diff --git a/CONTRIBUTING_GUIDE_GSSOC.md b/CONTRIBUTING_GUIDE_GSSOC.md
index 386a1ed..2c99514 100644
--- a/CONTRIBUTING_GUIDE_GSSOC.md
+++ b/CONTRIBUTING_GUIDE_GSSOC.md
@@ -32,45 +32,6 @@ Maintainers may ask you to confirm:
 
 If the maintainer asks for a smaller first step, follow that direction before expanding the change.
 
-
-## GSSoC Labels & Scoring (Project-specific)
-
-Maintainers use the following labels and scoring rules to award points for merged PRs. Apply the `gssoc:approved` label once a contribution meets the project standards (tests, style, and review).
-
-- **gssoc:approved** : +50 pts (base for every approved PR)
-
-Difficulty (pick one):
-
-- **level:beginner** : +20 pts
-- **level:intermediate** : +35 pts
-- **level:advanced** : +55 pts
-- **level:critical** : +80 pts
-
-Quality multiplier (optional):
-
-- **quality:clean** : ×1.2
-- **quality:exceptional** : ×1.5
-
-Type bonus (optional, stackable):
-
-- **type:docs** : +5
-- **type:bug** : +10
-- **type:feature** : +10
-- **type:testing** : +10
-- **type:design** : +10
-- **type:refactor** : +10
-- **type:accessibility** : +15
-- **type:performance** : +15
-- **type:devops** : +15
-- **type:security** : +20
-
-Formula (recommended):
-
-```
-50 + (difficulty × quality) + type bonus
-```
-
-Requirements to award points:
 ## Difficulty Expectations
 
 ### Easy
@@ -163,3 +124,48 @@ Requirements to award points:
 - PR must carry the **gssoc:approved** label (added by maintainers)
 
 Maintainers may adjust final points based on actual impact and implementation quality.
+
+## GSSoC Labels & Scoring (Project-specific)
+
+Maintainers use the following labels and scoring rules to award points for merged PRs. Apply the `gssoc:approved` label once a contribution meets the project standards (tests, style, and review).
+
+- **gssoc:approved** : +50 pts (base for every approved PR)
+
+Difficulty (pick one):
+
+- **level:beginner** : +20 pts
+- **level:intermediate** : +35 pts
+- **level:advanced** : +55 pts
+- **level:critical** : +80 pts
+
+Quality multiplier (optional):
+
+- **quality:clean** : ×1.2
+- **quality:exceptional** : ×1.5
+
+Type bonus (optional, stackable):
+
+- **type:docs** : +5
+- **type:bug** : +10
+- **type:feature** : +10
+- **type:testing** : +10
+- **type:design** : +10
+- **type:refactor** : +10
+- **type:accessibility** : +15
+- **type:performance** : +15
+- **type:devops** : +15
+- **type:security** : +20
+
+Formula (recommended):
+
+```
+50 + (difficulty × quality) + type bonus
+```
+
+Requirements to award points:
+
+- PR must be **merged**
+- At least **one review** approved
+- PR must carry the **gssoc:approved** label (added by maintainers)
+
+Maintainers may adjust final points based on actual impact and implementation quality.
diff --git a/GOOD_FIRST_ISSUE.md b/GOOD_FIRST_ISSUE.md
index ffbafc8..e84a2e9 100644
--- a/GOOD_FIRST_ISSUE.md
+++ b/GOOD_FIRST_ISSUE.md
@@ -1,81 +1,643 @@
-# Good First Issues for SecDev
+# SecDev Audit Report
 
-These starter issues are tailored to SecDev's current codebase and its Next.js, TypeScript, E2B, Neon, and Inngest architecture. They are intentionally scoped so a new contributor can learn the project without needing to change the entire system.
+## Console Pages Found
 
-## 1. Improve the SecDev Placeholder Screen
+- Account
+- API Testing
+- Attack Pipeline
+- Billing
+- Dashboard
+- Deployments
+- Deployment Detail
+- Env Vars
+- GitHub
+- Logs
+- Notifications
+- Performance
+- Projects
+- Sandboxes
+- Security
+- Security Agent
+- Settings
+- Test Suite
+- Vibetest
 
-**Problem**: Several console surfaces still rely on the shared placeholder UI, and the current message is generic.
+## File: app/api/env-vars/route.ts
 
-**Expected outcome**: Make the placeholder more informative for SecDev by adding context-specific copy and a clearer call to action for each page that uses it.
+## [CRITICAL] Unauthenticated env-var read/write endpoint
 
-**Skills needed**: React components, Tailwind CSS, basic Next.js App Router structure.
+**File:** `app/api/env-vars/route.ts`
+**Line(s):** `14–83`
+**Console Page (if applicable):** `Env Vars`
+**Severity:** `Critical`
 
-**Difficulty**: Easy
+### Description
 
-**Relevant files or folders**:
+This route exposes plaintext secret storage and mutation without any authentication or authorization checks. `GET` can reveal plaintext values with `reveal=1`, and `POST`/`DELETE` can overwrite or remove values for any `project` supplied by the caller.
 
-- `components/console/not-implemented.tsx`
-- `app/console/*/page.tsx`
+### Evidence (from code)
 
-## 2. Make the Console Sidebar More Accessible
+```ts
+export async function GET(request: Request) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const project = searchParams.get("project");
+    const reveal = searchParams.get("reveal") === "1";
 
-**Problem**: The console sidebar is functional, but the collapse and group-toggle interactions can be improved for keyboard and screen-reader users.
+    if (!project) {
+      return NextResponse.json(
+        { error: "project query param required" },
+        { status: 400 },
+      );
+    }
 
-**Expected outcome**: Add better accessibility labels, clearer focus behavior, and more descriptive toggle states while keeping the current design.
+    if (reveal) {
+      const vars = await getEnvVars(project);
+      return NextResponse.json({
+        ok: true,
+        vars: Object.entries(vars).map(([key, value]) => ({ key, value })),
+      });
+    }
 
-**Skills needed**: React event handling, accessibility basics, Lucide icons, Tailwind CSS.
+    const masked = await listEnvVars(project);
+    return NextResponse.json({ ok: true, vars: masked });
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : String(err);
+    return NextResponse.json({ ok: false, error: message }, { status: 500 });
+  }
+}
+```
+
+### Suggested Fix
+
+Require a valid session before any read or write, then restrict each `project` to the authenticated user's resources. For secret reads, avoid a plaintext reveal flag entirely or gate it behind a stricter admin-only policy.
 
-**Difficulty**: Easy
+## File: lib/env-store.ts
 
-**Relevant files or folders**:
+## [HIGH] Hardcoded fallback key weakens encrypted env vars
 
-- `components/console/sidebar.tsx`
-- `app/console/layout.tsx`
+**File:** `lib/env-store.ts`
+**Line(s):** `20`
+**Console Page (if applicable):** `Env Vars`
+**Severity:** `High`
 
-## 3. Remove Direct Console Logging from the Email Service
+### Description
 
-**Problem**: The email service still emits an info-level `console.log` path, which does not match the project's production logging expectations.
+If `NEXTAUTH_SECRET` is missing, secret encryption falls back to a hardcoded development string. That means env-var values can be decrypted with a predictable key instead of a deployment-specific secret.
 
-**Expected outcome**: Replace direct console logging with the project's structured logging approach so email events are handled consistently.
+### Evidence (from code)
 
-**Skills needed**: TypeScript, async/await, service-layer refactoring, logging hygiene.
+```ts
+function getKey(): Buffer {
+  const raw = process.env.NEXTAUTH_SECRET ?? "default-dev-secret-32-chars-long";
+  return createHash("sha256").update(raw).digest();
+}
+```
 
-**Difficulty**: Easy
+### Suggested Fix
 
-**Relevant files or folders**:
+Fail fast when `NEXTAUTH_SECRET` is absent in non-development environments. Do not derive encryption keys from a hardcoded fallback string.
 
-- `lib/email/mail-service.ts`
-- `lib/email/brevo.ts`
-- `lib/email/notifications.ts`
+## File: lib/deployer.ts
 
-## 4. Add Better Empty-State Copy to the Logs Page
+## [CRITICAL] Shell command injection in sandbox deployment pipeline
 
-**Problem**: The console logs view should guide users more clearly when no sandbox is selected or no log lines are available yet.
+**File:** `lib/deployer.ts`
+**Line(s):** `236, 266–272`
+**Console Page (if applicable):** `Deployments`
+**Severity:** `Critical`
 
-**Expected outcome**: Show helpful empty and error states so contributors can understand what to do next instead of seeing a blank or confusing view.
+### Description
 
-**Skills needed**: React state rendering, conditional UI, Next.js data fetching.
+User-controlled `repoUrl`, `branch`, and environment-variable data are interpolated directly into shell command strings. A crafted repository URL or branch can change the `git clone` command, and env-var content is concatenated into the install command without shell escaping.
 
