diff --git a/services/gitea/kustomization.yaml b/services/gitea/kustomization.yaml
index b09f5fdf..af30b68e 100644
--- a/services/gitea/kustomization.yaml
+++ b/services/gitea/kustomization.yaml
@@ -5,6 +5,14 @@ resources:
   - namespace.yaml
   - serviceaccount.yaml
   - pvc.yaml
+  - oneoffs/veles-feedback-acl-ensure-job.yaml
   - deployment.yaml
   - service.yaml
   - ingress.yaml
+configMapGenerator:
+  - name: veles-feedback-acl-ensure-script
+    namespace: gitea
+    files:
+      - scripts/veles_feedback_acl_ensure.sh
+generatorOptions:
+  disableNameSuffixHash: true
diff --git a/services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml b/services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml
new file mode 100644
index 00000000..659b9b58
--- /dev/null
+++ b/services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml
@@ -0,0 +1,48 @@
+# services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml
+# One-off job for gitea/veles-feedback-acl-ensure-1.
+# Purpose: keep Veles testers on the feedback repo without granting source access.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: veles-feedback-acl-ensure-1
+  namespace: gitea
+spec:
+  suspend: false
+  backoffLimit: 0
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/role: "gitea"
+        vault.hashicorp.com/agent-inject-secret-gitea-db-secret__password: "kv/data/atlas/gitea/gitea-db-secret"
+        vault.hashicorp.com/agent-inject-template-gitea-db-secret__password: |
+          {{ with secret "kv/data/atlas/gitea/gitea-db-secret" }}
+          {{ .Data.data.password }}
+          {{ end }}
+    spec:
+      serviceAccountName: gitea-vault
+      restartPolicy: Never
+      volumes:
+        - name: veles-feedback-acl-ensure-script
+          configMap:
+            name: veles-feedback-acl-ensure-script
+            defaultMode: 0555
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values: ["arm64"]
+                  - key: node-role.kubernetes.io/worker
+                    operator: Exists
+      containers:
+        - name: apply
+          image: postgres:15
+          command: ["/scripts/veles_feedback_acl_ensure.sh"]
+          volumeMounts:
+            - name: veles-feedback-acl-ensure-script
+              mountPath: /scripts
+              readOnly: true
diff --git a/services/gitea/scripts/veles_feedback_acl_ensure.sh b/services/gitea/scripts/veles_feedback_acl_ensure.sh
new file mode 100644
index 00000000..dcb35b87
--- /dev/null
+++ b/services/gitea/scripts/veles_feedback_acl_ensure.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env sh
+set -eu
+
+db_host="${GITEA_DB_HOST:-postgres-service.postgres.svc.cluster.local}"
+db_port="${GITEA_DB_PORT:-5432}"
+db_name="${GITEA_DB_NAME:-gitea}"
+db_user="${GITEA_DB_USER:-gitea}"
+org_name="${VELES_GITEA_ORG:-veles-alpha}"
+repo_name="${VELES_GITEA_FEEDBACK_REPO:-feedback}"
+team_name="${VELES_GITEA_TESTER_TEAM:-testers}"
+
+if [ ! -r /vault/secrets/gitea-db-secret__password ]; then
+  echo "Missing readable Vault secret file: /vault/secrets/gitea-db-secret__password" >&2
+  exit 1
+fi
+
+export PGPASSWORD
+PGPASSWORD="$(tr -d '\r\n' </vault/secrets/gitea-db-secret__password)"
+
+psql_base="psql -h ${db_host} -p ${db_port} -U ${db_user} -d ${db_name} -v ON_ERROR_STOP=1 -P pager=off"
+
+${psql_base} \
+  -v org_name="${org_name}" \
+  -v repo_name="${repo_name}" \
+  -v team_name="${team_name}" <<'SQL'
+begin;
+
+create temporary table veles_acl_ids on commit drop as
+select
+  org.id as org_id,
+  repo.id as repo_id,
+  team.id as team_id
+from gitea."user" org
+join gitea.repository repo
+  on repo.owner_id = org.id
+join gitea.team team
+  on team.org_id = org.id
+where org.lower_name = lower(:'org_name')
+  and org.type = 1
+  and repo.lower_name = lower(:'repo_name')
+  and team.lower_name = lower(:'team_name');
+
+do $$
+begin
+  if (select count(*) from veles_acl_ids) != 1 then
+    raise exception 'Expected one veles feedback ACL target, found %', (select count(*) from veles_acl_ids);
+  end if;
+end $$;
+
+update gitea.team team
+set authorize = 1,
+    includes_all_repositories = true,
+    can_create_org_repo = false
+from veles_acl_ids ids
+where team.id = ids.team_id;
+
+insert into gitea.team_repo (org_id, team_id, repo_id)
+select ids.org_id, ids.team_id, ids.repo_id
+from veles_acl_ids ids
+where not exists (
+  select 1
+  from gitea.team_repo existing
+  where existing.team_id = ids.team_id
+    and existing.repo_id = ids.repo_id
+);
+
+delete from gitea.team_unit unit
+using veles_acl_ids ids
+where unit.team_id = ids.team_id
+  and unit.type in (1, 2, 3, 4, 5, 8, 9, 10);
+
+insert into gitea.team_unit (org_id, team_id, type, access_mode)
+select ids.org_id, ids.team_id, desired.type, desired.access_mode
+from veles_acl_ids ids
+cross join (
+  values
+    (1, 0),
+    (2, 2),
+    (3, 0),
+    (4, 0),
+    (5, 0),
+    (8, 0),
+    (9, 0),
+    (10, 0)
+) as desired(type, access_mode);
+
+commit;
+SQL
+
+echo "Veles feedback Gitea ACL ready"
diff --git a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
index 33be307a..cca75f12 100644
--- a/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
@@ -1,12 +1,12 @@
 # services/keycloak/oneoffs/veles-gitea-oidc-secret-ensure-job.yaml
-# One-off job for sso/veles-gitea-oidc-secret-ensure-4.
+# One-off job for sso/veles-gitea-oidc-secret-ensure-5.
 # Purpose: create/update the Veles realm Gitea OIDC client and write the
 # matching Gitea auth-source secret to Vault.
 # Keep suspended until the Vault policy change has reconciled, then unsuspend once.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: veles-gitea-oidc-secret-ensure-4
+  name: veles-gitea-oidc-secret-ensure-5
   namespace: sso
 spec:
   suspend: true
diff --git a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
index da0aa6e6..e08039d8 100755
--- a/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/veles_gitea_oidc_secret_ensure.sh
@@ -10,7 +10,7 @@ PUBLIC_BASE_URL="${GITEA_PUBLIC_BASE_URL:-https://scm.bstein.dev}"
 AUTH_SOURCE_NAME="${GITEA_AUTH_SOURCE_NAME:-veles}"
 TESTER_GROUP="${VELES_GITEA_TESTER_GROUP:-veles-tester}"
 VAULT_SECRET_PATH="${VAULT_SECRET_PATH:-gitea/gitea-veles-oidc}"
-GROUP_TEAM_MAP="${GITEA_GROUP_TEAM_MAP:-}"
+GROUP_TEAM_MAP="${GITEA_GROUP_TEAM_MAP:-{\"veles-tester\":{\"veles-alpha\":[\"testers\"]}}}"
 
 ACCESS_TOKEN=""
 for attempt in 1 2 3 4 5 6 7 8 9 10; do