Setting Up Your IDE Properly, From Scratch

If you're not already on one of these, choose now:

• →
  VS Code — free, universal, works with everything. Start here if you're unsure.
• →
  Cursor — VS Code with AI built in. Upgrade once you're comfortable with the basics.
• →
  Antigravity — Google's agent-first IDE. Use this if you're building full projects and want AI running tasks in parallel, not just completing your sentences.

For this guide I'll reference VS Code and Cursor. Antigravity works differently — it's less about configuration and more about how you orchestrate agents.

Download, install, open. You should be looking at a blank workspace.

Before writing a single line, get this right:

my-project/
├── .env            ← your secrets live here (APIs mostly)
├── .env.example    ← placeholder version, safe to commit
├── .gitignore      ← tells git what to ignore
├── src/            ← all your source code
└── README.md

The .env file is where all API keys, database passwords, and tokens live. It never gets committed. Ever.

Create your .gitignore immediately and add this at minimum:

.env
.env.local
.env*.local
*.pem
*.key
node_modules/
.DS_Store

If you skip this step and commit a secret key to GitHub, you'll spend your afternoon revoking and rotating credentials. Ask me how I know.

Don't wait until you have code worth saving. Start version control from the first file.

git init
git add .gitignore
git commit -m "init"

Then create a repo on GitHub and connect it:

git remote add origin git@github.com:yourname/your-repo.git
git push -u origin main

Use SSH for authentication, not HTTPS. Generate an SSH key if you haven't:

ssh-keygen -t ed25519 -C "your@email.com"

Add the public key to GitHub under Settings → SSH Keys. You'll never type a password again.

This one takes five minutes and most developers skip it entirely.

Commit signing means every commit is cryptographically verified as coming from you. If anyone ever compromises your account or tries to push fake commits, they can't fake the signature.

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

GitHub shows a green "Verified" badge on every signed commit. Small thing. Looks professional. Protects you.

.gitignore is your first line of defence. But it's not foolproof — you can still accidentally stage a file with a hardcoded key in it.

Install gitleaks:

brew install gitleaks

Then add it as a pre-commit hook so it scans your staged files every time you commit. If it finds an API key pattern, it blocks the commit entirely.

One accidental push of a live AWS key to a public repo costs you a four-figure cloud bill from bots that scrape GitHub continuously. This tool costs you nothing.

Stop thinking about formatting. Just make it automatic.

Install Prettier for JavaScript/TypeScript:

npm install --save-dev prettier

Create a .prettierrc:

{
  "semi": false,
  "singleQuote": true,
  "tabWidth": 2,
  "trailingComma": "es5"
}

Then in VS Code settings (Cmd+Shift+P → Open User Settings JSON):

{
  "editor.formatOnSave": true,
  "editor.defaultFormatter": "esbenp.prettier-vscode"
}

Every file formats itself on save. For Python, use Black instead:

pip install black

Same principle — format on save, zero manual effort.

Formatting fixes how code looks. Linting catches how code behaves.

ESLint for JavaScript/TypeScript:

npm install --save-dev eslint
npx eslint --init

Add auto-fix on save to your VS Code settings:

{
  "editor.codeActionsOnSave": {
    "source.fixAll.eslint": true
  }
}

ESLint catches undefined variables, unused imports, suspicious patterns, and dozens of other issues before they become bugs. It runs silently and fixes what it can automatically.

If you're writing TypeScript (and you should be), half the configuration value comes from turning strict mode on.

In your tsconfig.json:

{
  "compilerOptions": {
    "strict": true,
    "noUncheckedIndexedAccess": true
  }
}

Strict TypeScript forces you to handle null cases, prevents implicit any types, and catches entire categories of runtime errors at compile time. It feels restrictive for the first hour. After that, it catches bugs before you can even run the code.

You now have linting, formatting, and secret scanning. Pre-commit hooks make all of them run automatically before every single commit.

Install Husky:

npm install --save-dev husky
npx husky init

Edit .husky/pre-commit:

#!/bin/sh
gitleaks protect --staged
npx tsc --noEmit
npx eslint .
npx prettier --check .

Now every commit automatically:

• →Scans for leaked secrets
• →Type-checks your code
• →Lints your code
• →Checks formatting

If any of these fail, the commit is blocked. You fix it, then commit. Nothing broken ever makes it into version control.

This is where setup gets compounding returns.

In Cursor, create a .cursorrules file in your project root. This is a plain text file that tells the AI exactly how your project works — every time, without you having to explain it:

You are working on a Next.js 15 TypeScript project using Tailwind CSS.

- Always use TypeScript with strict mode
- Use named exports, not default exports for components
- No inline styles — use Tailwind classes only
- All API routes follow the pattern in /app/api
- Never commit secrets or hardcode environment variables
- Write clean, minimal code — no unnecessary abstractions

Adjust this to your stack. The more specific you are, the more useful the AI becomes. A well-configured rules file means you stop re-explaining context on every prompt.

Skip the extension rabbit hole. These are the ones worth having:

That's it. More extensions slow VS Code down and create conflicts.

This is a small one but it adds up. Replace this:

import { Button } from '../../../components/ui/Button'

With this:

import { Button } from '@/components/ui/Button'

In tsconfig.json:

{
  "compilerOptions": {
    "baseUrl": ".",
    "paths": {
      "@/*": ["./src/*"]
    }
  }
}

Cleaner imports, faster navigation, zero confusion about relative paths.

Stop alt-tabbing to a separate terminal. Everything runs inside the IDE.

Ctrl+backtick opens the terminal in VS Code. Split it horizontally — one pane for your dev server running continuously, one pane for commands.

Set your default shell explicitly in settings:

{
  "terminal.integrated.defaultProfile.osx": "zsh"
}

If you use oh-my-zsh with the git plugin, your terminal shows the current branch, staged/unstaged status, and last command exit code inline in the prompt. Worth the ten-minute setup.

Before you ship anything, audit what you've imported.

npm audit          # shows known vulnerabilities in your packages
npm audit fix      # auto-fixes what it can

Enable Dependabot on your GitHub repo (Settings → Security → Dependabot alerts). It monitors your dependencies continuously and opens PRs automatically when a vulnerability is found.

This is entirely passive once it's enabled. It watches so you don't have to.