fix(git): select USC Gitea login for PR merges (#516 )

2026-05-22 09:34:35 -05:00
10 changed files with 202 additions and 798 deletions
--- a/docs/scratchpads/t_3a368a52-gitea-login-selection.md
+++ b/docs/scratchpads/t_3a368a52-gitea-login-selection.md
@@ -0,0 +1,53 @@
 # t_3a368a52 — Gitea login selection for USC repos
 ## Objective
 Fix Mosaic git wrapper behavior so `git.uscllc.com` repositories use the USC Gitea/tea login instead of the Mosaic Stack login during PR merge operations.
 ## Issue / tracking
 - Kanban: `t_3a368a52`
 - Gitea issue: `#516` (`http://git.mosaicstack.dev/mosaicstack/stack/issues/516`)
 - Branch: `fix/t_3a368a52-gitea-usc-login`
 ## Scope
 - In scope: Mosaic framework git wrapper scripts under `packages/mosaic/framework/tools/git/` and matching framework docs.
 - Out of scope: U-Connect source, PR #1905 contents, Authentik settings, smoke credentials, and runtime infrastructure manifests.
 ## Root cause
 `pr-merge.sh` always built the Gitea merge command with `--login ${GITEA_LOGIN:-mosaicstack}`. In a `git.uscllc.com/USC/uconnect` repo with no explicit `GITEA_LOGIN`, this selected the `mosaicstack` tea login even though the remote host requires the `usc` login. While validating `pr-metadata.sh`, I also found that `load_credentials` preserves existing env vars; an ambient `GITEA_TOKEN` for a different account could override host-specific credential loading unless the lookup clears Gitea env vars inside the credential-loader subshell.
 ## Plan
 1. Add regression coverage for host → tea login selection.
 2. Add shared `get_gitea_login(host)` helper in `detect-platform.sh`.
 3. Update `pr-merge.sh` to derive the tea login from the current remote host.
 4. Document the host mapping in framework `TOOLS.md`.
 5. Validate with safe fake-`tea` merge command captures; do not perform a real merge.
 ## Evidence log
 - Reproduced old behavior safely from `/src/uconnect` with fake `tea`: PR #1905 command used `--login mosaicstack` for repo `USC/uconnect`.
 - RED test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` failed because `get_gitea_login` did not exist.
 - RED test extension: same test failed with `expected 'usc-token', got 'ambient-wrong-token'`, proving ambient `GITEA_TOKEN` could override host-specific USC credentials.
 - GREEN test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed after adding host mapping and clearing Gitea env vars in the credential-loader subshell.
 - Syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
 - Metadata validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
  - PR #1905: `number=1905 state=open base=main head=edith/t_39ce717c-authentik-smoke-gate mergeable=True`.
  - PR #1869: `number=1869 state=closed base=main head=fix/t_6f492e4a-cert-renewal-malformed-crt mergeable=True`.
 - Safe fake-`tea` merge validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
  - PR #1905 command captured `pr merge 1905 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
  - PR #1869 command captured `pr merge 1869 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
 - `ci-queue-wait.sh --purpose merge -B main -t 5 -i 1` from `/src/uconnect` resolved `platform=gitea`, branch `main`, SHA `49f0bce75c242eee19472ed367295658da9e56fc`, state `unknown`, exit 0.
 - Final shell regression: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed, including `pr-merge.sh` fake-`tea` argv capture for USC login selection and a negative metacharacter login override test.
 - Final syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
 - Independent review initially found the changed `pr-merge.sh` path still used string-built `eval`; remediated by switching GitHub/Gitea merge execution to argv arrays, validating numeric PR numbers, and rejecting unsupported characters in explicit `GITEA_LOGIN` overrides.
 - Workspace gates: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` passed after dependency install.
 ## Current blocker/risk
 `ci-queue-wait.sh` still reports `state=unknown` for U-Connect main because the Gitea commit status payload does not classify into success/failure/pending/no-status. This task fixed the wrong tea login selection path; it did not alter CI status semantics.
 Full `pnpm test` remains blocked by unrelated gateway database setup in this Kanban workspace: gateway tests fail with `PostgresError: relation "messages" does not exist` (`42P01`) even after starting Postgres/Valkey with Docker Compose. Jaeger also fails to start because host port `16686` is already allocated. The targeted wrapper regression and repo type/lint/format gates pass.
--- a/guides/BOOTSTRAP.md
+++ b/guides/BOOTSTRAP.md
@@ -453,26 +453,6 @@ Initialize standard labels and the first pre-MVP milestone:
 ---
 ## Secrets Bootstrap (Required for Every New App)
 Every new application MUST complete the following secrets bootstrap before deploying to any non-local environment. This is a hard gate — deployment without completed secrets bootstrap is forbidden.
