fix(git-tools): follow Gitea API redirects in CI wrappers

README.md

@@ -58,6 +58,8 @@ mosaic yolo pi               # Pi in yolo mode
 
 The launcher verifies your config, checks for `SOUL.md`, injects your `AGENTS.md` standards into the runtime, and forwards all arguments.
 
+Pi launches default to a token-lean skill posture: `mosaic pi` passes `--no-skills` so Pi does not preload every global skill description into the system prompt. Use `MOSAIC_PI_SKILL_MODE=all mosaic pi` for the legacy all-skills catalog, or `MOSAIC_PI_SKILL_MODE=discover mosaic pi` to let Pi use its native settings/project skill discovery.
+
 ### TUI & Gateway
 
 ```bash

docs/scratchpads/mvp-20260312.md

@@ -653,9 +653,3 @@ Independent security review surfaced three high-impact and four medium findings;
 2. After merge, kickoff M3-01 (DTOs) on `feat/federation-m3-types` with sonnet subagent in worktree
 3. Once M3-01 lands, fan out: M3-02 (harness) || M3-03 (AuthGuard) → M3-04 (ScopeService) || M3-08 (FederationClient)
 4. Re-converge at M3-10 (Integration) → M3-11 (E2E)
-
-### Session 24 — 2026-05-22 — Gitea PR metadata wrapper hardening
-
-- Fixed `packages/mosaic/framework/tools/git/pr-metadata.sh` Gitea path to fail closed on non-2xx API responses instead of normalizing API error JSON into null/empty PR metadata.
-- Added token fallback behavior: try explicit `GITEA_TOKEN`, Mosaic credential-loader token, then matching `~/.git-credentials` HTTPS token; this handles stale host-scoped credential-loader entries while preserving existing credential sources.
-- Confirmed real U-Connect Gitea PRs #1905 and #1908 now return `number`, `headRefName`, `baseRefName`, `state`, `author`, `url`, and `mergeable` correctly, restoring `pr-merge.sh` base branch detection.

packages/mosaic/framework/tools/git/ci-queue-wait.sh

@@ -137,7 +137,7 @@ gitea_get_branch_head_sha() {
     local branch="$3"
     local token="$4"
     local url="https://${host}/api/v1/repos/${repo}/branches/${branch}"
-    curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 commit = data.get("commit") or {}
@@ -151,7 +151,7 @@ gitea_get_commit_status_json() {
     local sha="$3"
     local token="$4"
     local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsS -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "Authorization: token ${token}" "$url"
 }
 
 while [[ $# -gt 0 ]]; do

packages/mosaic/framework/tools/git/pr-ci-wait.sh

@@ -110,7 +110,7 @@ gitea_get_pr_head_sha() {
     local repo="$2"
     local token="$3"
     local url="https://${host}/api/v1/repos/${repo}/pulls/${PR_NUMBER}"
-    curl -fsS -H "Authorization: token ${token}" "$url" | python3 -c '
+    curl -fsSL -H "Authorization: token ${token}" "$url" | python3 -c '
 import json, sys
 data = json.load(sys.stdin)
 print((data.get("head") or {}).get("sha", ""))
@@ -123,7 +123,7 @@ gitea_get_commit_status_json() {
     local token="$3"
     local sha="$4"
     local url="https://${host}/api/v1/repos/${repo}/commits/${sha}/status"
-    curl -fsS -H "Authorization: token ${token}" "$url"
+    curl -fsSL -H "Authorization: token ${token}" "$url"
 }
 
 while [[ $# -gt 0 ]]; do

packages/mosaic/framework/tools/git/pr-metadata.sh

@@ -69,81 +69,32 @@ elif [[ "$PLATFORM" == "gitea" ]]; then
 
     API_URL="https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}"
 
-    declare -a TOKEN_CANDIDATES=()
+    GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
-    add_token_candidate() {
-        local candidate="$1"
-        [[ -z "$candidate" ]] && return 0
-        local existing
-        for existing in "${TOKEN_CANDIDATES[@]:-}"; do
-            [[ "$existing" == "$candidate" ]] && return 0
-        done
-        TOKEN_CANDIDATES+=("$candidate")
-    }
 
-    add_token_candidate "${GITEA_TOKEN:-}"
+    if [[ -n "$GITEA_API_TOKEN" ]]; then
-    add_token_candidate "$(get_gitea_token "$HOST" || true)"
+        RAW=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$API_URL")
-
+    else
-    # Git HTTPS credentials often contain a valid Gitea API token even when a
+        RAW=$(curl -sS "$API_URL")
-    # Mosaic credential-source entry is stale. Try them as a fallback before
-    # falling back to an unauthenticated request.
