claude-skills/tea - tea - Gitea: Git with a cup of tea

claude-skills/tea

Fork 0

Commit Graph

Author	SHA1	Message	Date
naudachu	bac45028bf	tea-guard: resolve and rewrite --login instead of env-checking The previous guard required $GITEA_LOGIN to be set in the Bash environment, which (a) only happens after a session restart and (b) let Claude name any login it liked as long as one was set. Two failures: pinning needed a restart to take effect, and Claude could pick the wrong identity from memory. Rewrite the guard (now python3 for JSON in/out) to RESOLVE the login itself: - Claude must write the literal placeholder --login "$GITEA_LOGIN". - The hook reads the operator's pin from .claude/settings.local.json (env.GITEA_LOGIN) at call time — from the FILE via CLAUDE_PROJECT_DIR/cwd walk-up — and rewrites the command to that literal via updatedInput. - A literal login, another variable, an empty value, or a missing --login are all blocked: Claude may not choose the identity, only the operator may. - No pin -> block with a pointer to /tea:login. Effect: pinning works in the same session (no restart), and Claude can no longer act under a login it picked. /tea:login now mandates an explicit operator choice (AskUserQuestion), never inferring from memory. /tea:use documents the placeholder-only contract. Guard unit-tested across 13 rewrite/block/passthrough cases incl. -l, --login=, ${...}, compound+walkup+pipe. claude plugin validate passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 16:26:54 +05:00
naudachu	b3db734cd8	Restructure tea skill into a plugin with a mandatory-login guard Convert the standalone `tea` skill into a skills-dir plugin so commands are namespaced and an enforcement hook can ship with it: - /tea:login — pin the project Gitea login into .claude/settings.local.json - /tea:use — tea CLI reference (was the old root SKILL.md), with the login rule slimmed since the hook now enforces it - hooks/tea-guard.sh — PreToolUse(Bash) guard: blocks any `tea` command that touches Gitea unless it carries --login and $GITEA_LOGIN is set. Exempts `tea logins list` and `tea --version/--help` so /tea:login can bootstrap. References moved under skills/use/references/. `claude plugin validate` passes; guard unit-tested across allow/block cases. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 15:54:48 +05:00

Author

SHA1

Message

Date

naudachu

bac45028bf

tea-guard: resolve and rewrite --login instead of env-checking

The previous guard required $GITEA_LOGIN to be set in the Bash environment,
which (a) only happens after a session restart and (b) let Claude name any
login it liked as long as one was set. Two failures: pinning needed a restart
to take effect, and Claude could pick the wrong identity from memory.

Rewrite the guard (now python3 for JSON in/out) to RESOLVE the login itself:

- Claude must write the literal placeholder --login "$GITEA_LOGIN".
- The hook reads the operator's pin from .claude/settings.local.json
  (env.GITEA_LOGIN) at call time — from the FILE via CLAUDE_PROJECT_DIR/cwd
  walk-up — and rewrites the command to that literal via updatedInput.
- A literal login, another variable, an empty value, or a missing --login are
  all blocked: Claude may not choose the identity, only the operator may.
- No pin -> block with a pointer to /tea:login.

Effect: pinning works in the same session (no restart), and Claude can no
longer act under a login it picked. /tea:login now mandates an explicit
operator choice (AskUserQuestion), never inferring from memory. /tea:use
documents the placeholder-only contract.

Guard unit-tested across 13 rewrite/block/passthrough cases incl. -l,
--login=, ${...}, compound+walkup+pipe. claude plugin validate passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-30 16:26:54 +05:00

naudachu

b3db734cd8

Restructure tea skill into a plugin with a mandatory-login guard

Convert the standalone `tea` skill into a skills-dir plugin so commands are
namespaced and an enforcement hook can ship with it:

- /tea:login  — pin the project Gitea login into .claude/settings.local.json
- /tea:use    — tea CLI reference (was the old root SKILL.md), with the
                login rule slimmed since the hook now enforces it
- hooks/tea-guard.sh — PreToolUse(Bash) guard: blocks any `tea` command that
  touches Gitea unless it carries --login and $GITEA_LOGIN is set. Exempts
  `tea logins list` and `tea --version/--help` so /tea:login can bootstrap.

References moved under skills/use/references/. `claude plugin validate` passes;
guard unit-tested across allow/block cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-30 15:54:48 +05:00

2 Commits