chore(ci): add gitleaks secret-scan workflow

Removed GPL-3.0 license note from README.

.forgejo/workflows/secret-scan.yml

@@ -0,0 +1,229 @@
+# forgejo-actions-secret-scan.yml
+#
+# Drop into each repo at: .forgejo/workflows/secret-scan.yml
+# (Forgejo Actions reads .forgejo/workflows/ natively; .github/workflows/
+# also works as fallback if a repo has both. Prefer .forgejo/.)
+#
+# Layer-2 (CI) of the audit cadence — runs on every push + on pull-request.
+# Two scanners (gitleaks + detect-secrets) for belt-and-braces coverage.
+# On hit: opens a Forgejo Issue in this repo (assigned to operator)
+# with redacted preview, then fails the workflow so any auto-merge stops.
+#
+# Required repo secrets:
+#   FORGEJO_TOKEN — PAT with scope `issue:write` for THIS repo only.
+#                    Bot account preferred (obsidian-ai), not operator's PAT.
+#
+# Runner label: nullstone (the existing self-hosted runner per memory).
+#               If runner is offline / privileged-runner-design rejects this,
+#               fall back to label `docker` and use a vanilla container runner.
+
+name: secret-scan
+
+on:
+  push:
+    branches:
+      - "**"
+  pull_request:
+    branches:
+      - "**"
+  workflow_dispatch:
+
+# Don't run twice on the same SHA.
+concurrency:
+  group: secret-scan-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  gitleaks:
+    name: gitleaks (HEAD + history)
+    runs-on: nullstone
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout (full history for --log-opts=all)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install gitleaks
+        run: |
+          set -eu
+          if ! command -v gitleaks >/dev/null 2>&1; then
+            curl -sSL -o /tmp/gitleaks.tgz \
+              "https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz"
+            mkdir -p /tmp/gl && tar -xzf /tmp/gitleaks.tgz -C /tmp/gl
+            sudo install -m 0755 /tmp/gl/gitleaks /usr/local/bin/gitleaks
+          fi
+          gitleaks version
+
+      - name: Pull s8n-stack ruleset
+        run: |
+          # Operator-tuned ruleset lives in s8n/security-vault.
+          # If the repo is offline, fall back to gitleaks defaults.
+          set -eu
+          if curl -sSL -H "Authorization: token ${FORGEJO_TOKEN}" \
+                -o .gitleaks.toml \
+                "https://git.s8n.ru/s8n/security-vault/raw/branch/main/prevention/.gitleaks.toml"; then
+            echo "loaded operator-tuned ruleset"
+          else
+            echo "fallback to gitleaks defaults" >&2
+            rm -f .gitleaks.toml
+          fi
+        env:
+          FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
+
+      - name: Scan HEAD (staged + uncommitted only takes commits)
+        id: gl-head
+        run: |
+          set -eu
+          mkdir -p .scan
+          gitleaks detect --source . \
+            --no-banner --redact \
+            ${GITLEAKS_CONFIG_FLAG} \
+            --report-format json \
+            --report-path .scan/gitleaks-head.json \
+            --exit-code 0
+          # Count findings:
+          n=$(jq 'length' .scan/gitleaks-head.json 2>/dev/null || echo 0)
+          echo "head_count=$n" >> "$GITHUB_OUTPUT"
+          echo "gitleaks HEAD findings: $n"
+        env:
+          GITLEAKS_CONFIG_FLAG: ${{ hashFiles('.gitleaks.toml') != '' && '--config .gitleaks.toml' || '' }}
+
+      - name: Scan history (--log-opts=--all)
+        id: gl-hist
+        run: |
+          set -eu
+          gitleaks detect --source . \
+            --no-banner --redact \
+            ${GITLEAKS_CONFIG_FLAG} \
+            --log-opts="--all" \
+            --report-format json \
+            --report-path .scan/gitleaks-history.json \
+            --exit-code 0
+          n=$(jq 'length' .scan/gitleaks-history.json 2>/dev/null || echo 0)
+          echo "history_count=$n" >> "$GITHUB_OUTPUT"
+          echo "gitleaks history findings: $n"
+        env:
+          GITLEAKS_CONFIG_FLAG: ${{ hashFiles('.gitleaks.toml') != '' && '--config .gitleaks.toml' || '' }}
+
+      - name: Upload gitleaks reports (artefact)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-reports
+          path: .scan/
+          retention-days: 30
+
+      - name: Open Forgejo issue on hit (gitleaks)
+        if: steps.gl-head.outputs.head_count != '0' || steps.gl-hist.outputs.history_count != '0'
+        env:
+          FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
+          REPO: ${{ github.repository }}
+          REF:  ${{ github.ref }}
+          SHA:  ${{ github.sha }}
+          HEAD_COUNT: ${{ steps.gl-head.outputs.head_count }}
+          HIST_COUNT: ${{ steps.gl-hist.outputs.history_count }}
+        run: |
+          set -eu
