MrSphay/Explosion-Overhaul
1
0
Fork 0
generated from MrSphay/codex-agent-repository-kit
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
MrSphay
2026-05-04 09:03:49 +00:00
commit 592db184a2
29 changed files with 2739 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
files/AGENTS.md Normal file
View File

@@ -0,0 +1,80 @@
# Agent Instructions
## Project
PROJECT_NAME: PROJECT_DESCRIPTION
## Repository Rules
- Start by reading `manifest.json`, then the workflow file that matches the task: `new-repository.md` for fresh repos or `existing-project.md` for retrofit work.
- Use the matching `profiles/*.md` file when the repository stack is detected. Profiles are guidance, not permission to ignore existing project conventions.
- Follow the `manifest.json` copy map for source and target paths. Do not invent alternate locations unless the target repository already has an equivalent convention.
- Prefer existing project patterns over new abstractions.
- Keep changes scoped to the user's request.
- Do not commit secrets, `.env` files, private keys, certificates, or tokens.
- Do not rewrite history or run destructive git commands unless explicitly requested.
- Do not create a release unless explicitly requested.
- Check `git status --short` before editing and before finishing. Preserve unrelated user changes.
- Replace all applicable placeholders. Remove non-applicable placeholder sections instead of leaving fake values.
- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata, package-read visibility, and Actions run status. Never print, commit, or store the token.
- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point.
- When the project uses `blueprint.md` and `blueprint.json` for README generation, keep the rainbow `{{ template:section-line }}` divider between major README sections. Do not replace it with plain `---` unless the target renderer cannot display inline images.
- If README blueprint files are changed, regenerate or update `README.md` in the same change and verify the generated output renders reasonably.
- For releasable projects, add or preserve `.gitea/workflows/security-scan.yml` using `files/security-scan-gitea.yml` unless the repository already has equivalent scheduled security automation.
- For active projects, add or preserve `.gitea/workflows/repo-cleanup.yml` using `files/repo-cleanup-gitea.yml` unless the repository already has equivalent cleanup checks.
- Add or preserve `.gitea/workflows/dependency-check.yml`, `.gitea/workflows/release-dry-run.yml`, and `.gitea/workflows/template-compliance.yml` when the repository is active, releasable, or intended as a Codex-maintained project.
- Repository cleanup automation must be non-destructive. Do not delete branches, packages, releases, or tracked files without explicit user approval.
- Dependency, compliance, and release dry-run automation must report findings only. Do not auto-update dependencies, auto-open PRs, create tags, publish packages, or create releases without explicit user approval.
- Gitea Actions artifacts are not Gitea Package Registry packages. If the user expects a package/download entry, add an explicit registry publish step and verify the package URL after the workflow succeeds.
## Commands
Use these commands when available:
```bash
LINT_COMMAND
TEST_COMMAND
BUILD_COMMAND
AUDIT_COMMAND
```
If a command is missing, inspect the project and document the closest safe alternative in `.codex/project.md`.
Keep `.codex/project.md` and this `AGENTS.md` aligned when commands, artifact paths, or release rules change.
## Artifacts
Expected artifact output:
```text
ARTIFACT_OUTPUT_DIRECTORY
```
Expected artifact names:
```text
ARTIFACT_NAME
```
## Security Notes
- Review `docs/security-review.md` before release work.
- Fill `docs/security-review.md` with actual checked commands and results when performing release-readiness work.
- Review scheduled security workflow failures before changing code. Treat matches as leads: they may be true positives, documentation examples, or test fixtures.
- Review repository cleanup workflow failures as maintenance leads. Document intentional exceptions instead of blindly deleting files.
- Review dependency and template compliance workflow failures as maintenance leads. Preserve project-specific conventions when they are documented.
- Treat generated credentials and config files as sensitive.
- Keep external network calls documented.
- Prefer local processing for user data.
- Keep CI publishing secrets in repository or organization secrets, not in tracked files. `REGISTRY_TOKEN` is the default package publishing secret name for the Gitea workflow template.
- Use URL-safe package filenames when publishing to a registry. Do not put raw artifact names with spaces or punctuation directly into upload URLs.
- Ensure `.gitignore` covers local config, build outputs, logs, temporary files, and secret material for the detected stack.
## Finish Checklist
- `git diff --check` passes.
- The cheapest reliable verification command has been run, or the reason it could not be run is documented.
- README, changelog, security review, and release checklist are updated when the change touches release behavior.
- `docs/agent-handoff.md` is updated when work is interrupted, risky, or spans multiple sessions.
- Any pushed Gitea workflow has been polled to success or a concrete blocker has been reported.

