From 44f812c8d24920dc3a9ce2a0dcb9ba979b56d3de Mon Sep 17 00:00:00 2001
From: xintaofei <xintaofei@users.noreply.github.com>
Date: Sat, 21 Mar 2026 16:49:48 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dgit=E5=87=AD=E8=AF=81?=
 =?UTF-8?q?=E7=9A=84=E4=BD=BF=E7=94=A8=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src-tauri/src/commands/folders.rs |  1 +
 src-tauri/src/git_credential.rs   | 38 +++++++++++++++++++++++++++----
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/src-tauri/src/commands/folders.rs b/src-tauri/src/commands/folders.rs
index 1f4a615..f9803fe 100644
--- a/src-tauri/src/commands/folders.rs
+++ b/src-tauri/src/commands/folders.rs
@@ -84,6 +84,7 @@ async fn prepare_remote_git_cmd_for_url(
 /// Classify a git remote command error, detecting authentication failures.
 fn classify_remote_git_error(operation: &str, stderr: &[u8]) -> AppCommandError {
     let msg = String::from_utf8_lossy(stderr).trim().to_string();
+    eprintln!("[GIT_CMD] {} failed, stderr: {}", operation, msg);
     let lower = msg.to_lowercase();
 
     if lower.contains("authentication failed")
diff --git a/src-tauri/src/git_credential.rs b/src-tauri/src/git_credential.rs
index 643473f..8cd52b6 100644
--- a/src-tauri/src/git_credential.rs
+++ b/src-tauri/src/git_credential.rs
@@ -198,7 +198,14 @@ pub fn inject_credentials(
     token: &str,
     askpass_path: &Path,
 ) {
-    cmd.env("GIT_ASKPASS", askpass_path)
+    // Clear all system credential helpers (e.g. macOS Keychain `osxkeychain`)
+    // so git falls through to GIT_ASKPASS. Without this, a system credential
+    // helper may return stale/wrong credentials and GIT_ASKPASS is never called.
+    // Per git docs, setting credential.helper="" resets the helper list.
+    cmd.env("GIT_CONFIG_COUNT", "1")
+        .env("GIT_CONFIG_KEY_0", "credential.helper")
+        .env("GIT_CONFIG_VALUE_0", "")
+        .env("GIT_ASKPASS", askpass_path)
         .env("CODEG_GIT_USERNAME", username)
         .env("CODEG_GIT_PASSWORD", token)
         .env("GIT_TERMINAL_PROMPT", "0");
@@ -335,22 +342,41 @@ pub async fn try_inject_for_repo(
 ) -> bool {
     let settings = match load_github_accounts(conn).await {
         Some(s) if !s.accounts.is_empty() => s,
-        _ => return false,
+        _ => {
+            eprintln!("[GIT_CRED] no accounts configured");
+            return false;
+        }
     };
 
     let remote_url = match get_remote_url(repo_path).await {
         Some(url) => url,
-        None => return false,
+        None => {
+            eprintln!("[GIT_CRED] no remote URL found for {}", repo_path);
+            return false;
+        }
     };
 
     // Only inject for HTTPS URLs (SSH uses keys, not tokens)
     if !remote_url.starts_with("https://") && !remote_url.starts_with("http://") {
+        eprintln!("[GIT_CRED] skipping non-HTTPS URL: {}", remote_url);
         return false;
     }
 
     let account = match find_matching_account(&settings.accounts, &remote_url) {
         Some(a) => a,
-        None => return false,
+        None => {
+            eprintln!(
+                "[GIT_CRED] no matching account for remote {}. Available hosts: {}",
+                remote_url,
+                settings
+                    .accounts
+                    .iter()
+                    .map(|a| a.server_url.as_str())
+                    .collect::<Vec<_>>()
+                    .join(", ")
+            );
+            return false;
+        }
     };
 
     let askpass = match ensure_askpass_script(app_data_dir) {
@@ -361,6 +387,10 @@ pub async fn try_inject_for_repo(
         }
     };
 
+    eprintln!(
+        "[GIT_CRED] injecting credentials for {} (user: {})",
+        remote_url, account.username
+    );
     inject_credentials(cmd, &account.username, &account.token, &askpass);
     true
 }