BandScope is a public GitHub project. GitHub is the source of truth for code review, CI/CD, release delivery, code security, dependency review, and SBOM retention.
`develop` is the repository default branch after bootstrap. `main` is the protected release branch. `develop` is the protected integration branch. `feature/*` branches target `develop`. `release/*` branches prepare a `develop -> main` release. `hotfix/*` branches target `main` and must not bypass review or required checks.
Read docs/repository/gitflow.md before opening a PR.
- direct push to `main` or `develop` is not allowed
- every protected-branch merge requires a passing CodeRabbit check
- all review conversations must be resolved before merge
- required checks must stay green; do not bypass them
Run `npm install`, `uv sync --project services/analysis-engine --group dev`, and `./scripts/harness/quickcheck.sh`.

- keep changes small and reviewable
- explain security impact, dependency impact, SBOM impact, and i18n impact in the PR template
- record dependency admission rationale for every new direct dependency
- keep workflows SHA pinned and lockfiles committed
- do not weaken branch protections, required checks, Code Security, or supply-chain controls
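The "keep workflows SHA pinned" rule is the one item above that is easy to verify mechanically. The following is an added example, not part of BandScope or its harness, that scans GitHub Actions workflow text for `uses:` references whose ref is not a full 40-character commit SHA (tags such as `@v4` or branches such as `@main` are mutable and are exactly what pinning is meant to rule out). The sample workflow and the SHA-shaped value inside it are constructed for the demonstration; the file path `.github/workflows` is the standard Actions location, not something taken from this repository.

```python
import re
import sys
from pathlib import Path

# Matches `uses: owner/repo@ref` (optionally quoted, optionally a list item)
# and captures the reference up to whitespace, a quote, or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")
# A pinned ref is a full 40-hex commit SHA; anything shorter or symbolic is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in a workflow that is not pinned to a full commit SHA.

    Local actions (`./path`) and `docker://` references are skipped: they carry no
    git ref to pin. Reusable workflows (`org/repo/.github/workflows/x.yml@ref`)
    are checked the same way as actions.
    """
    findings = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def scan_workflow_dir(root: Path) -> dict[str, list[str]]:
    """Scan every *.yml / *.yaml under `root`; return {path: [unpinned refs]} for offenders only."""
    report = {}
    for path in sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml"))):
        findings = unpinned_actions(path.read_text(encoding="utf-8"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample workflow. The 40-hex value is a placeholder shaped like a
# commit SHA, not a real pin for any published action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder pin)
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: "some-org/lint-action@main"
"""


def main() -> int:
    """Scan .github/workflows if present; otherwise demonstrate on the constructed sample."""
    workflows = Path(".github/workflows")
    if workflows.is_dir():
        report = scan_workflow_dir(workflows)
    else:
        report = {"<sample workflow>": unpinned_actions(SAMPLE_WORKFLOW)}
    for path, refs in report.items():
        for ref in refs:
            print(f"{path}: unpinned action reference: {ref}")
    # Non-zero exit makes this usable as a required check.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample, it flags `actions/checkout@v4` and `some-org/lint-action@main` and accepts the SHA-pinned step and the local action. The exit status is non-zero whenever anything is flagged, so the script can sit behind a required check rather than rely on reviewers spotting a `@v4` by eye.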
Use the reporting guidance in SECURITY.md. Do not open public issues for unpatched security defects when private reporting is available.