First off, thank you for considering contributing to TrustVault! This is a security-focused project, so we have specific guidelines to maintain the highest standards.
This is a security-critical application. All contributions must:
- Follow security best practices
- Not introduce vulnerabilities
- Maintain OWASP Mobile Top 10 2025 compliance
- Preserve zero-knowledge architecture
- Include security considerations in PRs
-
Fork the Repository
git clone https://github.com/yourusername/trustvault-pwa.git cd trustvault-pwa -
Install Dependencies
npm install
-
Create a Branch
git checkout -b feature/your-feature-name
-
Make Your Changes
- Follow TypeScript strict mode
- Write clean, documented code
- Add tests for new features
- Update documentation
-
Run Quality Checks
npm run type-check npm run lint npm run format npm run security:audit npm run test -
Commit Your Changes
git commit -m "feat: add amazing feature" -
Push and Create PR
git push origin feature/your-feature-name
- Use strict mode (already configured)
- Explicit return types for functions
- No
anytypes (useunknownif needed) - Prefer interfaces over types for objects
- Use const assertions where appropriate
- Functional components only
- Custom hooks for reusable logic
- Proper dependency arrays in useEffect
- Memoization for expensive computations
- Avoid prop drilling (use Zustand)
- Never log sensitive data
- No console.log in production code
- Validate all inputs
- Use constant-time comparisons
- Secure random number generation only
- Unit tests for utilities
- Integration tests for features
- Security tests for crypto functions
- Mock external dependencies
presentation/ → UI components, pages, state
domain/ → Business logic, entities, interfaces
data/ → Implementations, storage, API calls
core/ → Utilities, crypto, authentication
Rules:
- Presentation can import from domain and core
- Domain cannot import from presentation or data
- Data can import from domain and core
- Core has no internal dependencies
// Good
src/
domain/
entities/
User.ts # Entity definition
repositories/
IUserRepository.ts # Interface
data/
repositories/
UserRepositoryImpl.ts # Implementation
// Bad - Don't mix layers
src/
components/
UserRepository.ts # Wrong layer!- ✅ Cryptographic functions (100% coverage required)
- ✅ Business logic
- ✅ State management
- ✅ Component rendering
- ✅ Error handling
- ❌ Third-party libraries
- ❌ Material-UI components
- ❌ Simple getters/setters
import { describe, it, expect } from 'vitest';
import { encrypt, decrypt } from '@/core/crypto/encryption';
describe('Encryption', () => {
it('should encrypt and decrypt data correctly', async () => {
const plaintext = 'sensitive data';
const key = await generateEncryptionKey();
const encrypted = await encrypt(plaintext, key);
const decrypted = await decrypt(encrypted, key);
expect(decrypted).toBe(plaintext);
});
});We use ESLint and Prettier for consistent formatting.
# Format code
npm run format
# Fix linting issues
npm run lint:fix- Components: PascalCase (
LoginPage.tsx) - Hooks: camelCase with
useprefix (useAuth.ts) - Utilities: camelCase (
encryption.ts) - Constants: UPPER_SNAKE_CASE (
MAX_PASSWORD_LENGTH) - Interfaces: PascalCase with
Iprefix (IUserRepository) - Types: PascalCase (
CredentialCategory)
Follow Conventional Commits:
<type>(<scope>): <subject>
<body>
<footer>
feat: New featurefix: Bug fixdocs: Documentationstyle: Formatting (no code change)refactor: Code restructuringtest: Adding testschore: Maintenancesecurity: Security improvements
feat(auth): add biometric authentication support
fix(crypto): constant-time comparison in password verification
docs(security): update OWASP compliance documentation
security(storage): implement secure memory wipe on logout-
Before Submitting
- ✅ All tests pass
- ✅ No linting errors
- ✅ Type checking passes
- ✅ Security audit clean
- ✅ Documentation updated
- ✅ CHANGELOG.md updated (for features)
-
PR Description Template
## Description Brief description of changes ## Type of Change - [ ] Bug fix - [ ] New feature - [ ] Breaking change - [ ] Documentation update ## Security Impact Describe any security implications ## Testing - [ ] Unit tests added/updated - [ ] Integration tests added/updated - [ ] Manual testing performed ## Checklist - [ ] TypeScript strict mode compliance - [ ] No console.log statements - [ ] Documentation updated - [ ] Security review performed
-
Review Process
- Maintainer review required
- Security review for crypto changes
- CI/CD must pass
- At least one approval needed
Use GitHub Issues with this template:
**Describe the Bug**
Clear description of the issue
**To Reproduce**
Steps to reproduce:
1. Go to '...'
2. Click on '...'
3. See error
**Expected Behavior**
What should happen
**Screenshots**
If applicable
**Environment**
- OS: [e.g., macOS 13.0]
- Browser: [e.g., Chrome 120]
- Version: [e.g., 1.0.0]
**Security Concerns**
Does this involve security? If yes, email security@trustvault.example instead**Feature Description**
Clear description of the feature
**Use Case**
Why is this needed?
**Proposed Solution**
How should it work?
**Alternatives Considered**
Other approaches you've thought about
**Security Implications**
Any security considerations?DO NOT create public issues for security vulnerabilities!
Email: security@trustvault.example (update with real contact)
Include:
- Vulnerability description
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We follow responsible disclosure and will:
- Acknowledge within 24 hours
- Assess within 48 hours
- Fix based on severity
- Credit you in release notes (if desired)
- Code: JSDoc comments for public APIs
- README.md: User-facing features
- SECURITY.md: Security architecture
- QUICKSTART.md: Getting started guide
- This file: Contribution guidelines
/**
* Encrypts plaintext using AES-256-GCM
*
* @param plaintext - The data to encrypt
* @param key - CryptoKey for AES-256-GCM
* @returns Encrypted data with IV and auth tag
* @throws Error if encryption fails
*
* @example
* ```typescript
* const key = await generateEncryptionKey();
* const encrypted = await encrypt("secret", key);
* ```
*/
export async function encrypt(
plaintext: string,
key: CryptoKey
): Promise<EncryptedData> {
// Implementation
}- 🔐 Security enhancements
- 🧪 Test coverage improvements
- 📚 Documentation improvements
- 🐛 Bug fixes
- ♿ Accessibility improvements
- ✨ New features (after discussion)
- 🎨 UI/UX improvements
- ⚡ Performance optimizations
- 🌍 Internationalization
- 🧹 Code refactoring
- 📝 Code comments
- 🎭 Visual tweaks
- Be respectful and inclusive
- Provide constructive feedback
- Help others learn
- Follow the Code of Conduct
By contributing, you agree that your contributions will be licensed under the MIT License.
Thank you for helping make TrustVault more secure! 🔒