| Field | Value |
|---|---|
| Type | Bug |
| Priority | Normal |
| Assignee | |
| Version | 1.9.2 |
| Sprints | n/a |
| Customer | n/a |
Caveat identified during SZ-77 implementation.
Currently updateComment and deleteComment in PullRequestController blanket-block external users via requireInternal(). An external user should be permitted to edit or delete their own comments.

Proposed fix: Add getComment(commentId) to PullRequestService, then replace the blanket requireInternal() in both methods with an author-or-internal check — same pattern as updateCommentVisibility in IssueController.

Risk until fixed: External users cannot edit or delete their own PR comments. Conservative, not a security gap.

Estimate: 1.5 hours.
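A sketch of the proposed author-or-internal check, added here as an illustration and not taken from the project's code base. The ticket does not state the implementation language, so TypeScript is an assumption, as are the `User`, `PrComment` and `Result` types, the `isAuthorOrInternal` helper, the in-memory `comments` map and the constructed sample data; only `PullRequestController`, `PullRequestService`, `getComment`, `updateComment` and `deleteComment` are names from the ticket.

```typescript
// Added illustration. Types, helper names and the in-memory store are assumed;
// only the controller/service and method names come from the ticket.
type User = { id: string; internal: boolean };
type PrComment = { id: string; authorId: string; body: string };
type Result = "ok" | "forbidden" | "not_found";

class PullRequestService {
  comments = new Map<string, PrComment>();
  // Proposed addition: lets the controller read the stored author.
  getComment(commentId: string): PrComment | undefined {
    return this.comments.get(commentId);
  }
}

// Author-or-internal check replacing the blanket requireInternal().
// The author id is read from the stored comment, never from request input.
function isAuthorOrInternal(user: User, comment: PrComment): boolean {
  return user.internal || comment.authorId === user.id;
}

class PullRequestController {
  service: PullRequestService;
  constructor(service: PullRequestService) {
    this.service = service;
  }

  updateComment(user: User, commentId: string, body: string): Result {
    const comment = this.service.getComment(commentId);
    if (comment === undefined) return "not_found";
    if (!isAuthorOrInternal(user, comment)) return "forbidden";
    comment.body = body;
    return "ok";
  }

  deleteComment(user: User, commentId: string): Result {
    const comment = this.service.getComment(commentId);
    if (comment === undefined) return "not_found";
    if (!isAuthorOrInternal(user, comment)) return "forbidden";
    this.service.comments.delete(commentId);
    return "ok";
  }
}

// Constructed sample data: one comment written by external user "ext-1".
function sampleController(): PullRequestController {
  const service = new PullRequestService();
  service.comments.set("c1", { id: "c1", authorId: "ext-1", body: "first draft" });
  return new PullRequestController(service);
}
```

The cases worth covering in a regression test are the four combinations of author/non-author and internal/external, plus an unknown comment id.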