
fix: remove unused http import and set stable secret key fallback #503

Open
asiyasafwana15-byte wants to merge 1 commit into Eswaramuthu:main from asiyasafwana15-byte:fix-app-errors

Conversation

@asiyasafwana15-byte

Which issue does this PR close?

  • Closes #.

Rationale for this change

What changes are included in this PR?

Are these changes tested?

Are there any user-facing changes?

@vercel

vercel Bot commented May 28, 2026

@asiyasafwana15-byte is attempting to deploy a commit to the 007's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

Thanks for creating a PR for your Issue! ☺️

We'll review it as soon as possible.
In the meantime, please double-check the file changes and ensure that all commits are accurate.

If there are any unresolved review comments, feel free to resolve them. 🙌🏼

Comment thread app.py

# Define upload folder path for certificates
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static" "uploads")
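Review bot: the replacement line at the end of this hunk drops the comma in `os.path.join(..., "static" "uploads")`, so Python concatenates the two adjacent literals and UPLOAD_FOLDER resolves to `<base>/staticuploads` instead of `<base>/static/uploads`; nothing in the PR title ("remove unused http import and set stable secret key fallback") explains why this line is touched at all, so either restore `"static", "uploads"` or drop the change from this PR and say in the description why the upload path is being edited.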
Contributor


CRITICAL BUG: Missing comma in os.path.join concatenates 'static' and 'uploads' into 'staticuploads'

Python's implicit string literal concatenation turns "static" "uploads" into a single argument "staticuploads", so UPLOAD_FOLDER resolves to <base>/staticuploads (a non-existent path) instead of <base>/static/uploads. File saves at line 473 and profile-directory creation at line 663 will write to the wrong location.

Suggested change
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static" "uploads")
UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")
Prompt to fix with AI


In app.py at line 41, the call to os.path.join is missing a comma between "static" and "uploads". Python's implicit string concatenation silently merges them into "staticuploads", making UPLOAD_FOLDER point to a wrong path. Fix by changing the line to:

UPLOAD_FOLDER = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static", "uploads")

Comment thread app.py

app = Flask(__name__)
app.secret_key = os.environ.get("SECRET_KEY", secrets.token_hex(16))
app.secret_key = os.environ.get("SECRET_KEY" ,"dev-secret-key-change-me")
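Review bot: replacing `secrets.token_hex(16)` with the literal `"dev-secret-key-change-me"` means any deployment that forgets to set SECRET_KEY signs its session cookies with a value that is public in the repository, so the app runs in an insecure state instead of failing; if the motivation is a key that survives restarts (the "stable" in the title), the change to make is to require the variable, i.e. read SECRET_KEY and raise when it is absent outside a development setting, rather than to ship a known fallback. Separately, `"SECRET_KEY" ,"dev-secret-key-change-me"` puts the space before the comma instead of after it.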
Contributor


MAJOR SECURITY: Hardcoded default secret key exposes session signing to anyone who reads the repo

Any deployment that omits the SECRET_KEY env var will use the publicly visible string "dev-secret-key-change-me", allowing an attacker to forge signed session cookies. The previous default secrets.token_hex(16) was randomly generated per process, which was safer.

Prompt to fix with AI


In app.py at line 21, the Flask secret key fallback was changed from `secrets.token_hex(16)` to the hardcoded string `"dev-secret-key-change-me"`. This is a security vulnerability: any deployment without the SECRET_KEY env var will use a publicly known key, enabling session cookie forgery. Revert the fallback to `secrets.token_hex(16)` (which requires the `secrets` module already imported) or raise a `RuntimeError` when SECRET_KEY is missing in production.
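As an added example (not code from this PR or from the Eswaramuthu repository), the following helper implements the comment's second suggestion: read SECRET_KEY from the environment, refuse to start when it is missing in production, and only fall back to a random per-process key in an explicit development setting. The `APP_ENV` variable name, the placeholder list and the 32-byte minimum are assumptions chosen for the example, not project settings.

```python
import os
import secrets
import warnings

# Assumed policy values for this example; none of them come from the project.
MIN_KEY_BYTES = 32
KNOWN_PLACEHOLDERS = {"dev-secret-key-change-me", "changeme", "secret", "password"}
STRICT_ENVS = {"production", "staging"}


def classify_secret_key(env):
    """Decide what to do with the SECRET_KEY found in `env` (any mapping, e.g. os.environ).

    Returns (action, detail):
      ("use", key)      -> the configured key is acceptable, use it as-is
      ("generate", msg) -> no key, but a development environment: a random key is fine
      ("fail", msg)     -> no key or a weak key where forgeable sessions are not acceptable
    """
    # Default to the strict branch: an unset APP_ENV is treated as production.
    app_env = env.get("APP_ENV", "production").strip().lower()
    key = env.get("SECRET_KEY", "")

    if key:
        # A key that is public in a repository or a docs page is no better than none.
        if key.strip().lower() in KNOWN_PLACEHOLDERS:
            return "fail", "SECRET_KEY is a well-known placeholder value"
        if len(key.encode("utf-8")) < MIN_KEY_BYTES:
            return "fail", "SECRET_KEY is shorter than %d bytes" % MIN_KEY_BYTES
        return "use", key

    if app_env in STRICT_ENVS:
        return "fail", "SECRET_KEY is not set and APP_ENV=%s; refusing to start" % app_env

    return "generate", (
        "SECRET_KEY not set; using a random per-process key "
        "(sessions reset on restart and are not shared across worker processes)"
    )


def load_secret_key(env=None):
    """Return the key to assign to app.secret_key, or raise RuntimeError.

    Failing loudly here is the point: a deployment that forgot SECRET_KEY should not
    come up at all, instead of serving cookies signed with a key anyone can read.
    """
    env = os.environ if env is None else env
    action, detail = classify_secret_key(env)
    if action == "use":
        return detail
    if action == "fail":
        raise RuntimeError(detail)
    warnings.warn(detail)
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Wiring into Flask would be a single line: app.secret_key = load_secret_key()
    # Constructed environment for a local run; a real app passes nothing and reads os.environ.
    print(load_secret_key({"APP_ENV": "development"}))
```

With this in place a production container that omits SECRET_KEY fails at import time with a clear message, while a developer who has not set anything still gets a working (but per-process) key, which is the behaviour the original `secrets.token_hex(16)` fallback provided.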

@entelligence-ai-pr-reviews
Contributor


Confidence Score: 1/5 - Blocking Issues

Not safe to merge — this PR introduces two serious regressions in app.py that are worse than the issues it attempts to fix. The missing comma in os.path.join('static' 'uploads') silently concatenates the string literals into 'staticuploads' via Python's implicit string concatenation, creating an incorrect file path that will break any upload or static file serving logic at runtime. Additionally, hardcoding a fallback secret key (e.g., app.secret_key = os.environ.get('SECRET_KEY', 'hardcoded-fallback')) exposes session signing to anyone who can read the repository, meaning any deployment missing the env var is silently insecure rather than failing loudly.

Key Findings:

  • Missing comma in os.path.join('static' 'uploads') causes Python's implicit string literal concatenation to produce the single string 'staticuploads' instead of joining two path components — this is a silent runtime bug that corrupts file paths for upload/static file handling.
  • The hardcoded fallback secret key in the SECRET_KEY env var lookup means any deployment that omits the environment variable will silently use a publicly known key, making all session cookies forgeable by anyone who has read the repo — a direct security vulnerability.
  • The PR's stated goals (remove unused http import, set stable secret key fallback) are reasonable in intent, but the implementation of both changes contains critical errors that make the result more broken and less secure than the original code.
Files requiring special attention
  • app.py

@asiyasafwana15-byte
Author

[Four screenshots attached, dated 2026-05-28.] I changed line 1 and line 21.
