Merge for up to date

[LCSOGthb]

User description

---

---

Summary by cubic

Launch a modern “Coming Soon” Next.js app with a dark theme, accessibility improvements, and a language selector, plus performance benchmarks. Streamlines CI with ESLint and CodSpeed while removing legacy scanners.

• New Features

  • New page with animated gradient and language selector (en, zh); global dark theme via Tailwind v4.
  • Added GameCard and lib/games.ts utilities; performance benches using vitest with CodSpeed.
  • Path alias in tsconfig.json; bumped next to ^15.5.18; added @codspeed/vitest-plugin, vitest, @types/react.

• CI

  • Added CodSpeed and ESLint workflows; adjusted ossar schedule.
  • Removed codeql, codacy, codescan, osv-scanner, msvc, and Defender for DevOps workflows.

^{Written for commit 01611ee. Summary will update on new commits.}

---

CodeAnt-AI Description

Add a bilingual coming-soon landing page with accessibility and visual polish

What Changed

• Replaced the empty app shell with a centered coming-soon page, animated background, and visible version label
• Added a language selector so the headline and subtitle can switch between English and Chinese
• Added a skip link and clearer focus styling to make the page easier to use with a keyboard or screen reader
• Added benchmark coverage and a CodSpeed workflow to track performance changes over time

Impact

✅ Clearer first impression on the home page
✅ Shorter language switching for English and Chinese visitors
✅ Easier keyboard navigation and screen-reader use

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[cr-gpt]

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
.github/workflows/ossar.yml	46% smaller
package.json	33% smaller
package-lock.json	16% smaller
.github/workflows/codacy-coverage-reporter.yaml	0% smaller
.github/workflows/codacy.yml	0% smaller
.github/workflows/codeql.yml	0% smaller
.github/workflows/codescan.yml	0% smaller
.github/workflows/codspeed.yml	0% smaller
.github/workflows/defender-for-devops.yml	0% smaller
.github/workflows/eslint.yml	0% smaller
.github/workflows/msvc.yml	0% smaller
.github/workflows/osv-scanner.yml	0% smaller
.replit	Unsupported file format
README.md	Unsupported file format
SECURITY.md	Unsupported file format
app/globals.css	0% smaller
app/layout.tsx	0% smaller
app/page.tsx	0% smaller
bench/games.bench.ts	0% smaller
components/GameCard.tsx	0% smaller
lib/games.ts	0% smaller
lib/translations.ts	0% smaller
tsconfig.json	0% smaller
vitest.config.mts	0% smaller

[codeant-ai]

CodeAnt AI is reviewing your PR.

[netlify]

✅ Deploy Preview for lsngames ready!

Name	Link
🔨 Latest commit	01611ee
🔍 Latest deploy log	https://app.netlify.com/projects/lsngames/deploys/6a1f86b93cd6cb000851d494
😎 Deploy Preview	https://deploy-preview-56--lsngames.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
games	Error		Jun 3, 2026 1:43am

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: acc90442-f052-4fae-8347-5d9af7706d9d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch main

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch main

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[corgea]

🧹 Quality - The "paginateGames" function fails to validate "page" and "pageSize", causing incorrect array slicing, such as negative start indexes when "page=0". This misaligns the control flow from its intended pagination logic. View in Corgea ↗

More Details

🎟️Issue Explanation: The "paginateGames" function fails to validate "page" and "pageSize", causing incorrect array slicing, such as negative start indexes when "page=0". This misaligns the control flow from its intended pagination logic.

- Negative or zero "page" causes "start" to be negative, making "slice" return unexpected results by counting from the array's end.
- Passing non-integer or negative "pageSize" leads to inconsistent slicing behavior, breaking assumptions in pagination.
- This flaw increases debugging complexity and reduces reliability, as pagination outputs don't align with expected page boundaries.

🪄Fix Explanation: Added input validation and normalization for pagination parameters to prevent unexpected behavior and ensure the function only processes valid positive integers.
Input validation with "Number.isFinite" ensures that non-numeric or infinite values immediately return an empty array, preventing runtime errors.
Flooring page and pageSize via "Math.floor" normalizes fractional inputs, improving consistency and expected pagination behavior.
Checks for positive values ("safePage < 1 || safePageSize < 1") guard against invalid pagination requests like zero or negative numbers.
Calculating "start" with validated and normalized inputs guarantees the slice range is always valid, improving robustness.

💡Important Instructions: Audit other pagination or indexing functions to apply similar input validation patterns for consistent robustness across the codebase.

Suggested change

	const start = (page - 1) * pageSize;
	// Validate inputs: require finite positive integers; return empty array if invalid
	if (!Number.isFinite(page) || !Number.isFinite(pageSize)) {
	return [];
	}
	const safePage = Math.floor(page);
	const safePageSize = Math.floor(pageSize);
	if (safePage < 1 || safePageSize < 1) {
	return [];
	}
	const start = (safePage - 1) * safePageSize;
	return games.slice(start, start + safePageSize);

[qodo-code-review]

Review Summary by Qodo

Add game library, benchmarks, and coming soon landing page with CodSpeed integration

✨ Enhancement 🧪 Tests

Walkthroughs

Description

• Add comprehensive benchmark suite for games and translations
• Implement game catalog library with filtering, sorting, search, pagination
• Create coming soon landing page with multi-language support
• Add CodSpeed performance monitoring workflow and vitest configuration
• Consolidate GitHub workflows, removing redundant security scanners
• Update dependencies including Next.js to 15.5.18

Diagram

flowchart LR
  A["Game Library<br/>lib/games.ts"] --> B["Benchmark Suite<br/>bench/games.bench.ts"]
  C["Translations<br/>lib/translations.ts"] --> D["Landing Page<br/>app/page.tsx"]
  D --> E["Global Styles<br/>app/globals.css"]
  B --> F["CodSpeed Workflow<br/>.github/workflows/codspeed.yml"]
  G["Package Updates<br/>package.json"] --> F
  H["Removed Workflows<br/>codacy, codeql, etc"] --> I["ESLint Workflow<br/>.github/workflows/eslint.yml"]

Loading

File Changes

1. bench/games.bench.ts 🧪 Tests +91/-0

New benchmark suite for game operations

bench/games.bench.ts

---

2. lib/games.ts ✨ Enhancement +37/-0

Game catalog utility functions library

lib/games.ts

---

3. lib/translations.ts ✨ Enhancement +25/-0

Multi-language translation support system

lib/translations.ts

---

View more (20)

4. app/globals.css ✨ Enhancement +255/-0

Global styles with animated gradient background

app/globals.css

---

5. app/layout.tsx ✨ Enhancement +25/-0

Root layout with metadata and viewport config

app/layout.tsx

---

6. app/page.tsx ✨ Enhancement +54/-0

Coming soon landing page with language selector

app/page.tsx

---

7. components/GameCard.tsx ✨ Enhancement +69/-0

Game card component with image and details

components/GameCard.tsx

---

8. .github/workflows/codspeed.yml ✨ Enhancement +35/-0

New CodSpeed performance benchmarking workflow

.github/workflows/codspeed.yml

---

9. .github/workflows/eslint.yml ✨ Enhancement +52/-0

New ESLint code quality scanning workflow

.github/workflows/eslint.yml

---

10. .github/workflows/codacy-coverage-reporter.yaml ⚙️ Configuration changes +0/-19

