Add review rules for Amazon Q Developer

Author: poad

.amazonq/rules/review-rules.md

@@ -0,0 +1,24 @@
+# Review Rules
+
+- Comments should be provided in Japanese by default, while maintaining English-based technical analysis to ensure review quality.
+- When you find a problem, suggest a solution.
+- If you find a problem that is not in the code, point it out.
+- Always evaluate security implications of code changes.
+- Check for potential vulnerabilities and secure coding practices.
+- Check for hardcoded credentials, API keys, and sensitive data
+- Verify no hardcoded credentials or secrets
+- Ensure proper input validation and sanitization
+- Check dependencies for known vulnerabilities
+- Verify proper input validation and sanitization
+- Ensure secure communication protocols (HTTPS, TLS)
+- Review permission and access control implementations
+- Check for proper error handling of security-related operations
+- Validate secure storage of sensitive data
+- Check for proper WebView configuration.
+- Secure data storage using Android Keystore, and safe handling of Intent data.
+- Since this is a Device Flow client, please verify OAuth 2.0 Device Flow-specific security considerations.
+  - Ensure that proper PKCE implementation is in place
+  - Ensure that secure token handling is implemented
+  - Ensure that state verification is performed
+  - Verify secure random number generation for state and PKCE values
+  - Check for proper timing attack mitigations in token comparisons

.github/workflows/enable-auto-merge.yml

@@ -4,10 +4,8 @@ on:
   pull_request:
 
 permissions:
-  id-token: write
   contents: write
   pull-requests: write
-  checks: write
 
 jobs:
   pull-request-auto-merge: