feat(mosaic-as): agent registration endpoint + scoped/revocable tokens (US-007)

POST /bridge/v1/agents mints/ensures @agent-<alias>-<host> and returns a
scoped, revocable per-agent bridge token. Adds POST /bridge/v1/agents/revoke
(manual revoke from day one) and GET /bridge/v1/agents (reconciliation source
that never advertises revoked/phantom agents).

Persistence: per-agent token sha256 hashes stored in Matrix account_data on the
AS sender user (org.uscllc.mosaic_as.agents) — no new infra, survives restart.
Tokens are magt_-prefixed high-entropy random; plaintext is never persisted and
returned exactly once. Per-agent tokens are scoped: usable only to act as their
own agent on /bridge/v1/messages|typing; host bridgeTokens stay unscoped.
Registration/revoke/list are host-token-only.

Independent opus security review: PASS (no critical/high). Remediated the one
MEDIUM (agent-slug collision: distinct alias/host pairs joining to the same
Matrix id now rejected instead of silently overwriting) + regression test.

Closes #540

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/appservice/src/__tests__/server.test.ts

@@ -3,6 +3,8 @@ import { describe, expect, it, vi } from 'vitest';
 import { AppserviceDaemon } from '../server.js';
 import type { DaemonConfig, DaemonRequest } from '../server.js';
 
+const AGENTS_TYPE = 'org.uscllc.mosaic_as.agents';
+
 const cfg: DaemonConfig = {
   homeserverUrl: 'https://hs.example',
   domain: 'hs.example',
@@ -137,6 +139,240 @@ describe('AppserviceDaemon routing', () => {
     expect(res.status).toBe(405);
   });
 
+  it('provisions a room as the AS sender with space linking', async () => {
+    const calls: Array<{ url: URL; body: unknown }> = [];
+    const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => {
+      const url = new URL(String(input));
+      calls.push({ url, body: init?.body ? JSON.parse(String(init.body)) : undefined });
+      if (url.pathname.endsWith('/createRoom'))
+        return jsonResponse(200, { room_id: '!new:hs.example' });
+      return jsonResponse(200, {});
+    });
+    const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
+    const res = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/provision/rooms',
+        authorizationHeader: 'Bearer bridge-secret',
+        body: {
+          name: 'proj-x',
+          alias: 'mosaic-proj-x',
+          invite: ['@jason.woltje:hs.example'],
+          space_id: '!space:hs.example',
+        },
+      }),
+    );
+    expect(res.status).toBe(200);
+    expect(res.body.room_id).toBe('!new:hs.example');
+    expect(res.body.space_linked).toBe(true);
+    const create = calls.find((c) => c.url.pathname.endsWith('/createRoom'));
+    expect(create!.url.searchParams.get('user_id')).toBe('@mosaic-as:hs.example');
+    const body = create!.body as Record<string, unknown>;
+    expect(body.room_alias_name).toBe('mosaic-proj-x');
+    expect((body.power_level_content_override as Record<string, unknown>).users).toEqual({
+      '@mosaic-as:hs.example': 100,
+    });
+    expect(calls.some((c) => c.url.pathname.includes('/state/m.space.child/'))).toBe(true);
+    expect(calls.some((c) => c.url.pathname.includes('/state/m.space.parent/'))).toBe(true);
+  });
+
+  it('space-link failure still returns the room id (no orphan)', async () => {
+    const fetchMock = vi.fn(async (input: URL | string) => {
+      const url = new URL(String(input));
+      if (url.pathname.endsWith('/createRoom'))
+        return jsonResponse(200, { room_id: '!new:hs.example' });
+      if (url.pathname.includes('/state/m.space.child/'))
+        return jsonResponse(403, { errcode: 'M_FORBIDDEN', error: 'no PL in space' });
+      return jsonResponse(200, {});
+    });
+    const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
+    const res = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/provision/rooms',
+        authorizationHeader: 'Bearer bridge-secret',
+        body: { name: 'proj-x', space_id: '!space:hs.example' },
+      }),
+    );
+    expect(res.status).toBe(200);
+    expect(res.body.room_id).toBe('!new:hs.example');
+    expect(res.body.space_linked).toBe(false);
+    expect(String(res.body.space_error)).toContain('403');
+  });
+
+  it('invite list cap enforced', async () => {
+    const { daemon } = makeDaemon();
+    const res = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/provision/rooms',
+        authorizationHeader: 'Bearer bridge-secret',
+        body: { name: 'x', invite: Array.from({ length: 51 }, (_, i) => `@u${i}:hs`) },
+      }),
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it('provision rejects bad payloads and requires auth', async () => {
+    const { daemon } = makeDaemon();
+    const noAuth = await daemon.handle(
+      request({ method: 'POST', path: '/bridge/v1/provision/rooms', body: { name: 'x' } }),
+    );
+    expect(noAuth.status).toBe(403);
+    const bad = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/provision/rooms',
+        authorizationHeader: 'Bearer bridge-secret',
+        body: { name: '', alias: 'BAD ALIAS' },
+      }),
+    );
+    expect(bad.status).toBe(400);
+  });
+
+  // A daemon whose fetch mock backs account_data with a mutable in-test object,
+  // so register/verify/revoke round-trip through the (faked) homeserver.
+  const makeAgentDaemon = () => {
+    const accountData: { value: Record<string, unknown> | null } = { value: null };
+    const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => {
+      const url = new URL(String(input));
+      const path = url.pathname;
+      if (path.includes(`/account_data/${AGENTS_TYPE}`)) {
+        if (init?.method === 'PUT') {
+          accountData.value = JSON.parse(String(init.body)) as Record<string, unknown>;
+          return jsonResponse(200, {});
+        }
+        if (accountData.value === null) {
+          return jsonResponse(404, { errcode: 'M_NOT_FOUND', error: 'not found' });
+        }
+        return jsonResponse(200, accountData.value);
+      }
+      if (path.endsWith('/register')) return jsonResponse(200, { user_id: 'whatever' });
+      if (path.includes('/send/m.room.message/')) return jsonResponse(200, { event_id: '$sent' });
+      return jsonResponse(200, {});
+    });
+    const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
+    return { daemon, fetchMock };
+  };
+
+  const registerAgent = async (
+    daemon: AppserviceDaemon,
+    body: Record<string, unknown> = { alias: 'pi0', host: 'web1' },
+  ) =>
+    daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/agents',
+        authorizationHeader: 'Bearer bridge-secret',
+        body,
+      }),
+    );
+
+  it('host token registers an agent and returns agent_user_id + bridge_token', async () => {
+    const { daemon, fetchMock } = makeAgentDaemon();
+    const res = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
+    expect(res.status).toBe(200);
+    expect(res.body.agent_user_id).toBe('@agent-pi0-web1:hs.example');
+    expect(String(res.body.bridge_token).startsWith('magt_')).toBe(true);
+    const registerCall = fetchMock.mock.calls
+      .map((c) => new URL(String(c[0])))
+      .find((u) => u.pathname.endsWith('/register'));
+    expect(registerCall).toBeDefined();
+  });
+
+  it('register requires a HOST token (agent token and no token are 403)', async () => {
+    const { daemon } = makeAgentDaemon();
+    const minted = await registerAgent(daemon);
+    const agentToken = String(minted.body.bridge_token);
+
+    const asAgent = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/agents',
+        authorizationHeader: `Bearer ${agentToken}`,
+        body: { alias: 'pi1', host: 'web2' },
+      }),
+    );
+    expect(asAgent.status).toBe(403);
+
+    const noAuth = await daemon.handle(
+      request({ method: 'POST', path: '/bridge/v1/agents', body: { alias: 'pi1', host: 'web2' } }),
+    );
+    expect(noAuth.status).toBe(403);
+  });
+
+  it('agent-scoped token may send as itself but not as another agent', async () => {
+    const { daemon } = makeAgentDaemon();
+    const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
+    const agentToken = String(minted.body.bridge_token);
+
+    const self = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/messages',
+        authorizationHeader: `Bearer ${agentToken}`,
+        body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
+      }),
+    );
+    expect(self.status).toBe(200);
+
+    const other = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/messages',
+        authorizationHeader: `Bearer ${agentToken}`,
+        body: { room_id: '!r:hs.example', agent: 'pi9-web9', body: 'hi' },
+      }),
+    );
+    expect(other.status).toBe(403);
+    expect(other.body.error).toBe('token not scoped to this agent');
+  });
+
+  it('revoked agent token is rejected on messages', async () => {
+    const { daemon } = makeAgentDaemon();
+    const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
+    const agentToken = String(minted.body.bridge_token);
+
+    const revoke = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/agents/revoke',
+        authorizationHeader: 'Bearer bridge-secret',
+        body: { agent_user_id: '@agent-pi0-web1:hs.example' },
+      }),
+    );
+    expect(revoke.status).toBe(200);
+    expect(revoke.body.revoked).toBe(1);
+
+    const afterRevoke = await daemon.handle(
+      request({
+        method: 'POST',
+        path: '/bridge/v1/messages',
+        authorizationHeader: `Bearer ${agentToken}`,
+        body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
+      }),
+    );
+    expect(afterRevoke.status).toBe(403);
+  });
+
+  it('GET /bridge/v1/agents lists registered agents (host only)', async () => {
+    const { daemon } = makeAgentDaemon();
+    await registerAgent(daemon, { alias: 'pi0', host: 'web1', display_name: 'Pi Zero' });
+
+    const res = await daemon.handle(
+      request({
+        method: 'GET',
+        path: '/bridge/v1/agents',
+        authorizationHeader: 'Bearer bridge-secret',
+      }),
+    );
+    expect(res.status).toBe(200);
+    const agents = res.body.agents as Array<Record<string, unknown>>;
+    expect(agents).toHaveLength(1);
+    expect(agents[0]?.agent_user_id).toBe('@agent-pi0-web1:hs.example');
+    expect(agents[0]?.display_name).toBe('Pi Zero');
+  });
+
   it('empty bridge token list denies everything', async () => {
     const daemon = new AppserviceDaemon({ ...cfg, bridgeTokens: [] }, undefined, () => {});
     const res = await daemon.handle(

apps/appservice/src/server.ts

@@ -1,10 +1,14 @@
 import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
 
 import {
+  AgentTokenStore,
   AppserviceIntent,
   TransactionHandler,
   validateBridgeMessage,
   validateBridgeTyping,
+  validateProvisionRoom,
+  validateRegisterAgent,
+  validateRevokeAgent,
 } from '@mosaicstack/appservice';
 import type { AppserviceConfig, MatrixEvent } from '@mosaicstack/appservice';
 
@@ -36,6 +40,13 @@ const safeEqual = (a: string, b: string): boolean => timingSafeEqual(digest(a),
 
 const TXN_PATH = /^\/_matrix\/app\/v1\/transactions\/([^/]+)$/;
 
+/**
+ * Resolved identity for an authenticated /bridge/v1/* caller. Host principals
+ * (the agent-comms host daemons) are unrestricted; agent principals are scoped
+ * to a single virtual user and may only act as themselves.
+ */
+export type BridgePrincipal = { kind: 'host' } | { kind: 'agent'; agentUserId: string } | null;
+
 /**
  * HTTP-framework-agnostic request router for the mosaic-as daemon: the
  * Application Service transactions endpoint (Synapse-facing) plus the
@@ -45,6 +56,7 @@ const TXN_PATH = /^\/_matrix\/app\/v1\/transactions\/([^/]+)$/;
 export class AppserviceDaemon {
   readonly intent: AppserviceIntent;
   private readonly transactions: TransactionHandler;
+  private readonly agents: AgentTokenStore;
 
   constructor(
     private readonly cfg: DaemonConfig,
@@ -52,6 +64,7 @@ export class AppserviceDaemon {
     private readonly log: (line: string) => void = (line) => console.log(line),
   ) {
     this.intent = new AppserviceIntent(cfg, fetchImpl);
+    this.agents = new AgentTokenStore(this.intent);
     this.transactions = new TransactionHandler({
       hsToken: cfg.hsToken,
       onEvent: (event) => this.onEvent(event),
@@ -68,10 +81,20 @@ export class AppserviceDaemon {
     }
   }
 
