fix(together): require member auth on GET /together/groups/:groupId

invite_code was accessible without authentication to anyone who knew
the groupId (sequential integer). Now requires ?u= + member check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server.js

@@ -2579,10 +2579,14 @@ ${excerpt}
         }
     });
 
-    // GET /together/groups/:groupId — グループ情報
+    // GET /together/groups/:groupId — グループ情報（メンバーのみ）
     r.get('/together/groups/:groupId', async (req, res) => {
         if (!/^[a-zA-Z0-9_-]+$/.test(req.params.groupId)) return res.status(400).json({ error: 'invalid groupId' });
+        const username = req.query.u;
+        if (!username) return res.status(400).json({ error: 'u (username) は必須です' });
+        const jwtUserId = getTogetherJwtUserId(req);
         try {
+            if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return;
             const result = await pool.query('SELECT id, name, invite_code, created_at FROM together_groups WHERE id=$1', [req.params.groupId]);
             if (result.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' });
             res.json(result.rows[0]);