Thank you for helping make code safer for everyone. This guide covers everything you need to contribute effectively.
main ← production-only. Protected. No direct pushes ever.
develop ← integration branch. All PRs merge here first.
feature/* ← new features (e.g. feature/vscode-inline-fix)
fix/* ← bug fixes (e.g. fix/sca-false-positive-npm)
chore/* ← maintenance (e.g. chore/update-nvd-feed)
docs/* ← documentation only
Golden rule: Open your PR against develop. The develop → main merge only happens on releases.
- Pick an issue — check the Issues tab and comment to claim it
- Branch off
developgit checkout develop && git pull git checkout -b feature/your-feature-name - Write code — follow the style guide below
- Test locally — all CI checks must pass
- Open a PR — fill out the PR template completely
- Get reviewed — at least 1 approval required before merge
- Squash merge into
develop
- Run
cargo fmtbefore committing - Run
cargo clippy -- -D warnings— no clippy warnings allowed - Write doc comments on all public functions
- Tests go in a
#[cfg(test)]module at the bottom of each file
- Run
pnpm lintandpnpm typecheckbefore committing - Use named exports — no default exports except page components
- Keep components under 200 lines; split if larger
- Commit messages follow Conventional Commits:
feat:,fix:,chore:,docs:,test:,refactor: - Never commit secrets,
.envfiles, or API keys - Every new feature needs at least one test
# Rust
cargo test --workspace
# Frontend
cd apps/web && pnpm test
# VS Code extension
cd extensions/vscode && pnpm testIf you find a vulnerability in Zenvra, do not open a public issue. Use the Security Report template or email security@zenvra.dev.
Be kind. Be constructive. We're building something together.