Improve contributor onboarding with detailed setup guide

[dhruvi-16-me]

Closes #239

📝 Description
This PR improves contributor onboarding by adding a dedicated CONTRIBUTING.md with a clear, beginner-friendly local development setup flow (Flutter + Supabase), including required environment variables, Supabase CLI steps, optional local Edge Functions, and a short troubleshooting section.

🔧 Changes Made
Added new CONTRIBUTING.md with:
Quick start steps for setting up .env
Supabase CLI commands to initialize/link, deploy schema, deploy functions, and set required secrets
Instructions to run the Flutter app locally
Environment variable notes and a small troubleshooting section
📷 Screenshots or Visual Changes (if applicable)
N/A (documentation-only).

🤝 Collaboration
Collaborated with: @username (optional)

✅ Checklist

I have read the contributing guidelines.
I have added tests that prove my fix is effective or that my feature works.
I have added necessary documentation (if applicable).
Any dependent changes have been merged and published in downstream modules.

Summary by CodeRabbit

• Documentation
  • Added a comprehensive contribution guide with step‑by‑step local development setup for the app and backend, prerequisites, environment/configuration, and commands to run services and the app locally
  • Documented development workflow: branch/commit conventions, PR checklist, testing/linting recommendations, troubleshooting tips, and references to backend/frontend docs

[coderabbitai]

Walkthrough

A new CONTRIBUTING.md file was added to the repository root documenting local development setup, environment variables, Supabase backend setup (including Edge Functions), Flutter prerequisites, development workflow conventions, PR checklist, and troubleshooting guidance for contributors.

Changes

Cohort / File(s)	Summary
Documentation CONTRIBUTING.md	Added a comprehensive contributing guide: quick start (fork/clone, Flutter deps), create .env from .env.example, Supabase CLI setup (login/init/link/db push/functions deploy), required secrets, optional local Edge Functions serving, run Flutter app, prerequisites, branch/commit/PR conventions, lint/test commands, and troubleshooting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

Documentation

Poem

🐰 I hopped through docs and left a clue,

A trail of steps for building new.
Env, deploy, and tests to run,
Pull, review, then merge — we've won! ✨

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly summarizes the main change—adding a detailed setup guide to improve contributor onboarding, which directly reflects the addition of CONTRIBUTING.md.
Linked Issues check	✅ Passed	The PR fully addresses issue #239 requirements: adds CONTRIBUTING.md, provides complete step-by-step setup instructions covering environment variables, Supabase CLI commands, and troubleshooting guidance as requested.
Out of Scope Changes check	✅ Passed	All changes are in-scope documentation additions directly aligned with issue #239 objectives; no unrelated modifications detected outside the contributing guide scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CONTRIBUTING.md`:
- Around line 87-114: Update the ordered lists in CONTRIBUTING.md (the five-step
Supabase setup list and the later 166-176 section) to use the repo's configured
numbering style (use consistent "1." for each item if that is the style), and
add a blank line before and after each fenced code block (the three blocks
containing supabase login/init/link, supabase db push, and supabase functions
deploy, plus the secrets block) so the MD029/MD031 warnings are resolved; ensure
spacing is applied around all triple-backtick blocks in those sections and the
list items remain correctly ordered and indented.
- Around line 12-18: Remove SUPABASE_SERVICE_ROLE_KEY from the client `.env`
listing and replace it with guidance that this value is a server-side secret
stored as a Supabase Edge Function (or server) secret; update the `.env` example
text (the list containing SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY,
VEXA_API_KEY, OAUTH_REDIRECT_URL) to omit SUPABASE_SERVICE_ROLE_KEY, add a short
sentence instructing contributors to set SUPABASE_SERVICE_ROLE_KEY only in
Supabase Edge Function secrets or a secure server environment, and make the same
change to the repeated section referenced around lines 70–76 so documentation
and examples match the codebase security model.
- Around line 26-27: The CONTRIBUTING.md secret list currently includes
SUPABASE_DB_URL but the Edge Function code doesn't reference it; either remove
SUPABASE_DB_URL from the required secrets list or add an explicit note
explaining which function/file consumes SUPABASE_DB_URL (and where in the code
to find it), and ensure the same change is applied to the other secret
occurrences mentioned (the GEMINI_API_KEY/SUPABASE_DB_URL listings referenced
elsewhere) so the docs and codebase stay in sync.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5e6a8bd1-6688-404c-a0f5-2d09e56a2387

