# Agent Instructions

Start by reading `CLAUDE.md`; it contains the upstream Modrinth monorepo rules.
This fork adds Modrinth Plus work on top of those rules.

## Repository Rules

- Preserve upstream Modrinth structure and style unless a Modrinth Plus feature requires a focused change.
- Keep desktop app work in the existing app boundaries: `apps/app-frontend`, `apps/app`, and `packages/app-lib`.
- Do not commit secrets, `.env` files with private values, private keys, certificates, or tokens.
- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata and Actions run status. Never print, commit, or store the token.
- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop. Fixing and pushing a workflow failure is not a stopping point.

## Commands

Use upstream commands where possible:

```bash
pnpm install
pnpm --filter @modrinth/app-frontend run lint
cargo fmt --check
cargo clippy --package theseus
```

If local Node/Rust toolchains are unavailable, use the Gitea runner as the authoritative verification loop.

## Security Notes

- Connected Library supports public HTTPS raw manifest URLs only in v1.
- Keep private Git repository authentication out of Connected Library until token storage is designed.
- Document new external network calls in `docs/security-review.md`.