first commit

files/AGENTS.md

@@ -0,0 +1,48 @@
+# Agent Instructions
+
+## Project
+
+PROJECT_NAME: PROJECT_DESCRIPTION
+
+## Repository Rules
+
+- Prefer existing project patterns over new abstractions.
+- Keep changes scoped to the user's request.
+- Do not commit secrets, `.env` files, private keys, certificates, or tokens.
+- Do not rewrite history or run destructive git commands unless explicitly requested.
+- Do not create a release unless explicitly requested.
+
+## Commands
+
+Use these commands when available:
+
+```bash
+LINT_COMMAND
+TEST_COMMAND
+BUILD_COMMAND
+AUDIT_COMMAND
+```
+
+If a command is missing, inspect the project and document the closest safe alternative in `.codex/project.md`.
+
+## Artifacts
+
+Expected artifact output:
+
+```text
+ARTIFACT_OUTPUT_DIRECTORY
+```
+
+Expected artifact names:
+
+```text
+ARTIFACT_NAME
+```
+
+## Security Notes
+
+- Review `docs/security-review.md` before release work.
+- Treat generated credentials and config files as sensitive.
+- Keep external network calls documented.
+- Prefer local processing for user data.
+

files/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project are documented here.
+
+## Unreleased
+
+- Initial project setup.
+

files/SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --- | --- |
+| Latest | Yes |
+
+## Reporting A Vulnerability
+
+Please report security issues privately to the project owner.
+
+Do not include secrets, production data, or private credentials in public issues.
+
+## Project Security Principles
+
+- Keep secrets out of the repository.
+- Prefer local processing for user data.
+- Document external network calls.
+- Keep release artifacts reproducible through CI.
+- Run dependency audits before releases.
+

files/blueprint.json

@@ -0,0 +1,30 @@
+{
+  "ids": {
+    "github": "REPOSITORY_OWNER/REPOSITORY_NAME"
+  },
+  "badges": [
+    {
+      "alt": "Build",
+      "img": "https://img.shields.io/badge/build-Gitea%20Runner-2563eb",
+      "url": "https://git.wilkensxl.de/REPOSITORY_OWNER/REPOSITORY_NAME/actions"
+    },
+    {
+      "alt": "Version",
+      "img": "https://img.shields.io/badge/version-0.1.0-111827",
+      "url": "https://git.wilkensxl.de/REPOSITORY_OWNER/REPOSITORY_NAME/releases"
+    }
+  ],
+  "headingPrefix": {
+    "1": "",
+    "2": ""
+  },
+  "line": "rainbow",
+  "templates": [
+    {
+      "name": "section-line",
+      "template": "<p align=\"center\"><img src=\"https://raw.githubusercontent.com/andreasbm/readme/master/assets/lines/rainbow.png\" alt=\"-----------------------------------------------------\" width=\"100%\"></p>"
+    }
+  ],
+  "text": "PROJECT_DESCRIPTION"
+}
+

files/blueprint.md

@@ -0,0 +1,76 @@
+{{ template:title }}
+
+{{ template:badges }}
+
+{{ template:section-line }}
+{{ template:table-of-contents }}
+
+{{ template:section-line }}
+## Overview
+
+PROJECT_DESCRIPTION
+
+{{ template:section-line }}
+## Features
+
+| Area | Description |
+| --- | --- |
+| Core | Describe the main project capability |
+| Workflow | Describe the primary user or developer workflow |
+| Build | Describe how artifacts are produced |
+| Security | Describe the default security posture |
+
+{{ template:section-line }}
+## Installation
+
+```bash
+INSTALL_COMMAND
+```
+
+{{ template:section-line }}
+## Development
+
+```bash
+DEV_COMMAND
+LINT_COMMAND
+TEST_COMMAND
+BUILD_COMMAND
+```
+
+{{ template:section-line }}
+## Downloads
+
+| Variant | Download |
+| --- | --- |
+| Latest artifact | [Download latest](DOWNLOAD_URL) |
+
+Private repositories may require an active session or a token with package read access.
+
+{{ template:section-line }}
+## Security
+
+Security posture:
+
+| Area | State |
+| --- | --- |
+| Secrets | Secrets must not be committed |
+| Dependency audit | CI should run the project dependency audit |
+| User data | User data should stay local unless explicitly documented |
+| External services | Network calls should be documented |
+
+See `SECURITY.md` and `docs/security-review.md`.
+
+{{ template:section-line }}
+## Release
+
+Release readiness is tracked in `docs/release-checklist.md`.
+
+{{ template:section-line }}
+## Project Info
+
+| Field | Value |
+| --- | --- |
+| Author | `AUTHOR_NAME` |
+| Repository | `REPOSITORY_OWNER/REPOSITORY_NAME` |
+| Stack | `PROJECT_STACK` |
+| README workflow | Blueprint workflow based on `andreasbm/readme` |