Removed Codacy coverage reporter workflow

.github/workflows/codacy-coverage-reporter.yaml

---

11. .github/workflows/codacy.yml ⚙️ Configuration changes +0/-61

Removed Codacy security scan workflow

.github/workflows/codacy.yml

---

12. .github/workflows/codeql.yml ⚙️ Configuration changes +0/-90

Removed CodeQL advanced analysis workflow

.github/workflows/codeql.yml

---

13. .github/workflows/codescan.yml ⚙️ Configuration changes +0/-35

Removed CodeScan workflow

.github/workflows/codescan.yml

---

14. .github/workflows/defender-for-devops.yml ⚙️ Configuration changes +0/-47

Removed Microsoft Defender for DevOps workflow

.github/workflows/defender-for-devops.yml

---

15. .github/workflows/msvc.yml ⚙️ Configuration changes +0/-66

Removed Microsoft C++ code analysis workflow

.github/workflows/msvc.yml

---

16. .github/workflows/ossar.yml ⚙️ Configuration changes +1/-1

Updated OSSAR workflow cron schedule

.github/workflows/ossar.yml

---

17. .github/workflows/osv-scanner.yml ⚙️ Configuration changes +0/-52

Removed OSV-Scanner vulnerability scanning workflow

.github/workflows/osv-scanner.yml

---

18. .replit ⚙️ Configuration changes +6/-0

Replit configuration for Node.js environment

.replit

---

19. README.md 📝 Documentation +32/-12

Updated badges and added CodSpeed, DeepScan, CodeScene badges

README.md

---

20. SECURITY.md 📝 Documentation +11/-8

Simplified security policy with universal support

SECURITY.md

---

21. package.json Dependencies +5/-2

Updated Next.js and dependencies, added vitest and CodSpeed

package.json

---

22. tsconfig.json ⚙️ Configuration changes +39/-0

TypeScript configuration with path aliases

tsconfig.json

---

23. vitest.config.mts ⚙️ Configuration changes +6/-0

Vitest configuration with CodSpeed plugin

vitest.config.mts

---

[sourcery-ai]

Reviewer's Guide

Modernizes the Next.js app landing experience and project tooling by adding a localized animated "Coming Soon" UI, introducing reusable game catalog utilities with Vitest/CodSpeed benchmarks, tightening TypeScript support, and streamlining CI/badges and security documentation.

Sequence diagram for Home page language switching and translations

sequenceDiagram
  actor User
  participant Home as HomeComponent
  participant Translations as translations_module

  User->>Home: load page
  Home->>Translations: getTranslation("en")
  Translations-->>Home: translation_object
  Home-->>User: render title and subtitle

  User->>Home: change language (select zh)
  Home->>Home: setLang("zh")
  Home->>Translations: getTranslation("zh")
  Translations-->>Home: translation_object
  Home-->>User: re-render title and subtitle

Loading

File-Level Changes

Change	Details	Files
Add a localized animated "Coming Soon" landing page with global styling and layout in the Next.js app.	Introduce a global dark theme, animated gradient background, accessibility helpers, and layout utility classes in the main CSS file Create a root layout component configuring document metadata, viewport, and wiring in the global styles Implement the main page with a language selector, centered coming-soon card content, skip link, and version label using translation helpers	app/globals.css app/layout.tsx app/page.tsx
Introduce basic game catalog domain utilities and a reusable GameCard UI component.	Add a Game interface and helper functions for filtering, sorting, searching, de-duplicating categories, and paginating game collections Create an accessible GameCard client component with image, category badge, description, and call-to-action button	lib/games.ts components/GameCard.tsx
Add translations infrastructure and wiring for the landing page.	Define translation data for English and Chinese including title, subtitle, and language metadata Expose helpers to fetch translations with English fallback and list available languages Integrate translation lookup into the home page via a typed Language union	lib/translations.ts app/page.tsx
Integrate Vitest and CodSpeed for performance benchmarking of game catalog and translation utilities.	Add Vitest and the CodSpeed Vitest plugin as dev dependencies and configure Vitest to use the plugin Create benchmark suites that generate synthetic game catalogs and measure performance of catalog and translation helper functions Add a CodSpeed GitHub Actions workflow to run benchmarks in simulation mode on pushes, PRs, and manual triggers	package.json vitest.config.mts bench/games.bench.ts .github/workflows/codspeed.yml
Improve TypeScript support and linting/analysis automation while simplifying other CI integrations.	Introduce a TypeScript configuration tuned for a Next.js app with JSX, path aliases, and incremental compilation Add React type definitions and update Next.js and Wrangler versions in dependencies Add a GitHub Actions ESLint workflow that runs ESLint with SARIF output and uploads results, and adjust OSSAR scan schedule Remove several existing code scanning/quality workflows in favor of the new setup	tsconfig.json package.json .github/workflows/eslint.yml .github/workflows/ossar.yml .github/workflows/codacy-coverage-reporter.yaml .github/workflows/codacy.yml .github/workflows/codeql.yml .github/workflows/codescan.yml .github/workflows/defender-for-devops.yml .github/workflows/msvc.yml .github/workflows/osv-scanner.yml
Refresh project badges and security policy documentation.	Reorganize and expand README badges to include repository metrics, CodSpeed, and additional static-analysis services while removing Scrutinizer badges Rewrite SECURITY policy to a concise supported-versions table and simple guidance for reporting vulnerabilities via GitHub issues	README.md SECURITY.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 🔗 Cross-repo conflicts (0)

1. Unpinned CodSpeed action 🐞 Bug ⛨ Security

Description

The CodSpeed workflow runs CodSpeedHQ/action@v4 (floating tag) while granting id-token: write,
which increases supply-chain risk because the executed action code can change without review.
Pinning to a commit SHA is needed to make the workflow execution immutable.

Code

.github/workflows/codspeed.yml[R12-35]

Evidence

The workflow grants id-token: write and references a third-party action via a floating tag, which
is mutable and therefore a supply-chain risk.

.github/workflows/codspeed.yml[12-35]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow uses a third-party GitHub Action by floating tag (`CodSpeedHQ/action@v4`) while also enabling OIDC token minting (`id-token: write`). If the tag ever changes unexpectedly, the workflow could run unreviewed code with elevated permissions.

### Issue Context
This is a CI supply-chain hardening issue. GitHub recommends pinning actions to commit SHAs.

### Fix Focus Areas
- .github/workflows/codspeed.yml[12-35]

### Suggested fix
- Replace `uses: CodSpeedHQ/action@v4` with `uses: CodSpeedHQ/action@<full_commit_sha>`.
- (Optional hardening) Scope `permissions` to the job level and keep `id-token: write` only if CodSpeed requires OIDC in your setup.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. ESLint toolchain drift 🐞 Bug ⚙ Maintainability

Description

The ESLint workflow installs ESLint 8.10.0 via npm install even though the repo is pinned to
ESLint 9.x in package-lock.json, so code-scanning results can diverge from local/locked lint
behavior. This also creates an extra maintenance surface (versions now live in workflow YAML rather
than the repo’s dependency graph).

