docs(gitea): require non-interactive git auth on Windows

Mike's objection to Git for Windows is the constant GCM password prompts that hang automation/background pushes, not the tool itself. Document the working fix (repo-local credential.helper=store primed with the azcomputerguru Gitea API token, GIT_TERMINAL_PROMPT=0) in the Gitea Agent definition and shared memory. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 14:54:16 -07:00
parent f3a175e5d6
commit 9ff5a9f04f
3 changed files with 31 additions and 0 deletions
--- a/.claude/agents/gitea.md
+++ b/.claude/agents/gitea.md
@@ -56,6 +56,17 @@ You are the Gitea Agent - the sole custodian of version control for all ClaudeTo
 **Authentication:** SSH key (C:\Users\MikeSwanson\.ssh\id_ed25519)
 **Local Git:** git.exe (Windows Git)
 ### Non-interactive auth (IMPORTANT)
 Mike's hard requirement: git must NEVER sit at an interactive credential/password prompt. That is his actual objection to Git for Windows — its Git Credential Manager (`credential.helper = manager`) pops a prompt and silently hangs any automation/background push. This repo (`D:\ClaudeTools`) is configured to authenticate silently instead: repo-local `credential.helper = store`, primed with the `azcomputerguru` Gitea API token in `~/.git-credentials`, scoped to the internal host `172.16.3.20:3000`. So a plain `git push origin main` / `git fetch` just works with no prompt. The global GCM default is left untouched for other repos.
 Rules when running git here:
 - Run git from the **PowerShell tool** using native `git.exe`; quote Windows paths as-is.
 - ALWAYS set `GIT_TERMINAL_PROMPT=0` (PowerShell: `$env:GIT_TERMINAL_PROMPT='0'`) so a credential failure errors immediately instead of hanging on a hidden prompt — a hang is fatal for background agents.
 - If the stored credential is ever missing, get the token from vault `services/gitea.sops.yaml` field `api-token` (username `azcomputerguru`) and either re-append the `store` line to `~/.git-credentials` or push once to `http://azcomputerguru:<token>@172.16.3.20:3000/azcomputerguru/claudetools.git`.
 - Note: git writes progress (including "Everything up-to-date") to stderr; under PowerShell 5.1 that surfaces as a `NativeCommandError` even on success — trust `$LASTEXITCODE`/`EXIT=0`, not the red text.
 - System OpenSSH (not Git's bundled SSH) remains the rule for any SSH-based remote.
 See memory: `feedback_git_noninteractive_auth`.
 ## Repository Structure
 ### System Repository
--- a/.claude/memory/MEMORY.md
+++ b/.claude/memory/MEMORY.md
@@ -43,6 +43,7 @@
 - [Point vault-access teammates at SOPS path](feedback_vault_pointer_for_teammates.md) — When relaying infra/credential info to Howard or other vault-access teammates, hand over the SOPS path + key anchors; don't transcribe the entry's fields into the message.
 - [/tmp path mismatch on Windows](feedback_tmp_path_windows.md) — Write tool and Git Bash resolve `/tmp` to DIFFERENT real dirs. Use heredoc or workspace path for JSON payloads handed to curl.
 - [Windows bash command mapping](feedback_windows_bash_mapping.md) — `bash` often resolves to WSL stub instead of Git/MSYS bash required by the harness. Fix by prepending `C:\Program Files\Git\bin` (and usr\bin) to PATH, or source `.claude/scripts/ensure-git-bash.ps1`. Profile has the logic; use plain `bash .claude/scripts/...` after remap. See the helper and this memory file for details.
 - [Git must authenticate non-interactively](feedback_git_noninteractive_auth.md) — Mike's gripe with Git for Windows is the constant password prompts (GCM) that hang automation, NOT the tool itself. D:\ClaudeTools is set to `credential.helper=store` primed with the azcomputerguru Gitea API token (host 172.16.3.20:3000); always set `GIT_TERMINAL_PROMPT=0`. Any never-prompts solution is acceptable.
 - [SQL instance role — verify by connections, not name](feedback_sql_instance_role_by_connection.md) — Standard installed under default `SQLEXPRESS` instance name is real. Prove role with `sys.dm_exec_sessions` + `Get-NetTCPConnection -OwningProcess` before recommending stop/uninstall.
 - [Clear-RecycleBin fails silently as SYSTEM](feedback_clear_recyclebin_system_context.md) — RMM-dispatched cleanup scripts cannot use `Clear-RecycleBin -Force`; the cmdlet uses Shell COM and silently no-ops without an interactive desktop. Enumerate `C:\$Recycle.Bin\<SID>\*` directly.
 - [Graph CA policy reads are eventually consistent](feedback_graph_ca_policy_eventual_consistency.md) — After PATCHing a CA policy (204), wait ~5s before GET-verifying; immediate reads can be stale.
--- a/.claude/memory/feedback_git_noninteractive_auth.md
+++ b/.claude/memory/feedback_git_noninteractive_auth.md
@@ -0,0 +1,19 @@
 ---
 name: feedback_git_noninteractive_auth
 description: Mike's objection to Git for Windows is interactive password/credential prompts, not the tool itself. Git must authenticate non-interactively — any solution that never prompts is fine.
 metadata:
  type: feedback
 ---
 Mike (admin, owner) clarified: he doesn't dislike git itself or the PowerShell-vs-bash choice. He dislikes that **Git for Windows constantly prompts for passwords and is impossible to automate** (Git Credential Manager, `credential.helper = manager`, pops a prompt that silently hangs background pushes). His instruction: "use any solution that doesn't bother me all the time."
 **Why:** An interactive credential prompt is invisible to a background agent — it hangs forever and the work never completes. Observed live 2026-06-06: a Gitea Agent background `git push` hung on a GCM prompt; `git log origin/main..main` still showed the commit unpushed. Killing the agent + pushing with a token fixed it.
 **How to apply (the working setup on this Windows box, GURU-5070 / D:\ClaudeTools):**
 - The repo is configured for silent auth: repo-local `credential.helper = store`, primed with the `azcomputerguru` Gitea API token in `~/.git-credentials`, scoped to the internal Gitea host `http://172.16.3.20:3000`. Plain `git push origin main` / `git fetch` then works with no prompt. Global GCM (`manager`) left untouched for other repos.
 - ALWAYS export `GIT_TERMINAL_PROMPT=0` before git calls so auth failures error fast instead of hanging on a hidden prompt.
 - Token source if it needs re-priming: vault `services/gitea.sops.yaml` field `api-token`, username `azcomputerguru`. One-shot push URL: `http://azcomputerguru:<token>@172.16.3.20:3000/azcomputerguru/claudetools.git`.
 - Run git from the PowerShell tool (native `git.exe`). Under PowerShell 5.1, git's stderr progress (even "Everything up-to-date") surfaces as a red `NativeCommandError` on success — trust `$LASTEXITCODE`, not the text.
 - The Gitea Agent definition (`.claude/agents/gitea.md`) carries this same guidance so delegated pushes also stay non-interactive.
 Related Windows gotchas (separate issues, still real): [[feedback_windows_bash_mapping]], [[feedback_tmp_path_windows]], [[feedback_jq_crlf_windows]]. Gitea API auth detail: [[reference_gitea_api_credential]].