Apply updated Codex kit guidance

.codex/project.md

@@ -33,9 +33,20 @@ cargo clippy --package theseus
 
 Full app packaging may require platform-specific Tauri dependencies.
 
+## Build Artifacts
+
+Windows installer packages are built by the Gitea runner and published to the generic package registry:
+
+```text
+https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/Modrinth-Plus-Windows-Setup.exe
+```
+
+The workflow also uploads a run artifact for debugging, but workflow-run artifacts are not Package Registry packages.
+
 ## Kit Application Notes
 
 - `AGENTS.md` intentionally preserves the upstream `CLAUDE.md` handoff while adding Modrinth Plus and Gitea workflow-loop rules.
 - README blueprint generation is not enabled because the upstream Modrinth README should remain authoritative.
 - Release dry-run automation is deferred until desktop packaging commands and artifact names are finalized.
 - Template compliance is enabled on push to keep Codex context files present and placeholder-free.
+- Codex kit metadata should stay in source control for agent work but should not be shipped inside user-facing installers or downloadable package artifacts.

.gitea/workflows/build.yml

@@ -79,27 +79,34 @@ jobs:
           app_version="$(node -p "require('./apps/app-frontend/package.json').version")"
           package_version="${app_version}-${GITHUB_SHA::7}"
           package_name="modrinth-plus"
-          latest_url="https://git.wilkensxl.de/api/packages/MrSphay/generic/${package_name}/latest"
+          repository_owner="${GITHUB_REPOSITORY%%/*}"
+          if [ -z "${repository_owner}" ] || [ "${repository_owner}" = "${GITHUB_REPOSITORY}" ]; then
+            repository_owner="MrSphay"
+          fi
+          gitea_server="${GITHUB_SERVER_URL:-https://git.wilkensxl.de}"
+          gitea_server="${gitea_server%/}"
+          package_dir="package-registry"
+          latest_url="${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/latest"
 
-          shopt -s nullglob
+          mapfile -d '' artifacts < <(find target/x86_64-pc-windows-msvc/release/bundle/nsis -maxdepth 1 -type f -name '*.exe' -print0)
-          artifacts=(target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe)
           if [ "${#artifacts[@]}" -eq 0 ]; then
             echo "No Windows installer found to publish"
             exit 1
           fi
 
-          mkdir -p package-latest
+          rm -rf "${package_dir}"
-          cp "${artifacts[0]}" "package-latest/Modrinth-Plus-Windows-Setup-${package_version}.exe"
+          mkdir -p "${package_dir}/versioned" "${package_dir}/latest"
+          cp "${artifacts[0]}" "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe"
 
           curl --fail-with-body \
-            --user "MrSphay:${REGISTRY_TOKEN}" \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
-            --upload-file "package-latest/Modrinth-Plus-Windows-Setup-${package_version}.exe" \
+            --upload-file "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe" \
-            "https://git.wilkensxl.de/api/packages/MrSphay/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Setup-${package_version}.exe"
+            "${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Setup-${package_version}.exe"
 
-          curl --silent --show-error --user "MrSphay:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
+          curl --silent --show-error --user "${repository_owner}:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
-          cp "${artifacts[0]}" "package-latest/Modrinth-Plus-Windows-Setup.exe"
+          cp "${artifacts[0]}" "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe"
 
           curl --fail-with-body \
-            --user "MrSphay:${REGISTRY_TOKEN}" \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
-            --upload-file "package-latest/Modrinth-Plus-Windows-Setup.exe" \
+            --upload-file "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe" \
             "${latest_url}/Modrinth-Plus-Windows-Setup.exe"

.gitea/workflows/template-compliance.yml

@@ -21,6 +21,7 @@ jobs:
           missing=0
 
           required_files=(
+            "AGENTS.md"
             ".codex/project.md"
             "README.md"
           )
@@ -31,11 +32,6 @@ jobs:
             "docs/agent-handoff.md"
           )
 
