fix(tools/git/pr-ci-wait): stdin collision in python3 - <<PY made wrapper always return "unknown"

When the wrapper invoked `python3 - <<'PY' ... PY` inside a function that
was being fed JSON via a pipe (`printf '%s' "$STATUS_JSON" |
extract_state_from_status_json`), the heredoc bound stdin to the Python
program text. The `-` argument tells Python to read its program from
stdin, so the program consumed stdin before json.load(sys.stdin) ran —
which then saw EOF and bailed to the "unknown" branch every time.

Result: pr-ci-wait.sh hung the full timeout (default 30 min) even when
the upstream Gitea status was already 'success', because every poll
returned 'unknown' and the loop kept retrying.

Fix: capture the piped JSON into a local variable with `payload=$(cat)`
BEFORE invoking python, then pass it via env (PR_CI_STATUS_JSON). The
heredoc still drives the Python program, but the payload is now read
from the environment instead of a stdin that's already been consumed.

Same fix applied to print_status_summary() which has the identical
pattern.

Verified locally:
  $ echo '{"state":"success"}' | extract_state_from_status_json → success
  $ echo '' | extract_state_from_status_json → unknown
  $ echo '{"state":null,"statuses":[{"state":"success"}]}' | … → success
  $ echo '{"state":"pending"}' | extract_state_from_status_json → pending
  $ echo '{"state":"failure"}' | extract_state_from_status_json → failure

Reported in screenshot from operator session 2026-05-13 — wrapper was
stuck waiting on a PR whose underlying Gitea status was already
success. Operator workaround was to bypass the wrapper and use the raw
Gitea API.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/scratchpads/mvp-20260312.md

@@ -653,9 +653,3 @@ Independent security review surfaced three high-impact and four medium findings;
 2. After merge, kickoff M3-01 (DTOs) on `feat/federation-m3-types` with sonnet subagent in worktree
 3. Once M3-01 lands, fan out: M3-02 (harness) || M3-03 (AuthGuard) → M3-04 (ScopeService) || M3-08 (FederationClient)
 4. Re-converge at M3-10 (Integration) → M3-11 (E2E)
-
-### Session 24 — 2026-05-22 — Gitea PR metadata wrapper hardening
-
-- Fixed `packages/mosaic/framework/tools/git/pr-metadata.sh` Gitea path to fail closed on non-2xx API responses instead of normalizing API error JSON into null/empty PR metadata.
-- Added token fallback behavior: try explicit `GITEA_TOKEN`, Mosaic credential-loader token, then matching `~/.git-credentials` HTTPS token; this handles stale host-scoped credential-loader entries while preserving existing credential sources.
-- Confirmed real U-Connect Gitea PRs #1905 and #1908 now return `number`, `headRefName`, `baseRefName`, `state`, `author`, `url`, and `mergeable` correctly, restoring `pr-merge.sh` base branch detection.

packages/mosaic/framework/tools/git/pr-ci-wait.sh

@@ -30,12 +30,19 @@ EOF
 # get_remote_host and get_gitea_token are provided by detect-platform.sh
 
 extract_state_from_status_json() {
-    python3 - <<'PY'
+    # Capture piped JSON BEFORE invoking `python3 - <<PY`. The heredoc binds
+    # stdin to the Python program text — so json.load(sys.stdin) inside would
+    # try to re-read stdin after `-` already consumed it for the program,
+    # yielding EOF and returning "unknown" every time. Pass payload via env.
+    local payload
+    payload=$(cat)
+    PR_CI_STATUS_JSON="$payload" python3 - <<'PY'
 import json
+import os
 import sys
 
 try:
-    payload = json.load(sys.stdin)
+    payload = json.loads(os.environ.get("PR_CI_STATUS_JSON", ""))
 except Exception:
     print("unknown")
     raise SystemExit(0)
@@ -66,12 +73,16 @@ PY
 }
 
 print_status_summary() {
-    python3 - <<'PY'
+    # Same stdin-collision fix as extract_state_from_status_json above.
+    local payload
+    payload=$(cat)
+    PR_CI_STATUS_JSON="$payload" python3 - <<'PY'
 import json
+import os
 import sys
 
 try:
-    payload = json.load(sys.stdin)
+    payload = json.loads(os.environ.get("PR_CI_STATUS_JSON", ""))
 except Exception:
     print("[pr-ci-wait] status payload unavailable")
     raise SystemExit(0)

packages/mosaic/framework/tools/git/pr-metadata.sh

@@ -69,81 +69,32 @@ elif [[ "$PLATFORM" == "gitea" ]]; then
 
     API_URL="https://${HOST}/api/v1/repos/${OWNER}/${REPO}/pulls/${PR_NUMBER}"
 
