fix(gtea): embed git credentials in URL; fix double /api/v1 path; add git-lfs

- test_git_push.py + test_lfs_roundtrip.py: use cred_url (https://user:pass@host/...)
  instead of GIT_CONFIG_COUNT insteadOf rewriting, which silently failed to
  propagate credentials to the push step (repo remained empty after push exit 0).
  Also add GIT_SSL_NO_VERIFY=true and GIT_TERMINAL_PROMPT=0.
- test_lfs_roundtrip.py: fix restart health-poll path /api/v1/version → /version
  (_api() already prepends /api/v1; double prefix produced 404 and a 120s timeout).
- nix/hosts/cc-ci/configuration.nix: add git-lfs to systemPackages (required for
  the LFS capstone test on the lfs-plain-gitea PR branch).

Adversary pre-M1 findings: Issue 1 (git-lfs absent) + Issue 2 (double path) both fixed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nix/hosts/cc-ci/configuration.nix

@@ -56,6 +56,7 @@
   environment.systemPackages = with pkgs; [
     curl
     git
+    git-lfs
     jq
     openssh
   ];

tests/gitea/custom/test_git_push.py

@@ -77,7 +77,9 @@ def test_git_push(live_app):
         user=user, password=password,
     )
     assert status == 201, f"repo create HTTP {status}: {body}"
-    clone_url = body.get("clone_url") or f"https://{live_app}/{user}/{repo_name}.git"
+    # Embed credentials directly in the URL so clone + push both work without
+    # a separate credential helper. Password is a 32-char hex string (URL-safe).
+    cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
 
     tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-push-")
     try:
@@ -86,14 +88,12 @@ def test_git_push(live_app):
             "GIT_AUTHOR_EMAIL": "ci@ci.local",
             "GIT_COMMITTER_NAME": "CI Test Bot",
             "GIT_COMMITTER_EMAIL": "ci@ci.local",
-            # Embed credentials so HTTPS push works without interactive prompt.
+            "GIT_SSL_NO_VERIFY": "true",
-            "GIT_CONFIG_COUNT": "1",
+            "GIT_TERMINAL_PROMPT": "0",
-            "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
-            "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
         }
 
         # 2. Clone (empty repo)
-        _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+        _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
         _run_git(["checkout", "-b", "main"], cwd=tmpdir, env=git_env)
 
         # 3. Commit a file

tests/gitea/custom/test_lfs_roundtrip.py

@@ -90,15 +90,14 @@ def test_lfs_roundtrip(live_app):
 
     user, password = admin_creds(live_app)
     repo_name = "ci-lfs-test"
+    # Embed credentials directly in the URL (password is 32-char hex, URL-safe).
+    cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
     git_env = {
         "GIT_AUTHOR_NAME": "CI LFS Bot",
         "GIT_AUTHOR_EMAIL": "ci@ci.local",
         "GIT_COMMITTER_NAME": "CI LFS Bot",
         "GIT_COMMITTER_EMAIL": "ci@ci.local",
-        "GIT_CONFIG_COUNT": "1",
+        "GIT_SSL_NO_VERIFY": "true",
-        "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
-        "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
-        # Suppress interactive LFS credential prompts
         "GIT_TERMINAL_PROMPT": "0",
     }
 
@@ -109,12 +108,11 @@ def test_lfs_roundtrip(live_app):
         user=user, password=password,
     )
     assert status in (201, 409), f"repo create HTTP {status}: {body}"
-    clone_url = f"https://{live_app}/{user}/{repo_name}.git"
 
     tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-")
     try:
         # 2. Clone repo
-        _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+        _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
         _run_git(["lfs", "install"], cwd=tmpdir, env=git_env)
 
         # 3. Track *.bin as LFS
@@ -145,7 +143,7 @@ def test_lfs_roundtrip(live_app):
         # 6. Download in a FRESH clone (proves the LFS server stores and serves the object)
         fresh_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-dl-")
         try:
-            _run_git(["clone", clone_url, fresh_dir], cwd="/tmp", env=git_env)
+            _run_git(["clone", cred_url, fresh_dir], cwd="/tmp", env=git_env)
             fetched_path = os.path.join(fresh_dir, "testblob.bin")
             assert os.path.exists(fetched_path), "testblob.bin not fetched in fresh clone"
             with open(fetched_path, "rb") as f:
@@ -181,7 +179,7 @@ def test_lfs_roundtrip(live_app):
         import time
         deadline = time.time() + 120
         while time.time() < deadline:
-            status2, _ = _api(live_app, "/api/v1/version", user=user, password=password)
+            status2, _ = _api(live_app, "/version", user=user, password=password)
             if status2 == 200:
                 break
             time.sleep(5)
@@ -200,7 +198,7 @@ def test_lfs_roundtrip(live_app):
         # 8. Verify a fresh clone still works after restart (tokens still validate)
         post_restart_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-restart-")
         try:
-            _run_git(["clone", clone_url, post_restart_dir], cwd="/tmp", env=git_env)
+            _run_git(["clone", cred_url, post_restart_dir], cwd="/tmp", env=git_env)
             pr_blob = os.path.join(post_restart_dir, "testblob.bin")
             assert os.path.exists(pr_blob), "testblob.bin not fetched in post-restart clone"
             with open(pr_blob, "rb") as f: