diff --git a/docs/scratchpads/536-wrapper-login-pin.md b/docs/scratchpads/536-wrapper-login-pin.md
index fabe4a3..1807b46 100644
--- a/docs/scratchpads/536-wrapper-login-pin.md
+++ b/docs/scratchpads/536-wrapper-login-pin.md
@@ -31,6 +31,7 @@ Fix the framework git wrappers so Gitea issue/PR operations resolve the tea logi
 - Added authenticated API fallbacks for close/reopen paths so wrappers can still operate when a matching `tea` login is absent but token credentials are available.
 - Added regression coverage for stale `GITEA_LOGIN`, exact host matching, `--repo` override flows, USC issue close routing, mosaicstack API fallback, and PR metadata/merge fallbacks.
 - Delta after PR #538 review: extended host-aware login/repo resolution to PowerShell wrappers, Bash milestone wrappers, and API-only `--repo` fallback paths.
+- Delta after live USC `pr-create.sh` repro: tightened `GITEA_LOGIN` trust so stale login names are ignored unless the tea login itself matches the target host, and added USC API fallback coverage for `pr-create.sh`.
 
 ## Verification
 
diff --git a/packages/mosaic/framework/tools/git/detect-platform.ps1 b/packages/mosaic/framework/tools/git/detect-platform.ps1
index fb5dbd0..49cb4d7 100644
--- a/packages/mosaic/framework/tools/git/detect-platform.ps1
+++ b/packages/mosaic/framework/tools/git/detect-platform.ps1
@@ -180,7 +180,7 @@ function Get-GiteaLoginForHost {
     }
 
     if ($env:GITEA_LOGIN) {
-        if ((Test-GiteaUrlMatchesHost -Url $env:GITEA_URL -GiteaHost $GiteaHost) -or (Test-TeaLoginMatchesHost -LoginName $env:GITEA_LOGIN -GiteaHost $GiteaHost)) {
+        if (Test-TeaLoginMatchesHost -LoginName $env:GITEA_LOGIN -GiteaHost $GiteaHost) {
             return $env:GITEA_LOGIN
         }
     }
diff --git a/packages/mosaic/framework/tools/git/detect-platform.sh b/packages/mosaic/framework/tools/git/detect-platform.sh
index b88aa19..58ac2fe 100755
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -178,7 +178,7 @@ get_gitea_login_for_host() {
     fi
 
     if [[ -n "${GITEA_LOGIN:-}" ]]; then
-        if gitea_url_matches_host "${GITEA_URL:-}" "$host" || tea_login_matches_host "$GITEA_LOGIN" "$host"; then
+        if tea_login_matches_host "$GITEA_LOGIN" "$host"; then
             echo "$GITEA_LOGIN"
             return 0
         fi
diff --git a/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh b/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
index ec80441..411848f 100755
--- a/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
+++ b/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
@@ -46,6 +46,10 @@ JSON
 fi
 
 printf 'tea %s\n' "$*" >> "$MOSAIC_TEST_LOG"
+if [[ "${MOSAIC_TEA_FAIL_PR_CREATE:-}" == "1" && "$*" == pr\ create* ]]; then
+    echo 'GetUserByName: simulated stale login failure' >&2
+    exit 1
+fi
 exit 0
 SH
 
@@ -94,6 +98,17 @@ if [[ "$usc_login" != "usc" ]]; then
     exit 1
 fi
 
+usc_login_with_usc_url=$(run_in_repo bash -c '
+    export GITEA_LOGIN=mosaicstack
+    export GITEA_URL=https://git.uscllc.com
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_gitea_login
+')
+if [[ "$usc_login_with_usc_url" != "usc" ]]; then
+    echo "Expected USC host to reject stale GITEA_LOGIN even when GITEA_URL matches USC; got '$usc_login_with_usc_url'" >&2
+    exit 1
+fi
+
 usc_login_without_url=$(run_in_repo bash -c '
     export GITEA_LOGIN=mosaicstack
     unset GITEA_URL
@@ -197,6 +212,15 @@ run_in_repo "$SCRIPT_DIR/pr-ci-wait.sh" --repo USC/uconnect --host git.uscllc.co
 grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/9' "$LOG_FILE"
 grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/commits/abc123/status' "$LOG_FILE"
 
+: > "$LOG_FILE"
+run_in_repo env MOSAIC_TEA_FAIL_PR_CREATE=1 GITEA_TOKEN=usc-token GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-create.sh" -t "USC API fallback" -H feature/pr-create
+grep -q -- 'tea pr create --repo USC/uconnect --login usc --title USC API fallback --head feature/pr-create' "$LOG_FILE"
+grep -q -- 'curl .*Authorization: token usc-token .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"
+if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"; then
+    echo "pr-create.sh API fallback defaulted USC repo to git.mosaicstack.dev" >&2
+    exit 1
+fi
+
 git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
 : > "$LOG_FILE"
 run_in_repo env GITEA_TOKEN=mosaic-token GITEA_URL=https://git.mosaicstack.dev "$SCRIPT_DIR/issue-close.sh" -i 536
diff --git a/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh b/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
index 9dbf2e2..c1aeb27 100755
--- a/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
+++ b/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
@@ -23,6 +23,10 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
+if [[ "$*" == *"login list"* ]]; then
+    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
+    exit 0
+fi
 if [[ "$*" == *"pr merge"* ]]; then
     echo 'user does not exist [uid: 0, name: ]' >&2
     exit 1
@@ -128,6 +132,10 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
+if [[ "$*" == *"login list"* ]]; then
+    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
+    exit 0
+fi
 if [[ "$*" == *"pr merge"* ]]; then
     echo 'tea network timeout' >&2
     exit 2