docs(framework): canonize merge-authority policy (hard gate 13 + E2E gate note)

Coordinated work: post-review merge go-ahead belongs to the active coordinator/orchestrator session; solo delivery merges without routine confirmation as before. 'No self-merge' means no UNREVIEWED self-merge. Previously this policy existed only as per-host local patches to the preserved ~/.config/mosaic/AGENTS.md (web1 + sb-it-mgr-0-lt rule 38) and was lost from E2E-DELIVERY.md on every framework sync. Shipping it in defaults/AGENTS.md + guides/E2E-DELIVERY.md makes it permanent for fresh installs and upgrades. Policy: Jason, 2026-06-11. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 18:41:59 -05:00
41 changed files with 88 additions and 1538 deletions
--- a/apps/appservice/src/tests/server.test.ts
+++ b/apps/appservice/src/tests/server.test.ts
@@ -3,8 +3,6 @@ import { describe, expect, it, vi } from 'vitest';
 import { AppserviceDaemon } from '../server.js';
 import type { DaemonConfig, DaemonRequest } from '../server.js';
 const AGENTS_TYPE = 'org.uscllc.mosaic_as.agents';
 const cfg: DaemonConfig = {
  homeserverUrl: 'https://hs.example',
  domain: 'hs.example',
@@ -230,149 +228,6 @@ describe('AppserviceDaemon routing', () => {
    expect(bad.status).toBe(400);
  });
  // A daemon whose fetch mock backs account_data with a mutable in-test object,
  // so register/verify/revoke round-trip through the (faked) homeserver.
  const makeAgentDaemon = () => {
    const accountData: { value: Record<string, unknown> | null } = { value: null };
    const fetchMock = vi.fn(async (input: URL | string, init?: RequestInit) => {
      const url = new URL(String(input));
      const path = url.pathname;
      if (path.includes(`/account_data/${AGENTS_TYPE}`)) {
        if (init?.method === 'PUT') {
          accountData.value = JSON.parse(String(init.body)) as Record<string, unknown>;
          return jsonResponse(200, {});
        }
        if (accountData.value === null) {
          return jsonResponse(404, { errcode: 'M_NOT_FOUND', error: 'not found' });
        }
        return jsonResponse(200, accountData.value);
      }
      if (path.endsWith('/register')) return jsonResponse(200, { user_id: 'whatever' });
      if (path.includes('/send/m.room.message/')) return jsonResponse(200, { event_id: '$sent' });
      return jsonResponse(200, {});
    });
    const daemon = new AppserviceDaemon(cfg, fetchMock as unknown as typeof fetch, () => {});
    return { daemon, fetchMock };
  };
  const registerAgent = async (
    daemon: AppserviceDaemon,
    body: Record<string, unknown> = { alias: 'pi0', host: 'web1' },
  ) =>
    daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/agents',
        authorizationHeader: 'Bearer bridge-secret',
        body,
      }),
    );
  it('host token registers an agent and returns agent_user_id + bridge_token', async () => {
    const { daemon, fetchMock } = makeAgentDaemon();
    const res = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
    expect(res.status).toBe(200);
    expect(res.body.agent_user_id).toBe('@agent-pi0-web1:hs.example');
    expect(String(res.body.bridge_token).startsWith('magt_')).toBe(true);
    const registerCall = fetchMock.mock.calls
      .map((c) => new URL(String(c[0])))
      .find((u) => u.pathname.endsWith('/register'));
    expect(registerCall).toBeDefined();
  });
  it('register requires a HOST token (agent token and no token are 403)', async () => {
    const { daemon } = makeAgentDaemon();
    const minted = await registerAgent(daemon);
    const agentToken = String(minted.body.bridge_token);
    const asAgent = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/agents',
        authorizationHeader: `Bearer ${agentToken}`,
        body: { alias: 'pi1', host: 'web2' },
      }),
    );
    expect(asAgent.status).toBe(403);
    const noAuth = await daemon.handle(
      request({ method: 'POST', path: '/bridge/v1/agents', body: { alias: 'pi1', host: 'web2' } }),
    );
    expect(noAuth.status).toBe(403);
  });
  it('agent-scoped token may send as itself but not as another agent', async () => {
    const { daemon } = makeAgentDaemon();
    const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
    const agentToken = String(minted.body.bridge_token);
    const self = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/messages',
        authorizationHeader: `Bearer ${agentToken}`,
        body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
      }),
    );
    expect(self.status).toBe(200);
    const other = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/messages',
        authorizationHeader: `Bearer ${agentToken}`,
        body: { room_id: '!r:hs.example', agent: 'pi9-web9', body: 'hi' },
      }),
    );
    expect(other.status).toBe(403);
    expect(other.body.error).toBe('token not scoped to this agent');
  });
  it('revoked agent token is rejected on messages', async () => {
    const { daemon } = makeAgentDaemon();
    const minted = await registerAgent(daemon, { alias: 'pi0', host: 'web1' });
    const agentToken = String(minted.body.bridge_token);
    const revoke = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/agents/revoke',
        authorizationHeader: 'Bearer bridge-secret',
        body: { agent_user_id: '@agent-pi0-web1:hs.example' },
      }),
    );
    expect(revoke.status).toBe(200);
    expect(revoke.body.revoked).toBe(1);
    const afterRevoke = await daemon.handle(
      request({
        method: 'POST',
        path: '/bridge/v1/messages',
        authorizationHeader: `Bearer ${agentToken}`,
        body: { room_id: '!r:hs.example', agent: 'pi0-web1', body: 'hi' },
      }),
    );
    expect(afterRevoke.status).toBe(403);
  });
  it('GET /bridge/v1/agents lists registered agents (host only)', async () => {
    const { daemon } = makeAgentDaemon();
    await registerAgent(daemon, { alias: 'pi0', host: 'web1', display_name: 'Pi Zero' });
    const res = await daemon.handle(
      request({
        method: 'GET',
        path: '/bridge/v1/agents',
        authorizationHeader: 'Bearer bridge-secret',
      }),
    );
    expect(res.status).toBe(200);
    const agents = res.body.agents as Array<Record<string, unknown>>;
    expect(agents).toHaveLength(1);
    expect(agents[0]?.agent_user_id).toBe('@agent-pi0-web1:hs.example');
    expect(agents[0]?.display_name).toBe('Pi Zero');
  });
  it('empty bridge token list denies everything', async () => {
    const daemon = new AppserviceDaemon({ ...cfg, bridgeTokens: [] }, undefined, () => {});
    const res = await daemon.handle(
--- a/apps/appservice/src/server.ts
+++ b/apps/appservice/src/server.ts
@@ -1,14 +1,11 @@
 import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
 import {
  AgentTokenStore,
  AppserviceIntent,
  TransactionHandler,
  validateBridgeMessage,
  validateBridgeTyping,
  validateProvisionRoom,
  validateRegisterAgent,
  validateRevokeAgent,
 } from '@mosaicstack/appservice';
 import type { AppserviceConfig, MatrixEvent } from '@mosaicstack/appservice';
@@ -40,13 +37,6 @@ const safeEqual = (a: string, b: string): boolean => timingSafeEqual(digest(a),
 const TXN_PATH = /^\/_matrix\/app\/v1\/transactions\/([^/]+)$/;
 /**
 * Resolved identity for an authenticated /bridge/v1/* caller. Host principals
 * (the agent-comms host daemons) are unrestricted; agent principals are scoped
 * to a single virtual user and may only act as themselves.
 */
 export type BridgePrincipal = { kind: 'host' } | { kind: 'agent'; agentUserId: string } | null;
 /**
 * HTTP-framework-agnostic request router for the mosaic-as daemon: the
 * Application Service transactions endpoint (Synapse-facing) plus the
@@ -56,7 +46,6 @@ export type BridgePrincipal = { kind: 'host' } | { kind: 'agent'; agentUserId: s
 export class AppserviceDaemon {
  readonly intent: AppserviceIntent;
  private readonly transactions: TransactionHandler;
  private readonly agents: AgentTokenStore;
  constructor(
    private readonly cfg: DaemonConfig,
@@ -64,7 +53,6 @@ export class AppserviceDaemon {
    private readonly log: (line: string) => void = (line) => console.log(line),
  ) {
    this.intent = new AppserviceIntent(cfg, fetchImpl);
    this.agents = new AgentTokenStore(this.intent);
    this.transactions = new TransactionHandler({
      hsToken: cfg.hsToken,
      onEvent: (event) => this.onEvent(event),
@@ -81,20 +69,10 @@ export class AppserviceDaemon {
    }
  }
-  /** Resolve the calling principal, or null when unauthorized. Fail-closed:
+  private bridgeAuthorized(authorizationHeader: string | undefined): boolean {
-   * host tokens win (timing-safe compare); otherwise a magt_* bearer is looked
+    if (!authorizationHeader?.startsWith('Bearer ')) return false;
   * up in the agent token store; anything else is rejected. */
  private async bridgeAuthorized(
    authorizationHeader: string | undefined,
  ): Promise<BridgePrincipal> {
    if (!authorizationHeader?.startsWith('Bearer ')) return null;
    const presented = authorizationHeader.slice('Bearer '.length);
-    if (this.cfg.bridgeTokens.some((token) => safeEqual(presented, token))) {
+    return this.cfg.bridgeTokens.some((token) => safeEqual(presented, token));
      return { kind: 'host' };
    }
    const agentUserId = await this.agents.verifyToken(presented);
    if (agentUserId) return { kind: 'agent', agentUserId };
    return null;
  }
  async handle(req: DaemonRequest): Promise<DaemonResponse> {
@@ -111,60 +89,12 @@ export class AppserviceDaemon {
    }
    if (req.path.startsWith('/bridge/v1/')) {
-      const principal = await this.bridgeAuthorized(req.authorizationHeader);
+      if (!this.bridgeAuthorized(req.authorizationHeader)) {
      if (!principal) {
        return { status: 403, body: { errcode: 'M_FORBIDDEN', error: 'bad bridge token' } };
      }
      try {
        if (req.method === 'POST' && req.path === '/bridge/v1/agents') {
          if (principal.kind !== 'host') {
            return {
              status: 403,
              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot register agents' },
            };
          }
          validateRegisterAgent(req.body);
          const { agentUserId, token } = await this.agents.register({
            alias: req.body.alias,
            host: req.body.host,
            displayName: req.body.display_name,
          });
          this.log(`registered agent ${agentUserId}`);
          return { status: 200, body: { agent_user_id: agentUserId, bridge_token: token } };
        }
        if (req.method === 'POST' && req.path === '/bridge/v1/agents/revoke') {
          if (principal.kind !== 'host') {
            return {
              status: 403,
              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot revoke agents' },
            };
          }
          validateRevokeAgent(req.body);
          const revoked = await this.agents.revoke(req.body.agent_user_id);
          this.log(`revoked ${revoked} token(s) for ${req.body.agent_user_id}`);
          return { status: 200, body: { revoked } };
        }
        if (req.method === 'GET' && req.path === '/bridge/v1/agents') {
          if (principal.kind !== 'host') {
            return {
              status: 403,
              body: { errcode: 'M_FORBIDDEN', error: 'agents cannot list agents' },
            };
          }
          const agents = await this.agents.list();
          return { status: 200, body: { agents } };
        }
        if (req.method === 'POST' && req.path === '/bridge/v1/messages') {
          validateBridgeMessage(req.body);
          if (
            principal.kind === 'agent' &&
            this.intent.agentUserId(req.body.agent) !== principal.agentUserId
          ) {
            return {
              status: 403,
              body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
            };
          }
          const eventId = await this.intent.sendAsAgent({
            roomId: req.body.room_id,
            agent: req.body.agent,
@@ -177,15 +107,6 @@ export class AppserviceDaemon {
        }
        if (req.method === 'POST' && req.path === '/bridge/v1/typing') {
          validateBridgeTyping(req.body);
          if (
            principal.kind === 'agent' &&
            this.intent.agentUserId(req.body.agent) !== principal.agentUserId
          ) {
            return {
              status: 403,
              body: { errcode: 'M_FORBIDDEN', error: 'token not scoped to this agent' },
            };
          }
          await this.intent.setTyping(req.body.room_id, req.body.agent, req.body.typing);
          return { status: 200, body: {} };
        }
--- a/docs/scratchpads/536-wrapper-login-pin.md
+++ b/docs/scratchpads/536-wrapper-login-pin.md
@@ -1,50 +0,0 @@
 # Issue 536 Wrapper Login Pin Scratchpad
 ## Metadata
 - Date: 2026-06-12
 - Worktree: `/home/hermes/agent-work/536-wrapper-audit`
 - Branch: `fix/536-wrapper-login-pin`
 - Coordinator: `mos-claude`
 - Issue: `mosaicstack/stack#536`
 - Scope: Audit and fix Gitea git wrappers that hardcode or incorrectly inherit tea login/instance selection.
