeDependsOn: string
@@ -30,6 +32,17 @@ type PlaywrightFragments = Pick<
   "maybeDependsOn" | "maybeDockerSocketMount" | "maybePlaywrightEnv" | "maybeBrowserVolume"
 >
 
+type AuthEnvFragments = Pick<
+  ComposeFragments,
+  | "maybeGitTokenLabelEnv"
+  | "maybeCodexAuthLabelEnv"
+  | "maybeClaudeAuthLabelEnv"
+  | "maybeGeminiAuthLabelEnv"
+  | "maybeGrokAuthLabelEnv"
+>
+
+type AgentEnvFragments = Pick<ComposeFragments, "maybeAgentModeEnv" | "maybeAgentAutoEnv">
+
 export type DockerComposeRenderOptions = {
   readonly enableLocalDockerSocket: boolean
 }
@@ -64,6 +77,16 @@ const renderClaudeAuthLabelEnv = (claudeAuthLabel: string): string =>
     ? `      CLAUDE_AUTH_LABEL: "${claudeAuthLabel}"\n`
     : ""
 
+const renderGeminiAuthLabelEnv = (geminiAuthLabel: string): string =>
+  geminiAuthLabel.length > 0
+    ? `      GEMINI_AUTH_LABEL: "${geminiAuthLabel}"\n`
+    : ""
+
+const renderGrokAuthLabelEnv = (grokAuthLabel: string): string =>
+  grokAuthLabel.length > 0
+    ? `      GROK_AUTH_LABEL: "${grokAuthLabel}"\n`
+    : ""
+
 const renderAgentModeEnv = (agentMode: string | undefined): string =>
   agentMode !== undefined && agentMode.length > 0
     ? `      AGENT_MODE: "${agentMode}"\n`
@@ -94,6 +117,21 @@ const renderOptionalDockerSocketMount = (enableLocalDockerSocket: boolean): stri
 const renderEnvFiles = (config: TemplateConfig): string =>
   `    env_file:\n      - ${config.envGlobalPath}\n      - ${config.envProjectPath}\n`
 
+const optionalTrimmed = (value: string | undefined): string => value?.trim() ?? ""
+
+const buildAuthEnvFragments = (config: TemplateConfig): AuthEnvFragments => ({
+  maybeGitTokenLabelEnv: renderGitTokenLabelEnv(optionalTrimmed(config.gitTokenLabel)),
+  maybeCodexAuthLabelEnv: renderCodexAuthLabelEnv(optionalTrimmed(config.codexAuthLabel)),
+  maybeClaudeAuthLabelEnv: renderClaudeAuthLabelEnv(optionalTrimmed(config.claudeAuthLabel)),
+  maybeGeminiAuthLabelEnv: renderGeminiAuthLabelEnv(optionalTrimmed(config.geminiAuthLabel)),
+  maybeGrokAuthLabelEnv: renderGrokAuthLabelEnv(optionalTrimmed(config.grokAuthLabel))
+})
+
+const buildAgentEnvFragments = (config: TemplateConfig): AgentEnvFragments => ({
+  maybeAgentModeEnv: renderAgentModeEnv(config.agentMode),
+  maybeAgentAutoEnv: renderAgentAutoEnv(config.agentAuto)
+})
+
 const renderBrowserLimitEnv = (
   key: string,
   value: number | string | undefined
@@ -153,25 +191,16 @@ const buildComposeFragments = (
   const networkName = resolveComposeNetworkName(config)
   const forkRepoUrl = config.forkRepoUrl ?? ""
   const maybeGithubAuthSkipEnv = renderGithubAuthSkipEnv(config.skipGithubAuth)
-  const gitTokenLabel = config.gitTokenLabel?.trim() ?? ""
-  const codexAuthLabel = config.codexAuthLabel?.trim() ?? ""
-  const claudeAuthLabel = config.claudeAuthLabel?.trim() ?? ""
-  const maybeGitTokenLabelEnv = renderGitTokenLabelEnv(gitTokenLabel)
-  const maybeCodexAuthLabelEnv = renderCodexAuthLabelEnv(codexAuthLabel)
-  const maybeClaudeAuthLabelEnv = renderClaudeAuthLabelEnv(claudeAuthLabel)
-  const maybeAgentModeEnv = renderAgentModeEnv(config.agentMode)
-  const maybeAgentAutoEnv = renderAgentAutoEnv(config.agentAuto)
+  const authEnv = buildAuthEnvFragments(config)
+  const agentEnv = buildAgentEnvFragments(config)
   const playwright = buildPlaywrightFragments(config, resourceLimits.playwright, options)
 
   return {
     networkMode,
     networkName,
     maybeGithubAuthSkipEnv,
-    maybeGitTokenLabelEnv,
-    maybeCodexAuthLabelEnv,
-    maybeClaudeAuthLabelEnv,
-    maybeAgentModeEnv,
-    maybeAgentAutoEnv,
+    ...authEnv,
+    ...agentEnv,
     maybeDependsOn: playwright.maybeDependsOn,
     maybeDockerSocketMount: playwright.maybeDockerSocketMount,
     maybePlaywrightEnv: playwright.maybePlaywrightEnv,
@@ -200,7 +229,9 @@ ${renderGpu(config.gpu)}${
 ${fragments.maybeGithubAuthSkipEnv}      # Optional anonymous public GitHub clone override
 ${fragments.maybeGitTokenLabelEnv}      # Optional token label selector (maps to GITHUB_TOKEN__<LABEL>/GIT_AUTH_TOKEN__<LABEL>)
 ${fragments.maybeCodexAuthLabelEnv}      # Optional Codex account label selector (maps to CODEX_AUTH_LABEL)
-${fragments.maybeClaudeAuthLabelEnv}${fragments.maybeAgentModeEnv}${fragments.maybeAgentAutoEnv}      # Optional Claude account label selector (maps to CLAUDE_AUTH_LABEL)
+${fragments.maybeClaudeAuthLabelEnv}      # Optional Claude account label selector (maps to CLAUDE_AUTH_LABEL)
+${fragments.maybeGeminiAuthLabelEnv}      # Optional Gemini account label selector (maps to GEMINI_AUTH_LABEL)
+${fragments.maybeGrokAuthLabelEnv}${fragments.maybeAgentModeEnv}${fragments.maybeAgentAutoEnv}      # Optional Grok account label selector (maps to GROK_AUTH_LABEL)
       # Optional isolated Docker daemon endpoint injected by the API controller.
       DOCKER_GIT_PROJECT_DOCKER_HOST: "\${DOCKER_GIT_PROJECT_DOCKER_HOST:-}"
       TARGET_DIR: "${config.targetDir}"
diff --git a/packages/lib/src/core/templates/dockerfile.ts b/packages/lib/src/core/templates/dockerfile.ts
index 0861c37a..3079edbe 100644
--- a/packages/lib/src/core/templates/dockerfile.ts
+++ b/packages/lib/src/core/templates/dockerfile.ts
@@ -87,8 +87,11 @@ RUN mkdir -p /usr/local/nvm \
 RUN printf "export NVM_DIR=/usr/local/nvm\\n[ -s /usr/local/nvm/nvm.sh ] && . /usr/local/nvm/nvm.sh\\n" \
   > /etc/profile.d/nvm.sh && chmod 0644 /etc/profile.d/nvm.sh`
 
+const grokCliInstallScriptUrl = "https://x.ai/cli/install.sh"
+const grokCliVersion = "0.1.211"
+
 const renderDockerfileBunPrelude = (config: TemplateConfig): string =>
-  `# Tooling: Bun + Codex CLI (bun) + oh-my-opencode (npm + platform binary) + Claude Code CLI (npm)
+  `# Tooling: Bun + Codex CLI (bun) + oh-my-opencode (npm + platform binary) + Claude Code CLI (npm) + Grok CLI (xAI installer)
 ENV TERM=xterm-256color
 RUN set -eu; \
   for attempt in 1 2 3 4 5; do \
@@ -118,7 +121,16 @@ RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
 RUN claude --version
 RUN npm install -g @google/gemini-cli@latest --force
-RUN gemini --version`
+RUN gemini --version
+RUN set -eu; \
+  curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 ${grokCliInstallScriptUrl} -o /tmp/grok-install.sh; \
+  HOME=/tmp/grok-install-home GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh ${grokCliVersion}; \
+  install -m 0755 "$(readlink -f /usr/local/bin/grok)" /usr/local/bin/grok.real; \
+  install -m 0755 "$(readlink -f /usr/local/bin/agent)" /usr/local/bin/agent.real; \
+  mv -f /usr/local/bin/grok.real /usr/local/bin/grok; \
+  mv -f /usr/local/bin/agent.real /usr/local/bin/agent; \
+  rm -rf /tmp/grok-install.sh /tmp/grok-install-home
+RUN grok --version`
 
 // CHANGE: install RTK as a real command-output optimizer in generated containers.
 // WHY: issue-266 asks for out-of-the-box RTK behavior, not only a session-sync estimate.
@@ -365,6 +377,8 @@ RUN set -eu; \
 RUN mkdir -p /opt/docker-git/bootstrap/.orch/auth/codex \
   /opt/docker-git/bootstrap/.orch/auth/codex-shared \
   /opt/docker-git/bootstrap/.orch/auth/claude \
+  /opt/docker-git/bootstrap/.orch/auth/gemini \
+  /opt/docker-git/bootstrap/.orch/auth/grok \
   /opt/docker-git/bootstrap/.orch/env \
   && touch /opt/docker-git/bootstrap/authorized_keys \
   /opt/docker-git/bootstrap/.orch/env/global.env \
diff --git a/packages/lib/src/shell/config.ts b/packages/lib/src/shell/config.ts
index b4b2a70a..f4a0d0e9 100644
--- a/packages/lib/src/shell/config.ts
+++ b/packages/lib/src/shell/config.ts
@@ -52,6 +52,13 @@ const TemplateConfigInputSchema = Schema.Struct({
   geminiHome: Schema.optionalWith(Schema.String, {
     default: () => defaultTemplateConfig.geminiHome
   }),
+  grokAuthLabel: Schema.optional(Schema.String),
+  grokAuthPath: Schema.optionalWith(Schema.String, {
+    default: () => defaultTemplateConfig.grokAuthPath
+  }),
+  grokHome: Schema.optionalWith(Schema.String, {
+    default: () => defaultTemplateConfig.grokHome
+  }),
   cpuLimit: Schema.optionalWith(Schema.String, {
     default: () => defaultTemplateConfig.cpuLimit
   }),
diff --git a/packages/lib/src/shell/docker-daemon-access.ts b/packages/lib/src/shell/docker-daemon-access.ts
index def9356f..107b226f 100644
--- a/packages/lib/src/shell/docker-daemon-access.ts
+++ b/packages/lib/src/shell/docker-daemon-access.ts
@@ -20,6 +20,12 @@ const collectUint8Array = (chunks: Chunk.Chunk<Uint8Array>): Uint8Array =>
 const formatDockerFallbackFailure = (dockerHost: string, details: string): string =>
   `Fallback DOCKER_HOST=${dockerHost} failed: ${details}`
 
