Skip to main content
CContributors
Back to project pagePilot workspacePrivacy
DE
Sign inRegister
Contact
Back to project page
Audit room

Audit room: Contributors

README, vision, architecture, and audit card as reviewable context for charter, lead ask, risk, and missions.

Artifacts
6
Closed concierge pilot
MVP / concierge pilot
Provider
codex
Visibility
selective
Source review
Reviewed
Freshness
Fresh
FreshSource, snapshots, and review gate are fresh.

Source review

This audit room renders an approved source state.

SourceFreshnessHash
README.mdREADME.mdLocally linked-
ARCHITECT.mdARCHITECT.mdLocally linked-
VISION.mdVISION.mdLocally linked-
CLAUDE.mdCLAUDE.mdLocally linked-
contributors.project.jsondocs/integrations/contributors-project-manifest.mdLocally linked-

No refresh has run since the last source approval yet.

Audit decision history

Public version chain of stored human audit decisions.

project-audit-scorecard@1.0.0Current version
B - Curated Beta
Last reviewed
2026-05-15T09:00:00.000Z
Readiness
DACH platform counsel and 6 secondary ask contexts are structured for curated contribution review.
Decision ID
20000000...0001
Supersedes
-
Verified artifacts
  • docs/showcase/contributors.md
  • README.md
  • ARCHITECT.md
  • VISION.md
Open risks
  • Counsel review remains visible in the Legal Gate before broad beta.
README.mdProduct and Repository Context ARCHITECT.mdTechnical Architecture VISION.mdVision and Product Doctrine CLAUDE.mdSource artifact contributors.project.jsoncontributors.project.json AUDIT.mdContributors Audit Card
README.md

Product and Repository Context

Product context, current state, target shape, and repository structure for reviewers and contributors.

SourceContributors repository

Contributors Community

Contributors Community is the MVP workspace for a closed concierge pilot (Phase 1: DACH first). It helps an initiator turn an early product into a governed contributor project: project charter, missions, applications, discussions, Audit Room evidence, human-gated AI assistance, acceptance decisions, IP completeness, disputes, and exportable operating records.

The repository is intentionally domain-first. Compliance and lifecycle rules live in pure TypeScript domain code before HTTP, UI, persistence, or agent integrations.

Current Product Surface

  • apps/web: Next.js app with public project browsing, project detail pages, discussion views,

role-aware workspaces, auth/SSO preparation, project intake, and Audit Room document rendering.

  • apps/api: NestJS API under /api/v1 for project charters, invites, missions, applications,

acceptance, disputes, data subject requests, AI confirmations, and source-connection sync.

  • apps/mcp: MCP stdio bridge for Codex, Cowork, and similar agents. It can create a project,

connect a source workspace, and attach Audit Room artifacts through the API.

  • packages/domain: pure aggregates and invariants for projects, missions, applications,

acceptance, ledger, disputes, AI boundaries, privacy requests, and project sources.

  • packages/application: use cases and ports around the domain.
  • packages/infrastructure: Postgres event store, migration runner, and rebuildable projections.
  • : role and MFA policy checks. Admin is a flag; initiator/contributor are
packages/policies

contextual per project.

  • packages/ui: shared UI tokens and compliance components.

Core Flows

  • Browse or initiate projects from the web app.
  • Create a Project Charter draft, optionally with a source connection.
  • Sign the charter as a human initiator.
  • Publish missions and accept contributor applications.
  • Submit deliveries, complete IP records, and make human acceptance decisions.
  • Open disputes and data subject requests.
  • Persist AI output only as non-binding suggestions until a human confirms or rejects it.
  • Connect Codex, Cowork, GitHub, uploads, or manual artifacts into the project Audit Room.

Auth And Trust Boundary

Local development uses dev headers when production auth is not active. Production callers must use trusted principal headers signed with CONTRIBUTORS_API_PRINCIPAL_SECRET or EVENT_HMAC_SECRET with at least 32 characters.

Production API and web startup fail fast when auth-critical environment is unsafe: weak secrets, missing DATABASE_URL, non-HTTPS BETTER_AUTH_URL, dev auth flags, memory persistence, local trusted origins, or missing sign-in provider configuration. See docs/runbooks/production-auth.md.

