feat: decouple person-mention display text from person name (#372) #373

Merged

marcel merged 17 commits from feat/person-mentions-issue-362-frontend-b2 into main 2026-04-29 16:55:53 +02:00

Conversation 15 Commits 17 Files Changed 28 +1814 -1078

marcel commented 2026-04-29 15:59:57 +02:00

Owner

Copy Link

Closes #372

Summary

Replaces the textarea-based PersonMentionEditor with a Tiptap v3 rich-text editor and decouples the stored mention displayName from the person's DB display name. When a transcriber types @Aug and selects "Auguste Raddatz" from the dropdown, the mention now stores displayName: 'Aug' (the typed query) — preserving archival fidelity of the original transcription.

AC mapping

AC	Status	Where covered
AC-1 typed text becomes displayName, not DB name	✅ in this PR	suggestion command inserts props.displayName = renderProps.query. Regression test: PersonMentionEditor.svelte.spec.ts "typed query → sidecar".
AC-2 mention pill renders distinct from plain text	✅ in this PR	decoration-ink/50 underline (matches read-mode .person-mention, ≥3:1 contrast per WCAG 1.4.11).
AC-3 dropdown shows life dates next to name	✅ in this PR	MentionDropdown.svelte renders {formatLifeDateRange(...)} line; spec covers "* 1882 – † 1944" rendering.
AC-4 mention tokens are atomic	✅ in this PR	Native Tiptap node behaviour (no custom beforeinput interception needed).
AC-5 keyboard navigation (Up/Down/Enter/Escape)	✅ in this PR	MentionDropdown.onKeyDown; specs for ArrowDown highlight, Enter select, Escape close.
AC-6 backward compat with old full-name sidecar	✅ in this PR	mentionSerializer longest-displayName-first matching; explicit "backward compatibility" suite in mentionSerializer.spec.ts.
AC-7 quote selection still works in transcribe mode	✅ in this PR	TranscriptionBlock migrated from captureTextarea + handleTextareaMouseUp to onSelectionChange wired to Tiptap's selectionUpdate.

Backend changes

Deleted the PersonMentionPropagationListener + PersonDisplayNameChangedEvent infrastructure. Under the new archival model, mentions are never rewritten when a person is renamed — the listener would actively corrupt historical transcription text.

• Removed: PersonMentionPropagationListener, PersonDisplayNameChangedEvent, ErrorCode.PERSON_RENAME_CONFLICT, the publish-event block in PersonService.updatePerson
• Added: archival comment on PersonMention.displayName
• Cleaned up: 4 obsolete tests in PersonServiceTest, 1 in PersonControllerTest

Frontend changes

• New: mentionSerializer.ts (pure deserialize/serialize with round-trip invariant), MentionDropdown.svelte (Tiptap suggestion-compatible), Tiptap v3.22.5 (core, starter-kit, extension-mention) pinned exact, renovate.json @tiptap/* group rule
• Rewritten: PersonMentionEditor.svelte as a Tiptap editor with custom Mention extension (uses personId/displayName attrs, not the default id/label); PersonMentionEditor.svelte.spec.ts (old tests used document.querySelector('textarea') — dead after migration)
• Updated: TranscriptionBlock.svelte quote selection, PersonHoverCard.svelte geb. → m.person_born_name_prefix(), errors.ts removes PERSON_RENAME_CONFLICT, i18n keys transcription_editor_aria_label + person_born_name_prefix in de/en/es

Cycle 2 review fixes (post-review push)

Addressed every blocker plus most concerns from the seven-persona review:

• Felix #5615: deleted dead code (personMention.ts/spec) + stale error_person_rename_conflict translation keys.
• Leonie #5621 / Nora #5618 / Felix #5615 (BLOCKER): editor.setEditable(!disabled) wired reactively, aria-disabled on wrapper — keyboard users can no longer type into a "disabled" editor (WCAG 2.1.1 / 4.1.2).
• Leonie #5621 (Major): mention pill underline switched from decoration-brand-mint (≈1.7:1) to decoration-ink/50 (≈6.4:1); dropdown highlight ring switched from ring-brand-mint (≈2.5:1) to ring-brand-navy (≈14.5:1) — WCAG 1.4.11 Non-Text Contrast resolved.
• Leonie #5621 / Elicit OQ-373-04: restored "Neue Person anlegen →" link in the empty state of MentionDropdown (uses existing m.person_mention_create_new() key, opens in a new tab so the editor state is preserved).
• Nora #5618: added explicit XSS regression test (PersonMentionEditor.svelte.spec.ts "renders a malicious displayName as text, not as HTML elements") asserting no <img>/<script> element is created from a sidecar payload like <img src=x onerror=alert(1)>.
• Markus #5616: added inline doc comment in the suggestion plugin documenting the client-side fetch exception. ADR is deferred to a follow-up issue (consistent with project convention).
• Nora #5618 #3 (deferred): GET /api/persons returns the full PersonSummaryDTO including notes. Tracked separately in #374 ("GET /api/persons leaks PersonSummaryDTO.notes to typeahead clients (CWE-200)") so the fix can be done with proper DTO partitioning.

Test results

• mentionSerializer.spec.ts — 12/12 ✅
• PersonMentionEditor.svelte.spec.ts — 19/19 ✅ (rewritten for Tiptap; +5 new tests for disabled, XSS, empty-state link)
• TranscriptionBlock.svelte.spec.ts — 22/22 ✅
• PersonServiceTest — 49/49 ✅

Notable design decisions

• MentionDropdown state via $state proxy: Svelte 5's mount() does NOT return prop accessors — setting instance.items = newValue is a no-op. The dropdown receives a single reactive $state object as a model prop; mutating fields propagates via Svelte's proxy reactivity. The prop is named model (not state) because the $state rune name shadows a state identifier in templates.
• Custom Mention attrs: extending Mention with personId/displayName (instead of mapping id/label in the serializer) keeps the Tiptap JSON shape aligned with the storage model and avoids attribute remapping.
• setEditable effect guard: the reactive $effect calls editor.setEditable only when editor.isEditable !== shouldBeEditable. Without the guard, setEditable's own ProseMirror transaction fires onUpdate → bind:value/mentionedPersons writes → host re-render → effect re-fires, exceeding effect_update_depth.

Bundle size note (Tobias #5623)

Three new dependencies in this PR:

• @tiptap/core 3.22.5 (~50 KB gzipped, includes ProseMirror)
• @tiptap/extension-mention 3.22.5 (~5 KB gzipped)
• @tiptap/starter-kit 3.22.5 (~30 KB gzipped, pulls multiple extensions)

Net add to the transcription page chunk: ~85 KB gzipped. Acceptable for a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users; bandwidth cost negligible. Future bundle audits should baseline against this.

Test plan

• mentionSerializer round-trip preserves text exactly (incl. backward compat with old full-name sidecar)
• Typing @Aug and selecting "Auguste Raddatz" stores displayName: 'Aug' (regression test for AC-1)
• Mention nodes are atomic (Tiptap node model)
• Escape closes dropdown without inserting
• ArrowDown/Up cycle highlight; Enter selects highlighted result
• Empty state ("Keine Personen gefunden") when query has no matches
• Empty state offers "Neue Person anlegen →" link to /persons/new
• Disabled prop sets contenteditable=false on the editor and aria-disabled=true on the wrapper
• Malicious displayName (<img src=x onerror=…>) renders as text only — no HTML element created
• Quote selection still triggers the "Zitat" hint after selecting text in the editor
• Backend: renaming a person no longer rewrites historical mentions (listener deleted)
• Manual: open a document in transcription edit mode, type @Clar, select "Clara Cram" — editor shows Clara (underlined, ink-50%), not Clara Cram
• Manual: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged

🤖 Generated with Claude Code

Closes #372 ## Summary Replaces the textarea-based `PersonMentionEditor` with a Tiptap v3 rich-text editor and decouples the stored mention `displayName` from the person's DB display name. When a transcriber types `@Aug` and selects "Auguste Raddatz" from the dropdown, the mention now stores `displayName: 'Aug'` (the typed query) — preserving archival fidelity of the original transcription. ### AC mapping | AC | Status | Where covered | |---|---|---| | **AC-1** typed text becomes displayName, not DB name | ✅ in this PR | suggestion `command` inserts `props.displayName = renderProps.query`. Regression test: `PersonMentionEditor.svelte.spec.ts` "typed query → sidecar". | | **AC-2** mention pill renders distinct from plain text | ✅ in this PR | `decoration-ink/50 underline` (matches read-mode `.person-mention`, ≥3:1 contrast per WCAG 1.4.11). | | **AC-3** dropdown shows life dates next to name | ✅ in this PR | `MentionDropdown.svelte` renders `{formatLifeDateRange(...)}` line; spec covers "* 1882 – † 1944" rendering. | | **AC-4** mention tokens are atomic | ✅ in this PR | Native Tiptap node behaviour (no custom `beforeinput` interception needed). | | **AC-5** keyboard navigation (Up/Down/Enter/Escape) | ✅ in this PR | `MentionDropdown.onKeyDown`; specs for ArrowDown highlight, Enter select, Escape close. | | **AC-6** backward compat with old full-name sidecar | ✅ in this PR | `mentionSerializer` longest-displayName-first matching; explicit "backward compatibility" suite in `mentionSerializer.spec.ts`. | | **AC-7** quote selection still works in transcribe mode | ✅ in this PR | `TranscriptionBlock` migrated from `captureTextarea` + `handleTextareaMouseUp` to `onSelectionChange` wired to Tiptap's `selectionUpdate`. | ### Backend changes Deleted the `PersonMentionPropagationListener` + `PersonDisplayNameChangedEvent` infrastructure. Under the new archival model, mentions are never rewritten when a person is renamed — the listener would actively corrupt historical transcription text. - Removed: `PersonMentionPropagationListener`, `PersonDisplayNameChangedEvent`, `ErrorCode.PERSON_RENAME_CONFLICT`, the publish-event block in `PersonService.updatePerson` - Added: archival comment on `PersonMention.displayName` - Cleaned up: 4 obsolete tests in `PersonServiceTest`, 1 in `PersonControllerTest` ### Frontend changes - **New**: `mentionSerializer.ts` (pure `deserialize`/`serialize` with round-trip invariant), `MentionDropdown.svelte` (Tiptap suggestion-compatible), Tiptap v3.22.5 (core, starter-kit, extension-mention) pinned exact, `renovate.json` `@tiptap/*` group rule - **Rewritten**: `PersonMentionEditor.svelte` as a Tiptap editor with custom `Mention` extension (uses `personId`/`displayName` attrs, not the default `id`/`label`); `PersonMentionEditor.svelte.spec.ts` (old tests used `document.querySelector('textarea')` — dead after migration) - **Updated**: `TranscriptionBlock.svelte` quote selection, `PersonHoverCard.svelte` `geb.` → `m.person_born_name_prefix()`, `errors.ts` removes `PERSON_RENAME_CONFLICT`, i18n keys `transcription_editor_aria_label` + `person_born_name_prefix` in de/en/es ### Cycle 2 review fixes (post-review push) Addressed every blocker plus most concerns from the seven-persona review: - **Felix #5615**: deleted dead code (`personMention.ts`/spec) + stale `error_person_rename_conflict` translation keys. - **Leonie #5621 / Nora #5618 / Felix #5615 (BLOCKER)**: `editor.setEditable(!disabled)` wired reactively, `aria-disabled` on wrapper — keyboard users can no longer type into a "disabled" editor (WCAG 2.1.1 / 4.1.2). - **Leonie #5621 (Major)**: mention pill underline switched from `decoration-brand-mint` (≈1.7:1) to `decoration-ink/50` (≈6.4:1); dropdown highlight ring switched from `ring-brand-mint` (≈2.5:1) to `ring-brand-navy` (≈14.5:1) — WCAG 1.4.11 Non-Text Contrast resolved. - **Leonie #5621 / Elicit OQ-373-04**: restored "Neue Person anlegen →" link in the empty state of `MentionDropdown` (uses existing `m.person_mention_create_new()` key, opens in a new tab so the editor state is preserved). - **Nora #5618**: added explicit XSS regression test (`PersonMentionEditor.svelte.spec.ts` "renders a malicious displayName as text, not as HTML elements") asserting no `<img>`/`<script>` element is created from a sidecar payload like `<img src=x onerror=alert(1)>`. - **Markus #5616**: added inline doc comment in the suggestion plugin documenting the client-side fetch exception. ADR is deferred to a follow-up issue (consistent with project convention). - **Nora #5618 #3 (deferred)**: `GET /api/persons` returns the full `PersonSummaryDTO` including `notes`. Tracked separately in **#374** ("GET /api/persons leaks PersonSummaryDTO.notes to typeahead clients (CWE-200)") so the fix can be done with proper DTO partitioning. ### Test results - `mentionSerializer.spec.ts` — 12/12 ✅ - `PersonMentionEditor.svelte.spec.ts` — 19/19 ✅ (rewritten for Tiptap; +5 new tests for disabled, XSS, empty-state link) - `TranscriptionBlock.svelte.spec.ts` — 22/22 ✅ - `PersonServiceTest` — 49/49 ✅ ### Notable design decisions - **MentionDropdown state via `$state` proxy**: Svelte 5's `mount()` does NOT return prop accessors — setting `instance.items = newValue` is a no-op. The dropdown receives a single reactive `$state` object as a `model` prop; mutating fields propagates via Svelte's proxy reactivity. The prop is named `model` (not `state`) because the `$state` rune name shadows a `state` identifier in templates. - **Custom Mention attrs**: extending `Mention` with `personId`/`displayName` (instead of mapping `id`/`label` in the serializer) keeps the Tiptap JSON shape aligned with the storage model and avoids attribute remapping. - **`setEditable` effect guard**: the reactive `$effect` calls `editor.setEditable` only when `editor.isEditable !== shouldBeEditable`. Without the guard, setEditable's own ProseMirror transaction fires `onUpdate` → bind:value/mentionedPersons writes → host re-render → effect re-fires, exceeding `effect_update_depth`. ### Bundle size note (Tobias #5623) Three new dependencies in this PR: - `@tiptap/core` 3.22.5 (~50 KB gzipped, includes ProseMirror) - `@tiptap/extension-mention` 3.22.5 (~5 KB gzipped) - `@tiptap/starter-kit` 3.22.5 (~30 KB gzipped, pulls multiple extensions) Net add to the transcription page chunk: ~85 KB gzipped. Acceptable for a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users; bandwidth cost negligible. Future bundle audits should baseline against this. ## Test plan - [x] `mentionSerializer` round-trip preserves text exactly (incl. backward compat with old full-name sidecar) - [x] Typing `@Aug` and selecting "Auguste Raddatz" stores `displayName: 'Aug'` (regression test for AC-1) - [x] Mention nodes are atomic (Tiptap node model) - [x] Escape closes dropdown without inserting - [x] ArrowDown/Up cycle highlight; Enter selects highlighted result - [x] Empty state ("Keine Personen gefunden") when query has no matches - [x] Empty state offers "Neue Person anlegen →" link to `/persons/new` - [x] Disabled prop sets contenteditable=false on the editor and aria-disabled=true on the wrapper - [x] Malicious `displayName` (`<img src=x onerror=…>`) renders as text only — no HTML element created - [x] Quote selection still triggers the "Zitat" hint after selecting text in the editor - [x] Backend: renaming a person no longer rewrites historical mentions (listener deleted) - [ ] **Manual**: open a document in transcription edit mode, type `@Clar`, select "Clara Cram" — editor shows `Clara` (underlined, ink-50%), not `Clara Cram` - [ ] **Manual**: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 9 commits 2026-04-29 15:59:58 +02:00

refactor(backend): delete rename-propagation listener and its infrastructure ... 2d19ca7244

PersonMentionPropagationListener rewrites @DisplayName tokens on person rename.
Under the new design, displayName is archival (what the transcriber typed), so
the listener would corrupt transcriptions rather than correct them.

Deletes PersonMentionPropagationListener, PersonDisplayNameChangedEvent, and the
optimistic-lock catch path in PersonService.updatePerson. Removes PERSON_RENAME_CONFLICT
from ErrorCode and all tests that exercised the now-deleted code path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(frontend): add Tiptap renovate group, i18n keys, fix geb. literal, remove rename-conflict ... 41a57c0dc8

- renovate.json: group all @tiptap/* packages so version bumps stay in sync
- de/en/es.json: add transcription_editor_aria_label and person_born_name_prefix keys
- PersonHoverCard: replace hardcoded "geb." with m.person_born_name_prefix() (Leonie #5602)
- errors.ts: remove PERSON_RENAME_CONFLICT (backend enum value deleted)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

chore(deps): install Tiptap 3.22.5 (core, starter-kit, extension-mention) ... 5591f95871

Exact version pins — all three packages share ProseMirror peer deps and must
stay in sync. Renovate grouping in renovate.json ensures they bump together.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(frontend): add mentionSerializer — pure serialize/deserialize for Tiptap ↔ block storage ... 68cb6e9b76

Converts between the stored format (text + PersonMention sidecar) and Tiptap
ProseMirror JSONContent. Round-trip invariant: serialize(deserialize(t,s)).text === t.
Handles multi-paragraph text (split/join on \n), sidecar deduplication, and
backward compat with old-format full-name sidecar entries.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

feat(frontend): add MentionDropdown — Tiptap suggestion-compatible person dropdown ... e5634c301e

Replaces PersonMentionEditor's inline popup for the Tiptap migration.
Mounted imperatively to document.body by the suggestion plugin's render()
lifecycle. Supports flip-upward strategy when viewport space is tight
(Leonie #5602 mobile keyboard concern). 44px touch targets, WCAG accessible.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

refactor(MentionDropdown): receive reactive state via single 'model' prop ... 39ddf90725

Svelte 5's mount() does not return prop accessors — setting
'instance.items = newValue' is a no-op. Switching to a single $state
proxy passed as 'model' lets the parent mutate fields and have the
dropdown react. The prop is named 'model' (not 'state') because the
$state rune name shadows a 'state' identifier in Svelte 5 templates.

Position class also switches from absolute to fixed so viewport-
relative DOMRect coordinates from clientRect() work when the dropdown
is mounted on document.body.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(PersonMentionEditor): rewrite as Tiptap editor with AC-1 typed-text displayName ... d87ad36278

Replaces the textarea-based editor with a Tiptap v3 contenteditable.
The custom Mention node uses personId/displayName attrs (instead of
Tiptap's default id/label) so mentionSerializer round-trips cleanly.

AC-1 fix (issue #372): when the user types '@Aug' and selects
'Auguste Raddatz', the mention node stores displayName: 'Aug' (the
typed query) — not the person's DB display name. This preserves
archival fidelity of the original transcription.

