Align MyBlog platform positioning

.github/workflows/android-twa.yml

@@ -0,0 +1,69 @@
+name: Generate Android TWA
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - apps/android-shell/**
+      - apps/web/public/.well-known/assetlinks.json
+      - apps/web/public/manifest.webmanifest
+      - apps/web/public/sw.js
+      - apps/web/public/images/branding/**
+      - tools/generate-android-twa.mjs
+      - tools/validate-pwa-surface.mjs
+      - package.json
+      - package-lock.json
+
+permissions:
+  contents: read
+
+jobs:
+  twa:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+
+      - name: Setup Java
+        uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Validate PWA and TWA contract
+        run: npm run android:twa:validate
+
+      - name: Generate unsigned Android artifacts
+        run: npm run android:twa:build
+        env:
+          TWA_SKIP_SIGNING: "1"
+          TWA_VERSION_CODE: ${{ github.run_number }}
+          TWA_VERSION_NAME: 1.${{ github.run_number }}
+
+      - name: Upload APK
+        uses: actions/upload-artifact@v5
+        with:
+          name: myblog-twa-unsigned-apk
+          path: .runtime/android-twa/app-release-unsigned-aligned.apk
+          if-no-files-found: error
+
+      - name: Upload AAB
+        uses: actions/upload-artifact@v5
+        with:
+          name: myblog-twa-unsigned-aab
+          path: .runtime/android-twa/app/build/outputs/bundle/release/app-release.aab
+          if-no-files-found: error

.github/workflows/pages.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - feat/content-runtime-governance
   workflow_dispatch:
 
 permissions:
@@ -39,6 +40,12 @@ jobs:
         run: npm ci
         working-directory: apps/web
 
+      - name: Seed runtime content index
+        run: |
+          mkdir -p public-data/runtime apps/web/public/runtime
+          curl -fsSL https://blog.tengokukk.com/runtime/content-index.json -o public-data/runtime/content-index.json
+          cp public-data/runtime/content-index.json apps/web/public/runtime/content-index.json
+
       - name: Validate repository governance
         run: npm run check
 

.gitignore

@@ -3,10 +3,13 @@ Thumbs.db
 db.json
 *.log
 .cache/
+.runtime/
 .next/
 node_modules/
 public/
 !apps/web/public/
 !apps/web/public/**
+apps/web/public/runtime/
+public-data/runtime/
 .deploy*/
 _multiconfig.yml