SSO/OAuth is prepared in the web app as a provider-driven sign-in flow. The product model is:

  • every person is a user;
  • admin is an additional capability flag;
  • a user is an initiator for projects they own;
  • a user is a contributor for projects they contribute to;
  • one person can be admin, initiator, and contributor at the same time.

Audit Room And Source Connections

Projects can carry a sourceConnection with provider, scopes, visibility, workspace path or URL, and reviewable artifacts. The Audit Room renders project documents such as README.md, ARCHITECTURE.md, and VISION.md, including Mermaid diagrams.

Agent-facing sync is handled by apps/mcp:

  • contributors.create_project
  • contributors.sync_audit_room
  • contributors.attach_artifact

See docs/integrations/contributors-mcp-server.md and docs/integrations/contributors-project-manifest.md.

Setup

bash
corepack enable
corepack pnpm install
cp .env.example .env
docker compose -f infra/docker/docker-compose.yml up -d
corepack pnpm seed:dev
corepack pnpm run ci
corepack pnpm run ci:smoke:auth
corepack pnpm run test:integration
corepack pnpm run dev:boot:postgres

Useful local commands:

bash
corepack pnpm dev
corepack pnpm run release:local
corepack pnpm run dev:boot:postgres
corepack pnpm run container:up
corepack pnpm run container:smoke
corepack pnpm run container:build:release
corepack pnpm run container:config:prod
corepack pnpm typecheck
corepack pnpm lint
corepack pnpm test
corepack pnpm db:reset:dev
corepack pnpm seed:dev
corepack pnpm smoke:web:dev
corepack pnpm ci:smoke:auth
corepack pnpm ci:smoke:postgres
corepack pnpm --filter @contributors/mcp build
corepack pnpm --filter @contributors/mcp dev

The browser app usually runs on a local Next.js port such as http://localhost:3003. The API defaults to http://localhost:4000.

Containerized App

The default Compose command keeps running only infrastructure services. The app profile runs Postgres, seeds local fixture data, starts the Nest API, and starts the Next.js web app in containers:

bash
corepack pnpm run container:up

Use custom host ports when local servers are already running:

bash
POSTGRES_PORT=55432 API_PORT=4100 WEB_PORT=3100 WEB_URL=http://localhost:3100 corepack pnpm run container:up

For a clean end-to-end gate, run:

bash
corepack pnpm run container:smoke

The smoke uses an isolated Compose project, maps Postgres to host port 55432, builds API/web/seed images, seeds Docker Postgres, checks http://localhost:4100/api/v1/routes and http://localhost:3100/projects, runs smoke:web:dev, and removes its containers and volumes afterwards.

The API lifecycle store defaults to Docker Postgres via DATABASE_URL and runs infrastructure migrations on startup. For isolated tests or throwaway demos, set LIFECYCLE_STORE=memory explicitly.

corepack pnpm seed:dev resets the local Postgres schema, applies migrations, and writes hidden technical smoke fixtures Seeded LedgerFlow and Seeded Audit Room. With API and web servers running, corepack pnpm smoke:web:dev verifies the fixture-backed API resolver plus the public showcase overview, detail page, and Audit Room route. The dev reset refuses non-local database hosts unless SEED_DEV_ALLOW_NON_LOCAL_DATABASE=true is set explicitly.

corepack pnpm ci:smoke:postgres starts Docker Postgres, waits for readiness, seeds the database, boots API and web on isolated ports, runs the API/web smoke, and stops the app processes. CI sets CI_SMOKE_DOCKER_DOWN=true so the Docker volume is removed after the gate.

The GitHub CI workflow also runs corepack pnpm run container:smoke after the Postgres smoke. That job builds the app containers and proves Postgres, seed, API, web, project routes, and Audit Room rendering in one isolated Compose project.

Production deployment is defined by docs/runbooks/production-deployment.md: immutable API/web images, a separate migration profile, required production auth environment, health checks, and rollback expectations.

corepack pnpm ci:smoke:auth verifies the production auth gate with hardened API/web environments and known-bad production configurations before any deploy-style boot gate runs.