 ### Secrets bootstrap checklist
 - [ ] Vault path created: `vault kv put secret/k3s/<app>/ ...` with all required secret fields
 - [ ] Required secrets listed in project README under a "Secrets architecture" section, including:
  - Vault path(s) used
  - All required secret keys and their purpose
  - Whether the app uses ESO bridge (default) or Direct-Vault (opt-in, with justification)
 - [ ] `external-secret.yaml` manifest committed to repo's `deploy/` or `k8s/` directory
 - [ ] Deployment YAML references the synced k8s Secret via `secretKeyRef` (not raw env vars or `.env` files)
 - [ ] App startup has schema-based validation for all required env vars (zod / pydantic / envconfig equivalent) that exits non-zero on missing required values
 - [ ] Direct-Vault opt-in (if applicable): justification documented in README + AppRole provisioned + bootstrap credentials stored in Vault and synced via a separate `ExternalSecret`
 See `~/.config/mosaic/guides/VAULT-SECRETS.md` for full worked examples of the ESO bridge pattern, the Direct-Vault opt-in pattern, and the forbidden antipatterns.
 ---
 ## Checklist
 After bootstrapping, verify:
--- a/guides/VAULT-SECRETS.md
+++ b/guides/VAULT-SECRETS.md
@@ -203,374 +203,3 @@ Error: token expired
 3. **Audit logging** - All access is logged; act accordingly
 4. **No local copies** - Don't store secrets in files or env vars long-term
 5. **Rotate on compromise** - Immediately rotate any exposed secrets
 ---
 ## Secrets Architecture Decision Matrix
 Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
 | Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
 | --- | --- | --- |
 | **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
 | **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
 | **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
 | **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
 | **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
 | **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
 | **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
 **Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
 ---
 ## ESO Bridge Pattern (Default)
 This is the required default for all k8s workloads. Follow this exact pattern unless a documented dynamic-secrets requirement justifies Direct-Vault.
 ### 1. Provision Vault path
 ```bash
 # Write the secrets for the app (run once; use IaC/Terraform for repeatable provisioning)
 vault kv put secret/k3s/<app> \
  db_password="..." \
  api_key="..." \
  jwt_secret="..."
 ```
 Use the canonical path structure: `secret/k3s/<app>` for k3s cluster workloads.
 ### 2. ExternalSecret manifest
 Commit this to the repo's `deploy/` or `k8s/` directory:
 ```yaml
 # deploy/external-secret.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: <app>-secrets
  namespace: <namespace>
 spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend        # ClusterSecretStore name — verify with cluster admin
    kind: ClusterSecretStore
  target:
    name: <app>-secrets        # k8s Secret name that will be created
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD   # key in the k8s Secret
      remoteRef:
        key: secret/k3s/<app>  # Vault path
        property: db_password  # field within the Vault secret
    - secretKey: API_KEY
      remoteRef:
        key: secret/k3s/<app>
        property: api_key
    - secretKey: JWT_SECRET
      remoteRef:
        key: secret/k3s/<app>
        property: jwt_secret
 ```
 ### 3. Deployment manifest — reference synced k8s Secret
 ```yaml
 # deploy/deployment.yaml (env section)
 env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: <app>-secrets   # matches ExternalSecret target.name
        key: DB_PASSWORD
  - name: API_KEY
    valueFrom:
      secretKeyRef:
        name: <app>-secrets
        key: API_KEY
  - name: JWT_SECRET
    valueFrom:
      secretKeyRef:
        name: <app>-secrets
        key: JWT_SECRET
  - name: PORT
    value: "3000"              # safe-default: non-secret, no Vault needed
 ```
 ### 4. App-side schema validation — TypeScript (zod)
 Validate all required env vars at startup. Exit non-zero on missing values.
 ```typescript
 // src/env.ts
 import { z } from 'zod';
 const envSchema = z.object({
  DB_PASSWORD: z.string().min(1, 'DB_PASSWORD is required'),
  API_KEY: z.string().min(1, 'API_KEY is required'),
  JWT_SECRET: z.string().min(32, 'JWT_SECRET must be at least 32 chars'),
  PORT: z.coerce.number().default(3000),
  NODE_ENV: z.enum(['development', 'production', 'test']).default('production'),
 });
 const result = envSchema.safeParse(process.env);
 if (!result.success) {
  console.error('Missing or invalid environment variables:');
  console.error(result.error.flatten().fieldErrors);
  process.exit(1);
 }
 export const env = result.data;
 ```
 ### 4b. App-side schema validation — Python (pydantic)
 ```python
 # src/config.py
 from pydantic_settings import BaseSettings, SettingsConfigDict
 class Settings(BaseSettings):
    db_password: str
    api_key: str
    jwt_secret: str
    port: int = 3000
    node_env: str = "production"
    model_config = SettingsConfigDict(env_file=None)  # no .env in prod
 try:
    settings = Settings()
 except Exception as e:
    import sys
    print(f"Missing or invalid environment variables: {e}", file=sys.stderr)
    sys.exit(1)
 ```
 ### 4c. App-side schema validation — Go (envconfig)
 ```go
 // config/config.go
 package config
 import (
    "fmt"
    "github.com/kelseyhightower/envconfig"
 )
 type Config struct {
    DBPassword string `envconfig:"DB_PASSWORD" required:"true"`
    APIKey     string `envconfig:"API_KEY" required:"true"`
    JWTSecret  string `envconfig:"JWT_SECRET" required:"true"`
    Port       int    `envconfig:"PORT" default:"3000"`
 }
 func Load() (*Config, error) {
    var cfg Config
    if err := envconfig.Process("", &cfg); err != nil {
        return nil, fmt.Errorf("invalid environment: %w", err)
    }
    return &cfg, nil
 }
 ```
 In your `main.go`:
 ```go
 cfg, err := config.Load()
 if err != nil {
    fmt.Fprintln(os.Stderr, err)
    os.Exit(1)
 }
 ```
 ---
 ## Direct-Vault Opt-In Pattern
 Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB rotation with short TTLs, AWS STS, PKI, per-request audit). Document the justification in the project README under "Secrets architecture" before implementing.