 ## Objective
 Fix the framework git wrappers so Gitea issue/PR operations resolve the tea login from the target repository host instead of pinning `mosaicstack`. The fix must cover the class of bug across `packages/mosaic/framework/tools/git/`, not only `issue-close.sh`.
 ## Acceptance Criteria
 1. `issue-close.sh` no longer uses `--login mosaicstack` for non-mosaic hosts.
 2. All wrappers in `packages/mosaic/framework/tools/git/` avoid hardcoded Gitea login fallback where host-specific resolution is available.
 3. Host-specific resolution works for `git.mosaicstack.dev` and `git.uscllc.com` using configured credentials / tea login data.
 4. Read-only verification runs against both Gitea instances where possible.
 5. Queue guard passes before push, PR is opened referencing #536, and merge is left to the coordinator.
 ## Progress Log
 - Read required Mosaic hard-gate docs and coordinator briefing.
 - Read issue #536 via Gitea API with mosaicstack credentials.
 - Initial audit found hardcoded `${GITEA_LOGIN:-mosaicstack}` in issue and PR wrappers, plus shared `get_gitea_repo_args`.
 - Added host-aware Gitea login resolution in `detect-platform.sh`, including exact host matching for `tea login list` entries and HTTPS remotes with embedded credentials.
 - Updated Gitea issue, PR, milestone, and CI wrappers to use resolved host-specific tea login arguments instead of defaulting to `mosaicstack`.
 - Added authenticated API fallbacks for close/reopen paths so wrappers can still operate when a matching `tea` login is absent but token credentials are available.
 - Added regression coverage for stale `GITEA_LOGIN`, exact host matching, `--repo` override flows, USC issue close routing, mosaicstack API fallback, and PR metadata/merge fallbacks.
 - Delta after PR #538 review: extended host-aware login/repo resolution to PowerShell wrappers, Bash milestone wrappers, and API-only `--repo` fallback paths.
 - Delta after live USC `pr-create.sh` repro: tightened `GITEA_LOGIN` trust so stale login names are ignored unless the tea login itself matches the target host, and added USC API fallback coverage for `pr-create.sh`.
 ## Verification
 - `bash -n packages/mosaic/framework/tools/git/*.sh`
 - `packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh`
 - `packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`
 - `packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh`
 - `pwsh -NoProfile` parse check for all `packages/mosaic/framework/tools/git/*.ps1`
 - `pnpm typecheck`
 - `pnpm lint`
 - `pnpm format:check`
 - `pnpm --filter @mosaicstack/mosaic test -- src/commands/git-wrapper-redirects.spec.ts`
 - `pnpm test` progressed past wrapper redirect assertions; local run then stopped on `apps/gateway` Postgres connection refused at `localhost:5433`, which CI provides as a service.
 - Live read-only: direct Gitea API read of `mosaicstack/stack#536` with `User-Agent: curl/8`.
 - Live read-only: USC temporary repo remote to `https://git.uscllc.com/USC/uconnect.git`; `issue-list.sh -n 1` resolved the USC login and returned USC issues.
 - Independent Codex review final verdict: approve, no findings.
--- a/packages/appservice/src/tests/agent-store.test.ts
+++ b/packages/appservice/src/tests/agent-store.test.ts
@@ -1,116 +0,0 @@
 import { describe, expect, it } from 'vitest';
 import { AGENTS_ACCOUNT_DATA_TYPE, AgentTokenStore } from '../agent-store.js';
 import type { AppserviceIntent } from '../intent.js';
 /** Fake intent: in-memory account_data, no-op user provisioning. Only the
 * surface AgentTokenStore touches is implemented. */
 const makeFakeIntent = () => {
  const store: Record<string, Record<string, unknown>> = {};
  const fake = {
    domain: 'hs.example',
    getSenderAccountData: async (type: string): Promise<Record<string, unknown> | null> =>
      store[type] ?? null,
    setSenderAccountData: async (type: string, content: Record<string, unknown>): Promise<void> => {
      store[type] = structuredClone(content);
    },
    ensureRegistered: async (agent: string): Promise<string> => `@agent-${agent}:hs.example`,
    setDisplayName: async (): Promise<void> => {},
  };
  return { intent: fake as unknown as AppserviceIntent, store };
 };
 describe('AgentTokenStore', () => {
  it('mints a magt_ token and stores only its sha256 (never plaintext)', async () => {
    const { intent, store } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
    expect(agentUserId).toBe('@agent-pi0-web1:hs.example');
    expect(token.startsWith('magt_')).toBe(true);
    const raw = JSON.stringify(store[AGENTS_ACCOUNT_DATA_TYPE]);
    expect(raw).not.toContain(token);
    // The stored hash is sha256hex(token), 64 hex chars.
    const { createHash } = await import('node:crypto');
    const hash = createHash('sha256').update(token).digest('hex');
    expect(raw).toContain(hash);
  });
  it('verifyToken returns the agentUserId for a fresh token, null otherwise', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
    expect(await s.verifyToken(token)).toBe(agentUserId);
    expect(await s.verifyToken('magt_garbage')).toBeNull();
    expect(await s.verifyToken('not-a-token')).toBeNull();
    expect(await s.verifyToken('')).toBeNull();
  });
  it('revoke invalidates tokens, returns count, and hides agent from list', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });
    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
    const count = await s.revoke(agentUserId);
    expect(count).toBe(1);
    expect(await s.verifyToken(token)).toBeNull();
    expect((await s.list()).map((a) => a.agent_user_id)).not.toContain(agentUserId);
    // Idempotent on unknown / already-revoked.
    expect(await s.revoke(agentUserId)).toBe(0);
    expect(await s.revoke('@agent-nope:hs.example')).toBe(0);
  });
  it('re-register after revoke yields a working token and the agent reappears', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token: t1 } = await s.register({ alias: 'pi0', host: 'web1' });
    await s.revoke(agentUserId);
    const { token: t2 } = await s.register({ alias: 'pi0', host: 'web1' });
    expect(await s.verifyToken(t1)).toBeNull();
    expect(await s.verifyToken(t2)).toBe(agentUserId);
    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
  });
  it('agent A token never verifies as agent B', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const a = await s.register({ alias: 'pi0', host: 'web1' });
    const b = await s.register({ alias: 'pi1', host: 'web2' });
    expect(await s.verifyToken(a.token)).toBe(a.agentUserId);
    expect(await s.verifyToken(b.token)).toBe(b.agentUserId);
    expect(a.agentUserId).not.toBe(b.agentUserId);
  });
  it('rejects an ambiguous re-registration that collides on one Matrix id', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    // alias="a-b",host="c" and alias="a",host="b-c" both -> @agent-a-b-c.
    const first = await s.register({ alias: 'a-b', host: 'c' });
    expect(first.agentUserId).toBe('@agent-a-b-c:hs.example');
    await expect(s.register({ alias: 'a', host: 'b-c' })).rejects.toThrow(/collision/);
    // The original registration is untouched: still one active token, correct pair.
