From 1d9184f1567f8466ba409320d1f0eea5b677952b Mon Sep 17 00:00:00 2001 
From: AnExiledDev Date: Thu, 26 Feb 2026 04:15:11 +0000 Subject: [PATCH 1/3] Add CI, security, contributor infrastructure and dual licensing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - CI workflow with test + lint jobs (Node 18, Biome) - CodeQL security analysis (JS, weekly + PR triggers) - Dependabot for npm and GitHub Actions dependencies - Bug report and feature request issue templates (YAML forms) - Pull request template with checklist - CONTRIBUTING.md with GPL-3.0 and CLA guidelines - CLA.md (Individual Contributor License Agreement) - Dual licensing header in LICENSE.txt - Contributing and License sections in README.md with CI badge - SPDX copyright headers (GPL-3.0-only) in all 36 source files - Updated REPO-AUDIT.md scorecard (22/50 → 42/50) --- .devcontainer/CHANGELOG.md | 14 + .devcontainer/connect-external-terminal.sh | 2 + .../features/agent-browser/install.sh | 2 + .devcontainer/features/ast-grep/install.sh | 2 + .devcontainer/features/biome/install.sh | 2 + .devcontainer/features/ccburn/install.sh | 2 + .devcontainer/features/ccms/install.sh | 2 + .../features/ccstatusline/install.sh | 2 + .devcontainer/features/ccusage/install.sh | 2 + .devcontainer/features/chromaterm/install.sh | 2 + .../features/claude-code-native/install.sh | 2 + .../features/claude-monitor/install.sh | 2 + .../claude-session-dashboard/install.sh | 2 + .devcontainer/features/dprint/install.sh | 2 + .devcontainer/features/hadolint/install.sh | 2 + .../features/kitty-terminfo/install.sh | 2 + .devcontainer/features/lsp-servers/install.sh | 2 + .devcontainer/features/mcp-qdrant/install.sh | 2 + .../features/mcp-qdrant/poststart-hook.sh | 2 + .devcontainer/features/notify-hook/install.sh | 2 + .devcontainer/features/ruff/install.sh | 2 + .devcontainer/features/shellcheck/install.sh | 2 + .devcontainer/features/shfmt/install.sh | 2 + .devcontainer/features/tmux/install.sh | 2 + .devcontainer/features/tree-sitter/install.sh | 2 + 
.devcontainer/scripts/check-setup.sh | 2 + .devcontainer/scripts/setup-aliases.sh | 2 + .devcontainer/scripts/setup-auth.sh | 2 + .devcontainer/scripts/setup-config.sh | 2 + .devcontainer/scripts/setup-migrate-claude.sh | 2 + .devcontainer/scripts/setup-plugins.sh | 2 + .devcontainer/scripts/setup-projects.sh | 2 + .devcontainer/scripts/setup-terminal.sh | 2 + .devcontainer/scripts/setup-update-claude.sh | 2 + .devcontainer/scripts/setup.sh | 2 + .github/ISSUE_TEMPLATE/bug-report.yml | 61 ++++ .github/ISSUE_TEMPLATE/config.yml | 5 + .github/ISSUE_TEMPLATE/feature-request.yml | 36 +++ .github/dependabot.yml | 16 + .github/pull_request_template.md | 21 ++ .github/workflows/ci.yml | 26 ++ .github/workflows/codeql.yml | 40 +++ CLA.md | 63 ++++ CONTRIBUTING.md | 59 ++++ LICENSE.txt | 14 + README.md | 17 ++ REPO-AUDIT.md | 274 ++++++++++++++++++ setup.js | 2 + test.js | 2 + 49 files changed, 718 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug-report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature-request.yml create mode 100644 .github/dependabot.yml create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 CLA.md create mode 100644 CONTRIBUTING.md create mode 100644 REPO-AUDIT.md diff --git a/.devcontainer/CHANGELOG.md b/.devcontainer/CHANGELOG.md index 5cad418..46dd230 100644 --- a/.devcontainer/CHANGELOG.md +++ b/.devcontainer/CHANGELOG.md 
@@ -4,6 +4,20 @@ ### Added +#### Public Repo Quality +- **CI workflow** (`.github/workflows/ci.yml`) — test and lint jobs on PRs and pushes to main (Node 18, `npm test` + Biome check) +- **CodeQL security analysis** (`.github/workflows/codeql.yml`) — JavaScript scanning on PRs, pushes, and weekly schedule +- **Dependabot** (`.github/dependabot.yml`) — weekly updates for npm (root + docs) and GitHub Actions +- **Bug report template** (`.github/ISSUE_TEMPLATE/bug-report.yml`) — YAML form with version, environment, and repro steps +- **Feature request template** (`.github/ISSUE_TEMPLATE/feature-request.yml`) — YAML form with problem/solution/alternatives +- **Issue template config** (`.github/ISSUE_TEMPLATE/config.yml`) — commercial licensing contact link +- **Pull request template** (`.github/pull_request_template.md`) — description, type of change, and checklist +- **CONTRIBUTING.md** — contribution guidelines with GPL-3.0 licensing and CLA requirement +- **CLA.md** — Individual Contributor License Agreement enabling dual licensing +- **Dual licensing notice** — added to README.md (Contributing + License sections) and LICENSE.txt (header) +- **CI badge** — added to README.md badge row +- **SPDX copyright headers** — `GPL-3.0-only` identifier and `Copyright (c) 2026 Marcus Krueger` added to all 36 source files (setup.js, test.js, 34 shell scripts) + #### Docs - **CLAUDE.md** — new "Status Bar Widgets" section documenting widget properties, token color conventions, label fusion pattern, and available widget types diff --git a/.devcontainer/connect-external-terminal.sh b/.devcontainer/connect-external-terminal.sh index e30b702..4d7e58a 100755 --- a/.devcontainer/connect-external-terminal.sh +++ b/.devcontainer/connect-external-terminal.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # # Connect to CodeForge devcontainer from external terminal with tmux # For Claude Code Agent Teams split-pane support 
diff --git a/.devcontainer/features/agent-browser/install.sh b/.devcontainer/features/agent-browser/install.sh index 2cabafb..d34a230 100755 --- a/.devcontainer/features/agent-browser/install.sh +++ b/.devcontainer/features/agent-browser/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/ast-grep/install.sh b/.devcontainer/features/ast-grep/install.sh index 7c4fdd4..3def52a 100755 --- a/.devcontainer/features/ast-grep/install.sh +++ b/.devcontainer/features/ast-grep/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/biome/install.sh b/.devcontainer/features/biome/install.sh index 9e6a377..28c4d8f 100755 --- a/.devcontainer/features/biome/install.sh +++ b/.devcontainer/features/biome/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/ccburn/install.sh b/.devcontainer/features/ccburn/install.sh index 066a834..a0d4aac 100644 --- a/.devcontainer/features/ccburn/install.sh +++ b/.devcontainer/features/ccburn/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # === SETUP === diff --git a/.devcontainer/features/ccms/install.sh b/.devcontainer/features/ccms/install.sh index 991d731..d29adca 100755 --- a/.devcontainer/features/ccms/install.sh +++ b/.devcontainer/features/ccms/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # === SETUP === 
diff --git a/.devcontainer/features/ccstatusline/install.sh b/.devcontainer/features/ccstatusline/install.sh index f9cecb8..3ce731c 100755 --- a/.devcontainer/features/ccstatusline/install.sh +++ b/.devcontainer/features/ccstatusline/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # Cleanup on exit diff --git a/.devcontainer/features/ccusage/install.sh b/.devcontainer/features/ccusage/install.sh index 5154bcd..d305ff0 100755 --- a/.devcontainer/features/ccusage/install.sh +++ b/.devcontainer/features/ccusage/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # === SETUP === diff --git a/.devcontainer/features/chromaterm/install.sh b/.devcontainer/features/chromaterm/install.sh index 355895a..e5923be 100755 --- a/.devcontainer/features/chromaterm/install.sh +++ b/.devcontainer/features/chromaterm/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/claude-code-native/install.sh b/.devcontainer/features/claude-code-native/install.sh index d620ca3..5ec6139 100755 --- a/.devcontainer/features/claude-code-native/install.sh +++ b/.devcontainer/features/claude-code-native/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/claude-monitor/install.sh b/.devcontainer/features/claude-monitor/install.sh index a56f945..e09c918 100755 --- a/.devcontainer/features/claude-monitor/install.sh +++ b/.devcontainer/features/claude-monitor/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== 
diff --git a/.devcontainer/features/claude-session-dashboard/install.sh b/.devcontainer/features/claude-session-dashboard/install.sh index 0b9f43e..daa3ba1 100755 --- a/.devcontainer/features/claude-session-dashboard/install.sh +++ b/.devcontainer/features/claude-session-dashboard/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/dprint/install.sh b/.devcontainer/features/dprint/install.sh index b0e8e14..16a08f4 100755 --- a/.devcontainer/features/dprint/install.sh +++ b/.devcontainer/features/dprint/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/hadolint/install.sh b/.devcontainer/features/hadolint/install.sh index ff5c25d..452969d 100755 --- a/.devcontainer/features/hadolint/install.sh +++ b/.devcontainer/features/hadolint/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/kitty-terminfo/install.sh b/.devcontainer/features/kitty-terminfo/install.sh index 5741b96..1d40f22 100755 --- a/.devcontainer/features/kitty-terminfo/install.sh +++ b/.devcontainer/features/kitty-terminfo/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/lsp-servers/install.sh b/.devcontainer/features/lsp-servers/install.sh index 4f313a0..c3b171e 100755 --- a/.devcontainer/features/lsp-servers/install.sh +++ b/.devcontainer/features/lsp-servers/install.sh 
@@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # LSP Servers for Claude Code # Installs pyright, typescript-language-server, and gopls binaries diff --git a/.devcontainer/features/mcp-qdrant/install.sh b/.devcontainer/features/mcp-qdrant/install.sh index 06f03b7..5b381b7 100755 --- a/.devcontainer/features/mcp-qdrant/install.sh +++ b/.devcontainer/features/mcp-qdrant/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # Import options from devcontainer-feature.json diff --git a/.devcontainer/features/mcp-qdrant/poststart-hook.sh b/.devcontainer/features/mcp-qdrant/poststart-hook.sh index e754b19..698aa1a 100755 --- a/.devcontainer/features/mcp-qdrant/poststart-hook.sh +++ b/.devcontainer/features/mcp-qdrant/poststart-hook.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail echo "[mcp-qdrant] Registering Qdrant MCP server with Claude Code..." diff --git a/.devcontainer/features/notify-hook/install.sh b/.devcontainer/features/notify-hook/install.sh index cbe5929..c9bd35d 100644 --- a/.devcontainer/features/notify-hook/install.sh +++ b/.devcontainer/features/notify-hook/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/ruff/install.sh b/.devcontainer/features/ruff/install.sh index ead7254..378af09 100755 --- a/.devcontainer/features/ruff/install.sh +++ b/.devcontainer/features/ruff/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/shellcheck/install.sh b/.devcontainer/features/shellcheck/install.sh index 39c6d86..c8b2a83 100755 
--- a/.devcontainer/features/shellcheck/install.sh +++ b/.devcontainer/features/shellcheck/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/shfmt/install.sh b/.devcontainer/features/shfmt/install.sh index 41798d1..39e0fd1 100755 --- a/.devcontainer/features/shfmt/install.sh +++ b/.devcontainer/features/shfmt/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # ============================== diff --git a/.devcontainer/features/tmux/install.sh b/.devcontainer/features/tmux/install.sh index 36e28ef..1cc4dca 100755 --- a/.devcontainer/features/tmux/install.sh +++ b/.devcontainer/features/tmux/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -e VERSION="${VERSION:-latest}" diff --git a/.devcontainer/features/tree-sitter/install.sh b/.devcontainer/features/tree-sitter/install.sh index b3600ba..d474825 100755 --- a/.devcontainer/features/tree-sitter/install.sh +++ b/.devcontainer/features/tree-sitter/install.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger set -euo pipefail # === IMPORT OPTIONS === diff --git a/.devcontainer/scripts/check-setup.sh b/.devcontainer/scripts/check-setup.sh index 57d8cae..2366b3f 100644 --- a/.devcontainer/scripts/check-setup.sh +++ b/.devcontainer/scripts/check-setup.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Verify CodeForge setup is working correctly # Run anytime with: check-setup diff --git a/.devcontainer/scripts/setup-aliases.sh b/.devcontainer/scripts/setup-aliases.sh index 43d8934..e7cf287 100755 --- a/.devcontainer/scripts/setup-aliases.sh +++ b/.devcontainer/scripts/setup-aliases.sh 
@@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Setup cc/claude/ccraw aliases for claude with local system prompt support # # Idempotent: removes the entire managed block then re-writes it fresh. diff --git a/.devcontainer/scripts/setup-auth.sh b/.devcontainer/scripts/setup-auth.sh index e0dc36e..3f5b3f6 100755 --- a/.devcontainer/scripts/setup-auth.sh +++ b/.devcontainer/scripts/setup-auth.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Configure Git (GitHub CLI) and NPM authentication from .secrets file or environment variables. # Environment variables override .secrets values, supporting Codespaces secrets and localEnv. # Auth failure should not block other setup steps, so set -e is intentionally omitted. diff --git a/.devcontainer/scripts/setup-config.sh b/.devcontainer/scripts/setup-config.sh index 6b923a6..f1a3034 100755 --- a/.devcontainer/scripts/setup-config.sh +++ b/.devcontainer/scripts/setup-config.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Copy configuration files to workspace based on file-manifest.json CONFIG_DIR="${CONFIG_SOURCE_DIR:?CONFIG_SOURCE_DIR not set}" diff --git a/.devcontainer/scripts/setup-migrate-claude.sh b/.devcontainer/scripts/setup-migrate-claude.sh index 51acb3a..3edf5bb 100755 --- a/.devcontainer/scripts/setup-migrate-claude.sh +++ b/.devcontainer/scripts/setup-migrate-claude.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # One-time migration: /workspaces/.claude → $HOME/.claude # Migrates config, credentials, and rules from the old bind-mount location # to the new home directory (Docker named volume). diff --git a/.devcontainer/scripts/setup-plugins.sh b/.devcontainer/scripts/setup-plugins.sh index 56cf756..71f12b0 100755 --- a/.devcontainer/scripts/setup-plugins.sh 
+++ b/.devcontainer/scripts/setup-plugins.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Install plugins: official Anthropic + local devs-marketplace registration # # Individual marketplace plugins are enabled via enabledPlugins in settings.json. diff --git a/.devcontainer/scripts/setup-projects.sh b/.devcontainer/scripts/setup-projects.sh index 27944d1..2b194ce 100755 --- a/.devcontainer/scripts/setup-projects.sh +++ b/.devcontainer/scripts/setup-projects.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Auto-detect projects under /workspaces/ and register them in Project Manager's projects.json. # Runs an initial scan synchronously, then starts an inotifywait background watcher # that updates the project list instantly when directories are created or removed. diff --git a/.devcontainer/scripts/setup-terminal.sh b/.devcontainer/scripts/setup-terminal.sh index 1ba6c40..d56f46c 100755 --- a/.devcontainer/scripts/setup-terminal.sh +++ b/.devcontainer/scripts/setup-terminal.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Configure VS Code Shift+Enter → newline for Claude Code terminal input # Writes to ~/.config/Code/User/keybindings.json (same path /terminal-setup uses) diff --git a/.devcontainer/scripts/setup-update-claude.sh b/.devcontainer/scripts/setup-update-claude.sh index 335e63a..528e65c 100755 --- a/.devcontainer/scripts/setup-update-claude.sh +++ b/.devcontainer/scripts/setup-update-claude.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Update Claude Code CLI to the latest version (native binary only) # Runs non-blocking in background by default via setup.sh # All failures are warnings — this script never blocks container startup 
diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh index 9d244c3..67e9c45 100755 --- a/.devcontainer/scripts/setup.sh +++ b/.devcontainer/scripts/setup.sh @@ -1,4 +1,6 @@ #!/bin/bash +# SPDX-License-Identifier: GPL-3.0-only +# Copyright (c) 2026 Marcus Krueger # Master setup script for CodeForge devcontainer SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml new file mode 100644 index 0000000..b873d30 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug-report.yml @@ -0,0 +1,61 @@ +name: Bug Report +description: Report a bug or unexpected behavior +labels: ["bug"] +body: + - type: textarea + id: description + attributes: + label: Description + description: A clear description of the bug + validations: + required: true + + - type: textarea + id: steps + attributes: + label: Steps to Reproduce + description: Steps to reproduce the behavior + placeholder: | + 1. Run `npx codeforge-dev` + 2. Open in container + 3. ... + validations: + required: true + + - type: textarea + id: expected + attributes: + label: Expected Behavior + description: What you expected to happen + validations: + required: true + + - type: input + id: version + attributes: + label: CodeForge Version + description: "Run `npm view codeforge-dev version` or check package.json" + placeholder: "1.14.2" + validations: + required: true + + - type: dropdown + id: environment + attributes: + label: Environment + options: + - Docker Desktop + - Podman + - GitHub Codespaces + - DevPod + - Other + validations: + required: true + + - type: textarea + id: context + attributes: + label: Additional Context + description: Any other context, screenshots, or logs + validations: + required: false diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..0054d6a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml 
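Review bot: The Additional Context textarea at the end of the form invites "screenshots, or logs" from an environment that, per the setup-auth.sh header in this same patch, loads GitHub and NPM credentials from a .secrets file or environment variables, and nothing in the form tells reporters to redact them before pasting. Change the field's description to `description: Any other context, screenshots, or logs (please redact tokens, .secrets values, and other credentials before posting)`. A one-line reminder here is cheap and avoids credentials landing in a public issue; the rest of the form looks fine.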
@@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Commercial Licensing + url: mailto:696222+AnExiledDev@users.noreply.github.com + about: Inquire about commercial licensing options diff --git a/.github/ISSUE_TEMPLATE/feature-request.yml b/.github/ISSUE_TEMPLATE/feature-request.yml new file mode 100644 index 0000000..6b52712 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-request.yml @@ -0,0 +1,36 @@ +name: Feature Request +description: Suggest a new feature or enhancement +labels: ["enhancement"] +body: + - type: textarea + id: problem + attributes: + label: Problem + description: What problem does this solve? + placeholder: "I'm always frustrated when..." + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed Solution + description: Describe the solution you'd like + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives Considered + description: Any alternative solutions or features you've considered + validations: + required: false + + - type: textarea + id: context + attributes: + label: Additional Context + description: Any other context, mockups, or references + validations: + required: false diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..cef2c79 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "npm" + directory: "/docs" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..d6c1fa1 --- /dev/null +++ b/.github/pull_request_template.md 
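Review bot: The Commercial Licensing contact link points at a users.noreply.github.com address, which is GitHub's commit-privacy placeholder and, as far as I know, does not deliver mail, so inquiries sent through it will be lost; use a monitored mailbox or an issue/discussion link instead. The same address is the one CONTRIBUTING.md in this patch designates for reporting security vulnerabilities, which is a worse failure mode — a private report silently dropped. Since this file is where GitHub surfaces contact links on the new-issue page, add an entry such as `- name: Report a security vulnerability` / `url: https://github.com/AnExiledDev/CodeForge/security/advisories/new` / `about: Please do not open a public issue for security problems` once private vulnerability reporting is enabled in the repository settings, and mirror it in a SECURITY.md.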
@@ -0,0 +1,21 @@ +## Description + + + +## Related Issue + + + +## Type of Change + +- [ ] Bug fix +- [ ] New feature +- [ ] Breaking change +- [ ] Documentation +- [ ] Maintenance / refactor + +## Checklist + +- [ ] Tests pass (`npm test`) +- [ ] Changelog updated (`.devcontainer/CHANGELOG.md`) +- [ ] Documentation updated (if applicable) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..ed9587a --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,26 @@ +name: CI + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 18 + - run: npm test + + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 18 + - run: npx @biomejs/biome check setup.js test.js diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..56630c5 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,40 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "0 6 * * 1" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [javascript] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" diff --git a/CLA.md b/CLA.md new file mode 100644 index 0000000..0de3da6 --- /dev/null +++ b/CLA.md 
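Review bot: Neither the test nor the lint job declares a `permissions:` block, so both run with the repository's default GITHUB_TOKEN scope, whereas the codeql.yml workflow added in the same commit scopes its token explicitly; add a top-level `permissions:` / `  contents: read` so the two workflows agree. The lint step runs `npx @biomejs/biome check` with no version, so every run fetches whatever is newest on the registry at that moment — non-reproducible, and on a pull_request trigger it executes unreviewed third-party code; pin it (`npx @biomejs/biome@<version> check setup.js test.js`) or add it as a devDependency so the Dependabot config in this patch keeps it current. Node 18 also reached end-of-life before this commit's date, so `node-version: 18` no longer receives security fixes; consider a maintained LTS line. `npm test` runs without a preceding `npm ci`, which is only fine if test.js has no installed dependencies — worth confirming.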
@@ -0,0 +1,63 @@ +# Individual Contributor License Agreement + +Thank you for your interest in contributing to CodeForge. This Contributor +License Agreement ("Agreement") documents the rights granted by contributors +to the project maintainer. + +By submitting a pull request or other contribution to this project, you accept +and agree to the following terms. + +## 1. Definitions + +**"You"** (or **"Contributor"**) means the individual who submits a Contribution +to the Project. + +**"Contribution"** means any original work of authorship, including any +modifications or additions to an existing work, that you submit to the Project. + +**"Project"** means the CodeForge software maintained at +[github.com/AnExiledDev/CodeForge](https://github.com/AnExiledDev/CodeForge). + +**"Maintainer"** means Marcus Krueger (AnExiledDev), the copyright holder and +project maintainer. + +## 2. Grant of Rights + +You hereby grant to the Maintainer a perpetual, worldwide, non-exclusive, +no-charge, royalty-free, irrevocable license to: + +- Use, reproduce, modify, and distribute your Contribution +- Sublicense your Contribution under any license, including proprietary licenses +- Create derivative works from your Contribution + +This grant includes the right to relicense the Contribution as part of a +commercial offering of the Project. + +## 3. Ownership + +You retain copyright and all other rights in your Contribution. This Agreement +does not transfer ownership of your Contribution — it grants the Maintainer +a license to use it. + +## 4. 
Representations + +You represent that: + +- You are the original author of the Contribution, or have the right to submit + it under the terms of this Agreement +- Your Contribution does not violate any third party's intellectual property + rights +- You have the legal authority to enter into this Agreement +- If your employer has rights to intellectual property you create, you have + received permission to make the Contribution on behalf of that employer, or + your employer has waived such rights + +## 5. No Warranty + +Your Contribution is provided "as is", without warranty of any kind. + +## 6. Agreement + +You indicate your acceptance of this Agreement by submitting a Contribution +to the Project. The CLA Assistant bot will record your acceptance on your first +pull request. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..2660764 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,59 @@ +# Contributing to CodeForge + +Thank you for your interest in contributing to CodeForge! This document provides +guidelines for contributing to the project. + +## How to Contribute + +1. **Fork** the repository +2. **Create a branch** from `main` for your change +3. **Make your changes** following the guidelines below +4. **Submit a pull request** using the PR template + +## Development Setup + +```bash +git clone https://github.com/AnExiledDev/CodeForge.git +cd CodeForge +npm test +``` + +To test the devcontainer itself, open the project in VS Code and select +"Reopen in Container". + +## Pull Request Process + +- Fill out the [pull request template](.github/pull_request_template.md) +- Ensure `npm test` passes +- Add an entry to `.devcontainer/CHANGELOG.md` describing your change +- Update documentation if your change affects user-facing behavior +- PRs require one approving review before merge + +## Code Style + +- **JavaScript** — formatted and linted with [Biome](https://biomejs.dev/) +- **Shell scripts** — follow existing conventions; formatted with shfmt where applicable +- Keep changes focused — one logical change per PR + +## Licensing + +All contributions are licensed under the +[GNU General Public License v3.0](LICENSE.txt). By submitting a pull request, +you agree that your contributions will be licensed under GPL-3.0. + +## Contributor License Agreement + +A CLA is required for all contributions. The +[CLA Assistant](https://cla-assistant.io/) bot will prompt you to sign on your +first pull request. + +**Why a CLA?** CodeForge is dual-licensed (GPL-3.0 for open source use + +commercial licenses for proprietary use). The CLA grants the maintainer +(Marcus Krueger) the right to offer contributions under both licenses. You +retain copyright of your work. See [CLA.md](CLA.md) for the full agreement. 
+ +## Reporting Issues + +- **Bugs** — use the [bug report template](https://github.com/AnExiledDev/CodeForge/issues/new?template=bug-report.yml) +- **Feature requests** — use the [feature request template](https://github.com/AnExiledDev/CodeForge/issues/new?template=feature-request.yml) +- **Security vulnerabilities** — email [696222+AnExiledDev@users.noreply.github.com](mailto:696222+AnExiledDev@users.noreply.github.com) directly diff --git a/LICENSE.txt b/LICENSE.txt index f288702..0bfc212 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,3 +1,17 @@ +CodeForge — Copyright (c) 2026 Marcus Krueger (AnExiledDev) + +This software is dual-licensed: + + 1. GNU General Public License v3.0 (see below) — for open source use + 2. Commercial License — available upon request for proprietary use + +For commercial licensing inquiries, contact: + 696222+AnExiledDev@users.noreply.github.com + +SPDX-License-Identifier: GPL-3.0-only + +──────────────────────────────────────────────────────────────────────── + GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 diff --git a/README.md b/README.md index 492e01d..2e838e9 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ [![npm downloads](https://img.shields.io/npm/dm/codeforge-dev)](https://www.npmjs.com/package/codeforge-dev) [![Node.js](https://img.shields.io/badge/node-%3E%3D14.0.0-brightgreen)](https://nodejs.org/) [![GitHub issues](https://img.shields.io/github/issues/AnExiledDev/CodeForge)](https://github.com/AnExiledDev/CodeForge/issues) +[![CI](https://github.com/AnExiledDev/CodeForge/actions/workflows/ci.yml/badge.svg)](https://github.com/AnExiledDev/CodeForge/actions/workflows/ci.yml) A curated development environment optimized for AI-powered coding with Claude Code. CodeForge comes pre-configured with language servers, code intelligence tools, and official Anthropic plugins to streamline your development workflow. 
@@ -83,6 +84,22 @@ The `agent-system` plugin includes 17 specialized agents (architect, explorer, t For full usage documentation — authentication, configuration, tools, agents, and keybindings — see [`.devcontainer/README.md`](.devcontainer/README.md). +## Contributing + +We welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) +before submitting a pull request. All contributions require signing our +[Contributor License Agreement](CLA.md). + +## License + +This project is licensed under the [GNU General Public License v3.0](LICENSE.txt). + +**Commercial licensing** is available for organizations that need to use CodeForge +without GPL-3.0 obligations. Contact +[696222+AnExiledDev@users.noreply.github.com](mailto:696222+AnExiledDev@users.noreply.github.com) +or [open a GitHub issue](https://github.com/AnExiledDev/CodeForge/issues/new) +for terms. + ## Development ### Testing Locally diff --git a/REPO-AUDIT.md b/REPO-AUDIT.md new file mode 100644 index 0000000..c4bcf2b --- /dev/null +++ b/REPO-AUDIT.md 
@@ -0,0 +1,274 @@ +# CodeForge — Public Repo Checklist Audit + +**Date:** 2026-02-26 +**Repository:** [AnExiledDev/CodeForge](https://github.com/AnExiledDev/CodeForge) + +--- + +## Professional Signals + +| Item | Status | Notes | +|------|--------|-------| +| CI badge | ✅ | CI workflow badge added to README | +| License badge | ✅ | GPL-3.0 badge present | +| Version badge | ✅ | npm version badge present | +| Clear repo description | ✅ | "A fully configured DevPod environment optimized for Claude Code development…" | +| Topics added | ⏳ | Post-merge: `gh repo edit --add-topic devcontainer,claude-code,ai-development,developer-tools,vscode,devpod` | +| Releases enabled | ✅ | Active releases (latest: v1.14.2, 2026-02-24). Automated via `release.yml` | +| Dependabot enabled | ✅ | `.github/dependabot.yml` added (npm root, npm docs, github-actions). Vulnerability alerts ⏳ post-merge | +| CodeQL enabled | ✅ | `.github/workflows/codeql.yml` added (JS, weekly schedule + PR/push triggers) | +| Discussions enabled | ⏳ | Post-merge: `gh repo edit --enable-discussions` | + +**Recommendation:** +- **Topics** — Add immediately. Free discoverability boost: `devcontainer`, `claude-code`, `ai-development`, `developer-tools`, `vscode`. Zero effort, high ROI. +- **CI badge** — Add after implementing a CI workflow (see Automation section below). +- **Dependabot** — **Implement.** You have npm and Python dependencies. A basic `dependabot.yml` covering `npm` and `pip` takes 10 lines. +- **CodeQL** — **Implement.** GitHub provides a starter workflow. Since you have JS/Python, it catches real issues. Low effort. +- **Discussions** — **Ignore.** Solo project, issues are sufficient. + +--- + +## GPL-3.0 Best Practices + +| Item | Status | Notes | +|------|--------|-------| +| LICENSE file | ✅ | `LICENSE.txt` — full GPL-3.0 text. 
`package.json` declares `"license": "GPL-3.0"` | +| COPYING file | ❌ | Not present | +| Copyright header in source files | ✅ | SPDX + copyright headers added to all 36 source files | +| CONTRIBUTING.md noting GPL3 | ✅ | CONTRIBUTING.md added with GPL-3.0 + CLA guidelines | +| CLA for dual licensing | ✅ | CLA.md added; CLA Assistant GitHub App to be installed separately | + +**Recommendation:** +- **COPYING** — **Ignore.** Traditional GNU convention but `LICENSE.txt` is the modern standard. Having both is redundant. +- **Copyright headers** — **Implement.** GPL-3.0 recommends a brief header in each source file. This is the most impactful missing GPL practice. A one-liner like: + ``` + # SPDX-License-Identifier: GPL-3.0-only + # Copyright (c) 2026 AnExiledDev + ``` + The SPDX short-form is widely accepted and less intrusive than the full GNU boilerplate. +- **CONTRIBUTING.md** — **Implement.** Must address both GPL-3.0 contribution terms AND CLA requirements if dual licensing. See Dual Licensing section below. +- **CLA** — **Implement if dual licensing.** See Dual Licensing section for details. + +--- + +## PR & Issue Hygiene + +| Item | Status | Notes | +|------|--------|-------| +| Issue templates (bug / feature) | ✅ | Bug report + feature request YAML form templates added | +| PR template | ✅ | `.github/pull_request_template.md` added | +| Label: `bug` | ✅ | Present | +| Label: `enhancement` | ✅ | Present | +| Label: `good-first-issue` | ✅ | Present (as "good first issue") | +| Label: `help-wanted` | ✅ | Present (as "help wanted") | +| Label: `breaking-change` | ⏳ | Post-merge: `gh label create "breaking-change" -c "D93F0B"` | + +**Recommendation:** +- **Issue templates** — **Implement.** Bug and feature request templates guide contributors and reduce noise. Standard GitHub practice, ~20 minutes of work. +- **PR template** — **Implement.** A simple template with Description / Linked Issue / Checklist sections. Helps even for solo PRs to maintain discipline. 
+- **`breaking-change` label** — **Implement.** One CLI command: `gh label create "breaking-change" -c "D93F0B" -d "Introduces a breaking change"`. Critical for a published npm package. + +--- + +## README Quality + +| Item | Status | Notes | +|------|--------|-------| +| 1-sentence clear description | ✅ | Line 11 — concise and accurate | +| Why it exists | ❌ | No motivation/problem statement section | +| Installation | ✅ | Clear with `npx` command and alternatives | +| Quick start example | ✅ | 4-step guide | +| Configuration section | ❌ | Deferred to `.devcontainer/README.md` — no inline summary | +| Contributing section | ✅ | Added with link to CONTRIBUTING.md and CLA | +| License section | ✅ | Dedicated section with GPL-3.0 link + commercial licensing notice | +| Roadmap | ❌ | Not present | +| Architecture overview | ❌ | Not present (relevant for dev tooling) | + +**Recommendation:** +- **Why it exists** — **Implement.** 2-3 sentences explaining the problem (configuring dev environments for Claude Code is tedious/error-prone). Makes the README compelling. +- **Configuration** — **Implement.** A brief section (5-10 lines) summarizing key config options with a link to the full guide. Users shouldn't have to click through to know if config exists. +- **Contributing** — **Implement.** Even a short section saying "See CONTRIBUTING.md" with a link. Standard expectation for public repos. +- **License section** — **Implement.** Add a 2-line section: license name + link to LICENSE.txt. Badges alone aren't sufficient for some compliance scanners. +- **Roadmap** — **Ignore.** You use `.specs/BACKLOG.md` internally. A public roadmap is optional for this project type. +- **Architecture overview** — **Consider.** A brief diagram or section listing the plugin/feature/agent architecture would help contributors understand the system. Lower priority. 
+ +--- + +## Automation Hygiene + +| Item | Status | Notes | +|------|--------|-------| +| CI required for merge | ✅ | CI workflow added (test + lint jobs). Status checks ⏳ post-merge ruleset update | +| Tests required | ✅ | CI workflow runs `npm test` on PRs and pushes to main | +| Lint required | ✅ | CI workflow runs Biome lint on PRs and pushes to main | +| No direct pushes to main | ✅ | Ruleset enforces PR requirement with `non_fast_forward` rule | +| Squash-only merge | ✅ | Ruleset `allowed_merge_methods: ["squash"]` | +| Signed commits | ✅ | `required_signatures` rule active | + +**Recommendation:** +- **CI workflow** — **Implement (high priority).** Create a `.github/workflows/ci.yml` that runs on PRs: `npm test` + lint. This is the biggest gap — you have tests but they only gate releases, not PRs. +- **Required status checks** — **Implement** after CI workflow exists. Add `required_status_checks` to the ruleset so PRs can't merge without passing CI. +- **Lint step** — **Implement.** You ship `biome` and `ruff` — use them in CI. 
+ +--- + +## Opinionated Setup (Solo + Technical) + +| Item | Status | Notes | +|------|--------|-------| +| Require PR | ✅ | Enforced via ruleset | +| Restrict updates (you only) | ✅ | `bypass_actors` limited to repo admin (RepositoryRole 5) | +| Status checks required | ⏳ | Post-merge: add `required_status_checks` to ruleset 13201702 (test + lint) | +| Squash-only merge | ✅ | Enforced | +| Signed commits | ✅ | Enforced | +| Automation can open PRs but NOT bypass | ✅ | No automation actors in bypass list; CI now gates merges | +| No auto-merge without review | ✅ | 1 required review, dismiss stale reviews, require last push approval | + +--- + +## Dual Licensing & Commercial Licensing Strategy + +### Current State + +| Item | Status | Notes | +|------|--------|-------| +| Dual licensing notice in README | ✅ | License section with commercial licensing notice added | +| Dual licensing notice in LICENSE.txt | ✅ | Dual licensing header prepended to GPL-3.0 text | +| CLA for contributors | ✅ | CLA.md added; CLA Assistant GitHub App install is manual/post-merge | +| Copyright ownership documentation | ✅ | SPDX headers with `Copyright (c) 2026 Marcus Krueger` in all source files | +| Commercial license template | ❌ | Prepared offline, not in repo (out of scope) | +| Contact method for licensing inquiries | ✅ | Email in README, LICENSE.txt, and issue template config | + +### Why This Matters + +Dual licensing (GPL-3.0 public + commercial for paying customers) is a proven monetization model for dev tooling. But it **only works if you own 100% of the copyright**. The moment an external contributor submits code without a CLA, you lose the legal right to offer that code under a non-GPL license. + +### What to Implement + +**1. Contributor License Agreement (CLA)** — **Critical if dual licensing** + +You need contributors to grant you relicensing rights. 
Two common approaches: + +| Approach | Pros | Cons | +|----------|------|------| +| **CLA Assistant** (GitHub App) | Automated, signs on first PR via comment. Free. [cla-assistant.io](https://cla-assistant.io/) | Extra step for contributors | +| **DCO (Developer Certificate of Origin)** | Lighter — `Signed-off-by` line in commits. No separate agreement | Does NOT grant relicensing rights — insufficient for dual licensing | + +**Recommendation:** Use **CLA Assistant** with a simple CLA that grants you the right to sublicense contributions. DCO alone is not enough for dual licensing. + +**2. README Licensing Notice** — Add to the License section: + +``` +## License + +This project is licensed under the [GNU General Public License v3.0](LICENSE.txt). + +**Commercial licensing** is available for organizations that need to use CodeForge +without GPL obligations. Contact [your-email] for terms. +``` + +**3. CONTRIBUTING.md CLA Section** — Make it clear upfront: + +``` +## Contributor License Agreement + +By submitting a pull request, you agree to the CodeForge CLA, which grants +the project maintainer the right to relicense your contributions. This enables +us to offer commercial licenses while keeping the open source version free +under GPL-3.0. + +The CLA bot will prompt you to sign on your first PR. +``` + +**4. Copyright Ownership File** — Optional but recommended. A `COPYRIGHT` file or section in README stating: + +``` +Copyright (c) 2026 AnExiledDev. All rights reserved. +Licensed under GPL-3.0. Commercial licenses available. +``` + +**5. Commercial License Template** — Prepare a standard commercial license agreement. Does not need to live in the repo, but have it ready before advertising availability. Key terms to cover: +- Scope of use (embedding, distribution, modification) +- Support/maintenance terms (if any) +- Warranty disclaimers +- Duration and renewal + +### Decision Tree + +``` +Want to offer commercial licenses? 
+├── YES → Implement CLA + dual licensing notice + copyright headers +│ ├── Accepting external contributions? → CLA is MANDATORY +│ └── Solo-only contributions? → CLA not needed yet, but add before opening to contributors +└── NO → Keep current setup. No CLA needed. CONTRIBUTING.md just states GPL-3.0 terms. +``` + +### Impact on Other Checklist Items + +If you pursue dual licensing, these items change: + +| Item | Previous | Updated | +|------|----------|---------| +| CLA | ✅ "No CLA (correct for GPL3)" | ❌ → **Implement CLA** | +| CONTRIBUTING.md | ❌ "Note GPL3 implications" | ❌ → **Note GPL3 + CLA + dual licensing** | +| Copyright headers | ❌ SPDX only | ❌ → **SPDX + copyright holder name** (required for relicensing proof) | +| README License section | ⚠️ Badge only | ❌ → **Full section with commercial notice** | + +--- + +## Priority Actions + +### Do Now (high impact, low effort) + +1. **Add repo topics** — `gh repo edit --add-topic devcontainer,claude-code,ai-development,developer-tools,vscode` +2. **Add `breaking-change` label** — `gh label create "breaking-change" -c "D93F0B"` +3. **Create CI workflow** — run `npm test` + lint on PRs +4. **Add `required_status_checks`** to ruleset after CI exists +5. **Enable Dependabot** — create `.github/dependabot.yml` + +### Dual Licensing (decide first, then implement) + +6. **Decide: dual licensing yes/no** — this gates items 7-9 +7. **Set up CLA** — CLA Assistant GitHub App + CLA document (if dual licensing) +8. **Add dual licensing notice** — README License section + LICENSE.txt header (if dual licensing) +9. **Prepare commercial license template** — offline, not in repo (if dual licensing) + +### Do Soon (moderate effort, professional polish) + +10. **Add issue templates** — bug report + feature request in `.github/ISSUE_TEMPLATE/` +11. **Add PR template** — `.github/pull_request_template.md` +12. **Create CONTRIBUTING.md** — contribution guidelines + GPL-3.0 + CLA notice (if applicable) +13. 
**Add SPDX copyright headers** — `SPDX-License-Identifier` + `Copyright (c)` to source files +14. **Add CodeQL workflow** — `.github/workflows/codeql.yml` + +### Enhance README + +15. Add "Why CodeForge?" section +16. Add brief Configuration summary +17. Add Contributing section (link to CONTRIBUTING.md) +18. Add License section with commercial licensing notice (not just badge) + +### Ignore + +- **COPYING file** — `LICENSE.txt` is sufficient +- **Discussions** — issues are enough for a solo project +- **Public roadmap** — internal backlog serves the purpose +- **Wiki** — README + docs site covers it +- **DCO** — insufficient for dual licensing; use a real CLA instead + +--- + +## Scorecard + +| Category | Score | Change | +|----------|-------|--------| +| Professional Signals | 7/9 | +3 (CI badge, Dependabot, CodeQL). Topics + Discussions ⏳ post-merge | +| GPL-3.0 Best Practices | 5/5 | +3 (copyright headers, CONTRIBUTING.md, CLA) | +| PR & Issue Hygiene | 7/8 | +3 (issue templates, PR template). `breaking-change` label ⏳ post-merge | +| README Quality | 6/9 | +2 (Contributing section, License section) | +| Automation Hygiene | 6/6 | +3 (CI workflow, tests on PR, lint on PR) | +| Opinionated Setup | 6/7 | +1 (CI gates merges). `required_status_checks` ⏳ post-merge | +| Dual Licensing Readiness | 5/6 | +5 (README notice, LICENSE header, CLA, copyright docs, contact). Commercial template offline | +| **Overall** | **42/50 (84%)** | **+20 from 22/50** | + +Remaining ⏳ items require post-merge GitHub API changes (topics, discussions, labels, required status checks, vulnerability alerts). See "GitHub API Changes (Post-Merge)" in the PR description. diff --git a/setup.js b/setup.js index 116d13f..ac5c859 100755 --- a/setup.js +++ b/setup.js @@ -1,4 +1,6 @@ #!/usr/bin/env node +// SPDX-License-Identifier: GPL-3.0-only +// Copyright (c) 2026 Marcus Krueger const fs = require("fs"); const path = require("path"); diff --git a/test.js b/test.js index a2b2af2..c8d68cc 100644 
--- a/test.js +++ b/test.js @@ -1,4 +1,6 @@ #!/usr/bin/env node +// SPDX-License-Identifier: GPL-3.0-only +// Copyright (c) 2026 Marcus Krueger const fs = require('fs'); const path = require('path'); From 9dbf0fad31922bff64e4057500129b4dc8b31377 Mon Sep 17 00:00:00 2001 From: AnExiledDev Date: Thu, 26 Feb 2026 04:16:53 +0000 Subject: [PATCH 2/3] Remove REPO-AUDIT.md from tracked files --- REPO-AUDIT.md | 274 -------------------------------------------------- 1 file changed, 274 deletions(-) delete mode 100644 REPO-AUDIT.md diff --git a/REPO-AUDIT.md b/REPO-AUDIT.md deleted file mode 100644 index c4bcf2b..0000000 --- a/REPO-AUDIT.md +++ /dev/null 
@@ -1,274 +0,0 @@ -# CodeForge — Public Repo Checklist Audit - -**Date:** 2026-02-26 -**Repository:** [AnExiledDev/CodeForge](https://github.com/AnExiledDev/CodeForge) - ---- - -## Professional Signals - -| Item | Status | Notes | -|------|--------|-------| -| CI badge | ✅ | CI workflow badge added to README | -| License badge | ✅ | GPL-3.0 badge present | -| Version badge | ✅ | npm version badge present | -| Clear repo description | ✅ | "A fully configured DevPod environment optimized for Claude Code development…" | -| Topics added | ⏳ | Post-merge: `gh repo edit --add-topic devcontainer,claude-code,ai-development,developer-tools,vscode,devpod` | -| Releases enabled | ✅ | Active releases (latest: v1.14.2, 2026-02-24). Automated via `release.yml` | -| Dependabot enabled | ✅ | `.github/dependabot.yml` added (npm root, npm docs, github-actions). Vulnerability alerts ⏳ post-merge | -| CodeQL enabled | ✅ | `.github/workflows/codeql.yml` added (JS, weekly schedule + PR/push triggers) | -| Discussions enabled | ⏳ | Post-merge: `gh repo edit --enable-discussions` | - -**Recommendation:** -- **Topics** — Add immediately. Free discoverability boost: `devcontainer`, `claude-code`, `ai-development`, `developer-tools`, `vscode`. Zero effort, high ROI. -- **CI badge** — Add after implementing a CI workflow (see Automation section below). -- **Dependabot** — **Implement.** You have npm and Python dependencies. A basic `dependabot.yml` covering `npm` and `pip` takes 10 lines. -- **CodeQL** — **Implement.** GitHub provides a starter workflow. Since you have JS/Python, it catches real issues. Low effort. -- **Discussions** — **Ignore.** Solo project, issues are sufficient. - ---- - -## GPL-3.0 Best Practices - -| Item | Status | Notes | -|------|--------|-------| -| LICENSE file | ✅ | `LICENSE.txt` — full GPL-3.0 text. 
`package.json` declares `"license": "GPL-3.0"` | -| COPYING file | ❌ | Not present | -| Copyright header in source files | ✅ | SPDX + copyright headers added to all 36 source files | -| CONTRIBUTING.md noting GPL3 | ✅ | CONTRIBUTING.md added with GPL-3.0 + CLA guidelines | -| CLA for dual licensing | ✅ | CLA.md added; CLA Assistant GitHub App to be installed separately | - -**Recommendation:** -- **COPYING** — **Ignore.** Traditional GNU convention but `LICENSE.txt` is the modern standard. Having both is redundant. -- **Copyright headers** — **Implement.** GPL-3.0 recommends a brief header in each source file. This is the most impactful missing GPL practice. A one-liner like: - ``` - # SPDX-License-Identifier: GPL-3.0-only - # Copyright (c) 2026 AnExiledDev - ``` - The SPDX short-form is widely accepted and less intrusive than the full GNU boilerplate. -- **CONTRIBUTING.md** — **Implement.** Must address both GPL-3.0 contribution terms AND CLA requirements if dual licensing. See Dual Licensing section below. -- **CLA** — **Implement if dual licensing.** See Dual Licensing section for details. - ---- - -## PR & Issue Hygiene - -| Item | Status | Notes | -|------|--------|-------| -| Issue templates (bug / feature) | ✅ | Bug report + feature request YAML form templates added | -| PR template | ✅ | `.github/pull_request_template.md` added | -| Label: `bug` | ✅ | Present | -| Label: `enhancement` | ✅ | Present | -| Label: `good-first-issue` | ✅ | Present (as "good first issue") | -| Label: `help-wanted` | ✅ | Present (as "help wanted") | -| Label: `breaking-change` | ⏳ | Post-merge: `gh label create "breaking-change" -c "D93F0B"` | - -**Recommendation:** -- **Issue templates** — **Implement.** Bug and feature request templates guide contributors and reduce noise. Standard GitHub practice, ~20 minutes of work. -- **PR template** — **Implement.** A simple template with Description / Linked Issue / Checklist sections. Helps even for solo PRs to maintain discipline. 
-- **`breaking-change` label** — **Implement.** One CLI command: `gh label create "breaking-change" -c "D93F0B" -d "Introduces a breaking change"`. Critical for a published npm package. - ---- - -## README Quality - -| Item | Status | Notes | -|------|--------|-------| -| 1-sentence clear description | ✅ | Line 11 — concise and accurate | -| Why it exists | ❌ | No motivation/problem statement section | -| Installation | ✅ | Clear with `npx` command and alternatives | -| Quick start example | ✅ | 4-step guide | -| Configuration section | ❌ | Deferred to `.devcontainer/README.md` — no inline summary | -| Contributing section | ✅ | Added with link to CONTRIBUTING.md and CLA | -| License section | ✅ | Dedicated section with GPL-3.0 link + commercial licensing notice | -| Roadmap | ❌ | Not present | -| Architecture overview | ❌ | Not present (relevant for dev tooling) | - -**Recommendation:** -- **Why it exists** — **Implement.** 2-3 sentences explaining the problem (configuring dev environments for Claude Code is tedious/error-prone). Makes the README compelling. -- **Configuration** — **Implement.** A brief section (5-10 lines) summarizing key config options with a link to the full guide. Users shouldn't have to click through to know if config exists. -- **Contributing** — **Implement.** Even a short section saying "See CONTRIBUTING.md" with a link. Standard expectation for public repos. -- **License section** — **Implement.** Add a 2-line section: license name + link to LICENSE.txt. Badges alone aren't sufficient for some compliance scanners. -- **Roadmap** — **Ignore.** You use `.specs/BACKLOG.md` internally. A public roadmap is optional for this project type. -- **Architecture overview** — **Consider.** A brief diagram or section listing the plugin/feature/agent architecture would help contributors understand the system. Lower priority. 
- ---- - -## Automation Hygiene - -| Item | Status | Notes | -|------|--------|-------| -| CI required for merge | ✅ | CI workflow added (test + lint jobs). Status checks ⏳ post-merge ruleset update | -| Tests required | ✅ | CI workflow runs `npm test` on PRs and pushes to main | -| Lint required | ✅ | CI workflow runs Biome lint on PRs and pushes to main | -| No direct pushes to main | ✅ | Ruleset enforces PR requirement with `non_fast_forward` rule | -| Squash-only merge | ✅ | Ruleset `allowed_merge_methods: ["squash"]` | -| Signed commits | ✅ | `required_signatures` rule active | - -**Recommendation:** -- **CI workflow** — **Implement (high priority).** Create a `.github/workflows/ci.yml` that runs on PRs: `npm test` + lint. This is the biggest gap — you have tests but they only gate releases, not PRs. -- **Required status checks** — **Implement** after CI workflow exists. Add `required_status_checks` to the ruleset so PRs can't merge without passing CI. -- **Lint step** — **Implement.** You ship `biome` and `ruff` — use them in CI. 
- ---- - -## Opinionated Setup (Solo + Technical) - -| Item | Status | Notes | -|------|--------|-------| -| Require PR | ✅ | Enforced via ruleset | -| Restrict updates (you only) | ✅ | `bypass_actors` limited to repo admin (RepositoryRole 5) | -| Status checks required | ⏳ | Post-merge: add `required_status_checks` to ruleset 13201702 (test + lint) | -| Squash-only merge | ✅ | Enforced | -| Signed commits | ✅ | Enforced | -| Automation can open PRs but NOT bypass | ✅ | No automation actors in bypass list; CI now gates merges | -| No auto-merge without review | ✅ | 1 required review, dismiss stale reviews, require last push approval | - ---- - -## Dual Licensing & Commercial Licensing Strategy - -### Current State - -| Item | Status | Notes | -|------|--------|-------| -| Dual licensing notice in README | ✅ | License section with commercial licensing notice added | -| Dual licensing notice in LICENSE.txt | ✅ | Dual licensing header prepended to GPL-3.0 text | -| CLA for contributors | ✅ | CLA.md added; CLA Assistant GitHub App install is manual/post-merge | -| Copyright ownership documentation | ✅ | SPDX headers with `Copyright (c) 2026 Marcus Krueger` in all source files | -| Commercial license template | ❌ | Prepared offline, not in repo (out of scope) | -| Contact method for licensing inquiries | ✅ | Email in README, LICENSE.txt, and issue template config | - -### Why This Matters - -Dual licensing (GPL-3.0 public + commercial for paying customers) is a proven monetization model for dev tooling. But it **only works if you own 100% of the copyright**. The moment an external contributor submits code without a CLA, you lose the legal right to offer that code under a non-GPL license. - -### What to Implement - -**1. Contributor License Agreement (CLA)** — **Critical if dual licensing** - -You need contributors to grant you relicensing rights. 
Two common approaches: - -| Approach | Pros | Cons | -|----------|------|------| -| **CLA Assistant** (GitHub App) | Automated, signs on first PR via comment. Free. [cla-assistant.io](https://cla-assistant.io/) | Extra step for contributors | -| **DCO (Developer Certificate of Origin)** | Lighter — `Signed-off-by` line in commits. No separate agreement | Does NOT grant relicensing rights — insufficient for dual licensing | - -**Recommendation:** Use **CLA Assistant** with a simple CLA that grants you the right to sublicense contributions. DCO alone is not enough for dual licensing. - -**2. README Licensing Notice** — Add to the License section: - -``` -## License - -This project is licensed under the [GNU General Public License v3.0](LICENSE.txt). - -**Commercial licensing** is available for organizations that need to use CodeForge -without GPL obligations. Contact [your-email] for terms. -``` - -**3. CONTRIBUTING.md CLA Section** — Make it clear upfront: - -``` -## Contributor License Agreement - -By submitting a pull request, you agree to the CodeForge CLA, which grants -the project maintainer the right to relicense your contributions. This enables -us to offer commercial licenses while keeping the open source version free -under GPL-3.0. - -The CLA bot will prompt you to sign on your first PR. -``` - -**4. Copyright Ownership File** — Optional but recommended. A `COPYRIGHT` file or section in README stating: - -``` -Copyright (c) 2026 AnExiledDev. All rights reserved. -Licensed under GPL-3.0. Commercial licenses available. -``` - -**5. Commercial License Template** — Prepare a standard commercial license agreement. Does not need to live in the repo, but have it ready before advertising availability. Key terms to cover: -- Scope of use (embedding, distribution, modification) -- Support/maintenance terms (if any) -- Warranty disclaimers -- Duration and renewal - -### Decision Tree - -``` -Want to offer commercial licenses? 
-├── YES → Implement CLA + dual licensing notice + copyright headers -│ ├── Accepting external contributions? → CLA is MANDATORY -│ └── Solo-only contributions? → CLA not needed yet, but add before opening to contributors -└── NO → Keep current setup. No CLA needed. CONTRIBUTING.md just states GPL-3.0 terms. -``` - -### Impact on Other Checklist Items - -If you pursue dual licensing, these items change: - -| Item | Previous | Updated | -|------|----------|---------| -| CLA | ✅ "No CLA (correct for GPL3)" | ❌ → **Implement CLA** | -| CONTRIBUTING.md | ❌ "Note GPL3 implications" | ❌ → **Note GPL3 + CLA + dual licensing** | -| Copyright headers | ❌ SPDX only | ❌ → **SPDX + copyright holder name** (required for relicensing proof) | -| README License section | ⚠️ Badge only | ❌ → **Full section with commercial notice** | - ---- - -## Priority Actions - -### Do Now (high impact, low effort) - -1. **Add repo topics** — `gh repo edit --add-topic devcontainer,claude-code,ai-development,developer-tools,vscode` -2. **Add `breaking-change` label** — `gh label create "breaking-change" -c "D93F0B"` -3. **Create CI workflow** — run `npm test` + lint on PRs -4. **Add `required_status_checks`** to ruleset after CI exists -5. **Enable Dependabot** — create `.github/dependabot.yml` - -### Dual Licensing (decide first, then implement) - -6. **Decide: dual licensing yes/no** — this gates items 7-9 -7. **Set up CLA** — CLA Assistant GitHub App + CLA document (if dual licensing) -8. **Add dual licensing notice** — README License section + LICENSE.txt header (if dual licensing) -9. **Prepare commercial license template** — offline, not in repo (if dual licensing) - -### Do Soon (moderate effort, professional polish) - -10. **Add issue templates** — bug report + feature request in `.github/ISSUE_TEMPLATE/` -11. **Add PR template** — `.github/pull_request_template.md` -12. **Create CONTRIBUTING.md** — contribution guidelines + GPL-3.0 + CLA notice (if applicable) -13. 
**Add SPDX copyright headers** — `SPDX-License-Identifier` + `Copyright (c)` to source files -14. **Add CodeQL workflow** — `.github/workflows/codeql.yml` - -### Enhance README - -15. Add "Why CodeForge?" section -16. Add brief Configuration summary -17. Add Contributing section (link to CONTRIBUTING.md) -18. Add License section with commercial licensing notice (not just badge) - -### Ignore - -- **COPYING file** — `LICENSE.txt` is sufficient -- **Discussions** — issues are enough for a solo project -- **Public roadmap** — internal backlog serves the purpose -- **Wiki** — README + docs site covers it -- **DCO** — insufficient for dual licensing; use a real CLA instead - ---- - -## Scorecard - -| Category | Score | Change | -|----------|-------|--------| -| Professional Signals | 7/9 | +3 (CI badge, Dependabot, CodeQL). Topics + Discussions ⏳ post-merge | -| GPL-3.0 Best Practices | 5/5 | +3 (copyright headers, CONTRIBUTING.md, CLA) | -| PR & Issue Hygiene | 7/8 | +3 (issue templates, PR template). `breaking-change` label ⏳ post-merge | -| README Quality | 6/9 | +2 (Contributing section, License section) | -| Automation Hygiene | 6/6 | +3 (CI workflow, tests on PR, lint on PR) | -| Opinionated Setup | 6/7 | +1 (CI gates merges). `required_status_checks` ⏳ post-merge | -| Dual Licensing Readiness | 5/6 | +5 (README notice, LICENSE header, CLA, copyright docs, contact). Commercial template offline | -| **Overall** | **42/50 (84%)** | **+20 from 22/50** | - -Remaining ⏳ items require post-merge GitHub API changes (topics, discussions, labels, required status checks, vulnerability alerts). See "GitHub API Changes (Post-Merge)" in the PR description. From 7956444b58978d8962323532e3066eecaea998ec Mon Sep 17 00:00:00 2001 
From: AnExiledDev Date: Thu, 26 Feb 2026 04:33:08 +0000 Subject: [PATCH 3/3] Fix Biome lint errors: node: protocol and template literals MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apply auto-fixes for useNodejsImportProtocol (require("fs") → require("node:fs")) and useTemplate (string concat → template literals) in setup.js and test.js. Biome also reformatted test.js indentation and quotes to match project style. --- setup.js | 10 ++--- test.js | 128 ++++++++++++++++++++++++++++++------------------------- 2 files changed, 74 insertions(+), 64 deletions(-) diff --git a/setup.js b/setup.js index ac5c859..da13926 100755 --- a/setup.js +++ b/setup.js @@ -2,8 +2,8 @@ // SPDX-License-Identifier: GPL-3.0-only // Copyright (c) 2026 Marcus Krueger -const fs = require("fs"); -const path = require("path"); +const fs = require("node:fs"); +const path = require("node:path"); // ── Default preserve list ──────────────────────────────────────── // Files in the package that should NOT overwrite user customizations. @@ -82,7 +82,7 @@ function syncDirectory(src, dest, preserveSet) { const srcPath = path.join(srcDir, entry.name); const destPath = path.join(destDir, entry.name); const relativePath = relativeBase - ? relativeBase + "/" + entry.name + ? `${relativeBase}/${entry.name}` : entry.name; if (entry.isDirectory()) { @@ -92,7 +92,7 @@ function syncDirectory(src, dest, preserveSet) { // Special handling for devcontainer.json: overwrite + save .bak if (relativePath === "devcontainer.json" && fs.existsSync(destPath)) { - fs.copyFileSync(destPath, destPath + ".bak"); + fs.copyFileSync(destPath, `${destPath}.bak`); fs.copyFileSync(srcPath, destPath); stats.backedUp++; stats.updated++; 
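Review bot: The switch to `require("node:fs")` and `require("node:path")` in the first hunk raises the package's minimum Node version without saying so: the `node:` scheme is only honoured by `require()` from Node 14.18 / 16.0 onward, and on earlier 14.x releases the call fails with a module-not-found error before setup.js prints anything. The README badge on this page still advertises `node >= 14.0.0`, and setup.js is the `npx` entry point, so users on those releases would get a crash rather than a clear message. Either bump the declared engines range and the badge to `>=14.18.0`, or keep the plain `require("fs")` / `require("path")` here and disable Biome's `useNodejsImportProtocol` rule for this file. The `@@ -82` and `@@ -92` hunks are inside `syncDirectory`, whose body starts and ends outside this view.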
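Review bot: The backup written by `fs.copyFileSync(destPath, `${destPath}.bak`)` in the `@@ -92` hunk silently overwrites an existing `.bak`, so running the sync a second time destroys the only copy of the user's original devcontainer.json: after the first run `destPath` already holds the package version, and that is what gets copied over the earlier backup. Skipping the backup-and-overwrite when the installed file already matches the package copy avoids this, e.g. `if (fs.readFileSync(srcPath).equals(fs.readFileSync(destPath))) continue;` placed just before the backup (adjust the `stats` counters if an untouched file should not count as updated). A timestamped suffix would be the alternative if every prior version needs to be kept. This hunk is inside `syncDirectory`, whose body starts and ends outside the hunk.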
@@ -101,7 +101,7 @@ function syncDirectory(src, dest, preserveSet) { // Preserved files: skip overwrite, save package version as .codeforge-new if (preserveSet.has(relativePath) && fs.existsSync(destPath)) { - fs.copyFileSync(srcPath, destPath + ".codeforge-new"); + fs.copyFileSync(srcPath, `${destPath}.codeforge-new`); stats.preserved++; stats.preservedFiles.push(relativePath); continue; diff --git a/test.js b/test.js index c8d68cc..48a671b 100644 --- a/test.js +++ b/test.js 
@@ -2,74 +2,84 @@ // SPDX-License-Identifier: GPL-3.0-only // Copyright (c) 2026 Marcus Krueger -const fs = require('fs'); -const path = require('path'); -const { copyDirectory, main } = require('./setup.js'); +const fs = require("node:fs"); +const path = require("node:path"); +const { copyDirectory, main } = require("./setup.js"); function runTests() { - console.log('🧪 Running CodeForge package tests...\n'); + console.log("🧪 Running CodeForge package tests...\n"); - // Test 1: copyDirectory function exists - console.log('✓ Test 1: copyDirectory function exists'); - - // Test 2: main function exists - console.log('✓ Test 2: main function exists'); + // Test 1: copyDirectory function exists + console.log("✓ Test 1: copyDirectory function exists"); - // Test 3: Check required files exist - const requiredFiles = [ - 'package.json', - 'setup.js', - 'README.md', - '.devcontainer/devcontainer.json', - '.devcontainer/scripts/setup.sh', - '.devcontainer/config/defaults/settings.json' - ]; + // Test 2: main function exists + console.log("✓ Test 2: main function exists"); - let allFilesExist = true; - requiredFiles.forEach(file => { - if (fs.existsSync(path.join(__dirname, file))) { - console.log(`✓ Test 3.${requiredFiles.indexOf(file) + 1}: ${file} exists`); - } else { - console.log(`❌ Test 3.${requiredFiles.indexOf(file) + 1}: ${file} missing`); - allFilesExist = false; - } - }); + // Test 3: Check required files exist + const requiredFiles = [ + "package.json", + "setup.js", + "README.md", + ".devcontainer/devcontainer.json", + ".devcontainer/scripts/setup.sh", + ".devcontainer/config/defaults/settings.json", + ]; - // Test 4: Package.json has correct structure - const packageJson = JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'), 'utf8')); - const requiredFields = ['name', 'version', 'bin', 'files']; - let packageValid = true; + let allFilesExist = true; + requiredFiles.forEach((file) => { + if (fs.existsSync(path.join(__dirname, file))) { + console.log( 
+ `✓ Test 3.${requiredFiles.indexOf(file) + 1}: ${file} exists`, + ); + } else { + console.log( + `❌ Test 3.${requiredFiles.indexOf(file) + 1}: ${file} missing`, + ); + allFilesExist = false; + } + }); - requiredFields.forEach(field => { - if (packageJson[field]) { - console.log(`✓ Test 4.${requiredFields.indexOf(field) + 1}: package.json has ${field}`); - } else { - console.log(`❌ Test 4.${requiredFields.indexOf(field) + 1}: package.json missing ${field}`); - packageValid = false; - } - }); + // Test 4: Package.json has correct structure + const packageJson = JSON.parse( + fs.readFileSync(path.join(__dirname, "package.json"), "utf8"), + ); + const requiredFields = ["name", "version", "bin", "files"]; + let packageValid = true; - // Test 5: Setup script is executable - let setupExecutable = true; - const setupStat = fs.statSync(path.join(__dirname, 'setup.js')); - if (setupStat.mode & parseInt('111', 8)) { - console.log('✓ Test 5: setup.js is executable'); - } else { - console.log('❌ Test 5: setup.js is not executable'); - setupExecutable = false; - } + requiredFields.forEach((field) => { + if (packageJson[field]) { + console.log( + `✓ Test 4.${requiredFields.indexOf(field) + 1}: package.json has ${field}`, + ); + } else { + console.log( + `❌ Test 4.${requiredFields.indexOf(field) + 1}: package.json missing ${field}`, + ); + packageValid = false; + } + }); - // Summary - console.log('\n📊 Test Results:'); - if (allFilesExist && packageValid && setupExecutable) { - console.log('🎉 All tests passed! Package is ready for distribution.'); - process.exit(0); - } else { - console.log('❌ Some tests failed. 
Check the errors above.'); - process.exit(1); - } + // Test 5: Setup script is executable + let setupExecutable = true; + const setupStat = fs.statSync(path.join(__dirname, "setup.js")); + if (setupStat.mode & 0o111) { + console.log("✓ Test 5: setup.js is executable"); + } else { + console.log("❌ Test 5: setup.js is not executable"); + setupExecutable = false; + } + + // Summary + console.log("\n📊 Test Results:"); + if (allFilesExist && packageValid && setupExecutable) { + console.log("🎉 All tests passed! Package is ready for distribution."); + process.exit(0); + } else { + console.log("❌ Some tests failed. Check the errors above."); + process.exit(1); + } } if (require.main === module) { - runTests(); -} \ No newline at end of file + runTests(); +}
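Review bot: Tests 1 and 2 in the rewritten runTests print a ✓ without ever checking that `copyDirectory` and `main` are functions, so the run stays green even if setup.js stops exporting them (the setup.js hunks in this patch show the copy routine named syncDirectory, so whether `copyDirectory` is really exported is worth confirming). Replace the two bare console.log calls with a check that feeds the summary, e.g. `const exportsOk = typeof copyDirectory === "function" && typeof main === "function";` then `console.log(exportsOk ? "✓ Test 1-2: copyDirectory and main are exported" : "❌ Test 1-2: copyDirectory/main missing from setup.js");`, and include `exportsOk` in the final `if (allFilesExist && packageValid && setupExecutable)` condition. Separately, `requiredFiles.indexOf(file)` and `requiredFields.indexOf(field)` inside the forEach callbacks can use the callback's index argument, `requiredFiles.forEach((file, i) => …)`, instead of re-scanning the array. Test 5's `setupStat.mode & 0o111` is Unix-specific and always fails on Windows, where npm sets no execute bits; consider guarding it with `process.platform !== "win32"`.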