Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/Backend/01`. backend-convention.md:
- Line 5: The markdown headers (e.g., "## 1) 네이밍 규칙") violate markdownlint MD022
because they lack a blank line before and/or after the header; add a single
empty line above and a single empty line below each header occurrence (including
the headers at the specified locations such as the "## 1) 네이밍 규칙" header and the
other headers referenced) so every header has a blank line separating it from
surrounding content to resolve the lint warnings.

In `@docs/Fontend/01`. frontend_architecture.md:
- Line 42: Headings in the document (e.g., "### 1. 프로젝트 기반 및 환경 설계" and the
other headings referenced at lines 47, 52, 87, 92, 97, 102, 108) violate MD022;
ensure each heading is surrounded by a single blank line above and below it
(i.e., insert an empty line before the heading if missing and an empty line
after the heading), apply this consistently for the listed headings so
markdownlint no longer emits the MD022 warning.

In `@docs/Plan/01`. searchweb_PRD.md:
- Around line 71-72: Remove extra blank lines and stray spaces immediately
before and after Markdown headers and fenced code blocks to satisfy markdownlint
rules MD022 and MD031; specifically edit the sections containing the bullet
lines "* 저장된 링크 중 AI 태그 포함 비율 **60% 이상**" and "* AI 추천 태그 채택률 **50% 이상**" (and
the repeated occurrences at the other noted ranges) so there is exactly one
blank line separating headers/fences from surrounding content and no trailing or
leading spaces adjacent to header/fence markers.

In `@docs/Plan/02`. kpi_measurement_design.md:
- Line 53: PAGE_VIEW is defined as an anonymous Frontend event but the events
table has a member_id NOT NULL constraint, which prevents storing anonymous
events; either make member_id nullable in the schema (remove or change the NOT
NULL constraint on member_id in the events table) so PAGE_VIEW can be saved
without a user, or change the PAGE_VIEW definition to require authenticated
users and ensure Frontend supplies member_id for that event; update the schema
constraint and/or the PAGE_VIEW event definition (and any ingestion validation)
so both definitions are consistent.
- Line 6: Replace the absolute file:// link on the line containing the markdown
link text "searchweb_PRD.md" with a repository-relative path so the link works
in CI/review environments; change `file:///e:/.../searchweb_PRD.md` to a
relative link like `../Plan/searchweb_PRD.md` (or the correct relative path from
docs/Plan/02. kpi_measurement_design.md to the searchweb_PRD.md file) and ensure
the markdown link syntax remains valid.

In `@frontend/next.config.ts`:
- Around line 5-11: The rewrite currently hardcodes destination
'http://localhost:8080' in async rewrites(), which breaks in non-dev
environments; change rewrites() to read the backend base URL from an environment
variable (e.g. process.env.BACKEND_URL) and, if that env var is unset or empty,
return an empty array to disable the rewrite; when set, build the rule using
source '/api/:path*' and destination `${backendUrl}/api/:path*` (ensure
backendUrl includes protocol) so the rewrite works per-environment.

In `@frontend/README.md`:
- Line 1: Add a top-level H1 header as the very first line to satisfy
markdownlint MD041 (e.g., insert a line starting with “# ” above the current
Line 1 content in README.md) so the document begins with a single H1 heading
before the existing paragraph.
- Around line 19-21: The README's template lines reference the wrong entry path
and font; update the sentence that mentions `app/page.tsx` to point to the
actual entry `src/app/page.tsx` (or the project's current app entry) and replace
the `next/font`/Geist description with the actual font setup used in this repo
(Inter via the project's configured method, e.g., `next/font` import of Inter or
local font configuration), ensuring the wording matches the repo's `src/app/*`
structure and the imported font name `Inter` so newcomers won't be misled.

In `@frontend/src/app/globals.css`:
- Around line 125-141: There are two separate `@theme` inline blocks (one
containing variables like --color-primary, --color-background-dark,
--color-text-main, etc. and the other shown here) — merge them into a single
`@theme` inline block that contains the union of all CSS custom properties, remove
the duplicate block, dedupe any repeated variables (keep the intended value),
and preserve ordering/comments so all theme variables (e.g., --color-primary,
--color-primary-dark, --color-background-light, --color-sidebar-dark,
--color-text-secondary-dark) are maintained in one place.

In `@frontend/src/app/layout.tsx`:
- Around line 28-31: Replace the inline Google Fonts <link> in the <head> of the
RootLayout component (the <head> block in frontend/src/app/layout.tsx) with
Next.js font handling: remove the external <link> and either (a) configure the
Material Symbols via next/font (or the new metadata/font entry) to leverage
automatic optimization and self-hosting, or (b) download the variable Material
Symbols font files, add them to /public or import them as local fonts with
next/font/local, then reference that local font in RootLayout so the font is
loaded and applied via the exported font object rather than an external <link>;
if you must keep the Google-hosted variable font, add a clear comment explaining
the variable-font rationale and ensure preconnect or font-display strategies are
configured in metadata.

In `@frontend/src/app/login/page.tsx`:
- Around line 28-30: Two buttons in the login page component (the mobile menu
button with className "md:hidden text-white" containing the "menu" material icon
and the other button near the bottom of the file) are missing an explicit type
and trigger lint errors; update both button elements to include type="button"
(instead of relying on default submit behavior) so they don’t submit forms
unintentionally and lint warnings are resolved.
- Around line 163-179: Replace the two raw <input> elements with the shared
Input component from frontend/src/components/ui/input.tsx to avoid duplicated
styling; import Input and use it for the email and password fields (e.g., <Input
id="email" placeholder="이메일을 입력하세요" type="email" autoComplete="off" /> and
<Input id="password" placeholder="••••••••" type="password" autoComplete="off"
/>), passing the same id/placeholder/type/autoComplete props and any needed
className or other props supported by Input (ensure Input forwards refs/props if
required) and remove the duplicated long className string from these files so
styling is maintained centrally.
- Line 21: The anchor elements using href="#" (e.g., the <a
className="text-white/90 hover:text-white text-sm font-medium
transition-colors"> element with text "문의하기" and the two other similar anchors)
cause accessibility/lint errors; replace each placeholder anchor either with a
proper route/link (e.g., Next.js <Link> or a real href to the intended page) or,
if the target is not implemented yet, convert the element to a <button
type="button"> with the same className and click handler to avoid invalid
navigation; update the three occurrences accordingly (the three <a href="#">
anchors in the login page JSX).
- Around line 141-146: The inline SVG has no accessible title for screen
readers; update the <svg> element (the Google logo SVG in the login page) to
include a <title> with a unique id (e.g., "google-logo-title") and add
aria-labelledby="google-logo-title" (and role="img" if not present) on the
<svg>, ensuring the title string describes the image (e.g., "Sign in with Google
logo").