-**Difficulty**: Easy
+### Evidence (from code)
 
-**Relevant files or folders**:
+```ts
+const cloneResult = await sandbox.commands.run(
+  `git clone --depth 1 --branch ${branch} ${repoUrl} /home/user/repo 2>&1`,
+  { onStdout, onStderr, timeoutMs: 120_000 },
+);
 
-- `app/console/logs/page.tsx`
-- `components/console/*`
+const envStr = envVars
+  ? Object.entries(envVars)
+      .map(([k, v]) => `${k}=${JSON.stringify(v)}`)
+      .join(" ")
+  : "";
 
-## 5. Improve Repository Browser Copy and CTA Clarity
+const installCmd = `cd /home/user/repo && ${envStr} ${pkgMgr} install 2>&1`;
+```
 
-**Problem**: The repository browser is one of the first user-facing flows in SecDev, and its cards/tables can explain the deploy action more clearly.
+### Suggested Fix
 
-**Expected outcome**: Refine the copy in the repository browser so users immediately understand what each repository state means and what happens when they click deploy.
+Stop building shell commands with string interpolation. Use argument arrays or a shell-escaping library, and validate `repoUrl`, `branch`, and env-var values against strict allowlists before they reach the sandbox.
 
-**Skills needed**: React components, UX copywriting, conditional rendering, TypeScript.
+## File: app/api/dashboard/stats/route.ts
 
-**Difficulty**: Medium
+## [HIGH] Dashboard stats leak legacy rows across users
 
-**Relevant files or folders**:
+**File:** `app/api/dashboard/stats/route.ts`
+**Line(s):** `29, 36, 43, 84`
+**Console Page (if applicable):** `Dashboard`
+**Severity:** `High`
 
