fix(git): select USC Gitea login for PR merges (#516 )

2026-05-22 09:34:35 -05:00
15 changed files with 241 additions and 112 deletions
--- a/docs/scratchpads/t_3a368a52-gitea-login-selection.md
+++ b/docs/scratchpads/t_3a368a52-gitea-login-selection.md
@@ -0,0 +1,53 @@
+# t_3a368a52 — Gitea login selection for USC repos
+
+## Objective
+
+Fix Mosaic git wrapper behavior so `git.uscllc.com` repositories use the USC Gitea/tea login instead of the Mosaic Stack login during PR merge operations.
+
+## Issue / tracking
+
+- Kanban: `t_3a368a52`
+- Gitea issue: `#516` (`http://git.mosaicstack.dev/mosaicstack/stack/issues/516`)
+- Branch: `fix/t_3a368a52-gitea-usc-login`
+
+## Scope
+
+- In scope: Mosaic framework git wrapper scripts under `packages/mosaic/framework/tools/git/` and matching framework docs.
+- Out of scope: U-Connect source, PR #1905 contents, Authentik settings, smoke credentials, and runtime infrastructure manifests.
+
+## Root cause
+
+`pr-merge.sh` always built the Gitea merge command with `--login ${GITEA_LOGIN:-mosaicstack}`. In a `git.uscllc.com/USC/uconnect` repo with no explicit `GITEA_LOGIN`, this selected the `mosaicstack` tea login even though the remote host requires the `usc` login. While validating `pr-metadata.sh`, I also found that `load_credentials` preserves existing env vars; an ambient `GITEA_TOKEN` for a different account could override host-specific credential loading unless the lookup clears Gitea env vars inside the credential-loader subshell.
+
+## Plan
+
+1. Add regression coverage for host → tea login selection.
+2. Add shared `get_gitea_login(host)` helper in `detect-platform.sh`.
+3. Update `pr-merge.sh` to derive the tea login from the current remote host.
+4. Document the host mapping in framework `TOOLS.md`.
+5. Validate with safe fake-`tea` merge command captures; do not perform a real merge.
+
+## Evidence log
+
+- Reproduced old behavior safely from `/src/uconnect` with fake `tea`: PR #1905 command used `--login mosaicstack` for repo `USC/uconnect`.
+- RED test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` failed because `get_gitea_login` did not exist.
+- RED test extension: same test failed with `expected 'usc-token', got 'ambient-wrong-token'`, proving ambient `GITEA_TOKEN` could override host-specific USC credentials.
+- GREEN test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed after adding host mapping and clearing Gitea env vars in the credential-loader subshell.
+- Syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
+- Metadata validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
+  - PR #1905: `number=1905 state=open base=main head=edith/t_39ce717c-authentik-smoke-gate mergeable=True`.
+  - PR #1869: `number=1869 state=closed base=main head=fix/t_6f492e4a-cert-renewal-malformed-crt mergeable=True`.
+- Safe fake-`tea` merge validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
+  - PR #1905 command captured `pr merge 1905 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
+  - PR #1869 command captured `pr merge 1869 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
+- `ci-queue-wait.sh --purpose merge -B main -t 5 -i 1` from `/src/uconnect` resolved `platform=gitea`, branch `main`, SHA `49f0bce75c242eee19472ed367295658da9e56fc`, state `unknown`, exit 0.
+- Final shell regression: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed, including `pr-merge.sh` fake-`tea` argv capture for USC login selection and a negative metacharacter login override test.
+- Final syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
+- Independent review initially found the changed `pr-merge.sh` path still used string-built `eval`; remediated by switching GitHub/Gitea merge execution to argv arrays, validating numeric PR numbers, and rejecting unsupported characters in explicit `GITEA_LOGIN` overrides.
+- Workspace gates: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` passed after dependency install.
