diff --git a/.cursor/rules/gitea-token.mdc b/.cursor/rules/gitea-token.mdc
new file mode 100644
index 0000000..dc9d432
--- /dev/null
+++ b/.cursor/rules/gitea-token.mdc
@@ -0,0 +1,24 @@
+---
+description: Safe use of Gitea API token
+globs:
+alwaysApply: true
+---
+
+Rule: Gitea API token access and usage
+
+Source of token:
+- Environment variable `GITEA_TOKEN` must be set in the shell/session.
+
+Security:
+- Never print the token value to chat, logs, diffs, or console output.
+- Do not hardcode the token.
+- Do not store the token unencrypted on disk. Prefer environment variables or a secret manager.
+
+Setup:
+- Ensure `GITEA_TOKEN` is set before use (e.g., via secure secret manager or manual export without echoing the value).
+
+HTTP:
+- Add header: `Authorization: token $GITEA_TOKEN`.
+
+CLI/Scripts:
+- Pass `GITEA_TOKEN` to commands/scripts without printing its value.