-- `components/console/repository-card.tsx`
-- `components/console/repository-table.tsx`
-- `components/console/repository-list.tsx`
-- `app/console/projects/page.tsx`
+### Description
+
+Each stats query includes rows where `user_id = ''`, so any authenticated user can see records that were created without an owner. That leaks deployment, test-run, and security-agent counts across accounts and makes the dashboard totals untrustworthy.
+
+### Evidence (from code)
+
+```ts
+      sql`
+        SELECT status, COUNT(*) AS count
+        FROM deployments
+        WHERE user_id = ${userId} OR user_id = ''
+        GROUP BY status
+      `,
+      sql`
+        SELECT type, status, COUNT(*) AS count
+        FROM test_runs
+        WHERE user_id = ${userId} OR user_id = ''
+        GROUP BY type, status
+      `,
+      sql`
+        SELECT status, COUNT(*) AS count
+        FROM security_agent_runs
+        WHERE user_id = ${userId} OR user_id = ''
+        GROUP BY status
+      `,
+...
+      WHERE user_id = ${userId} OR user_id = ''
+```
+
+### Suggested Fix
+
+Remove the `user_id = ''` fallback and backfill/repair legacy rows before exposing them. If legacy rows must remain accessible, migrate them to a real owner or gate them behind a separate admin-only path.
+
+## File: app/api/deploy/[id]/route.ts
+
+## [HIGH] Empty-owner deployments bypass the ownership check
+
+**File:** `app/api/deploy/[id]/route.ts`
+**Line(s):** `17–18`
+**Console Page (if applicable):** `Deployments`
+**Severity:** `High`
+
+### Description
+
+The ownership check only rejects a deployment when `record.userId` is truthy and different from the session user. Any deployment row with an empty `userId` skips the check entirely, so authenticated users can read, restart, refresh, or delete those rows.
+
+### Evidence (from code)
+
+```ts
+if (record.userId && record.userId !== session.user.id) {
+  return {
+    error: NextResponse.json(
+      { ok: false, error: "Forbidden" },
+      { status: 403 },
+    ),
+  };
+}
+```
+
+### Suggested Fix
+
+Treat missing ownership as forbidden unless the record is explicitly marked public. Enforce ownership on insert and backfill existing rows so an empty `userId` cannot bypass access control.
+
+## File: app/api/tests/run/route.ts
+
+## [HIGH] Test-run history leaks and accepts legacy unowned rows
+
+**File:** `app/api/tests/run/route.ts`
+**Line(s):** `47–52, 93`
+**Console Page (if applicable):** `Test Suite`
+**Severity:** `High`
+
+### Description
+
+The POST path only blocks access when a deployment row exists and has a non-empty `user_id`. If the deployment row is missing or still has `user_id = ''`, the route creates a test run anyway. The GET path has the same `user_id = ''` fallback, so run history from those legacy rows is visible across users.
+
+### Evidence (from code)
+
+```ts
+    const dep = await sql`SELECT user_id FROM deployments WHERE sandbox_id = ${sandboxId} LIMIT 1`;
+    if (dep.length > 0 && dep[0].user_id && dep[0].user_id !== userId) {
+      return NextResponse.json({ ok: false, error: "Forbidden" }, { status: 403 });
+    }
+...
+      rows = await sql`SELECT * FROM test_runs WHERE (user_id = ${userId} OR user_id = '') ORDER BY created_at DESC LIMIT 100`;
+```
+
+### Suggested Fix
+
+Require an owned deployment row before starting a run, and stop exposing `user_id = ''` rows in history. If legacy runs must be retained, migrate them to a real owner or hide them from normal users.
+
+## File: app/api/tests/ai-plan/route.ts
+
+## [HIGH] AI planning trusts arbitrary sandbox IDs
+
+**File:** `app/api/tests/ai-plan/route.ts`
+**Line(s):** `79–92`
+**Console Page (if applicable):** `Security Agent`
+**Severity:** `High`
+
+### Description
+
+The route accepts any `sandboxId`, parses its routes, and sends the result to OpenAI without proving that the sandbox belongs to the authenticated user. A caller can therefore request AI planning for a sandbox they do not own, which misattributes analysis and can expose route structure.
+
+### Evidence (from code)
+
+```ts
+const { sandboxId } = (await request.json()) as { sandboxId?: string };
+if (!sandboxId) {
+  return NextResponse.json(
+    { ok: false, error: "sandboxId is required" },
+    { status: 400 },
+  );
+}
+
+// Discover routes
+const routes = await parseApiRoutes(sandboxId);
+if (routes.length === 0) {
+  return NextResponse.json(
+    { ok: false, error: "No API routes found in this deployment" },
+    { status: 404 },
+  );
+}
+
+const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY! });
+```
+
+### Suggested Fix
+
+Look up the deployment by `sandboxId` and verify ownership before parsing routes. Also guard `OPENAI_API_KEY` explicitly so the route fails with a clear configuration error instead of a runtime exception.
+
+## File: app/api/attack-pipeline/route.ts
+
+## [MEDIUM] Attack-pipeline runs are accepted for arbitrary sandbox IDs
+
+**File:** `app/api/attack-pipeline/route.ts`
+**Line(s):** `36–60`
+**Console Page (if applicable):** `Attack Pipeline`
+**Severity:** `Medium`
+
+### Description
+
+The POST handler stores and executes a run for whatever `sandboxId` the caller supplies, but it never checks that the sandbox belongs to the signed-in user. That allows a caller to misattribute runs to other sandbox IDs and pollute the attack-pipeline history.
+
+### Evidence (from code)
+
+```ts
+const { baseUrl, sandboxId, useAi = false, includePerformance = false } = body;
+
+if (!baseUrl || typeof baseUrl !== "string") {
+  return NextResponse.json(
+    { ok: false, error: "baseUrl is required" },
+    { status: 400 },
+  );
+}
+
+// Basic URL validation — must start with http(s)://
+if (!/^https?:\/\/.+/i.test(baseUrl)) {
+  return NextResponse.json(
+    { ok: false, error: "baseUrl must start with http:// or https://" },
+    { status: 400 },
+  );
+}
+
+await ensureTables();
+const sql = getDb();
+
+const runId = `ap_${randomBytes(8).toString("hex")}`;
+
+// Insert run record immediately so history shows it
+await sql`
+    INSERT INTO attack_pipeline_runs
+      (id, user_id, base_url, sandbox_id, status, created_at)
+    VALUES
+      (${runId}, ${userId}, ${baseUrl}, ${sandboxId ?? null}, 'running', ${Date.now()})
+  `;
+```
+
+### Suggested Fix
+
+Verify the sandbox ownership before inserting the run record. If the sandbox does not belong to the authenticated user, return `403` and do not persist or execute the scan.
+
+## File: app/console/dashboard/page.tsx
+
+## [MEDIUM] Dashboard swallows stats fetch failures
+
+**File:** `app/console/dashboard/page.tsx`
+**Line(s):** `53–64`
+**Console Page (if applicable):** `Dashboard`
+**Severity:** `Medium`
+
+### Description
+
+The page fetches dashboard stats on mount, but the `catch` handler does nothing and the component never tracks an error state. If `/api/dashboard/stats` fails, the page quietly shows stale or empty metrics with no feedback to the user.
+
+### Evidence (from code)
+
+```ts
+const fetchStats = async () => {
+  try {
+    const res = await fetch("/api/dashboard/stats");
+    const data = await res.json();
+    if (data.ok) setStats(data);
+  } catch {
+    /* ignore */
+  }
+  setLoading(false);
+};
+
+useEffect(() => {
+  fetch("/api/dashboard/stats")
+    .then((r) => r.json())
+    .then((data) => {
+      if (data.ok) setStats(data);
+    })
+    .catch(() => {})
+    .finally(() => setLoading(false));
+}, []);
+```
+
+### Suggested Fix
+
+Store a visible error state and render an inline failure message or retry control when the stats request fails. Avoid maintaining two separate fetch paths for the same mount-time data.
+
+## File: app/console/settings/page.tsx
+
+## [MEDIUM] Save Changes is only local UI state
+
+**File:** `app/console/settings/page.tsx`
+**Line(s):** `43–180`
+**Console Page (if applicable):** `Settings`
+**Severity:** `Medium`
+
+### Description
+
+The settings page presents editable deployment settings and a `Save Changes` button, but the save handler only flips local state and never persists anything. Users can interact with the form, but none of the values are written to the backend.
+
+### Evidence (from code)
+
+```ts
+  const save = () => {
+    setSaved(true);
+    setTimeout(() => setSaved(false), 2000);
+  };
+...
+      <div className="flex justify-end">
+        <button
+          onClick={save}
+          className={`flex items-center gap-2 px-5 py-2 text-sm font-medium rounded-lg transition-all ${
+            saved
+              ? "bg-green-600 text-white"
+              : "bg-gray-900 dark:bg-white dark:text-gray-900 hover:bg-gray-700 dark:hover:bg-gray-100 text-white"
+          }`}
+        >
+          <Save className="w-4 h-4" />
+          {saved ? "Saved!" : "Save Changes"}
+        </button>
+      </div>
+```
+
+### Suggested Fix
+
+Wire the form up to a real persistence endpoint or remove the save affordance until storage exists. If the page is intentionally mock-only, label it clearly so it does not imply persistence.
+
+## File: app/console/attack-pipeline/page.tsx
+
+## [LOW] Attack Pipeline page hides deployment and history load failures
+
+**File:** `app/console/attack-pipeline/page.tsx`
+**Line(s):** `260, 280, 312`
+**Console Page (if applicable):** `Attack Pipeline`
+**Severity:** `Low`
+
+### Description
+
+The page silently ignores failures while loading deployments and run history, so the UI can remain empty or stale without explaining why. That makes it hard to distinguish “no data” from “backend failed.”
+
+### Evidence (from code)
+
+```ts
+    fetch("/api/deploy")
+      .then((r) => r.json())
+      .then((d) => {
+        if (d.ok) {
+          const all = (d.deployments ?? []).filter((dep: Deployment) => dep.status !== "failed");
+          setDeployments(all);
+          if (all.length > 0) setSelectedSandbox(all[0].sandboxId);
+        }
+      })
+      .catch(() => null);
+...
+      .catch(() => null)
+...
+      }).catch(() => null);
+```
+
+### Suggested Fix
+
+Track a visible error state for deployment/history loading and render a retry or empty-state message when the fetch fails.
+
+## File: app/console/api-testing/page.tsx
+
+## [LOW] API Testing page suppresses history/loading errors
+
+**File:** `app/console/api-testing/page.tsx`
+**Line(s):** `110`
+**Console Page (if applicable):** `API Testing`
+**Severity:** `Low`
+
+### Description
+
+The API testing page suppresses fetch failures while loading run history, so the page can render with no runs and no explanation if the backend is down. That makes troubleshooting much harder for users.
+
+### Evidence (from code)
+
+```ts
+try {
+  const res = await fetch(
+    `/api/tests/run?sandboxId=${selectedSandbox}&type=api`,
+  );
+  const data = await res.json();
+  if (data.ok) setRuns(data.runs ?? []);
+} catch {
+  /* ignore */
+}
+```
+
+### Suggested Fix
+
+Add an error state for the history fetch and expose a retry action in the page UI.
+
+## File: app/console/security/page.tsx
+
+## [LOW] Security page suppresses history/loading errors
+
+**File:** `app/console/security/page.tsx`
+**Line(s):** `130`
+**Console Page (if applicable):** `Security`
+**Severity:** `Low`
+
+### Description
+
+The Security page ignores failures when loading scan history, so the page can appear empty even when the backend request failed. There is no visible fallback or retry path for users.
+
+### Evidence (from code)
+
+```ts
+try {
+  const res = await fetch(
+    `/api/tests/run?sandboxId=${selectedSandbox}&type=security`,
+  );
+  const data = await res.json();
+  if (data.ok) setScanRuns(data.runs ?? []);
+} catch {
+  /* ignore */
+}
+```
+
+### Suggested Fix
+
+Track an error message for failed history loads and render it alongside the existing scan controls.
+
+## File: app/console/performance/page.tsx
+
+## [LOW] Performance page suppresses history/load failures
+
+**File:** `app/console/performance/page.tsx`
+**Line(s):** `79`
+**Console Page (if applicable):** `Performance`
+**Severity:** `Low`
+
+### Description
+
+The Performance page swallows fetch failures when loading historical runs and selected-run results. That leaves the UI with empty state instead of a useful error message when the backend request fails.
+
+### Evidence (from code)
+
+```ts
+try {
+  const res = await fetch(
+    `/api/tests/run?sandboxId=${selectedSandbox}&type=performance`,
+  );
+  const data = await res.json();
+  if (data.ok) setRuns(data.runs ?? []);
+} catch {
+  /* ignore */
+}
+```
+
+### Suggested Fix
+
+Record a fetch error and display a retry affordance so failures are visible instead of silent.
+
+## File: app/console/vibetest/page.tsx
+
+## [LOW] Vibetest page suppresses history/load failures
+
+**File:** `app/console/vibetest/page.tsx`
+**Line(s):** `85`
+**Console Page (if applicable):** `Vibetest`
+**Severity:** `Low`
+
+### Description
+
+The Vibetest page ignores failures while loading run history and result data. Users get no indication that the backend request failed, which makes the page look broken or empty.
+
+### Evidence (from code)
+
+```ts
+try {
+  const res = await fetch(
+    `/api/tests/run?sandboxId=${selectedSandbox}&type=vibetest`,
+  );
+  const data = await res.json();
+  if (data.ok) setRuns(data.runs ?? []);
+} catch {
+  /* ignore */
+}
+```
+
+### Suggested Fix
+
+Add error state and retry UI around the run-history load path.
+
+## File: app/console/testing/page.tsx
+
+## [LOW] Test Suite page suppresses history/load failures
+
+**File:** `app/console/testing/page.tsx`
+**Line(s):** `558`
+**Console Page (if applicable):** `Test Suite`
+**Severity:** `Low`
+
+### Description
+
+The Test Suite page silently ignores fetch failures while loading run history, so a broken backend looks identical to an empty project. That makes it easy for users to miss a real error.
+
+### Evidence (from code)
+
+```ts
+try {
+  const res = await fetch(
+    `/api/tests/run?sandboxId=${selectedSandbox}&type=suite`,
+  );
+  const data = await res.json();
+  if (data.ok) setRuns(data.runs ?? []);
+} catch {
+  /* ignore */
+}
+```
+
+### Suggested Fix
+
+Surface a visible error state and let the user retry the run-history load.
+
+## File: app/console/testing/page.tsx.bak
+
+## [LOW] Stale backup file left in the tracked source tree
+
+**File:** `app/console/testing/page.tsx.bak`
+**Line(s):** `1–260`
+**Console Page (if applicable):** `Test Suite`
+**Severity:** `Low`
+
+### Description
+
+The repository contains a full backup copy of the Test Suite page alongside the real page implementation. That is dead code from the application's perspective and creates a maintenance risk because future edits can diverge from the active page.
+
+### Evidence (from code)
+
+```ts
+"use client";
+
+import { useEffect, useState, useCallback, useRef } from "react";
+import Link from "next/link";
+import {
+  Globe,
+  Play,
+  RefreshCw,
+  CheckCircle2,
+  XCircle,
+  AlertTriangle,
+  Loader2,
+  ExternalLink,
+  Shield,
+  Code2,
+  Zap,
+  Sparkles,
+  Square,
+  BarChart3,
+  Clock,
+  Activity,
+  ChevronRight,
+  TestTube2,
+} from "lucide-react";
+```
+
+### Suggested Fix
+
+Delete the `.bak` file once the active page is confirmed, or move it outside the source tree if it is needed as a reference snapshot.
diff --git a/app/api/auth/register/route.ts b/app/api/auth/register/route.ts
new file mode 100644
index 0000000..e7620c5
--- /dev/null
+++ b/app/api/auth/register/route.ts
@@ -0,0 +1,47 @@
+import { NextResponse } from "next/server";
+import { createUser } from "@/lib/user-auth";
+
+type RegisterBody = {
+  email?: string;
+  password?: string;
+};
+
+export async function POST(request: Request) {
+  try {
+    const body = (await request.json()) as RegisterBody;
+    const email = body.email?.trim();
+    const password = body.password ?? "";
+
+    if (!email || !password) {
+      return NextResponse.json(
+        { ok: false, error: "Email and password are required", code: "INVALID_INPUT", detail: "Missing email or password" },
+        { status: 400 }
+      );
+    }
+
+    if (password.length < 6) {
+      return NextResponse.json(
+        { ok: false, error: "Password must be at least 6 characters", code: "INVALID_PASSWORD", detail: "Password too short" },
+        { status: 400 }
+      );
+    }
+
+    const userId = await createUser(email, password);
+
+    return NextResponse.json({ ok: true, data: { userId } }, { status: 201 });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Registration failed";
+
+    if (message === "EMAIL_IN_USE") {
+      return NextResponse.json(
+        { ok: false, error: "Email already in use", code: "EMAIL_IN_USE", detail: "Choose a different email address" },
+        { status: 409 }
+      );
+    }
+
+    return NextResponse.json(
+      { ok: false, error: "Registration failed", code: "REGISTRATION_FAILED", detail: message },
+      { status: 500 }
+    );
+  }
+}
diff --git a/app/console/account/page.tsx b/app/console/account/page.tsx
index 7c83fb9..1e18bc0 100644
--- a/app/console/account/page.tsx
+++ b/app/console/account/page.tsx
@@ -1,204 +1,12 @@
-"use client";
-import { useState } from "react";
-import { User, Lock, ShieldAlert, Camera, Check, Eye, EyeOff } from "lucide-react";
+import { auth } from "@/lib/auth";
+import { getUserProfile, getUserProfileByEmail } from "@/lib/user-auth";
+import { AccountPageClient } from "@/components/console/account-page-client";
 