    expect(await s.verifyToken(first.token)).toBe(first.agentUserId);
    const summary = (await s.list()).find((x) => x.agent_user_id === first.agentUserId);
    expect(summary?.alias).toBe('a-b');
    expect(summary?.host).toBe('c');
    expect(summary?.active_token_count).toBe(1);
  });
  it('display_name is stored and surfaced in list', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    await s.register({ alias: 'pi0', host: 'web1', displayName: 'Pi Zero' });
    const summary = (await s.list())[0];
    expect(summary?.display_name).toBe('Pi Zero');
    expect(summary?.active_token_count).toBe(1);
  });
 });
--- a/packages/appservice/src/agent-registry.dto.ts
+++ b/packages/appservice/src/agent-registry.dto.ts
@@ -1,63 +0,0 @@
 /** DTOs for agent registration + scoped/revocable bridge tokens (US-007). */
 export interface RegisterAgentDto {
  /** Agent alias slug, e.g. "pi0". Combined with host into the agent slug. */
  alias: string;
  /** Host slug, e.g. "web1". Combined with alias into the agent slug. */
  host: string;
  display_name?: string;
 }
 export interface RevokeAgentDto {
  agent_user_id: string;
 }
 export interface RegisterAgentResponse {
  agent_user_id: string;
  bridge_token: string;
 }
 export interface AgentSummary {
  agent_user_id: string;
  alias: string;
  host: string;
  display_name?: string;
  created_at: string;
  active_token_count: number;
 }
 const SLUG_RE = /^[a-z0-9][a-z0-9_.-]*$/;
 /** Combined agent slug, e.g. alias="pi0", host="web1" -> "pi0-web1". */
 export function agentSlug(alias: string, host: string): string {
  return `${alias}-${host}`;
 }
 const assertSlug = (value: unknown, field: string): void => {
  if (typeof value !== 'string' || value.length === 0 || !SLUG_RE.test(value)) {
    throw new Error(`${field} must match [a-z0-9][a-z0-9_.-]* (lowercase, non-empty)`);
  }
 };
 export function validateRegisterAgent(input: unknown): asserts input is RegisterAgentDto {
  const o = input as Partial<RegisterAgentDto> | null | undefined;
  if (!o || typeof o !== 'object') throw new Error('payload must be an object');
  assertSlug(o.alias, 'alias');
  assertSlug(o.host, 'host');
  if (o.display_name !== undefined) {
    if (typeof o.display_name !== 'string' || o.display_name.length === 0) {
      throw new Error('display_name must be a non-empty string');
    }
    if (o.display_name.length > 100) {
      throw new Error('display_name must be at most 100 chars');
    }
  }
 }
 export function validateRevokeAgent(input: unknown): asserts input is RevokeAgentDto {
  const o = input as Partial<RevokeAgentDto> | null | undefined;
  if (!o || typeof o !== 'object') throw new Error('payload must be an object');
  if (typeof o.agent_user_id !== 'string' || !o.agent_user_id.startsWith('@')) {
    throw new Error('agent_user_id must be a Matrix user id');
  }
 }
--- a/packages/appservice/src/agent-store.ts
+++ b/packages/appservice/src/agent-store.ts
@@ -1,160 +0,0 @@
 import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
 import { agentSlug } from './agent-registry.dto.js';
 import type { AgentSummary } from './agent-registry.dto.js';
 import type { AppserviceIntent } from './intent.js';
 /** account_data type holding the agent registry on the AS sender user. */
 export const AGENTS_ACCOUNT_DATA_TYPE = 'org.uscllc.mosaic_as.agents';
 const TOKEN_PREFIX = 'magt_';
 interface StoredAgent {
  alias: string;
  host: string;
  display_name?: string;
  created_at: string;
  /** sha256hex of each active token. Plaintext tokens are NEVER stored. */
  token_hashes: string[];
  revoked_at?: string;
 }
 interface AgentRegistry {
  agents: Record<string, StoredAgent>;
 }
 const sha256hex = (value: string): string => createHash('sha256').update(value).digest('hex');
 const mintToken = (): string => `${TOKEN_PREFIX}${randomBytes(32).toString('base64url')}`;
 /**
 * Persists scoped/revocable bridge tokens for agent virtual users in Matrix
 * account_data on the AS sender user (no new infra; survives restart).
 *
 * Tokens are stored only as sha256 hashes (the high-entropy `magt_` token makes
 * plain sha256 safe — no salt/KDF needed since brute force is infeasible).
 *
 * KNOWN v1 LIMIT: Synapse caps a single account_data object (default
 * max_account_data_size, ~100KB). Each agent + hash entry is small, so this
 * supports thousands of agents, but a very large fleet would eventually need a
 * dedicated store. Revoked agents with no active tokens are pruned of hashes
 * (kept as tombstones) to bound growth.
 */
 export class AgentTokenStore {
  constructor(private readonly intent: AppserviceIntent) {}
  /** Read the registry fresh from account_data (low-frequency ops favor
   * correctness over caching; verifyToken/list also read fresh). */
  private async read(): Promise<AgentRegistry> {
    const data = await this.intent.getSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE);
    const agents = data?.agents;
    if (agents && typeof agents === 'object') {
      return { agents: agents as Record<string, StoredAgent> };
    }
    return { agents: {} };
  }
  private async write(registry: AgentRegistry): Promise<void> {
    await this.intent.setSenderAccountData(AGENTS_ACCOUNT_DATA_TYPE, {
      agents: registry.agents,
    });
  }
  /** Ensure the virtual user exists, mint a fresh token, store its hash, and
   * return the plaintext token ONCE. Clears any prior revocation. */
  async register(opts: {
    alias: string;
    host: string;
    displayName?: string;
  }): Promise<{ agentUserId: string; token: string }> {
    const slug = agentSlug(opts.alias, opts.host);
    const agentUserId = await this.intent.ensureRegistered(slug);
    if (opts.displayName !== undefined) {
      await this.intent.setDisplayName(slug, opts.displayName);
    }
    const token = mintToken();
    const hash = sha256hex(token);
    const registry = await this.read();
    const existing = registry.agents[agentUserId];
    if (existing) {
      // The agent slug `<alias>-<host>` joins with a `-`, which is also a legal
      // slug char, so distinct pairs can collide on one Matrix id (e.g.
      // a/b-c and a-b/c both -> @agent-a-b-c). They ARE the same Matrix user,
      // but silently overwriting the stored alias/host of a different pair
      // would conflate two logical agents into one token bucket. Reject the
      // ambiguous re-registration instead of overwriting.
      if (existing.alias !== opts.alias || existing.host !== opts.host) {
        throw new Error(
          `agent id collision: ${agentUserId} already registered as ` +
            `${existing.alias}/${existing.host}, refusing ${opts.alias}/${opts.host}`,
        );
      }
      if (opts.displayName !== undefined) existing.display_name = opts.displayName;
      existing.token_hashes = [...existing.token_hashes, hash];
      delete existing.revoked_at;
    } else {
      registry.agents[agentUserId] = {
        alias: opts.alias,
        host: opts.host,
        ...(opts.displayName !== undefined ? { display_name: opts.displayName } : {}),
        created_at: new Date().toISOString(),
        token_hashes: [hash],
      };
    }
    await this.write(registry);
    return { agentUserId, token };
  }
  /** Return the agentUserId bound to an active (non-revoked) token, else null.
   * Constant-time hash comparison; no early-out on match. */
  async verifyToken(token: string): Promise<string | null> {
    if (!token.startsWith(TOKEN_PREFIX)) return null;
    const presented = Buffer.from(sha256hex(token), 'hex');
    const registry = await this.read();
    let matched: string | null = null;
    for (const [agentUserId, agent] of Object.entries(registry.agents)) {
      if (agent.revoked_at) continue;
      for (const stored of agent.token_hashes) {
        const candidate = Buffer.from(stored, 'hex');
        if (candidate.length === presented.length && timingSafeEqual(candidate, presented)) {
          // No early break: keep scanning so timing does not reveal match position.
          matched = agentUserId;
        }
      }
    }
    return matched;
  }
  /** Revoke all active tokens for an agent. Idempotent; returns count revoked. */
  async revoke(agentUserId: string): Promise<number> {
    const registry = await this.read();
    const agent = registry.agents[agentUserId];
    if (!agent) return 0;
    const count = agent.token_hashes.length;
    agent.token_hashes = [];
    agent.revoked_at = new Date().toISOString();
    await this.write(registry);
    return count;
  }
  /** List agents with at least one active token (never advertise revoked/phantom). */
  async list(): Promise<AgentSummary[]> {
    const registry = await this.read();
    const out: AgentSummary[] = [];
    for (const [agentUserId, agent] of Object.entries(registry.agents)) {
      if (agent.revoked_at || agent.token_hashes.length === 0) continue;
      out.push({
        agent_user_id: agentUserId,
        alias: agent.alias,
        host: agent.host,
        ...(agent.display_name !== undefined ? { display_name: agent.display_name } : {}),
        created_at: agent.created_at,
        active_token_count: agent.token_hashes.length,
      });
    }
    return out;
  }
 }
--- a/packages/appservice/src/index.ts
+++ b/packages/appservice/src/index.ts
@@ -10,14 +10,6 @@ export {
  validateProvisionRoom,
 } from './bridge.dto.js';
 export type { BridgeMessageDto, BridgeTypingDto, ProvisionRoomDto } from './bridge.dto.js';
 export { agentSlug, validateRegisterAgent, validateRevokeAgent } from './agent-registry.dto.js';
 export type {
  RegisterAgentDto,
  RevokeAgentDto,
  RegisterAgentResponse,
  AgentSummary,
 } from './agent-registry.dto.js';
 export { AgentTokenStore, AGENTS_ACCOUNT_DATA_TYPE } from './agent-store.js';
 export type {
  AppserviceConfig,
  EventHandler,
--- a/packages/appservice/src/intent.ts
+++ b/packages/appservice/src/intent.ts
@@ -233,30 +233,4 @@ export class AppserviceIntent {
      body: { displayname: displayName },
    });
  }
  /** Read an account_data object on the AS sender user. Returns null when the
   * key has never been written (M_NOT_FOUND), so callers can treat that as an
   * empty store; any other error propagates. */