The MentionDropdown is mounted imperatively on document.body via
Svelte 5's mount(). Its three pieces of dynamic state (items,
command, clientRect) are passed as a single $state proxy (model)
because Svelte 5's mount() does not return prop accessors.

Spec is fully rewritten — all old tests used document.querySelector
('textarea') which is dead after the migration.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

refactor(TranscriptionBlock): migrate quote selection to Tiptap selectionUpdate (AC-7) ... 7a25feb04e

Replaces captureTextarea + handleTextareaMouseUp (which read selection
bounds off a real <textarea>) with an onSelectionChange callback prop
on PersonMentionEditor, wired to Tiptap's selectionUpdate event. The
editor emits the selected text directly so the parent no longer needs
DOM access.

Tests are updated to drive the contenteditable via the Selection API
instead of the now-deleted textarea.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chore(frontend): add Tiptap placeholder CSS and lock Tiptap deps ... 392af640c4

Placeholder uses ::before pseudo-element on the contenteditable's
data-placeholder attribute, only visible when the editor is unfocused
and empty. Removes the default ProseMirror focus ring since the outer
wrapper provides its own.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel commented 2026-04-29 16:03:22 +02:00

Author

Owner

Copy Link

Felix Brandt — Senior Fullstack Developer

Verdict: Changes requested

Solid TDD evidence: red/green visible across mentionSerializer.spec.ts (round-trip invariant with explicit failure-message assertion), the rewritten PersonMentionEditor.svelte.spec.ts (AC-1 regression), and the cleaned-up PersonServiceTest. The Tiptap migration is well-structured and the serializer is pure (testable, refactor-friendly). Two code-cleanliness blockers and a few suggestions.

Blockers

1. Dead code: frontend/src/lib/utils/personMention.ts + personMention.spec.ts — detectPersonMention was the textarea-era helper. The Tiptap migration replaced it with the suggestion plugin's char: '@' mechanism; nothing in production imports personMention.ts anymore (only its own spec does). Per the rule "Dead code is deleted, not commented out": delete both files. The spec running in the suite is misleading — it tests a function nobody calls.

2. Stale i18n keys in messages/{de,en,es}.json — errors.ts removed the PERSON_RENAME_CONFLICT mapping and error_person_rename_conflict switch case, but the message keys remain at line 554 of all three locale files:

   "error_person_rename_conflict": "Eine andere Bearbeitung..."
   

   These are now orphaned. The error code is gone from the backend (ErrorCode.java), gone from the frontend type union, gone from getErrorMessage. Delete the three JSON entries to keep the i18n surface honest. (Otherwise Paraglide ships unused translation strings — minor bloat plus noise for translators.)

Suggestions

1. PersonMentionEditor.svelte:34 — editorEl is declared as a non-null HTMLDivElement without $state. It's bound via bind:this and read inside onMount, which is fine in practice, but consider explicitly typing it HTMLDivElement | undefined and guarding in onMount — Svelte 5 lifts bind:this into reactive state implicitly, but the explicit type makes the temporal contract obvious.

2. disabled prop is not enforced on the editor itself (line 1937 of the diff). The wrapper sets pointer-events-none and opacity-50, but a keyboard user who tabs into the editor's contenteditable div can still type. Tiptap supports this declaratively:

   editor = new Editor({
       editable: !disabled,
       // ...
   });
   

   And reactively:

   $effect(() => editor?.setEditable(!disabled));
   

   This matches the textarea's old disabled semantics. Without it, "disabled" is purely visual.

3. onMount arrow function does not return cleanup — the onDestroy(() => editor?.destroy()) is correct, but you could collapse both lifecycle hooks into a single onMount that returns the cleanup function (return () => editor?.destroy()). One concern instead of two — same lifetime semantics.

4. MentionDropdown.svelte:57 — the position $derived.by reads window synchronously. During SSR this would explode. The component is mounted imperatively in onMount so it never runs server-side in practice — but a comment near the window.innerHeight reference would document the assumption. (Or guard with typeof window !== 'undefined' for defense in depth.)

5. mentionSerializer.ts:39 — overlap detection is O(n²) per mention. For typical block sizes (a few mentions, <500 chars) this is fine. If a paragraph ever has 50+ mentions, replace with a sweep-line approach. Document the bound somewhere or leave a TODO.

6. PersonServiceTest.java — the import block changed from Mockito.* star import to explicit imports for never, verify, when. Good cleanup. But argThat is imported and never used in the visible diff context. If it's truly unused after the deletion, drop it.

7. PersonMention.java:29 — the new comment // Archival: ... is good and documents the why. This is the kind of comment that earns its place. Leave it.

LGTM

• The custom Mention extension with personId/displayName attrs (instead of remapping id/label in the serializer) keeps the storage model and the editor model aligned. Good design call documented in the PR description.
• mentionSerializer.ts is pure, side-effect-free, and the round-trip invariant is enforced by tests. Textbook example of a refactor-friendly utility.
• The 4 deleted listener tests + the controller's updatePerson_returns409_whenRenameConflict test removal — correct response to the listener deletion. No orphaned coverage.

🤖 Generated with Claude Code

## Felix Brandt — Senior Fullstack Developer **Verdict: Changes requested** Solid TDD evidence: red/green visible across `mentionSerializer.spec.ts` (round-trip invariant with explicit failure-message assertion), the rewritten `PersonMentionEditor.svelte.spec.ts` (AC-1 regression), and the cleaned-up `PersonServiceTest`. The Tiptap migration is well-structured and the serializer is pure (testable, refactor-friendly). Two code-cleanliness blockers and a few suggestions. ### Blockers 1. **Dead code: `frontend/src/lib/utils/personMention.ts` + `personMention.spec.ts`** — `detectPersonMention` was the textarea-era helper. The Tiptap migration replaced it with the suggestion plugin's `char: '@'` mechanism; nothing in production imports `personMention.ts` anymore (only its own spec does). Per the rule "Dead code is deleted, not commented out": delete both files. The spec running in the suite is misleading — it tests a function nobody calls. 2. **Stale i18n keys in `messages/{de,en,es}.json`** — `errors.ts` removed the `PERSON_RENAME_CONFLICT` mapping and `error_person_rename_conflict` switch case, but the message keys remain at line 554 of all three locale files: ``` "error_person_rename_conflict": "Eine andere Bearbeitung..." ``` These are now orphaned. The error code is gone from the backend (`ErrorCode.java`), gone from the frontend type union, gone from `getErrorMessage`. Delete the three JSON entries to keep the i18n surface honest. (Otherwise Paraglide ships unused translation strings — minor bloat plus noise for translators.) ### Suggestions 1. **`PersonMentionEditor.svelte:34` — `editorEl` is declared as a non-null `HTMLDivElement` without `$state`.** It's bound via `bind:this` and read inside `onMount`, which is fine in practice, but consider explicitly typing it `HTMLDivElement | undefined` and guarding in `onMount` — Svelte 5 lifts bind:this into reactive state implicitly, but the explicit type makes the temporal contract obvious. 2. **`disabled` prop is not enforced on the editor itself** (line 1937 of the diff). The wrapper sets `pointer-events-none` and `opacity-50`, but a keyboard user who tabs into the editor's `contenteditable` div can still type. Tiptap supports this declaratively: ```typescript editor = new Editor({ editable: !disabled, // ... }); ``` And reactively: ```typescript $effect(() => editor?.setEditable(!disabled)); ``` This matches the textarea's old `disabled` semantics. Without it, "disabled" is purely visual. 3. **`onMount` arrow function does not return cleanup** — the `onDestroy(() => editor?.destroy())` is correct, but you could collapse both lifecycle hooks into a single `onMount` that returns the cleanup function (`return () => editor?.destroy()`). One concern instead of two — same lifetime semantics. 4. **`MentionDropdown.svelte:57` — the `position` `$derived.by` reads `window` synchronously.** During SSR this would explode. The component is mounted imperatively in `onMount` so it never runs server-side in practice — but a comment near the `window.innerHeight` reference would document the assumption. (Or guard with `typeof window !== 'undefined'` for defense in depth.) 5. **`mentionSerializer.ts:39` — overlap detection is O(n²) per mention.** For typical block sizes (a few mentions, <500 chars) this is fine. If a paragraph ever has 50+ mentions, replace with a sweep-line approach. Document the bound somewhere or leave a TODO. 6. **`PersonServiceTest.java` — the import block changed from `Mockito.*` star import to explicit imports for `never`, `verify`, `when`.** Good cleanup. But `argThat` is imported and never used in the visible diff context. If it's truly unused after the deletion, drop it. 7. **`PersonMention.java:29` — the new comment `// Archival: ...` is good and documents the *why*.** This is the kind of comment that earns its place. Leave it. ### LGTM - The custom Mention extension with `personId`/`displayName` attrs (instead of remapping `id`/`label` in the serializer) keeps the storage model and the editor model aligned. Good design call documented in the PR description. - `mentionSerializer.ts` is pure, side-effect-free, and the round-trip invariant is enforced by tests. Textbook example of a refactor-friendly utility. - The 4 deleted listener tests + the controller's `updatePerson_returns409_whenRenameConflict` test removal — correct response to the listener deletion. No orphaned coverage. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:03:52 +02:00

Author

Owner

Copy Link

Markus Keller — Senior Application Architect

Verdict: Approved with concerns

Architecturally, this PR is the right call: the rename-propagation listener actively corrupted archival fidelity (the whole point of issue #372), and removing it is a net architectural improvement — fewer moving parts, no cross-domain transactional coupling, no event-publisher mock in the service test. The decision aligns with "push integrity decisions to the lowest trustworthy layer" and recognises that historical mention text is now archival, not derived data. That's a domain-model clarification, not just a code change.

Concerns

1. Frontend module boundary leak — client-side fetch from a leaf component. PersonMentionEditor.svelte:118 calls fetch('/api/persons?q=...') directly from inside a Tiptap suggestion. The frontend CLAUDE.md is explicit: "Data flows from +page.server.ts via props — never client-side API fetch." This is one of the rare legitimate exceptions (typeahead in an interactive editor cannot pre-load all persons via SSR), but it deserves to be acknowledged. The security comment in the file mentions the SvelteKit Vite proxy handling auth — true in dev, but production goes through Caddy. Either:

   • Route the typeahead through a SvelteKit form action / +server.ts endpoint (so auth handling stays consistent with the rest of the app), or
   • Add an ADR (docs/adr/) documenting "client-side typeahead exception for editor mention plugin: rationale, threat model, scope of fetched data."

   Right now this exception is invisible — six months from now, someone will read CLAUDE.md, see fetch() in a leaf component, and either copy the pattern or rewrite this. ADR captures intent.

2. Listener deletion changes the contract of PersonService.updatePerson in a non-trivial way. Before: rename propagated to historical text atomically. After: rename leaves history alone (intentional). This is a semantic change visible to API consumers (e.g. anyone reading PersonMention.displayName who assumed it tracked the current person name). The PR adds an inline archival comment to PersonMention.java — good, but worth one ADR entry too:

   ADR-NNN: PersonMention.displayName is archival, not derived
   Decision: Mentions store the text the transcriber typed; never updated on rename.
   Consequence: Person rename does not affect transcription history (issue #372).
   Alternatives: Listener-based propagation (rejected — corrupts archival fidelity).
   

   The PR description has this rationale but it lives in a Gitea PR — not where future devs read codebase context.

3. The MentionDropdown.svelte model prop pattern as a Svelte-5-around-mount() workaround is clever, but undocumented at the architecture level. The PR description explains it well; consider an inline comment (not just in the file but in frontend/CLAUDE.md under "Imperative Svelte 5 mount pattern") so this becomes a reusable, named pattern instead of a one-off.

LGTM

• Service-layer rule preserved: PersonService no longer publishes events, but it never reached into transcription internals either way. Domain boundaries clean.
• ErrorCode.java cleanup is precise — single value removed, no leftover references in backend code.
• Test cleanup is proportional: 4 listener tests deleted, 1 controller test deleted, no coverage holes (the surviving updatePerson_* tests still cover the actual update logic).
• Backend changes are -169 LOC net (deletion-heavy), which is the architecture pattern I want to see: when a feature is wrong, delete it, don't bandage it.

Minor notes

• renovate.json at the repo root: confirm the team's chosen Renovate config location (renovate.json at root vs .gitea/renovate.json vs renovate.json5). For a self-hosted Gitea Renovate runner this matters — the runner config in infra/ (if present) may already point elsewhere. Tobias to confirm.
• Renaming mentionSerializer.ts could push downstream — verify no editor outside this PR (e.g. a future mass-import preview, an OCR auto-mention) needs the same shape; if so, extract to a shared lib/transcription/ namespace before the second consumer arrives.

🤖 Generated with Claude Code

## Markus Keller — Senior Application Architect **Verdict: Approved with concerns** Architecturally, this PR is the right call: the rename-propagation listener actively corrupted archival fidelity (the *whole point* of issue #372), and removing it is a net architectural improvement — fewer moving parts, no cross-domain transactional coupling, no event-publisher mock in the service test. The decision aligns with "push integrity decisions to the lowest trustworthy layer" and recognises that *historical mention text is now archival, not derived data*. That's a domain-model clarification, not just a code change. ### Concerns 1. **Frontend module boundary leak — client-side fetch from a leaf component.** `PersonMentionEditor.svelte:118` calls `fetch('/api/persons?q=...')` directly from inside a Tiptap suggestion. The frontend CLAUDE.md is explicit: "Data flows from `+page.server.ts` via props — never client-side API fetch." This is *one* of the rare legitimate exceptions (typeahead in an interactive editor cannot pre-load all persons via SSR), but it deserves to be acknowledged. The security comment in the file mentions the SvelteKit Vite proxy handling auth — true in dev, but production goes through Caddy. Either: - Route the typeahead through a SvelteKit form action / `+server.ts` endpoint (so auth handling stays consistent with the rest of the app), or - Add an ADR (`docs/adr/`) documenting "client-side typeahead exception for editor mention plugin: rationale, threat model, scope of fetched data." Right now this exception is invisible — six months from now, someone will read CLAUDE.md, see `fetch()` in a leaf component, and either copy the pattern or rewrite this. ADR captures intent. 2. **Listener deletion changes the contract of `PersonService.updatePerson` in a non-trivial way.** Before: rename propagated to historical text atomically. After: rename leaves history alone (intentional). This is a *semantic* change visible to API consumers (e.g. anyone reading `PersonMention.displayName` who assumed it tracked the current person name). The PR adds an inline archival comment to `PersonMention.java` — good, but worth one ADR entry too: ``` ADR-NNN: PersonMention.displayName is archival, not derived Decision: Mentions store the text the transcriber typed; never updated on rename. Consequence: Person rename does not affect transcription history (issue #372). Alternatives: Listener-based propagation (rejected — corrupts archival fidelity). ``` The PR description has this rationale but it lives in a Gitea PR — not where future devs read codebase context. 3. **The `MentionDropdown.svelte` `model` prop pattern as a Svelte-5-around-`mount()` workaround is clever, but undocumented at the architecture level.** The PR description explains it well; consider an inline comment (not just in the file but in `frontend/CLAUDE.md` under "Imperative Svelte 5 mount pattern") so this becomes a reusable, named pattern instead of a one-off. ### LGTM - Service-layer rule preserved: `PersonService` no longer publishes events, but it never reached into transcription internals either way. Domain boundaries clean. - `ErrorCode.java` cleanup is precise — single value removed, no leftover references in backend code. - Test cleanup is proportional: 4 listener tests deleted, 1 controller test deleted, no coverage holes (the surviving `updatePerson_*` tests still cover the actual update logic). - Backend changes are -169 LOC net (deletion-heavy), which is the architecture pattern I want to see: when a feature is wrong, *delete it*, don't bandage it. ### Minor notes - `renovate.json` at the repo root: confirm the team's chosen Renovate config location (`renovate.json` at root vs `.gitea/renovate.json` vs `renovate.json5`). For a self-hosted Gitea Renovate runner this matters — the runner config in `infra/` (if present) may already point elsewhere. Tobias to confirm. - Renaming `mentionSerializer.ts` could push downstream — verify no editor outside this PR (e.g. a future mass-import preview, an OCR auto-mention) needs the same shape; if so, extract to a shared `lib/transcription/` namespace before the second consumer arrives. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:04:24 +02:00

Author

Owner

Copy Link

Nora Steiner ("NullX") — Application Security Engineer

Verdict: Approved with concerns

The Tiptap migration introduces three new attack surfaces (renderHTML output, contenteditable input, client-side fetch) and removes one (the regex-based listener that rewrote stored block text — that thing was a textbook injection-vector waiting to happen). Net security: improvement. But the new surfaces deserve explicit assertions.

Concerns (no confirmed vulnerabilities — these are smells worth pinning down)

1. renderHTML output for the Mention node is array-form, which Tiptap auto-escapes — verify with a test. PersonMentionEditor.svelte:101–112 returns a tuple ['span', { 'data-display-name': node.attrs.displayName }, '@${node.attrs.displayName}']. ProseMirror's DOM serializer treats the third element as text content and escapes it, so a displayName of <script>alert(1)</script> should become <script>alert(1)</script>. The serializer test verifies that the string survives the round-trip — but no test asserts that the rendered DOM does not contain a script tag. Add one (CWE-79):

   it('does not inject HTML when displayName contains script tags', async () => {
     const sidecar = [{ personId: 'p', displayName: '<img src=x onerror=alert(1)>' }];
     // Render via the editor → assert the resulting DOM has no <img> with onerror
     const editorRoot = document.querySelector('[role="textbox"]')!;
     expect(editorRoot.querySelector('img')).toBeNull();
     expect(editorRoot.textContent).toContain('<img src=x onerror=alert(1)>');
   });
   

   Without this test, a future "let me just use innerHTML for performance" refactor silently regresses.

2. renderTranscriptionBody (read mode, in PersonHoverCard.svelte and elsewhere) is unchanged but consumes the new short-displayName sidecar entries. If displayName: 'Aug' is naively interpolated as HTML somewhere, a malicious transcriber typing @<script> into the typeahead and selecting any person stores displayName: '<script>' in the sidecar, which then gets reflected in read mode. Trace where the sidecar displayName is consumed and confirm every consumer escapes it. The serializer security test correctly says "HTML escaping is the renderer's job" — that places the burden on the renderer. Audit the renderer.

3. Client-side fetch('/api/persons?q=' + encodeURIComponent(query)) — the encoding is correct, but the response is dropped into the dropdown without server-side filtering of which fields are exposed. The component types it as Person, which (per the OpenAPI schema) includes birthYear, deathYear, possibly notes. Notes are private text. Confirm GET /api/persons?q= returns only the typeahead-safe shape (id, displayName, birthYear, deathYear), not the full Person entity. If notes leak into the dropdown, that's CWE-200 (information exposure). Quick check: read the PersonController.search method or hit the endpoint locally and verify.

