diff --git a/AGENTS.md b/AGENTS.md index e69de29..4f9d668 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -0,0 +1,33 @@ +# FleetDM Stack — Project Rules + +## Project Overview + +Helm-based deployment of FleetDM Server + MySQL + Redis on local Kubernetes (Kind/Minikube). +Gitea Actions CI at https://git.produktor.io/eSlider/flamingo-tech-test + +## Structure + +- `fleetdm-stack/` — Helm umbrella chart (Fleet subchart brings MySQL + Redis) +- `Makefile` — cluster lifecycle: `cluster`, `install`, `uninstall`, `verify`, `port-forward`, `clean` +- `docs/` — theoretical architecture docs with Mermaid diagrams +- `.github/workflows/release.yaml` — Gitea Actions (lint on push, release on `v*` tag) + +## Conventions + +- Helm values: all Fleet config lives under `fleet:` key in `fleetdm-stack/values.yaml` +- Secrets: `fleet-secret.yaml` (TLS certs via `.Files.Get`), `mysql-secret-alias.yaml` (password alias) +- TLS certs generated by `make tls-certs` into `fleetdm-stack/certs/` (self-signed, local dev only) +- Local access: `make port-forward` on port 8585 (configurable via `FLEET_PORT`) +- DB migrations: `autoApplySQLMigrations: true` — no manual `fleet prepare db` needed + +## CI/CD + +- Gitea Actions runner uses manual `git clone` (not `actions/checkout`) due to Docker DNS +- Avoid piping to `head` in CI steps (causes SIGPIPE exit 141) +- Release job only triggers on `v*` tags via `if: startsWith(gitea.ref, 'refs/tags/v')` + +## Do Not + +- Do not modify `TASKS.md` — it is the assignment spec +- Do not commit real credentials; `fleetdm-local-dev` password is for local dev only +- Do not remove `fleetdm-stack/certs/` from git — needed for Helm `.Files.Get` at package time
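Review bot: In the "Do Not" section, the rule against removing `fleetdm-stack/certs/` from git sits directly after "Do not commit real credentials" with nothing explaining how the two fit together. Conventions says `make tls-certs` writes self-signed material into that directory and `fleet-secret.yaml` reads it via `.Files.Get`, so if the private key is stored there as well, it is committed key material that ends up in the packaged chart. Suggest stating explicitly that the committed cert and key are throwaway local-dev values that must never be reused in any other environment, or having the release job run `make tls-certs` before packaging so the directory can be ignored by git instead. The same applies to the `fleetdm-local-dev` password line: say where a non-dev value is expected to come from. Separately, the Makefile target list under Structure omits `tls-certs`, which Conventions then relies on; add it to that list.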