Code

.github/workflows/eslint.yml[R33-46]

Evidence

The workflow installs ESLint 8.10.0 directly, while the repository’s dependencies/lockfile pin
ESLint 9.x, so CI is not using the same lint engine as the repo toolchain.

.github/workflows/eslint.yml[33-46]
package.json[16-25]
package-lock.json[4157-4162]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The ESLint GitHub Action installs a hard-coded ESLint version (8.10.0) using `npm install`, but the repository’s locked toolchain uses ESLint 9.x. This can cause inconsistent lint/SARIF results between CI and local runs.

### Issue Context
- The workflow installs tooling ad-hoc instead of using the repo’s lockfile.
- The repo already pins ESLint via `package-lock.json`.

### Fix Focus Areas
- .github/workflows/eslint.yml[33-46]
- package.json[16-25]
- package-lock.json[4157-4162]

### Suggested fix
- Add `actions/setup-node@v4`.
- Replace the ad-hoc installs with `npm ci`.
- Run the repo’s ESLint (e.g., `npx eslint ...` after `npm ci`, or `npm run lint` if you want Next’s lint wrapper), and keep the SARIF formatter either as a devDependency or install it deterministically (preferably via the lockfile).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Version label mismatch 🐞 Bug ≡ Correctness

Description

app/page.tsx shows version 0.14 but the aria-label announces 0.13, so assistive technologies
will read incorrect information. This is a correctness/accessibility bug in the same UI element.

Code

app/page.tsx[R48-51]

Evidence

The same element contains two different version values: one in visible text and one in the
aria-label.

app/page.tsx[48-51]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The version label’s `aria-label` does not match the visible version string, causing screen readers to announce the wrong version.

### Issue Context
This is an accessibility correctness issue: the accessible name should match the displayed content when it’s meant to represent the same information.

### Fix Focus Areas
- app/page.tsx[48-51]

### Suggested fix
- Update `aria-label` to match the displayed version (e.g., `Version 0.14 Beta`), or remove `aria-label` entirely if it’s redundant and the visible text is sufficient.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 critical · 7 high · 25 medium · 67 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category	Results
Compatibility	3 medium 5 high
BestPractice	22 medium 4 minor
Documentation	5 minor
ErrorProne	1 critical 1 high
Security	1 high
CodeStyle	58 minor

View in Codacy

🟢 Metrics 33 complexity

Metric	Results
Complexity	33

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[guardrails]

⚠️ We detected 5 security issues in this pull request:

Vulnerable Libraries (5)

Severity	Details
Medium	pkg:npm/next@15.5.18 upgrade to: > 15.5.18
High	pkg:npm/eslint-config-next@15.3.4 upgrade to: > 15.3.4
Medium	pkg:npm/@tailwindcss/postcss@4.1.18 (t) upgrade to: > 4.1.18
Medium	pkg:npm/vitest@4.1.7 upgrade to: > 4.1.7
High	pkg:npm/wrangler@4.95.0 upgrade to: > 4.95.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[difflens]

View changes in DiffLens

[difflens]

View changes in DiffLens

[deepsource-io]

DeepSource Code Review

We reviewed changes in 03ab971...01611ee on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		Jun 3, 2026 1:43a.m.	Review ↗
Python		Jun 3, 2026 1:43a.m.	Review ↗
Rust		Jun 3, 2026 1:43a.m.	Review ↗
Secrets		Jun 3, 2026 1:43a.m.	Review ↗
Ruby		Jun 3, 2026 1:43a.m.	Review ↗
Shell		Jun 3, 2026 1:43a.m.	Review ↗
Scala		Jun 3, 2026 1:43a.m.	Review ↗
SQL		Jun 3, 2026 1:43a.m.	Review ↗
Terraform		Jun 3, 2026 1:43a.m.	Review ↗
Code coverage		Jun 3, 2026 1:43a.m.	Review ↗
Swift		Jun 3, 2026 1:43a.m.	Review ↗
C & C++		Jun 3, 2026 1:43a.m.	Review ↗
C#		Jun 3, 2026 1:43a.m.	Review ↗
Ansible		Jun 3, 2026 1:43a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[codescene-delta-analysis]

Gates Passed
6 Quality Gates Passed

See analysis details in CodeScene

Quality Gate Profile: Pay Down Tech Debt
Install CodeScene MCP: safeguard and uplift AI-generated code. Catch issues early with our IDE extension and CLI tool.

[codereviewbot-ai]

Potential Accessibility Issue: overflow: hidden on html, body

Setting overflow: hidden on both html and body prevents scrolling, which can make content inaccessible if it overflows the viewport. This is especially problematic for users on smaller screens or with zoom enabled. Consider removing or adjusting this property to allow scrolling when necessary.

Recommended Solution:

html, body {
  height: 100%;
  /* Remove overflow: hidden unless absolutely necessary */
}

[codereviewbot-ai]

Performance Concern: Heavy Blur Filters and Box-Shadows

The use of backdrop-filter: blur(20px) and large box-shadows can significantly impact rendering performance, especially on lower-end devices or browsers with limited support. This may cause lag or degraded user experience.

Recommended Solution:

• Reduce the blur radius or use lighter box-shadows.
• Consider using simpler effects or fallback styles for performance-critical environments.
• Test on multiple devices to ensure acceptable performance.

[codereviewbot-ai]

The use of as Language in setLang(e.target.value as Language) is potentially unsafe. If the select options are modified or if a user manipulates the DOM, an invalid value could be set, leading to runtime errors or unexpected behavior. Consider validating the value before updating the state:

const value = e.target.value;
if (value === 'en' || value === 'zh') setLang(value);

This ensures only supported languages are set.

[codereviewbot-ai]

There is no error handling for the result of getTranslation(lang). If getTranslation returns undefined or null (e.g., for an unsupported language), the component may render undefined values or throw an error. Consider adding a fallback or validation:

const t = getTranslation(lang) || { title: 'Coming Soon', subtitle: '' };

This ensures the UI remains robust even if translations are missing.

[codereviewbot-ai]

Image Fallback Handling:
The <img> element does not provide any fallback or error handling for cases where game.image is missing or fails to load. This can result in broken images and negatively impact the UI. Consider adding an onError handler or a default placeholder image:

<img
  src={game.image || '/default-image.png'}
  alt={`Preview image for ${game.title}`}
  onError={(e) => { e.currentTarget.src = '/default-image.png'; }}
  className="h-full w-full object-cover transition-transform duration-300 group-hover:scale-105"
/>

[codereviewbot-ai]

Button Functionality:
The 'Play Now' button does not have any event handler or navigation logic, making it non-functional. If the intent is to allow users to play the game, consider adding an onClick handler or wrapping the button in a link to the game's page:

<button
  type="button"
  className="btn-primary w-full"
  aria-label={`Play ${game.title}`}
  onClick={() => navigateToGame(game.id)}
>
  Play Now
</button>

Or use a <Link> component if navigation is required.

