# Contributing to Wajeeh BI / BlueDXP

Welcome. This repository powers the **BlueDXP platform** (Wajeeh BI brand) and
its **Integrated Management System** (ISO 9001 / 14001 / 45001 / 27001 aligned).
Read this entire file before your first commit — there is one mandatory rule
that will reject your commit if you skip it.

---

## TL;DR for new developers

```bash
git clone https://github.com/balbayaty/wajeeh-bi-bluedxp.git
cd wajeeh-bi-bluedxp
npm ci
pwsh scripts/install-git-hooks.ps1   # installs the IMS pre-commit hook
cp .env.example .env.local           # then fill in your local values
npm run smoke:ci                     # confirms your environment can build
```

If `npm run smoke:ci` passes, you have a working dev environment.

---

## The one rule that will reject your commit

This repository enforces **`.cursor/rules/keep-ims-manual-in-sync.mdc`** via a
local Git pre-commit hook (installed by `scripts/install-git-hooks.ps1`).

If you stage **any file matching the in-scope globs** without also staging
`platform-architecture-and-ims-sops.html`, your commit is rejected.

In-scope globs (mirrors `.git/hooks/pre-commit` lines 38–47):

```
api/**/*.js          api/**/*.ts          api/_lib/**
*.html               vercel.json          package.json
lib/**               app/**               components/**
types/**             middleware/**
```

Out-of-scope exceptions (handled by the same hook):

```
scripts/smoke-*      *test*               *spec*
.gateway-inspect/*   *.css
```

### Why the rule exists

ISO 9001 §7.5.3 (Control of documented information) and ISO 27001 A.5.33
(Protection of records) require that every change to a controlled asset is
identifiable, retrievable and reversible. The IMS manual is the controlled
asset. Git history is the audit trail. If the manual lags behind the code, an
auditor cannot trust either.

### How to satisfy the rule (correct workflow)

1. Make your code change.
2. Open `platform-architecture-and-ims-sops.html` and update the relevant
   data array (`MODULES`, `INTEGRATIONS`, `ROLES`, `SOPS`, `IMS`, `RISKS`,
   etc. — see the section comments inside the file).
3. Bump `const VERSION` (semver: patch for typos, minor for new features /
   policy expansion, major for breaking process changes).
4. Add an entry to the top of `const CHANGELOG` with `v`, `date`,
   `author` and a `changes:` array describing what shifted and **why**.
5. Run `node scripts/update-manual-revisions.js` to refresh
   `manual-revisions.json` (the manual reads this at runtime to render its
   "Document Control & Git Trail" panel).
6. Stage everything together:

   ```bash
   git add <your-code-files>
   git add platform-architecture-and-ims-sops.html manual-revisions.json
   git commit -m "feat(<area>): <what>"
   ```

### Override (use sparingly, almost never)

```powershell
$env:SKIP_IMS_CHECK = "1"; git commit ...
```

```bash
SKIP_IMS_CHECK=1 git commit ...
```

You **must** explain _why_ in the commit footer. Every override is visible in
the audit log via `git log --grep='SKIP_IMS_CHECK'`.

---

## Branching & PR workflow

- `main` is the deploy branch. Every push to `main` triggers
  `.github/workflows/deploy-vercel.yml` which runs `npm run smoke:ci`,
  deploys to Vercel and curls the smoke endpoints on
  `https://wajeeh.app`.
- Open all work as a feature branch off `main`:
  `feat/<short-description>`, `fix/<short-description>`,
  `docs/<short-description>`, `chore/<short-description>`.
- Open a PR using the template (`.github/PULL_REQUEST_TEMPLATE.md`). The
  template asks the IMS-relevant questions every PR must answer.
- A reviewer named in `.github/CODEOWNERS` is auto-requested for any change
  to a critical path (security, IMS manual, deploy workflow, etc.).

