feature: PDF-Thumbnails für Dokumente (Upload + Admin-Backfill) #308

Merged

marcel merged 24 commits from feat/issue-307-pdf-thumbnails into main 2026-04-23 07:11:23 +02:00

Conversation 13 Commits 24 Files Changed 37 +1767 -29

marcel commented 2026-04-22 22:52:37 +02:00

Owner

Copy Link

Closes #307

Summary

Adds JPEG thumbnails (240px wide, quality 85) for documents across the archive. PDFs render the first page via PDFBox; JPEG/PNG/TIFF images are scaled with Graphics2D bilinear interpolation. Thumbnails are generated fire-and-forget on upload and via a new admin backfill card for legacy documents.

Implementation follows the consolidated Discussion Resolutions posted as comment #3978 on the issue — every decision from the multi-persona review is honored:

• Async dispatch via ThumbnailAsyncRunner.dispatchAfterCommit — mirrors AuditService.logAfterCommit, guarantees rollback-safe semantics (T1)
• Dedicated thumbnailExecutor bean with CallerRunsPolicy — isolates PDF rendering from OCR, applies back-pressure instead of dropping work (T2)
• Streaming PDF reads via new FileService.downloadFileStream — never buffers 50 MB into heap; 30 s timeout defends against corrupt/malicious PDFs (T3)
• Cache-Control: private, immutable on /api/documents/{id}/thumbnail — avoids CWE-525 shared-cache leak (T4)
• Shared DocumentThumbnail.svelte 60×84 tile with object-top, dark:mix-blend-multiply, lazy loading, empty alt — used in both DocumentRow and PersonDocumentList (T5, T6)
• Seven new Paraglide keys (de/en/es) for the admin card mirroring admin_system_import_* (T7)
• Thorough test coverage — 14 new backend test methods (unit + controller slice + integration test against real MinIO), frontend unit test for thumbnails.ts, Playwright E2E for the admin card + axe-core on /admin/system (T9)
• Structured operator logs — per-failure warn + backfill end summary line (T10)
• ADR-004 in docs/adr/ capturing why PDFBox stays in-process (T11)

Files

Backend (new): ThumbnailService, ThumbnailAsyncRunner, ThumbnailBackfillService, their tests, ThumbnailServiceIntegrationTest (real MinIO), migration V52__add_document_thumbnails.sql.
Backend (modified): Document, DocumentRepository, ErrorCode, AsyncConfig, FileService, DocumentService, MassImportService, AdminController, DocumentController, and their tests. pom.xml gains twelvemonkeys-imageio-tiff.
Frontend (new): DocumentThumbnail.svelte, thumbnails.ts + test.
Frontend (modified): generated api.ts, DocumentRow, PersonDocumentList, persons/[id]/+page.svelte, admin/system/+page.svelte, messages/{de,en,es}.json, e2e/admin.spec.ts, e2e/accessibility.spec.ts.
Docs (new): docs/adr/004-pdfbox-thumbnails.md.

Test Plan

• ./mvnw test — 1251 backend tests, 0 failures
• npx vitest run thumbnails — 4 frontend unit tests pass
• Integration test ThumbnailServiceIntegrationTest spins up MinIO via Testcontainers GenericContainer, confirms real S3 round-trip
• Playwright E2E admin triggers thumbnail generation and sees DONE within 30s — requires full stack; run locally via npm run test:e2e
• Manual smoke: upload a PDF via UI, confirm thumbnail appears in the row within a couple of seconds
• Admin backfill: clear thumbnail_key on a doc, trigger from /admin/system, watch status transition to DONE

🤖 Generated with Claude Code

Closes #307 ## Summary Adds JPEG thumbnails (240px wide, quality 85) for documents across the archive. PDFs render the first page via PDFBox; JPEG/PNG/TIFF images are scaled with Graphics2D bilinear interpolation. Thumbnails are generated fire-and-forget on upload and via a new admin backfill card for legacy documents. Implementation follows the consolidated Discussion Resolutions posted as comment #3978 on the issue — every decision from the multi-persona review is honored: - **Async dispatch via `ThumbnailAsyncRunner.dispatchAfterCommit`** — mirrors `AuditService.logAfterCommit`, guarantees rollback-safe semantics (T1) - **Dedicated `thumbnailExecutor` bean** with `CallerRunsPolicy` — isolates PDF rendering from OCR, applies back-pressure instead of dropping work (T2) - **Streaming PDF reads** via new `FileService.downloadFileStream` — never buffers 50 MB into heap; 30 s timeout defends against corrupt/malicious PDFs (T3) - **`Cache-Control: private, immutable`** on `/api/documents/{id}/thumbnail` — avoids CWE-525 shared-cache leak (T4) - **Shared `DocumentThumbnail.svelte`** 60×84 tile with `object-top`, `dark:mix-blend-multiply`, lazy loading, empty alt — used in both `DocumentRow` and `PersonDocumentList` (T5, T6) - **Seven new Paraglide keys** (de/en/es) for the admin card mirroring `admin_system_import_*` (T7) - **Thorough test coverage** — 14 new backend test methods (unit + controller slice + integration test against real MinIO), frontend unit test for `thumbnails.ts`, Playwright E2E for the admin card + axe-core on `/admin/system` (T9) - **Structured operator logs** — per-failure warn + backfill end summary line (T10) - **ADR-004** in `docs/adr/` capturing why PDFBox stays in-process (T11) ## Files **Backend (new)**: `ThumbnailService`, `ThumbnailAsyncRunner`, `ThumbnailBackfillService`, their tests, `ThumbnailServiceIntegrationTest` (real MinIO), migration `V52__add_document_thumbnails.sql`. **Backend (modified)**: `Document`, `DocumentRepository`, `ErrorCode`, `AsyncConfig`, `FileService`, `DocumentService`, `MassImportService`, `AdminController`, `DocumentController`, and their tests. `pom.xml` gains `twelvemonkeys-imageio-tiff`. **Frontend (new)**: `DocumentThumbnail.svelte`, `thumbnails.ts` + test. **Frontend (modified)**: generated `api.ts`, `DocumentRow`, `PersonDocumentList`, `persons/[id]/+page.svelte`, `admin/system/+page.svelte`, `messages/{de,en,es}.json`, `e2e/admin.spec.ts`, `e2e/accessibility.spec.ts`. **Docs (new)**: `docs/adr/004-pdfbox-thumbnails.md`. ## Test Plan - [x] `./mvnw test` — **1251 backend tests, 0 failures** - [x] `npx vitest run thumbnails` — **4 frontend unit tests pass** - [x] Integration test `ThumbnailServiceIntegrationTest` spins up MinIO via Testcontainers GenericContainer, confirms real S3 round-trip - [ ] Playwright E2E `admin triggers thumbnail generation and sees DONE within 30s` — requires full stack; run locally via `npm run test:e2e` - [ ] Manual smoke: upload a PDF via UI, confirm thumbnail appears in the row within a couple of seconds - [ ] Admin backfill: clear `thumbnail_key` on a doc, trigger from `/admin/system`, watch status transition to DONE 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 21 commits 2026-04-22 22:52:37 +02:00

feat(db): add thumbnail_key and thumbnail_generated_at to documents ... 6cf0601590

Adds two nullable columns to the documents table and their JPA mappings
on the Document entity. Both are left out of the OpenAPI required-mode
schema so the generated TypeScript type exposes them as optional.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add DocumentRepository finder for thumbnail backfill ... b8962f4337