AGENTS.md

@@ -0,0 +1,68 @@
+# MyBlog Agent Rules
+
+This repo inherits the global policy core at `C:\Users\ASUS-KL\.codex\policy\index.md`.
+
+
+## Required Read Order
+
+Before editing this repository, read:
+
+1. `AI_CONTEXT.md`
+2. `ARCHITECTURE.md`
+3. `SYSTEM_TOPOLOGY.md`
+4. `WORKSPACE_RUNTIME.md`
+5. `docs/operations/current-runtime-map.md`
+6. `project.json`
+7. `workspace.manifest.json`
+
+## Frontend Documentation Freshness
+
+- Any change to `apps/web/` frontend UI, interaction, reader behavior, visual system, homepage information architecture, or frontend runtime must also update the relevant Architecture Codex entry.
+- The project canonical Architecture Codex source is `apps/web/src/data/architectureCodex.ts`; public pages are `/codex/` and `/codex/[slug]/`.
+- `README.md` keeps the project contract and Codex truth layer. Do not let README and `/codex/` drift.
+- Before editing frontend files, state in commentary what is being changed, why it is being changed, and which Codex entry or README section will be refreshed.
+- If a frontend change genuinely does not affect the Codex, state that reason explicitly before editing.
+
+## Workspace Capability Governance
+
+- MyBlog supports multiple workspaces and AI worktrees; workspace existence is not authority.
+- Before deploying, run `npm run deploy:site` or at minimum `npm run check:workspace`; do not hand-run `scp` from an unchecked worktree.
+- The machine-readable workspace authority source is `workspace.manifest.json`.
+- Workspaces under `C:\Users\ASUS-KL\.codex-runtime\worktrees\*` are experimental by default: they may prototype UI, feed, drawer, visual and animation changes, but must not deploy, modify PWA authority, runtime schema or OpenList authority unless their manifest explicitly grants that capability and the guard passes.
+- The current deploy-authoritative workspace is `/srv/myblog/repo`.
+- Any change to workspace authority must update `README.md`, `project.json`, `workspace.manifest.json`, `workspaces/*.json` and the `runtime-federation` Architecture Codex entry together.
+
+## Remote IDE / Server-First Rule
+
+- Default edit root: `ubuntu@124.220.233.126:/srv/myblog/repo`.
+- Default deploy target: `ubuntu@124.220.233.126:/srv/myblog/site`.
+- Repository-local GitHub SSH key on the server: `/home/ubuntu/.ssh/myblog_source_ed25519`.
+- Do not rely on server-global GitHub credentials; `/srv/myblog/repo` must own its `core.sshCommand`.
+- `E:\My Project\MyBlog` is retired. If a local checkout exists, it is a mirror or delivery fallback only, never the canonical workspace.
+- If SSH is temporarily unavailable, do not reinterpret the local checkout as source of truth. Use GitHub delivery only as an outage fallback, then reconcile `/srv/myblog/repo` when SSH returns.
+
+## Current Codex Entries
+
+- `reader-system`
+- `runtime-architecture`
+- `frontend-runtime-archaeology`
+- `frontend-runtime-convergence`
+- `runtime-experience-layer`
+- `content-pipeline`
+- `composable-service-stack`
+- `runtime-federation`
+- `object-layer`
+- `projection-clients`
+- `knowledge-runtime`
+- `visual-system`
+- `design-language`
+- `collection-stack`
+
+## Delivery Closure Gate
+
+- Any implementation turn that modifies MyBlog source, docs, contracts, or frontend runtime must end in one of these states:
+  - verified, committed, and pushed to the appropriate remote branch
+  - explicitly blocked with the failing command, dirty files, and reason it cannot be pushed
+- Do not stop after code edits with an uncommitted worktree unless a blocker has been reported.
+- For deployable frontend changes, run the repository verification command before commit. If the change is intended for production, continue through the repository delivery path that triggers CI/CD instead of leaving changes only in the remote IDE workspace.
+- If CI/CD is branch-gated, state the branch gate and whether the pushed branch does or does not trigger deployment.