-    declare -a TOKEN_CANDIDATES=()
-    add_token_candidate() {
-        local candidate="$1"
-        [[ -z "$candidate" ]] && return 0
-        local existing
-        for existing in "${TOKEN_CANDIDATES[@]:-}"; do
-            [[ "$existing" == "$candidate" ]] && return 0
-        done
-        TOKEN_CANDIDATES+=("$candidate")
-    }
+    GITEA_API_TOKEN=$(get_gitea_token "$HOST" || true)
 
-    add_token_candidate "${GITEA_TOKEN:-}"
-    add_token_candidate "$(get_gitea_token "$HOST" || true)"
-
-    # Git HTTPS credentials often contain a valid Gitea API token even when a
-    # Mosaic credential-source entry is stale. Try them as a fallback before
-    # falling back to an unauthenticated request.
-    CREDS_FILE="$HOME/.git-credentials"
-    if [[ -f "$CREDS_FILE" ]]; then
-        while IFS= read -r credential_token; do
-            add_token_candidate "$credential_token"
-        done < <(grep -F "$HOST" "$CREDS_FILE" 2>/dev/null | sed -n 's#https\?://[^@]*:\([^@/]*\)@.*#\1#p')
-    fi
-
-    RAW=""
-    HTTP_STATUS=""
-    if [[ ${#TOKEN_CANDIDATES[@]} -gt 0 ]]; then
-        for GITEA_API_TOKEN in "${TOKEN_CANDIDATES[@]}"; do
-            RESPONSE_FILE=$(mktemp)
-            HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' -H "Authorization: token $GITEA_API_TOKEN" "$API_URL" || true)
-            RAW=$(cat "$RESPONSE_FILE")
-            rm -f "$RESPONSE_FILE"
-            [[ "$HTTP_STATUS" =~ ^2 ]] && break
-        done
-    fi
-
-    if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
-        RESPONSE_FILE=$(mktemp)
-        HTTP_STATUS=$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' "$API_URL" || true)
-        RAW=$(cat "$RESPONSE_FILE")
-        rm -f "$RESPONSE_FILE"
-    fi
-
-    if [[ ! "$HTTP_STATUS" =~ ^2 ]]; then
-        ERROR_MESSAGE=$(printf '%s' "$RAW" | python3 -c 'import json, sys
-try:
-    data=json.load(sys.stdin)
-except Exception:
-    data={}
-print(data.get("message") or data.get("error") or "unknown error")')
-        echo "Error: failed to fetch Gitea PR #$PR_NUMBER from $HOST/$OWNER/$REPO (HTTP $HTTP_STATUS): $ERROR_MESSAGE" >&2
-        exit 1
+    if [[ -n "$GITEA_API_TOKEN" ]]; then
+        RAW=$(curl -sS -H "Authorization: token $GITEA_API_TOKEN" "$API_URL")
+    else
+        RAW=$(curl -sS "$API_URL")
     fi
 
     # Normalize Gitea response to match our expected schema
     METADATA=$(echo "$RAW" | python3 -c "
 import json, sys
 data = json.load(sys.stdin)
-head = data.get('head') or {}
-base = data.get('base') or {}
-user = data.get('user') or {}
 normalized = {
-    'number': data.get('number') or data.get('index'),
+    'number': data.get('number'),
     'title': data.get('title'),
     'body': data.get('body', ''),
     'state': data.get('state'),
-    'author': user.get('login', ''),
-    'headRefName': head.get('ref') or head.get('label', '').split(':')[-1],
-    'baseRefName': base.get('ref') or base.get('label', '').split(':')[-1],
+    'author': data.get('user', {}).get('login', ''),
+    'headRefName': data.get('head', {}).get('ref', ''),
+    'baseRefName': data.get('base', {}).get('ref', ''),
     'labels': [l.get('name', '') for l in data.get('labels', [])],
     'assignees': [a.get('login', '') for a in data.get('assignees', [])],
     'milestone': data.get('milestone', {}).get('title', '') if data.get('milestone') else '',
     'createdAt': data.get('created_at', ''),
     'updatedAt': data.get('updated_at', ''),
-    'url': data.get('html_url') or data.get('url', ''),
+    'url': data.get('html_url', ''),
     'isDraft': data.get('draft', False),
     'mergeable': data.get('mergeable'),
     'diffUrl': data.get('diff_url', ''),