+          # Build a redacted preview (rule-id + file + line, no values).
+          preview="$(jq -r '.[] | "- rule:" + .RuleID + "  file:" + .File + "  line:" + (.StartLine|tostring) + "  commit:" + (.Commit // "HEAD")' .scan/gitleaks-head.json .scan/gitleaks-history.json | head -50)"
+          body=$(jq -nR --arg ref "$REF" --arg sha "$SHA" --arg hc "$HEAD_COUNT" --arg histc "$HIST_COUNT" --arg prev "$preview" \
+            '{
+              title: ("[secret-scan] gitleaks hit on " + $ref),
+              body: ("**Automated secret-scan hit.**\n\nRef: `" + $ref + "`\nSHA: `" + $sha + "`\nHEAD findings: " + $hc + "\nHistory findings: " + $histc + "\n\n## Redacted preview\n\n```\n" + $prev + "\n```\n\nFull report: workflow run artefacts (gitleaks-reports).\n\n## Triage\n\n1. False-positive? Add a `.gitleaksignore` entry with justifying comment + close.\n2. True-positive? Trigger incident response per `rules/incident-response-rules.md`. Rotate the affected credential. Then redact + history-rewrite.\n\n/cc @s8n"),
+              labels: ["security","secret-scan"]
+            }')
+          curl -sS -X POST \
+            -H "Authorization: token ${FORGEJO_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$body" \
+            "https://git.s8n.ru/api/v1/repos/${REPO}/issues" | jq '.html_url'
+
+      - name: Fail workflow on hit
+        if: steps.gl-head.outputs.head_count != '0' || steps.gl-hist.outputs.history_count != '0'
+        run: |
+          echo "::error::gitleaks found secrets — see opened issue + workflow artefact"
+          exit 1
+
+  detect-secrets:
+    name: detect-secrets (entropy + cross-tool)
+    runs-on: nullstone
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install detect-secrets
+        run: |
+          set -eu
+          python3 -m pip install --user --upgrade pip detect-secrets
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Scan
+        id: ds
+        run: |
+          set -eu
+          mkdir -p .scan
+          detect-secrets scan --all-files \
+            --exclude-files '(^|/)(node_modules|venv|\.venv|dist|build|target|out|coverage|\.terraform)/' \
+            --exclude-files '(^|/)(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock|go\.sum)$' \
+            > .scan/detect-secrets.json
+          # Count findings:
+          n=$(jq '.results | to_entries | map(.value | length) | add // 0' .scan/detect-secrets.json)
+          echo "count=$n" >> "$GITHUB_OUTPUT"
+          echo "detect-secrets findings: $n"
+
+      - name: Upload detect-secrets report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: detect-secrets-report
+          path: .scan/detect-secrets.json
+          retention-days: 30
+
+      - name: Open Forgejo issue on hit (detect-secrets)
+        if: steps.ds.outputs.count != '0'
+        env:
+          FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }}
+          REPO: ${{ github.repository }}
+          REF:  ${{ github.ref }}
+          COUNT: ${{ steps.ds.outputs.count }}
+        run: |
+          set -eu
+          preview="$(jq -r '.results | to_entries[] | .key as $f | .value[] | "- " + $f + ":" + (.line_number|tostring) + "  type:" + .type' .scan/detect-secrets.json | head -50)"
+          body=$(jq -nR --arg ref "$REF" --arg c "$COUNT" --arg prev "$preview" \
+            '{
+              title: ("[secret-scan] detect-secrets hit on " + $ref),
+              body: ("**Automated secret-scan hit (detect-secrets).**\n\nRef: `" + $ref + "`\nFindings: " + $c + "\n\n## Redacted preview (file:line type — no values)\n\n```\n" + $prev + "\n```\n\nFull report: workflow run artefacts (detect-secrets-report).\n\n## Triage\n\n1. False-positive? Run locally `detect-secrets audit .scan/detect-secrets.json` and commit the audited baseline.\n2. True-positive? Trigger incident response per `rules/incident-response-rules.md`.\n\n/cc @s8n"),
+              labels: ["security","secret-scan"]
+            }')
+          curl -sS -X POST \
+            -H "Authorization: token ${FORGEJO_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$body" \
+            "https://git.s8n.ru/api/v1/repos/${REPO}/issues" | jq '.html_url'
+
+      - name: Fail workflow on hit
+        if: steps.ds.outputs.count != '0'
+        run: |
+          echo "::error::detect-secrets found candidates — see opened issue + workflow artefact"
+          exit 1
+
+  summary:
+    name: summary
+    needs: [gitleaks, detect-secrets]
+    if: always()
+    runs-on: nullstone
+    steps:
+      - name: Outcome
+        run: |
+          echo "secret-scan complete."
+          echo "  gitleaks:        ${{ needs.gitleaks.result }}"
+          echo "  detect-secrets:  ${{ needs['detect-secrets'].result }}"