-function Section({ title, icon, children }: { title: string; icon: React.ReactNode; children: React.ReactNode }) {
-  return (
-    <div className="bg-white dark:bg-zinc-900 border border-gray-200 dark:border-zinc-800 rounded-xl p-6">
-      <div className="flex items-center gap-2 text-sm font-semibold text-gray-900 dark:text-white mb-5 pb-3 border-b border-gray-100 dark:border-zinc-800">
-        <span className="text-gray-500 dark:text-zinc-400">{icon}</span>
-        {title}
-      </div>
-      {children}
-    </div>
-  );
-}
-
-function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
-  return (
-    <div>
-      <label className="block text-sm font-medium text-gray-700 dark:text-zinc-300 mb-1.5">{label}</label>
-      {children}
-      {hint && <p className="text-xs text-gray-400 dark:text-zinc-600 mt-1">{hint}</p>}
-    </div>
-  );
-}
-
-export default function AccountPage() {
-  const [showOld, setShowOld] = useState(false);
-  const [showNew, setShowNew] = useState(false);
-  const [deleteInput, setDeleteInput] = useState("");
-  const [profileSaved, setProfileSaved] = useState(false);
-  const [pwSaved, setPwSaved] = useState(false);
-
-  const saveProfile = () => {
-    setProfileSaved(true);
-    setTimeout(() => setProfileSaved(false), 2000);
-  };
-  const savePw = () => {
-    setPwSaved(true);
-    setTimeout(() => setPwSaved(false), 2000);
-  };
-
-  return (
-    <div className="space-y-6 max-w-2xl mx-auto">
-      <div>
-        <h1 className="text-2xl font-bold text-gray-900 dark:text-white">Account</h1>
-        <p className="text-sm text-gray-500 dark:text-zinc-500 mt-0.5">Manage your profile and security settings</p>
-      </div>
-
-      {/* Profile */}
-      <Section title="Profile" icon={<User className="w-4 h-4" />}>
-        <div className="space-y-5">
-          {/* Avatar */}
-          <div className="flex items-center gap-4">
-            <div className="relative group cursor-pointer">
-              <div className="w-16 h-16 rounded-full bg-gray-900 dark:bg-white flex items-center justify-center text-2xl text-white dark:text-gray-900 font-bold select-none">
-                D
-              </div>
-              <div className="absolute inset-0 rounded-full bg-black/40 flex items-center justify-center opacity-0 group-hover:opacity-100 transition-opacity">
-                <Camera className="w-5 h-5 text-white" />
-              </div>
-            </div>
-            <div>
-              <p className="text-sm font-medium text-gray-800 dark:text-zinc-200">Profile Picture</p>
-              <p className="text-xs text-gray-500 dark:text-zinc-500">Click to upload a new avatar (PNG, JPG)</p>
-            </div>
-          </div>
-
-          <Field label="Display Name">
-            <input
-              defaultValue=""
-              placeholder="Enter your name"
-              className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-gray-500 dark:focus:border-zinc-400 transition-colors"
-            />
-          </Field>
-          <Field label="Email Address" hint="Your email is managed through your authentication provider.">
-            <input
-              defaultValue=""
-              placeholder="Enter your email"
-              readOnly
-              className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-gray-500 dark:focus:border-zinc-400 transition-colors"
-            />
-          </Field>
-          <Field label="Username">
-            <input
-              defaultValue=""
-              placeholder="Enter your username"
-              className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-gray-500 dark:focus:border-zinc-400 transition-colors"
-            />
-          </Field>
-          <button
-            onClick={saveProfile}
-            className={`flex items-center gap-2 px-5 py-2 text-sm font-medium rounded-lg transition-colors ${
-              profileSaved ? "bg-green-600 text-white" : "bg-gray-900 dark:bg-white dark:text-gray-900 hover:bg-gray-700 dark:hover:bg-gray-100 text-white"
-            }`}
-          >
-            {profileSaved && <Check className="w-4 h-4" />}
-            {profileSaved ? "Saved!" : "Save Profile"}
-          </button>
-        </div>
-      </Section>
-
-      {/* Security */}
-      <Section title="Security" icon={<Lock className="w-4 h-4" />}>
-        <div className="space-y-5">
-          <Field label="Current Password">
-            <div className="relative">
-              <input
-                type={showOld ? "text" : "password"}
-                placeholder="••••••••"
-                className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 pr-10 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-gray-500 dark:focus:border-zinc-400 transition-colors"
-              />
-              <button
-                type="button"
-                onClick={() => setShowOld(!showOld)}
-                className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-400 dark:text-zinc-500 hover:text-gray-600 dark:hover:text-zinc-300 transition-colors"
-              >
-                {showOld ? <EyeOff className="w-4 h-4" /> : <Eye className="w-4 h-4" />}
-              </button>
-            </div>
-          </Field>
-          <Field label="New Password" hint="Minimum 8 characters. Use uppercase, numbers, and symbols.">
-            <div className="relative">
-              <input
-                type={showNew ? "text" : "password"}
-                placeholder="••••••••"
-                className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 pr-10 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-gray-500 dark:focus:border-zinc-400 transition-colors"
-              />
-              <button
-                type="button"
-                onClick={() => setShowNew(!showNew)}
-                className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-400 dark:text-zinc-500 hover:text-gray-600 dark:hover:text-zinc-300 transition-colors"
-              >
-                {showNew ? <EyeOff className="w-4 h-4" /> : <Eye className="w-4 h-4" />}
-              </button>
-            </div>
-          </Field>
-          <button
-            onClick={savePw}
-            className={`flex items-center gap-2 px-5 py-2 text-sm font-medium rounded-lg transition-colors ${
-              pwSaved ? "bg-green-600 text-white" : "bg-gray-900 dark:bg-white dark:text-gray-900 hover:bg-gray-700 dark:hover:bg-gray-100 text-white"
-            }`}
-          >
-            {pwSaved && <Check className="w-4 h-4" />}
-            {pwSaved ? "Updated!" : "Update Password"}
-          </button>
-        </div>
-      </Section>
-
-      {/* Sessions */}
-      <Section title="Active Sessions" icon={<Lock className="w-4 h-4" />}>
-        <div className="space-y-3">
-          {[
-            { device: "Chrome on macOS", loc: "Bengaluru, IN", current: true },
-            { device: "VS Code Extension", loc: "Bengaluru, IN", current: false },
-          ].map((s) => (
-            <div key={s.device} className="flex items-center justify-between p-3 bg-gray-50 dark:bg-zinc-800 rounded-lg">
-              <div>
-                <p className="text-sm font-medium text-gray-800 dark:text-zinc-200">{s.device}</p>
-                <p className="text-xs text-gray-500 dark:text-zinc-500">{s.loc}</p>
-              </div>
-              {s.current ? (
-                <span className="text-xs bg-emerald-100 dark:bg-emerald-500/10 text-emerald-700 dark:text-emerald-400 px-2 py-0.5 rounded-full border border-emerald-200 dark:border-emerald-500/20">
-                  Current
-                </span>
-              ) : (
-                <button className="text-xs text-red-500 hover:text-red-600 transition-colors">Revoke</button>
-              )}
-            </div>
-          ))}
-        </div>
-      </Section>
+export default async function AccountPage() {
+  const session = await auth();
+  const userById = session?.user?.id ? await getUserProfile(session.user.id) : null;
+  const user = userById ?? (session?.user?.email ? await getUserProfileByEmail(session.user.email) : null);
+  const hasGithubConnection = Boolean(session?.accessToken);
 