In `@frontend/src/app/my-links/page.tsx`:
- Around line 68-86: The clickable folder tile currently uses a plain <div> with
onClick (key symbols: setSelectedFolderId and folder.memberFolderId) which lacks
keyboard and screen-reader accessibility; replace the div with a semantic
interactive element (preferably a <button> or a focusable role="button" element)
or add keyboard handlers and ARIA attributes: ensure the element is focusable
(tabindex if not using button), handle Enter/Space keydown to call
setSelectedFolderId(folder.memberFolderId), and add an accessible
name/aria-label and appropriate role to announce it to assistive tech while
preserving the existing className and visual styling (keep PINNED_COLORS usage
and inner structure).
- Around line 36-57: Several <button> elements in
frontend/src/app/my-links/page.tsx (e.g., the buttons containing the span icons
"search", "tune", "inventory_2", "mark_email_unread", "priority_high", "today"
and the other tag-styled buttons) are missing an explicit type attribute and
default to "submit"; add type="button" to each of these <button> elements so
they don't unintentionally submit forms. Locate the button elements by their
className patterns or the unique span material-symbols-outlined contents and add
type="button" to each instance listed in the review.
- Around line 166-186: The folder card div rendered in the folders?.map loop is
clickable via onClick but lacks keyboard accessibility; update the div (keyed by
folder.memberFolderId) to include role="button", tabIndex={0}, and an onKeyDown
handler that invokes setSelectedFolderId(folder.memberFolderId) when the user
presses Enter or Space (check e.key === 'Enter' or e.key === ' ' / keyCode
13/32) so keyboard users can activate the folder; ensure existing onClick
handler remains and don't change the more_horiz <button> element.

In `@frontend/src/app/page.tsx`:
- Around line 61-66: The inline SVG used in frontend/src/app/page.tsx (the
decorative Google-style icon SVG in the JSX) needs accessibility attributes:
mark it as purely decorative by adding aria-hidden="true" to the <svg> element
(or alternatively add a <title> and role="img" with an appropriate label if it
conveys information). Locate the SVG block (the <svg width="14" height="14"
viewBox="0 0 24 24"> ...</svg>) and update the element to include
aria-hidden="true" (or replace with <title> + role="img" if the icon is
informative).
- Line 26: Several <button> elements in page.tsx (e.g., the one with className
"md:hidden text-white" and the other buttons at the referenced locations) are
missing a type attribute which can cause unintended form submits; update each
bare <button> (search for buttons without a type in frontend/src/app/page.tsx,
including the "md:hidden text-white" button and the buttons near the other
referenced locations) to include type="button" so they do not act as implicit
submit buttons.
- Line 19: Replace the dummy href="#" on the "문의하기" anchor(s) with the real
target or proper behavior: locate the anchor element(s) with className
"text-white/90 hover:text-white text-sm font-medium transition-colors" and link
text "문의하기" (also the same occurrences around lines 292-294) and update them to
point to the correct route or external URL, or if they trigger a JS action
(modal/form) convert them to a <button> with appropriate role/aria attributes
and event handler; ensure accessibility by providing an explicit href or proper
ARIA attributes and keyboard interaction.
- Line 1: 현재 파일 상단의 "use client" 디렉티브를 삭제하세요; 이 페이지는 상태, 이펙트, 이벤트 핸들러가 없고 네비게이션이
NextLink 및 <a> 태그로만 이루어져 있으므로 클라이언트 런타임이 불필요합니다. "use client"를 제거한 뒤
useState/useEffect 등 클라이언트 전용 훅이나 브라우저 전용 API가 임포트되어 있지 않은지 확인하고, 버튼들에 onClick
핸들러가 전혀 없는지(모든 버튼이 정적 링크용인지) 검증하여 서버 컴포넌트로 유지하세요. 마지막으로 Tailwind 기반 호버/애니메이션만
사용하는지 확인하고, 필요없다면 어떤 추가 변경 없이 디렉티브만 제거하면 됩니다.

In `@frontend/src/components/dialogs/CreateFolderDialog.tsx`:
- Around line 88-96: The label in CreateFolderDialog.tsx isn't associated with
the input, so update the <label> and <input> pair to be accessible: either give
the input a unique id (e.g., id="folder-name") and add htmlFor="folder-name" to
the existing <label>, or wrap the <input> inside the <label> element; ensure the
value is still bound to folderName and onChange uses setFolderName.
- Around line 75-78: Buttons in the CreateFolderDialog JSX are missing an
explicit type which can cause unintended form submissions; locate the button
elements (e.g., the one with onClick={() => toggleCreateFolderDialog(false)} and
the other Cancel/close buttons inside the CreateFolderDialog component) and add
type="button" to each button element to prevent them from acting as submit
buttons.
- Around line 28-30: The component defines selectedIcon, selectedColor, and
isPinned but handleCreateFolder and the CreateFolderRequest type do not include
them; update the CreateFolderRequest interface to include icon: string, colorId:
string, and pinned: boolean (matching selectedIcon, selectedColor, isPinned) and
modify handleCreateFolder to include these fields in the payload sent to the API
(e.g., payload.icon = selectedIcon, payload.colorId = selectedColor,
payload.pinned = isPinned); if the backend doesn’t yet accept these fields,
either remove the unused state variables (selectedIcon, selectedColor, isPinned)
or coordinate with the backend to add support and handle validation/defaults
accordingly.

