# Agent Instructions

## Project

dockge-image-update-checker: Companion service that checks Dockge stack images for newer registry digests.

## Repository Rules

- Prefer small, dependency-light changes. The service intentionally uses Node built-ins for Docker Engine and registry access.
- Keep stack scanning read-only. Updating or redeploying stacks is out of scope unless explicitly requested.
- Do not commit secrets, `.env` files, private keys, certificates, registry tokens, or Gitea tokens.
- Check `git status --short` before editing and before finishing. Preserve unrelated user changes.
- Keep `.codex/project.md` aligned with command and architecture changes.

## Commands

```bash
npm test
npm run build
npm run check
```

## Security Notes

- The service needs read access to the Dockge stacks directory and the Docker socket.
- Registry credentials are not stored by the service. Public registry checks use anonymous token flows.
- Mounting `/var/run/docker.sock` is powerful. Run this only on hosts where that operational tradeoff is acceptable.

## Finish Checklist

- `git diff --check` passes.
- `npm test` passes.
- `npm run build` passes.