Development and contributing
This repo is source-first. Keep implementation changes small, tested, and separate from docs-only changes where practical.
Repository layout
Section titled “Repository layout”| Path | Purpose |
|---|---|
cmd/mytunnel | Client CLI. |
cmd/mytunneld | Edge daemon and control commands. |
internal/client | SSH control-plane and reverse tunnel helpers. |
internal/edge | Lease store, slug policy, Caddy route management, and daemon service logic. |
deploy | systemd, Caddy, and SSH forced-command assets. |
scripts | Install, upgrade, check, uninstall, and validation workflows. |
docs-site | Public Starlight documentation site. |
make buildVerify implementation
Section titled “Verify implementation”Primary local verification:
go test ./...go vet ./...go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...shellcheck \ deploy/ssh/mytunnel-ssh-gate.sh \ scripts/bootstrap-edge.sh \ scripts/check-client.sh \ scripts/check-edge.sh \ scripts/install-client.sh \ scripts/install-edge.sh \ scripts/install-edge-ssh-key.sh \ scripts/install-local.sh \ scripts/real-system-validation.sh \ scripts/test-ssh-gate.sh \ scripts/uninstall-edge.sh \ scripts/uninstall-local.sh \ scripts/upgrade-edge.sh \ scripts/upgrade-local.shDocker fallback:
make verify-dockerRelease-quality verification:
go test -race ./...go test ./... -count=1go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...make buildmake release-clientmake checksumsVerify docs
Section titled “Verify docs”From the docs site:
cd docs-sitenpm installnpm run checkRun the local docs server:
cd docs-sitenpm run devPreview a production build:
cd docs-sitenpm run buildnpm run previewDocs checks include:
- Prettier formatting.
- Markdownlint.
- cspell.
- Command-example classification markers.
- Starlight build and internal link validation.
Command example markers
Section titled “Command example markers”Every shell command block in public docs should be classified with one of these invisible comments immediately before the block:
<!-- docs-check: local --><!-- docs-check: docker --><!-- docs-check: edge-only --><!-- docs-check: example-only --><!-- docs-check: output-only -->Use:
localfor commands that can run on a normal checkout.dockerfor commands intended to run through Docker verification.edge-onlyfor commands that require root, systemd, an edge host, DNS, SSH credentials, or public traffic.example-onlyfor illustrative command shapes that include placeholders or should not be run directly.output-onlyfor shell-shaped output blocks.
Contribution expectations
Section titled “Contribution expectations”- Preserve user dirty work.
- Keep implementation changes scoped.
- Treat the edge daemon as the security boundary.
- Do not trust client flags for owner identity or privilege.
- Keep SSH control commands and long-running tunnel processes separate.
- Use strict shell mode and quote variables in scripts.
- Avoid leaking secrets in logs and docs.
- Add tests for security-sensitive behavior.
Public release checklist
Section titled “Public release checklist”- Choose and add a real
LICENSE. - Run release-quality verification.
- Run
scripts/real-system-validation.shagainst a real edge host. - Confirm Caddy Admin API is not externally reachable.
- Confirm wildcard DNS and TLS issuance with the real provider.
- Confirm upgrade rollback on a real edge host.