In `@frontend/src/components/dialogs/SaveLinkDialog.tsx`:
- Line 199: The label elements inside the SaveLinkDialog component (e.g., the
"URL" label and the other standalone labels) are not associated with input
controls and should be fixed for accessibility: either replace these purely
decorative/section-heading label tags with non-form elements like <p> or <span>,
or connect them to their corresponding inputs by adding htmlFor attributes that
match the input id attributes (ensure each input has a unique id). Locate these
labels within SaveLinkDialog.tsx and apply one of the two fixes consistently for
the labels at the same spots to eliminate misleading, unpaired <label> elements.
- Around line 281-285: The interactive folder tiles in SaveLinkDialog (the divs
keyed by folder.memberFolderId and using styles.folderTile with onClick that
calls setSelectedFolderId) are not keyboard-accessible; replace those clickable
divs with semantic <button> elements (or add role="button", tabIndex={0}, and
handle onKeyDown to trigger the same setSelectedFolderId logic) and ensure
aria-pressed/aria-selected reflects isActive; update all occurrences (the tiles
at the blocks around the setSelectedFolderId usage: the one using
folder.memberFolderId and the other similar tiles at the commented ranges) so
they are focusable, keyboard-operable, and maintain the same styling (apply
styles.folderTile and styles.folderTileActive to the button).
- Around line 64-85: The effect can apply an out-of-date analyzeUrlMutation
response to displayTitle when a previous request resolves after a newer URL; to
fix, track the latest request (e.g., store current url or an incrementing
requestId in a ref) before calling analyzeUrlMutation.mutate and, in the
onSuccess callback of analyzeUrlMutation.mutate, verify the response belongs to
the current request (compare the saved url or requestId) before calling
setDisplayTitle; touch the useEffect, analyzeUrlMutation.mutate call, and the
onSuccess handler (and use isTitleEdited/displayTitle checks as already present)
so only the latest URL’s title updates displayTitle.

In `@frontend/src/components/layout/Header.tsx`:
- Around line 16-24: The two plain <button> elements in Header (the
notifications button and the dark mode toggle which uses onClick={() =>
document.documentElement.classList.toggle('dark')}) are missing an explicit
type, causing them to default to type="submit" inside forms; update both button
elements to include type="button" to prevent accidental form submission while
preserving their existing className and onClick behavior.

In `@frontend/src/components/layout/Sidebar.tsx`:
- Around line 73-89: Add explicit type="button" attributes to the buttons to
avoid accidental form submissions: update the button that calls
useUIStore.getState().toggleCreateFolderDialog(true) and the button rendered
inside pinnedFolders.map that calls setSelectedFolderId(folder.memberFolderId)
so both have type="button"; this affects the elements associated with the
symbols useUIStore.getState().toggleCreateFolderDialog, pinnedFolders.map,
setSelectedFolderId and preserves existing className and handlers.

In `@frontend/src/components/my-links/FolderCard.tsx`:
- Around line 20-22: The dynamic Tailwind class group-hover:${color} in
FolderCard.tsx won’t be picked up by Tailwind JIT; replace it by mapping the
color prop to explicit Tailwind classes (e.g., a hoverClass map keyed by the
color values and returning strings like "group-hover:bg-blue-500"), or compute
the hover background via inline style if the color is arbitrary, or add the
possible patterns to tailwind.config.js safelist; update the JSX that builds the
container div (the element rendering {icon || <Folder size={20}/>}) to use the
resolved hover class name (or inline style) instead of the runtime-interpolated
group-hover:${color}.

In `@frontend/src/components/my-links/RightPanel.tsx`:
- Around line 204-214: The clickable card currently implemented as a <div> with
onClick in the RightPanel component is not keyboard accessible; update the
element(s) referenced by itemRef in the RightPanel (the card/folder/tag click
handlers around the current onClick blocks) to be a native <button> where
possible, or if you must keep a non-semantic element keep role="button",
tabindex={0} and add keyDown handler that triggers the same logic for Enter and
Space (mirroring the onClick behavior including bulk-select via onToggleSelect
and opening link.originalUrl), and ensure you preserve the className styling and
ARIA attributes (e.g., aria-pressed or aria-label) so keyboard and screen-reader
users get equivalent behavior.
- Around line 876-879: The bulk-delete handler fires
deleteBookmarkMutation.mutate for each id then immediately calls exitBulkMode(),
which hides failures; change to await the async deletions before exiting bulk
mode by using the mutation's async variant (e.g.,
deleteBookmarkMutation.mutateAsync) or return Promises and use
Promise.allSettled on selectedLinkIds.map(id =>
deleteBookmarkMutation.mutateAsync(id)), handle any rejections (show an error
toast or aggregate failures) and only call exitBulkMode() after
successful/settled results so partial failures are surfaced to the user;
reference selectedLinkIds, deleteBookmarkMutation.mutate/mutateAsync, and
exitBulkMode when making the change.
- Around line 150-153: The key handler treates both Enter and Escape as commit;
change handleNoteKeyDown so Enter calls handleNoteEditComplete() but Escape
performs a cancel-and-exit flow: restore the original note value (e.g., reset
the edit input state to the saved/original note copy) and close edit mode
instead of committing; call an existing cancel helper (create one if missing,
e.g., handleNoteEditCancel()) from handleNoteKeyDown for e.key === 'Escape' and
ensure it reverses any temp state and exits editing rather than invoking
handleNoteEditComplete().
- Around line 937-940: The onClick currently only calls
setIsMoveModalOpen(false) and exitBulkMode() but never invokes the move API or
updates the selected bookmarks' memberFolderId; modify the handler to call the
existing move function (e.g., moveBookmarks or moveSelectedItems) passing the
selected bookmark IDs (e.g., selectedBookmarkIds or selectedItems) and the
target folder id, update local state/Redux to set memberFolderId on those
bookmarks (or perform optimistic update), handle API success/failure (rollback
or show error), and only then close the modal with setIsMoveModalOpen(false) and
call exitBulkMode() after success (or still exit on cancel/error as
appropriate). Ensure you reference setIsMoveModalOpen and exitBulkMode in the
updated handler and include error handling/logging for the API call.
- Around line 311-318: The button in the RightPanel component (the inline
element that uses isFolderDropdownOpen and setIsFolderDropdownOpen) and other
button elements in this file lack an explicit type, which defaults to "submit"
in forms; update each <button> (including the one toggling the folder dropdown
that calls setIsFolderDropdownOpen and stops propagation) to include
type="button" to prevent accidental form submission if the component is later
rendered inside a form.

In `@frontend/src/components/ui/popover.tsx`:
- Around line 58-64: PopoverTitle currently types its props as
React.ComponentProps<"h2"> but renders a <div>, breaking semantic structure;
update the PopoverTitle component (function PopoverTitle) to render an <h2>
element instead of a <div> so the rendered element matches the declared props
and accessibility semantics, preserving the data-slot="popover-title", className
handling (cn("font-medium", className)) and spreading {...props} exactly as
before.

In `@frontend/src/lib/api/fetchClient.ts`:
- Around line 28-34: The current fetchClient code calls response.json()
unconditionally which will throw on 204 No Content; update the logic in the
function that parses the response (the block that assigns const json:
ApiResponse<T> = await response.json()) to first check for a no-content response
(e.g., if (response.status === 204 || response.headers.get('content-length') ===
'0') return undefined as unknown as T) and only call response.json() when there
is a body, so functions like deleteFolder that expect void/undefined won't error
on 204 responses.

