Skip to content

Commit d10c5c4

Browse files
committed
feat: add foundational documentation and security measures
- Introduced essential files including `README.md`, `LICENSE`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, and `SECURITY.md` to establish project guidelines and community standards. - Updated `.gitignore` to include `.npm-cache/` for improved environment management. - Enhanced security posture by detailing vulnerability reporting processes and hardening practices in `SECURITY.md`.
1 parent 005668f commit d10c5c4

7 files changed

Lines changed: 329 additions & 33 deletions

File tree

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
# Dependencies
22
node_modules/
3+
.npm-cache/
34
/.pnp
45
.pnp.*
56
.yarn/*

CODE_OF_CONDUCT.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
# Contributor Covenant Code of Conduct
2+
3+
## Our Pledge
4+
5+
In the interest of fostering an open and welcoming community, we pledge to make participation in Vibe Coding Profiler a harassment-free experience for everyone, regardless of background or identity.
6+
7+
## Our Standards
8+
9+
Examples of behavior that contributes to a positive environment include:
10+
11+
- Using welcoming and inclusive language
12+
- Being respectful of differing viewpoints and experiences
13+
- Gracefully accepting constructive criticism
14+
- Focusing on what is best for the project
15+
16+
Examples of unacceptable behavior include:
17+
18+
- Harassment, intimidation, or discrimination
19+
- Publishing private information without consent
20+
- Trolling or intentionally derailing conversations
21+
- Presenting offensive or demeaning language/images
22+
23+
## Enforcement
24+
25+
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting `security@bolokonon.dev`. All complaints will be reviewed and investigated promptly and fairly.
26+
27+
## Scope
28+
29+
This Code of Conduct applies within the project’s spaces and in public spaces when an individual is representing the project.
30+
31+
## Attribution
32+
33+
This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct/.

CONTRIBUTING.md

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# Contributing to Vibe Coding Profiler
2+
3+
Thanks for helping improve Vibe Coding Profiler! We welcome new contributors—here’s how to get started safely and respectfully.
4+
5+
## 1. Pick your workstream
6+
7+
- **Bug/issue:** Open an issue describing the behaviour, steps to reproduce, and expected outcome.
8+
- **New feature:** Link to the relevant PRD or tracker under `docs/prd/` and coordinate in `docs/implementation-trackers/`.
9+
- **Docs or security improvements:** Target the `docs/` tree (architecture, security readiness, workflow notes).
10+
11+
Before working, confirm nobody else is already tackling it (add a comment or label the issue). If you’re unsure, open a discussion issue and tag `@devakone`.
12+
13+
## 2. Local setup
14+
15+
1. `npm install`
16+
2. Copy `.env.example``apps/web/.env.local` and fill Supabase/GitHub/Claude values.
17+
3. `npm run lint`, `npm run build`, `npm run test` to ensure your machine matches CI standards.
18+
4. `npm run dev:web` for the frontend (Next.js listens on 8108).
19+
20+
Database migrations run via `npm run supabase:migration:up`; avoid manual schema changes unless coordinated with the team.
21+
22+
## 3. Workflow
23+
24+
1. Work on a branch named `feat/...` or `fix/...`.
25+
2. Run `turbo lint`/`npm run lint` before pushing.
26+
3. Rebase on `develop` and keep commits tidy (conventional commits if you plan to merge).
27+
4. Push, then open a PR against `develop`. The PR template will check that:
28+
- Tests/lint/build pass locally.
29+
- No secrets are leaked (run `git status`, never stage `.env` files).
30+
- The README/SECURITY docs are up to date if your change affects onboarding or security.
31+
5. After PR review, squash/fixups if needed and merge via “rebase and merge.”
32+
33+
## 4. Communication
34+
35+
- Use Slack/email for urgent ship-blockers.
36+
- Report vulnerabilities via `security@bolokonon.dev` (see `SECURITY.md`).
37+
- Tag `@devakone` on docs or backend changes requiring clarification.
38+
39+
## 5. Trademark reminder
40+
41+
The code is Apache 2.0 open-source, but **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are trademarks. Keep the brand names within this repo; if you fork for commercial use, rename your project accordingly.