+
+## Current blocker/risk
+
+`ci-queue-wait.sh` still reports `state=unknown` for U-Connect main because the Gitea commit status payload does not classify into success/failure/pending/no-status. This task fixed the wrong tea login selection path; it did not alter CI status semantics.
+
+Full `pnpm test` remains blocked by unrelated gateway database setup in this Kanban workspace: gateway tests fail with `PostgresError: relation "messages" does not exist` (`42P01`) even after starting Postgres/Valkey with Docker Compose. Jaeger also fails to start because host port `16686` is already allocated. The targeted wrapper regression and repo type/lint/format gates pass.
--- a/packages/mosaic/framework/defaults/TOOLS.md
+++ b/packages/mosaic/framework/defaults/TOOLS.md
@@ -9,7 +9,7 @@ All tool suites are located at `~/.config/mosaic/tools/`.

 ### Git Wrappers (Use First)

-Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands.
+Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands. For self-hosted Gitea, the shared credential helper selects API credentials by remote host (`git.mosaicstack.dev` → `gitea-mosaicstack`, `git.uscllc.com` → `gitea-usc`), and the PR merge wrapper selects the matching tea login (`git.mosaicstack.dev` → `mosaicstack`, `git.uscllc.com` → `usc`) unless `GITEA_LOGIN` is explicitly set to a safe tea login override.

 ```bash
 # Issues
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -74,16 +74,6 @@ get_repo_name() {
    echo "${repo_info##*/}"
 }

-get_repo_slug() {
-    get_repo_info
-}
-
-get_gitea_repo_args() {
-    local repo
-    repo=$(get_repo_slug) || return 1
-    printf -- '--repo %q --login %q' "$repo" "${GITEA_LOGIN:-mosaicstack}"
-}
-
 get_remote_host() {
    local remote_url
    remote_url=$(git remote get-url origin 2>/dev/null || true)
@@ -101,6 +91,31 @@ get_remote_host() {
    return 1
 }

+# Resolve the tea login name for the given Gitea host.
+# Priority: explicit caller override → known Mosaic host mapping → no forced login.
+get_gitea_login() {
+    local host="$1"
+
+    if [[ -n "${GITEA_LOGIN:-}" ]]; then
+        echo "$GITEA_LOGIN"
+        return 0
+    fi
+
+    case "$host" in
+        git.mosaicstack.dev)
+            echo "mosaicstack"
+            return 0
+            ;;
+        git.uscllc.com)
+            echo "usc"
+            return 0
+            ;;
+        *)
+            return 1
+            ;;
+    esac
+}
+
 # Resolve a Gitea API token for the given host.
 # Priority: Mosaic credential loader → GITEA_TOKEN env → ~/.git-credentials
 get_gitea_token() {
@@ -114,6 +129,10 @@ get_gitea_token() {
        local token
        token=$(
            source "$cred_loader"
+            # load_credentials preserves pre-existing env vars by design. Clear
+            # Gitea env in this subshell so host-specific credential lookup wins
+            # over an ambient token for a different Gitea instance.
