feat: resolve issues #129, #127, #126, #38 — XSS prevention, POSIX shell, public board sharing (#130)

## Summary
Bulk resolution of 4 open issues:

- **#129** XSS prevention smoke tests (comment text, board title, javascript: URL)
- **#127** Security hardening (CSP headers, explicit column selection, defense-in-depth)
- **#126** POSIX shell compliance in package.json scripts
- **#38** Public board sharing (Phase 1: read-only public view via share slug)

## Changes
- Added XSS smoke E2E tests for stored XSS vectors
- Added CSP Report-Only headers in next.config.ts
- Fixed `source .env` → `. .env` for POSIX compliance
- Added public board page at /public/[slug] with SSR
- Added board sharing toggle in BoardSettingsDialog
- Added RLS policies for public board access
- Added rate limiting for public board views
- Extracted shared `toRepoCardDomain` mapper
- Added `React.cache()` deduplication for public board fetch

Closes #129 Closes #127 Closes #126 Closes #38

Author: ryota-murakami

.github/workflows/e2e.yml

@@ -51,7 +51,7 @@ jobs:
       # Start local Supabase (Docker is pre-installed on ubuntu-latest)
       - name: Start Supabase
         run: |
-          cd src/supabase
+          cd supabase
           supabase start
           # Apply seed data
           supabase db reset --local
@@ -79,7 +79,7 @@ jobs:
       - name: Stop Supabase
         if: always()
         run: |
-          cd src/supabase
+          cd supabase
           supabase stop || true
 
       - name: Upload blob report

.github/workflows/supabase-production.yml

@@ -4,8 +4,8 @@ on:
   push:
     branches: [main]
     paths:
-      - 'src/supabase/migrations/**'
-      - 'src/supabase/config.toml'
+      - 'supabase/migrations/**'
+      - 'supabase/config.toml'
       - '.github/workflows/supabase-production.yml'
   workflow_dispatch:
 
@@ -28,23 +28,23 @@ jobs:
           version: latest
 
       - name: Link to Production Project
-        run: supabase link --project-ref $SUPABASE_PROJECT_REF --workdir src
+        run: supabase link --project-ref "$SUPABASE_PROJECT_REF"
         env:
           SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
 
       - name: Show Pending Migrations
-        run: supabase migration list --workdir src
+        run: supabase migration list
         env:
           SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
 
       # Note: Database backups are handled by Supabase Pro Plan's
       # automatic daily backups and Point-in-Time Recovery feature.
       - name: Apply Migrations
-        run: supabase db push --linked --workdir src
+        run: supabase db push --linked
         env:
           SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
 
       - name: Verify Migration Status
-        run: supabase migration list --workdir src
+        run: supabase migration list
         env:
           SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}

.gitignore

@@ -59,8 +59,9 @@ Thumbs.db
 
 # Supabase
 .supabase/
-src/supabase/.branches/
-src/supabase/.temp/
+supabase/.branches/
+supabase/.temp/
+supabase/.env
 
 # Storybook
 storybook-static/
@@ -88,6 +89,5 @@ blob-report/
 # Logs
 logs/
 
-supabase/
 .1code/
 claudedocs/

CLAUDE.md

@@ -85,7 +85,7 @@ await supabase.from('Board').select('*') // ❌ Wrong
 
 **Prerequisites:** Docker Desktop running
 
-**🔴 CRITICAL:** Always use the npm scripts to start/stop Supabase. Running bare `supabase start` from the project root will NOT load GitHub OAuth credentials (the `env()` substitution in `config.toml` requires shell env vars from `src/supabase/.env`).
+**🔴 CRITICAL:** Always use the npm scripts to start/stop Supabase. Running bare `supabase start` from the project root will NOT load GitHub OAuth credentials (the `env()` substitution in `config.toml` requires shell env vars from `supabase/.env`).
 
 ```bash
 # Start local Supabase (sources .env + applies migrations)
@@ -130,9 +130,9 @@ supabase db reset
 
 ### Local Supabase + GitHub OAuth Setup
 
-**🔴 CRITICAL:** Supabase CLI reads environment variables from `src/supabase/.env`, NOT from root `.env`.
+**🔴 CRITICAL:** Supabase CLI reads environment variables from `supabase/.env`, NOT from root `.env`.
 
-1. **config.toml** (`src/supabase/config.toml`) must have:
+1. **config.toml** (`supabase/config.toml`) must have:
 
    ```toml
    [auth.external.github]
@@ -142,7 +142,7 @@ supabase db reset
    redirect_uri = "http://127.0.0.1:54321/auth/v1/callback"
    ```
 
-2. **Create `src/supabase/.env`** with GitHub OAuth credentials:
+2. **Create `supabase/.env`** with GitHub OAuth credentials:
 
    ```bash
    GITHUB_CLIENT_ID="your_client_id"
@@ -154,7 +154,7 @@ supabase db reset
    supabase stop && supabase start
    ```
 
-**⚠️ Note:** `src/supabase/.env` is gitignored. Each developer must create their own from the GitHub OAuth App settings.
+**⚠️ Note:** `supabase/.env` is gitignored. Each developer must create their own from the GitHub OAuth App settings.
 
 ### Production Migration Procedure
 

README.md

@@ -109,9 +109,9 @@ pnpm db:reset
 
 ### GitHub OAuth for Local Development
 
-Supabase CLI reads OAuth credentials from `src/supabase/.env` (not root `.env`).
+Supabase CLI reads OAuth credentials from `supabase/.env` (not root `.env`).
 
-1. Create `src/supabase/.env`:
+1. Create `supabase/.env`:
 
