# Contributing

Privacy Redactor is designed for small, reviewable improvements.

## Good First Contributions

- Add synthetic patterns for a specific domain or locale.
- Add tests for false negatives using fake data only.
- Improve mode documentation.
- Add integration examples.
- Improve the Web Component review UX.

## Useful Rule Areas

- General PII: emails, phone numbers, addresses, identity numbers.
- Developer secrets: tokens, keys, credentials, config files, logs.
- Travel: bookings, tickets, passports, loyalty numbers.
- Healthcare: patient IDs, MRNs, insurance IDs.
- Finance: account numbers, tax IDs, transaction references.
- Legal: case numbers, client identifiers, court filings.
- HR: resumes, employee IDs, candidate notes.

## Rules For Test Data

Do not commit real private data.

Use synthetic examples such as:

- `user@example.com`
- `Passenger: TEST/USER`
- `Booking reference: ABC123`
- `api_key=sk_test_1234567890abcdefghijklmnop`
- `SSN: 219-09-9999`

## Design Principles

- Local-first by default.
- No runtime dependencies unless clearly justified.
- Rules should be explainable.
- False positives should be controlled through modes.
- High-risk fields can be conservative when the user can review output.
- Contributions should include tests.
- Rule changes should add synthetic fixtures in `test/fixtures/redaction-cases.json` when possible.

See [Rule Authoring Guide](./docs/rule-authoring.md) for rule shape, scoring, validators, and test expectations.

Before opening a pull request, run:

```bash
npm run verify
```

For rule-only debugging, `npm run evaluate` checks synthetic fixtures. For CLI behavior, `npm run smoke:cli` checks text, JSON, Markdown, stdin, sample files, and default raw-value safety. For demo pages, `npm run smoke:demo` checks static entry points, local core imports, and documented demo URLs. For package consumption, `npm run smoke:package` packs and installs the local tarball into a temporary project, then checks imports, subpath exports, CLI usage, and packaged demo/extension files. For local-first safety, `npm run check:privacy` scans runtime files for network APIs and unexpected remote scripts. For packaging and documentation consistency, `npm run check:release` checks exported files, type declarations, extension metadata, package contents, and local Markdown links.