+            unset GITEA_TOKEN GITEA_URL
            case "$host" in
                git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;
--- a/packages/mosaic/framework/tools/git/issue-comment.sh
+++ b/packages/mosaic/framework/tools/git/issue-comment.sh
@@ -53,7 +53,7 @@ if [[ "$PLATFORM" == "github" ]]; then
    gh issue comment "$ISSUE_NUMBER" --body "$COMMENT"
    echo "Added comment to GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
+    tea issue comment "$ISSUE_NUMBER" "$COMMENT"
    echo "Added comment to Gitea issue #$ISSUE_NUMBER"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/issue-create.sh
+++ b/packages/mosaic/framework/tools/git/issue-create.sh
@@ -112,22 +112,20 @@ PLATFORM=$(detect_platform)

 case "$PLATFORM" in
    github)
-        CMD=(gh issue create --title "$TITLE")
-        [[ -n "$BODY" ]] && CMD+=(--body "$BODY")
-        [[ -n "$LABELS" ]] && CMD+=(--label "$LABELS")
-        [[ -n "$MILESTONE" ]] && CMD+=(--milestone "$MILESTONE")
-        "${CMD[@]}"
+        CMD="gh issue create --title \"$TITLE\""
+        [[ -n "$BODY" ]] && CMD="$CMD --body \"$BODY\""
+        [[ -n "$LABELS" ]] && CMD="$CMD --label \"$LABELS\""
+        [[ -n "$MILESTONE" ]] && CMD="$CMD --milestone \"$MILESTONE\""
+        eval "$CMD"
        ;;
    gitea)
        if command -v tea >/dev/null 2>&1; then
-            REPO_SLUG=$(get_repo_slug)
-            REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
-            CMD=(tea issue create "${REPO_ARGS[@]}" --title "$TITLE")
-            [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
-            [[ -n "$LABELS" ]] && CMD+=(--labels "$LABELS")
+            CMD="tea issue create --title \"$TITLE\""
+            [[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\""
+            [[ -n "$LABELS" ]] && CMD="$CMD --labels \"$LABELS\""
            # tea accepts milestone by name directly (verified 2026-02-05)
-            [[ -n "$MILESTONE" ]] && CMD+=(--milestone "$MILESTONE")
-            if "${CMD[@]}"; then
+            [[ -n "$MILESTONE" ]] && CMD="$CMD --milestone \"$MILESTONE\""
+            if eval "$CMD"; then
                exit 0
            fi
            echo "Warning: tea issue create failed, trying Gitea API fallback..." >&2
--- a/packages/mosaic/framework/tools/git/issue-list.sh
+++ b/packages/mosaic/framework/tools/git/issue-list.sh
@@ -80,8 +80,7 @@ case "$PLATFORM" in
        eval "$CMD"
        ;;
    gitea)
-        REPO_ARGS=$(get_gitea_repo_args)
-        CMD="tea issues list $REPO_ARGS --state $STATE --limit $LIMIT"
+        CMD="tea issues list --state $STATE --limit $LIMIT"
        [[ -n "$LABEL" ]] && CMD="$CMD --labels \"$LABEL\""
        [[ -n "$MILESTONE" ]] && CMD="$CMD --milestones \"$MILESTONE\""
        # Note: tea may not support assignee filter directly
--- a/packages/mosaic/framework/tools/git/issue-reopen.sh
+++ b/packages/mosaic/framework/tools/git/issue-reopen.sh
@@ -52,9 +52,9 @@ if [[ "$PLATFORM" == "github" ]]; then
    echo "Reopened GitHub issue #$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
    if [[ -n "$COMMENT" ]]; then
-        tea issue comment "$ISSUE_NUMBER" "$COMMENT" $(get_gitea_repo_args)
+        tea issue comment "$ISSUE_NUMBER" "$COMMENT"
    fi
-    tea issue reopen "$ISSUE_NUMBER" $(get_gitea_repo_args)
+    tea issue reopen "$ISSUE_NUMBER"
    echo "Reopened Gitea issue #$ISSUE_NUMBER"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/issue-view.sh
+++ b/packages/mosaic/framework/tools/git/issue-view.sh
@@ -67,7 +67,7 @@ if [[ "$PLATFORM" == "github" ]]; then
    gh issue view "$ISSUE_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
    if command -v tea >/dev/null 2>&1; then
