Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/clients/fixtures/record_requests.ts`:
- Around line 53-60: The fixtures are sampled non-deterministically and can
produce tasks that reference contests not present in the sampled contests;
change the sampling to deterministic (e.g., use a seeded RNG or sort+slice) and
ensure referential integrity by filtering the sampled tasks to only include
tasks whose contest_id exists in the sampled contests before writing; update the
calls around getRandomElementsFromArray(contests, 100) and
getRandomElementsFromArray(tasks, 100) (and the other similar occurrences noted)
so you first deterministically select contests into a variable (e.g.,
sampledContests), then deterministically select or sort tasks and filter them
with sampledContests' IDs (e.g., sampledTasks = tasks.filter(t =>
sampledContestsIds.has(t.contest_id)) then slice to desired count) and pass
those filtered arrays to toJson so the output is reproducible and consistent.

In `@src/routes/`(admin)/tasks/_utils/contests.ts:
- Around line 4-6: Treat strings that are only whitespace as empty: change the
check and normalization to use trim(). Replace the current hasNoQuery and
lowerQuery logic so hasNoQuery becomes "!query || query.trim() === ''" and
lowerQuery is computed from "query.trim().toLowerCase()" (ensuring you guard for
undefined/null query before calling trim()). Update the assignments where
"hasNoQuery" and "lowerQuery" are defined (the current lines with hasNoQuery and
lowerQuery) accordingly.

In `@src/routes/`(admin)/tasks/[task_id]/+page.server.ts:
- Around line 54-80: Replace the manual formData parsing in the actions.update
handler with Superforms + Zod: create a Zod schema (e.g., TaskUpdateSchema) that
validates task_id as a nonempty string and task_grade as an optional
enum/nullable matching your TaskGrade values (or a string refined to TaskGrade),
then call superValidate(request, TaskUpdateSchema) inside update and branch on
validation result instead of ad-hoc checks; extract validated values from
result.data, map/convert task_grade to your TaskGrade type (or let Zod produce
it) and call taskService.updateTask(task_id, task_grade), and on validation
failure return the Superforms-consistent error response so errors from
actions.update follow the same Superforms + Zod pattern used elsewhere (leave
validateAdminAccess and taskService.updateTask calls intact).
- Around line 55-73: The update handler currently trusts the form field task_id
(taskId) allowing tampering; change it to use the route parameter instead: read
the task id from the handler's params (use params.task_id) and remove/ignore the
form-derived task_id, then pass that params-derived id into
taskService.updateTask; keep existing validation for task_grade (getTaskGrade)
and the bad-request/fail branches but ensure any checks reference params.task_id
(and return fail if it's missing) rather than the form value.

In `@src/routes/`(admin)/tasks/+page.server.ts:
- Around line 70-96: The handler currently trusts the client-provided tasks JSON
(tasksJson → tasks) and uses client-supplied fields (task.title,
task.contest_id, task.source) when calling taskService.createTask; instead,
validate/trust only an identifier from the client (e.g., task.id or task.source)
and re-fetch the canonical task data on the server (via your service/DB) before
creating records. Change the import loop that maps over TaskForImport so it
discards client title/contest_id and instead: lookup the authoritative task
payload using the submitted task.id/source, derive the server-side values
(server_contest_id, server_title, server_problem_index), compute the id with
sha256(contest_id + server_title) and call taskService.createTask with those
server-validated fields; ensure any missing or invalid lookups return
BAD_REQUEST or a clear failure path.
- Around line 21-104: The handlers fetch and create currently parse and validate
request.formData() manually; replace them with Superforms + Zod: define Zod
schemas (e.g. ContestImportQuerySchema with source for fetch, and
ContestImportCreateSchema with source:string, contest_id:string, tasks:string
(or structured TasksForImport) for create), use superValidate(request, schema)
in both handlers and return the validated form (or validation errors) so
Superforms handles client errors; keep the admin check
(validateAdminAccess(locals)), then in fetch use data.source from the validated
form to call fetchContests/fetchTasks and the existing
prepareTaskMap/filterUnregisteredTasks/mergeContestsAndUnregisteredTasks flow,
and in create use data.contest_id and the parsed tasks (parse JSON after
validation or use a Zod preprocessor to parse tasks into TasksForImport) and
then run the existing sha256 + taskService.createTask loop; ensure all
validation failures return the superform validation result instead of manual
fail responses and preserve try/catch for server errors with the same
INTERNAL_SERVER_ERROR handling.
- Around line 85-94: The current ID generation uses sha256(contest_id +
task.title) which risks collisions when multiple tasks share the same title;
change the seed to use the original external identifier by hashing contest_id +
task.id instead. Locate the tasks.map block where TaskForImport is processed,
replace usage of task.title in the sha256 call with task.id so the generated id
passed into taskService.createTask is derived from contest_id + task.id.

In `@src/routes/`(admin)/tasks/+page.svelte:
- Around line 94-97: 選択している取得元を切り替えたときに古い結果が残って誤インポートを誘発しているので、onchange ハンドラ内で
currentPage = 1 に加えて importContests を空配列にリセットし、インポート失敗の表示を消すためのエラー状態（例:
importError または importErrors を使っている箇所）を null/空にクリアしてください。該当箇所は +page.svelte の
onchange コールバックなので、そのブロックに importContests = [] と importError = null
を追加して一覧とエラー状態を同時に初期化してください。

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/clients/fixtures/record_requests.ts`:
- Line 46: This file currently exports TEST_DATA_BASE_DIR but also calls main()
at the top-level, which can cause side-effects when the module is imported;
change the module so main() is only invoked when the file is run directly by
guarding the invocation (keep the export of TEST_DATA_BASE_DIR unchanged) —
locate the top-level main() call and replace it with a guarded invocation using
the Node runtime check (e.g., require.main === module for CommonJS or the
appropriate import.meta.url check for ESM) so importing the module does not
execute main().

