boma/AGENTS.md
sjat 37cece9dbd Add ADR-010 (Forgejo integration) and rbw-unlocked pre-flight convention
ADR-010: API tokens as least-privilege managed secrets, declarative-first (no
click-ops), automation boundary, planned trunk-based CI. CLAUDE.md/AGENTS.md:
check 'rbw unlocked' before vault-dependent tasks (incl. commits) rather than
failing partway.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 21:34:07 +02:00


# Guidance for AI coding agents

**Read `CLAUDE.md` first — it is the authoritative, detailed guide for this repo.**
This file exists so that non-Claude tools find the same rules; `CLAUDE.md` is
canonical. Also read **`STATUS.md`** to learn what actually exists versus what is
only designed — much of the ADR-described design is not built yet.

## Non-negotiables (full detail in CLAUDE.md)

- **Verify before claiming done.** Run `make lint` and the relevant `make check` /
`make test`, and report the real output. Never assert success you haven't observed.
- **Never edit generated files** (e.g. `inventories/*/hosts.yml`). Edit the source
(`terraform/environments/<env>/main.tf`) and regenerate with `make tf-inventory`.
Generated files carry a header saying so.
- **Secrets only in `vault.yml`** files — never plaintext elsewhere. The master
vault password comes from Vaultwarden via `rbw`; never print or commit it.
- **No `make deploy` / `make tf-apply`** without running `make check` / `make tf-plan`
first and showing the output.
- **Before deleting or overwriting a file you did not create, read it first** and
surface what you find rather than proceeding blind.
- **Check `STATUS.md`** before assuming a role, provider, or pipeline exists.
- **Git**: `main` must always work; branch for sweeping changes. Commit your work in
logical units with imperative ≤72-char subjects and a `Co-Authored-By` trailer.
- **Vault access**: before a task needing a Vaultwarden secret (`make deploy`,
`make check`, `make encrypt`, `make decrypt`, or any `git commit` — the hook decrypts
`vault.yml`), run `rbw unlocked`; if locked, ask the user to `rbw unlock` first
rather than failing partway.
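The pre-flight convention above, as an added shell example (not code from the boma repo): it classifies a command as vault-dependent using the list in this file, checks `rbw unlocked` before running it, and asks for `rbw unlock` instead of failing partway. `RBW_BIN` is a hypothetical override (defaults to `rbw`) so the check can be exercised without a live Vaultwarden session.

```shell
#!/bin/sh
# Added example, not part of the boma repo. Assumes `rbw unlocked` exits 0 when
# the vault is unlocked and non-zero when it is locked (the convention AGENTS.md
# relies on). RBW_BIN is a hypothetical override used only for testing.

# Decide whether a command needs the vault master password.
# Returns 0 (needs vault) for the cases listed in AGENTS.md, 1 otherwise.
needs_vault() {
    case "$1 $2" in
        "make deploy"|"make check"|"make encrypt"|"make decrypt") return 0 ;;
        "git commit") return 0 ;;   # the commit hook decrypts vault.yml
        *) return 1 ;;
    esac
}

# Verify the rbw vault is unlocked. Prints a one-line instruction for the user
# and returns 1 if it is locked, so the caller stops before starting the task.
vault_preflight() {
    rbw_bin="${RBW_BIN:-rbw}"
    if ! command -v "$rbw_bin" >/dev/null 2>&1; then
        echo "pre-flight: '$rbw_bin' not found; cannot read Vaultwarden secrets" >&2
        return 1
    fi
    if "$rbw_bin" unlocked >/dev/null 2>&1; then
        return 0
    fi
    echo "pre-flight: rbw vault is locked; run 'rbw unlock' first, then retry" >&2
    return 1
}

# Run a command, applying the pre-flight check only when the command needs
# the vault. Usage: run_guarded make deploy
run_guarded() {
    if needs_vault "$1" "$2"; then
        vault_preflight || return 1
    fi
    "$@"
}
```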