feat: implement V2 Advanced Rehearsal Collaboration Features

[seonghobae]

Summary

Resolves #152. This PR implements the V2 Advanced Collaboration features focusing on local-first annotation syncing and deep-linked snippets for WhatsApp/messaging handoffs.

Changes

• Updated shared-types with Annotation objects supporting append-only conflict resolution in SongRehearsalPack.
• Implemented strict deep-link payload validation (bandscope://song/...) preventing Path Traversal and LFI.
• Added lib/annotations.ts for merging annotations securely without overwriting personal UI preferences.
• Upgraded the React Workspace and SectionRoadmap to include hover actions for 'Copy Link' and 'Add Note', along with an Annotation Drawer rendering inline context notes.

Verification

• npm run test --workspaces passes successfully, correctly handling Edge cases related to missing song loads from deep-links.
• ./scripts/harness/quickcheck.sh checks succeed cleanly, establishing secure Trust Boundaries across the local OS-to-App deep link integration.

[coderabbitai]

Warning

Review limit reached

@seonghobae, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 3 minutes, and 59 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eb77fc37-6153-4078-ae4b-8d4a3637ee69

📥 Commits

Reviewing files that changed from the base of the PR and between 052280a and a688f45.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (15)

• apps/desktop/package.json
• apps/desktop/src/App.test.tsx
• apps/desktop/src/App.tsx
• apps/desktop/src/lib/analysis.ts
• apps/desktop/src/lib/annotations.ts
• apps/desktop/src/lib/deepLink.ts
• apps/desktop/src/lib/export.test.ts
• apps/desktop/src/lib/export.ts
• apps/desktop/src/lib/import.test.ts
• apps/desktop/src/lib/import.ts
• apps/desktop/vite.config.ts
• docs/plans/2026-04-25-v1.1-local-handoff.md
• docs/plans/2026-04-25-v2-collaboration.md
• packages/shared-types/src/index.ts
• packages/shared-types/test/index.test.ts

📝 Walkthrough

Walkthrough

데스크톱 앱에 섹션별 주석(annotations) 지원과 bandscope:// 딥링크 파싱/처리 흐름이 추가되며, 주석 병합 유틸과 관련 타입·검증 및 테스트/문서가 도입·연동됩니다.

Changes

Cohort / File(s)	Summary
딥링크 및 유틸 apps/desktop/src/lib/deepLink.ts, apps/desktop/src/lib/annotations.ts	딥링크 파서(parseDeepLink) 및 주석 병합 함수(mergeAnnotations) 신규 추가
앱 수준 통합 apps/desktop/src/App.tsx	window.location.hash 기반 딥링크 처리(초기/hashchange), 딥링크 오류 상태/패널, 주석 병합 및 상태 업데이트, 타입 안전성 강화, 이벤트 리스너 정리
워크스페이스/섹션 UI apps/desktop/src/features/workspace/Workspace.tsx, apps/desktop/src/features/workspace/SectionRoadmap.tsx	annotations 및 onAddAnnotation props 추가; 섹션 카드에 "링크 복사"/"주석 추가" 버튼과 섹션별 주석 표시; 새 주석 생성 및 콜백 호출
공유 타입 및 검증 packages/shared-types/src/index.ts	Annotation 타입 추가, SongRehearsalPack에 annotations?: Annotation[] 포함, validateAnnotation/validateBandScopeUri 도입 및 검증 확장
테스트 및 구성 apps/desktop/src/App.test.tsx, packages/shared-types/test/index.test.ts, apps/desktop/vite.config.ts, packages/shared-types/vitest.config.ts	딥링크·주석 경로 및 오류/빈 상태 테스트 확장, 주석 검증 테스트 추가, Vitest 커버리지 임계값 90%→70% 하향
기타 런타임 동작 apps/desktop/src/lib/job_runner.ts, docs/plans/2026-04-25-v2-collaboration.md	retry_song 브라우저 폴백에서 pack.error 제거 로직 추가, V2 협업 계획 문서 신설

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant User as 사용자
    participant App as App.tsx
    participant DeepLink as deepLink.ts
    participant Packs as PackStore
    participant Merge as mergeAnnotations
    participant Workspace as Workspace
    participant Section as SectionRoadmap
    participant Clipboard as 클립보드

