- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)
# Contributing to quicproquo

## Prerequisites

- Rust toolchain (stable) via rustup
- `protoc` is vendored via the `protobuf-src` crate -- no system installation needed
- Git with GPG signing configured

## Building and Testing

```bash
cargo build --workspace
cargo test --workspace
```

A `justfile` is also available for common tasks (`just build`, `just test`, `just proto`, etc.).
## Code Standards

### Commits

- Conventional commits: `feat:`, `fix:`, `docs:`, `chore:`, `test:`, `refactor:`
- Commits must be GPG-signed
- Commit messages describe why, not just what
- No `Co-authored-by` trailers

### Rust

- No `.unwrap()` on crypto or I/O operations outside of tests
- Secrets must be zeroized on drop and never logged
- No stubs, `todo!()`, or `unimplemented!()` in production code
- Prefer clarity over cleverness; avoid unnecessary abstractions
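The following is an added example, not code from the quicproquo repository, showing what the three Rust rules above look like in practice: a `SecretKey` wrapper (a hypothetical type and 32-byte size chosen for the example) that wipes its memory on drop with volatile writes, redacts itself in `Debug` output so it can never leak through logging, and is loaded by a fallible function that propagates errors with `?` rather than `.unwrap()`. It uses only the standard library; a real crate would typically reach for the `zeroize` crate instead of hand-rolling the wipe.

```rust
use std::fmt;
use std::io::Read;
use std::sync::atomic::{compiler_fence, Ordering};

/// Error type for key loading. Deriving `Debug`/`PartialEq` is fine here because
/// the error never carries secret material, only a length or an I/O message.
#[derive(Debug, PartialEq)]
pub enum KeyError {
    BadLength(usize),
    Io(String),
}

impl From<std::io::Error> for KeyError {
    fn from(e: std::io::Error) -> Self {
        KeyError::Io(e.to_string())
    }
}

/// Overwrite a buffer with zeros using volatile writes so the optimizer cannot
/// drop the stores as "dead" just because the memory is about to be freed.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Fixed-size key material (hypothetical type for this example).
pub struct SecretKey(Box<[u8; 32]>);

impl SecretKey {
    /// Build a key from raw bytes; a wrong length is an error, not a panic.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self, KeyError> {
        if bytes.len() != 32 {
            return Err(KeyError::BadLength(bytes.len()));
        }
        let mut arr = [0u8; 32];
        arr.copy_from_slice(bytes);
        Ok(SecretKey(Box::new(arr)))
    }

    /// Explicit accessor: callers must opt in to touching the raw bytes.
    pub fn expose(&self) -> &[u8; 32] {
        &self.0
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        // Rule: secrets are zeroized on drop.
        zeroize_bytes(&mut self.0[..]);
    }
}

impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Rule: secrets are never logged. `{:?}` and `tracing`/`log` fields
        // that use Debug all go through here and only ever see the redaction.
        f.write_str("SecretKey([REDACTED])")
    }
}

/// Load a key from any reader. Every I/O and parse failure is propagated with
/// `?` instead of `.unwrap()`, and the temporary buffer is wiped on every path.
pub fn load_key<R: Read>(mut r: R) -> Result<SecretKey, KeyError> {
    let mut buf = Vec::new();
    let result = r.read_to_end(&mut buf).map_err(KeyError::from)
        .and_then(|_| SecretKey::from_bytes(&buf));
    zeroize_bytes(&mut buf);
    result
}

/// What a log line would contain if someone formatted the key with `{:?}`.
pub fn debug_repr(key: &SecretKey) -> String {
    format!("{:?}", key)
}

fn main() {
    // Constructed sample input: 32 bytes of 0x42 standing in for a key file.
    let sample = [0x42u8; 32];
    match load_key(&sample[..]) {
        Ok(key) => println!("loaded key, logged as: {}", debug_repr(&key)),
        Err(e) => eprintln!("failed to load key: {:?}", e),
    }
    // Too-short input is a clean error rather than a panic.
    println!("short input -> {:?}", load_key(&b"short"[..]).err());
}
```

The `and_then` chain in `load_key` exists so that `buf` is wiped on both the success and the error path; an early `return` via `?` would skip the wipe, which is the kind of subtle leak the "zeroized on drop" rule is meant to rule out.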
## Security Vulnerabilities

Do not open public issues for security bugs. See `SECURITY.md` for responsible disclosure instructions.

## Licensing

The server crate (`quicproquo-server`) is licensed under AGPL-3.0. All other crates are dual-licensed under Apache-2.0 / MIT. By submitting a contribution, you agree to license your work under the applicable license(s).