Expand §11 TLS/PKI with the concrete host cert paths, file modes, and the
ACL-for-service-accounts pattern. Document the 24h cert expiry and the
continuous step.service renewal so implementations don't assume certs are
stable. Add the standard systemd .path/.service reload pair for services
that need to re-read certs without restart.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

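
The .path/.service reload pair referred to above, as an added example (this is not code from the commit or from the guidance repo it edits). It is written as a deploy.sh-style shell helper that writes the two units; the service name `myapp`, the certificate directory `/etc/myapp/tls` and the `UNIT_DIR` override are assumptions for illustration. It relies on `myapp.service` defining `ExecReload=`, since `systemctl reload` has nothing to do otherwise.

```shell
#!/bin/sh
# Added example: install a systemd .path/.service pair that reloads a service
# whenever the step renewal loop rewrites its host certificate.
# Assumptions (not from the repo): the service is "myapp", its certs live in
# /etc/myapp/tls, and UNIT_DIR can be overridden to exercise this in a scratch dir.
set -eu

install_cert_reload_units() {
  svc=$1                      # systemd service to reload, e.g. myapp
  cert_dir=$2                 # directory the renewer rewrites, e.g. /etc/myapp/tls
  unit_dir=${UNIT_DIR:-/etc/systemd/system}

  # The .path unit watches the directory, not a single file, so a renewer that
  # writes a temp file and renames it into place still triggers; PathChanged=
  # fires on close-after-write and on rename/create inside the directory.
  cat >"$unit_dir/$svc-cert-reload.path" <<EOF
[Unit]
Description=Watch $cert_dir for renewed certificates ($svc)

[Path]
PathChanged=$cert_dir
Unit=$svc-cert-reload.service

[Install]
WantedBy=multi-user.target
EOF

  # The .service unit is a oneshot that asks the main service to re-read its
  # certs via its ExecReload= (typically SIGHUP). Without an ExecReload= the
  # service would need ExecStart=/usr/bin/systemctl restart instead.
  cat >"$unit_dir/$svc-cert-reload.service" <<EOF
[Unit]
Description=Reload $svc after certificate renewal
After=$svc.service

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl reload $svc.service
EOF

  # Only touch the running systemd when writing into the live unit directory.
  if [ "$unit_dir" = /etc/systemd/system ]; then
    systemctl daemon-reload
    systemctl enable --now "$svc-cert-reload.path"
  fi
}
```

Because the certificates expire after 24h and are renewed continuously, the reload path fires on every renewal, so the reload handler in the service must be cheap and must not drop in-flight connections; a service that cannot reload has to accept a restart on each renewal instead.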
Carve out the agent-instruction files as exceptions to the lowercase-readme
convention — their all-caps naming is what tooling expects and what makes
them visible in a file listing. Also document that agents can modify these
files on their own judgement; diffs get reviewed so drift is caught
downstream.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Add guidance in generic.md §12 that readme files (and other conventional
top-level docs: license, changelog, contributing) should be named in
lowercase, not shouty all-caps. Update all README.md references in
generic.md and rename this repo's own README.md to match.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Migrations are sequentially numbered and frozen once committed. Editing an
already-landed migration causes checksum divergence and migration-runner
failures at deploy time — new changes must go in new files. Call this out
explicitly so contributors don't quietly break a service by "fixing" a
prior migration in place.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Projects with a Postgres dependency typically expose an MCP server scoped
to their database(s). Call this out so agents know to verify schema and
query shapes against the real database rather than guessing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Note that new projects default to the self-hosted Gitea instance at
git.lair.cafe (git.internal on the WireGuard mesh), that legacy projects
on GitHub/GitLab are being migrated as they come up for refactor, and
that relocated repos should carry a prominent pointer to the new URL.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The "web/" folder name in §4 was being read as a required convention, but
projects routinely use ui/, dashboard/, or admin/ instead — and may have
more than one frontend in the same repo. Document the common names, note
that each frontend is an independent Vite app, and add guidance on sharing
types across multiple frontends.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Document Conventional Commits as the required syntax and spell out when
agentic contributors should commit without approval vs. hold off. The
concern is commit-history pollution from speculative attempts, not the
autonomy itself — a clean commit that ends a thread of work doesn't need
an approval prompt.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Introduce a README that frames this repo as living, cross-project
architectural guidance — required reading for human and agentic
contributors to any project under my control. Explains what's here,
how to use it, and how it evolves.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The infrastructure uses only the default zone created at OS install
(FedoraServer on servers, FedoraWorkstation on workstations). Remove the
aspirational internal/wg zone guidance and have deploy.sh resolve the
default zone via firewall-cmd --get-default-zone on the target.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

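
Resolving the default zone on the target instead of hardcoding one, as an added example of what such a deploy.sh step can look like (this is not the repository's own deploy.sh). The `remote` wrapper and the `REMOTE` variable are assumptions introduced so the logic can be run offline with a stub standing in for ssh; the host and service names are illustrative.

```shell
#!/bin/sh
# Added example: deploy.sh helper that asks the target which firewalld zone is
# the default and opens a named service there, rather than assuming a zone name.
# Assumption (not from the repo): REMOTE names the command used to run things on
# the target; it defaults to ssh and can point at a stub function for offline runs.
set -eu

remote() {
  # $1 is the target host, the remaining arguments are the command to run there
  host=$1; shift
  ${REMOTE:-ssh} "$host" "$@"
}

resolve_default_zone() {
  host=$1
  zone=$(remote "$host" firewall-cmd --get-default-zone) || return 1
  # firewall-cmd prints exactly one zone name (FedoraServer, FedoraWorkstation,
  # ...). Anything else means firewalld is not running or the output is not
  # what we expect; refuse rather than guess, because acting on a wrong zone
  # either leaves the service closed or opens it somewhere unintended.
  case $zone in
    ''|*[!A-Za-z0-9_-]*)
      echo "unexpected default-zone output from $host: '$zone'" >&2
      return 1 ;;
  esac
  printf '%s\n' "$zone"
}

open_service_in_default_zone() {
  host=$1; service=$2
  zone=$(resolve_default_zone "$host")
  # --permanent records the rule on disk; --reload applies it to the running firewall
  remote "$host" firewall-cmd --permanent --zone="$zone" --add-service="$service"
  remote "$host" firewall-cmd --reload
}
```

`--add-service` expects a named firewalld service definition to exist on the target, so the service's own definition has to be installed before this step runs; the hardened habit is to open the named service rather than a bare port number, which keeps the zone's rule set self-describing.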
Expand generic.md with detailed guidance on service account creation via
systemd-sysusers, named firewalld service definitions, and SELinux policy
management. Update deploy.sh responsibilities, asset layout, and conventions
summary to reflect the new requirements.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>