fix(a11y): add skip-to-main-content link in layout for keyboard navigation
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- This is a WCAG Level A requirement (2.4.1 — Bypass Blocks). It's not optional. Every keyboard…
fix(security): add Content-Security-Policy headers to SvelteKit responses
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- CSP enforcement can break visual design silently. When Phase 2 enforcement goes live, any inline…
fix(ui): replace localStorage panel state restore with SvelteKit snapshot API to eliminate flash on load
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- The flash is a real problem, not just a polish issue. On first load, the panel briefly appearing…
fix(a11y): replace clickable divs with button elements in PdfViewer and AnnotationLayer
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- This is critical for our senior users. Keyboard navigation is not a niche use case — it's…
refactor(frontend): extract extractErrorCode() helper to eliminate repeated as-unknown-as type assertions
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
No UI/UX concerns from my angle — this is a backend TypeScript utility refactor with no user-facing rendering changes. No visual…
fix(security): enforce maximum file upload size limit
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- Show the limit upfront, not just on error. The upload form should display the maximum file size…
fix(security): add rate limiting to login and password-reset endpoints
🎨 Leonie Voss — UI/UX Designer & Accessibility Strategist
Questions & Observations
- The 429 error must be user-readable, not just an HTTP status code. A family member who has…
fix(a11y): add skip-to-main-content link in layout for keyboard navigation
🏗️ Markus Keller — Application Architect
Questions & Observations
- Trivial change, correct approach. `+layout.svelte` is the right place — one change, every route gets the skip…
fix(security): add Content-Security-Policy headers to SvelteKit responses
🏗️ Markus Keller — Application Architect
Questions & Observations
- `svelte.config.js` `kit.csp` vs manual header injection — use the framework. SvelteKit's built-in CSP support…
fix(ui): replace localStorage panel state restore with SvelteKit snapshot API to eliminate flash on load
🏗️ Markus Keller — Application Architect
Questions & Observations
- The snapshot API is exactly the right tool. It is SvelteKit's native answer to "persist state across same-tab…
fix(a11y): replace clickable divs with button elements in PdfViewer and AnnotationLayer
🏗️ Markus Keller — Application Architect
Questions & Observations
- No architectural concerns. This is a component-internal fix — it doesn't cross module boundaries, doesn't affect…
refactor(frontend): extract extractErrorCode() helper to eliminate repeated as-unknown-as type assertions
🏗️ Markus Keller — Application Architect
Questions & Observations
- Correct placement. `api.server.ts` is the right home — it's the module that wraps all backend communication, so…
fix(security): enforce maximum file upload size limit
🏗️ Markus Keller — Application Architect
Questions & Observations
- `@ControllerAdvice` is the correct mechanism, not `@ExceptionHandler` in a controller. `MaxUploadSizeExceededExcep…
fix(security): add rate limiting to login and password-reset endpoints
🏗️ Markus Keller — Application Architect
Questions & Observations
- Resilience4j over the ConcurrentHashMap alternative. The manual map has no TTL cleanup, no burst tolerance…
fix(a11y): add skip-to-main-content link in layout for keyboard navigation
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
Skip links require a real browser and keyboard simulation — Playwright only, no Vitest.
E2E — Playwright:
t…
fix(security): add Content-Security-Policy headers to SvelteKit responses
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
CSP headers are response-header tests — Playwright is the right layer, not unit tests.
E2E — Playwright (Phase 1):
fix(ui): replace localStorage panel state restore with SvelteKit snapshot API to eliminate flash on load
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
The snapshot API requires a real browser navigation — this cannot be tested with Vitest unit tests. Playwright is the right…
fix(a11y): replace clickable divs with button elements in PdfViewer and AnnotationLayer
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
Component tests (@testing-library/svelte):
it('annotation toggle button is reachable by keyboard', async ()…
refactor(frontend): extract extractErrorCode() helper to eliminate repeated as-unknown-as type assertions
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
This is a pure unit test target — a small, pure function with no side effects.
**Vitest unit tests (extractErrorCode.test.ts…
fix(security): enforce maximum file upload size limit
🧪 Sara Holt — QA Engineer & Test Strategist
Test Strategy
Backend integration test — @SpringBootTest:
@Test
void shouldReturn413WhenFileSizeExceedsLimit() throws…