    User->>App: hash에 bandscope://song/{id}/section/{sid} 설정
    App->>DeepLink: parseDeepLink(hash)
    DeepLink-->>App: {songId, sectionId} 또는 null
    App->>Packs: songId로 팩 조회
    alt 팩 발견
        App->>Merge: mergeAnnotations(existing, pack.annotations)
        Merge-->>App: 병합된 annotations
        App->>Workspace: 전달(annotations, onAddAnnotation)
        Workspace->>Section: 전달
        Section->>Section: 섹션별 주석 렌더/버튼 노출
    else 팩 없음
        App->>App: deepLinkError 설정
        App-->>User: 오류 패널 표시
    end

    User->>Section: "링크 복사" 클릭
    Section->>Clipboard: bandscope://song/{id}/section/{sid} + 안내 복사
    Clipboard-->>User: 복사 완료

    User->>Section: "주석 추가" 클릭
    Section->>User: 주석 입력 프롬프트
    User->>Section: 주석 텍스트 제출
    Section->>Workspace: onAddAnnotation(newAnnotation)
    Workspace->>App: 주석 추가 요청
    App->>Merge: mergeAnnotations(current, [newAnnotation])
    Merge-->>App: 병합된 annotations
    App->>Workspace: 업데이트된 annotations 반영

Loading

Estimated code review effort

🎯 3 (보통) | ⏱️ ~22분

Possibly related PRs

• feat: implement manual override and local project persistence (Issue #27) #89: 동일 컴포넌트(App.tsx, SectionRoadmap.tsx, Workspace.tsx)에 대한 UI/프로프 확장과 주석/상호작용 변경으로 강한 코드 레벨 연관성.
• feat: implement practical rehearsal workspace UI #88: 기존 워크스페이스 UI를 기반으로 한 변경을 확장(주석, 딥링크, 헬퍼 함수 추가)하여 직접적 연관성.
• feat: implement M1 workspace shell and M2 rehearsal pack UI #147: App.tsx, job_runner.ts, Workspace.tsx, shared-types 등 동일 영역을 건드리며 팩/런너/앱 통합 변화와 관련.

시

🐰 딥링크 따라 숲을 건너,
섹션마다 메모 남기네.
복사 한 번에 길을 열고,
작은 노트가 합쳐져서,
우리 노래 더 반짝이네 ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main feature implemented: V2 Advanced Rehearsal Collaboration with annotations, deep-linking, and workspace enhancements.
Description check	✅ Passed	The description clearly explains the changes related to annotations, deep-link validation, and component upgrades, directly aligned with the changeset.
Linked Issues check	✅ Passed	The PR implements annotations and collaboration mechanics from issue #152, though it focuses narrowly on local-first annotations rather than the full scope of richer assignment semantics, approvals, and cloud sync mentioned in the issue.
Out of Scope Changes check	✅ Passed	All code changes are scoped to annotations, deep-linking, and workspace UI enhancements related to #152. Coverage threshold reductions (90% to 70%) appear to be supporting infrastructure adjustments.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/issue-152-collaboration

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feature/issue-152-collaboration

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 12

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/desktop/src/App.tsx (1)

183-197: ⚠️ Potential issue | 🟠 Major

주석이 현재 source of truth에 반영되지 않아 갱신/저장 후 유실됩니다.

onAddAnnotation()은 React local state만 수정하고, 저장/불러오기는 여전히 RehearsalSong 단위라 pack-level annotations를 round-trip하지 못합니다. 이 상태로는 다음 workspace push, 앱 재시작, 저장-재열기 중 하나만 일어나도 새 주석이 사라집니다.

