eb6fdfb2ca
Credential Manager target 'GiteaPAT' (default) read on host, passed securely to guest WinRM session. Token never appears in argv, URL, or logs. Guest auth flow (§1.5 compliant): 1. Host reads PAT via Get-StoredCredential -Target GiteaPAT 2. Username + password passed as ArgumentList to Invoke-Command 3. Guest writes temp .git-credentials file (https://user:token@host) 4. git clone uses: -c 'credential.helper=store --file <tmp>' 5. finally{} deletes credentials file regardless of clone success/fail Setup (one-time on host): New-StoredCredential -Target 'GiteaPAT' -UserName '<user>' ` -Password '<pat>' -Persist LocalMachine Invoke-CIJob.ps1: added -GiteaCredentialTarget param (default: 'GiteaPAT'), passed through to Invoke-RemoteBuild when -UseGitClone is set. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>