+const dockerInfoPlatformError = (error: PlatformError): DockerAccessError =>
+  new DockerAccessError({
+    issue: "DaemonUnavailable",
+    details: String(error)
+  })
+
 const resolveDockerHostFallbackCandidates = (): ReadonlyArray<string> => {
   if (process.env["DOCKER_HOST"] !== undefined) {
     return []
@@ -97,14 +103,14 @@ export const classifyDockerAccessIssue = (message: string): DockerAccessIssue =>
 // FORMAT THEOREM: ∀cwd: access(cwd)=ok ∨ DockerAccessError
 // PURITY: SHELL
 // EFFECT: Effect<void, DockerAccessError | PlatformError, CommandExecutor>
-// INVARIANT: non-zero docker info exit always maps to DockerAccessError
+// INVARIANT: non-zero docker info exit or spawn failure always maps to DockerAccessError
 // COMPLEXITY: O(command)
 export const ensureDockerDaemonAccess = (
   cwd: string
 ): Effect.Effect<void, DockerAccessError | PlatformError, CommandExecutor.CommandExecutor> =>
   Effect.scoped(
     Effect.gen(function*(_) {
-      const primaryResult = yield* _(runDockerInfoCommand(cwd))
+      const primaryResult = yield* _(runDockerInfoCommand(cwd).pipe(Effect.mapError(dockerInfoPlatformError)))
       if (primaryResult.exitCode === 0) {
         return
       }
@@ -128,7 +134,7 @@ export const ensureDockerDaemonAccess = (
           runDockerInfoCommand(cwd, {
             ...process.env,
             DOCKER_HOST: fallbackHost
-          })
+          }).pipe(Effect.mapError(dockerInfoPlatformError))
         )
 
         if (fallbackResult.exitCode === 0) {
diff --git a/packages/lib/src/usecases/agent-auto-select.ts b/packages/lib/src/usecases/agent-auto-select.ts
index 3f4877ff..53c951bb 100644
--- a/packages/lib/src/usecases/agent-auto-select.ts
+++ b/packages/lib/src/usecases/agent-auto-select.ts
@@ -4,6 +4,7 @@ import type * as Path from "@effect/platform/Path"
 import { Effect } from "effect"
 
 import type { AgentMode, ParseError, TemplateConfig } from "../core/domain.js"
+import { hasGrokCredentials } from "./auth-grok-helpers.js"
 import { normalizeAccountLabel } from "./auth-helpers.js"
 import { hasNonEmptyFile } from "./auth-sync-helpers.js"
 
@@ -13,6 +14,16 @@ const autoOptionError = (reason: string): ParseError => ({
   reason
 })
 
+type AvailableAgentAuth = {
+  readonly claudeAvailable: boolean
+  readonly codexAvailable: boolean
+  readonly grokAvailable: boolean
+}
+
+const claudeMode: ReadonlyArray<AgentMode> = ["claude"]
+const codexMode: ReadonlyArray<AgentMode> = ["codex"]
+const grokMode: ReadonlyArray<AgentMode> = ["grok"]
+
 const isRegularFile = (
   fs: FileSystem.FileSystem,
   filePath: string
@@ -38,6 +49,15 @@ const hasCodexAuth = (
   return hasNonEmptyFile(fs, authPath)
 }
 
+const hasGrokAuth = (
+  fs: FileSystem.FileSystem,
+  rootPath: string,
+  label: string | undefined
+): Effect.Effect<boolean, PlatformError> => {
+  const normalized = normalizeAccountLabel(label ?? null, "default")
+  return hasGrokCredentials(fs, `${rootPath}/${normalized}`)
+}
+
 const resolveClaudeAccountPath = (rootPath: string, label: string | undefined): ReadonlyArray<string> => {
   const normalized = normalizeAccountLabel(label ?? null, "default")
   if (normalized !== "default") {
@@ -77,18 +97,22 @@ const resolveClaudeRoot = (codexSharedAuthPath: string): string =>
 
 const resolveAvailableAgentAuth = (
   fs: FileSystem.FileSystem,
-  config: Pick<TemplateConfig, "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath">
-): Effect.Effect<{ readonly claudeAvailable: boolean; readonly codexAvailable: boolean }, PlatformError> =>
+  config: Pick<
+    TemplateConfig,
+    "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath" | "grokAuthLabel" | "grokAuthPath"
+  >
+): Effect.Effect<AvailableAgentAuth, PlatformError> =>
   Effect.gen(function*(_) {
     const claudeAvailable = yield* _(
       hasClaudeAuth(fs, resolveClaudeRoot(config.codexSharedAuthPath), config.claudeAuthLabel)
     )
     const codexAvailable = yield* _(hasCodexAuth(fs, config.codexSharedAuthPath, config.codexAuthLabel))
-    return { claudeAvailable, codexAvailable }
+    const grokAvailable = yield* _(hasGrokAuth(fs, config.grokAuthPath, config.grokAuthLabel))
+    return { claudeAvailable, codexAvailable, grokAvailable }
   })
 
 const resolveExplicitAutoAgentMode = (
-  available: { readonly claudeAvailable: boolean; readonly codexAvailable: boolean },
+  available: AvailableAgentAuth,
   mode: AgentMode | undefined
 ): Effect.Effect<AgentMode | undefined, ParseError> => {
   if (mode === "claude") {
@@ -101,26 +125,43 @@ const resolveExplicitAutoAgentMode = (
       ? Effect.succeed("codex")
       : Effect.fail(autoOptionError("Codex auth not found"))
   }
+  if (mode === "grok") {
+    return available.grokAvailable
+      ? Effect.succeed("grok")
+      : Effect.fail(autoOptionError("Grok auth not found"))
+  }
   return Effect.sync(() => mode)
 }
 
-const pickRandomAutoAgentMode = (
-  available: { readonly claudeAvailable: boolean; readonly codexAvailable: boolean }
-): Effect.Effect<AgentMode, ParseError> => {
-  if (!available.claudeAvailable && !available.codexAvailable) {
-    return Effect.fail(autoOptionError("no Claude or Codex auth found"))
-  }
-  if (available.claudeAvailable && !available.codexAvailable) {
-    return Effect.succeed("claude")
+const availableAgentModes = (available: AvailableAgentAuth): ReadonlyArray<AgentMode> => [
+  ...(available.claudeAvailable ? claudeMode : []),
+  ...(available.codexAvailable ? codexMode : []),
+  ...(available.grokAvailable ? grokMode : [])
+]
+
+const pickRandomAutoAgentMode = (available: AvailableAgentAuth): Effect.Effect<AgentMode, ParseError> => {
+  const modes = availableAgentModes(available)
+  const firstMode = modes[0]
+  if (firstMode === undefined) {
+    return Effect.fail(autoOptionError("no Claude, Codex or Grok auth found"))
   }
-  if (!available.claudeAvailable && available.codexAvailable) {
-    return Effect.succeed("codex")
+  if (modes.length === 1) {
+    return Effect.succeed(firstMode)
   }
-  return Effect.sync(() => (process.hrtime.bigint() % 2n === 0n ? "claude" : "codex"))
+  return Effect.sync(() => modes[Number(process.hrtime.bigint() % BigInt(modes.length))] ?? firstMode)
 }
 
 export const resolveAutoAgentMode = (
-  config: Pick<TemplateConfig, "agentAuto" | "agentMode" | "claudeAuthLabel" | "codexAuthLabel" | "codexSharedAuthPath">
+  config: Pick<
+    TemplateConfig,
+    | "agentAuto"
+    | "agentMode"
+    | "claudeAuthLabel"
+    | "codexAuthLabel"
+    | "codexSharedAuthPath"
+    | "grokAuthLabel"
+    | "grokAuthPath"
+  >
 ): Effect.Effect<AgentMode | undefined, ParseError | PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
     const fs = yield* _(FileSystem.FileSystem)
diff --git a/packages/lib/src/usecases/apply-overrides.ts b/packages/lib/src/usecases/apply-overrides.ts
index 3b2e0289..bf10b913 100644
--- a/packages/lib/src/usecases/apply-overrides.ts
+++ b/packages/lib/src/usecases/apply-overrides.ts
@@ -5,6 +5,8 @@ const applyOverrideKeys = [
   "gitTokenLabel",
   "codexTokenLabel",
   "claudeTokenLabel",
+  "geminiTokenLabel",
+  "grokTokenLabel",
   "cpuLimit",
   "ramLimit",
   "playwrightCpuLimit",
@@ -27,6 +29,12 @@ const applyTokenOverrides = (template: TemplateConfig, command: ApplyCommand): T
   if (command.claudeTokenLabel !== undefined) {
     next = { ...next, claudeAuthLabel: normalizeAuthLabel(command.claudeTokenLabel) }
   }
+  if (command.geminiTokenLabel !== undefined) {
+    next = { ...next, geminiAuthLabel: normalizeAuthLabel(command.geminiTokenLabel) }
+  }
+  if (command.grokTokenLabel !== undefined) {
+    next = { ...next, grokAuthLabel: normalizeAuthLabel(command.grokTokenLabel) }
+  }
   return next
 }
 
