store: CT 302 Gitea push: embedded-credential URL rejected, use http.extraHeader instead

2026-02-20 08:56:32 -06:00 · 2026-02-20 08:56:32 -06:00 · 8e76020d2d
commit 8e76020d2d
parent fddb2d5d2c
1 changed files with 40 additions and 0 deletions
--- a/graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md
+++ b/graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md
@ -0,0 +1,40 @@
+---
+id: c5a9dff8-5ebe-4e5e-8494-c46333728db8
+type: fix
+title: "CT 302 Gitea push: embedded-credential URL rejected, use http.extraHeader instead"
+tags: [gitea, claude-runner, git, authentication, fix]
+importance: 0.6
+confidence: 0.8
+created: "2026-02-20T14:56:32.846201+00:00"
+updated: "2026-02-20T14:56:32.846201+00:00"
+---
+
+## Problem
+
+Pushing from CT 302 (claude-runner, 10.10.0.148) to Gitea failed with 403 Forbidden, even though the token was valid. The remote URL had the token embedded in the URL:
+
+```
+https://cal:<token>@git.manticorum.com/cal/claude-runner-monitoring.git
+```
+
+Gitea rejected this format.
+
+## Fix
+
+1. Set remote to plain HTTPS (no credentials in URL):
+   ```
+   git remote set-url origin https://git.manticorum.com/cal/claude-runner-monitoring.git
+   ```
+
+2. Configure persistent auth header in git config:
+   ```
+   git config http.https://git.manticorum.com/.extraHeader 'Authorization: token <token>'
+   ```
+
+Token is stored in `~/.claude/secrets/claude_runner_monitoring_gitea_token` on the workstation.
+
+## Notes
+
+- SSH git remote also doesn't work from CT 302 — no SSH key registered with Gitea for root@claude-runner
+- The `http.extraHeader` approach applies to all repos under `git.manticorum.com` from CT 302
+- Credential helper approach failed due to shell escaping issues over SSH