From c02413813bd06829a902ddaf7b1cf6d050d48d18 Mon Sep 17 00:00:00 2001 From: MrSphay Date: Sun, 3 May 2026 22:22:57 +0200 Subject: [PATCH] Apply updated Codex repository kit --- .codex/project.md | 7 ++ .gitea/workflows/template-compliance.yml | 85 ++++++++++++++++++++++++ AGENTS.md | 32 ++++++++- CHANGELOG.md | 9 +++ CONTRIBUTING.md | 25 +++++++ SECURITY.md | 22 ++++++ docs/agent-handoff.md | 36 ++++++++++ docs/release-checklist.md | 35 ++++++++++ docs/release-notes.md | 30 +++++++++ docs/security-review.md | 55 +++++++++++++++ 10 files changed, 335 insertions(+), 1 deletion(-) create mode 100644 .gitea/workflows/template-compliance.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md create mode 100644 docs/agent-handoff.md create mode 100644 docs/release-checklist.md create mode 100644 docs/release-notes.md create mode 100644 docs/security-review.md diff --git a/.codex/project.md b/.codex/project.md index 2bcb2de69..cb334a541 100644 --- a/.codex/project.md +++ b/.codex/project.md @@ -32,3 +32,10 @@ cargo clippy --package theseus ``` Full app packaging may require platform-specific Tauri dependencies. + +## Kit Application Notes + +- `AGENTS.md` intentionally preserves the upstream `CLAUDE.md` handoff while adding Modrinth Plus and Gitea workflow-loop rules. +- README blueprint generation is not enabled because the upstream Modrinth README should remain authoritative. +- Release dry-run automation is deferred until desktop packaging commands and artifact names are finalized. +- Template compliance is enabled on push to keep Codex context files present and placeholder-free. diff --git a/.gitea/workflows/template-compliance.yml b/.gitea/workflows/template-compliance.yml new file mode 100644 index 000000000..be6a16d10 --- /dev/null +++ b/.gitea/workflows/template-compliance.yml 
@@ -0,0 +1,85 @@ +name: Codex Template Compliance + +on: + push: + branches: + - main + - master + pull_request: + workflow_dispatch: + +jobs: + template-compliance: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Check required Codex files + shell: bash + run: | + missing=0 + + required_files=( + "AGENTS.md" + ".codex/project.md" + "README.md" + ) + + recommended_files=( + "SECURITY.md" + "CHANGELOG.md" + "docs/agent-handoff.md" + ) + + for file in "${required_files[@]}"; do + if [ ! -f "$file" ]; then + echo "Missing required Codex file: $file" + missing=1 + fi + done + + for file in "${recommended_files[@]}"; do + if [ ! -f "$file" ]; then + echo "Recommended Codex file not found: $file" + fi + done + + if [ "$missing" -eq 1 ]; then + exit 1 + fi + + - name: Check unresolved placeholders + shell: bash + run: | + found=0 + paths=(AGENTS.md README.md SECURITY.md CHANGELOG.md .codex docs blueprint.md blueprint.json) + pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|AUTHOR_NAME|PROJECT_STACK|DOWNLOAD_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND|README_COMMAND|INSTALL_COMMAND|DEV_COMMAND|PACKAGE_MANAGER|PROJECT_VERSION' + + for path in "${paths[@]}"; do + [ -e "$path" ] || continue + if grep -RInE --exclude-dir=.git "$pattern" "$path"; then + found=1 + fi + done + + if [ "$found" -eq 1 ]; then + echo "Unresolved template placeholders found. Replace real values or mark genuinely unknown values as PENDING." + exit 1 + fi + + - name: Check workflow baseline + shell: bash + run: | + echo "Detected Gitea workflows:" + find .gitea/workflows -maxdepth 1 -type f -name '*.yml' -print 2>/dev/null || true + + - name: Compliance guidance + shell: bash + run: | + cat <<'EOF' + Codex template compliance check completed. + + This workflow verifies agent context and template hygiene. It does + not change files automatically. + EOF 
diff --git a/AGENTS.md b/AGENTS.md index 681311eb9..b658f9394 120000 --- a/AGENTS.md +++ b/AGENTS.md @@ -1 +1,31 @@ -CLAUDE.md \ No newline at end of file +# Agent Instructions + +Start by reading `CLAUDE.md`; it contains the upstream Modrinth monorepo rules. +This fork adds Modrinth Plus work on top of those rules. + +## Repository Rules + +- Preserve upstream Modrinth structure and style unless a Modrinth Plus feature requires a focused change. +- Keep desktop app work in the existing app boundaries: `apps/app-frontend`, `apps/app`, and `packages/app-lib`. +- Do not commit secrets, `.env` files with private values, private keys, certificates, or tokens. +- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata and Actions run status. Never print, commit, or store the token. +- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point. + +## Commands + +Use upstream commands where possible: + +```bash +pnpm install +pnpm --filter @modrinth/app-frontend run lint +cargo fmt --check +cargo clippy --package theseus +``` + +If local Node/Rust toolchains are unavailable, use the Gitea runner as the authoritative verification loop. + +## Security Notes + +- Connected Library supports public HTTPS raw manifest URLs only in v1. +- Keep private Git repository authentication out of Connected Library until token storage is designed. +- Document new external network calls in `docs/security-review.md`. diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..c44e8746f --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,9 @@ +# Changelog + +All notable Modrinth Plus changes are documented here. + +## Unreleased + +- Added Connected Library for public Git-hosted `modrinth-plus.json` modpack manifests. +- Added Gitea Actions verification for the Modrinth Plus fork. +- Added Codex repository context and release/security documentation. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..52cc83598 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,25 @@ +# Contributing + +This repository is a Modrinth fork. Read upstream `CLAUDE.md` before changing code. + +## Development + +Use the existing monorepo commands and package boundaries. Prefer small, focused commits. + +```bash +pnpm install +pnpm --filter @modrinth/app-frontend run lint +cargo fmt --check +cargo clippy --package theseus +``` + +## Pull Request Readiness + +- Keep the working tree clean. +- Run the cheapest local checks available. +- Push and watch Gitea Actions until the workflow succeeds. +- Document skipped checks when local toolchains are unavailable. + +## Security + +Do not commit private tokens, credentials, signing keys, or local secrets. Use repository or organization secrets for CI. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..052c05202 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,22 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| --- | --- | +| Latest `main` | Yes | + +## Reporting A Vulnerability + +Report security issues privately to the project owner. + +Do not include secrets, production data, private repository URLs, or credentials in public issues. + +## Project Security Principles + +- Keep secrets out of the repository. +- Prefer local processing for user data. +- Document external network calls. +- Keep release artifacts reproducible through CI. +- Run dependency and workflow checks before releases. +- Connected Library v1 must use public HTTPS manifest and `.mrpack` URLs only. 
diff --git a/docs/agent-handoff.md b/docs/agent-handoff.md new file mode 100644 index 000000000..eba1c9e60 --- /dev/null +++ b/docs/agent-handoff.md @@ -0,0 +1,36 @@ +# Agent Handoff + +Use this file when a task spans multiple sessions, has unresolved follow-up work, or changes release behavior. + +## Current State + +Modrinth Plus is a fork of the upstream Modrinth monorepo with an initial Connected Library feature. + +## Changes Made + +- Added Connected Library backend, Tauri commands, UI, and SQLite migration. +- Added Gitea runner workflow for app frontend and Rust checks. +- Added Codex repository baseline documentation. + +## Verification + +| Check | Result | +| --- | --- | +| `git diff --check` | Passes locally | +| Gitea Actions | Must be polled after every workflow-triggering push | +| Local `pnpm` checks | Depends on local toolchain availability | +| Local `cargo` checks | Depends on local toolchain availability | + +## Open Questions + +- Final release artifact names and packaging flow are not fixed. +- Private Connected Library repository authentication is out of scope for v1. + +## Next Steps + +- Keep the Gitea workflow loop running until the current pushed commit succeeds. +- Expand Connected Library tests after local or CI toolchain issues are resolved. + +## Risks + +- Connected Library update semantics currently preserve local user state and may leave removed pack files in place until stricter sync behavior is designed. diff --git a/docs/release-checklist.md b/docs/release-checklist.md new file mode 100644 index 000000000..1fa9f354a --- /dev/null +++ b/docs/release-checklist.md 
@@ -0,0 +1,35 @@ +# Release Checklist + +## Version + +- [ ] Version number updated. +- [ ] Changelog updated. +- [ ] Release notes updated. + +## Quality + +- [ ] Working tree is clean. +- [ ] Gitea Actions build workflow succeeds. +- [ ] Frontend lint passes. +- [ ] Rust format and clippy pass. +- [ ] Known skipped checks are documented. + +## Security + +- [ ] Security review is current. +- [ ] No secrets are committed. +- [ ] Connected Library external URLs are documented. +- [ ] Private repo authentication remains disabled unless explicitly designed. + +## Artifacts + +- [ ] Desktop app artifact names are known. +- [ ] Installer or archive output paths are documented. +- [ ] Download links work if release artifacts are published. + +## Release + +- [ ] Git tag created only when explicitly requested. +- [ ] Release notes written. +- [ ] Release published only when explicitly requested. +- [ ] Post-release install/update smoke test completed. diff --git a/docs/release-notes.md b/docs/release-notes.md new file mode 100644 index 000000000..057ddeb9e --- /dev/null +++ b/docs/release-notes.md @@ -0,0 +1,30 @@ +# Modrinth Plus Unreleased + +## Downloads + +Release artifacts are not published yet. + +## Highlights + +- Connected Library can track public Git-hosted modpack manifests. +- Per-pack auto-update can be enabled after a pack is connected. +- Gitea Actions are used as the verification runner. + +## Security + +- Dependency audit: pending runner/toolchain confirmation. +- Secret handling: no tokens are stored by Connected Library v1. +- External network calls: public HTTPS manifest and `.mrpack` downloads. + +## Verification + +| Check | Result | +| --- | --- | +| Gitea Actions build | Must pass before release | +| Frontend lint | Covered by Gitea build workflow | +| Rust clippy | Covered by Gitea build workflow | +| Artifact download | Pending release packaging | + +## Notes + +This fork is not release-ready until packaging and artifact names are finalized. 
diff --git a/docs/security-review.md b/docs/security-review.md new file mode 100644 index 000000000..e12578eb5 --- /dev/null +++ b/docs/security-review.md @@ -0,0 +1,55 @@ +# Security Review + +## Scope + +Project: + +```text +Modrinth Plus +``` + +Reviewed version or commit: + +```text +main +``` + +## Code Patterns Checked + +- [ ] No `eval`. +- [ ] No dynamic `Function` constructor. +- [ ] No unsafe HTML injection. +- [ ] No unexpected shell execution. +- [x] External network calls documented for Connected Library. +- [x] No private Connected Library credentials are persisted in v1. +- [x] Connected Library requires HTTPS manifest and `.mrpack` URLs. + +## Dependency Review + +Command: + +```bash +pnpm --filter @modrinth/app-frontend run lint +cargo clippy --package theseus +``` + +Result: + +```text +Pending successful Gitea Actions run. +``` + +## Runtime Review + +- [x] Connected Library manifests are stored locally in SQLite. +- [x] Connected Library auto-update is disabled by default. +- [x] `GITEA_TOKEN` is only for local agent API checks, not runtime app use. +- [ ] Full Tauri runtime permission review pending. + +## Release Notes + +Known residual risks: + +```text +Connected Library update behavior is conservative and does not yet implement strict removed-file sync. +```
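Review bot: the last bullet added to `.codex/project.md` ("Template compliance is enabled on push") understates the triggers; the workflow added in this same patch also runs on `pull_request` and `workflow_dispatch`. State all three here so the kit notes match the workflow, or trim the workflow's `on:` block to match the note.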
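Review bot: in `.gitea/workflows/template-compliance.yml`, `uses: actions/checkout@v4` references a mutable tag; pin it to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot change what runs on every push and pull request. Two smaller points in the same hunk: the placeholder step scans `README.md`, which `.codex/project.md` says is kept authoritative from upstream, so an upstream README that ever contains one of the uppercase tokens in `pattern` (for example `PACKAGE_NAME` in an install snippet) would fail this fork's CI on a file the fork does not own; and the pattern has no word boundaries, so `grep -RInE` also matches longer identifiers that merely contain a placeholder name. Anchoring the alternatives with `\b` (or using `grep -w`) and either excluding `README.md` or accepting that dependency explicitly would tighten the check.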
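Review bot: the `AGENTS.md` hunk replaces the symlink target `CLAUDE.md` with 31 lines of markdown but keeps mode `120000` in the index line (`index 681311eb9..b658f9394 120000`), so applying this patch leaves `AGENTS.md` a symlink whose link target is the markdown text rather than a regular file. The diff needs `old mode 120000` / `new mode 100644` lines (or a delete of the symlink plus a `new file mode 100644` create) so the file lands as regular content. Separately, the `GITEA_TOKEN` rule ("use it only for read-only Gitea API checks") is enforced only by the agent reading it; issue that token with read-only scopes in Gitea so the restriction holds regardless of what the agent does.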
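Review bot: `SECURITY.md` tells reporters to "Report security issues privately to the project owner" without naming a channel, so a reporter has no address, private-issue link or key to use. Add the concrete contact (or mark it `PENDING`, which is the convention the placeholder check in this same patch asks for) and state an expected acknowledgement window; a reporting policy that cannot be acted on does not help the people it is written for.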
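Review bot: the "Dependency Review" section of `docs/security-review.md` lists `pnpm --filter @modrinth/app-frontend run lint` and `cargo clippy --package theseus` as its command, but neither lint nor clippy examines dependency versions or advisories; name the actual audit commands (for instance `pnpm audit` and `cargo audit`, or whatever the fork settles on) or leave the block as `PENDING` so the release checklist's "Security review is current" item is not satisfied by a lint run. Also, the code-pattern and runtime checks record that Connected Library requires HTTPS manifest and `.mrpack` URLs but say nothing about integrity of the downloaded `.mrpack` (for example whether the manifest pins a hash of the archive); record that as checked or as a residual risk next to the removed-file sync note.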