Adds findByFilePathIsNotNullAndThumbnailKeyIsNull() used by the
upcoming ThumbnailBackfillService to locate documents that have a
file attached but no thumbnail yet.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add THUMBNAIL_BACKFILL_ALREADY_RUNNING error code ... a2333975f9

Mirrors the IMPORT_ALREADY_RUNNING pattern for the concurrent-start
guard in ThumbnailBackfillService.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

build: add twelvemonkeys-imageio-tiff for thumbnail TIFF support ... 2aa3b955f9

JDK ImageIO handles JPEG, PNG, BMP, GIF out of the box but not TIFF.
Since the document upload allowlist permits image/tiff, the thumbnail
generator must also decode it.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add FileService.downloadFileStream for memory-efficient reads ... 07019f54e8

Thumbnail generation will call this for PDFs up to 50 MB — loading the
full byte[] via downloadFileBytes would cause real memory pressure on
the single-VPS deploy. Stream-based reads let PDFBox parse the first
page without holding the whole file in heap.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add thumbnailExecutor bean for isolated thumbnail workload ... 0bb18c6789

Dedicated thread pool (core=1, max=2, queue=200) with CallerRunsPolicy
for back-pressure. Keeps thumbnail rendering off the shared taskExecutor
used by OCR and out of the AbortPolicy queue that drops work on overflow.
Quick-upload batches (15+ files) now apply back-pressure instead of
silently dropping thumbnail jobs.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add ThumbnailService for PDF and image thumbnails ... 955c497ba0

Renders a 240px-wide JPEG (quality 85) from either a PDF first page
via PDFBox or a JPEG/PNG/TIFF scan via ImageIO, then uploads to
S3 under thumbnails/{docId}.jpg and updates the Document entity.

Scaling uses Graphics2D.drawImage with VALUE_INTERPOLATION_BILINEAR
(not deprecated Image.getScaledInstance). Source is streamed via
FileService.downloadFileStream to avoid buffering 50MB PDFs.

Never throws — returns Outcome.SKIPPED for unsupported content types
and Outcome.FAILED for rendering/upload errors so the backfill can
tally them without aborting the run.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add ThumbnailAsyncRunner with afterCommit dispatch and timeout ... 3b7ef6117e

Bridges @Transactional upload paths to the async thumbnail pipeline.
dispatchAfterCommit registers a TransactionSynchronization so the async
task only fires after the surrounding commit (and is silently skipped
on rollback) — mirrors the AuditService.logAfterCommit pattern.

generateAsync wraps the full ThumbnailService.generate call in a 30s
watchdog so a hung PDFBox render cannot occupy a thumbnailExecutor slot
indefinitely.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): dispatch thumbnail generation from DocumentService upload paths ... 7d0e13c591

All four upload code paths (storeDocument, createDocument, updateDocument,
attachFile) now call thumbnailAsyncRunner.dispatchAfterCommit(id) after
the document save. createDocument and updateDocument only dispatch when a
file was actually provided/replaced.

The dispatch is afterCommit-safe: if the surrounding @Transactional
method rolls back, no thumbnail is generated for a document that never
reached the DB.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): dispatch thumbnail generation from MassImportService ... 0344a0c7ff

ODS/Excel imports that actually upload a file (file.isPresent()) now
trigger thumbnail generation alongside hash/metadata. Metadata-only
import rows produce no thumbnail — nothing to render.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add ThumbnailBackfillService for regenerating missing thumbnails ... 09fc871756

Sequentially processes all documents with a file but no thumbnail and
tallies processed / skipped / failed counts. Runs on thumbnailExecutor
so it shares back-pressure with live upload thumbnails but can never
saturate them (single-threaded loop).

Concurrent start rejected with THUMBNAIL_BACKFILL_ALREADY_RUNNING.
Emits a structured summary log line on completion for operator
visibility.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add AdminController endpoints for thumbnail backfill ... 323ec1ec54

- POST /api/admin/generate-thumbnails  → triggers async backfill, 202
- GET  /api/admin/thumbnail-status     → returns current BackfillStatus

Both gated by the class-level @RequirePermission(Permission.ADMIN).
Shape and polling semantics mirror the mass-import endpoints.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(backend): add GET /api/documents/{id}/thumbnail endpoint ... f11a29504a

Streams the JPEG thumbnail from S3 with Cache-Control: private,
max-age=31536000, immutable — `private` (not `public`) prevents
shared caches from leaking one user's thumbnail to another (CWE-525).
`immutable` is safe because the URL carries ?v=<thumbnailGeneratedAt>
as a cache-buster that changes whenever the file is replaced.

Authentication falls back to the global .anyRequest().authenticated()
rule, matching the existing /file endpoint's permission model.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(backend): add ThumbnailServiceIntegrationTest against real MinIO ... 547db2fd02

Spins up a MinIO container (Testcontainers GenericContainer) alongside
the existing PostgresContainerConfig, uploads a sample PDF, runs the
real ThumbnailService, and reads the resulting JPEG back from the
object store. Catches S3 signing / path-style access issues a mocked
S3Client wouldn't — justifies the CI cost (~45s) per walkthrough T9b.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(frontend): add thumbnailKey and thumbnailGeneratedAt to Document type ... 75ae4b6a02

Mirrors the backend Document entity's new optional fields. Both are
optional (no @Schema requiredMode on the backend side), so legacy
documents without thumbnails stay valid.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(frontend): add thumbnailUrl helper with cache-bust param ... 0c95797242

Pure function returning /api/documents/{id}/thumbnail?v=<timestamp>
or null when thumbnailKey is missing. The encoded timestamp changes
whenever the backend regenerates a thumbnail (file replace),
invalidating browser caches despite the immutable Cache-Control.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(frontend): add DocumentThumbnail shared 60x84 tile component ... be184d8faf

Renders the document thumbnail with object-cover + object-top so
letter salutations stay visible, empty alt (title nearby is the
accessible name), loading=lazy, decoding=async, and dark:mix-blend-multiply
for dark mode. Falls back to a PDF icon when thumbnailKey is null —
legacy documents, unsupported content types, or transient failures
all land here.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(frontend): render DocumentThumbnail in DocumentRow and PersonDocumentList ... 04ebd2a5bd

Home search rows and person detail sidebars now show the real
first-page preview when one exists, falling back to the PDF icon
for documents the backfill hasn't processed yet. The old `variant`
prop on PersonDocumentList is removed — it tinted the icon
differently for sent vs received, which no longer applies with a
uniform thumbnail tile.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(frontend): add admin card to generate thumbnails with polling ... 7bb3800490

Fourth card on /admin/system mirrors the mass-import pattern:
- POST /api/admin/generate-thumbnails to trigger
- 2000 ms polling on /api/admin/thumbnail-status while RUNNING
- processed / skipped / failed counters in the DONE message
- standalone pollInterval so import and thumbnail polling don't
  interfere with each other

Paraglide keys added in de/en/es, mirroring admin_system_import_*.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(e2e): cover admin thumbnail generation card + a11y ... abbb7c798f

- admin.spec: click 'Thumbnails erzeugen', wait for status DONE
  within 30s, screenshot the success message
- accessibility.spec: /admin/system joins the page list so the
  thumbnail card is checked in light, system-dark, and manual-dark
  axe-core runs

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(adr): record ADR-004 — PDFBox thumbnails stay in Spring Boot ... 39eaa10d85

Captures why thumbnails render in-process rather than being delegated
to ocr-service. Prevents a future reviewer from rehashing the decision
or moving it to the Python side without knowing the trade-offs.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel commented 2026-04-22 22:53:55 +02:00

Author

Owner

Copy Link

🏛️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

I've reviewed the 37 changed files against the consolidated Discussion Resolutions. The shape matches what we agreed: dedicated executor, afterCommit dispatch, in-process PDFBox, sequential backfill loop, ADR-004 captured. Good execution overall — a few architectural concerns to raise.

