feat: initial repo — docs and scripts for Gitea read-only token access

Three-layer access scheme: owner -> reader account -> scoped API token.
Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/test-access.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CONFIG="${SCRIPT_DIR}/../config.ini"
+
+REPO="${1:-}"
+[[ -n "${2:-}" ]] && CONFIG="$2"
+
+if [[ ! -f "$CONFIG" ]]; then
+  echo "ERROR: config file not found: $CONFIG"
+  exit 1
+fi
+
+# --- Parse INI ---
+parse_ini() {
+  local file="$1" section="$2" key="$3"
+  sed -n "/^\[$section\]/,/^\[/p" "$file" | grep "^${key}\s*=" | head -1 | sed 's/^[^=]*=\s*//' | sed 's/\s*$//'
+}
+
+GITEA_URL=$(parse_ini "$CONFIG" gitea url)
+GITEA_API=$(parse_ini "$CONFIG" gitea api_url)
+OWNER_USER=$(parse_ini "$CONFIG" owner username)
+READER_USER=$(parse_ini "$CONFIG" reader username)
+TOKEN=$(parse_ini "$CONFIG" reader token)
+
+if [[ -z "$TOKEN" ]]; then
+  echo "ERROR: No token found in config.ini. Run setup-reader.sh first."
+  exit 1
+fi
+
+PASS=0
+FAIL=0
+
+check() {
+  local desc="$1" expected="$2" actual="$3"
+  if [[ "$actual" == "$expected" ]]; then
+    echo "  PASS: $desc (HTTP $actual)"
+    ((PASS++))
+  else
+    echo "  FAIL: $desc (expected $expected, got $actual)"
+    ((FAIL++))
+  fi
+}
+
+echo "=== Access Test for '$READER_USER' ==="
+echo "Server: $GITEA_API"
+echo ""
+
+# --- Test 1: Token is valid (list repos) ---
+echo "[Test 1] Token validity — list repos..."
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+  -H "Authorization: token $TOKEN" \
+  "$GITEA_API/user/repos")
+check "GET /user/repos with token" "200" "$HTTP_CODE"
+
+# --- Test 2: Token scope limitation (should NOT access admin endpoints) ---
+echo "[Test 2] Token scope — admin API should be denied..."
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+  -H "Authorization: token $TOKEN" \
+  "$GITEA_API/admin/users")
+check "GET /admin/users with read-only token" "403" "$HTTP_CODE"
+
+if [[ -n "$REPO" ]]; then
+  echo ""
+  echo "[Test 3] Repo access — $OWNER_USER/$REPO..."
+
+  # --- Test 3a: Access with token ---
+  HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+    -H "Authorization: token $TOKEN" \
+    "$GITEA_API/repos/$OWNER_USER/$REPO")
+  check "GET /repos/$OWNER_USER/$REPO with token" "200" "$HTTP_CODE"
+
+  # --- Test 3b: Access without token (private repo should be 404) ---
+  HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+    "$GITEA_API/repos/$OWNER_USER/$REPO")
+  check "GET /repos/$OWNER_USER/$REPO without token (expect 404)" "404" "$HTTP_CODE"
+
+  # --- Test 3c: Clone URL with token ---
+  echo ""
+  echo "[Info] Clone URL for scripts/installers:"
+  echo "  git clone https://${READER_USER}:${TOKEN}@${GITEA_URL#https://}/${OWNER_USER}/${REPO}.git"
+  echo "  (or use: Authorization: token $TOKEN header)"
+else
+  echo ""
+  echo "[Info] Pass a repo name to test specific repo access:"
+  echo "  $0 <repo-name>"
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[[ "$FAIL" -gt 0 ]] && exit 1
+exit 0