For a fresh-checkout production-like boot gate, run corepack pnpm run release:local. It combines CI checks, the production auth smoke, Postgres-backed integration tests, and dev:boot:postgres. See docs/runbooks/local-production-like.md for the full runbook and local override matrix.

Documentation

  • ARCHITECT.md: concise current architecture brief.
  • CLAUDE.md: agent guidance for Claude/Codex style work in this repository.
  • docs/README.md: canonical documentation index.
  • docs/architecture/overview.md: layer and trust-boundary

overview.

  • docs/architecture/event-catalog.md: current domain

event catalog.

  • docs/runbooks/local-production-like.md: fresh-checkout

production-like boot gate.

  • docs/runbooks/production-auth.md: production auth

environment gate.

  • docs/strategy/vision.md: product vision source.

Current Non-Scope

The repo does not contain final legal text, a final hosting choice, a final E-Sign provider, or a production SSO provider rollout. Those are represented as explicit integration seams and policy boundaries.

ARCHITECT.md

Technical Architecture

Technical architecture, system boundaries, data model, room lifecycle, and operating risks as review context.

SourceContributors repository

ARCHITECT.md

System Shape

Contributors Community is a pnpm/turbo monorepo with a domain-first backend, a Next.js product UI, and an MCP bridge for agent-connected project intake.

mermaid
Rendering diagram...
flowchart LR
  Browser["Browser / user"] --> Web["apps/web Next.js"]
  Agent["Codex / Cowork / MCP client"] --> Mcp["apps/mcp stdio server"]
  Web --> Api["apps/api NestJS /api/v1"]
  Mcp --> Api
  Api --> Auth["Auth context + policy gate"]
  Auth --> Application["packages/application use cases"]
  Application --> Domain["packages/domain aggregates"]
  Application --> Ports["Repository and provider ports"]
  Infrastructure["packages/infrastructure"] --> Ports
  Infrastructure --> Events["PostgreSQL domain_events"]
  Events --> Projections["Rebuildable projections"]
  Web --> AuditRoom["Audit Room markdown + Mermaid rendering"]
  Domain --> Source["Project source connection metadata"]
  Source --> AuditRoom

Trust Boundaries

  • Browser sessions are converted into signed trusted-principal headers when a server secret exists.
  • MCP production calls must also sign trusted-principal headers.
  • Development headers are accepted only outside production.
  • Policy checks happen in the API before application use cases run.
  • Privileged roles require MFA.

Domain Boundaries

  • Projects own charters, project-source connections, and signing state.
  • Missions own publish requirements and deliverable scope.
  • Applications own contributor intent and withdrawal.
  • Acceptance owns human acceptance decisions.
  • Ledger owns points and corrections as append-only events.
  • AI Assist owns non-binding interactions and human confirmation/rejection.
  • Disputes own stage-one decisions.
  • Privacy owns data subject request intake.

Source And Audit Room

Project source connections are metadata-first. A project can reference Codex, Cowork, GitHub, uploads, or manual artifacts without granting broad repository access by default.

The Audit Room renders source documents such as:

  • README.md
  • ARCHITECT.md
  • VISION.md
  • additional artifacts listed in contributors.project.json

Mermaid diagrams are rendered client-side in the web app.

Runtime Packages

  • apps/web: UI, auth/session flow, role-aware project surfaces.
  • apps/api: API routes, auth context, policy enforcement, lifecycle facade.
  • apps/mcp: JSON-RPC over stdio and API forwarding for agent tools.
  • packages/api-contracts: Zod contracts shared by web, API, and MCP.
  • packages/domain: pure domain model and events.
  • packages/application: orchestration use cases.
  • packages/policies: CASL-based role and MFA rules.
  • packages/infrastructure: persistence and projections.

Persistence Model

Domain events are append-only and hash-linked in PostgreSQL. Projections are rebuildable read models, not the source of truth. Ledger corrections are modeled as new events instead of mutation.

