# Authentication

Agents need Gitea credentials to work autonomously via both MCP tools and the `tea` CLI fallback.

## Credential Source

Credentials are stored in a **project-level** `.claude/.env` file (never in global env, to avoid overriding user's personal credentials).

### Required variables

```
GITEA_HOST=https://git.marlerino-apps.io
GITEA_ACCESS_TOKEN=<api-token>
GITEA_USER=<username>
GITEA_PASS=<password>
```

- `GITEA_ACCESS_TOKEN` — primary auth method (API token, used by MCP and `tea`)
- `GITEA_USER` / `GITEA_PASS` — fallback for basic auth when token is unavailable

### Bootstrap

If `.claude/.env` does not exist, create it with empty values as a template:

```bash
mkdir -p .claude
cat > .claude/.env << 'EOF'
GITEA_HOST=
GITEA_ACCESS_TOKEN=
GITEA_USER=
GITEA_PASS=
EOF
```

Then tell the user: "Created `.claude/.env` — please fill in your Gitea credentials and re-run."
Stop execution — do not proceed without credentials.

Also ensure `.claude/.env` is in `.gitignore`:

```bash
grep -qxF '.claude/.env' .gitignore 2>/dev/null || echo '.claude/.env' >> .gitignore
```

### Loading credentials

Before any Gitea operation, load credentials:

```bash
set -a; source .claude/.env; set +a
```

After loading, verify values are non-empty. If any required variable is empty, tell the user to fill in `.claude/.env` and stop.

### tea CLI login

If `tea` is not yet logged in for this project, authenticate using loaded credentials:

```bash
tea login add \
  --name project \
  --url "$GITEA_HOST" \
  --token "$GITEA_ACCESS_TOKEN" \
  --user "$GITEA_USER"
```

## Security

- `.claude/.env` MUST be in `.gitignore` — never commit credentials
- Agents bootstrap `.claude/.env` automatically if missing, but never fill in credential values themselves