Decentralized bug-bounty platform. Smart-contract escrow on Arbitrum Sepolia (USDC) released by GitHub merge webhooks, with reputation leaderboards.
This repo is an npm-workspaces monorepo holding the Express API, the
chain indexer, and the Hardhat smart contracts. The Next.js frontend
lives in a separate repo, devbounty-web.
- Architecture: docs/ARCHITECTURE.md
- Engineering process (git, CI, Rulesets, release): docs/ENGINEERING.md
- Issue plan (60 issues, v0.4): docs/planning/ISSUES.md
| Path | Contents |
|---|---|
| `api/` | workspace `@devbounty/api` — Express API + indexer (two entrypoints) |
| `contracts/` | workspace `@devbounty/contracts` — BountyEscrow.sol + Hardhat |
| `scripts/` | sync-abi, deploy helpers, repo seeding |
| `docs/` | architecture, engineering, planning history |
```bash
nvm use                      # Node 20 (see .nvmrc)
npm install                  # installs deps + husky hooks
npm --workspace api run dev
```

(Local Mongo + webhook tunneling + Hardhat node helpers arrive in #38.)
| Script | What it does |
|---|---|
| `npm run format` | Prettier write across the repo |
| `npm run sync:abi` | Compile contracts → copy ABI into `api/src/abi/` |
CI (`.github/workflows/ci.yml`) runs on every PR and on push to `main`:
`contracts`, `api`, `abi-drift` always; `commitlint` (PR title) and
`dependency-review` on PRs. Workspace jobs start as placeholders and gain real
steps as each workspace lands (api → #4, contracts → #6).
Branch protection is enforced via GitHub Rulesets (ENGINEERING §3.3), not
classic branch protection. Apply once, after CI exists on `main`:

```bash
bash scripts/setup-rulesets.sh
```

- `main`: require PR, require the five status checks, require linear history, block force-push, block deletion, enforced for admins (no bypass).
- All branches: block deletion — the "no branch is ever deleted" audit rule.
`main` is human-merge-only (squash). Tooling opens PRs and parks them; it never
merges.
Bootstrapping. See the milestones and issues for progress.