[codereviewbot-ai]

Input Validation in paginateGames

The paginateGames function does not validate the page and pageSize parameters. If negative, zero, or non-integer values are provided, the function may return unexpected results or an empty array. This can lead to subtle bugs in pagination logic.

Recommended Solution:
Add validation to ensure page and pageSize are positive integers:

if (page < 1 || pageSize < 1 || !Number.isInteger(page) || !Number.isInteger(pageSize)) {
  throw new Error('Page and pageSize must be positive integers');
}

[codereviewbot-ai]

Null/Undefined Input Handling in searchGames

The searchGames function does not handle cases where games or query are null or undefined. This could result in runtime errors if the function is called with invalid input.

Recommended Solution:
Add input validation to ensure games is an array and query is a string:

if (!Array.isArray(games) || typeof query !== 'string') {
  return [];
}

[codereviewbot-ai]

The getTranslation function accepts any string as input, which may lead to silent fallback to English for unsupported or misspelled language codes. This can mask errors and make debugging more difficult. Consider restricting the input type to Language or explicitly handling unknown languages, for example by throwing an error or logging a warning when an unsupported language is requested.

Recommended solution:

export function getTranslation(lang: Language) {
  return translations[lang];
}

Or, if you must accept arbitrary strings, add explicit handling for unknown languages.

[codereviewbot-ai]

The getAvailableLanguages function returns a string[], but the valid set of languages is already defined by the Language type. Returning Language[] instead would provide better type safety and consistency throughout the codebase.

Recommended solution:

export function getAvailableLanguages(): Language[] {
  return Object.keys(translations) as Language[];
}

[difflens]

View changes in DiffLens

[gemini-code-assist]

Code Review

This pull request introduces a "Coming Soon" landing page built with Next.js, featuring multi-language support, custom styling, and game catalog utility functions along with Vitest benchmarks and CodSpeed integration. The code review highlights several areas for improvement: the pagination logic in paginateGames should defensively handle invalid inputs; missing CSS variables (--bg-elevated and --border-subtle) should be defined in globals.css to prevent broken styles; the aria-label on the version label in page.tsx needs to be updated to match the rendered text; and strict mode should be enabled in tsconfig.json for better type safety.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The pagination logic in paginateGames does not handle cases where page or pageSize is less than 1. If page is 0 or negative, start will be negative, causing slice to count from the end of the array and return incorrect results. We should defensively guard against invalid inputs.

Suggested change

	export function paginateGames(
	games: Game[],
	page: number,
	pageSize: number,
	): Game[] {
	const start = (page - 1) * pageSize;
	return games.slice(start, start + pageSize);
	}
	export function paginateGames(
	games: Game[],
	page: number,
	pageSize: number,
	): Game[] {
	const safePage = Math.max(1, page);
	const safePageSize = Math.max(1, pageSize);
	const start = (safePage - 1) * safePageSize;
	return games.slice(start, start + safePageSize);
	}

[gemini-code-assist]

The CSS variables --bg-elevated and --border-subtle are used in components/GameCard.tsx but are not defined in :root inside app/globals.css. This will cause fallback or broken styles. Please define these variables in :root.

:root {
  --bg-base: #0a0a0f;
  --bg-surface: rgba(255, 255, 255, 0.05);
  --bg-card: rgba(255, 255, 255, 0.08);
  --bg-elevated: rgba(255, 255, 255, 0.1);
  --text-primary: #ffffff;
  --text-secondary: rgba(255, 255, 255, 0.7);
  --border-default: rgba(255, 255, 255, 0.12);
  --border-hover: rgba(255, 255, 255, 0.2);
  --border-subtle: rgba(255, 255, 255, 0.06);
  --focus-ring: rgba(255, 255, 255, 0.5);
}

[gemini-code-assist]

There is a mismatch between the aria-label ("Version 0.13 Beta") and the actual rendered version text ("Version: 0.14 β"). This can confuse screen reader users. Please update the aria-label to match the rendered version.

Suggested change

	<div className="version-label" aria-label="Version 0.13 Beta">
	Version: 0.14 β
	</div>
	<div className="version-label" aria-label="Version 0.14 Beta">
	Version: 0.14 β
	</div>

[gemini-code-assist]

Setting "strict": false disables TypeScript's strict type-checking features, which can lead to runtime errors and reduces the benefits of using TypeScript. It is highly recommended to enable strict mode for better type safety and maintainability.

Suggested change

	"strict": false,
	"strict": true,

[difflens]

View changes in DiffLens

[difflens]

View changes in DiffLens

[devin-ai-integration]

Devin Review found 4 potential issues.

[devin-ai-integration]

🟡 aria-label shows stale version "0.13" while visible text shows "0.14"

The aria-label on the version label div says "Version 0.13 Beta" but the visible text reads Version: 0.14 β. This was likely caused by the version bump in commit a60f240 updating the visible text but not the aria-label. Screen reader users will hear the wrong version number.

Suggested change

	<div className="version-label" aria-label="Version 0.13 Beta">
	Version: 0.14 β
	</div>
	<div className="version-label" aria-label="Version 0.14 Beta">
	Version: 0.14 β
	</div>

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🔴 ESLint workflow references non-existent .eslintrc.js config file

The new ESLint workflow at .github/workflows/eslint.yml:42 runs npx eslint . --config .eslintrc.js, but no .eslintrc.js file exists in the repository. ESLint will fail to find the config and error out. Although continue-on-error: true prevents the step from failing the workflow, the eslint-results.sarif output file will never be generated, causing the subsequent SARIF upload step to also fail. The entire workflow is effectively non-functional.

Prompt for agents

The ESLint workflow installs eslint@8.10.0 and uses --config .eslintrc.js --ext flags (ESLint 8 style), but the project uses eslint ^9 (flat config) with eslint-config-next, and no .eslintrc.js file exists. The workflow needs to be updated to either: (1) create a compatible .eslintrc.js config file in the repo, or (2) update the workflow to use ESLint 9 flat config (eslint.config.mjs) without --config and --ext flags (which are removed in ESLint 9). The project's package.json already has eslint-config-next 15.3.4 and eslint ^9 as devDependencies, so aligning the workflow with the project's own ESLint setup would be the simplest fix.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

📝 Info: Language type is effectively string due to Record annotation

In lib/translations.ts:17, export type Language = keyof typeof translations resolves to string because translations is explicitly annotated as Record<string, ...>. This means the Language type provides no narrowing — useState<Language>("en") and the as Language cast in app/page.tsx:28 do nothing useful. If the intent was to restrict to "en" | "zh", the annotation should be removed or replaced with satisfies so TypeScript infers the literal keys. Not a runtime bug since getTranslation handles unknown keys via fallback (?? translations["en"]), but it defeats the purpose of having a named type.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 ESLint workflow installs a separate eslint@8 instead of using the project's eslint@9

Beyond the missing .eslintrc.js config (reported as a bug), the ESLint workflow at .github/workflows/eslint.yml:35 installs eslint@8.10.0 directly rather than running npm ci to use the project's own eslint@^9. This means even if the config file issue were fixed, the workflow would use a completely different (much older) ESLint version than the project's devDependencies specify. The --ext flag used on line 43 is also removed in ESLint 9. This workflow appears to be boilerplate that wasn't adapted to the actual project setup.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[codeant-ai]

Suggestion: The ARIA label announces a different version than the visible text, so screen-reader users get incorrect release information. Keep the announced version string consistent with the rendered version text. [incorrect variable usage]

Severity Level: Major ⚠️

- ⚠️ Screen readers announce outdated version for version label.
- ⚠️ Accessibility compliance reduced for assistive technology users.