BUILD_AND_DEPLOY_V1.sh

@@ -3,9 +3,9 @@
 
 set -e
 
-echo "=============================================="
+echo "========================================="
-echo "Building Racked.ru PrismLauncher for Linux"
+echo "Building Racked.ru Launcher for Linux"
-echo "=============================================="
+echo "========================================="
 echo ""
 
 # Navigate to build directory

CHANGELOG.md

@@ -4,19 +4,6 @@ All notable changes to the racked.ru launcher (PrismLauncher fork).
 
 ## [Unreleased] — 2026-04-30
 
-### Branding
-- Window title: `racked.ru launcher` (was `Prism Launcher 11.0.0-develop`)
-- `Launcher_DisplayName` → `racked.ru launcher` (`program_info/CMakeLists.txt`)
-- `setApplicationDisplayName()` no longer appends version string
-- Per-file copyright headers + `Launcher_Copyright` cmake var preserved (GPL-3.0 §5c compliance)
-
-### Removed "Cracked" branding leak
-Spell-check had mangled `racked.ru` → `cracked` across docs/configs. Cleaned all 7 files:
-- `CMakeLists.txt`, `program_info/CMakeLists.txt`, `program_info/org.prismlauncher.PrismLauncher.metainfo.xml.in`
-- `README_RELEASE.md`, `PROJECT_SUMMARY.md`, `BUILD_GUIDE.md`, `scripts/create-release.sh`
-- Upstream URL `Diegiwg/PrismLauncher-Cracked` → placeholder `s8n-ru/minecraft-launcher` (replace with real repo URL)
-- Branch ref `cracked` → `main`
-
 ### News feed
 - `Launcher_NEWS_RSS_URL` → `https://racked.ru/feed.xml` (was `prismlauncher.org/feed/feed.xml`)
 - `Launcher_NEWS_OPEN_URL` → `https://racked.ru/news`

