/diff-based-code-reviewer I'll get the git diff from the current project (the map app). Ran a command, read a file The lockfile dominates the diff. Let me read the meaningful changed files. Ran 5 commands Now I have enough context. Here is the full review. Code Review — Calendar App Scaffold Tracked diff covers: .claude/settings.local.json, next.config.ts, package.json / package-lock.json, src/app/layout.tsx, src/app/page.tsx Context map: next.config.ts — build config; serverExternalPackages is the correct Next.js 15 key (replaces the old experimental.serverComponentsExternalPackages). ✓ src/app/layout.tsx — root layout; simplified from scaffold. src/app/page.tsx — root page; searchParams typed as Promise<…> is the Next.js 15 pattern. ✓ .claude/settings.local.json — Claude Code permission allowlist for this project. package-lock.json — mechanical lockfile churn from adding drizzle-orm, better-sqlite3, drizzle-kit; not reviewed line-by-line. Blocker None. Major 1. src/app/page.tsx — parseInt on unvalidated query params can crash with RangeError const year = params.y ? parseInt(params.y) : now.getFullYear(); const month = params.m !== undefined ? parseInt(params.m) : now.getMonth(); const day = params.d ? parseInt(params.d) : now.getDate(); parseInt("abc") → NaN. NaN then flows into getEventsByMonth → new Date(NaN, NaN, 1).toISOString() → RangeError: Invalid time value. Any visitor (or bot) can trigger a 500 by requesting /?y=abc. Fix: guard parsed values. const year = params.y ? (parseInt(params.y) || now.getFullYear()) : now.getFullYear(); const month = params.m !== undefined ? (parseInt(params.m) || 0) : now.getMonth(); const day = params.d ? (parseInt(params.d) || 1) : now.getDate(); Or more explicitly, Number.isNaN(parsed) ? fallback : parsed. 2. .claude/settings.local.json — hardcoded PID 7904 allows killing an arbitrary future process "PowerShell(Stop-Process -Id 7904 -Force -ErrorAction SilentlyContinue)" PID 7904 was a one-time dev process. That PID can be reassigned by the OS to any process (a browser, an SSH daemon, another server). This permission should be removed entirely. 3. .claude/settings.local.json — cross-repo absolute-path permissions belong to a different project "Bash(cd \"C:\\\\Users\\\\Nihil\\\\Documents\\\\GitHub\\\\MarciniakWebpage\" && cat Models/ViewModels/CatalogViewModel.cs)", "Bash(cd \"C:\\\\Users\\\\Nihil\\\\Documents\\\\GitHub\\\\MarciniakWebpage\" && grep -n \"Price\" Models/Product.cs ...)" These were added during the previous code-review session on MarciniakWebpage. They give Claude Code free access to commands in an unrelated repo from this project's settings — a permissions-scope leak. Remove both entries; if needed they belong in MarciniakWebpage's own settings. Nit 4. src/app/page.tsx — invalid view param is silently swallowed const view = (params.view as "month" | "week" | "day") ?? "month"; The as cast doesn't validate. ?view=bogus gets passed through; CalendarTemplate's else branch silently treats it as month. The cast gives false type-safety. Consider: const VALID_VIEWS = ["month", "week", "day"] as const; const view = VALID_VIEWS.includes(params.view as any) ? (params.view as "month" | "week" | "day") : "month"; 5. src/app/layout.tsx — Readonly wrapper removed without replacement The scaffold convention (and Next.js docs) use Readonly<{ children: React.ReactNode }>. Removing it is harmless but deviates from the pattern used in every generated page. A trivial delta if you want to stay consistent. Aspects with no issues Security (next.config.ts): serverExternalPackages: ["better-sqlite3"] is the right way to prevent Next.js from trying to bundle a native module. ✓ Performance (package.json): drizzle-kit in devDependencies (correct, it's a CLI tool only); better-sqlite3 and drizzle-orm in dependencies (correct for runtime use). ✓ Conventions (src/app/page.tsx): searchParams: Promise<…> and await searchParams matches Next.js 15's async-params contract. ✓ Out-of-scope observations (untracked new files) These aren't in the diff but are part of the same feature set: src/app/actions/events.ts: new Date(startAt) where startAt is a raw FormData string — invalid input throws RangeError rather than returning a user-friendly validation error. src/lib/queries.ts: getEventsByWeek passes weekEnd.toISOString() as an upper bound, where weekEnd is midnight (00:00:00 local) on Sunday. Events on Saturday after midnight UTC but before midnight local time may be missed. calendar.db, calendar.db-shm, calendar.db-wal: Untracked database files should be added to .gitignore to avoid accidentally committing user data. Approval request The following findings are mechanically fixable. Please tell me which to apply (by number), and I'll edit only those files: [Major] src/app/page.tsx — guard parseInt results against NaN before passing to date functions. [Major] .claude/settings.local.json — remove the hardcoded PID 7904 Stop-Process entry. [Major] .claude/settings.local.json — remove the two cross-repo MarciniakWebpage Bash entries. [Nit] src/app/page.tsx — replace the as view-cast with a runtime validation guard. Which findings should I apply?