Steps of Reproduction ✅

1. Render the Home page component defined in `app/page.tsx:6-54` by running the Next.js
app so the default `/` route loads.

2. Inspect the DOM for the version label container at `app/page.tsx:48-51`, which renders
`<div className="version-label" aria-label="Version 0.13 Beta">`.

3. Observe that the visible text inside this div (line 50) is `Version: 0.14 β`, while the
`aria-label` attribute (line 49) still says `Version 0.13 Beta`.

4. Use a screen reader (or browser accessibility inspector) to verify that assistive
technologies announce the aria-label string `Version 0.13 Beta`, which does not match the
visible `0.14 β` text, confirming inconsistent version information for non-visual users.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** app/page.tsx
**Line:** 49:51
**Comment:**
	*Incorrect Variable Usage: The ARIA label announces a different version than the visible text, so screen-reader users get incorrect release information. Keep the announced version string consistent with the rendered version text.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

Suggestion: Pagination allows non-positive page values, which produces negative slice indices and returns items from the end of the array instead of page 1 semantics. Validate or clamp page/pageSize to positive integers before computing offsets. [logic error]

Severity Level: Major ⚠️

- ⚠️ paginateGames misbehaves when page argument is non-positive.
- ⚠️ Library pagination helper less robust to invalid input.

Steps of Reproduction ✅

1. Open `lib/games.ts` and locate `paginateGames` at lines 30-37, which computes `const
start = (page - 1) * pageSize;` (line 35) and then calls `games.slice(start, start +
pageSize);` (line 36).

2. In a Node REPL, test file, or benchmark, import `paginateGames` from `lib/games.ts` and
construct a simple array of games (e.g., using `generateGames` from
`bench/games.bench.ts:16-28`).

3. Call `paginateGames(games, 0, 10)`; by substitution into the code, `start = (0 - 1) *
10 = -10`, so `games.slice(-10, 0)` is executed.

4. Verify that JavaScript `Array.prototype.slice` with a negative start index returns
elements from the end of the array, so `paginateGames` returns the last 10 items instead
of the first page semantics, demonstrating that non-positive `page` values produce
incorrect page results.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** lib/games.ts
**Line:** 35:36
**Comment:**
	*Logic Error: Pagination allows non-positive `page` values, which produces negative slice indices and returns items from the end of the array instead of page 1 semantics. Validate or clamp `page`/`pageSize` to positive integers before computing offsets.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

🟠 Architect Review — HIGH

The ESLint workflow step references a .eslintrc.js config that does not exist anywhere in the repo, so npx eslint . --config .eslintrc.js cannot run with the specified configuration.

Suggestion: Either add and maintain the .eslintrc.js file, or update the workflow to use the project's real lint entrypoint (for example npm run lint or a config-less next lint) so the CI ESLint job actually runs.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/eslint.yml
**Line:** 33:43
**Comment:**
	*HIGH: The ESLint workflow step references a `.eslintrc.js` config that does not exist anywhere in the repo, so `npx eslint . --config .eslintrc.js` cannot run with the specified configuration.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🟠 Architect Review — HIGH

The app exposes a language selector and Chinese translations but the document <html> lang attribute is hardcoded to en, so when users switch to Chinese assistive technologies still interpret the page as English.

Suggestion: Treat the selected language as a page-level state and ensure the root <html lang> (and related metadata) is updated to match the current language so accessibility and localization stay consistent.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** app/layout.tsx
**Line:** 21:21
**Comment:**
	*HIGH: The app exposes a language selector and Chinese translations but the document `<html>` `lang` attribute is hardcoded to `en`, so when users switch to Chinese assistive technologies still interpret the page as English.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🎨 Design Review — MEDIUM

Do you think the language selector control may be too small for touch users, since the current padding and font-size yield a hit area noticeably below the recommended 44×44px target (WCAG 2.5.5 Target Size guidance)?

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a **Design Review** comment — a question about the UX/design of frontend code. It is intentionally framed as a question, not a prescription. The author may agree or disagree.

**Path:** app/globals.css
**Line:** 164:177
**Comment:**
	*MEDIUM: Do you think the language selector control may be too small for touch users, since the current padding and font-size yield a hit area noticeably below the recommended 44×44px target (WCAG 2.5.5 Target Size guidance)?

- If you agree with the proposal, apply a small, localized change (swap a color token, bump a font size, adjust spacing, add an aria-label, etc.).
- If you disagree, or the answer depends on a design decision a human should make, explain your reasoning and ask the user how to proceed.
Do NOT refactor surrounding components or apply other design changes that weren't asked about.

[codeant-ai]

🎨 Design Review — MEDIUM

Do you think the version label's accessible name should match its visible text, since screen readers currently get "Version 0.13 Beta" via aria-label while the UI shows "Version: 0.14 β" (violating WCAG 4.1.2 Name, Role, Value consistency)?

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a **Design Review** comment — a question about the UX/design of frontend code. It is intentionally framed as a question, not a prescription. The author may agree or disagree.

**Path:** app/page.tsx
**Line:** 49:50
**Comment:**
	*MEDIUM: Do you think the version label's accessible name should match its visible text, since screen readers currently get "Version 0.13 Beta" via `aria-label` while the UI shows "Version: 0.14 β" (violating WCAG 4.1.2 Name, Role, Value consistency)?

- If you agree with the proposal, apply a small, localized change (swap a color token, bump a font size, adjust spacing, add an aria-label, etc.).
- If you disagree, or the answer depends on a design decision a human should make, explain your reasoning and ask the user how to proceed.
Do NOT refactor surrounding components or apply other design changes that weren't asked about.

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[kilo-code-bot]

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
app/page.tsx	49-50	aria-label value "Version 0.13 Beta" does not match visible text "Version: 0.14 β" - screen readers will announce incorrect information

Files Reviewed (6 files)

• app/page.tsx - 1 issue
• app/layout.tsx - no issues
• components/GameCard.tsx - no issues
• lib/games.ts - no issues
• lib/translations.ts - no issues
• app/globals.css - no issues
• .github/workflows/codspeed.yml - no issues
• .github/workflows/eslint.yml - no issues
• .github/workflows/ossar.yml - no issues (schedule change only)

---

_{Reviewed by laguna-m.1-20260312:free · 1,516,892 tokens}

[kilo-code-bot]

WARNING: aria-label value does not match visible text

The aria-label attribute says "Version 0.13 Beta" but the visible text is "Version: 0.14 β". Screen readers will announce the aria-label, which contains outdated information. Either update the aria-label to match the visible text or remove it if the visible text is sufficient.

Suggested change

	<div className="version-label" aria-label="Version 0.13 Beta">
	<div className="version-label" aria-label="Version: 0.14 β">

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• In components/GameCard.tsx you reference CSS variables like --bg-elevated and --border-subtle, but these aren't defined in globals.css (only --bg-base, --bg-surface, --bg-card, --border-default, --border-hover exist); either add the missing variables or switch to the existing ones to avoid rendering inconsistencies.
• The ESLint workflow installs a hard‑coded global eslint@8.10.0 and uses it via npx, while the project devDependency is eslint@^9—it would be more robust to run npm ci and use the local ESLint version (and config) to keep CI behavior aligned with the project.
• In lib/translations.ts, you define a Language type but getTranslation and getAvailableLanguages both use string types; tightening these to use Language (and returning Language[] from getAvailableLanguages) would improve type safety and catch invalid language keys at compile time.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `components/GameCard.tsx` you reference CSS variables like `--bg-elevated` and `--border-subtle`, but these aren't defined in `globals.css` (only `--bg-base`, `--bg-surface`, `--bg-card`, `--border-default`, `--border-hover` exist); either add the missing variables or switch to the existing ones to avoid rendering inconsistencies.
- The ESLint workflow installs a hard‑coded global `eslint@8.10.0` and uses it via `npx`, while the project devDependency is `eslint@^9`—it would be more robust to run `npm ci` and use the local ESLint version (and config) to keep CI behavior aligned with the project.
- In `lib/translations.ts`, you define a `Language` type but `getTranslation` and `getAvailableLanguages` both use `string` types; tightening these to use `Language` (and returning `Language[]` from `getAvailableLanguages`) would improve type safety and catch invalid language keys at compile time.

## Individual Comments

### Comment 1
<location path="components/GameCard.tsx" line_range="22" />
<code_context>
+      {/* Image Container */}
+      <div
+        className="relative h-44 overflow-hidden"
+        style={{ backgroundColor: "var(--bg-elevated)" }}
+      >
+        <img
</code_context>
<issue_to_address>
**issue (bug_risk):** The CSS variables `--bg-elevated` and `--border-subtle` are used but not defined in `globals.css`.

These inline styles use `var(--bg-elevated)` and `var(--border-subtle)`, but `globals.css` only defines `--bg-base`, `--bg-surface`, and `--bg-card`, so they’ll fall back to default/transparent. Please either add these variables to `:root` or replace them with existing ones (e.g. `--bg-surface` / `--border-default`) to match the intended design.
</issue_to_address>

### Comment 2
<location path=".github/workflows/eslint.yml" line_range="33-36" />
<code_context>
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install ESLint
+        run: |
+          npm install eslint@8.10.0
+          npm install @microsoft/eslint-formatter-sarif@3.1.0
+
+      - name: Run ESLint
</code_context>
<issue_to_address>
**suggestion (bug_risk):** The workflow pins ESLint to 8.10.0, which likely diverges from the project’s configured ESLint version.

Here the workflow installs `eslint@8.10.0` while `package.json` specifies `^9`, which can cause config incompatibilities and different lint results in CI vs. local. Please either use the version from `package.json` (e.g., `npm ci` then `npx eslint`) or update the pinned version here to match it.

Suggested implementation:

```
      - name: Install dependencies
        run: |
          npm ci
          npm install @microsoft/eslint-formatter-sarif@3.1.0

```

```
      - name: Run ESLint
        env:
          SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
        run: |
          npx eslint .
            --config .eslintrc.js
            --ext .js,.jsx,.ts,.tsx
            --format @microsoft/eslint-formatter-sarif
            --output-file eslint-results.sarif
        continue-on-error: true

```

1. Ensure that `eslint` is declared in `devDependencies` in `package.json` (e.g., `"eslint": "^9.x.x"`), so `npm ci` installs the correct version used locally.
2. Optionally, add `@microsoft/eslint-formatter-sarif` as a dev dependency in `package.json` to avoid installing it separately in CI and improve reproducibility.
</issue_to_address>

### Comment 3
<location path="SECURITY.md" line_range="11" />
<code_context>
+
+## Reporting a Vulnerability
+
+Go to Issues Report a Vulnerability
</code_context>
<issue_to_address>
**suggestion (typo):** Clarify and correct the grammar of the vulnerability reporting instruction.

The phrase “Go to Issues Report a Vulnerability” is unclear and ungrammatical. Please reword to something like “Go to the Issues tab to report a vulnerability” or “Go to Issues and report a vulnerability,” and add a period at the end.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): The CSS variables --bg-elevated and --border-subtle are used but not defined in globals.css.

These inline styles use var(--bg-elevated) and var(--border-subtle), but globals.css only defines --bg-base, --bg-surface, and --bg-card, so they’ll fall back to default/transparent. Please either add these variables to :root or replace them with existing ones (e.g. --bg-surface / --border-default) to match the intended design.

[sourcery-ai]

suggestion (bug_risk): The workflow pins ESLint to 8.10.0, which likely diverges from the project’s configured ESLint version.

Here the workflow installs eslint@8.10.0 while package.json specifies ^9, which can cause config incompatibilities and different lint results in CI vs. local. Please either use the version from package.json (e.g., npm ci then npx eslint) or update the pinned version here to match it.

Suggested implementation:

      - name: Install dependencies
        run: |
          npm ci
          npm install @microsoft/eslint-formatter-sarif@3.1.0

      - name: Run ESLint
        env:
          SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
        run: |
          npx eslint .
            --config .eslintrc.js
            --ext .js,.jsx,.ts,.tsx
            --format @microsoft/eslint-formatter-sarif
            --output-file eslint-results.sarif
        continue-on-error: true

1. Ensure that eslint is declared in devDependencies in package.json (e.g., "eslint": "^9.x.x"), so npm ci installs the correct version used locally.
2. Optionally, add @microsoft/eslint-formatter-sarif as a dev dependency in package.json to avoid installing it separately in CI and improve reproducibility.

[sourcery-ai]

suggestion (typo): Clarify and correct the grammar of the vulnerability reporting instruction.

The phrase “Go to Issues Report a Vulnerability” is unclear and ungrammatical. Please reword to something like “Go to the Issues tab to report a vulnerability” or “Go to Issues and report a vulnerability,” and add a period at the end.

[llamapreview]

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Approve with suggestions

This PR modernizes the project with a new Coming Soon page and CI improvements, but introduces several maintainability concerns including ESLint version mismatch, disabled strict mode, removal of Node types, and an oversimplified security policy.

📄 Documentation Diagram

This diagram illustrates the user interaction flow for the new Coming Soon page introduced in this PR.

sequenceDiagram
    participant User
    participant Browser
    participant App
    User->>Browser: Load page
    Browser->>App: GET /
    App->>Browser: Serve layout, CSS, JS
    Browser->>Browser: Render animated gradient background
    Browser->>Browser: Display language selector (English/中文)
    User->>Browser: Select language
    Browser->>App: Trigger state change (no server call)
    App->>Browser: Update title and subtitle text
    Browser->>Browser: Display coming-soon card with content
    note over App: PR #35;56: Added animated gradient, language selector, and card component

Loading

Priority	File	Category	Impact Summary	Anchors
P2	.github/workflows/eslint.yml	Maintainability	ESLint version mismatch may cause inconsistent linting	path:package.json
P2	tsconfig.json	Maintainability	Disabled strict mode weakens type safety
P2	package.json	Maintainability	Removal of @types/node may break existing imports
P2	SECURITY.md	Maintainability	Misleading security policy and weak disclosure

🔍 Notable Themes

• Several findings highlight gaps in configuration consistency and security posture that could impact long-term maintainability.