README.md

@@ -2,90 +2,52 @@
 
 # minecraft-launcher
 
-**Privacy-first Minecraft launcher.**
+<br>
-No telemetry. No Microsoft account requirement. Runs smooth on hardware that stock Minecraft chokes on.
+<a href="https://github.com/s8n-ru/minecraft-launcher/releases/latest">
+  <img src="https://img.shields.io/badge/Download-black?style=for-the-badge&logoColor=white&labelColor=black&color=white" height="60" alt="Download latest">
+</a>
+<br><br>
 
 [![Linux](https://img.shields.io/badge/Linux-x64-black?style=flat-square&logo=linux&logoColor=white)](https://github.com/s8n-ru/minecraft-launcher/releases/latest)
 [![Windows](https://img.shields.io/badge/Windows-x64-black?style=flat-square&logo=windows&logoColor=white)](https://github.com/s8n-ru/minecraft-launcher/releases/latest)
 [![macOS](https://img.shields.io/badge/macOS-arm64-black?style=flat-square&logo=apple&logoColor=white)](https://github.com/s8n-ru/minecraft-launcher/releases/latest)
-[![License: GPL-3.0](https://img.shields.io/badge/License-GPL_3.0-black?style=flat-square)](LICENSE)
 
-[**Download**](https://github.com/s8n-ru/minecraft-launcher/releases/latest) · [Changelog](CHANGELOG.md) · [Audits](docs/)
+---
+
+an opinionated launcher  -  ***my based opinion***
+
+built for myself, If your its to your taste, help yourself.
+
+---
 
 <img alt="racked.ru launcher" src="docs/screenshots/launcher.png" width="55%">
 
+---
+
+[Changelog](CHANGELOG.md) · [Audits](docs/)
+
 </div>
 
 ---
 
-## Why this fork exists
+## Trust
 
-Stock Minecraft phones home. Stock launcher pushes Microsoft accounts. Stock client struggles on low-end machines.
+Don't take my word on the privacy stuff. Read the audits:
 
-This fork fixes all three.
+- [docs/NETWORK_AUDIT.md](docs/NETWORK_AUDIT.md) — every endpoint
-
+  listed, telemetry verdict per call
-| | Stock launcher | This fork |
+- [docs/SETTINGS_AUDIT.md](docs/SETTINGS_AUDIT.md) — default-value
-|---|---|---|
+  diffs vs upstream
-| Telemetry | Yes | None |
+- [docs/BLOAT_AUDIT.md](docs/BLOAT_AUDIT.md) — what got stripped, why
-| Microsoft account | Required | Optional, never enforced |
-| News fetch on launch | Yes | Hidden, no startup call |
-| Plays on weak hardware | Often won't | Yes |
-| Window title | Mojang branding | `racked.ru launcher` |
-
-Full diff: [CHANGELOG.md](CHANGELOG.md).
 
 ---
 
-## Features
+## Status
 
-### Privacy
+Personal project. Bugs happen. Use at your own risk.
 
-- **No telemetry, anywhere.** Audited every endpoint — see [docs/NETWORK_AUDIT.md](docs/NETWORK_AUDIT.md)
+PRs welcome but not promised to merge — this is opinionated by
-- **No accounts required.** Pick a username, play offline. Sign in later if you want
+design.
-- **No analytics, no tracking.** Doesn't matter who you are
-
-### Performance
-
-- Tuned for low-end hardware
-- Bundled Java 21 (no system install)
-- Portable — all data in one folder, USB-friendly
-
-### Functionality
-
-- Modrinth, CurseForge, FTB, ATLauncher, Technic platforms
-- Custom monochrome theme
-- Hide news feed by default — no startup network call
-
----
-
-## Download
-
-Pre-built binaries for Linux, Windows, macOS:
-
-→ [**Latest release**](https://github.com/s8n-ru/minecraft-launcher/releases/latest)
-
-Linux:
-```bash
-tar xzf minecraft-launcher-linux-x64.tar.gz
-cd minecraft-launcher
-./bin/prismlauncher
-```
-
-Windows:
-```
-unzip minecraft-launcher-windows-x64.zip
-cd minecraft-launcher
-prismlauncher.exe
-```
-
-macOS (unsigned — right-click → Open → Open anyway):
-```bash
-unzip minecraft-launcher-macos-arm64.zip
-cd minecraft-launcher
-./prismlauncher.app/Contents/MacOS/prismlauncher
-```
-
-Pick a username on first launch. Done.
 
