Merge branch 'main' into feat/friend-comparison-enhancement

Author: narang24

.env.example

@@ -1,12 +1,27 @@
-# -------------------------------------------------------
+# -------------------------------------------------------
 # Supabase
 # Project Settings → API → Project URL
-NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
+NEXT_PUBLIC_SUPABASE_URL=https://<project-ref>.supabase.co
 
 # Project Settings → API → anon / public key
 NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
 
-# Project Settings → API → service_role secret (server-side only — never expose client-side)
+# ⚠️  CRITICAL SECURITY WARNING ⚠️
+# Project Settings → API → service_role secret (server-side only)
+# 
+# This key bypasses ALL Supabase Row Level Security (RLS) policies.
+# An attacker with access to this key has unrestricted read/write/delete access
+# to every user's data in the database.
+# 
+# SECURITY REQUIREMENTS:
+# 1. NEVER use this in client-side code (React components, browser scripts)
+# 2. NEVER commit this to version control
+# 3. NEVER expose it via environment variables with NEXT_PUBLIC_ prefix
+# 4. Store only in server-side .env.local (not in git)
+# 5. Use only in server-side API routes (@/src/app/api/*)
+# 6. If leaked, rotate the key immediately in Supabase dashboard
+# 
+# Leaked/compromised keys → Full database compromise (all user data at risk)
 SUPABASE_SERVICE_ROLE_KEY=your_supabase_service_role_key
 
 # -------------------------------------------------------
@@ -22,6 +37,15 @@ NEXTAUTH_URL=http://localhost:3000
 # Must not have a trailing slash.
 # NEXT_PUBLIC_APP_URL=https://devtrack-delta.vercel.app
 
+# -------------------------------------------------------
+# CSRF Allowed Origins (optional — used by CSRF middleware to validate Origin/Referer
+# headers on state-changing POST/PUT/PATCH/DELETE API requests).
+# Comma-separated list of origins that are allowed to make cross-origin requests.
+# NEXTAUTH_URL and NEXT_PUBLIC_APP_URL are included automatically — you only need
+# to add this if you have additional allowed origins (e.g. staging, custom domains).
+# Example: ALLOWED_ORIGINS=https://staging.devtrack.app,https://devtrack.example.com
+# ALLOWED_ORIGINS=
+
 # Generate with: openssl rand -base64 32
 NEXTAUTH_SECRET=your_nextauth_secret
 
@@ -56,17 +80,19 @@ UPSTASH_REDIS_REST_URL=your_upstash_redis_rest_url
 UPSTASH_REDIS_REST_TOKEN=your_upstash_redis_rest_token
 
 # -------------------------------------------------------
-# Anthropic Claude (optional — enables AI-generated weekly summaries in the
-# AI Mentor widget). Without this key the widget still works and shows
-# rule-based insights only.
-# console.anthropic.com → API Keys
+# Anthropic (optional — enables the "Generate Summary" button in the weekly
+# digest card, which produces a 2-3 sentence natural-language summary of the
+# user's week using claude-haiku-4-5-20251001).
+# Without this key the button is hidden and the rest of the widget functions
+# normally.  Rate limited to one generation per user per 24 hours.
+# console.anthropic.com -> API Keys
 # ANTHROPIC_API_KEY=sk-ant-...
 
 # -------------------------------------------------------
 # Groq API Key (optional — enables AI-generated weekly summaries in the
 # AI Mentor widget using Llama-3).
 # console.groq.com → API Keys
-GROQ_API_KEY=gsk_...
+GROQ_API_KEY=your_groq_api_key
 
 # -------------------------------------------------------
 # Leaderboard Configuration
@@ -75,4 +101,12 @@ GROQ_API_KEY=gsk_...
 # Higher values = faster builds but more resource usage
 # WARNING: Do not exceed 100 without load testing — risks memory exhaustion
 LEADERBOARD_USER_CONCURRENCY=5
-
+# -------------------------------------------------------
+# Cron / Scheduled-sync endpoints
+# Shared secret supplied by the scheduler (e.g. Vercel Cron) in every request:
+#   Authorization: Bearer <CRON_SECRET>
+# Required in ALL environments - cron routes fail closed when this is absent.
+# Local development: set any non-empty value and pass the matching header when
+# calling a sync endpoint manually (e.g. curl -H "Authorization: Bearer ...").
+# Generate with: openssl rand -hex 32
+CRON_SECRET=your_cron_secret