Blockers

None.

Concerns

1. ThumbnailService injects DocumentRepository directly (ThumbnailService.java:38). Per the project's layering rules, "services never reach into another domain's repository — call the other domain's service instead". The cleanest way around this is circular because DocumentService needs ThumbnailAsyncRunner, and ThumbnailService needs to persist the thumbnail fields onto Document. I'd treat ThumbnailService as an aspect-owner of the thumbnail columns specifically — but the ADR should explicitly acknowledge this layering exception. Same applies to ThumbnailBackfillService (ThumbnailBackfillService.java:37).

2. The ADR-004 doesn't mention in-memory BackfillStatus. It's a real operational trait (state lost on restart; single-node only) and every future maintainer will re-ask. Two sentences covers it.

3. Document entity got two new columns without @Schema(requiredMode = REQUIRED) — correct (they're nullable), but the convention on new fields in this entity is to add the annotation when the field is always populated. Since these are nullable by design, the current state is correct. Just flagging that the review saw it and it's right.

Suggestions

• ThumbnailService.generate() does file fetch → render → scale → encode → upload → persist in one 40-line method. Splitting into readSource(doc) / renderJpeg(source) / uploadAndPersist(doc, jpeg) would make each stage individually testable without mocking S3. Not a blocker — you test at the right boundaries and the existing tests are strong.
• The polling pattern in admin/system/+page.svelte is now duplicated between import and thumbnail status. Two instances doesn't justify extraction. Three would. Leave it for now.
• ThumbnailAsyncRunner.generateAsync spawns a single-threaded ExecutorService per call for the 30 s timeout. Correct but allocates a thread + shuts it down every invocation. At the expected volume this is fine; at 10k+ docs during backfill it's 10k thread allocations. Consider a small shared ScheduledExecutorService if the backfill grows. Follow-up, not blocker.

## 🏛️ Markus Keller — Senior Application Architect **Verdict: ⚠️ Approved with concerns** I've reviewed the 37 changed files against the consolidated Discussion Resolutions. The shape matches what we agreed: dedicated executor, afterCommit dispatch, in-process PDFBox, sequential backfill loop, ADR-004 captured. Good execution overall — a few architectural concerns to raise. ### Blockers None. ### Concerns 1. **`ThumbnailService` injects `DocumentRepository` directly** (`ThumbnailService.java:38`). Per the project's layering rules, "services never reach into another domain's repository — call the other domain's service instead". The cleanest way around this is circular because `DocumentService` needs `ThumbnailAsyncRunner`, and `ThumbnailService` needs to persist the thumbnail fields onto `Document`. I'd treat `ThumbnailService` as an aspect-owner of the thumbnail columns specifically — but the ADR should explicitly acknowledge this layering exception. Same applies to `ThumbnailBackfillService` (`ThumbnailBackfillService.java:37`). 2. **The ADR-004 doesn't mention in-memory `BackfillStatus`.** It's a real operational trait (state lost on restart; single-node only) and every future maintainer will re-ask. Two sentences covers it. 3. **`Document` entity got two new columns without `@Schema(requiredMode = REQUIRED)`** — correct (they're nullable), but the convention on new fields in this entity is to *add* the annotation when the field is always populated. Since these are nullable by design, the current state is correct. Just flagging that the review saw it and it's right. ### Suggestions - `ThumbnailService.generate()` does file fetch → render → scale → encode → upload → persist in one 40-line method. Splitting into `readSource(doc)` / `renderJpeg(source)` / `uploadAndPersist(doc, jpeg)` would make each stage individually testable without mocking S3. Not a blocker — you test at the right boundaries and the existing tests are strong. - The polling pattern in `admin/system/+page.svelte` is now duplicated between import and thumbnail status. Two instances doesn't justify extraction. Three would. Leave it for now. - `ThumbnailAsyncRunner.generateAsync` spawns a single-threaded `ExecutorService` per call for the 30 s timeout. Correct but allocates a thread + shuts it down every invocation. At the expected volume this is fine; at 10k+ docs during backfill it's 10k thread allocations. Consider a small shared `ScheduledExecutorService` if the backfill grows. Follow-up, not blocker.

marcel commented 2026-04-22 22:54:12 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

TDD discipline looks clean: ThumbnailServiceTest (7), ThumbnailAsyncRunnerTest (5), ThumbnailBackfillServiceTest (7), controller slice tests, integration test, frontend unit tests for thumbnails.ts. Every test I'd want to defend the decisions is present. 1251 backend tests green. Two real concerns below, rest is polish.

Concerns

1. ThumbnailService.generate() has two try blocks with overlapping catches (ThumbnailService.java:68-103). The first wraps the source read, the second wraps scale/encode/upload. Both catch Exception → log+return FAILED. The second one swallows errors from documentRepository.save() too — if Hibernate throws a ConstraintViolationException the thumbnail was successfully uploaded to S3 but the entity update failed silently. We'll see orphan thumbnails/{docId}.jpg objects in MinIO that no document points at. Not catastrophic (next backfill regenerates), but worth a TODO at minimum, and ideally a log line distinguishing "upload failed" from "save failed".

2. updateDocument doesn't delete the previous thumbnail when newFile != null (DocumentService.java:262-268). The S3 key is deterministic (thumbnails/{docId}.jpg), so PutObject overwrites it — so no actual orphan, and the regenerated thumbnail replaces the old one cleanly. Re-read the code twice to confirm this. Writing it out because future-me will wonder: yes, deterministic key + PutObject = replace, so we're safe. Maybe worth a one-line comment on the thumbnail key constant.

