How we build

Start contributing

Help build the one that doesn't spy.

OpenWarden is pre-1.0: the specs and threat model are complete, the code is just beginning. That makes now the best time to shape it. Here's exactly what you need and the path to your first pull request.

Open the repo See the five steps
What you need

Short list. One command installs most of it.

  • A computermacOS, Linux, or Windows. The bootstrap script installs the rest.
  • The toolchainJDK 21, Android SDK + emulator, and ktlint, all installed by /bootstrap-repo. No manual setup hunt.
  • A test targetThe emulator the bootstrap creates, or a Pixel 7 for real device-controller work.
  • Git + GitHubYou'll fork the repo and open pull requests. Commits must be signed.
  • A skill to bringKotlin / Android for v1; crypto review, docs, or Swift come later. Not sure where you fit? Every good-first-issue is labeled with its cost.
  • Optional: an engineClaude Code or Codex CLI if you want the AI loop. Pure-human contributions are just as welcome.
The path

Five steps to your first PR.

Read the docs

Start with the README and the spec under docs/. Every claim on this site traces to a doc; your code should too.

Bootstrap your machine

Run /bootstrap-repo once, then confirm with ./scripts/verify-env.sh. It's idempotent, so it's safe to re-run.

Pick a good first issue

Grab one labeled with build and maintain cost. Start small and Tier 0 or 1. At least five are kept open at all times.

Build it test-first

Write the failing test, make the smallest diff to green, then run /verify-openwarden-spec. Stuck after three tries, or touching crypto? Run /codex-second-opinion.

Open the pull request

Sign your commits, add the DCO sign-off, and make sure CI is green. One approval merges; crypto and ADR changes need two.

The rules, on one screen

Non-negotiable, and short.

  • Sign-offDCO on every commit: git commit -s. Submitting a PR confirms it.
  • Signed commitsCryptographically signed: git commit -S.
  • TestsRequired for crypto, protocol, new features, and bug fixes (with a regression test).
  • CIMust pass before review. Reviewers don't babysit a red build.
  • ConductContributor Covenant 2.1, enforced.
  • Won't mergeAnything with a subscription, telemetry, a required third-party SaaS, or content monitoring. Those aren't bugs to fix; they're the line.

Where to ask

New contributors are expected, not tolerated. If something's unclear, open a discussion before sinking a weekend into it.

See the whole build system & AI dev loop