# Agent Instructions

## Project

PROJECT_NAME: PROJECT_DESCRIPTION

## Repository Rules

- Prefer existing project patterns over new abstractions.
- Keep changes scoped to the user's request.
- Do not commit secrets, `.env` files, private keys, certificates, or tokens.
- Do not rewrite history or run destructive git commands unless explicitly requested.
- Do not create a release unless explicitly requested.
- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata, package-read visibility, and Actions run status. Never print, commit, or store the token.
- After pushing commits that trigger a Gitea workflow, poll the workflow run until it succeeds or fails. If it fails or is cancelled, inspect the failing job/logs, fix the issue when in scope, push again, and repeat the workflow check loop.

## Commands

Use these commands when available:

```bash
LINT_COMMAND
TEST_COMMAND
BUILD_COMMAND
AUDIT_COMMAND
```

If a command is missing, inspect the project and document the closest safe alternative in `.codex/project.md`.

## Artifacts

Expected artifact output:

```text
ARTIFACT_OUTPUT_DIRECTORY
```

Expected artifact names:

```text
ARTIFACT_NAME
```

## Security Notes

- Review `docs/security-review.md` before release work.
- Treat generated credentials and config files as sensitive.
- Keep external network calls documented.
- Prefer local processing for user data.
- Keep CI publishing secrets in repository or organization secrets, not in tracked files. `REGISTRY_TOKEN` is the default package publishing secret name for the Gitea workflow template.