📥 Commits

Reviewing files that changed from the base of the PR and between 5afe656 and e478671.

📒 Files selected for processing (1)

• CONTRIBUTING.md

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (7)

CONTRIBUTING.md (7)

70-76: ⚠️ Potential issue | 🔴 Critical

Do not instruct contributors to store SUPABASE_SERVICE_ROLE_KEY in the Flutter .env.

This key is a server secret and should be documented as Supabase Edge Function secret only. The same fix needed at lines 12-18 applies here.

🔒 Suggested doc fix

 2. Fill in the values in `.env`:
    - `SUPABASE_URL`
    - `SUPABASE_ANON_KEY`
-   - `SUPABASE_SERVICE_ROLE_KEY`
    - `GEMINI_API_KEY`
    - `VEXA_API_KEY`
    - `OAUTH_REDIRECT_URL`
+   - (Do not put `SUPABASE_SERVICE_ROLE_KEY` in client `.env`; set it as a Supabase secret only.)

Based on learnings, SharkyBytes values clear contributor guidance on security practices, especially around environment variable management.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 70 - 76, Remove SUPABASE_SERVICE_ROLE_KEY from
the list of variables contributors are instructed to place in the Flutter .env
in CONTRIBUTING.md; instead update the text around the `.env` section (the list
containing SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY,
OAUTH_REDIRECT_URL) to explicitly state that SUPABASE_SERVICE_ROLE_KEY is a
server-only secret stored as a Supabase Edge Function (or server) secret and
must not be committed or placed in the Flutter `.env`; mirror the same phrasing
used earlier in the doc for server secrets so contributors know where to
configure SUPABASE_SERVICE_ROLE_KEY securely.

---

108-117: ⚠️ Potential issue | 🟠 Major

SUPABASE_DB_URL is documented as required, but the shown Edge Function code does not use it.

The Edge Functions in the codebase only consume SUPABASE_SERVICE_ROLE_KEY, GEMINI_API_KEY, and VEXA_API_KEY. Please either remove SUPABASE_DB_URL from the required secrets list or explicitly document which function/file consumes it.

As per coding guidelines, Markdown docs must provide clear explanations and accurate, up-to-date setup instructions matching the codebase.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 108 - 117, The docs list SUPABASE_DB_URL as a
required secret but none of the Edge Functions in supabase/functions (e.g.,
start-bot, fetch-transcript, summarize-transcription) use it; either remove
SUPABASE_DB_URL from the secrets section or update CONTRIBUTING.md to state
exactly which function/file consumes SUPABASE_DB_URL (and where it is
referenced), and ensure the secrets snippet only lists
SUPABASE_SERVICE_ROLE_KEY, GEMINI_API_KEY, and VEXA_API_KEY unless you add code
that reads SUPABASE_DB_URL.

---

12-18: ⚠️ Potential issue | 🔴 Critical

Do not instruct contributors to store SUPABASE_SERVICE_ROLE_KEY in the Flutter .env.

This key is a server secret and should be documented as Supabase Edge Function secret only. Keeping it in a client-loaded .env weakens security posture and risks secret exposure.

🔒 Suggested doc fix

 2. Create `.env` from `.env.example` and fill in:
    - `SUPABASE_URL`
    - `SUPABASE_ANON_KEY`
-   - `SUPABASE_SERVICE_ROLE_KEY`
    - `GEMINI_API_KEY`
    - `VEXA_API_KEY`
    - `OAUTH_REDIRECT_URL`
+   - (Do not put `SUPABASE_SERVICE_ROLE_KEY` in client `.env`; set it as a Supabase secret only.)