VISION.md

Vision and Product Doctrine

Vision, Mediation OS thesis, audiences, boundaries, and strategic product line.

SourceContributors repository

Contributors Vision

Stand: 2026-05-13 Status: Root-Synthese aus Strategiepapier, Vision-Update und Project-Manifest Owner: Tim Mergenthaler

Beitrag vor Kapital. Ledger vor Bauchgefuehl.

Contributors ist die Trust-, Audit- und Contribution-Schicht fuer eine AI-Aera, in der es mehr glaubwuerdige Repositories, Prototypen und Demos geben wird als belastbare Teams, klare Verantwortung und gepruefte Capabilities.

Die Plattform hilft Initiatoren, aus einem unfertigen, aber substanziellen Projekt ein pruefbares Venture-Building-Objekt zu machen: mit Charter, Audit-Room, klaren Missionen, menschlichen Entscheidungen, Contribution Ledger und spaeterer Uebersetzung von Beitrag in Upside.

These

AI macht Building moeglich, aber nicht vollstaendig.

Die neue Knappheit ist nicht Code. Die neue Knappheit ist Vertrauen, Urteilsvermoegen, Domain-Expertise, rechtliche Klarheit, technische Review-Qualitaet, Produkt-Fokus, Go-to-Market-Kompetenz und Investor-Readiness.

Contributors existiert fuer genau diese Luecke:

  • Repo-born Projekte sollen lesbar und auditierbar werden.
  • Fehlende menschliche Capabilities sollen als klar begrenzte Missions sichtbar werden.
  • Contributions sollen vorab definiert, nachweisbar geliefert und append-only dokumentiert werden.
  • AI darf vorbereiten, strukturieren und vorschlagen, aber keine bindenden Entscheidungen treffen.
  • Projekte muessen nicht oeffentlich sein, um contributor-ready zu werden.

Was Contributors Ist

Contributors ist ein geschlossenes, human-gated Operating System fuer fruehe Projekte vor einem klassischen vollstaendigen Team.

Ein Projekt kann als Idee, Repository, Prototyp, MVP, private Codebase, Forschungsartefakt, AI-generierter Build oder Founder-led Side Project starten. Contributors fragt nicht, ob es schon fertig ist. Contributors fragt:

  • Was existiert bereits?
  • Welche Quelle ist pruefbar?
  • Was bleibt privat?
  • Welche Artefakte duerfen in den Audit-Room?
  • Welche kritische Capability fehlt jetzt?
  • Welche Mission ist so klar, dass ein Mensch sie annehmen, liefern und reviewen kann?
  • Welche Risiken muessen vor Oeffnung, Contribution oder Pilot sichtbar sein?

Das Produkt ist deshalb zuerst ein Trust-Substrat, nicht ein Marketplace.

Was Contributors Nicht Ist

Contributors ist in Phase 1 bewusst nicht:

  • ein oeffentlicher Self-Service-Marktplatz,
  • ein Freelancer-Marktplatz,
  • eine DAO,
  • ein Cap-Table-Tool,
  • eine Crowdfunding-Plattform,
  • ein Ort fuer AI-only-Decisions,
  • ein Versprechen auf automatische Equity,
  • ein Zwang, private Repositories zu oeffnen.

Die spaetere Vision kann Project Value, Project Fund und Cash-Hybrid-Missions enthalten. Die Phase-1-Doktrin bleibt konservativ: Recht vor Produkt, Audit vor Geschwindigkeit, Mensch vor AI.

Operating Model

1. Project Charter

Der Initiator legt ein Projekt an und beschreibt Stand, Ziel, Sichtbarkeit, Risiken und erste Artefakte. Der Charter ist die Grenze zwischen Idee und operativem Contributors-Projekt.

Ohne unterschriebenen Charter keine Mission. Ohne counsel-faehige Templates kein echter Pilot.

2. Source Connection

Ein Projekt kann mit einer Quelle verbunden werden: Codex Workspace, Cowork, GitHub, Upload oder manual Concierge Intake. Die Quelle ist kein Freibrief fuer Repository-Zugriff.

