|
| 1 | +# Contributing |
| 2 | + |
| 3 | +Thanks for helping make `secure` better. The following guidance keeps contributions aligned with the project’s release-quality standards. |
| 4 | + |
| 5 | +## Development environment |
| 6 | + |
| 7 | +1. Create a virtual environment and activate it: |
| 8 | + ```bash |
| 9 | + python -m venv .venv |
| 10 | + source .venv/bin/activate |
| 11 | + ``` |
| 12 | +2. Install the package in editable mode so local changes are picked up automatically: |
| 13 | + ```bash |
| 14 | + pip install -e . |
| 15 | + ``` |
| 16 | +3. Install the tooling used by the project: |
| 17 | + ```bash |
| 18 | + pip install ruff |
| 19 | + ``` |
| 20 | + _Optional:_ `uv` is the package manager used by the project for releases; you can use `uv add ...` to manage dependencies, but it is not required for local development. |
| 21 | + |
| 22 | +## Running tests, linting, and formatting |
| 23 | + |
| 24 | +- **Run unit tests:** `python -m unittest tests/*/*.py` |
| 25 | +- **Run the linter:** `ruff check` |
| 26 | +- **Apply formatting / fix issues:** `ruff format` |
| 27 | + |
| 28 | +Run these commands before opening a pull request. If you rely on a different Python version, keep it within the supported range (Python 3.10+). |
| 29 | + |
| 30 | +## Adding a header document |
| 31 | + |
| 32 | +1. Add a new guide under `docs/headers/` named after the header (for example, `docs/headers/example_header.md`). |
| 33 | +2. Mirror the structure of the existing header docs: |
| 34 | + - Start with a **Purpose** section that explains the header’s intent. |
| 35 | + - Describe the **Default behavior** and mention how the builder models that default. |
| 36 | + - Show a **Using with `Secure`** example and describe the builder API with method names. |
| 37 | + - Include **Resources** / **Attribution** and any security caveats. |
| 38 | +3. Link the new document from `docs/README.md` (under the Security Headers list) so readers can discover it easily. |
| 39 | +4. Ensure code snippets use the public API (`from secure import ...`), reference the appropriate response types, and avoid framework-specific terminology unless a callout is necessary. |
| 40 | + |
| 41 | +## Adding a framework example |
| 42 | + |
| 43 | +1. Update `docs/frameworks.md`: |
| 44 | + - Add the framework to the table of contents. |
| 45 | + - Include a short intro describing the framework’s model (WSGI vs ASGI, sync vs async). |
| 46 | + - Provide at least one working example showing how to wire `Secure` (middleware, hooks, or response-level helpers). |
| 47 | + - Mention the correct response type (`Response`, `JSONResponse`, etc.) or highlight that you are working with the framework’s default response object. |
| 48 | +2. If the framework needs extra instructions (e.g., disabling Uvicorn’s `Server` header), document them in the same section. |
| 49 | +3. Keep the tone focused on security headers rather than broader framework guidance. |
| 50 | + |
| 51 | +## Commit conventions |
| 52 | + |
| 53 | +- Keep commit messages short (<72 characters) and in the imperative (e.g., `docs: clarify defaults`). |
| 54 | +- Prefix doc-only changes with `docs:` so reviewers immediately know the scope. |
| 55 | +- Reference any related issue or PR in the description when applicable. |
| 56 | +- Run linting/tests before committing to minimize follow-up work. |
| 57 | + |
| 58 | +## Pull request checklist |
| 59 | + |
| 60 | +- [ ] I have run `python -m unittest tests/*/*.py` locally (or a representative suite) and addressed any failures. |
| 61 | +- [ ] I have run `ruff check` and `ruff format` (when formatting attr). |
| 62 | +- [ ] Documentation updates describe the new behavior (new header docs, framework guidance, etc.). |
| 63 | +- [ ] If applicable, I have updated the release notes/CHANGELOG entry for new user-visible behavior. |
| 64 | +- [ ] My changes follow the project’s security and contribution guidelines (this document). |
0 commit comments