-      {/* Danger Zone */}
-      <div className="bg-white dark:bg-zinc-900 border border-red-200 dark:border-red-500/30 rounded-xl p-6">
-        <div className="flex items-center gap-2 text-sm font-semibold text-red-600 dark:text-red-400 mb-4 pb-3 border-b border-red-100 dark:border-red-500/20">
-          <ShieldAlert className="w-4 h-4" />
-          Danger Zone
-        </div>
-        <p className="text-sm text-gray-600 dark:text-zinc-400 mb-4">
-          Permanently delete your account and all associated data. This action cannot be undone.
-        </p>
-        <Field label='Type "delete my account" to confirm'>
-          <input
-            value={deleteInput}
-            onChange={(e) => setDeleteInput(e.target.value)}
-            placeholder='delete my account'
-            className="w-full bg-gray-50 dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-lg px-3 py-2 text-sm text-gray-900 dark:text-white focus:outline-none focus:border-red-400 transition-colors"
-          />
-        </Field>
-        <button
-          disabled={deleteInput !== "delete my account"}
-          className={`mt-4 px-5 py-2 text-sm font-medium rounded-lg transition-colors ${
-            deleteInput === "delete my account"
-              ? "bg-red-600 hover:bg-red-500 text-white"
-              : "bg-gray-100 dark:bg-zinc-800 text-gray-400 dark:text-zinc-600 cursor-not-allowed"
-          }`}
-        >
-          Delete My Account
-        </button>
-      </div>
-    </div>
-  );
+  return <AccountPageClient user={user} hasGithubConnection={hasGithubConnection} />;
 }
diff --git a/app/console/github/page.tsx b/app/console/github/page.tsx
new file mode 100644
index 0000000..2328bfd
--- /dev/null
+++ b/app/console/github/page.tsx
@@ -0,0 +1,32 @@
+import { auth } from "@/lib/auth";
+import { RepositoryList } from "@/components/console/repository-list";
+import { GitHubConnectButton } from "@/components/console/github-connect-button";
+
+export default async function GitHubConsolePage() {
+  const session = await auth();
+  const hasGithubConnection = Boolean(session?.accessToken);
+
+  return (
+    <div className="space-y-6 max-w-5xl mx-auto">
+      <div>
+        <h1 className="text-2xl font-bold text-gray-900 dark:text-white">GitHub</h1>
+        <p className="mt-0.5 text-sm text-gray-500 dark:text-zinc-500">
+          Connect GitHub once, then browse repositories and deploy directly from SecDev.
+        </p>
+      </div>
+
+      {!hasGithubConnection ? (
+        <div className="rounded-xl border border-gray-200 bg-white p-6 dark:border-zinc-800 dark:bg-zinc-900">
+          <p className="text-sm text-gray-600 dark:text-zinc-400">
+            GitHub is not connected yet. Use the button below to authorize GitHub for this account.
+          </p>
+          <GitHubConnectButton callbackUrl="/console/github" />
+        </div>
+      ) : null}
+
+      <div className="bg-white dark:bg-zinc-900 border border-gray-200 dark:border-zinc-800 rounded-xl p-5">
+        <RepositoryList showViewToggle={false} defaultView="table" compact={false} />
+      </div>
+    </div>
+  );
+}
\ No newline at end of file
diff --git a/app/login/page.tsx b/app/login/page.tsx
index 37b8781..c302fd8 100644
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -3,9 +3,23 @@ import React, { useState } from "react";
 import { useRouter } from "next/navigation";
 import Link from "next/link";
 import { Eye, EyeOff } from "lucide-react";
-import { signInWithEmail } from "@/lib/firebase";
 import { signIn } from "next-auth/react";
-import { Github } from "lucide-react";
+
+function getLoginErrorMessage(error: string | null | undefined): string {
+  if (!error) {
+    return "Sign in failed";
+  }
+
+  if (error === "CredentialsSignin") {
+    return "Invalid email or password";
+  }
+
+  if (error === "Configuration") {
+    return "Auth configuration error. Check NEXTAUTH_SECRET, NEXTAUTH_URL, and the enabled providers.";
+  }
+
+  return error;
+}
 
 export default function LoginPage() {
   const [email, setEmail] = useState("");
@@ -21,10 +35,21 @@ export default function LoginPage() {
     setLoading(true);
     setError(null);
     try {
-      await signInWithEmail(email, password);
-      router.push("/");
+      const result = await signIn("credentials", {
+        email,
+        password,
+        redirect: false,
+        callbackUrl: "/console/dashboard",
+      });
+
+      if (!result || result.error) {
+        throw new Error(result?.error ?? "Sign in failed");
+      }
+
+      router.push("/console/dashboard");
     } catch (err: unknown) {
-      setError(err instanceof Error ? err.message : "Sign in failed");
+      const message = err instanceof Error ? getLoginErrorMessage(err.message) : "Sign in failed";
+      setError(message);
     } finally {
       setLoading(false);
     }
@@ -116,19 +141,13 @@ export default function LoginPage() {
           {/* Divider */}
           <div className="flex items-center gap-3 mt-4">
             <div className="flex-1 h-px bg-zinc-800" />
-            <span className="text-xs text-zinc-600">or continue with</span>
+            <span className="text-xs text-zinc-600">credentials only</span>
             <div className="flex-1 h-px bg-zinc-800" />
           </div>
 
-          {/* GitHub OAuth */}
-          <button
-            type="button"
-            onClick={() => signIn("github", { callbackUrl: "/console/dashboard" })}
-            className="mt-2 w-full flex items-center justify-center gap-3 rounded-2xl border border-zinc-700 bg-zinc-900 hover:bg-zinc-800 px-4 py-3.5 text-sm font-semibold text-white transition-colors"
-          >
-            <Github className="w-4 h-4" />
-            Sign in with GitHub
-          </button>
+          <p className="mt-3 text-center text-xs text-zinc-500">
+            Use email and password to sign in. After login, you can connect GitHub from your account page.
+          </p>
 
           {/* Sign up link */}
           <p className="mt-6 text-center text-sm text-zinc-500">
diff --git a/app/register/page.tsx b/app/register/page.tsx
index 60cab69..f1b70f3 100644
--- a/app/register/page.tsx
+++ b/app/register/page.tsx
@@ -3,9 +3,6 @@ import React, { useState } from "react";
 import { useRouter } from "next/navigation";
 import Link from "next/link";
 import { Eye, EyeOff } from "lucide-react";
-import { signUpWithEmail } from "@/lib/firebase";
-import { signIn } from "next-auth/react";
-import { Github } from "lucide-react";
 
 export default function RegisterPage() {
   const [email, setEmail] = useState("");
@@ -20,8 +17,19 @@ export default function RegisterPage() {
     setLoading(true);
     setError(null);
     try {
-      await signUpWithEmail(email, password);
-      router.push("/");
+      const response = await fetch("/api/auth/register", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password }),
+      });
+
+      const payload = (await response.json()) as { ok?: boolean; error?: string; detail?: string };
+
+      if (!response.ok || !payload.ok) {
+        throw new Error(payload.error ?? payload.detail ?? "Registration failed");
+      }
+
+      router.push("/login");
     } catch (err: unknown) {
       setError(err instanceof Error ? err.message : "Registration failed");
     } finally {
@@ -47,6 +55,12 @@ export default function RegisterPage() {
             </div>
           )}
 
+          {error === "Email already in use" && (
+            <p className="mb-4 text-sm text-zinc-500">
+              That account already exists. Use <Link href="/login" className="text-blue-400 hover:text-blue-300 transition-colors">Sign In</Link> instead.
+            </p>
+          )}
+
           {/* Form */}
           <form onSubmit={handleSubmit} className="space-y-5">
             {/* Email */}
@@ -106,19 +120,13 @@ export default function RegisterPage() {
           {/* Divider */}
           <div className="flex items-center gap-3 mt-4">
             <div className="flex-1 h-px bg-zinc-800" />
-            <span className="text-xs text-zinc-600">or continue with</span>
+            <span className="text-xs text-zinc-600">credentials only</span>
             <div className="flex-1 h-px bg-zinc-800" />
           </div>
 
-          {/* GitHub OAuth */}
-          <button
-            type="button"
-            onClick={() => signIn("github", { callbackUrl: "/console/dashboard" })}
-            className="mt-2 w-full flex items-center justify-center gap-3 rounded-2xl border border-zinc-700 bg-zinc-900 hover:bg-zinc-800 px-4 py-3.5 text-sm font-semibold text-white transition-colors"
-          >
-            <Github className="w-4 h-4" />
-            Sign up with GitHub
-          </button>
+          <p className="mt-3 text-center text-xs text-zinc-500">
+            After creating credentials, sign in and connect GitHub later from your account page.
+          </p>
 