Das Project Manifest ist der Handoff-Vertrag:

json
{
  "manifestVersion": "contributors.project@1.0.0",
  "source": {
    "provider": "codex",
    "visibility": "selective",
    "scopes": ["metadata", "read_artifacts"]
  },
  "artifacts": ["README.md", "VISION.md", "ARCHITECTURE.md", "docs/audit/AUDIT.md"]
}

Guardrail: Kein Repository wird implizit gelesen. Nur explizit freigegebene Artefakte werden als Audit-Room-Kontext genutzt. Secrets, private Branches und unveroeffentlichte Unterlagen bleiben ausgeschlossen, bis ein menschlicher Initiator passende Scopes gewaehrt.

3. Audit Room

Der Audit-Room macht das Projekt pruefbar, ohne es komplett oeffnen zu muessen.

Standard-Artefakte sind:

  • README.md fuer Produkt- und Repo-Kontext,
  • VISION.md fuer Zielbild, Doktrin und Grenzen,
  • ARCHITECTURE.md fuer Systemgrenzen, Datenfluesse und Risiken,
  • AUDIT.md fuer Reifegrad, Lead Ask, Risiken und Contribution-Slots.

Wenn echte Source-Artefakte existieren, gewinnen sie. Wenn sie fehlen, darf ein klar markierter Fallback aus dem Projektprofil helfen, aber niemals so tun, als sei er Repo-Quelle.

4. Missions

Eine Mission ist ein begrenztes Work-Paket mit Ziel, Deliverable, Kontext, Akzeptanzkriterien, Risiko, Review-Owner, Contribution-Point-Wert und IP-/Confidentiality-Anforderungen.

Contributions sind breiter als Pull Requests:

  • Build Contributions,
  • Expert Contributions,
  • Strategic Contributions,
  • Trust Contributions,
  • Network Contributions.

Der entscheidende Unterschied zu Freelance-Arbeit: Nicht Zeit wird verkauft, sondern nachweisbarer Wertbeitrag wird dokumentiert.

5. Human-Gated Acceptance

AI kann Akzeptanzkriterien vorbereiten, Risiken markieren und Vergleichsmasstaebe vorschlagen. Bindend wird eine Entscheidung erst, wenn ein benannter Mensch sie trifft.

Bei Streit gibt es drei Stufen:

  1. Standardbewertung durch Initiator gegen Akzeptanzkriterien.
  2. Peer Review durch passende Reviewer.
  3. Externes Schiedsverfahren bei substantiellen Streitigkeiten.

6. Contribution Ledger

Das Ledger ist append-only. Es dokumentiert Missions, Deliverables, Acceptance, IP-Status, Disputes, AI-Vorschlaege, menschliche Entscheidungen und Contribution Points.

Contribution Points sind zunaechst keine Wertpapiere. Sie sind strukturierte Beitragsaufzeichnungen, die spaeter unter expliziten Vertragen in Equity, Revenue Share, Phantom Shares, Token oder andere Ansprueche uebersetzt werden koennen.

Tim's Portfolio Als Erster Kontrollierter Test

Contributors ist die Klammer, die Tim's halbfertige, aber echte Projekte zu einer ehrlichen Komposition macht. Die Unfertigkeit ist kein Makel der Demo. Sie ist der Grund, warum Contributors existiert.

ProjektRolle
ContributorsMission-, Audit- und Ledger-Schicht
Strategy OSDiagnose-Vor-Schritt: klaert, welche Frage ein Initiator eigentlich stellt
Der DritteKonfliktloesungs-Modul fuer Co-Founder und Mission-Stakeholder
AI-Org PrototypeBuild-Modul fuer Software-Mission-Deliverables
FloraScoutExterner Proof Point ausserhalb der Klammer-Logik

Diese Komposition ist eine Lesebrille, kein Voraus-Versprechen. Jedes Projekt bleibt in seinem realen Reifegrad sichtbar.