diff --git a/packages/lib/src/usecases/auth-grok-credential-text.ts b/packages/lib/src/usecases/auth-grok-credential-text.ts
new file mode 100644
index 00000000..dc9f5826
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok-credential-text.ts
@@ -0,0 +1,47 @@
+import { parseJsonRecordOrNull } from "./auth-sync-helpers.js"
+import type { JsonRecord, JsonValue } from "./auth-sync-helpers.js"
+
+const officialGrokAuthScopes: ReadonlyArray<string> = [
+  "https://auth.x.ai::b1a00492-073a-47ea-816f-4c329264a828",
+  "https://accounts.x.ai/sign-in"
+]
+const grokUserSettingsCredentialKeys: ReadonlyArray<string> = [
+  "apiKey",
+  "accessToken",
+  "access_token",
+  "authToken",
+  "refreshToken",
+  "refresh_token"
+]
+const grokOauthCredentialKeys: ReadonlyArray<string> = [...grokUserSettingsCredentialKeys, "token"]
+const grokUserSettingsFallbackCredentialMarkers: ReadonlyArray<RegExp> = [
+  /"(?:apiKey|accessToken|access_token|authToken|refreshToken|refresh_token)"\s*:\s*"[^"]+"/u
+]
+
+const isJsonRecord = (value: JsonValue | undefined): value is JsonRecord =>
+  typeof value === "object" && value !== null && !Array.isArray(value)
+
+const hasNonEmptyStringProperty = (record: JsonRecord, key: string): boolean =>
+  typeof record[key] === "string" && record[key].trim().length > 0
+
+export const hasGrokUserSettingsCredentialText = (settingsText: string): boolean => {
+  const parsed = parseJsonRecordOrNull(settingsText)
+  if (parsed !== null) {
+    if (grokUserSettingsCredentialKeys.some((key) => hasNonEmptyStringProperty(parsed, key))) {
+      return true
+    }
+    const oauth = parsed["oauth"]
+    return isJsonRecord(oauth) && grokOauthCredentialKeys.some((key) => hasNonEmptyStringProperty(oauth, key))
+  }
+
+  return grokUserSettingsFallbackCredentialMarkers.some((marker) => marker.test(settingsText))
+}
+
+export const hasGrokAuthJsonCredentialText = (authJsonText: string): boolean => {
+  const parsed = parseJsonRecordOrNull(authJsonText)
+  return parsed !== null &&
+    officialGrokAuthScopes.some((scope) => {
+      const scopedCredentials = parsed[scope]
+      return isJsonRecord(scopedCredentials) && hasNonEmptyStringProperty(scopedCredentials, "key")
+    })
+}
diff --git a/packages/lib/src/usecases/auth-grok-helpers.ts b/packages/lib/src/usecases/auth-grok-helpers.ts
new file mode 100644
index 00000000..23c8eb9b
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok-helpers.ts
@@ -0,0 +1,283 @@
+import type * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import type * as FileSystem from "@effect/platform/FileSystem"
+import type * as Path from "@effect/platform/Path"
+import { Effect, pipe } from "effect"
+
+import type { AuthGrokLoginCommand, AuthGrokLogoutCommand, AuthGrokStatusCommand } from "../core/domain.js"
+import { defaultTemplateConfig } from "../core/domain.js"
+import { runCommandExitCode } from "../shell/command-runner.js"
+import { CommandFailedError } from "../shell/errors.js"
+import { hasGrokAuthJsonCredentialText, hasGrokUserSettingsCredentialText } from "./auth-grok-credential-text.js"
+import { isRegularFile, normalizeAccountLabel } from "./auth-helpers.js"
+import { migrateLegacyOrchLayout } from "./auth-sync.js"
+import { ensureDockerImage } from "./docker-image.js"
+import { resolvePathFromCwd } from "./path-helpers.js"
+import { withFsPathContext } from "./runtime.js"
+
+export type GrokRuntime = FileSystem.FileSystem | Path.Path | CommandExecutor.CommandExecutor
+export type GrokAuthMethod = "none" | "api-key" | "oauth"
+
+export const grokImageName = "docker-git-auth-grok:latest"
+export const grokImageDir = ".docker-git/.orch/auth/grok/.image"
+export const grokContainerHomeDir = "/grok-home"
+export const grokCredentialsDir = ".grok"
+export const grokCliInstallScriptUrl = "https://x.ai/cli/install.sh"
+export const grokCliVersion = "0.1.211"
+
+export type GrokAccountContext = {
+  readonly accountLabel: string
+  readonly accountPath: string
+  readonly cwd: string
+  readonly fs: FileSystem.FileSystem
+}
+
+export const grokAuthRoot = ".docker-git/.orch/auth/grok"
+
+export const grokApiKeyFileName = ".api-key"
+export const grokEnvFileName = ".env"
+
+export const grokApiKeyPath = (accountPath: string): string => `${accountPath}/${grokApiKeyFileName}`
+export const grokEnvFilePath = (accountPath: string): string => `${accountPath}/${grokEnvFileName}`
+export const grokCredentialsPath = (accountPath: string): string => `${accountPath}/${grokCredentialsDir}`
+export const grokUserSettingsPath = (accountPath: string): string =>
+  `${grokCredentialsPath(accountPath)}/user-settings.json`
+export const grokAuthJsonPath = (accountPath: string): string => `${grokCredentialsPath(accountPath)}/auth.json`
+
+const grokEnvApiKeyNames: ReadonlyArray<string> = ["GROK_DEPLOYMENT_KEY", "GROK_API_KEY", "XAI_API_KEY"]
+
+// CHANGE: render Dockerfile for Grok CLI authentication image
+// WHY: Grok browser/OAuth auth must run in an isolated shell that persists ~/.grok
+// QUOTE(ТЗ): "Signing in with Grok..."
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: renderGrokDockerfile() -> valid_dockerfile
+// PURITY: CORE
+// EFFECT: n/a
+// INVARIANT: image includes the official xAI grok executable
+// COMPLEXITY: O(1)
+export const renderGrokDockerfile = (): string =>
+  String.raw`FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl bsdutils \
+  && rm -rf /var/lib/apt/lists/*
+RUN set -eu; \
+  curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 ${grokCliInstallScriptUrl} -o /tmp/grok-install.sh; \
+  HOME=/tmp/grok-install-home GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh ${grokCliVersion}; \
+  install -m 0755 "$(readlink -f /usr/local/bin/grok)" /usr/local/bin/grok.real; \
+  install -m 0755 "$(readlink -f /usr/local/bin/agent)" /usr/local/bin/agent.real; \
+  mv -f /usr/local/bin/grok.real /usr/local/bin/grok; \
+  mv -f /usr/local/bin/agent.real /usr/local/bin/agent; \
+  rm -rf /tmp/grok-install.sh /tmp/grok-install-home
+RUN grok --version
+`
+
+export const ensureGrokOrchLayout = (
+  cwd: string
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  migrateLegacyOrchLayout(cwd, {
+    envGlobalPath: defaultTemplateConfig.envGlobalPath,
+    envProjectPath: defaultTemplateConfig.envProjectPath,
+    codexAuthPath: defaultTemplateConfig.codexAuthPath,
+    ghAuthPath: ".docker-git/.orch/auth/gh",
+    claudeAuthPath: ".docker-git/.orch/auth/claude",
+    geminiAuthPath: ".docker-git/.orch/auth/gemini",
+    grokAuthPath: ".docker-git/.orch/auth/grok"
+  })
+
+export const resolveGrokAccountPath = (path: Path.Path, rootPath: string, label: string | null): {
+  readonly accountLabel: string
+  readonly accountPath: string
+} => {
+  const accountLabel = normalizeAccountLabel(label, "default")
+  const accountPath = path.join(rootPath, accountLabel)
+  return { accountLabel, accountPath }
+}
+
+export const withGrokAuth = <A, E>(
+  command: AuthGrokLoginCommand | AuthGrokLogoutCommand | AuthGrokStatusCommand,
+  run: (
+    context: GrokAccountContext
+  ) => Effect.Effect<A, E, CommandExecutor.CommandExecutor>,
+  options: { readonly buildImage?: boolean } = {}
+): Effect.Effect<A, E | PlatformError | CommandFailedError, GrokRuntime> =>
+  withFsPathContext(({ cwd, fs, path }) =>
+    Effect.gen(function*(_) {
+      yield* _(ensureGrokOrchLayout(cwd))
+      const rootPath = resolvePathFromCwd(path, cwd, command.grokAuthPath)
+      const { accountLabel, accountPath } = resolveGrokAccountPath(path, rootPath, command.label)
+      yield* _(fs.makeDirectory(accountPath, { recursive: true }))
+      yield* _(fs.chmod(accountPath, 0o700))
+      if (options.buildImage === true) {
+        yield* _(
+          ensureDockerImage(fs, path, cwd, {
+            imageName: grokImageName,
+            imageDir: grokImageDir,
+            dockerfile: renderGrokDockerfile(),
+            buildLabel: "grok auth"
+          })
+        )
+      }
+      return yield* _(run({ accountLabel, accountPath, cwd, fs }))
+    })
+  )
+
+const readApiKeyFromEnvFile = (
+  fs: FileSystem.FileSystem,
+  envFilePath: string
+): Effect.Effect<string | null, PlatformError> =>
+  Effect.gen(function*(_) {
+    const hasEnvFile = yield* _(isRegularFile(fs, envFilePath))
+    if (!hasEnvFile) {
+      return null
+    }
+    const envContent = yield* _(fs.readFileString(envFilePath), Effect.orElseSucceed(() => ""))
+    for (const line of envContent.split("\n")) {
+      const trimmed = line.trim()
+      for (const key of grokEnvApiKeyNames) {
+        const prefix = `${key}=`
+        if (!trimmed.startsWith(prefix)) {
+          continue
+        }
+        const value = trimmed.slice(prefix.length).replaceAll(/^['"]|['"]$/g, "").trim()
+        if (value.length > 0) {
+          return value
+        }
+      }
+    }
+    return null
+  })
+
+export const readGrokApiKey = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<string | null, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKeyFilePath = grokApiKeyPath(accountPath)
+    const hasApiKey = yield* _(isRegularFile(fs, apiKeyFilePath))
+    if (hasApiKey) {
+      const apiKey = yield* _(fs.readFileString(apiKeyFilePath), Effect.orElseSucceed(() => ""))
+      const trimmed = apiKey.trim()
+      if (trimmed.length > 0) {
+        return trimmed
+      }
+    }
+
+    return yield* _(readApiKeyFromEnvFile(fs, grokEnvFilePath(accountPath)))
+  })
+
+export const hasGrokCredentials = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<boolean, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKey = yield* _(readGrokApiKey(fs, accountPath))
+    if (apiKey !== null) {
+      return true
+    }
+    const hasAuthJson = yield* _(isRegularFile(fs, grokAuthJsonPath(accountPath)))
+    if (hasAuthJson) {
+      const authJson = yield* _(fs.readFileString(grokAuthJsonPath(accountPath)), Effect.orElseSucceed(() => ""))
+      if (hasGrokAuthJsonCredentialText(authJson)) {
+        return true
+      }
+    }
+    const hasUserSettings = yield* _(isRegularFile(fs, grokUserSettingsPath(accountPath)))
+    if (!hasUserSettings) {
+      return false
+    }
+    const content = yield* _(fs.readFileString(grokUserSettingsPath(accountPath)), Effect.orElseSucceed(() => ""))
+    return hasGrokUserSettingsCredentialText(content)
+  })
+
+export const resolveGrokAuthMethod = (
+  fs: FileSystem.FileSystem,
+  accountPath: string
+): Effect.Effect<GrokAuthMethod, PlatformError> =>
+  Effect.gen(function*(_) {
+    const apiKey = yield* _(readGrokApiKey(fs, accountPath))
+    if (apiKey !== null) {
+      return "api-key"
+    }
+    const hasUserSettings = yield* _(hasGrokCredentials(fs, accountPath))
+    return hasUserSettings ? "oauth" : "none"
+  })
+
+export const prepareGrokCredentialsDir = (
+  cwd: string,
+  accountPath: string,
+  fs: FileSystem.FileSystem
+) =>
+  Effect.gen(function*(_) {
+    const credentialsDir = grokCredentialsPath(accountPath)
+    const removeFallback = pipe(
+      runCommandExitCode({
+        cwd,
+        command: "docker",
+        args: ["run", "--rm", "-v", `${accountPath}:/target`, "alpine", "rm", "-rf", "/target/.grok"]
+      }),
+      Effect.flatMap((exitCode) =>
+        exitCode === 0
+          ? Effect.void
+          : Effect.fail(new CommandFailedError({ command: "docker", exitCode }))
+      )
+    )
+
+    yield* _(
+      fs.remove(credentialsDir, { recursive: true, force: true }).pipe(
+        Effect.orElse(() => removeFallback)
+      )
+    )
+    yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+    yield* _(fs.chmod(credentialsDir, 0o700))
+    return credentialsDir
+  })
+
+export const defaultGrokProjectSettings = {
+  sandboxMode: "off",
+  mcpServers: {
+    playwright: {
+      command: "docker-git-playwright-mcp",
+      args: [],
+      trust: true
+    }
+  }
+}
+
+export const defaultGrokUserSettings = (apiKey: string | null) => ({
+  ...(apiKey === null ? {} : { apiKey }),
+  sandboxMode: "off",
+  confirmBeforeToolUse: false
+})
+
+export const writeInitialGrokSettings = (
+  credentialsDir: string,
+  fs: FileSystem.FileSystem,
+  apiKey: string | null
+) =>
+  Effect.gen(function*(_) {
+    const settingsPath = `${credentialsDir}/settings.json`
+    yield* _(
+      fs.writeFileString(
+        settingsPath,
+        JSON.stringify(defaultGrokProjectSettings, null, 2) + "\n"
+      )
+    )
+    yield* _(fs.chmod(settingsPath, 0o600))
+
+    const userSettingsPath = `${credentialsDir}/user-settings.json`
+    const shouldWriteUserSettings = apiKey === null
+      ? !(yield* _(isRegularFile(fs, userSettingsPath)))
+      : true
+    if (shouldWriteUserSettings) {
+      yield* _(
+        fs.writeFileString(
+          userSettingsPath,
+          JSON.stringify(defaultGrokUserSettings(apiKey), null, 2) + "\n"
+        )
+      )
+      yield* _(fs.chmod(userSettingsPath, 0o600))
+    }
+    return settingsPath
+  })
diff --git a/packages/lib/src/usecases/auth-grok-logout.ts b/packages/lib/src/usecases/auth-grok-logout.ts
new file mode 100644
index 00000000..fda3b549
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok-logout.ts
@@ -0,0 +1,35 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import type { AuthGrokLogoutCommand } from "../core/domain.js"
+import type { CommandFailedError } from "../shell/errors.js"
+import { grokApiKeyPath, grokCredentialsPath, grokEnvFilePath, withGrokAuth } from "./auth-grok-helpers.js"
+import type { GrokRuntime } from "./auth-grok-helpers.js"
+import { normalizeAccountLabel } from "./auth-helpers.js"
+import { autoSyncState } from "./state-repo.js"
+
+// CHANGE: logout Grok CLI by clearing API key and ~/.grok credentials for a label
