nora/CONTRIBUTING.md
Last commit 432e8d35af by DevITWay | Pavel Volkov: security: migrate token hashing from SHA256 to Argon2id (#55)
* docs: add DCO, governance model, roles, vulnerability credit policy

* security: migrate token hashing from SHA256 to Argon2id

- Replace unsalted SHA256 with Argon2id (salted) for API token hashing
- Fix TOCTOU race: replace exists()+read() with read()+match on error
- Set chmod 600 on token files and 700 on token storage directory
- Auto-migrate legacy SHA256 tokens to Argon2id on first verification
- Add regression tests: argon2 format, legacy migration, file permissions
Date: 2026-03-24 22:56:43 +00:00


Contributing to NORA

Thank you for your interest in contributing to NORA!

Developer Certificate of Origin (DCO)

By submitting a pull request, you agree to the Developer Certificate of Origin. Your contribution will be licensed under the MIT License.

You confirm that you have the right to submit the code and that it does not violate any third-party rights.

Project Governance

NORA uses a Benevolent Dictator governance model:

  • Maintainer: @devitway — final decisions on features, releases, and architecture
  • Contributors: anyone who submits issues, PRs, or docs improvements
  • Decision process: proposals via GitHub Issues → discussion → maintainer decision
  • Release authority: maintainer only

Roles and Responsibilities

Role         Person      Responsibilities
Maintainer   @devitway   Code review, releases, roadmap, security response
Contributor  anyone      Issues, PRs, documentation, testing
Dependabot   automated   Dependency updates

Continuity

The GitHub organization getnora-io has multiple admin accounts to ensure project continuity. Source code is MIT-licensed, enabling anyone to fork and continue the project.

Getting Started

  1. Fork the repository
  2. Clone your fork: git clone https://github.com/YOUR_USERNAME/nora.git
  3. Create a branch: git checkout -b feature/your-feature

Development Setup

# Install Rust (if needed)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Build
cargo build --package nora-registry

# Run tests (important: always use --lib --bin nora to skip fuzz targets)
cargo test --lib --bin nora

# Run clippy
cargo clippy --package nora-registry -- -D warnings

# Format
cargo fmt

# Run locally
cargo run --bin nora -- serve

Before Submitting a PR

cargo fmt --check
cargo clippy --package nora-registry -- -D warnings
cargo test --lib --bin nora

All three must pass. CI will enforce this.

Code Style

  • Run cargo fmt before committing
  • Fix all cargo clippy warnings
  • Follow Rust naming conventions
  • Keep functions short and focused
  • Add tests for new functionality

Pull Request Process

  1. Update CHANGELOG.md if the change is user-facing
  2. Add tests for new features or bug fixes
  3. Ensure CI passes (fmt, clippy, test, security checks)
  4. Keep PRs focused — one feature or fix per PR

Commit Messages

Use conventional commits:

  • feat: new feature
  • fix: bug fix
  • docs: documentation
  • test: adding or updating tests
  • security: security improvements
  • chore: maintenance

Example: feat: add npm scoped package support

Reporting Issues

  • Use GitHub Issues with the provided templates
  • Include steps to reproduce
  • Include NORA version (nora --version) and OS

License

By contributing, you agree that your contributions will be licensed under the MIT License.

Community