Apply updated Codex repository kit

.codex/project.md

@@ -32,3 +32,10 @@ cargo clippy --package theseus
 ```
 
 Full app packaging may require platform-specific Tauri dependencies.
+
+## Kit Application Notes
+
+- `AGENTS.md` intentionally preserves the upstream `CLAUDE.md` handoff while adding Modrinth Plus and Gitea workflow-loop rules.
+- README blueprint generation is not enabled because the upstream Modrinth README should remain authoritative.
+- Release dry-run automation is deferred until desktop packaging commands and artifact names are finalized.
+- Template compliance is enabled on push to keep Codex context files present and placeholder-free.

.gitea/workflows/template-compliance.yml

@@ -0,0 +1,85 @@
+name: Codex Template Compliance
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  template-compliance:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check required Codex files
+        shell: bash
+        run: |
+          missing=0
+
+          required_files=(
+            "AGENTS.md"
+            ".codex/project.md"
+            "README.md"
+          )
+
+          recommended_files=(
+            "SECURITY.md"
+            "CHANGELOG.md"
+            "docs/agent-handoff.md"
+          )
+
+          for file in "${required_files[@]}"; do
+            if [ ! -f "$file" ]; then
+              echo "Missing required Codex file: $file"
+              missing=1
+            fi
+          done
+
+          for file in "${recommended_files[@]}"; do
+            if [ ! -f "$file" ]; then
+              echo "Recommended Codex file not found: $file"
+            fi
+          done
+
+          if [ "$missing" -eq 1 ]; then
+            exit 1
+          fi
+
+      - name: Check unresolved placeholders
+        shell: bash
+        run: |
+          found=0
+          paths=(AGENTS.md README.md SECURITY.md CHANGELOG.md .codex docs blueprint.md blueprint.json)
+          pattern='PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY|AUTHOR_NAME|PROJECT_STACK|DOWNLOAD_URL|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND|AUDIT_COMMAND|README_COMMAND|INSTALL_COMMAND|DEV_COMMAND|PACKAGE_MANAGER|PROJECT_VERSION'
+
+          for path in "${paths[@]}"; do
+            [ -e "$path" ] || continue
+            if grep -RInE --exclude-dir=.git "$pattern" "$path"; then
+              found=1
+            fi
+          done
+
+          if [ "$found" -eq 1 ]; then
+            echo "Unresolved template placeholders found. Replace real values or mark genuinely unknown values as PENDING."
+            exit 1
+          fi
+
+      - name: Check workflow baseline
+        shell: bash
+        run: |
+          echo "Detected Gitea workflows:"
+          find .gitea/workflows -maxdepth 1 -type f -name '*.yml' -print 2>/dev/null || true
+
+      - name: Compliance guidance
+        shell: bash
+        run: |
+          cat <<'EOF'
+          Codex template compliance check completed.
+
+          This workflow verifies agent context and template hygiene. It does
+          not change files automatically.
+          EOF

AGENTS.md

@@ -1 +1,31 @@
-CLAUDE.md
+# Agent Instructions
+
+Start by reading `CLAUDE.md`; it contains the upstream Modrinth monorepo rules.
+This fork adds Modrinth Plus work on top of those rules.
+
+## Repository Rules
+
+- Preserve upstream Modrinth structure and style unless a Modrinth Plus feature requires a focused change.
+- Keep desktop app work in the existing app boundaries: `apps/app-frontend`, `apps/app`, and `packages/app-lib`.
+- Do not commit secrets, `.env` files with private values, private keys, certificates, or tokens.
+- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata and Actions run status. Never print, commit, or store the token.
+- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point.
+
+## Commands
+
+Use upstream commands where possible:
+
+```bash
+pnpm install
+pnpm --filter @modrinth/app-frontend run lint
+cargo fmt --check
+cargo clippy --package theseus
+```
+
+If local Node/Rust toolchains are unavailable, use the Gitea runner as the authoritative verification loop.
+
+## Security Notes
+
+- Connected Library supports public HTTPS raw manifest URLs only in v1.
+- Keep private Git repository authentication out of Connected Library until token storage is designed.
+- Document new external network calls in `docs/security-review.md`.

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+All notable Modrinth Plus changes are documented here.
+
+## Unreleased
+
+- Added Connected Library for public Git-hosted `modrinth-plus.json` modpack manifests.
+- Added Gitea Actions verification for the Modrinth Plus fork.
+- Added Codex repository context and release/security documentation.

CONTRIBUTING.md

@@ -0,0 +1,25 @@
+# Contributing
+
+This repository is a Modrinth fork. Read upstream `CLAUDE.md` before changing code.
+
+## Development
+
+Use the existing monorepo commands and package boundaries. Prefer small, focused commits.
+
+```bash
+pnpm install
+pnpm --filter @modrinth/app-frontend run lint
+cargo fmt --check
+cargo clippy --package theseus
+```
+
+## Pull Request Readiness
+
+- Keep the working tree clean.
+- Run the cheapest local checks available.
+- Push and watch Gitea Actions until the workflow succeeds.
+- Document skipped checks when local toolchains are unavailable.
+
+## Security
+
+Do not commit private tokens, credentials, signing keys, or local secrets. Use repository or organization secrets for CI.

