docs: update AGENTS.md for rpc→rpchandler rename and CI workflows

CybotTM · CybotTM · commit 9249ac1aabd8 · 2026-02-22T12:32:29.000+01:00
- Update Go/pnpm versions (1.26, Fiber v3, pnpm 10.30)
- Document internal/rpc → internal/rpchandler rename and type changes
- Add dependency management notes (pnpm overrides, unified packages)
- Document pr-quality.yml and auto-merge-deps.yml workflows
diff --git a/AGENTS.md b/AGENTS.md
@@ -1,6 +1,6 @@
 # Agent Guidelines
 
-<!-- Managed by agent: keep sections & order; edit content, not structure. Last updated: 2026-02-04 -->
+<!-- Managed by agent: keep sections & order; edit content, not structure. Last updated: 2026-02-22 -->
 
 **Precedence**: Nearest AGENTS.md wins. This is the root file with global defaults.
 
@@ -17,7 +17,7 @@
 
 Self-service password change/reset web app for LDAP/ActiveDirectory with email-based password reset, rate limiting, and strict accessibility standards. Single binary deployment with embedded assets.
 
-**Stack**: Go 1.25 + Fiber, TypeScript (ultra-strict), Tailwind CSS 4, Docker multi-stage builds, pnpm 10.28
+**Stack**: Go 1.26 + Fiber v3, TypeScript (ultra-strict), Tailwind CSS 4, Docker multi-stage builds, pnpm 10.30
 
 **Key characteristics**:
 
@@ -49,7 +49,7 @@ See [docs/development-guide.md](docs/development-guide.md) for comprehensive set
 
 ### Build & Test Commands
 
-**Package manager**: pnpm (specified in package.json: `pnpm@10.28.2`)
+**Package manager**: pnpm (specified in package.json: `pnpm@10.30.1`)
 
 ```bash
 # Build everything
@@ -286,3 +286,11 @@ func connectLDAP(config LDAPConfig) *ldap.Conn {
 - Major version updates require changelog review
 - Use Context7 MCP or official docs for migrations
 - Keep pnpm-lock.yaml and go.sum committed
+- Use `pnpm.overrides` for transitive dependency CVE fixes when upstream hasn't patched yet
+- Don't add redundant direct deps if a unified package re-exports them (e.g., `typescript-eslint` provides `@typescript-eslint/parser` + `@typescript-eslint/eslint-plugin`)
+
+**CI/CD Workflows**:
+
+- `pr-quality.yml`: Auto-approves PRs from repo collaborators (solo-maintainer pattern)
+- `auto-merge-deps.yml`: Auto-merges Dependabot/Renovate PRs with strategy auto-detection
+- Bootstrap: The PR introducing `pr-quality.yml` requires manual approval; all subsequent PRs auto-approve
diff --git a/internal/AGENTS.md b/internal/AGENTS.md
@@ -1,6 +1,6 @@
 # Go Backend Services
 
-<!-- Managed by agent: keep sections & order; edit content, not structure. Last updated: 2026-02-04 -->
+<!-- Managed by agent: keep sections & order; edit content, not structure. Last updated: 2026-02-22 -->
 
 **Scope**: Go backend packages in `internal/` directory
 
@@ -14,7 +14,7 @@ Backend services for LDAP selfservice password change/reset functionality. Organ
 - **options/**: Configuration management from environment variables
 - **ratelimit/**: IP-based rate limiting (3 req/hour default)
 - **resettoken/**: Cryptographic token generation and validation
-- **rpc/**: JSON-RPC 2.0 API handlers (password change/reset)
+- **rpchandler/**: JSON-RPC 2.0 API handlers (password change/reset) — renamed from `rpc/` to avoid Go stdlib `net/rpc` conflict
 - **validators/**: Password policy validation logic
 - **web/**: HTTP server setup, static assets, routing (see [web/AGENTS.md](web/AGENTS.md))
 
@@ -45,11 +45,11 @@ RATE_LIMIT_WINDOW=1h
 TOKEN_EXPIRY_DURATION=1h
 ```
 
-**Go toolchain**: Requires Go 1.25+ (specified in `go.mod`)
+**Go toolchain**: Requires Go 1.26+ (specified in `go.mod`)
 
 **Key dependencies**:
 
-- `github.com/gofiber/fiber/v2` - HTTP server
+- `github.com/gofiber/fiber/v3` - HTTP server
 - `github.com/netresearch/simple-ldap-go` - LDAP client
 - `github.com/testcontainers/testcontainers-go` - Integration testing
 - `github.com/joho/godotenv` - Environment loading
@@ -358,9 +358,11 @@ go build -gcflags="all=-N -l"
 - Base64 URL encoding (safe for URLs)
 - Store tokens server-side with expiry
 
-### rpc/
+### rpchandler/
 
 - JSON-RPC 2.0 specification compliance
+- Renamed from `rpc/` to avoid Go stdlib `net/rpc` conflict (revive var-naming)
+- Types: `Request` (was `JSONRPC`), `Response` (was `JSONRPCResponse`) — avoid stuttering (`rpchandler.JSONRPCResponse`)
 - Error codes defined in [docs/api-reference.md](../docs/api-reference.md)
 - Request validation before processing
 - Endpoint: `POST /api/rpc`
