From bd2e0128df9dd5f198852fb45697023a648a003d Mon Sep 17 00:00:00 2001
From: Jim Myhrberg <contact@jimeh.me>
Date: Mon, 2 Feb 2026 14:12:11 +0000
Subject: [PATCH] chore: add Claude Code configuration files

Provide project context and coding guidelines for Claude Code via
AGENTS.md (architecture, conventions, commands) and CLAUDE.md (pointer
to AGENTS.md).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 AGENTS.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 CLAUDE.md |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 AGENTS.md
 create mode 100644 CLAUDE.md

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..d2b326d
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,49 @@
+# AGENTS.md
+
+Terraform module for configuring email-related DNS records and services on
+Cloudflare. Manages MX, SPF, DMARC, DKIM, TLSRPT, and MTA-STS — including a
+Cloudflare Worker + KV to serve the MTA-STS policy file.
+
+## Commands
+
+- `make docs` — regenerate README input/output tables via `terraform-docs`
+- `terraform fmt` — format HCL files
+- `terraform validate` — validate configuration
+
+Tool versions managed with [mise](https://mise.jdx.dev/) (see `.mise.toml`).
+
+## Architecture
+
+Single flat module — all resources in `main.tf`, organized by section comments:
+
+- **General** — `cloudflare_zone` data source lookup
+- **MX** — MX records for root domain + optional subdomains, flattened via
+  `locals` into a `for_each` map
+- **SPF** — single TXT record built from configurable terms list
+- **TLS SMTP** — TLSRPT TXT record
+- **MTA-STS** — the most involved piece:
+  - Proxied A/AAAA records for `mta-sts.` subdomain (dummy IPs, Cloudflare
+    proxies the traffic)
+  - `_mta-sts` TXT record with SHA1-based policy version
+  - Workers KV namespace + KV entry holding the rendered policy
+    (`mta-sts.txt.tpl`)
+  - Worker script (`mta-sts.js`) serving the policy from KV
+  - Worker route binding `mta-sts.<domain>/*`
+- **DMARC** — TXT record assembled from multiple variables with mode
+  abbreviation lookup (`relaxed` → `r`, `strict` → `s`)
+- **Domain Keys (DKIM)** — `for_each` over a map of DKIM keys, supports both
+  TXT and CNAME record types
+
+## Conventions
+
+- All DNS resources use `for_each` (not `count`).
+- Extensive variable validation blocks with custom error messages.
+- Section comments (`# MX`, `# SPF`, etc.) separate logical groups in all
+  `.tf` files.
+- Provider constraint: `cloudflare/cloudflare >= 3.0, < 5.0`.
+
+## Releases
+
+Automated via [release-please](https://github.com/googleapis/release-please).
+Uses conventional commits — pushes to `main` trigger the release-please GitHub
+Action which manages changelog, version bumps, and GitHub releases.
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..43c994c
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md