docs: add new coding rules derived from PR #3316 review (SSR, FK, auth, env stubs)

Author: KATO-Hiro

.claude/rules/coding-style.md

@@ -141,3 +141,19 @@ Write plans/dev-notes/guides in Japanese. Source code comments in English. Alway
 
 - **Logging**: No user-identifiable data in `console.log`. Single authoritative log in service layer.
 - **CodeRabbit**: Run after all phases complete. Write `critical`/`high`/`medium` findings to `plan.md` verbatim; defer `nitpick` to PR CI.
+
+## `+page.server.ts` load() Error Handling
+
+Wrap calls to service functions in try-catch and return safe default values on failure, preventing a single service error from crashing the entire page.
+
+## Auth: Action Audit
+
+When adding an auth guard to one action in `+page.server.ts`, audit all other actions in the same file. Asymmetric guards (some actions protected, others not) are a recurring pattern of vulnerability.
+
+## Auth: success Flag and message Consistency
+
+When an action returns `success: false`, the `message` and `message_type` must also reflect failure. A success flag contradicting the message is a silent bug.
+
+## Dead Code Deletion: Three-Condition Rule
+
+Before deleting a function, grep the full project for callers. Deletion is safe only when all three conditions hold: (1) zero callers, (2) a replacement implementation exists, (3) any fields this function wrote to are also being deleted.

.claude/rules/prisma-db.md

@@ -83,6 +83,28 @@ automatically excluded. This is not an IS NOT NULL check; the mechanism is the J
 When documenting this behavior, write "excluded by INNER JOIN" rather than
 "implicitly includes IS NOT NULL".
 
+## FK Relations: Always Define @relation
+
+Any field that references another model's ID must have an explicit `@relation` defined. Without `@relation`, Prisma does not generate FK constraints automatically, leading to referential integrity gaps.
+
+```prisma
+// Bad: FK without @relation
+userId String
+
+// Good: explicit @relation generates FK constraint
+userId String
+user   User @relation(fields: [userId], references: [id])
+```
+
+## DB-Level Value Constraints
+
+Add `CHECK` constraints (via manual migration SQL) for:
+
+- `count` fields that must be non-negative (`count >= 0`)
+- Enum fields where specific values are invalid at the DB level (e.g. `grade != 'PENDING'`)
+
+Document every `CHECK` constraint in `prisma/ERD.md` — it is the only place they are visible outside migration SQL.
+
 ## Dual-Enforcement Constraints
 
 When the same constraint is enforced in both Zod (early validation) and SQL `CHECK` (last line of defense), add an inline comment stating each layer's role and the obligation to keep them in sync:

.claude/rules/svelte-components.md

@@ -225,3 +225,11 @@ const atCoderAccount = $derived(data.atCoderAccount);
 ```
 
 `data` is a reactive prop that SvelteKit updates after each form action. A plain assignment captures the initial value only.
+
+## SSR Safety: Non-Deterministic IDs
+
+Do not use `crypto.randomUUID()` or `Math.random()` in component initialization code that runs during SSR. These produce different values on server and client, causing hydration mismatches. Derive component IDs deterministically from prop values (e.g. `const componentId = item.task_id`).
+
+## `{#each}` — Key Expression Required
+
+Every `{#each}` block must include a key expression `(item.id)`. Keyless `{#each}` causes incorrect DOM reuse and hard-to-debug update bugs. Prefer a unique domain field; fall back to the index `(i)` only when no unique field exists.

.claude/rules/testing.md

@@ -109,3 +109,25 @@ When a service mixes DB operations and pure functions, split into `crud.ts` (DB;
 ## HTTP Mocking
 
 Use Nock for external HTTP calls. See `src/test/lib/clients/` for examples.
+
+## Environment Variable Stubs
+
+Use `vi.stubEnv(key, value)` + `vi.unstubAllEnvs()` instead of manually assigning `process.env[key]` and deleting it in cleanup. `vi.stubEnv` syncs `import.meta.env` as well and accurately restores the original value:
+
+```typescript
+// Bad
+beforeEach(() => {
+  process.env.MY_URL = 'https://example.com';
+});
+afterEach(() => {
+  delete process.env.MY_URL;
+});
+
+// Good
+beforeEach(() => {
+  vi.stubEnv('MY_URL', 'https://example.com');
+});
+afterEach(() => {
+  vi.unstubAllEnvs();
+});
+```