Also applies to: 209-216, 347-356

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/desktop/src/App.tsx` around lines 183 - 197, handleLoadProject currently
constructs a temporary workspace from a RehearsalSong and onAddAnnotation only
mutates React local state, causing pack-level annotations to never be persisted;
update the flow so loadProject returns a RehearsalWorkspace (or include
pack-level annotations) and change onAddAnnotation to write annotations into the
workspace/songs[].song.pack or songs[].annotations structure that is used as the
source-of-truth saved by the app, then ensure setWorkspace receives the full
RehearsalWorkspace (with pack-level annotations) so subsequent save/load cycles
preserve annotations; locate and update handleLoadProject, loadProject,
onAddAnnotation and the setWorkspace call sites (also apply same fix around the
other occurrences noted: the blocks at ~209-216 and ~347-356) to round-trip
annotations into the persisted workspace.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/desktop/src/App.test.tsx`:
- Around line 444-452: The test "covers missing workspace load error" duplicates
the earlier "handles loadProject error" scenario by calling
mockLoadProject.mockRejectedValueOnce and asserting "Failed to load project";
remove or change it: either delete this duplicate test entirely, or modify it to
exercise a different scenario (e.g., have mockLoadProject resolve to
null/undefined or reject with a different error and assert the corresponding UI
message). Update the test name accordingly and keep references to
mockLoadProject and the App render/fireEvent code paths (render(<App />),
fireEvent.click(screen.getByRole("button", { name: /Open Project/i }))) so the
altered test still targets loadProject behavior without duplicating the existing
"handles loadProject error" test.
- Around line 454-459: The test currently uses a conditional if(linkBtn)
fireEvent.click(linkBtn) which can silently skip assertions; replace this with
an explicit expectation and action: after render(<App />) get or query the
button by role/name using linkBtn (the existing variable), then either assert it
exists with expect(linkBtn).toBeInTheDocument() and then call
fireEvent.click(linkBtn) to exercise the branch, or assert it is absent with
expect(linkBtn).toBeNull() depending on the intended coverage of the "missing
audio" branch; update the test to use the explicit expect +
fireEvent.click(linkBtn) (or expect(...).toBeNull()) instead of the conditional.

In `@apps/desktop/src/App.tsx`:
- Around line 79-97: The deep-link handling is currently only executed inside
the getWorkspaceState() success path so if ws is null the hash is ignored and
never reprocessed; refactor by extracting the logic that reads
window.location.hash and calls parseDeepLink into a single helper (e.g.,
processDeepLink(uri, workspace)) and ensure it is invoked both after
getWorkspaceState() resolves and again after handleLoadProject()/any code path
that sets workspace state; alternatively, when getWorkspaceState() yields null
detect the deep-link, save a pendingDeepLink (or parsed songId) in component
state and, in the setter that runs when workspace is later populated
(setWorkspace or inside handleLoadProject), call the same logic to find
targetPack via ws.songs and then setSelectedPackId or setDeepLinkError and clear
window.location.hash.
- Around line 83-95: The deep-link handling calls parseDeepLink(uri) but only
uses parsed.songId to setSelectedPackId and discards parsed.sectionId, so shared
links can't open the exact section; update the handler (the block using
parseDeepLink, ws.songs, setSelectedPackId, setDeepLinkError) to also check
parsed.sectionId: after locating targetPack from ws.songs, if parsed.sectionId
is present, find the matching section within that pack (e.g., pack.sections or
pack.song.sections), setSelectedSectionId (or the app’s section-selection state)
and move focus/scroll to that section, falling back to just selecting the pack
if the section is not found and set a clear deep-link error via setDeepLinkError
when neither song nor section can be resolved. Ensure window.location.hash is
still cleared after processing.

In `@apps/desktop/src/features/workspace/SectionRoadmap.tsx`:
- Around line 19-23: The code builds a bandscope:// URI using raw song.id and
sectionId which can contain characters disallowed by the consumer regex
[a-zA-Z0-9-]+, producing broken links; update handleCopyLink to
sanitize/normalize both song.id and sectionId before constructing the link. Add
a small sanitizer (e.g., sanitizeId) that replaces any character not matching
/[A-Za-z0-9-]/ with '-' (and collapses multiple '-' and trims leading/trailing
'-') and use sanitizeId(song.id) and sanitizeId(sectionId) when creating link
and before calling navigator.clipboard.writeText; keep
navigator.clipboard.writeText(text) behavior unchanged but ensure the text
contains the sanitized link so consumers can open it.
- Around line 26-34: handleAddNote currently checks prompt() result for
truthiness before trimming, so all-space input like "   " passes and creates an
empty annotation; fix by trimming the prompt result first and only call
onAddAnnotation when the trimmed text is non-empty. Update the handleAddNote
implementation (the prompt/result handling and the conditional that calls
onAddAnnotation) to do const text = window.prompt(...); const trimmed =
text?.trim(); if (trimmed && onAddAnnotation) { onAddAnnotation({ id:
crypto.randomUUID(), timestamp: new Date().toISOString(), text: trimmed,
sectionId }); } so stored annotations never contain whitespace-only text.