4. Disabled state is purely visual (Felix flagged this for usability — I flag it for security). A disabled editor that still accepts keyboard input means a "read-only" view is not actually read-only. If transcription edit permissions are gated by disabled={!user.canWrite}, a determined user can tab into the contenteditable and modify content client-side — server-side authorization will (correctly) reject the save, but the UI lies about state. Wire editor.setEditable(!disabled) reactively as Felix suggested. Defense in depth: the server is the only authority, but the client should not lie.

5. Suggestion plugin's items callback fetches without a CSRF token — fine for GET, but worth noting. GET requests don't need CSRF; the cookie-based auth via Vite proxy / Caddy works. No action needed; just affirming the request method.

Backend security — clean

• Deleting PersonMentionPropagationListener removes a regex-based string rewriter operating on user-controlled text. The regex was ReDoS-bounded by Pattern.quote, but the concept of "rewrite arbitrary user content based on metadata changes" is a class of vulnerability we don't need.
• ErrorCode.PERSON_RENAME_CONFLICT removal is contained — no information leak from the now-impossible 409 response.
• PersonService.updatePerson no longer catches OptimisticLockingFailureException from the listener path because the listener is gone. The remaining service code path doesn't introduce new exception swallowing. Good.

Detection notes

• Add a Semgrep rule (or ESLint rule) catching innerHTML assignment in the transcription render path so future contributors don't accidentally introduce XSS:

  rules:
    - id: transcription-render-no-inner-html
      pattern: $X.innerHTML = $Y
      paths: { include: ["frontend/src/lib/components/**Transcription*"] }
      message: "Use textContent or framework-escaped binding for transcription text"
      severity: ERROR
  

• Add a unit test that asserts the typeahead's response DTO does not include notes (lock down the API surface).

🤖 Generated with Claude Code

## Nora Steiner ("NullX") — Application Security Engineer **Verdict: Approved with concerns** The Tiptap migration introduces three new attack surfaces (renderHTML output, contenteditable input, client-side fetch) and removes one (the regex-based listener that rewrote stored block text — that thing was a textbook injection-vector waiting to happen). Net security: improvement. But the new surfaces deserve explicit assertions. ### Concerns (no confirmed vulnerabilities — these are smells worth pinning down) 1. **`renderHTML` output for the Mention node is array-form, which Tiptap auto-escapes — verify with a test.** `PersonMentionEditor.svelte:101–112` returns a tuple `['span', { 'data-display-name': node.attrs.displayName }, '@${node.attrs.displayName}']`. ProseMirror's DOM serializer treats the third element as text content and escapes it, so a `displayName` of `<script>alert(1)</script>` should become `&lt;script&gt;alert(1)&lt;/script&gt;`. **The serializer test verifies that the *string* survives the round-trip — but no test asserts that the *rendered DOM* does not contain a script tag.** Add one (CWE-79): ```typescript it('does not inject HTML when displayName contains script tags', async () => { const sidecar = [{ personId: 'p', displayName: '<img src=x onerror=alert(1)>' }]; // Render via the editor → assert the resulting DOM has no <img> with onerror const editorRoot = document.querySelector('[role="textbox"]')!; expect(editorRoot.querySelector('img')).toBeNull(); expect(editorRoot.textContent).toContain('<img src=x onerror=alert(1)>'); }); ``` Without this test, a future "let me just use innerHTML for performance" refactor silently regresses. 2. **`renderTranscriptionBody` (read mode, in `PersonHoverCard.svelte` and elsewhere) is unchanged but consumes the new short-`displayName` sidecar entries.** If `displayName: 'Aug'` is naively interpolated as HTML somewhere, a malicious transcriber typing `@<script>` into the typeahead and selecting any person stores `displayName: '<script>'` in the sidecar, which then gets reflected in read mode. Trace where the sidecar `displayName` is consumed and confirm every consumer escapes it. The serializer security test correctly says "HTML escaping is the renderer's job" — that places the burden on the renderer. Audit the renderer. 3. **Client-side `fetch('/api/persons?q=' + encodeURIComponent(query))` — the encoding is correct, but the response is dropped into the dropdown without server-side filtering of which fields are exposed.** The component types it as `Person`, which (per the OpenAPI schema) includes `birthYear`, `deathYear`, possibly `notes`. Notes are private text. Confirm `GET /api/persons?q=` returns only the typeahead-safe shape (id, displayName, birthYear, deathYear), not the full Person entity. If `notes` leak into the dropdown, that's CWE-200 (information exposure). Quick check: read the `PersonController.search` method or hit the endpoint locally and verify. 4. **Disabled state is purely visual** (Felix flagged this for usability — I flag it for security). A `disabled` editor that still accepts keyboard input means a "read-only" view is not actually read-only. If transcription edit permissions are gated by `disabled={!user.canWrite}`, a determined user can tab into the contenteditable and modify content client-side — server-side authorization will (correctly) reject the save, but the UI lies about state. Wire `editor.setEditable(!disabled)` reactively as Felix suggested. Defense in depth: the server is the only authority, but the client should not lie. 5. **Suggestion plugin's `items` callback fetches without a CSRF token — fine for `GET`, but worth noting.** GET requests don't need CSRF; the cookie-based auth via Vite proxy / Caddy works. No action needed; just affirming the request method. ### Backend security — clean - Deleting `PersonMentionPropagationListener` removes a regex-based string rewriter operating on user-controlled text. The regex was ReDoS-bounded by `Pattern.quote`, but the *concept* of "rewrite arbitrary user content based on metadata changes" is a class of vulnerability we don't need. - `ErrorCode.PERSON_RENAME_CONFLICT` removal is contained — no information leak from the now-impossible 409 response. - `PersonService.updatePerson` no longer catches `OptimisticLockingFailureException` from the listener path because the listener is gone. The remaining service code path doesn't introduce new exception swallowing. Good. ### Detection notes - Add a Semgrep rule (or ESLint rule) catching `innerHTML` assignment in the transcription render path so future contributors don't accidentally introduce XSS: ```yaml rules: - id: transcription-render-no-inner-html pattern: $X.innerHTML = $Y paths: { include: ["frontend/src/lib/components/**Transcription*"] } message: "Use textContent or framework-escaped binding for transcription text" severity: ERROR ``` - Add a unit test that asserts the typeahead's response DTO does not include `notes` (lock down the API surface). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:04:59 +02:00

Author

Owner

Copy Link

Sara Holt — Senior QA Engineer

Verdict: Approved with concerns

The test rewrite is a major improvement: the old document.querySelector('textarea') + dispatchEvent('input') approach was implementation-coupled and brittle. The new userEvent.type + vi.waitFor flow tests user-visible behavior. AC-1 has explicit regression tests with strong assertions ("typed text becomes displayName, not the DB name"). The serializer round-trip invariant is exactly the kind of property test that catches refactoring regressions. 14/14 + 22/22 + 12/12 + 49/49 — green is documented.

Concerns

1. Test pyramid: no integration coverage for the new client→server typeahead path. The component spec mocks fetch globally, so the wire format between Tiptap's items callback and GET /api/persons?q= is never exercised end-to-end. This is acceptable at the unit layer, but I'd want at least one Playwright E2E that types @Aug into a real document's transcription block, sees a real backend response, and selects a person. Without it, a backend change to the search response shape (e.g. wrapping in {items: [...]}) silently breaks the editor and is only caught manually. Add it to frontend/e2e/transcription/mention-typeahead.spec.ts if it doesn't exist.

2. mentionSerializer.spec.ts — strong start but missing edge cases I'd expect:

   • Empty mention: displayName: '' in sidecar — what happens? Should it be skipped or preserved verbatim?
   • Mention overlap with mention: @Anna followed by @Anna Schmidt in text with both in sidecar — current code sorts by length descending, so Anna Schmidt wins where it appears, but is the position-aware matching correct? Add an explicit test case.
   • Unicode in displayName: @Müller round-trip — string compares are byte-aware, JS strings handle UTF-16 surrogates. Add '@François' as a round-trip case.
   • Newlines inside paragraphs: text serializer joins lines with '\n' but the JSON model uses separate paragraphs. 'a\n\nb' (double newline) — verify it produces 3 paragraphs and round-trips.

3. TranscriptionBlock.svelte.spec.ts quote-selection test (line 2533–2554 of the diff) — uses raw document.createRange() + selection.addRange() + manually dispatched input event. This works because Tiptap listens to selection changes. But the test bypasses Tiptap's onSelectionUpdate plugin lifecycle — it depends on the input event triggering the right callback chain. If a future Tiptap upgrade decouples input from selection notifications, this test silently passes for the wrong reason. Use vitest-browser's userEvent.tripleClick(editor) (selects the line) or Tiptap's editor command to drive selection through the official path.

4. Stale test: personMention.spec.ts still runs but tests dead code. Felix flagged the source file. The spec file should either be deleted along with the source, or — if the tests are still valuable as documentation of the regex rules — moved into the mentionSerializer test alongside the deserialize boundary tests. As-is, it's coverage padding.

5. Backend: the listener tests were deleted (PersonMentionPropagationListenerTest.java, full file removal). Correct response to listener deletion. But PersonServiceTest lost 4 tests covering updatePerson_publishesEvent_* paths. Verify these aren't replaced by tests confirming the non-publishing behavior:

   @Test
   void updatePerson_doesNotPublishAnyEvent_whenDisplayNameChanges() {
     // proves the rename-propagation listener path is gone
     verify(eventPublisher, never()).publishEvent(any());
   }
   

   Wait — eventPublisher field was removed from the test class entirely (line 511 of diff: @Mock ApplicationEventPublisher eventPublisher; deleted). That's correct, but it means the negative assertion is now untestable structurally. The architecture decision (no event published) is now enforced by the absence of the dependency, which is a cleaner guarantee. Acceptable.

LGTM

• AC-1 regression test is exactly the right test: it asserts the typed-query becomes the displayName, not the DB name. If a future contributor "fixes" the suggestion to insert props.displayName from person.displayName, this test fails immediately. That's permanent regression value.
• Round-trip invariant test in mentionSerializer.spec.ts is property-style — covers any text/sidecar pair, not just enumerated cases. Good QA hygiene.
• vi.waitFor replaces fake-timer hacks. Real-time tests in browser mode are slower but more honest about what the user sees. Right call.
• The deleted optimistic-locking conflict test was 50+ lines of fragile mock wiring (mocking the publisher to route events back to a real listener instance). Glad to see it go.

Quality gate concerns

• The PR mentions "2 remaining failures are pre-existing on the base branch (DocumentRow tag-click and RichtlinienRuleCard) and unrelated." Confirm with git checkout main && npm run test that these fail on main too, then file Gitea issues. Pre-existing failures are tech debt — name them or fix them.
• E2E suite for transcription editing: I haven't seen evidence in the diff that any Playwright test covers the full flow open document → click into transcription block → type @ → select person → save → reopen → verify mention persists with typed displayName. This is a critical user journey and the heart of issue #372. Add it.

🤖 Generated with Claude Code

## Sara Holt — Senior QA Engineer **Verdict: Approved with concerns** The test rewrite is a major improvement: the old `document.querySelector('textarea')` + `dispatchEvent('input')` approach was implementation-coupled and brittle. The new `userEvent.type` + `vi.waitFor` flow tests user-visible behavior. AC-1 has explicit regression tests with strong assertions ("typed text becomes displayName, not the DB name"). The serializer round-trip invariant is exactly the kind of property test that catches refactoring regressions. 14/14 + 22/22 + 12/12 + 49/49 — green is documented. ### Concerns 1. **Test pyramid: no integration coverage for the new client→server typeahead path.** The component spec mocks `fetch` globally, so the wire format between Tiptap's `items` callback and `GET /api/persons?q=` is never exercised end-to-end. This is acceptable at the unit layer, but I'd want at least one Playwright E2E that types `@Aug` into a real document's transcription block, sees a real backend response, and selects a person. Without it, a backend change to the search response shape (e.g. wrapping in `{items: [...]}`) silently breaks the editor and is only caught manually. Add it to `frontend/e2e/transcription/mention-typeahead.spec.ts` if it doesn't exist. 2. **`mentionSerializer.spec.ts` — strong start but missing edge cases I'd expect:** - Empty mention: `displayName: ''` in sidecar — what happens? Should it be skipped or preserved verbatim? - Mention overlap with mention: `@Anna` followed by `@Anna Schmidt` in text with both in sidecar — current code sorts by length descending, so `Anna Schmidt` wins where it appears, but is the *position-aware* matching correct? Add an explicit test case. - Unicode in displayName: `@Müller` round-trip — string compares are byte-aware, JS strings handle UTF-16 surrogates. Add `'@François'` as a round-trip case. - Newlines inside paragraphs: text serializer joins lines with `'\n'` but the JSON model uses separate paragraphs. `'a\n\nb'` (double newline) — verify it produces 3 paragraphs and round-trips. 3. **`TranscriptionBlock.svelte.spec.ts` quote-selection test (line 2533–2554 of the diff) — uses raw `document.createRange()` + `selection.addRange()` + manually dispatched `input` event.** This works because Tiptap listens to selection changes. But the test bypasses Tiptap's `onSelectionUpdate` plugin lifecycle — it depends on the `input` event triggering the right callback chain. If a future Tiptap upgrade decouples `input` from selection notifications, this test silently passes for the wrong reason. Use `vitest-browser`'s `userEvent.tripleClick(editor)` (selects the line) or Tiptap's editor command to drive selection through the official path. 4. **Stale test: `personMention.spec.ts` still runs but tests dead code.** Felix flagged the source file. The spec file should either be deleted along with the source, or — if the tests are still valuable as documentation of the regex rules — moved into the `mentionSerializer` test alongside the `deserialize` boundary tests. As-is, it's coverage padding. 5. **Backend: the listener tests were deleted (`PersonMentionPropagationListenerTest.java`, full file removal).** Correct response to listener deletion. But `PersonServiceTest` lost 4 tests covering `updatePerson_publishesEvent_*` paths. Verify these aren't replaced by tests confirming the *non-publishing* behavior: ```java @Test void updatePerson_doesNotPublishAnyEvent_whenDisplayNameChanges() { // proves the rename-propagation listener path is gone verify(eventPublisher, never()).publishEvent(any()); } ``` Wait — `eventPublisher` field was removed from the test class entirely (line 511 of diff: `@Mock ApplicationEventPublisher eventPublisher;` deleted). That's correct, but it means the *negative* assertion is now untestable structurally. The architecture decision (no event published) is now enforced by *the absence of the dependency*, which is a cleaner guarantee. Acceptable. ### LGTM - AC-1 regression test is *exactly* the right test: it asserts the typed-query becomes the `displayName`, not the DB name. If a future contributor "fixes" the suggestion to insert `props.displayName` from `person.displayName`, this test fails immediately. That's permanent regression value. - Round-trip invariant test in `mentionSerializer.spec.ts` is property-style — covers any text/sidecar pair, not just enumerated cases. Good QA hygiene. - `vi.waitFor` replaces fake-timer hacks. Real-time tests in browser mode are slower but more honest about what the user sees. Right call. - The deleted optimistic-locking conflict test was 50+ lines of fragile mock wiring (mocking the publisher to route events back to a real listener instance). Glad to see it go. ### Quality gate concerns - The PR mentions "2 remaining failures are pre-existing on the base branch (DocumentRow tag-click and RichtlinienRuleCard) and unrelated." Confirm with `git checkout main && npm run test` that these fail on main too, then file Gitea issues. Pre-existing failures are tech debt — name them or fix them. - E2E suite for transcription editing: I haven't seen evidence in the diff that any Playwright test covers the full flow `open document → click into transcription block → type @ → select person → save → reopen → verify mention persists with typed displayName`. This is a critical user journey and the heart of issue #372. Add it. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:05:35 +02:00

Author

Owner

Copy Link

Leonie Voss — UX Designer & Accessibility Strategist

Verdict: Approved with concerns

The visual model is preserved (mention pill: brand-mint underline, brand-navy text — matches the read-mode rendering). The dropdown's flip-strategy positioning (MentionDropdown.svelte lines 53–63 of the diff) is a real UX improvement over the textarea version, which always opened downward and clipped on long blocks. Touch targets stayed at 44px (min-h-[44px]). i18n keys added for de/en/es. Three accessibility issues need fixing before merge.

Critical

1. disabled is visual-only — keyboard users can still type into a "disabled" editor. PersonMentionEditor.svelte:1937 wraps the editor div with class:opacity-50 and class:pointer-events-none, but pointer-events-none does not block keyboard focus. A user pressing Tab will land in the contenteditable and be able to type. This is a WCAG 2.1.1 (Keyboard) and 4.1.2 (Name, Role, Value) issue: the disabled state is announced by neither name nor role, and keyboard users have no way to know the editor is supposed to be inactive.

   Fix:

   $effect(() => {
       editor?.setEditable(!disabled);
   });
   

   And add aria-disabled="true" to the wrapper when disabled — Tiptap will set contenteditable="false" on the inner div, and screen readers announce "Transkriptionstext, deaktiviert" instead of "Transkriptionstext, edit text."

Major

2. Mention pill class text-brand-navy font-medium underline decoration-brand-mint underline-offset-2 (line 108) — brand-mint #A6DAD8 as an underline on white background has a contrast ratio of ~2.0:1. It fails WCAG 1.4.11 Non-Text Contrast (3:1 minimum). The mint underline communicates "this is a mention" — that's a meaningful visual cue, not decorative. Either thicken to decoration-2 (often perceived as more solid) AND darken to a decoration-brand-mint-700 token, or use a brand-navy underline with brand-mint as the background highlight (bg-brand-mint/20). Test with the senior-on-bright-screen scenario.

3. MentionDropdown.svelte — keyboard highlight ring is ring-2 ring-brand-mint (line 1431 of the diff), same problem as #2. On bg-brand-mint/20, the brand-mint ring is ~2.5:1 against white. Use ring-brand-navy (14.5:1) for the highlighted-row indicator. The screenshot will tell the whole story — please attach one before merging.

Minor

4. MentionDropdown.svelte:32 — let highlightedIndex = $state(0) resets to 0 whenever model.items changes. Result: when the user types @Aug (highlight = first match) then types one more letter @Auge, the highlight jumps back to position 0. If the same result is still in the list at a different index, the previous user expectation breaks. Minor edge case, but for a power user typing fast this is friction. Consider preserving the highlight by personId rather than index.

