/* mod-forgejo-login.css — mod-id-only login policy (not cosmetic — separate file from
   mod-forgejo.css on purpose, since that file's charter is "cosmetic only, never touches
   forms/behaviour"). Every mod sub-app authenticates through mod-id (Authelia OIDC) only;
   this hides Forgejo's local username/password form on /user/login so the OAuth2 button is
   the only option shown, and gives that button the mod-id key mark instead of Forgejo's
   generic OpenID icon. Deliberately NOT scoped to [data-theme^="company-"] — this is a policy,
   not a skin choice, so it stays in force under any built-in Forgejo theme too.

   Config-level backing (ops-aios/docker-compose.yml): ALLOW_ONLY_EXTERNAL_REGISTRATION=true +
   SHOW_REGISTRATION_BUTTON=false already block local signup. This closes the remaining gap —
   the local sign-in form for pre-existing local accounts (e.g. the initial admin) was still
   shown. That account still works if visited directly; it's just off the default menu.

   Selectors verified live against https://code.originium.xyz/user/login (2026-07-16):
     form.ui.form[action="/user/login"]   — the local username/password form
     .divider.divider-text                — the "or" divider between local form and OAuth
     .ui.attached.segment.header.top      — the "Forgot password?" footer segment
     #oauth2-login-navigator a.oauth-login-link.openidConnect — the mod-id sign-in button
   Re-verify after any Forgejo image bump (structure can change between major versions). */

.page-content.user.signin form.ui.form[action="/user/login"],
.page-content.user.signin .ui.attached.segment > .divider.divider-text,
.page-content.user.signin .ui.attached.segment.header.top {
  display: none !important;
}

/* ---- OAuth2 button: swap Forgejo's generic OpenID mark for the mod-id key, relabel ---- */
#oauth2-login-navigator a.oauth-login-link.openidConnect {
  position: relative;
  font-size: 0; /* collapses the raw text node "Sign in with authelia" (source Name field) */
}
#oauth2-login-navigator a.oauth-login-link.openidConnect svg {
  display: none !important;
}
#oauth2-login-navigator a.oauth-login-link.openidConnect::before {
  content: "";
  display: inline-block;
  width: 22px;
  height: 22px;
  margin-right: 0.5rem;
  vertical-align: middle;
  background: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 46 46'%3E%3Cg fill='none' stroke='%23e08768' stroke-width='4' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='16' cy='17' r='7'/%3E%3Cpath d='M21 22 L35 36'/%3E%3Cpath d='M31 32 L35 28'/%3E%3Cpath d='M27 28 L31 24'/%3E%3C/g%3E%3C/svg%3E") center/contain no-repeat;
}
#oauth2-login-navigator a.oauth-login-link.openidConnect::after {
  content: "Sign in with mod-id";
  font-size: 1rem;
  vertical-align: middle;
}
