diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..be876bb --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,119 @@ +# Contributing to FlaskPaste + +## Development Setup + +```bash +# Clone repository +git clone +cd flaskpaste + +# Create virtual environment +python3 -m venv venv +source venv/bin/activate + +# Install dependencies +pip install -r requirements.txt + +# Install development tools +pip install ruff mypy pytest pytest-cov bandit + +# Run development server +python run.py +``` + +## Code Quality + +All code must pass these checks before merge: + +```bash +# Lint and format +ruff check app/ tests/ fpaste +ruff format --check app/ tests/ fpaste + +# Type checking +mypy app/ tests/ fpaste --ignore-missing-imports + +# Security scan +bandit -r app/ -ll -q + +# Tests +pytest tests/ -v --tb=short +``` + +## Testing + +```bash +# Run all tests +pytest tests/ -v + +# Run specific test file +pytest tests/test_api.py -v + +# Run with coverage +pytest tests/ --cov=app --cov-report=term-missing + +# Run security tests only +pytest tests/test_security.py tests/test_rate_limiting.py -v +``` + +## Commit Guidelines + +- Use lowercase, imperative mood: `fix: resolve rate limit bypass` +- Prefix with category: `fix:`, `feat:`, `docs:`, `ci:`, `test:`, `refactor:` +- Keep subject under 50 characters +- One logical change per commit + +Examples: +``` +fix: validate algorithm parameter in PKI methods +feat: add shell completions for bash/zsh/fish +docs: update API documentation for v1.5 +ci: enforce mypy type checking +``` + +## Code Style + +- Follow PEP 8 (enforced by ruff) +- Use type hints for all function signatures +- Docstrings for public functions (Google style) +- Maximum line length: 100 characters + +## Security + +- Never commit secrets or credentials +- Use parameterized queries for all database operations +- Validate all user input +- Follow OWASP guidelines for web security + +Report security vulnerabilities privately (see SECURITY.md). + +## Pull Requests + +1. Create a feature branch from `main` +2. Make changes with atomic commits +3. Ensure all checks pass locally +4. Submit PR with clear description +5. Address review feedback + +## Project Structure + +``` +flaskpaste/ +├── app/ # Application code +│ ├── __init__.py # App factory +│ ├── api/ # API routes +│ ├── audit.py # Audit logging +│ ├── config.py # Configuration +│ ├── database.py # SQLite operations +│ ├── metrics.py # Prometheus metrics +│ └── pki.py # Certificate management +├── tests/ # Test suite +├── fpaste # CLI client +├── run.py # Development server +├── wsgi.py # Production WSGI entry +└── requirements.txt # Dependencies +``` + +## License + +By contributing, you agree that your contributions will be licensed under the project's license. diff --git a/TASKLIST.md b/TASKLIST.md index b2c277f..ee87c34 100644 --- a/TASKLIST.md +++ b/TASKLIST.md @@ -15,13 +15,13 @@ Prioritized, actionable tasks. Each task is small and completable in one session | Status | Task |--------|-------------------------------------------------------------- -| ☐ | Create CONTRIBUTING.md with development setup | ☐ | Add PKI usage examples to documentation ## Completed | Date | Task |------------|-------------------------------------------------------------- +| 2024-12 | Create CONTRIBUTING.md with development setup | 2024-12 | Fix all mypy type errors (now enforced in CI) | 2024-12 | Enhance CI with security-tests job, SBOM generation, memory checks | 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001)