  async getSenderAccountData(type: string): Promise<Record<string, unknown> | null> {
    const user = encodeURIComponent(this.senderUserId);
    const key = encodeURIComponent(type);
    try {
      return await this.request('GET', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
        userId: this.senderUserId,
      });
    } catch (err) {
      if (err instanceof MatrixApiError && err.errcode === 'M_NOT_FOUND') return null;
      throw err;
    }
  }
  /** Write an account_data object on the AS sender user. */
  async setSenderAccountData(type: string, content: Record<string, unknown>): Promise<void> {
    const user = encodeURIComponent(this.senderUserId);
    const key = encodeURIComponent(type);
    await this.request('PUT', `/_matrix/client/v3/user/${user}/account_data/${key}`, {
      userId: this.senderUserId,
      body: content,
    });
  }
 }
--- a/packages/mosaic/framework/tools/git/ci-queue-wait.sh
+++ b/packages/mosaic/framework/tools/git/ci-queue-wait.sh
@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
    local branch="$3"
    local token="$4"
    local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
-    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
    local sha="$3"
    local token="$4"
    local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "Authorization: token ${token}" "$url"
 }
 while [[ $# -gt 0 ]]; do
--- a/packages/mosaic/framework/tools/git/detect-platform.ps1
+++ b/packages/mosaic/framework/tools/git/detect-platform.ps1
@@ -55,154 +55,6 @@ function Get-GitRepoInfo {
    return $repoPath
 }
 function Get-GitRemoteHost {
    [CmdletBinding()]
    param()
    $remoteUrl = git remote get-url origin 2>$null
    if ([string]::IsNullOrEmpty($remoteUrl)) {
        Write-Error "Not a git repository or no origin remote"
        return $null
    }
    if ($remoteUrl -match "^https?://([^/]+)/") {
        $remoteHost = $Matches[1]
        return ($remoteHost -replace "^.*@", "")
    }
    if ($remoteUrl -match "^git@([^:]+):") {
        return $Matches[1]
    }
    return $null
 }
 function Get-TeaLoginList {
    [CmdletBinding()]
    param()
    $json = tea login list --output json 2>$null
    if (-not $json) {
        return @()
    }
    try {
        $items = $json | ConvertFrom-Json
    } catch {
        return @()
    }
    if ($null -eq $items) {
        return @()
    }
    return @($items)
 }
 function Test-GiteaUrlMatchesHost {
    [CmdletBinding()]
    param(
        [string]$Url,
        [string]$GiteaHost
    )
    if ([string]::IsNullOrEmpty($Url) -or [string]::IsNullOrEmpty($GiteaHost)) {
        return $false
    }
    try {
        $uri = [Uri]$Url
        return $uri.Host -eq $GiteaHost
    } catch {
        return $false
    }
 }
 function Find-TeaLoginForHost {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)][string]$GiteaHost)
    foreach ($login in Get-TeaLoginList) {
        $name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
        $url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
        if ([string]::IsNullOrEmpty($name) -or [string]::IsNullOrEmpty($url)) {
            continue
        }
        try {
            $uri = [Uri]$url
            if ($uri.Host -eq $GiteaHost) {
                return $name
            }
        } catch {
            continue
        }
    }
    return $null
 }
 function Test-TeaLoginMatchesHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$LoginName,
        [Parameter(Mandatory=$true)][string]$GiteaHost
    )
    foreach ($login in Get-TeaLoginList) {
        $name = if ($login.name) { [string]$login.name } elseif ($login.Name) { [string]$login.Name } else { "" }
        $url = if ($login.url) { [string]$login.url } elseif ($login.URL) { [string]$login.URL } else { "" }
        if ($name -ne $LoginName -or [string]::IsNullOrEmpty($url)) {
            continue
        }
        try {
            $uri = [Uri]$url
            return $uri.Host -eq $GiteaHost
        } catch {
            return $false
        }
    }
    return $false
 }
 function Get-GiteaLoginForHost {
    [CmdletBinding()]
    param([string]$GiteaHost)
    if ([string]::IsNullOrEmpty($GiteaHost)) {
        $GiteaHost = Get-GitRemoteHost
    }
    if ([string]::IsNullOrEmpty($GiteaHost)) {
        return $null
    }
    if ($env:GITEA_LOGIN) {
        if (Test-TeaLoginMatchesHost -LoginName $env:GITEA_LOGIN -GiteaHost $GiteaHost) {
            return $env:GITEA_LOGIN
        }
    }
    return Find-TeaLoginForHost -GiteaHost $GiteaHost
 }
 function Get-GiteaRepoArgs {
    [CmdletBinding()]
    param()
    $repo = Get-GitRepoInfo
    $hostName = Get-GitRemoteHost
    $login = Get-GiteaLoginForHost -GiteaHost $hostName
    if ([string]::IsNullOrEmpty($repo) -or [string]::IsNullOrEmpty($login)) {
        return @()
    }
    return @("--repo", $repo, "--login", $login)
 }
 function Get-GitRepoOwner {
    [CmdletBinding()]
    param()
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -78,211 +78,10 @@ get_repo_slug() {
    get_repo_info
 }
 gitea_url_matches_host() {
    local url="${1:-}" host="${2:-}"
    [[ -n "$url" && -n "$host" ]] || return 1
    [[ "${url%/}" == "https://$host" || "${url%/}" == "http://$host" || "${url%/}" == *"//$host" ]]
 }
 get_gitea_service_for_host() {
    local host="$1"
    local cred_file="${MOSAIC_CREDENTIALS_FILE:-$HOME/src/jarvis-brain/credentials.json}"
    case "$host" in
        git.mosaicstack.dev)
            echo "mosaicstack"
            return 0
            ;;
        git.uscllc.com)
            echo "usc"
            return 0
            ;;
    esac
    [[ -f "$cred_file" ]] || return 1
    command -v jq >/dev/null 2>&1 || return 1
    jq -r --arg host "$host" '
        .gitea // {}
        | to_entries[]
        | select((.value.url // "" | sub("/+$"; "")) | test("https?://" + $host + "$"))
        | .key
    ' "$cred_file" | head -n 1
 }
 find_tea_login_for_host() {
    local host="$1"
    local logins_json
    command -v tea >/dev/null 2>&1 || return 1
    logins_json=$(tea login list --output json 2>/dev/null) || return 1
    TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
 import json
 import os
 import sys
 from urllib.parse import urlparse
 host = sys.argv[1]
 try:
    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
 except Exception:
    raise SystemExit(1)
 for login in logins if isinstance(logins, list) else []:
    url = str(login.get("url") or login.get("URL") or "")
    name = str(login.get("name") or login.get("Name") or "")
    parsed = urlparse(url)
    if parsed.hostname == host and name:
        print(name)
        raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 tea_login_matches_host() {
    local login_name="$1" host="$2"
    local logins_json
    command -v tea >/dev/null 2>&1 || return 1
    logins_json=$(tea login list --output json 2>/dev/null) || return 1
    TEA_LOGINS_JSON="$logins_json" python3 - "$login_name" "$host" <<'PY'
 import json
 import os
 import sys
 from urllib.parse import urlparse
 login_name, host = sys.argv[1], sys.argv[2]
 try:
    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
 except Exception:
    raise SystemExit(1)
 for login in logins if isinstance(logins, list) else []:
    url = str(login.get("url") or login.get("URL") or "")
    name = str(login.get("name") or login.get("Name") or "")
    parsed = urlparse(url)
    if name == login_name and parsed.hostname == host:
        raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 get_gitea_login_for_host() {
    local host="${1:-}"
    local login
    if [[ -z "$host" ]]; then
        host=$(get_remote_host) || return 1
    fi
    if [[ -n "${GITEA_LOGIN:-}" ]]; then
        if tea_login_matches_host "$GITEA_LOGIN" "$host"; then
            echo "$GITEA_LOGIN"
            return 0
        fi
    fi
    login=$(find_tea_login_for_host "$host" || true)
    if [[ -n "$login" ]]; then
        echo "$login"
        return 0
    fi
    return 1
 }
 get_default_tea_login() {
    local logins_json
    command -v tea >/dev/null 2>&1 || return 1
    logins_json=$(tea login list --output json 2>/dev/null) || return 1
    TEA_LOGINS_JSON="$logins_json" python3 - <<'PY'
 import json
 import os
 try:
    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
 except Exception:
    raise SystemExit(1)
 if not isinstance(logins, list) or not logins:
    raise SystemExit(1)
 for login in logins:
    if not isinstance(login, dict):
        continue
    is_default = str(login.get("default") or login.get("Default") or "").lower()
    name = str(login.get("name") or login.get("Name") or "")
    if name and is_default == "true":
        print(name)
        raise SystemExit(0)
 for login in logins:
    if not isinstance(login, dict):
        continue
    name = str(login.get("name") or login.get("Name") or "")
    if name:
        print(name)
        raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 get_gitea_login_for_repo_override() {
    local login
    if [[ -n "${GITEA_LOGIN:-}" ]]; then
        echo "$GITEA_LOGIN"
        return 0
    fi
    login=$(get_default_tea_login || true)
    if [[ -n "$login" ]]; then
        echo "$login"
        return 0
    fi
    return 1
 }
 get_host_from_url() {
    local url="${1:-}"
    [[ -n "$url" ]] || return 1
    python3 - "$url" <<'PY'
 import sys
 from urllib.parse import urlparse
 parsed = urlparse(sys.argv[1])
 if parsed.hostname:
    print(parsed.hostname)
    raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 get_gitea_api_host_for_repo_override() {
    if [[ -n "${GITEA_HOST:-}" ]]; then
        echo "$GITEA_HOST"
        return 0
    fi
    get_host_from_url "${GITEA_URL:-}"
 }
 get_gitea_repo_args() {
-    local repo host login
+    local repo
    repo=$(get_repo_slug) || return 1
-    host=$(get_remote_host) || return 1
+    printf -- '--repo %q --login %q' "$repo" "${GITEA_LOGIN:-mosaicstack}"
    login=$(get_gitea_login_for_host "$host") || return 1
    printf -- '--repo %q --login %q' "$repo" "$login"
 }
 get_gitea_login() {
    get_gitea_login_for_host "$(get_remote_host)"
 }
 get_remote_host() {
@@ -292,8 +91,7 @@ get_remote_host() {
        return 1
    fi