-  private bridgeAuthorized(authorizationHeader: string | undefined): boolean {
+  /** Resolve the calling principal, or null when unauthorized. Fail-closed:
-    if (!authorizationHeader?.startsWith('Bearer ')) return false;
+   * host tokens win (timing-safe compare); otherwise a magt_* bearer is looked
+   * up in the agent token store; anything else is rejected. */
+  private async bridgeAuthorized(
+    authorizationHeader: string | undefined,
+  ): Promise<BridgePrincipal> {
+    if (!authorizationHeader?.startsWith('Bearer ')) return null;
     const presented = authorizationHeader.slice('Bearer '.length);
-    return this.cfg.bridgeTokens.some((token) => safeEqual(presented, token));
+    if (this.cfg.bridgeTokens.some((token) => safeEqual(presented, token))) {
+      return { kind: 'host' };
+    }
+    const agentUserId = await this.agents.verifyToken(presented);
+    if (agentUserId) return { kind: 'agent', agentUserId };
+    return null;
   }
 
   async handle(req: DaemonRequest): Promise<DaemonResponse> {
@@ -88,12 +111,60 @@ export class AppserviceDaemon {
     }
 
     if (req.path.startsWith('/bridge/v1/')) {
-      if (!this.bridgeAuthorized(req.authorizationHeader)) {
+      const principal = await this.bridgeAuthorized(req.authorizationHeader);
+      if (!principal) {
         return { status: 403, body: { errcode: 'M_FORBIDDEN', error: 'bad bridge token' } };
       }
       try {
+        if (req.method === 'POST' && req.path === '/bridge/v1/agents') {
+          if (principal.kind !== 'host') {
+            return {
+              status: 403,
+              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot register agents' },
+            };
+          }
+          validateRegisterAgent(req.body);
+          const { agentUserId, token } = await this.agents.register({
+            alias: req.body.alias,
+            host: req.body.host,
+            displayName: req.body.display_name,
+          });
+          this.log(`registered agent ${agentUserId}`);
+          return { status: 200, body: { agent_user_id: agentUserId, bridge_token: token } };
+        }
+        if (req.method === 'POST' && req.path === '/bridge/v1/agents/revoke') {
+          if (principal.kind !== 'host') {
+            return {
+              status: 403,
+              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot revoke agents' },
+            };
+          }
+          validateRevokeAgent(req.body);
+          const revoked = await this.agents.revoke(req.body.agent_user_id);
+          this.log(`revoked ${revoked} token(s) for ${req.body.agent_user_id}`);
+          return { status: 200, body: { revoked } };
+        }
+        if (req.method === 'GET' && req.path === '/bridge/v1/agents') {
+          if (principal.kind !== 'host') {
+            return {
+              status: 403,
+              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot list agents' },
+            };
+          }
+          const agents = await this.agents.list();
+          return { status: 200, body: { agents } };
+        }
         if (req.method === 'POST' && req.path === '/bridge/v1/messages') {
           validateBridgeMessage(req.body);
+          if (
+            principal.kind === 'agent' &&
+            this.intent.agentUserId(req.body.agent) !== principal.agentUserId
+          ) {
+            return {
+              status: 403,
+              body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
+            };
+          }
           const eventId = await this.intent.sendAsAgent({
             roomId: req.body.room_id,
             agent: req.body.agent,
@@ -106,9 +177,39 @@ export class AppserviceDaemon {
         }
         if (req.method === 'POST' && req.path === '/bridge/v1/typing') {
           validateBridgeTyping(req.body);
+          if (
+            principal.kind === 'agent' &&
+            this.intent.agentUserId(req.body.agent) !== principal.agentUserId
+          ) {
+            return {
+              status: 403,
+              body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
+            };
+          }
           await this.intent.setTyping(req.body.room_id, req.body.agent, req.body.typing);
           return { status: 200, body: {} };
         }
+        if (req.method === 'POST' && req.path === '/bridge/v1/provision/rooms') {
+          validateProvisionRoom(req.body);
+          const result = await this.intent.createRoom({
+            name: req.body.name,
+            alias: req.body.alias,
+            topic: req.body.topic,
+            invite: req.body.invite,
+            spaceId: req.body.space_id,
+          });
+          this.log(
+            `provisioned room ${result.roomId} (${req.body.name}) space_linked=${result.spaceLinked}`,
+          );
+          return {
+            status: 200,
+            body: {
+              room_id: result.roomId,
+              space_linked: result.spaceLinked,
+              ...(result.spaceError ? { space_error: result.spaceError } : {}),
+            },
+          };
+        }
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
         this.log(`bridge error ${req.method} ${req.path}: ${message}`);

docs/scratchpads/536-wrapper-login-pin.md

@@ -0,0 +1,50 @@
+# Issue 536 Wrapper Login Pin Scratchpad
+
+## Metadata
+
+- Date: 2026-06-12
+- Worktree: `/home/hermes/agent-work/536-wrapper-audit`
+- Branch: `fix/536-wrapper-login-pin`
+- Coordinator: `mos-claude`
+- Issue: `mosaicstack/stack#536`
+- Scope: Audit and fix Gitea git wrappers that hardcode or incorrectly inherit tea login/instance selection.
+
+## Objective
+
+Fix the framework git wrappers so Gitea issue/PR operations resolve the tea login from the target repository host instead of pinning `mosaicstack`. The fix must cover the class of bug across `packages/mosaic/framework/tools/git/`, not only `issue-close.sh`.
+
+## Acceptance Criteria
+
+1. `issue-close.sh` no longer uses `--login mosaicstack` for non-mosaic hosts.
+2. All wrappers in `packages/mosaic/framework/tools/git/` avoid hardcoded Gitea login fallback where host-specific resolution is available.
+3. Host-specific resolution works for `git.mosaicstack.dev` and `git.uscllc.com` using configured credentials / tea login data.
+4. Read-only verification runs against both Gitea instances where possible.
+5. Queue guard passes before push, PR is opened referencing #536, and merge is left to the coordinator.
+
+## Progress Log
+
+- Read required Mosaic hard-gate docs and coordinator briefing.
+- Read issue #536 via Gitea API with mosaicstack credentials.
+- Initial audit found hardcoded `${GITEA_LOGIN:-mosaicstack}` in issue and PR wrappers, plus shared `get_gitea_repo_args`.
+- Added host-aware Gitea login resolution in `detect-platform.sh`, including exact host matching for `tea login list` entries and HTTPS remotes with embedded credentials.
+- Updated Gitea issue, PR, milestone, and CI wrappers to use resolved host-specific tea login arguments instead of defaulting to `mosaicstack`.
+- Added authenticated API fallbacks for close/reopen paths so wrappers can still operate when a matching `tea` login is absent but token credentials are available.
+- Added regression coverage for stale `GITEA_LOGIN`, exact host matching, `--repo` override flows, USC issue close routing, mosaicstack API fallback, and PR metadata/merge fallbacks.
+- Delta after PR #538 review: extended host-aware login/repo resolution to PowerShell wrappers, Bash milestone wrappers, and API-only `--repo` fallback paths.
+- Delta after live USC `pr-create.sh` repro: tightened `GITEA_LOGIN` trust so stale login names are ignored unless the tea login itself matches the target host, and added USC API fallback coverage for `pr-create.sh`.
+
+## Verification
+
+- `bash -n packages/mosaic/framework/tools/git/*.sh`
+- `packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh`
+- `packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`
+- `packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh`
+- `pwsh -NoProfile` parse check for all `packages/mosaic/framework/tools/git/*.ps1`
+- `pnpm typecheck`
+- `pnpm lint`
+- `pnpm format:check`
+- `pnpm --filter @mosaicstack/mosaic test -- src/commands/git-wrapper-redirects.spec.ts`
+- `pnpm test` progressed past wrapper redirect assertions; local run then stopped on `apps/gateway` Postgres connection refused at `localhost:5433`, which CI provides as a service.
+- Live read-only: direct Gitea API read of `mosaicstack/stack#536` with `User-Agent: curl/8`.
+- Live read-only: USC temporary repo remote to `https://git.uscllc.com/USC/uconnect.git`; `issue-list.sh -n 1` resolved the USC login and returned USC issues.
+- Independent Codex review final verdict: approve, no findings.

packages/appservice/src/__tests__/agent-store.test.ts

@@ -0,0 +1,116 @@
+import { describe, expect, it } from 'vitest';
+
+import { AGENTS_ACCOUNT_DATA_TYPE, AgentTokenStore } from '../agent-store.js';
+import type { AppserviceIntent } from '../intent.js';
+
+/** Fake intent: in-memory account_data, no-op user provisioning. Only the
+ * surface AgentTokenStore touches is implemented. */
+const makeFakeIntent = () => {
+  const store: Record<string, Record<string, unknown>> = {};
+  const fake = {
+    domain: 'hs.example',
+    getSenderAccountData: async (type: string): Promise<Record<string, unknown> | null> =>
+      store[type] ?? null,
+    setSenderAccountData: async (type: string, content: Record<string, unknown>): Promise<void> => {
+      store[type] = structuredClone(content);
+    },
+    ensureRegistered: async (agent: string): Promise<string> => `@agent-${agent}:hs.example`,
+    setDisplayName: async (): Promise<void> => {},
+  };
+  return { intent: fake as unknown as AppserviceIntent, store };
+};
+
+describe('AgentTokenStore', () => {
+  it('mints a magt_ token and stores only its sha256 (never plaintext)', async () => {
+    const { intent, store } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
+
+    expect(agentUserId).toBe('@agent-pi0-web1:hs.example');
+    expect(token.startsWith('magt_')).toBe(true);
+
+    const raw = JSON.stringify(store[AGENTS_ACCOUNT_DATA_TYPE]);
+    expect(raw).not.toContain(token);
+    // The stored hash is sha256hex(token), 64 hex chars.
+    const { createHash } = await import('node:crypto');
+    const hash = createHash('sha256').update(token).digest('hex');
+    expect(raw).toContain(hash);
+  });
+
+  it('verifyToken returns the agentUserId for a fresh token, null otherwise', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
+
+    expect(await s.verifyToken(token)).toBe(agentUserId);
+    expect(await s.verifyToken('magt_garbage')).toBeNull();
+    expect(await s.verifyToken('not-a-token')).toBeNull();
+    expect(await s.verifyToken('')).toBeNull();
+  });
+
+  it('revoke invalidates tokens, returns count, and hides agent from list', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
+
+    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
+
+    const count = await s.revoke(agentUserId);
+    expect(count).toBe(1);
+    expect(await s.verifyToken(token)).toBeNull();
+    expect((await s.list()).map((a) => a.agent_user_id)).not.toContain(agentUserId);
+
+    // Idempotent on unknown / already-revoked.
+    expect(await s.revoke(agentUserId)).toBe(0);
+    expect(await s.revoke('@agent-nope:hs.example')).toBe(0);
+  });
+
+  it('re-register after revoke yields a working token and the agent reappears', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    const { agentUserId, token: t1 } = await s.register({ alias: 'pi0', host: 'web1' });
+    await s.revoke(agentUserId);
+
+    const { token: t2 } = await s.register({ alias: 'pi0', host: 'web1' });
+    expect(await s.verifyToken(t1)).toBeNull();
+    expect(await s.verifyToken(t2)).toBe(agentUserId);
+    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
+  });
+
+  it('agent A token never verifies as agent B', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    const a = await s.register({ alias: 'pi0', host: 'web1' });
+    const b = await s.register({ alias: 'pi1', host: 'web2' });
+
+    expect(await s.verifyToken(a.token)).toBe(a.agentUserId);
+    expect(await s.verifyToken(b.token)).toBe(b.agentUserId);
+    expect(a.agentUserId).not.toBe(b.agentUserId);
+  });
+
+  it('rejects an ambiguous re-registration that collides on one Matrix id', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    // alias="a-b",host="c" and alias="a",host="b-c" both -> @agent-a-b-c.
+    const first = await s.register({ alias: 'a-b', host: 'c' });
+    expect(first.agentUserId).toBe('@agent-a-b-c:hs.example');
+
+    await expect(s.register({ alias: 'a', host: 'b-c' })).rejects.toThrow(/collision/);
+
+    // The original registration is untouched: still one active token, correct pair.
+    expect(await s.verifyToken(first.token)).toBe(first.agentUserId);
+    const summary = (await s.list()).find((x) => x.agent_user_id === first.agentUserId);
+    expect(summary?.alias).toBe('a-b');
+    expect(summary?.host).toBe('c');
+    expect(summary?.active_token_count).toBe(1);
+  });
+
+  it('display_name is stored and surfaced in list', async () => {
+    const { intent } = makeFakeIntent();
+    const s = new AgentTokenStore(intent);
+    await s.register({ alias: 'pi0', host: 'web1', displayName: 'Pi Zero' });
+    const summary = (await s.list())[0];
+    expect(summary?.display_name).toBe('Pi Zero');
+    expect(summary?.active_token_count).toBe(1);
+  });
+});

