Thank you for your interest in contributing. CWI is a civic AI tool — contributions that improve the quality of AI-assisted constituency case work, strengthen security, or improve reliability are especially welcome.
## Before you start

- Check the open issues to avoid duplicating work
- For significant changes, open an issue first to discuss the approach before writing code
- Read `SECURITY_FRAMEWORK.md` before touching anything in `api/server.js` — every AI endpoint has specific security controls that must be preserved
## Prerequisites

- Docker and Docker Compose
- Node.js 20 (see `.nvmrc`)
- Ollama running `gemma4:e2b` locally or on the network
## Setup

```bash
# Install frontend dependencies
npm install

# Copy environment config
cp .env.example .env
# Edit .env — set OLLAMA_ENDPOINT and admin credentials

# Start with Docker Compose
docker compose up -d

# Or run frontend dev server directly (hot reload)
npm run dev
```

The app runs at http://localhost:5173 (dev) or http://localhost:3081 (Docker).
## Code style

- TypeScript for all frontend code; no `any` without a comment explaining why
- `'use strict'` in all Node.js files
- Comments explain why, not what — remove commented-out code before submitting
## Security checklist

Every PR that touches AI-related code must confirm the following are still in place:

- All AI calls route through `cwi-ai-proxy` — no direct browser-to-Ollama calls
- System prompt defined only in `api/server.js`
- All user input passes through `sanitize()` before Ollama
- `maskPII()` applied to all user-supplied text
- `sanitizeOutput()` applied before returning AI text to client
- Canary token detection present in every endpoint returning AI text
- `auditLog()` called on success and error paths
- `npm audit --audit-level=high` passes for frontend and proxy
These are merge blockers. A PR that disables or weakens any of these controls will not be merged regardless of other improvements it contains.
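To show how the checklist items fit together in one request path, here is an added example that is not CWI's own code: a plain Node.js function, with no web framework, that applies the controls in order. The names `sanitize`, `maskPII`, `sanitizeOutput` and `auditLog` come from the checklist above, but their bodies here are illustrative stand-ins, not the implementations in `api/server.js`; the canary value, the PII patterns and the `callModel` stand-in for the Ollama call are assumptions.

```javascript
// Added example (not CWI's own code): the control chain the checklist requires,
// written as a plain function with no web framework so it runs stand-alone.
// sanitize, maskPII, sanitizeOutput and auditLog are the checklist's names; the
// bodies below are illustrative stand-ins, not the project's implementations.

// Constructed canary value. A deployment should generate a random one at start-up;
// if it ever appears in model output, the system prompt has leaked and the
// response is withheld rather than returned to the client.
const CANARY = 'cwi-canary-7f3a9c1e2b4d';
const SYSTEM_PROMPT =
  `You help draft replies for constituency case work. Internal marker: ${CANARY}`;

// In-memory audit sink so the success and error paths can be checked.
const auditEntries = [];
function auditLog(event, details) {
  auditEntries.push({ ts: new Date().toISOString(), event, ...details });
}

// Illustrative sanitize(): drop control characters (keeping tab and newline) and bound length.
function sanitize(text) {
  if (typeof text !== 'string') throw new TypeError('input must be a string');
  return text.replace(/[\u0000-\u0008\u000B-\u001F\u007F]/g, '').slice(0, 4000);
}

// Illustrative maskPII(): constructed patterns for e-mail addresses, UK phone numbers
// and National Insurance numbers, replaced before the text reaches the model.
const PII_PATTERNS = [
  [/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, '[EMAIL]'],
  [/\b0(?:\d[ -]?){9}\d\b/g, '[PHONE]'],
  [/\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b/g, '[NINO]'],
];
function maskPII(text) {
  return PII_PATTERNS.reduce((t, [re, token]) => t.replace(re, token), text);
}

// Illustrative sanitizeOutput(): HTML-escape so the client renders model text as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function sanitizeOutput(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// callModel(systemPrompt, userText) -> string stands in for the proxy's Ollama call
// (synchronous here so the chain is easy to test; the real call is asynchronous).
function handleAiRequest(rawInput, callModel) {
  const input = maskPII(sanitize(rawInput));
  try {
    const raw = callModel(SYSTEM_PROMPT, input);
    if (raw.includes(CANARY)) {
      // Canary detection: never forward a response that carries the marker.
      auditLog('canary_triggered', { inputLength: input.length });
      return { ok: false, error: 'response withheld' };
    }
    const output = sanitizeOutput(raw);
    auditLog('ai_success', { inputLength: input.length, outputLength: output.length });
    return { ok: true, output };
  } catch (err) {
    // Error path is audited too, and the client gets a generic message only.
    auditLog('ai_error', { message: err.message });
    return { ok: false, error: 'model unavailable' };
  }
}

// Stand-alone demo with a fake model that echoes its input back.
console.log(handleAiRequest('Please call me on 07700 900123', (sys, user) => `Draft: ${user}`));
```

The point of the ordering is that the model only ever sees sanitised, masked text, the client only ever sees escaped text, and both the success and the failure branches leave an audit record; a reviewer checking a PR against the list can look for exactly these four points in each endpoint.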
## Commit messages

Follow conventional commits:

```
feat: add agency routing confidence threshold
fix: handle empty causality graph gracefully
docs: update SECURITY_FRAMEWORK rate limit table
refactor: extract PII patterns to constants file
```
First line: imperative mood, 50 characters max. No period at the end.
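As an added example (not tooling from the CWI project), the mechanical parts of these rules can be checked in a git `commit-msg` hook. The list of allowed types is an assumption taken from the four examples above; imperative mood cannot be checked by pattern, so the hook leaves that to review.

```javascript
// Added example (not CWI's own tooling): checks the first line of a commit message
// against the rules above. Usable as .git/hooks/commit-msg.

// Assumed from the examples shown; extend to match the project's own list.
const TYPES = ['feat', 'fix', 'docs', 'refactor'];
// "type: summary", with an optional "(scope)" as conventional commits allow.
const HEADER = /^([a-z]+)(?:\([^)]+\))?: (.+)$/;
const MAX_FIRST_LINE = 50;

// Returns a list of problems; an empty list means the message passes.
function checkCommitMessage(message) {
  const first = message.split('\n')[0];
  const problems = [];
  if (first.length > MAX_FIRST_LINE) {
    problems.push(`first line is ${first.length} characters (max ${MAX_FIRST_LINE})`);
  }
  if (first.endsWith('.')) problems.push('first line must not end with a period');
  const m = HEADER.exec(first);
  if (!m) {
    problems.push('first line must look like "type: summary"');
  } else if (!TYPES.includes(m[1])) {
    problems.push(`unknown type "${m[1]}" (expected one of ${TYPES.join(', ')})`);
  }
  // Imperative mood is not pattern-checkable; reviewers cover that.
  return problems;
}

// As a hook: git passes the path of the message file as the first argument.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const problems = checkCommitMessage(fs.readFileSync(process.argv[2], 'utf8'));
  if (problems.length > 0) {
    console.error('commit message rejected:\n  ' + problems.join('\n  '));
    process.exit(1);
  }
}
```

Install by copying the file to `.git/hooks/commit-msg` and making it executable; git aborts the commit when the script exits non-zero.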
## Branch names

```
feature/agency-routing-threshold
fix/empty-causal-graph-crash
docs/security-framework-update
```
## Pull request process

- Fork the repository and create your branch from `main`
- Run `npm audit --audit-level=high` and fix any high or critical CVEs before submitting
- Fill in the pull request template completely
- Link to the issue your PR resolves (use `Closes #123` in the description)
- A PR is ready for review when all checklist items are checked — do not submit with open items
## What will not be merged

- Code that bypasses or weakens any security control listed in `SECURITY_FRAMEWORK.md`
- Changes that introduce direct browser-to-Ollama communication
- Features that enable automatic transmission of AI-generated correspondence without explicit human action
- Dependencies with known high or critical CVEs
## Questions

Open a Discussion for questions that are not bug reports or feature requests.