feathers-review
Install: claude install-skill hassan4702/feathers-plugin
# FeathersJS Code Review
Walk the changed/affected files and check the items below. Report findings grouped by severity (Critical → Warning → Style), each with the file, the problem, and a concrete fix. Don't just restate the code — say what's wrong and what to change.
## Critical (security / correctness)
1. **Authentication present.** Each non-public service should have `authenticate('jwt')` in `around.all`. Flag any service exposed externally (`methods` includes mutating verbs) without it. Confirm "public" services are public on purpose.
2. **Authorization actually enforced.** Ownership/tenancy checks belong in the **query resolver** (`<name>QueryResolver`), where they cover `find`/`get`/`patch`/`remove`. A check that lives only in a data resolver misses reads and removes. Verify writes are pinned to `context.params.user`, not to a client-supplied id.
3. **Sensitive fields hidden.** Every schema with secrets (`password`, tokens, internal ids) needs an **external resolver** setting them to `undefined`. A missing external resolver leaks them in API responses.
4. **Ownership derived from auth, not body.** `userId`/`ownerId` should be set in the data resolver from `context.params.user`, never trusted from `context.data`.
5. **Service is registered.** The configure function must be `app.configure(...)`-ed in `src/services/index.ts`. An unregistered service silently 404s.
6. **Hooks are wired.** A hook/resolver that's defined but not added to the `.hooks({...})` object never runs — check eac
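
As an added example (not part of this skill or of FeathersJS itself), the script below applies items 1, 3 and 6 as text heuristics to one service file and reports each finding with the problem and a fix. The names `reviewService`, `grab` and `SECRET_FIELDS`, and the sample source, are assumptions constructed for illustration.

```javascript
// Added example: heuristic text checks for checklist items 1, 3 and 6.
// Regex-based: a finding means "look here", not proof. SECRET_FIELDS is an assumption.
const SECRET_FIELDS = ['password', 'token']
const grab = (text, re) => (text.match(re) || ['', ''])[1]

function reviewService(src) {
  const findings = []
  const add = (item, problem, fix) => findings.push({ severity: 'Critical', item, problem, fix })
  const hooks = grab(src, /\.hooks\(\{([\s\S]*)\}\)/)

  // Item 1: authenticate('jwt') must be listed in around.all.
  const aroundAll = grab(hooks, /around:\s*\{[^}]*?all:\s*\[([\s\S]*?)\]/)
  if (!/authenticate\(\s*['"]jwt['"]\s*\)/.test(aroundAll)) {
    add(1, "no authenticate('jwt') in around.all", "add authenticate('jwt') to around.all")
  }

  // Item 3: every secret field needs an external resolver that returns undefined.
  const external = grab(src, /ExternalResolver\s*=\s*resolve[^(]*\(\{([\s\S]*?)\}\)/)
  for (const field of SECRET_FIELDS) {
    const declared = new RegExp(`\\b${field}\\s*:`).test(src.replace(external, ''))
    const hidden = new RegExp(`\\b${field}\\s*:[^,}]*undefined`).test(external)
    if (declared && !hidden) {
      add(3, `${field} is not hidden by an external resolver`, `${field}: async () => undefined`)
    }
  }

  // Item 6: a resolver that is defined but absent from .hooks({...}) never runs.
  for (const [, name] of src.matchAll(/const\s+(\w+Resolver)\s*=/g)) {
    if (!hooks.includes(name)) add(6, `${name} is defined but not wired`, `add ${name} to .hooks({...})`)
  }
  return findings
}

// Constructed sample service file (not from any real project).
const SAMPLE = `
export const userSchema = Type.Object({ id: Type.Number(), password: Type.String() })
export const userExternalResolver = resolve<User, HookContext>({})
export const userQueryResolver = resolve<UserQuery, HookContext>({
  id: async (value, query, context) => (context.params.user ? context.params.user.id : value)
})
app.service('users').hooks({
  around: { all: [schemaHooks.resolveExternal(userExternalResolver)] }
})
`
for (const f of reviewService(SAMPLE)) console.log(`[${f.severity}] item ${f.item}: ${f.problem} -> ${f.fix}`)
```

A clean result only means these three patterns were found; items 2, 4 and 5 still need a manual read of the resolvers and of `src/services/index.ts`.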