Suggestions

• ThumbnailService.generate is ~40 lines across two try blocks. Splitting source-read / transform / upload into private helpers makes each stage unit-testable without building a whole MinIO in-memory. Not a blocker.
• thumbnails.ts test has encodeURIComponent in the expected value (thumbnails.test.ts:21). That's fine, but the test documents the URL shape future readers will see — add one sentence above the test: // %3A escape is expected — colons in LocalDateTime are URL-unsafe.
• DocumentThumbnail.svelte uses doc={doc} in DocumentRow (formatter expanded it from {doc}). Both are valid Svelte 5; prettier's preference. Not worth changing.
• The fallback PDF icon in DocumentThumbnail.svelte renders for any unsupported / missing thumbnail — including images. An image file whose thumbnail generation fails gets a PDF icon, which is mildly misleading. Low priority, but a neutral "file" icon would be more honest.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ⚠️ Approved with concerns** TDD discipline looks clean: `ThumbnailServiceTest` (7), `ThumbnailAsyncRunnerTest` (5), `ThumbnailBackfillServiceTest` (7), controller slice tests, integration test, frontend unit tests for `thumbnails.ts`. Every test I'd want to defend the decisions is present. 1251 backend tests green. Two real concerns below, rest is polish. ### Concerns 1. **`ThumbnailService.generate()` has two `try` blocks with overlapping catches** (`ThumbnailService.java:68-103`). The first wraps the source read, the second wraps scale/encode/upload. Both catch `Exception` → log+return `FAILED`. The second one swallows errors from `documentRepository.save()` too — if Hibernate throws a `ConstraintViolationException` the thumbnail was successfully uploaded to S3 but the entity update failed silently. We'll see orphan `thumbnails/{docId}.jpg` objects in MinIO that no document points at. Not catastrophic (next backfill regenerates), but worth a TODO at minimum, and ideally a log line distinguishing "upload failed" from "save failed". 2. **`updateDocument` doesn't delete the previous thumbnail when `newFile != null`** (`DocumentService.java:262-268`). The S3 key is deterministic (`thumbnails/{docId}.jpg`), so `PutObject` overwrites it — so no actual orphan, and the regenerated thumbnail replaces the old one cleanly. Re-read the code twice to confirm this. Writing it out because future-me will wonder: yes, deterministic key + `PutObject` = replace, so we're safe. Maybe worth a one-line comment on the thumbnail key constant. ### Suggestions - **`ThumbnailService.generate` is ~40 lines across two try blocks.** Splitting source-read / transform / upload into private helpers makes each stage unit-testable without building a whole MinIO in-memory. Not a blocker. - **`thumbnails.ts` test has `encodeURIComponent` in the expected value** (`thumbnails.test.ts:21`). That's fine, but the test documents the URL shape future readers will see — add one sentence above the test: `// %3A escape is expected — colons in LocalDateTime are URL-unsafe`. - **`DocumentThumbnail.svelte` uses `doc={doc}` in DocumentRow (formatter expanded it from `{doc}`)**. Both are valid Svelte 5; prettier's preference. Not worth changing. - **The fallback PDF icon in `DocumentThumbnail.svelte`** renders for any unsupported / missing thumbnail — including images. An image file whose thumbnail generation fails gets a PDF icon, which is mildly misleading. Low priority, but a neutral "file" icon would be more honest.

marcel commented 2026-04-22 22:54:25 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

All three items I flagged during the issue review have been addressed:

• ✅ Cache-Control: private, max-age=31536000, immutable on /api/documents/{id}/thumbnail (DocumentController.java:109) with regression test asserting private present and public absent (DocumentControllerTest.java:389-401)
• ✅ 30-second watchdog timeout in ThumbnailAsyncRunner.generateAsync (ThumbnailAsyncRunner.java:68), tested with a 5-second sleep vs. 1-second configurable timeout (ThumbnailAsyncRunnerTest.java:93-108)
• ✅ Loader.loadPDF(new RandomAccessReadBuffer(in)) (ThumbnailService.java:115) with streamed input; the stream is closed in a try-with-resources block so memory and file-descriptor leaks are not an issue even on malformed PDFs

Suggestions

• Integration test hardcodes minioadmin/minioadmin (ThumbnailServiceIntegrationTest.java:49-50). Consistent with MINIO_ROOT_USER defaults used elsewhere in test setup; not a leak risk (the container only exists during the test). No action needed, just flagging for awareness.
• Thumbnail endpoint relies on .anyRequest().authenticated() rather than @RequirePermission(READ_ALL). That's consistent with the existing /file endpoint and was the walkthrough decision. When the household eventually gets per-document ACLs, both endpoints need the same treatment — worth a TODO reminder in DocumentController comments near /file and /thumbnail.
• PDFBox scratch-file policy — by default, PDFBox 3 uses a memory-buffered scratch; for thumbnails on a 50MB PDF this is the correct choice (single-page render doesn't need disk). But if a corrupt PDF triggers pathological behavior inside PDFBox, our 30 s timeout catches it. Defense-in-depth is already adequate for a household archive. No action.

Good security hygiene. Ship it.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** All three items I flagged during the issue review have been addressed: - ✅ `Cache-Control: private, max-age=31536000, immutable` on `/api/documents/{id}/thumbnail` (DocumentController.java:109) with regression test asserting `private` present and `public` absent (DocumentControllerTest.java:389-401) - ✅ 30-second watchdog timeout in `ThumbnailAsyncRunner.generateAsync` (ThumbnailAsyncRunner.java:68), tested with a 5-second sleep vs. 1-second configurable timeout (ThumbnailAsyncRunnerTest.java:93-108) - ✅ `Loader.loadPDF(new RandomAccessReadBuffer(in))` (ThumbnailService.java:115) with streamed input; the stream is closed in a try-with-resources block so memory and file-descriptor leaks are not an issue even on malformed PDFs ### Suggestions - **Integration test hardcodes `minioadmin`/`minioadmin`** (`ThumbnailServiceIntegrationTest.java:49-50`). Consistent with `MINIO_ROOT_USER` defaults used elsewhere in test setup; not a leak risk (the container only exists during the test). No action needed, just flagging for awareness. - **Thumbnail endpoint relies on `.anyRequest().authenticated()`** rather than `@RequirePermission(READ_ALL)`. That's consistent with the existing `/file` endpoint and was the walkthrough decision. When the household eventually gets per-document ACLs, both endpoints need the same treatment — worth a TODO reminder in `DocumentController` comments near `/file` and `/thumbnail`. - **PDFBox scratch-file policy** — by default, PDFBox 3 uses a memory-buffered scratch; for thumbnails on a 50MB PDF this is the correct choice (single-page render doesn't need disk). But if a corrupt PDF triggers pathological behavior inside PDFBox, our 30 s timeout catches it. Defense-in-depth is already adequate for a household archive. No action. Good security hygiene. Ship it.

marcel commented 2026-04-22 22:54:44 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — QA & Test Strategist

Verdict: ✅ Approved

The test matrix I asked for during the issue review is fully present. Going through the checklist:

• ✅ ThumbnailServiceTest — PDF render, image types (JPEG/PNG), S3 put with correct key + content-type, unsupported content type → SKIPPED, source stream failure → FAILED, S3 put failure → FAILED (7 tests)
• ✅ ThumbnailAsyncRunnerTest — afterCommit path, no-transaction direct dispatch, rollback path does NOT fire runner, timeout path (5 tests)
• ✅ ThumbnailBackfillServiceTest — initial IDLE status, happy path, skipped counting, failed-but-continue, unexpected exception continuation, concurrent start rejection, startedAt is set (7 tests)
• ✅ DocumentServiceTest — exactly-once dispatch on all four paths (storeDocument / createDocument / updateDocument / attachFile), no-dispatch when no file provided, file-replacement regeneration (5 new tests)
• ✅ AdminControllerTest — 401/403/202/200 on new endpoints (5 tests)
• ✅ DocumentControllerTest — 200 with private Cache-Control + immutable, 404 when no thumbnail, 404 when storage missing, 401 when unauthenticated (4 tests)
• ✅ ThumbnailServiceIntegrationTest — real MinIO + real Postgres round-trip; asserts the uploaded JPEG decodes at width 240 (Sara's "one integration test against real MinIO" target)
• ✅ Frontend thumbnails.test.ts — null case, no-generatedAt case, encoded generatedAt case, different timestamps produce different URLs
• ✅ Playwright admin triggers thumbnail generation and sees DONE within 30s
• ✅ accessibility.spec.ts extended to cover /admin/system in light + system-dark + manual-dark modes

Backend suite: 1251 tests, 0 failures, 0 errors. Frontend thumbnails suite: 4/4. The numbers themselves don't prove correctness — I spot-checked the actual assertions and they verify the right invariants (not just that methods were called).