packages/appservice/src/agent-registry.dto.ts

@@ -0,0 +1,63 @@
+/** DTOs for agent registration + scoped/revocable bridge tokens (US-007). */
+
+export interface RegisterAgentDto {
+  /** Agent alias slug, e.g. "pi0". Combined with host into the agent slug. */
+  alias: string;
+  /** Host slug, e.g. "web1". Combined with alias into the agent slug. */
+  host: string;
+  display_name?: string;
+}
+
+export interface RevokeAgentDto {
+  agent_user_id: string;
+}
+
+export interface RegisterAgentResponse {
+  agent_user_id: string;
+  bridge_token: string;
+}
+
+export interface AgentSummary {
+  agent_user_id: string;
+  alias: string;
+  host: string;
+  display_name?: string;
+  created_at: string;
+  active_token_count: number;
+}
+
+const SLUG_RE = /^[a-z0-9][a-z0-9_.-]*$/;
+
+/** Combined agent slug, e.g. alias="pi0", host="web1" -> "pi0-web1". */
+export function agentSlug(alias: string, host: string): string {
+  return `${alias}-${host}`;
+}
+
+const assertSlug = (value: unknown, field: string): void => {
+  if (typeof value !== 'string' || value.length === 0 || !SLUG_RE.test(value)) {
+    throw new Error(`${field} must match [a-z0-9][a-z0-9_.-]* (lowercase, non-empty)`);
+  }
+};
+
+export function validateRegisterAgent(input: unknown): asserts input is RegisterAgentDto {
+  const o = input as Partial<RegisterAgentDto> | null | undefined;
+  if (!o || typeof o !== 'object') throw new Error('payload must be an object');
+  assertSlug(o.alias, 'alias');
+  assertSlug(o.host, 'host');
+  if (o.display_name !== undefined) {
+    if (typeof o.display_name !== 'string' || o.display_name.length === 0) {
+      throw new Error('display_name must be a non-empty string');
+    }
+    if (o.display_name.length > 100) {
+      throw new Error('display_name must be at most 100 chars');
+    }
+  }
+}
+
+export function validateRevokeAgent(input: unknown): asserts input is RevokeAgentDto {
+  const o = input as Partial<RevokeAgentDto> | null | undefined;
+  if (!o || typeof o !== 'object') throw new Error('payload must be an object');
+  if (typeof o.agent_user_id !== 'string' || !o.agent_user_id.startsWith('@')) {
+    throw new Error('agent_user_id must be a Matrix user id');
+  }
+}

packages/appservice/src/agent-store.ts

@@ -0,0 +1,160 @@
+import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
+
+import { agentSlug } from './agent-registry.dto.js';
+import type { AgentSummary } from './agent-registry.dto.js';
+import type { AppserviceIntent } from './intent.js';
+
+/** account_data type holding the agent registry on the AS sender user. */
+export const AGENTS_ACCOUNT_DATA_TYPE = 'org.uscllc.mosaic_as.agents';
+
+const TOKEN_PREFIX = 'magt_';
+
+interface StoredAgent {
+  alias: string;
+  host: string;
+  display_name?: string;
+  created_at: string;
+  /** sha256hex of each active token. Plaintext tokens are NEVER stored. */
+  token_hashes: string[];
+  revoked_at?: string;
+}
+
+interface AgentRegistry {
+  agents: Record<string, StoredAgent>;
+}
+
+const sha256hex = (value: string): string => createHash('sha256').update(value).digest('hex');
+
+const mintToken = (): string => `${TOKEN_PREFIX}${randomBytes(32).toString('base64url')}`;
+
+/**
+ * Persists scoped/revocable bridge tokens for agent virtual users in Matrix
+ * account_data on the AS sender user (no new infra; survives restart).
+ *
+ * Tokens are stored only as sha256 hashes (the high-entropy `magt_` token makes
+ * plain sha256 safe — no salt/KDF needed since brute force is infeasible).
+ *
+ * KNOWN v1 LIMIT: Synapse caps a single account_data object (default
+ * max_account_data_size, ~100KB). Each agent + hash entry is small, so this
+ * supports thousands of agents, but a very large fleet would eventually need a
+ * dedicated store. Revoked agents with no active tokens are pruned of hashes
+ * (kept as tombstones) to bound growth.
+ */
+export class AgentTokenStore {
+  constructor(private readonly intent: AppserviceIntent) {}
+
+  /** Read the registry fresh from account_data (low-frequency ops favor
+   * correctness over caching; verifyToken/list also read fresh). */
+  private async read(): Promise<AgentRegistry> {
+    const data = await this.intent.getSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE);
+    const agents = data?.agents;
+    if (agents && typeof agents === 'object') {
+      return { agents: agents as Record<string, StoredAgent> };
+    }
+    return { agents: {} };
+  }
+
+  private async write(registry: AgentRegistry): Promise<void> {
+    await this.intent.setSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE, {
+      agents: registry.agents,
+    });
+  }
+
+  /** Ensure the virtual user exists, mint a fresh token, store its hash, and
+   * return the plaintext token ONCE. Clears any prior revocation. */
+  async register(opts: {
+    alias: string;
+    host: string;
+    displayName?: string;
+  }): Promise<{ agentUserId: string; token: string }> {
+    const slug = agentSlug(opts.alias, opts.host);
+    const agentUserId = await this.intent.ensureRegistered(slug);
+    if (opts.displayName !== undefined) {
+      await this.intent.setDisplayName(slug, opts.displayName);
+    }
+
+    const token = mintToken();
+    const hash = sha256hex(token);
+
+    const registry = await this.read();
+    const existing = registry.agents[agentUserId];
+    if (existing) {
+      // The agent slug `<alias>-<host>` joins with a `-`, which is also a legal
+      // slug char, so distinct pairs can collide on one Matrix id (e.g.
+      // a/b-c and a-b/c both -> @agent-a-b-c). They ARE the same Matrix user,
+      // but silently overwriting the stored alias/host of a different pair
+      // would conflate two logical agents into one token bucket. Reject the
+      // ambiguous re-registration instead of overwriting.
+      if (existing.alias !== opts.alias || existing.host !== opts.host) {
+        throw new Error(
+          `agent id collision: ${agentUserId} already registered as ` +
+            `${existing.alias}/${existing.host}, refusing ${opts.alias}/${opts.host}`,
+        );
+      }
+      if (opts.displayName !== undefined) existing.display_name = opts.displayName;
+      existing.token_hashes = [...existing.token_hashes, hash];
+      delete existing.revoked_at;
+    } else {
+      registry.agents[agentUserId] = {
+        alias: opts.alias,
+        host: opts.host,
+        ...(opts.displayName !== undefined ? { display_name: opts.displayName } : {}),
+        created_at: new Date().toISOString(),
+        token_hashes: [hash],
+      };
+    }
+    await this.write(registry);
+    return { agentUserId, token };
+  }
+
+  /** Return the agentUserId bound to an active (non-revoked) token, else null.
+   * Constant-time hash comparison; no early-out on match. */
+  async verifyToken(token: string): Promise<string | null> {
+    if (!token.startsWith(TOKEN_PREFIX)) return null;
+    const presented = Buffer.from(sha256hex(token), 'hex');
+
+    const registry = await this.read();
+    let matched: string | null = null;
+    for (const [agentUserId, agent] of Object.entries(registry.agents)) {
+      if (agent.revoked_at) continue;
+      for (const stored of agent.token_hashes) {
+        const candidate = Buffer.from(stored, 'hex');
+        if (candidate.length === presented.length && timingSafeEqual(candidate, presented)) {
+          // No early break: keep scanning so timing does not reveal match position.
+          matched = agentUserId;
+        }
+      }
+    }
+    return matched;
+  }
+
+  /** Revoke all active tokens for an agent. Idempotent; returns count revoked. */
+  async revoke(agentUserId: string): Promise<number> {
+    const registry = await this.read();
+    const agent = registry.agents[agentUserId];
+    if (!agent) return 0;
+    const count = agent.token_hashes.length;
+    agent.token_hashes = [];
+    agent.revoked_at = new Date().toISOString();
+    await this.write(registry);
+    return count;
+  }
+
+  /** List agents with at least one active token (never advertise revoked/phantom). */
+  async list(): Promise<AgentSummary[]> {
+    const registry = await this.read();
+    const out: AgentSummary[] = [];
+    for (const [agentUserId, agent] of Object.entries(registry.agents)) {
+      if (agent.revoked_at || agent.token_hashes.length === 0) continue;
+      out.push({
+        agent_user_id: agentUserId,
+        alias: agent.alias,
+        host: agent.host,
+        ...(agent.display_name !== undefined ? { display_name: agent.display_name } : {}),
+        created_at: agent.created_at,
+        active_token_count: agent.token_hashes.length,
+      });
+    }
+    return out;
+  }
+}