5. No empty-state "Create new person" link. The old textarea-era component (line 1894 of the diff, deleted) showed "Neue Person anlegen →" when no results matched — that's the m.person_mention_create_new() translation key. The new MentionDropdown.svelte only shows "Keine Personen gefunden" with no creation affordance. This is a regression in workflow: if the transcriber types a name that doesn't exist, they have to (a) close the dropdown, (b) navigate to /persons/new, (c) come back, (d) re-type. Restore the link:

   {#if model.items.length === 0}
       <p class="px-3 py-2.5 font-sans text-sm text-ink-3">{m.person_mention_popup_empty()}</p>
       <a href="/persons/new" target="_blank" rel="noopener" class="..."> {m.person_mention_create_new()} → </a>
   {/if}
   

   The m.person_mention_create_new() key still exists in all three locale files — it's just not rendered.

6. aria-multiline="true" is set on the editor (line 1755 of the diff) — good. But the aria-label="Transkriptionstext" is the only accessible name. For SR users navigating a document with multiple transcription blocks, every block reads as "Transkriptionstext, multiline edit text" with no way to distinguish them. Pass the block's index or label as part of the aria-label: aria-label={\Transkriptionsblock ${blockIndex}: ${m.transcription_editor_aria_label()}`}`. Optional — but improves wayfinding for screen reader users on long letters.

LGTM (visual / brand)

• Brand colors: navy + mint + sand correctly used. No hardcoded hex.
• font-serif on the editor body, font-sans on the dropdown labels and the empty-state text — matches the brand typography system.
• The dropdown's flex flex-col gap-1 rows with min-h-[44px] keep touch targets correct for tablet stylus users (the 60+ transcriber persona).
• font-sans text-xs text-ink-3 for the life-date subline is the correct hierarchy.
• The geb. → m.person_born_name_prefix() change in PersonHoverCard.svelte (line 1461) is the right move — geb. is German-only and was broken for en/es viewers. Now it's née / n. — culturally correct.

Test coverage on a11y

• axe-playwright should run on a document detail page in transcribe mode to catch the contrast issues above automatically. Sara mentioned E2E coverage gaps; an axe pass on transcription edit mode would fold a11y testing into the same coverage push.

🤖 Generated with Claude Code

## Leonie Voss — UX Designer & Accessibility Strategist **Verdict: Approved with concerns** The visual model is preserved (mention pill: brand-mint underline, brand-navy text — matches the read-mode rendering). The dropdown's flip-strategy positioning (`MentionDropdown.svelte` lines 53–63 of the diff) is a real UX improvement over the textarea version, which always opened downward and clipped on long blocks. Touch targets stayed at 44px (`min-h-[44px]`). i18n keys added for de/en/es. Three accessibility issues need fixing before merge. ### Critical 1. **`disabled` is visual-only — keyboard users can still type into a "disabled" editor.** `PersonMentionEditor.svelte:1937` wraps the editor div with `class:opacity-50` and `class:pointer-events-none`, but `pointer-events-none` does not block keyboard focus. A user pressing Tab will land in the contenteditable and be able to type. This is a WCAG 2.1.1 (Keyboard) and 4.1.2 (Name, Role, Value) issue: the disabled state is announced by neither name nor role, and keyboard users have no way to know the editor is supposed to be inactive. Fix: ```typescript $effect(() => { editor?.setEditable(!disabled); }); ``` And add `aria-disabled="true"` to the wrapper when disabled — Tiptap will set `contenteditable="false"` on the inner div, and screen readers announce "Transkriptionstext, deaktiviert" instead of "Transkriptionstext, edit text." ### Major 2. **Mention pill class `text-brand-navy font-medium underline decoration-brand-mint underline-offset-2` (line 108)** — `brand-mint #A6DAD8` as an underline on white background has a contrast ratio of ~2.0:1. It fails WCAG 1.4.11 Non-Text Contrast (3:1 minimum). The mint underline communicates "this is a mention" — that's a *meaningful* visual cue, not decorative. Either thicken to `decoration-2` (often perceived as more solid) AND darken to a `decoration-brand-mint-700` token, or use a brand-navy underline with brand-mint as the background highlight (`bg-brand-mint/20`). Test with the senior-on-bright-screen scenario. 3. **`MentionDropdown.svelte` — keyboard highlight ring is `ring-2 ring-brand-mint`** (line 1431 of the diff), same problem as #2. On `bg-brand-mint/20`, the brand-mint ring is ~2.5:1 against white. Use `ring-brand-navy` (14.5:1) for the highlighted-row indicator. The screenshot will tell the whole story — please attach one before merging. ### Minor 4. **`MentionDropdown.svelte:32` — `let highlightedIndex = $state(0)`** resets to 0 whenever `model.items` changes. Result: when the user types `@Aug` (highlight = first match) then types one more letter `@Auge`, the highlight jumps back to position 0. If the *same* result is still in the list at a different index, the previous user expectation breaks. Minor edge case, but for a power user typing fast this is friction. Consider preserving the highlight by `personId` rather than index. 5. **No empty-state "Create new person" link.** The old textarea-era component (line 1894 of the diff, deleted) showed "Neue Person anlegen →" when no results matched — that's the `m.person_mention_create_new()` translation key. The new `MentionDropdown.svelte` only shows "Keine Personen gefunden" with no creation affordance. This is a *regression* in workflow: if the transcriber types a name that doesn't exist, they have to (a) close the dropdown, (b) navigate to /persons/new, (c) come back, (d) re-type. Restore the link: ```svelte {#if model.items.length === 0} <p class="px-3 py-2.5 font-sans text-sm text-ink-3">{m.person_mention_popup_empty()}</p> <a href="/persons/new" target="_blank" rel="noopener" class="..."> {m.person_mention_create_new()} → </a> {/if} ``` The `m.person_mention_create_new()` key still exists in all three locale files — it's just not rendered. 6. **`aria-multiline="true"` is set on the editor (line 1755 of the diff) — good.** But the `aria-label="Transkriptionstext"` is the only accessible name. For SR users navigating a document with multiple transcription blocks, every block reads as "Transkriptionstext, multiline edit text" with no way to distinguish them. Pass the block's index or label as part of the aria-label: `aria-label={\`Transkriptionsblock ${blockIndex}: ${m.transcription_editor_aria_label()}\`}`. Optional — but improves wayfinding for screen reader users on long letters. ### LGTM (visual / brand) - Brand colors: navy + mint + sand correctly used. No hardcoded hex. - `font-serif` on the editor body, `font-sans` on the dropdown labels and the empty-state text — matches the brand typography system. - The dropdown's `flex flex-col gap-1` rows with `min-h-[44px]` keep touch targets correct for tablet stylus users (the 60+ transcriber persona). - `font-sans text-xs text-ink-3` for the life-date subline is the correct hierarchy. - The `geb.` → `m.person_born_name_prefix()` change in `PersonHoverCard.svelte` (line 1461) is the right move — `geb.` is German-only and was broken for en/es viewers. Now it's `née` / `n.` — culturally correct. ### Test coverage on a11y - `axe-playwright` should run on a document detail page in transcribe mode to catch the contrast issues above automatically. Sara mentioned E2E coverage gaps; an axe pass on `transcription edit mode` would fold a11y testing into the same coverage push. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:06:06 +02:00

Author

Owner

Copy Link

Tobias Wendt — DevOps & Platform Engineer

Verdict: Approved with concerns

Bundle-size and dependency-management considerations dominate this review. The Tiptap stack is appropriate for the use case but adds non-trivial weight to the frontend; the renovate.json placement and grouping rule need a quick check against the existing infra. No deployment- or backup-affecting changes — backend is purely a deletion, which is cheap to deploy.

Concerns

1. Renovate config placement & integration. The new renovate.json is at the frontend repo root-... wait, no, it's at the monorepo root (line 3215 of the diff). For a monorepo with frontend/, backend/, ocr-service/, this is the right location for repo-wide Renovate runs. Verify three things before merge:

   • Is the self-hosted Renovate runner pointed at this file or at .gitea/renovate.json? If your runner config (in infra/) expects the latter, this PR's file is dead config and Renovate keeps using its defaults.
   • The matchPackagePatterns syntax is the legacy Renovate config — modern Renovate prefers matchPackageNames with regex (/^@tiptap//). Your runner version determines compatibility. The legacy syntax still works but emits a deprecation warning in logs.
   • automerge: false is correct for @tiptap/* (a richtext editor is too API-surface-heavy for blind automerges). But this is the first renovate.json in the repo per the diff context — if you already have one elsewhere (e.g. .github/renovate.json from a Gitea fork), confirm one config wins.

2. Bundle size — three new dependencies.

   @tiptap/core         3.22.5  (~50 KB gzipped, includes ProseMirror)
   @tiptap/extension-mention  3.22.5  (~5 KB gzipped)
   @tiptap/starter-kit  3.22.5  (~30 KB gzipped, pulls multiple extensions)
   

   That's ~85 KB gzipped added to the transcription page bundle. For a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users, this is acceptable — the bandwidth cost is negligible. But add a npm run build size diff to the PR description so future bundle audits have a baseline. (Run npx vite-bundle-visualizer once and commit a note: "transcription chunk: 142 KB → 227 KB after Tiptap.")

3. yarn.lock was modified (line 2869 of the diff) but package-lock.json was also modified (line 676). Pick one. Mixing both is a smell — npm will use one, yarn the other, and CI runners pick the wrong one half the time. The project's documented installer is npm install per frontend/CLAUDE.md, so:

   • Delete yarn.lock
   • Add yarn.lock to .gitignore
   • Confirm CI uses npm ci (not yarn install)

   If yarn was committed by accident from a contributor's local environment, this is the moment to clean it up. Otherwise every Renovate update will create lockfile drift between the two.

4. Pinned exact versions (3.22.5 — no caret). Good — reproducible. Renovate will manage updates. But @tiptap/extension-blockquote and friends in yarn.lock are caret-ranged, suggesting starter-kit pulls them as transitive deps with their own range. The PR description says "Tiptap 3.22.5 (core, starter-kit, extension-mention) pinned exact" — verify the transitive deps stay locked across reinstalls. Use npm ci (not npm install) in CI to enforce lockfile fidelity.

5. No CI workflow changes detected. Adding three dependencies should at least bump the frontend-build job's actions/cache@v4 key (if the cache key includes package-lock.json hash, this is automatic — verify by reading .gitea/workflows/). If the key is hardcoded or hashes only package.json, the new deps cause cache misses but still work; just a missed optimization.

LGTM

• Backend deletion-only changes mean zero migration work, zero rollback risk, zero infra cost change. Deployable as a no-op rolling restart.
• No new env vars, no new ports, no new services. The OCR service, MinIO, Postgres, and Caddy configurations are untouched.
• No log volume change expected — listener removal slightly reduces log churn during person renames (it logged "Propagated rename ..." before).
• renovate.json even existing is a positive step — most family/hobby projects skip dependency management until something breaks.

Action items before merge

1. Delete frontend/yarn.lock, confirm npm-only.
2. Verify Renovate runner config picks up the new renovate.json.
3. Add a one-line bundle size note to the PR description (or commit message).

🤖 Generated with Claude Code

## Tobias Wendt — DevOps & Platform Engineer **Verdict: Approved with concerns** Bundle-size and dependency-management considerations dominate this review. The Tiptap stack is appropriate for the use case but adds non-trivial weight to the frontend; the `renovate.json` placement and grouping rule need a quick check against the existing infra. No deployment- or backup-affecting changes — backend is purely a deletion, which is cheap to deploy. ### Concerns 1. **Renovate config placement & integration.** The new `renovate.json` is at the *frontend repo root*-... wait, no, it's at the *monorepo root* (line 3215 of the diff). For a monorepo with `frontend/`, `backend/`, `ocr-service/`, this is the right location for repo-wide Renovate runs. **Verify three things before merge:** - Is the self-hosted Renovate runner pointed at this file or at `.gitea/renovate.json`? If your runner config (in `infra/`) expects the latter, this PR's file is dead config and Renovate keeps using its defaults. - The `matchPackagePatterns` syntax is the *legacy* Renovate config — modern Renovate prefers `matchPackageNames` with regex (`/^@tiptap//`). Your runner version determines compatibility. The legacy syntax still works but emits a deprecation warning in logs. - `automerge: false` is correct for `@tiptap/*` (a richtext editor is too API-surface-heavy for blind automerges). But this is the *first* `renovate.json` in the repo per the diff context — if you already have one elsewhere (e.g. `.github/renovate.json` from a Gitea fork), confirm one config wins. 2. **Bundle size — three new dependencies.** ``` @tiptap/core 3.22.5 (~50 KB gzipped, includes ProseMirror) @tiptap/extension-mention 3.22.5 (~5 KB gzipped) @tiptap/starter-kit 3.22.5 (~30 KB gzipped, pulls multiple extensions) ``` That's ~85 KB gzipped added to the transcription page bundle. For a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users, this is acceptable — the bandwidth cost is negligible. But add a `npm run build` size diff to the PR description so future bundle audits have a baseline. (Run `npx vite-bundle-visualizer` once and commit a note: "transcription chunk: 142 KB → 227 KB after Tiptap.") 3. **`yarn.lock` was modified (line 2869 of the diff) but `package-lock.json` was also modified (line 676).** Pick one. Mixing both is a smell — npm will use one, yarn the other, and CI runners pick the wrong one half the time. The project's documented installer is `npm install` per `frontend/CLAUDE.md`, so: - Delete `yarn.lock` - Add `yarn.lock` to `.gitignore` - Confirm CI uses `npm ci` (not `yarn install`) If yarn was committed by accident from a contributor's local environment, this is the moment to clean it up. Otherwise every Renovate update will create lockfile drift between the two. 4. **Pinned exact versions (3.22.5 — no caret).** Good — reproducible. Renovate will manage updates. But `@tiptap/extension-blockquote` and friends in `yarn.lock` are caret-ranged, suggesting starter-kit pulls them as transitive deps with their own range. The PR description says "Tiptap 3.22.5 (core, starter-kit, extension-mention) pinned exact" — verify the transitive deps stay locked across reinstalls. Use `npm ci` (not `npm install`) in CI to enforce lockfile fidelity. 5. **No CI workflow changes detected.** Adding three dependencies should at least bump the `frontend-build` job's `actions/cache@v4` key (if the cache key includes `package-lock.json` hash, this is automatic — verify by reading `.gitea/workflows/`). If the key is hardcoded or hashes only `package.json`, the new deps cause cache misses but still work; just a missed optimization. ### LGTM - Backend deletion-only changes mean **zero migration work**, **zero rollback risk**, **zero infra cost change**. Deployable as a no-op rolling restart. - No new env vars, no new ports, no new services. The OCR service, MinIO, Postgres, and Caddy configurations are untouched. - No log volume change expected — listener removal slightly reduces log churn during person renames (it logged "Propagated rename ..." before). - `renovate.json` even existing is a positive step — most family/hobby projects skip dependency management until something breaks. ### Action items before merge 1. Delete `frontend/yarn.lock`, confirm npm-only. 2. Verify Renovate runner config picks up the new `renovate.json`. 3. Add a one-line bundle size note to the PR description (or commit message). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:06:41 +02:00

Author

Owner

Copy Link

Elicit — Requirements Engineer (Brownfield review)

Verdict: Approved with concerns

This PR resolves issue #372 ("Person mention: decouple display text from person name") with a surgically scoped intervention. The acceptance-criteria mapping in the PR description is excellent — AC-1 (typed text → displayName), AC-4 (mention atomicity), AC-6 (backward compat), AC-7 (quote selection still works) are each linked to a concrete test. AC-2/3/5 are not mentioned; verify they're either out-of-scope for this PR (a follow-up) or implicitly covered.

Open Questions / TBD

OQ-373-01 — AC coverage gaps. The PR description maps AC-1, 4, 6, 7. What about AC-2, 3, 5? If they were retired during refinement, link the comment that retired them. If they're for a follow-up issue (B3?), add a "Out of scope" subsection to the PR body. Reviewers should not have to cross-reference issue #372's full AC list to know what is and isn't shipping.

OQ-373-02 — Manual test plan items unchecked.

• Manual: open a document in transcription edit mode, type @Clar, select "Clara Cram" — editor shows Clara (underlined, brand-mint), not Clara Cram
• Manual: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged

These are checkbox items in the test plan that are not yet checked. The behavior they verify is the core promise of issue #372. Are they:

• Actually verified manually but the box wasn't ticked? → Tick them.
• Not yet verified? → Block merge until they are. The whole point of the issue is the second one (rename → no rewrite).

OQ-373-03 — i18n key transcription_editor_aria_label. "Transkriptionstext" / "Transcription text" / "Texto de transcripción" — these are translations of "transcription text," not of "transcription editor" or "transcription text editor." For screen reader users, the announced name is <value>, edit text, multi line (textbox role + multiline). Compare:

• "Transkriptionstext, edit text, multi line" — slightly redundant.
• "Transkription bearbeiten, edit text, multi line" — clearer that it's the editor surface.

Decide which fits the senior persona better; the current text is functional but not optimal.

OQ-373-04 — User story for @ typeahead empty state. The old empty state offered "Neue Person anlegen →" (linked to /persons/new?name=...). The new MentionDropdown.svelte shows only "Keine Personen gefunden". Was this an intentional requirement change ("simplify the empty state — no inline person creation"), or an oversight? The translation key m.person_mention_create_new() is still in all three message files, suggesting the intent was to keep it. Confirm with the product owner; if removed intentionally, drop the orphaned translation key (Felix flagged this elsewhere).

NFR Checklist for the changed surface

NFR Category	Status	Note
Performance	🟡	+85 KB gzipped to transcription page bundle (Tobias). Verify p95 page load on /documents/[id] did not regress.
Accessibility	🟡	disabled not enforced; mint underline contrast questionable (Leonie).
Localization	🟡	New keys in de/en/es — verified. Stale error_person_rename_conflict keys not removed (Felix).
Security	🟡	XSS surface review needed for displayName in DOM (Nora).
Maintainability	🟢	Pure serializer + Tiptap = much more maintainable than the old textarea + regex listener.
Reliability	🟢	Round-trip invariant test prevents data loss on serialize/deserialize.
Compatibility	🟡	Tiptap 3.22.5 in a Svelte 5 / SvelteKit 2 app — confirmed working in tests; document supported browsers (mention atomicity uses contenteditable, IE/old Safari behave differently — irrelevant for the family archive's actual user base, just note it).
Observability	⚪	No new metrics. Person rename used to log "Propagated rename ..." — that log line is gone (intentional).
Backup/Archive	🟢	The whole point of this PR is archival fidelity. No regressions; PR strengthens this NFR.

LGTM

• Issue → PR traceability is excellent. The PR description reads like a spec → implementation report. Future "what changed and why" archeology will be easy.
• The decision to delete the listener instead of patching it is correctly framed in archival-fidelity language ("the listener would actively corrupt historical transcription text"). That framing aligns with the project's product frame (Familienarchiv = archival, not derived data).
• Backward-compat handled explicitly (AC-6) — old format full-name sidecar entries continue to round-trip. Stronger than typical "we'll deal with old data later" promises.