Based on learnings, SharkyBytes values clear contributor guidance on security practices, especially around environment variable management, wanting to ensure contributors understand the distinction between client-safe and server-side secrets.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 12 - 18, Remove SUPABASE_SERVICE_ROLE_KEY from
the client `.env` instructions and instead add a short note that
SUPABASE_SERVICE_ROLE_KEY is a server-only secret to be stored as a Supabase
Edge Function secret (not in client-distributed `.env`), while keeping the other
keys (SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY,
OAUTH_REDIRECT_URL) unchanged; explicitly state "do not store
SUPABASE_SERVICE_ROLE_KEY in Flutter/.env — use Supabase Edge Function secrets"
so contributors know where to place it.

---

87-114: ⚠️ Potential issue | 🟡 Minor

Fix markdownlint violations in list/code-block formatting.

Please normalize ordered list numbering to use consistent 1. for each item and add blank lines around fenced code blocks in these sections to clear MD029/MD031 warnings.

📝 Formatting fix

 1. Install and authenticate Supabase CLI (Supabase CLI setup is described in `BACKEND.md`).
-2. Initialize and link the Supabase project:
+1. Initialize and link the Supabase project:
+
 ```bash
 supabase login
 supabase init
 supabase link --project-ref YOUR_PROJECT_REF

Replace YOUR_PROJECT_REF with the project ref shown in your Supabase project's dashboard URL.
Note: This repo does not include supabase/config.toml in git. Running supabase init will generate the config locally.

-3. Deploy the database schema:
+1. Deploy the database schema:
+

supabase db push

-4. Deploy Edge Functions:
+1. Deploy Edge Functions:
+

supabase functions deploy

-5. Configure required Edge Function secrets in Supabase:
+1. Configure required Edge Function secrets in Supabase:
+

supabase secrets set SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
supabase secrets set SUPABASE_DB_URL=your-db-url
supabase secrets set GEMINI_API_KEY=your-gemini-api-key
supabase secrets set VEXA_API_KEY=your-vexa-api-key

</details>

As per coding guidelines, Markdown documentation should maintain proper formatting and structure.

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @CONTRIBUTING.md around lines 87 - 114, Standardize the ordered list
numbering to use "1." for each step and add blank lines before and after each
fenced code block to satisfy markdownlint rules (MD029/MD031); specifically
update the list items around the three code blocks containing the commands
"supabase login / supabase init / supabase link --project-ref YOUR_PROJECT_REF",
"supabase db push", "supabase functions deploy", and the secrets block starting
with "supabase secrets set SUPABASE_SERVICE_ROLE_KEY=...", ensuring each list
item label is "1." and there is an empty line above the opening bash and below the closing for each block.

</details>

---

`26-27`: _⚠️ Potential issue_ | _🟠 Major_

**`SUPABASE_DB_URL` is documented as required, but the shown Edge Function code does not use it.**

Please either remove this secret from the required list or explicitly note which function/file consumes it. Right now this reads as a mandatory step without evidence in the referenced function code.



As per coding guidelines, Markdown docs must provide clear explanations and accurate, up-to-date setup instructions matching the codebase.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 26 - 27, The CONTRIBUTING.md currently lists
SUPABASE_DB_URL as a required secret but the Edge Function code referenced does
not consume it; either remove SUPABASE_DB_URL from the required secrets list or
update the docs to explicitly state which file/function reads it (e.g., name the
Edge Function or module that uses SUPABASE_DB_URL) and where it’s referenced in
the codebase, and ensure the example command remains accurate for
SUPABASE_DB_URL and GEMINI_API_KEY.
```

</details>

---

`166-176`: _⚠️ Potential issue_ | _🟡 Minor_

**Add blank lines around fenced code blocks.**

The code blocks in this section should be surrounded by blank lines to satisfy Markdown formatting rules (MD031).