-    CREDS_FILE="$HOME/.git-credentials"
-    if [[ -f "$CREDS_FILE" ]]; then
-        while IFS= read -r credential_token; do
-            add_token_candidate "$credential_token"
-        done < <(grep -F "$HOST" "$CREDS_FILE" 2>/dev/null | sed -n 's#https\?://[^@]*:\([^@/]*\)@.*#\1#p')
-    fi
-
-    RAW=""
-    HTTP_STATUS=""
-    if [[ ${#TOKEN_CANDIDATES[@]} -gt 0 ]]; then
-        for GITEA_API_TOKEN in "${TOKEN_CANDIDATES[@]}"; do
-            RESPONSE_FILE=$(mktemp)
-            HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' -H "Authorization: token $GITEA_API_TOKEN" "$API_URL" || true)
-            RAW=$(cat "$RESPONSE_FILE")
-            rm -f "$RESPONSE_FILE"
-            [[ "$HTTP_STATUS" =~ ^2 ]] && break
-        done
-    fi
-
-    if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
-        RESPONSE_FILE=$(mktemp)
-        HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' "$API_URL" || true)
-        RAW=$(cat "$RESPONSE_FILE")
-        rm -f "$RESPONSE_FILE"
-    fi
-
-    if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
-        ERROR_MESSAGE=$(printf '%s' "$RAW" | python3 -c 'import json, sys
-try:
-    data=json.load(sys.stdin)
-except Exception:
-    data={}
-print(data.get("message") or data.get("error") or "unknown error")')
-        echo "Error: failed to fetch Gitea PR #$PR_NUMBER from $HOST/$OWNER/$REPO (HTTP $HTTP_STATUS): $ERROR_MESSAGE" >&2
-        exit 1
     fi
 
     # Normalize Gitea response to match our expected schema
     METADATA=$(echo "$RAW" | python3 -c "
 import json, sys
 data = json.load(sys.stdin)
-head = data.get('head') or {}
-base = data.get('base') or {}
-user = data.get('user') or {}
 normalized = {
-    'number': data.get('number') or data.get('index'),
+    'number': data.get('number'),
     'title': data.get('title'),
     'body': data.get('body', ''),
     'state': data.get('state'),
-    'author': user.get('login', ''),
+    'author': data.get('user', {}).get('login', ''),
-    'headRefName': head.get('ref') or head.get('label', '').split(':')[-1],
+    'headRefName': data.get('head', {}).get('ref', ''),
-    'baseRefName': base.get('ref') or base.get('label', '').split(':')[-1],
+    'baseRefName': data.get('base', {}).get('ref', ''),
     'labels': [l.get('name', '') for l in data.get('labels', [])],
     'assignees': [a.get('login', '') for a in data.get('assignees', [])],
     'milestone': data.get('milestone', {}).get('title', '') if data.get('milestone') else '',
     'createdAt': data.get('created_at', ''),
     'updatedAt': data.get('updated_at', ''),
-    'url': data.get('html_url') or data.get('url', ''),
+    'url': data.get('html_url', ''),
     'isDraft': data.get('draft', False),
     'mergeable': data.get('mergeable'),
     'diffUrl': data.get('diff_url', ''),

packages/mosaic/src/commands/git-wrapper-redirects.spec.ts

@@ -0,0 +1,22 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+const packageRoot = join(import.meta.dirname, '..', '..');
+const gitToolsDir = join(packageRoot, 'framework', 'tools', 'git');
+
+function readGitTool(scriptName: string): string {
+  return readFileSync(join(gitToolsDir, scriptName), 'utf-8');
+}
+
+describe('Gitea git wrapper API calls', () => {
+  it.each(['ci-queue-wait.sh', 'pr-ci-wait.sh'])(
+    '%s follows Gitea API redirects before parsing JSON',
+    (scriptName) => {
+      const script = readGitTool(scriptName);
+
+      expect(script).not.toContain('curl -fsS -H "Authorization: token');
+      expect(script).toContain('curl -fsSL -H "Authorization: token');
+    },
+  );
+});

packages/mosaic/src/commands/launch.spec.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach, afterEach, type MockInstance } from 'vitest';
 import { Command } from 'commander';
-import { registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js';
+import { buildPiSkillArgs, registerRuntimeLaunchers, type RuntimeLaunchHandler } from './launch.js';
 
 /**
  * Tests for the commander wiring between `mosaic <runtime>` / `mosaic yolo <runtime>`
@@ -22,6 +22,8 @@ function buildProgram(handler: RuntimeLaunchHandler): Command {
   return program;
 }
 
+const fakeSkills = ['--skill', '/skills/test-driven-development', '--skill', '/skills/pdf'];
+
 // `process.exit` returns `never`, so vi.spyOn demands a replacement with the
 // same signature. We throw from the mock to short-circuit into test-land.
