
Add contributor docs, security policy, and issue templates

Adds SECURITY.md (private vulnerability reporting and redaction-gate
scope), CONTRIBUTING.md, bug and feature issue forms, a pull request
template, CODEOWNERS, and a tag-triggered npm publish workflow with
provenance.
a763215   Zion Boggan committed on Jun 13, 2026 (1 week ago)
.github/CODEOWNERS +1 -0
@@ -0,0 +1 @@
+* @zionboggan
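Review bot: A CODEOWNERS file with a single `* @zionboggan` rule only routes review requests; it does not block merges unless the branch protection rule for the default branch has "Require review from Code Owners" enabled. If the intent is to gate changes to the redaction gate behind owner review, note that setting in CONTRIBUTING.md or enable it alongside this file.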
.github/ISSUE_TEMPLATE/bug_report.yml +52 -0
@@ -0,0 +1,52 @@
+name: Bug report
+description: Something in TreeTrace did not work as expected
+labels: ["bug"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for the report. Please do not paste real secrets or full transcripts. A redacted snippet is enough.
+ - type: textarea
+ id: what-happened
+ attributes:
+ label: What happened
+ description: What you ran and what TreeTrace did.
+ placeholder: I ran `npx treetrace --report` and ...
+ validations:
+ required: true
+ - type: textarea
+ id: expected
+ attributes:
+ label: What you expected instead
+ validations:
+ required: true
+ - type: input
+ id: version
+ attributes:
+ label: TreeTrace version
+ placeholder: 0.4.0
+ validations:
+ required: true
+ - type: input
+ id: environment
+ attributes:
+ label: OS and Node version
+ placeholder: macOS 14, Node 20
+ validations:
+ required: true
+ - type: dropdown
+ id: source
+ attributes:
+ label: Transcript source
+ options:
+ - Claude Code (auto-discovered)
+ - Codex CLI
+ - ChatGPT export
+ - Gemini CLI
+ - Copilot
+ - Cursor
+ - Grok
+ - Pasted transcript
+ - Other
+ validations:
+ required: false
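Review bot: The reminder not to paste real secrets or full transcripts lives only in the intro `markdown` block, but the field where pastes actually happen is the `what-happened` textarea. Repeating the point in that field's `description` (for example, "Redact tokens and paths before pasting; a short snippet is enough.") puts it where the reporter is looking at the moment they paste.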
.github/ISSUE_TEMPLATE/config.yml +8 -0
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+ - name: Security report
+ url: https://github.com/Tree-Trace/treetrace/security/advisories/new
+ about: Report a vulnerability privately instead of opening a public issue.
+ - name: Website
+ url: https://treetrace.dev
+ about: Project site and overview.
.github/ISSUE_TEMPLATE/feature_request.yml +25 -0
@@ -0,0 +1,25 @@
+name: Feature request
+description: Suggest an improvement or a new source adapter
+labels: ["enhancement"]
+body:
+ - type: textarea
+ id: problem
+ attributes:
+ label: The problem
+ description: What are you trying to do that TreeTrace makes hard today?
+ validations:
+ required: true
+ - type: textarea
+ id: idea
+ attributes:
+ label: The idea
+ description: What would you like it to do? If this is a new source adapter, link the export format if you can.
+ validations:
+ required: true
+ - type: textarea
+ id: notes
+ attributes:
+ label: Anything else
+ description: Constraints worth knowing. TreeTrace stays local-first and zero-dependency, so ideas that fit that hold up best.
+ validations:
+ required: false
.github/PULL_REQUEST_TEMPLATE.md +10 -0
@@ -0,0 +1,10 @@
+## What this changes
+
+One or two lines on what changed and why.
+
+## Checklist
+
+- [ ] `npm test` passes
+- [ ] Added or updated a test for the behavior change
+- [ ] No new runtime dependencies
+- [ ] No secrets, real transcripts, or personal paths in the diff
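Review bot: The checklist does not carry the redaction rule that CONTRIBUTING.md in this same commit calls out ("if you touch redaction, add a fixture that proves a secret shape is caught"). Add an item such as `- [ ] If redaction changed, a fixture proves the affected secret shape is still caught` so the fail-closed requirement is visible at review time rather than only in the contributor guide.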
.github/workflows/release.yml +21 -0
@@ -0,0 +1,21 @@
+name: release
+on:
+ push:
+ tags: ['v*']
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ registry-url: 'https://registry.npmjs.org'
+ - run: node --test test/treetrace.test.js test/adapters.test.js
+ - run: npm publish --provenance --access public
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
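Review bot: The pre-publish check runs only `test/treetrace.test.js` and `test/adapters.test.js` by name, while CONTRIBUTING.md calls `npm test` "the spec"; any test file added later (new adapter fixtures, for instance) will not run before a release. Use `- run: npm test` here so the release gate and the contributor gate are the same command. Two hardening points for a job that holds `id-token: write` and an npm publish token: pin `actions/checkout` and `actions/setup-node` to a full commit SHA rather than `@v4`, and consider attaching the job to a protected `environment` so a pushed `v*` tag cannot publish without an approval step. Since the job already requests an OIDC token for `--provenance`, npm trusted publishing could replace the long-lived `NPM_TOKEN` secret entirely.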
CONTRIBUTING.md +41 -0
@@ -0,0 +1,41 @@
+# Contributing to TreeTrace
+
+Thanks for looking. TreeTrace is a small, local-first CLI with no runtime dependencies, and the goal is to keep it that way: readable in one sitting, easy to audit, safe to trust with a session transcript.
+
+## Ground rules
+
+- No runtime dependencies. The tool must keep working with a bare `npx treetrace` and nothing else installed. Dev-only tooling is fine. Anything that would ship in `files` is not.
+- Local-first. No network calls, no telemetry, no uploads. A user's transcripts never leave their machine.
+- The redaction gate fails closed. If you touch redaction, add a fixture that proves a secret shape is caught, and never loosen a rule without a test that shows why it is safe.
+- Ship clean code. No commented-out blocks, no inline narration. If a line needs a comment to be understood, the code usually wants rewriting first.
+
+## Getting set up
+
+```bash
+git clone https://github.com/Tree-Trace/treetrace.git
+cd treetrace
+npm test
+```
+
+There is no build step. Source is plain ES modules under `src/`, the entry point is `bin/treetrace.js`, and tests use the Node built-in test runner.
+
+Run the CLI against a session while you work:
+
+```bash
+node bin/treetrace.js --file path/to/session.jsonl --dir /tmp/tt-out --redact-auto
+```
+
+## Pull requests
+
+- Keep each pull request focused on one change.
+- Add or update a test for any behavior change. The suite is the spec.
+- Run `npm test` and confirm it is green before opening the request.
+- Describe what changed and why in plain language.
+
+## Adding a source adapter
+
+New tools live in `src/adapters/`. An adapter turns a tool's export into the shared session shape and emits per-turn actions where it can. Add a fixture under `test/fixtures/adapters/` and record where it came from in that folder's `PROVENANCE.md`. Keep the adapter marked experimental until it has been validated against a real captured session, not just a schema-shaped fixture.
+
+## Reporting bugs and ideas
+
+Open an issue with the template that fits. For anything security-related, use the private channel in [SECURITY.md](SECURITY.md) instead of a public issue.
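Review bot: The "Adding a source adapter" section asks for validation "against a real captured session" without saying that the committed fixture under `test/fixtures/adapters/` must stay synthetic or fully redacted; the PR template in this commit forbids real transcripts in a diff, so the two documents should say the same thing. One sentence along the lines of "validate locally against your own session, but commit only a synthetic or redacted fixture and describe its origin in `PROVENANCE.md`" closes the gap. Separately, "Getting set up" goes straight from `git clone` to `npm test`; if dev-only tooling is ever added, an `npm ci` step will be needed there, so stating that the test suite currently needs no install makes the zero-dependency claim explicit.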
SECURITY.md +23 -0
@@ -0,0 +1,23 @@
+# Security policy
+
+TreeTrace runs locally and never uploads your data, so most of its security surface is the redaction gate that runs before any artifact is written. Reports about that gate, or about anything else in the tool, are welcome.
+
+## Reporting a vulnerability
+
+Use GitHub's private vulnerability reporting for this repository:
+
+https://github.com/Tree-Trace/treetrace/security/advisories/new
+
+That keeps the report private until a fix is out. Please include the version, your platform and Node version, and a minimal way to reproduce. If a secret would slip through the redaction gate, describe the token shape rather than pasting a real secret.
+
+Expect a first response within a few days. Once a fix ships, the advisory is published with credit to the reporter unless you ask to stay anonymous.
+
+## Supported versions
+
+The latest published 0.x release on npm receives security fixes. TreeTrace is pre-1.0, so older minor versions are not patched separately. Upgrade to the current release.
+
+## Scope
+
+- The redaction gate fails closed. Outside a terminal every detected secret is redacted automatically, and the rendered artifact is shadow-scanned before it is written. A report that shows a known secret shape passing through is in scope and high priority.
+- TreeTrace ships with no runtime dependencies, so there is no third-party package supply chain to compromise in the installed tool.
+- Reading a transcript must never write outside the target directory or run code carried in the transcript. Anything that breaks that boundary is in scope.
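Review bot: The scope bullet stating there is "no third-party package supply chain to compromise in the installed tool" is accurate for runtime dependencies but leaves out the publish path this same commit adds: the release workflow, its GitHub Actions and the npm token are still part of the chain. Since `npm publish --provenance` is used, point users at the provenance attestations (verifiable with `npm audit signatures`) and put compromised releases or workflow tampering explicitly in scope. In the first scope bullet, "Outside a terminal" reads ambiguously; "when output is not an interactive terminal" says what is meant.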