<details>
<summary>📝 Formatting fix</summary>

```diff
 ### Running checks and tests
 
 - Lint/analyzer:
+
 ```bash
 flutter analyze
 ```
+
 
 - Tests:
+
 ```bash
 flutter test
 ```
+
```
</details>

As per coding guidelines, Markdown documentation should maintain proper formatting and structure.

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @CONTRIBUTING.md around lines 166 - 176, The fenced code blocks under the
"Running checks and tests" heading are not surrounded by blank lines (violates
MD031); edit the CONTRIBUTING.md section titled "Running checks and tests" and
add a blank line before and after each ```bash fenced block (the blocks for
"flutter analyze" and "flutter test") so each code fence is separated from
surrounding text by an empty line, then save/commit the change.

</details>

---

`149-154`: _⚠️ Potential issue_ | _🟠 Major_

**`SUPABASE_DB_URL` is documented as required Edge Function secret, but is not consumed.**

This secret appears in the configuration summary but is not used by any Edge Function in the codebase. For accuracy, either remove it from this list or document which function requires it.



As per coding guidelines, Markdown documentation must contain accurate code examples and up-to-date information matching the codebase.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 149 - 154, The contributors guide lists
SUPABASE_DB_URL as a required Edge Function secret but the codebase does not
consume it; update CONTRIBUTING.md to either remove SUPABASE_DB_URL from the
"Edge Functions require secrets" list or add a precise note naming the specific
Edge Function (e.g., the function that would use SUPABASE_DB_URL) and where in
the code it is read (reference the secret name SUPABASE_DB_URL) so the
documentation matches the implementation; ensure the list now accurately
reflects only the secrets actually used (SUPABASE_SERVICE_ROLE_KEY,
GEMINI_API_KEY, VEXA_API_KEY) or includes a clear mapping between secret and
consumer function.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @CONTRIBUTING.md:

• Line 5: Add a blank line before and after the "## Quick start (most people
  follow this)" heading in CONTRIBUTING.md to ensure proper Markdown structure;
  locate the heading string "## Quick start (most people follow this)" and insert
  an empty line above (and optionally below) it so it's separated from surrounding
  paragraphs or content.
• Line 6: Change the standalone line "Fork the repository
  https://github.com/AOSSIE-Org/Ell-ena" to an ordered list item by prefixing it
  with "1. " (i.e., "1. Fork the repository
  https://github.com/AOSSIE-Org/Ell-ena") so it becomes the first step in the
  sequence and ensure subsequent steps remain numbered sequentially (2., 3., etc.)
  to maintain consistent ordered-list formatting in CONTRIBUTING.md.
• Line 264: The file ends without a trailing newline for the checklist line "* [
  ] PR is linked to an issue (e.g., Closes #123``)" — add a single newline
  character at the end of CONTRIBUTING.md so the file ends with exactly one
  trailing newline to satisfy MD047 and standard POSIX text-file conventions.

---

Duplicate comments:
In @CONTRIBUTING.md:

• Around line 70-76: Remove SUPABASE_SERVICE_ROLE_KEY from the list of variables
  contributors are instructed to place in the Flutter .env in CONTRIBUTING.md;
  instead update the text around the .env section (the list containing
  SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY,
  OAUTH_REDIRECT_URL) to explicitly state that SUPABASE_SERVICE_ROLE_KEY is a
  server-only secret stored as a Supabase Edge Function (or server) secret and
  must not be committed or placed in the Flutter .env; mirror the same phrasing
  used earlier in the doc for server secrets so contributors know where to
  configure SUPABASE_SERVICE_ROLE_KEY securely.
• Around line 108-117: The docs list SUPABASE_DB_URL as a required secret but
  none of the Edge Functions in supabase/functions (e.g., start-bot,
  fetch-transcript, summarize-transcription) use it; either remove SUPABASE_DB_URL
  from the secrets section or update CONTRIBUTING.md to state exactly which
  function/file consumes SUPABASE_DB_URL (and where it is referenced), and ensure
  the secrets snippet only lists SUPABASE_SERVICE_ROLE_KEY, GEMINI_API_KEY, and
  VEXA_API_KEY unless you add code that reads SUPABASE_DB_URL.
• Around line 12-18: Remove SUPABASE_SERVICE_ROLE_KEY from the client .env
  instructions and instead add a short note that SUPABASE_SERVICE_ROLE_KEY is a
  server-only secret to be stored as a Supabase Edge Function secret (not in
  client-distributed .env), while keeping the other keys (SUPABASE_URL,
  SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY, OAUTH_REDIRECT_URL) unchanged;
  explicitly state "do not store SUPABASE_SERVICE_ROLE_KEY in Flutter/.env — use
  Supabase Edge Function secrets" so contributors know where to place it.
• Around line 87-114: Standardize the ordered list numbering to use "1." for
  each step and add blank lines before and after each fenced code block to satisfy
  markdownlint rules (MD029/MD031); specifically update the list items around the
  three code blocks containing the commands "supabase login / supabase init /
  supabase link --project-ref YOUR_PROJECT_REF", "supabase db push", "supabase
  functions deploy", and the secrets block starting with "supabase secrets set
  SUPABASE_SERVICE_ROLE_KEY=...", ensuring each list item label is "1." and there
  is an empty line above the opening bash and below the closing for each
  block.
• Around line 26-27: The CONTRIBUTING.md currently lists SUPABASE_DB_URL as a
  required secret but the Edge Function code referenced does not consume it;
  either remove SUPABASE_DB_URL from the required secrets list or update the docs
  to explicitly state which file/function reads it (e.g., name the Edge Function
  or module that uses SUPABASE_DB_URL) and where it’s referenced in the codebase,
  and ensure the example command remains accurate for SUPABASE_DB_URL and
  GEMINI_API_KEY.
• Around line 166-176: The fenced code blocks under the "Running checks and
  tests" heading are not surrounded by blank lines (violates MD031); edit the
  CONTRIBUTING.md section titled "Running checks and tests" and add a blank line
  before and after each ```bash fenced block (the blocks for "flutter analyze" and
  "flutter test") so each code fence is separated from surrounding text by an
  empty line, then save/commit the change.
• Around line 149-154: The contributors guide lists SUPABASE_DB_URL as a
  required Edge Function secret but the codebase does not consume it; update
  CONTRIBUTING.md to either remove SUPABASE_DB_URL from the "Edge Functions
  require secrets" list or add a precise note naming the specific Edge Function
  (e.g., the function that would use SUPABASE_DB_URL) and where in the code it is
  read (reference the secret name SUPABASE_DB_URL) so the documentation matches
  the implementation; ensure the list now accurately reflects only the secrets
  actually used (SUPABASE_SERVICE_ROLE_KEY, GEMINI_API_KEY, VEXA_API_KEY) or
  includes a clear mapping between secret and consumer function.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Path: .coderabbit.yaml

**Review profile**: ASSERTIVE

**Plan**: Pro

**Run ID**: `51205e42-7fa1-41f9-92c2-046c42384832`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between e47867143398ae00146f9025678c1438ea650a18 and 41d4de182417d347e0ebcf3e645577ee7fa445eb.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `CONTRIBUTING.md`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[dhruvi-16-me]

Hey @SharkyBytes Please review and tell me if any changes required.

[coderabbitai]

♻️ Duplicate comments (3)

CONTRIBUTING.md (3)

5-5: ⚠️ Potential issue | 🟡 Minor

Fix Markdown lint violations (heading/list/fence/trailing newline).

There are outstanding MD022/MD029/MD031/MD047 issues around Line 5, Lines 87–114, Lines 166–176, and Line 250.