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| Latest `main` | Yes |
+
+## Reporting A Vulnerability
+
+Report security issues privately to the project owner.
+
+Do not include secrets, production data, private repository URLs, or credentials in public issues.
+
+## Project Security Principles
+
+- Keep secrets out of the repository.
+- Prefer local processing for user data.
+- Document external network calls.
+- Keep release artifacts reproducible through CI.
+- Run dependency and workflow checks before releases.
+- Connected Library v1 must use public HTTPS manifest and `.mrpack` URLs only.

docs/agent-handoff.md

@@ -0,0 +1,36 @@
+# Agent Handoff
+
+Use this file when a task spans multiple sessions, has unresolved follow-up work, or changes release behavior.
+
+## Current State
+
+Modrinth Plus is a fork of the upstream Modrinth monorepo with an initial Connected Library feature.
+
+## Changes Made
+
+- Added Connected Library backend, Tauri commands, UI, and SQLite migration.
+- Added Gitea runner workflow for app frontend and Rust checks.
+- Added Codex repository baseline documentation.
+
+## Verification
+
+| Check | Result |
+| --- | --- |
+| `git diff --check` | Passes locally |
+| Gitea Actions | Must be polled after every workflow-triggering push |
+| Local `pnpm` checks | Depends on local toolchain availability |
+| Local `cargo` checks | Depends on local toolchain availability |
+
+## Open Questions
+
+- Final release artifact names and packaging flow are not fixed.
+- Private Connected Library repository authentication is out of scope for v1.
+
+## Next Steps
+
+- Keep the Gitea workflow loop running until the current pushed commit succeeds.
+- Expand Connected Library tests after local or CI toolchain issues are resolved.
+
+## Risks
+
+- Connected Library update semantics currently preserve local user state and may leave removed pack files in place until stricter sync behavior is designed.

docs/release-checklist.md

@@ -0,0 +1,35 @@
+# Release Checklist
+
+## Version
+
+- [ ] Version number updated.
+- [ ] Changelog updated.
+- [ ] Release notes updated.
+
+## Quality
+
+- [ ] Working tree is clean.
+- [ ] Gitea Actions build workflow succeeds.
+- [ ] Frontend lint passes.
+- [ ] Rust format and clippy pass.
+- [ ] Known skipped checks are documented.
+
+## Security
+
+- [ ] Security review is current.
+- [ ] No secrets are committed.
+- [ ] Connected Library external URLs are documented.
+- [ ] Private repo authentication remains disabled unless explicitly designed.
+
+## Artifacts
+
+- [ ] Desktop app artifact names are known.
+- [ ] Installer or archive output paths are documented.
+- [ ] Download links work if release artifacts are published.
+
+## Release
+
+- [ ] Git tag created only when explicitly requested.
+- [ ] Release notes written.
+- [ ] Release published only when explicitly requested.
+- [ ] Post-release install/update smoke test completed.

docs/release-notes.md

@@ -0,0 +1,30 @@
+# Modrinth Plus Unreleased
+
+## Downloads
+
+Release artifacts are not published yet.
+
+## Highlights
+
+- Connected Library can track public Git-hosted modpack manifests.
+- Per-pack auto-update can be enabled after a pack is connected.
+- Gitea Actions are used as the verification runner.
+
+## Security
+
+- Dependency audit: pending runner/toolchain confirmation.
+- Secret handling: no tokens are stored by Connected Library v1.
+- External network calls: public HTTPS manifest and `.mrpack` downloads.
+
+## Verification
+
+| Check | Result |
+| --- | --- |
+| Gitea Actions build | Must pass before release |
+| Frontend lint | Covered by Gitea build workflow |
+| Rust clippy | Covered by Gitea build workflow |
+| Artifact download | Pending release packaging |
+
+## Notes
+
+This fork is not release-ready until packaging and artifact names are finalized.

docs/security-review.md

@@ -0,0 +1,55 @@
+# Security Review
+
+## Scope
+
+Project:
+
+```text
+Modrinth Plus
+```
+
+Reviewed version or commit:
+
+```text
+main
+```
+
+## Code Patterns Checked
+
+- [ ] No `eval`.
+- [ ] No dynamic `Function` constructor.
+- [ ] No unsafe HTML injection.
+- [ ] No unexpected shell execution.
+- [x] External network calls documented for Connected Library.
+- [x] No private Connected Library credentials are persisted in v1.
+- [x] Connected Library requires HTTPS manifest and `.mrpack` URLs.
+
+## Dependency Review
+
+Command:
+
+```bash
+pnpm --filter @modrinth/app-frontend run lint
+cargo clippy --package theseus
+```
+
+Result:
+
+```text
+Pending successful Gitea Actions run.
+```
+
+## Runtime Review
+
+- [x] Connected Library manifests are stored locally in SQLite.
+- [x] Connected Library auto-update is disabled by default.
+- [x] `GITEA_TOKEN` is only for local agent API checks, not runtime app use.
+- [ ] Full Tauri runtime permission review pending.
+
+## Release Notes
+
+Known residual risks:
+
+```text
+Connected Library update behavior is conservative and does not yet implement strict removed-file sync.
+```