# Contributing to OmniRoute Thank you for your interest in contributing! This guide covers everything you need to get started. --- ## Development Setup ### Prerequisites - **Node.js** `>=22.22.3 <23`, or `>=24.0.0 <27` (recommended: 24 LTS) - **npm** 10+ - **Git** ### Clone & Install ```bash git clone https://github.com/diegosouzapw/OmniRoute.git cd OmniRoute npm install ``` ### Environment Variables ```bash # Create your .env from the template cp .env.example .env # Generate required secrets echo "JWT_SECRET=$(openssl rand -base64 48)" >> .env echo "API_KEY_SECRET=$(openssl rand -hex 32)" >> .env ``` Key variables for development: | Variable | Development Default | Description | | ---------------------- | ------------------------ | --------------------- | | `PORT` | `20128` | Server port | | `NEXT_PUBLIC_BASE_URL` | `http://localhost:20128` | Base URL for frontend | | `JWT_SECRET` | (generate above) | JWT signing secret | | `INITIAL_PASSWORD` | `CHANGEME` | First login password | | `APP_LOG_LEVEL` | `info` | Log verbosity level | ### Dashboard Settings The dashboard provides UI toggles for features that can also be configured via environment variables: | Setting Location | Toggle | Description | | ------------------- | ------------------ | ------------------------------ | | Settings → Advanced | Debug Mode | Enable debug request logs (UI) | | Settings → General | Sidebar Visibility | Show/hide sidebar sections | These settings are stored in the database and persist across restarts, overriding env var defaults when set. ### Running Locally ```bash # Development mode (hot reload) npm run dev # Production build npm run build npm run start # Common port configuration PORT=20128 NEXT_PUBLIC_BASE_URL=http://localhost:20128 npm run dev ``` Default URLs: - **Dashboard**: `http://localhost:20128/dashboard` - **API**: `http://localhost:20128/v1` --- ## Git Workflow > ⚠️ **NEVER commit directly to `main`.** Always use feature branches. ```bash git checkout -b feat/your-feature-name # ... make changes ... git commit -m "feat: describe your change" git push -u origin feat/your-feature-name # Open a Pull Request on GitHub ``` ### Branch Naming | Prefix | Purpose | | ----------- | ------------------------- | | `feat/` | New features | | `fix/` | Bug fixes | | `refactor/` | Code restructuring | | `docs/` | Documentation changes | | `test/` | Test additions/fixes | | `chore/` | Tooling, CI, dependencies | ### Commit Messages Follow [Conventional Commits](https://www.conventionalcommits.org/): ``` feat: add circuit breaker for provider calls fix: resolve JWT secret validation edge case docs: update SECURITY.md with PII protection test: add observability unit tests refactor(db): consolidate rate limit tables ``` Scopes (v3.8): `db`, `sse`, `oauth`, `dashboard`, `api`, `cli`, `docker`, `ci`, `mcp`, `a2a`, `memory`, `skills`, `cloud-agent`, `guardrails`, `compression`, `auto-combo`, `resilience`, `providers`, `executors`, `translator`, `domain`, `authz`. --- ## Running Tests ```bash # All tests (unit + vitest + ecosystem + e2e) npm run test:all # Single test file (Node.js native test runner — most tests use this) node --import tsx/esm --test tests/unit/your-file.test.ts # Vitest (MCP server, autoCombo, cache) npm run test:vitest # E2E tests (requires Playwright) npm run test:e2e # Protocol clients E2E (MCP transports, A2A) npm run test:protocols:e2e # Ecosystem compatibility tests npm run test:ecosystem # Coverage gate: 75% statements/lines/functions, 70% branches npm run test:coverage npm run coverage:report # Lint + format check npm run lint npm run check ``` Coverage notes: - `npm run test:coverage` measures source coverage for the main unit test suite, excludes `tests/**`, and includes `open-sse/**` - Pull requests must keep the coverage gate at **75%+** statements/lines/functions and **70%+** branches - If a PR changes production code in `src/`, `open-sse/`, `electron/`, or `bin/`, it