LICENSE

Lines changed: 162 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,162 @@
1+
Apache License
2+
Version 2.0, January 2004
3+
http://www.apache.org/licenses/
4+
5+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6+
7+
1. Definitions.
8+
9+
"License" shall mean the terms and conditions for use, reproduction,
10+
and distribution as defined by Sections 1 through 9 of this document.
11+
12+
"Licensor" shall mean the copyright owner or entity authorized by the
13+
copyright owner that is granting the License.
14+
15+
"Legal Entity" shall mean the union of the acting entity and all
16+
other entities that control, are controlled by, or are under common
17+
control with that entity. For the purposes of this definition,
18+
"control" means (i) the power, direct or indirect, to cause the
19+
direction or management of such entity, whether by contract or
20+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
21+
outstanding shares, or (iii) beneficial ownership of such entity.
22+
23+
"You" (or "Your") shall mean an individual or Legal Entity
24+
exercising permissions granted by this License.
25+
26+
"Source" form shall mean the preferred form for making modifications,
27+
including but not limited to software source code, documentation
28+
source, and configuration files.
29+
30+
"Object" form shall mean any form resulting from mechanical
31+
transformation or translation of a Source form, including but not
32+
limited to compiled object code, generated documentation, and
33+
conversions to other media types.
34+
35+
"Work" shall mean the work of authorship, whether in Source or Object
36+
form, made available under the License.
37+
38+
"Derivative Works" shall mean any work, whether in Source or Object
39+
form, that is based on (or derived from) the Work and for which the
40+
editorial revisions, annotations, elaborations, or other modifications
41+
represent, as a whole, an original work of authorship.
42+
43+
"Contribution" shall mean any work of authorship, including the
44+
original version of the Work and any modifications or additions to
45+
that Work or Derivative Works thereof, that is intentionally
46+
submitted to Licensor for inclusion in the Work by the copyright owner
47+
or by an individual or Legal Entity authorized to submit on behalf of
48+
the copyright owner.
49+
50+
"Contributor" shall mean Licensor and any individual or Legal Entity
51+
on behalf of which a Contribution has been received by Licensor and
52+
subsequently incorporated within the Work.
53+
54+
2. Grant of Copyright License.
55+
56+
Subject to the terms and conditions of this License, each Contributor
57+
hereby grants to You a perpetual, worldwide, non-exclusive,
58+
royalty-free, irrevocable copyright license to reproduce, prepare
59+
Derivative Works of, publicly display, publicly perform, sublicense,
60+
and distribute the Work and such Derivative Works in Source or Object
61+
form.
62+
63+
3. Grant of Patent License.
64+
65+
Subject to the terms and conditions of this License, each Contributor
66+
hereby grants to You a perpetual, worldwide, non-exclusive,
67+
royalty-free, irrevocable (except as stated in this section) patent
68+
license to make, have made, use, offer to sell, sell, import, and
69+
otherwise transfer the Work, where such license applies only to those
70+
patent claims licensable by such Contributor that are necessarily
71+
infringed by their Contribution(s) alone or by combination of their
72+
Contribution(s) with the Work to which such Contribution(s) was
73+
submitted. If You institute patent litigation against any entity
74+
(including a cross-claim or counterclaim in a lawsuit) alleging that
75+
the Work or a Contribution incorporated within the Work constitutes
76+
direct or contributory patent infringement, then any patent licenses
77+
granted to You under this License for that Work shall terminate as of
78+
the date such litigation is filed.
79+
80+
4. Redistribution.
81+
82+
You may reproduce and distribute copies of the Work or Derivative
83+
Works thereof in any medium, with or without modifications, and in
84+
Source or Object form, provided that You meet the following
85+
conditions:
86+
87+
(a) You must give any other recipients of the Work or Derivative Works
88+
a copy of this License; and
89+
90+
(b) You must cause any modified files to carry prominent notices
91+
stating that You changed the files; and
92+
93+
(c) You must retain, in the Source form of any Derivative Works that
94+
You distribute, all copyright, patent, trademark, and attribution
95+
notices from the Source form of the Work, excluding those notices
96+
that do not pertain to any part of the Derivative Works; and
97+
98+
(d) If the Work includes a "NOTICE" text file as part of its
99+
distribution, then any Derivative Works that You distribute must
100+
include a readable copy of the attribution notices contained
101+
within such NOTICE file, excluding those notices that do not
102+
pertain to any part of the Derivative Works, in at least one of
103+
the following places: within a NOTICE text file distributed as
104+
part of the Derivative Works; within the Source form or
105+
documentation, if provided along with the Derivative Works; or,
106+
within a display generated by the Derivative Works, if and where
107+
such display normally appears. The contents of the NOTICE file
108+
are for informational purposes only and do not modify the License.
109+
110+
You may add Your own copyright statement to Your modifications and
111+
may provide additional or different license terms and conditions for
112+
use, reproduction, or distribution of Your modifications, or for any
113+
such Derivative Works as a whole, provided Your use, reproduction,
114+
and distribution of the Work otherwise complies with the conditions
115+
stated in this License.
116+
117+
5. Submission of Contributions.
118+
119+
Unless You explicitly state otherwise, any Contribution intentionally
120+
submitted for inclusion in the Work by You to the Licensor shall be
121+
under the terms and conditions of this License, without any additional
122+
terms or conditions. Notwithstanding the above, nothing herein shall
123+
supersede or modify the terms of any separate license agreement you
124+
may have executed with Licensor regarding such Contributions.
125+
126+
6. Trademarks.
127+
128+
This License does not grant permission to use the trade names, trademarks,
129+
service marks, or product names of the Licensor, except as required for
130+
reasonable and customary use in describing the origin of the Work and
131+
reproducing the content of the NOTICE file.
132+
133+
7. Disclaimer of Warranty.
134+
135+
Unless required by applicable law or agreed to in writing, Licensor
136+
provides the Work (and each Contributor provides its Contributions)
137+
on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
138+
either express or implied, including, without limitation, any
139+
warranties or conditions of TITLE, NONINFRINGEMENT, MERCHANTABILITY, or
140+
FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for
141+
determining the appropriateness of using or redistributing the Work and
142+
assume any risks associated with Your exercise of permissions under
143+
this License.
144+
145+
8. Limitation of Liability.
146+
147+
In no event and under no legal theory, whether in tort (including
148+
negligence), contract, or otherwise, unless required by applicable law
149+
(such as deliberate and grossly negligent acts) or agreed to in writing,
150+
shall any Contributor be liable to You for damages, including any direct,
151+
indirect, special, incidental, or consequential damages of any character
152+
arising as a result of this License or out of the use or inability to use
153+
the Work (including but not limited to damages for loss of goodwill, work
154+
stoppage, computer failure or malfunction, or any and all other commercial
155+
damages or losses), even if such Contributor has been advised of the
156+
possibility of such damages.
157+
158+
9. Accepting the License.
159+
160+
You accept and agree to be bound by the terms of this License by copying,
161+
modifying, or distributing the Work (or any work based on the Work).
162+