packages/appservice/src/bridge.dto.ts

@@ -50,3 +50,34 @@ export function validateBridgeTyping(input: unknown): asserts input is BridgeTyp
   assertAgentSlug(o.agent);
   if (typeof o.typing !== 'boolean') throw new Error('typing must be a boolean');
 }
+
+export interface ProvisionRoomDto {
+  name: string;
+  alias?: string;
+  topic?: string;
+  invite?: string[];
+  space_id?: string;
+}
+
+export function validateProvisionRoom(input: unknown): asserts input is ProvisionRoomDto {
+  const o = input as Partial<ProvisionRoomDto> | null | undefined;
+  if (!o || typeof o !== 'object') throw new Error('payload must be an object');
+  if (typeof o.name !== 'string' || o.name.length === 0) throw new Error('name is required');
+  if (o.alias !== undefined && (!/^[a-z0-9_.-]+$/.test(o.alias) || o.alias.length > 200)) {
+    throw new Error('alias must match [a-z0-9_.-]+ (max 200 chars)');
+  }
+  if (o.invite !== undefined) {
+    if (
+      !Array.isArray(o.invite) ||
+      o.invite.some((u) => typeof u !== 'string' || !u.startsWith('@'))
+    ) {
+      throw new Error('invite must be a list of Matrix user ids');
+    }
+    if (o.invite.length > 50) {
+      throw new Error('invite list exceeds maximum of 50');
+    }
+  }
+  if (o.space_id !== undefined && (typeof o.space_id !== 'string' || !o.space_id.startsWith('!'))) {
+    throw new Error('space_id must be a Matrix room id');
+  }
+}

packages/appservice/src/index.ts

@@ -4,8 +4,20 @@ export { TransactionHandler } from './transactions.js';
 export type { TransactionHandlerOptions } from './transactions.js';
 export { buildRegistration, registrationToYaml } from './registration.js';
 export type { RegistrationOptions } from './registration.js';
-export { validateBridgeMessage, validateBridgeTyping } from './bridge.dto.js';
+export {
-export type { BridgeMessageDto, BridgeTypingDto } from './bridge.dto.js';
+  validateBridgeMessage,
+  validateBridgeTyping,
+  validateProvisionRoom,
+} from './bridge.dto.js';
+export type { BridgeMessageDto, BridgeTypingDto, ProvisionRoomDto } from './bridge.dto.js';
+export { agentSlug, validateRegisterAgent, validateRevokeAgent } from './agent-registry.dto.js';
+export type {
+  RegisterAgentDto,
+  RevokeAgentDto,
+  RegisterAgentResponse,
+  AgentSummary,
+} from './agent-registry.dto.js';
+export { AgentTokenStore, AGENTS_ACCOUNT_DATA_TYPE } from './agent-store.js';
 export type {
   AppserviceConfig,
   EventHandler,

packages/appservice/src/intent.ts

@@ -172,6 +172,58 @@ export class AppserviceIntent {
     });
   }
 
+  /** Create a room as the AS sender: agents get PL 50 by namespace via the
+   * sender (PL 100); humans invited at default PL. Optionally link into a
+   * space (m.space.child + m.space.parent). Returns the room id. */
+  async createRoom(options: {
+    name: string;
+    alias?: string;
+    topic?: string;
+    invite?: string[];
+    spaceId?: string;
+  }): Promise<{ roomId: string; spaceLinked: boolean; spaceError?: string }> {
+    const body: Record<string, unknown> = {
+      name: options.name,
+      preset: 'private_chat',
+      invite: options.invite ?? [],
+      power_level_content_override: {
+        users: { [this.senderUserId]: 100 },
+        // state_default 50 stays; the AS sender can grant agents as needed.
+      },
+    };
+    if (options.alias) body.room_alias_name = options.alias;
+    if (options.topic) body.topic = options.topic;
+    const res = await this.request('POST', '/_matrix/client/v3/createRoom', {
+      userId: this.senderUserId,
+      body,
+    });
+    const roomId = res.room_id;
+    if (typeof roomId !== 'string') throw new Error('createRoom returned no room_id');
+    if (!options.spaceId) {
+      return { roomId, spaceLinked: false };
+    }
+    // Space-link failures must NOT throw: the room already exists, and an
+    // exception would hide the room_id (orphaned room, no recovery path).
+    const encodedSpaceId = encodeURIComponent(options.spaceId);
+    const encodedRoomId = encodeURIComponent(roomId);
+    try {
+      await this.request(
+        'PUT',
+        `/_matrix/client/v3/rooms/${encodedSpaceId}/state/m.space.child/${encodedRoomId}`,
+        { userId: this.senderUserId, body: { via: [this.cfg.domain], suggested: true } },
+      );
+      await this.request(
+        'PUT',
+        `/_matrix/client/v3/rooms/${encodedRoomId}/state/m.space.parent/${encodedSpaceId}`,
+        { userId: this.senderUserId, body: { via: [this.cfg.domain], canonical: true } },
+      );
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return { roomId, spaceLinked: false, spaceError: message };
+    }
+    return { roomId, spaceLinked: true };
+  }
+
   /** Set display name for an agent's virtual user. */
   async setDisplayName(agent: string, displayName: string): Promise<void> {
     const userId = await this.ensureRegistered(agent);
@@ -181,4 +233,30 @@ export class AppserviceIntent {
       body: { displayname: displayName },
     });
   }
+
+  /** Read an account_data object on the AS sender user. Returns null when the
+   * key has never been written (M_NOT_FOUND), so callers can treat that as an
+   * empty store; any other error propagates. */
+  async getSenderAccountData(type: string): Promise<Record<string, unknown> | null> {
+    const user = encodeURIComponent(this.senderUserId);
+    const key = encodeURIComponent(type);
+    try {
+      return await this.request('GET', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
+        userId: this.senderUserId,
+      });
+    } catch (err) {
+      if (err instanceof MatrixApiError && err.errcode === 'M_NOT_FOUND') return null;
+      throw err;
+    }
+  }
+
+  /** Write an account_data object on the AS sender user. */
+  async setSenderAccountData(type: string, content: Record<string, unknown>): Promise<void> {
+    const user = encodeURIComponent(this.senderUserId);
+    const key = encodeURIComponent(type);
+    await this.request('PUT', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
+      userId: this.senderUserId,
+      body: content,
+    });
+  }
 }

packages/mosaic/framework/defaults/AGENTS.md

@@ -34,6 +34,7 @@ At session start, additionally:
 10. Manual `docker build` / `docker push` for deployment is FORBIDDEN when CI/CD pipelines exist in the repository. CI is the ONLY canonical build path for container images.
 11. Before ANY build or deployment action, you MUST check for existing CI/CD pipeline configuration (`.woodpecker/`, `.woodpecker.yml`, `.github/workflows/`, etc.). If pipelines exist, use them — do not build locally.
 12. The mandatory intake procedure is NOT conditional on perceived task complexity. A "simple" commit-push-deploy task has the same procedural requirements as a multi-file feature. Skipping intake because a task "seems simple" is the most common framework violation.
+13. **Merge authority (coordinated work):** when a coordinator/orchestrator session is active for the work, the post-review MERGE GO-AHEAD is the coordinator's to give — once code has passed the required review gates, request the coordinator's go-ahead and merge on their confirmation; do NOT wait on the human owner personally. Solo (uncoordinated) delivery keeps the default: merge without routine confirmation per gates 2 and 9. A "No self-merge" note on a PR means no UNREVIEWED self-merge — it does not suspend coordinator-authorized merges. (Policy: Jason, 2026-06-11.)
 
 ## Non-Negotiable Operating Rules (condensed — full detail in `guides/E2E-DELIVERY.md`)
 

packages/mosaic/framework/guides/E2E-DELIVERY.md

@@ -88,6 +88,11 @@ For implementation work, you MUST run this cycle in order:
 
 ### Post-PR Hard Gate (Execute Sequentially, No Exceptions)
 
+> **Merge authority:** if a coordinator/orchestrator session is active for this
+> work, obtain the coordinator's merge go-ahead after review passes, then run
+> the gate (AGENTS.md hard gate "Merge authority"). Solo delivery proceeds
+> without asking.
+
 1. `~/.config/mosaic/tools/git/ci-queue-wait.sh --purpose merge -B main`
 2. `~/.config/mosaic/tools/git/pr-merge.sh -n <PR_NUMBER> -m squash`
 3. `~/.config/mosaic/tools/git/pr-ci-wait.sh -n <PR_NUMBER>`

packages/mosaic/framework/tools/git/ci-queue-wait.sh

@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
     local branch="$3"
     local token="$4"
     local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
-    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
     local sha="$3"
     local token="$4"
     local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
 }
 
 while [[ $# -gt 0 ]]; do

packages/mosaic/framework/tools/git/detect-platform.ps1

@@ -55,6 +55,154 @@ function Get-GitRepoInfo {
     return $repoPath
 }
 
+function Get-GitRemoteHost {
+    [CmdletBinding()]
+    param()
+
+    $remoteUrl = git remote get-url origin 2>$null
+
+    if ([string]::IsNullOrEmpty($remoteUrl)) {
+        Write-Error "Not a git repository or no origin remote"
+        return $null
+    }
+
+    if ($remoteUrl -match "^https?://([^/]+)/") {
+        $remoteHost = $Matches[1]
+        return ($remoteHost -replace "^.*@", "")
+    }
+
+    if ($remoteUrl -match "^git@([^:]+):") {
+        return $Matches[1]
+    }
+
+    return $null
+}
+
+function Get-TeaLoginList {
+    [CmdletBinding()]
+    param()
+
+    $json = tea login list --output json 2>$null
+    if (-not $json) {
+        return @()
+    }
+
+    try {
+        $items = $json | ConvertFrom-Json
+    } catch {
+        return @()
+    }
+
+    if ($null -eq $items) {
+        return @()
+    }
+
+    return @($items)
+}
+
+function Test-GiteaUrlMatchesHost {
+    [CmdletBinding()]
+    param(
+        [string]$Url,
+        [string]$GiteaHost
+    )
+
+    if ([string]::IsNullOrEmpty($Url) -or [string]::IsNullOrEmpty($GiteaHost)) {
+        return $false
+    }
+
+    try {
+        $uri = [Uri]$Url
+        return $uri.Host -eq $GiteaHost
+    } catch {
+        return $false
+    }
+}
+
+function Find-TeaLoginForHost {
+    [CmdletBinding()]
+    param([Parameter(Mandatory=$true)][string]$GiteaHost)
+
+    foreach ($login in Get-TeaLoginList) {
+        $name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
+        $url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
+        if ([string]::IsNullOrEmpty($name) -or [string]::IsNullOrEmpty($url)) {
+            continue
+        }
+
+        try {
+            $uri = [Uri]$url
+            if ($uri.Host -eq $GiteaHost) {
+                return $name
+            }
+        } catch {
+            continue
+        }
+    }
+
+    return $null
+}
+
+function Test-TeaLoginMatchesHost {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$true)][string]$LoginName,
+        [Parameter(Mandatory=$true)][string]$GiteaHost
+    )
+
+    foreach ($login in Get-TeaLoginList) {
+        $name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
+        $url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
+        if ($name -ne $LoginName -or [string]::IsNullOrEmpty($url)) {
+            continue
+        }
+
+        try {
+            $uri = [Uri]$url
+            return $uri.Host -eq $GiteaHost
+        } catch {
+            return $false
+        }
+    }
+
+    return $false
+}
+
+function Get-GiteaLoginForHost {
+    [CmdletBinding()]
+    param([string]$GiteaHost)
+
+    if ([string]::IsNullOrEmpty($GiteaHost)) {
+        $GiteaHost = Get-GitRemoteHost
+    }
+    if ([string]::IsNullOrEmpty($GiteaHost)) {
+        return $null
+    }
+
+    if ($env:GITEA_LOGIN) {
+        if (Test-TeaLoginMatchesHost -LoginName $env:GITEA_LOGIN -GiteaHost $GiteaHost) {
+            return $env:GITEA_LOGIN
+        }
+    }
+
+    return Find-TeaLoginForHost -GiteaHost $GiteaHost
+}
+
+function Get-GiteaRepoArgs {
+    [CmdletBinding()]
+    param()
+
+    $repo = Get-GitRepoInfo
+    $hostName = Get-GitRemoteHost
+    $login = Get-GiteaLoginForHost -GiteaHost $hostName
+
+    if ([string]::IsNullOrEmpty($repo) -or [string]::IsNullOrEmpty($login)) {
+        return @()
+    }
+
+    return @("--repo", $repo, "--login", $login)
+}
+
 function Get-GitRepoOwner {
     [CmdletBinding()]
     param()