-        if tea issue "$ISSUE_NUMBER" $(get_gitea_repo_args); then
+        if tea issue "$ISSUE_NUMBER"; then
            exit 0
        fi
        echo "Warning: tea issue view failed, trying Gitea API fallback..." >&2
--- a/packages/mosaic/framework/tools/git/pr-close.sh
+++ b/packages/mosaic/framework/tools/git/pr-close.sh
@@ -52,9 +52,9 @@ if [[ "$PLATFORM" == "github" ]]; then
    echo "Closed GitHub PR #$PR_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
    if [[ -n "$COMMENT" ]]; then
-        tea pr comment "$PR_NUMBER" "$COMMENT" $(get_gitea_repo_args)
+        tea pr comment "$PR_NUMBER" "$COMMENT"
    fi
-    tea pr close "$PR_NUMBER" $(get_gitea_repo_args)
+    tea pr close "$PR_NUMBER"
    echo "Closed Gitea PR #$PR_NUMBER"
 else
    echo "Error: Unknown platform"
--- a/packages/mosaic/framework/tools/git/pr-create.sh
+++ b/packages/mosaic/framework/tools/git/pr-create.sh
@@ -17,51 +17,6 @@ MILESTONE=""
 DRAFT=false
 ISSUE=""

-# get_remote_host, get_gitea_token, get_repo_info, and get_gitea_repo_args are provided by detect-platform.sh
-
-gitea_pr_create_api() {
-    local host repo token url payload
-    host=$(get_remote_host) || {
-        echo "Error: could not determine remote host for API fallback" >&2
-        return 1
-    }
-    repo=$(get_repo_info) || {
-        echo "Error: could not determine repo owner/name for API fallback" >&2
-        return 1
-    }
-    token=$(get_gitea_token "$host") || {
-        echo "Error: Gitea token not found for API fallback (set GITEA_TOKEN or configure ~/.git-credentials)" >&2
-        return 1
-    }
-
-    if [[ -n "$LABELS" || -n "$MILESTONE" || "$DRAFT" == true ]]; then
-        echo "Warning: API fallback applies title/body/head/base only; labels/milestone/draft require authenticated tea setup." >&2
-    fi
-
-    payload=$(TITLE="$TITLE" BODY="$BODY" HEAD_BRANCH="$HEAD_BRANCH" BASE_BRANCH="$BASE_BRANCH" python3 - <<'PY'
-import json
-import os
-
-payload = {
-    "title": os.environ["TITLE"],
-    "head": os.environ["HEAD_BRANCH"],
-    "base": os.environ["BASE_BRANCH"] or "main",
-}
-body = os.environ.get("BODY", "")
-if body:
-    payload["body"] = body
-print(json.dumps(payload))
-PY
-)
-
-    url="https://${host}/api/v1/repos/${repo}/pulls"
-    curl -fsS -X POST \
-      -H "Authorization: token ${token}" \
-      -H "Content-Type: application/json" \
-      -d "$payload" \
-      "$url"
-}
-
 usage() {
    cat <<EOF
 Usage: $(basename "$0") [OPTIONS]
@@ -163,37 +118,33 @@ PLATFORM=$(detect_platform)

 case "$PLATFORM" in
    github)
-        CMD=(gh pr create --title "$TITLE")
-        [[ -n "$BODY" ]] && CMD+=(--body "$BODY")
-        [[ -n "$BASE_BRANCH" ]] && CMD+=(--base "$BASE_BRANCH")
-        [[ -n "$HEAD_BRANCH" ]] && CMD+=(--head "$HEAD_BRANCH")
-        [[ -n "$LABELS" ]] && CMD+=(--label "$LABELS")
-        [[ -n "$MILESTONE" ]] && CMD+=(--milestone "$MILESTONE")
-        [[ "$DRAFT" == true ]] && CMD+=(--draft)
-        "${CMD[@]}"
+        CMD="gh pr create --title \"$TITLE\""
+        [[ -n "$BODY" ]] && CMD="$CMD --body \"$BODY\""
+        [[ -n "$BASE_BRANCH" ]] && CMD="$CMD --base \"$BASE_BRANCH\""
+        [[ -n "$HEAD_BRANCH" ]] && CMD="$CMD --head \"$HEAD_BRANCH\""
+        [[ -n "$LABELS" ]] && CMD="$CMD --label \"$LABELS\""
+        [[ -n "$MILESTONE" ]] && CMD="$CMD --milestone \"$MILESTONE\""
+        [[ "$DRAFT" == true ]] && CMD="$CMD --draft"
+        eval "$CMD"
        ;;
    gitea)
-        # tea pull create syntax. Always pass --repo because tea repo inference
-        # is unreliable in Mosaic worktrees/profile shells. Use arrays instead
-        # of eval so markdown backticks/body content are not shell-executed.
