diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..8e5dd75
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,119 @@
+# Contributing to Tranquil PDS
+
+## Local Development
+
+### Prerequisites
+
+- [Docker](https://docs.docker.com/get-docker/) and Docker Compose
+- Add `pds.test` to your hosts file (one-time setup):
+
+  ```
+  127.0.0.1 pds.test
+  ```
+
+  - **macOS / Linux:** `/etc/hosts`
+  - **Windows:** `C:\Windows\System32\drivers\etc\hosts`
+
+### Starting the dev environment
+
+```bash
+just run-dev
+```
+
+This starts the following services via `docker-compose`:
+
+- **Traefik** — HTTPS reverse proxy at `https://pds.test`
+- **Backend** — Rust server with `cargo-watch` (auto-rebuilds on file changes)
+- **Frontend** — Vite dev server with hot module replacement
+- **Postgres** — Database on port 5432
+- **PLC Directory** — Local [did-method-plc](https://github.com/did-method-plc/did-method-plc) server for DID registration
+- **Mailpit** — Local email server with web UI at [http://localhost:8025](http://localhost:8025)
+
+Once all services are running, open **https://pds.test** in your browser.
+
+### Trusting the self-signed certificate
+
+Traefik generates a self-signed TLS certificate. Your browser will show a security warning on first visit. You can either click through it, or add the certificate to your system trust store for a seamless experience:
+
+**macOS:**
+
+```bash
+# Extract the cert from traefik and add it to the system keychain
+echo | openssl s_client -connect localhost:443 -servername pds.test 2>/dev/null | openssl x509 > /tmp/pds-test.pem
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/pds-test.pem
+```
+
+**Linux (Debian/Ubuntu):**
+
+```bash
+echo | openssl s_client -connect localhost:443 -servername pds.test 2>/dev/null | openssl x509 | sudo tee /usr/local/share/ca-certificates/pds-test.crt
+sudo update-ca-certificates
+```
+
+**Linux (Fedora/RHEL):**
+
+```bash
+echo | openssl s_client -connect localhost:443 -servername pds.test 2>/dev/null | openssl x509 | sudo tee /etc/pki/ca-trust/source/anchors/pds-test.pem
+sudo update-ca-trust
+```
+
+**Windows (PowerShell as Administrator):**
+
+```powershell
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+$cert.Import([System.Text.Encoding]::UTF8.GetBytes((echo | openssl s_client -connect localhost:443 -servername pds.test 2>$null | openssl x509)))
+$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
+$store.Open("ReadWrite")
+$store.Add($cert)
+$store.Close()
+```
+
+Restart your browser after adding the certificate.
+
+### Stopping the dev environment
+
+```bash
+# Stop containers (preserves database + build cache)
+docker compose --profile dev down
+
+# Stop and wipe all data (fresh start)
+docker compose --profile dev down -v
+```
+
+### Direct database access
+
+Postgres is exposed on port 5432:
+
+```bash
+psql postgres://postgres:postgres@localhost:5432/pds
+```
+
+### How it works
+
+- **Source code** is bind-mounted into the containers so that changes made on the host will be immediately reflected in the application
+- **Backend** uses `cargo-watch` to recompile and restart when Rust files change
+- **Frontend** uses Vite's HMR for instant browser updates when frontend files change
+- **Build cache** (`target/` directory and cargo registry) are stored in Docker volumes, so incremental compilation persists across container restarts
+- **Traefik** routes `/`, `/xrpc`, `/oauth`, `/.well-known`, `/u`, and `/health` to the backend; everything else goes to the Vite dev server
+- **Mailpit** captures all outgoing email — open [http://localhost:8025](http://localhost:8025) to view verification emails during registration
+- **PLC Directory** runs locally so DID registration doesn't hit the real `plc.directory`
+
+### Running the backend natively
+
+If you prefer running the Rust backend outside Docker (faster incremental builds on host), you need:
+
+- Rust toolchain (see `rust-toolchain.toml`)
+- `protoc` (`brew install protobuf` on macOS)
+- PostgreSQL (start with `docker compose up db`)
+
+Then run:
+
+```bash
+cargo run -p tranquil-server -- --config config.toml
+```
+
+And start the frontend separately:
+
+```bash
+cd frontend && pnpm install && pnpm dev
+```