+// WHY: allow revoking Grok CLI access deterministically
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokLogout(cmd) -> credentials_cleared(cmd)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: all credential files are removed from account directory
+// COMPLEXITY: O(1)
+export const authGrokLogout = (
+  command: AuthGrokLogoutCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  Effect.gen(function*(_) {
+    const accountLabel = normalizeAccountLabel(command.label, "default")
+    yield* _(
+      withGrokAuth(command, ({ accountPath, fs }) =>
+        Effect.gen(function*(_) {
+          yield* _(fs.remove(grokApiKeyPath(accountPath), { force: true }))
+          yield* _(fs.remove(grokEnvFilePath(accountPath), { force: true }))
+          yield* _(fs.remove(grokCredentialsPath(accountPath), { recursive: true, force: true }))
+        }))
+    )
+    yield* _(autoSyncState(`chore(state): auth grok logout ${accountLabel}`))
+  }).pipe(Effect.asVoid)
diff --git a/packages/lib/src/usecases/auth-grok-oauth.ts b/packages/lib/src/usecases/auth-grok-oauth.ts
new file mode 100644
index 00000000..34d62984
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok-oauth.ts
@@ -0,0 +1,164 @@
+import type * as CommandExecutor from "@effect/platform/CommandExecutor"
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import { runCommandWithExitCodes } from "../shell/command-runner.js"
+import { resolveDockerVolumeHostPath } from "../shell/docker-auth.js"
+import { AuthError, CommandFailedError } from "../shell/errors.js"
+
+// CHANGE: add Grok CLI OAuth/browser authentication flow
+// WHY: issue #304 expects `grok login` style URL handoff and callback paste support
+// QUOTE(ТЗ): "Paste the URL here if it doesn't connect"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: runGrokOauthLogin(cmd) -> grok_credentials_stored | error
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor>
+// INVARIANT: Grok credentials are stored in ~/.grok within the selected account path
+// COMPLEXITY: O(user_interaction)
+
+type DockerGrokAuthSpec = {
+  readonly cwd: string
+  readonly image: string
+  readonly hostPath: string
+  readonly containerPath: string
+  readonly env: ReadonlyArray<string>
+}
+
+const buildDockerGrokAuthSpec = (
+  cwd: string,
+  accountPath: string,
+  image: string,
+  containerPath: string
+): DockerGrokAuthSpec => ({
+  cwd,
+  image,
+  hostPath: accountPath,
+  containerPath,
+  env: [
+    `HOME=${containerPath}`,
+    "MCP_PLAYWRIGHT_ISOLATED=1"
+  ]
+})
+
+/**
+ * Builds the Docker CLI argument vector for the official Grok device-code login flow.
+ *
+ * @param spec Docker auth container paths, image, working directory, and environment bindings.
+ * @returns Immutable Docker argument vector ending with `grok login --device-auth`.
+ * @pure true
+ * @effect none; CORE argument builder only transforms immutable input data.
+ * @invariant every non-empty environment binding is emitted as an adjacent `-e` argument pair.
+ * @precondition spec.hostPath and spec.containerPath identify the selected Grok auth account directory.
+ * @postcondition returned args execute the official headless Grok login mode documented by xAI.
+ * @complexity O(n) time / O(n) space, where n is spec.env.length.
+ * @throws Never - invalid process execution is represented by callers through typed Effect errors.
+ */
+export const buildDockerGrokAuthArgs = (spec: DockerGrokAuthSpec): ReadonlyArray<string> => {
+  const base: Array<string> = [
+    "run",
+    "--rm",
+    "--init",
+    "-i",
+    "-t",
+    "-v",
+    `${spec.hostPath}:${spec.containerPath}`,
+    "-w",
+    spec.containerPath
+  ]
+
+  for (const entry of spec.env) {
+    const trimmed = entry.trim()
+    if (trimmed.length === 0) {
+      continue
+    }
+    base.push("-e", trimmed)
+  }
+  return [...base, spec.image, "grok", "login", "--device-auth"]
+}
+
+const printOauthInstructions = (): Effect.Effect<void> =>
+  Effect.sync(() => {
+    process.stderr.write("\n")
+    process.stderr.write("Grok CLI OAuth Authentication\n")
+    process.stderr.write("1. Open the Grok sign-in URL printed by the CLI.\n")
+    process.stderr.write("2. Complete browser authentication.\n")
+    process.stderr.write("3. If the callback cannot connect, paste the returned URL into the prompt.\n")
+    process.stderr.write("\n")
+  })
+
+const grokAuthPermissionScript = [
+  "target_uid=\"${CHOWN_UID:-$(stat -c %u \"$1\" 2>/dev/null || id -u)}\"",
+  "target_gid=\"${CHOWN_GID:-$(stat -c %g \"$1\" 2>/dev/null || id -g)}\"",
+  "chown -R \"$target_uid:$target_gid\" \"$1\"",
+  "find \"$1\" -type d -exec chmod 700 {} +",
+  "find \"$1\" -type f -exec chmod 600 {} +"
+].join(" && ")
+
+const fixGrokAuthPermissions = (cwd: string, hostPath: string, containerPath: string) =>
+  runCommandWithExitCodes(
+    {
+      cwd,
+      command: "docker",
+      args: [
+        "run",
+        "--rm",
+        "-v",
+        `${hostPath}:${containerPath}`,
+        "alpine",
+        "sh",
+        "-c",
+        grokAuthPermissionScript,
+        "sh",
+        containerPath
+      ]
+    },
+    [0],
+    (exitCode) => new CommandFailedError({ command: "chmod grok auth", exitCode })
+  ).pipe(
+    Effect.tapError((err) => Effect.logWarning(`Failed to fix Grok auth permissions: ${String(err)}`))
+  )
+
+/**
+ * Runs the Grok OAuth device login inside the docker-git auth container.
+ *
+ * @param cwd Working directory used for Docker command execution.
+ * @param accountPath Selected docker-git Grok account directory.
+ * @param options Auth container image and in-container home path.
+ * @returns Effect that completes after Grok writes credentials and permissions are normalized.
+ * @pure false
+ * @effect CommandExecutor; invokes Docker and writes credentials under the selected account path.
+ * @invariant successful completion leaves credentials scoped to accountPath and not to project source files.
+ * @precondition Docker is available and options.image contains the official Grok CLI binary.
+ * @postcondition accountPath ownership follows the mounted account root or a typed error is returned.
+ * @complexity O(n) local argument construction plus unbounded external OAuth interaction time.
+ * @throws Never - failures are modeled as AuthError, CommandFailedError, or PlatformError in the Effect type.
+ */
+export const runGrokOauthLoginWithPrompt = (
+  cwd: string,
+  accountPath: string,
+  options: {
+    readonly image: string
+    readonly containerPath: string
+  }
+): Effect.Effect<void, AuthError | CommandFailedError | PlatformError, CommandExecutor.CommandExecutor> =>
+  Effect.gen(function*(_) {
+    yield* _(printOauthInstructions())
+    const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath))
+    const spec = buildDockerGrokAuthSpec(cwd, hostPath, options.image, options.containerPath)
+    yield* _(
+      runCommandWithExitCodes(
+        {
+          cwd: spec.cwd,
+          command: "docker",
+          args: buildDockerGrokAuthArgs(spec)
+        },
+        [0],
+        (exitCode) =>
+          new AuthError({
+            message: `Grok CLI login failed with exit code ${exitCode}.`
+          })
+      )
+    )
+    yield* _(fixGrokAuthPermissions(spec.cwd, hostPath, spec.containerPath))
+  })
diff --git a/packages/lib/src/usecases/auth-grok-status.ts b/packages/lib/src/usecases/auth-grok-status.ts
new file mode 100644
index 00000000..d451e3cb
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok-status.ts
@@ -0,0 +1,33 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect, Match } from "effect"
+
+import type { AuthGrokStatusCommand } from "../core/domain.js"
+import type { CommandFailedError } from "../shell/errors.js"
+import { resolveGrokAuthMethod, withGrokAuth } from "./auth-grok-helpers.js"
+import type { GrokRuntime } from "./auth-grok-helpers.js"
+
+// CHANGE: show Grok CLI auth status for a given label
+// WHY: allow verifying API-key/user-settings presence without exposing credentials
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokStatus(cmd) -> connected(cmd, method) | disconnected(cmd)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: never logs API keys or tokens
+// COMPLEXITY: O(1)
+export const authGrokStatus = (
+  command: AuthGrokStatusCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  withGrokAuth(command, ({ accountLabel, accountPath, fs }) =>
+    Effect.gen(function*(_) {
+      const authMethod = yield* _(resolveGrokAuthMethod(fs, accountPath))
+      yield* _(
+        Match.value(authMethod).pipe(
+          Match.when("none", () => Effect.log(`Grok not connected (${accountLabel}).`)),
+          Match.when("api-key", () => Effect.log(`Grok connected (${accountLabel}, api-key).`)),
+          Match.when("oauth", () => Effect.log(`Grok connected (${accountLabel}, oauth).`)),
+          Match.exhaustive
+        )
+      )
+    }))
diff --git a/packages/lib/src/usecases/auth-grok.ts b/packages/lib/src/usecases/auth-grok.ts
new file mode 100644
index 00000000..1626105a
--- /dev/null
+++ b/packages/lib/src/usecases/auth-grok.ts
@@ -0,0 +1,98 @@
+import type { PlatformError } from "@effect/platform/Error"
+import { Effect } from "effect"
+
+import type { AuthGrokLoginCommand } from "../core/domain.js"
+import { AuthError, type CommandFailedError } from "../shell/errors.js"
+import {
+  grokApiKeyPath,
+  grokContainerHomeDir,
+  grokCredentialsPath,
+  grokImageName,
+  type GrokRuntime,
+  prepareGrokCredentialsDir,
+  withGrokAuth,
+  writeInitialGrokSettings
+} from "./auth-grok-helpers.js"
+import { runGrokOauthLoginWithPrompt } from "./auth-grok-oauth.js"
+import { normalizeAccountLabel } from "./auth-helpers.js"
+import { autoSyncState } from "./state-repo.js"
+
+// CHANGE: login to Grok CLI by storing API key and Grok user settings
+// WHY: Grok CLI supports GROK_DEPLOYMENT_KEY and ~/.grok/auth.json while OAuth is handled by the terminal runner
+// QUOTE(ТЗ): "Реализовать поддержку авторизации grok"
+// REF: issue-304
+// SOURCE: https://x.ai/news/grok-build-cli
+// FORMAT THEOREM: forall cmd: authGrokLogin(cmd) -> api_key_file_exists(accountPath)
+// PURITY: SHELL
+// EFFECT: Effect<void, PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: API key is stored in .api-key and mirrored into .grok/user-settings.json
+// COMPLEXITY: O(1)
+export const authGrokLogin = (
+  command: AuthGrokLoginCommand,
+  apiKey: string
+): Effect.Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime> => {
+  const trimmedApiKey = apiKey.trim()
+  if (trimmedApiKey.length === 0) {
+    return Effect.fail(new AuthError({ message: "Grok API key must not be empty" }))
+  }
+  const accountLabel = normalizeAccountLabel(command.label, "default")
+  return withGrokAuth(command, ({ accountPath, fs }) =>
+    Effect.gen(function*(_) {
+      const apiKeyFilePath = grokApiKeyPath(accountPath)
+      yield* _(fs.writeFileString(apiKeyFilePath, `${trimmedApiKey}\n`))
+      yield* _(fs.chmod(apiKeyFilePath, 0o600))
+
+      const credentialsDir = grokCredentialsPath(accountPath)
+      yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+      yield* _(fs.chmod(credentialsDir, 0o700))
+      yield* _(writeInitialGrokSettings(credentialsDir, fs, trimmedApiKey))
+    })).pipe(
+      Effect.zipRight(autoSyncState(`chore(state): auth grok ${accountLabel}`))
+    )
+}
+
+export const authGrokLoginCli = (
+  _command: AuthGrokLoginCommand
+): Effect.Effect<void, PlatformError | CommandFailedError, GrokRuntime> =>
+  Effect.gen(function*(_) {
+    yield* _(Effect.log("Grok CLI supports two authentication methods:"))
+    yield* _(Effect.log(""))
+    yield* _(Effect.log("1. API Key:"))
+    yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Grok CLI: set API key"))
+    yield* _(Effect.log(""))
+    yield* _(Effect.log("2. OAuth/browser login:"))
+    yield* _(Effect.log("   - Use: docker-git menu -> Auth profiles -> Grok CLI: login via OAuth"))
+    yield* _(Effect.log("   - Follow the Grok CLI prompts and paste the callback URL when requested"))
+  })
+
+// FORMAT THEOREM: forall cmd: authGrokLoginOauth(cmd) -> grok_credentials_stored | error
+// PURITY: SHELL
+// EFFECT: Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime>
+// INVARIANT: Grok CLI writes credentials under .grok within the selected account directory
+// COMPLEXITY: O(user_interaction)
+export const authGrokLoginOauth = (
+  command: AuthGrokLoginCommand
+): Effect.Effect<void, AuthError | PlatformError | CommandFailedError, GrokRuntime> => {
+  const accountLabel = normalizeAccountLabel(command.label, "default")
+  return withGrokAuth(
+    command,
+    ({ accountPath, cwd, fs }) =>
+      Effect.gen(function*(_) {
+        const credentialsDir = yield* _(prepareGrokCredentialsDir(cwd, accountPath, fs))
+
+        yield* _(
+          runGrokOauthLoginWithPrompt(cwd, accountPath, {
+            image: grokImageName,
+            containerPath: grokContainerHomeDir
+          })
+        )
+        yield* _(writeInitialGrokSettings(credentialsDir, fs, null))
+      }),
+    { buildImage: true }
+  ).pipe(
+    Effect.zipRight(autoSyncState(`chore(state): auth grok oauth ${accountLabel}`))
+  )
+}
+
+export { authGrokLogout } from "./auth-grok-logout.js"
+export { authGrokStatus } from "./auth-grok-status.js"
diff --git a/packages/lib/src/usecases/auth-sync-helpers.ts b/packages/lib/src/usecases/auth-sync-helpers.ts
index b9c7cba6..dba1fd67 100644
--- a/packages/lib/src/usecases/auth-sync-helpers.ts
+++ b/packages/lib/src/usecases/auth-sync-helpers.ts
@@ -6,8 +6,8 @@ import { Effect, Either } from "effect"
 
