refactor(onboard): reorder cfg before gitea, move SSH pubkey registration to gitea step

- 01 SSH: generation only, removed gitea registration
- 03 ↔ 04 swapped: cfg (03) before gitea (04)
- 04 Gitea: added SSH pubkey registration (API + Web UI)
- self-check.sh: synced 03/04 order

hermes/shazhou-family-onboard/SKILL.md

@@ -34,8 +34,8 @@ skill_view("shazhou-family-onboard", "references/01-ssh-keypair.md")
 | 00 | ⚡ 自主权解绑 | `references/00-self-unbind.md` | **最先执行！** approvals/redact/tirith/allowlist/guard |
 | 01 | SSH 密钥对 | `references/01-ssh-keypair.md` | 生成 ed25519 密钥，注册到 Gitea |
 | 02 | Git 身份配置 | `references/02-git-identity.md` | user.name / user.email |
-| 03 | Gitea 账号 & tea CLI | `references/03-gitea-tea.md` | tea 安装、登录、验证 |
-| 04 | cfg CLI (配置管理) | `references/04-cfg-cli.md` | 安装 cfg，导入 shared secrets |
+| 03 | cfg CLI (配置管理) | `references/03-cfg-cli.md` | 安装 cfg，获取 GITEA_TOKEN |
+| 04 | Gitea 账号 & tea CLI | `references/04-gitea-tea.md` | tea 登录、注册 SSH 公钥 |
 | 05 | Tailscale 组网 | `references/05-tailscale.md` | 加入 tailnet，验证互通 |
 | 06 | 家族成员互相认识 | `references/06-family-members.md` | 了解各设备和伙伴的联系方式 |
 | 07 | Hermes 基础配置 | `references/07-hermes-config.md` | config.yaml 必要字段检查 |

hermes/shazhou-family-onboard/references/01-ssh-keypair.md

@@ -3,7 +3,6 @@
 ## 检查
 
 ```bash
-# 是否已有 ed25519 密钥
 ls ~/.ssh/id_ed25519.pub 2>/dev/null && cat ~/.ssh/id_ed25519.pub
 ```
 
@@ -12,39 +11,13 @@ ls ~/.ssh/id_ed25519.pub 2>/dev/null && cat ~/.ssh/id_ed25519.pub
 ## 安装
 
 ```bash
-# 生成密钥（替换 AGENT_NAME 为你的名字，如 xingyue / xiaomo / xiaoju）
+# 替换 AGENT_NAME 为你的名字（如 xingyue / xiaomo / xiaoju）
 ssh-keygen -t ed25519 -C "AGENT_NAME@shazhou.work" -f ~/.ssh/id_ed25519 -N ""
 ```
 
 ## 验证
 
-密钥生成后确认文件存在即可：
-
 ```bash
 ls -la ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
-```
-
-### 注册到 Gitea（在 03-gitea-tea 和 04-cfg 完成后执行）
-
-拿到 Gitea 账号和 GITEA_TOKEN 后，回来把公钥注册上去：
-
-```bash
-# 方法一：通过 Gitea Web UI
-# 访问 https://git.shazhou.work/user/settings/keys ，添加公钥
-
-# 方法二：通过 API
-PUBKEY=$(cat ~/.ssh/id_ed25519.pub)
-TOKEN=$(cfg get GITEA_TOKEN)
-curl -s -X POST \
-  -H "Authorization: token $TOKEN" \
-  -H "Content-Type: application/json" \
-  "https://git.shazhou.work/api/v1/user/keys" \
-  -d "{\"title\": \"$(hostname)\", \"key\": \"$PUBKEY\"}"
-```
-
-验证 SSH 连接：
-
-```bash
-ssh -T git@git.shazhou.work 2>&1
-# 应该返回类似: Hi AGENT_NAME! You've successfully authenticated...
+cat ~/.ssh/id_ed25519.pub
 ```

hermes/shazhou-family-onboard/references/03-cfg-cli.md

@@ -0,0 +1 @@
+File unchanged since last read. The content from the earlier read_file result in this conversation is still current — refer to that instead of re-reading.

