docs: DOC-06 CONTRIBUTING.md onramp (#873)

[Chris0Jeky]

Summary

Adds a CONTRIBUTING.md at the repo root as a friendly onramp for external
contributors. Complements (does not duplicate) AGENTS.md, which remains the
authoritative protocol.

Closes #873.

Sections Covered

• Prerequisites (.NET 8 SDK, Node.js 24.x, Git)
• Local setup (backend, frontend, Docker) for Windows / macOS / Linux
• Windows-specific notes: scripts/check-git-env.sh, Cygwin-git pitfall, PowerShell && caveat, stale index.lock
• Default URLs (API, Swagger, frontend, Docker reverse proxy)
• Running tests: backend (xUnit), frontend (typecheck/build/vitest/lint), E2E (Playwright)
• Commit message conventions (present-tense, small, one commit per file when spanning multiple files)
• PR process and review expectations, with pointer to AGENTS.md for the full protocol
• Good-first-issue guidance (label links for good first issue and Priority III)
• Cross-links to README, AGENTS.md, STATUS.md, MASTERPLAN, GOLDEN_PRINCIPLES, TESTING_GUIDE, START_HERE, ADR INDEX

Also cross-links CONTRIBUTING.md from README and removes stale duplicate
contributing bullets below the README license separator.

Commits

• docs: add CONTRIBUTING.md with prerequisites and setup
• docs: add testing, commit, and PR sections to CONTRIBUTING
• docs: cross-link CONTRIBUTING from README

Test plan

• All commands in CONTRIBUTING.md cross-checked against CLAUDE.md and AGENTS.md
• Links validated (relative paths to existing docs verified)
• CI green (ci-required.yml)

[Chris0Jeky]

Adversarial self-review

Ran through the diff as a hostile reviewer — command correctness, link validity, overlap with AGENTS.md, and Windows gotcha coverage. Cross-checked every command against CLAUDE.md, AGENTS.md, and frontend/taskdeck-web/package.json.

Findings

• [none, verified] Backend commands (dotnet restore/build/run/test, single-class --filter) — exact match with CLAUDE.md. No typos.
• [none, verified] Frontend scripts (npm run typecheck, npm run build, npm run lint, npx vitest --run -t, npm run dev) — all exist in frontend/taskdeck-web/package.json.
• [none, verified] Node version pin (>=24.13.1 <25) — matches engines in package.json.
• [none, verified] Playwright invocation (TASKDECK_E2E_DB=...) — matches CLAUDE.md.
• [none, verified] PowerShell env var syntax ($env:FOO = "bar"; cmd) — correct PS7 syntax, consistent with AGENTS.md's $LASTEXITCODE pattern.
• [none, verified] Windows gotchas — both the Cygwin-git fallback AND scripts/check-git-env.sh are documented, matching CLAUDE.md's Windows Notes exactly.
• [none, verified] Referenced paths (deploy/.env.example, docs/START_HERE.md, docs/ops/DEPLOYMENT_CONTAINERS.md, docs/TESTING_GUIDE.md, docs/STATUS.md, docs/IMPLEMENTATION_MASTERPLAN.md, docs/GOLDEN_PRINCIPLES.md, docs/decisions/INDEX.md) — all exist in repo.
• [none, verified] Good-first-issue label exists in the repo label set; when empty, doc points readers to Priority III as fallback (currently ~5 open). That is actionable, not vague fluff.
• [none, verified] No duplication with AGENTS.md — CONTRIBUTING keeps commit/PR guidance at onramp level (3–4 bullets each) and explicitly defers to AGENTS.md as the rulebook. No conflicting claims.
• [none, verified] README cleanup — removed stale duplicate contributing bullets that were orphaned below the license separator; new Contributing section now points CONTRIBUTING.md first, AGENTS.md second.

Potential nit not acted on

• CONTRIBUTING mentions npm run dev without noting it's a wrapper (node ./scripts/run-vite-dev.mjs). For an onramp this is correct and consistent with README/CLAUDE.md; wrapper detail is an implementation concern, not a contributor-facing one.

Acted on

• Nothing to fix — review did not surface a correctness defect. If CI flags a governance rule (e.g. Docs Governance), I'll address it in a follow-up commit.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 40c3d4f2de

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use the CI frontend test command with coverage

This section says it lists the exact CI commands, but npx vitest --run --reporter=verbose does not match the required CI gate: .github/workflows/reusable-frontend-unit.yml runs npm run test:coverage (with coverage output/threshold enforcement). As written, contributors can get a local green run here and still fail CI on coverage, which defeats the stated purpose of this checklist.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Adds a root-level contributor onramp (CONTRIBUTING.md) and updates the README to point new contributors to it, consolidating/cleaning up duplicated contribution guidance while keeping AGENTS.md as the authoritative protocol.

Changes:

• Add CONTRIBUTING.md with prerequisites, local setup, test commands, commit conventions, and PR process.
• Update README.md to link to CONTRIBUTING.md and remove duplicated contributing bullets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
README.md	Links to the new contributing onramp and removes duplicate guidance.
CONTRIBUTING.md	New contributor guide covering setup, testing, and contribution workflow (with AGENTS.md as source of truth).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The note "These are the exact commands CI runs" isn’t accurate for the current CI workflows. For example, CI uses npm ci (not npm install) and in the frontend unit workflow it runs npx vite build and npm run test:coverage rather than npm run build / npx vitest --run --reporter=verbose. Suggest either updating this section to match CI exactly, or rewording to say these commands are the recommended local equivalents/minimum gates.