packages/mosaic/framework/tools/git/detect-platform.sh

@@ -78,10 +78,211 @@ get_repo_slug() {
     get_repo_info
 }
 
+gitea_url_matches_host() {
+    local url="${1:-}" host="${2:-}"
+    [[ -n "$url" && -n "$host" ]] || return 1
+    [[ "${url%/}" == "https://$host" || "${url%/}" == "http://$host" || "${url%/}" == *"//$host" ]]
+}
+
+get_gitea_service_for_host() {
+    local host="$1"
+    local cred_file="${MOSAIC_CREDENTIALS_FILE:-$HOME/src/jarvis-brain/credentials.json}"
+
+    case "$host" in
+        git.mosaicstack.dev)
+            echo "mosaicstack"
+            return 0
+            ;;
+        git.uscllc.com)
+            echo "usc"
+            return 0
+            ;;
+    esac
+
+    [[ -f "$cred_file" ]] || return 1
+    command -v jq >/dev/null 2>&1 || return 1
+
+    jq -r --arg host "$host" '
+        .gitea // {}
+        | to_entries[]
+        | select((.value.url // "" | sub("/+$"; "")) | test("https?://" + $host + "$"))
+        | .key
+    ' "$cred_file" | head -n 1
+}
+
+find_tea_login_for_host() {
+    local host="$1"
+    local logins_json
+
+    command -v tea >/dev/null 2>&1 || return 1
+    logins_json=$(tea login list --output json 2>/dev/null) || return 1
+    TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
+import json
+import os
+import sys
+from urllib.parse import urlparse
+
+host = sys.argv[1]
+try:
+    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
+except Exception:
+    raise SystemExit(1)
+
+for login in logins if isinstance(logins, list) else []:
+    url = str(login.get("url") or login.get("URL") or "")
+    name = str(login.get("name") or login.get("Name") or "")
+    parsed = urlparse(url)
+    if parsed.hostname == host and name:
+        print(name)
+        raise SystemExit(0)
+
+raise SystemExit(1)
+PY
+}
+
+tea_login_matches_host() {
+    local login_name="$1" host="$2"
+    local logins_json
+
+    command -v tea >/dev/null 2>&1 || return 1
+    logins_json=$(tea login list --output json 2>/dev/null) || return 1
+    TEA_LOGINS_JSON="$logins_json" python3 - "$login_name" "$host" <<'PY'
+import json
+import os
+import sys
+from urllib.parse import urlparse
+
+login_name, host = sys.argv[1], sys.argv[2]
+try:
+    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
+except Exception:
+    raise SystemExit(1)
+
+for login in logins if isinstance(logins, list) else []:
+    url = str(login.get("url") or login.get("URL") or "")
+    name = str(login.get("name") or login.get("Name") or "")
+    parsed = urlparse(url)
+    if name == login_name and parsed.hostname == host:
+        raise SystemExit(0)
+
+raise SystemExit(1)
+PY
+}
+
+get_gitea_login_for_host() {
+    local host="${1:-}"
+    local login
+
+    if [[ -z "$host" ]]; then
+        host=$(get_remote_host) || return 1
+    fi
+
+    if [[ -n "${GITEA_LOGIN:-}" ]]; then
+        if tea_login_matches_host "$GITEA_LOGIN" "$host"; then
+            echo "$GITEA_LOGIN"
+            return 0
+        fi
+    fi
+
+    login=$(find_tea_login_for_host "$host" || true)
+    if [[ -n "$login" ]]; then
+        echo "$login"
+        return 0
+    fi
+
+    return 1
+}
+
+get_default_tea_login() {
+    local logins_json
+
+    command -v tea >/dev/null 2>&1 || return 1
+    logins_json=$(tea login list --output json 2>/dev/null) || return 1
+    TEA_LOGINS_JSON="$logins_json" python3 - <<'PY'
+import json
+import os
+
+try:
+    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
+except Exception:
+    raise SystemExit(1)
+
+if not isinstance(logins, list) or not logins:
+    raise SystemExit(1)
+
+for login in logins:
+    if not isinstance(login, dict):
+        continue
+    is_default = str(login.get("default") or login.get("Default") or "").lower()
+    name = str(login.get("name") or login.get("Name") or "")
+    if name and is_default == "true":
+        print(name)
+        raise SystemExit(0)
+
+for login in logins:
+    if not isinstance(login, dict):
+        continue
+    name = str(login.get("name") or login.get("Name") or "")
+    if name:
+        print(name)
+        raise SystemExit(0)
+
+raise SystemExit(1)
+PY
+}
+
+get_gitea_login_for_repo_override() {
+    local login
+
+    if [[ -n "${GITEA_LOGIN:-}" ]]; then
+        echo "$GITEA_LOGIN"
+        return 0
+    fi
+
+    login=$(get_default_tea_login || true)
+    if [[ -n "$login" ]]; then
+        echo "$login"
+        return 0
+    fi
+
+    return 1
+}
+
+get_host_from_url() {
+    local url="${1:-}"
+    [[ -n "$url" ]] || return 1
+
+    python3 - "$url" <<'PY'
+import sys
+from urllib.parse import urlparse
+
+parsed = urlparse(sys.argv[1])
+if parsed.hostname:
+    print(parsed.hostname)
+    raise SystemExit(0)
+raise SystemExit(1)
+PY
+}
+
+get_gitea_api_host_for_repo_override() {
+    if [[ -n "${GITEA_HOST:-}" ]]; then
+        echo "$GITEA_HOST"
+        return 0
+    fi
+
+    get_host_from_url "${GITEA_URL:-}"
+}
+
 get_gitea_repo_args() {
-    local repo
+    local repo host login
     repo=$(get_repo_slug) || return 1
-    printf -- '--repo %q --login %q' "$repo" "${GITEA_LOGIN:-mosaicstack}"
+    host=$(get_remote_host) || return 1
+    login=$(get_gitea_login_for_host "$host") || return 1
+    printf -- '--repo %q --login %q' "$repo" "$login"
+}
+
+get_gitea_login() {
+    get_gitea_login_for_host "$(get_remote_host)"
 }
 
 get_remote_host() {
@@ -91,7 +292,8 @@ get_remote_host() {
         return 1
     fi
     if [[ "$remote_url" =~ ^https?://([^/]+)/ ]]; then
-        echo "${BASH_REMATCH[1]}"
+        local host="${BASH_REMATCH[1]}"
+        echo "${host##*@}"
         return 0
     fi
     if [[ "$remote_url" =~ ^git@([^:]+): ]]; then

packages/mosaic/framework/tools/git/issue-assign.ps1

@@ -75,6 +75,11 @@ switch ($platform) {
         Write-Host "Issue #$Issue updated successfully"
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $needsEdit = $false
         $cmd = @("tea", "issue", "edit", $Issue)
 
@@ -87,7 +92,7 @@ switch ($platform) {
             $needsEdit = $true
         }
         if ($Milestone) {
-            $milestoneList = tea milestones list 2>$null
+            $milestoneList = tea milestones list @repoArgs 2>$null
             $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
             if ($milestoneId) {
                 $cmd += @("--milestone", $milestoneId)
@@ -98,6 +103,7 @@ switch ($platform) {
         }
 
         if ($needsEdit) {
+            $cmd += $repoArgs
             & $cmd[0] $cmd[1..($cmd.Length-1)]
             Write-Host "Issue #$Issue updated successfully"
         } else {

packages/mosaic/framework/tools/git/issue-assign.sh

@@ -98,7 +98,11 @@ case "$PLATFORM" in
         ;;
     gitea)
         # tea issue edit syntax
-        CMD="tea issue edit $ISSUE"
+        REPO_ARGS=$(get_gitea_repo_args) || {
+            echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
+            exit 1
+        }
+        CMD="tea issue edit $ISSUE $REPO_ARGS"
         NEEDS_EDIT=false
 
         if [[ -n "$ASSIGNEE" ]]; then
@@ -112,7 +116,7 @@ case "$PLATFORM" in
             NEEDS_EDIT=true
         fi
         if [[ -n "$MILESTONE" ]]; then
-            MILESTONE_ID=$(tea milestones list 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
+            MILESTONE_ID=$(tea milestones list $REPO_ARGS 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
             if [[ -n "$MILESTONE_ID" ]]; then
                 CMD="$CMD --milestone $MILESTONE_ID"
                 NEEDS_EDIT=true

packages/mosaic/framework/tools/git/issue-close.sh

@@ -44,10 +44,43 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
 fi
 
 # Detect platform and close issue
-detect_platform
+detect_platform >/dev/null
 OWNER=$(get_repo_owner)
 REPO=$(get_repo_name)
 
+gitea_issue_comment_api() {
+    local host token url payload
+    host=$(get_remote_host) || return 1
+    token=$(get_gitea_token "$host") || return 1
+    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
+    payload=$(COMMENT="$COMMENT" python3 - <<'PY'
+import json
+import os
+
+print(json.dumps({"body": os.environ["COMMENT"]}))
+PY
+)
+    curl -fsS -X POST \
+        -H "User-Agent: curl/8" \
+        -H "Authorization: token ${token}" \
+        -H "Content-Type: application/json" \
+        -d "$payload" \
+        "$url" >/dev/null
+}
+
+gitea_issue_close_api() {
+    local host token url
+    host=$(get_remote_host) || return 1
+    token=$(get_gitea_token "$host") || return 1
+    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
+    curl -fsS -X PATCH \
+        -H "User-Agent: curl/8" \
+        -H "Authorization: token ${token}" \
+        -H "Content-Type: application/json" \
+        -d '{"state":"closed"}' \
+        "$url" >/dev/null
+}
+
 if [[ "$PLATFORM" == "github" ]]; then
     if [[ -n "$COMMENT" ]]; then
         gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
@@ -55,10 +88,19 @@ if [[ "$PLATFORM" == "github" ]]; then
     gh issue close "$ISSUE_NUMBER"
     echo "Closed GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
+    GITEA_LOGIN_NAME=$(get_gitea_login || true)
+    if [[ -n "$GITEA_LOGIN_NAME" ]]; then
         if [[ -n "$COMMENT" ]]; then
-        tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
+            tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
+        fi
+        tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
+    else
+        echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
+        if [[ -n "$COMMENT" ]]; then
+            gitea_issue_comment_api
+        fi
+        gitea_issue_close_api
     fi
-    tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
     echo "Closed Gitea issue #$ISSUE_NUMBER"
 else
     echo "Error: Unknown platform"

packages/mosaic/framework/tools/git/issue-comment.sh

@@ -47,7 +47,7 @@ if [[ -z "$COMMENT" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"

