# Contributing to quicprochat

## Prerequisites

- **Rust toolchain** (stable) via [rustup](https://rustup.rs/)
- **protoc** is vendored via the `protobuf-src` crate -- no system installation needed
- Git with GPG signing configured

## Building and Testing

```sh
cargo build --workspace
cargo test --workspace
```

A `justfile` is also available for common tasks (`just build`, `just test`, `just proto`, etc.).

## Code Standards

### Commits

- **Conventional commits**: `feat:`, `fix:`, `docs:`, `chore:`, `test:`, `refactor:`
- Commits must be **GPG-signed**
- Commit messages describe *why*, not just *what*
- No `Co-authored-by` trailers

### Rust

- No `.unwrap()` on crypto or I/O operations outside of tests
- Secrets must be zeroized on drop and never logged
- No stubs, `todo!()`, or `unimplemented!()` in production code
- Prefer clarity over cleverness; avoid unnecessary abstractions

## Security Vulnerabilities

Do not open public issues for security bugs. See [SECURITY.md](SECURITY.md) for responsible disclosure instructions.

## Licensing

The server crate (`quicprochat-server`) is licensed under **AGPL-3.0**. All other crates are dual-licensed under **Apache-2.0 / MIT**. By submitting a contribution, you agree to license your work under the applicable license(s).