diff --git a/nix/templates/harness-base.nix b/nix/templates/harness-base.nix
index c9b4b26..e6cf7aa 100644
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@@ -82,6 +82,20 @@
     '';
   };
 
+  options.hyperhive.forge.url = lib.mkOption {
+    type = lib.types.str;
+    default = "http://localhost:3000";
+    example = "http://forge.internal:3000";
+    description = ''
+      Base URL of the hyperhive-managed Forgejo. Used at container
+      boot by a oneshot systemd unit that calls
+      `tea login add --url <this> --token "$(cat /state/forge-token)"`
+      so the agent's claude can shell out to `tea` without an extra
+      auth dance. No-op when `/state/forge-token` is missing (i.e.
+      hive-forge isn't running on the host).
+    '';
+  };
+
   options.hyperhive.claudePlugins = lib.mkOption {
     type = lib.types.listOf lib.types.str;
     default = [ ];
@@ -124,8 +138,47 @@
       # procps for pkill — used by the web UI's /api/cancel to SIGINT the
       # in-flight claude turn.
       procps
+      # tea: gitea/forgejo CLI client. Configured at boot by the
+      # tea-login oneshot below if /state/forge-token is present, so
+      # claude can `tea repos create`, `tea pulls create`, etc.
+      tea
     ];
 
+    # One-shot: configure tea with the agent's forge token if
+    # hive-c0re seeded one and tea hasn't been configured yet.
+    # Runs before the harness service so the first turn can already
+    # `tea repos create`. Idempotent — exits 0 if config already
+    # exists, exits 0 if no token file (hive-forge not enabled).
+    systemd.services.tea-login = {
+      description = "configure tea CLI from /state/forge-token";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "local-fs.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      path = [ pkgs.tea pkgs.coreutils ];
+      script = ''
+        set -eu
+        TOKEN_FILE=/state/forge-token
+        CONFIG=/root/.config/tea/config.yml
+        if [ ! -f "$TOKEN_FILE" ]; then
+          echo "tea-login: no $TOKEN_FILE (hive-forge not seeded); skipping"
+          exit 0
+        fi
+        if [ -f "$CONFIG" ]; then
+          echo "tea-login: $CONFIG already present; skipping"
+          exit 0
+        fi
+        mkdir -p "$(dirname "$CONFIG")"
+        tea login add \
+          --name forge \
+          --url ${lib.escapeShellArg config.hyperhive.forge.url} \
+          --token "$(cat "$TOKEN_FILE")"
+        echo "tea-login: configured for ${config.hyperhive.forge.url}"
+      '';
+    };
+
     # Git is needed by claude's Bash tool (for the agent <-> manager config
     # request flow) and by hive-c0re's own setup_applied / setup_proposed.
     # The per-agent `applied/<name>/flake.nix` overrides `user.name` and