🧹 Suggested formatting patch

 This guide explains how to set up Ell-ena locally (frontend + Supabase backend) and how to contribute via pull requests.
+
 ## Quick start (most people follow this)
-   Fork the repository https://github.com/AOSSIE-Org/Ell-ena
+
+1. Fork the repository https://github.com/AOSSIE-Org/Ell-ena

-1. Clone the repo and install Flutter deps:
+1. Clone the repo and install Flutter deps:
 ...
-2. Create `.env` from `.env.example` and fill in:
+1. Create `.env` from `.env.example` and fill in:
 ...
-3. Set up Supabase backend (from repo root):
+1. Set up Supabase backend (from repo root):
 ...
-4. Run:
+1. Run:
 ...

-1. Install and authenticate Supabase CLI (Supabase CLI setup is described in `BACKEND.md`).
-2. Initialize and link the Supabase project:
+1. Install and authenticate Supabase CLI (Supabase CLI setup is described in `BACKEND.md`).
+1. Initialize and link the Supabase project:
+
 ```bash
 supabase login
 supabase init
 supabase link --project-ref YOUR_PROJECT_REF

@@
-3. Deploy the database schema:
+1. Deploy the database schema:
+

supabase db push

@@
-4. Deploy Edge Functions:
+1. Deploy Edge Functions:
+

supabase functions deploy

@@
-5. Configure required Edge Function secrets in Supabase:
+1. Configure required Edge Function secrets in Supabase:
+

...

• Lint/analyzer:

flutter analyze

• Tests:

flutter test

-* [ ] PR is linked to an issue (e.g., Closes #123) +* [ ] PR is linked to an issue (e.g., `Closes `#123)
+

</details>

As per coding guidelines, Markdown docs should maintain proper formatting and structure.


Also applies to: 87-114, 166-176, 250-250

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @CONTRIBUTING.md at line 5, The CONTRIBUTING.md has multiple Markdown lint
violations (MD022/MD029/MD031/MD047) around the "Quick start (most people follow
this)" section and the ordered steps like "Deploy the database schema", "Deploy
Edge Functions", and "Configure required Edge Function secrets in Supabase"; fix
by normalizing heading levels, converting mis-numbered ordered list items back
to sequential numbers (1., 2., 3.), ensuring single blank lines before/after
fenced code blocks and lists, closing/opening triple-backtick fences correctly,
removing trailing whitespace and ensuring the file ends with a single newline;
apply the same fixes in the other affected blocks that mirror these steps (the
blocks around the indicated later sections) so all code fences, list markers,
and blank lines conform to commonmark/markdownlint rules.

</details>

---

`12-18`: _⚠️ Potential issue_ | _🔴 Critical_

**Remove `SUPABASE_SERVICE_ROLE_KEY` from client `.env` instructions.**

Line 15 and Line 73 document a server-side secret as a frontend `.env` variable. This key must be set only via Supabase secrets/server environment, not in a Flutter-loaded `.env`.

 

<details>
<summary>🔐 Suggested documentation fix</summary>

```diff
 2. Create `.env` from `.env.example` and fill in:
    - `SUPABASE_URL`
    - `SUPABASE_ANON_KEY`
-   - `SUPABASE_SERVICE_ROLE_KEY`
    - `GEMINI_API_KEY`
    - `VEXA_API_KEY`
    - `OAUTH_REDIRECT_URL`
+   - (Do not add `SUPABASE_SERVICE_ROLE_KEY` to client `.env`; set it only as a Supabase Edge Function secret.)

 ...

 2. Fill in the values in `.env`:
    - `SUPABASE_URL`
    - `SUPABASE_ANON_KEY`
-   - `SUPABASE_SERVICE_ROLE_KEY`
    - `GEMINI_API_KEY`
    - `VEXA_API_KEY`
    - `OAUTH_REDIRECT_URL`
+   - (Do not add `SUPABASE_SERVICE_ROLE_KEY` to client `.env`; set it only as a Supabase Edge Function secret.)