    if [[ "$remote_url" =~ ^https?://([^/]+)/ ]]; then
-        local host="${BASH_REMATCH[1]}"
+        echo "${BASH_REMATCH[1]}"
        echo "${host##*@}"
        return 0
    fi
    if [[ "$remote_url" =~ ^git@([^:]+): ]]; then
--- a/packages/mosaic/framework/tools/git/issue-assign.ps1
+++ b/packages/mosaic/framework/tools/git/issue-assign.ps1
@@ -75,11 +75,6 @@ switch ($platform) {
        Write-Host "Issue #$Issue updated successfully"
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $needsEdit = $false
        $cmd = @("tea", "issue", "edit", $Issue)
@@ -92,7 +87,7 @@ switch ($platform) {
            $needsEdit = $true
        }
        if ($Milestone) {
-            $milestoneList = tea milestones list @repoArgs 2>$null
+            $milestoneList = tea milestones list 2>$null
            $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
            if ($milestoneId) {
                $cmd += @("--milestone", $milestoneId)
@@ -103,7 +98,6 @@ switch ($platform) {
        }
        if ($needsEdit) {
            $cmd += $repoArgs
            & $cmd[0] $cmd[1..($cmd.Length-1)]
            Write-Host "Issue #$Issue updated successfully"
        } else {
--- a/packages/mosaic/framework/tools/git/issue-assign.sh
+++ b/packages/mosaic/framework/tools/git/issue-assign.sh
@@ -98,11 +98,7 @@ case "$PLATFORM" in
        ;;
    gitea)
        # tea issue edit syntax
-        REPO_ARGS=$(get_gitea_repo_args) || {
+        CMD="tea issue edit $ISSUE"
            echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
            exit 1
        }
        CMD="tea issue edit $ISSUE $REPO_ARGS"
        NEEDS_EDIT=false
        if [[ -n "$ASSIGNEE" ]]; then
@@ -116,7 +112,7 @@ case "$PLATFORM" in
            NEEDS_EDIT=true
        fi
        if [[ -n "$MILESTONE" ]]; then
-            MILESTONE_ID=$(tea milestones list $REPO_ARGS 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
+            MILESTONE_ID=$(tea milestones list 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
            if [[ -n "$MILESTONE_ID" ]]; then
                CMD="$CMD --milestone $MILESTONE_ID"
                NEEDS_EDIT=true
--- a/packages/mosaic/framework/tools/git/issue-close.sh
+++ b/packages/mosaic/framework/tools/git/issue-close.sh
@@ -44,43 +44,10 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
 fi
 # Detect platform and close issue
-detect_platform >/dev/null
+detect_platform
 OWNER=$(get_repo_owner)
 REPO=$(get_repo_name)
 gitea_issue_comment_api() {
    local host token url payload
    host=$(get_remote_host) || return 1
    token=$(get_gitea_token "$host") || return 1
    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
    payload=$(COMMENT="$COMMENT" python3 - <<'PY'
 import json
 import os
 print(json.dumps({"body": os.environ["COMMENT"]}))
 PY
 )
    curl -fsS -X POST \
        -H "User-Agent: curl/8" \
        -H "Authorization: token ${token}" \
        -H "Content-Type: application/json" \
        -d "$payload" \
        "$url" >/dev/null
 }
 gitea_issue_close_api() {
    local host token url
    host=$(get_remote_host) || return 1
    token=$(get_gitea_token "$host") || return 1
    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
    curl -fsS -X PATCH \
        -H "User-Agent: curl/8" \
        -H "Authorization: token ${token}" \
        -H "Content-Type: application/json" \
        -d '{"state":"closed"}' \
        "$url" >/dev/null
 }
 if [[ "$PLATFORM" == "github" ]]; then
    if [[ -n "$COMMENT" ]]; then
        gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
@@ -88,19 +55,10 @@ if [[ "$PLATFORM" == "github" ]]; then
    gh issue close "$ISSUE_NUMBER"
    echo "Closed GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
    GITEA_LOGIN_NAME=$(get_gitea_login || true)
    if [[ -n "$GITEA_LOGIN_NAME" ]]; then
    if [[ -n "$COMMENT" ]]; then
-            tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
+        tea issue comment "$ISSUE_NUMBER" "$COMMENT" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
        fi
        tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "$GITEA_LOGIN_NAME"
    else
        echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
        if [[ -n "$COMMENT" ]]; then
            gitea_issue_comment_api
        fi
        gitea_issue_close_api
    fi
    tea issue close "$ISSUE_NUMBER" --repo "$OWNER/$REPO" --login "${GITEA_LOGIN:-mosaicstack}"
    echo "Closed Gitea issue #$ISSUE_NUMBER"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/issue-comment.sh
+++ b/packages/mosaic/framework/tools/git/issue-comment.sh
@@ -47,7 +47,7 @@ if [[ -z "$COMMENT" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
--- a/packages/mosaic/framework/tools/git/issue-create.ps1
+++ b/packages/mosaic/framework/tools/git/issue-create.ps1
@@ -58,17 +58,12 @@ switch ($platform) {
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $cmd = @("tea", "issue", "create", "--title", $Title)
        if ($Body) { $cmd += @("--description", $Body) }
        if ($Labels) { $cmd += @("--labels", $Labels) }
        if ($Milestone) {
            # Try to get milestone ID by name
-            $milestoneList = tea milestones list @repoArgs 2>$null
+            $milestoneList = tea milestones list 2>$null
            $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
            if ($milestoneId) {
                $cmd += @("--milestone", $milestoneId)
@@ -76,7 +71,6 @@ switch ($platform) {
                Write-Warning "Could not find milestone '$Milestone', creating without milestone"
            }
        }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    default {
--- a/packages/mosaic/framework/tools/git/issue-create.sh
+++ b/packages/mosaic/framework/tools/git/issue-create.sh
@@ -48,7 +48,6 @@ PY
    url="https://${host}/api/v1/repos/${repo}/issues"
    curl -fsS -X POST \
      -H "User-Agent: curl/8" \
      -H "Authorization: token ${token}" \
      -H "Content-Type: application/json" \
      -d "$payload" \
@@ -122,12 +121,7 @@ case "$PLATFORM" in
    gitea)
        if command -v tea >/dev/null 2>&1; then
            REPO_SLUG=$(get_repo_slug)
-            GITEA_LOGIN_NAME=$(get_gitea_login) || {
+            REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
                echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
                gitea_issue_create_api
                exit $?
            }
            REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
            CMD=(tea issue create "${REPO_ARGS[@]}" --title "$TITLE")
            [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
            [[ -n "$LABELS" ]] && CMD+=(--labels "$LABELS")
--- a/packages/mosaic/framework/tools/git/issue-edit.sh
+++ b/packages/mosaic/framework/tools/git/issue-edit.sh
@@ -60,7 +60,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    CMD="gh issue edit $ISSUE_NUMBER"
@@ -71,11 +71,7 @@ if [[ "$PLATFORM" == "github" ]]; then
    eval $CMD
    echo "Updated GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    REPO_ARGS=$(get_gitea_repo_args) || {
+    CMD="tea issue edit $ISSUE_NUMBER"
        echo "Error: Could not resolve Gitea repo/login args for remote host" >&2
        exit 1
    }
    CMD="tea issue edit $ISSUE_NUMBER $REPO_ARGS"
    [[ -n "$TITLE" ]] && CMD="$CMD --title \"$TITLE\""
    [[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\""
    [[ -n "$LABELS" ]] && CMD="$CMD --add-labels \"$LABELS\""
--- a/packages/mosaic/framework/tools/git/issue-list.ps1
+++ b/packages/mosaic/framework/tools/git/issue-list.ps1
@@ -63,15 +63,9 @@ switch ($platform) {
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $cmd = @("tea", "issues", "list", "--state", $State, "--limit", $Limit)
        if ($Label) { $cmd += @("--labels", $Label) }
        if ($Milestone) { $cmd += @("--milestones", $Milestone) }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
        if ($Assignee) {
            Write-Warning "Assignee filtering may require manual review for Gitea"
--- a/packages/mosaic/framework/tools/git/issue-list.sh
+++ b/packages/mosaic/framework/tools/git/issue-list.sh
@@ -98,18 +98,7 @@ case "$PLATFORM" in
        "${CMD[@]}"
        ;;
    gitea)
-        if [[ -n "$REPO_OVERRIDE" ]]; then
+        CMD=(tea issues list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
            GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
                echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
                exit 1
            }
        else
            GITEA_LOGIN_NAME=$(get_gitea_login) || {
                echo "Error: Could not resolve Gitea login for remote host" >&2
                exit 1
            }
        fi
        CMD=(tea issues list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
        [[ -n "$LABEL" ]] && CMD+=(--labels "$LABEL")
        [[ -n "$MILESTONE" ]] && CMD+=(--milestones "$MILESTONE")
        # Note: tea may not support assignee filter directly in all versions.
--- a/packages/mosaic/framework/tools/git/issue-reopen.sh
+++ b/packages/mosaic/framework/tools/git/issue-reopen.sh
@@ -42,42 +42,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 OWNER=$(get_repo_owner)
 REPO=$(get_repo_name)
 gitea_issue_comment_api() {
    local host token url payload
    host=$(get_remote_host) || return 1
    token=$(get_gitea_token "$host") || return 1
    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}/comments"
    payload=$(COMMENT="$COMMENT" python3 - <<'PY'
 import json
 import os
 print(json.dumps({"body": os.environ["COMMENT"]}))
 PY
 )
    curl -fsS -X POST \
        -H "User-Agent: curl/8" \
        -H "Authorization: token ${token}" \
        -H "Content-Type: application/json" \
        -d "$payload" \
        "$url" >/dev/null
 }
 gitea_issue_reopen_api() {
    local host token url
    host=$(get_remote_host) || return 1
    token=$(get_gitea_token "$host") || return 1
    url="https://${host}/api/v1/repos/${OWNER}/${REPO}/issues/${ISSUE_NUMBER}"
    curl -fsS -X PATCH \
        -H "User-Agent: curl/8" \
        -H "Authorization: token ${token}" \
        -H "Content-Type: application/json" \
        -d '{"state":"open"}' \
        "$url" >/dev/null
 }
 if [[ "$PLATFORM" == "github" ]]; then
