Development

.env.example

@@ -1,36 +1,54 @@
-# ============================================
-# VIBE PROMPTING - ENVIRONMENT VARIABLES
-# ============================================
-# Copy this file to .env and fill in your actual values
-# Never commit .env to version control!
+# =====================================================
+# VIBE PROMPTING V2 - ENVIRONMENT VARIABLES
+# =====================================================
+# Copy this file to .env.local for local development
+# NEVER commit .env.local or .env.production to git
 
-# ============================================
-# SUPABASE CONFIGURATION (Required)
-# ============================================
-# Get these from: https://app.supabase.com/project/_/settings/api
-VITE_SUPABASE_URL=your_supabase_project_url_here
-VITE_SUPABASE_ANON_KEY=your_supabase_anon_key_here
+# =====================================================
+# PUBLIC VARIABLES (Exposed to client via VITE_ prefix)
+# =====================================================
+VITE_SUPABASE_URL=https://your-project.supabase.co
+VITE_SUPABASE_ANON_KEY=your-anon-key-here
 
-# ============================================
-# AI API KEYS (Choose at least ONE)
-# ============================================
+# =====================================================
+# SERVER-ONLY VARIABLES (NEVER prefix with VITE_)
+# =====================================================
+# These are ONLY used in Supabase Edge Functions
+# Set these in Supabase Dashboard → Edge Functions → Secrets
 
-# Option 1: Google Gemini API (Recommended)
-# - FREE tier available with generous limits
-# - Get your key from: https://aistudio.google.com/apikey
-# - Used as primary AI model (Gemini 2.0 Flash)
-VITE_GEMINI_API_KEY=your_gemini_api_key_here
+# Supabase Service Role (NEVER expose to client)
+SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
 
-# Option 2: OpenRouter API (Fallback)
-# - FREE $1 credit + access to multiple models
-# - Get your key from: https://openrouter.ai/keys
-# - Used as fallback (Llama 3.2 3B Instruct)
-VITE_OPENROUTER_API_KEY=your_openrouter_api_key_here
+# LLM API Keys (Server-side only)
+GEMINI_API_KEY=your-gemini-key-here
+OPENROUTER_API_KEY=your-openrouter-key-here
+ANTHROPIC_API_KEY=your-anthropic-key-here
 
-# ============================================
-# NOTES:
-# ============================================
-# - You need at least ONE AI API key for the app to work
-# - Gemini is recommended for better results
-# - OpenRouter is used as backup if Gemini fails
-# - All keys are prefixed with VITE_ for Vite to expose them to the client
+# Database Direct Connection (for migrations only)
+DATABASE_URL=postgresql://postgres:[password]@db.your-project.supabase.co:5432/postgres
+
+# =====================================================
+# DEPLOYMENT INSTRUCTIONS:
+# =====================================================
+# Local Development:
+#   1. Copy this file to .env.local
+#   2. Fill in VITE_* variables from Supabase dashboard
+#   3. Server-side keys not needed locally (Edge Functions use Supabase secrets)
+#
+# Production (Vercel):
+#   1. Set VITE_* variables in Vercel dashboard
+#   2. Never set server-side keys in Vercel (use Supabase Edge Function secrets)
+#
+# Edge Functions:
+#   supabase secrets set GEMINI_API_KEY=your-key
+#   supabase secrets set OPENROUTER_API_KEY=your-key
+#   supabase secrets set SUPABASE_SERVICE_ROLE_KEY=your-key
+#
+# =====================================================
+# SECURITY CHECKLIST:
+# =====================================================
+# ✅ .env.local is in .gitignore
+# ✅ Only VITE_ vars exposed to browser
+# ✅ Service role key ONLY in Edge Functions
+# ✅ Rotate keys immediately if exposed
+# ✅ Never store tokens in localStorage

.github/dependabot.yml

@@ -0,0 +1,26 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "Addy-shetty"
+    labels:
+      - "dependencies"
+      - "security"
+    # Automatically merge security updates
+    target-branch: "main"
+    versioning-strategy: increase
+
+  # Monitor GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/instructions/copilot.instruction.md.instructions.md

@@ -0,0 +1,11 @@
+---
+applyTo: '**'
+---
+CRITICAL: Before ANY implementation, STOP and ask for confirmation.
+- If asked "what about X?", only EXPLAIN, don't implement
+- Make ONLY requested changes, no bonus features
+- No documentation files unless explicitly asked
+- Ask before creating files or running commands
+- Short explanations (2-3 sentences max)
+- List options and wait for user choice when unclear
+USER IS IN CONTROL. I assist only when explicitly directed.

.github/workflows/security-audit.yml

@@ -0,0 +1,68 @@
+name: Security Audit
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run weekly security audit
+    - cron: '0 0 * * 0'
+
+jobs:
+  npm-audit:
+    name: NPM Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit
+        run: npm audit --audit-level=moderate
+        continue-on-error: true
+
+      - name: Generate audit report
+        run: npm audit --json > audit-report.json
+        continue-on-error: true
+
+      - name: Upload audit report
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-audit-report
+          path: audit-report.json
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+
+  codeql-analysis:
+    name: CodeQL Security Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript, typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.gitignore

@@ -1,10 +1,16 @@
 # Dependencies
 node_modules
 
-# Environment Variables (NEVER COMMIT)
+# Environment Variables (⚠️ NEVER COMMIT - CONTAINS SECRETS)
 .env
 .env.local
 .env.production
+.env.development
+.env.*.local
+
+# Supabase Local (if using local Supabase)
+supabase/.branches
+supabase/.temp
 
 # Build Output
 dist