           {/* Sign in link */}
           <p className="mt-6 text-center text-sm text-zinc-500">
diff --git a/components/console/account-page-client.tsx b/components/console/account-page-client.tsx
new file mode 100644
index 0000000..2f577df
--- /dev/null
+++ b/components/console/account-page-client.tsx
@@ -0,0 +1,239 @@
+"use client";
+
+import { useState } from "react";
+import { Github, User, Lock, ShieldAlert, Camera, Check, Eye, EyeOff } from "lucide-react";
+import { signIn } from "next-auth/react";
+import type { UserProfile } from "@/lib/user-auth";
+
+function Section({ title, icon, children }: { title: string; icon: React.ReactNode; children: React.ReactNode }) {
+  return (
+    <div className="rounded-xl border border-gray-200 bg-white p-6 dark:border-zinc-800 dark:bg-zinc-900">
+      <div className="mb-5 flex items-center gap-2 border-b border-gray-100 pb-3 text-sm font-semibold text-gray-900 dark:border-zinc-800 dark:text-white">
+        <span className="text-gray-500 dark:text-zinc-400">{icon}</span>
+        {title}
+      </div>
+      {children}
+    </div>
+  );
+}
+
+function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <label className="mb-1.5 block text-sm font-medium text-gray-700 dark:text-zinc-300">{label}</label>
+      {children}
+      {hint && <p className="mt-1 text-xs text-gray-400 dark:text-zinc-600">{hint}</p>}
+    </div>
+  );
+}
+
+function formatCreatedAt(createdAt: number): string {
+  const timestamp = Number(createdAt);
+  if (!Number.isFinite(timestamp)) {
+    return "Unknown";
+  }
+
+  return new Intl.DateTimeFormat("en", { dateStyle: "medium", timeStyle: "short" }).format(new Date(timestamp));
+}
+
+export function AccountPageClient({ user, hasGithubConnection }: { user: UserProfile | null; hasGithubConnection: boolean }) {
+  const [showOld, setShowOld] = useState(false);
+  const [showNew, setShowNew] = useState(false);
+  const [deleteInput, setDeleteInput] = useState("");
+  const [profileSaved, setProfileSaved] = useState(false);
+  const [pwSaved, setPwSaved] = useState(false);
+
+  const saveProfile = () => {
+    setProfileSaved(true);
+    setTimeout(() => setProfileSaved(false), 2000);
+  };
+
+  const savePw = () => {
+    setPwSaved(true);
+    setTimeout(() => setPwSaved(false), 2000);
+  };
+
+  return (
+    <div className="mx-auto max-w-2xl space-y-6">
+        <div>
+          <h1 className="text-2xl font-bold text-gray-900 dark:text-white">Account</h1>
+          <p className="mt-0.5 text-sm text-gray-500 dark:text-zinc-500">Manage your profile and security settings</p>
+        </div>
+
+        <Section title="Profile" icon={<User className="h-4 w-4" />}>
+          <div className="space-y-5">
+            {!hasGithubConnection && (
+              <div className="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-zinc-800 dark:bg-zinc-800/50">
+                <p className="text-sm font-medium text-gray-800 dark:text-zinc-200">GitHub connection</p>
+                <p className="mt-1 text-xs text-gray-500 dark:text-zinc-500">
+                  Connect GitHub after credentials login to unlock repository features.
+                </p>
+                <button
+                  type="button"
+                  onClick={() => signIn("github", { callbackUrl: "/console/account" })}
+                  className="mt-3 inline-flex items-center gap-2 rounded-lg bg-gray-900 px-4 py-2 text-sm font-medium text-white transition-colors hover:bg-gray-700 dark:bg-white dark:text-gray-900 dark:hover:bg-gray-100"
+                >
+                  <Github className="h-4 w-4" />
+                  Connect GitHub
+                </button>
+              </div>
+            )}
+
+            <div className="flex items-center gap-4">
+              <div className="group relative cursor-pointer">
+                <div className="flex h-16 w-16 select-none items-center justify-center rounded-full bg-gray-900 text-2xl font-bold text-white dark:bg-white dark:text-gray-900">
+                  {user?.email?.[0]?.toUpperCase() ?? "U"}
+                </div>
+                <div className="absolute inset-0 flex items-center justify-center rounded-full bg-black/40 opacity-0 transition-opacity group-hover:opacity-100">
+                  <Camera className="h-5 w-5 text-white" />
+                </div>
+              </div>
+              <div>
+                <p className="text-sm font-medium text-gray-800 dark:text-zinc-200">Account Avatar</p>
+                <p className="text-xs text-gray-500 dark:text-zinc-500">Use a generic avatar for privacy.</p>
+              </div>
+            </div>
+
+            <Field label="Display Name">
+              <input
+                value={user?.email?.split("@")[0] ?? ""}
+                readOnly
+                className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+              />
+            </Field>
+            <Field label="Email Address">
+              <input
+                value={user?.email ?? ""}
+                readOnly
+                className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+              />
+            </Field>
+            <Field label="User ID">
+              <input
+                value={user?.id ?? ""}
+                readOnly
+                className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+              />
+            </Field>
+            <Field label="Created At">
+              <input
+                value={user?.createdAt ? formatCreatedAt(user.createdAt) : ""}
+                readOnly
+                className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+              />
+            </Field>
+            <button
+              onClick={saveProfile}
+              className={`flex items-center gap-2 rounded-lg px-5 py-2 text-sm font-medium transition-colors ${
+                profileSaved
+                  ? "bg-green-600 text-white"
+                  : "bg-gray-900 text-white hover:bg-gray-700 dark:bg-white dark:text-gray-900 dark:hover:bg-gray-100"
+              }`}
+            >
+              {profileSaved && <Check className="h-4 w-4" />}
+              {profileSaved ? "Saved!" : "Save Profile"}
+            </button>
+          </div>
+        </Section>
+
+        <Section title="Security" icon={<Lock className="h-4 w-4" />}>
+          <div className="space-y-5">
+            <Field label="Current Password">
+              <div className="relative">
+                <input
+                  type={showOld ? "text" : "password"}
+                  placeholder="••••••••"
+                  className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 pr-10 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+                />
+                <button
+                  type="button"
+                  onClick={() => setShowOld(!showOld)}
+                  className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-400 transition-colors hover:text-gray-600 dark:text-zinc-500 dark:hover:text-zinc-300"
+                >
+                  {showOld ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+                </button>
+              </div>
+            </Field>
+            <Field label="New Password" hint="Minimum 8 characters. Use uppercase, numbers, and symbols.">
+              <div className="relative">
+                <input
+                  type={showNew ? "text" : "password"}
+                  placeholder="••••••••"
+                  className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 pr-10 text-sm text-gray-900 transition-colors focus:border-gray-500 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-zinc-400"
+                />
+                <button
+                  type="button"
+                  onClick={() => setShowNew(!showNew)}
+                  className="absolute right-3 top-1/2 -translate-y-1/2 text-gray-400 transition-colors hover:text-gray-600 dark:text-zinc-500 dark:hover:text-zinc-300"
+                >
+                  {showNew ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+                </button>
+              </div>
+            </Field>
+            <button
+              onClick={savePw}
+              className={`flex items-center gap-2 rounded-lg px-5 py-2 text-sm font-medium transition-colors ${
+                pwSaved
+                  ? "bg-green-600 text-white"
+                  : "bg-gray-900 text-white hover:bg-gray-700 dark:bg-white dark:text-gray-900 dark:hover:bg-gray-100"
+              }`}
+            >
+              {pwSaved && <Check className="h-4 w-4" />}
+              {pwSaved ? "Updated!" : "Update Password"}
+            </button>
+          </div>
+        </Section>
+
+        <Section title="Active Sessions" icon={<Lock className="h-4 w-4" />}>
+          <div className="space-y-3">
+            {[
+              { device: "Chrome on macOS", loc: "Bengaluru, IN", current: true },
+              { device: "VS Code Extension", loc: "Bengaluru, IN", current: false },
+            ].map((s) => (
+              <div key={s.device} className="flex items-center justify-between rounded-lg bg-gray-50 p-3 dark:bg-zinc-800">
+                <div>
+                  <p className="text-sm font-medium text-gray-800 dark:text-zinc-200">{s.device}</p>
+                  <p className="text-xs text-gray-500 dark:text-zinc-500">{s.loc}</p>
+                </div>
+                {s.current ? (
+                  <span className="rounded-full border border-emerald-200 bg-emerald-100 px-2 py-0.5 text-xs text-emerald-700 dark:border-emerald-500/20 dark:bg-emerald-500/10 dark:text-emerald-400">
+                    Current
+                  </span>
+                ) : (
+                  <button className="text-xs text-red-500 transition-colors hover:text-red-600">Revoke</button>
+                )}
+              </div>
+            ))}
+          </div>
+        </Section>
+
+        <div className="rounded-xl border border-red-200 bg-white p-6 dark:border-red-500/30 dark:bg-zinc-900">
+          <div className="mb-4 flex items-center gap-2 border-b border-red-100 pb-3 text-sm font-semibold text-red-600 dark:border-red-500/20 dark:text-red-400">
+            <ShieldAlert className="h-4 w-4" />
+            Danger Zone
+          </div>
+          <p className="mb-4 text-sm text-gray-600 dark:text-zinc-400">
+            Permanently delete your account and all associated data. This action cannot be undone.
+          </p>
+          <Field label='Type "delete my account" to confirm'>
+            <input
+              value={deleteInput}
+              onChange={(e) => setDeleteInput(e.target.value)}
+              placeholder='delete my account'
+              className="w-full rounded-lg border border-gray-200 bg-gray-50 px-3 py-2 text-sm text-gray-900 transition-colors focus:border-red-400 focus:outline-none dark:border-zinc-700 dark:bg-zinc-800 dark:text-white"
+            />
+          </Field>
+          <button
+            disabled={deleteInput !== "delete my account"}
+            className={`mt-4 rounded-lg px-5 py-2 text-sm font-medium transition-colors ${
+              deleteInput === "delete my account"
+                ? "bg-red-600 text-white hover:bg-red-500"
+                : "cursor-not-allowed bg-gray-100 text-gray-400 dark:bg-zinc-800 dark:text-zinc-600"
+            }`}
+          >
+            Delete My Account
+          </button>
+        </div>
+    </div>
+  );
+}
diff --git a/components/console/github-connect-button.tsx b/components/console/github-connect-button.tsx
new file mode 100644
index 0000000..30c3516
--- /dev/null
+++ b/components/console/github-connect-button.tsx
@@ -0,0 +1,15 @@
+"use client";
+
+import { signIn } from "next-auth/react";
+
+export function GitHubConnectButton({ callbackUrl }: { callbackUrl: string }) {
+  return (
+    <button
+      type="button"
+      onClick={() => signIn("github", { callbackUrl })}
+      className="mt-4 inline-flex items-center rounded-lg bg-gray-900 px-4 py-2 text-sm font-medium text-white transition-colors hover:bg-gray-700 dark:bg-white dark:text-gray-900 dark:hover:bg-gray-100"
+    >
+      Connect GitHub
+    </button>
+  );
+}
\ No newline at end of file
diff --git a/components/console/repository-list.tsx b/components/console/repository-list.tsx
index 5506ed8..efea7ee 100644
--- a/components/console/repository-list.tsx
+++ b/components/console/repository-list.tsx
@@ -2,6 +2,7 @@
 import { useEffect, useState } from "react";
 import { useSession } from "next-auth/react";
 import { Github, AlertCircle, PackageOpen, LayoutGrid, List } from "lucide-react";
+import { signIn } from "next-auth/react";
 import { RepositoryCard, type GitHubRepo } from "./repository-card";
 import { RepositoryTable } from "./repository-table";
 
