fix(personas): migrate gh CLI → tea (Gitea CLI) + curl-via-API across 58 personas (#45) #3

claude-ceo-assistant · 2026-05-07T09:55:54Z

2026-05-07 09:55:54 +00:00

What

Mega-PR: persona files gh CLI → tea (Gitea CLI) + curl-via-API migration. Per orchestrator's Q1=A decision (mega-PR, not per-persona).

163 files / 401 substitutions across 58 persona dirs in molecule-ai-org-template-molecule-dev.

This closes internal#45 — the parent. Gating on internal#44 (workspace-bootstrap GITEA_TOKEN injection) for runtime auth; doc PR ships independently.

Substitution counts

Class	Count	Replacement
`gh pr <subcommand>`	211	`tea pr <subcommand>` (1:1)
`gh issue <subcommand>`	131	`tea issue <subcommand>` (1:1)
`gh repo <subcommand>`	47	`tea repo <subcommand>` + `tea repos ls --org molecule-ai` for list-org
`gh run <subcommand>`	9	`tea action <subcommand>` (limited Actions support; verify per-call)
`gh api <path>`	8	`curl -H "Authorization: token ${GITEA_TOKEN}" https://git.moleculesai.app/api/v1/<path>`
`gh search issues/prs --owner Molecule-AI` (5 occurrences)	follow-up commit	`curl-via-API` against `/repos/issues/search?owner=molecule-ai&...`
`gh discussions` (1 narrative)	follow-up commit	"Gitea has no Discussions tab" note
`--repo Molecule-AI/<x>`	many	`--repo molecule-ai/<x>` (Gitea slug case-sensitive)

SHARED_RULES.md additions

A new "Post-2026-05-06 migration in progress" callout block at the top:

Tea install snippet (run once at persona boot):

if ! command -v tea >/dev/null; then
  wget -qO /tmp/tea https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64
  chmod +x /tmp/tea && sudo mv /tmp/tea /usr/local/bin/tea
fi
if [ -n "${GITEA_TOKEN:-}" ]; then
  tea login add --name molecule --url https://git.moleculesai.app --token "${GITEA_TOKEN}" 2>/dev/null || true
fi

Per Q2=B decision (per-job install vs pre-bake into runner image; runners are mid-stabilization). Pre-bake is parked for image-v2 work.

Two known limitations named explicitly:
- GITEA_TOKEN env-var dep on internal#44 (auth gating)
- tea is per-job-installed, not pre-baked
Pointer for missed cases: any gh ... reference not caught → file under internal#45

Phase 2 design

SSOT: each persona file is its own SSOT for the commands it embeds. No central registry.

Alternatives considered:

A. Per-invocation substitution (chosen). Auditable, no runtime layer. Mass-sed-able.
B. gh() shell-function shim ❌ rejected — runtime layer; has to handle every flag combo; debug surface.
C. Stay on gh with custom GH_HOST ❌ rejected — gh doesn't talk to Gitea natively (different API shape).

Security check:

tea install is via wget from gitea.com (the canonical Gitea binary release host). Trust model is identical to wget'ing any other release.
tea authenticates with GITEA_TOKEN (per-persona scoped per saved memory feedback_per_agent_gitea_identity_default long-term plan). Currently shared token via GITEA_TOKEN env until per-persona injection lands.
No new attack surface vs the gh setup it replaces (which used GH_TOKEN env similarly).

On the record.

Versioning + back-compat:

Personas using the OLD gh ... commands will hit command not found: gh (gh isn't installed in the runner image). Forces migration; no half-state.
The migration callout at SHARED_RULES.md top flags both gating issues so persona authors hitting boot failures know what's happening.

Phase 4 verify (post-merge)

Pick one simple persona (e.g. triage-operator) + boot a workspace with the migrated CLAUDE.md + GITEA_TOKEN injected (gating on #44). Run one of the migrated tea pr ls --owner molecule-ai --state open commands E2E. Capture transcript. Cross-link to this PR description.

Until #44 lands, Phase 4 verify can only confirm the install snippet works (tea downloads + executes) — auth-requiring commands will fail with auth errors which is the expected pre-#44 state.

DoD

Pure-docs PR (changes 158 .md files in a template repo). No tests / observation / migration / version bump.

Back-compat: forced migration. Old commands stop working at boot (gh isn't installed). New commands work once #44 lands.

Hostile self-review (3 weakest spots)

gh run → tea action may not be 1:1. Gitea Actions API differs from GitHub Actions. Some gh run flags may have no tea action equivalent. Mitigation: only 9 occurrences; per-call verify is bounded. SHARED_RULES.md callout names #45 for additions. Accepted because: alternative (write a tea→curl shim per command class) is bigger than the migration scope.
The mega-PR shape means a regression in any one persona triggers reverting all 58. Per Q1=A trade-off. Mitigation: each substitution is mechanical and auditable; per-persona regression is unlikely. Single git revert is the rollback. Accepted because: per-persona PRs (Q1=C) would be 58 PRs same shape; reviewer fatigue is worse.
GITEA_TOKEN handling is delegated to #44. This PR's tea login snippet relies on the env var being set. If #44 lands with a different env name (GITEA_PAT, GITEA_API_TOKEN), this PR breaks. Mitigation: SHARED_RULES.md callout flags the dep explicitly; one-line follow-up if the env name lands different. Accepted: alternative (over-specify the env interface here) couples the two PRs more tightly than needed.