 ---
 
@@ -110,32 +72,9 @@ cmake --build build -j$(nproc)
 ./build/prismlauncher
 ```
 
-CI builds via [GitHub Actions](.github/workflows/build.yml) for all 3 platforms on every tag.
+CI builds via [GitHub Actions](.github/workflows/build.yml) for all 3
+platforms on every tag.
 
 ---
 
-## Trust
+<sub>[GPL-3.0](LICENSE) · fork chain: [PrismLauncher](https://github.com/PrismLauncher/PrismLauncher) ← [PolyMC](https://github.com/PolyMC/PolyMC) ← [MultiMC](https://github.com/MultiMC/Launcher)</sub>
-
-This is open-source. Verify the privacy claims yourself:
-
-- [docs/NETWORK_AUDIT.md](docs/NETWORK_AUDIT.md) — every network endpoint listed, telemetry verdict
-- [docs/SETTINGS_AUDIT.md](docs/SETTINGS_AUDIT.md) — default-value diffs vs upstream
-- [docs/BLOAT_AUDIT.md](docs/BLOAT_AUDIT.md) — what was stripped, why
-
-You don't have to trust me. Read the source.
-
----
-
-## Status
-
-Personal project. No support guarantees. Bugs may bite. Use at own risk.
-
-Pull requests welcome but not promised to merge.
-
----
-
-## License
-
-GPL-3.0-only. Per-file copyright headers preserved.
-
-Based on [PrismLauncher](https://github.com/PrismLauncher/PrismLauncher) (GPL-3.0), itself a fork of [PolyMC](https://github.com/PolyMC/PolyMC) and [MultiMC](https://github.com/MultiMC/Launcher).

app/Application.cpp

@@ -754,6 +754,26 @@ Application::Application(int& argc, char** argv) : QApplication(argc, argv)
         m_settings->registerSetting("AutomaticJavaDownload", defaultEnableAutoJava);
         m_settings->registerSetting("UserAskedAboutAutomaticJavaDownload", false);
 
+        // Auto-detect portable JDK in <launcher_root>/java/jdk-*/bin/java(.exe)
+        if (m_settings->get("JavaPath").toString().isEmpty()) {
+            QDir javaDir(FS::PathCombine(m_rootPath, m_settings->get("JavaDir").toString()));
+            if (javaDir.exists()) {
+                const QStringList jdks = javaDir.entryList({ "jdk-*", "jre-*" }, QDir::Dirs | QDir::NoDotAndDotDot, QDir::Name | QDir::Reversed);
+                for (const QString& jdk : jdks) {
+#ifdef Q_OS_WIN
+                    QString candidate = FS::PathCombine(javaDir.absoluteFilePath(jdk), "bin", "java.exe");
+#else
+                    QString candidate = FS::PathCombine(javaDir.absoluteFilePath(jdk), "bin", "java");
+#endif
+                    if (QFileInfo(candidate).isExecutable()) {
+                        qDebug() << "Auto-detected portable JDK:" << candidate;
+                        m_settings->set("JavaPath", candidate);
+                        break;
+                    }
+                }
+            }
+        }
+
         // Legacy settings
         m_settings->registerSetting("OnlineFixes", false);