---

Duplicate comments:
In `@src/routes/`(admin)/tasks/[task_id]/+page.server.ts:
- Around line 58-69: The update action currently manually reads task_grade and
uses getTaskGrade; replace this with a Zod schema for the form (e.g. const
schema = z.object({ task_grade: z.enum([...]) .optional() }) or z.union with ''
mapped to undefined) and call superValidate(request, schema) to validate; use
the returned form.data/task_grade value instead of taskGradeStr/getTaskGrade,
and on validation failure return fail(BAD_REQUEST, form) (or return success when
task_grade is empty) — update references in the action to use superValidate and
the schema, and ensure the validated task_grade is typed as TaskGrade where
needed.

In `@src/routes/`(admin)/tasks/+page.server.ts:
- Around line 21-29: The fetch and create handlers currently parse
request.formData() and use isContestTaskImportSource manually; replace these
with Superforms + a Zod schema: define a Zod schema (e.g.,
ContestTaskImportSchema) that validates the source field (and any other fields
used between lines 21–29 and 57–83), call superValidate(request,
ContestTaskImportSchema) in both fetch and create after
validateAdminAccess(locals), and return the superValidate result or use
fail(superForm.errors / BAD_REQUEST) on validation failure; ensure handlers use
the resulting validated.data.source instead of formData.get('source') and keep
existing guards such as validateAdminAccess(locals).
- Around line 70-95: Do not trust client-sent tasksJson: validate and replace
client fields with server-authoritative values before calling
taskService.createTask. Specifically, when iterating tasks (TasksForImport /
TaskForImport) ensure task.contest_id === contest_id (reject if not), compute id
with sha256(contest_id + task.id) as now, then fetch the canonical task metadata
from your trusted source using contest_id and task.id (or
source+contest_id+task.id) and use those fetched values for contest_id,
problem_index, title when calling taskService.createTask (do not pass through
task.contest_id/problem_index/title from the parsed JSON).

In `@src/routes/`(admin)/tasks/+page.svelte:
- Around line 94-98: The onchange handler for the source selector clears
currentPage, importContests, and importError but not fetchError, leaving old
fetch errors visible; update the onchange callback (the anonymous handler bound
with onchange in the +page.svelte) to also set fetchError = null so that
previous fetch errors are cleared when switching sources (i.e., alongside
currentPage = 1, importContests = [], importError = null add fetchError = null).

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/routes/`(admin)/tasks/+page.svelte:
- Around line 84-105: The new form uses enhance and manual state (handleFetch,
selectedSource, isFetching, importContests, fetchError, importError) instead of
Superforms + Zod; replace it by creating a Zod schema for the fetch payload
(e.g., source) and a Superforms form on the page (useForm/useAction or loadForm
pattern), bind the Select to the Superforms form field (instead of
selectedSource) and use the form object for submission state (isSubmitting) and
server-side validation; remove the enhance hook and manual reset of
importContests/fetchError/importError, and handle success/failure through the
Superforms response and server action so validation and error handling are
unified with the rest of the route.
- Around line 109-137: The fetch error message is being hidden by the
successful-data branch because the condition "importContests.length >= 1" is
evaluated before checking "fetchError !== null"; update the rendering logic in
+page.svelte so fetchError is checked and rendered (using the existing red error
<p>) before or in priority over the importContests branch (or add a top-level
conditional that displays fetchError when set), while keeping existing
isFetching, TaskTableForImport, paginationNav, and importError behavior intact
(refer to symbols importContests, fetchError, isFetching, importError,
TaskTableForImport, paginationNav).

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/routes/`(admin)/tasks/+page.svelte:
- Around line 30-45: The current handleFetch handler applies any arriving
response regardless of whether the user changed the selected source during the
request, causing importContests to reflect a stale source; modify handleFetch so
that when starting a fetch you capture the current selectedSource (or increment
a local requestId) and then when the async response arrives only set
importContests/searchQuery/fetchError if the captured selectedSource/requestId
still matches the current one (alternatively disable source switching while
isFetching is true); update references to importContests, isFetching, fetchError
and the logic that feeds TaskTableForImport/selectedSource to enforce this check
so stale A responses cannot overwrite a newer B selection (apply same pattern
for the other fetch block at lines 89-103).
- Around line 28-45: The custom enhance callback in handleFetch currently only
handles 'success' and 'failure', which overrides SvelteKit's default
post-processing and prevents 'redirect' and 'error' results from being handled;
update the returned async ({ result }) => { ... } handler in handleFetch to
explicitly handle result.type === 'redirect' by calling goto(result.location)
and returning, and handle result.type === 'error' by delegating to the default
action handling (e.g., call applyAction(result) or rethrow so the nearest +error
boundary renders); leave the existing branches for 'success' (set importContests
and clear searchQuery) and 'failure' (set fetchError) intact.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/routes/`(admin)/tasks/+page.svelte:
- Around line 32-40: The previous import failure message persists because
importError is not cleared when a successful fetch updates importContests;
update the fetch flow (either at the start of handleFetch or inside the success
branch) to set importError = null so stale errors are removed; specifically
update the async result handler that updates importContests (the block
referencing importContests and searchQuery) and also mirror the change in the
analogous block around lines 135-137 to ensure importError is cleared on success
or when starting a new fetch.