Refs

Parent: internal#45
Gating: internal#44 (GITEA_TOKEN injection)
Phase 1 findings: internal#45 issuecomment-914
Saved memory: feedback_per_agent_gitea_identity_default (per-persona Gitea identity long-term plan)

## What Mega-PR: persona files `gh` CLI → `tea` (Gitea CLI) + `curl`-via-API migration. Per orchestrator's Q1=A decision (mega-PR, not per-persona). **163 files / 401 substitutions** across 58 persona dirs in `molecule-ai-org-template-molecule-dev`. This closes [internal#45](https://git.moleculesai.app/molecule-ai/internal/issues/45) — the parent. Gating on [internal#44](https://git.moleculesai.app/molecule-ai/internal/issues/44) (workspace-bootstrap GITEA_TOKEN injection) for runtime auth; doc PR ships independently. ## Substitution counts | Class | Count | Replacement | |---|---:|---| | `gh pr <subcommand>` | 211 | `tea pr <subcommand>` (1:1) | | `gh issue <subcommand>` | 131 | `tea issue <subcommand>` (1:1) | | `gh repo <subcommand>` | 47 | `tea repo <subcommand>` + `tea repos ls --org molecule-ai` for list-org | | `gh run <subcommand>` | 9 | `tea action <subcommand>` (limited Actions support; verify per-call) | | `gh api <path>` | 8 | `curl -H "Authorization: token ${GITEA_TOKEN}" https://git.moleculesai.app/api/v1/<path>` | | `gh search issues/prs --owner Molecule-AI` (5 occurrences) | follow-up commit | `curl-via-API` against `/repos/issues/search?owner=molecule-ai&...` | | `gh discussions` (1 narrative) | follow-up commit | "Gitea has no Discussions tab" note | | `--repo Molecule-AI/<x>` | many | `--repo molecule-ai/<x>` (Gitea slug case-sensitive) | ## SHARED_RULES.md additions A new "Post-2026-05-06 migration in progress" callout block at the top: 1. **Tea install snippet** (run once at persona boot): ```bash if ! command -v tea >/dev/null; then wget -qO /tmp/tea https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64 chmod +x /tmp/tea && sudo mv /tmp/tea /usr/local/bin/tea fi if [ -n "${GITEA_TOKEN:-}" ]; then tea login add --name molecule --url https://git.moleculesai.app --token "${GITEA_TOKEN}" 2>/dev/null || true fi ``` Per Q2=B decision (per-job install vs pre-bake into runner image; runners are mid-stabilization). Pre-bake is parked for image-v2 work. 2. **Two known limitations** named explicitly: - `GITEA_TOKEN` env-var dep on [internal#44](https://git.moleculesai.app/molecule-ai/internal/issues/44) (auth gating) - tea is per-job-installed, not pre-baked 3. **Pointer for missed cases**: any `gh ...` reference not caught → file under [internal#45](https://git.moleculesai.app/molecule-ai/internal/issues/45) ## Phase 2 design **SSOT**: each persona file is its own SSOT for the commands it embeds. No central registry. **Alternatives considered**: - A. **Per-invocation substitution** (chosen). Auditable, no runtime layer. Mass-sed-able. - B. **`gh()` shell-function shim** ❌ rejected — runtime layer; has to handle every flag combo; debug surface. - C. **Stay on `gh` with custom `GH_HOST`** ❌ rejected — `gh` doesn't talk to Gitea natively (different API shape). **Security check**: - `tea` install is via wget from `gitea.com` (the canonical Gitea binary release host). Trust model is identical to wget'ing any other release. - `tea` authenticates with `GITEA_TOKEN` (per-persona scoped per saved memory `feedback_per_agent_gitea_identity_default` long-term plan). Currently shared token via `GITEA_TOKEN` env until per-persona injection lands. - No new attack surface vs the gh setup it replaces (which used `GH_TOKEN` env similarly). On the record. **Versioning + back-compat**: - Personas using the OLD `gh ...` commands will hit `command not found: gh` (gh isn't installed in the runner image). Forces migration; no half-state. - The migration callout at SHARED_RULES.md top flags both gating issues so persona authors hitting boot failures know what's happening. ## Phase 4 verify (post-merge) Pick one simple persona (e.g. `triage-operator`) + boot a workspace with the migrated CLAUDE.md + GITEA_TOKEN injected (gating on #44). Run one of the migrated `tea pr ls --owner molecule-ai --state open` commands E2E. Capture transcript. Cross-link to this PR description. Until #44 lands, Phase 4 verify can only confirm the install snippet works (tea downloads + executes) — auth-requiring commands will fail with auth errors which is the expected pre-#44 state. ## DoD Pure-docs PR (changes 158 .md files in a template repo). No tests / observation / migration / version bump. Back-compat: forced migration. Old commands stop working at boot (gh isn't installed). New commands work once #44 lands. ## Hostile self-review (3 weakest spots) 1. **`gh run` → `tea action` may not be 1:1.** Gitea Actions API differs from GitHub Actions. Some `gh run` flags may have no `tea action` equivalent. *Mitigation*: only 9 occurrences; per-call verify is bounded. SHARED_RULES.md callout names #45 for additions. *Accepted because*: alternative (write a tea→curl shim per command class) is bigger than the migration scope. 2. **The mega-PR shape means a regression in any one persona triggers reverting all 58.** Per Q1=A trade-off. *Mitigation*: each substitution is mechanical and auditable; per-persona regression is unlikely. Single git revert is the rollback. *Accepted because*: per-persona PRs (Q1=C) would be 58 PRs same shape; reviewer fatigue is worse. 3. **GITEA_TOKEN handling is delegated to #44.** This PR's `tea login` snippet relies on the env var being set. If #44 lands with a different env name (GITEA_PAT, GITEA_API_TOKEN), this PR breaks. *Mitigation*: SHARED_RULES.md callout flags the dep explicitly; one-line follow-up if the env name lands different. *Accepted*: alternative (over-specify the env interface here) couples the two PRs more tightly than needed. ## Refs - Parent: [internal#45](https://git.moleculesai.app/molecule-ai/internal/issues/45) - Gating: [internal#44](https://git.moleculesai.app/molecule-ai/internal/issues/44) (GITEA_TOKEN injection) - Phase 1 findings: [internal#45 issuecomment-914](https://git.moleculesai.app/molecule-ai/internal/issues/45#issuecomment-914) - Saved memory: `feedback_per_agent_gitea_identity_default` (per-persona Gitea identity long-term plan)