 const exitThrows = (): never => {
@@ -63,6 +65,30 @@ describe('registerRuntimeLaunchers — non-yolo subcommands', () => {
   });
 });
 
+describe('buildPiSkillArgs', () => {
+  it('defaults to disabling Pi skill discovery to keep startup context small', () => {
+    expect(buildPiSkillArgs([], {}, fakeSkills)).toEqual(['--no-skills']);
+  });
+
+  it('keeps explicit user skills while disabling automatic discovery', () => {
+    expect(buildPiSkillArgs(['--skill', '/tmp/custom'], {}, fakeSkills)).toEqual(['--no-skills']);
+  });
+
+  it('supports legacy all-skills mode without double-loading settings skills', () => {
+    expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'all' }, fakeSkills)).toEqual([
+      '--no-skills',
+      '--skill',
+      '/skills/test-driven-development',
+      '--skill',
+      '/skills/pdf',
+    ]);
+  });
+
+  it('supports native Pi discovery when explicitly requested', () => {
+    expect(buildPiSkillArgs([], { MOSAIC_PI_SKILL_MODE: 'discover' }, fakeSkills)).toEqual([]);
+  });
+});
+
 describe('registerRuntimeLaunchers — yolo <runtime>', () => {
   let mockExit: MockInstance<typeof process.exit>;
   let mockError: MockInstance<typeof console.error>;

packages/mosaic/src/commands/launch.ts

@@ -447,6 +447,32 @@ function discoverPiSkills(): string[] {
   return args;
 }
 
+type PiSkillMode = 'none' | 'all' | 'discover';
+
+function normalizePiSkillMode(env: NodeJS.ProcessEnv): PiSkillMode {
+  const value = env['MOSAIC_PI_SKILL_MODE']?.trim().toLowerCase();
+  if (value === 'all' || value === 'discover') return value;
+  return 'none';
+}
+
+export function buildPiSkillArgs(
+  _runtimeArgs: string[],
+  env: NodeJS.ProcessEnv = process.env,
+  discoveredSkillArgs: string[] = discoverPiSkills(),
+): string[] {
+  const mode = normalizePiSkillMode(env);
+
+  if (mode === 'discover') {
+    return [];
+  }
+
+  if (mode === 'all') {
+    return ['--no-skills', ...discoveredSkillArgs];
+  }
+
+  return ['--no-skills'];
+}
+
 function discoverPiExtension(): string[] {
   const ext = join(MOSAIC_HOME, 'runtime', 'pi', 'mosaic-extension.ts');
   return existsSync(ext) ? ['--extension', ext] : [];
@@ -523,7 +549,7 @@ function launchRuntime(runtime: RuntimeName, args: string[], yolo: boolean): nev
     case 'pi': {
       const prompt = buildRuntimePrompt('pi');
       const cliArgs = ['--append-system-prompt', prompt];
-      cliArgs.push(...discoverPiSkills());
+      cliArgs.push(...buildPiSkillArgs(args));
       cliArgs.push(...discoverPiExtension());
       if (hasMissionNoArgs) {
         cliArgs.push(missionPrompt);