In `@frontend/src/lib/api/folderApi.ts`:
- Around line 29-33: deleteFolder currently returns fetchClient<void>(...) which
can trigger JSON parse errors on 204/empty responses; change deleteFolder to
await the DELETE call and return void explicitly (e.g. await
fetchClient(`/api/folders/${folderId}`, { method: 'DELETE' }); return;), and
ensure fetchClient.ts is updated to treat empty/204 responses as no-content (do
not attempt JSON.parse on empty body). Reference functions: deleteFolder and
fetchClient (in fetchClient.ts).

In `@frontend/src/lib/auth/currentUser.ts`:
- Line 3: TEMP_MEMBER_ID is a hardcoded fallback member id that can cause all
unauthenticated requests to act as the same user; replace this by reading a
dev-only fallback from an env/config (e.g. DEV_FALLBACK_MEMBER_ID) and ensure
the code throws or returns no identity in production when no real auth is
present (check process.env.NODE_ENV === 'production' or an equivalent runtime
flag), and update any usages of TEMP_MEMBER_ID to use the new getter (e.g.
getFallbackMemberId()) so the fallback is only applied when NODE_ENV !==
'production' and the fallback env var is explicitly set.

In `@frontend/src/lib/store/linkStore.ts`:
- Around line 19-48: Extract the default filter object into a single constant
and reference it from the store to avoid duplication: create a const (e.g.,
DEFAULT_FILTERS) containing { searchQuery: '', selectedTags: [], sortType:
'latest' } and use it when initializing useLinkStore's filters and inside
clearFilters; ensure toggleTagFilter, setSearchQuery and setSortType still
spread state.filters (e.g., ...state.filters) so they merge correctly with
DEFAULT_FILTERS rather than hardcoding values.

In `@frontend/src/lib/types/apiResponse.ts`:
- Around line 2-9: Current ApiResponse<T> declares data: T always but backend
sends data: null on failures; convert ApiResponse to a discriminated union so
success=true carries data: T and error:null, and success=false carries data:null
and a populated error object (e.g., union of { success: true; data: T; error:
null } | { success: false; data: null; error: { code: string; message: string }
}). Update the ApiResponse type alias (replacing the existing interface) and
adjust any call sites that rely on ApiResponse<T> (e.g., consumers in
fetchClient.ts) to narrow on the success property before accessing data or
error.

In `@frontend/src/lib/types/bookmark.ts`:
- Line 23: The Bookmark types are inconsistent: BookmarkResponse currently uses
tags: string[] while the request interfaces
(CreateBookmarkRequest/UpdateBookmarkRequest) use tags?: string; make the
contract consistent by changing CreateBookmarkRequest and UpdateBookmarkRequest
to use tags?: string[] (or alternatively change BookmarkResponse to string if
you prefer backend shape) and add explicit serialization/deserialization where
network I/O occurs: when sending requests convert the tags string[] to the
backend-expected delimiter-separated string, and when receiving responses parse
the backend tags string into a string[] so BookmarkResponse consumers always get
string[].

In `@frontend/src/lib/types/folder.ts`:
- Around line 14-16: The CreateFolderRequest type currently exposes
ownerMemberId allowing clients to set ownership; remove ownerMemberId from the
client-facing type and ensure the server derives the owner ID from the
authenticated principal instead. Change the CreateFolderRequest interface to
only include parentFolderId (and other non-auth fields), update any places
constructing or accepting CreateFolderRequest (types/usages) to stop passing
ownerMemberId, and modify server-side controller/handler that reads
CreateFolderRequest to assign ownerMemberId from the authenticated user context
rather than from the request body.

In `@frontend/src/lib/types/tag.ts`:
- Around line 9-11: The CreateTagRequest type currently exposes ownerMemberId
which enables authorization bypass; remove ownerMemberId from CreateTagRequest
and only send tagName from the frontend, then ensure the backend’s
MemberTagController.create uses the authenticated principal (e.g.,
create(`@AuthenticationPrincipal` memberId, req.getTagName()) calling
memberTagService.create(memberId, tagName)) instead of trusting
request.ownerMemberId, and also add ownership checks in
MemberTagController.update() and MemberTagController.delete() to validate the
authenticated member owns the tag before calling memberTagService.update/delete.

In
`@src/main/java/com/web/SearchWeb/bookmark/controller/BookmarkApiController.java`:
- Around line 45-54: The duplicated temporary authentication bypass in
BookmarkApiController (the block setting memberId = 1L when currentUser is null
or "anonymousUser") should be removed from each endpoint and replaced with a
single helper method (e.g., resolveMemberId(currentUser) or
ensureAuthenticated(currentUser)) or handled via AOP around controller methods;
implement resolveMemberId to return the real ID by calling
getMemberId(currentUser), return an Optional or throw an appropriate exception
(Forbidden) when no ID, and ensure the temporary memberId = 1L bypass is
eliminated and flagged so it is not present in production.
- Around line 199-206: The analyzeUrl endpoint in BookmarkApiController (method
analyzeUrl) calls bookmarkService.extractTitle(url) without authentication or
URL safety checks, exposing an SSRF risk; restrict access by requiring
authenticated users (e.g., add `@PreAuthorize`("isAuthenticated()") or use
`@AuthenticationPrincipal` on the controller method) and harden extractTitle in
the BookmarkService to validate URLs before making requests (implement
allowlist/denylist, disallow private/internal IP ranges and localhost/metadata
IPs, and reject non-http(s) schemes); update tests to cover rejected unsafe URLs
and authorized access only.

In `@src/main/java/com/web/SearchWeb/bookmark/dao/MybatisBookmarkDao.java`:
- Around line 109-110: Rename the method parameter from url to canonicalUrl in
MybatisBookmarkDao.selectLinkByCanonicalUrl to make intent clear: change the
signature public Link selectLinkByCanonicalUrl(String url) to use String
canonicalUrl and pass canonicalUrl into
mapper.selectLinkByCanonicalUrl(canonicalUrl); also update any local usages and
callers/overloads that reference this parameter name (or adjust tests) so names
remain consistent with the method purpose.