Doktrin

  • Recht vor Produkt.
  • Audit vor Geschwindigkeit.
  • Domain vor Framework.
  • Mensch vor AI.
  • Klarheit vor Eleganz.
  • Reversibel vor optimal.
  • Geschlossen vor offen.
  • Keine Mission ohne Charter.
  • Keine Contribution ohne Akzeptanzkriterien.
  • Keine Points ohne Evidenz.
  • Keine AI-Entscheidung ohne menschliches Gate.
  • Keine oeffentlichen Claims ohne pruefbare Quelle.

ICP Und Phase-1 Scope

Initiatoren: Menschen mit einem auditierbaren Artefakt und einer benennbaren Capability-Luecke. Das Artefakt kann ein Prototyp, Early-MVP, Repository, Konzept, Datenraum, Research-Stand, Design, Workflow oder anderes belastbares Ausgangsmaterial sein. Entscheidend ist, dass die Luecke als Mission beschrieben und spaeter geprueft werden kann.

Contributors: Spezialisten, die gegen Points statt Stunden arbeiten und ihren Beitrag auditierbar nachweisen wollen. Der Fokus liegt auf Trust + Expert Missions: Counsel, Security Review, Domain Expertise, Senior Engineering Review, GTM, Research, QA, Design Review, Moderation, Operations, Community und weitere klar begrenzte fachliche Beitraege.

Expert Auditors: Counsel, Security Reviewer, Domain Experts, Senior Engineers, GTM-Experten, Mediatoren, Localization Reviewer, Compliance-Reviewer fuer weitere Jurisdiktionen, AI-Pipeline-Reviewer und andere High-Trust-Roles, deren Review ein Projekt glaubwuerdiger macht, ohne dass das gesamte Repo oeffentlich werden muss.

DACH bleibt fuer Phase 1 ein Operational Scope, kein dauerhaftes ICP-Limit. Der Pilot startet dort, wo Netzwerk, Rechtsannahmen und manuelle Concierge-Schritte am belastbarsten sind. Die Vision bleibt international und domain-agnostisch, solange Artefakt, Luecke, Gate und Acceptance auditierbar sind.

Roadmap

PhaseZielGate
1Geschlossener Concierge-Pilot mit Tim's PortfolioCounsel-freigegebene Templates
2Erste Fremd-Initiatoren mit auditierbarem Artefakt und klarer Capability-LueckeSignierbarer Charter und Audit-Room Sync
3Produktisierte Audit-PipelineStandard-Audit-Typen, AI-DPA, Reviewer-Pool
4Project ValueCompliance-Sign-off und Translation-Event-Klarheit
5Project Fund und Cash-Hybrid-MissionsSecurities-Recht-Klarheit

Quellen

  • docs/strategy/vision.md
  • docs/strategy/vision-update-2026-05-13.md
  • docs/strategy/vision-update-2026-05-06.md
  • docs/strategy/contributors-strategy-updated-repo-to-series-a.md
  • docs/integrations/contributors-project-manifest.md
  • docs/showcase/contributors.md
  • docs/briefs/codex-brief-mvp.md
CLAUDE.md

Source artifact

Artifact from the connected project source. Content is rendered from the intake snapshot or read locally from the source workspace.

SourceContributors repository

CLAUDE.md

This file gives Claude, Codex, and other coding agents the current operating context for this repository.

Mission

Contributors Community is a domain-first MVP for a contributor platform with Phase 1 DACH operational scope. The product must stay legally careful, human-gated, and auditable while still being useful as a working web app.

Non-Negotiables

  • Keep domain invariants in packages/domain before HTTP, UI, persistence, or agent layers.
  • Do not let AI create binding domain state on its own. AI output is advisory until a human confirms

or rejects it.

  • Keep admin separate from project roles. Admin is a capability flag; initiator and contributor are

contextual relationships to projects.

  • Preserve MFA checks for privileged roles.
  • Use signed trusted-principal headers in production. Dev auth headers are only for non-production.
  • Keep source connections explicit: provider, scopes, visibility, artifacts, and human actor.
  • Prefer focused changes and tests over broad refactors.
  • Do not move unrelated docs into the repo root. Root docs are limited to README.md,

CLAUDE.md, ARCHITECT.md, and VISION.md; canonical supporting docs live under docs/.

