fix(git): select USC Gitea login for PR merges (#516 )

2026-05-22 09:34:35 -05:00
11 changed files with 208 additions and 88 deletions
--- a/README.md
+++ b/README.md
@@ -58,8 +58,6 @@ mosaic yolo pi               # Pi in yolo mode
 The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
 Pi launches default to a token-lean skill posture: `mosaic pi` passes `--no-skills` so Pi does not preload every global skill description into the system prompt. Use `MOSAIC_PI_SKILL_MODE=all mosaic pi` for the legacy all-skills catalog, or `MOSAIC_PI_SKILL_MODE=discover mosaic pi` to let Pi use its native settings/project skill discovery.
 ### TUI & Gateway
 ```bash
--- a/docs/scratchpads/t_3a368a52-gitea-login-selection.md
+++ b/docs/scratchpads/t_3a368a52-gitea-login-selection.md
@@ -0,0 +1,53 @@
 # t_3a368a52 — Gitea login selection for USC repos
 ## Objective
 Fix Mosaic git wrapper behavior so `git.uscllc.com` repositories use the USC Gitea/tea login instead of the Mosaic Stack login during PR merge operations.
 ## Issue / tracking
 - Kanban: `t_3a368a52`
 - Gitea issue: `#516` (`http://git.mosaicstack.dev/mosaicstack/stack/issues/516`)
 - Branch: `fix/t_3a368a52-gitea-usc-login`
 ## Scope
 - In scope: Mosaic framework git wrapper scripts under `packages/mosaic/framework/tools/git/` and matching framework docs.
 - Out of scope: U-Connect source, PR #1905 contents, Authentik settings, smoke credentials, and runtime infrastructure manifests.
 ## Root cause
 `pr-merge.sh` always built the Gitea merge command with `--login ${GITEA_LOGIN:-mosaicstack}`. In a `git.uscllc.com/USC/uconnect` repo with no explicit `GITEA_LOGIN`, this selected the `mosaicstack` tea login even though the remote host requires the `usc` login. While validating `pr-metadata.sh`, I also found that `load_credentials` preserves existing env vars; an ambient `GITEA_TOKEN` for a different account could override host-specific credential loading unless the lookup clears Gitea env vars inside the credential-loader subshell.
 ## Plan
 1. Add regression coverage for host → tea login selection.
 2. Add shared `get_gitea_login(host)` helper in `detect-platform.sh`.
 3. Update `pr-merge.sh` to derive the tea login from the current remote host.
 4. Document the host mapping in framework `TOOLS.md`.
 5. Validate with safe fake-`tea` merge command captures; do not perform a real merge.
 ## Evidence log
 - Reproduced old behavior safely from `/src/uconnect` with fake `tea`: PR #1905 command used `--login mosaicstack` for repo `USC/uconnect`.
 - RED test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` failed because `get_gitea_login` did not exist.
 - RED test extension: same test failed with `expected 'usc-token', got 'ambient-wrong-token'`, proving ambient `GITEA_TOKEN` could override host-specific USC credentials.
 - GREEN test: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed after adding host mapping and clearing Gitea env vars in the credential-loader subshell.
 - Syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
 - Metadata validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
  - PR #1905: `number=1905 state=open base=main head=edith/t_39ce717c-authentik-smoke-gate mergeable=True`.
  - PR #1869: `number=1869 state=closed base=main head=fix/t_6f492e4a-cert-renewal-malformed-crt mergeable=True`.
 - Safe fake-`tea` merge validation from `/src/uconnect` using the fixed wrapper source and `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
  - PR #1905 command captured `pr merge 1905 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
  - PR #1869 command captured `pr merge 1869 --style squash --repo USC/uconnect --login usc` and exited through fake `tea` with code 42; no merge was attempted.
 - `ci-queue-wait.sh --purpose merge -B main -t 5 -i 1` from `/src/uconnect` resolved `platform=gitea`, branch `main`, SHA `49f0bce75c242eee19472ed367295658da9e56fc`, state `unknown`, exit 0.