 ```bash
 GITHUB_CLIENT_ID="your-github-oauth-client-id"

SPEC.md

@@ -988,10 +988,10 @@ Each Supabase project requires its own GitHub OAuth App:
 
 #### Local Supabase + GitHub OAuth Setup
 
-Supabase CLI reads environment variables from `src/supabase/.env` (NOT root `.env`):
+Supabase CLI reads environment variables from `supabase/.env` (NOT root `.env`):
 
 ```bash
-# src/supabase/.env
+# supabase/.env
 GITHUB_CLIENT_ID=your_client_id
 GITHUB_CLIENT_SECRET=your_client_secret
 ```
@@ -1011,7 +1011,7 @@ additional_redirect_urls = [
 #### Migration Workflow
 
 1. Create migration: `supabase migration new <description>`
-2. Write SQL in `src/supabase/migrations/YYYYMMDDHHMMSS_<description>.sql`
+2. Write SQL in `supabase/migrations/YYYYMMDDHHMMSS_<description>.sql`
 3. Test on dev: `supabase link --project-ref jqtxjzdxczqwsrvevmyk` → `supabase db push --linked`
 4. Merge to `main` → Production deploys via GitHub Actions
 

e2e/logged-in/xss-smoke.spec.ts

@@ -0,0 +1,155 @@
+/**
+ * XSS Smoke Tests
+ *
+ * Verifies that user-input rendering paths properly escape XSS payloads.
+ * Tests the three primary attack surfaces:
+ * - Comment text (stored XSS)
+ * - Board title (stored XSS)
+ * - Project info link URL (javascript: scheme)
+ *
+ * @see https://github.com/laststance/gitbox/issues/127
+ */
+
+import { test, expect } from '../fixtures/coverage'
+import {
+  BOARD_IDS,
+  CARD_IDS,
+  resetProjectInfoComments,
+} from '../helpers/db-query'
+
+test.describe('XSS Prevention Smoke Tests (Authenticated)', () => {
+  test.use({ storageState: 'e2e/.auth/user.json' })
+
+  const BOARD_URL = `/board/${BOARD_IDS.testBoard}`
+  const XSS_SCRIPT_PAYLOAD = '<script>alert("xss")</script>'
+  const XSS_IMG_PAYLOAD = '<img src=x onerror=alert("xss")>'
+  const XSS_JS_URL = 'javascript:alert(1)'
+
+  test.beforeEach(async ({ page }) => {
+    await resetProjectInfoComments()
+    await page.goto(BOARD_URL)
+    await page.waitForLoadState('networkidle')
+    await expect(
+      page.locator('[data-testid^="repo-card-"]').first(),
+    ).toBeVisible({ timeout: 10000 })
+  })
+
+  test('should escape script tags in comment text', async ({ page }) => {
+    // Track any dialog/alert events — should never fire
+    let alertFired = false
+    page.on('dialog', async (dialog) => {
+      alertFired = true
+      await dialog.dismiss()
+    })
+
+    // Click on card-1 comment to enter edit mode
+    const commentDisplay = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-display"]`,
+    )
+    await expect(commentDisplay).toBeVisible({ timeout: 10000 })
+    await commentDisplay.click()
+
+    // Type XSS payload into textarea
+    const textarea = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-inline-edit"] textarea`,
+    )
+    await expect(textarea).toBeVisible({ timeout: 5000 })
+    await textarea.fill(XSS_SCRIPT_PAYLOAD)
+    await textarea.press('Enter')
+
+    // Verify the XSS payload is rendered as escaped text, not executed
+    // (toContainText auto-waits for the save to complete)
+    const commentText = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-text"]`,
+    )
+    await expect(commentText).toContainText('<script>')
+
+    // Verify no alert fired after DOM settled
+    expect(alertFired).toBe(false)
+  })
+
+  test('should escape img onerror payload in comment text', async ({
+    page,
+  }) => {
+    let alertFired = false
+    page.on('dialog', async (dialog) => {
+      alertFired = true
+      await dialog.dismiss()
+    })
+
+    const commentDisplay = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-display"]`,
+    )
+    await expect(commentDisplay).toBeVisible({ timeout: 10000 })
+    await commentDisplay.click()
+
+    const textarea = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-inline-edit"] textarea`,
+    )
+    await expect(textarea).toBeVisible({ timeout: 5000 })
+    await textarea.fill(XSS_IMG_PAYLOAD)
+    await textarea.press('Enter')
+
+    // Verify the XSS payload is rendered as escaped text, not executed
+    // (toContainText auto-waits for the save to complete)
+    const commentText = page.locator(
+      `[data-testid="repo-card-${CARD_IDS.card1}"] [data-testid="comment-text"]`,
+    )
+    await expect(commentText).toContainText('<img')
+
+    // Verify no alert fired after DOM settled
+    expect(alertFired).toBe(false)
+  })
+
+  test('should reject javascript: URL in project info link', async ({
+    page,
+  }) => {
+    let alertFired = false
+    page.on('dialog', async (dialog) => {
+      alertFired = true
+      await dialog.dismiss()
+    })
+
+    // Open the first card's note/project info modal
+    const card = page.locator(`[data-testid="repo-card-${CARD_IDS.card1}"]`)
+    await card.click()
+
+    // Wait for note modal to appear
+    const modal = page.locator('[role="dialog"]')
+    await expect(modal).toBeVisible({ timeout: 5000 })
+
+    // Find a link edit button and click it
+    let enteredEditMode = false
+    const editButton = modal.locator('[data-testid^="url-edit-"]').first()
+    if (await editButton.isVisible({ timeout: 3000 }).catch(() => false)) {
+      await editButton.click()
+      enteredEditMode = true
+    } else {
+      // If no existing link, look for "add link" button
+      const addLink = modal.locator('button:has-text("Add")').first()
+      if (await addLink.isVisible({ timeout: 3000 }).catch(() => false)) {
+        await addLink.click()
+        enteredEditMode = true
+      }
+    }
+
+    // Ensure we actually found an edit/add button — test is meaningless otherwise
+    expect(enteredEditMode).toBe(true)
+
+    // Try to enter javascript: URL
+    const urlInput = modal.locator('[data-testid^="url-input-"]').first()
+    await expect(urlInput).toBeVisible({ timeout: 3000 })
+    await urlInput.fill(XSS_JS_URL)
+    await urlInput.press('Tab')
+
+    // Wait for validation
+    await page.waitForTimeout(500)
+
+    // Should show error — javascript: is not allowed
+    const error = modal.locator('[role="alert"]').first()
+    await expect(error).toBeVisible({ timeout: 3000 })
+    await expect(error).toContainText('http')
+
+    expect(alertFired).toBe(false)
+  })
+})