 ### When it is justified
 - Vault DB secrets engine with lease TTLs shorter than a typical pod lifecycle (< 1 hour)
 - AWS STS assume-role tokens generated per-request
 - Vault PKI short-lived certificates (< 24 hours) that must be renewed within a running pod
 - Per-request audit trail requirement (each app call must appear separately in Vault audit log)
 ### Provision an AppRole for the app
 ```bash
 # Enable AppRole auth (if not already enabled)
 vault auth enable approle
 # Create a Vault policy for the app
 # Note: KV v2 paths require both the exact path (for the top-level secret) and the
 # wildcard (for sub-paths). Always include both to avoid permission denied errors.
 vault policy write <app>-policy - <<EOF
 path "secret/data/k3s/<app>" {
  capabilities = ["read"]
 }
 path "secret/data/k3s/<app>/*" {
  capabilities = ["read"]
 }
 path "database/creds/<app>-role" {
  capabilities = ["read"]
 }
 EOF
 # Create the AppRole
 vault write auth/approle/role/<app>-role \
  token_policies="<app>-policy" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=0
 # Retrieve role-id and secret-id
 vault read auth/approle/role/<app>-role/role-id
 vault write -f auth/approle/role/<app>-role/secret-id
 ```
 ### Bootstrap AppRole credentials via ESO (solving the chicken-and-egg problem)
 The AppRole `role-id` and `secret-id` are themselves secrets. Store them in Vault at a bootstrap path, then use ESO to sync them into a k8s Secret. The app reads that k8s Secret at startup to authenticate with Vault directly.
 ```bash
 # Store the bootstrap credentials in Vault
 vault kv put secret/k3s/<app>-bootstrap \
  role_id="<role-id>" \
  secret_id="<secret-id>"
 ```
 ```yaml
 # deploy/external-secret-bootstrap.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: <app>-vault-auth
  namespace: <namespace>
 spec:
  refreshInterval: 24h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: <app>-vault-auth
    creationPolicy: Owner
  data:
    - secretKey: VAULT_ROLE_ID
      remoteRef:
        key: secret/k3s/<app>-bootstrap
        property: role_id
    - secretKey: VAULT_SECRET_ID
      remoteRef:
        key: secret/k3s/<app>-bootstrap
        property: secret_id
 ```
 ```yaml
 # deploy/deployment.yaml (env section for Direct-Vault app)
 env:
  - name: VAULT_ADDR
    value: "https://vault.example.com"  # safe-default: non-secret cluster address
  - name: VAULT_ROLE_ID
    valueFrom:
      secretKeyRef:
        name: <app>-vault-auth
        key: VAULT_ROLE_ID
  - name: VAULT_SECRET_ID
    valueFrom:
      secretKeyRef:
        name: <app>-vault-auth
        key: VAULT_SECRET_ID
 ```
 ### App-side Vault client pattern
 ```typescript
 // src/vault-client.ts — only exists in Direct-Vault apps
 import vault from 'node-vault';
 import { z } from 'zod';
 const bootstrapSchema = z.object({
  VAULT_ADDR: z.string().url(),
  VAULT_ROLE_ID: z.string().min(1),
  VAULT_SECRET_ID: z.string().min(1),
 });
 const bootstrap = bootstrapSchema.parse(process.env);
 const client = vault({ endpoint: bootstrap.VAULT_ADDR });
 export async function getVaultClient() {
  const { auth } = await client.approleLogin({
    role_id: bootstrap.VAULT_ROLE_ID,
    secret_id: bootstrap.VAULT_SECRET_ID,
  });
  client.token = auth.client_token;
  return client;
 }
 ```
 Document in README under "Secrets architecture": the Vault path, why Direct-Vault is required, and the lease/renewal strategy.
 ---
 ## Forbidden Patterns (CI Lint Targets)
 The following patterns are forbidden in all Mosaic projects. CI lint SHOULD catch these automatically (implementation tracked separately). Agents MUST NOT introduce these patterns.
 ### 1. Untagged fallback defaults for required values
 ```yaml
 # FORBIDDEN — required secret with silent fallback
 environment:
  - DB_PASSWORD=${DB_PASSWORD:-changeme}
  - API_KEY=${API_KEY:-}
 # REQUIRED — fast-fail on missing required values
 environment:
  - DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD is required}
  - API_KEY=${API_KEY:?API_KEY is required}
 # ALLOWED — true convenience default, tagged
 environment:
  - PORT=${PORT:-3000}  # safe-default: non-secret, app works at any port
 ```
 This applies to: `docker-compose.yml`, k8s manifests, Helm `values.yaml`, any env file committed to git.