Minor suggestions

• ThumbnailServiceIntegrationTest bumps test suite time by ~45s on first run (container pull). Acceptable per the walkthrough. If CI perf becomes a concern later, consider reusing a single MinIO container across multiple integration tests via a @TestConfiguration bean.
• DocumentControllerThumbnailIT was called out in my issue review but the integration test lives in the service layer instead (ThumbnailServiceIntegrationTest). That's fine — the round-trip is what mattered; the controller slice tests cover HTTP shape separately.

Test hygiene is solid. Quality gate (branch coverage ≥ 80%) should be satisfied — every new branch in ThumbnailService has at least one test hitting it.

## 🧪 Sara Holt — QA & Test Strategist **Verdict: ✅ Approved** The test matrix I asked for during the issue review is fully present. Going through the checklist: - ✅ `ThumbnailServiceTest` — PDF render, image types (JPEG/PNG), S3 put with correct key + content-type, unsupported content type → SKIPPED, source stream failure → FAILED, S3 put failure → FAILED (7 tests) - ✅ `ThumbnailAsyncRunnerTest` — `afterCommit` path, no-transaction direct dispatch, rollback path does NOT fire runner, timeout path (5 tests) - ✅ `ThumbnailBackfillServiceTest` — initial IDLE status, happy path, skipped counting, failed-but-continue, unexpected exception continuation, concurrent start rejection, `startedAt` is set (7 tests) - ✅ `DocumentServiceTest` — exactly-once dispatch on all four paths (storeDocument / createDocument / updateDocument / attachFile), no-dispatch when no file provided, file-replacement regeneration (5 new tests) - ✅ `AdminControllerTest` — 401/403/202/200 on new endpoints (5 tests) - ✅ `DocumentControllerTest` — 200 with private Cache-Control + immutable, 404 when no thumbnail, 404 when storage missing, 401 when unauthenticated (4 tests) - ✅ `ThumbnailServiceIntegrationTest` — real MinIO + real Postgres round-trip; asserts the uploaded JPEG decodes at width 240 (Sara's "one integration test against real MinIO" target) - ✅ Frontend `thumbnails.test.ts` — null case, no-generatedAt case, encoded generatedAt case, different timestamps produce different URLs - ✅ Playwright `admin triggers thumbnail generation and sees DONE within 30s` - ✅ `accessibility.spec.ts` extended to cover `/admin/system` in light + system-dark + manual-dark modes Backend suite: **1251 tests, 0 failures, 0 errors**. Frontend `thumbnails` suite: 4/4. The numbers themselves don't prove correctness — I spot-checked the actual assertions and they verify the right invariants (not just that methods were called). ### Minor suggestions - `ThumbnailServiceIntegrationTest` bumps test suite time by ~45s on first run (container pull). Acceptable per the walkthrough. If CI perf becomes a concern later, consider reusing a single MinIO container across multiple integration tests via a `@TestConfiguration` bean. - `DocumentControllerThumbnailIT` was called out in my issue review but the integration test lives in the service layer instead (`ThumbnailServiceIntegrationTest`). That's fine — the round-trip is what mattered; the controller slice tests cover HTTP shape separately. Test hygiene is solid. Quality gate (branch coverage ≥ 80%) should be satisfied — every new branch in ThumbnailService has at least one test hitting it.

marcel commented 2026-04-22 22:55:04 +02:00

Author

Owner

Copy Link

⚙️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

Operational shape is right. Everything flagged during the issue review has a concrete response in the diff:

• ✅ Dedicated thumbnailExecutor bean (AsyncConfig.java:42-56) with core=1, max=2, queue=200, CallerRunsPolicy. Isolated from taskExecutor. Comment explains why CallerRunsPolicy is safe here when auditExecutor uses AbortPolicy.
• ✅ Streaming via FileService.downloadFileStream (FileService.java:115-127) replaces full-bytes buffering — memory ceiling on CX32 holds.
• ✅ Structured logs — per-failure log.warn("Thumbnail generation failed for doc={} reason={}", ...) and backfill completion log.info("Thumbnail backfill complete: total={} processed={} skipped={} failed={} durationMs={}", ...). Parseable by Loki once we wire it up (phase-7).
• ✅ docker-compose.yml untouched. No new services, no new env vars, same bucket. Production migration to Hetzner Object Storage works identically — thumbnails/ is a prefix on the existing bucket.
• ✅ Integration test pins MinIO image to RELEASE.2024-06-13T22-53-53Z (ThumbnailServiceIntegrationTest.java:55). Renovate will pick up future bumps. twelvemonkeys-imageio-tiff:3.12.0 also pinned in pom.xml.

Operational notes for deploy day

• No Flyway migration risk. V52__add_document_thumbnails.sql adds two nullable columns with no default backfill — instant ALTER on a non-trivial documents table in Postgres 16. No table rewrite, no lock hold beyond metadata.
• No config changes required. The admin system page card works out of the box against the existing ${app.s3.bucket}.
• Backfill expectation — for the current archive size (hundreds of docs), running the backfill from /admin/system should complete in seconds to a couple of minutes. If the archive grows to thousands of docs, the single-threaded loop × ~2s per PDF = real time. Still acceptable as a one-shot admin action.
• Memory sanity check — 240px output × JPEG85 is 5–8KB per thumbnail. For 5000 docs that's ~40MB of new objects in MinIO. Negligible.

Suggestions (none blocking)

• docker-compose.yml has a MinIO MC helper container that creates the archive-documents bucket on startup. For Hetzner Object Storage migration we'll want the same "ensure thumbnails prefix permissions" logic — but since it's a prefix not a separate bucket, nothing to do today. Just noting for the migration checklist.
• When Micrometer + Prometheus land in phase-7, add Counter.builder("thumbnails.generated").tag("result", ...) on each outcome. Trivial one-liner, valuable at scale.

Ship it.

## ⚙️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** Operational shape is right. Everything flagged during the issue review has a concrete response in the diff: - ✅ **Dedicated `thumbnailExecutor` bean** (AsyncConfig.java:42-56) with `core=1, max=2, queue=200, CallerRunsPolicy`. Isolated from `taskExecutor`. Comment explains why `CallerRunsPolicy` is safe here when `auditExecutor` uses `AbortPolicy`. - ✅ **Streaming via `FileService.downloadFileStream`** (FileService.java:115-127) replaces full-bytes buffering — memory ceiling on CX32 holds. - ✅ **Structured logs** — per-failure `log.warn("Thumbnail generation failed for doc={} reason={}", ...)` and backfill completion `log.info("Thumbnail backfill complete: total={} processed={} skipped={} failed={} durationMs={}", ...)`. Parseable by Loki once we wire it up (phase-7). - ✅ **`docker-compose.yml` untouched.** No new services, no new env vars, same bucket. Production migration to Hetzner Object Storage works identically — `thumbnails/` is a prefix on the existing bucket. - ✅ **Integration test pins MinIO image** to `RELEASE.2024-06-13T22-53-53Z` (ThumbnailServiceIntegrationTest.java:55). Renovate will pick up future bumps. `twelvemonkeys-imageio-tiff:3.12.0` also pinned in pom.xml. ### Operational notes for deploy day - **No Flyway migration risk.** `V52__add_document_thumbnails.sql` adds two nullable columns with no default backfill — instant ALTER on a non-trivial `documents` table in Postgres 16. No table rewrite, no lock hold beyond metadata. - **No config changes required.** The admin system page card works out of the box against the existing `${app.s3.bucket}`. - **Backfill expectation** — for the current archive size (hundreds of docs), running the backfill from `/admin/system` should complete in seconds to a couple of minutes. If the archive grows to thousands of docs, the single-threaded loop × ~2s per PDF = real time. Still acceptable as a one-shot admin action. - **Memory sanity check** — 240px output × JPEG85 is 5–8KB per thumbnail. For 5000 docs that's ~40MB of new objects in MinIO. Negligible. ### Suggestions (none blocking) - `docker-compose.yml` has a MinIO MC helper container that creates the `archive-documents` bucket on startup. For Hetzner Object Storage migration we'll want the same "ensure thumbnails prefix permissions" logic — but since it's a prefix not a separate bucket, nothing to do today. Just noting for the migration checklist. - When Micrometer + Prometheus land in phase-7, add `Counter.builder("thumbnails.generated").tag("result", ...)` on each outcome. Trivial one-liner, valuable at scale. Ship it.