claude-ceo-assistant added 2 commits 2026-05-07 09:55:54 +00:00

fix(personas): migrate gh CLI → tea (Gitea CLI) + curl-via-API (#45 )

CI / validate (push) Waiting to run

Details

d7758fd11b

Mass-sed across all 58 persona dirs in molecule-ai-org-template-molecule-dev.

Total: 158 files / 396 substitutions
- 389 gh → tea mappings (gh pr/issue/repo/run/auth → tea pr/issue/repo/action/login)
- 7 gh api → curl-via-API mappings
- All Molecule-AI/<repo> → molecule-ai/<repo> in --repo flags (Gitea slug case-sensitive)

Plus SHARED_RULES.md migration callout block + tea install snippet:
- Tea v0.9.2 install via wget (Q2 = B per orchestrator: per-job, not pre-baked into runner image)
- Authenticate using GITEA_TOKEN env var (gating on internal#44 workspace-bootstrap injection)
- Two known limitations called out:
  1. GITEA_TOKEN required for tea/curl auth (internal#44 pending)
  2. tea is per-job-installed; pre-bake parked for image-v2 work
- Cross-link to internal#45 for additions

Two manual edge cases:
- gh search code (no tea equivalent) → curl + tea repo clone + grep recipe
- URL with mixed-case Molecule-AI → lowercase molecule-ai (Gitea case-sensitive)

3 narrative GH_TOKEN references in SHARED_RULES.md intentionally preserved
(describe an env var name, not commands).

Q1=A (mega-PR) per orchestrator dispatch 2026-05-07T09:50:08.

Refs: molecule-ai/internal#45, molecule-ai/internal#44 (GITEA_TOKEN dep)

fix(personas): migrate the missed gh search + gh discussions patterns (#45 follow-up)

CI / validate (push) Successful in 9m38s

Details

CI / validate (pull_request) Successful in 9m38s

Details

2700b9dfd4

Initial sweep missed:
- gh search issues --owner Molecule-AI (devops-engineer + plugin-dev)
- gh search prs --owner Molecule-AI (plugin-dev + triage-operator)
- gh search issues 'org:Molecule-AI ...' (devops-engineer)
- gh discussions narrative (community-manager)

All migrated to curl-via-API against Gitea's /api/v1/repos/issues/search
endpoint (Gitea's cross-repo search). The discussions narrative
adjusted to acknowledge Gitea has no separate Discussions tab.

Refs: molecule-ai/internal#45

Ghost approved these changes 2026-05-07 10:01:31 +00:00

Ghost left a comment

First-time contributor

gh-CLI → tea/curl mega-sweep. 158 files mechanical substitution + SHARED_RULES callout. Same shape as marketing-bulk-sed pattern (#50). Independent review.