fix(mosaic): harden gitea pr wrapper metadata

docs/PRD.md

@@ -62,8 +62,9 @@ Jarvis (v0.2.0) is a self-hosted AI assistant with a Python FastAPI backend and
 19. `@mosaicstack/prdy` — PRD wizard
 20. `@mosaicstack/quality-rails` — code quality scaffolder
 21. `@mosaicstack/cli` — unified `mosaic` CLI
-22. Docker Compose deployment + bare-metal capability
-23. Agent log service — ingest, parse, tier, summarize agent interaction logs
+22. Mosaic framework git wrappers — provider-aware issue/PR/CI shell wrappers for GitHub and self-hosted Gitea hosts used by Mosaic/USC repositories
+23. Docker Compose deployment + bare-metal capability
+24. Agent log service — ingest, parse, tier, summarize agent interaction logs
 
 ### Out of Scope (v0.1.0)
 

docs/TASKS.md

@@ -30,6 +30,7 @@ These are MVP-level checks that don't belong to any single workstream. Updated b
 | MVP-T04 | not-started | Sync `.mosaic/orchestrator/mission.json` MVP slot with this manifest (milestone enumeration, etc.)       | Coord state file; consider whether to repopulate via `mosaic coord` or accept hand-edit |
 | MVP-T05 | in-progress | Kick off W1 / FED-M1 — federated tier infrastructure                                                     | Session 16 (2026-04-19): FED-M1-01 in-progress on `feat/federation-m1-tier-config`      |
 | MVP-T06 | not-started | Declare additional workstreams (web dashboard, TUI/CLI parity, remote control, etc.) as scope solidifies | Track each new workstream by adding a row to the Workstream Rollup                      |
+| MVP-T07 | in-progress | Harden Mosaic framework Gitea PR metadata and merge preflight wrappers                                   | Internal ref `t_a292e96f`; source branch `fix/gitea-pr-metadata-login-t-a292e96f`       |
 
 ## Pointer to Active Workstream
 

docs/scratchpads/t_a292e96f-gitea-pr-wrapper.md

@@ -0,0 +1,48 @@
+# t_a292e96f — Gitea PR metadata and merge wrapper fix
+
+## Objective
+
+Fix Mosaic git wrappers so Gitea repositories on `git.uscllc.com` resolve PR metadata and merge preflight through the correct host credentials, without selecting the stale `mosaicstack` Tea login.
+
+## Acceptance criteria
+
+- `pr-metadata.sh` returns `baseRefName=main` for U-Connect PR #1905 and PR #1908.
+- `pr-metadata.sh` returns source-branch-style `headRefName`; for Gitea `refs/pull/<n>/head` responses, normalize to `head.label`.
+- `pr-merge.sh` preserves Mosaic squash-only and base-branch policy, then uses host-matched Gitea API credentials for Gitea merges instead of a hard-coded Tea login.
+- Add regression coverage/harness for Gitea metadata normalization and merge preflight.
+- Do not print, log, or commit tokens.
+
+## Plan
+
+1. Reproduce current live metadata/login context with sanitized output.
+2. Patch repo-source shell wrappers under `packages/mosaic/framework/tools/git/`.
+3. Add a hermetic shell regression harness with fake `git`, `curl`, and `tea`.
+4. Validate with `bash -n`, shellcheck if available, regression harness, and live sanitized U-Connect wrapper calls.
+5. Apply the same script changes to the installed Mosaic wrapper location only after source changes validate, so active U-Connect merge wrappers are unblocked while the PR is reviewed.
+6. Commit, push through queue guard, open PR, and hand off to Ultron review task `t_848435ab`; do not merge.
+
+## Progress
+
+- Live sanitized metadata check before source patch:
+  - PR #1905: `baseRefName=main`, `headRefName=edith/t_39ce717c-authentik-smoke-gate`.
+  - PR #1908: `baseRefName=main`, `headRefName=refs/pull/1908/head`; raw Gitea `head.label` is `fix/t_23fa9e1d-portal-health-backend`.
+  - `tea login list` contains only `git.mosaicstack.dev`, so the prior `--login mosaicstack` default cannot work for `git.uscllc.com`.
+
+## Verification log
+
+- `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/pr-gitea-wrapper-regression.sh` — pass.
+- `shellcheck packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/pr-gitea-wrapper-regression.sh` — pass when available in the Kanban runtime.
+- `TMPDIR="$PWD/.agent-tmp" bash packages/mosaic/framework/tools/git/tests/pr-gitea-wrapper-regression.sh` — pass; proves host-matched Gitea credential selection, metadata normalization, and merge dry-run preflight without invoking `tea`.
+- Live sanitized U-Connect metadata using the patched wrapper from `/src/uconnect`:
+  - PR #1905: `number=1905`, `baseRefName=main`, `headRefName=edith/t_39ce717c-authentik-smoke-gate`, `state=open`.
+  - PR #1908: `number=1908`, `baseRefName=main`, `headRefName=fix/t_23fa9e1d-portal-health-backend`, `state=closed`.
+- Live sanitized U-Connect merge preflight using `pr-merge.sh --skip-queue-guard --dry-run`:
+  - PR #1905: `Dry run: Gitea merge preflight OK for USC/uconnect#1905 targeting main via git.uscllc.com API`.
+  - PR #1908: `Dry run: Gitea merge preflight OK for USC/uconnect#1908 targeting main via git.uscllc.com API`.
+- Installed wrapper parity: `/home/hermes/.config/mosaic/tools/git/{detect-platform.sh,pr-metadata.sh,pr-merge.sh}` byte-match the PR source copies after validation, so active U-Connect wrapper invocations use the same fix while source PR review runs.
+
+## Risks / notes
+
+- `--dry-run` was added to `pr-merge.sh` to validate metadata/auth/preflight without merging a live PR.
+- Gitea branch deletion after merge remains a documented warning, matching prior behavior, and is not expanded in this fix.
+- Duplicate recovery PR #517 was closed after wrapper-first `pr-close.sh -n 517` failed headlessly with `/dev/tty`; PR #518 is the review target.