In `@src/main/java/com/web/SearchWeb/bookmark/service/BookmarkServiceImpl.java`:
- Around line 279-299: The extractTitle method (and the other Jsoup.connect
usage around lines 335-338) currently accepts user-provided URLs directly and
can cause SSRF and NPE; before calling Jsoup.connect or extractYoutubeTitle,
validate the input for null/blank and parse it with URI/URL to ensure a safe
scheme (only http/https), then resolve the hostname to IP(s) and block any
loopback, link-local, site-local, multicast, unspecified, or known metadata
addresses (e.g., 169.254.169.254) and private ranges; if any check fails, reject
the URL with an error. Apply the same validation/check function to both
extractTitle and the other methods that call Jsoup.connect, and only then
proceed to fetch; log validation failures and avoid attempting the fetch to
prevent SSRF.

In `@src/main/resources/application.properties`:
- Line 13: Remove the global DEBUG setting for the application package by
changing the default application.properties so it does not set
logging.level.com.web.SearchWeb=DEBUG (leave it as INFO or unset), and move the
DEBUG line into a profile-specific file (e.g., application-dev.properties or
application-local.properties) so that logging.level.com.web.SearchWeb=DEBUG is
only active for dev/local profiles; update documentation or README to mention
activating the dev/local profile to enable DEBUG.

---

Outside diff comments:
In `@src/main/java/com/web/SearchWeb/bookmark/service/BookmarkServiceImpl.java`:
- Around line 187-208: getOrCreateLink has a race between
selectLinkByCanonicalUrl and insertLink that can cause duplicate-insert
exceptions; wrap the insert (bookmarkDao.insertLink(newLink)) in a try/catch for
the database uniqueness exception (e.g., DataIntegrityViolationException or the
specific duplicate-key exception used) and on catch re-query
bookmarkDao.selectLinkByCanonicalUrl(canonicalUrl) and return that existing
Link; keep the original successful return path for the newly inserted Link and
ensure canonicalUrl/newLink/insertLink/selectLinkByCanonicalUrl are the
referenced symbols to locate the change.
- Around line 217-224: BookmarkServiceImpl currently normalizes the URL via
normalizeUrl and fetches Link with
bookmarkDao.selectLinkByCanonicalUrl(canonicalUrl) but then calls
bookmarkDao.checkBookmarkExistsByUrl(memberId, url) which has no MyBatis mapping
and risks mismatch; fix by adding a proper SQL mapper in
src/main/resources/mapper/bookmark-mapper.xml and change the service to reuse
the found Link (e.g., call a new checkBookmarkExistsByLinkId(memberId, linkId)
mapped in bookmark-mapper.xml) or alternatively add a
checkBookmarkExistsByCanonicalUrl(memberId, canonicalUrl) SQL mapping and call
that from BookmarkServiceImpl so the lookup is consistent with
selectLinkByCanonicalUrl.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@build.gradle`:
- Line 37: The added dependency implementation 'org.jsoup:jsoup:1.17.2' is
appropriate and safe for HTML title extraction; no functional change required,
but add a short TODO or upgrade note near the dependency declaration
(implementation 'org.jsoup:jsoup:1.17.2') to consider bumping to 1.21.2+ in the
future for improved XSS/ReDoS protections and note that current version includes
patches for CVE-2022-36033 and CVE-2021-37714.

In `@docs/Plan/02`. kpi_measurement_design.md:
- Around line 711-719: Update the fenced code block that begins with
"┌─────────────────────────────────┐" (the "Daily KPI Batch (매일 03:00)" ASCII
diagram) to include a language identifier on the opening fence (e.g., change ```
to ```text) so the Markdown linter recognizes the block language and enables
proper syntax highlighting; ensure only the opening fence is changed and the
closing ``` remains the same.

In `@frontend/.gitignore`:
- Line 34: 현재 .gitignore에 있는 `.env*` 규칙이 샘플 파일까지 무시하므로 `.env.example`가 제외되지 않도록
예외 규칙을 추가하세요: 수정 대상은 frontend/.gitignore의 기존 `.env*` 항목이며, 그 아래에 `.env.example`을
허용하는 부정 패턴을 추가하여 샘플 환경파일이 깃에서 관리되도록 만드세요 (즉, `.env*`는 유지하되 `.env.example`은 무시
대상에서 제외).

In `@frontend/package.json`:
- Line 19: package.json shows "next": "16.1.6" while the frontend architecture
doc states "Next.js 15 (App Router)"; either update the doc to reflect Next.js
16 or change the "next" field in package.json to the intended 15.x version.
Locate the "next" entry in package.json and the architecture documentation
mentioning "Next.js 15 (App Router)" and make them consistent, and if upgrading
to 16 keep any migration notes (App Router compatibility) and update
README/changelog accordingly.

In `@frontend/src/app/layout.tsx`:
- Line 32: The global body element in layout.tsx sets overflow-hidden which
blocks page scrolling; remove the overflow-hidden token from the body class
string in layout.tsx and instead apply scroll-lock only to the specific shell
container(s) that require it (for example the AppShell, Sidebar, or Header
wrapping element), or conditionally apply overflow-hidden when a
modal/side-drawer is open; update the class on the element(s) (e.g., AppShell or
the div that currently controls layout) to manage overflow and preserve h-screen
and transition classes on body.

In `@frontend/src/app/my-links/page.tsx`:
- Around line 105-139: Replace direct getState() calls with hooked actions:
instead of calling useUIStore.getState().toggleCreateFolderDialog(true) and
useUIStore.getState().toggleSaveLinkDialog(true) inline, pull the actions from
the hook at the top of the component (e.g., const toggleCreateFolderDialog =
useUIStore(s => s.toggleCreateFolderDialog) and const toggleSaveLinkDialog =
useUIStore(s => s.toggleSaveLinkDialog)) and call those functions in the button
onClick handlers; this keeps usage consistent with the existing hook pattern and
avoids mixing getState() with hook selectors.

In `@frontend/src/components/dialogs/CreateFolderDialog.tsx`:
- Line 104: The <label> elements inside the CreateFolderDialog component that
are not tied to form controls (e.g., the "Appearance" label at the reported
locations) should be changed to a semantic section header element such as <p> or
<span> so they aren't misinterpreted as control labels; update the two
occurrences (the "Appearance" label and the similar one around line 134) by
replacing the <label> tags with <p> (or <span>) while preserving the existing
classes (e.g., "text-sm font-semibold text-gray-700 dark:text-gray-200") and
surrounding structure so styling stays the same and accessibility semantics are
correct.

