diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..5beb7df --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,61 @@ +name: ๐Ÿž Bug report +description: Report something that isn't working as expected +labels: ["bug"] +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to file a bug! Please fill out the sections + below so we can reproduce and fix it quickly. + - type: textarea + id: what-happened + attributes: + label: What happened? + description: A clear and concise description of the bug. + placeholder: When I spin the roulette in demo mode, ... + validations: + required: true + - type: textarea + id: steps + attributes: + label: Steps to reproduce + description: How can we reproduce the problem? + placeholder: | + 1. Go to '...' + 2. Click on '...' + 3. See error + validations: + required: true + - type: textarea + id: expected + attributes: + label: Expected behavior + description: What did you expect to happen instead? + validations: + required: true + - type: dropdown + id: mode + attributes: + label: Which mode? + description: Were you in demo mode or real mode (signed in with a token)? + options: + - Demo mode (?demo=1) + - Real mode (signed in) + - Not sure / both + validations: + required: true + - type: input + id: environment + attributes: + label: Environment + description: Browser, OS, and whether it was local (`npm run dev`) or deployed. + placeholder: Chrome 124 on macOS, deployed on Vercel + validations: + required: false + - type: textarea + id: extra + attributes: + label: Anything else? + description: Screenshots, console errors, or other context. Do NOT paste your daily.dev API token. + validations: + required: false diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..766136f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml 
@@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: ๐Ÿ”’ Report a security vulnerability + url: https://github.com/finallyjay/daily-dev-roulette/security/advisories/new + about: Please report security issues privately, not as public issues. See SECURITY.md. + - name: ๐Ÿ’ฌ Questions & ideas + url: https://github.com/finallyjay/daily-dev-roulette/discussions + about: Ask questions or discuss ideas in Discussions (if enabled). diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..c1e37bb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,32 @@ +name: ๐Ÿ’ก Feature request / new roulette mode +description: Suggest an improvement or a new roulette mode +labels: ["enhancement"] +body: + - type: markdown + attributes: + value: | + Got an idea for a new roulette mode or an improvement? Tell us about it! + daily.dev's Public API exposes feeds, follows, and tech stack โ€” all + candidates for future modes. + - type: textarea + id: problem + attributes: + label: What's the idea? + description: Describe the feature or roulette mode you'd like to see. + placeholder: A "Feeds Roulette" that ... + validations: + required: true + - type: textarea + id: motivation + attributes: + label: Why is it useful? + description: What problem does it solve, or what makes it fun? + validations: + required: true + - type: textarea + id: alternatives + attributes: + label: Alternatives considered + description: Any other approaches you thought about? + validations: + required: false diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..cb6b744 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,37 @@ + + +## What does this PR do? + + + +## Related issue + + + +Closes # + +## Type of change + +- [ ] ๐Ÿž Bug fix +- [ ] โœจ New feature / new roulette mode +- [ ] ๐Ÿงน Refactor / cleanup +- [ ] ๐Ÿ“ Docs +- [ ] Other: + +## How was this tested? + +- [ ] `npm run build` succeeds +- [ ] Tested manually in **demo mode** (`/roulette?demo=1`) +- [ ] Tested manually in **real mode** (signed in with a token) โ€” if applicable + + + +## Checklist + +- [ ] My change follows the existing code style and stays focused. +- [ ] I did not log, expose, or commit any daily.dev API token or secret. +- [ ] Token handling (if touched) stays server-side in `src/lib/` / `src/pages/api/`. +- [ ] I updated docs (README/CONTRIBUTING) if behavior or setup changed. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..e882b52 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,62 @@ +# Code of Conduct + +## Our pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our standards + +Examples of behavior that contributes to a positive environment: + +- Demonstrating empathy and kindness toward other people. +- Being respectful of differing opinions, viewpoints, and experiences. +- Giving and gracefully accepting constructive feedback. +- Accepting responsibility, apologizing to those affected by our mistakes, and + learning from the experience. +- Focusing on what is best not just for us as individuals, but for the overall + community. + +Examples of unacceptable behavior include harassment of any kind, trolling or +insulting comments, personal or political attacks, publishing others' private +information without permission, and any other conduct which could reasonably be +considered inappropriate in a professional setting. + +## Enforcement responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. 
+ +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +**finallyjay@gmail.com**. All complaints will be reviewed and investigated +promptly and fairly. Community leaders are obligated to respect the privacy and +security of the reporter of any incident. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. + +[homepage]: https://www.contributor-covenant.org diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..8481480 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,71 @@ +# Contributing to daily.dev Roulette + +Thanks for your interest in contributing! This project started as a daily.dev +hackathon hack, and it's built to grow โ€” the long-term idea is a hub of +"roulette" modes, so new modes and improvements are very welcome. + +## Code of Conduct + +This project follows the [Contributor Covenant](./CODE_OF_CONDUCT.md). By +participating, you're expected to uphold it. Report unacceptable behavior to +**finallyjay@gmail.com**. + +## Getting started + +```bash +git clone https://github.com/finallyjay/daily-dev-roulette.git +cd daily-dev-roulette +npm install +npm run dev # http://localhost:4321 +``` + +No environment variables are required โ€” **demo mode** (`/roulette?demo=1`) runs +entirely in the browser on a fake bookmark pile, so you can develop without a +daily.dev Plus account or token. + +Optionally, copy `.env.example` to `.env` and set `DAILY_TOKEN` to power the +"Try the demo" button with a real token (see the file for details). + +## Project layout + +See the **Architecture** section of the [README](./README.md) for a file-by-file +map. In short: + +- `src/pages/` โ€” routes (hub, roulette, and the `api/` server proxy) +- `src/lib/` โ€” server-only daily.dev client, session/auth, and demo data +- `src/layouts/` โ€” shared shell + +## Making a change + +1. **Open an issue first** for anything non-trivial, so we can agree on the + approach before you invest time. +2. Create a branch off `main`: `git checkout -b my-feature`. +3. Keep changes focused โ€” one logical change per pull request. +4. Match the existing style: TypeScript, Astro components, and the current + formatting/naming conventions. No formatter config is enforced yet, so just + keep diffs clean and consistent with surrounding code. +5. **Test your change manually**: run `npm run dev` and exercise both demo mode + and (if you have Plus) real mode. Run `npm run build` to confirm the + production build passes. 
+ +## Security + +The daily.dev token is sensitive. Never log it, never expose it to client JS, +and keep all token handling inside the server-side `src/lib/` and `src/pages/api/` +code. If you find a vulnerability, please follow [SECURITY.md](./SECURITY.md) +instead of opening a public issue. + +## Pull requests + +- Fill out the pull request template. +- Reference the issue your PR addresses (e.g. "Closes #12"). +- Make sure `npm run build` succeeds. +- Be patient and kind in review โ€” this is a small, friendly project. + +## Ideas for new roulette modes + +daily.dev's Public API exposes more than bookmarks (feeds, follows, tech stack). +Those are great candidates for future roulette modes โ€” see the **API notes** in +the README and `spike/spike.mjs` for a standalone API probe. + +Thanks for helping put daily.dev habits on the line, one spin at a time. ๐ŸŽฒ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..bc3df4b --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2026 Jay (finallyjay) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..34cbafe --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported versions + +This is a small hackathon project under active, informal development. Only the +latest `main` branch is supported โ€” security fixes land there. + +| Version | Supported | +| ------- | --------- | +| `main` | โœ… | +| older | โŒ | + +## Reporting a vulnerability + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, report them privately so they can be fixed before disclosure: + +- Preferred: open a [private security advisory](https://github.com/finallyjay/daily-dev-roulette/security/advisories/new) + on GitHub, **or** +- Email **finallyjay@gmail.com** with the details. + +Please include: + +- A description of the vulnerability and its impact. +- Steps to reproduce (a proof of concept if possible). +- Any suggested remediation. + +You can expect an initial acknowledgement within a few days. Once the issue is +confirmed and fixed, we're happy to credit you in the release notes unless you +prefer to stay anonymous. + +## Scope and sensitive data + +The most sensitive asset in this app is the **daily.dev API token**: + +- The token is validated server-side and stored in an **httpOnly cookie**, so it + is never exposed to client-side JavaScript. +- All daily.dev API calls are proxied through Astro server routes + (`src/pages/api/`), so the token never reaches the browser and there are no + CORS workarounds. + +Reports about token leakage, session handling, the server-side proxy, or any way +to exfiltrate the token are especially appreciated. diff --git a/package.json b/package.json index 9a5cc1f..c0ef498 100644 --- a/package.json +++ b/package.json @@ -3,6 +3,7 @@ "type": "module", "version": "0.1.0", "private": true, + "license": "MIT", "scripts": { "dev": "astro dev", "build": "astro build",
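Review bot: in `.github/ISSUE_TEMPLATE/bug_report.yml` the only warning against pasting the daily.dev API token sits in the description of the optional `extra` field, while reporters are just as likely to paste console output or request details into the required `what-happened` and `steps` textareas. Move the warning into the opening `markdown` block, or repeat it on `steps`, so it is read before anything is typed. It is also worth saying there that a token pasted into an issue should be revoked, not just edited out of the text.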
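Review bot: in `.github/ISSUE_TEMPLATE/config.yml` both `contact_links` entries depend on repository settings that this patch cannot turn on. The `security/advisories/new` URL is only usable by outside reporters when private vulnerability reporting is enabled for the repository, and the Discussions entry is itself labelled "(if enabled)", so it may lead nowhere. With `blank_issues_enabled: false`, a dead link leaves a reporter with only the public bug and feature forms; confirm both features are enabled before merging, or drop the Discussions entry until it is.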
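Review bot: in `CONTRIBUTING.md`, "Getting started" tells contributors to copy `.env.example` to `.env` and set `DAILY_TOKEN`, but nothing in the text says `.env` must stay out of commits, and this diff does not touch `.gitignore`. Add a sentence stating that `.env` is git-ignored, and verify that it is. The same paragraph is hard to square with the one before it: demo mode is described as running entirely in the browser on a fake bookmark pile, yet `DAILY_TOKEN` is said to power the "Try the demo" button with a real token. Say whose account data that button serves when the variable is set on a deployment.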
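Review bot: in `SECURITY.md`, "Scope and sensitive data" says the token is stored in an httpOnly cookie and, in the next bullet, that "the token never reaches the browser". Both cannot be literally true if the cookie value is the token itself, because a cookie is held by the browser and sent with every request; httpOnly only keeps it away from client-side JavaScript. Reword to say which it is: the raw token in the cookie, or an opaque session id with the token kept server-side. Since the `src/pages/api/` proxy routes act on that cookie, the policy should also state its `Secure` and `SameSite` attributes.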