-        REPO_SLUG=$(get_repo_slug)
-        REPO_ARGS=(--repo "$REPO_SLUG" --login "${GITEA_LOGIN:-mosaicstack}")
-        CMD=(tea pr create "${REPO_ARGS[@]}" --title "$TITLE")
-        [[ -n "$BODY" ]] && CMD+=(--description "$BODY")
-        [[ -n "$BASE_BRANCH" ]] && CMD+=(--base "$BASE_BRANCH")
-        [[ -n "$HEAD_BRANCH" ]] && CMD+=(--head "$HEAD_BRANCH")
+        # tea pull create syntax
+        CMD="tea pr create --title \"$TITLE\""
+        [[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\""
+        [[ -n "$BASE_BRANCH" ]] && CMD="$CMD --base \"$BASE_BRANCH\""
+        [[ -n "$HEAD_BRANCH" ]] && CMD="$CMD --head \"$HEAD_BRANCH\""

        # Handle labels for tea
        if [[ -n "$LABELS" ]]; then
            # tea may use --labels flag
-            CMD+=(--labels "$LABELS")
+            CMD="$CMD --labels \"$LABELS\""
        fi

        # Handle milestone for tea
        if [[ -n "$MILESTONE" ]]; then
-            MILESTONE_ID=$(tea milestones list "${REPO_ARGS[@]}" 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
+            MILESTONE_ID=$(tea milestones list 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
            if [[ -n "$MILESTONE_ID" ]]; then
-                CMD+=(--milestone "$MILESTONE_ID")
+                CMD="$CMD --milestone $MILESTONE_ID"
            else
                echo "Warning: Could not find milestone '$MILESTONE', creating without milestone" >&2
            fi
@@ -204,11 +155,7 @@ case "$PLATFORM" in
            echo "Note: Draft PR may not be supported by your tea version" >&2
        fi

-        if "${CMD[@]}"; then
-            exit 0
-        fi
-        echo "Warning: tea pr create failed, trying Gitea API fallback..." >&2
-        gitea_pr_create_api
+        eval "$CMD"
        ;;
    *)
        echo "Error: Could not detect git platform" >&2
--- a/packages/mosaic/framework/tools/git/pr-list.sh
+++ b/packages/mosaic/framework/tools/git/pr-list.sh
@@ -74,8 +74,7 @@ case "$PLATFORM" in
        ;;
    gitea)
        # tea pr list - note: tea uses 'pulls' subcommand in some versions
-        REPO_ARGS=$(get_gitea_repo_args)
-        CMD="tea pr list $REPO_ARGS --state $STATE --limit $LIMIT"
+        CMD="tea pr list --state $STATE --limit $LIMIT"

        # tea filtering may be limited
        if [[ -n "$LABEL" ]]; then
--- a/packages/mosaic/framework/tools/git/pr-merge.sh
+++ b/packages/mosaic/framework/tools/git/pr-merge.sh
@@ -69,6 +69,11 @@ if [[ -z "$PR_NUMBER" ]]; then
    usage
 fi

+if [[ ! "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+    echo "Error: PR number must be numeric." >&2
+    exit 1
+fi
+
 if [[ "$MERGE_METHOD" != "squash" ]]; then
    echo "Error: Mosaic policy enforces squash merge only. Received '$MERGE_METHOD'." >&2
    exit 1
@@ -94,19 +99,31 @@ REPO=$(get_repo_name)

 case "$PLATFORM" in
    github)
-        CMD="gh pr merge $PR_NUMBER --squash"
-        [[ "$DELETE_BRANCH" == true ]] && CMD="$CMD --delete-branch"
