Thank you for your interest in contributing to this Zero-Trust IAM reference implementation.

Prerequisites:

- Python 3.12+
- Docker & Docker Compose
- Poetry (for dependency management)
Development setup:

```bash
# Clone the repository
git clone https://github.com/laugiov/iam-zero-trust-reference.git
cd iam-zero-trust-reference

# Install dependencies
poetry install

# Copy environment template
cp .env.example .env

# Generate an RSA key pair for JWT signing (local development only;
# the private key must never be committed or copied into .env.example)
openssl genrsa -out /tmp/private.pem 2048
openssl rsa -in /tmp/private.pem -pubout -out /tmp/public.pem

# Add keys to .env (follow instructions in .env.example)

# Run tests
poetry run pytest
```

Branch names follow the pattern `<type>/<description>`:

- `feat/<description>` - New features
- `fix/<description>` - Bug fixes
- `docs/<description>` - Documentation updates
- `security/<description>` - Security improvements
We follow Conventional Commits:

```text
feat: add OIDC token refresh support
fix: correct tenant validation logic
docs: update authorization model documentation
security: add audit logging for denied requests
```
Before submitting a pull request:

```bash
# Format code
poetry run black .

# Lint
poetry run ruff check .

# Security scan
poetry run bandit -r iam

# Run tests with coverage (the checklist below requires at least 75%;
# adding --cov-fail-under=75 makes pytest exit non-zero when the total drops below it)
poetry run pytest --cov=iam --cov-report=term-missing
```

Contribution workflow:

- Fork the repository
- Create a feature branch from `main`
- Make your changes
- Ensure all tests pass and coverage is maintained
- Update documentation if needed
- Submit a pull request
Pull request checklist:

- Tests added/updated
- Documentation updated
- No secrets or sensitive data committed
- Code formatted with Black
- Linting passes (Ruff, Bandit)
- Coverage maintained (minimum 75%)
This is a Zero-Trust IAM reference project. When contributing:
- Never commit secrets - use environment variables
- Validate all inputs - use Pydantic models with `extra="forbid"` so undeclared fields are rejected rather than silently dropped
- No PII in logs - log only the `trace_id` for correlation
- Secure defaults - fail closed, not open
- Short token TTL - keep JWT expiration minimal
See SECURITY.md for the security policy.
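The three validation rules above (reject undeclared input, fail closed, keep token lifetimes short) fit in one small module. The following is an added example written for this page, not code from the iam-zero-trust-reference project. The project asks for Pydantic with `extra="forbid"`; to run without extra dependencies this block implements that same "nothing undeclared gets through" rule with the standard library. The request schema, the 300-second `MAX_TOKEN_TTL`, the 30-second `CLOCK_SKEW` and all function names are assumptions made for the example.

```python
from __future__ import annotations

import time
from typing import Any, Callable

# Declared fields of a hypothetical "issue token" request body.
# Illustrative schema for this example, not a model from the project.
TOKEN_REQUEST_SCHEMA: dict[str, type] = {
    "tenant_id": str,
    "subject": str,
    "scopes": list,
}

# Longest access-token lifetime this example accepts (seconds) and the clock
# skew tolerated between issuer and verifier. Both are assumptions made for
# the example; the project only says the TTL should be minimal.
MAX_TOKEN_TTL = 300
CLOCK_SKEW = 30


class ValidationError(ValueError):
    """Raised on any input that is not exactly what was declared."""


def strict_parse(payload: Any, schema: dict[str, type]) -> dict[str, Any]:
    """Stdlib equivalent of a Pydantic model with extra="forbid".

    Every declared field must be present with the declared type, and any
    undeclared field is an error rather than being ignored, so a client
    cannot add a field such as "is_admin" and hope something downstream
    honours it.
    """
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - set(schema)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = set(schema) - set(payload)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    for name, expected in schema.items():
        value = payload[name]
        # bool is a subclass of int in Python; never let True/False pass
        # for a field declared as any other type.
        if isinstance(value, bool) and expected is not bool:
            raise ValidationError(f"field {name!r} must be {expected.__name__}")
        if not isinstance(value, expected):
            raise ValidationError(f"field {name!r} must be {expected.__name__}")
    return dict(payload)


def _is_number(value: Any) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_claims(claims: dict[str, Any], now: float | None = None) -> dict[str, Any]:
    """Fail-closed check of JWT claims whose signature was already verified.

    A missing 'sub', 'iat' or 'exp' is a rejection (no defaults are filled
    in), and so is a lifetime longer than MAX_TOKEN_TTL even when the token
    has not expired yet: a long-lived token is a policy violation, not a
    valid token.
    """
    now = time.time() if now is None else now
    for required in ("sub", "iat", "exp"):
        if required not in claims:
            raise ValidationError(f"missing claim {required!r}")
    iat, exp = claims["iat"], claims["exp"]
    if not (_is_number(iat) and _is_number(exp)):
        raise ValidationError("iat and exp must be numeric")
    if exp <= iat:
        raise ValidationError("exp must be later than iat")
    if exp - iat > MAX_TOKEN_TTL:
        raise ValidationError(f"lifetime {exp - iat:.0f}s exceeds {MAX_TOKEN_TTL}s")
    if iat > now + CLOCK_SKEW:
        raise ValidationError("token issued in the future")
    if now > exp + CLOCK_SKEW:
        raise ValidationError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and (not _is_number(nbf) or nbf > now + CLOCK_SKEW):
        raise ValidationError("token not yet valid")
    return claims


def rejects(check: Callable[..., Any], *args: Any) -> bool:
    """True if check(*args) fails closed with ValidationError."""
    try:
        check(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs for a local run.
    good_body = {"tenant_id": "acme", "subject": "alice", "scopes": ["read"]}
    print(strict_parse(good_body, TOKEN_REQUEST_SCHEMA))
    print(rejects(strict_parse, {**good_body, "is_admin": True}, TOKEN_REQUEST_SCHEMA))
    t0 = 1_700_000_000
    print(validate_claims({"sub": "alice", "iat": t0, "exp": t0 + 120}, t0 + 60)["sub"])
    print(rejects(validate_claims, {"sub": "alice", "iat": t0, "exp": t0 + 3600}, t0 + 60))
```

Note that `validate_claims` takes `now` as a parameter rather than reading the clock internally; that is what makes expiry and skew handling testable at fixed timestamps, and it is the same reason a verifier should reject on any missing claim instead of defaulting it.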
Open an issue for questions about contributing or the codebase.
Thank you for helping make this project better!