diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..87fcdd1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,30 @@ +--- +name: Bug report +about: Report something that isn't working as expected +title: "" +labels: bug +assignees: "" +--- + +**Describe the bug** +A clear description of what's wrong. + +**To reproduce** +Minimal `Scene`/`Layer` code that reproduces the issue: + +```dart + +``` + +**Expected behavior** +What you expected to happen instead. + +**Environment** + +- layer_canvas version: +- Dart SDK version: +- Platform: [e.g. macOS, Linux, Windows, Android, iOS] +- Using `layer_canvas` directly or via `layer_canvas_flutter`: + +**Additional context** +Stack trace, rendered output (PNG attachment), or anything else relevant. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..241e34b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Security vulnerability + url: https://github.com/code3743/layer_canvas/security/advisories/new + about: Please report security vulnerabilities privately, not as a public issue. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..c9a4c33 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest a new layer type, API, or capability +title: "" +labels: enhancement +assignees: "" +--- + +**What problem does this solve?** +A clear description of the use case this would enable or simplify. + +**Proposed solution** +What you'd like to happen — e.g. a new `Layer` subtype, an option on an +existing API, a new `Scene`/renderer capability. + +**Alternatives considered** +Any workarounds you're currently using instead. + +**Additional context** +Links, sketches, or examples from other rendering libraries, if relevant. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..13a8fe5 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +## Summary + + + +## Related issue + + + +## Checklist + +- [ ] `dart analyze` passes +- [ ] `dart test` passes +- [ ] `dart format --output=none --set-exit-if-changed .` passes +- [ ] Added/updated tests under `test/` for the behavior change +- [ ] Updated `CHANGELOG.md` (for user-visible changes) +- [ ] Updated `README.md` / `doc/GUIDE.md` if public API or usage changed diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..1b4d9b9 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,67 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic +status, nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +- Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +- The use of sexualized language or imagery, and sexual attention or advances + of any kind +- Trolling, insulting or derogatory comments, and personal or political + attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email + address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Project maintainers are responsible for clarifying and enforcing our +standards of acceptable behavior and will take appropriate and fair +corrective action in response to any behavior that they deem inappropriate, +threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies within all community spaces (issues, pull +requests, discussions) and also applies when an individual is officially +representing the community in public spaces. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the project maintainer at jotalopez.dev@gmail.com. All +complaints will be reviewed and investigated promptly and fairly. + +All project maintainers are obligated to respect the privacy and security of +the reporter of any incident. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. + +[homepage]: https://www.contributor-covenant.org diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..fcfec49 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,93 @@ +# Contributing to layer_canvas + +Thanks for your interest in improving layer_canvas! This document covers how +to get a working dev environment and what we expect from a pull request. + +By participating in this project you agree to abide by our +[Code of Conduct](CODE_OF_CONDUCT.md). + +## Getting started + +layer_canvas vendors [Blend2D](https://blend2d.com) as a git submodule and +compiles it from source via a native build hook +(`hook/build.dart`, using `package:native_toolchain_c`), so the submodule +and a C++ toolchain are required even just to run the test suite. + +```bash +git clone --recurse-submodules https://github.com/code3743/layer_canvas.git +cd layer_canvas +dart pub get +``` + +If you already cloned without `--recurse-submodules`: + +```bash +git submodule update --init --recursive +``` + +### Toolchain requirements + +- Dart SDK `^3.12.2` (see `pubspec.yaml`) +- A C++ compiler: `clang` + `cmake` on Linux (the CI image installs these + explicitly — `gcc` alone is not picked up by + `package:native_toolchain_c` on Linux), or the standard Xcode / + MSVC toolchains on macOS / Windows +- [FVM](https://fvm.app) is used to pin the Flutter version for the + companion `layer_canvas_flutter` package (see `.fvmrc`); not required to + build this package alone + +### Running