claude-skills/tea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restructure tea skill into a plugin with a mandatory-login guard

Browse Source 
Convert the standalone `tea` skill into a skills-dir plugin so commands are
namespaced and an enforcement hook can ship with it:

- /tea:login  — pin the project Gitea login into .claude/settings.local.json
- /tea:use    — tea CLI reference (was the old root SKILL.md), with the
                login rule slimmed since the hook now enforces it
- hooks/tea-guard.sh — PreToolUse(Bash) guard: blocks any `tea` command that
  touches Gitea unless it carries --login and $GITEA_LOGIN is set. Exempts
  `tea logins list` and `tea --version/--help` so /tea:login can bootstrap.

References moved under skills/use/references/. `claude plugin validate` passes;
guard unit-tested across allow/block cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
naudachu
2026-05-30 15:54:48 +05:00
parent bb4ad963ee
commit b3db734cd8
12 changed files with 217 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/login/SKILL.md
+40
View File
@@ -0,0 +1,40 @@
---
name: login
description: Pin the Gitea login used by the tea CLI in this project. Run when $GITEA_LOGIN is unset, when the tea-guard hook blocks a command demanding a login, or when the user types /tea:login. Enumerates available logins, lets the user pick one, and persists it to .claude/settings.local.json.
---
# /tea:login — pin the project Gitea login
Goal: select exactly one `tea` login for this project and persist it to
`.claude/settings.local.json` under `env.GITEA_LOGIN`, so every later `tea`
call can pass `--login "$GITEA_LOGIN"`. The `tea-guard` hook blocks every
Gitea-touching `tea` command until this is done — this command is the
remediation it points to.
## Steps
1. Enumerate logins (allowed by the guard even without `--login`):
`tea logins list -o json`
2. **No logins:** stop and ask the user to run `tea logins add` themselves —
it is interactive (prompts for URL/token). Do not run it for them.
3. **One login:** propose pinning it; confirm with the user before writing.
4. **Several logins:** use `AskUserQuestion` to let the user pick. Show each
login's `name`, `user`, and `url` so the choice is unambiguous.
5. Merge the chosen name into `.claude/settings.local.json` under `env`
do not clobber other keys:
```json
{ "env": { "GITEA_LOGIN": "<chosen-name>" } }
```
6. Tell the user: the updated `$GITEA_LOGIN` is only exported into Bash after a
**session restart**. Until they restart, pass the literal name explicitly:
`tea --login <chosen-name> ...`.
## Hard rules (identity safety)
- NEVER run commands that mutate logins or global login state:
`tea logins add/edit/delete/default`, `tea logout`. Read-only
`tea logins list` is the only allowed login command.
- If a `tea` call fails with a permission/scope error, report it to the user.
Do NOT try to fix it by switching to, or editing, a different login.
- If you ever see `no gitea login detected, falling back to login '...'`,
treat it as a hard failure: stop, do not act on the result, surface it.