feat: initial repo — docs and scripts for Gitea read-only token access

Three-layer access scheme: owner -> reader account -> scoped API token.
Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/manual-setup.md

@@ -0,0 +1,137 @@
+# Manual Setup via curl
+
+Step-by-step commands for setting up read-only access manually.
+Replace placeholders with your actual values.
+
+## Variables
+
+```bash
+GITEA_API="https://git.example.com/api/v1"
+OWNER="myuser"
+OWNER_PASS="mypassword"
+READER="myreader"
+READER_PASS="readerpassword"
+READER_EMAIL="myreader@noreply.local"
+```
+
+## 1. Create Reader Account
+
+```bash
+curl -X POST "$GITEA_API/admin/users" \
+  -u "$OWNER:$OWNER_PASS" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "username": "'"$READER"'",
+    "password": "'"$READER_PASS"'",
+    "email": "'"$READER_EMAIL"'",
+    "must_change_password": false,
+    "visibility": "public"
+  }'
+```
+
+Expected: HTTP 201
+
+## 2. Activate Account
+
+Some Gitea configurations require explicit activation:
+
+```bash
+curl -X PATCH "$GITEA_API/admin/users/$READER" \
+  -u "$OWNER:$OWNER_PASS" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "active": true,
+    "visibility": "public",
+    "login_name": "'"$READER"'"
+  }'
+```
+
+## 3. Create API Token
+
+Authenticate as the reader to create a token with limited scope:
+
+```bash
+curl -X POST "$GITEA_API/users/$READER/tokens" \
+  -u "$READER:$READER_PASS" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "installer-readonly",
+    "scopes": ["read:repository"]
+  }'
+```
+
+Response:
+```json
+{
+  "id": 1,
+  "name": "installer-readonly",
+  "sha1": "abc123...",
+  "token_last_eight": "abc12345"
+}
+```
+
+Save the `sha1` value — it is only shown once.
+
+## 4. Grant Access to a Repository
+
+```bash
+REPO="my-private-repo"
+
+curl -X PUT "$GITEA_API/repos/$OWNER/$REPO/collaborators/$READER" \
+  -u "$OWNER:$OWNER_PASS" \
+  -H "Content-Type: application/json" \
+  -d '{"permission": "read"}'
+```
+
+Expected: HTTP 204
+
+## 5. Verify Access
+
+With token (should work):
+```bash
+TOKEN="abc123..."
+
+curl -H "Authorization: token $TOKEN" \
+  "$GITEA_API/repos/$OWNER/$REPO"
+```
+
+Without token (should return 404 for private repo):
+```bash
+curl "$GITEA_API/repos/$OWNER/$REPO"
+```
+
+## 6. Clone with Token
+
+```bash
+git clone "https://$READER:$TOKEN@git.example.com/$OWNER/$REPO.git"
+```
+
+Or download a specific file:
+```bash
+curl -H "Authorization: token $TOKEN" \
+  "$GITEA_API/repos/$OWNER/$REPO/raw/README.md"
+```
+
+## 7. Revoke Access
+
+Remove from collaborators:
+```bash
+curl -X DELETE "$GITEA_API/repos/$OWNER/$REPO/collaborators/$READER" \
+  -u "$OWNER:$OWNER_PASS"
+```
+
+## 8. Rotate Token
+
+Delete old:
+```bash
+curl -X DELETE "$GITEA_API/users/$READER/tokens/installer-readonly" \
+  -u "$READER:$READER_PASS"
+```
+
+Create new:
+```bash
+curl -X POST "$GITEA_API/users/$READER/tokens" \
+  -u "$READER:$READER_PASS" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "installer-readonly", "scopes": ["read:repository"]}'
+```