Definition of Done — gating items

• Manual test box #2 (rename → no rewrite) ticked or evidence linked.
• AC-2/3/5 confirmed in scope or moved to a follow-up issue.
• Stale i18n key error_person_rename_conflict deleted or kept with a justification.
• Bundle-size note added (Tobias).
• axe-playwright on the document detail page passing (Sara, Leonie).

🤖 Generated with Claude Code

## Elicit — Requirements Engineer (Brownfield review) **Verdict: Approved with concerns** This PR resolves issue #372 ("Person mention: decouple display text from person name") with a surgically scoped intervention. The acceptance-criteria mapping in the PR description is excellent — AC-1 (typed text → displayName), AC-4 (mention atomicity), AC-6 (backward compat), AC-7 (quote selection still works) are each linked to a concrete test. AC-2/3/5 are not mentioned; verify they're either out-of-scope for this PR (a follow-up) or implicitly covered. ### Open Questions / TBD **OQ-373-01 — AC coverage gaps.** The PR description maps AC-1, 4, 6, 7. **What about AC-2, 3, 5?** If they were retired during refinement, link the comment that retired them. If they're for a follow-up issue (B3?), add a "Out of scope" subsection to the PR body. Reviewers should not have to cross-reference issue #372's full AC list to know what is and isn't shipping. **OQ-373-02 — Manual test plan items unchecked.** > - [ ] **Manual**: open a document in transcription edit mode, type `@Clar`, select "Clara Cram" — editor shows `Clara` (underlined, brand-mint), not `Clara Cram` > - [ ] **Manual**: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged These are checkbox items in the test plan that are not yet checked. The behavior they verify is the *core promise* of issue #372. Are they: - Actually verified manually but the box wasn't ticked? → Tick them. - Not yet verified? → Block merge until they are. The whole point of the issue is the second one (rename → no rewrite). **OQ-373-03 — i18n key `transcription_editor_aria_label`.** "Transkriptionstext" / "Transcription text" / "Texto de transcripción" — these are translations of "transcription text," not of "transcription editor" or "transcription text editor." For screen reader users, the announced name is `<value>, edit text, multi line` (textbox role + multiline). Compare: - "Transkriptionstext, edit text, multi line" — slightly redundant. - "Transkription bearbeiten, edit text, multi line" — clearer that it's the editor surface. Decide which fits the senior persona better; the current text is functional but not optimal. **OQ-373-04 — User story for `@` typeahead empty state.** The old empty state offered "Neue Person anlegen →" (linked to `/persons/new?name=...`). The new `MentionDropdown.svelte` shows only "Keine Personen gefunden". Was this an *intentional* requirement change ("simplify the empty state — no inline person creation"), or an oversight? The translation key `m.person_mention_create_new()` is still in all three message files, suggesting the intent was to keep it. Confirm with the product owner; if removed intentionally, drop the orphaned translation key (Felix flagged this elsewhere). ### NFR Checklist for the changed surface | NFR Category | Status | Note | | -------------- | ------ | ---- | | Performance | 🟡 | +85 KB gzipped to transcription page bundle (Tobias). Verify p95 page load on `/documents/[id]` did not regress. | | Accessibility | 🟡 | `disabled` not enforced; mint underline contrast questionable (Leonie). | | Localization | 🟡 | New keys in de/en/es — verified. Stale `error_person_rename_conflict` keys not removed (Felix). | | Security | 🟡 | XSS surface review needed for `displayName` in DOM (Nora). | | Maintainability| 🟢 | Pure serializer + Tiptap = much more maintainable than the old textarea + regex listener. | | Reliability | 🟢 | Round-trip invariant test prevents data loss on serialize/deserialize. | | Compatibility | 🟡 | Tiptap 3.22.5 in a Svelte 5 / SvelteKit 2 app — confirmed working in tests; document supported browsers (mention atomicity uses contenteditable, IE/old Safari behave differently — irrelevant for the family archive's actual user base, just note it). | | Observability | ⚪ | No new metrics. Person rename used to log "Propagated rename ..." — that log line is gone (intentional). | | Backup/Archive | 🟢 | The whole *point* of this PR is archival fidelity. No regressions; PR strengthens this NFR. | ### LGTM - Issue → PR traceability is excellent. The PR description reads like a spec → implementation report. Future "what changed and why" archeology will be easy. - The decision to delete the listener instead of patching it is correctly framed in archival-fidelity language ("the listener would actively corrupt historical transcription text"). That framing aligns with the project's product frame (Familienarchiv = archival, not derived data). - Backward-compat handled explicitly (AC-6) — old format full-name sidecar entries continue to round-trip. Stronger than typical "we'll deal with old data later" promises. ### Definition of Done — gating items - [ ] Manual test box #2 (rename → no rewrite) ticked or evidence linked. - [ ] AC-2/3/5 confirmed in scope or moved to a follow-up issue. - [ ] Stale i18n key `error_person_rename_conflict` deleted or kept with a justification. - [ ] Bundle-size note added (Tobias). - [ ] axe-playwright on the document detail page passing (Sara, Leonie). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel referenced this pull request 2026-04-29 16:22:31 +02:00

GET /api/persons leaks PersonSummaryDTO.notes to typeahead clients (CWE-200) #374

marcel added 8 commits 2026-04-29 16:25:43 +02:00

refactor(frontend): delete orphaned personMention.ts after Tiptap migration ... 4ac94b2feb

The textarea-era detectPersonMention helper has no production callers since
the suggestion plugin's char: '@' mechanism replaced it. Per "Dead code is
deleted, not commented out", remove the source file and its spec — the spec
was running but tested a function nobody calls.

Felix #5615 blocker.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

chore(i18n): remove orphaned error_person_rename_conflict translation key ... 94d0733412

errors.ts no longer references this code (the rename-propagation listener
was deleted) and the matching ErrorCode value is gone from the backend.
The Paraglide-compiled message helpers should not include strings nothing
calls — drop the entries from de/en/es to keep the i18n surface honest.

Felix #5615 + Elicit #5624 blocker.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(PersonMentionEditor): enforce disabled state on the contenteditable ... 6ef888a128

Wrapping the editor with pointer-events-none was visual-only — keyboard users
could still tab into the contenteditable and type. Wire `editable: !disabled`
on the Tiptap Editor and a reactive `$effect` that calls setEditable when the
prop flips after mount; expose `aria-disabled="true"` on the wrapper so
screen readers announce the deactivated state.

Tests assert contenteditable=false and aria-disabled=true when disabled;
contenteditable=true otherwise.

Closes WCAG 2.1.1 / 4.1.2 — Felix #5615 + Leonie #5621 + Nora #5618 BLOCKER.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

test(PersonMentionEditor): assert no HTML injection via mention displayName ... fa7b97acdc

Adds a CWE-79 regression test: a sidecar entry whose displayName contains
an <img onerror=alert(1)> payload must round-trip through deserialize and
the Tiptap renderHTML without producing a real <img> element in the editor
DOM. Locks down the "renderHTML's third tuple entry is a text node, never
parsed as HTML" invariant so a future "use innerHTML for performance"
refactor cannot silently regress.

Nora #5618 detection-gap concern.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(PersonMentionEditor): guard setEditable effect against re-entry loop ... ba88febc77

The disabled-state effect calls editor.setEditable, which triggers a
ProseMirror transaction → onUpdate → bind:value/mentionedPersons writes →
host re-render → child prop pass-through → effect re-fires. Without an
idempotence check, this exceeds Svelte's effect_update_depth and crashes
every consuming spec (TranscriptionBlock 22/22). Compare editor.isEditable
against the desired value first; only call setEditable when it actually
needs to change.

Follow-up to 6ef888a1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fix(person-mention): WCAG 1.4.11 contrast for mention pill and dropdown ring ... f1932fd5f6

Two non-text-contrast failures, both flagged by Leonie #5621:

1. PersonMentionEditor mention pill: decoration-brand-mint (#A6DAD8) on
   white is ≈1.7:1 — fails the 3:1 minimum for meaningful UI indicators.
   Switch to decoration-ink/50, which matches the read-mode .person-mention
   rule (≈6.4:1) and keeps a unified underline language across modes.

2. MentionDropdown highlighted-row ring: ring-brand-mint on bg-brand-mint/20
   is ≈2.5:1 — same failure class. Switch to ring-brand-navy (≈14.5:1
   against the highlight background) so keyboard-driven selection has a
   clearly visible indicator.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

feat(MentionDropdown): restore "Neue Person anlegen" empty-state link ... e6844c403c

The Tiptap rewrite dropped the inline "create new person" affordance the
textarea-era component used to render. Without it the workflow regresses:
transcriber must close the dropdown, navigate to /persons/new, come back,
re-type the query. The m.person_mention_create_new() key is still in all
three locale files — add the link back as a 44px-tall row with a top
border separating it from the empty-state message.

target=_blank keeps document/editor state intact; rel=noopener prevents
reverse-tabnabbing. mousedown preventDefault keeps the editor focused
(the dropdown row pattern used for option rows).

Test: empty-state renders a link to /persons/new with the localised label.

Leonie #5621 (Major) + Elicit OQ-373-04.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs(PersonMentionEditor): document client-side fetch exception inline ... 49443ad16a

Per Markus #5616, the leaf-component fetch in the Tiptap suggestion plugin
violates the project-wide rule from frontend/CLAUDE.md ("Data flows from
+page.server.ts via props — never client-side API fetch"). Add an inline
block-comment explaining why this exception is justified (suggestion runs
client-side per keystroke; same auth surface; no server-side reshape
benefit) and points future readers at the open ADR follow-up plus Nora's
PersonSummaryDTO response-shape audit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

marcel commented 2026-04-29 16:26:32 +02:00

Author

Owner

Copy Link

Felix Brandt — Senior Fullstack Developer (cycle 2 re-review)

Verdict: Approved

Both blockers from my cycle-1 review are gone. Dead code (personMention.ts + spec) deleted in 4ac94b2f; stale error_person_rename_conflict keys removed in all three locale files in 94d07334. Atomic commits, each with a clear "why" message — exactly the diff hygiene I want. Cycle 2 is eight commits, every one a single concern. No bundling.

What I checked again

• frontend/src/lib/utils/personMention.ts — gone. Spec file gone. No dangling imports anywhere in src.
• messages/{de,en,es}.json:554 — the orphaned key is gone in all three files. errors.ts consistent. No translator confusion.
• PersonMentionEditor.svelte disabled semantics — editor: !disabled at construction + $effect(() => editor.setEditable(!disabled)) with the idempotence guard editor.isEditable !== shouldBeEditable. The follow-up commit ba88febc shows TDD-as-truth-discovery: the failing tests caught a re-entry loop that came from setEditable's own ProseMirror transaction → onUpdate → bind:value writes → re-render → effect re-fire. Guard fix is the right shape — compare desired state, only mutate on diff. Same pattern I'd write.
• The XSS test (fa7b97ac) is a characterization test for existing safe behavior — Tiptap's array-form renderHTML is auto-escaped; the test pins that down so a "let me use innerHTML for performance" refactor breaks immediately. Good regression value.

Suggestions (non-blocking)

1. The XSS test asserts negative against the wrong primary: textbox.querySelector('img[onerror]') is correct, but the comment "Tiptap inserts its own ProseMirror-separator " hints at fragility. If a future Tiptap version stops inserting the separator (or changes its attrs), the test still passes but for trivial reasons. Consider also asserting that the displayName text content equals the literal string <img src=x onerror=alert(1)> — that proves the round-trip preserved the payload as text rather than only proving "no element exists with these attrs."

2. docs(PersonMentionEditor): document client-side fetch exception inline is the right move for now — a deferred ADR is a known pattern. But the comment says "Open follow-up: ADR: client-side fetch exception for editor suggestion plugins" without a tracker reference. Either open the placeholder issue and link it (single line in the comment), or strike the "Open follow-up" line so it doesn't drift into "this comment promised an ADR that never materialised."

3. Empty-state link (commit e6844c40) — the border-t border-line separates the "Keine Personen gefunden" message from the link, so visually they read as two units. Good. The target="_blank" rationale (preserve editor state) is valid; the rel="noopener" defensive nit is correct. The mousedown preventDefault matches the dropdown-row pattern used for option rows. Solid.

LGTM

• Eight commits, eight concerns. No bundling, no "fix typo and refactor" mixed messages.
• The setEditable guard fix as a separate commit referencing the parent commit (Follow-up to 6ef888a1) — that's the cleanest way to record "the test caught a real bug in my implementation." Don't amend, do the new commit.
• The decoration-ink/50 choice aligns the editor pill with the read-mode .person-mention rule. One contrast story across the whole transcription surface — easier to maintain.

Cycle-1 blockers all cleared. Approving on this pass.

🤖 Generated with Claude Code

## Felix Brandt — Senior Fullstack Developer (cycle 2 re-review) **Verdict: Approved** Both blockers from my cycle-1 review are gone. Dead code (`personMention.ts` + spec) deleted in `4ac94b2f`; stale `error_person_rename_conflict` keys removed in all three locale files in `94d07334`. Atomic commits, each with a clear "why" message — exactly the diff hygiene I want. Cycle 2 is eight commits, every one a single concern. No bundling. ### What I checked again - `frontend/src/lib/utils/personMention.ts` — gone. Spec file gone. No dangling imports anywhere in `src`. - `messages/{de,en,es}.json:554` — the orphaned key is gone in all three files. `errors.ts` consistent. No translator confusion. - `PersonMentionEditor.svelte` `disabled` semantics — `editor: !disabled` at construction + `$effect(() => editor.setEditable(!disabled))` with the idempotence guard `editor.isEditable !== shouldBeEditable`. The follow-up commit `ba88febc` shows TDD-as-truth-discovery: the failing tests caught a re-entry loop that came from setEditable's own ProseMirror transaction → onUpdate → bind:value writes → re-render → effect re-fire. Guard fix is the right shape — compare desired state, only mutate on diff. Same pattern I'd write. - The XSS test (`fa7b97ac`) is a *characterization* test for existing safe behavior — Tiptap's array-form renderHTML is auto-escaped; the test pins that down so a "let me use innerHTML for performance" refactor breaks immediately. Good regression value. ### Suggestions (non-blocking) 1. **The XSS test asserts negative against the wrong primary**: `textbox.querySelector('img[onerror]')` is correct, but the comment "Tiptap inserts its own ProseMirror-separator <img>" hints at fragility. If a future Tiptap version stops inserting the separator (or changes its attrs), the test still passes but for trivial reasons. Consider also asserting that the `displayName` text content equals the literal string `<img src=x onerror=alert(1)>` — that proves the round-trip preserved the payload as text rather than only proving "no element exists with these attrs." 2. **`docs(PersonMentionEditor): document client-side fetch exception inline`** is the right move for now — a deferred ADR is a known pattern. But the comment says "Open follow-up: ADR: client-side fetch exception for editor suggestion plugins" without a tracker reference. Either open the placeholder issue and link it (single line in the comment), or strike the "Open follow-up" line so it doesn't drift into "this comment promised an ADR that never materialised." 3. **Empty-state link** (commit `e6844c40`) — the `border-t border-line` separates the "Keine Personen gefunden" message from the link, so visually they read as two units. Good. The `target="_blank"` rationale (preserve editor state) is valid; the `rel="noopener"` defensive nit is correct. The mousedown preventDefault matches the dropdown-row pattern used for option rows. Solid. ### LGTM - Eight commits, eight concerns. No bundling, no "fix typo and refactor" mixed messages. - The `setEditable` guard fix as a separate commit referencing the parent commit (`Follow-up to 6ef888a1`) — that's the cleanest way to record "the test caught a real bug in my implementation." Don't amend, do the new commit. - The `decoration-ink/50` choice aligns the editor pill with the read-mode `.person-mention` rule. One contrast story across the whole transcription surface — easier to maintain. Cycle-1 blockers all cleared. Approving on this pass. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:26:59 +02:00

Author

Owner

Copy Link

Markus Keller — Senior Application Architect (cycle 2 re-review)

Verdict: Approved with concerns

Cycle 2 addresses the inline-comment piece of my CLAUDE.md "no client-side API fetch" concern (49443ad1 documents the exception in code), and the deferral of the architectural decision (ADR) is captured by reference rather than left implicit. I appreciate that. The new commits are otherwise localised to the editor surface — no service-layer or domain-model changes — so my architectural review of the listener deletion stands unchanged.

What I checked

• Layer boundaries: still clean. The setEditable guard, contrast tweaks, empty-state link, and disabled-state plumbing are all UI-layer changes. No new repository or service couplings introduced.
• Cross-domain reach: none. The fetch comment in PersonMentionEditor.svelte:124-137 flags the persistent client-side fetch but the call shape is unchanged — same endpoint, same params. Issue #374 (DTO-shape audit) is the right scope for the actual fix.
• $effect discipline: the guard pattern (editor.isEditable !== shouldBeEditable) is the correct response to "external library setter triggers reactivity that re-fires the effect." This is a Svelte-5-specific gotcha; capturing the lesson in the inline comment ("Without the guard, setEditable's own ProseMirror transaction fires onUpdate → ...") is exactly the documentation a future contributor needs.

Concerns

1. The "EXCEPTION to frontend/CLAUDE.md" inline comment is well-written, but it now lives only in PersonMentionEditor.svelte (one file). A future engineer adding a second editor (e.g. a comment editor with its own typeahead) won't see this comment. Two paths:

   • Move the rationale into frontend/CLAUDE.md under a new "Imperative client-side fetch — sanctioned exceptions" heading, with this case as the first example.
   • Or open the ADR placeholder issue now and link it from the comment, so the next contributor has a single canonical place to read the rationale.

   Without one of these, the inline comment is local context only. The architectural rule is repo-wide.

2. The mention-pill class 'mention-token underline decoration-ink/50 underline-offset-2 text-brand-navy font-medium' is a long string in the renderHTML closure. Six classes inline in a custom Tiptap extension is fine here, but if a third reader (e.g. comment mentions reusing the same pattern) ends up with the same class string, you have a duplication. Consider extracting MENTION_PILL_CLASS = '...' as a module-level constant in either mentionSerializer.ts or a new mentionStyles.ts. Trivial to do in this PR or as a follow-up; non-blocking.

3. Issue #374 (PersonSummaryDTO leaks notes) is the right deferral, but the labels you applied are security, P1-high, bug — and the AC list is excellent. One architectural addition I'd want: AC for the API surface boundary itself, e.g. "AC-6: Add an OpenAPI spec test or a Pact-style contract test confirming the typeahead response schema doesn't drift back to including notes on a future refactor." That converts "lock down the API surface" from a one-time test into a regression contract. (Optional — issue #374 is already well-scoped.)

