Merge branch 'develop' of github.com:yn1323/yps-crispy-carnival into develop

Author: yn1323

.agents/skills/difit-review/SKILL.md

@@ -0,0 +1,55 @@
+---
+name: difit-review
+description: A skill for reviewing a specific diff and showing the findings as comments inside difit (the diff viewer). Use it to review branch diffs, commit diffs, or GitHub PRs, then preload findings or code explanations into difit with `--comment` before launching it for the user.
+---
+
+# Difit Review
+
+## Overview
+
+This skill launches a requested git diff in a viewer that is easy for humans to read. At the same time, the agent can attach arbitrary comments via the `--comment` option.
+This comment mechanism is well suited for code review findings and code explanations.
+Before running commands, choose `<difit-command>` using the following rule:
+
+- If `command -v difit` succeeds, use `difit`.
+- Otherwise, use `npx difit`.
+- If falling back to `npx difit` would require network access in a sandboxed environment without network permission, request escalated permissions and user approval before running it.
+- 心理的安全性も考慮してレビューしてください
+
+## Steps
+
+The final command typically looks like this:
+
+```bash
+<difit-command> <target> [compare-with] \
+  --comment '{"type":"thread","filePath":"src/foobar.ts","position":{"side":"old","line":102},"body":"line 1\nline 2"}' \
+  --comment '{"type":"thread","filePath":"src/example.ts","position":{"side":"new","line":{"start":36,"end":39}},"body":"Range comment for L36-L39"}'
+```
+
+The detailed procedure is as follows.
+
+1. Identify the target diff and review its contents.
+
+- Inspect the diff specified by the user. This may be a local git revision, a GitHub URL, a patch file, or something similar.
+- Understand the diff normally, inspect surrounding code when needed, and think through the response required by the user's request, whether that is review findings, explanations, or something else.
+- For PR reviews, inspect the PR locally and keep the review result limited to difit output. Do not post comments back to remote GitHub.
+
+2. Attach the prepared comments and launch difit.
+
+- **difit launch options**
+  - Use `<difit-command> <target> [compare-with]` to specify the target diff.
+  - For uncommitted changes use `<difit-command> .`, for working tree changes use `<difit-command> working`, and for staged changes use `<difit-command> staging`.
+  - For stdin input, use a form such as `diff -u file1.txt file2.txt | <difit-command>`.
+- **Comment arguments**
+  - Use `type: "thread"` for each comment.
+  - Write comment bodies in the language the user is using.
+  - Use `position.side: "new"` for lines that exist on the target side of the diff.
+  - Use `position.side: "old"` for lines that exist only on the deleted side.
+  - Use range comments for issues that span multiple lines.
+  - Never copy secrets, tokens, passwords, API keys, private keys, or other credential-like material from the diff into `--comment` bodies or any command-line arguments.
+- **Additional argument for files not yet added to git**
+  - For uncommitted changes, if you decide files not yet added to git should also appear in the diff, add `--include-untracked`.
+
+3. Share the difit URL and finish the response.
+   - If there were no comments to attach, explicitly say so.
+   - No manual verification of the launched difit page is required.

.agents/skills/difit-review/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: 'Difit Review'
+  short_description: 'Review diffs and open difit with inline findings.'
+  default_prompt: 'Use $difit-review to review a diff or PR, convert concrete findings into --comment entries, and open difit if available, otherwise npx difit with those comments preloaded.'

