api/AGENTS.md

AGENTS.md

This repository (groombook/api) is part of the GroomBook application stack. The authoritative process, quality bar, and safety rules live in the shared groombook/org skills repository. Read those first; this file is only a pointer.

Authoritative skills

• SDLC (branching, PRs, phases, handoffs): groombook/org/skills/sdlc/SKILL.md
• Coding standards (priority ordering, PR discipline, tests, no-hardcoded-values, CalVer): groombook/org/skills/coding-standards/SKILL.md
• Safety (no plaintext secrets, no direct kubectl apply to groombook, no self-merge, board approval for destructive actions): groombook/org/skills/safety/SKILL.md

For human contributors and humans reviewing agent work, see CONTRIBUTING.md in this repo for the phase-by-phase PR flow and the uat→main merge-gate policy summary.

Non-negotiable operational rules

These mirror the org skills; they are restated here so any agent landing in this repo sees them without a cross-repo fetch.

• All changes go through a PR. Never push directly to dev, uat, or main.
• Branch strategy: feature/<name> → dev → uat → main. Engineers always target dev first.
• No self-merge contract. The engineer who opened a PR clicks merge only after the named reviewer (CI / QA / UAT / Security / CTO per phase) approves. Issue-thread QA / UAT / security approvals do not clear the Gitea required_approvals gate on uat→main — only a Gitea Approve click from a member of the approvals_whitelist_username does. On this repo that whitelist is ["gb_flea", "gb_dogfather"] (engineer team). Board-level accounts cannot give the Approve click by policy.
• Always include cc @cpfarhood at the bottom of every PR body for board visibility (not as a reviewer).
• Secrets in code are forbidden. Use Bitnami Sealed Secrets; never commit plaintext. See the safety skill.
• Production (groombook namespace) is Flux-managed. Never kubectl apply directly. Infrastructure changes go through PRs in groombook/infra.

Local development

See the repo's own README, package scripts, and CI workflow. The authoritative pipeline (Gitea Actions, image build, deploy hooks) is the shared groombook/infra overlay; do not reimplement it here.

When uncertain

If a task conflicts with the org skills, the org skills win. Open an issue in groombook/org to propose a change rather than encoding a local exception.