 type CopyDecision = "skip" | "copy"
 type JsonPrimitive = boolean | number | string | null
-type JsonValue = JsonPrimitive | JsonRecord | ReadonlyArray<JsonValue>
-type JsonRecord = Readonly<{ [key: string]: JsonValue }>
+export type JsonValue = JsonPrimitive | JsonRecord | ReadonlyArray<JsonValue>
+export type JsonRecord = Readonly<{ [key: string]: JsonValue }>
 
 const JsonValueSchema: Schema.Schema<JsonValue> = Schema.suspend(() =>
   Schema.Union(
@@ -115,12 +115,15 @@ export const shouldCopyEnv = (sourceText: string, targetText: string): CopyDecis
   return "skip"
 }
 
-export const parseJsonRecord = (text: string): Effect.Effect<JsonRecord | null> =>
+export const parseJsonRecordOrNull = (text: string): JsonRecord | null =>
   Either.match(ParseResult.decodeUnknownEither(JsonRecordFromStringSchema)(text), {
-    onLeft: () => Effect.succeed(null),
-    onRight: (record) => Effect.succeed(record)
+    onLeft: () => null,
+    onRight: (record) => record
   })
 
+export const parseJsonRecord = (text: string): Effect.Effect<JsonRecord | null> =>
+  Effect.succeed(parseJsonRecordOrNull(text))
+
 export const hasClaudeOauthAccount = (record: JsonRecord | null): boolean =>
   record !== null && typeof record["oauthAccount"] === "object" && record["oauthAccount"] !== null
 
@@ -171,4 +174,5 @@ export type LegacyOrchPaths = AuthPaths & {
   readonly ghAuthPath: string
   readonly gitlabAuthPath?: string
   readonly geminiAuthPath?: string
+  readonly grokAuthPath?: string
 }
diff --git a/packages/lib/src/usecases/auth.ts b/packages/lib/src/usecases/auth.ts
index 5f73c11c..97a410ab 100644
--- a/packages/lib/src/usecases/auth.ts
+++ b/packages/lib/src/usecases/auth.ts
@@ -2,3 +2,4 @@ export * from "./auth-claude.js"
 export * from "./auth-codex.js"
 export * from "./auth-gemini.js"
 export * from "./auth-github.js"
+export * from "./auth-grok.js"
diff --git a/packages/lib/tests/core/templates.test.ts b/packages/lib/tests/core/templates.test.ts
index 2a55f38c..46ef813c 100644
--- a/packages/lib/tests/core/templates.test.ts
+++ b/packages/lib/tests/core/templates.test.ts
@@ -27,6 +27,7 @@ const makeTemplateConfig = (overrides: Partial<TemplateConfig> = {}): TemplateCo
   codexAuthPath: "/workspace/.orch/auth/codex",
   codexSharedAuthPath: "/workspace/.orch/auth/codex-shared",
   geminiAuthPath: "/workspace/.orch/auth/gemini",
+  grokAuthPath: "/workspace/.orch/auth/grok",
   gpu: "none",
   ...overrides
 })
@@ -213,6 +214,19 @@ describe("renderDockerfile", () => {
     ])
     expect(dockerfile).not.toContain("glab_1.93.0_linux_\\$GLAB_ARCH.deb")
   })
+
+  it("installs Grok CLI for generated project containers", () => {
+    const dockerfile = renderDockerfile(makeTemplateConfig())
+
+    expectContainsAll(dockerfile, [
+      "https://x.ai/cli/install.sh",
+      "GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh 0.1.211",
+      "grok --version"
+    ])
+    expect(dockerfile).not.toContain("grok-dev")
+    expect(dockerfile).not.toContain("npm install -g grok-dev")
+    expect(dockerfile).not.toContain("grok --version >/dev/null || true")
+  })
 })
 
 describe("renderPromptScript", () => {
@@ -407,7 +421,7 @@ describe("renderEntrypoint auth bridge", () => {
     ])
   })
 
-  it("renders Codex and Gemini project rules wiring", () => {
+  it("renders Codex, Gemini and Grok project rules wiring", () => {
     const entrypoint = renderAuthEntrypoint()
 
     expectContainsAll(entrypoint, [
@@ -418,6 +432,7 @@ describe("renderEntrypoint auth bridge", () => {
       "docker_git_prepare_active_agent_project_rules()",
       "docker_git_detect_claude_project_rules()",
       "docker_git_detect_gemini_project_rules()",
+      "docker_git_detect_grok_project_rules()",
       "DOCKER_GIT_RTK_ENABLE=\"${DOCKER_GIT_RTK_ENABLE:-1}\"",
       "DOCKER_GIT_RTK_ENABLE=1",
       "docker_git_rtk_init_as_user()",
@@ -430,6 +445,7 @@ describe("renderEntrypoint auth bridge", () => {
       "\"codex\")",
       "\"claude\")",
       "\"gemini\")",
+      "\"grok\")",
       'MCP_PLAYWRIGHT_ISOLATED="${MCP_PLAYWRIGHT_ISOLATED:-0}"',
       "\"20-agents-skills::.agents/skills\"",
       "\"30-agents-dot-skills::.agents/.skills\"",
@@ -440,8 +456,12 @@ describe("renderEntrypoint auth bridge", () => {
       "$project_dir/.gemini/settings.json",
       "$project_dir/.gemini/commands",
       "$project_dir/.gemini/skills",
+      "$project_dir/.grok/settings.json",
+      "$project_dir/.grok/commands",
+      "$project_dir/.grok/skills",
       "MCP_PLAYWRIGHT_ISOLATED=1 codex exec",
-      "MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p"
+      "MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p",
+      "MCP_PLAYWRIGHT_ISOLATED=1 grok --no-sandbox -p"
     ])
     expect(entrypoint).not.toContain("codex --approval-mode full-auto")
     expect(entrypoint).not.toContain("\"40-claude-skills::.claude/skills\"")
@@ -466,7 +486,66 @@ describe("renderEntrypoint auth bridge", () => {
     expect(entrypoint.split("SUBAGENTS_LINE=").length - 1).toBeGreaterThanOrEqual(1)
   })
 