must add or update automated tests in the same PR - `npm run coverage:report` prints the detailed file-by-file report from the latest coverage run - `npm run test:coverage:legacy` preserves the older metric for historical comparison - See `docs/ops/COVERAGE_PLAN.md` for the phased coverage improvement roadmap ### Pull Request Requirements Before opening or merging a PR: - Run `npm run test:unit` - Run `npm run test:coverage` - Ensure the coverage gate stays at **75%+** statements/lines/functions, **70%+** branches - Include the changed or added test files in the PR description when production code changed - Check the SonarQube result on the PR when the project secrets are configured in CI Current test status: **122 unit test files** covering: - Provider translators and format conversion - Rate limiting, circuit breaker, and resilience - Semantic cache, idempotency, progress tracking - Database operations and schema (21 DB modules) - OAuth flows and authentication - API endpoint validation (Zod v4) - MCP server tools and scope enforcement - Memory and Skills systems --- ## Code Style - **ESLint** — Run `npm run lint` before committing - **Prettier** — Auto-formatted via `lint-staged` on commit (2 spaces, semicolons, double quotes, 100 char width, es5 trailing commas) - **TypeScript** — All `src/` code uses `.ts`/`.tsx`; `open-sse/` uses `.ts`/`.js`; document with TSDoc (`@param`, `@returns`, `@throws`) - **No `eval()`** — ESLint enforces `no-eval`, `no-implied-eval`, `no-new-func` - **Zod validation** — Use Zod v4 schemas for all API input validation - **Naming**: Files = camelCase/kebab-case, components = PascalCase, constants = UPPER_SNAKE --- ## Project Structure ``` src/ # TypeScript (.ts / .tsx) ├── app/ # Next.js 16 App Router │ ├── (dashboard)/ # Dashboard pages (23 sections) │ ├── api/ # API routes (51 directories) │ └── login/ # Auth pages (.tsx) ├── domain/ # Policy engine (policyEngine, comboResolver, costRules, etc.) ├── lib/ # Core business logic (.ts) │ ├── a2a/ # Agent-to-Agent v0.3 protocol server │ ├── acp/ # Agent Communication Protocol registry │ ├── compliance/ # Compliance policy engine │ ├── db/ # SQLite database layer (21 modules + 16 migrations) │ ├── memory/ # Persistent conversational memory │ ├── oauth/ # OAuth providers, services, and utilities │ ├── skills/ # Extensible skill framework │ ├── usage/ # Usage tracking and cost calculation │ └── localDb.ts # Re-export layer only — never add logic here ├── middleware/ # Request middleware (promptInjectionGuard) ├── mitm/ # MITM proxy (cert, DNS, target routing) ├── shared/ │ ├── components/ # React components (.tsx) │ ├── constants/ # Provider definitions (177), MCP scopes, 14 routing strategies │ ├── utils/ # Circuit breaker, sanitizer, auth helpers │ └── validation/ # Zod v4 schemas └── sse/ # SSE proxy pipeline open-sse/ # @omniroute/open-sse workspace ├── executors/ # 14 provider-specific request executors ├── handlers/ # 11 request handlers (chat, responses, embeddings, images, etc.) ├── mcp-server/ # MCP server (25 tools, 3 transports, 10 scopes) ├── services/ # 36+ services (combo, autoCombo, rateLimitManager, etc.) ├── translator/ # Format translators (OpenAI ↔ Claude ↔ Gemini ↔ Responses ↔ Ollama) ├── transformer/ # Responses API transformer └── utils/ # 22 utility modules (stream, TLS, proxy, logging) electron/ # Electron desktop app (cross-platform) tests/ ├── unit/ # Node.js test runner (122 test files) ├── integration/ # Integration tests ├── e2e/ # Playwright tests ├── security/ # Security tests ├── translator/ # Translator-specific tests └── load/ # Load tests docs/ # Documentation ├── ARCHITECTURE.md # System architecture ├── API_REFERENCE.md # All endpoints ├── USER_GUIDE.md # Provider setup, CLI integration ├── TROUBLESHOOTING.md # Common issues ├── MCP-SERVER.md # MCP server (25 tools) ├── A2A-SERVER.md # A2A agent protocol ├── AUTO-COMBO.md # Auto-combo engine ├── CLI-TOOLS.md # CLI