dev: use forgejo-cli (fj) instead of tea

evolution/proposals/ECP-0061-agenix-secrets.md

@@ -7,7 +7,7 @@ Status: Draft
 Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:
 
 - Cloudflare API token (local `wrangler deploy`)
-- Codeberg token (optional; for `tea` CLI)
+- Codeberg token (optional; for `fj` CLI)
 
 ## Non-Goals
 
@@ -23,10 +23,10 @@ Provide a simple, repo-native way to manage a small set of long-lived tokens for
      - `secrets/codeberg-token.age`
 2. Add tools to the nix dev shell:
    - `agenix`
-   - `tea` (Forgejo/Gitea-compatible CLI)
+   - `forgejo-cli` (`fj`)
 3. Update scripts to use these secrets opportunistically:
    - `scripts/deploy-workers.sh` loads `CLOUDFLARE_API_TOKEN` via `agenix -d` when present.
-   - `scripts/tea-login-codeberg.sh` configures `tea` using `CODEBERG_TOKEN` (env) or `agenix`.
+   - `scripts/fj-auth-codeberg.sh` configures `fj` using `CODEBERG_TOKEN` (env) or `agenix`.
 
 ## Rationale
 
@@ -37,4 +37,3 @@ CI remains clean and auditable by using the platform's secret store.
 
 - Additive. If a developer doesn't use `agenix`, nothing breaks.
 - Easy to remove later if a different secret system is adopted.
-

flake.nix

@@ -47,7 +47,7 @@
             nodejs_22
             nodePackages.wrangler
             agenix
-            tea
+            forgejo-cli
             uv
             git
             just
@@ -76,7 +76,7 @@
             openssl
             ffmpeg
             agenix
-            tea
+            forgejo-cli
             git
           ];
 

scripts/fj-auth-codeberg.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "${root}"
 
-# Forgejo CLI: `tea` (Gitea-compatible)
+# Forgejo CLI: `fj`
 #
 # Auth token source order:
 # 1) CODEBERG_TOKEN env var
@@ -21,7 +21,7 @@ if [[ -z "${CODEBERG_TOKEN:-}" ]]; then
   exit 2
 fi
 
-# Name the login "codeberg" and point at https://codeberg.org.
-tea login add --name codeberg --url https://codeberg.org --token "${CODEBERG_TOKEN}" --insecure=false
-echo "tea configured. Try: tea repo ls"
+# Avoid passing the token on the command line (shows up in process listings); use stdin.
+printf "%s" "${CODEBERG_TOKEN}" | fj -H https://codeberg.org auth add-key every-channel
+echo "fj configured. Try: fj -H https://codeberg.org whoami"
 

secrets/README.md

@@ -8,7 +8,7 @@ CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather th
 
 - `secrets/secrets.nix`: recipients + secret file mapping
 - `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
-- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
+- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `fj` (optional)
 
 ## Create / edit secrets (local)
 
@@ -35,4 +35,3 @@ agenix -d cloudflare-api-token.age
 ## Decryption identity
 
 `agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
-