8
files/CHANGELOG.md Normal file
View File

@@ -0,0 +1,8 @@
# Changelog
All notable changes to this project are documented here.
## Unreleased
- Initial project setup.

48
files/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,48 @@
# Contributing
## Working Rules
- Keep changes scoped to the issue or user request.
- Prefer existing project patterns.
- Do not commit secrets, generated credentials, local `.env` files, or private keys.
- Do not create releases unless explicitly requested.
- Preserve unrelated user changes.
## Before Committing
Run the cheapest reliable verification commands for this project:
```bash
LINT_COMMAND
TEST_COMMAND
BUILD_COMMAND
```
Also run:
```bash
git diff --check
```
If a command cannot run, document why in the final response or handoff notes.
## Pull Requests
Pull requests should include:
- summary of changes,
- verification performed,
- known risks or skipped checks,
- artifact/download notes when relevant.
## Releases
Before release work, update:
```text
CHANGELOG.md
docs/release-checklist.md
docs/security-review.md
README.md
```

22
files/SECURITY.md Normal file
View File

@@ -0,0 +1,22 @@
# Security Policy
## Supported Versions
| Version | Supported |
| --- | --- |
| Latest | Yes |
## Reporting A Vulnerability
Please report security issues privately to the project owner.
Do not include secrets, production data, or private credentials in public issues.
## Project Security Principles
- Keep secrets out of the repository.
- Prefer local processing for user data.
- Document external network calls.
- Keep release artifacts reproducible through CI.
- Run dependency audits before releases.

35
files/agent-handoff.md Normal file
View File

@@ -0,0 +1,35 @@
# Agent Handoff
Use this file when a task spans multiple sessions, has unresolved follow-up work, or changes release behavior.
## Current State
```text
PENDING
```
## Changes Made
- PENDING
## Verification
| Check | Result |
| --- | --- |
| `git diff --check` | PENDING |
| `LINT_COMMAND` | PENDING |
| `TEST_COMMAND` | PENDING |
| `BUILD_COMMAND` | PENDING |
## Open Questions
- PENDING
## Next Steps
- PENDING
## Risks
- PENDING

30
files/blueprint.json Normal file
View File

@@ -0,0 +1,30 @@
{
"ids": {
"github": "REPOSITORY_OWNER/REPOSITORY_NAME"
},
"badges": [
{
"alt": "Build",
"img": "https://img.shields.io/badge/build-Gitea%20Runner-2563eb",
"url": "https://git.wilkensxl.de/REPOSITORY_OWNER/REPOSITORY_NAME/actions"
},
{
"alt": "Version",
"img": "https://img.shields.io/badge/version-0.1.0-111827",
"url": "https://git.wilkensxl.de/REPOSITORY_OWNER/REPOSITORY_NAME/releases"
}
],
"headingPrefix": {
"1": "",
"2": ""
},
"line": "rainbow",
"templates": [
{
"name": "section-line",
"template": "<p align=\"center\"><img src=\"https://raw.githubusercontent.com/andreasbm/readme/master/assets/lines/rainbow.png\" alt=\"-----------------------------------------------------\" width=\"100%\"></p>"
}
],
"text": "PROJECT_DESCRIPTION"
}

