Merge pull request #430 from TaloDev/develop

Release 0.64.0

Author: tudddorrr

.github/workflows/claude-code-review.yml

@@ -37,16 +37,65 @@ jobs:
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           prompt: |
-            Please review this pull request and provide feedback on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Performance considerations
-            - Security concerns
-            
-            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
-            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
-          
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
-          claude_args: '--model sonnet --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
-          use_sticky_comment: true
+            You are reviewing PR #${{ github.event.pull_request.number }} in the repository ${{ github.repository }}.
+
+            Review this pull request and provide feedback focused only on improvements needed (not what works well):
+
+            **Categories to check:**
+            1. Code quality and best practices
+            2. Potential bugs or issues
+            3. Performance considerations
+            4. Security concerns
+
+            **Process:**
+            - The PR number is: ${{ github.event.pull_request.number }}
+            - View the PR using: `gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }}`
+            - Read CLAUDE.md to understand best practices
+            - View the PR diff using: `gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}`
+            - If an issue spans multiple categories, list it only once in the most relevant section
+            - Prioritize by severity: 🔴 Critical → 🟡 Major → 🔵 Minor
+            - Focus only on changes introduced in this PR, not pre-existing code issues
+
+            **Review Workflow (Follow these steps):**
+            1. **Analysis Phase**: Review the PR diff and identify potential issues
+            2. **Validation Phase**: For each issue you find, verify it by:
+               - Re-reading the relevant code carefully
+               - Checking if your suggested fix is actually different from the current code
+               - Confirming the issue violates documented standards (check CLAUDE.md)
+               - Ensuring your criticism is actionable and specific
+            3. **Draft Phase**: Write your review only after validating all issues
+            4. **Quality Check**: Before posting, remove any issues where:
+               - Your "before" and "after" code snippets are identical
+               - You're uncertain or use phrases like "appears", "might", "should verify"
+               - The issue is theoretical without clear impact
+            5. **Post Phase**: Only post the review if you have concrete, validated feedback
+
+            **Edge Case Policy:**
+            Only flag edge cases that meet ALL of these criteria:
+            1. Realistic: Could happen in normal usage or common error scenarios
+            2. Impactful: Would cause bugs, security issues, or data problems (not just "it's not perfect")
+            3. Actionable: Can be fixed with reasonable effort in this PR's scope
+
+            Ignore theoretical issues that require multiple unlikely conditions or malicious input patterns.
+            Use the "would this bother a pragmatic senior developer?" test.
+
+            Maximum chain of assumptions: 2 levels deep. Skip exotic input combinations that violate documented assumptions.
+
+            **Feedback style:**
+            - Provide specific code examples or line references showing the issue
+            - Suggest concrete fixes with code snippets where helpful
+            - Keep total feedback under 500 words
+            - Use section headers with emojis and horizontal dividers (---)
+            - If no improvements needed in a category, simply state "No issues found"
+            - Use neutral language; focus on the code, not the author
+            - If the PR looks good overall, say so clearly rather than forcing criticism
+
+            **Comment Management (IMPORTANT):**
+            Post your review using this command, which will edit your last comment if one exists, or create a new one:
+            ```bash
+              gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --edit-last --create-if-none --body "<review>"
+            ```
+
+            Ensure proper escaping of quotes and special characters in the comment body. Use single quotes around the body and escape any single quotes inside with '\''
+          claude_args: |
+            --allowedTools "Read,Bash(gh pr:*),Grep,Glob"