 - Final shell regression: `bash packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed, including `pr-merge.sh` fake-`tea` argv capture for USC login selection and a negative metacharacter login override test.
 - Final syntax check: `bash -n packages/mosaic/framework/tools/git/detect-platform.sh packages/mosaic/framework/tools/git/pr-merge.sh packages/mosaic/framework/tools/git/pr-metadata.sh packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh` passed.
 - Independent review initially found the changed `pr-merge.sh` path still used string-built `eval`; remediated by switching GitHub/Gitea merge execution to argv arrays, validating numeric PR numbers, and rejecting unsupported characters in explicit `GITEA_LOGIN` overrides.
 - Workspace gates: `pnpm typecheck`, `pnpm lint`, and `pnpm format:check` passed after dependency install.
 ## Current blocker/risk
 `ci-queue-wait.sh` still reports `state=unknown` for U-Connect main because the Gitea commit status payload does not classify into success/failure/pending/no-status. This task fixed the wrong tea login selection path; it did not alter CI status semantics.
 Full `pnpm test` remains blocked by unrelated gateway database setup in this Kanban workspace: gateway tests fail with `PostgresError: relation "messages" does not exist` (`42P01`) even after starting Postgres/Valkey with Docker Compose. Jaeger also fails to start because host port `16686` is already allocated. The targeted wrapper regression and repo type/lint/format gates pass.
--- a/packages/mosaic/framework/defaults/TOOLS.md
+++ b/packages/mosaic/framework/defaults/TOOLS.md
@@ -9,7 +9,7 @@ All tool suites are located at `~/.config/mosaic/tools/`.
 ### Git Wrappers (Use First)
-Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands.
+Mosaic wrappers at `~/.config/mosaic/tools/git/*.sh` handle platform detection and edge cases. Always use these before raw CLI commands. For self-hosted Gitea, the shared credential helper selects API credentials by remote host (`git.mosaicstack.dev` → `gitea-mosaicstack`, `git.uscllc.com` → `gitea-usc`), and the PR merge wrapper selects the matching tea login (`git.mosaicstack.dev` → `mosaicstack`, `git.uscllc.com` → `usc`) unless `GITEA_LOGIN` is explicitly set to a safe tea login override.
 ```bash
 # Issues
--- a/packages/mosaic/framework/tools/git/ci-queue-wait.sh
+++ b/packages/mosaic/framework/tools/git/ci-queue-wait.sh
@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
    local branch="$3"
    local token="$4"
    local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
-    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
    local sha="$3"
    local token="$4"
    local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "Authorization: token ${token}" "$url"
+    curl -fsS -H "Authorization: token ${token}" "$url"
 }
 while [[ $# -gt 0 ]]; do
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -91,6 +91,31 @@ get_remote_host() {
    return 1
 }
 # Resolve the tea login name for the given Gitea host.
 # Priority: explicit caller override → known Mosaic host mapping → no forced login.
 get_gitea_login() {
    local host="$1"
    if [[ -n "${GITEA_LOGIN:-}" ]]; then
        echo "$GITEA_LOGIN"
        return 0
    fi
    case "$host" in
        git.mosaicstack.dev)
            echo "mosaicstack"
            return 0
            ;;
        git.uscllc.com)