-        eval "$CMD"
+        CMD=(gh pr merge "$PR_NUMBER" --squash)
+        [[ "$DELETE_BRANCH" == true ]] && CMD+=(--delete-branch)
+        "${CMD[@]}"
        ;;
    gitea)
-        CMD="tea pr merge $PR_NUMBER --style squash --repo $OWNER/$REPO --login ${GITEA_LOGIN:-mosaicstack}"
+        HOST=$(get_remote_host) || {
+            echo "Error: Could not determine remote host." >&2
+            exit 1
+        }
+        CMD=(tea pr merge "$PR_NUMBER" --style squash --repo "$OWNER/$REPO")
+        GITEA_TEA_LOGIN=$(get_gitea_login "$HOST" || true)
+        if [[ -n "$GITEA_TEA_LOGIN" ]]; then
+            if [[ ! "$GITEA_TEA_LOGIN" =~ ^[A-Za-z0-9._-]+$ ]]; then
+                echo "Error: Gitea tea login contains unsupported characters." >&2
+                exit 1
+            fi
+            CMD+=(--login "$GITEA_TEA_LOGIN")
+        fi

        # Delete branch after merge if requested
        if [[ "$DELETE_BRANCH" == true ]]; then
            echo "Note: Branch deletion after merge may need to be done separately with tea" >&2
        fi

-        eval "$CMD"
+        "${CMD[@]}"
        ;;
    *)
        echo "Error: Could not detect git platform" >&2
--- a/packages/mosaic/framework/tools/git/pr-review.sh
+++ b/packages/mosaic/framework/tools/git/pr-review.sh
@@ -85,7 +85,7 @@ if [[ "$PLATFORM" == "github" ]]; then
 elif [[ "$PLATFORM" == "gitea" ]]; then
    case $ACTION in
        approve)
-            tea pr approve "$PR_NUMBER" $(get_gitea_repo_args) ${COMMENT:+--comment "$COMMENT"}
+            tea pr approve "$PR_NUMBER" ${COMMENT:+--comment "$COMMENT"}
            echo "Approved Gitea PR #$PR_NUMBER"
            ;;
        request-changes)
@@ -93,7 +93,7 @@ elif [[ "$PLATFORM" == "gitea" ]]; then
                echo "Error: Comment required for request-changes"
                exit 1
            fi
-            tea pr reject "$PR_NUMBER" $(get_gitea_repo_args) --comment "$COMMENT"
+            tea pr reject "$PR_NUMBER" --comment "$COMMENT"
            echo "Requested changes on Gitea PR #$PR_NUMBER"
            ;;
        comment)
@@ -101,7 +101,7 @@ elif [[ "$PLATFORM" == "gitea" ]]; then
                echo "Error: Comment required"
                exit 1
            fi
-            tea pr comment "$PR_NUMBER" "$COMMENT" $(get_gitea_repo_args)
+            tea pr comment "$PR_NUMBER" "$COMMENT"
            echo "Added comment to Gitea PR #$PR_NUMBER"
            ;;
        *)
--- a/packages/mosaic/framework/tools/git/pr-view.sh
+++ b/packages/mosaic/framework/tools/git/pr-view.sh
@@ -41,7 +41,7 @@ detect_platform
 if [[ "$PLATFORM" == "github" ]]; then
    gh pr view "$PR_NUMBER"
 elif [[ "$PLATFORM" == "gitea" ]]; then
-    tea pr "$PR_NUMBER" $(get_gitea_repo_args)
+    tea pr "$PR_NUMBER"
 else
    echo "Error: Unknown platform"
    exit 1
--- a/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
+++ b/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+source "$SCRIPT_DIR/detect-platform.sh"
