Contributing

Thanks for contributing! Here's how to get started:

  1. Open an issue to discuss the proposed change
  2. Fork the repo and create a branch from main
  3. Implement the change with tests
  4. Make sure bundle exec rake passes (linting + tests)
  5. Open a pull request targeting main

Setup

git clone git@github.com:fluence-eu/fluence-gateway-auth.git
cd fluence-gateway-auth
bin/setup

Requires Ruby 3.2+.

Development

Running tests and linting

bundle exec fluence-ci all              # full catalog (lint + security + codequality + docs + tests)
bundle exec fluence-ci lint             # rubocop only
bundle exec fluence-ci tests            # rspec only
bundle exec fluence-ci docs --report    # yardstick threshold check
bundle exec fluence-ci docs --build     # generate YARD HTML in doc/
bundle exec rubocop -a                  # auto-fix linting (no fluence-ci equivalent)

Interactive console

bin/console

Commit Convention

This project follows Conventional Commits.

Format

<type>(<scope>): <description>

[body]

[footer(s)]

Types

Type Description
feat New feature
fix Bug fix
docs Documentation only changes
style Formatting changes (whitespace, commas, etc.) — no logic
refactor Code change that neither fixes a bug nor adds a feature
perf Performance improvement
test Adding or updating tests
build Changes to build system or dependencies
ci CI/CD configuration changes
chore Other changes that don't modify source or tests
revert Revert a previous commit

Scope

Optional — indicates the area of the project affected:

  • feat(middleware): add request logging
  • fix(authentication): handle missing headers
  • refactor(config): simplify ENV fallback

Description

  • Imperative mood ("add", not "adds" or "added")
  • No capital letter at the start
  • No period at the end
  • Maximum 72 characters

Body (optional)

  • Use bullet points with - for multiple items
  • Explain why, not what (the diff speaks for itself)

Breaking Changes

Non-backward-compatible changes must be flagged with:

  • A ! after the type/scope: feat(middleware)!: change signature format
  • And/or a BREAKING CHANGE: footer in the body

Examples

feat(middleware): add request logging

fix(authentication): handle missing body in GET requests

- request.body can be nil for GET/DELETE requests
- use safe navigation to avoid NoMethodError

feat(config)!: require explicit hmac_secret configuration

BREAKING CHANGE: hmac_secret no longer defaults to a dev value,
applications must set it explicitly or via ENV.

Branching Model

  • main — default branch. All feature branches are created from here, and all PRs target this branch.
  • Never push directly to main — always create a feature branch and open a PR.

Pull Request Convention

PR Title

  • Same format as commits: <type>(<scope>): <description>
  • Under 72 characters

PR Classification

Level Criteria Description requirements
Critical Breaking change, security fix Full description — summary, changes, impact, rollback plan, how to test
Major New feature, significant refactor Summary + changes + how to test
Minor Small bug fix, config tweak, dependency bump Summary + changes (1-2 lines each)
Trivial Documentation, formatting, comment update One-line summary is enough

PR Description by Level

Critical / Major

## Summary
<What and why in 2-3 sentences>

## Changes
- <change 1>
- <change 2>

## How to Test
1. <step 1>
2. <step 2>

For Critical PRs, also add:

## Impact
- <what parts of the system are affected>

## Rollback Plan
- <how to safely revert if something goes wrong>

Minor

## Summary
<One sentence>

## Changes
- <change 1>

Trivial

A one-line summary in the PR body is sufficient.

Rules

  • One topic per PR — don't mix unrelated changes
  • All tests must pass (bundle exec rake)
  • New code must include tests
  • Never commit secrets or credentials

Architecture

lib/fluence-gateway-auth.rb             # Gem entry point
lib/fluence/gateway/auth.rb             # Namespace + require tree
lib/fluence/gateway/auth/
  configuration.rb                      # Gem configuration (user_model, hmac_secret)
  errors.rb                             # Error classes (SignatureError, etc.)
  gateway_authentication.rb             # Controller concern (current_<scope>, authenticate_<scope>!)
  gateway_connection.rb                 # ActionCable concern (current_<scope> on WebSocket)
  middleware.rb                         # Rack middleware (HMAC-SHA256 signature verification)
  railtie.rb                            # Auto-registers middleware and controller concern
  test_helpers.rb                       # RSpec/Minitest helpers (skip_middleware, fake headers)
  version.rb                            # Semantic version (bumped by release workflow)
lib/generators/
  fluence_gateway_auth/
    install_generator.rb                # rails generate fluence_gateway_auth:install
  templates/
    initializer.rb                      # Config initializer template
  • Middleware operates at Rack level — rejects invalid signatures before Rails
  • GatewayAuthentication concern resolves the user from headers at controller level
  • GatewayConnection concern resolves the user on ActionCable WebSocket upgrades
  • Railtie auto-registers middleware and concerns — no manual setup needed
  • TestHelpers skips HMAC verification and provides header builders for specs
  • Generator creates the initializer and optional migration

Tests

  • Framework: RSpec (spec/**/*_spec.rb)
  • HTTP stubs via WebMock (no real HTTP requests in tests)
  • All new code must be tested
  • YARD-style doc comments on all public methods

Code Conventions

  • frozen_string_literal: true on every Ruby file
  • Strings: single quotes (unless interpolation is needed)
  • RuboCop: no rule disabling without justification
  • Version in lib/fluence/gateway/auth/version.rb — do not modify unless for an explicit release
  • YARD-style doc comments on all public methods

CI

GitHub Actions:

  • main.yml — runs on every PR: RuboCop + RSpec across Ruby 3.2, 3.3, 3.4, 4.0
  • docs-deploy.yml — builds the YARD site and publishes to GitHub Pages on main
  • docs-measure.yml, docs-pr.yml — yardstick baseline on main + sticky coverage-delta comment on PRs
  • rubocop-measure.yml, rubocop-pr.yml — RuboCop offense baseline + sticky offense-delta comment on PRs
  • coverage-measure.yml, coverage-pr.yml — coverage baseline + undercover regression check
  • codequality-measure.yml, codequality-pr.yml — reek/flog/flay advisory deltas
  • prepare-release.ymlworkflow_dispatch bump (patch/minor/major) opens an auto-merged release PR
  • release.yml — on release PR merge, creates the tag + GitHub Release with the .gem attached
  • publish.yml — on Release published, pushes the gem to GitHub Packages

AI-Assisted Contributions

When using AI tools (Claude, Copilot, etc.) to generate commits or PRs:

  • Classify first — determine if the change is critical, major, minor, or trivial
  • Focus on the "why" — the diff already shows the "what"
  • Skip boilerplate — don't add empty sections or placeholder text

The person opening the PR takes full responsibility for the code. Before submitting:

  • [ ] I have read and understood every line of code in this PR
  • [ ] I can explain why each change was made
  • [ ] I have tested the changes locally

Do not add AI co-author lines (Co-Authored-By), "Generated with" footers, or any AI attribution in commits or PR descriptions.