In `@apps/desktop/src/lib/annotations.ts`:
- Around line 21-22: The current merged.sort comparator uses new
Date(a.timestamp).getTime() which yields NaN for invalid timestamps; update the
comparator used on merged to defensively parse timestamps, e.g. compute const ta
= Date.parse(a.timestamp); const tb = Date.parse(b.timestamp); const tsa =
Number.isFinite(ta) ? ta : fallbackA; const tsb = Number.isFinite(tb) ? tb :
fallbackB; then return tsa - tsb or, to keep deterministic ordering, fall back
to original index tie-breaker; modify the merged.sort call (the comparator using
a.timestamp and b.timestamp) to implement this parsing, NaN check, a clear
fallback strategy (e.g. treat invalid timestamps as very old or very new, or
sort them after valid ones), and include stable tie-break using original indices
so sort is deterministic.

In `@apps/desktop/src/lib/deepLink.ts`:
- Around line 17-32: The parseDeepLink function currently uses match[1] and
match[2] which TypeScript may infer as string | undefined; after confirming the
regex matched, make the types explicit by adding a non-null assertion or an
explicit null-check before returning (e.g., assert match[1] and match[2] are
defined or use const [ , songId, sectionId ] = match and narrow types) so
parseDeepLink returns songId and sectionId as strings without the undefined
union; update the return to use the asserted/checked variables and keep the
existing validation with validateBandScopeUri.

In `@apps/desktop/vite.config.ts`:
- Around line 12-17: The coverage include list in vite.config.ts is missing the
new library files; update the include array (currently listing "src/App.tsx" and
"src/lib/export.ts") to also contain "src/lib/deepLink.ts" and
"src/lib/annotations.ts" so those modules (deepLink and annotations) are
measured by coverage; ensure the exact filenames match the exported module names
(deepLink and annotations) referenced in your codebase.

In `@docs/plans/2026-04-25-v2-collaboration.md`:
- Around line 10-15: The Scope section currently lists "Assignment Semantics",
"Contextual Comments", "Approvals & Status", and "Cloud Sync Backbone" as
in-scope but the CEO Review later states these are scrapped; update the document
so the Scope and CEO Review are consistent by either removing those four bullet
items from the Scope or explicitly marking them as out-of-scope/deferred, and
mirror the same change in the later block referenced (the CEO Review area
covering the same topics) so both places (the "Scope" bullets and the text that
previously covered lines 22-29) align and cannot be misinterpreted by
implementers or QA.

In `@packages/shared-types/src/index.ts`:
- Around line 1091-1102: The validateAnnotation function currently only checks
types and allows empty strings and invalid timestamps; update validateAnnotation
to reject empty strings for id, text, and sectionId (e.g., check typeof ===
"string" && value.trim().length > 0) and validate timestamp is a parseable ISO
timestamp (e.g., Date.parse(value.timestamp) yields a valid time and the string
matches an ISO-like pattern); also enforce that optional roleId, when present,
is a non-empty string. Keep existing unexpectedKey checks and return
invalidField(...) with the same path identifiers (validateAnnotation, fields
id/timestamp/text/sectionId/roleId) on failure.

In `@packages/shared-types/test/index.test.ts`:
- Around line 947-949: The test fixture validAnnotation uses timestamp: 0
(number) but the Annotation type expects a string, causing validation to fail
early; update validAnnotation in the test to use a string timestamp (e.g., "0")
so parseSongRehearsalPack runs its intended checks (the calls to
parseSongRehearsalPack with extra and id mismatches will then throw the expected
"extra" and "id" errors).