-  it("renders system-prompt override hooks for codex/claude/gemini", () => {
+  it("renders Grok API env expansion without escaping bash defaults", () => {
+    const entrypoint = renderAuthEntrypoint()
+
+    expectContainsAll(entrypoint, [
+      'GROK_LABEL_RAW="${GROK_AUTH_LABEL:-}"',
+      'export GROK_AUTH_LABEL="$GROK_LABEL_NORM"',
+      'elif [[ -n "${GROK_DEPLOYMENT_KEY:-}" ]]; then',
+      'elif [[ -n "${GROK_API_KEY:-}" ]]; then',
+      'elif [[ -n "${XAI_API_KEY:-}" ]]; then',
+      "Priority: selected account files, then GROK_DEPLOYMENT_KEY, GROK_API_KEY, XAI_API_KEY.",
+      'docker_git_upsert_ssh_env "GROK_DEPLOYMENT_KEY" "${GROK_DEPLOYMENT_KEY:-}"',
+      'export GROK_DEPLOYMENT_KEY="$RESOLVED_GROK_API_KEY"',
+      'docker_git_upsert_ssh_env "GROK_API_KEY" "${GROK_API_KEY:-}"',
+      'docker_git_upsert_ssh_env "XAI_API_KEY" "${XAI_API_KEY:-}"'
+    ])
+    expect(entrypoint).not.toContain('GROK_LABEL_RAW="$GROK_AUTH_LABEL"')
+    expect(entrypoint).not.toContain("\\${GROK_DEPLOYMENT_KEY:-}")
+    expect(entrypoint).not.toContain("\\${GROK_API_KEY:-}")
+    expect(entrypoint).not.toContain("\\${XAI_API_KEY:-}")
+    expect(entrypoint).not.toContain('export XAI_API_KEY="$GROK_API_KEY"')
+    expect(entrypoint).not.toContain('export GROK_DEPLOYMENT_KEY="${GROK_API_KEY:-}"')
+    expect(entrypoint).not.toContain('export GROK_API_KEY="${XAI_API_KEY:-}"')
+  })
+
+  it("renders Grok file ownership from the configured SSH user", () => {
+    const entrypoint = renderAuthEntrypoint()
+
+    expectContainsAll(entrypoint, [
+      'GROK_SETTINGS_OWNER_UID="$(id -u "dev" 2>/dev/null || id -u)"',
+      'GROK_SETTINGS_OWNER_GID="$(id -g "dev" 2>/dev/null || id -g)"',
+      'chown -R "$GROK_SETTINGS_OWNER_UID:$GROK_SETTINGS_OWNER_GID" "$GROK_SETTINGS_DIR" || true',
+      'GROK_NOTICE_OWNER_UID="$(id -u "dev" 2>/dev/null || id -u)"',
+      'GROK_NOTICE_OWNER_GID="$(id -g "dev" 2>/dev/null || id -g)"',
+      'chown "$GROK_NOTICE_OWNER_UID:$GROK_NOTICE_OWNER_GID" "$GROK_MD_PATH" || true',
+      "Risk rationale: Grok runs inside an isolated per-project container."
+    ])
+    expect(entrypoint).not.toContain('chown -R 1000:1000 "$GROK_SETTINGS_DIR"')
+    expect(entrypoint).not.toContain('chown 1000:1000 "$GROK_MD_PATH"')
+  })
+
+  it("replaces migrated Grok home files with selected-label symlinks", () => {
+    const entrypoint = renderAuthEntrypoint()
+    const copyIndex = entrypoint.indexOf('cp "$link_path" "$source_path" || true')
+    const dirGuardIndex = entrypoint.indexOf('if [[ -d "$link_path" ]]; then', copyIndex)
+    const linkIndex = entrypoint.indexOf('ln -sfn "$source_path" "$link_path" || true', dirGuardIndex)
+
+    expectContainsAll(entrypoint, [
+      'cp "$link_path" "$source_path" || true',
+      'chmod 0600 "$source_path" || true',
+      'if [[ -d "$link_path" ]]; then',
+      'ln -sfn "$source_path" "$link_path" || true',
+      'docker_git_link_grok_file "$GROK_CONFIG_DIR/.api-key" "$GROK_HOME_DIR/.api-key"',
+      'docker_git_link_grok_file "$GROK_SHARED_HOME_DIR/auth.json" "$GROK_HOME_DIR/auth.json"'
+    ])
+    expect(copyIndex).toBeGreaterThanOrEqual(0)
+    expect(dirGuardIndex).toBeGreaterThan(copyIndex)
+    expect(linkIndex).toBeGreaterThan(dirGuardIndex)
+  })
+
+  it("renders system-prompt override hooks for codex/claude/gemini/grok", () => {
     const entrypoint = renderAuthEntrypoint()
 
     expectContainsAll(entrypoint, [
@@ -487,7 +566,13 @@ describe("renderEntrypoint auth bridge", () => {
       "GEMINI_DEFAULT_PROMPT_BODY=\"$(docker_git_decode_unicode_escapes \"$GEMINI_DEFAULT_PROMPT_BODY\")\"",
       "GEMINI_PROMPT_BODY=\"$(cat \"$GEMINI_SYSTEM_PROMPT_OVERRIDE_FILE\")\"",
       "GEMINI_PROMPT_BODY=\"$GEMINI_SYSTEM_PROMPT_OVERRIDE\"",
-      "GEMINI_PROMPT_BODY=\"$GEMINI_DEFAULT_PROMPT_BODY\""
+      "GEMINI_PROMPT_BODY=\"$GEMINI_DEFAULT_PROMPT_BODY\"",
+      "GROK_SYSTEM_PROMPT_OVERRIDE_FILE=\"${GROK_SYSTEM_PROMPT_OVERRIDE_FILE:-}\"",
+      "GROK_SYSTEM_PROMPT_OVERRIDE=\"${GROK_SYSTEM_PROMPT_OVERRIDE:-}\"",
+      "GROK_DEFAULT_PROMPT_BODY=\"$(docker_git_decode_unicode_escapes \"$GROK_DEFAULT_PROMPT_BODY\")\"",
+      "GROK_PROMPT_BODY=\"$(cat \"$GROK_SYSTEM_PROMPT_OVERRIDE_FILE\")\"",
+      "GROK_PROMPT_BODY=\"$GROK_SYSTEM_PROMPT_OVERRIDE\"",
+      "GROK_PROMPT_BODY=\"$GROK_DEFAULT_PROMPT_BODY\""
     ])
   })
 
diff --git a/packages/lib/tests/usecases/agent-auto-select.test.ts b/packages/lib/tests/usecases/agent-auto-select.test.ts
index 4728ba8a..345c4a4c 100644
--- a/packages/lib/tests/usecases/agent-auto-select.test.ts
+++ b/packages/lib/tests/usecases/agent-auto-select.test.ts
@@ -39,6 +39,10 @@ const makeConfig = (root: string, path: Path.Path): TemplateConfig => ({
   codexAuthPath: path.join(root, ".orch/auth/codex"),
   codexSharedAuthPath: path.join(root, ".orch/auth/codex"),
   codexHome: "/home/dev/.codex",
+  geminiAuthPath: path.join(root, ".orch/auth/gemini"),
+  geminiHome: "/home/dev/.gemini",
+  grokAuthPath: path.join(root, ".orch/auth/grok"),
+  grokHome: "/home/dev/.grok",
   dockerNetworkMode: "shared",
   dockerSharedNetworkName: "docker-git-shared",
   enableMcpPlaywright: false,
@@ -112,7 +116,39 @@ describe("resolveAutoAgentMode", () => {
       })
     ).pipe(Effect.provide(NodeContext.layer)))
 
-  it.effect("returns one of the available agents when both Claude and Codex auth exist", () =>
+  it.effect("chooses Grok when only Grok auth exists", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const config = makeConfig(root, path)
+        const grokRoot = path.join(root, ".orch/auth/grok/default")
+
+        yield* _(fs.makeDirectory(grokRoot, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(grokRoot, ".api-key"), "grok-token\n"))
+
+        const mode = yield* _(resolveAutoAgentMode(config))
+        expect(mode).toBe("grok")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("keeps explicit Grok mode when Grok auth exists", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const config: TemplateConfig = { ...makeConfig(root, path), agentMode: "grok" }
+        const grokRoot = path.join(root, ".orch/auth/grok/default")
+
+        yield* _(fs.makeDirectory(grokRoot, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(grokRoot, ".api-key"), "grok-token\n"))
+
+        const mode = yield* _(resolveAutoAgentMode(config))
+        expect(mode).toBe("grok")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("returns one of the available agents when multiple agent auth entries exist", () =>
     withTempDir((root) =>
       Effect.gen(function*(_) {
         const fs = yield* _(FileSystem.FileSystem)
@@ -120,14 +156,17 @@ describe("resolveAutoAgentMode", () => {
         const config = makeConfig(root, path)
         const claudeRoot = path.join(root, ".orch/auth/claude/default")
         const codexRoot = path.join(root, ".orch/auth/codex")
+        const grokRoot = path.join(root, ".orch/auth/grok/default")
 
         yield* _(fs.makeDirectory(claudeRoot, { recursive: true }))
         yield* _(fs.makeDirectory(codexRoot, { recursive: true }))
+        yield* _(fs.makeDirectory(grokRoot, { recursive: true }))
         yield* _(fs.writeFileString(path.join(claudeRoot, ".oauth-token"), "token\n"))
         yield* _(fs.writeFileString(path.join(codexRoot, "auth.json"), "{\"ok\":true}\n"))
+        yield* _(fs.writeFileString(path.join(grokRoot, ".api-key"), "grok-token\n"))
 
         const mode = yield* _(resolveAutoAgentMode(config))
-        expect(["claude", "codex"]).toContain(mode)
+        expect(["claude", "codex", "grok"]).toContain(mode)
       })
     ).pipe(Effect.provide(NodeContext.layer)))
 
@@ -163,6 +202,22 @@ describe("resolveAutoAgentMode", () => {
       })
     ).pipe(Effect.provide(NodeContext.layer)))
 