 ### 2. Vault KV calls in application source code (ESO-default projects)
 ```python
 # FORBIDDEN in ESO-default apps — direct Vault client in app source
 import hvac
 client = hvac.Client(url=os.environ['VAULT_ADDR'])
 secret = client.secrets.kv.v2.read_secret_version(path='myapp/db')
 ```
 ESO-default apps read env vars only. Direct-Vault clients belong only in apps with a documented dynamic-secrets justification in README.
 ### 3. Hardcoded secrets or API keys in committed files
 ```python
 # FORBIDDEN — hardcoded credential
 DB_PASSWORD = "supersecret123"
 API_KEY = "sk-live-abc123"
 ```
 No exceptions. CI lint must flag any string matching common secret patterns (`password`, `secret`, `api_key`, `token` assigned a literal non-env-var value).
 ### 4. `.env` files in production deployment paths
 ```
 # FORBIDDEN — .env file in a production deploy path
 deploy/.env
 k8s/.env
 docker/.env
 # ALLOWED — local dev only
 .env.example          # template only, no real values
 .env                  # local dev, must be in .gitignore
 ```
 `.env` files are acceptable in local-dev contexts only and MUST be in `.gitignore`. They are forbidden in any path that a CI pipeline or production deployment process reads directly.
--- a/packages/mosaic/framework/defaults/STANDARDS.md
+++ b/packages/mosaic/framework/defaults/STANDARDS.md
@@ -27,16 +27,6 @@ Master/slave model:
 - Do not perform destructive git/file actions without explicit instruction.
 - Browser automation (Playwright, Cypress, Puppeteer) MUST run in headless mode. Never launch a visible browser — it collides with the user's display and active session.
 ### Secrets handling (HARD RULE)
 - Vault is the canonical source-of-truth for every secret in every environment. No exceptions.
 - For k8s workloads, the default read path is **External Secrets Operator → k8s Secret → env var** (`secretKeyRef`). The app reads standard env vars; no Vault client in app code.
 - Direct-Vault clients in application code are **opt-in only**, justified per-app by a documented dynamic-secrets requirement (e.g., DB rotation, AWS STS). Default to ESO. Document the justification in the project's README under "Secrets architecture".
 - `${VAR:-default}` fallback syntax in any deployment configuration (compose, k8s manifests, Helm values, env files committed to git) is **forbidden** for required values. Use `${VAR:?VAR is required}` to fast-fail. Defaults are allowed only for true conveniences (e.g. `${PORT:-3000}`) and MUST be tagged `# safe-default: <reason>` so a reviewer can confirm the intent.
 - `.env` files in production deployment paths are **forbidden**. `.env.example` and `.env` in local-dev paths are fine.
 - App startup MUST validate required secrets against a schema (zod / pydantic / equivalent) and exit non-zero on missing required values. Never run with defaulted weak fallbacks.
 - New apps: bootstrap checklist (see `~/.config/mosaic/guides/BOOTSTRAP.md`) MUST include Vault path provisioning + `ExternalSecret` manifest + README declaring the Vault path and required keys.
 ## Session Lifecycle Contract
 - Start: `scripts/agent/session-start.sh`
--- a/packages/mosaic/framework/defaults/TOOLS.md
+++ b/packages/mosaic/framework/defaults/TOOLS.md
@@ -9,7 +9,7 @@ All tool suites are located at `~/.config/mosaic/tools/`.
 ### Git Wrappers (Use First)
-Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands.
+Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands. For self-hosted Gitea, the shared credential helper selects API credentials by remote host (`git.mosaicstack.dev` → `gitea-mosaicstack`, `git.uscllc.com` → `gitea-usc`), and the PR merge wrapper selects the matching tea login (`git.mosaicstack.dev` → `mosaicstack`, `git.uscllc.com` → `usc`) unless `GITEA_LOGIN` is explicitly set to a safe tea login override.
 ```bash
 # Issues
--- a/packages/mosaic/framework/guides/BOOTSTRAP.md
+++ b/packages/mosaic/framework/guides/BOOTSTRAP.md
@@ -453,26 +453,6 @@ Initialize standard labels and the first pre-MVP milestone:
 ---
 ## Secrets Bootstrap (Required for Every New App)
 Every new application MUST complete the following secrets bootstrap before deploying to any non-local environment. This is a hard gate — deployment without completed secrets bootstrap is forbidden.
 ### Secrets bootstrap checklist
 - [ ] Vault path created: `vault kv put secret/k3s/<app>/ ...` with all required secret fields
 - [ ] Required secrets listed in project README under a "Secrets architecture" section, including:
  - Vault path(s) used
  - All required secret keys and their purpose
  - Whether the app uses ESO bridge (default) or Direct-Vault (opt-in, with justification)
 - [ ] `external-secret.yaml` manifest committed to repo's `deploy/` or `k8s/` directory
 - [ ] Deployment YAML references the synced k8s Secret via `secretKeyRef` (not raw env vars or `.env` files)
 - [ ] App startup has schema-based validation for all required env vars (zod / pydantic / envconfig equivalent) that exits non-zero on missing required values
 - [ ] Direct-Vault opt-in (if applicable): justification documented in README + AppRole provisioned + bootstrap credentials stored in Vault and synced via a separate `ExternalSecret`
 See `~/.config/mosaic/guides/VAULT-SECRETS.md` for full worked examples of the ESO bridge pattern, the Direct-Vault opt-in pattern, and the forbidden antipatterns.
