-
Notifications
You must be signed in to change notification settings - Fork 1
Contributing
Edgar Cano edited this page Jun 1, 2026
·
1 revision
git clone https://github.com/OdinoCano/3va.git
cd 3va
./scripts/dev-setup.sh # installs git hooks, verifies toolsThis installs pre-commit hooks that run cargo fmt --check and cargo clippy before every commit, and cargo test before every push.
cargo test # run full test suite
cargo fmt # format code
cargo clippy # check lints
cargo deny check # check dependencies for CVEs and license issuesEvery PR must pass all of the following before it can be merged:
| Check | Blocks merge |
|---|---|
cargo fmt --check |
Yes |
cargo clippy -D warnings |
Yes |
cargo test |
Yes |
cargo deny check (advisories + licenses + bans) |
Yes |
| Secret scanning (gitleaks) | Yes |
| Semgrep SAST (ERROR severity) | Yes |
There is no way to bypass CI. Branch protection on main and develop requires all status checks to pass and at least one maintainer approval. Even maintainers cannot push directly to main.
Changes to the following require maintainer review regardless of author (enforced via CODEOWNERS):
-
crates/permissions/— capability model -
crates/js/src/builtins/— JS API surface exposed to user code -
crates/wasm/src/— WASM sandbox -
.github/— CI and security pipelines -
Cargo.toml,Cargo.lock,deny.toml— dependency surface
- Fork the repository and create a branch from
develop - Make your changes and ensure all CI checks pass locally
- Open a pull request against
develop(notmain) - Fill out the PR template
See Security for reporting vulnerabilities.