+
+fail() {
+  echo "FAIL: $*" >&2
+  exit 1
+}
+
+assert_eq() {
+  local expected="$1"
+  local actual="$2"
+  local message="$3"
+  if [[ "$actual" != "$expected" ]]; then
+    fail "$message: expected '$expected', got '$actual'"
+  fi
+}
+
+unset GITEA_LOGIN || true
+assert_eq "usc" "$(get_gitea_login git.uscllc.com)" "USC Gitea host should select usc tea login"
+assert_eq "mosaicstack" "$(get_gitea_login git.mosaicstack.dev)" "Mosaic Gitea host should select mosaicstack tea login"
+
+GITEA_LOGIN="custom-login"
+export GITEA_LOGIN
+assert_eq "custom-login" "$(get_gitea_login git.uscllc.com)" "Explicit GITEA_LOGIN should override host default"
+
+unset GITEA_LOGIN || true
+unknown_login="$(get_gitea_login git.example.invalid || true)"
+assert_eq "" "$unknown_login" "Unknown Gitea hosts should not force a mismatched login"
+
+TEST_WORKDIR="${TEST_WORKDIR:-$SCRIPT_DIR/tests/.tmp-gitea-login-selection}"
+rm -rf "$TEST_WORKDIR"
+mkdir -p "$TEST_WORKDIR"
+trap 'rm -rf "$TEST_WORKDIR"' EXIT
+
+cat > "$TEST_WORKDIR/credentials.json" <<'JSON'
+{
+  "gitea": {
+    "mosaicstack": {
+      "url": "https://git.mosaicstack.dev",
+      "token": "mosaic-token"
+    },
+    "usc": {
+      "url": "https://git.uscllc.com",
+      "token": "usc-token"
+    }
+  }
+}
+JSON
+
+export MOSAIC_CREDENTIALS_FILE="$TEST_WORKDIR/credentials.json"
+GITEA_TOKEN="ambient-wrong-token"
+GITEA_URL="https://git.mosaicstack.dev"
+export GITEA_TOKEN GITEA_URL
+assert_eq "usc-token" "$(get_gitea_token git.uscllc.com)" "Host-specific credential lookup should ignore ambient mismatched GITEA_TOKEN"
+assert_eq "mosaic-token" "$(get_gitea_token git.mosaicstack.dev)" "Host-specific credential lookup should select Mosaic token for Mosaic host"
+
+FAKEBIN="$TEST_WORKDIR/fakebin"
+REPO_DIR="$TEST_WORKDIR/repo"
+CAPTURE_FILE="$TEST_WORKDIR/tea-args.txt"
+mkdir -p "$FAKEBIN" "$REPO_DIR"
+
+cat > "$FAKEBIN/python3" <<'SH'
+#!/usr/bin/env bash
+cat >/dev/null
+printf 'main\n'
+SH
+chmod +x "$FAKEBIN/python3"
+
+cat > "$FAKEBIN/tea" <<'SH'
+#!/usr/bin/env bash
+printf '%s\n' "$@" > "$TEA_CAPTURE_FILE"
+SH
+chmod +x "$FAKEBIN/tea"
+
+(
+  cd "$REPO_DIR"
+  git init -q
+  git remote add origin https://git.uscllc.com/USC/uconnect.git
+  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905
+)
+assert_eq $'pr\nmerge\n1905\n--style\nsquash\n--repo\nUSC/uconnect\n--login\nusc' "$(cat "$CAPTURE_FILE")" "pr-merge should pass USC tea login as isolated argv entries"
+
+PWNED_FILE="$TEST_WORKDIR/pwned"
+if (
+  cd "$REPO_DIR"
+  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" GITEA_LOGIN="bad;touch $PWNED_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905 >/dev/null 2>&1
+); then
+  fail "pr-merge should reject GITEA_LOGIN values with shell metacharacters"
+fi
+if [[ -e "$PWNED_FILE" ]]; then
+  fail "pr-merge executed shell metacharacters from GITEA_LOGIN"
+fi
+
+echo "gitea-login-selection tests passed"