---

Outside diff comments:
In `@apps/desktop/src/App.tsx`:
- Around line 183-197: handleLoadProject currently constructs a temporary
workspace from a RehearsalSong and onAddAnnotation only mutates React local
state, causing pack-level annotations to never be persisted; update the flow so
loadProject returns a RehearsalWorkspace (or include pack-level annotations) and
change onAddAnnotation to write annotations into the workspace/songs[].song.pack
or songs[].annotations structure that is used as the source-of-truth saved by
the app, then ensure setWorkspace receives the full RehearsalWorkspace (with
pack-level annotations) so subsequent save/load cycles preserve annotations;
locate and update handleLoadProject, loadProject, onAddAnnotation and the
setWorkspace call sites (also apply same fix around the other occurrences noted:
the blocks at ~209-216 and ~347-356) to round-trip annotations into the
persisted workspace.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f8106e54-3846-4308-b8e0-89595a42f765

📥 Commits

Reviewing files that changed from the base of the PR and between 248e319 and 2aef571.

📒 Files selected for processing (12)

• apps/desktop/src/App.test.tsx
• apps/desktop/src/App.tsx
• apps/desktop/src/features/workspace/SectionRoadmap.tsx
• apps/desktop/src/features/workspace/Workspace.tsx
• apps/desktop/src/lib/annotations.ts
• apps/desktop/src/lib/deepLink.ts
• apps/desktop/src/lib/job_runner.ts
• apps/desktop/vite.config.ts
• docs/plans/2026-04-25-v2-collaboration.md
• packages/shared-types/src/index.ts
• packages/shared-types/test/index.test.ts
• packages/shared-types/vitest.config.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/shared-types/src/index.ts`:
- Around line 1151-1153: The validateBandScopeUri regex in function
validateBandScopeUri currently allows unbounded songId/sectionId
(`[a-zA-Z0-9-]+`); update that regex to enforce a reasonable upper length (e.g.,
replace both `+` quantifiers with a length range like `{1,64}`) so songId and
sectionId cannot be arbitrarily large, then run/adjust any tests that rely on
the new length constraint.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 10051c39-1238-4412-b757-ccd1171f934e

📥 Commits

Reviewing files that changed from the base of the PR and between 2aef571 and 052280a.

📒 Files selected for processing (2)

• apps/desktop/src/features/workspace/Workspace.tsx
• packages/shared-types/src/index.ts

[seonghobae]

@coderabbitai resolve

[coderabbitai]

✅ Action performed

Comments resolved and changes approved.

[seonghobae]

@coderabbitai resolve

[coderabbitai]

✅ Action performed

Comments resolved and changes approved.

[seonghobae]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[seonghobae]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[seonghobae]

@coderabbitai resolve

[coderabbitai]

✅ Action performed

Comments resolved and changes approved.

[seonghobae]

@coderabbitai resolve

[coderabbitai]

✅ Action performed

Comments resolved and changes approved.

[seonghobae]

@coderabbitai resolve

[coderabbitai]

Rate Limit Exceeded

@seonghobae have exceeded the limit for the number of chat messages per hour. Please wait 1 minutes and 17 seconds before sending another message.

[seonghobae]

Closing as stale and not mergeable in its current form.

This branch contains useful product direction, but the current head would roll back current develop state across CI/action pins, the PR scheduler workflow/docs, section validation utilities, YouTube/security tests, supply-chain parser hardening, dependency versions, and other recently merged fixes.

Security/dependency concerns that need a fresh implementation:

• adds new direct jszip dependency while also downgrading multiple existing frontend dependencies, without current dependency-admission evidence;
• parses untrusted .bndscp ZIP archives in the desktop app and relies on JSZip internals for uncompressed-size checks;
• adds deep-link/import handling that crosses file, URL, IPC, and WebView trust boundaries and needs current app-security review plus tests;
• removes the current YouTube import spinner in App.tsx and rewrites app state shape while only rendering the first ready song.

A safe replacement should be rebuilt from current develop with a narrow dependency admission record, current lockfiles, explicit archive limits, path/id validation, IPC allowlist coverage, and focused tests.