Files

Sienna Meridian Satterwhite 25550e2165

fix(security): redact sensitive session IDs in marathonctl output

Addresses CodeQL cleartext-logging alerts (#1, #2, #3) by implementing
session ID redaction for CLI output.

Changes:
- Extract marathonctl into standalone crate (crates/marathonctl)
- Add session ID redaction showing only first 8 characters by default
- Add --show-sensitive/-s flag for full session IDs when debugging
- Implement beautiful ratatui-based UI module with inline viewport
- Add .envrc to .gitignore for secure token management
- Document GitHub token setup in CONTRIBUTING.md

The CLI now provides a secure-by-default experience while maintaining
debugging capabilities through explicit opt-in flags. Session IDs are
redacted to format "abc-def-..." unless --show-sensitive is specified.

UI module provides easy-to-use builder APIs (ui::table, ui::grid, ui::list)
that render beautiful terminal output without hijacking the terminal.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-07 19:15:10 +00:00

10 KiB

Raw Blame History

Contributing to Marathon

Thank you for your interest in contributing to Marathon! We're excited to work with you.

This document provides guidelines for contributing to the project. Following these guidelines helps maintain code quality and makes the review process smoother for everyone.

Code of Conduct
Getting Started
Development Environment Setup
How to Contribute
Coding Standards
Testing
Pull Request Process
Reporting Bugs
Suggesting Features
AI Usage Policy
Questions?

Code of Conduct

This project adheres to the Contributor Covenant Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to the project maintainers.

Getting Started

Fork the repository on GitHub
Clone your fork locally
Set up your development environment (see below)
Create a branch for your changes
Make your changes with clear commit messages
Test your changes thoroughly
Submit a pull request

Development Environment Setup

Prerequisites

Rust 2024 edition or later (install via rustup)
macOS (for macOS desktop and iOS development)
Xcode and iOS simulator (for iOS development)
Linux (for Linux desktop development)
Windows (for Windows desktop development)
Git for version control

Initial Setup

# Clone your fork
git clone https://github.com/user/marathon.git
cd marathon

# Add upstream remote
git remote add upstream https://github.com/r3t-studios/marathon.git

# Build the project
cargo build

# Run tests
cargo test

# Run the desktop demo
cargo run --package app

iOS Development Setup

For iOS development, see our detailed iOS Deployment Guide.

# Build for iOS simulator
cargo xtask ios-build

# Run on simulator
cargo xtask ios-run

Useful Commands

# Check code without building
cargo check

# Run clippy for linting
cargo clippy

# Format code
cargo fmt

# Run tests with output
cargo nextest run -- --nocapture

# Build documentation
cargo doc --open

Environment Variables with `.envrc`

Marathon uses direnv for managing environment variables. This is particularly useful for storing sensitive tokens like GitHub Personal Access Tokens (PAT).

Setup

Install direnv (if not already installed):

# macOS
brew install direnv

# Add to your shell profile (~/.zshrc or ~/.bashrc)
eval "$(direnv hook zsh)"  # or bash

Create .envrc file in the project root:

# The .envrc file is already gitignored for security
export GH_TOKEN=your_github_personal_access_token

Allow direnv to load the file:
```
direnv allow .
```

GitHub Token Setup

For working with security scanning alerts and other GitHub features:

Create a Personal Access Token at https://github.com/settings/tokens
Select the following scopes:
- ✅ repo (full control)
- ✅ security_events (read security events)

Add the token to your .envrc file:

export GH_TOKEN=github_pat_YOUR_TOKEN_HERE

The .envrc file is automatically ignored by git, so your tokens won't be committed.

How to Contribute

Types of Contributions

We welcome many types of contributions:

Bug fixes - Fix issues and improve stability
Features - Implement new functionality (discuss first in an issue)
Documentation - Improve or add documentation
Examples - Create new examples or demos
Tests - Add test coverage
Performance - Optimize existing code
Refactoring - Improve code quality

Before You Start

For bug fixes and small improvements, feel free to open a PR directly.

For new features or significant changes:

Open an issue first to discuss the proposal
Wait for maintainer feedback before investing significant time
Reference the issue in your PR

This helps ensure your work aligns with project direction and avoids duplicate effort.

