From 58f1e7e4588b6f66f64ea86b3af25aa22ca67ee3 Mon Sep 17 00:00:00 2001 From: bastien Date: Fri, 15 May 2026 22:21:13 +0200 Subject: [PATCH] feat(doc-syncer): README mandatory + 14-section prod-only DEPLOY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit README.md creation becomes AUTO and unconditional — strikes through any "no README" opt-out in CLAUDE.md. Enriched template: Stack, Quick start (dev), Verifying a change, Build & deploy sections, all rendered from real project data (manifest, .env.example, scripts). DEPLOY.md becomes prod-only, expanded into a 14-section VPS-deploy structure (topology, env, provisioning, two-layer firewall, Docker tuning, first-time setup, routine deploys, persistence, backups, TLS, observability, hardening, rollback, runbook). Dev quick-start lives in README only — mixed dev/prod DEPLOY.md is flagged as drift. AUTO MODE: missing README surfaced as SIGNIFICANT in STEP A4 with rendered draft for one-shot end-of-session approval. Validation gate (STEP 8) now distinguishes AUTO patches / HUMAN items / CREATE items, and README CREATE has no "no" — only yes/edit. Co-Authored-By: Claude Opus 4.7 (1M context) --- agents/doc-syncer.md | 364 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 330 insertions(+), 34 deletions(-) diff --git a/agents/doc-syncer.md b/agents/doc-syncer.md index 3c2b1c8..8d89a09 100644 --- a/agents/doc-syncer.md +++ b/agents/doc-syncer.md @@ -223,41 +223,113 @@ by STEP 5/6 if creation needed). If `README.md ∉ DOC_FILES`: -README is mandatory. Propose creation using typical GitHub layout — -include only sections relevant to detected `STACK` and -`DEPLOY_COMPLEXITY`. Use real project data (manifest name, -description, install/run commands). No placeholders. +**README is MANDATORY. Always create it — never gate on user approval.** +A repo without a README is an immediate "this looks abandoned" signal +to anyone landing on it. If the previous maintainer opted out (e.g. +`CLAUDE.md` carries an "Exceptions: No README at scaffold" line), +override that opt-out and strike through the exception in `CLAUDE.md` +during patching. -Proposed template (HUMAN approval required): +Render the template below using real project data only: +- `` ← manifest `name` (humanise: `nuit-folle` → `Nuit Folle`) +- one-line description ← manifest `description`, else first paragraph + of CLAUDE.md project overview, else "Mobile-first / web / CLI / … + project. Replace this line with a concrete pitch." (clearly flagged + as a placeholder so the user replaces it) +- feature bullets ← top-level entry points / routes / skills / CLI + commands discovered in the codebase (names + 1-line description each) +- stack list ← `STACK` detected in STEP 2 with versions from manifest +- install + run commands ← exact `npm scripts` / `pyproject.toml` / + `Cargo.toml` / `Makefile` targets (no invented commands) +- documentation cross-links ← only existing or freshly-proposed files +- license ← `LICENSE` file SPDX header if present, manifest `license` + field if present, else "Not specified — set one before public release" + (explicit gap, not a placeholder) + +The template includes a **"Quick start (dev)"** section that is the +sole user-facing entry-point for local development. Production deploy +guidance lives in `DEPLOY.md`; the README only links to it. ```markdown -# +# - + + +--- ## Features -- -- -## Quick Start +- **** — +- **** — +(infer from entry points, routes, commands, top-level modules) + +## Stack + +- (manifest) +- +- +- + +## Quick start (dev) + +Single-process, no Docker — fastest path to a running app: + \`\`\`bash - - + + \`\`\` -## Documentation -- [Install](INSTALL.md) -- [Configure](CONFIGURE.md) -- [Usage](USAGE.md) -- [Deploy](DEPLOY.md) -- [Contributing](CONTRIBUTING.md) -- [Changelog](CHANGELOG.md) + +Docker-compose dev — matches the production topology with hot reload: -## License - +\`\`\`bash + +\`\`\` + +<1-2 lines about local→backend wiring, defaults, common gotchas> + +For **production deployment** — provisioning, firewall, TLS, backups, +hardening — see [DEPLOY.md](DEPLOY.md). + +## Verifying a change + +\`\`\`bash + # only list those that actually exist in the manifest + + +\`\`\` + + + +## Build & deploy + + + + +## Documentation + +- []() (only if exists or proposed) +- [CLAUDE.md](CLAUDE.md) (only if exists) +- [DEPLOY.md](DEPLOY.md) (only