    if [[ -n "$COMMENT" ]]; then
@@ -86,19 +51,10 @@ if [[ "$PLATFORM" == "github" ]]; then
    gh issue reopen "$ISSUE_NUMBER"
    echo "Reopened GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
    REPO_ARGS=$(get_gitea_repo_args || true)
    if [[ -n "$REPO_ARGS" ]]; then
    if [[ -n "$COMMENT" ]]; then
-            tea issue comment "$ISSUE_NUMBER" "$COMMENT" $REPO_ARGS
+        tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
        fi
        tea issue reopen "$ISSUE_NUMBER" $REPO_ARGS
    else
        echo "No tea login configured for $(get_remote_host); using authenticated Gitea API fallback." >&2
        if [[ -n "$COMMENT" ]]; then
            gitea_issue_comment_api
        fi
        gitea_issue_reopen_api
    fi
    tea issue reopen "$ISSUE_NUMBER" $(get_gitea_repo_args)
    echo "Reopened Gitea issue #$ISSUE_NUMBER"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/issue-view.sh
+++ b/packages/mosaic/framework/tools/git/issue-view.sh
@@ -29,9 +29,9 @@ gitea_issue_view_api() {
    url="https://${host}/api/v1/repos/${repo}/issues/${ISSUE_NUMBER}"
    if command -v python3 >/dev/null 2>&1; then
-        curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -m json.tool
+        curl -fsS -H "Authorization: token ${token}" "$url" | python3 -m json.tool
    else
-        curl -fsS -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
+        curl -fsS -H "Authorization: token ${token}" "$url"
    fi
 }
@@ -61,7 +61,7 @@ if [[ -z "$ISSUE_NUMBER" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    gh issue view "$ISSUE_NUMBER"
--- a/packages/mosaic/framework/tools/git/milestone-close.sh
+++ b/packages/mosaic/framework/tools/git/milestone-close.sh
@@ -36,17 +36,13 @@ if [[ -z "$TITLE" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    gh api -X PATCH "/repos/{owner}/{repo}/milestones/$(gh api "/repos/{owner}/{repo}/milestones" --jq ".[] | select(.title==\"$TITLE\") | .number")" -f state=closed
    echo "Closed GitHub milestone: $TITLE"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    REPO_ARGS=$(get_gitea_repo_args) || {
+    tea milestone close "$TITLE"
        echo "Error: Could not resolve Gitea repo/login for remote host" >&2
        exit 1
    }
    tea milestone close "$TITLE" $REPO_ARGS
    echo "Closed Gitea milestone: $TITLE"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/milestone-create.ps1
+++ b/packages/mosaic/framework/tools/git/milestone-create.ps1
@@ -59,12 +59,7 @@ if ($List) {
            gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)`t\(.title)`t\(.state)`t\(.open_issues)/\(.closed_issues) issues"'
        }
        "gitea" {
-            $repoArgs = @(Get-GiteaRepoArgs)
+            tea milestones list
            if ($repoArgs.Length -eq 0) {
                Write-Error "Could not resolve Gitea repo/login for remote host"
                exit 1
            }
            tea milestones list @repoArgs
        }
        default {
            Write-Error "Could not detect git platform"
@@ -90,15 +85,9 @@ switch ($platform) {
        Write-Host "Milestone '$Title' created successfully"
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $cmd = @("tea", "milestones", "create", "--title", $Title)
        if ($Description) { $cmd += @("--description", $Description) }
        if ($Due) { $cmd += @("--deadline", $Due) }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
        Write-Host "Milestone '$Title' created successfully"
    }
--- a/packages/mosaic/framework/tools/git/milestone-create.sh
+++ b/packages/mosaic/framework/tools/git/milestone-create.sh
@@ -77,11 +77,7 @@ if [[ "$LIST_ONLY" == true ]]; then
            gh api repos/:owner/:repo/milestones --jq '.[] | "\(.number)\t\(.title)\t\(.state)\t\(.open_issues)/\(.closed_issues) issues"'
            ;;
        gitea)
-            REPO_ARGS=$(get_gitea_repo_args) || {
+            tea milestones list
                echo "Error: Could not resolve Gitea repo/login for remote host" >&2
                exit 1
            }
            tea milestones list $REPO_ARGS
            ;;
        *)
            echo "Error: Could not detect git platform" >&2
@@ -108,14 +104,10 @@ case "$PLATFORM" in
        echo "Milestone '$TITLE' created successfully"
        ;;
    gitea)
-        REPO_ARGS=$(get_gitea_repo_args) || {
+        CMD="tea milestones create --title \"$TITLE\""
-            echo "Error: Could not resolve Gitea repo/login for remote host" >&2
+        [[ -n "$DESCRIPTION" ]] && CMD="$CMD --description \"$DESCRIPTION\""
-            exit 1
+        [[ -n "$DUE_DATE" ]] && CMD="$CMD --deadline \"$DUE_DATE\""
-        }
+        eval "$CMD"
        CMD=(tea milestones create --title "$TITLE")
        [[ -n "$DESCRIPTION" ]] && CMD+=(--description "$DESCRIPTION")
        [[ -n "$DUE_DATE" ]] && CMD+=(--deadline "$DUE_DATE")
        "${CMD[@]}" $REPO_ARGS
        echo "Milestone '$TITLE' created successfully"
        ;;
    *)
--- a/packages/mosaic/framework/tools/git/milestone-list.sh
+++ b/packages/mosaic/framework/tools/git/milestone-list.sh
@@ -31,16 +31,12 @@ while [[ $# -gt 0 ]]; do
    esac
 done
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    gh api "/repos/{owner}/{repo}/milestones?state=$STATE" --jq '.[] | "\(.title) (\(.state)) - \(.open_issues) open, \(.closed_issues) closed"'
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    REPO_ARGS=$(get_gitea_repo_args) || {
+    tea milestone list
        echo "Error: Could not resolve Gitea repo/login for remote host" >&2
        exit 1
    }
    tea milestone list $REPO_ARGS
 else
    echo "Error: Unknown platform"
    exit 1
--- a/packages/mosaic/framework/tools/git/pr-ci-wait.sh
+++ b/packages/mosaic/framework/tools/git/pr-ci-wait.sh
@@ -11,7 +11,6 @@ PR_NUMBER=""
 TIMEOUT_SEC=1800
 INTERVAL_SEC=15
 REPO_OVERRIDE=""
 HOST_OVERRIDE=""
 usage() {
    cat <<EOF
@@ -20,7 +19,6 @@ Usage: $(basename "$0") -n <pr_number> [-t timeout_sec] [-i interval_sec]
 Options:
  -n, --number NUMBER      PR number (required)
  -r, --repo OWNER/REPO    Repository slug (default: infer from git origin)
      --host HOST          Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)
  -t, --timeout SECONDS    Max wait time in seconds (default: 1800)
  -i, --interval SECONDS   Poll interval in seconds (default: 15)
  -h, --help               Show this help
@@ -126,7 +124,7 @@ gitea_get_pr_head_sha() {
    local repo="$2"
    local token="$3"
    local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
-    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 print((data.get("head") or {}).get("sha", ""))
@@ -139,7 +137,7 @@ gitea_get_commit_status_json() {
    local token="$3"
    local sha="$4"
    local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "Authorization: token ${token}" "$url"
 }
 while [[ $# -gt 0 ]]; do
@@ -152,10 +150,6 @@ while [[ $# -gt 0 ]]; do
            REPO_OVERRIDE="$2"
            shift 2
            ;;
        --host)
            HOST_OVERRIDE="$2"
            shift 2
            ;;
        -t|--timeout)
            TIMEOUT_SEC="$2"
            shift 2
@@ -217,19 +211,7 @@ if [[ "$PLATFORM" == "github" ]]; then
    fi
    echo "[pr-ci-wait] Platform=github PR=#${PR_NUMBER} head_sha=${HEAD_SHA}"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    if [[ -n "$HOST_OVERRIDE" ]]; then
+    HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
        HOST="$HOST_OVERRIDE"
    elif [[ -n "$REPO_OVERRIDE" ]]; then
        HOST=$(get_gitea_api_host_for_repo_override) || {
            echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
            exit 1
        }
    else
        HOST=$(get_remote_host) || {
            echo "Error: Could not determine Gitea host from git origin." >&2
            exit 1
        }
    fi
    TOKEN=$(get_gitea_token "$HOST") || {
        echo "Error: Gitea token not found. Set GITEA_TOKEN or configure ~/.git-credentials." >&2
        exit 1
--- a/packages/mosaic/framework/tools/git/pr-close.sh
+++ b/packages/mosaic/framework/tools/git/pr-close.sh
@@ -42,7 +42,7 @@ if [[ -z "$PR_NUMBER" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    if [[ -n "$COMMENT" ]]; then
--- a/packages/mosaic/framework/tools/git/pr-create.ps1
+++ b/packages/mosaic/framework/tools/git/pr-create.ps1
@@ -9,6 +9,7 @@ param(
    [Alias("b")]
    [string]$Body,
    [Alias("B")]
    [string]$Base,
    [Alias("H")]
@@ -100,11 +101,6 @@ switch ($platform) {
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $cmd = @("tea", "pr", "create", "--title", $Title)
        if ($Body) { $cmd += @("--description", $Body) }
        if ($Base) { $cmd += @("--base", $Base) }
@@ -112,7 +108,7 @@ switch ($platform) {
        if ($Labels) { $cmd += @("--labels", $Labels) }
        if ($Milestone) {
-            $milestoneList = tea milestones list @repoArgs 2>$null
+            $milestoneList = tea milestones list 2>$null
            $milestoneId = ($milestoneList | Select-String "^\s*(\d+).*$Milestone" | ForEach-Object { $_.Matches.Groups[1].Value } | Select-Object -First 1)
            if ($milestoneId) {
                $cmd += @("--milestone", $milestoneId)
@@ -125,7 +121,6 @@ switch ($platform) {
            Write-Warning "Draft PR may not be supported by your tea version"
        }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    default {
--- a/packages/mosaic/framework/tools/git/pr-create.sh
+++ b/packages/mosaic/framework/tools/git/pr-create.sh
@@ -56,7 +56,6 @@ PY
    url="https://${host}/api/v1/repos/${repo}/pulls"
    curl -fsS -X POST \
      -H "User-Agent: curl/8" \
      -H "Authorization: token ${token}" \
      -H "Content-Type: application/json" \
      -d "$payload" \
@@ -178,12 +177,7 @@ case "$PLATFORM" in
        # is unreliable in Mosaic worktrees/profile shells. Use arrays instead
        # of eval so markdown backticks/body content are not shell-executed.
        REPO_SLUG=$(get_repo_slug)
-        GITEA_LOGIN_NAME=$(get_gitea_login) || {
+        REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
            echo "Warning: could not resolve Gitea login for tea; trying Gitea API fallback..." >&2
            gitea_pr_create_api
            exit $?
