Contributing
Workflow
Section titled “Workflow”AI Gateway uses a fork-and-branch workflow:
- Fork the repository on GitHub.
- Clone your fork locally and run
mise run install. - Create a feature branch from
main(e.g.,feat/bedrock-streaming). - Make your changes and commit using Conventional Commits format.
- Push your branch and open a pull request against
main. - All CI checks must pass and a CODEOWNERS review is required before merge.
Conventional Commits
Section titled “Conventional Commits”Every commit message must follow the Conventional Commits format. The commit-msg git hook enforces this automatically.
<type>(<scope>): <description>Supported types:
| Type | When to Use |
|---|---|
feat | A new feature |
fix | A bug fix |
docs | Documentation changes only |
style | Formatting, whitespace (no logic change) |
refactor | Code restructuring (no feature change, no bug fix) |
perf | Performance improvement |
test | Adding or updating tests |
build | Build system or external dependency changes |
ci | CI/CD pipeline changes |
chore | Maintenance tasks (tooling, config) |
revert | Reverting a previous commit |
Examples:
git commit -m "feat(auth): add Cognito custom scope validation"git commit -m "fix(compute): correct OTel sidecar memory limit"git commit -m "docs(adr): add ADR-008 for rate limiting strategy"git commit -m "ci: upgrade trivy action to v0.36"Git Hooks
Section titled “Git Hooks”Lefthook manages git hooks. All hooks within each stage run in parallel for speed.
Pre-commit (runs on every commit)
Section titled “Pre-commit (runs on every commit)”| Check | Scope | Auto-fixes |
|---|---|---|
| ruff lint | *.py staged files | Yes (stages fixed files) |
| ruff format | *.py staged files | Yes (stages fixed files) |
| pyright | src/ | No |
| gitleaks | Staged changes | No |
| hadolint | Dockerfile* staged files | No |
| terraform fmt | infrastructure/**/*.tf | No (check only) |
| terraform validate | infrastructure/**/*.tf | No |
| terraform-docs | infrastructure/**/*.tf | Yes (regenerates and stages README) |
Pre-push (runs before push)
Section titled “Pre-push (runs before push)”| Check | Scope |
|---|---|
| pytest | tests/ (fail-fast mode) |
| semgrep | Full repository (OWASP Top 10 rules) |
| checkov | infrastructure/ (Terraform framework) |
| trivy fs | Full repository (HIGH + CRITICAL) |
Commit-msg
Section titled “Commit-msg”Validates that the commit message matches Conventional Commits format. Rejects commits that do not match.
Running Quality Gates Locally
Section titled “Running Quality Gates Locally”Use mise run to execute any project task. The most common workflows:
# Run the full CI pipeline locally (lint + typecheck + test + security)mise run ci
# Individual checksmise run lint # ruff check + format checkmise run typecheck # pyright on src/mise run test # pytest on tests/mise run security # all security scans (SAST, secrets, IaC, Dockerfile, trivy fs)
# Format code (auto-fix)mise run format # ruff format + ruff check --fix + terraform fmt
# Terraform operationsmise run tf:validate # terraform init + validatemise run tf:plan # terraform init + planmise run tf:fmt # terraform fmt -recursivemise run tf:docs # regenerate infrastructure/README.mdProject Task Reference
Section titled “Project Task Reference”All tasks are defined in mise.toml and run with mise run <task>.
Core Tasks
Section titled “Core Tasks”| Task | Description |
|---|---|
install | Install all project dependencies and git hooks |
dev | Run the API gateway in development mode (uvicorn, port 8000) |
test | Run test suite with pytest |
lint | Run ruff linter and format check |
format | Auto-format Python (ruff) and Terraform (fmt) |
typecheck | Run pyright type checker on src/ |
Security Tasks
Section titled “Security Tasks”| Task | Description |
|---|---|
security | Run all security scans (depends on all sub-tasks below) |
security:sast | SAST scan with semgrep (OWASP Top 10, security audit) |
security:secrets | Secret detection with gitleaks |
security:iac | IaC security scan with checkov (Terraform framework) |
security:dockerfile | Lint Dockerfiles with hadolint |
security:image | Scan container image with trivy (HIGH + CRITICAL) |
security:fs | Filesystem vulnerability scan with trivy |
Terraform Tasks
Section titled “Terraform Tasks”| Task | Description |
|---|---|
tf:init | Initialize Terraform |
tf:plan | Terraform plan (depends on tf:init) |
tf:fmt | Format Terraform files recursively |
tf:validate | Validate Terraform configuration (depends on tf:init) |
tf:docs | Generate Terraform documentation with terraform-docs |
Terragrunt Tasks
Section titled “Terragrunt Tasks”| Task | Description |
|---|---|
tg:init | Terragrunt init for a specific environment |
tg:plan | Terragrunt plan for a specific environment |
tg:plan-all | Terragrunt plan all environments |
tg:validate-all | Terragrunt validate all environments |
CI Tasks
Section titled “CI Tasks”| Task | Description |
|---|---|
ci | Full CI pipeline (lint, typecheck, test, security) |
ci:lint | Validate GitHub Actions workflows with actionlint |
ci:validate | Validate all CI + quality gates in one shot |
Documentation Tasks
Section titled “Documentation Tasks”| Task | Description |
|---|---|
docs:serve | Serve documentation locally with hot reload |
docs:build | Build documentation site |
Pull Request Requirements
Section titled “Pull Request Requirements”Before a PR can be merged:
- All CI jobs must pass — quality, SAST, IaC security, and container security.
- CODEOWNERS review —
@theagenticguyis the default owner for all files. Infrastructure changes (infrastructure/) require explicit review. - Dependency review — The dependency-review workflow blocks PRs that introduce HIGH/CRITICAL vulnerabilities or GPL-3.0/AGPL-3.0 licensed dependencies.
- Conventional commit messages — Every commit in the PR must follow the format.
Adding New Terraform Modules
Section titled “Adding New Terraform Modules”Follow the existing module pattern:
- Create a directory under
infrastructure/modules/<module-name>/. - Add three files following the standard structure:
variables.tf— Input variables with descriptions and types.main.tf— Resource definitions.outputs.tf— Output values with descriptions.
- Wire the module in
infrastructure/main.tfwith explicit dependency ordering. - Add any new root-level variables in
infrastructure/variables.tf. - Run
mise run tf:docsto regenerate the infrastructure README. - Run
mise run tf:validateto confirm the module is valid.
Adding New Python Code
Section titled “Adding New Python Code”- Place source code in
src/and tests intests/. - Follow the ruff configuration in
ruff.toml(30+ rule sets enabled, 120-char line length, Python 3.13 target). - Add type hints to all function signatures — pyright runs in
standardmode. - Write tests using pytest. Use fixtures for shared setup and markers for test categorization.
- Add new dependencies with
uv add <package>(oruv add --dev <package>for dev-only).