Thanks for your interest in contributing to CodeMax. This guide will help you get started.
git clone https://github.com/rish-e/codemax.git
cd codemax
npm install --ignore-scripts
npm run build
npm test- Node.js >= 18.0.0
- npm >= 9
src/
index.ts # Entry point (MCP server + CLI dispatcher)
cli.ts # CLI mode (audit, --format, --diff, --ci)
server.ts # MCP server with 13 tool registrations
types.ts # Shared type definitions
analyzers/
project-detector.ts # Framework, monorepo, ORM detection
frontend-scanner.ts # API call extraction (fetch, axios, SWR, etc.)
backend-scanner.ts # Route extraction (Next.js, Express, etc.)
env-analyzer.ts # Environment variable cross-referencing
bridge/
orchestrator.ts # Full audit coordination + ledger integration
contract-analyzer.ts # Frontend-backend contract comparison
correlator.ts # Cross-stack issue detection
health-scorer.ts # 6-dimension health scoring
formatters/
sarif.ts # SARIF output (GitHub Code Scanning compatible)
tools/
ledger-manager.ts # Issue lifecycle tracking
report-writer.ts # Living REPORT.md generation
utils/
helpers.ts # URL normalization, scoring, formatting
| Command | Description |
|---|---|
npm run build |
Compile TypeScript to dist/ |
npm test |
Run all tests (Vitest) |
npm run test:watch |
Run tests in watch mode |
npm run test:coverage |
Run tests with coverage report |
npm run lint |
Type-check without emitting |
npm run dev |
Watch mode for TypeScript compilation |
- Bug fixes with a test that reproduces the bug
- New framework support (scanners for additional frontend/backend frameworks)
- Improved detection patterns (better regex, fewer false positives)
- Documentation improvements (README, inline docs, examples)
- Performance improvements (faster scanning, lower memory usage)
- New output formats (HTML reports, JUnit XML, etc.)
Open an issue before working on:
- New MCP tools (must serve the cross-stack analysis mission)
- Breaking changes to the tool API or output formats
- Major architectural changes (new dependencies, restructuring modules)
- Opinionated features (severity thresholds, default config values)
- Fork and branch — create a feature branch from
main - Keep PRs focused — one feature or fix per PR
- Add tests — every new feature or bug fix should have a test
- All tests must pass —
npm testmust exit cleanly - Type-check must pass —
npm run lintmust exit cleanly - Write clear descriptions — explain what changed and why
Use clear, descriptive commit messages:
feat: add Vue 3 Composition API scanner support
fix: normalize dynamic route segments in URL matching
docs: add Windsurf installation instructions
test: add contract analysis edge case for optional params
CodeMax uses Vitest for testing. Tests live alongside source code in src/__tests__/.
# Run all tests
npm test
# Run a specific test file
npx vitest run src/__tests__/contract-analyzer.test.ts
# Run tests matching a pattern
npx vitest run -t "phantom call"
# Watch mode
npm run test:watch- Use temporary directories (
fs.mkdtempSync) for tests that need file system fixtures - Clean up temp directories in
afterEach - Mock data should use the factory functions (see
ledger.test.tsfor examples) - Test both the happy path and error cases
- TypeScript strict mode is enabled
- ESM modules — use
.jsextensions in imports (TypeScript + ESM convention) - Functional core — scanners and analyzers are pure functions where possible
- No
console.login production code — useprocess.stderr.writefor debug output - No
process.exitin library code — only in the CLI entry point
- Read-only — CodeMax never modifies the scanned project's files
- Zero config — auto-detection should handle common setups without configuration
- Deterministic — same input should produce the same output (except timestamps)
- Graceful degradation — if a scanner can't parse a file, skip it and continue
- Cross-stack focus — features should bridge frontend and backend, not duplicate what single-side tools do
Open a discussion or reach out via issues.