76
files/blueprint.md Normal file
View File

@@ -0,0 +1,76 @@
{{ template:title }}
{{ template:badges }}
{{ template:section-line }}
{{ template:table-of-contents }}
{{ template:section-line }}
## Overview
PROJECT_DESCRIPTION
{{ template:section-line }}
## Features
| Area | Description |
| --- | --- |
| Core | Describe the main project capability |
| Workflow | Describe the primary user or developer workflow |
| Build | Describe how artifacts are produced |
| Security | Describe the default security posture |
{{ template:section-line }}
## Installation
```bash
INSTALL_COMMAND
```
{{ template:section-line }}
## Development
```bash
DEV_COMMAND
LINT_COMMAND
TEST_COMMAND
BUILD_COMMAND
```
{{ template:section-line }}
## Downloads
| Variant | Download |
| --- | --- |
| Latest artifact | [Download latest](DOWNLOAD_URL) |
Private repositories may require an active session or a token with package read access.
{{ template:section-line }}
## Security
Security posture:
| Area | State |
| --- | --- |
| Secrets | Secrets must not be committed |
| Dependency audit | CI should run the project dependency audit |
| User data | User data should stay local unless explicitly documented |
| External services | Network calls should be documented |
See `SECURITY.md` and `docs/security-review.md`.
{{ template:section-line }}
## Release
Release readiness is tracked in `docs/release-checklist.md`.
{{ template:section-line }}
## Project Info
| Field | Value |
| --- | --- |
| Author | `AUTHOR_NAME` |
| Repository | `REPOSITORY_OWNER/REPOSITORY_NAME` |
| Stack | `PROJECT_STACK` |
| README workflow | Blueprint workflow based on `andreasbm/readme` |

105
files/build-gitea.yml Normal file
View File

@@ -0,0 +1,105 @@
name: Build
on:
push:
branches:
- main
- master
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
steps:
- name: Checkout
uses: actions/checkout@v4
# Replace this runtime setup block with the stack this project uses.
# Examples:
# - Node: actions/setup-node@v4
# - Python: actions/setup-python@v5
# - Go: actions/setup-go@v5
# - Rust: dtolnay/rust-toolchain@stable
- name: Setup runtime
run: echo "Configure PROJECT_STACK runtime here"
- name: Install dependencies
run: INSTALL_COMMAND
- name: Audit dependencies
run: AUDIT_COMMAND
- name: Lint
run: LINT_COMMAND
- name: Test
run: TEST_COMMAND
- name: Build
run: BUILD_COMMAND
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: PROJECT_NAME-artifacts
path: |
ARTIFACT_OUTPUT_DIRECTORY/**
- name: Publish latest package
if: ${{ env.REGISTRY_TOKEN != '' }}
shell: bash
run: |
app_version="PROJECT_VERSION"
package_version="${app_version}-${GITHUB_SHA::7}"
package_name="PACKAGE_NAME"
package_dir="package-registry"
latest_url="https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/latest"
mapfile -d '' artifacts < <(find ARTIFACT_OUTPUT_DIRECTORY -maxdepth 1 -type f -print0)
if [ "${#artifacts[@]}" -eq 0 ]; then
echo "No package artifacts found in ARTIFACT_OUTPUT_DIRECTORY"
exit 1
fi
rm -rf "${package_dir}"
mkdir -p "${package_dir}/versioned" "${package_dir}/latest"
for artifact in "${artifacts[@]}"; do
extension=""
base_name="$(basename "$artifact")"
stem="$base_name"
if [[ "$base_name" == *.* ]]; then
extension=".${base_name##*.}"
stem="${base_name%.*}"
fi
safe_stem="$(echo "$stem" | tr -cs 'A-Za-z0-9._-' '-' | sed 's/^-//; s/-$//')"
safe_name="${safe_stem}-${package_version}${extension}"
cp "$artifact" "${package_dir}/versioned/${safe_name}"
curl --fail-with-body \
--user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
--upload-file "${package_dir}/versioned/${safe_name}" \
"https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/${package_version}/${safe_name}"
done
curl --silent --show-error --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
for artifact in "${artifacts[@]}"; do
extension=""
base_name="$(basename "$artifact")"
stem="$base_name"
if [[ "$base_name" == *.* ]]; then
extension=".${base_name##*.}"
stem="${base_name%.*}"
fi
safe_stem="$(echo "$stem" | tr -cs 'A-Za-z0-9._-' '-' | sed 's/^-//; s/-$//')"
safe_name="${safe_stem}-latest${extension}"
cp "$artifact" "${package_dir}/latest/${safe_name}"
curl --fail-with-body \
--user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
--upload-file "${package_dir}/latest/${safe_name}" \
"${latest_url}/${safe_name}"
done

