Add a public-facing README with production-ready project documentation#3
Conversation
Agent-Logs-Url: https://github.com/schoedel-learn/LXPython/sessions/377c5e82-3732-467c-95c9-142398eb2881 Co-authored-by: schoedel-learn <212212630+schoedel-learn@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Replaces the previously empty README.md with a public-facing project document describing the app’s purpose, stack, setup, scripts, deployment flow, and contribution expectations.
Changes:
- Added a project overview, feature list, and tech stack summary
- Documented local development commands, quality checks, and available npm scripts
- Documented environment variables and the Firebase Hosting CI/CD deployment model
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Copy and configure environment values as needed: | ||
|
|
||
| ```bash | ||
| cp .env.example .env | ||
| ``` |
There was a problem hiding this comment.
The README instructs copying .env.example to .env, but the app/tooling in this repo doesn’t load .env (no dotenv usage). As written, users may expect npm run start/npm run build to pick up .env automatically, but the only documented injection path is via --define (see npm run dev). Update the README to either (a) document exporting env vars + using npm run dev, or (b) add and document a .env loader so cp .env.example .env actually works.
| `/.env.example` includes: | ||
|
|
||
| - `OPENAI_API_KEY` (required for AI responses) | ||
| - `APP_URL` (runtime app URL) |
There was a problem hiding this comment.
APP_URL is listed as an environment value, but it isn’t referenced anywhere in the codebase. Either remove it from the README (and possibly .env.example) or document the exact place it’s consumed so contributors don’t spend time configuring an unused variable.
| - `APP_URL` (runtime app URL) |
| - `APP_URL` (runtime app URL) | ||
| - `DEFAULT_AI_MODEL` (optional model override; default set in project config) | ||
|
|
||
| > Important: this app currently initializes OpenAI calls from the frontend runtime. Use only trusted deployment environments and protect secrets appropriately. |
There was a problem hiding this comment.
The warning about initializing OpenAI calls in the browser is easy to overlook and understates the risk: because OPENAI_API_KEY is injected via build-time define, it will be bundled into client JS and exposed to every user. Please make the README explicit that this is not safe for production and recommend moving OpenAI calls to a server-side proxy/Cloud Function (or remove references to deploying with a real key).
| - `OPENAI_API_KEY` | ||
| - `FIREBASE_SERVICE_ACCOUNT` | ||
|
|
There was a problem hiding this comment.
The deployment section says OPENAI_API_KEY is a required GitHub secret, but the current workflow only sets it as an environment variable for npm run build and does not pass a --define override. Given the code reads a build-time global OPENAI_API_KEY, this secret likely has no effect on the deployed bundle. Either update the README to reflect how the key is actually injected during CI builds, or adjust the workflow/build config accordingly and document that approach here.
| - `OPENAI_API_KEY` | |
| - `FIREBASE_SERVICE_ACCOUNT` | |
| - `FIREBASE_SERVICE_ACCOUNT` | |
| `OPENAI_API_KEY` is used for local/development configuration, but the current CI deployment flow does not inject it into the production bundle as a build-time define. If CI-based OpenAI access is needed later, update the workflow/build command to pass the define explicitly and document that injection mechanism here. |
This updates an empty
README.mdinto a public-facing project document aligned with OSS best practices. The new content is structured for fast onboarding, operational clarity, and safe configuration by external contributors.Problem addressed
Documentation structure added
Operational/security clarity
OPENAI_API_KEY,APP_URL,DEFAULT_AI_MODEL)Example (from new README usage flow)