        }
        REPO_ARGS=(--repo "$REPO_SLUG" --login "$GITEA_LOGIN_NAME")
        CMD=(tea pr create "${REPO_ARGS[@]}" --title "$TITLE")
        [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
        [[ -n "$BASE_BRANCH" ]] && CMD+=(--base "$BASE_BRANCH")
--- a/packages/mosaic/framework/tools/git/pr-diff.sh
+++ b/packages/mosaic/framework/tools/git/pr-diff.sh
@@ -11,7 +11,6 @@ source "$SCRIPT_DIR/detect-platform.sh"
 PR_NUMBER=""
 OUTPUT_FILE=""
 REPO_OVERRIDE=""
 HOST_OVERRIDE=""
 while [[ $# -gt 0 ]]; do
    case $1 in
@@ -27,17 +26,12 @@ while [[ $# -gt 0 ]]; do
            REPO_OVERRIDE="$2"
            shift 2
            ;;
        --host)
            HOST_OVERRIDE="$2"
            shift 2
            ;;
        -h|--help)
-            echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [--host host] [-o <output_file>]"
+            echo "Usage: pr-diff.sh -n <pr_number> [-r owner/repo] [-o <output_file>]"
            echo ""
            echo "Options:"
            echo "  -n, --number   PR number (required)"
            echo "  -r, --repo     Repository slug (default: infer from git origin)"
            echo "      --host     Gitea host for --repo API calls (or set GITEA_HOST/GITEA_URL)"
            echo "  -o, --output   Output file (optional, prints to stdout if omitted)"
            echo "  -h, --help     Show this help"
            exit 0
@@ -75,28 +69,16 @@ if [[ "$PLATFORM" == "github" ]]; then
    fi
 elif [[ "$PLATFORM" == "gitea" ]]; then
    # tea doesn't have a direct diff command — use the API
-    if [[ -n "$HOST_OVERRIDE" ]]; then
+    HOST=$(get_remote_host 2>/dev/null || echo "git.mosaicstack.dev")
        HOST="$HOST_OVERRIDE"
    elif [[ -n "$REPO_OVERRIDE" ]]; then
        HOST=$(get_gitea_api_host_for_repo_override) || {
            echo "Error: Gitea host is required with --repo. Pass --host or set GITEA_HOST/GITEA_URL." >&2
            exit 1
        }
    else
        HOST=$(get_remote_host) || {
            echo "Error: Could not determine Gitea host from git origin." >&2
            exit 1
        }
    fi
    DIFF_URL="https://${HOST}/api/v1/repos/${REPO_INFO}/pulls/${PR_NUMBER}.diff"
    GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
    if [[ -n "$GITEA_API_TOKEN" ]]; then
-        DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
+        DIFF_CONTENT=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$DIFF_URL")
    else
-        DIFF_CONTENT=$(curl -sS -H "User-Agent: curl/8" "$DIFF_URL")
+        DIFF_CONTENT=$(curl -sS "$DIFF_URL")
    fi
    if [[ -n "$OUTPUT_FILE" ]]; then
--- a/packages/mosaic/framework/tools/git/pr-list.ps1
+++ b/packages/mosaic/framework/tools/git/pr-list.ps1
@@ -58,11 +58,6 @@ switch ($platform) {
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        $cmd = @("tea", "pr", "list", "--state", $State, "--limit", $Limit)
        if ($Label) {
@@ -72,7 +67,6 @@ switch ($platform) {
            Write-Warning "Author filtering may require manual review for Gitea"
        }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    default {
--- a/packages/mosaic/framework/tools/git/pr-list.sh
+++ b/packages/mosaic/framework/tools/git/pr-list.sh
@@ -93,18 +93,7 @@ case "$PLATFORM" in
        "${CMD[@]}"
        ;;
    gitea)
-        if [[ -n "$REPO_OVERRIDE" ]]; then
+        CMD=(tea pr list --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}" --state "$STATE" --limit "$LIMIT")
            GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
                echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
                exit 1
            }
        else
            GITEA_LOGIN_NAME=$(get_gitea_login) || {
                echo "Error: Could not resolve Gitea login for remote host" >&2
                exit 1
            }
        fi
        CMD=(tea pr list --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME" --state "$STATE" --limit "$LIMIT")
        # tea filtering may be limited
        if [[ -n "$LABEL" ]]; then
--- a/packages/mosaic/framework/tools/git/pr-merge.ps1
+++ b/packages/mosaic/framework/tools/git/pr-merge.ps1
@@ -74,11 +74,6 @@ switch ($platform) {
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    "gitea" {
        $repoArgs = @(Get-GiteaRepoArgs)
        if ($repoArgs.Length -eq 0) {
            Write-Error "Could not resolve Gitea repo/login for remote host"
            exit 1
        }
        if (-not $SkipQueueGuard) {
            $timeout = if ($env:MOSAIC_CI_QUEUE_TIMEOUT_SEC) { [int]$env:MOSAIC_CI_QUEUE_TIMEOUT_SEC } else { 900 }
            $interval = if ($env:MOSAIC_CI_QUEUE_POLL_SEC) { [int]$env:MOSAIC_CI_QUEUE_POLL_SEC } else { 15 }
@@ -92,7 +87,6 @@ switch ($platform) {
            Write-Warning "Branch deletion after merge may need to be done separately with tea"
        }
        $cmd += $repoArgs
        & $cmd[0] $cmd[1..($cmd.Length-1)]
    }
    default {
--- a/packages/mosaic/framework/tools/git/pr-merge.sh
+++ b/packages/mosaic/framework/tools/git/pr-merge.sh
@@ -106,6 +106,34 @@ PLATFORM=$(detect_platform)
 OWNER=$(get_repo_owner)
 REPO=$(get_repo_name)
 find_tea_login_for_host() {
    local host="$1"
    local logins_json
    command -v tea >/dev/null 2>&1 || return 1
    logins_json=$(tea login list --output json 2>/dev/null) || return 1
    TEA_LOGINS_JSON="$logins_json" python3 - "$host" <<'PY'
 import json
 import os
 import sys
 host = sys.argv[1]
 try:
    logins = json.loads(os.environ.get("TEA_LOGINS_JSON", "[]"))
 except Exception:
    raise SystemExit(1)
 for login in logins if isinstance(logins, list) else []:
    url = str(login.get("url") or login.get("URL") or "")
    name = str(login.get("name") or login.get("Name") or "")
    if url.rstrip("/").endswith(host) and name:
        print(name)
        raise SystemExit(0)
 raise SystemExit(1)
 PY
 }
 is_known_tea_empty_identity_failure() {
    local error_file="$1"
@@ -136,7 +164,6 @@ merge_gitea_with_api() {
    if [[ -n "$token" ]]; then
        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
            -X POST \
            -H "User-Agent: curl/8" \
            -H "Authorization: token $token" \
            -H 'Content-Type: application/json' \
            -d "$payload" \
@@ -152,7 +179,6 @@ merge_gitea_with_api() {
        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" \
            -X POST \
            -u "$basic_auth" \
            -H "User-Agent: curl/8" \
            -H 'Content-Type: application/json' \
            -d "$payload" \
            "$api_url" || true)
@@ -188,7 +214,7 @@ if [[ "$DRY_RUN" == true ]]; then
            echo "Error: Cannot determine host from origin remote URL" >&2
            exit 1
        }
-        TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
+        TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
        if [[ -n "$TEA_LOGIN" ]]; then
            echo "Dry run: would merge PR #$PR_NUMBER on $HOST with tea login '$TEA_LOGIN' (base=$BASE_BRANCH, method=squash)."
        else
@@ -211,7 +237,7 @@ case "$PLATFORM" in
            echo "Error: Cannot determine host from origin remote URL" >&2
            exit 1
        }
-        TEA_LOGIN="$(get_gitea_login_for_host "$HOST" || true)"
+        TEA_LOGIN="${GITEA_LOGIN:-$(find_tea_login_for_host "$HOST" || true)}"
        if [[ -n "$TEA_LOGIN" ]]; then
            mkdir -p "${AGENT_WORK_ROOT:-/home/hermes/agent-work}"
--- a/packages/mosaic/framework/tools/git/pr-metadata.sh
+++ b/packages/mosaic/framework/tools/git/pr-metadata.sh
@@ -59,7 +59,7 @@ curl_gitea_pull() {
    token=$(get_gitea_token "$HOST" || true)
    if [[ -n "$token" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" -H "Authorization: token $token" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "Authorization: token $token" "$api_url" || true)
        if [[ "$raw_code" =~ ^2 ]]; then
            cat "$body_file"
            rm -f "$body_file"
@@ -70,7 +70,7 @@ curl_gitea_pull() {
    basic_auth=$(get_gitea_basic_auth "$HOST" || true)
    if [[ -n "$basic_auth" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" -H "User-Agent: curl/8" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" "$api_url" || true)
        if [[ "$raw_code" =~ ^2 ]]; then
            cat "$body_file"
            rm -f "$body_file"
@@ -80,7 +80,7 @@ curl_gitea_pull() {
    fi
    if [[ -z "${http_code:-}" ]]; then
-        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" "$api_url" || true)
+        raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" "$api_url" || true)
        http_code="$raw_code"
    fi
--- a/packages/mosaic/framework/tools/git/pr-review.sh
+++ b/packages/mosaic/framework/tools/git/pr-review.sh
@@ -53,7 +53,7 @@ if [[ -z "$ACTION" ]]; then
    exit 1
 fi
-detect_platform >/dev/null
+detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    case $ACTION in
--- a/packages/mosaic/framework/tools/git/pr-view.sh
+++ b/packages/mosaic/framework/tools/git/pr-view.sh
@@ -58,18 +58,7 @@ fi
 if [[ "$PLATFORM" == "github" ]]; then
    gh pr view "$PR_NUMBER" --repo "$REPO_INFO"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    if [[ -n "$REPO_OVERRIDE" ]]; then
+    tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "${GITEA_LOGIN:-mosaicstack}"
        GITEA_LOGIN_NAME=$(get_gitea_login_for_repo_override) || {
            echo "Error: Could not resolve Gitea login for --repo override. Set GITEA_LOGIN or configure a default tea login." >&2
            exit 1
        }
    else
        GITEA_LOGIN_NAME=$(get_gitea_login) || {
            echo "Error: Could not resolve Gitea login for remote host" >&2
            exit 1
        }
    fi
    tea pr "$PR_NUMBER" --repo "$REPO_INFO" --login "$GITEA_LOGIN_NAME"
 else
    echo "Error: Unknown platform"