            echo "usc"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
 }
 # Resolve a Gitea API token for the given host.
 # Priority: Mosaic credential loader → GITEA_TOKEN env → ~/.git-credentials
 get_gitea_token() {
@@ -104,6 +129,10 @@ get_gitea_token() {
        local token
        token=$(
            source "$cred_loader"
            # load_credentials preserves pre-existing env vars by design. Clear
            # Gitea env in this subshell so host-specific credential lookup wins
            # over an ambient token for a different Gitea instance.
            unset GITEA_TOKEN GITEA_URL
            case "$host" in
                git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;
--- a/packages/mosaic/framework/tools/git/pr-ci-wait.sh
+++ b/packages/mosaic/framework/tools/git/pr-ci-wait.sh
@@ -110,7 +110,7 @@ gitea_get_pr_head_sha() {
    local repo="$2"
    local token="$3"
    local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
-    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 print((data.get("head") or {}).get("sha", ""))
@@ -123,7 +123,7 @@ gitea_get_commit_status_json() {
    local token="$3"
    local sha="$4"
    local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsSL -H "Authorization: token ${token}" "$url"
+    curl -fsS -H "Authorization: token ${token}" "$url"
 }
 while [[ $# -gt 0 ]]; do
--- a/packages/mosaic/framework/tools/git/pr-merge.sh
+++ b/packages/mosaic/framework/tools/git/pr-merge.sh
@@ -69,6 +69,11 @@ if [[ -z "$PR_NUMBER" ]]; then
    usage
 fi
 if [[ ! "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
    echo "Error: PR number must be numeric." >&2
    exit 1
 fi
 if [[ "$MERGE_METHOD" != "squash" ]]; then
    echo "Error: Mosaic policy enforces squash merge only. Received '$MERGE_METHOD'." >&2
    exit 1
@@ -94,19 +99,31 @@ REPO=$(get_repo_name)
 case "$PLATFORM" in
    github)
-        CMD="gh pr merge $PR_NUMBER --squash"
+        CMD=(gh pr merge "$PR_NUMBER" --squash)
-        [[ "$DELETE_BRANCH" == true ]] && CMD="$CMD --delete-branch"
+        [[ "$DELETE_BRANCH" == true ]] && CMD+=(--delete-branch)
-        eval "$CMD"
+        "${CMD[@]}"
        ;;
    gitea)
-        CMD="tea pr merge $PR_NUMBER --style squash --repo $OWNER/$REPO --login ${GITEA_LOGIN:-mosaicstack}"
+        HOST=$(get_remote_host) || {
            echo "Error: Could not determine remote host." >&2
            exit 1
        }
        CMD=(tea pr merge "$PR_NUMBER" --style squash --repo "$OWNER/$REPO")
        GITEA_TEA_LOGIN=$(get_gitea_login "$HOST" || true)
        if [[ -n "$GITEA_TEA_LOGIN" ]]; then
            if [[ ! "$GITEA_TEA_LOGIN" =~ ^[A-Za-z0-9._-]+$ ]]; then
                echo "Error: Gitea tea login contains unsupported characters." >&2
                exit 1
            fi
            CMD+=(--login "$GITEA_TEA_LOGIN")
        fi
        # Delete branch after merge if requested
        if [[ "$DELETE_BRANCH" == true ]]; then
            echo "Note: Branch deletion after merge may need to be done separately with tea" >&2
        fi
-        eval "$CMD"
+        "${CMD[@]}"
        ;;
    *)
        echo "Error: Could not detect git platform" >&2
--- a/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
+++ b/packages/mosaic/framework/tools/git/tests/gitea-login-selection.test.sh
@@ -0,0 +1,97 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 source "$SCRIPT_DIR/detect-platform.sh"
 fail() {
  echo "FAIL: $*" >&2
  exit 1
 }
 assert_eq() {
  local expected="$1"
  local actual="$2"
  local message="$3"
  if [[ "$actual" != "$expected" ]]; then
    fail "$message: expected '$expected', got '$actual'"
  fi
 }
 unset GITEA_LOGIN || true
 assert_eq "usc" "$(get_gitea_login git.uscllc.com)" "USC Gitea host should select usc tea login"
 assert_eq "mosaicstack" "$(get_gitea_login git.mosaicstack.dev)" "Mosaic Gitea host should select mosaicstack tea login"
 GITEA_LOGIN="custom-login"
 export GITEA_LOGIN
 assert_eq "custom-login" "$(get_gitea_login git.uscllc.com)" "Explicit GITEA_LOGIN should override host default"