e2e/unauthenticated/public-board.spec.ts

@@ -0,0 +1,31 @@
+/**
+ * Public Board E2E Tests
+ *
+ * Tests for the public board sharing feature (unauthenticated).
+ * Validates 404 handling for invalid/non-existent slugs.
+ */
+
+import { test, expect } from '../fixtures/coverage'
+
+test.describe('Public Board', () => {
+  test('should return 404 for invalid slug format', async ({ page }) => {
+    // Slug must be exactly 12 hex chars — "invalid" doesn't match
+    const response = await page.goto('/public/invalid-slug')
+
+    expect(response?.status()).toBe(404)
+  })
+
+  test('should return 404 for non-existent valid slug', async ({ page }) => {
+    // Valid format (12 hex chars) but no matching board
+    const response = await page.goto('/public/aabbccddeeff')
+
+    expect(response?.status()).toBe(404)
+  })
+
+  test('should return 404 for empty slug', async ({ page }) => {
+    const response = await page.goto('/public/')
+
+    // Next.js may return 404 for this route
+    expect(response?.status()).toBe(404)
+  })
+})

eslint.config.mjs

@@ -62,6 +62,7 @@ export default defineConfig([
     './e2e/tablet-landscape/**',
     '.storybook/**',
     '**/.husky/**',
+    '_trials/**',
     'src/lib/supabase/types.ts',
     'src/lib/supabase/database.types.ts',
     'src/lib/github/api.ts',
@@ -94,6 +95,20 @@ export default defineConfig([
             'Use axios instead of fetch for MSW compatibility. Import from lib/axios.ts.',
         },
       ],
+      // Ban revalidatePath/revalidateTag - Supabase SDK doesn't use Next.js cache
+      'no-restricted-imports': [
+        'error',
+        {
+          paths: [
+            {
+              name: 'next/cache',
+              importNames: ['revalidatePath', 'revalidateTag'],
+              message:
+                'Supabase SDK does not use Next.js cache. Use Redux optimistic updates instead.',
+            },
+          ],
+        },
+      ],
       // Ban console usage - use logger (server) or Sentry (client) instead
       'no-console': 'error',
     },

mocks/handlers/data.ts

@@ -114,6 +114,8 @@ const INITIAL_MOCK_BOARDS = [
     theme: 'sunrise',
     settings: null,
     is_favorite: false,
+    is_public: false,
+    share_slug: null as string | null,
     position: 1,
     created_at: '2024-01-01T00:00:00.000Z',
     updated_at: '2024-01-01T00:00:00.000Z',
@@ -126,6 +128,8 @@ const INITIAL_MOCK_BOARDS = [
     theme: 'midnight',
     settings: null,
     is_favorite: false,
+    is_public: false,
+    share_slug: null as string | null,
     position: 0,
     created_at: '2024-01-02T00:00:00.000Z',
     updated_at: '2024-01-02T00:00:00.000Z',