AI_CONTEXT.md

@@ -0,0 +1,74 @@
+# AI Context
+
+Before modifying MyBlog, read this file first, then read `AGENTS.md`, `project.json`, `workspace.manifest.json`, `ARCHITECTURE.md`, `SYSTEM_TOPOLOGY.md`, `WORKSPACE_RUNTIME.md`, and `docs/operations/current-runtime-map.md`.
+
+MyBlog is not a traditional blog, CMS admin panel, CRUD app, or generic Astro theme. MyBlog is a knowledge runtime surface: a public presentation shell over Obsidian file truth, server runtime projections, reader state, evidence/library surfaces, and controlled deployment authority.
+
+## Remote-First Source Rule
+
+- Default editable source root: `ubuntu@124.220.233.126:/srv/myblog/repo`.
+- GitHub repository: `https://github.com/emptyinkpot/emptyinkpot.github.io`.
+- Remote IDE / server-side workspace is `/srv/myblog/repo` on `124.220.233.126`.
+- Server GitHub auth is repo-local through `/home/ubuntu/.ssh/myblog_source_ed25519`; do not assume global server Git credentials.
+- Local Windows checkout `E:\My Project\MyBlog` is retired and must not be used as the default edit or deploy source.
+- Normal workflow: edit `/srv/myblog/repo` -> validate remotely -> commit remotely -> push to GitHub -> deploy to `/srv/myblog/site` only through the guarded deployment path.
+- Do not hand-run `scp` from an unchecked workspace to `/srv/myblog/site`.
+- If SSH is unavailable, treat it as an infrastructure outage. A local mirror can push a corrective documentation commit to GitHub, but it does not become canonical and it must not deploy.
+
+## Read Order For Architecture Work
+
+1. `README.md`
+2. `AI_CONTEXT.md`
+3. `ARCHITECTURE.md`
+4. `SYSTEM_TOPOLOGY.md`
+5. `WORKSPACE_RUNTIME.md`
+6. `docs/operations/current-runtime-map.md`
+7. `topology/SYSTEM_TOPOLOGY.md`
+8. `topology/DEPLOY_GRAPH.md`
+9. `topology/SYNC_ARCHITECTURE.md`
+10. `docs/frontend-runtime-audit.md`
+11. `docs/frontend-runtime-convergence.md`
+12. `docs/runtime-experience-layer.md`
+
+## Core Principles
+
+- Runtime-first: public pages are projections over content/runtime objects, not independent content islands.
+- Collection-as-lens: collections are context and navigation lenses, not separate CMS silos.
+- Drawer-first reading: reader flows should preserve reading continuity and avoid card-wall nesting.
+- File truth stays outside MyBlog: Obsidian/Vault files are authoring truth; MyBlog projects them.
+- Artifact-first deployment: builds, static dist, runtime JSON, Pagefind, and deployment logs are evidence.
+- Workspace authority is explicit: `workspace.manifest.json` decides whether a workspace can deploy.
+
+## Current Runtime Boundary
+
+```text
+GitHub repository
+<-> /srv/myblog/repo remote source workspace
+-> npm checks/build
+-> apps/web/dist
+-> /srv/myblog/site static runtime
+-> nginx public routes
+
+Windows Vault
+-> Linux /home/vault/Obsidian hot mirror
+-> runtime content projector
+-> /srv/myblog/site/runtime/content-index.json
+
+apps/admin-next + MySQL
+-> runtime APIs / reader memory / evidence surfaces
+```
+
+## What Not To Do
+
+- Do not restore `E:\My Project\MyBlog` as canonical source.
+- Do not deploy from `.codex-runtime` or another unchecked worktree.
+- Do not claim AppFlowy, Directus, Meilisearch, Immich, or composable-stack services are active unless runtime service evidence exists.
+- Do not treat OpenList/COS/Quark as system disk, database disk, Syncthing hot mirror, Astro dist, or Pagefind storage.
+- Do not add another bespoke sync/search/CMS engine before checking the mature-substrate policy in `project.json`.
+
+## Executable Gates
+
+- `npm run check:workspace` validates workspace authority.
+- `npm run check:governance` validates repo governance.
+- `npm run check` runs the broader static/runtime validation suite.
+- `npm run deploy:site` is the guarded static deployment path.

AI_RULES.md

@@ -0,0 +1,47 @@
+# AI_RULES
+
+Read this before editing MyBlog.
+
+MyBlog is a Knowledge Runtime Surface. It is not a traditional blog theme, CMS collection site, Notion clone, admin dashboard, or static article index.
+
+## Required Reading
+
+1. `project.frontend-runtime-contract.json`
+2. `contracts/frontend-runtime-contract.json`
+3. `contracts/runtime-authority-map.json`
+4. `contracts/object-projection-contract.json`
+5. `contracts/collection-behavior-contract.json`
+6. `philosophy/FRONTEND_DESIGN_PHILOSOPHY.md`
+7. `philosophy/RUNTIME_IDENTITY.md`
+8. `philosophy/COLLECTION_MODEL.md`
+9. `topology/SYSTEM_TOPOLOGY.md`
+10. `adr/ADR-001-collections-are-lenses-not-pages.md`
+
+## Do Not
+
+- Do not turn collections into standalone CMS pages.
+- Do not replace the homepage mixed-object masonry stream with collection grids.
+- Do not make feed tabs trigger full route navigation.
+- Do not put card walls inside reader drawers.
+- Do not destroy feed continuity when opening a collection.
+- Do not reset scroll, active filters, drawer state, or runtime context on collection open.
+- Do not make `/collections/[slug]/` the primary reading path.
+- Do not make topic collections prerender into static collection pages.
+- Do not introduce a second article truth beside Runtime MarkdownObject.
+- Do not let OpenList become CMS, database, build root, Pagefind root, or hot storage.
+
+## Preserve
+
+- Mixed object feed.
+- Runtime overlay drawer.
+- Continuous scroll context.
+- Client-side filtering.
+- Collection as lens.
+- Drawer as reading.
+- Homepage as discovery.
+- Object-first projection.
+- Runtime authority boundaries.
+
+## Core Sentence
+
+Collection is context. Drawer is reading. Homepage is discovery. Object projection is the system.