@@ -134,14 +135,15 @@ export function RepositoryList({
           Connect your GitHub account
         </p>
         <p className="text-xs text-gray-500 dark:text-zinc-500 mb-4 max-w-xs">
-          Sign in with GitHub to fetch your repositories and enable one-click deployments.
+          Connect GitHub to fetch your repositories and enable one-click deployments.
         </p>
-        <a
-          href="/login"
+        <button
+          type="button"
+          onClick={() => signIn("github", { callbackUrl: "/console/github" })}
           className="px-4 py-2 text-sm font-medium text-white bg-gray-900 dark:bg-white dark:text-gray-900 hover:bg-gray-700 dark:hover:bg-gray-100 rounded-lg transition-colors"
         >
-          Sign in with GitHub
-        </a>
+          Connect GitHub
+        </button>
       </div>
     );
   }
diff --git a/components/console/top-navbar.tsx b/components/console/top-navbar.tsx
index 1c11b85..b81ce80 100644
--- a/components/console/top-navbar.tsx
+++ b/components/console/top-navbar.tsx
@@ -1,15 +1,14 @@
 "use client";
 import React, { useState, useEffect } from "react";
 import Link from "next/link";
-import { Bell, Search, ChevronDown, LogOut, User, Settings, Sun, Moon, Github, Rocket } from "lucide-react";
+import { Bell, Search, ChevronDown, LogOut, User, Settings, Sun, Moon, Rocket } from "lucide-react";
 import { useTheme } from "next-themes";
-import { useSession, signIn, signOut } from "next-auth/react";
+import { signOut } from "next-auth/react";
 
 export function ConsoleTopNav() {
   const [userOpen, setUserOpen] = useState(false);
   const [mounted, setMounted] = useState(false);
   const { theme, setTheme } = useTheme();
-  const { data: session } = useSession();
 
   const [unreadCount, setUnreadCount] = useState(0);
 
@@ -26,10 +25,9 @@ export function ConsoleTopNav() {
 
   const close = () => { setUserOpen(false); };
 
-  // Derive display name and avatar initial from session
-  const displayName = session?.user?.name ?? session?.user?.email?.split("@")[0] ?? "User";
-  const avatarInitial = displayName[0]?.toUpperCase() ?? "U";
-  const avatarImage = session?.user?.image;
+  const displayName = "Account";
+  const avatarInitial = "A";
+  const avatarImage = undefined;
 
   return (
     <header className="flex items-center h-14 px-4 border-b border-gray-200 dark:border-zinc-800 bg-white/80 dark:bg-zinc-950/80 backdrop-blur-sm gap-3 shrink-0">
@@ -107,7 +105,7 @@ export function ConsoleTopNav() {
             <div className="absolute top-full right-0 mt-1 w-52 bg-white dark:bg-zinc-800 border border-gray-200 dark:border-zinc-700 rounded-xl shadow-lg z-50 py-1">
               <div className="px-4 py-2.5 border-b border-gray-200 dark:border-zinc-700">
                 <p className="text-sm font-semibold text-gray-900 dark:text-white truncate">{displayName}</p>
-                <p className="text-xs text-gray-500 dark:text-zinc-500 truncate">{session?.user?.email ?? "GitHub user"}</p>
+                <p className="text-xs text-gray-500 dark:text-zinc-500 truncate">Signed in successfully</p>
               </div>
               <Link href="/console/account" onClick={close} className="flex items-center gap-2.5 px-4 py-2 text-sm text-gray-700 dark:text-zinc-300 hover:bg-gray-100 dark:hover:bg-zinc-700 hover:text-gray-900 dark:hover:text-white transition-colors">
                 <User className="w-4 h-4" />Account
@@ -115,14 +113,6 @@ export function ConsoleTopNav() {
               <Link href="/console/settings" onClick={close} className="flex items-center gap-2.5 px-4 py-2 text-sm text-gray-700 dark:text-zinc-300 hover:bg-gray-100 dark:hover:bg-zinc-700 hover:text-gray-900 dark:hover:text-white transition-colors">
                 <Settings className="w-4 h-4" />Settings
               </Link>
-              {!session && (
-                <button
-                  onClick={() => { signIn("github", { callbackUrl: "/console/dashboard" }); close(); }}
-                  className="flex items-center gap-2.5 w-full px-4 py-2 text-sm text-gray-700 dark:text-zinc-300 hover:bg-gray-100 dark:hover:bg-zinc-700 hover:text-gray-900 dark:hover:text-white transition-colors"
-                >
-                  <Github className="w-4 h-4" />Sign in with GitHub
-                </button>
-              )}
               <div className="border-t border-gray-200 dark:border-zinc-700 mt-1 pt-1">
                 <button
                   onClick={() => { signOut({ callbackUrl: "/" }); close(); }}
diff --git a/lib/auth.ts b/lib/auth.ts
index 0be4696..24dc12e 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -1,6 +1,9 @@
 import NextAuth from "next-auth";
 import GitHub from "next-auth/providers/github";
+import Credentials from "next-auth/providers/credentials";
+import type { NextAuthConfig } from "next-auth";
 import type { DefaultSession } from "next-auth";
+import { authenticateUser } from "@/lib/user-auth";
 
 declare module "next-auth" {
   interface Session extends DefaultSession {
@@ -11,24 +14,86 @@ declare module "next-auth" {
   }
 }
 
