Thank you for your interest in contributing to the smp-civic Media Platform! This document outlines the development process, coding standards, and security considerations for contributors.
Before contributing, please understand that this platform handles sensitive journalistic content. All contributions must prioritize security and privacy.
- Never commit secrets, API keys, or sensitive data
- Use secure coding practices and follow OWASP guidelines
- All crypto implementations must use established libraries
- Report security vulnerabilities privately to security@smpcivic.org
-
Prerequisites
- Docker & Docker Compose
- Node.js 18+ and npm
- Python 3.11+ and pip
- Git with GPG signing enabled
-
Initial Setup
git clone https://github.com/atonixdev/smp-civic.git cd smp-civic cp .env.example .env docker compose up -d -
Backend Setup
cd backend python -m venv venv source venv/bin/activate pip install -r requirements.txt python manage.py migrate python manage.py createsuperuser
-
Frontend Setup
cd frontend npm install npm start
- Style: PEP 8 compliance (enforced by black and flake8)
- Testing: pytest with 90%+ coverage
- Documentation: Google-style docstrings
- Security: All inputs validated, SQL injection prevention
- Performance: Database query optimization
- Style: ESLint + Prettier configuration
- Testing: Jest + React Testing Library
- Documentation: TSDoc comments for complex functions
- Performance: React.memo, useMemo, useCallback where appropriate
- Accessibility: WCAG 2.1 AA compliance
main: Production-ready codedevelop: Integration branch for featuresfeature/*: Feature development brancheshotfix/*: Critical production fixes
- Create feature branch from
develop - Implement changes with tests
- Ensure all CI checks pass
- Request review from core team
- Address feedback and merge
type(scope): description
[optional body]
[optional footer]
Types: feat, fix, docs, style, refactor, test, chore, security
Example:
feat(publishing): add encrypted document upload
Implements secure file upload with client-side encryption
using post-quantum cryptography algorithms.
Closes #123
cd backend
pytest --cov=apps --cov-report=htmlcd frontend
npm test -- --coveragenpm run test:e2e# Backend security scan
bandit -r backend/apps/
# Frontend security scan
npm audit
# Container security scan
docker run --rm -v $(pwd):/app -w /app aquasec/trivy fs .- Automated dependency vulnerability scanning
- Regular updates of security-critical packages
- Supply chain verification for all dependencies
- All public APIs must have docstrings
- Complex algorithms require detailed comments
- Security-sensitive code needs threat model documentation
- OpenAPI 3.0 specifications for all endpoints
- Interactive documentation at
/api/docs/ - Examples for all request/response formats
docker compose updocker compose -f docker-compose.staging.yml up -d- Automated via GitHub Actions
- Blue-green deployment strategy
- Automated rollback on failure
- Version Bumping: Semantic versioning (MAJOR.MINOR.PATCH)
- Changelog: Automated generation from conventional commits
- Security Review: Manual security review for all releases
- Staging Testing: Full E2E testing on staging environment
- Production Deployment: Automated deployment with monitoring
- Environment details
- Steps to reproduce
- Expected vs actual behavior
- Security implications (if any)
- Use case description
- Proposed implementation
- Security considerations
- Performance impact
- Private disclosure via security@smpcivic.org
- CVE assessment and scoring
- Coordinated disclosure timeline
- Respectful and inclusive communication
- Focus on constructive feedback
- No tolerance for harassment or discrimination
- Professional behavior in all interactions
- GitHub Issues: Bug reports and feature requests
- GitHub Discussions: General questions and ideas
- Email: security@smpcivic.org for security issues
Contributors will be recognized in:
- GitHub contributor graph
- CONTRIBUTORS.md file
- Release notes for significant contributions
- Annual contributor appreciation events
Thank you for helping build a more transparent and secure media platform! 🛡️📰