README.md

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
# Vibe Coding Profiler
2+
3+
Vibe Coding Profiler is an open-source “Vibe Coding Profile” experience that analyzes Git history to surface craftsmanship patterns, persona signals, and shareable narratives tailored for developers who build with AI assistance. The source code is released under the Apache License 2.0, but **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are our trademarks—please don’t use those names, logos, or service descriptions in commercial products without written permission.
4+
5+
## Quick start
6+
7+
1. `npm install`
8+
2. Copy `.env.example` to `apps/web/.env.local` and populate Supabase, GitHub, and Claude API keys.
9+
3. `npm run dev:web` (runs Next.js on port 8108 by default)
10+
4. `npm run lint`, `npm run build`, `npm run test` (via turbo) verify the workspace.
11+
12+
## Structure
13+
14+
- `apps/web`: Next.js app (App Router, API routes, share endpoints)
15+
- `apps/worker`: standalone Supabase worker (GitHub ingestion + analysis)
16+
- `packages/core`: analysis and persona logic used by the worker and web app
17+
- `packages/db`: Supabase helper library + generated types
18+
- `supabase/migrations`: Postgres schema + security policies
19+
- `docs/`: requirements, architecture, security, workflow trackers
20+
21+
## Security / brand notes
22+
23+
- Secrets are protected with AES-256-GCM helpers and Supabase RLS (see `apps/web/src/lib/llmKey.ts`, `supabase/migrations/0013_create_llm_configs.sql`).
24+
- `trufflehog`/`git-secrets` should run before every public release; rotate any detected keys.
25+
- The repository runs `.github/workflows/security.yml`, which executes `npm audit --audit-level=moderate` and a `trufflehog` git scan on every push/PR to `develop`/`main`.
26+
- `Vibed Coding`, `Vibe Coding Profile`, `Vibe Coding Profiler`, and `VCP` are brand assets; you may fork and build on the code, but please rename your fork if it’s used commercially or redistributed.
27+
28+
## Documentation
29+
30+
- `docs/security/open-source-preparedness.md`: release readiness + remaining hardening steps
31+
- `docs/PRD.md`: product requirements driving the interface
32+
- `docs/architecture/`: pipeline, LLM, share experiences
33+
- `docs/implementation-trackers/`: phase-oriented trackers for UI/API work
34+
- `CONTRIBUTING.md`: how to collaborate
35+
- `CODE_OF_CONDUCT.md`: behavioral expectations
36+
37+
## Contribution
38+
39+
See `CONTRIBUTING.md` for workflow expectations and the trademark reminder.

SECURITY.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# Security
2+
3+
If you discover a vulnerability affecting Vibe Coding Profiler, please report it directly via email to `security@bolokonon.dev`. We aim to respond within 3 business days and keep communication confidential until a fix is released.
4+
5+
## What to include
6+
7+
- A brief description of the issue and its impact
8+
- Steps to reproduce (logs, commands, payloads)
9+
- Version/commit hash affected
10+
- Contact information for follow-up
11+
12+
## Hardening guidance
13+
14+
- Secrets live only in environment variables (`apps/web/.env.example`). Do not commit `.env` files.
15+
- Supabase enforces row-level security on sensitive tables (`analysis_insights`, `llm_configs`, `llm_usage`, etc.).
16+
- The worker analyzes metadata only; PR bodies, code, and file contents are never persisted.
17+
- Security workflow: `.github/workflows/security.yml` runs `npm audit --audit-level=moderate` and `trufflehog --entropy False` on every PR/push to `develop` and `main`.
18+
- Trademark note: **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are our registered/common law marks. Please do not reuse them for commercial offerings without permission; the code stays Apache 2.0 open source while the brand remains controlled.

0 commit comments

Comments
 (0)