CLAUDE.md

@@ -0,0 +1,180 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Talo is a self-hostable game dev dashboard. This is the frontend React application that provides a web interface for managing players, leaderboards, events, stats, game saves, and other game backend features. The frontend communicates with the Talo backend API.
+
+## Development Commands
+
+### Running the application
+```bash
+npm run dev              # Start dev server on http://localhost:8080
+npm run dev:e2e          # Start dev server in e2e mode for Cypress tests
+npm run build            # Build for production (runs tsc + vite build)
+```
+
+### Testing
+```bash
+npm test                 # Run all Vitest unit tests (runs with TZ=UTC)
+npm test -- <pattern>    # Run specific test file(s) matching pattern
+npm run test:e2e         # Start dev server and open Cypress for e2e tests
+npm run cypress:open     # Open Cypress (dev server must be running)
+```
+
+### Code Quality
+```bash
+npm run lint             # Run ESLint on src/**/*.{js,jsx,ts,tsx}
+```
+
+### Testing Notes
+- Unit tests use Vitest with jsdom environment
+- Test files are co-located with source in `__tests__/` directories
+- E2E tests are in `cypress/e2e/pages/` and use Cypress
+- Coverage excludes `src/api/`, `src/entities/`, `src/constants/`, and `src/utils/canViewPage.ts`
+- Tests must run with `TZ=UTC` for consistent date handling
+
+## Architecture Overview
+
+### Tech Stack
+- React 18 with TypeScript
+- Vite for build tooling
+- React Router v6 for routing
+- Recoil for global state management
+- Axios for HTTP requests
+- SWR for data fetching and caching
+- Zod for runtime validation
+- Tailwind CSS v4 for styling
+- Recharts for charts
+- React Hook Form for forms
+
+### Directory Structure
+
+```
+src/
+├── api/              # SWR hooks and API functions (91 files)
+├── components/       # Reusable UI components
+│   ├── billing/
+│   ├── charts/
+│   ├── events/
+│   ├── saves/
+│   ├── tables/
+│   ├── toast/
+│   └── toggles/
+├── constants/        # App constants (routes, nav, user types)
+├── entities/         # TypeScript types and Zod schemas (29 domain models)
+├── modals/           # Modal dialog components
+├── pages/            # Page components (39 pages)
+├── services/         # Business logic (AuthService)
+├── state/            # Recoil atoms (8 state files)
+├── styles/           # CSS files
+├── utils/            # Utilities and custom hooks
+│   ├── group-rules/
+│   └── validation/
+├── App.tsx           # Main app component (handles auth and routing)
+├── Router.tsx        # Route definitions with lazy loading
+└── index.tsx         # App entry point
+```
+
+### Routing
+- Routes are defined in [Router.tsx](src/Router.tsx) using React Router v6
+- Route paths are constants in [src/constants/routes.ts](src/constants/routes.ts)
+- All pages use lazy loading via `React.lazy()` for code splitting
+- Routes are split into unauthenticated (login, register) and authenticated sections
+- Permission checks use `canViewPage()` utility before rendering routes
+- Many routes only render when an `activeGame` is selected
+
+### State Management
+- Global state uses Recoil with atoms in [src/state/](src/state/)
+- Key atoms:
+  - `userState` - Current authenticated user
+  - `activeGameState` - Currently selected game (persisted to localStorage)
+  - `gamesState` - User's games list
+  - `organisationState` - Organization data
+  - `devDataState` - Dev data inclusion flag
+- State consumed via `useRecoilValue()`, `useRecoilState()`, `useSetRecoilState()`
+
+### API Layer
+- Base Axios instance configured in [src/api/api.ts](src/api/api.ts)
+- Request interceptor adds Bearer token and dev data header
+- Response interceptor handles 401s with automatic token refresh
+- Base URL from `VITE_API_URL` environment variable
+
+**Data fetching patterns:**
+
+1. **SWR hooks** (23 hooks): Pattern is `use{Entity}(game, params)` returning `{ data, loading, error }`
+   - Examples: `useEvents`, `useLeaderboards`, `useStats`
+   - Uses `makeValidatedGetRequest()` for Zod validation
+   - Automatic caching, revalidation, and deduplication
+
+2. **Mutation functions** (68 functions): Named after action (e.g., `createLeaderboard`, `updatePlayer`)
+   - Uses `makeValidatedRequest()` wrapper for Zod validation
+   - Returns validated, typed responses
+
+### Component Patterns
+- Functional components with TypeScript
+- Composition over inheritance
+- Context for cross-cutting concerns (EventsContext, ToastProvider)
+- Form handling with React Hook Form
+- Tables use composable system: `Table` > `TableHeader`/`TableBody` > `TableCell`
+
+### Key Utilities and Hooks
+Located in [src/utils/](src/utils/):
+
+- `useTimePeriod` - Date range calculation from period strings ('1d', '7d', '30d', 'w', 'm', 'y')
+- `useTimePeriodAndDates` - Combined time period and date management
+- `useLocalStorage` - localStorage with React state sync
+- `usePlayer` - Extract player from URL params
+- `useSortedItems` - Client-side sorting
+- `useSearch` - Client-side search filtering
+- `useNodeGraph` - Graph visualization for save data (using @xyflow/react)
+- `buildError` - Normalize error objects
+- `canPerformAction` / `canViewPage` - Permission checking
+- `getEventColour` - Consistent color assignment for events
+
+## Important Patterns
+
+### Authentication
+- Managed by [AuthService](src/services/AuthService.ts) singleton
+- Token-based with automatic refresh on 401 responses
+- Token stored in memory (not localStorage for security)
+- Login redirects handled via `useIntendedRoute` hook
+
+### Authorization
+- Route-level checks with `canViewPage()` in Router
+- Action-level checks with `canPerformAction()` throughout components
+- Based on user type (ADMIN, OWNER, DEV, DEMO)
+
+### Validation
+- Zod schemas defined alongside entities in [src/entities/](src/entities/)
+- `makeValidatedRequest()` and `makeValidatedGetRequest()` wrappers ensure type safety
+- Validation errors logged and sent to Sentry
+
+### Error Handling
+- Centralized error normalization via `buildError()`
+- API errors show user-friendly messages via toast notifications
+- Sentry integration for error tracking
+
+### Date Handling
+- All API dates must be UTC
+- Use `convertDateToUTC()` when sending dates to API
+- Tests run with `TZ=UTC` to ensure consistency
+
+### Active Game Context
+- Most features require an active game to be selected
+- Active game stored in Recoil state and persisted to localStorage
+- Routes conditionally render based on `activeGame` availability
+
+## Environment Variables
+
+Required environment variables (set via `.env` files):
+- `VITE_API_URL` - Backend API base URL (e.g., `http://localhost:3000`)
+
+## Node Version
+
+This project requires Node.js 22.x (see package.json engines).
+
+## Git Workflow
+
+Main branch for PRs: `develop`