Apply updated Codex repository kit

AGENTS.md

@@ -1 +1,31 @@
-CLAUDE.md
+# Agent Instructions
+
+Start by reading `CLAUDE.md`; it contains the upstream Modrinth monorepo rules.
+This fork adds Modrinth Plus work on top of those rules.
+
+## Repository Rules
+
+- Preserve upstream Modrinth structure and style unless a Modrinth Plus feature requires a focused change.
+- Keep desktop app work in the existing app boundaries: `apps/app-frontend`, `apps/app`, and `packages/app-lib`.
+- Do not commit secrets, `.env` files with private values, private keys, certificates, or tokens.
+- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata and Actions run status. Never print, commit, or store the token.
+- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point.
+
+## Commands
+
+Use upstream commands where possible:
+
+```bash
+pnpm install
+pnpm --filter @modrinth/app-frontend run lint
+cargo fmt --check
+cargo clippy --package theseus
+```
+
+If local Node/Rust toolchains are unavailable, use the Gitea runner as the authoritative verification loop.
+
+## Security Notes
+
+- Connected Library supports public HTTPS raw manifest URLs only in v1.
+- Keep private Git repository authentication out of Connected Library until token storage is designed.
+- Document new external network calls in `docs/security-review.md`.