Thank you for your interest in contributing. bili-core is an open-source research framework, and contributions of all kinds are welcome: bug reports, fixes, new features, documentation improvements, and adversarial test payloads for AEGIS.
This document covers how to file issues, the contribution workflow, and a few rules that apply to anything that lands in the public repository.
- Use GitHub Issues for bug reports, feature requests, and questions.
- Do not report security vulnerabilities in public issues. Use the process described in SECURITY.md instead.
- When reporting a bug, include the version of bili-core (release tag, branch, or commit SHA), the relevant component (IRIS, AETHER, AEGIS, auth, Flask, Streamlit), and a minimal reproduction.
bili-core uses a GitFlow-shaped branching model.
- The default branch is
develop. Feature work targetsdevelop. mainonly receives merges fromdevelopas part of a tagged release.- Feature branches use the prefix
feat/,fix/,chore/, ordocs/followed by a short descriptive slug (e.g.feat/aegis-new-attack-suite,fix/checkpoint-race).
The container-based development environment is the supported path. See the top-level README.md for the full setup walkthrough.
cd scripts/development
./start-container.sh
./attach-container.shInside the container, streamlit starts the UI on port 8501 and flask starts the API on port 5001.
Before opening a pull request:
- Run
./run_python_formatters.shto apply Black, Autoflake, and Isort. - Run
pylint bili/ --fail-under=9to confirm the lint score is at least 9.0. - Run
pytest bili/and confirm the full suite passes. The suite runs without any external services: MongoDB-backed tests usemongomock, and the AEGIS structural tests validate committed sample fixtures underbili/aegis/tests/<suite>/fixtures/. No tests should be skipped or error. - Add tests for new functionality. Existing test conventions for each component live under
bili/<component>/tests/. - Use type hints throughout new code.
The pre-commit hooks enforce the formatters and lint automatically. The test suite is enforced in CI.
Two required status checks gate every PR to main and develop:
build-application: runs pylint at the 9.0 threshold and builds the distribution package.test-application: installs the full dependency set and runs the completepytest bili/suite.
Both must pass before a PR can merge. The test job runs the suite with no external services, so a green local pytest bili/ should match CI.
- Target
develop, notmain. - Reference the issue your PR addresses, if applicable.
- Write a PR body that summarizes the change in 2–3 sentences and lists any user-visible behavior changes.
- The Claude code review workflow will run automatically on every push and post a review comment. Address the substantive findings before requesting human review.
- Conversations on PR comments must be marked as resolved before the PR is merged.
Three Claude-driven review workflows run on PRs in this repository:
- Claude Code Review runs on every PR push and posts a single review comment surfacing correctness, style, and small-scale design issues.
- Claude Security Review runs on PRs targeting
mainordevelopand performs a deeper pass focused on security-relevant changes (input handling, authentication paths, secret handling, supply-chain regressions). - @claude bot is available in PR and issue comments for follow-up questions and targeted fixes. The bot only responds to comments from users with write access to the repository.
The reviews are best treated as a strong first pass, not a substitute for human review of substantive changes. Address the substantive findings; a final summary line from the reviewer noting that remaining items are "low-severity wording quibbles, none block merge" is a reasonable place to stop iterating.
bili-core is a public repository. Test fixtures, example configurations, comments, and documentation must not include real personal names, real institutional abbreviations beyond MSU Denver itself, or real email addresses.
Use these substitutions:
- Personal names: Alice Garcia, Bob Jones, Carol Lee, Maria A. Smith. Generic enough not to identify anyone.
- Institutional abbreviations in examples: ZX, YW, FOO, BAR.
- Email addresses:
@example.comor@example.edu(RFC-reserved domains).
The discipline is to apply the substitution at the moment of writing the test, not after the fact. Force-pushing a feature branch to scrub a commit that already contains real names is possible but is best avoided.
bili-core is licensed under the MIT License (see LICENSE). By contributing, you agree that your contributions are licensed under the same terms.