chore/bump-actions-node24 → main

## What & Why `actions/checkout@v4` and `actions/setup-node@v4` run on the deprecated Node 20 action runtime. Bumped both to v6 (Node 24) to clear the deprecation warnings. The `[20, 22]` app build matrix is unchanged. ## Related Issue N/A ## How to Verify 1. Open this PR and confirm CI passes. 2. Check the run Summary — the two "Node.js 20 actions are deprecated" warnings should be gone. ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [ ] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [ ] Tested on mobile viewport (if UI changed)

i18n/refine-ko-en-dictionaries → main

## What & Why Refines the KO/EN dictionaries and removes dead keys. - **KO policy** — GitHub status badges stay English as fixed API-enum labels(`Added/Removed/Modified/Renamed`, `Merged/Open/Closed`, `Private/Public`), while navigation, actions, and descriptions are Korean. - **EN polish** — capitalize file-status badges to match the other badges, sentence-case the expand/collapse actions, and drop the desktop-only "from the left" wording in `selectFile`. - **Cleanup** — remove unused keys: `code.branch`, `pulls.filesChanged` / `pulls.additions` / `pulls.deletions`. - **Docs** — AGENTS.md now states that API-enum status badges stay English in both locales, so they aren't "fixed" as untranslated strings later. ## Related Issue N/A ## How to Verify 1. Browse in **KO** (`/ko/...`) — repo list, file viewer, commits, PR list & detail tabs: status badges show in English, everything else in Korean. 2. Browse in **EN** — file-status badges read `Added/Removed/Modified/Renamed`; expand/collapse buttons are sentence case. 3. `npm run typecheck && npm run build` pass (removing unused keys doesn't break the `Dictionary` type). ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [x] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [x] Tested on mobile viewport (if UI changed)

refactor/component-named-exports → main

## What & Why `UnauthorizedForm` was the only component in `components/` using a default export — every other component uses a named export. Switched it to a named export and updated the import in `app/unauthorized/page.tsx` to match the convention. Also documented in AGENTS.md: - the export convention (`components/` → named; Next.js file conventions follow the framework's required shape). - how the `/unauthorized` page resolves its locale (it lives outside `app/[lang]/`, so it reads `Accept-Language`). ## Related Issue N/A ## How to Verify 1. `npm run typecheck && npm run lint && npm run build` — all pass. 2. Visit `/unauthorized` → the token form still renders, localized via `Accept-Language`, and submitting a token works. (No behavior change — export refactor only.) ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [x] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [x] Tested on mobile viewport (if UI changed)

fix/locale-switch-preserve-query → main

## What & Why Switching the language dropped the URL query string, because `LangSwitcher` built the target href from `pathname` alone. On a PR detail page this lost the `?tab=` param and reset the view to **Overview**; commit pagination(`?page=`) and the file viewer's `?path=`/`?branch=` were lost the same way. Fixed by reading the current query via `useSearchParams` and re-appending it, isolated behind a `Suspense` boundary so prerendered routes stay static. ## Related Issue N/A ## How to Verify 1. Open any PR detail page, switch to the **Commits** or **Files changed** tab. 2. Click `EN`/`KO` in the language switcher → stays on the same tab (previously reset to Overview). 3. On a commits list at `?page=2`, switch locale → still on page 2. 4. In the file viewer with a file open on a non-default branch, switch locale → `?path=` and `?branch=` retained. ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [x] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [x] Tested on mobile viewport (if UI changed)

fix/auth-timing-and-cookie-exposure → main

## What & Why Replace raw `===` token checks with `crypto.timingSafeEqual` to prevent timing attacks. Store HMAC-SHA256 of the share token in the auth cookie instead of the raw value, so that a leaked cookie does not directly expose the master token. ## Related Issue N/A ## How to Verify 1. Access with `?token=<SHARE_TOKEN>` → cookie is set and page redirects. 2. Refresh → cookie-based auth works normally. 3. Submit token on `/unauthorized` page → cookie is set and redirects to `/`. 4. Try an invalid token → rejected with 401. 5. Check cookie value in DevTools → hex string (HMAC), not the raw token. ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [x] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [x] Tested on mobile viewport (if UI changed)

fix/proxy-auth-bypass → main

## What & Why Closes two ways a viewer could bypass the `SHARE_TOKEN` check: - **Removed the `/api/github/[...path]` proxy route.** It was excluded from `proxy.ts` (the matcher skips `/api/*`) and never checked the `smc_auth` cookie, so anyone could read allowlisted private-repo contents without the share token. No client code used it — all GitHub calls happen server-side via `lib/github.ts`. - **Fixed the `proxy.ts` matcher.** The old `.*\..*` exclusion skipped every path containing a dot, so repository pages whose name contains a dot (e.g. `next.js`) bypassed the share-token check entirely. It now excludes only framework internals and named static assets. Also updated `CLAUDE.md` to match the real architecture (server-side GitHub fetches, 60s cache, matcher behavior). ## Related Issue N/A ## How to Verify 1. Without the `smc_auth` cookie, request `/<lang>/repository/<owner>/<dotted-repo>` (e.g. a repo named `next.js`) → now `307 → /unauthorized` (was `200`). 2. `curl -i /api/github/repos/<owner>/<repo>/contents/README.md` → `404` (route removed). 3. `npm run build && npm run typecheck && npm run lint && npm run format:check` all pass. ## Checklist - [x] PR title follows [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`) - [x] Translations added to both `locales/ko.json` and `locales/en.json` (if UI text changed) - [x] Tested on mobile viewport (if UI changed)

