docs: add CONTRIBUTING, CODE_OF_CONDUCT, and SECURITY files (#32)

mldangelo · claude · web-flow · commit 414c2d596e45 · 2026-02-24T15:20:39.000-08:00
All three redirect to promptfoo/promptfoo as the primary project.
CONTRIBUTING includes minimal setup instructions specific to this
pip wrapper for issues scoped to the Python shim itself.

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,5 @@
+# Code of Conduct
+
+This project follows the same Code of Conduct as the main promptfoo project.
+
+Please read and follow it: **[github.com/promptfoo/promptfoo/blob/main/CODE_OF_CONDUCT.md](https://github.com/promptfoo/promptfoo/blob/main/CODE_OF_CONDUCT.md)**
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,39 @@
+# Contributing
+
+## Contributing to promptfoo
+
+For contributions to promptfoo itself — new features, providers, bug fixes, and documentation — please go to the main project:
+
+**[github.com/promptfoo/promptfoo](https://github.com/promptfoo/promptfoo)**
+
+## Contributing to this pip wrapper
+
+This repository is only the thin Python shim that lets people install promptfoo via `pip`. Issues here should be about:
+
+- Installation failures via pip
+- Node.js detection or environment problems
+- Python shim behaviour on Windows/macOS/Linux
+
+### Setup
+
+Requires Python 3.9+, Node.js 20+, and [uv](https://github.com/astral-sh/uv).
+
+```bash
+git clone https://github.com/promptfoo/promptfoo-python.git
+cd promptfoo-python
+uv sync --extra dev
+uv run pytest -m 'not smoke'   # fast unit tests
+uv run pytest                  # all tests (requires Node.js)
+```
+
+### Submitting changes
+
+1. Branch from `main`
+2. Follow [Conventional Commits](https://www.conventionalcommits.org/) — release-please uses commit messages to version and changelog automatically
+3. Run checks before opening a PR:
+   ```bash
+   uv run ruff check src/ --fix && uv run ruff format src/
+   uv run mypy src/promptfoo/ && uv run pyright src/promptfoo/
+   uv run pytest -m 'not smoke'
+   ```
+4. Open a pull request against `main`
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+Please follow the security policy of the main promptfoo project for reporting vulnerabilities:
+
+**[github.com/promptfoo/promptfoo/blob/main/SECURITY.md](https://github.com/promptfoo/promptfoo/blob/main/SECURITY.md)**
+
+## Scope
+
+- **This repository**: issues with the Python pip wrapper (installation, shim behaviour, CI integration)
+- **promptfoo features and security**: report to [promptfoo/promptfoo](https://github.com/promptfoo/promptfoo)
+
+Do not open public GitHub issues for security vulnerabilities. Follow the responsible disclosure process linked above.
