An AI-powered code analyzer that gives you complexity metrics, security insights, and quality reviews — paste your code and get an instant deep-dive.
| Feature | What it does |
|---|---|
| Code Explanation | Plain-language walkthrough of what your code does. |
| Unit Test Suggestions | Generates test cases that exercise your logic. |
| Complexity Analysis | Big-O time & space complexity, visualised with Chart.js. |
| Performance Optimization | Flags bottlenecks and suggests faster patterns. |
| Documentation Generation | Auto-writes comments and doc blocks. |
| Security Vulnerability Detection | Lists likely issues (XSS, SQLi, etc.) with a risk score. |
| Syntax & Error Detection | Spots syntax errors and likely bugs. |
| Code Quality Review | Best-practice and maintainability feedback. |

| Technology | Role |
|---|---|
| React 19 | UI layer with hooks and an error boundary. |
| Vite 8 | Build tooling and dev server. |
| Tailwind CSS 4 | Styling via the @tailwindcss/vite plugin. |
| Google Gemini | AI analysis with a cascading free-tier model fallback. |
| Chart.js | Renders the complexity charts. |
| DOMPurify | Sanitises AI-generated markdown before it is rendered. |

```bash
git clone https://github.com/realkeshav08/CodePulse.git
cd CodePulse
npm install
```

Copy the example env file and add your Google AI Studio API key:

```bash
cp .env.example .env
```

```
GEMINI_API_KEY=your_gemini_api_key_here
```

Get a key at https://aistudio.google.com/app/apikey.

🔒 The key has no `VITE_` prefix on purpose. It is read only by the server-side function in `api/analyze.js`, so Vite never bundles it into the client: the key stays on the server and is never exposed to the browser.

```bash
npm run build    # produce a production bundle in dist/
npm run preview  # preview the production build
npm run lint     # run ESLint
```

Because the API key now lives in a serverless function, the app needs that function running during development. Use the Vercel CLI, which serves both the Vite frontend and the `/api` route together and loads `.env` automatically:

```bash
npm i -g vercel   # one-time
vercel dev        # http://localhost:3000
```

`npm run dev` still starts the Vite frontend on its own, but `/api/analyze` will return 404 there; analysis only works under `vercel dev` (or once deployed).

```
api/
└── analyze.js        # Serverless proxy — holds the Gemini key, runs model fallback
src/
├── components/       # UI components
│   └── ui/           # Reusable design-system primitives
├── pages/            # Router views (Home, Chat)
├── utils/            # Client connector that calls /api/analyze (no key here)
├── data/             # Feature list
└── lib/              # Helpers (classname merge)
```

- Server-side API key. Gemini calls are proxied through `api/analyze.js`. The key never leaves the server and is never included in the client bundle.
- Same-origin guard. The `/api/analyze` endpoint rejects requests whose `Origin` / `Referer` host does not match the request host, blocking casual cross-site abuse of the endpoint.
- No-store responses. AI responses are returned with `Cache-Control: no-store` so they are never cached by intermediaries.
- XSS sanitisation. AI markdown is sanitised with DOMPurify at the render site; every code path that feeds the response surface is sanitised, not just the happy path.
- Error boundary. A React error boundary keeps a failed render from crashing the whole page.
- Input limits. Uploads are capped at 512 KB on the client; the API rejects prompts above 200 KB.
- Resilient model fallback. The API cascades through multiple Gemini / Gemma models on rate limits, 5xx, overload, and network errors.
- Dependencies. `npm audit` reports zero known vulnerabilities.

The endpoint is still public and unauthenticated. For a portfolio / demo on the free tier this is fine: quota exhaustion is the worst case. If this ever takes real traffic or a billed key, add rate limiting (e.g. Upstash Redis or Vercel KV) on top of the same-origin guard.
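
A sketch of how the same-origin guard, the 200 KB prompt limit and the `no-store` header described above can fit together. This is an added example, not the code in `api/analyze.js`: the helper names, the status codes and the choice to reject requests that carry neither header are assumptions.

```javascript
// Added example: hypothetical helpers, not the project's api/analyze.js.
const MAX_PROMPT_BYTES = 200 * 1024; // README: the API rejects prompts above 200 KB

// Return the host[:port] of an Origin/Referer value, or null if unusable.
function hostOf(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    return new URL(value).host.toLowerCase(); // full parse, default ports dropped
  } catch {
    return null; // malformed header value
  }
}

// True only when Origin (preferred) or Referer names exactly the request host.
function isSameOrigin(headers) {
  const requestHost = (headers.host || "").toLowerCase();
  if (!requestHost) return false;
  // Origin wins when present; Referer is consulted only if Origin is absent.
  const source = headers.origin !== undefined ? headers.origin : headers.referer;
  const sourceHost = hostOf(source);
  // Assumption: fail closed when neither header is present.
  // Exact comparison, so "app.example.evil.test" never matches "app.example".
  return sourceHost !== null && sourceHost === requestHost;
}

// Decide the outcome before any model call; every outcome carries no-store.
function checkRequest(headers, prompt) {
  const base = { "Cache-Control": "no-store" };
  if (!isSameOrigin(headers))
    return { status: 403, headers: base, error: "cross-origin request" };
  if (typeof prompt !== "string" || prompt.length === 0)
    return { status: 400, headers: base, error: "missing prompt" };
  // Measure bytes, not characters: multi-byte text is larger than its length.
  if (Buffer.byteLength(prompt, "utf8") > MAX_PROMPT_BYTES)
    return { status: 413, headers: base, error: "prompt too large" };
  return { status: 200, headers: base };
}
```

`Origin` and `Referer` are set by the client, so this check only constrains browsers; a non-browser client can send any value, which is why the rate-limiting note above still applies.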

- Push the repository to GitHub and import it into Vercel (or run `vercel --prod` locally).
- Under Project → Settings → Environment Variables add `GEMINI_API_KEY` to Production (and Preview, if you use preview deployments). It must have no `VITE_` prefix; that prefix would inline it into the client bundle.
- In Google Cloud Console → Credentials, set the key's Application restrictions to None (it is now a server-side key; "Websites" referrer restrictions would block your own backend, which has no `Referer` header). Keep API restrictions limited to the Generative Language API.
- Deploy. The `vercel.json` rewrite (`/((?!api/).*) → /index.html`) handles SPA routing without swallowing the `/api` routes.

Built by realkeshav08