documentation update

Author: Christopher Skene

CODE_OF_CONDUCT.md

@@ -0,0 +1,56 @@
+## Contributor Covenant Code of Conduct
+
+This project adopts the Contributor Covenant Code of Conduct, version 2.1.
+
+## Our Pledge
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
+
+## Our Standards
+Examples of behavior that contributes to a positive environment for our community include:
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others’ private information, such as a physical or email address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement Responsibilities
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces.
+
+## Enforcement
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project team at support@aurabox.cloud. All complaints will be reviewed and investigated promptly and fairly.
+
+## Enforcement Guidelines
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+## 1. Correction
+- Community Impact: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+- Consequence: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+## 2. Warning
+- Community Impact: A violation through a single incident or series of actions.
+- Consequence: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+## 3. Temporary Ban
+- Community Impact: A serious violation of community standards, including sustained inappropriate behavior.
+- Consequence: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+## 4. Permanent Ban
+- Community Impact: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+- Consequence: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+This Code of Conduct is adapted from the Contributor Covenant, version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+
+Community Impact Guidelines were inspired by https://github.com/mozilla/diversity
+
+For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

CONTRIBUTING.md

@@ -0,0 +1,65 @@
+# Contributing to Harmony Proxy
+
+Thank you for your interest in contributing! This document explains how to propose changes, the development workflow, coding standards, and community expectations.
+
+## Code of Conduct
+- By participating, you agree to abide by our Code of Conduct. See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
+
+## Scope of contributions
+- We welcome bug reports, feature requests, documentation improvements, performance optimizations, and test coverage enhancements.
+
+## Getting started
+- Read [DEVELOPER.md](DEVELOPER.md) for local setup, repository layout, commands, and testing guidance.
+- Review the docs index at [docs/README.md](docs/README.md) for architecture, configuration, middleware, and testing references.
+
+## Workflow
+- Trunk-based development: use feature branches and open pull requests against main.
+- Keep PRs small and focused. Avoid mixing unrelated refactors, formatting, or lint changes with functional changes.
+- Link issues in PR descriptions when applicable. Describe the problem, approach, and trade-offs.
+
+## Commit messages and PR titles
+- Use Conventional Commits and prefer aligning PR titles similarly:
+  - feat: add DIMSE store-and-forward support
+  - fix: handle JWKS rotation error on startup
+  - docs: update configuration examples
+  - refactor: extract DICOMweb client
+  - test: add pipeline validation cases
+  - perf: reduce clone in router
+  - ci: enable tests in GitHub Actions
+- Follow Semantic Versioning. Breaking changes should be marked with ! (e.g., feat!: change endpoint config).
+
+## Coding standards and gates
+- Format code: `cargo fmt --all`
+- Lint: `cargo clippy --all-targets -- -D warnings`
+- Build: `cargo build`
+- Test: `cargo test` (add `RUST_LOG=harmony=debug` and `-- --nocapture` for verbose output)
+- These gates must pass locally before opening a PR; CI will run them as well.
+
+## Tests
+- Prefer focused and deterministic unit/integration tests.
+- Use ./tmp for temporary artifacts; do not rely on /tmp.
+- DIMSE/DCMTK integration tests:
+  - Default runs are quiet. Enable verbose logs with `HARMONY_TEST_VERBOSE_DCMTK=1`.
+  - Additional debug behavior: `HARMONY_TEST_DEBUG=1`.
+- Use the samples/ directory for test inputs where relevant; keep tests hermetic.
+
+## Documentation
+- Update docs/ and examples/config when behavior or configuration changes.
+- Include usage notes and security implications where applicable.
+
+## Security guidance
+- Do not commit secrets. Use environment variables or secret managers; restrict permissions to least privilege.
+- JWT in production should use RS256 with strict algorithm enforcement and claim validation (exp, nbf, iat, iss, aud).
+- Encryption: where used, AES-256-GCM with ephemeral public key, IV, and authentication tag encoded in base64.
+- Temporary files: prefer ./tmp within the working directory.
+- See [docs/security.md](docs/security.md) for additional guidance.
+
+## Licensing of contributions
+- By contributing, you agree your contributions are licensed under the Apache License, Version 2.0, and acknowledge the project’s commercialization restriction described in [README.md](README.md) (hosted resale/embedding requires a commercial licence from Aurabox Pty Ltd).
+- No CLA or DCO is presently required.
+
+## Issue triage and labels
+- Use labels such as bug, enhancement, documentation, help wanted, and good first issue where applicable.
+
+## Contact
+- General questions, security or conduct concerns: hello@aurabox.cloud

