public/contributing.md

Contributing

Issues, PRs, code areas

Thank you for considering a contribution to Workframe.

Before you start

Read What is Workframe? and Develop
Set up the reference stack locally
For security findings, use SECURITY.md — not public issues

How to contribute

Bug reports

Open a GitHub issue with:

What you expected vs what happened
Deployment mode (single_user_local, trusted_team, public_multi_user)
Steps to reproduce
Relevant logs (redact secrets)

Pull requests

Fork and branch from main
Make focused changes; match existing code style
Run local verification (below)
Open a PR with a clear description and test notes

We do not require a CLA. Contributions are under the project LICENSE (Apache-2.0).

Local development

git clone https://github.com/npx-workframe/workframe.git
cd workframe
pnpm install
pnpm build:web
cd infra/compose/workframe
cp .env.example .env
docker compose up -d --build

Full setup: Develop

Where to work

Area	Path
Product UI	`apps/web/src/`
API	`services/workframe-api/`
Supervisor	`services/workframe-supervisor/`
Installer	`packages/create-workframe/`
Reference compose	`infra/compose/workframe/`
Ops scripts	`scripts/workframe/`

UI or API changes that ship to end users must follow the canonical sync steps in Release verification before npm publish.

Verification before PR

Minimum for most changes:

pnpm test:ci

This runs public-repo verification, API py_compile typecheck, web build, UI bundle copy, and scaffold smoke tests for all packs.

For API, security, or installer changes, also run checks in Release verification.

Documentation

Public docs live in docs/public/. Update docs when behavior changes. Verify against source (server.py, compose files, UI onboarding flow).

Sanitization rules for public docs: MAINTAINER.md

Code of conduct

Be respectful and constructive. Security issues deserve responsible disclosure via SECURITY.md.

Release verification — pre-publish gate
Audit — security review map
Operations — running stacks