Workspace Map

  • apps/web: Next.js UI, auth flow, role workspaces, project intake, Audit Room, discussions.
  • apps/api: NestJS API and policy-protected lifecycle routes.
  • apps/mcp: MCP stdio bridge for agent-driven project and Audit Room sync.
  • packages/domain: aggregates, value objects, events, and invariants.
  • packages/application: use cases and repository/provider ports.
  • packages/infrastructure: event store, migrations, projections.
  • packages/policies: role, MFA, and project-membership policy checks.
  • packages/api-contracts: Zod request contracts shared by API, web, and MCP.
  • packages/ui: shared UI primitives and compliance components.

Current Integration Points

  • Web calls the API with trusted principal headers when a signing secret is configured.
  • API falls back to development auth headers only outside production.
  • MCP calls the API over stdio-driven tools and requires a production signing secret in production.
  • Project source manifests are documented in

docs/integrations/contributors-project-manifest.md.

  • MCP usage is documented in docs/integrations/contributors-mcp-server.md.

Common Commands

bash
corepack pnpm install
corepack pnpm typecheck
corepack pnpm lint
corepack pnpm test
corepack pnpm --filter @contributors/mcp build
corepack pnpm --filter @contributors/mcp test

Run focused package checks during development, then run the repo gates before committing when the change crosses package boundaries.

Documentation Rule

If code changes alter product flow, auth, project source sync, domain events, or architecture, update the relevant docs in the same phase:

  • README.md
  • ARCHITECT.md
  • VISION.md
  • docs/architecture/*
  • docs/integrations/*
  • docs/README.md when a new documentation area appears
contributors.project.json

contributors.project.json

Artifact from the connected project source. Content is rendered from the intake snapshot or read locally from the source workspace.

SourceContributors repository

Contributors Project Manifest

contributors.project.json is the agent handoff contract for attaching an existing project to Contributors without granting broad repository access by default.

Purpose

Codex, Cowork, GitHub imports, and manual export bundles can use the manifest to create a project source connection during Project Charter setup. The manifest does not publish anything by itself. It records provenance, requested scopes, visibility, and the first reviewable artifacts.

Minimal Manifest

json
{
  "manifestVersion": "contributors.project@1.0.0",
  "name": "Der Dritte",
  "source": {
    "provider": "codex",
    "label": "Codex Workspace",
    "workspacePath": "/Users/tim/der_dritte",
    "visibility": "selective",
    "scopes": ["metadata", "read_artifacts"]
  },
  "artifacts": ["README.md", "VISION.md", "ARCHITECTURE.md", "docs/audit/AUDIT.md"]
}

Providers

  • manual: concierge intake without a technical connector.
  • codex: local or remote Codex workspace handoff.
  • cowork: Cowork project handoff.
  • github: repository source.
  • upload: file or export bundle without live access.

Scopes

  • metadata: project name, source label, provider, and status.
  • read_artifacts: read selected artifacts listed in the manifest.
  • read_repository: read repository content beyond listed artifacts.
  • write_back: allow Contributors to write generated artifacts back to the source.
  • webhook: allow future sync events.

Guardrails

Connected sources require explicit location data through url or workspacePath, except manual and upload. No repository is read implicitly. Sensitive data, secrets, private branches, and unpublished artifacts stay excluded until a human initiator grants the matching scope.

AUDIT.md

Contributors Audit Card

Contributors audit card with lead ask, maturity, risks, roadmap, and contribution slots.

Sourcegenerated fallback

Contributors

Note: This document is a deployable fallback from the Contributors project profile. Once a project source provides README, vision, or architecture artifacts, that source is rendered first.

Audit Snapshot

Contribution before capital, ledger before gut feel: Contributors turns missing critical capabilities into scoped missions.

Maturity

  • Present: Auth baseline, app shell, project overview, missions and ledger mock, compliance badges.
  • Missing: Counsel decision, contributor agreement, mission template review, initial reviewer pool.

Lead Ask

DACH platform counsel: Initial legal review for charter, contributor agreement, Mission Value, CP ledger, dispute basics, and closed DACH pilot.