🗳️ Decision Queue — Action Required
5 decisions need your input before implementation starts.
Architecture
- Domain coupling: direct call vs. ApplicationEvent.
PersonService…
📋 Elicit — Requirements Engineer
Observations
detectMention()space constraint is an unspecified UX gap. The existingmention.tsfunction kills detection as soon as the query…
🚀 Tobias Wendt — DevOps & Platform Engineer
Observations
- No infrastructure changes required. This feature is entirely application-level — no new Docker services, no new…
🎨 Leonie Voss — UX Designer & Accessibility Strategist
Observations
<button>for navigation is semantically wrong. The spec renders mention links as `<button class="person-mentio…
🧪 Sara Holt — Senior QA Engineer
Observations
propagateDisplayNameChange()has no test plan in the spec, and it is the highest-risk method in this feature. It mutates stored…
🔐 Nora "NullX" Steiner — Application Security Engineer
Observations
- XSS in
renderTranscriptionBody(). The spec generates `{…
👨💻 Felix Brandt — Senior Fullstack Developer
Observations
- CRITICAL:
detectMention()breaks on multi-word person names. I checkedfrontend/src/lib/utils/mention.ts:23: …
🏗️ Markus Keller — Senior Application Architect
Observations
- Cross-domain coupling is inverted. The spec has
PersonService.propagateDisplayNameChange()call `TranscriptionBlockSe…
📋 Elicit — Requirements Engineer
Verdict: ✅ Approved
Requirements coverage
The PR closes #358 and the implementation aligns closely with the feature scope described in the PR…
🎨 Leonie Voss — UX Design & Accessibility
Verdict: ⚠️ Approved with concerns
Critical (WCAG blocker)
1. Delete button touch target: 32px — fails WCAG 2.2 SC 2.5.8
`Relationsh…
⚙️ Tobias Wendt — DevOps & Platform Engineer
Verdict: ✅ Approved
What I checked
This PR adds no changes to docker-compose.yml, CI workflow files, Dockerfile, or infrastructure…
🧪 Sara Holt — QA Engineer
Verdict: ⚠️ Approved with concerns
What's there (and looks good)
🔒 Nora "NullX" Steiner — Security Engineer
Verdict: ✅ Approved
What I checked
Authentication on read endpoints (no @RequirePermission)
The controller comment is explicit:…
🏛️ Markus Keller — Application Architect
Verdict: ✅ Approved
Layer boundaries
RelationshipService→PersonService.getById()/findAllFamilyMembers()/getAllById()—…
👨💻 Felix Brandt — Senior Fullstack Developer
Verdict: ⚠️ Approved with concerns
Blockers
**1. DRY violation: PersonRelationshipsCard.svelte re-implements chipLabel() and…
Round 2 concerns addressed
All 5 open reviewer concerns resolved. Backend: 1413/1413 green. Frontend: 889/889+ pass (3 pre-existing HelpPopover browser-mode flakes unrelated to this…
9b750a0698
docs(stammbaum): document intentional auth design on RelationshipController GET endpoints
eec1b9d1c3
test(stammbaum): prove DELETE and PATCH /family-member return 403 for READ_ALL-only users
7cbf51763f
test(stammbaum): prove GET /api/network and GET /api/persons/{id}/relationships reject unauthenticated requests (401)
b24dc75c60
refactor(stammbaum): use shared chipLabel/otherName from relationshipLabels in both components
S4: A S3: Is the cookie needed anyway? If it's needed, we make HttpOnly false, if its not needed, remove it. Please verify beforehand.
🎨 Leonie Voss — UX Designer & Accessibility Strategist
Verdict: ⚠️ Approved with concerns
The visual design follows the brand system. One WCAG violation that needs fixing before merge.…