@regenrek

summary

  • Add skill file viewer and refactor detail page into smaller components.

motivation

  • Surface all skill files before install and keep files under 500 LOC.

what's included

  • Clickable file list + preview panel.
  • New tabs/comments/util modules.
  • Styles for viewer layout.

what's not included

  • Command warnings/highlights (in PR4).
  • Backend changes.

tests

  • bun run test
  • bun run lint

affected files

  • src/components/SkillDetailPage.tsx
  • src/components/SkillFilesPanel.tsx
  • src/components/SkillDetailTabs.tsx
  • src/components/SkillCommentsPanel.tsx
  • src/components/skillDetailUtils.ts
  • src/styles.css

prompt

# ClawdHub Security Hardening

## Goal & Success Criteria

- Block download inflation: rate limit + per‑IP/day dedupe on ZIP downloads.
- IP spoofing fixed: trust only cf-connecting-ip.
- Files tab shows full file viewer + warnings for dangerous commands.
- Each PR has Conventional Commits, full test suite runs, PR opened from regenrek fork.

## Non‑goals / Out of Scope

- Replace download stats with installs.
- Auth‑gated downloads or paid access.
- Deep static analysis beyond warning heuristics.

## Assumptions

- Rate limits: new “download” tier tighter than “read”.
- IP trust: CF‑only, no fallback.
- PRs live on regenrek fork, not upstream.

## Proposed Solution

- Single canonical rate‑limit/IP module (Convex best‑practice: no duplicated logic).
- Dedupe table keyed by hashed IP + skill + day bucket; increment only once.
- UI file viewer loads via existing getFileText; warnings from regex scan.

### Alternatives Considered

- Reuse “read” limits in convex/httpApiV1.ts:634 — too permissive.
- Fallback to x-forwarded-for — violates CF‑only requirement.
- Store raw IPs — privacy risk.

## System Design

- Increment flow: new mutation recordDownload handles dedupe + stats increment atomically.
- Cleanup: cron job prunes dedupe rows older than N days.
- UI: SkillDetailPage Files tab extracted to SkillFilesPanel with viewer + warnings.

## Interfaces & Data Contracts

- recordDownload mutation args: { skillId: Id<'skills'>, ipHash?: string, dayStart: number }.
- downloadDedupes schema: { skillId, ipHash, dayStart, createdAt }.
- Rate limit config includes download: { ip, key } in shared helper.

## Execution Details

PR 3 — File Viewer (feat)

- Extract Files tab to src/components/SkillFilesPanel.tsx.
- Add clickable file list; load via api.skills.getFileText.
- Add viewer panel, empty/error states.
- Adjust CSS in src/styles.css:1696.

## Testing & Quality

- Full suite per PR: bun run test and bun run lint.
- Add unit tests for dedupe/rate limit in convex/downloads.test.ts.
- Extend handler tests to cover CF‑only IP logic.

## Risks & Mitigations

- Missing CF header → “unknown” key. Mitigate by documenting requirement.
- Dedupe table growth → cron pruning.
- Viewer perf → relies on existing 200KB cap.
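The prompt above sketches the download-inflation defence without showing the logic itself: trust only `cf-connecting-ip`, hash the IP rather than store it, key a dedupe row on (skill, hashed IP, day bucket), count a download only once per key, and prune old rows from a cron. The block below is an added TypeScript example, not ClawdHub's own code or the code in this PR. Every name in it (`clientIpFromHeaders`, `hashIp`, `dayBucketStart`, `FixedWindowLimiter`, `DownloadStore`, `handleDownload`) and the tier limits are assumptions for illustration; the in-memory store stands in for the Convex `downloadDedupes` table and the `recordDownload` mutation described in the notes.

```typescript
import { createHmac } from "node:crypto";

// Added example modelling the download-dedupe and CF-only IP design from the PR notes.
// All names and the tier limits here are assumptions, not ClawdHub code.

const DAY_MS = 24 * 60 * 60 * 1000;

// CF-only trust: read cf-connecting-ip and nothing else. A missing header yields the
// "unknown" key rather than falling back to spoofable headers such as x-forwarded-for.
export function clientIpFromHeaders(headers: Record<string, string | undefined>): string {
  const ip = headers["cf-connecting-ip"]?.trim();
  return ip ? ip : "unknown";
}

// Keyed hash of the IP so the dedupe table never stores raw addresses.
export function hashIp(ip: string, secret: string): string {
  return createHmac("sha256", secret).update(ip).digest("hex");
}

// Start of the UTC day bucket containing nowMs.
export function dayBucketStart(nowMs: number): number {
  return Math.floor(nowMs / DAY_MS) * DAY_MS;
}

type TierConfig = { limit: number; windowMs: number };
// Constructed limits: the "download" tier is tighter than "read".
export const rateLimits: Record<"read" | "download", TierConfig> = {
  read: { limit: 120, windowMs: 60_000 },
  download: { limit: 10, windowMs: 60_000 },
};

// Fixed-window counter per (tier, key); an in-memory stand-in for a shared rate-limit helper.
export class FixedWindowLimiter {
  private hits = new Map<string, { windowStart: number; count: number }>();
  allow(tier: "read" | "download", key: string, nowMs: number): boolean {
    const cfg = rateLimits[tier];
    const windowStart = Math.floor(nowMs / cfg.windowMs) * cfg.windowMs;
    const id = `${tier}:${key}`;
    const cur = this.hits.get(id);
    if (!cur || cur.windowStart !== windowStart) {
      this.hits.set(id, { windowStart, count: 1 });
      return true;
    }
    if (cur.count >= cfg.limit) return false;
    cur.count += 1;
    return true;
  }
}

type DedupeRow = { skillId: string; ipHash: string; dayStart: number; createdAt: number };

// In-memory stand-in for the downloadDedupes table plus the per-skill download counter.
export class DownloadStore {
  dedupes: DedupeRow[] = [];
  downloads = new Map<string, number>();

  // Mirrors the recordDownload mutation: insert the dedupe row and bump the counter
  // only when no row exists for (skillId, ipHash, dayStart). Requests without a
  // trusted IP share the "unknown" key and so count at most once per skill per day.
  recordDownload(args: { skillId: string; ipHash?: string; dayStart: number }, nowMs: number): boolean {
    const ipHash = args.ipHash ?? "unknown";
    const seen = this.dedupes.some(
      (r) => r.skillId === args.skillId && r.ipHash === ipHash && r.dayStart === args.dayStart,
    );
    if (seen) return false;
    this.dedupes.push({ skillId: args.skillId, ipHash, dayStart: args.dayStart, createdAt: nowMs });
    this.downloads.set(args.skillId, (this.downloads.get(args.skillId) ?? 0) + 1);
    return true;
  }

  // Cron-style pruning of dedupe rows older than N days; returns the number removed.
  pruneOlderThan(days: number, nowMs: number): number {
    const cutoff = nowMs - days * DAY_MS;
    const before = this.dedupes.length;
    this.dedupes = this.dedupes.filter((r) => r.createdAt >= cutoff);
    return before - this.dedupes.length;
  }
}

// End-to-end handler: rate limit on the trusted IP, then dedupe-and-count.
export function handleDownload(
  store: DownloadStore,
  limiter: FixedWindowLimiter,
  headers: Record<string, string | undefined>,
  skillId: string,
  secret: string,
  nowMs: number,
): { status: number; counted: boolean } {
  const ip = clientIpFromHeaders(headers);
  if (!limiter.allow("download", ip, nowMs)) return { status: 429, counted: false };
  const ipHash = ip === "unknown" ? undefined : hashIp(ip, secret);
  const counted = store.recordDownload({ skillId, ipHash, dayStart: dayBucketStart(nowMs) }, nowMs);
  return { status: 200, counted };
}
```

Two points worth checking against the real implementation: the dedupe lookup and the counter increment must run inside one transaction (a Convex mutation gives that for free; this in-memory version is single-threaded), and the "unknown" bucket means that if the CF header is ever absent, all such downloads of a skill collapse to one count per day, which is the documented trade-off rather than a bug.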

@vercel (Contributor)

vercel bot commented Jan 26, 2026

@regenrek is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.