.eslintrc.json

@@ -0,0 +1,85 @@
+name: Bug Report
+description: Report a bug to help us improve DevTrack
+title: "[BUG] "
+labels: ["bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please fill out the details below so we can investigate.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Bug Description
+      description: What happened? What did you expect instead?
+      placeholder: "When I click X, Y happens instead of Z"
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this bug?
+      value: |
+        1. Go to '...'
+        2. Click on '...'
+        3. See error
+    validations:
+      required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Affected Area
+      description: Which part of DevTrack is affected?
+      options:
+        - Dashboard
+        - Landing Page
+        - Authentication / Sign-in
+        - API Routes
+        - Public Profile
+        - Leaderboard
+        - Collaboration Rooms
+        - Goal Tracker
+        - Streak System
+        - Settings
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: If applicable, add screenshots to help explain the issue.
+    validations:
+      required: false
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser & OS
+      placeholder: "Chrome 126 on Windows 11"
+    validations:
+      required: false
+
+  - type: dropdown
+    id: environment
+    attributes:
+      label: Environment
+      options:
+        - Local Development
+        - Production (devtrack.site)
+        - Both
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Any other relevant information (error logs, console output, etc.)
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1 +1,11 @@
-blank_issues_enabled: true
+blank_issues_enabled: false
+contact_links:
+  - name: Questions & Help
+    url: https://github.com/Priyanshu-byte-coder/devtrack/discussions/categories/q-a
+    about: Ask questions and get help from the community
+  - name: Feature Ideas & Discussion
+    url: https://github.com/Priyanshu-byte-coder/devtrack/discussions/categories/ideas
+    about: Share and vote on feature ideas before creating an issue
+  - name: Show & Tell
+    url: https://github.com/Priyanshu-byte-coder/devtrack/discussions/categories/show-and-tell
+    about: Share your DevTrack setup, dashboards, or cool things you built

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,73 @@
+name: Feature Request
+description: Suggest a new feature or improvement for DevTrack
+title: "[FEAT] "
+labels: ["enhancement", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Help us understand what you need.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Statement
+      description: What problem does this feature solve? Why is it needed?
+      placeholder: "As a user, I want to ... so that ..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How should this feature work? Be as specific as possible.
+    validations:
+      required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Feature Area
+      description: Which part of DevTrack would this affect?
+      options:
+        - Dashboard
+        - Landing Page
+        - Authentication
+        - API / Backend
+        - Public Profile
+        - Leaderboard
+        - Collaboration Rooms
+        - Goal Tracker
+        - Streak System
+        - Settings
+        - New Feature Area
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: What other approaches did you consider?
+    validations:
+      required: false
+
+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Acceptance Criteria
+      description: How will we know this feature is complete?
+      value: |
+        - [ ] ...
+        - [ ] ...
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context
+      description: Screenshots, mockups, or links to similar implementations.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -1,14 +1,39 @@
 version: 2
+
 updates:
-  - package-ecosystem: npm
-    directory: /
+  - package-ecosystem: "npm"
+    directory: "/"
+
     schedule:
-      interval: weekly
-      day: monday
+      interval: "weekly"
+      day: "monday"
+
     open-pull-requests-limit: 5
+
     labels:
-      - type:devops
-      - level:beginner
+      - "type:devops"
+      - "level:beginner"
+
+    reviewers:
+      - "Priyanshu-byte-coder"
+
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
     ignore:
       - dependency-name: "*"
-        update-types: ["version-update:semver-major"]
+        update-types:
+          - "version-update:semver-major"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+
+    schedule:
+      interval: "weekly"
+      day: "monday"
+
+    reviewers:
+      - "Priyanshu-byte-coder"