.claude/skills/difit-review/SKILL.md

@@ -0,0 +1,54 @@
+---
+name: difit-review
+description: A skill for reviewing a specific diff and showing the findings as comments inside difit (the diff viewer). Use it to review branch diffs, commit diffs, or GitHub PRs, then preload findings or code explanations into difit with `--comment` before launching it for the user.
+---
+
+# Difit Review
+
+## Overview
+
+This skill launches a requested git diff in a viewer that is easy for humans to read. At the same time, the agent can attach arbitrary comments via the `--comment` option.
+This comment mechanism is well suited for code review findings and code explanations.
+Before running commands, choose `<difit-command>` using the following rule:
+
+- If `command -v difit` succeeds, use `difit`.
+- Otherwise, use `npx difit`.
+- If falling back to `npx difit` would require network access in a sandboxed environment without network permission, request escalated permissions and user approval before running it.
+
+## Steps
+
+The final command typically looks like this:
+
+```bash
+<difit-command> <target> [compare-with] \
+  --comment '{"type":"thread","filePath":"src/foobar.ts","position":{"side":"old","line":102},"body":"line 1\nline 2"}' \
+  --comment '{"type":"thread","filePath":"src/example.ts","position":{"side":"new","line":{"start":36,"end":39}},"body":"Range comment for L36-L39"}'
+```
+
+The detailed procedure is as follows.
+
+1. Identify the target diff and review its contents.
+
+- Inspect the diff specified by the user. This may be a local git revision, a GitHub URL, a patch file, or something similar.
+- Understand the diff normally, inspect surrounding code when needed, and think through the response required by the user's request, whether that is review findings, explanations, or something else.
+- For PR reviews, inspect the PR locally and keep the review result limited to difit output. Do not post comments back to remote GitHub.
+
+2. Attach the prepared comments and launch difit.
+
+- **difit launch options**
+  - Use `<difit-command> <target> [compare-with]` to specify the target diff.
+  - For uncommitted changes use `<difit-command> .`, for working tree changes use `<difit-command> working`, and for staged changes use `<difit-command> staging`.
+  - For stdin input, use a form such as `diff -u file1.txt file2.txt | <difit-command>`.
+- **Comment arguments**
+  - Use `type: "thread"` for each comment.
+  - Write comment bodies in the language the user is using.
+  - Use `position.side: "new"` for lines that exist on the target side of the diff.
+  - Use `position.side: "old"` for lines that exist only on the deleted side.
+  - Use range comments for issues that span multiple lines.
+  - Never copy secrets, tokens, passwords, API keys, private keys, or other credential-like material from the diff into `--comment` bodies or any command-line arguments.
+- **Additional argument for files not yet added to git**
+  - For uncommitted changes, if you decide files not yet added to git should also appear in the diff, add `--include-untracked`.
+
+3. Share the difit URL and finish the response.
+   - If there were no comments to attach, explicitly say so.
+   - No manual verification of the launched difit page is required.

.claude/skills/difit-review/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: 'Difit Review'
+  short_description: 'Review diffs and open difit with inline findings.'
+  default_prompt: 'Use $difit-review to review a diff or PR, convert concrete findings into --comment entries, and open difit if available, otherwise npx difit with those comments preloaded.'

.gitignore

@@ -19,6 +19,7 @@ storybook-static
 node_modules/
 /test-results/
 /playwright-report/
+test-results.json
 /blob-report/
 /playwright/.cache/
 

convex-seeds/seeds/db.zip

@@ -159,7 +159,7 @@ query の返り値はドキュメントをそのまま返さず、必要なフ
 - [ ] query の返り値を必要最低限のフィールドに制限
 - [ ] Magic Link のワンタイム・有効期限を実装
 - [ ] エラーメッセージから内部情報が漏れないことを確認
-- [ ] レートリミットを Magic Link 検証に適用
+- [x] レートリミットを Magic Link 検証に適用
 
 ## テスト
 

convex/CLAUDE.md

@@ -10,6 +10,7 @@
 
 import type * as _lib_dateFormat from "../_lib/dateFormat.js";
 import type * as _lib_functions from "../_lib/functions.js";
+import type * as _lib_rateLimits from "../_lib/rateLimits.js";
 import type * as _lib_resend from "../_lib/resend.js";
 import type * as _lib_time from "../_lib/time.js";
 import type * as _lib_uuid from "../_lib/uuid.js";
@@ -41,6 +42,7 @@ import type {
 declare const fullApi: ApiFromModules<{
   "_lib/dateFormat": typeof _lib_dateFormat;
   "_lib/functions": typeof _lib_functions;
+  "_lib/rateLimits": typeof _lib_rateLimits;
   "_lib/resend": typeof _lib_resend;
   "_lib/time": typeof _lib_time;
   "_lib/uuid": typeof _lib_uuid;

convex/_generated/api.d.ts

@@ -0,0 +1,24 @@
+import { defineRateLimits } from "convex-helpers/server/rateLimit";
+
+const MINUTE = 60_000;
+const HOUR = 60 * MINUTE;
+
+export const { checkRateLimit, rateLimit, resetRateLimit } = defineRateLimits({
+  // マジックリンクトークン検証: トークン先頭8文字をキーに
+  // 5回/分 — ブルートフォース保険
+  verifyToken: {
+    kind: "token bucket",
+    rate: 5,
+    period: MINUTE,
+    capacity: 5,
+  },
+
+  // リンク再発行リクエスト: email+recruitmentId をキーに
+  // 3回/時 — メール爆撃防止（Resend課金対策）
+  requestReissue: {
+    kind: "token bucket",
+    rate: 3,
+    period: HOUR,
+    capacity: 3,
+  },
+});

convex/_lib/rateLimits.ts

@@ -56,7 +56,7 @@ export const getDashboardData = authenticatedQuery({
     return {
       shop: { name: shop.name },
       recruitments: recruitmentsWithCounts,
-      staffs: staffs.map((s) => ({ _id: s._id, name: s.name, email: s.email })),
+      staffs: staffs.map((s) => ({ _id: s._id, name: s.name, email: s.email, isOwner: s.userId === ctx.user?._id })),
     };
   },
 });