ARCHITECTURE.md

@@ -0,0 +1,61 @@
+# Architecture
+
+MyBlog is a knowledge runtime and public projection shell. It combines static Astro rendering with server-side runtime projections and controlled service integrations.
+
+## Layers
+
+| Layer | Path / Service | Responsibility |
+| --- | --- | --- |
+| Source workspace | `/srv/myblog/repo` | Remote-first editable repository workspace. |
+| Public shell | `apps/web` | Astro site, reader surfaces, homepage, collections, search pages. |
+| Admin/runtime API | `apps/admin-next` | Server APIs, reader memory, evidence/library runtime, GitHub/OpenList integration. |
+| Runtime contracts | `contracts/`, `packages/runtime-contract`, `packages/runtime-kernel` | Machine-readable runtime and frontend authority contracts. |
+| Object model | `packages/object-model` | KnowledgeObject schema and projection semantics. |
+| Design system | `packages/design-system`, `FRONTEND_DESIGN_PHILOSOPHY.md` | Interaction and visual system primitives. |
+| Static deploy output | `apps/web/dist` | Built site artifact before deployment. |
+| Production static root | `/srv/myblog/site` | Nginx-served public static site and runtime JSON directory. |
+| Vault hot mirror | `/home/vault/Obsidian` | Linux hot mirror of the authoring vault. |
+| Public file access | OpenList `/openlist/Obsidian`, COS, Quark | Public file identity and cold/blob storage surfaces. |
+
+## Runtime Flow
+
+```text
+Obsidian authoring truth
+-> Linux hot mirror
+-> runtime content projector
+-> runtime content-index JSON
+-> Astro projection shell
+-> public reader/discovery surfaces
+```
+
+Code and deployment flow:
+
+```text
+/srv/myblog/repo
+-> npm run check:workspace
+-> npm run check / npm run build
+-> apps/web/dist
+-> npm run deploy:site
+-> /srv/myblog/site
+-> nginx / blog.tengokukk.com
+```
+
+## Active Services
+
+- `myblog-admin-next.service`: admin/runtime API service.
+- `myblog-runtime-content-projector.service`: projects Linux Vault mirror into runtime JSON.
+- `myblog-runtime-sse.service`: emits runtime content-index updates.
+- `nginx.service`: public reverse proxy/static server.
+
+Known inactive/problem state:
+
+- `syncthing@ubuntu.service` is currently failed and must be repaired before claiming hot mirror sync is healthy.
+- AppFlowy, Directus, Meilisearch, Immich, and composable-stack are target/skeleton services unless separately verified.
+
+## Authority Boundaries
+
+- GitHub owns long-term Git history and collaboration.
+- `/srv/myblog/repo` owns active edits and deploy-authoritative builds.
+- `/srv/myblog/site` is runtime output, not source.
+- `/srv/myblog/source` is legacy/server-side source copy and must not be treated as the canonical editable repository.
+- `E:\My Project\MyBlog` is retired and must not be used as default source.