From 3fa4d599fe158ad2570ab1d783e030381934c9b4 Mon Sep 17 00:00:00 2001 From: Offending Commit Date: Fri, 1 May 2026 09:57:57 -0500 Subject: [PATCH] docs: add OSS community health files - CONTRIBUTING.md: contributor onboarding, conventional commit rules, local setup - CODE_OF_CONDUCT.md: adopts Contributor Covenant 2.1 by reference - SECURITY.md: vulnerability reporting via GitHub private advisories, scope boundaries - .github/ISSUE_TEMPLATE/config.yml: disables blank issues, links to discussions and Honcho upstream Lifts the GitHub community profile score from 57% toward 100%. --- .github/ISSUE_TEMPLATE/config.yml | 8 ++++ CODE_OF_CONDUCT.md | 13 +++++++ CONTRIBUTING.md | 63 +++++++++++++++++++++++++++++++ SECURITY.md | 36 ++++++++++++++++++ 4 files changed, 120 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..8b22895 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: Honcho upstream issues + url: https://github.com/plastic-labs/honcho/issues + about: Bugs in the Honcho server itself, not the OpenConcho UI. + - name: Question or discussion + url: https://github.com/offendingcommit/openconcho/discussions + about: General questions, ideas, or design discussion. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..90fc4bd --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,13 @@ +# Code of Conduct + +This project adopts the [Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) as its code of conduct. + +The full text is available at the link above. + +## Reporting + +Report violations to the maintainer at the email address listed on the [GitHub profile of @offendingcommit](https://github.com/offendingcommit). All reports are reviewed and investigated promptly and fairly. + +## Scope + +This Code of Conduct applies within all project spaces — issues, pull requests, discussions, and any other public or private channel where you represent the project. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..d149cf9 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,63 @@ +# Contributing to OpenConcho + +Thanks for your interest in helping out. This is a small, focused project — please read this before opening a PR. + +## Ground rules + +- **Open an issue first** for anything beyond a small fix. Discussion saves wasted work. +- **Conventional commits** are required (`feat:`, `fix:`, `docs:`, `refactor:`, `test:`, `chore:`). They drive [semantic-release](https://semantic-release.gitbook.io/). +- **One logical change per PR.** Easier to review, easier to revert. + +## Local setup + +```bash +git clone https://github.com/offendingcommit/openconcho.git +cd openconcho +pnpm install +pnpm dev # web dev server at http://localhost:5173 +``` + +For desktop work: + +```bash +pnpm --filter @openconcho/desktop dev +``` + +## Before opening a PR + +```bash +pnpm lint # Biome lint +pnpm typecheck # tsc --noEmit +pnpm test # Vitest +pnpm build # full build +``` + +All four must pass. CI will block the merge otherwise. + +## Coding standards + +The full standards live in [`.claude/rules/coding-standards.md`](.claude/rules/coding-standards.md). The short version: + +- TypeScript strict mode; no `any`. +- No hardcoded URLs — connection config lives in `localStorage` under `openconcho:config`. +- Use CSS variables (`var(--text-1)`) for theme-aware colors, never Tailwind color utilities. +- Cast TanStack Router `params` as `as never` at navigation callsites. +- One assertion per test. + +## API schema changes + +`src/api/schema.d.ts` is generated. Don't edit it by hand — run: + +```bash +pnpm generate:api +``` + +…after updating `openapi.json`. + +## Reporting bugs + +Use the [bug report template](.github/ISSUE_TEMPLATE/bug_report.yml). Include the Honcho version, your OS, and reproduction steps. + +## License + +By contributing, you agree your contributions are licensed under the [MIT License](LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d2da996 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,36 @@ +# Security Policy + +## Supported Versions + +OpenConcho follows semantic versioning via [semantic-release](https://semantic-release.gitbook.io/). Only the latest minor release on `main` receives security fixes. + +| Version | Supported | +|---------|-----------| +| latest | ✅ | +| older | ❌ | + +## Reporting a Vulnerability + +**Please do not open public issues for security reports.** + +Use GitHub's [private vulnerability reporting](https://github.com/offendingcommit/openconcho/security/advisories/new) to file a report. Include: + +- A description of the issue and its impact +- Steps to reproduce +- Affected version(s) +- Any mitigations you've identified + +You should expect an acknowledgement within 72 hours and a fix or status update within 14 days. + +## Scope + +OpenConcho is a frontend client. It stores connection config (`base URL`, optional `token`) in `localStorage` under the keys `openconcho:config` and `openconcho:theme`. It makes no network requests outside the Honcho instance you configure. + +In-scope: +- XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI +- Token leakage from `localStorage` to third parties +- Build-toolchain supply-chain issues + +Out of scope: +- Vulnerabilities in your own Honcho instance — report those upstream at [plastic-labs/honcho](https://github.com/plastic-labs/honcho) +- Issues that require physical access to an unlocked device
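Review bot: `blank_issues_enabled: false` on the first line of the `config.yml` hunk removes the blank-issue option, but the patch adds no issue form beside it; unless `.github/ISSUE_TEMPLATE/bug_report.yml` (which `CONTRIBUTING.md` in this same patch links to) already exists in the repository, the chooser will offer only the two contact links and bug reports cannot be filed in-repo. Add the form in the same change, or leave blank issues enabled until it lands.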
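Review bot: the Reporting section of the `CODE_OF_CONDUCT.md` hunk sends violation reports to "the email address listed on the GitHub profile of @offendingcommit", which is only visible if that profile has chosen to display a public email and can change without this file noticing. Put the address (or a dedicated alias) in the file directly so the reporting path is stable and does not depend on the state of a profile page.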
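Review bot: the "Reporting bugs" section of the `CONTRIBUTING.md` hunk links `.github/ISSUE_TEMPLATE/bug_report.yml`, but the diffstat creates only `config.yml` under `.github/ISSUE_TEMPLATE/`, so this is a dead link unless the form already exists; the same applies to `.claude/rules/coding-standards.md`, which is not in the patch. Either add the missing files in this change or reword the references so they do not 404. A smaller style point: "Cast TanStack Router `params` as `as never`" reads as a workaround rather than a standard, and a one-line reason (or a link to the relevant rule) would stop new contributors from "fixing" it.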
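Review bot: the private-reporting link in "Reporting a Vulnerability" (`.../security/advisories/new`) only resolves for outside reporters if private vulnerability reporting has been switched on in the repository's Security settings, which is opt-in per repository; confirm the setting is enabled before merging, or add a fallback contact, otherwise the only stated channel is a 404 and reporters will fall back to public issues. In "Scope", the `token` stored in `localStorage` under `openconcho:config` is readable by any script running in the UI's origin, so "XSS ... in the OpenConcho UI" and "Token leakage from `localStorage` to third parties" are in practice the same finding; saying explicitly that an XSS report is treated as token disclosure will help reporters rate severity and keeps the two bullets from reading as separate classes. The sentence that the client "makes no network requests outside the Honcho instance you configure" is worth keeping, with the companion detail that the token is sent to whatever `base URL` is configured, so the scope boundary is whether the UI itself can be made to change or leak that URL, not a user entering one by hand.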