+  it.effect("fails explicit Grok mode when Grok auth is missing", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const path = yield* _(Path.Path)
+        const config: TemplateConfig = { ...makeConfig(root, path), agentMode: "grok" }
+
+        const exit = yield* _(
+          resolveAutoAgentMode(config).pipe(
+            Effect.flip,
+            Effect.map((error) => error._tag)
+          )
+        )
+        expect(exit).toBe("InvalidOption")
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
   it.effect("fails when no auth exists", () =>
     withTempDir((root) =>
       Effect.gen(function*(_) {
diff --git a/packages/lib/tests/usecases/auth-grok.test.ts b/packages/lib/tests/usecases/auth-grok.test.ts
new file mode 100644
index 00000000..fb6fd8cc
--- /dev/null
+++ b/packages/lib/tests/usecases/auth-grok.test.ts
@@ -0,0 +1,416 @@
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+import * as fc from "fast-check"
+
+import { authGrokLogin } from "../../src/usecases/auth-grok.js"
+import { buildDockerGrokAuthArgs } from "../../src/usecases/auth-grok-oauth.js"
+import {
+  grokCliInstallScriptUrl,
+  grokCliVersion,
+  hasGrokCredentials,
+  renderGrokDockerfile
+} from "../../src/usecases/auth-grok-helpers.js"
+
+const withTempDir = <A, E, R>(
+  use: (tempDir: string) => Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R | FileSystem.FileSystem> =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const fs = yield* _(FileSystem.FileSystem)
+      const tempDir = yield* _(
+        fs.makeTempDirectoryScoped({
+          prefix: "docker-git-auth-grok-"
+        })
+      )
+      return yield* _(use(tempDir))
+    })
+  )
+
+const withPatchedEnv = <A, E, R>(
+  patch: Readonly<Record<string, string | undefined>>,
+  effect: Effect.Effect<A, E, R>
+): Effect.Effect<A, E, R> =>
+  Effect.acquireUseRelease(
+    Effect.sync(() => {
+      const previous = new Map<string, string | undefined>()
+      for (const [key, value] of Object.entries(patch)) {
+        previous.set(key, process.env[key])
+        if (value === undefined) {
+          delete process.env[key]
+        } else {
+          process.env[key] = value
+        }
+      }
+      return previous
+    }),
+    () => effect,
+    (previous) =>
+      Effect.sync(() => {
+        for (const [key, value] of previous.entries()) {
+          if (value === undefined) {
+            delete process.env[key]
+          } else {
+            process.env[key] = value
+          }
+        }
+      })
+  )
+
+const detectUserSettingsPayload = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  accountPath: string,
+  payload: object
+) =>
+  Effect.gen(function*(_) {
+    const credentialsDir = path.join(accountPath, ".grok")
+    yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+    yield* _(
+      fs.writeFileString(
+        path.join(credentialsDir, "user-settings.json"),
+        `${JSON.stringify(payload)}\n`
+      )
+    )
+    return yield* _(hasGrokCredentials(fs, accountPath))
+  })
+
+const grokOidcAuthScope = "https://auth.x.ai::b1a00492-073a-47ea-816f-4c329264a828"
+const grokLegacyAuthScope = "https://accounts.x.ai/sign-in"
+
+describe("authGrokLogin", () => {
+  it("installs the official xAI Grok CLI in the OAuth helper image", () => {
+    const dockerfile = renderGrokDockerfile()
+
+    expect(dockerfile).toContain(grokCliInstallScriptUrl)
+    expect(dockerfile).toContain(`GROK_BIN_DIR=/usr/local/bin bash /tmp/grok-install.sh ${grokCliVersion}`)
+    expect(dockerfile).toContain("grok --version")
+    expect(dockerfile).not.toContain("grok-dev")
+    expect(dockerfile).not.toContain("npm install -g grok-dev")
+  })
+
+  it("uses the official Grok device-auth login mode", () => {
+    const args = buildDockerGrokAuthArgs({
+      cwd: "/workspace",
+      image: "docker-git-auth-grok:latest",
+      hostPath: "/host/grok",
+      containerPath: "/grok-home",
+      env: ["HOME=/grok-home", "MCP_PLAYWRIGHT_ISOLATED=1"]
+    })
+
+    expect(args).toContain("MCP_PLAYWRIGHT_ISOLATED=1")
+    expect(args).not.toContain("NO_BROWSER=true")
+    expect(args).not.toContain("GROK_NO_BROWSER=true")
+    expect(args.slice(-4)).toEqual(["docker-git-auth-grok:latest", "grok", "login", "--device-auth"])
+  })
+
+  it.effect("stores API key and writes Grok settings with Playwright MCP and no sandbox", () =>
+    withTempDir((root) =>
+      withPatchedEnv(
+        {
+          HOME: root,
+          DOCKER_GIT_STATE_AUTO_SYNC: "0"
+        },
+        Effect.gen(function*(_) {
+          const fs = yield* _(FileSystem.FileSystem)
+          const path = yield* _(Path.Path)
+          const grokAuthPath = ".docker-git/.orch/auth/grok"
+          const accountLabel = "test-account"
+          const absoluteGrokAuthPath = path.join(root, grokAuthPath)
+
+          yield* _(
+            authGrokLogin(
+              {
+                _tag: "AuthGrokLogin",
+                label: accountLabel,
+                grokAuthPath: absoluteGrokAuthPath,
+                isWeb: false
+              },
+              "xai-test-api-key"
+            ).pipe(
+              Effect.provideService(FileSystem.FileSystem, fs),
+              Effect.provideService(Path.Path, path)
+            )
+          )
+
+          const accountPath = path.join(absoluteGrokAuthPath, accountLabel)
+          const apiKey = yield* _(fs.readFileString(path.join(accountPath, ".api-key")))
+          const apiKeyInfo = yield* _(fs.stat(path.join(accountPath, ".api-key")))
+          const credentialsInfo = yield* _(fs.stat(path.join(accountPath, ".grok")))
+          const userSettings = JSON.parse(
+            yield* _(fs.readFileString(path.join(accountPath, ".grok", "user-settings.json")))
+          )
+          const projectSettings = JSON.parse(
+            yield* _(fs.readFileString(path.join(accountPath, ".grok", "settings.json")))
+          )
+
+          expect(apiKey).toBe("xai-test-api-key\n")
+          expect(Number(apiKeyInfo.mode ?? 0) & 0o777).toBe(0o600)
+          expect(Number(credentialsInfo.mode ?? 0) & 0o777).toBe(0o700)
+          expect(userSettings.apiKey).toBe("xai-test-api-key")
+          expect(userSettings.sandboxMode).toBe("off")
+          expect(projectSettings.mcpServers.playwright.command).toBe("docker-git-playwright-mcp")
+          expect(projectSettings.mcpServers.playwright.trust).toBe(true)
+        })
+      )
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("rejects empty API keys", () =>
+    withTempDir((root) =>
+      withPatchedEnv(
+        {
+          HOME: root,
+          DOCKER_GIT_STATE_AUTO_SYNC: "0"
+        },
+        Effect.gen(function*(_) {
+          const fs = yield* _(FileSystem.FileSystem)
+          const path = yield* _(Path.Path)
+          const grokAuthPath = path.join(root, ".docker-git/.orch/auth/grok")
+
+          const errors = yield* _(
+            Effect.forEach(
+              ["", "   "],
+              (apiKey) =>
+                authGrokLogin(
+                  {
+                    _tag: "AuthGrokLogin",
+                    label: "empty-key",
+                    grokAuthPath,
+                    isWeb: false
+                  },
+                  apiKey
+                ).pipe(
+                  Effect.provideService(FileSystem.FileSystem, fs),
+                  Effect.provideService(Path.Path, path),
+                  Effect.flip
+                )
+            )
+          )
+
+          for (const error of errors) {
+            expect(error._tag).toBe("AuthError")
+            if (error._tag === "AuthError") {
+              expect(error.message).toBe("Grok API key must not be empty")
+            }
+          }
+        })
+      )
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("detects user-settings.json as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+        const credentialsDir = path.join(accountPath, ".grok")
+
+        yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(credentialsDir, "user-settings.json"), "{\"apiKey\":\"xai-test\"}\n"))
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(true)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("detects nested oauth user settings as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+
+        const detected = yield* _(
+          detectUserSettingsPayload(fs, path, accountPath, {
+            oauth: {
+              meta: {},
+              accessToken: "oauth-token"
+            }
+          })
+        )
+        expect(detected).toBe(true)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("detects official Grok auth.json as OAuth credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+        const credentialsDir = path.join(accountPath, ".grok")
+
+        yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+        yield* _(
+          fs.writeFileString(path.join(credentialsDir, "auth.json"), `${JSON.stringify({ [grokOidcAuthScope]: { key: "xai-oauth" } })}\n`)
+        )
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(true)
+
+        yield* _(
+          fs.writeFileString(path.join(credentialsDir, "auth.json"), `${JSON.stringify({ [grokLegacyAuthScope]: { key: "xai-legacy" } })}\n`)
+        )
+
+        const legacyDetected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(legacyDetected).toBe(true)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("does not treat unrelated auth.json tokens as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+        const credentialsDir = path.join(accountPath, ".grok")
+
+        yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(credentialsDir, "auth.json"), "{\"scope\":{\"key\":\"xai-oauth\"},\"token\":\"nope\"}\n"))
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(false)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("detects official Grok deployment key env files", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+
+        yield* _(fs.makeDirectory(accountPath, { recursive: true }))
+        yield* _(fs.writeFileString(path.join(accountPath, ".env"), "GROK_DEPLOYMENT_KEY='xai-deploy'\n"))
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(true)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("does not treat bootstrap user settings as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+        const credentialsDir = path.join(accountPath, ".grok")
+
+        yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+        yield* _(
+          fs.writeFileString(
+            path.join(credentialsDir, "user-settings.json"),
+            "{\"sandboxMode\":\"off\",\"confirmBeforeToolUse\":false}\n"
+          )
+        )
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(false)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("does not treat empty oauth with unrelated token as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+        const credentialsDir = path.join(accountPath, ".grok")
+
+        yield* _(fs.makeDirectory(credentialsDir, { recursive: true }))
+        yield* _(
+          fs.writeFileString(
+            path.join(credentialsDir, "user-settings.json"),
+            "{\"oauth\":{},\"telemetry\":{\"token\":\"not-oauth\"}}\n"
+          )
+        )
+
+        const detected = yield* _(hasGrokCredentials(fs, accountPath))
+        expect(detected).toBe(false)
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("detects generated user settings with apiKey as Grok credentials", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+
+        yield* _(
+          Effect.tryPromise({
+            catch: (error) => error,
+            try: () =>
+              fc.assert(
+                fc.asyncProperty(
+                  fc.tuple(
+                    fc.string({ minLength: 1 }).filter((value) => value.trim().length > 0),
+                    fc.boolean(),
+                    fc.constantFrom("off", "on")
+                  ),
+                  ([apiKey, confirmBeforeToolUse, sandboxMode]) =>
+                    Effect.runPromise(
+                      detectUserSettingsPayload(fs, path, accountPath, {
+                        apiKey,
+                        confirmBeforeToolUse,
+                        sandboxMode
+                      }).pipe(
+                        Effect.map((detected) => {
+                          expect(detected).toBe(true)
+                        })
+                      )
+                    )
+                ),
+                { numRuns: 25 }
+              )
+          })
+        )
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("rejects generated bootstrap-like user settings without apiKey", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const accountPath = path.join(root, "default")
+
+        yield* _(
+          Effect.tryPromise({
+            catch: (error) => error,
+            try: () =>
+              fc.assert(
+                fc.asyncProperty(
+                  fc.tuple(
+                    fc.boolean(),
+                    fc.boolean(),
+                    fc.constantFrom("off", "on"),
+                    fc.constantFrom(
+                      {},
+                      { token: "" },
+                      { accessToken: "" },
+                      { refreshToken: "" }
+                    )
+                  ),
+                  ([includeConfirmBeforeToolUse, includeOauth, sandboxMode, oauth]) =>
+                    Effect.runPromise(
+                      detectUserSettingsPayload(fs, path, accountPath, {
+                        sandboxMode,
+                        ...(includeConfirmBeforeToolUse ? { confirmBeforeToolUse: false } : {}),
+                        ...(includeOauth ? { oauth } : {})
+                      }).pipe(
+                        Effect.map((detected) => {
+                          expect(detected).toBe(false)
+                        })
+                      )
+                    )
+                ),
+                { numRuns: 25 }
+              )
+          })
+        )
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+})
diff --git a/scripts/e2e/_lib.sh b/scripts/e2e/_lib.sh
index 9b8dcf22..b669888e 100644
--- a/scripts/e2e/_lib.sh
+++ b/scripts/e2e/_lib.sh
@@ -134,6 +134,73 @@ dg_ensure_node_gyp() {
   export PATH="$node_gyp_bin:$PATH"
 }
 
