docs(scripts): improve README, CONTRIBUTING, and test runner scripts #41

Merged
pankaj-bind merged 1 commit into main from feat/ci-github-actions
Mar 27, 2026

@pankaj-bind
Owner

Type of Change

Select the type of change:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactoring (code restructuring without changing functionality)
  • Documentation update
  • Performance improvement
  • Security patch

Description

What does this PR do?

A clear and concise description of your changes.

Related Issue

Link to the issue this PR addresses:

Closes #(issue number)

Changes Made

List the specific changes you've made:

  • Changed X to Y in file A
  • Added new component B
  • Refactored function C
  • Updated documentation for D

Screenshots

For UI changes, provide before/after screenshots:

Before

After

Testing

How has this been tested?

  • Tested on Desktop (Chrome, Firefox, Safari)
  • Tested on Mobile (iOS Safari, Chrome Mobile)
  • Tested on Tablet
  • Added new unit tests
  • All existing tests pass
  • Manual testing completed

Test scenarios:

  1. Scenario 1: Description of what you tested
  2. Scenario 2: Description of what you tested

Checklist

Before submitting, confirm:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published
  • I have checked my code and corrected any misspellings
  • My commit messages follow the Conventional Commits specification

Frontend Changes (if applicable)

  • TypeScript types are properly defined
  • Component uses Tailwind CSS (no inline styles)
  • Responsive design tested on multiple screen sizes
  • Accessibility (ARIA labels, keyboard navigation) considered
  • Dark mode compatibility verified

Backend Changes (if applicable)

  • Follows PEP 8 style guide
  • Database migrations created (if schema changed)
  • API endpoint documentation updated
  • Input validation implemented
  • Security best practices followed
  • No sensitive data logged

Security Considerations

Does this PR introduce any security concerns?

  • No security impact
  • Security review required
  • Handles sensitive data (encryption implemented)
  • Changes authentication/authorization logic
  • Adds new external dependencies

If security-sensitive, describe the measures taken:

Breaking Changes

Does this PR introduce breaking changes?

  • No
  • Yes (describe below)

If yes, describe the breaking changes and migration path:

Additional Notes

Any additional information reviewers should know:

Deployment Notes

Special deployment steps required:

  • No special steps needed
  • Environment variables need updating
  • Database migration required
  • Cache needs clearing
  • Other: ___

Reviewer Checklist:

  • Code quality and style approved
  • Tests are adequate and passing
  • Documentation is clear and complete
  • No security vulnerabilities introduced
  • Performance impact is acceptable

Copilot AI review requested due to automatic review settings March 27, 2026 02:00
@vercel

vercel bot commented Mar 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
accountsafe Ready Ready Preview, Comment Mar 27, 2026 2:00am

@pankaj-bind pankaj-bind merged commit e4a2dff into main Mar 27, 2026
5 checks passed

Copilot AI left a comment

Pull request overview

This PR focuses on improving developer documentation and local tooling ergonomics, mainly by updating READMEs/CONTRIBUTING guidance and simplifying the test runner scripts, with a small tweak to local Nginx routing for static/media.

Changes:

  • Simplify/standardize output and paths in the cross-platform test runner scripts.
  • Expand README/CONTRIBUTING with clearer setup, testing, and troubleshooting instructions.
  • Adjust local Nginx handling for /static/ (try local first, fall back to backend) and proxy /media/ to backend.

Reviewed changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated 9 comments.

File Description
scripts/run_tests.sh Simplified banner/output; updated backend/frontend paths relative to scripts/.
scripts/run_tests.bat Simplified banner/output; updated backend/frontend paths relative to scripts\.
README.md Large overhaul: prerequisites, Docker/native setup, testing instructions, troubleshooting, deployment section.
CONTRIBUTING.md Expanded contributor guidance: prerequisites, setup steps, project structure, testing + PR process.
SECURITY.md Minor wording/punctuation edits in security policy text.
frontend/public/docs/SECURITY.md Mirror of SECURITY policy text for frontend docs.
frontend/nginx.local.conf Refined /static/ handling with fallback to backend; /media/ proxies to backend.
frontend/src/index.css Comment typography normalization (em dash → hyphen) in design system comments.
backend/api/tests/test_zero_knowledge.py Comment/docstring typography normalization (em dash → hyphen).
backend/api/features/auth/zero_knowledge.py Comment typography normalization.
backend/api/features/auth/services.py Comment typography normalization.
.github/workflows/ci.yml Comment typography normalization.
package-lock.json Lockfile metadata update (peer flag) for root docs-related dependencies.
frontend/package-lock.json Lockfile metadata normalization (removal of many peer flags).
Files not reviewed (1)
  • frontend/package-lock.json: Language not supported

Comment on lines 5 to +8
REM Usage:
REM run_tests.bat - Run all tests
REM run_tests.bat backend - Run only backend tests
REM run_tests.bat frontend - Run only frontend tests
REM run_tests.bat Run all tests
REM run_tests.bat backend Run backend tests only
REM run_tests.bat frontend Run frontend tests only

Copilot AI Mar 27, 2026

The usage examples imply running run_tests.bat from the current directory, but the file lives under scripts\. Either update the usage block to scripts\run_tests.bat ... (for running from repo root) or explicitly state it should be run after cd scripts.

Copilot uses AI. Check for mistakes.
Comment on lines +228 to +230
scripts\run_tests.bat # all tests
scripts\run_tests.bat backend # backend only
scripts\run_tests.bat frontend # frontend only

Copilot AI Mar 27, 2026

This Windows test command block is inconsistent: after cd scripts, scripts\run_tests.bat would resolve to scripts\scripts\run_tests.bat and fail. Use run_tests.bat ... after cd scripts, or remove the cd scripts and keep scripts\run_tests.bat ... from the repo root.

Suggested change
scripts\run_tests.bat # all tests
scripts\run_tests.bat backend # backend only
scripts\run_tests.bat frontend # frontend only
run_tests.bat # all tests
run_tests.bat backend # backend only
run_tests.bat frontend # frontend only

#### Duress Mode Is Intentional (Not a Backdoor)

Similarly, if you discover a secondary authentication path that reveals different vault contents**this is the Duress Mode (Ghost Vault) feature**.
Similarly, if you discover a secondary authentication path that reveals different vault contents-**this is the Duress Mode (Ghost Vault) feature**.

Copilot AI Mar 27, 2026

Same punctuation issue here: add spaces around the dash (or restore the em dash) before the bold phrase so the sentence reads correctly in Markdown.

Suggested change
Similarly, if you discover a secondary authentication path that reveals different vault contents-**this is the Duress Mode (Ghost Vault) feature**.
Similarly, if you discover a secondary authentication path that reveals different vault contents**this is the Duress Mode (Ghost Vault) feature**.

#### Canary Traps Are Intentional (Not Vulnerabilities)

If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior**this is by design**.
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior-**this is by design**.

Copilot AI Mar 27, 2026

There should be spacing around the dash (or use an em dash) before the bold text. As written (behavior-**this is by design**) it reads like a hyphenated word and renders awkwardly in Markdown.

Suggested change
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior-**this is by design**.
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior - **this is by design**.

#### Duress Mode Is Intentional (Not a Backdoor)

Similarly, if you discover a secondary authentication path that reveals different vault contents**this is the Duress Mode (Ghost Vault) feature**.
Similarly, if you discover a secondary authentication path that reveals different vault contents-**this is the Duress Mode (Ghost Vault) feature**.

Copilot AI Mar 27, 2026

Same punctuation issue here: add spaces around the dash (or restore the em dash) before the bold phrase so the sentence reads correctly in Markdown.

Suggested change
Similarly, if you discover a secondary authentication path that reveals different vault contents-**this is the Duress Mode (Ghost Vault) feature**.
Similarly, if you discover a secondary authentication path that reveals different vault contents - **this is the Duress Mode (Ghost Vault) feature**.

location /media/ {
proxy_pass http://backend:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;

Copilot AI Mar 27, 2026

In the /media/ proxy block you only set Host and X-Real-IP, but the backend reads HTTP_X_FORWARDED_FOR (client IP) and may rely on HTTP_X_FORWARDED_PROTO for secure redirects. Consider adding X-Forwarded-For and X-Forwarded-Proto here (consistent with the /api/, /admin/, and @backend_static blocks).

Suggested change
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Copilot uses AI. Check for mistakes.
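
Why the missing header matters to a backend that reads HTTP_X_FORWARDED_FOR, as an added example that is not code from this PR or from AccountSafe: it contrasts a leftmost-entry lookup with a trusted-hop lookup. The function names, the single-proxy assumption and the sample addresses are constructed for illustration, and the trusted-hop result is only meaningful when every proxied location sets the header.

```python
import ipaddress

# Assumption (not from the PR): exactly one trusted proxy, the local Nginx,
# sits between clients and the backend.
TRUSTED_PROXY_HOPS = 1


def naive_client_ip(meta):
    """Leftmost X-Forwarded-For entry: whatever the client chose to send."""
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    return xff.split(",")[0].strip() or meta.get("REMOTE_ADDR", "")


def client_ip(meta, trusted_hops=TRUSTED_PROXY_HOPS):
    """Client address as recorded by our own proxy chain.

    $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the
    client sent, so only the last `trusted_hops` entries were written by
    proxies we control; everything to their left is client-supplied.
    """
    peer = meta.get("REMOTE_ADDR", "")
    raw = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return peer  # header absent: all we know is the proxy's own address
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed entry: fall back to the TCP peer


# Constructed WSGI-style META dicts; 172.18.0.5 stands in for the Nginx container.
# /media/ without the header: client sent none and the proxy added none.
MEDIA_BLOCK_AS_MERGED = {"REMOTE_ADDR": "172.18.0.5"}
MEDIA_BLOCK_WITH_FIX = {
    "REMOTE_ADDR": "172.18.0.5",
    # Client sent "X-Forwarded-For: 10.9.9.9"; Nginx appended the real peer.
    "HTTP_X_FORWARDED_FOR": "10.9.9.9, 203.0.113.7",
}

if __name__ == "__main__":
    for name, meta in (("as merged", MEDIA_BLOCK_AS_MERGED),
                       ("with fix", MEDIA_BLOCK_WITH_FIX)):
        print(name, "| naive:", naive_client_ip(meta), "| trusted-hop:", client_ip(meta))
```

Without the header, every /media/ request is attributed to the proxy's address, so per-client logging or rate limiting on that path collapses to a single source.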
| Database | PostgreSQL 15+ |
| Encryption | AES-256-GCM (Web Crypto API) |
| Key Derivation | PBKDF2 (600k iterations) / Argon2id |
| Key Derivation | PBKDF2 (600k iterations) |
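Review bot: The Key Derivation row gives an iteration count without naming the hash PBKDF2 runs over, and an iteration count is only meaningful relative to that hash; state it in the row, for example "PBKDF2-HMAC-SHA256 (600k iterations)", using whichever hash the code actually uses. The same row also drops "/ Argon2id", which changes a security claim inside a docs PR and should be checked against the implementation before it is merged.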

Copilot AI Mar 27, 2026

The architecture table now states key derivation is PBKDF2-only, but the frontend crypto implementation currently derives keys with Argon2id (see frontend/src/services/cryptoService.ts), and there is also PBKDF2-based code under frontend/src/utils/encryption.ts. The README should reflect the actual KDF(s) used so security claims stay accurate.

Suggested change
| Key Derivation | PBKDF2 (600k iterations) |
| Key Derivation | Argon2id (frontend) and PBKDF2 (600k iterations, compatibility) |

Comment on lines +7 to +10
# ./run_tests.sh Run all tests
# ./run_tests.sh backend Run backend tests only
# ./run_tests.sh frontend Run frontend tests only
# ./run_tests.sh --coverage Run with coverage reports

Copilot AI Mar 27, 2026

The usage examples imply running the script as ./run_tests.sh, but this file lives under scripts/. If invoked from the repo root, the correct path is ./scripts/run_tests.sh (or clarify that users should cd scripts first). Updating the usage block will prevent confusion.

Suggested change
# ./run_tests.sh Run all tests
# ./run_tests.sh backend Run backend tests only
# ./run_tests.sh frontend Run frontend tests only
# ./run_tests.sh --coverage Run with coverage reports
# ./scripts/run_tests.sh Run all tests
# ./scripts/run_tests.sh backend Run backend tests only
# ./scripts/run_tests.sh frontend Run frontend tests only
# ./scripts/run_tests.sh --coverage Run with coverage reports

#### Canary Traps Are Intentional (Not Vulnerabilities)

If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior**this is by design**.
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior-**this is by design**.

Copilot AI Mar 27, 2026

There should be spacing around the dash (or use an em dash) before the bold text. As written (behavior-**this is by design**) it reads like a hyphenated word and renders awkwardly in Markdown.

Suggested change
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior-**this is by design**.
If you are auditing AccountSafe and discover credentials that appear to trigger alerts, logging mechanisms, or "phone home" behavior**this is by design**.

@pankaj-bind pankaj-bind deleted the feat/ci-github-actions branch April 4, 2026 18:58