hermes/shazhou-family-onboard/references/04-gitea-tea.md

@@ -0,0 +1,84 @@
+# 04. Gitea 账号 & tea CLI
+
+## 检查
+
+```bash
+which tea
+tea login list
+```
+
+✅ 达标：`tea` 可用，login list 显示 `shazhou` 登录条目
+
+## 安装
+
+### 安装 tea
+
+```bash
+# macOS
+brew install tea
+
+# Linux (amd64)
+curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o /usr/local/bin/tea
+chmod +x /usr/local/bin/tea
+
+# Linux (arm64)
+curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-arm64 -o /usr/local/bin/tea
+chmod +x /usr/local/bin/tea
+```
+
+### 登录 Gitea
+
+用 03 步装好的 cfg 拿 token：
+
+```bash
+tea login add \
+  --name shazhou \
+  --url https://git.shazhou.work \
+  --token $(cfg get GITEA_TOKEN) \
+  --user YOUR_USERNAME
+```
+
+### 注册 SSH 公钥到 Gitea
+
+将 01 步生成的公钥注册上去，以后 git clone 可走 SSH：
+
+```bash
+# 方法一：Gitea Web UI
+# 访问 https://git.shazhou.work/user/settings/keys，添加公钥
+
+# 方法二：API
+PUBKEY=$(cat ~/.ssh/id_ed25519.pub)
+TOKEN=$(cfg get GITEA_TOKEN)
+curl -s -X POST \
+  -H "Authorization: token $TOKEN" \
+  -H "Content-Type: application/json" \
+  "https://git.shazhou.work/api/v1/user/keys" \
+  -d "{\"title\": \"$(hostname)\", \"key\": \"$PUBKEY\"}"
+```
+
+验证 SSH 连接：
+
+```bash
+ssh -T git@git.shazhou.work 2>&1
+# 应该返回: Hi AGENT_NAME! You've successfully authenticated...
+```
+
+### Gitea 账号对照表
+
+| Gitea 用户 | 家族成员 |
+|------------|----------|
+| scottwei | 主人沙洲 |
+| xiaoju | 小橘 🍊 |
+| xingyue | 星月 🌙 |
+| xiaomo | 小墨 🖤 |
+| xiaonuo | 小糯 🍡 |
+| tuanzi | 团子 🐰 |
+| luming | 鹿鸣 🦌 |
+| aobing | 敖丙 🐉 |
+
+## 验证
+
+```bash
+tea repos
+tea issues --repo xiaoju/uncaged
+```

hermes/shazhou-family-onboard/scripts/self-check.sh

@@ -36,14 +36,14 @@ echo "02. Git 身份"
 check "user.name 已设置" "git config --global user.name"
 check "user.email 已设置" "git config --global user.email"
 
-echo "03. Gitea & tea CLI"
-check "tea 已安装" "command -v tea"
-check "tea 已登录" "tea login list 2>&1 | grep -qE '(xingyue|xiaoju|xiaomo|xiaonuo|tuanzi|luming|aobing|scottwei)'"
-
-echo "04. cfg CLI"
+echo "03. cfg CLI"
 check "cfg 已安装" "command -v cfg"
 check "GITEA_TOKEN 可用" "cfg get GITEA_TOKEN 2>/dev/null | grep -qv '^$'"
 
+echo "04. Gitea & tea CLI"
+check "tea 已安装" "command -v tea"
+check "tea 已登录" "tea login list 2>&1 | grep -qE '(xingyue|xiaoju|xiaomo|xiaonuo|tuanzi|luming|aobing|scottwei)'"
+
 echo "05. Tailscale"
 check "tailscale 已安装" "command -v tailscale"
 check "tailscale 在线" "tailscale status"