---
name: login
description: Pin the Gitea login used by the tea CLI in this project. Run when $GITEA_LOGIN is unset, when the tea-guard hook blocks a command demanding a login, or when the user types /tea:login. Enumerates available logins, lets the user pick one, and persists it to .claude/settings.local.json.
---

# /tea:login — pin the project Gitea login

Goal: select exactly one `tea` login for this project and persist it to
`.claude/settings.local.json` under `env.GITEA_LOGIN`, so every later `tea`
call can pass `--login "$GITEA_LOGIN"`. The `tea-guard` hook blocks every
Gitea-touching `tea` command until this is done — this command is the
remediation it points to.

## Steps

1. Enumerate logins (allowed by the guard even without `--login`):
   `tea logins list -o json`
2. **No logins:** stop and ask the user to run `tea logins add` themselves —
   it is interactive (prompts for URL/token). Do not run it for them.
3. **One login:** propose pinning it; confirm with the user before writing.
4. **Several logins:** use `AskUserQuestion` to let the user pick. Show each
   login's `name`, `user`, and `url` so the choice is unambiguous.
5. Merge the chosen name into `.claude/settings.local.json` under `env` —
   do not clobber other keys:
   ```json
   { "env": { "GITEA_LOGIN": "<chosen-name>" } }
   ```
6. Tell the user: the updated `$GITEA_LOGIN` is only exported into Bash after a
   **session restart**. Until they restart, pass the literal name explicitly:
   `tea --login <chosen-name> ...`.

## Hard rules (identity safety)

- NEVER run commands that mutate logins or global login state:
  `tea logins add/edit/delete/default`, `tea logout`. Read-only
  `tea logins list` is the only allowed login command.
- If a `tea` call fails with a permission/scope error, report it to the user.
  Do NOT try to fix it by switching to, or editing, a different login.
- If you ever see `no gitea login detected, falling back to login '...'`,
  treat it as a hard failure: stop, do not act on the result, surface it.