
fix: update Bitbucket clone auth to use API token scheme #509

Merged
sng-asyncfunc merged 2 commits into AsyncFuncAI:main from octo-patch:fix/issue-444-bitbucket-api-token-auth
Apr 21, 2026

@octo-patch
Contributor

Fixes #444

Problem

When cloning private Bitbucket repositories, the application uses the x-token-auth authentication scheme (designed for Bitbucket app passwords). However, Bitbucket is deprecating app passwords (EOL June 2026) and has already removed the ability to create new ones from the normal user panel. New users can only generate HTTP access tokens, which require the x-bitbucket-api-token-auth scheme instead.

This mismatch causes authentication to fail with a 401 error even when the token is valid and can be used to clone the repository manually.

Relevant code (api/data_pipeline.py line 120):

# Before (broken for API tokens):
clone_url = urlunparse((parsed.scheme, f"x-token-auth:{encoded_token}@{parsed.netloc}", ...))

# After (works with current Bitbucket HTTP access tokens):
clone_url = urlunparse((parsed.scheme, f"x-bitbucket-api-token-auth:{encoded_token}@{parsed.netloc}", ...))

Solution

Updated the Bitbucket clone URL format to use x-bitbucket-api-token-auth, the authentication scheme required by Bitbucket HTTP access tokens.

Testing

Confirmed that x-bitbucket-api-token-auth is the correct scheme per Atlassian's documentation for HTTP access tokens.

Bitbucket is deprecating app passwords (EOL June 2026) and new users
can no longer create them. The current code uses the `x-token-auth`
scheme, which only works for app passwords. Bitbucket HTTP access tokens
require the `x-bitbucket-api-token-auth` scheme.

Update the clone URL format for Bitbucket repositories to use
`x-bitbucket-api-token-auth`, which is compatible with the current
Bitbucket API token authentication method.

Fixes AsyncFuncAI#444
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the Bitbucket authentication scheme to x-bitbucket-api-token-auth to support modern HTTP access tokens. The reviewer noted that this change is breaking for users of App Passwords, which are supported until 2026, and suggested dynamically selecting the scheme based on the token prefix to ensure backward compatibility.

Comment thread api/data_pipeline.py Outdated
Comment on lines +119 to +123
# Format: https://x-bitbucket-api-token-auth:{token}@bitbucket.org/owner/repo.git
# Bitbucket HTTP access tokens require the x-bitbucket-api-token-auth scheme.
# The older x-token-auth scheme was used for app passwords, which are being
# deprecated by Atlassian (EOL June 2026).
clone_url = urlunparse((parsed.scheme, f"x-bitbucket-api-token-auth:{encoded_token}@{parsed.netloc}", parsed.path, '', '', ''))
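Review bot: The userinfo on the `clone_url` line is prepended to `parsed.netloc`, so a repository URL that already carries `user@` produces `x-bitbucket-api-token-auth:{token}@user@bitbucket.org`; build the host part from `parsed.hostname` (plus `parsed.port` when set) instead. Because the token is now part of the URL, also check that `clone_url` is never written to logs and that git error output is scrubbed before it is returned to the caller.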
medium

While switching to x-bitbucket-api-token-auth is necessary for the new Bitbucket HTTP access tokens, this change is a breaking one for users still using Bitbucket App Passwords (which require the x-token-auth scheme). Since App Passwords are not fully EOL until June 2026, it would be better to support both schemes to avoid regressions for existing users.

Bitbucket HTTP access tokens can be identified by their ATCTT prefix. We can use this to dynamically select the correct authentication scheme.

Suggested change
# Format: https://x-bitbucket-api-token-auth:{token}@bitbucket.org/owner/repo.git
# Bitbucket HTTP access tokens require the x-bitbucket-api-token-auth scheme.
# The older x-token-auth scheme was used for app passwords, which are being
# deprecated by Atlassian (EOL June 2026).
clone_url = urlunparse((parsed.scheme, f"x-bitbucket-api-token-auth:{encoded_token}@{parsed.netloc}", parsed.path, '', '', ''))
# Bitbucket HTTP access tokens (starting with 'ATCTT') require x-bitbucket-api-token-auth.
# App passwords (deprecated but supported until June 2026) use x-token-auth.
auth_scheme = "x-bitbucket-api-token-auth" if access_token.startswith("ATCTT") else "x-token-auth"
clone_url = urlunparse((parsed.scheme, f"{auth_scheme}:{encoded_token}@{parsed.netloc}", parsed.path, '', '', ''))
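Review bot: On the `auth_scheme` line the prefix test runs on the raw `access_token`, so a token pasted with leading whitespace, or any credential that does not start with `ATCTT`, silently falls through to `x-token-auth` and fails with the same 401 this PR set out to fix. Strip the token before the check and log which scheme was selected (never the token itself) so a wrong fallback can be diagnosed. A unit test covering both prefixes would pin the behaviour.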

Bitbucket app passwords are still supported until June 2026 and use the
x-token-auth scheme. The earlier patch hard-coded x-bitbucket-api-token-auth
which broke existing app-password users. Detect the new HTTP access token
format by its 'ATCTT' prefix and pick the matching scheme; fall back to
x-token-auth for everything else.
@octo-patch
Contributor Author

Thanks @gemini-code-assist! You're right — that was a regression for App Password users.

Pushed ae9d45c which detects the token format by its ATCTT prefix and picks the matching auth scheme: x-bitbucket-api-token-auth for HTTP access tokens, x-token-auth for App Passwords (still supported until June 2026).

@gemini-code-assist
Contributor

That looks like a solid approach to handle the transition while maintaining backward compatibility for existing App Password users. The prefix-based detection is a clean way to distinguish between the two authentication schemes.
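
The prefix-based scheme selection discussed in this thread, as an added example that is not the project's code; it goes slightly further by dropping userinfo already present in the repository URL and by redacting the token before a URL is logged. The helper names and sample tokens are constructed for illustration; the two scheme names and the `ATCTT` prefix come from the thread.

```python
from urllib.parse import quote, urlparse, urlunparse

# Scheme names and the 'ATCTT' prefix are taken from the thread above.
API_TOKEN_SCHEME = "x-bitbucket-api-token-auth"
APP_PASSWORD_SCHEME = "x-token-auth"
API_TOKEN_PREFIX = "ATCTT"


def pick_auth_scheme(access_token: str) -> str:
    """Select the userinfo 'username' by token prefix, as the merged fix does."""
    return API_TOKEN_SCHEME if access_token.startswith(API_TOKEN_PREFIX) else APP_PASSWORD_SCHEME


def build_bitbucket_clone_url(repo_url: str, access_token: str) -> str:
    """Hypothetical helper: return an HTTPS clone URL carrying the credential."""
    token = access_token.strip()  # stray whitespace would defeat the prefix check
    if not token:
        raise ValueError("empty access token")
    parsed = urlparse(repo_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("refusing to embed a token in a non-HTTPS URL")
    # Rebuild host[:port] from parsed fields so userinfo already present in
    # repo_url is dropped instead of producing 'scheme:token@user@host'.
    host = parsed.hostname if parsed.port is None else f"{parsed.hostname}:{parsed.port}"
    encoded = quote(token, safe="")  # percent-encode '@', ':', '/' inside the token
    userinfo = f"{pick_auth_scheme(token)}:{encoded}"
    return urlunparse(("https", f"{userinfo}@{host}", parsed.path, "", "", ""))


def redact_clone_url(url: str) -> str:
    """Hypothetical helper: mask the password part before a URL is logged."""
    parsed = urlparse(url)
    if parsed.password is None:
        return url
    host = parsed.hostname if parsed.port is None else f"{parsed.hostname}:{parsed.port}"
    return urlunparse((parsed.scheme, f"{parsed.username}:***@{host}", parsed.path, "", "", ""))
```
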

@sng-asyncfunc sng-asyncfunc merged commit e8b6f1e into AsyncFuncAI:main Apr 21, 2026
2 checks passed
RichelynScott added a commit to RichelynScott/deepwiki-open that referenced this pull request Apr 26, 2026
CLAUDE.md cited 4c6a1f7 as the pin but local main is 3 commits past it
(includes the LaTeX PR AsyncFuncAI#499 merged 2026-04-23 at 05591ee). Updated effective
merge point + listed the 2 unmerged upstream commits with verdicts:
- e8b6f1e Bitbucket clone auth fix (AsyncFuncAI#509) — low value for us
- 5b43df5 "Deepwiki is coming back" — non-functional

Cadence note: ~4 commits / 6 weeks (active but slow). Added drift-check
oneliner so future sessions can verify in 2s.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

Error fetching repo from private bitbucket repo, outdated auth method