114
files/dependency-check-gitea.yml Normal file
View File

@@ -0,0 +1,114 @@
name: Scheduled Dependency Check
on:
schedule:
- cron: "29 3 * * 2"
workflow_dispatch:
jobs:
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Detect project stack
id: detect
shell: bash
run: |
stacks=""
[ -f package.json ] && stacks="${stacks} node"
{ [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
[ -f Cargo.toml ] && stacks="${stacks} rust"
[ -f go.mod ] && stacks="${stacks} go"
{ [ -f Dockerfile ] || [ -f compose.yml ] || [ -f docker-compose.yml ]; } && stacks="${stacks} docker"
echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
echo "Detected stacks:${stacks:- generic}"
- name: Node dependency report
if: contains(steps.detect.outputs.stacks, 'node')
shell: bash
run: |
if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
npm ci
else
npm install --package-lock-only --ignore-scripts
fi
echo "Security audit:"
npm audit --omit=dev --audit-level=high
echo
echo "Outdated dependencies:"
npm outdated || true
- name: Python dependency report
if: contains(steps.detect.outputs.stacks, 'python')
shell: bash
run: |
python -m pip install --upgrade pip pip-audit
echo "Security audit:"
if [ -f requirements.txt ]; then
pip-audit -r requirements.txt
else
pip-audit
fi
echo
echo "Outdated packages:"
python -m pip list --outdated || true
- name: Rust dependency report
if: contains(steps.detect.outputs.stacks, 'rust')
shell: bash
run: |
cargo install cargo-audit cargo-outdated --locked
echo "Security audit:"
cargo audit
echo
echo "Outdated crates:"
cargo outdated || true
- name: Go dependency report
if: contains(steps.detect.outputs.stacks, 'go')
shell: bash
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
echo "Security audit:"
govulncheck ./...
echo
echo "Available dependency updates:"
go list -u -m all || true
- name: Docker base image report
if: contains(steps.detect.outputs.stacks, 'docker')
shell: bash
run: |
echo "Docker image references:"
grep -RInE --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=dist --exclude-dir=build '^\s*FROM\s+' Dockerfile* . 2>/dev/null || true
echo
echo "Review Docker base images manually for pinned versions, official sources, and current security status."
- name: Dependency guidance
shell: bash
run: |
cat <<'EOF'
Dependency check completed.
This workflow reports vulnerabilities and available updates. It does
not modify dependency files, create pull requests, or publish packages.
Recommended manual follow-up:
- update dependencies in a focused branch,
- run the project test/build commands,
- review lockfile diffs carefully,
- document intentionally held versions.
EOF

46
files/gitignore.template Normal file
View File

@@ -0,0 +1,46 @@
# Dependencies
node_modules/
vendor/
.venv/
venv/
__pycache__/
# Build outputs
dist/
build/
out/
release/
target/
bin/
obj/
# Logs and temporary files
*.log
*.tmp
*.temp
.cache/
.turbo/
.vite/
.pytest_cache/
# Local environment and secrets
.env
.env.*
!.env.example
*.pem
*.key
*.pfx
*.p12
*.crt
*.cer
*.token
secrets/
# OS and editor files
.DS_Store
Thumbs.db
.idea/
.vscode/
*.swp
*.swo

