Thanks for helping improve SecDev. This repository powers an autonomous deployment, testing, and security platform built with Next.js, TypeScript, E2B, Neon Postgres, Inngest, and Groq. Contributions should fit that stack and respect the platform's security-first design.
- Fork the repository on GitHub.
- Clone your fork locally.
- Add the upstream remote if you plan to keep your fork synced.
- Install dependencies with
pnpm install. - Copy your environment file from the project example, then fill in the required values.
- Run the app locally with
pnpm dev. - Start the Inngest dev server in a separate terminal with
npx inngest-cli@latest dev.
If you are working on deployment, sandbox, or API flow changes, verify the affected page or route locally before opening a pull request.
Use short, descriptive branches and keep the prefix aligned with the change type.
feature/<issue-number>-<short-description>fix/<issue-number>-<short-description>docs/<short-description>
Examples:
feature/42-console-sidebar-a11yfix/118-deployment-error-statedocs/update-env-vars-guide
Use Conventional Commits so history stays readable and release notes stay automated.
Format:
type(scope): short summary
Common types in this repo:
featfor new functionalityfixfor bug fixesdocsfor documentation-only changesrefactorfor behavior-preserving code changesstylefor formatting or non-functional UI changeschorefor maintenance work
Examples:
feat(attack-pipeline): add empty-state guidancefix(email): remove direct console loggingdocs(contributing): clarify gssoc flow
Keep commit messages short, imperative, and focused on one logical change.
Follow the patterns already used in SecDev:
- Use TypeScript everywhere.
- Prefer named exports.
- Keep React components focused on rendering.
- Use App Router conventions in
app/. - Put business logic in
lib/and reusable UI incomponents/. - Keep route handlers in
app/api/thin: validate inputs first, then call shared logic. - Return consistent API errors in the project shape used by the codebase.
- Use
async/awaitfor I/O. - Avoid
console.login production code. - Keep secrets in environment variables and read them with
process.env. - Prefer Tailwind utility classes over inline styles.
- Respect the security model: parameterized queries only, no raw untrusted SQL, and no leaking stack traces to clients.
If you touch deployment, sandbox, or testing flows, keep the E2B and Inngest interactions isolated and explicit.
- Open an issue first, or comment on an existing issue before you start.
- Ask to be assigned before you begin work, especially for GSSoC issues.
- Create a branch from your fork using the naming format above.
- Make one focused change per PR when possible.
- Include a clear summary of what changed and why.
- Add screenshots or short screen recordings for UI changes when useful.
- Mention any environment variables, migrations, or manual verification steps.
- Link the issue in the PR description using
Fixes #<issue-number>when appropriate. - Keep your branch up to date with the upstream default branch before requesting review.
This repository does not currently ship with a dedicated automated test script. Before opening a PR, run the checks that apply to your change:
pnpm lint- Manual verification of the touched page, API route, or sandbox workflow
- For UI changes, confirm the console view in both desktop and mobile widths when relevant
If your contribution introduces a new test workflow later, document the exact command in the same PR and update this section.
GSSoC contributors, especially first-time open source contributors, are welcome here. If you are unsure where to start, pick a good first issue, comment that you want to work on it, and wait for assignment before coding.
Maintainers will help you with scope, review feedback, and project-specific questions. Please keep communication in the issue thread so everyone can follow progress.