Thanks for your interest. NodeBench is open source (MIT). This guide tells you where to start, what bar to meet, and how to ship.
- Read
docs/ARCHITECTURE.mdfirst. Answers "given this URL, what code runs?" Including: which component is canonical vs@deprecated, where data flows from, what tests cover what. Anything else in this repo's mental model is downstream of that map. - Read
CLAUDE.md. Project conventions, merge workflow, the 13 hard rules. - **Read
docs/runbooks/PROD_PARITY_UI_KIT_WORKFLOW.mdbefore any UI/design-kit work. - Skim
.claude/rules/— if you're using Claude Code on this repo, these are the enforced conventions (modular rules withrelated_frontmatter for two-hop discovery). - Run the app locally per the quickstart in
README.md.
A new engineer's first PR should be small, scoped, and ship through CI green on the first try. The two safest first-PR types:
- Fix a stale doc claim. Run a 4-axis canonical check (kit + production
DOM + routing + git recency — see ARCHITECTURE.md) on something
docs/ARCHITECTURE.mdor.claude/rules/*.mdsays, and fix the doc if it's stale. Zero runtime risk. - Delete dead code. Find a component, run the 4-axis check, if all four axes say it's orphan, delete + open PR.
Avoid as a first PR: anything touching the chat surface, any new Convex table, any route rename. Those are 2-day investigations masquerading as PRs.
| Contribution | Bar |
|---|---|
| Bug fix | Reproduce, root-cause (see .claude/rules/analyst_diagnostic.md), fix the cause not the symptom, add a scenario test |
| New diligence block | Follows DiligenceBlock<T> contract in docs/architecture/DILIGENCE_BLOCKS.md · authority allowlist · gates · fixtures · legal check |
| UI change | Visual verification (screenshot before/after) · npx tsc --noEmit clean · npx vitest run clean · respects docs/architecture/DESIGN_SYSTEM.md |
| New rule or skill | Follows the template of existing files in .claude/rules/ (frontmatter, related_, prior art citation) |
| Architecture change | New ADR in docs/architecture/plans/ with date prefix; supersedes existing via clear "Supersedes: [OLD.md]" header |
- Silent auto-persistence of agent output (every new artifact needs an explicit promote flow)
- Unbounded in-memory caches (see
.claude/rules/agentic_reliability.md) - Fake confidence scores / hardcoded evidence floors
- New surface areas without a State / Target / Transition / Invariant spec
- New top-level directories without a 3-line README explaining purpose
git fetch origin main
git checkout -b <type>/<short-slug> origin/mainBranch name format: <type>/<short-slug>. Types match Conventional Commits:
feat/— new behavior or surfacefix/— bug fixcleanup/— deletion / consolidation (sprint work)docs/—.mdchanges onlychore/— tooling, deps, configrefactor/— structural change, no behavior difftest/— test-only PRsperf/,ci/,build/— as named
npx tsc --noEmit # type-check (CI required check)
npx convex codegen # Convex bundle analysis (CI required check — catches the @openai/agents class of bugs)
npm run test:run # unit + runtime smoke (CI required check)
npm run build # production build (CI required check)If your change touches the UI:
npx vite preview --host 127.0.0.1 --port 4173 &
BASE_URL=http://127.0.0.1:4173 npx playwright test \
tests/e2e/exact-kit-parity-prod.spec.ts \
tests/e2e/one-flow-regression.spec.ts \
--project=chromiumFormat: <type>(<scope>): <subject> — e.g.
fix(a9): require >=3 live sessions to use live data, else seed.
Hard limit: ~400 LOC of substantive change. Split or pre-discuss larger PRs.
One concern per PR. "Delete dead code + refactor + add a feature" = three PRs, not one.
If you touched the UI: include before/after screenshots at 1440x900 and 375x812 (mobile) in the PR description.
gh pr create --title "..." --body "..."
gh pr merge <N> --auto --squash --delete-branchUse --auto, NOT --admin. Branch protection enforces 4 required
checks: Typecheck, Runtime smoke, Build, Tier B vs preview URL.
enforce_admins: true — admins cannot bypass. Auto-merge fires when all
checks go green.
If you're tempted to use --admin, the answer is almost always "fix the
failing check first."
Adding a production dependency requires the PR description to include:
- Why this and not alternatives? Why not extend an existing dep? Why not write the 50 lines yourself?
- Install size impact —
npm ls <pkg>ordu -sh node_modules/<pkg>. - License — must be MIT-compatible permissive (MIT, BSD, ISC, Apache-2.0). No GPL/AGPL/SSPL.
- Bundle-time analyzer compatibility — verify
npx convex codegenruns clean with the new dep before shipping. The@openai/agents-corezod regression that blocked deploys for hours is the canonical example this rule fights.
The expected GitHub repository baseline is documented in
docs/runbooks/GITHUB_REPOSITORY_SETUP.md.
Maintainers should keep these controls enabled:
mainbranch protection with required PR review- Code Owner review
- required checks:
CI / Typecheck,CI / Runtime smoke,CI / Build - Dependabot alerts and security updates
- automatic branch deletion after merge
If repository settings drift, run:
node scripts/github/configureRepoSettings.mjs --apply- TypeScript strict mode — no
anyin new code unless justified in comment - No ESLint disables without a comment explaining why
- Feature-first — new code goes under
src/features/<feature>/, not in loosesrc/folders - Tests colocated —
*.test.tsnext to the file it tests (except e2e which lives intests/e2e/) - Scenario tests, not shallow tests — see
.claude/rules/scenario_testing.md
Conventional commit prefixes are encouraged:
feat(scope):— new featurefix(scope):— bug fixrefactor(scope):— refactor, no behavior changedocs(scope):— docs onlytest(scope):— tests only
Commit body should answer "why", not just "what". The "what" is in the diff.
Do not open a public issue for security vulnerabilities. Email the
maintainer (see package.json author field) or contact
privately via GitHub security advisories.
See docs/architecture/USER_FEEDBACK_SECURITY.md
for our threat model on user-submitted content.
- Design questions → open a GitHub Discussion
- Bug reports → GitHub Issues with the
buglabel + reproduction steps - Feature requests → GitHub Issues with the
enhancementlabel + user story
Many patterns in this repo borrow from well-documented industry practice
(Anthropic's "Building Effective Agents", Manus AI's virtual workspace,
Cognition Devin, Claude Code's layered file-based memory, Cursor, Perplexity,
LangSmith, etc.). When adding a new pattern, cite its prior art in the
module header comment AND in the relevant docs/architecture/ doc. See
.claude/rules/reference_attribution.md (if present) for the exact format.
By contributing, you agree that your contributions will be licensed under the
same MIT license that covers the project. See LICENSE.