cleanup(legibility): convert TODOs to issue refs; justify naming violators

CLEANUP-2 (#413): convert two actionable TODOs to issue-referenced stubs - +layout.server.ts:29 → TODO(#453) for dedicated admin stats endpoint - ChronikRow.svelte: TODO(#454) for commentPreview; keep SECURITY line as standalone comment (XSS guard stays co-located with the risk) CLEANUP-3 (#414): add one-line justification comments to both naming violators — SecurityUtils and GlobalExceptionHandler are both justified by framework convention; no rename needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 09:25:55 +02:00
parent 172bafe202
commit 0fa90d58cb
4 changed files with 5 additions and 11 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandler.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandler.java
@@ -15,6 +15,7 @@ import org.springframework.web.server.ResponseStatusException;

 import lombok.extern.slf4j.Slf4j;

+// "Handler" is Spring's @RestControllerAdvice naming convention — not a generic suffix.
@RestControllerAdvice
@Slf4j
 public class GlobalExceptionHandler {
--- a/backend/src/main/java/org/raddatz/familienarchiv/security/SecurityUtils.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/security/SecurityUtils.java
@@ -7,6 +7,7 @@ import org.springframework.security.core.Authentication;

 import java.util.UUID;

+// Cross-cutting auth helper; no domain home — "Utils" is the correct suffix here.
 public final class SecurityUtils {

    private SecurityUtils() {}
--- a/frontend/src/lib/activity/ChronikRow.svelte
+++ b/frontend/src/lib/activity/ChronikRow.svelte
@@ -159,15 +159,8 @@ const rowHref: string = $derived(
 		</p>

 		{#if variant === 'comment'}
-			<!--
-				TODO: the backend does not yet expose a comment body preview on
-				ActivityFeedItemDTO. Render an ellipsis placeholder until it does —
-				duplicating the document title here looks like the comment is
-				quoting itself (Leonie, PR #288 review).
-				SECURITY: once item.commentPreview lands, render via {text}, never
-				{@html}. The backend must truncate and strip tags server-side (Nora,
-				issue #285 comment #3552).
-			-->
+			<!-- TODO(#454): add commentPreview to ActivityFeedItemDTO, then render here -->
+			<!-- SECURITY: render via {text} not {@html} when commentPreview arrives — XSS risk (#285) -->
 			<p
 				data-testid="chronik-comment-preview"
 				class="mt-1 line-clamp-1 font-serif text-sm text-ink-2 italic sm:line-clamp-2"
--- a/frontend/src/routes/admin/+layout.server.ts
+++ b/frontend/src/routes/admin/+layout.server.ts
@@ -26,8 +26,7 @@ export async function load({ fetch, locals }) {
 	const api = createApiClient(fetch);
 	const canManageUsers = hasPerm(user, 'ADMIN_USER');

-	// TODO: replace with a dedicated /api/admin/stats endpoint that returns counts only,
-	// so the System page does not load full entity lists it does not render.
+	// TODO(#453): replace with dedicated /api/admin/stats endpoint returning counts only
 	const [usersResult, groupsResult, tagsResult] = await Promise.all([
 		api.GET('/api/users'),
 		api.GET('/api/groups'),