 unset GITEA_LOGIN || true
 unknown_login="$(get_gitea_login git.example.invalid || true)"
 assert_eq "" "$unknown_login" "Unknown Gitea hosts should not force a mismatched login"
 TEST_WORKDIR="${TEST_WORKDIR:-$SCRIPT_DIR/tests/.tmp-gitea-login-selection}"
 rm -rf "$TEST_WORKDIR"
 mkdir -p "$TEST_WORKDIR"
 trap 'rm -rf "$TEST_WORKDIR"' EXIT
 cat > "$TEST_WORKDIR/credentials.json" <<'JSON'
 {
  "gitea": {
    "mosaicstack": {
      "url": "https://git.mosaicstack.dev",
      "token": "mosaic-token"
    },
    "usc": {
      "url": "https://git.uscllc.com",
      "token": "usc-token"
    }
  }
 }
 JSON
 export MOSAIC_CREDENTIALS_FILE="$TEST_WORKDIR/credentials.json"
 GITEA_TOKEN="ambient-wrong-token"
 GITEA_URL="https://git.mosaicstack.dev"
 export GITEA_TOKEN GITEA_URL
 assert_eq "usc-token" "$(get_gitea_token git.uscllc.com)" "Host-specific credential lookup should ignore ambient mismatched GITEA_TOKEN"
 assert_eq "mosaic-token" "$(get_gitea_token git.mosaicstack.dev)" "Host-specific credential lookup should select Mosaic token for Mosaic host"
 FAKEBIN="$TEST_WORKDIR/fakebin"
 REPO_DIR="$TEST_WORKDIR/repo"
 CAPTURE_FILE="$TEST_WORKDIR/tea-args.txt"
 mkdir -p "$FAKEBIN" "$REPO_DIR"
 cat > "$FAKEBIN/python3" <<'SH'
 #!/usr/bin/env bash
 cat >/dev/null
 printf 'main\n'
 SH
 chmod +x "$FAKEBIN/python3"
 cat > "$FAKEBIN/tea" <<'SH'
 #!/usr/bin/env bash
 printf '%s\n' "$@" > "$TEA_CAPTURE_FILE"
 SH
 chmod +x "$FAKEBIN/tea"
 (
  cd "$REPO_DIR"
  git init -q
  git remote add origin https://git.uscllc.com/USC/uconnect.git
  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905
 )
 assert_eq $'pr\nmerge\n1905\n--style\nsquash\n--repo\nUSC/uconnect\n--login\nusc' "$(cat "$CAPTURE_FILE")" "pr-merge should pass USC tea login as isolated argv entries"
 PWNED_FILE="$TEST_WORKDIR/pwned"
 if (
  cd "$REPO_DIR"
  PATH="$FAKEBIN:$PATH" TEA_CAPTURE_FILE="$CAPTURE_FILE" GITEA_LOGIN="bad;touch $PWNED_FILE" "$SCRIPT_DIR/pr-merge.sh" --skip-queue-guard -n 1905 >/dev/null 2>&1
 ); then
  fail "pr-merge should reject GITEA_LOGIN values with shell metacharacters"
 fi
 if [[ -e "$PWNED_FILE" ]]; then
  fail "pr-merge executed shell metacharacters from GITEA_LOGIN"
 fi
 echo "gitea-login-selection tests passed"
--- a/packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
+++ b/packages/mosaic/src/commands/git-wrapper-redirects.spec.ts
@@ -1,22 +0,0 @@
 import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { describe, expect, it } from 'vitest';
 const packageRoot = join(import.meta.dirname, '..', '..');
 const gitToolsDir = join(packageRoot, 'framework', 'tools', 'git');
 function readGitTool(scriptName: string): string {
  return readFileSync(join(gitToolsDir, scriptName), 'utf-8');
 }
 describe('Gitea git wrapper API calls', () => {
  it.each(['ci-queue-wait.sh', 'pr-ci-wait.sh'])(
    '%s follows Gitea API redirects before parsing JSON',
    (scriptName) => {
      const script = readGitTool(scriptName);
      expect(script).not.toContain('curl -fsS -H "Authorization: token');
      expect(script).toContain('curl -fsSL -H "Authorization: token');
    },
  );
 });
--- a/packages/mosaic/src/commands/launch.spec.ts
+++ b/packages/mosaic/src/commands/launch.spec.ts
@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach, afterEach, type MockInstance } from 'vitest';
 import { Command } from 'commander';
-import { buildPiSkillArgs, registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js';
+import { registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js';
 /**
 * Tests for the commander wiring between `mosaic <runtime>` / `mosaic yolo <runtime>`
@@ -22,8 +22,6 @@ function buildProgram(handler: RuntimeLaunchHandler): Command {
  return program;
 }
 const fakeSkills = ['--skill', '/skills/test-driven-development', '--skill', '/skills/pdf'];
 // `process.exit` returns `never`, so vi.spyOn demands a replacement with the
 // same signature. We throw from the mock to short-circuit into test-land.