packages/mosaic/framework/tools/git/issue-create.ps1

@@ -58,12 +58,17 @@ switch ($platform) {
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $cmd = @("tea", "issue", "create", "--title", $Title)
         if ($Body) { $cmd += @("--description", $Body) }
         if ($Labels) { $cmd += @("--labels", $Labels) }
         if ($Milestone) {
             # Try to get milestone ID by name
-            $milestoneList = tea milestones list 2>$null
+            $milestoneList = tea milestones list @repoArgs 2>$null
             $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
             if ($milestoneId) {
                 $cmd += @("--milestone", $milestoneId)
@@ -71,6 +76,7 @@ switch ($platform) {
                 Write-Warning "Could not find milestone '$Milestone', creating without milestone"
             }
         }
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     default {

packages/mosaic/framework/tools/git/issue-create.sh

@@ -48,6 +48,7 @@ PY
 
     url="https://${host}/api/v1/repos/${repo}/issues"
     curl -fsS -X POST \
+      -H "User-Agent: curl/8" \
       -H "Authorization: token ${token}" \
       -H "Content-Type: application/json" \
       -d "$payload" \
@@ -121,7 +122,12 @@ case "$PLATFORM" in
     gitea)
         if command -v tea >/dev/null 2>&1; then
             REPO_SLUG=$(get_repo_slug)
-            REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
+            GITEA_LOGIN_NAME=$(get_gitea_login) || {
+                echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
+                gitea_issue_create_api
+                exit $?
+            }
+            REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
             CMD=(tea issue create "${REPO_ARGS[@]}" --title "$TITLE")
             [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
             [[ -n "$LABELS" ]] && CMD+=(--labels "$LABELS")

packages/mosaic/framework/tools/git/issue-edit.sh

@@ -60,7 +60,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     CMD="gh issue edit $ISSUE_NUMBER"
@@ -71,7 +71,11 @@ if [[ "$PLATFORM" == "github" ]]; then
     eval $CMD
     echo "Updated GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    CMD="tea issue edit $ISSUE_NUMBER"
+    REPO_ARGS=$(get_gitea_repo_args) || {
+        echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
+        exit 1
+    }
+    CMD="tea issue edit $ISSUE_NUMBER $REPO_ARGS"
     [[ -n "$TITLE" ]] && CMD="$CMD --title \"$TITLE\""
     [[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\""
     [[ -n "$LABELS" ]] && CMD="$CMD --add-labels \"$LABELS\""

packages/mosaic/framework/tools/git/issue-list.ps1

@@ -63,9 +63,15 @@ switch ($platform) {
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $cmd = @("tea", "issues", "list", "--state", $State, "--limit", $Limit)
         if ($Label) { $cmd += @("--labels", $Label) }
         if ($Milestone) { $cmd += @("--milestones", $Milestone) }
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
         if ($Assignee) {
             Write-Warning "Assignee filtering may require manual review for Gitea"

packages/mosaic/framework/tools/git/issue-list.sh

@@ -98,7 +98,18 @@ case "$PLATFORM" in
         "${CMD[@]}"
         ;;
     gitea)
-        CMD=(tea issues list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
+        if [[ -n "$REPO_OVERRIDE" ]]; then
+            GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
+                echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
+                exit 1
+            }
+        else
+            GITEA_LOGIN_NAME=$(get_gitea_login) || {
+                echo "Error: Could not resolve Gitea login for remote host" >&2
+                exit 1
+            }
+        fi
+        CMD=(tea issues list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
         [[ -n "$LABEL" ]] && CMD+=(--labels "$LABEL")
         [[ -n "$MILESTONE" ]] && CMD+=(--milestones "$MILESTONE")
         # Note: tea may not support assignee filter directly in all versions.

packages/mosaic/framework/tools/git/issue-reopen.sh

@@ -42,7 +42,42 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
+OWNER=$(get_repo_owner)
+REPO=$(get_repo_name)
+
+gitea_issue_comment_api() {
+    local host token url payload
+    host=$(get_remote_host) || return 1
+    token=$(get_gitea_token "$host") || return 1
+    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
+    payload=$(COMMENT="$COMMENT" python3 - <<'PY'
+import json
+import os
+
+print(json.dumps({"body": os.environ["COMMENT"]}))
+PY
+)
+    curl -fsS -X POST \
+        -H "User-Agent: curl/8" \
+        -H "Authorization: token ${token}" \
+        -H "Content-Type: application/json" \
+        -d "$payload" \
+        "$url" >/dev/null
+}
+
+gitea_issue_reopen_api() {
+    local host token url
+    host=$(get_remote_host) || return 1
+    token=$(get_gitea_token "$host") || return 1
+    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
+    curl -fsS -X PATCH \
+        -H "User-Agent: curl/8" \
+        -H "Authorization: token ${token}" \
+        -H "Content-Type: application/json" \
+        -d '{"state":"open"}' \
+        "$url" >/dev/null
+}
 
 if [[ "$PLATFORM" == "github" ]]; then
     if [[ -n "$COMMENT" ]]; then
@@ -51,10 +86,19 @@ if [[ "$PLATFORM" == "github" ]]; then
     gh issue reopen "$ISSUE_NUMBER"
     echo "Reopened GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
+    REPO_ARGS=$(get_gitea_repo_args || true)
+    if [[ -n "$REPO_ARGS" ]]; then
         if [[ -n "$COMMENT" ]]; then
-        tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
+            tea issue comment "$ISSUE_NUMBER" "$COMMENT" $REPO_ARGS
+        fi
+        tea issue reopen "$ISSUE_NUMBER" $REPO_ARGS
+    else
+        echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
+        if [[ -n "$COMMENT" ]]; then
+            gitea_issue_comment_api
+        fi
+        gitea_issue_reopen_api
     fi
-    tea issue reopen "$ISSUE_NUMBER" $(get_gitea_repo_args)
     echo "Reopened Gitea issue #$ISSUE_NUMBER"
 else
     echo "Error: Unknown platform"

packages/mosaic/framework/tools/git/issue-view.sh

@@ -29,9 +29,9 @@ gitea_issue_view_api() {
 
     url="https://${host}/api/v1/repos/${repo}/issues/${ISSUE_NUMBER}"
     if command -v python3 >/dev/null 2>&1; then
-        curl -fsS -H "Authorization: token ${token}" "$url" | python3 -m json.tool
+        curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -m json.tool
     else
-        curl -fsS -H "Authorization: token ${token}" "$url"
+        curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
     fi
 }
 
@@ -61,7 +61,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     gh issue view "$ISSUE_NUMBER"

packages/mosaic/framework/tools/git/milestone-close.sh

@@ -36,13 +36,17 @@ if [[ -z "$TITLE" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     gh api -X PATCH "/repos/{owner}/{repo}/milestones/$(gh api "/repos/{owner}/{repo}/milestones" --jq ".[] | select(.title==\"$TITLE\") | .number")" -f state=closed
     echo "Closed GitHub milestone: $TITLE"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    tea milestone close "$TITLE"
+    REPO_ARGS=$(get_gitea_repo_args) || {
+        echo "Error: Could not resolve Gitea repo/login for remote host" >&2
+        exit 1
+    }
+    tea milestone close "$TITLE" $REPO_ARGS
     echo "Closed Gitea milestone: $TITLE"
 else
     echo "Error: Unknown platform"

packages/mosaic/framework/tools/git/milestone-create.ps1

@@ -59,7 +59,12 @@ if ($List) {
             gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)`t\(.title)`t\(.state)`t\(.open_issues)/\(.closed_issues) issues"'
         }
         "gitea" {
-            tea milestones list
+            $repoArgs = @(Get-GiteaRepoArgs)
+            if ($repoArgs.Length -eq 0) {
+                Write-Error "Could not resolve Gitea repo/login for remote host"
+                exit 1
+            }
+            tea milestones list @repoArgs
         }
         default {
             Write-Error "Could not detect git platform"
@@ -85,9 +90,15 @@ switch ($platform) {
         Write-Host "Milestone '$Title' created successfully"
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $cmd = @("tea", "milestones", "create", "--title", $Title)
         if ($Description) { $cmd += @("--description", $Description) }
         if ($Due) { $cmd += @("--deadline", $Due) }
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
         Write-Host "Milestone '$Title' created successfully"
     }

packages/mosaic/framework/tools/git/milestone-create.sh

@@ -77,7 +77,11 @@ if [[ "$LIST_ONLY" == true ]]; then
             gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)\t\(.title)\t\(.state)\t\(.open_issues)/\(.closed_issues) issues"'
             ;;
         gitea)
-            tea milestones list
+            REPO_ARGS=$(get_gitea_repo_args) || {
+                echo "Error: Could not resolve Gitea repo/login for remote host" >&2
+                exit 1
+            }
+            tea milestones list $REPO_ARGS
             ;;
         *)
             echo "Error: Could not detect git platform" >&2
@@ -104,10 +108,14 @@ case "$PLATFORM" in
         echo "Milestone '$TITLE' created successfully"
         ;;
     gitea)
-        CMD="tea milestones create --title \"$TITLE\""
+        REPO_ARGS=$(get_gitea_repo_args) || {
-        [[ -n "$DESCRIPTION" ]] && CMD="$CMD --description \"$DESCRIPTION\""
+            echo "Error: Could not resolve Gitea repo/login for remote host" >&2
-        [[ -n "$DUE_DATE" ]] && CMD="$CMD --deadline \"$DUE_DATE\""
+            exit 1
-        eval "$CMD"
+        }
+        CMD=(tea milestones create --title "$TITLE")
+        [[ -n "$DESCRIPTION" ]] && CMD+=(--description "$DESCRIPTION")
+        [[ -n "$DUE_DATE" ]] && CMD+=(--deadline "$DUE_DATE")
+        "${CMD[@]}" $REPO_ARGS
         echo "Milestone '$TITLE' created successfully"
         ;;
     *)

packages/mosaic/framework/tools/git/milestone-list.sh

@@ -31,12 +31,16 @@ while [[ $# -gt 0 ]]; do
     esac
 done
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     gh api "/repos/{owner}/{repo}/milestones?state=$STATE" --jq '.[] | "\(.title) (\(.state)) - \(.open_issues) open, \(.closed_issues) closed"'
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    tea milestone list
+    REPO_ARGS=$(get_gitea_repo_args) || {
+        echo "Error: Could not resolve Gitea repo/login for remote host" >&2
+        exit 1
+    }
+    tea milestone list $REPO_ARGS
 else
     echo "Error: Unknown platform"
     exit 1

packages/mosaic/framework/tools/git/pr-ci-wait.sh

@@ -11,6 +11,7 @@ PR_NUMBER=""
 TIMEOUT_SEC=1800
 INTERVAL_SEC=15
 REPO_OVERRIDE=""
+HOST_OVERRIDE=""
 
 usage() {
     cat <<EOF
@@ -19,6 +20,7 @@ Usage: $(basename "$0") -n <pr_number> [-t timeout_sec] [-i interval_sec]
 Options:
   -n, --number NUMBER      PR number (required)
   -r, --repo OWNER/REPO    Repository slug (default: infer from git origin)
+      --host HOST          Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)
   -t, --timeout SECONDS    Max wait time in seconds (default: 1800)
   -i, --interval SECONDS   Poll interval in seconds (default: 15)
   -h, --help               Show this help
@@ -124,7 +126,7 @@ gitea_get_pr_head_sha() {
     local repo="$2"
     local token="$3"
     local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
-    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 print((data.get("head") or {}).get("sha", ""))
@@ -137,7 +139,7 @@ gitea_get_commit_status_json() {
     local token="$3"
     local sha="$4"
     local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
 }
 