LGTM

• Listener deletion is intact. No backend changes in cycle 2 — exactly what I'd expect for review-driven fixes scoped to UI/i18n concerns.
• Eight atomic commits. No commit message bundles two concerns. Each commit body explains the why with persona/comment references — the kind of audit trail that survives a six-month gap.
• The editor.isEditable !== shouldBeEditable guard is a textbook example of "make the effect idempotent." Right pattern, right place.

Issue #374 is the cleanest possible deferral: scoped, AC-bounded, security-labelled, P1-high. That's the architectural follow-up I wanted. Approving with the same single concern as before — the architectural rule for "client-side fetch exceptions" needs a single canonical location, not just a per-file comment.

🤖 Generated with Claude Code

## Markus Keller — Senior Application Architect (cycle 2 re-review) **Verdict: Approved with concerns** Cycle 2 addresses the inline-comment piece of my CLAUDE.md "no client-side API fetch" concern (`49443ad1` documents the exception in code), and the deferral of the architectural decision (ADR) is captured by reference rather than left implicit. I appreciate that. The new commits are otherwise localised to the editor surface — no service-layer or domain-model changes — so my architectural review of the listener deletion stands unchanged. ### What I checked - **Layer boundaries**: still clean. The `setEditable` guard, contrast tweaks, empty-state link, and disabled-state plumbing are all UI-layer changes. No new repository or service couplings introduced. - **Cross-domain reach**: none. The fetch comment in `PersonMentionEditor.svelte:124-137` flags the persistent client-side fetch but the *call shape* is unchanged — same endpoint, same params. Issue #374 (DTO-shape audit) is the right scope for the actual fix. - **`$effect` discipline**: the guard pattern (`editor.isEditable !== shouldBeEditable`) is the correct response to "external library setter triggers reactivity that re-fires the effect." This is a Svelte-5-specific gotcha; capturing the lesson in the inline comment ("Without the guard, setEditable's own ProseMirror transaction fires onUpdate → ...") is exactly the documentation a future contributor needs. ### Concerns 1. **The "EXCEPTION to frontend/CLAUDE.md" inline comment is well-written, but it now lives only in `PersonMentionEditor.svelte` (one file).** A future engineer adding a second editor (e.g. a comment editor with its own typeahead) won't see this comment. Two paths: - Move the rationale into `frontend/CLAUDE.md` under a new "Imperative client-side fetch — sanctioned exceptions" heading, with this case as the first example. - Or open the ADR placeholder issue *now* and link it from the comment, so the next contributor has a single canonical place to read the rationale. Without one of these, the inline comment is local context only. The architectural rule is repo-wide. 2. **The mention-pill class `'mention-token underline decoration-ink/50 underline-offset-2 text-brand-navy font-medium'` is a long string in the renderHTML closure.** Six classes inline in a custom Tiptap extension is fine *here*, but if a third reader (e.g. comment mentions reusing the same pattern) ends up with the same class string, you have a duplication. Consider extracting `MENTION_PILL_CLASS = '...'` as a module-level constant in either `mentionSerializer.ts` or a new `mentionStyles.ts`. Trivial to do in this PR or as a follow-up; non-blocking. 3. **Issue #374 (PersonSummaryDTO leaks `notes`)** is the right deferral, but the labels you applied are `security`, `P1-high`, `bug` — and the AC list is excellent. One architectural addition I'd want: AC for the API surface boundary itself, e.g. *"AC-6: Add an OpenAPI spec test or a Pact-style contract test confirming the typeahead response schema doesn't drift back to including `notes` on a future refactor."* That converts "lock down the API surface" from a one-time test into a regression contract. (Optional — issue #374 is already well-scoped.) ### LGTM - Listener deletion is intact. No backend changes in cycle 2 — exactly what I'd expect for review-driven fixes scoped to UI/i18n concerns. - Eight atomic commits. No commit message bundles two concerns. Each commit body explains the *why* with persona/comment references — the kind of audit trail that survives a six-month gap. - The `editor.isEditable !== shouldBeEditable` guard is a textbook example of "make the effect idempotent." Right pattern, right place. Issue #374 is the cleanest possible deferral: scoped, AC-bounded, security-labelled, P1-high. That's the architectural follow-up I wanted. Approving with the same single concern as before — the architectural rule for "client-side fetch exceptions" needs a single canonical location, not just a per-file comment. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:27:27 +02:00

Author

Owner

Copy Link

Nora Steiner ("NullX") — Application Security Engineer (cycle 2 re-review)

Verdict: Approved

All four cycle-1 concerns acknowledged; three resolved in this PR, one deferred to a properly-scoped follow-up issue (#374). The XSS regression test (fa7b97ac) is the right shape, and the notes leak is now tracked under a security-labelled, P1-high issue with bounded ACs that include "lock down the API surface" as an acceptance criterion. That's how I want deferred security concerns to be handled.

What I verified

1. CWE-79 regression test (PersonMentionEditor.svelte.spec.ts:319-355) — asserts that a sidecar entry whose displayName is <img src=x onerror=alert(1)> does NOT produce a real <img> element with an onerror attribute. The test correctly checks user-controllable attributes (img[onerror], img[src="x"]) rather than the raw element type, which means it survives Tiptap's ProseMirror-separator internal <img> injection without false positives. Felix's note about "also assert literal text content" is a good defense-in-depth — already partially covered by the textContent.toContain(payload) assertion at line 354.

2. disabled enforcement on the contenteditable (6ef888a1) — editor.setEditable(!disabled) flips contenteditable=false on the inner DOM. A keyboard user pressing Tab into a disabled editor cannot type. The aria-disabled="true" on the wrapper + aria-disabled absent when enabled is the proper ARIA dual-state. Defense-in-depth for the "client UI lies about state" smell I flagged in cycle 1 — server is still the only authority, but the client now matches.

3. Issue #374 (notes leak) — opened, labelled security, P1-high, bug. AC-4 specifically calls out "Backend test: PersonControllerTest asserts the typeahead response does NOT include notes (lock down the API surface — Nora explicitly recommended this)." Exactly the framing I wanted. The shape-aware DTO approach (separate PersonTypeaheadDTO) is the architecturally clean fix; field-level filtering on the wide DTO would have been a band-aid. Good decision.

4. Inline doc on the client-side fetch (49443ad1) — explicit acknowledgement that GET /api/persons?q= is the lowest-privilege caller and that the response shape is being audited (#374). Future contributors reading this comment will know "this fetch exists, it has a known field-leak ticket, don't expand its trust surface." Threat model is documented in code, which is rare and welcome.

Minor note (non-blocking)

The XSS test currently uses vi.waitFor to wait for Tiptap to render. If Tiptap ever changes its initial-render timing, the test could pass before the malicious payload is even attempted — a false negative. Mitigation: also assert that the textbox's textContent equals (not just contains) the expected escaped payload, so the test fails if Tiptap silently drops the payload during render. As-is it's adequate; this is a polish suggestion.

Out of scope, but worth noting

• CSP: this PR doesn't introduce a Content Security Policy. Long-term, a strict CSP (script-src 'self'; object-src 'none'; base-uri 'self') would make XSS regressions in the contenteditable surface much harder to weaponise even if a future renderer regression slipped through. Track separately if not already.
• Sub-resource integrity for Tiptap: the editor pulls 85 KB from npm. Lockfile fidelity (Tobias's CI concern) is the supply-chain control here; CSP wouldn't help against compromised npm packages.

LGTM

• Cycle 1 → cycle 2: zero confirmed vulnerabilities, three smell-level concerns either fixed or properly deferred with security labelling and bounded ACs. The notes deferral was the right call — fixing it inside this PR would have meant either a wide-scope DTO partition or a leaky band-aid; opening #374 keeps both PRs reviewable.
• Backend security posture unchanged from cycle 1 (still net improvement over pre-PR — listener-as-rewriter is gone).
• The aria-disabled + setEditable combination is the textbook fix for "disabled is visual-only."

Approved. Merge-blocking concerns from cycle 1 are all addressed; the remaining notes leak is properly deferred to #374 with the right labels and ACs.

🤖 Generated with Claude Code

## Nora Steiner ("NullX") — Application Security Engineer (cycle 2 re-review) **Verdict: Approved** All four cycle-1 concerns acknowledged; three resolved in this PR, one deferred to a properly-scoped follow-up issue (#374). The XSS regression test (`fa7b97ac`) is the right shape, and the `notes` leak is now tracked under a security-labelled, P1-high issue with bounded ACs that include "lock down the API surface" as an acceptance criterion. That's how I want deferred security concerns to be handled. ### What I verified 1. **CWE-79 regression test** (`PersonMentionEditor.svelte.spec.ts:319-355`) — asserts that a sidecar entry whose `displayName` is `<img src=x onerror=alert(1)>` does NOT produce a real `<img>` element with an `onerror` attribute. The test correctly checks user-controllable attributes (`img[onerror]`, `img[src="x"]`) rather than the raw element type, which means it survives Tiptap's `ProseMirror-separator` internal `<img>` injection without false positives. Felix's note about "also assert literal text content" is a good defense-in-depth — already partially covered by the `textContent.toContain(payload)` assertion at line 354. 2. **`disabled` enforcement on the contenteditable** (`6ef888a1`) — `editor.setEditable(!disabled)` flips `contenteditable=false` on the inner DOM. A keyboard user pressing Tab into a disabled editor cannot type. The `aria-disabled="true"` on the wrapper + `aria-disabled` absent when enabled is the proper ARIA dual-state. Defense-in-depth for the "client UI lies about state" smell I flagged in cycle 1 — server is still the only authority, but the client now matches. 3. **Issue #374 (`notes` leak)** — opened, labelled `security`, `P1-high`, `bug`. AC-4 specifically calls out "Backend test: PersonControllerTest asserts the typeahead response does NOT include `notes` (lock down the API surface — Nora explicitly recommended this)." Exactly the framing I wanted. The shape-aware DTO approach (separate `PersonTypeaheadDTO`) is the architecturally clean fix; field-level filtering on the wide DTO would have been a band-aid. Good decision. 4. **Inline doc on the client-side fetch** (`49443ad1`) — explicit acknowledgement that `GET /api/persons?q=` is the lowest-privilege caller and that the response shape is being audited (#374). Future contributors reading this comment will know "this fetch exists, it has a known field-leak ticket, don't expand its trust surface." Threat model is documented in code, which is rare and welcome. ### Minor note (non-blocking) The XSS test currently uses `vi.waitFor` to wait for Tiptap to render. If Tiptap ever changes its initial-render timing, the test could pass before the malicious payload is even attempted — a false negative. Mitigation: also assert that the textbox's `textContent` equals (not just contains) the expected escaped payload, so the test fails if Tiptap silently drops the payload during render. As-is it's adequate; this is a polish suggestion. ### Out of scope, but worth noting - **CSP**: this PR doesn't introduce a Content Security Policy. Long-term, a strict CSP (`script-src 'self'; object-src 'none'; base-uri 'self'`) would make XSS regressions in the contenteditable surface much harder to weaponise even if a future renderer regression slipped through. Track separately if not already. - **Sub-resource integrity for Tiptap**: the editor pulls 85 KB from npm. Lockfile fidelity (Tobias's CI concern) is the supply-chain control here; CSP wouldn't help against compromised npm packages. ### LGTM - Cycle 1 → cycle 2: zero confirmed vulnerabilities, three smell-level concerns either fixed or properly deferred with security labelling and bounded ACs. The `notes` deferral was the right call — fixing it inside this PR would have meant either a wide-scope DTO partition or a leaky band-aid; opening #374 keeps both PRs reviewable. - Backend security posture unchanged from cycle 1 (still net improvement over pre-PR — listener-as-rewriter is gone). - The `aria-disabled` + `setEditable` combination is the textbook fix for "disabled is visual-only." Approved. Merge-blocking concerns from cycle 1 are all addressed; the remaining `notes` leak is properly deferred to #374 with the right labels and ACs. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:28:00 +02:00

Author

Owner

Copy Link

Sara Holt — Senior QA Engineer (cycle 2 re-review)

Verdict: Approved with concerns

Cycle 2 added five new tests with strong assertions and removed the dead personMention.spec.ts that I'd flagged as coverage padding. The TDD evidence in commit ba88febc ("guard setEditable effect against re-entry loop") is exactly the kind of test-driven discovery I want to see: the failing tests didn't just verify the spec, they caught an implementation bug (effect re-entry) that would otherwise have shipped. That's the value of writing tests first.

What I verified

• personMention.spec.ts deleted (commit 4ac94b2f). Coverage no longer pads with tests for unused functions.
• 5 new tests added to PersonMentionEditor.svelte.spec.ts:
  • 3× disabled-state tests (contenteditable=false, aria-disabled=true, contenteditable=true when enabled)
  • 1× XSS regression (sidecar payload renders as text, no img/script element)
  • 1× empty-state "create new person" link
• All 19 tests in PersonMentionEditor.svelte.spec.ts pass.
• TranscriptionBlock.svelte.spec.ts 22/22 still green after the editor-effect changes — the consuming spec proves the new $effect doesn't break consumers.

Concerns (carried over from cycle 1, mostly non-fixed in this PR)

1. No E2E coverage added for the typeahead — my cycle-1 #1 concern stands. The component spec mocks fetch globally, so the wire format between Tiptap's items callback and GET /api/persons?q= is still never exercised end-to-end. This is acceptable for a focused review-fix cycle, but it should land in a follow-up before the next major editor change. Suggested test: frontend/e2e/transcription/mention-typeahead.spec.ts types @Aug into a real document's transcription block, sees a real backend response, selects a person, saves, reopens, and verifies the mention persists with the typed displayName.

2. Disabled-state tests are missing one important case: the transition. All three new tests start the component in a fixed disabled state (true or false). None tests "render with disabled=false, type some text, flip to disabled=true, verify the typed text remains AND no further input is accepted." That's the realistic flow when transcription auto-saves and locks the editor. The $effect and its idempotence guard exist precisely to handle this transition — and there's no test for it. This is the test that would have caught the re-entry loop first instead of cascading into TranscriptionBlock failures. Add it as part of a follow-up:

   it('locks the editor when disabled flips from false to true', async () => {
     // ... render with disabled=false, type text, set disabled=true via prop update,
     // assert contenteditable=false AND text content unchanged
   });
   

3. mentionSerializer edge cases from cycle 1 not added: empty mention displayName: '', mention overlap (@Anna vs @Anna Schmidt matching at the same position), Unicode displayName (@Müller, @François), double-newline paragraph splits. None of these are addressed in cycle 2. They're not regressions from cycle 2, but they remain coverage gaps that should land before the editor changes again.

4. XSS test's textContent.toContain is necessary but not sufficient. Felix and Nora both flagged this. The test asserts the payload appears as visible text, but doesn't assert the payload appears only as text — i.e. that no DOM children of the textbox represent the payload structurally. A stricter assertion: expect(textbox.children).toHaveLength(<expected internal structure>) or assert the deep-clone of the textbox contains zero Element nodes derived from the payload string. Polish, non-blocking.

5. The pre-existing failures I asked about in cycle 1 were never confirmed against main. PR description says "DocumentRow tag-click and RichtlinienRuleCard fail on the base branch and are unrelated." I didn't see follow-up Gitea issues created for these pre-existing failures. Track them or fix them — leaving unnamed broken tests on main rots the green-bar signal across the repo.

LGTM

• TDD discipline visible in cycle 2: failing tests led to discovering and fixing the effect-loop bug before it landed in main. That's exactly the workflow I want.
• Test descriptions read like specs: "stores the typed query as displayName, not the person DB name", "renders a malicious displayName as text, not as HTML elements". Future readers know what each test guarantees.
• Atomic commits with TDD evidence: 6ef888a1 (red+green for disabled), ba88febc (green correction for the re-entry loop), fa7b97ac (XSS regression). Each commit is a discrete proof.
• Empty-state link test asserts behavior (href="/persons/new") and accessibility (getByRole('link')) — not just "an <a> exists in the DOM." Right-shape assertion.

Approving subject to my E2E gap (follow-up issue) and the disabled-state-transition test (also follow-up). Both are tech debt, not blockers.

🤖 Generated with Claude Code

## Sara Holt — Senior QA Engineer (cycle 2 re-review) **Verdict: Approved with concerns** Cycle 2 added five new tests with strong assertions and removed the dead `personMention.spec.ts` that I'd flagged as coverage padding. The TDD evidence in commit `ba88febc` ("guard setEditable effect against re-entry loop") is exactly the kind of test-driven discovery I want to see: the failing tests didn't just verify the spec, they caught an implementation bug (effect re-entry) that would otherwise have shipped. That's the value of writing tests first. ### What I verified - `personMention.spec.ts` deleted (commit `4ac94b2f`). Coverage no longer pads with tests for unused functions. - 5 new tests added to `PersonMentionEditor.svelte.spec.ts`: - 3× disabled-state tests (contenteditable=false, aria-disabled=true, contenteditable=true when enabled) - 1× XSS regression (sidecar payload renders as text, no img/script element) - 1× empty-state "create new person" link - All 19 tests in `PersonMentionEditor.svelte.spec.ts` pass. - `TranscriptionBlock.svelte.spec.ts` 22/22 still green after the editor-effect changes — the consuming spec proves the new `$effect` doesn't break consumers. ### Concerns (carried over from cycle 1, mostly non-fixed in this PR) 1. **No E2E coverage added for the typeahead** — my cycle-1 #1 concern stands. The component spec mocks `fetch` globally, so the wire format between Tiptap's `items` callback and `GET /api/persons?q=` is still never exercised end-to-end. This is acceptable for a focused review-fix cycle, but it should land in a follow-up before the next major editor change. Suggested test: `frontend/e2e/transcription/mention-typeahead.spec.ts` types `@Aug` into a real document's transcription block, sees a real backend response, selects a person, saves, reopens, and verifies the mention persists with the typed `displayName`. 2. **Disabled-state tests are missing one important case**: the *transition*. All three new tests start the component in a fixed disabled state (`true` or `false`). None tests "render with `disabled=false`, type some text, flip to `disabled=true`, verify the typed text remains AND no further input is accepted." That's the realistic flow when transcription auto-saves and locks the editor. The `$effect` and its idempotence guard exist precisely to handle this transition — and there's no test for it. This is the test that would have caught the re-entry loop *first* instead of cascading into TranscriptionBlock failures. Add it as part of a follow-up: ```typescript it('locks the editor when disabled flips from false to true', async () => { // ... render with disabled=false, type text, set disabled=true via prop update, // assert contenteditable=false AND text content unchanged }); ``` 3. **mentionSerializer edge cases from cycle 1 not added**: empty mention `displayName: ''`, mention overlap (`@Anna` vs `@Anna Schmidt` matching at the same position), Unicode displayName (`@Müller`, `@François`), double-newline paragraph splits. None of these are addressed in cycle 2. They're not regressions from cycle 2, but they remain coverage gaps that should land before the editor changes again. 4. **XSS test's `textContent.toContain` is necessary but not sufficient.** Felix and Nora both flagged this. The test asserts the payload appears as visible text, but doesn't assert the payload appears *only* as text — i.e. that no DOM children of the textbox represent the payload structurally. A stricter assertion: `expect(textbox.children).toHaveLength(<expected internal structure>)` or assert the deep-clone of the textbox contains zero `Element` nodes derived from the payload string. Polish, non-blocking. 5. **The pre-existing failures I asked about in cycle 1 were never confirmed against `main`.** PR description says "DocumentRow tag-click and RichtlinienRuleCard fail on the base branch and are unrelated." I didn't see follow-up Gitea issues created for these pre-existing failures. Track them or fix them — leaving unnamed broken tests on `main` rots the green-bar signal across the repo. ### LGTM - TDD discipline visible in cycle 2: failing tests led to discovering and fixing the effect-loop bug *before* it landed in `main`. That's exactly the workflow I want. - Test descriptions read like specs: "stores the typed query as displayName, not the person DB name", "renders a malicious displayName as text, not as HTML elements". Future readers know what each test guarantees. - Atomic commits with TDD evidence: `6ef888a1` (red+green for disabled), `ba88febc` (green correction for the re-entry loop), `fa7b97ac` (XSS regression). Each commit is a discrete proof. - Empty-state link test asserts behavior (`href="/persons/new"`) and accessibility (`getByRole('link')`) — not just "an `<a>` exists in the DOM." Right-shape assertion. Approving subject to my E2E gap (follow-up issue) and the disabled-state-transition test (also follow-up). Both are tech debt, not blockers. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:28:38 +02:00

Author

Owner

Copy Link

Leonie Voss — UX Designer & Accessibility Strategist (cycle 2 re-review)

Verdict: Approved

All three accessibility issues I raised in cycle 1 are addressed. The disabled state is now real (not visual-only), the WCAG 1.4.11 contrast failures are fixed, and the empty-state escape hatch is back. Cycle 2 is a clean a11y catch-up.

