fix: resolve top 5 SonarQube issues (weekly sweep)

[devin-ai-integration]

Summary

Weekly SonarQube sweep. Ranked open issues by severity → type → effort → recency and fixed the top 5 (4 CRITICAL + 1 MAJOR). All changes are minimal and scoped to the exact lines flagged.

#	Key	Severity	Rule	Location	Fix
1	AZ1u3HBdEnUkF3fpjVtN	CRITICAL	java:S1948 — Fields in a Serializable class should be transient or serializable	InvalidRequestException.java:7	Marked errors (Spring Errors, not Serializable) as transient.
2	AZ1u3HCaEnUkF3fpjVtj	CRITICAL	java:S1452 — Generic wildcard types should not be used in return types	ArticleApi.java:36	Changed ResponseEntity<?> → ResponseEntity<Map<String, Object>> on article(...).
3	AZ1u3HCaEnUkF3fpjVtk	CRITICAL	java:S1452	ArticleApi.java:45	Changed ResponseEntity<?> → ResponseEntity<Map<String, Object>> on updateArticle(...).
4	AZ1u3HBkEnUkF3fpjVtQ	CRITICAL	java:S1452	CommentsApi.java:41	Changed ResponseEntity<?> → ResponseEntity<Map<String, Object>> on createComment(...).
5	AZ1u3HJJEnUkF3fpjVwb	MAJOR	java:S3415 — Assertion arguments in wrong order	ArticleQueryServiceTest.java:65	Swapped assertEquals(fetched.getFavoritesCount(), 0) → assertEquals(0, fetched.getFavoritesCount()).

./gradlew test passes locally.

./gradlew spotlessCheck fails on both this branch and master due to a pre-existing JDK 17 incompatibility between Spotless 6.2.1 / Google Java Format and the jdk.compiler module (IllegalAccessError on com.sun.tools.javac.parser.Tokens$TokenKind). Not introduced by this PR. The repo has no CI workflows, so this does not block merging, but the underlying tooling should probably be upgraded in a follow-up.

Review & Testing Checklist for Human

• Confirm that the narrowed return type ResponseEntity<Map<String, Object>> in ArticleApi / CommentsApi is acceptable. The existing bodies are HashMap<String, Object> subclasses, so this compiles and serializes identically, but if any caller/consumer depends on the raw/wildcard type at the source level (e.g., other controllers, tests, or tooling), double-check it still compiles.
• Confirm that making InvalidRequestException.errors transient is acceptable. If the exception ever gets serialized (e.g., distributed caches, session replication), the validation errors will be null after deserialization. In practice this exception is only thrown/caught within a single JVM via @ControllerAdvice, so this should be safe.
• Sanity-check that ./gradlew test still passes in your environment.

Notes

• Only the 5 selected issues were fixed; the remaining S1452 / S1948 / S3415 occurrences are untouched and will appear in future sweeps.
• Spotless formatting was not re-run because the tool is broken under JDK 17 in this repo; the edits preserve existing formatting line-for-line, so Google Java Format compliance should be unchanged.

Link to Devin session: https://app.devin.ai/sessions/24d4dee58c10454a8966573cd192f2d8
Requested by: @choikh0423

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.