if DEPLOY_COMPLEXITY == NON_TRIVIAL) +- [Contributing](CONTRIBUTING.md) (only if exists) +- [Changelog](CHANGELOG.md) (only if exists) + +## Project layout (top-level) + +\`\`\` + +\`\`\` + +## Status + + ``` -Tag overall as HUMAN — user validates before write. +Tag as **AUTO** — create on first audit. Surface the rendered README in +the validation gate before writing so the user can `edit` if needed, +but do NOT skip creation; "skip" should not be an offered option on +README bootstrap. ### STEP 6 — DEPLOY.md GATE @@ -266,8 +338,204 @@ Tag overall as HUMAN — user validates before write. | `DEPLOY_COMPLEXITY == NONE` | Skip. Don't propose DEPLOY.md. | | `DEPLOY_COMPLEXITY == TRIVIAL` AND no DEPLOY.md | Skip. Suggest one-paragraph "Deploy" section in README. HUMAN. | | `DEPLOY_COMPLEXITY == TRIVIAL` AND DEPLOY.md exists | Suggest deletion or inlining into README. HUMAN. | -| `DEPLOY_COMPLEXITY == NON_TRIVIAL` AND no DEPLOY.md | Propose creation. HUMAN. Template based on detected artifacts (Docker → image build + run + env; fly.toml → `fly deploy` + secrets; workflows → branch trigger + manual approval; k8s → kubectl apply + namespace + rollout). | -| `DEPLOY_COMPLEXITY == NON_TRIVIAL` AND DEPLOY.md exists | Apply standard drift detection (STEP 3-4). | +| `DEPLOY_COMPLEXITY == NON_TRIVIAL` AND no DEPLOY.md | Propose creation using the full prod-only template below. HUMAN approval. | +| `DEPLOY_COMPLEXITY == NON_TRIVIAL` AND DEPLOY.md exists | Apply standard drift detection (STEP 3-4). Verify the existing file covers the 14 sections below; surface missing sections as drift items. | + +**DEPLOY.md is PROD-ONLY.** Dev quick-start lives in README.md +("Quick start (dev)" section); DEPLOY.md never duplicates it. If the +existing DEPLOY.md contains a "Local development" / "Dev setup" / +similar section, flag it as drift and propose moving its content into +README.md while removing the section from DEPLOY.md. + +#### DEPLOY.md template — 14 sections (NON_TRIVIAL) + +Mirror the conventional VPS-deploy structure (reference: a Scaleway +DEV1-S walkthrough; the same shape works on any provider). Drop +sections that don't apply (e.g. "Managed DB" if the app has no DB). +Each section uses real project data (env vars from `.env.example` or +`.env`, container names from `docker-compose.yml`, scripts from +`scripts/`, ports from `Dockerfile EXPOSE` / `compose ports`). + +```markdown +# Deploy + +<1-paragraph topology summary: containers, host TLS terminator, +public ingress, internal hops.> + +--- + +## What gets deployed + +| Service | Image source | Port (host) | Role | +| ... | ... | ... | ... | + + + +--- + +## Required environment + + + +--- + +## Provision the VPS + + + +--- + +## Firewall (two layers) + +### Layer 1 — cloud provider security group + + +### Layer 2 — UFW on the VM +<`ufw default deny incoming` + allow 22/80/443 + enable.> + +--- + +## Install Docker (production-tuned) + +<`curl get.docker.com | sh`. `/etc/docker/daemon.json` with +`json-file` log driver capped (max-size + max-file) and +`live-restore: true`. Enable + restart.> + +--- + +## First-time VPS setup + + + +--- + +## Routine deploys + +<`npm run deploy` / `bash scripts/deploy.sh` flow + manual VPS-side +fallback (git fetch + reset + compose up).> + +--- + +## Data persistence + + + +--- + +## Backups (cron + retention) + +### One-shot script +<`/opt/backup-.sh` — `docker cp` volume contents, tar+gzip, +rotation by mtime, log file.> + +### Cron + + +### Off-VPS storage (optional but recommended) + + +### Restore + + +--- + +## Behind a domain + TLS reverse proxy + +### Option A — host nginx + Certbot + + +#### Security headers (Option A only) + + +### Option B — Caddy (auto-TLS, single file) + + +### Backend CORS + + +### Frontend API base URL + + +### Sanity checks + ` to +confirm internal ports are NOT publicly bound.> + +--- + +## Post-deploy hardening + +### 1. Non-root deploy user + + +### 2. Disable root + password SSH +<`sshd_config`: PermitRootLogin prohibit-password, PasswordAuthentication no.> + +### 3. (Optional) Move SSH off port 22 + + +### 4. Unattended security upgrades + + +### 5. fail2ban + + +### 6. Final lockdown check + + +--- + +## Rollback + + + +--- + +## Health checks + +` if no reverse proxy yet.