72
files/project.md Normal file
View File

@@ -0,0 +1,72 @@
# Codex Project Notes
## Project
`PROJECT_NAME` is `PROJECT_DESCRIPTION`
Repository:
```text
REPOSITORY_OWNER/REPOSITORY_NAME
```
## Commands
Use these commands as the source of truth:
```text
LINT_COMMAND
TEST_COMMAND
BUILD_COMMAND
AUDIT_COMMAND
README_COMMAND
```
If a command does not exist, document the closest safe alternative. Do not invent commands that cannot run.
## Stack
```text
PROJECT_STACK
```
Package manager or build tool:
```text
PACKAGE_MANAGER
```
## Build Artifacts
Release artifacts are produced in:
```text
ARTIFACT_OUTPUT_DIRECTORY
```
Expected files:
```text
ARTIFACT_NAME
```
## Security Rules
- Do not commit secrets, tokens, `.env` files, certificates, or private keys.
- Treat generated credentials as sensitive.
- Prefer local generation and local processing for user data.
- Keep dependency audit results visible in CI where possible.
- Do not add external network calls unless the feature explicitly requires them.
## Release Rules
Before a release:
1. run the release checklist,
2. verify CI is green,
3. verify download links,
4. update README and changelog,
5. create a tag,
6. create the release.
Do not create releases unless the user explicitly asks for a release.

36
files/release-checklist.md Normal file
View File

@@ -0,0 +1,36 @@
# Release Checklist
## Version
- [ ] Version number updated.
- [ ] Changelog updated.
- [ ] README regenerated if blueprint files changed.
## Quality
- [ ] Working tree is clean.
- [ ] Lint/type checks pass.
- [ ] Tests pass or missing tests are documented.
- [ ] Build succeeds in CI.
## Security
- [ ] Security review is current.
- [ ] Dependency audit is clean or documented.
- [ ] No secrets are committed.
- [ ] Release artifacts do not contain local config files.
## Artifacts
- [ ] Artifacts are uploaded.
- [ ] Download links work.
- [ ] Package registry links work if used.
- [ ] Installer/portable/archive naming is clear.
## Release
- [ ] Git tag created.
- [ ] Release notes written.
- [ ] Release published.
- [ ] Post-release download smoke test completed.

133
files/release-dry-run-gitea.yml Normal file
View File

@@ -0,0 +1,133 @@
name: Release Dry Run
on:
push:
branches:
- main
- master
workflow_dispatch:
jobs:
release-dry-run:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Inspect release metadata
shell: bash
run: |
missing=0
required_docs=(
"README.md"
"CHANGELOG.md"
"SECURITY.md"
"docs/release-checklist.md"
)
for file in "${required_docs[@]}"; do
if [ ! -f "$file" ]; then
echo "Missing release document: $file"
missing=1
fi
done
placeholder_paths=(README.md AGENTS.md .codex docs)
placeholder_pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|DOWNLOAD_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND'
for path in "${placeholder_paths[@]}"; do
[ -e "$path" ] || continue
if grep -RInE --exclude-dir=.git "$placeholder_pattern" "$path"; then
echo "Unresolved template placeholders found."
missing=1
fi
done
if [ "$missing" -eq 1 ]; then
exit 1
fi
- name: Detect project stack
id: detect
shell: bash
run: |
stacks=""
[ -f package.json ] && stacks="${stacks} node"
{ [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
[ -f Cargo.toml ] && stacks="${stacks} rust"
[ -f go.mod ] && stacks="${stacks} go"
echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
echo "Detected stacks:${stacks:- generic}"
- name: Node release checks
if: contains(steps.detect.outputs.stacks, 'node')
shell: bash
run: |
if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
npm ci
else
npm install
fi
node -e "const p=require('./package.json'); if(!p.name||!p.version){throw new Error('package.json needs name and version')}; console.log(p.name+'@'+p.version)"
npm run lint --if-present
npm test --if-present
npm run build --if-present
npm run release:check --if-present
- name: Python release checks
if: contains(steps.detect.outputs.stacks, 'python')
shell: bash
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ]; then
python -m pip install -r requirements.txt
fi
if [ -f pyproject.toml ]; then
python -m pip install build
python -m build
else
echo "No pyproject.toml found; skipped Python package build."
fi
- name: Rust release checks
if: contains(steps.detect.outputs.stacks, 'rust')
shell: bash
run: |
cargo test
cargo build --release
- name: Go release checks
if: contains(steps.detect.outputs.stacks, 'go')
shell: bash
run: |
go test ./...
go build ./...
- name: Artifact report
shell: bash
run: |
echo "Potential release artifacts:"
find . \
-path ./.git -prune -o \
-path ./node_modules -prune -o \
-path './dist/*' -type f -print -o \
-path './build/*' -type f -print -o \
-path './release/*' -type f -print -o \
-path './target/release/*' -type f -print \
| sed 's#^\./##' \
| head -200
cat <<'EOF'
Release dry run completed.
This workflow verifies release readiness. It does not create tags,
releases, packages, or upload artifacts.
EOF