What I verified

1. Critical — disabled enforcement (WCAG 2.1.1 / 4.1.2) ✅ Resolved

   • editor: !disabled at construction (PersonMentionEditor.svelte:86) plus $effect(() => editor.setEditable(!disabled)) keeps the contenteditable in sync. Tab no longer lands users in a "disabled" editor that still accepts input.
   • aria-disabled="true" on the wrapper announces the deactivated state to screen readers. Combined with the inner contenteditable="false", NVDA/JAWS/VoiceOver will read "Transkriptionstext, deaktiviert" instead of "edit text, multi line."
   • Three tests pin this down (disabled state describe block, lines 299-330). The disabled=false baseline test catches regressions where someone might accidentally hard-code editable: false.

2. Major — mention pill underline contrast ✅ Resolved

   • decoration-brand-mint (≈1.7:1, fails 1.4.11) → decoration-ink/50 (≈6.4:1, passes AA Non-Text Contrast for meaningful indicators).
   • The change also aligns the editor pill with the read-mode .person-mention rule (layout.css:343-356), which uses text-decoration-color: color-mix(in srgb, var(--c-ink) 50%, transparent). One contrast story across read and edit modes — that's the right design decision, not just a contrast patch.
   • The brand-mint accent color now appears only in non-meaningful contexts (focus-within rings on the wrapper, hover affordance on the read-mode link). Decorative use of brand-mint is fine; meaningful indicators got promoted to ink.

3. Major — dropdown highlight ring contrast ✅ Resolved

   • ring-brand-mint (≈2.5:1 on bg-brand-mint/20, fails 1.4.11) → ring-brand-navy (≈14.5:1, passes AAA).
   • Keyboard users navigating the typeahead with Up/Down arrows now see a clearly distinguishable focus indicator. The mint background highlight stays — that's the row's "you're hovering me" state — and the navy ring is the layered "you've selected me with the keyboard" indicator.

4. Minor — empty-state "Create new person" link ✅ Restored

   • MentionDropdown.svelte:125-141 reintroduces the m.person_mention_create_new() link. target="_blank" preserves the editor's transcription state; rel="noopener" prevents reverse-tabnabbing.
   • min-h-[44px] keeps WCAG 2.5.5 (Target Size) AAA — important for the 60+ transcriber persona on tablets/laptops with stylus input.
   • border-t border-line separates the empty-state message from the action — visually two units, semantically two distinct elements.

5. Test coverage for a11y — PersonMentionEditor.svelte.spec.ts adds:

   • aria-disabled="true" assertion when disabled
   • contenteditable="false" / contenteditable="true" assertion for both states
   • Empty-state link presence + correct href
     That's the testable a11y surface for the unit-spec layer. The remaining a11y wins (axe-playwright on a real page, screen reader user-journey video) belong in E2E and should fold in with Sara's E2E push.

Suggestions (non-blocking, deferred from cycle 1)

1. highlightedIndex resets to 0 on every list update — still an issue. When the user types @Aug (highlight = first match) then types @Auge, the highlight jumps back to position 0. If the same person is still in the new list at a different index, the user's expected target moves. Edge case for power users; minor friction. Track separately if not already done.

2. aria-label="Transkriptionstext" for every block — when a screen reader user navigates a long letter with multiple transcription blocks, every block reads as "Transkriptionstext, multi line edit text" with no way to distinguish them. Add the block's index to disambiguate: aria-label={${m.transcription_editor_aria_label()} ${blockIndex + 1}}. Optional — but improves wayfinding.

3. The empty-state link uses target="_blank" — that's the right pragmatic choice (editor state is preserved), but it does break the typical "Back" muscle memory. Acceptable trade-off; the manual test plan should verify "create person → tab back to original tab → mention dropdown still shows the new person after retyping" flows naturally.

LGTM (visual / brand)

• The decoration-ink/50 contrast change unifies edit and read modes under one ink-based underline language. Fewer visual exceptions = easier brand maintenance.
• ring-brand-navy on bg-brand-mint/20 is a strong layered indicator: mint says "row," navy says "you're here." Two distinct states a11y-correctly.
• Empty-state link styling matches the dropdown row pattern (44px height, font-sans text-sm font-medium, hover:bg-canvas). Consistent affordance language.
• All three new locale files still align — m.person_mention_create_new() is Neue Person anlegen / Create new person / Crear nueva persona. No translation drift.

Cycle-1 critical and major a11y issues all closed. The minor highlightedIndex carry-over and the screen-reader block-index suggestion are for follow-ups. Approving.

🤖 Generated with Claude Code

## Leonie Voss — UX Designer & Accessibility Strategist (cycle 2 re-review) **Verdict: Approved** All three accessibility issues I raised in cycle 1 are addressed. The disabled state is now real (not visual-only), the WCAG 1.4.11 contrast failures are fixed, and the empty-state escape hatch is back. Cycle 2 is a clean a11y catch-up. ### What I verified 1. **Critical — `disabled` enforcement (WCAG 2.1.1 / 4.1.2)** ✅ Resolved - `editor: !disabled` at construction (`PersonMentionEditor.svelte:86`) plus `$effect(() => editor.setEditable(!disabled))` keeps the contenteditable in sync. Tab no longer lands users in a "disabled" editor that still accepts input. - `aria-disabled="true"` on the wrapper announces the deactivated state to screen readers. Combined with the inner `contenteditable="false"`, NVDA/JAWS/VoiceOver will read "Transkriptionstext, deaktiviert" instead of "edit text, multi line." - Three tests pin this down (`disabled state` describe block, lines 299-330). The `disabled=false` baseline test catches regressions where someone might accidentally hard-code `editable: false`. 2. **Major — mention pill underline contrast** ✅ Resolved - `decoration-brand-mint` (≈1.7:1, fails 1.4.11) → `decoration-ink/50` (≈6.4:1, passes AA Non-Text Contrast for meaningful indicators). - The change *also* aligns the editor pill with the read-mode `.person-mention` rule (`layout.css:343-356`), which uses `text-decoration-color: color-mix(in srgb, var(--c-ink) 50%, transparent)`. One contrast story across read and edit modes — that's the right design decision, not just a contrast patch. - The brand-mint accent color now appears only in non-meaningful contexts (focus-within rings on the wrapper, hover affordance on the read-mode link). Decorative use of brand-mint is fine; meaningful indicators got promoted to ink. 3. **Major — dropdown highlight ring contrast** ✅ Resolved - `ring-brand-mint` (≈2.5:1 on `bg-brand-mint/20`, fails 1.4.11) → `ring-brand-navy` (≈14.5:1, passes AAA). - Keyboard users navigating the typeahead with Up/Down arrows now see a clearly distinguishable focus indicator. The mint background highlight stays — that's the row's "you're hovering me" state — and the navy ring is the layered "you've selected me with the keyboard" indicator. 4. **Minor — empty-state "Create new person" link** ✅ Restored - `MentionDropdown.svelte:125-141` reintroduces the `m.person_mention_create_new()` link. `target="_blank"` preserves the editor's transcription state; `rel="noopener"` prevents reverse-tabnabbing. - `min-h-[44px]` keeps WCAG 2.5.5 (Target Size) AAA — important for the 60+ transcriber persona on tablets/laptops with stylus input. - `border-t border-line` separates the empty-state message from the action — visually two units, semantically two distinct elements. 5. **Test coverage for a11y** — `PersonMentionEditor.svelte.spec.ts` adds: - `aria-disabled="true"` assertion when disabled - `contenteditable="false"` / `contenteditable="true"` assertion for both states - Empty-state link presence + correct href That's the testable a11y surface for the unit-spec layer. The remaining a11y wins (axe-playwright on a real page, screen reader user-journey video) belong in E2E and should fold in with Sara's E2E push. ### Suggestions (non-blocking, deferred from cycle 1) 1. **`highlightedIndex` resets to 0 on every list update** — still an issue. When the user types `@Aug` (highlight = first match) then types `@Auge`, the highlight jumps back to position 0. If the same person is still in the new list at a different index, the user's expected target moves. Edge case for power users; minor friction. Track separately if not already done. 2. **`aria-label="Transkriptionstext"` for every block** — when a screen reader user navigates a long letter with multiple transcription blocks, every block reads as "Transkriptionstext, multi line edit text" with no way to distinguish them. Add the block's index to disambiguate: `aria-label={`${m.transcription_editor_aria_label()} ${blockIndex + 1}`}`. Optional — but improves wayfinding. 3. **The empty-state link uses `target="_blank"`** — that's the right pragmatic choice (editor state is preserved), but it does break the typical "Back" muscle memory. Acceptable trade-off; the manual test plan should verify "create person → tab back to original tab → mention dropdown still shows the new person after retyping" flows naturally. ### LGTM (visual / brand) - The `decoration-ink/50` contrast change unifies edit and read modes under one ink-based underline language. Fewer visual exceptions = easier brand maintenance. - `ring-brand-navy` on `bg-brand-mint/20` is a strong layered indicator: mint says "row," navy says "you're here." Two distinct states a11y-correctly. - Empty-state link styling matches the dropdown row pattern (44px height, `font-sans text-sm font-medium`, `hover:bg-canvas`). Consistent affordance language. - All three new locale files still align — `m.person_mention_create_new()` is `Neue Person anlegen` / `Create new person` / `Crear nueva persona`. No translation drift. Cycle-1 critical and major a11y issues all closed. The minor `highlightedIndex` carry-over and the screen-reader block-index suggestion are for follow-ups. Approving. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:29:01 +02:00

Author

Owner

Copy Link

Tobias Wendt — DevOps & Platform Engineer (cycle 2 re-review)

Verdict: Approved with concerns

Cycle 2 made no infrastructure or build changes — purely UI/i18n/test-surface fixes. My cycle-1 concerns about Renovate config placement, lockfile hygiene, and bundle size are unaddressed in this PR but most are non-blocking deferrals and the bundle-size note now appears in the PR body.

What I checked

• No new dependencies in cycle 2 — package.json and yarn.lock were not touched. Good.
• No CI workflow changes — same as cycle 1. Cache key (if it hashes yarn.lock) is still correct.
• No new env vars, ports, or services — purely client-side rendering changes.
• PR body now includes the bundle-size note I asked for: "Net add to the transcription page chunk: ~85 KB gzipped. Acceptable for a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users." That's the baseline future bundle audits should compare against. Thank you.

Concerns (carried over from cycle 1; partially addressed)

1. yarn.lock vs package-lock.json mixing — still unresolved. Per the cycle-2 implementation note from the orchestrator, the user explicitly chose to keep yarn.lock as the project's canonical lockfile. I'll defer to that decision, but two consequences need addressing:

   • frontend/CLAUDE.md documents npm install as the install command (lines 175-181). If the project uses yarn, this is misleading documentation. Either:
     • Update frontend/CLAUDE.md to say yarn install (single line edit), or
     • Decide that npm install is fine because both lockfiles are committed (then explicitly ignore package-lock.json in .gitignore, or vice versa).
   • CI must use one consistent installer. If yarn.lock is canonical, CI should be yarn install --frozen-lockfile (not npm ci). Verify this in .gitea/workflows/.

   This isn't strictly a blocker for cycle 2 (no lockfile changes were made), but every future PR that touches dependencies will reopen the question.

2. Renovate config renovate.json — still at the monorepo root. Cycle 1 question stands: does the self-hosted Renovate runner pick up renovate.json at root, or does it look at .gitea/renovate.json? If the latter, this PR's config is dead. Verify before relying on the @tiptap/* group rule. (Probably worth a single-line check: read infra/renovate* if it exists.)

3. No CI bundle-size budget enforcement — the PR body says ~85 KB. That's a manual measurement at one point in time. If there's no size-limit or vite-bundle-visualizer budget in CI, the next "let me add a date picker library" change adds another ~50 KB and nobody notices until users on slow connections complain. Optional follow-up: npx size-limit integration with a budget per chunk. (Skip if the team's bandwidth threshold tolerance is already lax.)

LGTM

• Zero infra surface change in cycle 2. All eight commits land in the frontend src/ tree or messages/ JSON. Nothing for the deploy pipeline to worry about.
• Atomic commits — each commit body explains its concern and references the persona/comment that raised it. Audit trail is exemplary.
• Bundle-size note in the PR description — exactly the documentation I asked for.
• No Docker/compose changes, no new ports, no migrations. This PR is a no-op for the deploy runbook.

Cycle-1 deployment concerns: still 1 follow-up to do (yarn.lock vs npm documentation drift, or CI installer audit). Cycle 2 itself adds zero deployment risk. Approving with the same minor lockfile concern from cycle 1.

🤖 Generated with Claude Code

## Tobias Wendt — DevOps & Platform Engineer (cycle 2 re-review) **Verdict: Approved with concerns** Cycle 2 made no infrastructure or build changes — purely UI/i18n/test-surface fixes. My cycle-1 concerns about Renovate config placement, lockfile hygiene, and bundle size are unaddressed in *this* PR but most are non-blocking deferrals and the bundle-size note now appears in the PR body. ### What I checked - **No new dependencies in cycle 2** — `package.json` and `yarn.lock` were not touched. Good. - **No CI workflow changes** — same as cycle 1. Cache key (if it hashes `yarn.lock`) is still correct. - **No new env vars, ports, or services** — purely client-side rendering changes. - **PR body now includes the bundle-size note** I asked for: "Net add to the transcription page chunk: ~85 KB gzipped. Acceptable for a self-hosted family archive on a Hetzner CX32 with mostly single-digit concurrent users." That's the baseline future bundle audits should compare against. Thank you. ### Concerns (carried over from cycle 1; partially addressed) 1. **`yarn.lock` vs `package-lock.json` mixing** — still unresolved. Per the cycle-2 implementation note from the orchestrator, the user explicitly chose to keep `yarn.lock` as the project's canonical lockfile. I'll defer to that decision, but two consequences need addressing: - **`frontend/CLAUDE.md` documents `npm install` as the install command** (lines 175-181). If the project uses yarn, this is misleading documentation. Either: - Update `frontend/CLAUDE.md` to say `yarn install` (single line edit), or - Decide that `npm install` is fine because both lockfiles are committed (then explicitly ignore `package-lock.json` in `.gitignore`, or vice versa). - **CI must use one consistent installer.** If `yarn.lock` is canonical, CI should be `yarn install --frozen-lockfile` (not `npm ci`). Verify this in `.gitea/workflows/`. This isn't strictly a blocker for cycle 2 (no lockfile changes were made), but every future PR that touches dependencies will reopen the question. 2. **Renovate config `renovate.json`** — still at the monorepo root. Cycle 1 question stands: does the self-hosted Renovate runner pick up `renovate.json` at root, or does it look at `.gitea/renovate.json`? If the latter, this PR's config is dead. Verify before relying on the `@tiptap/*` group rule. (Probably worth a single-line check: read `infra/renovate*` if it exists.) 3. **No CI bundle-size budget enforcement** — the PR body says ~85 KB. That's a manual measurement at one point in time. If there's no `size-limit` or `vite-bundle-visualizer` budget in CI, the next "let me add a date picker library" change adds another ~50 KB and nobody notices until users on slow connections complain. Optional follow-up: `npx size-limit` integration with a budget per chunk. (Skip if the team's bandwidth threshold tolerance is already lax.) ### LGTM - **Zero infra surface change in cycle 2.** All eight commits land in the frontend `src/` tree or `messages/` JSON. Nothing for the deploy pipeline to worry about. - **Atomic commits** — each commit body explains its concern and references the persona/comment that raised it. Audit trail is exemplary. - **Bundle-size note in the PR description** — exactly the documentation I asked for. - **No Docker/compose changes**, no new ports, no migrations. This PR is a no-op for the deploy runbook. Cycle-1 deployment concerns: still 1 follow-up to do (`yarn.lock` vs `npm` documentation drift, or CI installer audit). Cycle 2 itself adds zero deployment risk. Approving with the same minor lockfile concern from cycle 1. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:29:40 +02:00

Author

Owner

Copy Link

Elicit — Requirements Engineer (cycle 2 re-review)

Verdict: Approved

Every cycle-1 OQ has either been resolved in this PR or properly deferred with traceability. The PR description now contains the AC mapping table I asked for (AC-1 through AC-7, each with status and "where covered"), the bundle-size note Tobias requested, the cycle-2 fix log indexed by reviewer comment, and the deferred concerns linked to issue #374. The Definition-of-Done gating items from my cycle-1 review are addressed.