DEVELOPER.md

@@ -0,0 +1,71 @@
+# DEVELOPER.md
+
+## Overview
+- Harmony Proxy is a Rust workspace providing a configurable data mesh proxy/gateway for heterogeneous systems, with first-class healthcare protocols (FHIR, JMIX, DICOM/DICOMweb). It is part of the Runbeam ecosystem.
+- Key concepts: endpoints, middleware, services/backends, pipelines, and storage. See [docs/README.md](docs/README.md) for full architecture.
+
+## Prerequisites
+- Rust (stable) via rustup
+- macOS or Linux
+- Optional: DCMTK tools for DIMSE integration tests (e.g., macOS: `brew install dcmtk`, Debian/Ubuntu: `sudo apt-get install dcmtk`)
+
+## Repository layout
+- Root crate: harmony (src/lib.rs, src/main.rs)
+- Workspace crates: crates/dimse, crates/dicom_json_tool, crates/transform
+- Examples: examples/config (config.toml, pipelines/, transforms/), examples/custom_endpoint (example crate)
+- Docs: docs/* (getting-started, configuration, endpoints, middleware, backends, router, envelope, dimse-integration, testing, security, system-description)
+- Samples: samples/jolt/*; additional DICOM samples in dev/samples
+- Temporary outputs: prefer ./tmp (gitignored) over /tmp
+
+## Build, run, test
+- Build (debug): `cargo build`
+- Build (release): `cargo build --release`
+- Run with example config: `cargo run -- --config examples/config/config.toml`
+- Run tests: `cargo test`
+- With logs: `RUST_LOG=harmony=debug cargo test -- --nocapture`
+- Format: `cargo fmt --all`
+- Lint: `cargo clippy --all-targets -- -D warnings`
+
+## Configuration model (high level)
+- Config is loaded from the provided TOML file and can merge additional files from proxy.pipelines_path and proxy.transforms_path relative to the base config directory.
+- Major sections: proxy, network, pipelines, endpoints, backends, middleware/middleware_types, services, targets, storage, transforms.
+- Validation enforces: proxy ID and log level; per-network interface/HTTP constraints; pipeline endpoints exist; middleware_types are known or specified via module; targets have non-empty URLs; storage backend options are valid.
+- See: src/config/config.rs and [docs/configuration.md](docs/configuration.md).
+
+## Pipelines and middleware
+- Pipelines bind networks to endpoints and an ordered set of middleware/services.
+- Built-in middleware types include: jwtauth, auth, connect, passthru, json_extractor, jmix_builder, dicomweb_to_dicom, dicom_to_dicomweb, dicomweb, transform.
+- JWT guidance: prefer RS256 in production, enforce algorithm, validate exp/nbf/iat, iss/aud as applicable. HS256 is for development/tests only.
+
+## JMIX and schema path
+- The JMIX schema directory used by validation or transforms is configurable and may be placed outside the repo (e.g., ../jmix). Ensure paths in config reference your chosen location.
+
+## Storage and tmp
+- Filesystem storage defaults to a project-local ./tmp directory. Favor ./tmp for all temporary files. The path may be configurable via storage options.
+
+## Testing notes
+- Strategy: unit/integration tests should be fast and deterministic. See [docs/testing.md](docs/testing.md).
+- DIMSE integration: DCMTK processes may be spawned; artifacts are written under ./tmp with per-test UUIDs. Enable verbose DIMSE output with `HARMONY_TEST_VERBOSE_DCMTK=1`. Additional debugging: `HARMONY_TEST_DEBUG=1`.
+- Sample data: samples/ and dev/samples/ contain example inputs.
+
+## Security considerations
+- Encryption: the project uses AES-256-GCM where applicable, with ephemeral public key, IV, and authentication tag encoded in base64.
+- Credentials and secrets: do not commit. Load via environment variables or secret managers. Prefer least-privilege file permissions.
+- JWT: in production, require RS256 with strict algorithm checks and claim validation.
+- Temporary files: prefer ./tmp within the working directory.
+- See [docs/security.md](docs/security.md) for more detail.
+
+## Commit and PR hygiene
+- Use Conventional Commits for messages (e.g., feat:, fix:, docs:, refactor:, test:, build:, ci:, chore:, perf:, style:, revert:). Keep PRs focused; avoid mixing unrelated changes.
+- Trunk-based development: open feature branches targeting main.
+- Tests, lint, and fmt should pass locally before opening a PR.
+
+## Quick links
+- README: [README.md](README.md)
+- Docs index: [docs/README.md](docs/README.md)
+- Getting started: [docs/getting-started.md](docs/getting-started.md)
+- Configuration: [docs/configuration.md](docs/configuration.md)
+- Middleware: [docs/middleware.md](docs/middleware.md)
+- Security: [docs/security.md](docs/security.md)
+- Testing: [docs/testing.md](docs/testing.md)
+- Router: [docs/router.md](docs/router.md)

docs/README.md

@@ -1,6 +1,6 @@
 # Documentation Index
 
-Welcome to Harmony Proxy’s documentation. Start here to explore concepts, configuration, and usage.
+Welcome to Harmony Proxy’s documentation. Harmony is a general-purpose data mesh proxy with first-class support for medical data (FHIR, DICOM/DICOMweb, JMIX). Start here to explore concepts, configuration, and usage.
 
 - Getting started: getting-started.md
 - Configuration: configuration.md