31
files/release-notes.md Normal file
View File

@@ -0,0 +1,31 @@
# PROJECT_NAME PROJECT_VERSION
## Downloads
| Variant | Download |
| --- | --- |
| Latest artifact | DOWNLOAD_URL |
## Highlights
- PENDING
## Security
- Dependency audit: PENDING
- Secret handling: PENDING
- External network calls: PENDING
## Verification
| Check | Result |
| --- | --- |
| `LINT_COMMAND` | PENDING |
| `TEST_COMMAND` | PENDING |
| `BUILD_COMMAND` | PENDING |
| Artifact download | PENDING |
## Notes
PENDING

139
files/repo-cleanup-gitea.yml Normal file
View File

@@ -0,0 +1,139 @@
name: Scheduled Repository Cleanup Check
on:
schedule:
- cron: "43 3 * * 1"
workflow_dispatch:
jobs:
cleanup-check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check ignored and untracked generated files
shell: bash
run: |
echo "Ignored files that would be skipped by git:"
git status --ignored --short || true
echo
echo "Tracked generated files check:"
generated_patterns=(
'(^|/)node_modules/'
'(^|/)dist/'
'(^|/)build/'
'(^|/)out/'
'(^|/)release/'
'(^|/)target/'
'(^|/)coverage/'
'\.log$'
'\.tmp$'
'\.temp$'
)
found=0
tracked_files="$(git ls-files)"
for pattern in "${generated_patterns[@]}"; do
if echo "$tracked_files" | grep -Ei "$pattern"; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Generated files appear to be tracked. Review .gitignore and remove generated outputs from version control if appropriate."
exit 1
fi
- name: Check large tracked files
shell: bash
run: |
limit_bytes="${LARGE_FILE_LIMIT_BYTES:-5242880}"
found=0
while IFS= read -r file; do
[ -f "$file" ] || continue
size="$(wc -c < "$file")"
if [ "$size" -gt "$limit_bytes" ]; then
echo "${file} is ${size} bytes, above limit ${limit_bytes}."
found=1
fi
done < <(git ls-files)
if [ "$found" -eq 1 ]; then
echo "Large tracked files found. Move release artifacts to packages/releases or document why they belong in git."
exit 1
fi
- name: Check local config and secret-prone files
shell: bash
run: |
found=0
risky_patterns=(
'^\.env$'
'^\.env\.'
'\.pfx$'
'\.p12$'
'\.pem$'
'\.key$'
'\.token$'
'(^|/)secrets/'
)
tracked_files="$(git ls-files)"
for pattern in "${risky_patterns[@]}"; do
if echo "$tracked_files" | grep -Ei "$pattern" | grep -vE '^\.env\.example$'; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Secret-prone local config files are tracked. Review immediately."
exit 1
fi
- name: Check stale branches
shell: bash
run: |
git fetch --all --prune
protected='^(main|master|develop|dev|release|staging|production)$'
cutoff="$(date -u -d '90 days ago' +%s)"
found=0
while IFS='|' read -r branch timestamp; do
branch="${branch#origin/}"
[ "$branch" = "HEAD" ] && continue
echo "$branch" | grep -Eq "$protected" && continue
if [ "$timestamp" -lt "$cutoff" ]; then
echo "Stale remote branch candidate: ${branch}"
found=1
fi
done < <(git for-each-ref refs/remotes/origin --format='%(refname:short)|%(committerdate:unix)')
if [ "$found" -eq 1 ]; then
echo "Stale branch candidates found. Review manually before deleting anything."
exit 1
fi
- name: Cleanup guidance
shell: bash
run: |
cat <<'EOF'
Repository cleanup check completed.
This workflow reports cleanup candidates. It does not delete branches,
packages, releases, or files automatically.
Recommended manual follow-up:
- remove generated files from git,
- update .gitignore,
- move large artifacts to releases or package registry,
- review stale branches,
- document intentional exceptions.
EOF