In `@frontend/src/components/dialogs/SaveLinkDialog.tsx`:
- Around line 155-156: Remove the client-supplied ownerMemberId (and
TEMP_MEMBER_ID usage) from the tag creation payload in SaveLinkDialog.tsx;
instead send only the tagName (e.g., { tagName: tagName.trim() }) and let the
server determine the owner from the authenticated request context. Update the
API call invocation (the function/method that receives this object) and any
related TypeScript types/interfaces to no longer require ownerMemberId so the
client cannot override ownership.
- Line 199: The review flags multiple standalone <label> elements in
SaveLinkDialog.tsx (e.g., the "URL" label at the label with className "block
text-[10px] font-extrabold text-slate-500 uppercase tracking-widest" and other
similar labels at the other noted positions) that are not associated with form
controls; fix by either replacing these decorative/section-title labels with
non-semantic elements (span or p) or by properly linking each label to its input
using htmlFor on the label and a matching id on the corresponding input (update
the relevant JSX for the URL, and the other occurrences at the noted positions
in SaveLinkDialog component). Ensure accessibility by choosing one of those two
approaches consistently across all listed occurrences.
- Around line 281-285: Replace the clickable divs used for folder tiles with
semantic buttons to restore keyboard accessibility: change the element that
currently uses key={folder.memberFolderId} onClick={() =>
setSelectedFolderId(isActive ? null : folder.memberFolderId)}
className={`${styles.folderTile} ${isActive ? styles.folderTileActive : ''}
group`} to a <button type="button"> while preserving the same key, onClick
handler, and className (and any children/attributes). Do the same replacement
for the other occurrences that render folder tiles (the blocks referenced around
the other ranges) so that all interactive folder items use button type="button"
instead of div.
- Around line 64-85: The effect calls analyzeUrlMutation.mutate on every url
change causing race conditions where slower responses overwrite newer titles;
modify the useEffect (and related hooks) to debounce the analyzeUrlMutation call
(e.g., 200–500ms) and ensure only the latest response updates state by tracking
request identity or comparing the response against the current url before
calling setDisplayTitle. Keep the immediate domain fallback
(setDisplayTitle(domain)) and the isTitleEdited guard, but replace the direct
analyzeUrlMutation.mutate call with a debounced invocation (use a timeout ref or
a requestId ref) and cancel/ignore previous pending responses so
analyzeUrlMutation.mutate and its onSuccess only setDisplayTitle when the
response matches the latest url/requestId.

In `@frontend/src/components/layout/Header.tsx`:
- Around line 19-23: In Header component replace the direct DOM toggle in the
onClick handler (document.documentElement.classList.toggle('dark')) with a
React-driven theme state: use a theme provider or next-themes' useTheme (or a
ThemeContext) to read/set theme and guard updates until after mount (e.g., check
mounted flag or useEffect) to avoid SSR hydration mismatches; update the
button's onClick to call the theme setter (e.g., setTheme or toggleTheme) and
remove any direct document.documentElement manipulation so theme state and UI
stay synchronized.

In `@frontend/src/components/my-links/RightPanel.tsx`:
- Line 47: Replace the loose any[] type on the RightPanel component prop
`folders` with the concrete interface/array type `FolderResponse[]` (or the
correct exported type name) so TypeScript can catch field-access mistakes;
update the prop/interface/type declaration that mentions `folders?: any[]` to
`folders?: FolderResponse[]` and import or declare `FolderResponse` where
`RightPanel` (or its props type) is defined.
- Around line 210-212: Validate and sanitize data.link.originalUrl before
calling window.open in RightPanel (where the current branch uses
window.open(data.link.originalUrl,...)); use the URL constructor to parse the
string and only allow protocols 'http:' or 'https:' (reject or no-op for other
schemes), and pass the validated URL string to window.open with the same target
and features ('_blank', 'noopener,noreferrer') to prevent opening malicious
schemes.
- Around line 877-879: The current loop calls deleteBookmarkMutation.mutate for
each id and immediately calls exitBulkMode(), which hides partial failures;
instead, perform asynchronous deletions and wait for results before exiting bulk
mode: use deleteBookmarkMutation.mutateAsync (or collect mutation promises) for
each id, await Promise.allSettled on those promises, count failures, and then
handle failures (show notification and/or trigger retries for failed ids) before
calling exitBulkMode(); reference selectedLinkIds,
deleteBookmarkMutation.mutateAsync (or mutate), and exitBulkMode() to locate and
update the code path.
- Around line 204-214: The clickable container div (referenced by itemRef in
RightPanel.tsx with the onClick that uses isBulkEditMode, onToggleSelect,
data.bookmarkId, isNoteEditing, isTitleEditing, data.link?.originalUrl) is not
keyboard-accessible; change this element to a semantic <button> (or if keeping a
div, add role="button", tabIndex={0} and an onKeyDown handler) so keyboard users
can activate it with Enter/Space. Ensure the onKeyDown mirrors the onClick logic
(call onToggleSelect for bulk mode, otherwise open originalUrl) and preserve
aria states if needed (e.g., aria-pressed or aria-selected) for selection; apply
the same change to the other instances called out (around lines noted: the other
two similar blocks). Ensure focus styles remain consistent and that
pointer/cursor behavior is unchanged.
- Around line 937-940: The onClick handler currently only closes the modal and
calls exitBulkMode but never invokes the move API; update the onClick of the
move confirmation button (the anonymous function where setIsMoveModalOpen(false)
and exitBulkMode() are called) to call the move function that performs the API
request (e.g., moveSelectedLinks, moveLinksToFolder, or performMove) with the
selected link IDs and target folder ID, await its result (or handle its
promise), only then close the modal and call exitBulkMode on success, and add
error handling to surface failures (e.g., set an error state or show a toast)
and refresh local state (or call fetchLinks/refreshLinks) after a successful
move so the UI reflects the change.

In `@frontend/src/components/ui/dialog.tsx`:
- Around line 50-82: DialogContent and DialogFooter both accept showCloseButton
causing duplicate close buttons; remove showCloseButton from DialogContent
(delete it from the prop signature and stop conditionally rendering
DialogPrimitive.Close in DialogContent) and let DialogFooter control the
close-button rendering via its showCloseButton prop (or, if you must keep both,
rename one prop and add a JSDoc comment on DialogFooter/DialogContent explaining
which component owns the close button); update references to showCloseButton in
DialogContent, DialogFooter, and any callers accordingly and add a short JSDoc
on the remaining prop to document expected usage.