marcel commented 2026-04-22 22:55:23 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — UX & Accessibility Lead

Verdict: ⚠️ Approved with concerns

The shared DocumentThumbnail.svelte component is exactly what I asked for — centralized, single source of truth, used in both DocumentRow and PersonDocumentList. Every a11y decision from the walkthrough is in the code:

• ✅ Fixed 60×84 tile with object-cover object-top
• ✅ alt="" (decorative — the title nearby is the accessible name)
• ✅ loading="lazy" decoding="async"
• ✅ dark:mix-blend-multiply on the <img> for dark-mode glare
• ✅ border border-line visible in both themes
• ✅ rounded-sm + bg-white background
• ✅ Fallback PDF icon centered when thumbnailKey is null
• ✅ Paraglide keys for admin card copy (de/en/es) mirroring admin_system_import_*
• ✅ axe-core check on /admin/system extended to the three-mode matrix

Concerns

1. PersonDocumentList's row height grew significantly (old: 32px icon + padding ≈ 56px total; new: 84px tile + padding ≈ 108px total). Five rows now take ~540px vertical space instead of ~280px — nearly doubling the section. On a 1280×800 person detail page this might push the "more" button below the fold. I endorse the uniform 60×84 tile in principle but I want to eyeball this at the real archive before declaring it ideal. Not a blocker for shipping — just something to revisit after the backfill runs and we see real thumbnails in place of the icon fallback.

2. Fallback icon is always the PDF icon, even for image documents (DocumentThumbnail.svelte:34-54). Felix flagged the same thing. Users with PNG family photos will see a PDF icon until the backfill runs. Minor visual inconsistency; low priority.

Suggestions (post-merge iteration)

• Once real thumbnails populate via the backfill, run a fresh axe-core pass on / with actual JPEG data to confirm the dark:mix-blend-multiply doesn't introduce any contrast failures I didn't catch in the static preview.
• At 60×84 on mobile, the PDF-icon fallback centered via flex might be a bit small (24px icon in an 84px tile). Not an a11y issue (it's decorative), but visually sparse. If/when we iterate, bumping to 32–40px or adding subtle "PDF" text label would make the empty state more informative.
• ConversationTimeline + ChronikRow remain out of scope per the walkthrough; the spec for briefwechsel thumbnail rows (docs/specs/briefwechsel-thumbnail-rows-spec.html) is ready when we come back to it.

Approve with the PersonDocumentList height concern noted. Doesn't block merge — it's a "check it looks right with real data" follow-up.

## 🎨 Leonie Voss — UX & Accessibility Lead **Verdict: ⚠️ Approved with concerns** The shared `DocumentThumbnail.svelte` component is exactly what I asked for — centralized, single source of truth, used in both `DocumentRow` and `PersonDocumentList`. Every a11y decision from the walkthrough is in the code: - ✅ Fixed 60×84 tile with `object-cover object-top` - ✅ `alt=""` (decorative — the title nearby is the accessible name) - ✅ `loading="lazy" decoding="async"` - ✅ `dark:mix-blend-multiply` on the `<img>` for dark-mode glare - ✅ `border border-line` visible in both themes - ✅ `rounded-sm` + `bg-white` background - ✅ Fallback PDF icon centered when `thumbnailKey` is null - ✅ Paraglide keys for admin card copy (de/en/es) mirroring `admin_system_import_*` - ✅ axe-core check on `/admin/system` extended to the three-mode matrix ### Concerns 1. **PersonDocumentList's row height grew significantly** (old: 32px icon + padding ≈ 56px total; new: 84px tile + padding ≈ 108px total). Five rows now take ~540px vertical space instead of ~280px — nearly doubling the section. On a 1280×800 person detail page this might push the "more" button below the fold. I endorse the uniform 60×84 tile in principle but I want to eyeball this at the real archive before declaring it ideal. Not a blocker for shipping — just something to revisit after the backfill runs and we see real thumbnails in place of the icon fallback. 2. **Fallback icon is always the PDF icon**, even for image documents (`DocumentThumbnail.svelte:34-54`). Felix flagged the same thing. Users with PNG family photos will see a PDF icon until the backfill runs. Minor visual inconsistency; low priority. ### Suggestions (post-merge iteration) - Once real thumbnails populate via the backfill, run a fresh axe-core pass on `/` with actual JPEG data to confirm the `dark:mix-blend-multiply` doesn't introduce any contrast failures I didn't catch in the static preview. - At 60×84 on mobile, the PDF-icon fallback centered via flex might be a bit small (24px icon in an 84px tile). Not an a11y issue (it's decorative), but visually sparse. If/when we iterate, bumping to 32–40px or adding subtle "PDF" text label would make the empty state more informative. - **ConversationTimeline + ChronikRow** remain out of scope per the walkthrough; the spec for briefwechsel thumbnail rows (`docs/specs/briefwechsel-thumbnail-rows-spec.html`) is ready when we come back to it. Approve with the PersonDocumentList height concern noted. Doesn't block merge — it's a "check it looks right with real data" follow-up.

marcel added 3 commits 2026-04-22 23:06:34 +02:00

docs(adr): document layering exception and in-memory backfill state ... f137aa79a2

Addresses @mkeller (Markus) — fixes(adr): "the ADR doesn't mention
in-memory BackfillStatus" and "treat this as a layering exception,
acknowledge it explicitly". Two new paragraphs under Operational caveats.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

refactor(backend): split ThumbnailService.generate into stages with distinct logs ... f0f9753c42

Addresses @felixbrandt — fix(backend): "the two try blocks in generate()
overlap — a save failure logs 'generation failed' even though the
thumbnail is already in S3 as an orphan".

generate() now orchestrates four stages, each in its own try+log:
  readSourceImage / encodeThumbnail / uploadToStorage / persistThumbnailMetadata

persistThumbnailMetadata emits the distinct "orphaned in storage as <key>"
log line so an operator can see database-side failures after the upload
completed. The deterministic key ensures the next run overwrites cleanly,
so the orphan is self-healing.

Also extracts THUMBNAIL_KEY_PREFIX/SUFFIX constants with a comment
explaining the deterministic-overwrite contract.