tools integration ├── COVERAGE_PLAN.md # Test coverage improvement plan ├── openapi.yaml # OpenAPI specification └── adr/ # Architecture Decision Records ``` --- ## Adding a New Provider ### Step 1: Register Provider Constants Add to `src/shared/constants/providers.ts` — Zod-validated at module load. ### Step 2: Add Executor (if custom logic needed) Create executor in `open-sse/executors/your-provider.ts` extending the base executor. ### Step 3: Add Translator (if non-OpenAI format) Create request/response translators in `open-sse/translator/`. ### Step 4: Add OAuth Config (if OAuth-based) Add OAuth credentials in `src/lib/oauth/constants/oauth.ts` and service in `src/lib/oauth/services/`. If the upstream provider distributes a public OAuth client_id/secret or Firebase Web API key inside its public CLI / browser bundle, **do not** embed it as a string literal. Use `resolvePublicCred()` from `open-sse/utils/publicCreds.ts` and add a masked byte entry to `EMBEDDED_DEFAULTS`. The full mandatory workflow is documented in [`docs/security/PUBLIC_CREDS.md`](./docs/security/PUBLIC_CREDS.md). Inside handlers/executors, error messages reaching the client must go through `buildErrorBody()` / `sanitizeErrorMessage()` from `open-sse/utils/error.ts` — never put raw `err.stack` or `err.message` in a Response body. See [`docs/security/ERROR_SANITIZATION.md`](./docs/security/ERROR_SANITIZATION.md). ### Step 5: Register Models Add model definitions in `open-sse/config/providerRegistry.ts`. ### Step 6: Add Tests Write unit tests in `tests/unit/` covering at minimum: - Provider registration - Request/response translation - Error handling --- ## Pull Request Checklist - [ ] Tests pass (`npm test`) - [ ] Linting passes (`npm run lint`) - [ ] Build succeeds (`npm run build`) - [ ] TypeScript types added for new public functions and interfaces - [ ] No hardcoded secrets or fallback values - [ ] Public upstream credentials embedded via `resolvePublicCred()` (see [`docs/security/PUBLIC_CREDS.md`](./docs/security/PUBLIC_CREDS.md)), never as literals - [ ] Error responses route through `buildErrorBody()` / `sanitizeErrorMessage()` — no raw stack traces in response bodies (see [`docs/security/ERROR_SANITIZATION.md`](./docs/security/ERROR_SANITIZATION.md)) - [ ] Shell commands (`exec` / `spawn`) pass runtime values via `env`, not via string interpolation - [ ] All inputs validated with Zod schemas - [ ] CHANGELOG updated (if user-facing change) - [ ] Documentation updated (if applicable) - [ ] No new CodeQL / Secret-Scanning alerts opened, or each one dismissed with technical justification referencing the relevant `docs/security/` doc - [ ] Routes that spawn child processes (`/api/mcp/`, `/api/cli-tools/runtime/`) classified as `isLocalOnlyPath()` in `src/server/authz/routeGuard.ts` — see [Hard Rule #15](docs/security/ROUTE_GUARD_TIERS.md) - [ ] No `Co-Authored-By` trailers in commit messages — commits must appear solely under the repository owner's Git identity (Hard Rule #16) --- ## Releasing Releases are managed via the `/generate-release` workflow. When a new GitHub Release is created, the package is **automatically published to npm** via GitHub Actions. --- ## Getting Help - **Architecture**: See [`docs/architecture/ARCHITECTURE.md`](docs/architecture/ARCHITECTURE.md) - **API Reference**: See [`docs/reference/API_REFERENCE.md`](docs/reference/API_REFERENCE.md) - **Security docs**: [`docs/security/CLI_TOKEN.md`](docs/security/CLI_TOKEN.md), [`docs/security/ROUTE_GUARD_TIERS.md`](docs/security/ROUTE_GUARD_TIERS.md), [`docs/security/ERROR_SANITIZATION.md`](docs/security/ERROR_SANITIZATION.md), [`docs/security/PUBLIC_CREDS.md`](docs/security/PUBLIC_CREDS.md) - **Ops docs**: [`docs/ops/SQLITE_RUNTIME.md`](docs/ops/SQLITE_RUNTIME.md) - **Issues**: [github.com/diegosouzapw/OmniRoute/issues](https://github.com/diegosouzapw/OmniRoute/issues) - **ADRs**: See `docs/adr/` for architectural decision records