 ---
 ## Checklist
 After bootstrapping, verify:
--- a/packages/mosaic/framework/guides/VAULT-SECRETS.md
+++ b/packages/mosaic/framework/guides/VAULT-SECRETS.md
@@ -203,374 +203,3 @@ Error: token expired
 3. **Audit logging** - All access is logged; act accordingly
 4. **No local copies** - Don't store secrets in files or env vars long-term
 5. **Rotate on compromise** - Immediately rotate any exposed secrets
 ---
 ## Secrets Architecture Decision Matrix
 Use this table to choose between the ESO bridge (default) and Direct-Vault (opt-in) patterns for every new app or integration.
 | Factor | ESO Bridge (default) | Direct-Vault (opt-in) |
 | --- | --- | --- |
 | **Use-case** | All static secrets (DB creds, API keys, signing keys, OAuth secrets) | Dynamic creds with short TTLs (DB rotation, AWS STS, PKI), per-request audit trails, or lease renewal mid-pod-lifecycle |
 | **App code change** | None — reads standard env vars via `secretKeyRef` | Requires Vault client (`hvac`, `node-vault`, `vault/api`) in application code |
 | **Secret rotation** | ESO re-syncs on Vault write; pod restart or secret refresh picks up new value | App manages lease renewal or re-auth within the running process |
 | **Audit granularity** | Access logged at Vault when ESO syncs; no per-request app audit | Every app request to Vault is a separate audit log entry |
 | **Operational burden** | Low — ESO handles polling, sync, and k8s Secret lifecycle | Higher — app must handle auth, lease renewal, error paths, and token rotation |
 | **Justification required?** | No — this is the default | Yes — document in project README under "Secrets architecture" |
 | **Example use cases** | Web app DB password, OAuth client secret, JWT signing key, API token | HashiCorp DB secrets engine with 15-min TTL leases, AWS STS assume-role, Vault PKI short-lived certs |
 **Decision rule:** If you are unsure, use ESO. Only justify Direct-Vault when the secret cannot be safely stored in a k8s Secret (too short-lived, per-request TTL required, or mid-lifecycle renewal needed).
 ---
 ## ESO Bridge Pattern (Default)
 This is the required default for all k8s workloads. Follow this exact pattern unless a documented dynamic-secrets requirement justifies Direct-Vault.
 ### 1. Provision Vault path
 ```bash
 # Write the secrets for the app (run once; use IaC/Terraform for repeatable provisioning)
 vault kv put secret/k3s/<app> \
  db_password="..." \
  api_key="..." \
  jwt_secret="..."
 ```
 Use the canonical path structure: `secret/k3s/<app>` for k3s cluster workloads.
 ### 2. ExternalSecret manifest
 Commit this to the repo's `deploy/` or `k8s/` directory:
 ```yaml
 # deploy/external-secret.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: <app>-secrets
  namespace: <namespace>
 spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend        # ClusterSecretStore name — verify with cluster admin
    kind: ClusterSecretStore
  target:
    name: <app>-secrets        # k8s Secret name that will be created
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD   # key in the k8s Secret
      remoteRef:
        key: secret/k3s/<app>  # Vault path
        property: db_password  # field within the Vault secret
    - secretKey: API_KEY
      remoteRef:
        key: secret/k3s/<app>
        property: api_key
    - secretKey: JWT_SECRET
      remoteRef:
        key: secret/k3s/<app>
        property: jwt_secret
 ```
 ### 3. Deployment manifest — reference synced k8s Secret
 ```yaml
 # deploy/deployment.yaml (env section)
 env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: <app>-secrets   # matches ExternalSecret target.name
        key: DB_PASSWORD
  - name: API_KEY
    valueFrom:
      secretKeyRef:
        name: <app>-secrets
        key: API_KEY
  - name: JWT_SECRET
    valueFrom:
      secretKeyRef:
        name: <app>-secrets
        key: JWT_SECRET
  - name: PORT
    value: "3000"              # safe-default: non-secret, no Vault needed
 ```
 ### 4. App-side schema validation — TypeScript (zod)
 Validate all required env vars at startup. Exit non-zero on missing values.
