chore: bump deps, update CI artifacts, and clean up Claude Code settings

[michellepace]

Summary

• Dependencies: Bump Next.js 16.2.1→16.2.2, Clerk packages, Playwright 1.58→1.59, Lefthook, dotenv, and others. Pin tailwindcss to ^4.2.2.
• CI: Upgrade actions/upload-artifact from v6 to v7 in both E2E workflows.
• Claude Code settings: Fix permission glob syntax (colon→space separator), sort and reorder allow list, add missing npm ci/ls/outdated permissions, remove unused enabledPlugins and extraKnownMarketplaces sections.
• Housekeeping: Update CLAUDE.md tech stack versions, collapse vitest config resolve block.

No functional changes.

Test plan

• Production build succeeds
• All 17 Playwright E2E tests pass

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
devflow	Ready	Preview, Comment	Apr 9, 2026 0:48am

[coderabbitai]

Warning

Rate limit exceeded

@michellepace has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 8 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 14 minutes and 8 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8a47bde6-1e7d-4449-9bea-099c8807be45

📥 Commits

Reviewing files that changed from the base of the PR and between ebf8057 and 5f8e0d6.

📒 Files selected for processing (1)

• e2e/authenticated.desktop.spec.ts

Walkthrough

Adds a JSON schema and restructures Claude settings (permissions and plugins), bumps multiple dependency versions, updates GitHub Actions upload-artifact steps and job timeouts, adds a markdownlint ignore rule, minor Vitest config formatting, updates CLAUDE.md version strings, and deletes three .claude/commands/* docs.

Changes

Cohort / File(s)	Summary
Dependencies package.json	Bumped runtime and dev dependency versions (Next.js, react/react-dom, @clerk/*, @playwright/test, vitest, and others). No scripts or behavioural changes.
Claude settings & docs .claude/settings.json, .claude/CLAUDE.md	Added "$schema"; converted many permissions.allow patterns from colon-wildcard to space-wildcard and added npm commands (npm ci, npm ls *, npm outdated *); removed several plugin entries and a marketplace key; enabled git-utils@my-claude-marketplace; updated tech-stack version strings in .claude/CLAUDE.md.
Deleted Claude commands .claude/commands/coderabbit.md, .claude/commands/commit.md, .claude/commands/merge-cleanup.md	Removed three command documentation files in full.
CI workflows .github/workflows/test-e2e.yml, .github/workflows/test-e2e-vercel.yml	Increased job timeouts from 10→15 minutes; updated actions/upload-artifact usage from v6→v7 for Playwright report uploads.
Lint & Test config .markdownlint-cli2.yaml, vitest.config.ts	Added .xdocs/DONE/** to markdownlint ignore patterns; reformatted resolve in Vitest config to a single-line object (no behavioural change).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

• feat: add Clerk authentication with E2E tests #7: Overlaps on .claude/settings.json changes, enabled plugins/marketplaces and workflow/dependency edits.
• Template cleanup and course alignment #3: Similar edits to .claude command docs and settings.json permissions/allow-list.
• Add project assets and update dependencies #2: Touches .claude/commands/commit.md and dependency bumps; closely related to deleted/modified CLAUDE docs and package updates.

Poem

🐇 I hopped through JSON, schema tucked in neat,
Wildcards replaced, and plugins took a seat.
Workflows stretched their minutes, artifacts bumped too,
Docs waved a soft goodbye — I tidied through and through.
A tiny rabbit cheer: a cleaner branch for you!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarises the main changes: dependency bumps, CI artifact updates, and Claude Code settings cleanup.
Description check	✅ Passed	The description is directly related to the changeset, providing relevant details about dependency updates, CI improvements, and configuration changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch honky-tonky

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/settings.json:
- Around line 39-51: The allowlist entries "Bash(sed *)" and "Bash(xargs *)" are
overly broad and permit dangerous in-place edits or arbitrary command execution;
update .claude/settings.json by removing or narrowing these entries—either
remove "Bash(sed *)" and "Bash(xargs *)" entirely or replace them with specific,
safe subcommands (e.g., explicit arguments or fixed help/version invocations)
and/or add a config comment documenting the risk so reviewers know the change is
intentional; target the exact entries "Bash(sed *)" and "Bash(xargs *)" in the
array when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 19d0e683-a16a-4d18-b4c9-f3e32b873c2d

📥 Commits

Reviewing files that changed from the base of the PR and between f7079a7 and dc57d44.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• .claude/CLAUDE.md
• .claude/settings.json
• .github/workflows/test-e2e-vercel.yml
• .github/workflows/test-e2e.yml
• .markdownlint-cli2.yaml
• package.json
• vitest.config.ts