54
files/security-review.md Normal file
View File

@@ -0,0 +1,54 @@
# Security Review
## Scope
Project:
```text
PROJECT_NAME
```
Reviewed version or commit:
```text
COMMIT_OR_VERSION
```
## Code Patterns Checked
- [ ] No `eval`.
- [ ] No dynamic `Function` constructor.
- [ ] No unsafe HTML injection.
- [ ] No unexpected shell execution.
- [ ] No unexpected external network calls.
- [ ] No secrets committed.
- [ ] No unsafe file writes outside expected user-selected paths.
## Dependency Review
Command:
```bash
AUDIT_COMMAND
```
Result:
```text
PENDING
```
## Runtime Review
- [ ] Least-privilege runtime configuration.
- [ ] External URLs documented.
- [ ] Local data storage documented.
- [ ] Sensitive data is not persisted unless explicitly required.
## Release Notes
Known residual risks:
```text
None documented yet.
```

174
files/security-scan-gitea.yml Normal file
View File

@@ -0,0 +1,174 @@
name: Scheduled Security Scan
on:
schedule:
- cron: "17 3 * * 1"
workflow_dispatch:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Detect project stack
id: detect
shell: bash
run: |
stacks=""
[ -f package.json ] && stacks="${stacks} node"
{ [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
[ -f Cargo.toml ] && stacks="${stacks} rust"
[ -f go.mod ] && stacks="${stacks} go"
{ [ -f Dockerfile ] || [ -f compose.yml ] || [ -f docker-compose.yml ]; } && stacks="${stacks} docker"
echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
echo "Detected stacks:${stacks:- generic}"
- name: Node production dependency audit
if: contains(steps.detect.outputs.stacks, 'node')
run: npm audit --omit=dev --audit-level=high
- name: Python dependency audit
if: contains(steps.detect.outputs.stacks, 'python')
shell: bash
run: |
python -m pip install --upgrade pip pip-audit
if [ -f requirements.txt ]; then
pip-audit -r requirements.txt
else
pip-audit
fi
- name: Rust dependency audit
if: contains(steps.detect.outputs.stacks, 'rust')
shell: bash
run: |
cargo install cargo-audit --locked
cargo audit
- name: Go vulnerability scan
if: contains(steps.detect.outputs.stacks, 'go')
shell: bash
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Suspicious code pattern scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=node_modules
--exclude-dir=dist
--exclude-dir=build
--exclude-dir=release
--exclude=security-scan.yml
)
patterns=(
'eval\s*\('
'new Function\s*\('
'dangerouslySetInnerHTML'
'innerHTML\s*='
'child_process'
'exec\s*\('
'spawn\s*\('
'shell\.openExternal'
'nodeIntegration:\s*true'
'webSecurity:\s*false'
'allowRunningInsecureContent:\s*true'
'curl .*sh'
'wget .*sh'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Suspicious code patterns were found. Review the matches above."
exit 1
fi
- name: Secret and config leak scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=node_modules
--exclude-dir=dist
--exclude-dir=build
--exclude-dir=release
--exclude=security-scan.yml
)
patterns=(
'BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY'
'AKIA[0-9A-Z]{16}'
'xox[baprs]-[0-9A-Za-z-]+'
'gh[pousr]_[0-9A-Za-z_]+'
'sk-[A-Za-z0-9]{20,}'
'api[_-]?key\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
'token\s*=\s*["'\'']?[A-Za-z0-9_\-]{20,}'
'password\s*=\s*["'\'']?[^[:space:]]{8,}'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInE "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if find . -path ./.git -prune -o \( -name ".env" -o -name ".env.*" \) -not -name ".env.example" -print | grep .; then
echo "Committed environment files were found."
found=1
fi
if [ "$found" -eq 1 ]; then
echo "Potential secret or config leak detected. Review the matches above."
exit 1
fi
- name: AI instruction injection scan
shell: bash
run: |
grep_excludes=(
--exclude-dir=.git
--exclude-dir=node_modules
--exclude-dir=dist
--exclude-dir=build
--exclude-dir=release
--exclude=security-scan.yml
)
patterns=(
'ignore (all )?(previous|above) instructions'
'system prompt'
'developer message'
'reveal your instructions'
'exfiltrate'
'send.*token'
'send.*secret'
'disable.*safety'
'jailbreak'
'prompt injection'
)
found=0
for pattern in "${patterns[@]}"; do
if grep -RInEi "${grep_excludes[@]}" "$pattern" .; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Potential AI instruction-injection text found. Review whether this is documentation, test data, or malicious content."
exit 1
fi

