Reduce AGENTS.md and ref skills

petrsnd · petrsnd · commit c0513e2b0d35 · 2026-05-15T19:27:29.000-06:00
diff --git a/.agents/skills/api-patterns/SKILL.md b/.agents/skills/api-patterns/SKILL.md
@@ -309,6 +309,31 @@ A2A requests use `Authorization: A2A <apiKey>` (not Bearer).
 the raw API yourself, you **must** use `Content-Type: application/json`.
 Using `data=` (raw string) results in **415 Unsupported Media Type**.
 
+## TLS / Certificate Verification
+
+The `verify` parameter on `SafeguardClient` and `A2AContext` accepts:
+
+- `True` (default) — use system trust store
+- `False` — disable TLS verification (development only)
+- `str` — path to a CA bundle file for custom trust
+
+```python
+# CA bundle (recommended for production)
+client = SafeguardClient("host", auth=auth, verify="/path/to/ca-bundle.pem")
+
+# Disable verification (development only)
+client = SafeguardClient("host", auth=auth, verify=False)
+```
+
+### Environment Variables for Trust
+
+| Variable | Affects | Description |
+|----------|---------|-------------|
+| `REQUESTS_CA_BUNDLE` | All HTTP requests | CA bundle path for `requests` library |
+| `WEBSOCKET_CLIENT_CA_BUNDLE` | SignalR event listeners | CA bundle path for WebSocket connections |
+
+Set these when the appliance uses a certificate signed by an internal CA.
+
 ## Common Patterns
 
 ### GET with query parameters
diff --git a/.agents/skills/architecture/SKILL.md b/.agents/skills/architecture/SKILL.md
@@ -207,6 +207,20 @@ listener.start()
 - Previous client is logged out best-effort on each reconnection
 - `stop()` stops inner listener, joins reconnect thread, emits `STOPPED`
 
+### Client Factory Methods
+
+`SafeguardClient` provides convenience methods to create event listeners
+from an authenticated client:
+
+```python
+listener = client.get_event_listener()              # SafeguardEventListener
+persistent = client.get_persistent_event_listener()  # PersistentSafeguardEventListener
+```
+
+**Note:** `AsyncSafeguardClient` does **not** have event listener factory
+methods. Create listeners directly using the sync client or construct them
+manually.
+
 ### signalrcore Protocol Version Bug
 
 signalrcore 1.0.2 incorrectly uses `negotiateVersion` (the negotiate
diff --git a/.agents/skills/testing-guide/SKILL.md b/.agents/skills/testing-guide/SKILL.md
@@ -13,16 +13,16 @@ description: >-
 
 ```bash
 # Unit tests (no live appliance required)
-python -m pytest tests/ -m "not integration"
+poetry run python -m pytest tests/ -m "not integration"
 
 # Integration tests (requires live appliance)
-SPP_HOST=<host> SPP_USERNAME=<user> SPP_PASSWORD=<pass> python -m pytest tests/ -m integration
+SPP_HOST=<host> SPP_USERNAME=<user> SPP_PASSWORD=<pass> poetry run python -m pytest tests/ -m integration
 
 # Single test file
-python -m pytest tests/test_auth.py -v
+poetry run python -m pytest tests/test_auth.py -v
 
 # Single test by name
-python -m pytest tests/ -k "test_password_auth_defaults" -v
+poetry run python -m pytest tests/ -k "test_password_auth_defaults" -v
 ```
 
 ## pytest Configuration
@@ -190,6 +190,19 @@ The test's session-scoped `a2a_env` fixture handles all of this automatically
 (including `openssl` cert generation in a temp directory). Cleanup deletes the
 trusted cert by thumbprint.
 
+### TLS Trust for Integration Tests
+
+If the appliance uses a certificate signed by an internal CA, set these
+environment variables in addition to the standard test variables:
+
+| Variable | Affects | Description |
+|----------|---------|-------------|
+| `REQUESTS_CA_BUNDLE` | All HTTP requests | CA bundle path for `requests` |
+| `WEBSOCKET_CLIENT_CA_BUNDLE` | SignalR event listeners | CA bundle path for WebSocket |
+
+Alternatively, pass the CA path via `SPP_CA_FILE` — the test fixtures pass it
+as `verify=<path>` to client constructors.
+
 ### A2A `set_password` Content-Type
 
 A2A `set_password` requires `Content-Type: application/json`. Use `json=`
diff --git a/AGENTS.md b/AGENTS.md
@@ -35,26 +35,29 @@ PySafeguard/
 ## Setup and build
 
 ```bash
-pip install poetry                # Install Poetry (if needed)
-poetry install --all-extras       # Install all deps including dev and optional
-poetry build                      # Build sdist + wheel
+pip install poetry                   # Install Poetry (if needed)
+poetry install --all-extras          # Install all deps including dev and optional
+poetry build                         # Build sdist + wheel
 ```
 
+All `poetry run` prefixed commands below assume deps are installed via
+`poetry install --all-extras`.
+
 ## Linting and type checking
 
 ```bash
-ruff check src/                   # Lint (line length: 160)
-ruff format --check src/          # Format check
-mypy src/                         # Type check (strict mode)
+poetry run ruff check src/                   # Lint (line length: 160)
+poetry run ruff format --check src/          # Format check
+poetry run mypy src/                         # Type check (strict mode)
 ```
 
 All code must pass `mypy --strict` without errors. Ruff enforces 160-char lines.
 
 ## Testing
 
 ```bash
-python -m pytest tests/ -m "not integration"    # Unit tests (no appliance)
-python -m pytest tests/ -m integration           # Integration tests (live appliance)
+poetry run python -m pytest tests/ -m "not integration"    # Unit tests
+poetry run python -m pytest tests/ -m integration           # Integration (live appliance)
 ```
 
 Uses `pytest-asyncio` with `asyncio_mode = "auto"` — async tests run without
