We accept documentation improvements, tests, bug fixes, and roadmap-aligned feature work.
This project is security-sensitive. Process matters because design, roadmap alignment, and security boundaries matter.
- Read the README, roadmap, and project plan.
- Run
make setupto buildDockerfile.devfor the active agent from.agent-sandbox/active-target.env. - Search existing issues and pull requests before opening a new one.
- Keep changes agent-agnostic when possible.
- Do not start substantive feature implementation before maintainer review.
You can open a pull request directly for:
- Typo fixes
- Documentation clarifications
- Test additions or improvements
- Small bug fixes that do not change architecture, security boundaries, or public behavior in a broad way
Keep these PRs focused. If a review reveals broader design impact, maintainers may ask you to open or link an issue first.
Use the GitHub bug report form for reproducible, non-security bugs.
Include:
- What happened
- How to reproduce it
- What you expected
- Relevant environment details
- Logs, screenshots, or policy snippets when useful
Small bug fixes can still go straight to a PR, but an issue is preferred when the problem is ambiguous, cross-cutting, or likely to need discussion.
Start substantive feature work with a feature request issue.
Examples:
- New commands or workflows
- New runtime modes
- New policy model or enforcement behavior
- New authentication flows
- New agent support
- Cross-cutting or security-sensitive behavior changes
After maintainer review, accepted feature issues may move through these stages:
stage:proposal- initial idea under discussionstage:needs-plan- direction looks good and a planning doc is requestedstage:planned- planning doc is accepted and implementation can proceed
Do not open a substantive implementation PR before the feature issue has maintainer buy-in.
Maintainers may ask for a planning artifact before code review begins.
Use:
docs/plan/issues/for a shorter proposal document when the work is relatively containeddocs/plan/milestones/for milestone-scale planning when the work changes roadmap scope
If you are using the repo's agent workflow, the plan skill is the recommended way to produce planning artifacts. The required artifact is the document, not the tool.
Planning up front helps avoid spending time on a PR that does not fit the roadmap, mission, or security posture of the project.
New agent support should start with a feature request issue.
If maintainers want to pursue it, they may ask for a planning doc and then an implementation PR.
If you are using Claude or Codex in this repo, the recommended workflow is the add-agent skill. You do not have to use that skill, but your contribution should still match the same quality bar and output shape.
Do not use the public bug form for sandbox escapes, proxy or firewall bypasses, credential exposure, privilege escalation, or similar security issues.
Use the process in SECURITY.md.
Keep pull requests small and reviewable.
Every PR should:
- Explain the change clearly
- Link the relevant issue when one exists
- Link the planning doc when one was required
- Include tests when the change affects behavior
- Update documentation when the behavior or workflow changes
For changes in security-sensitive areas, explain the security impact and tradeoffs in the PR description.
Issue labels are intentionally small and orthogonal.
Type labels:
type:bugtype:feature
Feature stage labels:
stage:proposalstage:needs-planstage:planned
General status labels:
status:needs-infostatus:blocked
Contribution visibility labels:
good first issuehelp wanted
Rules:
- Every issue should have one
type:label. - Only feature issues should use
stage:labels. - Feature issues should have at most one
stage:label at a time. - Issues are closed when work is merged or explicitly declined. There is no separate
mergedlabel.
Run the checks that match your change before asking for review.
Examples:
go test ./...for CLI changes./images/build.shfor image changes- Focused manual verification for template, proxy, and documentation changes
If you could not run a relevant check, say so in the PR.