 while [[ $# -gt 0 ]]; do
@@ -150,6 +152,10 @@ while [[ $# -gt 0 ]]; do
             REPO_OVERRIDE="$2"
             shift 2
             ;;
+        --host)
+            HOST_OVERRIDE="$2"
+            shift 2
+            ;;
         -t|--timeout)
             TIMEOUT_SEC="$2"
             shift 2
@@ -211,7 +217,19 @@ if [[ "$PLATFORM" == "github" ]]; then
     fi
     echo "[pr-ci-wait] Platform=github PR=#${PR_NUMBER} head_sha=${HEAD_SHA}"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
+    if [[ -n "$HOST_OVERRIDE" ]]; then
+        HOST="$HOST_OVERRIDE"
+    elif [[ -n "$REPO_OVERRIDE" ]]; then
+        HOST=$(get_gitea_api_host_for_repo_override) || {
+            echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
+            exit 1
+        }
+    else
+        HOST=$(get_remote_host) || {
+            echo "Error: Could not determine Gitea host from git origin." >&2
+            exit 1
+        }
+    fi
     TOKEN=$(get_gitea_token "$HOST") || {
         echo "Error: Gitea token not found. Set GITEA_TOKEN or configure ~/.git-credentials." >&2
         exit 1

packages/mosaic/framework/tools/git/pr-close.sh

@@ -42,7 +42,7 @@ if [[ -z "$PR_NUMBER" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     if [[ -n "$COMMENT" ]]; then

packages/mosaic/framework/tools/git/pr-create.ps1

@@ -9,7 +9,6 @@ param(
     [Alias("b")]
     [string]$Body,
 
-    [Alias("B")]
     [string]$Base,
 
     [Alias("H")]
@@ -101,6 +100,11 @@ switch ($platform) {
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $cmd = @("tea", "pr", "create", "--title", $Title)
         if ($Body) { $cmd += @("--description", $Body) }
         if ($Base) { $cmd += @("--base", $Base) }
@@ -108,7 +112,7 @@ switch ($platform) {
         if ($Labels) { $cmd += @("--labels", $Labels) }
 
         if ($Milestone) {
-            $milestoneList = tea milestones list 2>$null
+            $milestoneList = tea milestones list @repoArgs 2>$null
             $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
             if ($milestoneId) {
                 $cmd += @("--milestone", $milestoneId)
@@ -121,6 +125,7 @@ switch ($platform) {
             Write-Warning "Draft PR may not be supported by your tea version"
         }
 
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     default {

packages/mosaic/framework/tools/git/pr-create.sh

@@ -56,6 +56,7 @@ PY
 
     url="https://${host}/api/v1/repos/${repo}/pulls"
     curl -fsS -X POST \
+      -H "User-Agent: curl/8" \
       -H "Authorization: token ${token}" \
       -H "Content-Type: application/json" \
       -d "$payload" \
@@ -177,7 +178,12 @@ case "$PLATFORM" in
         # is unreliable in Mosaic worktrees/profile shells. Use arrays instead
         # of eval so markdown backticks/body content are not shell-executed.
         REPO_SLUG=$(get_repo_slug)
-        REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
+        GITEA_LOGIN_NAME=$(get_gitea_login) || {
+            echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
+            gitea_pr_create_api
+            exit $?
+        }
+        REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
         CMD=(tea pr create "${REPO_ARGS[@]}" --title "$TITLE")
         [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
         [[ -n "$BASE_BRANCH" ]] && CMD+=(--base "$BASE_BRANCH")

packages/mosaic/framework/tools/git/pr-diff.sh

@@ -11,6 +11,7 @@ source "$SCRIPT_DIR/detect-platform.sh"
 PR_NUMBER=""
 OUTPUT_FILE=""
 REPO_OVERRIDE=""
+HOST_OVERRIDE=""
 
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -26,12 +27,17 @@ while [[ $# -gt 0 ]]; do
             REPO_OVERRIDE="$2"
             shift 2
             ;;
+        --host)
+            HOST_OVERRIDE="$2"
+            shift 2
+            ;;
         -h|--help)
-            echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [-o <output_file>]"
+            echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [--host host] [-o <output_file>]"
             echo ""
             echo "Options:"
             echo "  -n, --number   PR number (required)"
             echo "  -r, --repo     Repository slug (default: infer from git origin)"
+            echo "      --host     Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)"
             echo "  -o, --output   Output file (optional, prints to stdout if omitted)"
             echo "  -h, --help     Show this help"
             exit 0
@@ -69,16 +75,28 @@ if [[ "$PLATFORM" == "github" ]]; then
     fi
 elif [[ "$PLATFORM" == "gitea" ]]; then
     # tea doesn't have a direct diff command — use the API
-    HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
+    if [[ -n "$HOST_OVERRIDE" ]]; then
+        HOST="$HOST_OVERRIDE"
+    elif [[ -n "$REPO_OVERRIDE" ]]; then
+        HOST=$(get_gitea_api_host_for_repo_override) || {
+            echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
+            exit 1
+        }
+    else
+        HOST=$(get_remote_host) || {
+            echo "Error: Could not determine Gitea host from git origin." >&2
+            exit 1
+        }
+    fi
 
     DIFF_URL="https://${HOST}/api/v1/repos/${REPO_INFO}/pulls/${PR_NUMBER}.diff"
 
     GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
 
     if [[ -n "$GITEA_API_TOKEN" ]]; then
-        DIFF_CONTENT=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
+        DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
     else
-        DIFF_CONTENT=$(curl -sS "$DIFF_URL")
+        DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" "$DIFF_URL")
     fi
 
     if [[ -n "$OUTPUT_FILE" ]]; then

packages/mosaic/framework/tools/git/pr-list.ps1

@@ -58,6 +58,11 @@ switch ($platform) {
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         $cmd = @("tea", "pr", "list", "--state", $State, "--limit", $Limit)
 
         if ($Label) {
@@ -67,6 +72,7 @@ switch ($platform) {
             Write-Warning "Author filtering may require manual review for Gitea"
         }
 
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     default {

packages/mosaic/framework/tools/git/pr-list.sh

@@ -93,7 +93,18 @@ case "$PLATFORM" in
         "${CMD[@]}"
         ;;
     gitea)
-        CMD=(tea pr list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
+        if [[ -n "$REPO_OVERRIDE" ]]; then
+            GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
+                echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
+                exit 1
+            }
+        else
+            GITEA_LOGIN_NAME=$(get_gitea_login) || {
+                echo "Error: Could not resolve Gitea login for remote host" >&2
+                exit 1
+            }
+        fi
+        CMD=(tea pr list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
 
         # tea filtering may be limited
         if [[ -n "$LABEL" ]]; then

packages/mosaic/framework/tools/git/pr-merge.ps1

@@ -74,6 +74,11 @@ switch ($platform) {
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     "gitea" {
+        $repoArgs = @(Get-GiteaRepoArgs)
+        if ($repoArgs.Length -eq 0) {
+            Write-Error "Could not resolve Gitea repo/login for remote host"
+            exit 1
+        }
         if (-not $SkipQueueGuard) {
             $timeout = if ($env:MOSAIC_CI_QUEUE_TIMEOUT_SEC) { [int]$env:MOSAIC_CI_QUEUE_TIMEOUT_SEC } else { 900 }
             $interval = if ($env:MOSAIC_CI_QUEUE_POLL_SEC) { [int]$env:MOSAIC_CI_QUEUE_POLL_SEC } else { 15 }
@@ -87,6 +92,7 @@ switch ($platform) {
             Write-Warning "Branch deletion after merge may need to be done separately with tea"
         }
 
+        $cmd += $repoArgs
         & $cmd[0] $cmd[1..($cmd.Length-1)]
     }
     default {

packages/mosaic/framework/tools/git/pr-merge.sh

@@ -106,34 +106,6 @@ PLATFORM=$(detect_platform)
 OWNER=$(get_repo_owner)
 REPO=$(get_repo_name)
 
-find_tea_login_for_host() {
-    local host="$1"
-    local logins_json
-
-    command -v tea >/dev/null 2>&1 || return 1
-    logins_json=$(tea login list --output json 2>/dev/null) || return 1
-    TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
-import json
-import os
-import sys
-
-host = sys.argv[1]
-try:
-    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
-except Exception:
-    raise SystemExit(1)
-
-for login in logins if isinstance(logins, list) else []:
-    url = str(login.get("url") or login.get("URL") or "")
-    name = str(login.get("name") or login.get("Name") or "")
-    if url.rstrip("/").endswith(host) and name:
-        print(name)
-        raise SystemExit(0)
-
-raise SystemExit(1)
-PY
-}
-
 is_known_tea_empty_identity_failure() {
     local error_file="$1"
 
@@ -164,6 +136,7 @@ merge_gitea_with_api() {
     if [[ -n "$token" ]]; then
         raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
             -X POST \
+            -H "User-Agent: curl/8" \
             -H "Authorization: token $token" \
             -H 'Content-Type: application/json' \
             -d "$payload" \
@@ -179,6 +152,7 @@ merge_gitea_with_api() {
         raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
             -X POST \
             -u "$basic_auth" \
+            -H "User-Agent: curl/8" \
             -H 'Content-Type: application/json' \
             -d "$payload" \
             "$api_url" || true)
@@ -214,7 +188,7 @@ if [[ "$DRY_RUN" == true ]]; then
             echo "Error: Cannot determine host from origin remote URL" >&2
             exit 1
         }
-        TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
+        TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
         if [[ -n "$TEA_LOGIN" ]]; then
             echo "Dry run: would merge PR #$PR_NUMBER on $HOST with tea login '$TEA_LOGIN' (base=$BASE_BRANCH, method=squash)."
         else
@@ -237,7 +211,7 @@ case "$PLATFORM" in
             echo "Error: Cannot determine host from origin remote URL" >&2
             exit 1
         }
-        TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
+        TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
 
         if [[ -n "$TEA_LOGIN" ]]; then
             mkdir -p "${AGENT_WORK_ROOT:-/home/hermes/agent-work}"

packages/mosaic/framework/tools/git/pr-metadata.sh

@@ -59,7 +59,7 @@ curl_gitea_pull() {
 
     token=$(get_gitea_token "$HOST" || true)
     if [[ -n "$token" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "Authorization: token $token" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" -H "Authorization: token $token" "$api_url" || true)
         if [[ "$raw_code" =~ ^2 ]]; then
             cat "$body_file"
             rm -f "$body_file"
@@ -70,7 +70,7 @@ curl_gitea_pull() {
 
     basic_auth=$(get_gitea_basic_auth "$HOST" || true)
     if [[ -n "$basic_auth" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" -H "User-Agent: curl/8" "$api_url" || true)
         if [[ "$raw_code" =~ ^2 ]]; then
             cat "$body_file"
             rm -f "$body_file"
@@ -80,7 +80,7 @@ curl_gitea_pull() {
     fi
 
     if [[ -z "${http_code:-}" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" "$api_url" || true)
         http_code="$raw_code"
     fi
 

packages/mosaic/framework/tools/git/pr-review.sh

@@ -53,7 +53,7 @@ if [[ -z "$ACTION" ]]; then
     exit 1
 fi
 
-detect_platform
+detect_platform >/dev/null
 
 if [[ "$PLATFORM" == "github" ]]; then
     case $ACTION in

packages/mosaic/framework/tools/git/pr-view.sh

@@ -58,7 +58,18 @@ fi
 if [[ "$PLATFORM" == "github" ]]; then
     gh pr view "$PR_NUMBER" --repo "$REPO_INFO"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}"
+    if [[ -n "$REPO_OVERRIDE" ]]; then
+        GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
+            echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
+            exit 1
+        }
+    else
+        GITEA_LOGIN_NAME=$(get_gitea_login) || {
+            echo "Error: Could not resolve Gitea login for remote host" >&2
+            exit 1
+        }
+    fi
+    tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME"
 else
     echo "Error: Unknown platform"
     exit 1

packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh

@@ -0,0 +1,233 @@
+#!/usr/bin/env bash
+# Regression harness for host-specific Gitea tea login resolution.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+WORK_DIR="${MOSAIC_TEST_WORK_DIR:-$PWD/.mosaic-test-work/gitea-login-resolution}"
+REPO_DIR="$WORK_DIR/repo"
+BIN_DIR="$WORK_DIR/bin"
+LOG_FILE="$WORK_DIR/calls.log"
+CREDENTIALS_FILE="$WORK_DIR/credentials.json"
+
+rm -rf "$WORK_DIR"
+mkdir -p "$REPO_DIR" "$BIN_DIR"
+
+git -C "$REPO_DIR" init -q
+git -C "$REPO_DIR" remote add origin https://git.uscllc.com/USC/uconnect.git
+
+cat > "$CREDENTIALS_FILE" <<'JSON'
+{
+  "gitea": {
+    "mosaicstack": {
+      "url": "https://git.mosaicstack.dev",
+      "token": "mosaic-token"
+    },
+    "usc": {
+      "url": "https://git.uscllc.com",
+      "token": "usc-token"
+    }
+  }
+}
+JSON
+
+cat > "$BIN_DIR/tea" <<'SH'
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "$*" == "login list --output json" ]]; then
+    cat <<'JSON'
+[
+  {"name":"evil-usc","url":"https://evilgit.uscllc.com","user":"bad.actor"},
+  {"name":"usc","url":"https://git.uscllc.com","user":"jason.woltje"}
+]
+JSON
+    exit 0
+fi
+
+printf 'tea %s\n' "$*" >> "$MOSAIC_TEST_LOG"
+if [[ "${MOSAIC_TEA_FAIL_PR_CREATE:-}" == "1" && "$*" == pr\ create* ]]; then
+    echo 'GetUserByName: simulated stale login failure' >&2
+    exit 1
+fi
+exit 0
+SH
+
+cat > "$BIN_DIR/curl" <<'SH'
+#!/usr/bin/env bash
+set -euo pipefail
+
+printf 'curl %s\n' "$*" >> "$MOSAIC_TEST_LOG"
+url="${*: -1}"
+case "$url" in
+    */pulls/*.diff)
+        printf 'diff --git a/file b/file\n'
+        ;;
+    */pulls/*)
+        printf '{"head":{"sha":"abc123"}}'
+        ;;
+    */commits/*/status)
+        printf '{"state":"success","statuses":[{"context":"ci/mock","status":"success"}]}'
+        ;;
+    *)
+        printf '{}'
+        ;;
+esac
+SH
+
+chmod +x "$BIN_DIR/tea" "$BIN_DIR/curl"
+
+run_in_repo() {
+    (
+        cd "$REPO_DIR"
+        PATH="$BIN_DIR:$PATH" \
+        MOSAIC_CREDENTIALS_FILE="$CREDENTIALS_FILE" \
+        MOSAIC_TEST_LOG="$LOG_FILE" \
+        "$@"
+    )
+}
+
+usc_login=$(run_in_repo bash -c '
+    export GITEA_LOGIN=mosaicstack
+    export GITEA_URL=https://git.mosaicstack.dev
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_gitea_login
+')
+if [[ "$usc_login" != "usc" ]]; then
+    echo "Expected USC host to resolve tea login 'usc' despite stale mosaicstack env; got '$usc_login'" >&2
+    exit 1
+fi
+
+usc_login_with_usc_url=$(run_in_repo bash -c '
+    export GITEA_LOGIN=mosaicstack
+    export GITEA_URL=https://git.uscllc.com
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_gitea_login
+')
+if [[ "$usc_login_with_usc_url" != "usc" ]]; then
+    echo "Expected USC host to reject stale GITEA_LOGIN even when GITEA_URL matches USC; got '$usc_login_with_usc_url'" >&2
+    exit 1
+fi
+
+usc_login_without_url=$(run_in_repo bash -c '
+    export GITEA_LOGIN=mosaicstack
+    unset GITEA_URL
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_gitea_login
+')
+if [[ "$usc_login_without_url" != "usc" ]]; then
+    echo "Expected USC host to ignore unmatched GITEA_LOGIN without URL; got '$usc_login_without_url'" >&2
+    exit 1
+fi
+
+git -C "$REPO_DIR" remote set-url origin https://hermes:token@git.uscllc.com/USC/uconnect.git
+embedded_host=$(run_in_repo bash -c '
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_remote_host
+')
+if [[ "$embedded_host" != "git.uscllc.com" ]]; then
+    echo "Expected credential-bearing remote host to strip userinfo; got '$embedded_host'" >&2
+    exit 1
+fi
+git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
+
+override_login=$(run_in_repo bash -c '
+    export GITEA_LOGIN=usc
+    source "'"$SCRIPT_DIR"'/detect-platform.sh"
+    get_gitea_login_for_repo_override
+')
+if [[ "$override_login" != "usc" ]]; then
+    echo "Expected --repo override path to honor explicit GITEA_LOGIN; got '$override_login'" >&2
+    exit 1
+fi
+
+git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
+: > "$LOG_FILE"
+run_in_repo env GITEA_LOGIN=usc "$SCRIPT_DIR/issue-list.sh" --repo USC/uconnect -n 1
+grep -q -- 'tea issues list --repo USC/uconnect --login usc' "$LOG_FILE"
+git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
+
+: > "$LOG_FILE"
+run_in_repo "$SCRIPT_DIR/issue-close.sh" -i 42
+grep -q -- 'tea issue close 42 --repo USC/uconnect --login usc' "$LOG_FILE"
+if grep -q -- '--login mosaicstack' "$LOG_FILE"; then
+    echo "issue-close.sh used hardcoded mosaicstack login on USC host" >&2
+    exit 1
+fi
+
+: > "$LOG_FILE"
+run_in_repo "$SCRIPT_DIR/milestone-list.sh"
+grep -q -- 'tea milestone list --repo USC/uconnect --login usc' "$LOG_FILE"
+
+: > "$LOG_FILE"
+run_in_repo "$SCRIPT_DIR/milestone-create.sh" -t "0.2.0" -d "USC milestone"
+grep -q -- 'tea milestones create --title 0.2.0 --description USC milestone --repo USC/uconnect --login usc' "$LOG_FILE"
+
+: > "$LOG_FILE"
+run_in_repo "$SCRIPT_DIR/milestone-close.sh" -t "0.2.0"
+grep -q -- 'tea milestone close 0.2.0 --repo USC/uconnect --login usc' "$LOG_FILE"
+
+if command -v pwsh >/dev/null 2>&1; then
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-list.ps1" -Limit 1
+    grep -q -- 'tea issues list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
+
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-create.ps1" -Title "PowerShell issue"
+    grep -q -- 'tea issue create --title PowerShell issue --repo USC/uconnect --login usc' "$LOG_FILE"
+
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-list.ps1" -Limit 1
+    grep -q -- 'tea pr list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
+
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-create.ps1" -Title "PowerShell PR"
+    grep -q -- 'tea pr create --title PowerShell PR --head master --repo USC/uconnect --login usc' "$LOG_FILE"
+
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-merge.ps1" -Number 42 -SkipQueueGuard
+    grep -q -- 'tea pr merge 42 --style squash --repo USC/uconnect --login usc' "$LOG_FILE"
+
+    : > "$LOG_FILE"
+    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/milestone-create.ps1" -List
+    grep -q -- 'tea milestones list --repo USC/uconnect --login usc' "$LOG_FILE"
+fi
+
+: > "$LOG_FILE"
+if run_in_repo "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null 2>&1; then
+    echo "Expected pr-diff.sh --repo without host to fail loud" >&2
+    exit 1
+fi
+if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect' "$LOG_FILE"; then
+    echo "pr-diff.sh --repo defaulted API host to git.mosaicstack.dev" >&2
+    exit 1
+fi
+
+: > "$LOG_FILE"
+run_in_repo env GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null
+grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/7.diff' "$LOG_FILE"
+
+: > "$LOG_FILE"
+run_in_repo "$SCRIPT_DIR/pr-ci-wait.sh" --repo USC/uconnect --host git.uscllc.com -n 9 -t 2 -i 1
+grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/9' "$LOG_FILE"
+grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/commits/abc123/status' "$LOG_FILE"
+
+: > "$LOG_FILE"
+run_in_repo env MOSAIC_TEA_FAIL_PR_CREATE=1 GITEA_TOKEN=usc-token GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-create.sh" -t "USC API fallback" -H feature/pr-create
+grep -q -- 'tea pr create --repo USC/uconnect --login usc --title USC API fallback --head feature/pr-create' "$LOG_FILE"
+grep -q -- 'curl .*Authorization: token usc-token .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"
+if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"; then
+    echo "pr-create.sh API fallback defaulted USC repo to git.mosaicstack.dev" >&2
+    exit 1
+fi
+
+git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
+: > "$LOG_FILE"
+run_in_repo env GITEA_TOKEN=mosaic-token GITEA_URL=https://git.mosaicstack.dev "$SCRIPT_DIR/issue-close.sh" -i 536
+grep -q -- 'curl .*https://git.mosaicstack.dev/api/v1/repos/mosaicstack/stack/issues/536' "$LOG_FILE"
+if grep -q -- 'tea issue close 536 .*--login mosaicstack' "$LOG_FILE"; then
+    echo "issue-close.sh invented a mosaicstack tea login instead of using API fallback" >&2
+    exit 1
+fi
+
+echo "Gitea login resolution regression harness passed"

packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh

@@ -23,6 +23,10 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
+if [[ "$*" == *"login list"* ]]; then
+    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
+    exit 0
+fi
 if [[ "$*" == *"pr merge"* ]]; then
     echo 'user does not exist [uid: 0, name: ]' >&2
     exit 1
@@ -99,6 +103,7 @@ git remote add origin https://git.mosaicstack.dev/mosaicstack/stack.git
 export PATH="$MOCK_BIN:$PATH"
 export PR_MERGE_TEST_LOG="$LOG_FILE"
 export GITEA_LOGIN="git.mosaicstack.dev"
+export GITEA_URL="https://git.mosaicstack.dev"
 export GITEA_TOKEN="redacted-test-token"
 
 OUTPUT="$SANDBOX/output.log"
@@ -127,6 +132,10 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
+if [[ "$*" == *"login list"* ]]; then
+    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
+    exit 0
+fi
 if [[ "$*" == *"pr merge"* ]]; then
     echo 'tea network timeout' >&2
     exit 2

packages/mosaic/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mosaicstack/mosaic",
-  "version": "0.0.30",
+  "version": "0.0.31",
   "repository": {
     "type": "git",
     "url": "https://git.mosaicstack.dev/mosaicstack/stack.git",

packages/mosaic/src/commands/git-wrapper-redirects.spec.ts

@@ -15,8 +15,8 @@ describe('Gitea git wrapper API calls', () => {
     (scriptName) => {
       const script = readGitTool(scriptName);
 
-      expect(script).not.toContain('curl -fsS -H "Authorization: token');
+      expect(script).not.toMatch(/curl -fsS\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
-      expect(script).toContain('curl -fsSL -H "Authorization: token');
+      expect(script).toMatch(/curl -fsSL\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
     },
   );
 });