checks locally + +```bash +dart analyze +dart test +dart format --output=none --set-exit-if-changed . +``` + +All three must pass before a PR is merged; CI runs `dart analyze` and +`dart test` on every push and pull request (see +`.github/workflows/dart.yml`). + +## Making changes + +- Keep pull requests focused — one logical change per PR. +- Add or update tests under `test/` for any behavioral change. +- Update `CHANGELOG.md` when the change is user-visible (new layer type, + public API change, bug fix, etc.) — add an entry under the next version + heading (maintainers will confirm the version number at release time). +- Match the existing code style; `dart format` is authoritative for + formatting, `analysis_options.yaml` (package:lints/recommended) for lints. +- `layer_canvas` intentionally has no Flutter dependency — don't introduce + one. Flutter-specific ergonomics belong in + [`layer_canvas_flutter`](https://github.com/code3743/layer_canvas_flutter) + instead. + +## Commit messages + +Use short, imperative commit messages (e.g. `fix: correct gradient stop +clamping`, `feat: add blur filter layer`). This isn't strictly enforced but +keeps `CHANGELOG.md` and release notes easy to write. + +## Submitting a pull request + +1. Fork the repo and create your branch from `main`. +2. Make your change, following the checks above. +3. Open a PR against `main` using the pull request template — fill in what + changed and why, and link any related issue. +4. A maintainer will review, request changes if needed, and merge once CI + is green. + +## Reporting bugs / requesting features + +Please use the issue templates under "New Issue" — they collect the +information (reproduction steps, platform, Dart/Blend2D version) needed to +act on a report quickly. + +## Reporting security issues + +Do **not** open a public issue for security vulnerabilities. See +[SECURITY.md](SECURITY.md) for how to report them privately. + +## Questions + +Open an issue if anything here is unclear. diff --git a/README.md b/README.md index 0c22a52..d41d012 100644 --- a/README.md +++ b/README.md @@ -131,6 +131,16 @@ everything else — gradients, paths and polygons, SVG import, images, custom fonts, groups, the complete API reference, architecture, and how to build/test the package — see **[`doc/GUIDE.md`](https://github.com/code3743/layer_canvas/blob/main/doc/GUIDE.md)**. +## Contributing + +Contributions are welcome! See +[`CONTRIBUTING.md`](https://github.com/code3743/layer_canvas/blob/main/CONTRIBUTING.md) +for how to set up a dev environment and submit a pull request, and our +[`CODE_OF_CONDUCT.md`](https://github.com/code3743/layer_canvas/blob/main/CODE_OF_CONDUCT.md). +To report a security vulnerability, see +[`SECURITY.md`](https://github.com/code3743/layer_canvas/blob/main/SECURITY.md) +instead of opening a public issue. + ## License MIT — see [`LICENSE`](https://github.com/code3743/layer_canvas/blob/main/LICENSE). See [`THIRD_PARTY_NOTICES.md`](https://github.com/code3743/layer_canvas/blob/main/THIRD_PARTY_NOTICES.md) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..083a634 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,51 @@ +# Security Policy + +## Supported Versions + +layer_canvas is currently in beta (`0.x`). Security fixes are made against +the latest published version on [pub.dev](https://pub.dev/packages/layer_canvas) +and the `main` branch. There is no long-term support for older `0.x` +releases — please upgrade to the latest version before reporting an issue. + +| Version | Supported | +| ------- | ------------------ | +| latest | :white_check_mark: | +| older | :x: | + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub +issues, discussions, or pull requests.** + +Instead, report them privately using one of these channels: + +- [GitHub Security Advisories](https://github.com/code3743/layer_canvas/security/advisories/new) + for this repository (preferred), or +- Email jotalopez.dev@gmail.com + +Please include: + +- A description of the vulnerability and its potential impact +- Steps to reproduce (a minimal `Scene`/`Layer` snippet if applicable) +- The affected version(s) and platform (Android/iOS/macOS/Linux/Windows) + +## Scope + +layer_canvas renders untrusted input in two places that matter most from a +security standpoint: + +- **Blend2D (native, via FFI)** — vendored as a git submodule and compiled + into this package. Memory-safety issues in decoding images, fonts, or SVGs + through this path are in scope. +- **SVG / font parsing** (`lib/src/svg`, font registry) — malformed input + causing crashes, panics, or memory corruption is in scope. + +Denial-of-service via pathologically large inputs (e.g. an enormous canvas +size) is a known, low-severity class — please still report it, but expect +it to be triaged as lower priority than memory-safety issues. + +## Response + +We aim to acknowledge reports within 5 business days and to release a fix +or mitigation, or provide a timeline, within 30 days depending on severity +and complexity.