Contributing
Getting Started
BASH# Fork and clone git clone https://github.com/<your-username>/ctx-sync.git cd ctx-sync # Install dependencies (includes Husky git hooks) npm install # Build shared packages npm run build -w packages/shared # Verify everything works npm run typecheck npm run lint npm run test:unit -w apps/cli
Node.js >= 20.0.0 and Git >= 2.25 are required. Run `node --version` to check.
Branching Strategy
We use a structured branching model. All work happens on feature branches that merge into develop, which is then promoted to main for releases.
feat/<name> ──squash merge──> develop ──merge──> main ──tag──> vX.Y.Z
- Create a feature branch from
develop:git checkout -b feat/my-feature develop - Do your work with atomic commits
- Open a PR targeting
develop(never directly tomain) - After approval, the PR is squash-merged into
develop
Branch Naming
| Prefix | Purpose |
|---|---|
feat/ |
New features |
fix/ |
Bug fixes |
docs/ |
Documentation-only changes |
test/ |
Test additions or improvements |
refactor/ |
Code restructuring |
chore/ |
Maintenance, CI, tooling |
Commit Convention
This project enforces Conventional Commits via commitlint. Every commit must follow this format:
<type>[optional scope]: <description>
Allowed Types
| Type | When to use |
|---|---|
feat |
A new feature |
fix |
A bug fix |
docs |
Documentation only |
test |
Adding or updating tests |
refactor |
Code change that neither fixes nor adds |
chore |
Maintenance, CI, dependencies |
perf |
Performance improvements |
Examples
feat(cli): add --force flag to init command
fix(ci): align release workflow node matrix
docs(website): update FAQ for v1.2.0
test: add coverage for restore --no-pull
Use a scope to clarify what area is affected: `cli`, `ci`, `website`, `shared`.
Pre-commit Hooks
Husky runs these checks on every commit — if any fail, the commit is rejected:
- TypeScript typecheck —
tsc --noEmitacross all packages - ESLint — linting across all packages
- Unit tests — CLI + shared package tests
- Commitlint — validates your commit message format
Running Tests
BASH# Individual suites npm run test:unit -w apps/cli # ~800 unit tests npm run test:integration -w apps/cli # Integration tests npm run test:e2e -w apps/cli # End-to-end tests npm run test:security -w apps/cli # ~260 security tests npm run test:performance -w apps/cli # Benchmarks # Everything at once npm run test:all # Watch mode (great during development) npm run test:watch -w apps/cli
If your change touches encryption, key management, file permissions, or Git operations, always run the security suite: `npm run test:security -w apps/cli`
Security Considerations
ctx-sync handles encryption keys and secrets. When contributing:
- Never log, print, or expose private keys or decrypted secrets
- Never pass secrets as CLI arguments (use stdin or env vars)
- Ensure file permissions are enforced (key:
0o600, config dir:0o700) - All new state must be encrypted before writing to disk or Git
- Do not commit
.envfiles, credentials, or key material
CI Pipeline
Every PR triggers these checks — all must pass to merge:
| Check | What it does |
|---|---|
lint-and-typecheck |
ESLint + TypeScript across all packages |
build |
Compiles shared + CLI packages |
test-cli |
Unit, integration, E2E tests (Ubuntu + macOS, Node 20 + 22) |
test-shared |
Shared package tests |
security |
npm audit + security test suite + secret scanning |
The main branch is protected — direct pushes are blocked and all status checks must pass via PR.
Submitting a Pull Request
- Ensure your branch is up to date with
develop - Run the checks locally:BASH
npm run typecheck && npm run lint && npm run test:unit -w apps/cli - Push your branch and open a PR targeting
develop - Fill in the PR with a Summary (what and why) and Test plan (how you verified)
- Address review feedback
Reporting Issues
- Use GitHub Issues
- Include: OS, Node version, ctx-sync version, steps to reproduce
- For security vulnerabilities, email the maintainer directly — do not open a public issue