Adds test: generate_returnsFailed_whenPersistThrows_butUploadSucceeded.

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(frontend): use generic document icon for thumbnail fallback ... b6bfb9148e

Addresses @leonievoss and @felixbrandt — fix(ui): "the PDF icon
misleads for image documents" and "swap for a neutral file icon".

The fallback now shows a generic document-text glyph (page outline +
three text lines) instead of the PDF-specific icon with the folded
corner. Applies equally well to PDFs, JPEG/PNG scans, and TIFF
documents — all of which can land in the fallback path.

Also bumped the icon from h-6/w-6 to h-8/w-8 — the previous 24px
glyph looked sparse inside the 60×84 tile (Leonie, post-merge
iteration point #2).

Refs #307

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel commented 2026-04-22 23:06:56 +02:00

Author

Owner

Copy Link

Review Cycle 1 — Changes

Addressed

• [@mkeller] "The ADR doesn't mention in-memory BackfillStatus" + "treat this as a layering exception, acknowledge it explicitly" — expanded docs/adr/004-pdfbox-thumbnails.md with an "Operational caveats (intentional)" section covering both. Commit f137aa79.
• [@felixbrandt] "Two try blocks overlap — a save failure logs 'generation failed' even though the thumbnail is in S3 as an orphan" — split ThumbnailService.generate into four stages (readSourceImage / encodeThumbnail / uploadToStorage / persistThumbnailMetadata), each with a distinct log line. Persist failure specifically logs "orphaned in storage as {key}". Added generate_returnsFailed_whenPersistThrows_butUploadSucceeded test. Also extracted THUMBNAIL_KEY_PREFIX/SUFFIX constants with a comment explaining the deterministic-overwrite contract. Commit f0f9753c.
• [@leonievoss + @felixbrandt] "The fallback PDF icon misleads for image documents" — swapped to a generic document-text glyph (page outline + three text lines) that works for PDFs, JPEG/PNG scans, and TIFF equally. Bumped icon size from 24 px to 32 px inside the 60×84 tile to address Leonie's separate "looks sparse" suggestion. Commit b6bfb914.

Not addressed (follow-up, not blocker per reviewer)

• [@mkeller] "Shared ScheduledExecutorService instead of per-call Executors.newSingleThreadExecutor" — explicitly flagged as "follow-up, not blocker" at the expected volume. Deferring.
• [@leonievoss] "PersonDocumentList row height grew significantly" — cannot evaluate without real thumbnail data in place; Leonie flagged as "revisit after the backfill runs". Opening as follow-up would be premature.
• [@felixbrandt] "Splitting ThumbnailService.generate into helpers for individual testability" — addressed as part of the try-block split above; the four new private methods are now each testable via their public caller's surface.

Deferred to new issues

None — every raised concern has either been fixed, explicitly deferred by the reviewer, or is dependent on post-merge data to evaluate.

Test suite: 1252 backend tests, 0 failures (+1 from the new persist-fails regression test).

Re-running review cycle 2.

## Review Cycle 1 — Changes ### Addressed - **[@mkeller]** "The ADR doesn't mention in-memory `BackfillStatus`" + "treat this as a layering exception, acknowledge it explicitly" — expanded `docs/adr/004-pdfbox-thumbnails.md` with an "Operational caveats (intentional)" section covering both. Commit `f137aa79`. - **[@felixbrandt]** "Two try blocks overlap — a save failure logs 'generation failed' even though the thumbnail is in S3 as an orphan" — split `ThumbnailService.generate` into four stages (`readSourceImage` / `encodeThumbnail` / `uploadToStorage` / `persistThumbnailMetadata`), each with a distinct log line. Persist failure specifically logs `"orphaned in storage as {key}"`. Added `generate_returnsFailed_whenPersistThrows_butUploadSucceeded` test. Also extracted `THUMBNAIL_KEY_PREFIX`/`SUFFIX` constants with a comment explaining the deterministic-overwrite contract. Commit `f0f9753c`. - **[@leonievoss + @felixbrandt]** "The fallback PDF icon misleads for image documents" — swapped to a generic document-text glyph (page outline + three text lines) that works for PDFs, JPEG/PNG scans, and TIFF equally. Bumped icon size from 24 px to 32 px inside the 60×84 tile to address Leonie's separate "looks sparse" suggestion. Commit `b6bfb914`. ### Not addressed (follow-up, not blocker per reviewer) - **[@mkeller]** "Shared `ScheduledExecutorService` instead of per-call `Executors.newSingleThreadExecutor`" — explicitly flagged as "follow-up, not blocker" at the expected volume. Deferring. - **[@leonievoss]** "PersonDocumentList row height grew significantly" — cannot evaluate without real thumbnail data in place; Leonie flagged as "revisit after the backfill runs". Opening as follow-up would be premature. - **[@felixbrandt]** "Splitting `ThumbnailService.generate` into helpers for individual testability" — addressed as part of the try-block split above; the four new private methods are now each testable via their public caller's surface. ### Deferred to new issues None — every raised concern has either been fixed, explicitly deferred by the reviewer, or is dependent on post-merge data to evaluate. Test suite: **1252 backend tests, 0 failures** (+1 from the new persist-fails regression test). Re-running review cycle 2.

marcel commented 2026-04-22 23:07:26 +02:00

Author

Owner

Copy Link

🏛️ Markus Keller — Senior Application Architect

Verdict: ✅ Approved

Cycle 2 review — checking only the delta.

• ✅ ADR-004 now explicitly documents the in-memory BackfillStatus caveat (single-node, restart-lossy, idempotent replay via findByFilePathIsNotNullAndThumbnailKeyIsNull).
• ✅ Layering-exception paragraph lands exactly where a future reviewer will look: right next to the consequences section, framed as intentional rather than accidental. The "extract a proper ThumbnailRepository if thumbnails grow into their own domain" future-direction note is the right escape hatch.

No further architectural concerns. The per-call Executors.newSingleThreadExecutor is follow-up material — at the expected volume (hundreds to low thousands of docs) thread allocation is a non-issue.

Ship it.

## 🏛️ Markus Keller — Senior Application Architect **Verdict: ✅ Approved** Cycle 2 review — checking only the delta. - ✅ ADR-004 now explicitly documents the in-memory `BackfillStatus` caveat (single-node, restart-lossy, idempotent replay via `findByFilePathIsNotNullAndThumbnailKeyIsNull`). - ✅ Layering-exception paragraph lands exactly where a future reviewer will look: right next to the consequences section, framed as intentional rather than accidental. The "extract a proper ThumbnailRepository if thumbnails grow into their own domain" future-direction note is the right escape hatch. No further architectural concerns. The per-call `Executors.newSingleThreadExecutor` is follow-up material — at the expected volume (hundreds to low thousands of docs) thread allocation is a non-issue. Ship it.

marcel commented 2026-04-22 23:07:34 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

Cycle 2 delta check.

• ✅ ThumbnailService.generate now reads as four named stages — each try/catch wraps a single concern. persistThumbnailMetadata logs the orphan explicitly: "Thumbnail persist failed for doc={} (orphaned in storage as {}): {}". That's the audit trail the operator needs.
• ✅ THUMBNAIL_KEY_PREFIX/SUFFIX constants + comment on the deterministic-overwrite contract. The key pattern is in one place now, so changing it (e.g. adding a size suffix) is a one-line change.
• ✅ New test generate_returnsFailed_whenPersistThrows_butUploadSucceeded verifies S3 put was called AND save was called — proves the FAILED outcome is from the persist, not the upload. 8/8 ThumbnailServiceTest green.
• ✅ Full suite: 1252 backend tests, 0 failures (was 1251).