In `@frontend/src/lib/api/bookmarkApi.ts`:
- Around line 74-79: The hook useBookmarks currently always fires
fetchBookmarks; add an enabled condition to the useQuery options so the query
only runs when search params are valid (e.g., when params.folderId is
defined/non-null or other required fields are present). Update the useQuery call
in useBookmarks to include an enabled flag derived from params (for example
based on params.folderId !== undefined && params.folderId !== null) while
keeping queryKey and queryFn (useBookmarks, params, fetchBookmarks) intact.

In `@frontend/src/lib/api/fetchClient.ts`:
- Around line 14-17: The current headers merge uses object spread and fails for
RequestInit.headers types like Headers or string[][]; update the headers
construction in fetchClient (where headers are set) to create a Headers instance
first (e.g., const headers = new Headers({'Content-Type': 'application/json'}),
then if options?.headers is a Headers iterate with forEach to copy entries, if
it's an array (string[][]) loop through pairs and set, and if it's a plain
object use Object.entries to set each key/value; finally assign that Headers
instance to the request init so all RequestInit.headers shapes are supported.

In `@frontend/src/lib/api/tagApi.ts`:
- Around line 47-49: Narrow the cache invalidation to the current user instead
of invalidating ['tags'] globally: update the onSuccess in the mutation to call
queryClient.invalidateQueries({ queryKey: ['tags', userId] }) (or the equivalent
user-scoped key your app uses) by passing the relevant userId (from the mutation
variables, auth store, or callback context) so queryClient.invalidateQueries and
the tags cache key become ['tags', userId] rather than just ['tags'].
- Around line 10-12: The client must not accept ownerMemberId from callers;
remove the ownerMemberId parameter from fetchTags and the other tag functions
(e.g., createTag and updateTag in this file) and call the server endpoint that
derives the owner from the authenticated session (e.g., GET /api/tags or GET
/api/tags/me and POST/PUT /api/tags) instead of embedding the owner in the
path/body; update fetchTags, createTag, and updateTag signatures to drop
ownerMemberId, change their fetchClient calls to the ownerless routes, and
update all local callers to stop passing ownerMemberId so ownership is enforced
by the server auth context.

In `@src/main/java/com/web/SearchWeb/bookmark/service/BookmarkServiceImpl.java`:
- Around line 233-234: In BookmarkServiceImpl replace the current silent
normalization that returns an empty string for blank URLs (the line `if (url ==
null || url.isBlank()) return "";`) with rejecting the request by throwing a
validation exception (e.g., IllegalArgumentException or a custom
BadRequestException) so an invalid/empty URL does not produce an abnormal link
key; update any callers or tests to expect/handle the thrown exception from the
method in BookmarkServiceImpl.
- Around line 334-343: In BookmarkServiceImpl replace the raw string
concatenation that builds oEmbedUrl so the url parameter is URL-encoded (use
URLEncoder.encode(url, StandardCharsets.UTF_8)) before appending to oEmbedUrl,
and after parsing the JSON title from root.path("title").asText() convert
empty/blank titles to null (e.g., if title == null or title.isBlank() return
null) so the upper-level fallback chain can run; update references to oEmbedUrl
and the title extraction logic accordingly.
- Around line 291-299: The extractTitle method in BookmarkServiceImpl currently
passes the raw URL into Jsoup.connect(), enabling SSRF; add strict URL
validation both at the controller entry and at the start of extractTitle: verify
the scheme is exactly http or https, parse the host and resolve it to an IP
(InetAddress) and reject if the hostname is localhost or 127.0.0.1 or
169.254.169.254 or maps to any private RFC1918 ranges (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16) or IPv6 equivalents, and fail the request with a
clear error before calling Jsoup.connect(); keep the validation centralized
(e.g., a private validateUrlOrThrow(URL) helper used by the controller and
extractTitle) so Jsoup.connect(url) is only reached after the checks pass.

---

Outside diff comments:
In `@src/main/java/com/web/SearchWeb/bookmark/service/BookmarkServiceImpl.java`:
- Around line 217-224: The existence check uses the original url instead of the
normalized canonicalUrl, causing misses; update the logic in BookmarkServiceImpl
so after obtaining canonicalUrl (via normalizeUrl) and confirming a Link exists
(selectLinkByCanonicalUrl), you perform the bookmark existence check using the
canonical identifier (e.g., pass canonicalUrl to
bookmarkDao.checkBookmarkExistsByUrl or use the Link's id from
selectLinkByCanonicalUrl) instead of the raw url (memberId and url), so the
check is consistent with the canonicalization strategy.

---

Duplicate comments:
In `@docs/Backend/01`. backend-convention.md:
- Line 5: Add a single blank line immediately after the markdown heading "## 1)
네이밍 규칙" (and likewise after any other headings in this file that are directly
followed by content) to satisfy MD022; find occurrences where a heading is
followed on the next line by text or a list and insert one empty line between
the heading and the content so all headings have a blank line beneath them.

In `@docs/Fontend/01`. frontend_architecture.md:
- Line 42: Add a single blank line before and after each top-level/subheading to
satisfy markdownlint MD022: for example ensure there is one empty line above and
below "### 1. 프로젝트 기반 및 환경 설계" and do the same for the other affected headings
(the headings at the other flagged locations), so every heading has exactly one
blank line surrounding it; update the markdown accordingly and re-run lint to
confirm the MD022 warnings are resolved.

In `@docs/Plan/01`. searchweb_PRD.md:
- Around line 16-312: The document violates markdownlint rules MD022/MD058/MD047
due to missing blank lines around headers and tables and a missing final
newline; fix by ensuring there is exactly one empty line before and after each
header (e.g., "### 🗺️ MVP 우선순위 및 핵심 가치 (Roadmap)", "## 2. Problem &
Hypothesis", "## 3. Goal", etc.) and before/after every table block (the
pipe-style tables under Problem & Hypothesis, FR sections, etc.), remove any
extra multiple blank lines so only a single blank line surrounds those blocks,
and add a single newline character at the end of the file to ensure a final
newline.

In `@frontend/next.config.ts`:
- Around line 5-11: The rewrites() in next.config.ts currently hardcodes
'http://localhost:8080' causing failures in staging/production; change
rewrites() to build the destination from an environment variable (e.g.,
process.env.BACKEND_URL or NEXT_PUBLIC_BACKEND_URL) with a sensible localhost
default for local dev, and update any runtime config or .env docs so BACKEND_URL
is set in each environment; specifically modify the destination for source
'/api/:path*' to use that env var (keeping the '/api/:path*' suffix) so
deployments point to the correct backend URL.