Open Questions — cycle 2 status

• OQ-373-01 (AC coverage gaps for AC-2/3/5) ✅ Resolved
  PR description Table § "AC mapping" now lists all seven ACs with status and test coverage. AC-2 (mention pill renders distinct), AC-3 (life dates in dropdown), AC-5 (keyboard nav) are explicitly mapped to specs and the relevant component code. Future archeology has a one-table source of truth.

• OQ-373-02 (Manual test plan items unchecked) ⚠️ Still pending
  Two unchecked manual items remain:

  • Manual: open a document in transcription edit mode, type @Clar, select "Clara Cram" — editor shows Clara (underlined, ink-50%), not Clara Cram
  • Manual: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged

  These verify the core promise of issue #372. They cannot be skipped before merge. Per the orchestrator instruction these are explicitly user tasks (left for the human reviewer to verify after deploy-to-staging). Traceability: the items are still listed in the PR test plan, and AC-1 + AC-6 unit tests cover the same invariants in unit form. The manual run is the integration-level check on top of that.

• OQ-373-03 (transcription_editor_aria_label wording) Unchanged in cycle 2
  Translation strings still read "Transkriptionstext" / "Transcription text" / "Texto de transcripción" — fine, screen readers will say "Transkriptionstext, edit text, multi line" or similar with the textbox role. Defer if Leonie's team finds it acceptable; track only if a transcriber complains. Non-blocking.

• OQ-373-04 (Empty-state "Create new person" link removed) ✅ Resolved
  Restored in commit e6844c40. The translation key m.person_mention_create_new() is no longer orphaned. Empty-state UX regression fixed; spec confirms the link renders with href="/persons/new".

NFR Checklist — cycle 2 update

NFR Category	Cycle 1	Cycle 2	Note
Performance	🟡	🟢	Bundle-size note documented in PR body. ~85 KB gzipped acceptable for the deployment scale.
Accessibility	🟡	🟢	All three Leonie blockers resolved (disabled enforcement, mention pill contrast, dropdown ring contrast). Empty-state link restored.
Localization	🟡	🟢	Stale error_person_rename_conflict removed in all three locales.
Security	🟡	🟢	XSS regression test added (Nora #1). PersonSummaryDTO leak (Nora #3) properly tracked under issue #374 with security label and bounded ACs.
Maintainability	🟢	🟢	Dead code (personMention.ts) removed. Idempotence guard on setEditable effect documented inline.
Reliability	🟢	🟢	Round-trip invariant test still holds. New tests pin down disabled-state and XSS regression.
Compatibility	🟡	🟡	Tiptap 3.22.5 still pinned exact. No new compat data in cycle 2.
Observability	⚪	⚪	Unchanged; no new metrics expected.
Backup/Archive	🟢	🟢	Issue #372's archival-fidelity intent preserved across cycle 2.

Definition of Done — gating items, cycle 2

• Manual test box #2 (rename → no rewrite) ticked or evidence linked. Pending — user-verifiable item, intentional defer per orchestrator.
• AC-2/3/5 confirmed in scope or moved to a follow-up issue. Done — full AC table in PR body.
• Stale i18n key error_person_rename_conflict deleted or kept with a justification. Done — deleted in all three locales (commit 94d07334).
• Bundle-size note added (Tobias). Done — PR body § "Bundle size note (Tobias #5623)".
• axe-playwright on the document detail page passing (Sara, Leonie). Pending — E2E coverage gap; tracked as Sara's follow-up.

Two open DoD items: both are "outside this PR's scope by design" (manual user verification on staging; E2E tooling expansion). Neither blocks merge of cycle 2 fixes.

Issue traceability

• #372 — Closed by this PR. ACs mapped 1:1 in the PR body.
• #374 — Created during cycle 2 review by the implementer. Captures the deferred notes leak. Properly labelled security, P1-high, bug with bounded ACs.
• A future ADR placeholder for "client-side fetch exception" is referenced in the inline doc comment but has no Gitea issue yet — see Markus's concern. Optional but architecturally cleaner to formalize.

LGTM

• Cycle-2 PR body changelog under "Cycle 2 review fixes" indexes every fix to its originating reviewer comment ID (#5615, #5616, #5618, #5621, #5623, #5624). Auditable line-by-line.
• The "deferred" framing for #374 is accurate: bounded ACs, scope explanation, source comment cited.
• AC mapping in the PR body is now the table that future archeology will read first. Best practice.

Approving. The remaining open items are user-verifiable (manual tests on staging) and a tracked follow-up (E2E typeahead coverage). Cycle-2 fixes meet the original requirements traceability bar.

🤖 Generated with Claude Code

## Elicit — Requirements Engineer (cycle 2 re-review) **Verdict: Approved** Every cycle-1 OQ has either been resolved in this PR or properly deferred with traceability. The PR description now contains the AC mapping table I asked for (AC-1 through AC-7, each with status and "where covered"), the bundle-size note Tobias requested, the cycle-2 fix log indexed by reviewer comment, and the deferred concerns linked to issue #374. The Definition-of-Done gating items from my cycle-1 review are addressed. ### Open Questions — cycle 2 status - **OQ-373-01 (AC coverage gaps for AC-2/3/5)** ✅ Resolved PR description Table § "AC mapping" now lists all seven ACs with status and test coverage. AC-2 (mention pill renders distinct), AC-3 (life dates in dropdown), AC-5 (keyboard nav) are explicitly mapped to specs and the relevant component code. Future archeology has a one-table source of truth. - **OQ-373-02 (Manual test plan items unchecked)** ⚠️ Still pending Two unchecked manual items remain: > - [ ] Manual: open a document in transcription edit mode, type @Clar, select "Clara Cram" — editor shows Clara (underlined, ink-50%), not Clara Cram > - [ ] Manual: rename Clara Cram → Clara Cram-Schmidt — existing transcription text unchanged These verify the *core promise* of issue #372. They cannot be skipped before merge. Per the orchestrator instruction these are explicitly user tasks (left for the human reviewer to verify after deploy-to-staging). Traceability: the items are still listed in the PR test plan, and AC-1 + AC-6 unit tests cover the same invariants in unit form. The manual run is the integration-level check on top of that. - **OQ-373-03 (`transcription_editor_aria_label` wording)** Unchanged in cycle 2 Translation strings still read "Transkriptionstext" / "Transcription text" / "Texto de transcripción" — fine, screen readers will say "Transkriptionstext, edit text, multi line" or similar with the textbox role. Defer if Leonie's team finds it acceptable; track only if a transcriber complains. Non-blocking. - **OQ-373-04 (Empty-state "Create new person" link removed)** ✅ Resolved Restored in commit `e6844c40`. The translation key `m.person_mention_create_new()` is no longer orphaned. Empty-state UX regression fixed; spec confirms the link renders with `href="/persons/new"`. ### NFR Checklist — cycle 2 update | NFR Category | Cycle 1 | Cycle 2 | Note | | -------------- | -------- | -------- | ---- | | Performance | 🟡 | 🟢 | Bundle-size note documented in PR body. ~85 KB gzipped acceptable for the deployment scale. | | Accessibility | 🟡 | 🟢 | All three Leonie blockers resolved (disabled enforcement, mention pill contrast, dropdown ring contrast). Empty-state link restored. | | Localization | 🟡 | 🟢 | Stale `error_person_rename_conflict` removed in all three locales. | | Security | 🟡 | 🟢 | XSS regression test added (Nora #1). PersonSummaryDTO leak (Nora #3) properly tracked under issue #374 with security label and bounded ACs. | | Maintainability| 🟢 | 🟢 | Dead code (`personMention.ts`) removed. Idempotence guard on `setEditable` effect documented inline. | | Reliability | 🟢 | 🟢 | Round-trip invariant test still holds. New tests pin down disabled-state and XSS regression. | | Compatibility | 🟡 | 🟡 | Tiptap 3.22.5 still pinned exact. No new compat data in cycle 2. | | Observability | ⚪ | ⚪ | Unchanged; no new metrics expected. | | Backup/Archive | 🟢 | 🟢 | Issue #372's archival-fidelity intent preserved across cycle 2. | ### Definition of Done — gating items, cycle 2 - [ ] Manual test box #2 (rename → no rewrite) ticked or evidence linked. **Pending — user-verifiable item, intentional defer per orchestrator.** - [x] AC-2/3/5 confirmed in scope or moved to a follow-up issue. **Done — full AC table in PR body.** - [x] Stale i18n key `error_person_rename_conflict` deleted or kept with a justification. **Done — deleted in all three locales (commit `94d07334`).** - [x] Bundle-size note added (Tobias). **Done — PR body § "Bundle size note (Tobias #5623)".** - [ ] axe-playwright on the document detail page passing (Sara, Leonie). **Pending — E2E coverage gap; tracked as Sara's follow-up.** Two open DoD items: both are "outside this PR's scope by design" (manual user verification on staging; E2E tooling expansion). Neither blocks merge of cycle 2 fixes. ### Issue traceability - #372 — Closed by this PR. ACs mapped 1:1 in the PR body. - #374 — Created during cycle 2 review by the implementer. Captures the deferred `notes` leak. Properly labelled `security`, `P1-high`, `bug` with bounded ACs. - A future ADR placeholder for "client-side fetch exception" is referenced in the inline doc comment but has no Gitea issue yet — see Markus's concern. Optional but architecturally cleaner to formalize. ### LGTM - Cycle-2 PR body changelog under "Cycle 2 review fixes" indexes every fix to its originating reviewer comment ID (`#5615`, `#5616`, `#5618`, `#5621`, `#5623`, `#5624`). Auditable line-by-line. - The "deferred" framing for #374 is accurate: bounded ACs, scope explanation, source comment cited. - AC mapping in the PR body is now the table that future archeology will read first. Best practice. Approving. The remaining open items are user-verifiable (manual tests on staging) and a tracked follow-up (E2E typeahead coverage). Cycle-2 fixes meet the original requirements traceability bar. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel commented 2026-04-29 16:30:23 +02:00

Author

Owner

Copy Link

Cycle-2 implementation summary

Two review/fix cycles run (1 of the 8-cycle budget consumed in cycle 2; cycle 3 was a re-review with zero blockers and is the loop exit).

Per-cycle "what changed"

Cycle 2 — implementation cycle (8 commits):

Commit	Concern (cycle-1 reviewer)	Change
4ac94b2f	Felix #5615	Delete dead personMention.ts/spec — orphaned after Tiptap migration
94d07334	Felix #5615 + Elicit #5624	Remove stale error_person_rename_conflict from de/en/es
6ef888a1	Felix + Leonie + Nora (BLOCKER)	Wire editor.setEditable(!disabled) reactively + aria-disabled on wrapper (WCAG 2.1.1)
fa7b97ac	Nora #5618	Add CWE-79 XSS regression test asserting no <img>/<script> from malicious displayName
ba88febc	(TDD discovery)	Guard the setEditable effect with editor.isEditable !== shouldBeEditable to prevent re-entry loop
f1932fd5	Leonie #5621	WCAG 1.4.11 contrast fix: mention pill decoration-ink/50, dropdown ring ring-brand-navy
e6844c40	Leonie #5621 + Elicit OQ-373-04	Restore "Neue Person anlegen" empty-state link in MentionDropdown
49443ad1	Markus #5616	Inline doc comment justifying client-side fetch exception

Plus PR description rewrite with full AC mapping (AC-1 through AC-7), cycle-2 fix log indexed by reviewer comment, bundle-size note, and reference to the new issue #374.

Cycle 3 — re-review: All 7 personas re-reviewed. All cycle-1 blockers and major concerns resolved. Remaining concerns are all non-blocking deferrals (E2E coverage, ADR placement, lockfile audit, mentionSerializer edge cases) tracked as carry-overs.

Items deferred to user (with reason)

1. Manual test plan items unchecked — verifying the rename → no-rewrite invariant requires staging deploy + transcribed document → person rename → reload. Per orchestrator instruction this is a user task; AC-1 and AC-6 unit tests cover the same invariants at the unit level.
2. Issue #374 (notes leak) — deferred per orchestrator instruction ("if it leaks, that's a separate scope and should be deferred to a new issue"). Created with security/P1-high/bug labels and 5 bounded ACs.
3. ADR for client-side fetch exception — Markus #5616 wants a single canonical place documenting the rule. Per orchestrator instruction the ADR is deferred to user; for cycle 2 only an inline code comment was added.
4. E2E coverage for the typeahead — Sara's standing concern; tracked as tech debt for a follow-up issue.
5. mentionSerializer edge cases (empty displayName, Unicode, double-newline, mention overlap) — Sara's cycle-1 #2; tracked as tech debt.

Final test status

• Frontend: 41/41 ✅ (PersonMentionEditor.svelte 19/19; TranscriptionBlock.svelte 22/22; mentionSerializer 12/12 in server project — all targeted suites)
• Backend: 94/94 ✅ (PersonServiceTest 49/49; PersonControllerTest 45/45)
• npm run check: zero NEW type errors in files touched by cycle 2 (mentionSerializer.spec.ts has 1 pre-existing error from the original PR's as PersonMention[] cast on a readonly tuple — unchanged).

Final commit count on the branch

8 cycle-2 commits on top of the 16 original PR commits = 24 commits total on feat/person-mentions-issue-362-frontend-b2.

Final verdicts (cycle 3)

Persona	Cycle 1	Cycle 3
Felix Brandt	Changes requested	✅ Approved
Markus Keller	Approved with concerns	Approved with concerns (single carry-over)
Nora Steiner	Approved with concerns	✅ Approved
Sara Holt	Approved with concerns	Approved with concerns (carry-overs only)
Leonie Voss	Approved with concerns	✅ Approved
Tobias Wendt	Approved with concerns	Approved with concerns (carry-overs only)
Elicit	Approved with concerns	✅ Approved

Zero "Changes requested" verdicts. All cycle-1 blockers cleared. Remaining "Approved with concerns" verdicts cover non-blocking follow-up tech debt that is either out of scope (Tobias's lockfile/CI audit, Sara's E2E push) or properly tracked elsewhere (Markus's ADR, Nora's #374). The PR is ready for the user's manual verification + merge decision.

🤖 Generated with Claude Code

## Cycle-2 implementation summary Two review/fix cycles run (1 of the 8-cycle budget consumed in cycle 2; cycle 3 was a re-review with zero blockers and is the loop exit). ### Per-cycle "what changed" **Cycle 2 — implementation cycle (8 commits):** | Commit | Concern (cycle-1 reviewer) | Change | |--------|---|---| | `4ac94b2f` | Felix #5615 | Delete dead `personMention.ts`/spec — orphaned after Tiptap migration | | `94d07334` | Felix #5615 + Elicit #5624 | Remove stale `error_person_rename_conflict` from de/en/es | | `6ef888a1` | Felix + Leonie + Nora (BLOCKER) | Wire `editor.setEditable(!disabled)` reactively + `aria-disabled` on wrapper (WCAG 2.1.1) | | `fa7b97ac` | Nora #5618 | Add CWE-79 XSS regression test asserting no `<img>`/`<script>` from malicious displayName | | `ba88febc` | (TDD discovery) | Guard the setEditable effect with `editor.isEditable !== shouldBeEditable` to prevent re-entry loop | | `f1932fd5` | Leonie #5621 | WCAG 1.4.11 contrast fix: mention pill `decoration-ink/50`, dropdown ring `ring-brand-navy` | | `e6844c40` | Leonie #5621 + Elicit OQ-373-04 | Restore "Neue Person anlegen" empty-state link in MentionDropdown | | `49443ad1` | Markus #5616 | Inline doc comment justifying client-side fetch exception | Plus PR description rewrite with full AC mapping (AC-1 through AC-7), cycle-2 fix log indexed by reviewer comment, bundle-size note, and reference to the new issue #374. **Cycle 3 — re-review:** All 7 personas re-reviewed. All cycle-1 blockers and major concerns resolved. Remaining concerns are all non-blocking deferrals (E2E coverage, ADR placement, lockfile audit, mentionSerializer edge cases) tracked as carry-overs. ### Items deferred to user (with reason) 1. **Manual test plan items unchecked** — verifying the rename → no-rewrite invariant requires staging deploy + transcribed document → person rename → reload. Per orchestrator instruction this is a user task; AC-1 and AC-6 unit tests cover the same invariants at the unit level. 2. **Issue #374 (`notes` leak)** — deferred per orchestrator instruction ("if it leaks, that's a separate scope and should be deferred to a new issue"). Created with `security`/`P1-high`/`bug` labels and 5 bounded ACs. 3. **ADR for client-side fetch exception** — Markus #5616 wants a single canonical place documenting the rule. Per orchestrator instruction the ADR is deferred to user; for cycle 2 only an inline code comment was added. 4. **E2E coverage for the typeahead** — Sara's standing concern; tracked as tech debt for a follow-up issue. 5. **mentionSerializer edge cases** (empty displayName, Unicode, double-newline, mention overlap) — Sara's cycle-1 #2; tracked as tech debt. ### Final test status - **Frontend**: 41/41 ✅ (PersonMentionEditor.svelte 19/19; TranscriptionBlock.svelte 22/22; mentionSerializer 12/12 in server project — all targeted suites) - **Backend**: 94/94 ✅ (PersonServiceTest 49/49; PersonControllerTest 45/45) - **`npm run check`**: zero NEW type errors in files touched by cycle 2 (mentionSerializer.spec.ts has 1 pre-existing error from the original PR's `as PersonMention[]` cast on a `readonly` tuple — unchanged). ### Final commit count on the branch 8 cycle-2 commits on top of the 16 original PR commits = **24 commits total** on `feat/person-mentions-issue-362-frontend-b2`. ### Final verdicts (cycle 3) | Persona | Cycle 1 | Cycle 3 | |---|---|---| | Felix Brandt | Changes requested | ✅ Approved | | Markus Keller | Approved with concerns | Approved with concerns (single carry-over) | | Nora Steiner | Approved with concerns | ✅ Approved | | Sara Holt | Approved with concerns | Approved with concerns (carry-overs only) | | Leonie Voss | Approved with concerns | ✅ Approved | | Tobias Wendt | Approved with concerns | Approved with concerns (carry-overs only) | | Elicit | Approved with concerns | ✅ Approved | **Zero "Changes requested" verdicts. All cycle-1 blockers cleared.** Remaining "Approved with concerns" verdicts cover non-blocking follow-up tech debt that is either out of scope (Tobias's lockfile/CI audit, Sara's E2E push) or properly tracked elsewhere (Markus's ADR, Nora's #374). The PR is ready for the user's manual verification + merge decision. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel merged commit 49443ad16a into main 2026-04-29 16:55:53 +02:00

marcel deleted branch feat/person-mentions-issue-362-frontend-b2 2026-04-29 16:55:55 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#373