🚨 BLOCKER — Fragile mixed injection + ReflectionTestUtils hack
⚠️ MAJOR — Notification failure can silently roll back the parent comment
⚠️ MAJOR — Several service method paths are untested
⚠️ MAJOR — notifyMentions() call path has no test coverage
🔵 MINOR — setTimeout(100) magic delay for deep-link scroll is flaky
ℹ️ INFO — Unused method: findByRecipientIdOrderByCreatedAtDesc
🚨 BLOCKER — User enumeration endpoint has no permission check
⚠️ MAJOR — @Transient field + FetchType.LAZY = potential LazyInitializationException at runtime
🔵 MINOR — debounceTimer not cleared on component destroy
⚠️ MAJOR — Stored XSS vector in renderBody: mention display names are not escaped
QA Review — Sara Holt, Senior QA Engineer
🔵 MINOR — relativeTime() returns hard-coded German strings
🔵 MINOR — aria-label="ungelesen" is hard-coded German
🔵 MINOR — <div role="button"> does not handle the Space key
🔵 MINOR — XSS coverage missing in renderBody test suite
🚨 BLOCKER — Architecture violation: direct repository access across domain boundary