Suggested change

	These are the exact commands CI runs; keep them green locally before pushing.
	Treat these as the recommended local equivalents / minimum gates to keep green before pushing.

[Copilot]

The frontend command list is internally inconsistent with the script definitions: npm run build already runs npm run typecheck (per frontend/taskdeck-web/package.json), so listing both commands in sequence implies running typecheck twice. Consider either removing the standalone npm run typecheck from this list, or changing the build line to npx vite build (which matches CI) and keeping npm run typecheck separate.

Suggested change

	npm run build # typecheck + vite build
	npx vite build # production build

[gemini-code-assist]

Code Review

This pull request introduces a new CONTRIBUTING.md file to guide new contributors through local setup, testing, and the PR process, while updating README.md to link to this new guide. Feedback was provided regarding the PowerShell command chaining examples to ensure they do not inadvertently close a user's terminal window upon failure.

[gemini-code-assist]

Using exit $LASTEXITCODE in a command chaining example is problematic for human contributors because it will close their terminal window if the first command fails. While this pattern is used in AGENTS.md for automated environments where exiting the process is desired, for a local setup guide it is better to use a pattern that stops execution without exiting the shell. Since PowerShell 7+ is recommended in the prerequisites, you could also use && which is supported there, unless there is a specific reason to avoid it for human contributors.

Suggested change

	npm run typecheck; if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }; npm run build
	npm run typecheck; if ($?) { npm run build }

[gemini-code-assist]

Update this note to reflect the change in the recommended PowerShell chaining pattern to avoid confusion about using $LASTEXITCODE and exit in interactive shells.

Suggested change

	On Windows PowerShell, chain with `;` and `$LASTEXITCODE` instead of `&&` (see
	the Windows section above).
	On Windows PowerShell, chain with `;` and a success check instead of `&&` (see
	the Windows section above).

[Chris0Jeky]

Adversarial review + bot-findings triage — round 2

Ran a fresh adversarial pass and triaged the three bot reviews
(gemini-code-assist, Copilot, chatgpt-codex-connector). All five bot
findings were valid; fixed them across three focused commits. New
findings from my own pass turned up nothing beyond what the bots caught,
so this round is bot-driven.

Bot findings triage

#	Bot	File:line	Finding	Resolution
1	gemini-code-assist	CONTRIBUTING.md:106	exit $LASTEXITCODE in a PS example closes interactive terminals on failure	Fixed — switched to non-terminating if ($LASTEXITCODE -eq 0) { ... }; called out exit pattern as automated-script variant
2	gemini-code-assist	CONTRIBUTING.md:161	Cross-reference note should match new chaining pattern	Fixed — updated cross-ref to "chain with ; and a success check"
3	Copilot	CONTRIBUTING.md:134	"exact commands CI runs" not accurate — CI uses npm ci, npx vite build, npm run test:coverage	Fixed — softened intro to "recommended local equivalents / minimum gates", pointed at .github/workflows/ for the real gate, noted npm run test:coverage mirrors CI's coverage-thresholded gate
4	Copilot	CONTRIBUTING.md:154	npm run build already runs typecheck, so listing both runs it twice	Fixed — replaced npm run build with npx vite build (matches CI), kept standalone npm run typecheck, added a short note explaining the choice
5	chatgpt-codex-connector	CONTRIBUTING.md:155	Frontend test line should match CI gate (npm run test:coverage)	Fixed — replaced npx vitest --run --reporter=verbose with npm run test:coverage; kept vitest --run -t "name" as the dev-only single-test variant

Fresh adversarial findings (round 2)

Pass covered: command correctness vs CLAUDE.md / AGENTS.md / .github/workflows/; Node engine pin vs package.json; Windows gotchas (Cygwin, check-git-env.sh, PowerShell &&); every referenced doc/script/env-file path; README cross-link; good-first-issue fallback; AGENTS.md duplication.

No new findings beyond the bot set above. Specifically verified:

• All 12 referenced paths exist (docs/ops/DEPLOYMENT_CONTAINERS.md, docs/TESTING_GUIDE.md, docs/STATUS.md, docs/IMPLEMENTATION_MASTERPLAN.md, docs/GOLDEN_PRINCIPLES.md, docs/START_HERE.md, docs/decisions/INDEX.md, docs/INDEX.md, AGENTS.md, README.md, scripts/check-git-env.sh, deploy/.env.example).
• Node pin >=24.13.1 <25 exactly matches frontend/taskdeck-web/package.json engines.
• reusable-frontend-unit.yml CI order (lint → typecheck → npx vite build → npm run test:coverage) now mirrored in the Running Tests list.
• PowerShell $env:FOO = "bar"; cmd syntax is correct PS7.
• README cleanup (f1af4f47) already removed the duplicate contributing bullets below the LICENSE section.

Commits

• 75329cd4 — docs(contributing): fix PowerShell chaining example to not close interactive shells
• ac429352 — docs(contributing): soften CI equivalence claim in Running Tests intro
• 05e52fde — docs(contributing): align frontend command list with CI and avoid double typecheck

CI

Pushed at HEAD 05e52fde; CI re-running now. Will update if anything goes non-green. This is a docs-only change, so the only sensitive gate is Docs Governance, which already passed.