mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 22:33:48 +02:00
2.7 KiB
2.7 KiB
Contributing Guide
This guide defines baseline expectations when adding features, APIs, tools, frontend pages, or docs.
Principles
- New features need documentation.
- New APIs need OpenAPI updates.
- New frontend text needs zh-CN and en-US i18n.
- New config must state hot-apply behavior.
- New high-risk tools must define HITL policy.
- New DB fields must be compatible with old databases.
- New long-running tasks need state, cancellation, or recovery strategy.
New API Checklist
- Handler validates parameters.
- Error response has stable
errorand readablemessage. - Endpoint is authenticated unless it is an explicit platform callback.
- Mutations write audit events.
- Long tasks write monitoring/task state.
internal/handler/openapi.goupdated.- API docs or recipes updated.
- Handler tests added.
New Config Checklist
- Field exists in
config.Config. config.yamlsample has comments.- Safe default when omitted.
- Old configs still start.
- Hot-apply behavior documented.
- Web settings do not delete unknown fields.
- Security docs updated if high-risk capability is affected.
New Tool Checklist
For YAML tools and Go MCP tools:
- stable and specific tool name;
- searchable
short_description; - explicit input schema, not one raw
cmd; - readable and stable output;
- controlled timeout and error path;
- high-risk operation not globally allowlisted;
- docs explain use case and risk.
New Frontend Page Checklist
- Reuse
apiFetch, modal, notifications, and existing state patterns. - Add all visible text to
zh-CN.jsonanden-US.json. - Include loading, empty, and error states.
- Confirm destructive/high-risk actions.
- Avoid overflow in long English labels.
- Browser console clean.
DB Change Checklist
- Migration is idempotent.
- Old DB upgrades.
- Defaults are safe.
- Large indexes are deliberate.
- Empty DB and old DB tested.
- Release notes mention backup.
High-Risk Capability Checklist
High-risk includes Shell, WebShell, C2, external MCP write/execute, credential access, and bulk scanning.
Answer:
- Who can call it?
- Does it require HITL?
- What is audited?
- How can it be cancelled?
- How is cleanup done?
- How can it be disabled?
- Is it off by default?
Documentation Requirements
Each important feature should document:
- purpose;
- config;
- workflow;
- risk boundary;
- troubleshooting;
- source anchors.
Chinese and English docs must have matching filenames:
docs/zh-CN/
docs/en-US/
Update:
docs/README.mddocs/zh-CN/README.mddocs/en-US/README.md
Review Focus
Prioritize:
- behavior regressions;
- security boundaries;
- old data compatibility;
- error handling;
- test gaps;
- docs and OpenAPI sync.