 const exitThrows = (): never => {
@@ -65,30 +63,6 @@ describe('registerRuntimeLaunchers — non-yolo subcommands', () => {
  });
 });
 describe('buildPiSkillArgs', () => {
  it('defaults to disabling Pi skill discovery to keep startup context small', () => {
    expect(buildPiSkillArgs([], {}, fakeSkills)).toEqual(['--no-skills']);
  });
  it('keeps explicit user skills while disabling automatic discovery', () => {
    expect(buildPiSkillArgs(['--skill', '/tmp/custom'], {}, fakeSkills)).toEqual(['--no-skills']);
  });
  it('supports legacy all-skills mode without double-loading settings skills', () => {
    expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'all' }, fakeSkills)).toEqual([
      '--no-skills',
      '--skill',
      '/skills/test-driven-development',
      '--skill',
      '/skills/pdf',
    ]);
  });
  it('supports native Pi discovery when explicitly requested', () => {
    expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'discover' }, fakeSkills)).toEqual([]);
  });
 });
 describe('registerRuntimeLaunchers — yolo <runtime>', () => {
  let mockExit: MockInstance<typeof process.exit>;
  let mockError: MockInstance<typeof console.error>;
--- a/packages/mosaic/src/commands/launch.ts
+++ b/packages/mosaic/src/commands/launch.ts
@@ -447,32 +447,6 @@ function discoverPiSkills(): string[] {
  return args;
 }
 type PiSkillMode = 'none' | 'all' | 'discover';
 function normalizePiSkillMode(env: NodeJS.ProcessEnv): PiSkillMode {
  const value = env['MOSAIC_PI_SKILL_MODE']?.trim().toLowerCase();
  if (value === 'all' || value === 'discover') return value;
  return 'none';
 }
 export function buildPiSkillArgs(
  _runtimeArgs: string[],
  env: NodeJS.ProcessEnv = process.env,
  discoveredSkillArgs: string[] = discoverPiSkills(),
 ): string[] {
  const mode = normalizePiSkillMode(env);
  if (mode === 'discover') {
    return [];
  }
  if (mode === 'all') {
    return ['--no-skills', ...discoveredSkillArgs];
  }
  return ['--no-skills'];
 }
 function discoverPiExtension(): string[] {
  const ext = join(MOSAIC_HOME, 'runtime', 'pi', 'mosaic-extension.ts');
  return existsSync(ext) ? ['--extension', ext] : [];
@@ -549,7 +523,7 @@ function launchRuntime(runtime: RuntimeName, args: string[], yolo: boolean): nev
    case 'pi': {
      const prompt = buildRuntimePrompt('pi');
      const cliArgs = ['--append-system-prompt', prompt];
-      cliArgs.push(...buildPiSkillArgs(args));
+      cliArgs.push(...discoverPiSkills());
      cliArgs.push(...discoverPiExtension());
      if (hasMissionNoArgs) {
        cliArgs.push(missionPrompt);