docs: add repository guidelines

[gentamura]

Summary

• add AGENTS.md with contributor guidance for automation agents
• update README.md to provide an English overview for humans

Testing

• Not Applicable

Summary by CodeRabbit

• Documentation
  • Added AGENTS.md with repository guidelines for development, testing, style, and releases.
  • Expanded README with Overview, repository layout, Getting Started steps, contribution notes, and release process.
  • Clarifies package scope, CI-driven publishing via Changesets, testing expectations, and commit/PR conventions.
  • Documentation-only changes; no code or API modifications.

[coderabbitai]

Walkthrough

Adds a new AGENTS.md with development, testing, style, and release guidelines for a Bun-based monorepo and replaces the minimal README.md with a comprehensive README covering overview, repository layout, setup, contribution notes, and release process. No source code or public API changes.

Changes

Cohort / File(s)	Summary
Docs: Repository Guidelines AGENTS.md	New document detailing project structure, build/test/dev commands, coding standards, testing guidelines, commit/PR conventions, security rules, and release management for the monorepo.
Docs: README Overhaul README.md	Replaced single-line description with multi-section README: Overview, Repository Layout, Getting Started, Contribution Notes, and Release Process. Documentation-only changes; no code or API edits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my nose at docs so neat,
New trails mapped out, a tidy feat.
With buns and tests we hop in line,
Commits in cadence, versions fine.
README seeds planted — onward we leap! 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "docs: add repository guidelines" is concise, follows the conventional "docs:" prefix, and accurately captures the primary change—adding AGENTS.md and updating README with repository guidelines—so it clearly communicates the main intent to reviewers.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/guidelines

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (7)

AGENTS.md (5)

4-4: Lockfile name likely incorrect: use bun.lockb (not bun.lock).

Bun’s lockfile is typically bun.lockb. Referencing bun.lock will confuse contributors.

Apply this diff:

-Shared tooling lives at the root (`tsconfig.json`, `biome.json`, `vitest.config.ts`, `bun.lock`);
+Shared tooling lives at the root (`tsconfig.json`, `biome.json`, `vitest.config.ts`, `bun.lockb`);

---

11-11: Prefer bunx for Changesets invocations.

Unless there’s a package.json script named “changeset”, bun run changeset will fail. bunx works out of the box.

-- `bun run changeset` — Draft release notes and version bumps via Changesets.
+- `bunx changeset` — Draft release notes and version bumps via Changesets.

---

12-12: Clarify “clean” to be non-destructive.

Make sure the clean script doesn’t delete untracked source files; limit to artifacts and node_modules.

-- `bun run clean` — Remove untracked files and reinstall dependencies; stash local work first.
+- `bun run clean` — Remove build artifacts and reinstall dependencies (does not delete untracked source files).

---

15-15: Add TS “satisfies” guidance alongside type guards.

Small style upgrade that reduces “as” casts without extra boilerplate.

-TypeScript runs with `strict` enabled; avoid implicit `any` and replace `as` casts with dedicated type guards.
+TypeScript runs with `strict` enabled; avoid implicit `any` and replace `as` casts with dedicated type guards or the `satisfies` operator where appropriate.

---

24-24: Strengthen secrets and release posture.

Recommend CI secret scanning and npm provenance/2FA to prevent supply‑chain mishaps.

 Verify releases by checking the generated changelog and confirming publication for each package on npm.
+Enable secret scanning and push protection in CI (e.g., gitleaks), and require npm 2FA + provenance for publishing.

README.md (2)

14-18: Use bunx for Changesets; optionally pin Bun via packageManager.

“bun run changeset init” assumes a script; bunx is safer. Also consider pinning Bun to avoid CI/local drift.

-4. Initialize Changesets with `bun run changeset init` if you are bootstrapping a fresh clone.
+4. Initialize Changesets with `bunx changeset init` if you are bootstrapping a fresh clone.

Optionally add after Step 1:

-1. Install Bun `1.2.19` or later.
+1. Install Bun `1.2.19` (or later). We recommend pinning via `"packageManager": "bun@1.2.19"` in the root package.json for reproducibility.

---

6-12: List bun.lockb and .changeset in the layout for consistency.

Aligns with AGENTS.md and contributor expectations.

 - `vitest.config.ts` — Test runner configuration for the entire workspace.
+- `bun.lockb` — Bun lockfile committed to version control.
+- `.changeset/` — Changesets entries and config for releases.
 - `.github/workflows/` — CI pipelines based on `listee-dev/listee-ci@v1` workflows.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d45a5a1 and 06ac42b.

📒 Files selected for processing (2)

• AGENTS.md (1 hunks)
• README.md (1 hunks)

🔇 Additional comments (2)

AGENTS.md (1)

1-25: Well-structured, actionable repo guidelines.

Clear, concise, and aligned with a Bun + TS monorepo. Nice job setting expectations for devs and automation.

README.md (1)

1-26: Nice README upgrade—clear overview, layout, and workflows.

Solid developer onboarding and alignment with AGENTS.md.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

README.md (3)

3-5: Spell out MCP and tighten the scope sentence.

Minor clarity nit: expand MCP on first mention to help new contributors.

-... (API, web, CLI, MCP) ...
+... (API, web, CLI, Model Context Protocol (MCP)) ...

---

6-12: List .changeset and root package.json in the layout.

These are first‑class repo artifacts and useful to call out.

 - `.github/workflows/` — CI pipelines based on `listee-dev/listee-ci@v1` workflows.
+
+Additional top-level files:
+- `.changeset/` — Changesets config and pending release notes.
+- `package.json` — Workspace scripts and `"packageManager"` pin.

---

19-23: Require a Changeset in PRs that modify publishable packages.

Prevents accidental unpublished changes and keeps release notes accurate.

 - Coordinate feature work through focused branches (`feature/...`, `chore/...`, etc.) and submit PRs with clear descriptions, linked issues, and test evidence.
+ - Include a Changeset in any PR that modifies a publishable package under `packages/`. PRs without a Changeset should be explicitly labeled/docs‑only.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06ac42b and e1f2c48.

📒 Files selected for processing (2)

• AGENTS.md (1 hunks)
• README.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• AGENTS.md

🔇 Additional comments (2)

README.md (2)

13-18: Qualify running changeset init and add a Bun engine/packageManager pin

• Make init conditional: only run bun run changeset init when .changeset/ is missing (fresh repo).
• Recommend adding "packageManager": "bun@1.2.19" or an engines.bun entry in package.json to surface Bun version mismatches in CI/local.

-4. Initialize Changesets with `bun run changeset init` if you are bootstrapping a fresh clone.
+4. If `.changeset/` is missing (brand‑new repo setup), initialize Changesets with `bun run changeset init`.

.changeset/ missing; package.json not found — unable to verify presence of lint/build/test/changeset scripts or packageManager/engines.

---

24-25: Pin GitHub Actions to SHAs & document the Changesets release flow

• Pin all "uses:" refs in .github/workflows to commit SHAs (avoid floating tags like @v1) for supply‑chain safety.
• Update README.md (lines 24–25) to state the CI Changesets sequence (version → publish) and include a short local dry‑run: 1) bun run changeset 2) bun run build 3) bun run test 4) open PR with generated changeset. Also state to verify npm publishes for @listee/types and @listee/db after merge.
• Inspection script returned no matches — unable to verify workflow refs; confirm .github/workflows for floating refs and pin them if present.