---

## Commit message convention

We follow a relaxed Conventional-Commits style:

```
<type>(<scope>): <subject>

<body — what changed, why, what could break, what was tested>

<footer — optional: refs to issues, security review IDs, override reasons>
```

| `type`     | Use for                                              |
| ---------- | ---------------------------------------------------- |
| `feat`     | New user-visible capability                          |
| `fix`      | Bug fix in production code                           |
| `docs`     | Markdown / OpenAPI / README / IMS manual prose only  |
| `chore`    | Tooling, deps, scripts (no user-visible change)      |
| `refactor` | Code restructure with no behavior change             |
| `perf`     | Performance improvement                              |
| `test`     | Tests / smoke scripts only                           |
| `sec`      | Security-only change (record in IMS RISKS array too) |
| `ims`      | IMS manual update only (no code change)              |

---

## Code style

- **JavaScript / Node** — CommonJS (`require` / `module.exports`); arrow
  functions for callbacks; 2-space indent. No bundler, no transpile.
- **HTML / CSS** — single-file artifacts where each shell loads
  `platform-nav.js` and the appropriate theme file
  (`wajeeh-theme.js` / `flex-theme.js`). Avoid duplicating tokens; pull from
  `wajeeh-theme-tokens.css` or `flex-theme-tokens.css`.
- **Comments** — explain _why_, not _what_. The code already shows what.
- **No `any`** in newly added TypeScript (`types/**`); use `unknown` when
  the shape is genuinely unknown.

---

## Security

- See `SECURITY.md` for the vulnerability disclosure policy.
- Read `SECURITY_HARDENING_ACTIONS.md` for the current security baseline
  (legacy-key default-off, admin MFA enforcement, encrypted MFA secrets,
  Postgres-backed rate limiter, strict CSP / COOP / CORP, two-person
  approval for new accounts).
- Never hardcode an API key. Every secret comes from an environment
  variable; `.env.example` documents every variable the platform reads.
- Production secrets (`.env`, `.env.bluedxp.prod`, `.env.local`,
  `.env.vercel-import.local`) are **never** committed — they are listed
  in `.gitignore` and verified by `git check-ignore`.

---

## Testing & verification before push

Run these before opening a PR (CI runs them too):

```bash
npm run smoke:ci          # Vercel build + Hazalyze stub-mode smoke
npm run verify:doc-links  # internal HTML link integrity
node scripts/smoke-auth.js              # auth round-trip
node scripts/smoke-driver-share.js      # signed-token round-trip
```

If your change touches `api/_lib/inbox-intelligence/`,
`api/_lib/dispatch-*`, `api/_lib/contact-identity-graph.js` or
`api/_lib/access-approval.js`, also run any matching smoke scripts in
`scripts/`.

---

## Documentation that must stay in sync

| File                                      | When to update                                |
| ----------------------------------------- | --------------------------------------------- |
| `platform-architecture-and-ims-sops.html` | Every in-scope code change (rule above)       |
| `README.md`                               | New module, new env var, new top-level URL    |
| `.env.example`                            | Every new env var the platform reads          |
| `AUTOMATION.md`                           | Workflow changes in `.github/workflows/`      |
| `GO_LIVE.md`                              | New live integration or operational checklist |
| `END_USER_READINESS.md`                   | New user-facing capability                    |
| `docs/openapi-official-data-sources.yaml` | New / changed public API endpoint             |
| `docs/policies/D01–D04.md`                | Material change to scope / standards / owner  |
| `docs/ims/D05.md`, `docs/ims/D07.md`      | Material change to context or KPIs            |
| `SECURITY_HARDENING_ACTIONS.md`           | New security control or policy default change |

---

## Getting help

- Architecture questions → read `platform-architecture-and-ims-sops.html`
  end-to-end. It is the IMS source of truth.
- Visual architecture → `architecture-overview.html`,
  `whatsapp-hub-architecture.html`,
  `platform-visual-documentation.html`.
- Operational runbook → `GO_LIVE.md`.
- Stuck on the IMS pre-commit hook → re-read the section above, then read
  `.cursor/rules/keep-ims-manual-in-sync.mdc`.