Coding Standards

Rust Style

Follow the Rust API Guidelines
Follow the Rust Style Guide
Use cargo +nightly fmt to format code (run before committing)
Address all cargo clippy warnings
Use meaningful variable and function names
Add doc comments (///) for public APIs

Code Organization

Keep modules focused and cohesive
Prefer composition over inheritance
Use Rust's type system to enforce invariants
Avoid unnecessary unsafe code

Documentation

Add doc comments for all public types, traits, and functions
Include examples in doc comments when helpful
Update relevant documentation in /docs when making architectural changes
Keep README.md in sync with current capabilities

Commit Messages

Write clear, descriptive conventional commit messages:

Short summary (50 chars or less)

More detailed explanation if needed. Wrap at 72 characters.

- Bullet points are fine
- Use present tense ("Add feature" not "Added feature")
- Reference issues and PRs with #123

Good examples:

Add cursor synchronization to networking layer

Implement entity selection system for iOS

Fix panic in SQLite persistence during shutdown (#42)

Testing

Running Tests

# Run all tests
cargo nextest run

# Run tests for specific crate
cargo nextest run --package libmarathon

# Run specific test
cargo nextest run test_vector_clock_merge

# Run tests with output
cargo nextest run -- --nocapture

Writing Tests

Add unit tests in the same file as the code (in a mod tests block)
Add integration tests in tests/ directory
Test edge cases and error conditions
Keep tests focused and readable
Use descriptive test names: test_vector_clock_handles_concurrent_updates

Test Coverage

We aim for good test coverage, especially for:

CRDT operations and synchronization logic
Persistence layer operations
Network protocol handling
Error conditions and edge cases

You don't need 100% coverage, but core logic should be well-tested.

Pull Request Process

Before Submitting

Update your branch with latest upstream changes

git fetch upstream
git rebase upstream/mainline

Run the test suite and ensure all tests pass
```
cargo test
```
Run clippy and fix any warnings
```
cargo clippy
```
Format your code
```
cargo fmt
```
Update documentation if you changed APIs or behavior

Submitting Your PR

Push to your fork
```
git push origin your-branch-name
```
Open a pull request on GitHub
Fill out the PR template with:
- Clear description of what changed and why
- Link to related issues
- Testing performed
- Screenshots/videos for UI changes
Request review from maintainers

During Review

Be responsive to feedback
Make requested changes promptly
Push updates to the same branch (they'll appear in the PR)
Use "fixup" commits or force-push after addressing review comments
Be patient - maintainers are volunteers with limited time

After Approval

Maintainers will merge your PR
You can delete your branch after merging
Celebrate! 🎉 You're now a Marathon contributor!

Reporting Bugs

Before Reporting

Check existing issues to avoid duplicates
Verify it's a bug and not expected behavior
Test on the latest version from mainline branch

Bug Report Template

When opening a bug report, please include:

Description - What went wrong?
Expected behavior - What should have happened?
Actual behavior - What actually happened?
Steps to reproduce - Minimal steps to reproduce the issue
Environment:
- OS version (macOS version, iOS version)
- Rust version (rustc --version)
- Marathon version or commit hash
Logs/Stack traces - Error messages or relevant log output
Screenshots/Videos - If applicable

Security Issues

Do not report security vulnerabilities in public issues.

Please see our Security Policy for how to report security issues privately.

Suggesting Features

We welcome feature suggestions! Here's how to propose them effectively:

Before Suggesting

Check existing issues and discussions for similar ideas
Consider if it aligns with Marathon's goals (multiplayer game engine framework)
Think about the scope - is this a core feature or better as a plugin/extension?

Feature Request Template

When suggesting a feature, please include:

Problem statement - What problem does this solve?
Proposed solution - How would this feature work?
Alternatives considered - What other approaches did you think about?
Use cases - Real-world scenarios where this helps
Implementation ideas - Technical approach (if you have thoughts)

Feature Discussion

Maintainers will label feature requests as enhancement
We'll discuss feasibility, scope, and priority
Features that align with the roadmap are more likely to be accepted
You're welcome to implement features you propose (with approval)

AI Usage Policy

Marathon has specific guidelines around AI and ML tool usage. Please read our AI Usage Policy before contributing.

Key points:

AI tools (Copilot, ChatGPT, etc.) are allowed for productivity
You must understand and be accountable for all code you submit
Humans make all architectural decisions, not AI
When in doubt, ask yourself: "Can I maintain and debug this?"

Questions?

General questions - Open a Discussion
Bug reports - Open an Issue
Real-time chat - [Discord/Slack link if you have one]
Email - [maintainer email if appropriate]

Recognition

All contributors will be recognized in our release notes and can be listed in AUTHORS file (coming soon).

Thank you for contributing to Marathon! Your effort helps make collaborative software better for everyone.

10 KiB Raw Blame History