-          if [ ! -f "AGENTS.md" ] && [ ! -f "CLAUDE.md" ]; then
-            echo "Missing required Codex agent file: AGENTS.md or CLAUDE.md"
-            missing=1
-          fi
-
           for file in "${required_files[@]}"; do
             if [ ! -f "$file" ]; then
               echo "Missing required Codex file: $file"
@@ -57,12 +53,12 @@ jobs:
         shell: bash
         run: |
           found=0
-          paths=(AGENTS.md README.md SECURITY.md CHANGELOG.md .codex docs blueprint.md blueprint.json)
+          paths=(AGENTS.md README.md SECURITY.md CHANGELOG.md .codex docs .gitea blueprint.md blueprint.json)
-          pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|AUTHOR_NAME|PROJECT_STACK|DOWNLOAD_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND|README_COMMAND|INSTALL_COMMAND|DEV_COMMAND|PACKAGE_MANAGER|PROJECT_VERSION'
+          pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|AUTHOR_NAME|PROJECT_STACK|DOWNLOAD_URL|CI_URL|RELEASES_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND|README_COMMAND|INSTALL_COMMAND|DEV_COMMAND|PACKAGE_MANAGER|PROJECT_VERSION|COMMIT_OR_VERSION'
 
           for path in "${paths[@]}"; do
             [ -e "$path" ] || continue
-            if grep -RInE --exclude-dir=.git "$pattern" "$path"; then
+            if grep -RInE --exclude-dir=.git --exclude=template-compliance.yml "$pattern" "$path"; then
               found=1
             fi
           done
@@ -72,12 +68,30 @@ jobs:
             exit 1
           fi
 
+      - name: Check README divider convention
+        shell: bash
+        run: |
+          if [ -f blueprint.md ] || [ -f blueprint.json ]; then
+            if ! grep -q 'template:section-line' blueprint.md 2>/dev/null; then
+              echo "README blueprint exists but does not use {{ template:section-line }}."
+              exit 1
+            fi
+          fi
+
       - name: Check workflow baseline
         shell: bash
         run: |
           echo "Detected Gitea workflows:"
           find .gitea/workflows -maxdepth 1 -type f -name '*.yml' -print 2>/dev/null || true
 
+          if [ ! -f ".gitea/workflows/security-scan.yml" ]; then
+            echo "Recommended workflow missing: .gitea/workflows/security-scan.yml"
+          fi
+
+          if [ ! -f ".gitea/workflows/repo-cleanup.yml" ]; then
+            echo "Recommended workflow missing: .gitea/workflows/repo-cleanup.yml"
+          fi
+
       - name: Compliance guidance
         shell: bash
         run: |
@@ -86,4 +100,10 @@ jobs:
 
           This workflow verifies agent context and template hygiene. It does
           not change files automatically.
+
+          Recommended manual follow-up:
+          - add missing required Codex context files,
+          - replace unresolved placeholders,
+          - keep README blueprint and README output aligned,
+          - document intentional exceptions in .codex/project.md.
           EOF

AGENTS.md

@@ -7,9 +7,13 @@ This fork adds Modrinth Plus work on top of those rules.
 
 - Preserve upstream Modrinth structure and style unless a Modrinth Plus feature requires a focused change.
 - Keep desktop app work in the existing app boundaries: `apps/app-frontend`, `apps/app`, and `packages/app-lib`.
+- Conserve context tokens: search with `rg` or targeted file lists first, read only files needed for the task, summarize large outputs, and avoid generated folders, dependency folders, build outputs, or full logs unless directly relevant.
 - Do not commit secrets, `.env` files with private values, private keys, certificates, or tokens.
-- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata and Actions run status. Never print, commit, or store the token.
+- At the start of every user-requested task, briefly check for upstream repository updates and apply a safe fast-forward pull when the working tree is clean. If local changes exist, do not overwrite them.
+- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata, package-read visibility, and Actions run status. Never print, commit, or store the token.
 - After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point.
+- Gitea Actions artifacts are not Gitea Package Registry packages. If the user expects a package/download entry, add or verify an explicit registry publish step and verify the package URL after the workflow succeeds.
+- Keep Codex kit files in source control for agents, but exclude them from user-facing installer/package/release artifacts unless the user explicitly asks to ship repository-maintenance files.
 
 ## Commands
 
@@ -29,3 +33,5 @@ If local Node/Rust toolchains are unavailable, use the Gitea runner as the autho
 - Connected Library supports public HTTPS raw manifest URLs only in v1.
 - Keep private Git repository authentication out of Connected Library until token storage is designed.
 - Document new external network calls in `docs/security-review.md`.
+- Keep CI publishing secrets in repository or organization secrets. `REGISTRY_TOKEN` is the Gitea package publishing secret.
+- Use URL-safe package filenames when publishing to a registry. Do not put raw artifact names with spaces or punctuation directly into upload URLs.

CHANGELOG.md

@@ -6,4 +6,5 @@ All notable Modrinth Plus changes are documented here.
 
 - Added Connected Library for public Git-hosted `modrinth-plus.json` modpack manifests.
 - Added Gitea Actions verification for the Modrinth Plus fork.
+- Added Windows installer publishing to the Gitea generic package registry.
 - Added Codex repository context and release/security documentation.