The fallback icon swap is clean — single SVG, h-8 w-8 at 60×84 is ~37% of the tile width, visually substantial. No action.

Approve.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ✅ Approved** Cycle 2 delta check. - ✅ `ThumbnailService.generate` now reads as four named stages — each try/catch wraps a single concern. `persistThumbnailMetadata` logs the orphan explicitly: `"Thumbnail persist failed for doc={} (orphaned in storage as {}): {}"`. That's the audit trail the operator needs. - ✅ `THUMBNAIL_KEY_PREFIX`/`SUFFIX` constants + comment on the deterministic-overwrite contract. The key pattern is in one place now, so changing it (e.g. adding a size suffix) is a one-line change. - ✅ New test `generate_returnsFailed_whenPersistThrows_butUploadSucceeded` verifies S3 put was called AND save was called — proves the FAILED outcome is from the persist, not the upload. 8/8 ThumbnailServiceTest green. - ✅ Full suite: **1252 backend tests, 0 failures** (was 1251). The fallback icon swap is clean — single SVG, `h-8 w-8` at 60×84 is ~37% of the tile width, visually substantial. No action. Approve.

marcel commented 2026-04-22 23:07:40 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

Re-review after cycle 2. No security-relevant changes in the delta — refactor of ThumbnailService.generate preserves every control I checked in cycle 1:

• Cache-Control header unchanged (private, max-age=31536000, immutable)
• 30 s timeout still wrapping the full generate call
• PDFBox still loaded via RandomAccessReadBuffer(in) with streaming + try-with-resources
• S3 key still deterministic and UUID-based; no user input flows into the key path

The new persistThumbnailMetadata log line improves auditability — distinct log per failure mode is exactly what you want during incident response.

No findings. Ship.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** Re-review after cycle 2. No security-relevant changes in the delta — refactor of `ThumbnailService.generate` preserves every control I checked in cycle 1: - Cache-Control header unchanged (`private, max-age=31536000, immutable`) - 30 s timeout still wrapping the full generate call - PDFBox still loaded via `RandomAccessReadBuffer(in)` with streaming + try-with-resources - S3 key still deterministic and UUID-based; no user input flows into the key path The new `persistThumbnailMetadata` log line improves auditability — distinct log per failure mode is exactly what you want during incident response. No findings. Ship.

marcel commented 2026-04-22 23:07:46 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — QA & Test Strategist

Verdict: ✅ Approved

Cycle 2 delta:

• ✅ New regression test generate_returnsFailed_whenPersistThrows_butUploadSucceeded codifies Felix's orphan-thumbnail concern. Asserts verify(s3Client).putObject(...) AND verify(documentRepository).save(...) both happened — proves the upload succeeded before the persist failure, which is exactly the "orphan" case we want to catch if it regresses.
• ✅ Backend suite grew from 1251 → 1252 tests; still 0 failures.
• ✅ Icon fallback change is a visual-only tweak — no test needed; existing DocumentThumbnail behavior (url-present → img, url-null → fallback) is unchanged.

No further findings. Branch coverage should still satisfy the 80% gate — each of the four new private methods in ThumbnailService has a path to an existing public-level test.

Approve.

## 🧪 Sara Holt — QA & Test Strategist **Verdict: ✅ Approved** Cycle 2 delta: - ✅ New regression test `generate_returnsFailed_whenPersistThrows_butUploadSucceeded` codifies Felix's orphan-thumbnail concern. Asserts `verify(s3Client).putObject(...)` AND `verify(documentRepository).save(...)` both happened — proves the upload succeeded before the persist failure, which is exactly the "orphan" case we want to catch if it regresses. - ✅ Backend suite grew from 1251 → 1252 tests; still 0 failures. - ✅ Icon fallback change is a visual-only tweak — no test needed; existing `DocumentThumbnail` behavior (url-present → img, url-null → fallback) is unchanged. No further findings. Branch coverage should still satisfy the 80% gate — each of the four new private methods in `ThumbnailService` has a path to an existing public-level test. Approve.

marcel commented 2026-04-22 23:07:51 +02:00

Author

Owner

Copy Link

⚙️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

Cycle 2 changes are code-only — no infrastructure delta. Re-checking:

• ✅ No changes to AsyncConfig, docker-compose.yml, pom.xml, or any migration.
• ✅ The new distinct log line "orphaned in storage as {key}" is operator-grade — I can grep Loki for this specifically once phase-7 is up, and count how often it fires. Good forward compatibility with monitoring rollout.
• ✅ ADR documents the restart-loss behavior of BackfillStatus — aligns with the existing MassImportService pattern that's already been running in production for a year. No new operational surprise.

Nothing to add. Ship.

## ⚙️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** Cycle 2 changes are code-only — no infrastructure delta. Re-checking: - ✅ No changes to `AsyncConfig`, `docker-compose.yml`, `pom.xml`, or any migration. - ✅ The new distinct log line `"orphaned in storage as {key}"` is operator-grade — I can grep Loki for this specifically once phase-7 is up, and count how often it fires. Good forward compatibility with monitoring rollout. - ✅ ADR documents the restart-loss behavior of `BackfillStatus` — aligns with the existing `MassImportService` pattern that's already been running in production for a year. No new operational surprise. Nothing to add. Ship.

marcel commented 2026-04-22 23:07:58 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — UX & Accessibility Lead

Verdict: ✅ Approved

Cycle 2 delta:

• ✅ Fallback glyph swapped to generic document-text (page outline + three text lines). Works for PDFs, JPEGs, PNGs, TIFFs equally — no more misleading PDF-specific imagery on image documents.
• ✅ Icon size bumped from h-6 w-6 (24 px) to h-8 w-8 (32 px) — fills the 60×84 tile better; the empty state no longer looks sparse.
• ✅ No a11y regression: the glyph is still aria-hidden inside a decorative wrapper div, alt="" on the real <img> when thumbnails are present, focus ring on the enclosing <a>.

My earlier concern about PersonDocumentList row height doubling is still valid but genuinely requires real thumbnail data to evaluate — post-merge follow-up if it feels wrong in practice. Not a blocker.

Ship it.

## 🎨 Leonie Voss — UX & Accessibility Lead **Verdict: ✅ Approved** Cycle 2 delta: - ✅ Fallback glyph swapped to generic document-text (page outline + three text lines). Works for PDFs, JPEGs, PNGs, TIFFs equally — no more misleading PDF-specific imagery on image documents. - ✅ Icon size bumped from `h-6 w-6` (24 px) to `h-8 w-8` (32 px) — fills the 60×84 tile better; the empty state no longer looks sparse. - ✅ No a11y regression: the glyph is still `aria-hidden` inside a decorative wrapper div, `alt=""` on the real `<img>` when thumbnails are present, focus ring on the enclosing `<a>`. My earlier concern about PersonDocumentList row height doubling is still valid but genuinely requires real thumbnail data to evaluate — post-merge follow-up if it feels wrong in practice. Not a blocker. Ship it.

marcel merged commit b6bfb9148e into main 2026-04-23 07:11:23 +02:00

marcel deleted branch feat/issue-307-pdf-thumbnails 2026-04-23 07:11:24 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#308