⚠️ **Unanchored Suggestions (Manual Review Recommended)**

The following suggestions could not be precisely anchored to a specific line in the diff. This can happen if the code is outside the changed lines, has been significantly refactored, or if the suggestion is a general observation. Please review them carefully in the context of the full file.

---

📁 File: package.json

@types/node was removed from devDependencies and replaced with @types/react. If any source file (outside of the added new files) uses Node.js globals (e.g., process, Buffer, __dirname), those imports will now fail type checking. The PR does not add usage of such globals in the new code, but the broader codebase may still reference them. This removal is a breaking change if any existing file depends on Node.js types. Consider keeping @types/node or verifying no such usage remains.

Suggestion:

"devDependencies": {
    "@types/node": "^20.17.6",
    "@types/react": "19.2.15",
    ...
  }

Related Code:

-    "@types/node": "^20.17.6",
+    "@types/react": "19.2.15",

---

---

💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.

[llamapreview]

P2 | Confidence: High

The workflow installs eslint@8.10.0 globally via npm install, but the project’s package.json declares "eslint": "^9" as a devDependency. This creates a version mismatch: CI may run linting with a much older version (8.10.0) that could produce different results or miss rules/configurations defined for ESLint 9. Additionally, the workflow does not use the project’s local ESLint installation (npx eslint will pick up the globally installed one), leading to potential false passes or failures. To ensure consistency, CI should either use the project’s locally installed ESLint or align the installed version with the project’s requirement.

Suggested change

	- name: Install ESLint
	run: |
	npm install eslint@8.10.0
	npm install @microsoft/eslint-formatter-sarif@3.1.0
	- name: Install dependencies
	run: npm ci
	- name: Run ESLint
	run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
	continue-on-error: true

Evidence: path:package.json

[llamapreview]

P2 | Confidence: High

Setting "strict": false disables all strict type‑checking options (including noImplicitAny, strictNullChecks, etc.). This weakens the TypeScript compiler’s ability to catch common runtime errors, such as null/undefined dereferences or implicit any types, before deployment. While it may speed up initial development, it introduces long‑term quality risk and is inconsistent with modern Next.js best practices. Consider enabling "strict": true once the codebase is stable, or at least enabling strictNullChecks and noImplicitAny individually if full strict mode is too aggressive.

Suggested change

	"strict": false,
	"strict": true,

[llamapreview]

P2 | Confidence: Medium

The security policy was changed from a specific, version‑based support matrix to claiming all versions are supported. This is a misleading oversimplification because it contradicts the typical practice of only supporting recent releases. If the project has a large number of unsupported historical versions, this policy could give users a false sense of security. Furthermore, the reporting instructions were replaced with a vague “Go to Issues Report a Vulnerability” instead of directing reporters to a private disclosure channel, which can lead to public disclosure of vulnerabilities before a fix is available. Revert to a more accurate and responsible disclosure process.

Suggested change

	| Version | Supported |
	| ------- | ------------------ |
	| All | :white_check_mark: |
	## Supported Versions
	| Version | Supported |
	| ------- | ------------------ |
	| 5.1.x | :white_check_mark: |
	| 5.0.x | :x: |
	| 4.0.x | :white_check_mark: |
	| < 4.0 | :x: |
	## Reporting a Vulnerability
	Please report vulnerabilities to [security@example.com](mailto:security@example.com) instead of public issues.

[qodo-code-review]

1. Unpinned codspeed action 🐞 Bug ⛨ Security

The CodSpeed workflow runs CodSpeedHQ/action@v4 (floating tag) while granting id-token: write,
which increases supply-chain risk because the executed action code can change without review.
Pinning to a commit SHA is needed to make the workflow execution immutable.

Agent Prompt

### Issue description
The workflow uses a third-party GitHub Action by floating tag (`CodSpeedHQ/action@v4`) while also enabling OIDC token minting (`id-token: write`). If the tag ever changes unexpectedly, the workflow could run unreviewed code with elevated permissions.

### Issue Context
This is a CI supply-chain hardening issue. GitHub recommends pinning actions to commit SHAs.

### Fix Focus Areas
- .github/workflows/codspeed.yml[12-35]

### Suggested fix
- Replace `uses: CodSpeedHQ/action@v4` with `uses: CodSpeedHQ/action@<full_commit_sha>`.
- (Optional hardening) Scope `permissions` to the job level and keep `id-token: write` only if CodSpeed requires OIDC in your setup.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[cubic-dev-ai]

14 issues found across 24 files

Confidence score: 2/5

• Merge risk is high because there are multiple concrete, high-severity issues (including 8/10 items with high confidence), rather than just housekeeping updates.
• lib/games.ts has a user-impacting pagination bug: unvalidated non-positive page/pageSize can produce a negative start, causing slice to return unintended results from the end of the array.
• CI/security posture is currently fragile: .github/workflows/eslint.yml references a missing .eslintrc.js (lint job fails immediately), and SECURITY.md/README.md include security-reporting and token-exposure concerns that should be corrected before release.
• Pay close attention to lib/games.ts, .github/workflows/eslint.yml, SECURITY.md, README.md - pagination correctness, failing lint workflow, and security-reporting/credential-handling gaps are the main blockers.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="SECURITY.md">

<violation number="1" location="SECURITY.md:7">
P2: The support table claims all versions are security-supported, which is overly broad and can create false security expectations.</violation>

<violation number="2" location="SECURITY.md:11">
P1: The vulnerability reporting instructions are non-actionable; add an actual reporting link or contact method.</violation>

<violation number="3" location="SECURITY.md:11">
P1: The policy routes vulnerability reports to public Issues, which can disclose security details before a fix is available.</violation>
</file>

<file name="components/GameCard.tsx">

<violation number="1" location="components/GameCard.tsx:22">
P2: GameCard relies on undefined design tokens/classes, so parts of the card render unstyled.</violation>
</file>

<file name="lib/games.ts">

<violation number="1" location="lib/games.ts:1">
P3: `Game` type is duplicated across files instead of reusing a single shared model, which is brittle and can drift.</violation>

<violation number="2" location="lib/games.ts:35">
P1: Validate or clamp `page`/`pageSize` before computing `start`; non-positive values make `start` negative and `slice` returns results from the end of the array.</violation>
</file>

<file name="app/globals.css">

<violation number="1" location="app/globals.css:23">
P2: Avoid globally forcing `overflow: hidden` on `html, body`; it can block scrolling and make overflowed content inaccessible on small screens or zoomed views.</violation>
</file>

<file name="app/page.tsx">

<violation number="1" location="app/page.tsx:31">
P2: Language selector options are duplicated/hard-coded instead of derived from the translations source of truth, which can cause language drift.</violation>
</file>