Based on learnings, contributors should be explicitly guided on client-safe variables vs server-side secrets for secure environment variable management.

Also applies to: 70-76

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 12 - 18, Remove SUPABASE_SERVICE_ROLE_KEY from
the client `.env` setup instructions in the "Create `.env` from `.env.example`"
section and anywhere else it appears as a client-facing variable (e.g., the
bullet list that currently includes SUPABASE_SERVICE_ROLE_KEY and the similar
block around lines 70-76); instead, note that SUPABASE_SERVICE_ROLE_KEY is a
server-only secret and should be configured via Supabase project secrets or
server environment variables, and update wording to clearly separate client-safe
variables (SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY,
OAUTH_REDIRECT_URL) from server-side secrets.

---

26-27: ⚠️ Potential issue | 🟠 Major

Clarify or remove SUPABASE_DB_URL from required secrets.

Line 26, Line 111, and Line 151 mark SUPABASE_DB_URL as required, but the provided function examples and frontend snippets do not show usage. Please either remove it from the required list or cite the exact consuming function/file path.

As per coding guidelines, Markdown docs must contain accurate setup instructions matching actual code usage.

Also applies to: 108-117, 149-153

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 26 - 27, CONTRIBUTING.md currently lists
SUPABASE_DB_URL as a required secret but the codebase examples don't reference
it; either remove SUPABASE_DB_URL from the required secrets list or update the
doc to point to the exact consumer(s) by locating the environment variable usage
(search for SUPABASE_DB_URL, process.env.SUPABASE_DB_URL, or any configuration
key like supabaseUrl) and add the specific file(s)/function(s) that use it
(e.g., the module, class, or function name that reads that env var) so the docs
match the implementation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@CONTRIBUTING.md`:
- Line 5: The CONTRIBUTING.md has multiple Markdown lint violations
(MD022/MD029/MD031/MD047) around the "Quick start (most people follow this)"
section and the ordered steps like "Deploy the database schema", "Deploy Edge
Functions", and "Configure required Edge Function secrets in Supabase"; fix by
normalizing heading levels, converting mis-numbered ordered list items back to
sequential numbers (1., 2., 3.), ensuring single blank lines before/after fenced
code blocks and lists, closing/opening triple-backtick fences correctly,
removing trailing whitespace and ensuring the file ends with a single newline;
apply the same fixes in the other affected blocks that mirror these steps (the
blocks around the indicated later sections) so all code fences, list markers,
and blank lines conform to commonmark/markdownlint rules.
- Around line 12-18: Remove SUPABASE_SERVICE_ROLE_KEY from the client `.env`
setup instructions in the "Create `.env` from `.env.example`" section and
anywhere else it appears as a client-facing variable (e.g., the bullet list that
currently includes SUPABASE_SERVICE_ROLE_KEY and the similar block around lines
70-76); instead, note that SUPABASE_SERVICE_ROLE_KEY is a server-only secret and
should be configured via Supabase project secrets or server environment
variables, and update wording to clearly separate client-safe variables
(SUPABASE_URL, SUPABASE_ANON_KEY, GEMINI_API_KEY, VEXA_API_KEY,
OAUTH_REDIRECT_URL) from server-side secrets.
- Around line 26-27: CONTRIBUTING.md currently lists SUPABASE_DB_URL as a
required secret but the codebase examples don't reference it; either remove
SUPABASE_DB_URL from the required secrets list or update the doc to point to the
exact consumer(s) by locating the environment variable usage (search for
SUPABASE_DB_URL, process.env.SUPABASE_DB_URL, or any configuration key like
supabaseUrl) and add the specific file(s)/function(s) that use it (e.g., the
module, class, or function name that reads that env var) so the docs match the
implementation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0cc5b48c-d997-4f0e-83bb-09cf30b86dff

📥 Commits

Reviewing files that changed from the base of the PR and between 41d4de1 and 7cd2e5c.

📒 Files selected for processing (1)

• CONTRIBUTING.md