109
files/template-compliance-gitea.yml Normal file
View File

@@ -0,0 +1,109 @@
name: Codex Template Compliance
on:
push:
branches:
- main
- master
pull_request:
workflow_dispatch:
jobs:
template-compliance:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check required Codex files
shell: bash
run: |
missing=0
required_files=(
"AGENTS.md"
".codex/project.md"
"README.md"
)
recommended_files=(
"SECURITY.md"
"CHANGELOG.md"
"docs/agent-handoff.md"
)
for file in "${required_files[@]}"; do
if [ ! -f "$file" ]; then
echo "Missing required Codex file: $file"
missing=1
fi
done
for file in "${recommended_files[@]}"; do
if [ ! -f "$file" ]; then
echo "Recommended Codex file not found: $file"
fi
done
if [ "$missing" -eq 1 ]; then
exit 1
fi
- name: Check unresolved placeholders
shell: bash
run: |
found=0
paths=(AGENTS.md README.md SECURITY.md CHANGELOG.md .codex docs blueprint.md blueprint.json)
pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|AUTHOR_NAME|PROJECT_STACK|DOWNLOAD_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND|README_COMMAND|INSTALL_COMMAND|DEV_COMMAND|PACKAGE_MANAGER|PROJECT_VERSION'
for path in "${paths[@]}"; do
[ -e "$path" ] || continue
if grep -RInE --exclude-dir=.git "$pattern" "$path"; then
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo "Unresolved template placeholders found. Replace real values or mark genuinely unknown values as PENDING."
exit 1
fi
- name: Check README divider convention
shell: bash
run: |
if [ -f blueprint.md ] || [ -f blueprint.json ]; then
if ! grep -q 'template:section-line' blueprint.md 2>/dev/null; then
echo "README blueprint exists but does not use {{ template:section-line }}."
exit 1
fi
fi
- name: Check workflow baseline
shell: bash
run: |
echo "Detected Gitea workflows:"
find .gitea/workflows -maxdepth 1 -type f -name '*.yml' -print 2>/dev/null || true
if [ ! -f ".gitea/workflows/security-scan.yml" ]; then
echo "Recommended workflow missing: .gitea/workflows/security-scan.yml"
fi
if [ ! -f ".gitea/workflows/repo-cleanup.yml" ]; then
echo "Recommended workflow missing: .gitea/workflows/repo-cleanup.yml"
fi
- name: Compliance guidance
shell: bash
run: |
cat <<'EOF'
Codex template compliance check completed.
This workflow verifies agent context and template hygiene. It does
not change files automatically.
Recommended manual follow-up:
- add missing required Codex context files,
- replace unresolved placeholders,
- keep README blueprint and README output aligned,
- document intentional exceptions in .codex/project.md.
EOF