feat: add agents.md

AGENTS.md

@@ -0,0 +1,97 @@
+# AGENTS.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Conventions
+
+- Do not edit `CHANGELOG.md`. It is generated by the release pipeline; hand edits will be overwritten.
+
+## Commands
+
+```bash
+# Build
+go build ./cmd/session-manager
+
+# Lint
+golangci-lint run --build-tags=integration ./...
+golangci-lint run --fix --build-tags=integration ./...   # auto-fix
+
+# Unit + integration tests (full suite)
+make test
+
+# Unit tests only (no k3d cluster required)
+go test -count=1 -race ./...
+
+# Integration tests only (requires running k3d cluster)
+go test -v -count=1 -race -tags=integration ./integration
+
+# Single test
+go test -run TestName ./path/to/package
+
+# Code generation (OpenAPI + sqlc)
+make codegen
+# expands to:
+go generate ./...
+go tool github.com/sqlc-dev/sqlc/cmd/sqlc generate
+
+# Local k3d cluster with PostgreSQL + Valkey
+make start
+```
+
+## Architecture
+
+Session Manager is an OIDC authorization code flow service with a pluggable module system, dual REST+gRPC APIs, and multi-tenant support.
+
+### Data Flow
+
+```
+REST (:8080)              gRPC (:9091)
+/sm/auth                  Session.Check / Introspect
+/sm/callback              TrustMapping CRUD
+/sm/logout
+      |                         |
+      └──────── Session Manager (internal/session/manager.go) ──────────
+                      |                     |
+               ValKey (sessions,      PostgreSQL (trust
+               OIDC state, TTL)        mappings via sqlc)
+```
+
+`internal/business/business.go` is the main orchestrator: it starts the HTTP and gRPC servers concurrently and waits for the first error to shut down both.
+
+### Key Packages
+
+| Package | Purpose |
+|---|---|
+| `internal/session/` | Session lifecycle: login, callback, logout, token refresh |
+| `internal/grpc/` | gRPC server implementations (session, trust mapping) |
+| `internal/openapi/` | Generated REST handlers (do not edit manually) |
+| `internal/business/` | Orchestration: startup, housekeeper, DB migration |
+| `internal/config/` | Config structs (koanf-based unmarshaling) |
+
+### Session & State Storage
+
+- **Sessions and OIDC state**: ValKey (Redis-compatible), TTL-based. Implementation in `internal/session/valkey/`.
+- **Trust mappings**: PostgreSQL, accessed through sqlc-generated.
+- **In-memory cache**: `jellydator/ttlcache` used for OIDC configuration and introspection results.
+
+### Background Jobs
+
+`internal/business/housekeeper.go` runs two periodic tasks:
+- Session cleanup (configurable `triggerInterval`, default 10m)
+- Token refresh for sessions nearing expiry (`tokenRefreshTriggerInterval`, default 15m)
+
+### CLI Commands
+
+The binary (`cmd/session-manager/`) exposes four Cobra subcommands: `api-server`, `housekeeper`, `migrate`, `version`.
+
+### Code Generation
+
+- `internal/openapi/` is generated from `api/session-manager.yaml` via oapi-codegen — never edit directly.
+- `trust/internal/sql/queries/` is generated by sqlc from SQL migrations — never edit directly.
+- Mock files are generated and excluded from linting.
+
+### Testing Conventions
+
+- Integration tests live in `integration/` and require `//go:build integration` tag.
+- `internal/dbtest/` provides test helpers for database-backed tests.
+- Import tests (e.g. `internal/grpc/import_test.go`) verify module wiring without full server startup.

CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md