<file name="tsconfig.json">

<violation number="1" location="tsconfig.json:11">
P3: Disabling TypeScript strict mode removes important static checks and weakens type safety across the codebase. Enable `strict` (or strict sub-flags) to catch type issues earlier.</violation>

<violation number="2" location="tsconfig.json:16">
P2: `moduleResolution: "node"` is misaligned with Next.js 15/bundler resolution and can cause incorrect module/type resolution.</violation>
</file>

<file name=".github/workflows/codspeed.yml">

<violation number="1" location=".github/workflows/codspeed.yml:21">
P2: Workflow actions are pinned to mutable tags (`@v4`) instead of immutable commit SHAs, weakening CI supply-chain integrity.</violation>
</file>

<file name="README.md">

<violation number="1" location="README.md:74">
P2: The GuardRails badge URL hard-codes an authentication token in README, which exposes credentials.</violation>
</file>

<file name=".github/workflows/eslint.yml">

<violation number="1" location=".github/workflows/eslint.yml:35">
P2: CI pins ESLint 8.10.0 even though the repository is configured for ESLint 9, creating inconsistent lint results.</violation>

<violation number="2" location=".github/workflows/eslint.yml:42">
P1: Workflow references a non-existent ESLint config file (`.eslintrc.js`), so the lint scan will fail immediately.</violation>
</file>

<sub>Shadow auto-approve: would not auto-approve because issues were found.
Tip: cubic can generate docs of your entire codebase and keep them up to date. Try it here.

Re-trigger cubic</sub>

[cubic-dev-ai]

P1: The vulnerability reporting instructions are non-actionable; add an actual reporting link or contact method.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At SECURITY.md, line 11:

<comment>The vulnerability reporting instructions are non-actionable; add an actual reporting link or contact method.</comment>

<file context>
@@ -1,8 +1,11 @@
+
+## Reporting a Vulnerability
+
+Go to Issues Report a Vulnerability
</file context>

Suggested change

	Go to Issues Report a Vulnerability
	[Report a Vulnerability](https://github.com/LCSOGthb/Games/issues/new/choose)

[cubic-dev-ai]

P1: Validate or clamp page/pageSize before computing start; non-positive values make start negative and slice returns results from the end of the array.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/games.ts, line 35:

<comment>Validate or clamp `page`/`pageSize` before computing `start`; non-positive values make `start` negative and `slice` returns results from the end of the array.</comment>

<file context>
@@ -0,0 +1,37 @@
+  page: number,
+  pageSize: number,
+): Game[] {
+  const start = (page - 1) * pageSize;
+  return games.slice(start, start + pageSize);
+}
</file context>

[cubic-dev-ai]

P1: The policy routes vulnerability reports to public Issues, which can disclose security details before a fix is available.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At SECURITY.md, line 11:

<comment>The policy routes vulnerability reports to public Issues, which can disclose security details before a fix is available.</comment>

<file context>
@@ -1,8 +1,11 @@
+
+## Reporting a Vulnerability
+
+Go to Issues Report a Vulnerability
</file context>

Suggested change

	Go to Issues Report a Vulnerability
	Please report vulnerabilities privately using GitHub's **Report a vulnerability** form in the Security tab (do not open a public issue).

[cubic-dev-ai]

P1: Workflow references a non-existent ESLint config file (.eslintrc.js), so the lint scan will fail immediately.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/eslint.yml, line 42:

<comment>Workflow references a non-existent ESLint config file (`.eslintrc.js`), so the lint scan will fail immediately.</comment>

<file context>
@@ -0,0 +1,52 @@
+        env:
+          SARIF_ESLINT_IGNORE_SUPPRESSED: "true"
+        run: npx eslint .
+          --config .eslintrc.js
+          --ext .js,.jsx,.ts,.tsx
+          --format @microsoft/eslint-formatter-sarif
</file context>

[cubic-dev-ai]

P2: GameCard relies on undefined design tokens/classes, so parts of the card render unstyled.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At components/GameCard.tsx, line 22:

<comment>GameCard relies on undefined design tokens/classes, so parts of the card render unstyled.</comment>

<file context>
@@ -0,0 +1,69 @@
+      {/* Image Container */}
+      <div
+        className="relative h-44 overflow-hidden"
+        style={{ backgroundColor: "var(--bg-elevated)" }}
+      >
+        <img
</file context>

[cubic-dev-ai]

P2: Workflow actions are pinned to mutable tags (@v4) instead of immutable commit SHAs, weakening CI supply-chain integrity.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codspeed.yml, line 21:

<comment>Workflow actions are pinned to mutable tags (`@v4`) instead of immutable commit SHAs, weakening CI supply-chain integrity.</comment>

<file context>
@@ -0,0 +1,35 @@
+    name: Run benchmarks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
</file context>

[cubic-dev-ai]

P2: The GuardRails badge URL hard-codes an authentication token in README, which exposes credentials.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 74:

<comment>The GuardRails badge URL hard-codes an authentication token in README, which exposes credentials.</comment>

<file context>
@@ -55,3 +57,21 @@ SonarQube
+[![CodeScene System Mastery](https://codescene.io/projects/79939/status-badges/system-mastery)](https://codescene.io/projects/79939)
+
+GuardRails
+[![GuardRails badge](https://api.guardrails.io/v2/badges/716795?token=0ed261234e4e51bfb9562d7161ce66cce193e4c9d9f9092cc8d0caf081e532fa)](https://dashboard.guardrails.io/gh/LCSOGthb/repos/716795)
+
+Codeac
</file context>

Suggested change

	[](https://dashboard.guardrails.io/gh/LCSOGthb/repos/716795)
	[GuardRails](https://dashboard.guardrails.io/gh/LCSOGthb/repos/716795)

[cubic-dev-ai]

P2: CI pins ESLint 8.10.0 even though the repository is configured for ESLint 9, creating inconsistent lint results.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/eslint.yml, line 35:

<comment>CI pins ESLint 8.10.0 even though the repository is configured for ESLint 9, creating inconsistent lint results.</comment>

<file context>
@@ -0,0 +1,52 @@
+
+      - name: Install ESLint
+        run: |
+          npm install eslint@8.10.0
+          npm install @microsoft/eslint-formatter-sarif@3.1.0
+
</file context>

[cubic-dev-ai]

P3: Game type is duplicated across files instead of reusing a single shared model, which is brittle and can drift.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/games.ts, line 1:

<comment>`Game` type is duplicated across files instead of reusing a single shared model, which is brittle and can drift.</comment>

<file context>
@@ -0,0 +1,37 @@
+export interface Game {
+  id: number;
+  title: string;
</file context>

[cubic-dev-ai]

P3: Disabling TypeScript strict mode removes important static checks and weakens type safety across the codebase. Enable strict (or strict sub-flags) to catch type issues earlier.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At tsconfig.json, line 11:

<comment>Disabling TypeScript strict mode removes important static checks and weakens type safety across the codebase. Enable `strict` (or strict sub-flags) to catch type issues earlier.</comment>

<file context>
@@ -0,0 +1,39 @@
+    ],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": false,
+    "noEmit": true,
+    "incremental": true,
</file context>