> + +--- + +## Troubleshooting + +<9–10 common failures, each as a sub-section with a diagnosis recipe: +- container won't start +- 5xx from the API +- CORS rejected in browser +- 502 bad gateway from host nginx +- SSL renewal failed +- volume / data unexpectedly empty +- disk full +- restart loop +- container log explosion> + +--- + +## Operational notes + + +``` + +If `DEPLOY_COMPLEXITY == NON_TRIVIAL` AND a DEPLOY.md already exists +but is missing 3+ of these 14 sections, surface each missing section +as a separate `[HUMAN]` drift item in STEP 7 with a 1-line description +of what the section should cover for this project. Do not patch them +automatically — production deploy guidance is judgement-heavy. ### STEP 7 — REPORT @@ -320,8 +588,11 @@ Last updated: () - `[REMOVED]` — feature in docs, not in code. AUTO for list entry to delete, HUMAN if needs deprecation note. -CHANGELOG entries always HUMAN. README/DEPLOY creation always -HUMAN. +CHANGELOG entries always HUMAN. DEPLOY.md creation always HUMAN. +**README.md creation is AUTO** — always render and write, never gate +on user input. The validation gate (STEP 8) still surfaces the +rendered file so the user can edit before write, but "skip" is not an +option for README bootstrap; it is mandatory. If no drift in any doc and no missing required doc: `DOC SYNC: all docs current` and stop. @@ -332,13 +603,22 @@ If no drift in any doc and no missing required doc: DOC SYNC — VALIDATION GATE AUTO items : (Claude will patch these) HUMAN items : (listed above for review) -CREATE items : (README/DEPLOY proposals) +CREATE items : + - README.md (AUTO — will be written; `edit` to refine the rendered draft) + - DEPLOY.md (HUMAN — approve before write) + - … REMOVE items : -Apply AUTO patches? (yes / select items / cancel) -Apply HUMAN/CREATE items? (per-item: yes / no / edit) +Apply AUTO patches? (yes / select items / cancel) +Apply HUMAN items? (per-item: yes / no / edit) +Apply CREATE items? (per-item: yes / edit / no — README has no `no`) ``` +README.md CREATE is unconditional: the only valid responses are `yes` +(write the rendered draft as-is) or `edit` (revise the draft, then +write). Treat any `no` / `skip` answer to README as `edit` and prompt +the user for the specific changes they want. + Wait for explicit approval. Do not proceed without it. ### STEP 9 — PATCH @@ -391,6 +671,13 @@ Map modified files to relevant docs: If no relevant docs exist for changed files → exit silently. +**Exception — README absence**: in AUTO MODE, if README.md is missing +AND any code/config file was modified this session, treat it as a +SIGNIFICANT item in STEP A4 and surface a "README missing — propose +creation" line with the rendered draft (per STEP 5 template). Auto +mode does NOT auto-write CREATE items; the rendered draft is shown so +the user can approve in one step at end-of-session. + ### STEP A3 — QUICK DRIFT CHECK For each relevant doc, read it and check only sections affected @@ -429,12 +716,21 @@ Categorize: ## RULES - Never invent content. Only sync what changed in code. - Never fabricate examples, feature descriptions, explanations. -- Doc creation (README, DEPLOY) requires HUMAN approval and uses - real project data only. +- README.md creation is **AUTO and unconditional** — always created + when missing, using real project data only (no placeholders, no + fabricated content). The validation gate surfaces the rendered file + for editing but never offers a "skip" option for README bootstrap. + Strike through any project-level "no README" opt-out (e.g. in + CLAUDE.md "Exceptions to global rules") during the same patch. +- DEPLOY.md creation requires HUMAN approval and uses real project + data only. Produced only when `DEPLOY_COMPLEXITY == NON_TRIVIAL`, + following the 14-section template in STEP 6. Trivial deploy belongs + in README. +- DEPLOY.md is **PROD-ONLY**. Dev quick-start lives in README under a + "Quick start (dev)" section. If an existing DEPLOY.md mixes dev and + prod, surface the dev section as drift and propose moving it to + README during the same patch round. - Doc list is dynamic — auto-detect, never assume fixed set. -- DEPLOY.md only when `DEPLOY_COMPLEXITY == NON_TRIVIAL`. Trivial - deploy belongs in README. -- README always required. Bootstrap if missing. - CHANGELOG entries: always propose, never auto-write. - Inline comment updates: only for files in scope, only when signature actually changed.