In `@frontend/src/app/login/page.tsx`:
- Line 22: The anchor using href="#" for the "문의하기" link in page.tsx is a
placeholder causing accessibility/lint issues; replace it with a real navigation
or a button: either change the element to a proper Link/anchor with the real
path (e.g., "/contact") using your routing method, or convert the <a ...
href="#"> element with className "text-white/90 hover:text-white text-sm
font-medium transition-colors" and inner text "문의하기" into a <button
type="button"> and wire the click to navigate (e.g., router.push or onClick
handler). Apply the same change for the other duplicate occurrences (the other
"문의하기" anchors noted in the file).

In `@frontend/src/app/page.tsx`:
- Line 1: 현재 파일에 불필요한 "use client" 디렉티브가 있어 이 페이지는 서버 컴포넌트로 충분하므로 최상단의 "use
client" 문자열을 제거하세요; 제거 후 page.tsx에서
useState/useEffect/useRef/useMemo/useCallback 또는 onX 이벤트 핸들러 같은 클라이언트 전용 API가
사용되지 않는지 (예: 검색 정규식으로 검사한 결과) 확인하고, 만약 있다면 해당 로직을 클라이언트 컴포넌트로 분리하거나 제거하여 서버 컴포넌트
규약을 유지하도록 수정하세요.
- Around line 61-66: The SVG used as a decorative icon should be hidden from
assistive tech; update the <svg> element in frontend/src/app/page.tsx (the
inline Google-logo SVG) to include accessibility attributes such as
aria-hidden="true" and focusable="false" (and remove any title/desc that would
expose it) so screen readers ignore it; ensure you apply these attributes
directly on the svg tag that contains the four <path> children.
- Line 26: Several plain <button> elements in the page component are missing an
explicit type and can trigger unintended form submissions; update each button
element (e.g., the one with className "md:hidden text-white" and the other
similar buttons flagged in the review) to include type="button" so they do not
act as submit buttons inside form contexts, ensuring you add the attribute to
every <button> instance noted in the diff.
- Line 19: The anchor elements using href="#" (the <a className="text-white/90
hover:text-white text-sm font-medium transition-colors" href="#">문의하기</a> and
the duplicate occurrences) must be replaced with real targets or appropriate
controls: update each anchor's href to the actual route or external URL (e.g.,
"/contact" or "mailto:...") or, if it triggers a JS action rather than
navigation, replace with a button element or an accessible element with
role="button" and proper onClick handler; ensure to update the instances
referenced by the symbol of that anchor in this file and the duplicate
occurrences (lines noted in the review) so the links are navigable and
accessible.

In `@frontend/src/components/dialogs/CreateFolderDialog.tsx`:
- Around line 27-30: The UI state for selectedIcon, selectedColor, and isPinned
is not being sent to the backend; update the folder creation submit handler
(e.g., the function that dispatches createFolder / handleCreate / onCreateSubmit
in CreateFolderDialog.tsx) to include folderName, selectedIcon, selectedColor
and isPinned in the API payload, ensuring the same state variables
(selectedIcon, selectedColor, isPinned, folderName) are referenced; if the
backend API does not accept those fields, remove or hide the icon/color/pinned
controls from the dialog UI (or gate them behind a feature flag) so the UI
reflects available backend support.
- Around line 75-78: Multiple buttons inside CreateFolderDialog (e.g., the close
button with onClick={() => toggleCreateFolderDialog(false)} and other non-submit
buttons later in the component) are missing type="button", which can trigger
unwanted form submission; update every non-submit button in the
CreateFolderDialog component to include type="button" (for example add
type="button" to the button that calls toggleCreateFolderDialog(false) and to
the other action buttons in this component) so only the intended submit control
triggers form submit.

In `@frontend/src/components/layout/Sidebar.tsx`:
- Around line 82-89: The pinned folder button in Sidebar (the <button
key={folder.memberFolderId} onClick={() =>
setSelectedFolderId(folder.memberFolderId)} ...> element) is missing an explicit
type and should have type="button" added so clicking it does not trigger form
submission; update that button element in Sidebar.tsx to include type="button"
alongside its existing props.
- Around line 73-78: The button in Sidebar.tsx that calls
useUIStore.getState().toggleCreateFolderDialog(true) is missing an explicit type
and can accidentally submit a surrounding form; update the <button> element
rendering the "add" icon to include type="button" so it won't act as a submit
button when placed inside a form.

In `@frontend/src/lib/auth/currentUser.ts`:
- Line 3: TEMP_MEMBER_ID is a hardcoded fallback that can cause all requests to
be treated as the same user; update the exported TEMP_MEMBER_ID handling so that
in production it does not provide a fallback (throw or return null/error when
auth is missing) and only returns a safe explicit fallback when NODE_ENV ===
'development' or a dedicated DEV_FALLBACK flag is set; modify currentUser.ts to
replace the unconditional export with logic that reads process.env.NODE_ENV or a
DEV flag, returns the temporary id only in dev, and rejects/throws or returns
undefined in production so callers must handle missing authentication.

In `@frontend/src/lib/types/folder.ts`:
- Around line 14-16: The CreateFolderRequest interface exposes ownerMemberId
which allows clients to set the folder owner; remove ownerMemberId from the
CreateFolderRequest type definition and any client-side construction of that
payload (search for usages of CreateFolderRequest and ownerMemberId), update API
call sites to stop sending ownerMemberId, and ensure server-side folder creation
uses the authenticated user (not client-provided owner) to set the owner; also
update any tests/types that referenced ownerMemberId accordingly.

In `@frontend/src/lib/types/tag.ts`:
- Around line 9-11: The CreateTagRequest type exposes ownerMemberId which must
be removed so ownership is enforced server-side; delete the ownerMemberId field
from the CreateTagRequest interface and update all call sites that construct or
type-check CreateTagRequest (e.g., tag creation helpers, API client methods, and
any components or tests) to stop passing or expecting ownerMemberId, instead
rely on server/auth context to set the owner; ensure compile errors are fixed by
updating signatures like the createTag API call and related serializers/parsers
to reflect the new shape.

In `@src/main/resources/application.properties`:
- Line 13: Replace the hardcoded DEBUG setting in application.properties for
logging.level.com.web.SearchWeb with a non-DEBUG default (e.g., remove the key
or set to INFO) and move the DEBUG override into profile-specific files (e.g.,
application-dev.properties or application-local.properties) so that DEBUG is
only enabled in dev/local environments; update any documentation or README that
references logging setup to reflect the profile-based DEBUG configuration.