A small Flask app that compares a job posting to a résumé (pasted text or PDF), calls NVIDIA NIM (meta/llama-4-maverick-17b-128e-instruct), and returns structured JSON: missing skills, keywords to strengthen, and prioritized fixes.
Uploads are processed in memory only; nothing is written to disk for persistence.
- Python 3.12 (see .python-version)
- An NVIDIA API key with access to the integrate API used in app.py

```bash
python3 -m venv .venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate
pip install -r requirements.txt
cp .env.example .env
```

Edit .env and set your secrets (see below). Do not commit .env.

| Variable | Required | Notes |
|---|---|---|
| NVIDIA_API_KEY | Yes (for analysis) | Used to call NVIDIA chat completions. |
| SECRET_KEY | Recommended | Stable random string for sessions and CSRF. If unset on Vercel, the app derives a per-deployment key from Vercel system variables so all instances agree. Set this explicitly for rotation and predictable behavior across deploys. Locally, a random key is generated if unset. |
| FLASK_DEBUG | No | Set to 1 only for local debugging. Never enable in production. |
| SESSION_COOKIE_SECURE | No | On Vercel, secure cookies are enabled automatically when VERCEL=1. |

On Vercel, set NVIDIA_API_KEY under Project → Settings → Environment Variables. Add SECRET_KEY when you want a fixed key you control; otherwise the app still works using a derived deployment key.
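
The SECRET_KEY precedence described above (explicit value, then a per-deployment derived key on Vercel, then a random key locally), as an added sketch that is not the code in app.py. Which Vercel system variables the app reads is not stated here, so the use of VERCEL_DEPLOYMENT_ID is an assumption; because deployment identifiers are not secret on their own, this sketch also assumes the HMAC is keyed with NVIDIA_API_KEY.

```python
import hashlib
import hmac
import os
import secrets


def resolve_secret_key(env=None):
    """Return (key, source) using the precedence from the variables table."""
    env = os.environ if env is None else env

    # 1. An explicitly configured key always wins and survives redeploys.
    explicit = (env.get("SECRET_KEY") or "").strip()
    if explicit:
        return explicit, "explicit"

    # 2. On Vercel, every instance of one deployment must compute the same
    #    key, so it is derived deterministically instead of generated.
    if env.get("VERCEL") == "1":
        deployment = env.get("VERCEL_DEPLOYMENT_ID") or ""  # assumed input
        keying = env.get("NVIDIA_API_KEY") or ""  # assumed keying secret
        if not deployment or not keying:
            # Without a secret input the result would be guessable.
            raise RuntimeError("set SECRET_KEY: no secret to derive a key from")
        mac = hmac.new(
            keying.encode(),
            b"flask-secret-key:" + deployment.encode(),
            hashlib.sha256,
        )
        return mac.hexdigest(), "derived"

    # 3. Local development: random per process, so sessions reset on restart.
    return secrets.token_hex(32), "random"


if __name__ == "__main__":
    # Constructed sample environment, not real credentials.
    sample = {
        "VERCEL": "1",
        "VERCEL_DEPLOYMENT_ID": "dpl_constructed_example",
        "NVIDIA_API_KEY": "nvapi-constructed-example",
    }
    key, source = resolve_secret_key(sample)
    print(source, len(key))
```
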

```bash
flask --app app run
```

Or with gunicorn (closer to production):

```bash
gunicorn -w 1 -b 127.0.0.1:5000 app:app
```

Open http://127.0.0.1:5000. The UI posts to POST /api/analyze with CSRF protection (X-CSRF-Token and session cookie).

- Connect this repo to Vercel (Python runtime is detected from requirements.txt / layout).
- Set NVIDIA_API_KEY and SECRET_KEY in the project environment.
- Optional: .vercelignore excludes local env files and dev-only scripts from the upload bundle.

Static assets live under public/static/ and are served at /static/... per Flask configuration.

- Never commit real API keys or .env.
- Prefer strong, long SECRET_KEY values in production and keep them stable across deploys so sessions remain valid.
- The app applies security headers (CSP, frame denial, etc.) and rate limits sensitive routes; see app.py for details.

Use and modify as you like for your own projects; there is no warranty.