 ```typescript
 // src/env.ts
 import { z } from 'zod';
 const envSchema = z.object({
  DB_PASSWORD: z.string().min(1, 'DB_PASSWORD is required'),
  API_KEY: z.string().min(1, 'API_KEY is required'),
  JWT_SECRET: z.string().min(32, 'JWT_SECRET must be at least 32 chars'),
  PORT: z.coerce.number().default(3000),
  NODE_ENV: z.enum(['development', 'production', 'test']).default('production'),
 });
 const result = envSchema.safeParse(process.env);
 if (!result.success) {
  console.error('Missing or invalid environment variables:');
  console.error(result.error.flatten().fieldErrors);
  process.exit(1);
 }
 export const env = result.data;
 ```
 ### 4b. App-side schema validation — Python (pydantic)
 ```python
 # src/config.py
 from pydantic_settings import BaseSettings, SettingsConfigDict
 class Settings(BaseSettings):
    db_password: str
    api_key: str
    jwt_secret: str
    port: int = 3000
    node_env: str = "production"
    model_config = SettingsConfigDict(env_file=None)  # no .env in prod
 try:
    settings = Settings()
 except Exception as e:
    import sys
    print(f"Missing or invalid environment variables: {e}", file=sys.stderr)
    sys.exit(1)
 ```
 ### 4c. App-side schema validation — Go (envconfig)
 ```go
 // config/config.go
 package config
 import (
    "fmt"
    "github.com/kelseyhightower/envconfig"
 )
 type Config struct {
    DBPassword string `envconfig:"DB_PASSWORD" required:"true"`
    APIKey     string `envconfig:"API_KEY" required:"true"`
    JWTSecret  string `envconfig:"JWT_SECRET" required:"true"`
    Port       int    `envconfig:"PORT" default:"3000"`
 }
 func Load() (*Config, error) {
    var cfg Config
    if err := envconfig.Process("", &cfg); err != nil {
        return nil, fmt.Errorf("invalid environment: %w", err)
    }
    return &cfg, nil
 }
 ```
 In your `main.go`:
 ```go
 cfg, err := config.Load()
 if err != nil {
    fmt.Fprintln(os.Stderr, err)
    os.Exit(1)
 }
 ```
 ---
 ## Direct-Vault Opt-In Pattern
 Use this pattern ONLY when a documented dynamic-secrets requirement applies (DB rotation with short TTLs, AWS STS, PKI, per-request audit). Document the justification in the project README under "Secrets architecture" before implementing.
 ### When it is justified
 - Vault DB secrets engine with lease TTLs shorter than a typical pod lifecycle (< 1 hour)
 - AWS STS assume-role tokens generated per-request
 - Vault PKI short-lived certificates (< 24 hours) that must be renewed within a running pod
 - Per-request audit trail requirement (each app call must appear separately in Vault audit log)
 ### Provision an AppRole for the app
 ```bash
 # Enable AppRole auth (if not already enabled)
 vault auth enable approle
 # Create a Vault policy for the app
 # Note: KV v2 paths require both the exact path (for the top-level secret) and the
 # wildcard (for sub-paths). Always include both to avoid permission denied errors.
 vault policy write <app>-policy - <<EOF
 path "secret/data/k3s/<app>" {
  capabilities = ["read"]
 }
 path "secret/data/k3s/<app>/*" {
  capabilities = ["read"]
 }
 path "database/creds/<app>-role" {
  capabilities = ["read"]
 }
 EOF
 # Create the AppRole
 vault write auth/approle/role/<app>-role \
  token_policies="<app>-policy" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=0
 # Retrieve role-id and secret-id
 vault read auth/approle/role/<app>-role/role-id
 vault write -f auth/approle/role/<app>-role/secret-id
 ```
 ### Bootstrap AppRole credentials via ESO (solving the chicken-and-egg problem)
 The AppRole `role-id` and `secret-id` are themselves secrets. Store them in Vault at a bootstrap path, then use ESO to sync them into a k8s Secret. The app reads that k8s Secret at startup to authenticate with Vault directly.
 ```bash
 # Store the bootstrap credentials in Vault
 vault kv put secret/k3s/<app>-bootstrap \
  role_id="<role-id>" \
  secret_id="<secret-id>"
 ```
 ```yaml
 # deploy/external-secret-bootstrap.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: <app>-vault-auth
  namespace: <namespace>
 spec:
  refreshInterval: 24h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: <app>-vault-auth
    creationPolicy: Owner
  data:
    - secretKey: VAULT_ROLE_ID
      remoteRef:
        key: secret/k3s/<app>-bootstrap
        property: role_id
    - secretKey: VAULT_SECRET_ID
      remoteRef:
        key: secret/k3s/<app>-bootstrap
        property: secret_id
 ```
 ```yaml
 # deploy/deployment.yaml (env section for Direct-Vault app)
 env:
  - name: VAULT_ADDR
    value: "https://vault.example.com"  # safe-default: non-secret cluster address
  - name: VAULT_ROLE_ID
    valueFrom:
      secretKeyRef:
        name: <app>-vault-auth
        key: VAULT_ROLE_ID
  - name: VAULT_SECRET_ID
    valueFrom:
      secretKeyRef:
        name: <app>-vault-auth
        key: VAULT_SECRET_ID
 ```
 ### App-side Vault client pattern
 ```typescript
 // src/vault-client.ts — only exists in Direct-Vault apps
 import vault from 'node-vault';
 import { z } from 'zod';
 const bootstrapSchema = z.object({
  VAULT_ADDR: z.string().url(),
  VAULT_ROLE_ID: z.string().min(1),
  VAULT_SECRET_ID: z.string().min(1),
 });
 const bootstrap = bootstrapSchema.parse(process.env);
 const client = vault({ endpoint: bootstrap.VAULT_ADDR });
 export async function getVaultClient() {
  const { auth } = await client.approleLogin({
    role_id: bootstrap.VAULT_ROLE_ID,
    secret_id: bootstrap.VAULT_SECRET_ID,
  });
  client.token = auth.client_token;
  return client;
 }
 ```
 Document in README under "Secrets architecture": the Vault path, why Direct-Vault is required, and the lease/renewal strategy.
