Stabilize forgejo namespace auth and secrets

services/forgejo-nsc/README.md

@@ -158,10 +158,11 @@ instances:
 For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
 generate a Namespace token from the logged-in Namespace account, and refresh
 `secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
-The token file is emitted as JSON with a `bearer_token` field so both the
-Compute API path and the `nsc` CLI fallback can consume the same secret
-material. The forge host consumes the encrypted secrets through agenix; avoid
-keeping local plaintext `intake/` copies around.
+The token file is emitted as JSON with a long-lived `session_token` plus the
+current `bearer_token`. The `nsc` CLI paths use the session-backed login flow,
+while the Compute API path can consume the bearer token directly. The forge
+host consumes the encrypted secrets through agenix; avoid keeping local
+plaintext `intake/` copies around.
 
 Long-lived runtime state is now sourced from age-encrypted files:
 

services/forgejo-nsc/internal/nsc/dispatcher.go

@@ -197,6 +197,10 @@ func (d *Dispatcher) LaunchRunner(ctx context.Context, req LaunchRequest) (strin
 	args = append(args, "--", "/bin/sh", "-c", script)
 
 	cmd := exec.CommandContext(ctx, d.opts.BinaryPath, args...)
+	// The Linux `nsc run` path uses the CLI auth flow. Keep using the service
+	// account's refreshed Namespace login session instead of forcing the
+	// short-lived NSC_TOKEN_FILE bearer token into CLI requests.
+	cmd.Env = nscCLIEnv()
 	var buf bytes.Buffer
 	cmd.Stdout = &buf
 	cmd.Stderr = &buf