    exit 1
--- a/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
+++ b/packages/mosaic/framework/tools/git/test-gitea-login-resolution.sh
@@ -1,233 +0,0 @@
 #!/usr/bin/env bash
 # Regression harness for host-specific Gitea tea login resolution.
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 WORK_DIR="${MOSAIC_TEST_WORK_DIR:-$PWD/.mosaic-test-work/gitea-login-resolution}"
 REPO_DIR="$WORK_DIR/repo"
 BIN_DIR="$WORK_DIR/bin"
 LOG_FILE="$WORK_DIR/calls.log"
 CREDENTIALS_FILE="$WORK_DIR/credentials.json"
 rm -rf "$WORK_DIR"
 mkdir -p "$REPO_DIR" "$BIN_DIR"
 git -C "$REPO_DIR" init -q
 git -C "$REPO_DIR" remote add origin https://git.uscllc.com/USC/uconnect.git
 cat > "$CREDENTIALS_FILE" <<'JSON'
 {
  "gitea": {
    "mosaicstack": {
      "url": "https://git.mosaicstack.dev",
      "token": "mosaic-token"
    },
    "usc": {
      "url": "https://git.uscllc.com",
      "token": "usc-token"
    }
  }
 }
 JSON
 cat > "$BIN_DIR/tea" <<'SH'
 #!/usr/bin/env bash
 set -euo pipefail
 if [[ "$*" == "login list --output json" ]]; then
    cat <<'JSON'
 [
  {"name":"evil-usc","url":"https://evilgit.uscllc.com","user":"bad.actor"},
  {"name":"usc","url":"https://git.uscllc.com","user":"jason.woltje"}
 ]
 JSON
    exit 0
 fi
 printf 'tea %s\n' "$*" >> "$MOSAIC_TEST_LOG"
 if [[ "${MOSAIC_TEA_FAIL_PR_CREATE:-}" == "1" && "$*" == pr\ create* ]]; then
    echo 'GetUserByName: simulated stale login failure' >&2
    exit 1
 fi
 exit 0
 SH
 cat > "$BIN_DIR/curl" <<'SH'
 #!/usr/bin/env bash
 set -euo pipefail
 printf 'curl %s\n' "$*" >> "$MOSAIC_TEST_LOG"
 url="${*: -1}"
 case "$url" in
    */pulls/*.diff)
        printf 'diff --git a/file b/file\n'
        ;;
    */pulls/*)
        printf '{"head":{"sha":"abc123"}}'
        ;;
    */commits/*/status)
        printf '{"state":"success","statuses":[{"context":"ci/mock","status":"success"}]}'
        ;;
    *)
        printf '{}'
        ;;
 esac
 SH
 chmod +x "$BIN_DIR/tea" "$BIN_DIR/curl"
 run_in_repo() {
    (
        cd "$REPO_DIR"
        PATH="$BIN_DIR:$PATH" \
        MOSAIC_CREDENTIALS_FILE="$CREDENTIALS_FILE" \
        MOSAIC_TEST_LOG="$LOG_FILE" \
        "$@"
    )
 }
 usc_login=$(run_in_repo bash -c '
    export GITEA_LOGIN=mosaicstack
    export GITEA_URL=https://git.mosaicstack.dev
    source "'"$SCRIPT_DIR"'/detect-platform.sh"
    get_gitea_login
 ')
 if [[ "$usc_login" != "usc" ]]; then
    echo "Expected USC host to resolve tea login 'usc' despite stale mosaicstack env; got '$usc_login'" >&2
    exit 1
 fi
 usc_login_with_usc_url=$(run_in_repo bash -c '
    export GITEA_LOGIN=mosaicstack
    export GITEA_URL=https://git.uscllc.com
    source "'"$SCRIPT_DIR"'/detect-platform.sh"
    get_gitea_login
 ')
 if [[ "$usc_login_with_usc_url" != "usc" ]]; then
    echo "Expected USC host to reject stale GITEA_LOGIN even when GITEA_URL matches USC; got '$usc_login_with_usc_url'" >&2
    exit 1
 fi
 usc_login_without_url=$(run_in_repo bash -c '
    export GITEA_LOGIN=mosaicstack
    unset GITEA_URL
    source "'"$SCRIPT_DIR"'/detect-platform.sh"
    get_gitea_login
 ')
 if [[ "$usc_login_without_url" != "usc" ]]; then
    echo "Expected USC host to ignore unmatched GITEA_LOGIN without URL; got '$usc_login_without_url'" >&2
    exit 1
 fi
 git -C "$REPO_DIR" remote set-url origin https://hermes:token@git.uscllc.com/USC/uconnect.git
 embedded_host=$(run_in_repo bash -c '
    source "'"$SCRIPT_DIR"'/detect-platform.sh"
    get_remote_host
 ')
 if [[ "$embedded_host" != "git.uscllc.com" ]]; then
    echo "Expected credential-bearing remote host to strip userinfo; got '$embedded_host'" >&2
    exit 1
 fi
 git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
 override_login=$(run_in_repo bash -c '
    export GITEA_LOGIN=usc
    source "'"$SCRIPT_DIR"'/detect-platform.sh"
    get_gitea_login_for_repo_override
 ')
 if [[ "$override_login" != "usc" ]]; then
    echo "Expected --repo override path to honor explicit GITEA_LOGIN; got '$override_login'" >&2
    exit 1
 fi
 git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
 : > "$LOG_FILE"
 run_in_repo env GITEA_LOGIN=usc "$SCRIPT_DIR/issue-list.sh" --repo USC/uconnect -n 1
 grep -q -- 'tea issues list --repo USC/uconnect --login usc' "$LOG_FILE"
 git -C "$REPO_DIR" remote set-url origin https://git.uscllc.com/USC/uconnect.git
 : > "$LOG_FILE"
 run_in_repo "$SCRIPT_DIR/issue-close.sh" -i 42
 grep -q -- 'tea issue close 42 --repo USC/uconnect --login usc' "$LOG_FILE"
 if grep -q -- '--login mosaicstack' "$LOG_FILE"; then
    echo "issue-close.sh used hardcoded mosaicstack login on USC host" >&2
    exit 1
 fi
 : > "$LOG_FILE"
 run_in_repo "$SCRIPT_DIR/milestone-list.sh"
 grep -q -- 'tea milestone list --repo USC/uconnect --login usc' "$LOG_FILE"
 : > "$LOG_FILE"
 run_in_repo "$SCRIPT_DIR/milestone-create.sh" -t "0.2.0" -d "USC milestone"
 grep -q -- 'tea milestones create --title 0.2.0 --description USC milestone --repo USC/uconnect --login usc' "$LOG_FILE"
 : > "$LOG_FILE"
 run_in_repo "$SCRIPT_DIR/milestone-close.sh" -t "0.2.0"
 grep -q -- 'tea milestone close 0.2.0 --repo USC/uconnect --login usc' "$LOG_FILE"
 if command -v pwsh >/dev/null 2>&1; then
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-list.ps1" -Limit 1
    grep -q -- 'tea issues list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/issue-create.ps1" -Title "PowerShell issue"
    grep -q -- 'tea issue create --title PowerShell issue --repo USC/uconnect --login usc' "$LOG_FILE"
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-list.ps1" -Limit 1
    grep -q -- 'tea pr list --state open --limit 1 --repo USC/uconnect --login usc' "$LOG_FILE"
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-create.ps1" -Title "PowerShell PR"
    grep -q -- 'tea pr create --title PowerShell PR --head master --repo USC/uconnect --login usc' "$LOG_FILE"
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/pr-merge.ps1" -Number 42 -SkipQueueGuard
    grep -q -- 'tea pr merge 42 --style squash --repo USC/uconnect --login usc' "$LOG_FILE"
    : > "$LOG_FILE"
    run_in_repo pwsh -NoProfile -File "$SCRIPT_DIR/milestone-create.ps1" -List
    grep -q -- 'tea milestones list --repo USC/uconnect --login usc' "$LOG_FILE"
 fi
 : > "$LOG_FILE"
 if run_in_repo "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null 2>&1; then
    echo "Expected pr-diff.sh --repo without host to fail loud" >&2
    exit 1
 fi
 if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect' "$LOG_FILE"; then
    echo "pr-diff.sh --repo defaulted API host to git.mosaicstack.dev" >&2
    exit 1
 fi
 : > "$LOG_FILE"
 run_in_repo env GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-diff.sh" --repo USC/uconnect -n 7 >/dev/null
 grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/7.diff' "$LOG_FILE"
 : > "$LOG_FILE"
 run_in_repo "$SCRIPT_DIR/pr-ci-wait.sh" --repo USC/uconnect --host git.uscllc.com -n 9 -t 2 -i 1
 grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls/9' "$LOG_FILE"
 grep -q -- 'curl .*https://git.uscllc.com/api/v1/repos/USC/uconnect/commits/abc123/status' "$LOG_FILE"
 : > "$LOG_FILE"
 run_in_repo env MOSAIC_TEA_FAIL_PR_CREATE=1 GITEA_TOKEN=usc-token GITEA_URL=https://git.uscllc.com "$SCRIPT_DIR/pr-create.sh" -t "USC API fallback" -H feature/pr-create
 grep -q -- 'tea pr create --repo USC/uconnect --login usc --title USC API fallback --head feature/pr-create' "$LOG_FILE"
 grep -q -- 'curl .*Authorization: token usc-token .*https://git.uscllc.com/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"
 if grep -q -- 'git.mosaicstack.dev/api/v1/repos/USC/uconnect/pulls' "$LOG_FILE"; then
    echo "pr-create.sh API fallback defaulted USC repo to git.mosaicstack.dev" >&2
    exit 1
 fi
 git -C "$REPO_DIR" remote set-url origin https://git.mosaicstack.dev/mosaicstack/stack.git
 : > "$LOG_FILE"
 run_in_repo env GITEA_TOKEN=mosaic-token GITEA_URL=https://git.mosaicstack.dev "$SCRIPT_DIR/issue-close.sh" -i 536
 grep -q -- 'curl .*https://git.mosaicstack.dev/api/v1/repos/mosaicstack/stack/issues/536' "$LOG_FILE"
 if grep -q -- 'tea issue close 536 .*--login mosaicstack' "$LOG_FILE"; then
    echo "issue-close.sh invented a mosaicstack tea login instead of using API fallback" >&2
    exit 1
 fi
 echo "Gitea login resolution regression harness passed"
--- a/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
+++ b/packages/mosaic/framework/tools/git/test-pr-merge-gitea-empty-uid.sh
@@ -23,10 +23,6 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
 if [[ "$*" == *"login list"* ]]; then
    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
    exit 0
 fi
 if [[ "$*" == *"pr merge"* ]]; then
    echo 'user does not exist [uid: 0, name: ]' >&2
    exit 1
@@ -103,7 +99,6 @@ git remote add origin https://git.mosaicstack.dev/mosaicstack/stack.git
 export PATH="$MOCK_BIN:$PATH"
 export PR_MERGE_TEST_LOG="$LOG_FILE"
 export GITEA_LOGIN="git.mosaicstack.dev"
 export GITEA_URL="https://git.mosaicstack.dev"
 export GITEA_TOKEN="redacted-test-token"
 OUTPUT="$SANDBOX/output.log"
@@ -132,10 +127,6 @@ cat > "$MOCK_BIN/tea" <<'EOF'
 set -euo pipefail
 printf 'tea %q ' "$@" >> "$PR_MERGE_TEST_LOG"
 printf '\n' >> "$PR_MERGE_TEST_LOG"
 if [[ "$*" == *"login list"* ]]; then
    echo '[{"name":"git.mosaicstack.dev","url":"https://git.mosaicstack.dev"}]'
    exit 0
 fi
 if [[ "$*" == *"pr merge"* ]]; then
    echo 'tea network timeout' >&2
    exit 2
--- a/packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
+++ b/packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
@@ -15,8 +15,8 @@ describe('Gitea git wrapper API calls', () => {
    (scriptName) => {
      const script = readGitTool(scriptName);
-      expect(script).not.toMatch(/curl -fsS\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
+      expect(script).not.toContain('curl -fsS -H "Authorization: token');
-      expect(script).toMatch(/curl -fsSL\s+(?:-H "[^"]+"\s+)*-H "Authorization: token/);
+      expect(script).toContain('curl -fsSL -H "Authorization: token');
    },
  );
 });