 ---
 ## Forbidden Patterns (CI Lint Targets)
 The following patterns are forbidden in all Mosaic projects. CI lint SHOULD catch these automatically (implementation tracked separately). Agents MUST NOT introduce these patterns.
 ### 1. Untagged fallback defaults for required values
 ```yaml
 # FORBIDDEN — required secret with silent fallback
 environment:
  - DB_PASSWORD=${DB_PASSWORD:-changeme}
  - API_KEY=${API_KEY:-}
 # REQUIRED — fast-fail on missing required values
 environment:
  - DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD is required}
  - API_KEY=${API_KEY:?API_KEY is required}
 # ALLOWED — true convenience default, tagged
 environment:
  - PORT=${PORT:-3000}  # safe-default: non-secret, app works at any port
 ```
 This applies to: `docker-compose.yml`, k8s manifests, Helm `values.yaml`, any env file committed to git.
 ### 2. Vault KV calls in application source code (ESO-default projects)
 ```python
 # FORBIDDEN in ESO-default apps — direct Vault client in app source
 import hvac
 client = hvac.Client(url=os.environ['VAULT_ADDR'])
 secret = client.secrets.kv.v2.read_secret_version(path='myapp/db')
 ```
 ESO-default apps read env vars only. Direct-Vault clients belong only in apps with a documented dynamic-secrets justification in README.
 ### 3. Hardcoded secrets or API keys in committed files
 ```python
 # FORBIDDEN — hardcoded credential
 DB_PASSWORD = "supersecret123"
 API_KEY = "sk-live-abc123"
 ```
 No exceptions. CI lint must flag any string matching common secret patterns (`password`, `secret`, `api_key`, `token` assigned a literal non-env-var value).
 ### 4. `.env` files in production deployment paths
 ```
 # FORBIDDEN — .env file in a production deploy path
 deploy/.env
 k8s/.env
 docker/.env
 # ALLOWED — local dev only
 .env.example          # template only, no real values
 .env                  # local dev, must be in .gitignore
 ```
 `.env` files are acceptable in local-dev contexts only and MUST be in `.gitignore`. They are forbidden in any path that a CI pipeline or production deployment process reads directly.
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -91,6 +91,31 @@ get_remote_host() {
    return 1
 }
 # Resolve the tea login name for the given Gitea host.
 # Priority: explicit caller override → known Mosaic host mapping → no forced login.
 get_gitea_login() {
    local host="$1"
    if [[ -n "${GITEA_LOGIN:-}" ]]; then
        echo "$GITEA_LOGIN"
        return 0
    fi
    case "$host" in
        git.mosaicstack.dev)
            echo "mosaicstack"
            return 0
            ;;
        git.uscllc.com)
            echo "usc"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
 }
 # Resolve a Gitea API token for the given host.
 # Priority: Mosaic credential loader → GITEA_TOKEN env → ~/.git-credentials
 get_gitea_token() {
@@ -104,6 +129,10 @@ get_gitea_token() {
        local token
        token=$(
            source "$cred_loader"
