add docs

Author: komalharshita

PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,98 @@
+<!--
+  Pull Request Template — DevPath
+  --------------------------------
+  Delete sections that do not apply.
+  Every section marked [required] must be completed before review begins.
+  PRs with empty required sections will be returned without review.
+-->
+
+## Summary [required]
+
+<!-- One paragraph explaining what this PR does and why. -->
+<!-- Do not just repeat the commit message or the issue title. -->
+
+
+
+## Related Issue [required]
+
+<!-- Every PR must link to an open issue. -->
+<!-- If no issue exists, open one before submitting this PR. -->
+
+Closes #
+
+## Type of Change [required]
+
+<!-- Check all that apply. -->
+
+- [ ] Bug fix — resolves a broken behaviour
+- [ ] Feature — adds new functionality
+- [ ] Data — adds new projects to `data/projects.json`
+- [ ] Documentation — updates docs, README, or code comments only
+- [ ] Style — CSS or visual changes only, no logic change
+- [ ] Refactor — restructures code without changing behaviour
+- [ ] Test — adds or updates tests
+
+## What Was Changed [required]
+
+<!-- List every file you modified and briefly explain why. -->
+<!-- Do not list files you only read. -->
+
+| File | Change made |
+|------|-------------|
+| `utils/recommender.py` | Added `clear_cache()` function |
+| `tests/test_basic.py` | Added test for cache invalidation |
+
+## How to Test This PR [required]
+
+<!-- Exact steps a reviewer can follow to verify your change works. -->
+<!-- "It works on my machine" is not sufficient. -->
+
+1. Clone this branch: `git checkout your-branch-name`
+2. Install dependencies: `pip install -r requirements.txt`
+3. Run the app: `python app.py`
+4. Open http://127.0.0.1:5000 and...
+5. Run the tests: `python tests/test_basic.py`
+
+Expected test output:
+```
+27 passed, 0 failed out of 27 tests
+```
+
+## Test Results [required]
+
+<!-- Paste the full output of python tests/test_basic.py -->
+
+```
+paste output here
+```
+
+## Screenshots (if UI change)
+
+<!-- Before and after screenshots for any visual change. -->
+<!-- Remove this section if your PR has no visual change. -->
+
+| Before | After |
+|--------|-------|
+| screenshot | screenshot |
+
+## Self-Review Checklist [required]
+
+<!-- Complete every item before requesting review. -->
+<!-- Do not submit a PR you would not approve yourself. -->
+
+- [ ] I have read [CONTRIBUTING.md](../CONTRIBUTING.md) and followed all guidelines
+- [ ] My branch name follows the convention: `feat/`, `fix/`, `docs/`, `data/`, `style/`, `test/`
+- [ ] I have run `python tests/test_basic.py` and all 27 tests pass
+- [ ] I have run `flake8 .` locally and there are no errors
+- [ ] I have not introduced any `print()` or `console.log()` debug statements
+- [ ] Every new function I wrote has a docstring
+- [ ] I have not modified files outside the scope of the linked issue
+- [ ] If I changed the UI, I tested it at 375px (mobile) and 1280px (desktop)
+- [ ] If I added a project to the dataset, it has all required JSON fields
+
+## Notes for Reviewer
+
+<!-- Anything you want the reviewer to pay particular attention to. -->
+<!-- Or "None" if there is nothing unusual. -->
+
+

SECURITY.md

@@ -0,0 +1,83 @@
+# Security Policy
+
+## Supported Versions
+
+DevPath is currently in active development. Security fixes are applied to
+the latest version on the `main` branch only.
+
+| Version | Supported |
+|---------|-----------|
+| Latest (`main`) | Yes |
+| Older branches  | No  |
+
+---
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in DevPath, **do not open a public
+GitHub Issue**. Public disclosure before a fix is available puts all users
+of the project at risk.
+
+**How to report:**
+
+1. Open a [GitHub Security Advisory](https://github.com/your-username/devpath/security/advisories/new)
+   on this repository (private by default).
+2. Include a clear description of the vulnerability, steps to reproduce it,
+   and your assessment of its impact.
+3. You will receive an acknowledgement within 48 hours.
+
+**What to expect:**
+
+- Acknowledgement within 48 hours of your report
+- An assessment of severity and impact within 5 business days
+- A fix or mitigation plan shared with you before public disclosure
+- Credit in the changelog if you wish to be named
+
+---
+
+## Scope
+
+The following are in scope for security reports:
+
+- Path traversal or file disclosure in the starter code serving routes
+- Injection vulnerabilities in the recommendation API
+- Information disclosure through error messages
+- Dependencies with known CVEs that affect the application
+
+The following are out of scope:
+
+- Vulnerabilities in development-mode Flask debug server (never use in production)
+- Self-XSS or issues requiring physical access to the machine
+- Denial of service via intentional resource exhaustion
+
+---
+
+## Known Security Considerations
+
+### Development server
+
+`python app.py` starts Flask in debug mode. The debug server must never be
+exposed to the public internet. For production deployment, use a WSGI server
+such as Gunicorn behind a reverse proxy.
+
+### Path traversal mitigation
+
+The `utils/file_server.py` module uses `os.path.basename()` to strip any
+directory components from starter code paths before resolving them. This
+prevents a crafted `starter_code` value in `projects.json` from reading
+arbitrary files.
+
+### No user input is stored
+
+DevPath does not persist user input. The recommendation API reads inputs from
+the request body, processes them in memory, and returns a response. No session
+data, no database, no user-submitted content is written to disk.
+
+---
+
+## Dependency Security
+
+Dependencies are pinned in `requirements.txt`. Contributors should not upgrade
+dependencies without a review of the changelog for that package. If you
+discover that a pinned dependency has a known CVE, please report it using the
+process above.