files/build-gitea.yml

@@ -0,0 +1,78 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Replace this runtime setup block with the stack this project uses.
+      # Examples:
+      # - Node: actions/setup-node@v4
+      # - Python: actions/setup-python@v5
+      # - Go: actions/setup-go@v5
+      # - Rust: dtolnay/rust-toolchain@stable
+      - name: Setup runtime
+        run: echo "Configure PROJECT_STACK runtime here"
+
+      - name: Install dependencies
+        run: INSTALL_COMMAND
+
+      - name: Audit dependencies
+        run: AUDIT_COMMAND
+
+      - name: Lint
+        run: LINT_COMMAND
+
+      - name: Test
+        run: TEST_COMMAND
+
+      - name: Build
+        run: BUILD_COMMAND
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: PROJECT_NAME-artifacts
+          path: |
+            ARTIFACT_OUTPUT_DIRECTORY/**
+
+      - name: Publish latest package
+        if: ${{ env.REGISTRY_TOKEN != '' }}
+        shell: bash
+        run: |
+          app_version="PROJECT_VERSION"
+          package_version="${app_version}-${GITHUB_SHA::7}"
+          latest_url="https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/latest"
+
+          for artifact in ARTIFACT_OUTPUT_DIRECTORY/*; do
+            [ -f "$artifact" ] || continue
+            file_name="$(basename "$artifact")"
+
+            curl --fail-with-body \
+              --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
+              --upload-file "$artifact" \
+              "https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/${package_version}/${file_name}"
+          done
+
+          curl --silent --show-error --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
+
+          for artifact in ARTIFACT_OUTPUT_DIRECTORY/*; do
+            [ -f "$artifact" ] || continue
+            file_name="$(basename "$artifact")"
+
+            curl --fail-with-body \
+              --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
+              --upload-file "$artifact" \
+              "${latest_url}/${file_name}"
+          done

files/project.md

@@ -0,0 +1,72 @@
+# Codex Project Notes
+
+## Project
+
+`PROJECT_NAME` is `PROJECT_DESCRIPTION`
+
+Repository:
+
+```text
+REPOSITORY_OWNER/REPOSITORY_NAME
+```
+
+## Commands
+
+Use these commands as the source of truth:
+
+```text
+LINT_COMMAND
+TEST_COMMAND
+BUILD_COMMAND
+AUDIT_COMMAND
+README_COMMAND
+```
+
+If a command does not exist, document the closest safe alternative. Do not invent commands that cannot run.
+
+## Stack
+
+```text
+PROJECT_STACK
+```
+
+Package manager or build tool:
+
+```text
+PACKAGE_MANAGER
+```
+
+## Build Artifacts
+
+Release artifacts are produced in:
+
+```text
+ARTIFACT_OUTPUT_DIRECTORY
+```
+
+Expected files:
+
+```text
+ARTIFACT_NAME
+```
+
+## Security Rules
+
+- Do not commit secrets, tokens, `.env` files, certificates, or private keys.
+- Treat generated credentials as sensitive.
+- Prefer local generation and local processing for user data.
+- Keep dependency audit results visible in CI where possible.
+- Do not add external network calls unless the feature explicitly requires them.
+
+## Release Rules
+
+Before a release:
+
+1. run the release checklist,
+2. verify CI is green,
+3. verify download links,
+4. update README and changelog,
+5. create a tag,
+6. create the release.
+
+Do not create releases unless the user explicitly asks for a release.

files/release-checklist.md

@@ -0,0 +1,36 @@
+# Release Checklist
+
+## Version
+
+- [ ] Version number updated.
+- [ ] Changelog updated.
+- [ ] README regenerated if blueprint files changed.
+
+## Quality
+
+- [ ] Working tree is clean.
+- [ ] Lint/type checks pass.
+- [ ] Tests pass or missing tests are documented.
+- [ ] Build succeeds in CI.
+
+## Security
+
+- [ ] Security review is current.
+- [ ] Dependency audit is clean or documented.
+- [ ] No secrets are committed.
+- [ ] Release artifacts do not contain local config files.
+
+## Artifacts
+
+- [ ] Artifacts are uploaded.
+- [ ] Download links work.
+- [ ] Package registry links work if used.
+- [ ] Installer/portable/archive naming is clear.
+
+## Release
+
+- [ ] Git tag created.
+- [ ] Release notes written.
+- [ ] Release published.
+- [ ] Post-release download smoke test completed.
+

files/security-review.md

@@ -0,0 +1,54 @@
+# Security Review
+
+## Scope
+
+Project:
+
+```text
+PROJECT_NAME
+```
+
+Reviewed version or commit:
+
+```text
+COMMIT_OR_VERSION
+```
+
+## Code Patterns Checked
+
+- [ ] No `eval`.
+- [ ] No dynamic `Function` constructor.
+- [ ] No unsafe HTML injection.
+- [ ] No unexpected shell execution.
+- [ ] No unexpected external network calls.
+- [ ] No secrets committed.
+- [ ] No unsafe file writes outside expected user-selected paths.
+
+## Dependency Review
+
+Command:
+
+```bash
+AUDIT_COMMAND
+```
+
+Result:
+
+```text
+PENDING
+```
+
+## Runtime Review
+
+- [ ] Least-privilege runtime configuration.
+- [ ] External URLs documented.
+- [ ] Local data storage documented.
+- [ ] Sensitive data is not persisted unless explicitly required.
+
+## Release Notes
+
+Known residual risks:
+
+```text
+None documented yet.
+```