Thank you for your interest in contributing to App Vault! This document provides guidelines for contributing to the project.
- Be respectful and inclusive
- Welcome newcomers and encourage diverse perspectives
- Focus on what is best for the community
- Fork the repository
- Clone your fork:
git clone https://github.com/yourusername/app-vault.git - Create a feature branch:
git checkout -b feature/your-feature-name - Make your changes
- Run tests:
go test ./... - Commit your changes:
git commit -am 'Add new feature' - Push to your fork:
git push origin feature/your-feature-name - Create a Pull Request
- Go 1.23 or later
- PostgreSQL 12 or later
- Docker (optional, for running PostgreSQL)
# Clone the repository
git clone https://github.com/App Vault/app-vault.git
cd app-vault
# Install dependencies
go mod download
# Start PostgreSQL (using Docker)
docker-compose up -d
# Run the server
go run cmd/server/main.goFollow the official Go Code Review Comments and the guidelines in .github/instructions/go.instructions.md.
Key points:
- Use
gofmtto format your code - Keep functions small and focused
- Write clear, descriptive variable names
- Add comments for exported functions and complex logic
- Use early returns to reduce nesting
- Handle all errors properly
Critical security rules (from .github/instructions/copilot-instructions.md):
- Never log secrets or plaintext - No sensitive data in logs, errors, or traces
- Use constant-time comparisons - For tokens, hashes, and derived keys
- Validate all inputs - Length limits, character sets, prevent injection
- Parameterized queries only - No string concatenation in SQL
- Zero sensitive buffers - Clear memory after use (best effort in Go)
- Use AEAD encryption - XChaCha20-Poly1305 only, no custom crypto
- Write unit tests for all new functionality
- Ensure tests pass:
go test ./... - Aim for high code coverage
- Test error cases and edge conditions
- No secrets or credentials in test code
Example test structure:
func TestMyFunction(t *testing.T) {
// Setup
input := "test input"
// Execute
result, err := MyFunction(input)
// Assert
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if result != expected {
t.Errorf("got %v, want %v", result, expected)
}
}- Update documentation - Update README.md or relevant docs if needed
- Add tests - Ensure new code has adequate test coverage
- Run tests - All tests must pass:
go test ./... - Run linters -
go vet ./...must pass - Write clear commit messages - Describe what and why
- Keep PRs focused - One feature or fix per PR
- Respond to reviews - Address feedback promptly and professionally
type: brief description
Detailed explanation of what changed and why.
Fixes #123
Types:
feat:- New featurefix:- Bug fixdocs:- Documentation changestest:- Adding or updating testsrefactor:- Code refactoringperf:- Performance improvementschore:- Maintenance tasks
Look for issues labeled good first issue or help wanted.
- Features: Service principal management UI, rate limiting improvements
- Documentation: Tutorials, deployment guides, architecture diagrams
- Tests: Increase test coverage, add integration tests
- Performance: Optimize database queries, caching strategies
- Security: Security audits, penetration testing reports
- Breaking API changes (discuss first in an issue)
- Features that violate zero-knowledge principles
- Custom cryptography implementations
- UI/frontend code (backend only for now)
cmd/server/ - Application entry point
internal/
api/ - HTTP handlers and middleware
service/ - Business logic layer
db/ - Database repository layer
crypto/ - Cryptography operations
models/ - Shared data structures
migrations/ - SQL schema migrations
- API Layer: HTTP request/response handling, validation, authentication
- Service Layer: Business logic, orchestration, transactions
- Database Layer: Data persistence, queries, transactions
- Crypto Layer: Encryption, decryption, key derivation
- Add handler in
internal/api/handlers.go - Add business logic in appropriate service file
- Add database operations if needed in
internal/db/database.go - Register route in
cmd/server/main.go - Update API documentation in README.md
- Add tests
Create a new SQL file in migrations/ with naming pattern: NNN_description.sql
Example: 002_add_sessions_table.sql
-- Add session management
CREATE TABLE IF NOT EXISTS sessions (
id UUID PRIMARY KEY,
user_id UUID NOT NULL REFERENCES users(id),
token_hash VARCHAR(255) NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX idx_sessions_user_id ON sessions(user_id);
CREATE INDEX idx_sessions_expires_at ON sessions(expires_at);Migrations must be:
- Idempotent (can run multiple times safely)
- Forward-compatible (no breaking changes to existing data)
# All tests
go test ./...
# Specific package
go test ./internal/crypto
# With coverage
go test ./... -cover
# Verbose output
go test ./... -vAim for:
- Critical paths: 90%+ coverage
- Crypto operations: 100% coverage
- Business logic: 80%+ coverage
- HTTP handlers: 70%+ coverage
- Update README.md for user-facing changes
- Update EXAMPLES.md for new API endpoints
- Add godoc comments for exported functions
- Keep comments up-to-date with code changes
- Open an issue for questions about contributing
- Check existing issues and PRs for similar work
- Join discussions in GitHub Discussions (if enabled)
By contributing, you agree that your contributions will be licensed under the MIT License.