# Agent Instructions

## Project

Robocopy_Overhaul: Codex-ready repository baseline for a Robocopy overhaul project.

## Repository Rules

- Start by reading `AGENTS.md` and `.codex/project.md`.
- At task start, check for upstream repository updates and apply them with `git pull --ff-only` when the working tree is clean.
- If local changes exist, preserve them and do not overwrite user work.
- Conserve context tokens: use targeted searches and focused file reads instead of loading generated folders, dependency folders, build outputs, or full logs unless directly relevant.
- Keep changes scoped to the user's request.
- Prefer existing project patterns once application code exists.
- Do not commit secrets, `.env` files, private keys, certificates, or tokens.
- Do not rewrite history or run destructive git commands unless explicitly requested.
- Do not create a release unless explicitly requested.
- Check the working tree before editing and before finishing. Preserve unrelated user changes.
- Derive the repository owner and repository name from the target repository remote or `GITHUB_REPOSITORY`. Never reuse the owner from the template repository.
- If `GITEA_TOKEN` is available locally, use it only for read-only Gitea API checks such as private repository metadata, package-read visibility, and Actions run status. Never print, commit, or store the token.
- Use only supported Gitea Ubuntu runner labels for project builds, tests, audits, package jobs, installers, dependency setup, and releases: `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04`.
- Do not add Windows, macOS, self-hosted local-machine, or undocumented runner labels. If Windows-specific tooling appears necessary, document or implement an open-source Linux-compatible workaround for Ubuntu runners.
- Do not run heavy project commands on the user's local machine. Keep local verification limited to lightweight checks such as `rg`, JSON parsing, `git diff --check`, and read-only API status checks.
- Repository cleanup automation must be non-destructive if added later.
- Dependency, compliance, and release dry-run automation must report findings only unless the user explicitly asks for write actions.
- Create focused tracker issues for real follow-up work that is outside the current scope or independently parallelizable. If issue creation is unavailable, document the follow-up in `docs/agent-handoff.md`.

## Commands

No stack-specific commands are defined yet. When code is added, update this file and `.codex/project.md` with the real commands for:

```text
lint
test
build
audit
```

## Artifacts

No release artifact output directory is defined yet.

## Security Notes

- Review `docs/security-review.md` before release work.
- Treat generated credentials and config files as sensitive.
- Keep external network calls documented.
- Prefer local processing for user data.
- Keep CI publishing secrets in repository or organization secrets, not in tracked files.
- Exclude repository-maintenance files such as `AGENTS.md`, `.codex/`, template blueprints, template workflow files, and `docs/agent-handoff.md` from user-facing release, package, installer, archive, and upload artifacts unless explicitly requested.
- Ensure `.gitignore` covers local config, build outputs, logs, temporary files, and secret material for the detected stack.

## Finish Checklist

- `git diff --check` passes when the directory is a Git repository.
- Lightweight local validation has been run when available and safe.
- Project build, test, audit, package, and release verification runs through Gitea Actions on a supported Ubuntu runner, or the reason runner verification could not run is documented.
- README, changelog, security review, and release checklist are updated when the change touches release behavior.
- `docs/agent-handoff.md` is updated when work is interrupted, risky, or spans multiple sessions.
- Any pushed Gitea workflow has been polled to success or a concrete blocker has been reported.