+type AuthToken = {
+  sub?: string;
+  email?: string;
+  accessToken?: string;
+};
+
 export const { handlers, auth, signIn, signOut } = NextAuth({
-  providers: [
-    GitHub({
-      clientId: process.env.CLIENT_ID!,
-      clientSecret: process.env.CLIENT_SECRET!,
-    }),
-  ],
+  providers: (() => {
+    const providers: NextAuthConfig["providers"] = [
+      Credentials({
+        name: "Email and Password",
+        credentials: {
+          email: { label: "Email", type: "email" },
+          password: { label: "Password", type: "password" },
+        },
+        async authorize(credentials) {
+          const email = credentials?.email;
+          const password = credentials?.password;
+
+          if (typeof email !== "string" || typeof password !== "string" || !email || !password) {
+            return null;
+          }
+
+          const userId = await authenticateUser(email, password);
+
+          if (!userId) {
+            return null;
+          }
+
+          return {
+            id: userId,
+          };
+        },
+      }),
+    ];
+
+    const githubClientId = process.env.GITHUB_CLIENT_ID ?? process.env.CLIENT_ID;
+    const githubClientSecret = process.env.GITHUB_CLIENT_SECRET ?? process.env.CLIENT_SECRET;
+
+    if (githubClientId && githubClientSecret) {
+      providers.push(
+        GitHub({
+          clientId: githubClientId,
+          clientSecret: githubClientSecret,
+        })
+      );
+    }
+
+    return providers;
+  })(),
   callbacks: {
-    async jwt({ token, account }) {
-      if (account?.access_token) {
-        token.accessToken = account.access_token;
+    async jwt({ token, account, user, profile }) {
+      const authToken = token as typeof token & AuthToken;
+
+      if (user?.email) {
+        authToken.email = user.email;
+      }
+
+      if (profile && typeof profile === "object" && "email" in profile) {
+        const profileEmail = (profile as { email?: string | null }).email;
+        if (typeof profileEmail === "string" && profileEmail) {
+          authToken.email = profileEmail;
+        }
       }
-      return token;
+
+      if (account?.provider === "github" && account.access_token) {
+        authToken.accessToken = account.access_token;
+      }
+
+      return authToken;
     },
     async session({ session, token }) {
-      session.accessToken = token.accessToken as string | undefined;
-      // Expose stable user ID (GitHub provider sets sub = GitHub user numeric ID)
-      if (token.sub) session.user.id = token.sub;
+      const authToken = token as typeof token & AuthToken;
+
+      session.accessToken = authToken.accessToken;
+      session.user = {
+        ...session.user,
+        ...(authToken.sub ? { id: authToken.sub } : {}),
+        ...(authToken.email ? { email: authToken.email } : {}),
+      } as typeof session.user;
       return session;
     },
   },
diff --git a/lib/firebase.ts b/lib/firebase.ts
deleted file mode 100644
index 98e41f4..0000000
--- a/lib/firebase.ts
+++ /dev/null
@@ -1,60 +0,0 @@
-"use client";
-import { initializeApp, getApps } from "firebase/app";
-import {
-  getAuth,
-  createUserWithEmailAndPassword,
-  signInWithEmailAndPassword,
-  signOut as firebaseSignOut,
-  onAuthStateChanged,
-  GoogleAuthProvider,
-  signInWithPopup,
-  type User,
-} from "firebase/auth";
-
-const firebaseConfig = {
-  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY || "",
-  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || "",
-  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || "",
-  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || "",
-  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || "",
-  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "",
-  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || "",
-};
-
-// Initialize only once and only on the client
-const app =
-  typeof window !== "undefined"
-    ? getApps().length
-      ? getApps()[0]
-      : initializeApp(firebaseConfig)
-    : null;
-
-const auth = app ? getAuth(app) : null;
-
-export async function signUpWithEmail(email: string, password: string) {
-  if (!auth) throw new Error("Auth not initialized");
-  return createUserWithEmailAndPassword(auth, email, password);
-}
-
-export async function signInWithEmail(email: string, password: string) {
-  if (!auth) throw new Error("Auth not initialized");
-  return signInWithEmailAndPassword(auth, email, password);
-}
-
-export async function signInWithGoogle() {
-  if (!auth) throw new Error("Auth not initialized");
-  const provider = new GoogleAuthProvider();
-  return signInWithPopup(auth, provider);
-}
-
-export async function signOut() {
-  if (!auth) throw new Error("Auth not initialized");
-  return firebaseSignOut(auth);
-}
-
-export function onAuthChange(cb: (user: User | null) => void) {
-  if (!auth) return () => {};
-  return onAuthStateChanged(auth, cb);
-}
-
-export { auth };
diff --git a/lib/user-auth.ts b/lib/user-auth.ts
new file mode 100644
index 0000000..7793f2c
--- /dev/null
+++ b/lib/user-auth.ts
@@ -0,0 +1,164 @@
+import { randomBytes, randomUUID, pbkdf2 } from "crypto";
+import { promisify } from "util";
+import { getDb } from "@/lib/db";
+
+const pbkdf2Async = promisify(pbkdf2);
+const ITERATIONS = 310000;
+const KEY_LENGTH = 32;
+const DIGEST = "sha256";
+
+type UserRow = {
+  id: string;
+  email: string;
+  password_hash: string;
+};
+
+export type UserProfile = {
+  id: string;
+  email: string;
+  createdAt: number;
+};
+
+async function ensureUserTable(): Promise<void> {
+  const sql = getDb();
+
+  await sql`
+    CREATE TABLE IF NOT EXISTS users (
+      id             TEXT PRIMARY KEY,
+      email          TEXT NOT NULL UNIQUE,
+      password_hash  TEXT NOT NULL,
+      created_at     BIGINT NOT NULL
+    )
+  `;
+}
+
+async function hashPassword(password: string): Promise<string> {
+  const salt = randomBytes(16).toString("hex");
+  const derivedKey = (await pbkdf2Async(password, salt, ITERATIONS, KEY_LENGTH, DIGEST)) as Buffer;
+  return ["pbkdf2", ITERATIONS, salt, derivedKey.toString("hex")].join("$");
+}
+
+async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
+  const [scheme, iterationsText, salt, expectedHex] = storedHash.split("$");
+
+  if (scheme !== "pbkdf2" || !iterationsText || !salt || !expectedHex) {
+    return false;
+  }
+
+  const iterations = Number.parseInt(iterationsText, 10);
+  if (!Number.isFinite(iterations) || iterations <= 0) {
+    return false;
+  }
+
+  const derivedKey = (await pbkdf2Async(password, salt, iterations, KEY_LENGTH, DIGEST)) as Buffer;
+  const expected = Buffer.from(expectedHex, "hex");
+
+  if (expected.length !== derivedKey.length) {
+    return false;
+  }
+
+  return expected.equals(derivedKey);
+}
+
+export async function createUser(email: string, password: string): Promise<string> {
+  await ensureUserTable();
+
+  const normalizedEmail = email.trim().toLowerCase();
+  const sql = getDb();
+  const existing = (await sql`
+    SELECT id, email, password_hash
+    FROM users
+    WHERE email = ${normalizedEmail}
+    LIMIT 1
+  `) as UserRow[];
+
+  if (existing.length > 0) {
+    throw new Error("EMAIL_IN_USE");
+  }
+
+  const id = randomUUID();
+  const passwordHash = await hashPassword(password);
+
+  await sql`
+    INSERT INTO users (id, email, password_hash, created_at)
+    VALUES (${id}, ${normalizedEmail}, ${passwordHash}, ${Date.now()})
+  `;
+
+  return id;
+}
+
+export async function authenticateUser(email: string, password: string): Promise<string | null> {
+  await ensureUserTable();
+
+  const normalizedEmail = email.trim().toLowerCase();
+  const sql = getDb();
+  const rows = (await sql`
+    SELECT id, email, password_hash
+    FROM users
+    WHERE email = ${normalizedEmail}
+    LIMIT 1
+  `) as UserRow[];
+
+  const user = rows[0];
+  if (!user) {
+    return null;
+  }
+
+  const isValid = await verifyPassword(password, user.password_hash);
+  return isValid ? user.id : null;
+}
+
+export async function getUserProfile(userId: string): Promise<UserProfile | null> {
+  await ensureUserTable();
+
+  if (!userId) {
+    return null;
+  }
+
+  const sql = getDb();
+  const rows = (await sql`
+    SELECT id, email, created_at
+    FROM users
+    WHERE id = ${userId}
+    LIMIT 1
+  `) as Array<{ id: string; email: string; created_at: number }>;
+
+  const user = rows[0];
+  if (!user) {
+    return null;
+  }
+
+  return {
+    id: user.id,
+    email: user.email,
+    createdAt: Number(user.created_at),
+  };
+}
+
+export async function getUserProfileByEmail(email: string): Promise<UserProfile | null> {
+  await ensureUserTable();
+
+  const normalizedEmail = email.trim().toLowerCase();
+  if (!normalizedEmail) {
+    return null;
+  }
+
+  const sql = getDb();
+  const rows = (await sql`
+    SELECT id, email, created_at
+    FROM users
+    WHERE email = ${normalizedEmail}
+    LIMIT 1
+  `) as Array<{ id: string; email: string; created_at: number }>;
+
+  const user = rows[0];
+  if (!user) {
+    return null;
+  }
+
+  return {
+    id: user.id,
+    email: user.email,
+    createdAt: Number(user.created_at),
+  };
+}
diff --git a/package.json b/package.json
index 5966249..f3bb36c 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,6 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "e2b": "^2.14.1",
-    "firebase": "^12.10.0",
     "framer-motion": "^12.35.0",
     "groq-sdk": "^0.37.0",
     "inngest": "^3.54.0",