diff --git a/.gitea/workflows/build-publish.yml b/.gitea/workflows/build-publish.yml index 2928f7f..77c344f 100644 --- a/.gitea/workflows/build-publish.yml +++ b/.gitea/workflows/build-publish.yml @@ -1,20 +1,3 @@ -# ============================================================================= -# build-and-publish (multi-distro matrix) -# -# Builds twiy as a Debian .deb for each target distro in parallel: -# - trixie (Debian 13) -> uploaded to NEXUS_REPO_TRIXIE -# - raccoon (Ubuntu 26.04 LTS) -> uploaded to NEXUS_REPO_RACCOON -# -# Each matrix job spins up a Docker container of the target distro on the -# Gitea runner host, builds nginx + modules INSIDE the container so apt deps -# and ldd resolution match what end users have, then uploads the resulting -# .deb to that distro's Nexus apt-hosted repository. -# -# Required repository secrets: -# NEXUS_USER, NEXUS_PASS, NEXUS_URL (shared) -# NEXUS_REPO_TRIXIE (Debian 13 target) -# NEXUS_REPO_RACCOON (Ubuntu 26.04 target) -# ============================================================================= name: build-and-publish on: @@ -24,10 +7,8 @@ on: jobs: build: - # Runner is just a docker host; build OS is determined by matrix.image. runs-on: ubuntu-22.04 strategy: - # If trixie fails, still finish raccoon (and vice versa) — surface both. fail-fast: false matrix: target: [trixie, raccoon] @@ -51,16 +32,12 @@ jobs: run: | set -euo pipefail mkdir -p dist - # The whole compile + .deb assembly happens inside the target distro - # container. Output is dropped into ./dist/ (mounted from the runner) - # so the publish step on the host can grab it. sudo docker run --rm \ -v "$PWD:/repo" \ -w /repo \ -e TARGET="$TARGET" \ "$IMAGE" \ bash -euxc ' - # build script handles its own apt-get install (per-distro list) touch /.dockerenv bash build/${TARGET}.sh new bash build/${TARGET}.sh build 
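Review bot: Removing the header in the first hunk drops what is, as far as the visible hunks show, the only in-file list of the credentials this workflow consumes, which is what someone auditing or rotating them needs. I would keep at least `# Secrets: NEXUS_USER, NEXUS_PASS, NEXUS_URL, NEXUS_REPO_TRIXIE, NEXUS_REPO_RACCOON` above `name:`. The same point applies to the later hunks of this file: the comments removed at `sudo docker run`, `VERSION=`, the `mkdir -p` of the temp directories, the `ldd` loop and `OLD_ID=` each explained a non-obvious decision (build inside the target image, the revision scheme, the postinst ownership change, the best-effort replacement of the prior component). A one-line why-comment at each of those places would preserve that without restoring the full blocks.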
@@ -68,22 +45,10 @@ jobs: PKG_NAME="twiy" NGINX_VER="$(nginx -v 2>&1 | awk -F/ "{print \$2}")" - # Append CI run number AND target so each rebuild is a strictly- - # greater Debian revision. Without this, `apt upgrade twiy` would - # be a no-op when upstream nginx hasnt moved, so packaging fixes - # wouldnt reach users who already have the package installed. - # The ~target suffix keeps trixie/raccoon versions distinct in - # case any introspection ever compares them. VERSION="${NGINX_VER}-${GITHUB_RUN_NUMBER:-1}~${TARGET}" ARCH="amd64" PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}" DEB_DIR="${PKG_DIR}/DEBIAN" - - # The *_temp dirs under /usr/local/nginx are nginxs compiled-in - # defaults for client_body / proxy / fastcgi / uwsgi / scgi temp - # storage (no --http-*-temp-path was passed to ./configure). They - # must exist before `nginx -t` runs, so we ship them empty in the - # .deb and the postinst chowns them to the nginx user. mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \ "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \ "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \ 
@@ -100,14 +65,9 @@ jobs: cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/" cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true - - # Bundle every shared library nginx links against. ldd resolves - # against THIS containers libraries (not the runner host) so the - # .deb gets the correct per-distro libs. for lib in $(ldd /usr/sbin/nginx | grep "=> /" | awk "{print \$3}"); do cp "$lib" "${PKG_DIR}/usr/lib/" || true done - # ---- DEBIAN/control -------------------------------------------- mkdir -p "${DEB_DIR}" cat > "${DEB_DIR}/control" < "$SECDIR/netrc" unset NEXUS_USER NEXUS_PASS - - # Replace the prior version of this same package in this same repo, - # if any. Best-effort: missing prior is not an error. (apt-hosted - # repos in Nexus retain every upload otherwise.) OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \ "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \ | PKG_NAME="$PKG_NAME" python3 -c '
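Review bot: In the `for lib in $(ldd /usr/sbin/nginx …)` loop, `cp "$lib" "${PKG_DIR}/usr/lib/" || true` discards a failed copy, so the job can go on to package and upload a .deb that lacks a shared library nginx links against. Presumably this runs in the same `bash -euxc` script opened in the earlier hunk, in which case the `|| true` is what defeats `-e` here; dropping it, `cp "$lib" "${PKG_DIR}/usr/lib/"`, makes the build stop instead. The two `cp -R … || true` lines above the loop may be deliberately optional, and a short `# optional: absent on some targets` would say so now that the surrounding comments are gone. The enclosing script starts before this hunk and continues after it.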