+dg_pick_free_port() {
+  local first_port="$1"
+  local last_port="$2"
+  local host="${3:-127.0.0.1}"
+
+  if ! command -v node >/dev/null 2>&1; then
+    echo "e2e: node is required to pick a free TCP port" >&2
+    return 1
+  fi
+
+  node - "$first_port" "$last_port" "$host" <<'NODE'
+const net = require("node:net")
+
+const [firstRaw, lastRaw, host] = process.argv.slice(2)
+const first = Number.parseInt(firstRaw, 10)
+const last = Number.parseInt(lastRaw, 10)
+
+if (!Number.isInteger(first) || !Number.isInteger(last) || first < 1 || last > 65535 || first > last) {
+  console.error(`e2e: invalid port range: ${firstRaw}-${lastRaw}`)
+  process.exit(1)
+}
+
+const canListen = (port) =>
+  new Promise((resolve) => {
+    const server = net.createServer()
+    server.unref()
+    server.once("error", () => resolve(false))
+    server.listen({ host, port, exclusive: true }, () => {
+      server.close(() => resolve(true))
+    })
+  })
+
+;(async () => {
+  const count = last - first + 1
+  const start = Math.floor(Math.random() * count)
+
+  for (let offset = 0; offset < count; offset += 1) {
+    const port = first + ((start + offset) % count)
+    if (await canListen(port)) {
+      console.log(port)
+      return
+    }
+  }
+
+  console.error(`e2e: no free TCP port on ${host} in range ${first}-${last}`)
+  process.exit(1)
+})().catch((error) => {
+  console.error(error instanceof Error ? error.message : String(error))
+  process.exit(1)
+})
+NODE
+}
+
+dg_require_free_port() {
+  local first_port="$1"
+  local last_port="$2"
+  local label="${3:-TCP}"
+  local port
+
+  if ! port="$(dg_pick_free_port "$first_port" "$last_port")" || [[ -z "$port" ]]; then
+    echo "e2e: failed to pick free ${label} port in range ${first_port}-${last_port}" >&2
+    return 1
+  fi
+
+  printf '%s\n' "$port"
+}
+
 dg_controller_container_name() {
   printf '%s\n' "${DOCKER_GIT_API_CONTAINER_NAME:-docker-git-api}"
 }
diff --git a/scripts/e2e/browser-command.sh b/scripts/e2e/browser-command.sh
index 66bae263..61e7e91e 100755
--- a/scripts/e2e/browser-command.sh
+++ b/scripts/e2e/browser-command.sh
@@ -21,8 +21,10 @@ BROWSER_STARTUP_ATTEMPTS="${DOCKER_GIT_E2E_BROWSER_STARTUP_ATTEMPTS:-240}"
 export DOCKER_GIT_PROJECTS_ROOT="$ROOT"
 export DOCKER_GIT_PROJECTS_ROOT_VOLUME="docker-git-e2e-browser-$RUN_ID-projects"
 export DOCKER_GIT_API_CONTAINER_NAME="docker-git-e2e-browser-$RUN_ID-api"
-export DOCKER_GIT_API_PORT="$(( (RANDOM % 1000) + 34000 ))"
-export DOCKER_GIT_WEB_PORT="$(( (RANDOM % 1000) + 41000 ))"
+DOCKER_GIT_API_PORT="$(dg_require_free_port 34000 34999 "browser API")"
+export DOCKER_GIT_API_PORT
+DOCKER_GIT_WEB_PORT="$(dg_require_free_port 41000 41999 "browser web")"
+export DOCKER_GIT_WEB_PORT
 export COMPOSE_PROJECT_NAME="docker-git-e2e-browser-$RUN_ID"
 export DOCKER_GIT_STATE_AUTO_SYNC=0
 
diff --git a/scripts/e2e/clone-auto-open-ssh.sh b/scripts/e2e/clone-auto-open-ssh.sh
index dd2a611c..d18df1dd 100755
--- a/scripts/e2e/clone-auto-open-ssh.sh
+++ b/scripts/e2e/clone-auto-open-ssh.sh
@@ -28,7 +28,7 @@ OUT_DIR="$ROOT/e2e/clone-auto-open-ssh-$RUN_ID"
 CONTAINER_NAME="dg-e2e-clone-auto-ssh-$RUN_ID"
 SERVICE_NAME="dg-e2e-clone-auto-ssh-$RUN_ID"
 VOLUME_NAME="dg-e2e-clone-auto-ssh-$RUN_ID-home"
-SSH_PORT="$(( (RANDOM % 1000) + 24000 ))"
+SSH_PORT="$(dg_pick_free_port 24000 24999)"
 SSH_KEY="$ROOT/dev_ssh_key"
 SSH_PUB_KEY="$ROOT/dev_ssh_key.pub"
 CLONE_LOG="$ROOT/clone-auto-open-ssh.log"
diff --git a/scripts/e2e/clone-cache.sh b/scripts/e2e/clone-cache.sh
index 763e5511..dcf6bffa 100755
--- a/scripts/e2e/clone-cache.sh
+++ b/scripts/e2e/clone-cache.sh
@@ -126,7 +126,8 @@ run_clone_case() {
   local container_name="dg-e2e-cache-${case_name}-${RUN_ID}"
   local service_name="dg-e2e-cache-${case_name}-${RUN_ID}"
   local volume_name="dg-e2e-cache-${case_name}-${RUN_ID}-home"
-  local ssh_port="$(( (RANDOM % 1000) + 22000 ))"
+  local ssh_port
+  ssh_port="$(dg_pick_free_port 22000 22999)"
   local log_path="$ROOT/clone-cache-${case_name}.log"
   local host_log_path="$ROOT/clone-cache-${case_name}-host.log"
 
diff --git a/scripts/e2e/login-context.sh b/scripts/e2e/login-context.sh
index 9beb357a..83522a48 100755
--- a/scripts/e2e/login-context.sh
+++ b/scripts/e2e/login-context.sh
@@ -85,7 +85,8 @@ run_case() {
   local container_name="dg-e2e-login-${case_name}-${RUN_ID}"
   local service_name="dg-e2e-login-${case_name}-${RUN_ID}"
   local volume_name="dg-e2e-login-${case_name}-${RUN_ID}-home"
-  local ssh_port="$(( (RANDOM % 1000) + 21000 ))"
+  local ssh_port
+  ssh_port="$(dg_pick_free_port 21000 21999)"
   local login_log="/tmp/docker-git-login-context-${RUN_ID}-${case_name}.log"
   local probe_script="$ROOT/login-context-${case_name}-probe.sh"
 
diff --git a/scripts/e2e/opencode-autoconnect.sh b/scripts/e2e/opencode-autoconnect.sh
index fb8b361b..c2b4e103 100755
--- a/scripts/e2e/opencode-autoconnect.sh
+++ b/scripts/e2e/opencode-autoconnect.sh
@@ -19,12 +19,13 @@ OUT_DIR="$ROOT/e2e/opencode-autoconnect-$RUN_ID"
 CONTAINER_NAME="dg-e2e-opencode-$RUN_ID"
 SERVICE_NAME="dg-e2e-opencode-$RUN_ID"
 VOLUME_NAME="dg-e2e-opencode-$RUN_ID-home"
-SSH_PORT="$(( (RANDOM % 1000) + 20000 ))"
+SSH_PORT="$(dg_pick_free_port 20000 20999)"
 
 export DOCKER_GIT_PROJECTS_ROOT="$ROOT"
 export DOCKER_GIT_PROJECTS_ROOT_VOLUME="docker-git-e2e-opencode-$RUN_ID-projects"
 export DOCKER_GIT_API_CONTAINER_NAME="docker-git-e2e-opencode-$RUN_ID-api"
-export DOCKER_GIT_API_PORT="$(( (RANDOM % 1000) + 34000 ))"
+DOCKER_GIT_API_PORT="$(dg_require_free_port 34000 34999 "opencode API")"
+export DOCKER_GIT_API_PORT
 export COMPOSE_PROJECT_NAME="docker-git-e2e-opencode-$RUN_ID"
 export DOCKER_GIT_STATE_AUTO_SYNC=0
 
diff --git a/scripts/e2e/runtime-volumes-ssh.sh b/scripts/e2e/runtime-volumes-ssh.sh
index 78f16497..28abc357 100755
--- a/scripts/e2e/runtime-volumes-ssh.sh
+++ b/scripts/e2e/runtime-volumes-ssh.sh
@@ -28,7 +28,7 @@ OUT_DIR="$ROOT/e2e/runtime-volumes-ssh-$RUN_ID"
 CONTAINER_NAME="dg-e2e-runtime-$RUN_ID"
 SERVICE_NAME="dg-e2e-runtime-$RUN_ID"
 VOLUME_NAME="dg-e2e-runtime-$RUN_ID-home"
-SSH_PORT="$(( (RANDOM % 1000) + 23000 ))"
+SSH_PORT="$(dg_pick_free_port 23000 23999)"
 SSH_KEY="$ROOT/dev_ssh_key"
 SSH_PUB_KEY="$ROOT/dev_ssh_key.pub"
 CLONE_LOG="$ROOT/clone.log"