plone · rboixaderg · May 24, 2026 · May 24, 2026 · May 24, 2026 · May 29, 2026
@@ -59,6 +59,7 @@ pip-wheel-metadata
 /.idea/
 /.Python
 /venv
+/.venv
 # files
 *.log
 *.swp

@@ -20,8 +20,15 @@
 - Run tests:
   - `.venv/bin/pytest guillotina/tests`
   - Targeted: `.venv/bin/pytest guillotina/tests/<path>`
+- Run GitHub Actions parity checks locally before finishing code changes:
+  - `.venv/bin/flake8 guillotina --config=setup.cfg`
+  - `.venv/bin/isort --check-only guillotina/`
+  - `.venv/bin/black --check --verbose guillotina`
+  - `.venv/bin/mypy --config-file setup.cfg guillotina/`
+  - `.venv/bin/pytest -rfE --reruns 2 --cov=guillotina -s --tb=native -v --cov-report xml --cov-append guillotina`
 
 ## Validation
+- Always run the same local checks as GitHub Actions before marking code work complete. If any check cannot be run locally, state the exact command, the blocker, and whether the equivalent GitHub Actions check is expected to cover it.
 - For contrib changes, run focused tests under the touched contrib test folder.
 - For API/service changes, verify status codes and response payload contracts.
 - Keep docs updated under `docs/source/contrib/` when adding contrib features.
@@ -35,7 +42,16 @@
 - Avoid wrapper layers when task explicitly requires low-level protocol primitives.
 - Never commit credentials or local environment files.
 
+## Code Intention and Clarity
+- Code should read like a book: the flow of a module should tell the story of what is happening.
+- Names must express intent, not implementation details. Ask: "what does the caller care about?"
+  - Prefer `rate_limit_exceeded()` over `check_and_record_rate_limit()`.
+  - Prefer `build_client_from_registration()` over `make_client()`.
+  - Prefer `generate_opaque_token()` over `generate_opaque_token_value()`.
+- Do not hide side effects behind names that look like pure queries.
+- Keep functions small and at a single level of abstraction; each step should read as the next sentence.
+- A name does not need to describe every detail, but it must not lie or obscure the consumer's goal.
+
 ## Task Closeout Notes
 - Update `CHANGELOG.rst` for notable changes.
 - Record branch name, commit hash, validation output, and task evidence in Ops Tracker.
-
@@ -4,6 +4,11 @@ CHANGELOG
 7.1.3 (unreleased)
 ------------------
 
+- OAuth: implement Guillotina OAuth 2.0 authorization server with authorization-code flow,
+  dynamic client registration, token refresh/revocation, consent management and well-known
+  metadata. Compliant with RFC 6749, RFC 7636, RFC 7591, RFC 8414, RFC 9207, RFC 9700 and
+  RFC 9728.
+  [rboixaderg]
 - MCP: enforce Guillotina content permissions for tools and resources,
   require ``ViewContent`` for full serialized JSON, isolate cached tool
   responses by principal/container/context, and invalidate MCP cache on

@@ -17,4 +17,5 @@ Contents:
    swagger
    mailer
    dbusers
+   oauth
    mcp
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,7 @@ pip-wheel-metadata @@
     /.idea/
     /.Python
     /venv
+    /.venv
     # files
     *.log
     *.swp
@@ Expand Down @@