chore/native-git-hooks → main

## Related Issue N/A ## Changes - Add native git hooks in `.githooks/` — `commit-msg` enforces Conventional Commits prefixes (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`), `pre-push` enforces matching branch name prefixes. - Hooks are activated automatically on `npm install` via the `prepare` script (`git config core.hooksPath .githooks`) — no husky needed. - Remove commitlint: it was never wired to a git hook, so it never actually ran. Deletes `commitlint.config.js`, two devDependencies, and 66 transitive packages. - Drop the unused `test` label from commit/branch conventions and the PR template, since this project intentionally has no test suite. - Document the hooks in `CLAUDE.md`. ## How to Verify 1. Run `npm install` (activates the hooks), then check `git config core.hooksPath` prints `.githooks`. 2. `git commit --allow-empty -m "bad message"` → rejected with a prefix error. 3. `git commit --allow-empty -m "chore: valid message"` → succeeds (then reset). 4. Push a branch named without a prefix → rejected by `pre-push`. ## Checklist - [x] `npm run format:check` passes - [x] `npm run lint` passes - [x] `npm run typecheck` passes - [x] `npm run build` passes - [x] PR title follows Conventional Commits (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `i18n:`)

docs/sync-claude-md → main

## Related Issue N/A ## Changes - CLAUDE.md: split the Diff view description into `FilesChanged.tsx` (diff rendering) and `FilesChangedWithTree.tsx` (tree-sidebar wrapper, the component the detail pages actually import). - CLAUDE.md: add `FilesChangedWithTree.tsx` to the `"use client"` component list. - CLAUDE.md: document the Error UI pattern (`global-error.tsx`, repo-scoped `error.tsx`). - CLAUDE.md: document the `/api/auth` manual token-entry flow and the `smc_auth` cookie in Access Control; switch "middleware" wording to "proxy.ts" for consistency. - .env.example: translate the two Korean comments to English to match the rest of the file and the English-comment convention. ## How to Verify 1. Read the updated sections in CLAUDE.md and confirm they match the code(`FilesChangedWithTree.tsx`, `app/api/auth/route.ts`, `error.tsx`). 2. Confirm `.env.example` has no remaining non-English comments. ## Checklist - [x] `npm run format:check` passes - [x] `npm run lint` passes - [x] `npm run typecheck` passes - [x] `npm run build` passes - [x] PR title follows Conventional Commits (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `test:`, `i18n:`)

fix/diff-page-mobile-padding → main

## Related Issue N/A ## Changes - Replace bare `px-6` with `px-3 md:px-6` on the `<main>` of the commit-detail and PR-detail pages (and their `loading.tsx` skeletons), per the page-level padding convention in CLAUDE.md. - These four pages were the only ones violating the rule; mobile (≥320px) now gets 12px side padding instead of 24px, freeing up horizontal space for diffs. Desktop (`md:` and up) keeps 24px unchanged. ## How to Verify 1. Open a PR detail and a commit detail page at a 320px viewport width. 2. Confirm side padding is tighter (12px) and the diff has more room. 3. Resize to ≥768px and confirm padding returns to 24px. ## Checklist - [x] `npm run format:check` passes - [x] `npm run lint` passes - [x] `npm run typecheck` passes - [x] `npm run build` passes - [x] PR title follows Conventional Commits (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `test:`, `i18n:`)

refactor/brand-tab-title → main

## Related Issue N/A ## Changes - Fix the browser tab title to the brand name **showmycode** on every page (previously it followed `SITE_NAME` → `GITHUB_OWNER`) - Update the site `description` metadata to reflect showmycode's purpose as a general-purpose private-repo sharing tool, not an interviewer-only viewer - Remove the `SITE_NAME` env var — it was used in a single place (home header) and only duplicated the GitHub owner shown on repo pages. The home header brand now derives directly from `GITHUB_OWNER`, keeping all headers consistent - Fail fast in `getAllowedRepos()` with `"GITHUB_OWNER is not set"` instead of silently producing a confusing GitHub 404 downstream - Sync env docs: drop `SITE_NAME` from `.env.example` and `CLAUDE.md`, and add the previously-undocumented `SHARE_TOKEN` to the `CLAUDE.md` env list ## How to Verify 1. Run `npm run dev` with a valid `.env.local` 2. Open any page — the browser tab title reads **showmycode** 3. Home and repository headers both show the GitHub owner consistently 4. Temporarily unset `GITHUB_OWNER` and reload — the app fails with a clear `GITHUB_OWNER is not set. See .env.example.` error (not a 404) ## Checklist - [x] `npm run format:check` passes - [x] `npm run lint` passes - [x] `npm run typecheck` passes - [x] `npm run build` passes - [x] PR title follows Conventional Commits (`feat:`, `fix:`, `chore:`, `refactor:`, `docs:`, `test:`, `i18n:`)