            # load_credentials preserves pre-existing env vars by design. Clear
            # Gitea env in this subshell so host-specific credential lookup wins
            # over an ambient token for a different Gitea instance.
            unset GITEA_TOKEN GITEA_URL
            case "$host" in
                git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;
--- a/packages/mosaic/framework/tools/git/pr-merge.sh
+++ b/packages/mosaic/framework/tools/git/pr-merge.sh
@@ -69,6 +69,11 @@ if [[ -z "$PR_NUMBER" ]]; then
    usage
 fi
 if [[ ! "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
    echo "Error: PR number must be numeric." >&2
    exit 1
 fi
 if [[ "$MERGE_METHOD" != "squash" ]]; then
    echo "Error: Mosaic policy enforces squash merge only. Received '$MERGE_METHOD'." >&2
    exit 1
@@ -94,19 +99,31 @@ REPO=$(get_repo_name)
 case "$PLATFORM" in
    github)
-        CMD="gh pr merge $PR_NUMBER --squash"
+        CMD=(gh pr merge "$PR_NUMBER" --squash)
-        [[ "$DELETE_BRANCH" == true ]] && CMD="$CMD --delete-branch"
+        [[ "$DELETE_BRANCH" == true ]] && CMD+=(--delete-branch)
-        eval "$CMD"
+        "${CMD[@]}"
        ;;
    gitea)
-        CMD="tea pr merge $PR_NUMBER --style squash --repo $OWNER/$REPO --login ${GITEA_LOGIN:-mosaicstack}"
+        HOST=$(get_remote_host) || {
            echo "Error: Could not determine remote host." >&2
            exit 1
        }
        CMD=(tea pr merge "$PR_NUMBER" --style squash --repo "$OWNER/$REPO")
        GITEA_TEA_LOGIN=$(get_gitea_login "$HOST" || true)
        if [[ -n "$GITEA_TEA_LOGIN" ]]; then
            if [[ ! "$GITEA_TEA_LOGIN" =~ ^[A-Za-z0-9._-]+$ ]]; then
                echo "Error: Gitea tea login contains unsupported characters." >&2
                exit 1
            fi
            CMD+=(--login "$GITEA_TEA_LOGIN")
        fi
        # Delete branch after merge if requested
        if [[ "$DELETE_BRANCH" == true ]]; then
            echo "Note: Branch deletion after merge may need to be done separately with tea" >&2
        fi
-        eval "$CMD"
+        "${CMD[@]}"
        ;;
    *)
        echo "Error: Could not detect git platform" >&2
--- a/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
+++ b/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
@@ -0,0 +1,97 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 source "$SCRIPT_DIR/detect-platform.sh"
 fail() {
  echo "FAIL: $*" >&2
  exit 1
 }
 assert_eq() {
  local expected="$1"
  local actual="$2"
  local message="$3"
  if [[ "$actual" != "$expected" ]]; then
    fail "$message: expected '$expected', got '$actual'"
  fi
 }
 unset GITEA_LOGIN || true
 assert_eq "usc" "$(get_gitea_login git.uscllc.com)" "USC Gitea host should select usc tea login"
 assert_eq "mosaicstack" "$(get_gitea_login git.mosaicstack.dev)" "Mosaic Gitea host should select mosaicstack tea login"
 GITEA_LOGIN="custom-login"
 export GITEA_LOGIN
 assert_eq "custom-login" "$(get_gitea_login git.uscllc.com)" "Explicit GITEA_LOGIN should override host default"
 unset GITEA_LOGIN || true
 unknown_login="$(get_gitea_login git.example.invalid || true)"
 assert_eq "" "$unknown_login" "Unknown Gitea hosts should not force a mismatched login"
 TEST_WORKDIR="${TEST_WORKDIR:-$SCRIPT_DIR/tests/.tmp-gitea-login-selection}"
 rm -rf "$TEST_WORKDIR"
 mkdir -p "$TEST_WORKDIR"
 trap 'rm -rf "$TEST_WORKDIR"' EXIT
 cat > "$TEST_WORKDIR/credentials.json" <<'JSON'
 {
  "gitea": {
    "mosaicstack": {
      "url": "https://git.mosaicstack.dev",
      "token": "mosaic-token"
    },
    "usc": {
      "url": "https://git.uscllc.com",
      "token": "usc-token"
    }
  }
 }
 JSON
 export MOSAIC_CREDENTIALS_FILE="$TEST_WORKDIR/credentials.json"
 GITEA_TOKEN="ambient-wrong-token"
 GITEA_URL="https://git.mosaicstack.dev"
 export GITEA_TOKEN GITEA_URL
 assert_eq "usc-token" "$(get_gitea_token git.uscllc.com)" "Host-specific credential lookup should ignore ambient mismatched GITEA_TOKEN"
 assert_eq "mosaic-token" "$(get_gitea_token git.mosaicstack.dev)" "Host-specific credential lookup should select Mosaic token for Mosaic host"
 FAKEBIN="$TEST_WORKDIR/fakebin"
 REPO_DIR="$TEST_WORKDIR/repo"
 CAPTURE_FILE="$TEST_WORKDIR/tea-args.txt"
 mkdir -p "$FAKEBIN" "$REPO_DIR"
 cat > "$FAKEBIN/python3" <<'SH'
 #!/usr/bin/env bash
 cat >/dev/null
 printf 'main\n'
 SH
 chmod +x "$FAKEBIN/python3"
 cat > "$FAKEBIN/tea" <<'SH'
 #!/usr/bin/env bash
 printf '%s\n' "$@" > "$TEA_CAPTURE_FILE"
 SH
 chmod +x "$FAKEBIN/tea"
 (
  cd "$REPO_DIR"
  git init -q
  git remote add origin https://git.uscllc.com/USC/uconnect.git
  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905
 )
 assert_eq $'pr\nmerge\n1905\n--style\nsquash\n--repo\nUSC/uconnect\n--login\nusc' "$(cat "$CAPTURE_FILE")" "pr-merge should pass USC tea login as isolated argv entries"
 PWNED_FILE="$TEST_WORKDIR/pwned"
 if (
  cd "$REPO_DIR"
  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" GITEA_LOGIN="bad;touch $PWNED_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905 >/dev/null 2>&1
 ); then
  fail "pr-merge should reject GITEA_LOGIN values with shell metacharacters"
 fi
 if [[ -e "$PWNED_FILE" ]]; then
  fail "pr-merge executed shell metacharacters from GITEA_LOGIN"
 fi
 echo "gitea-login-selection tests passed"