1/ this does not make any sense at all:
$cmt_id = $DB->insert_record('comments', $newcmt);
$newcmt->id = $cmt_id;
$newcmt->time = userdate($now);
$newcmt->username = fullname($USER);
$newcmt->content = format_text($newcmt->content);
$newcmt->avatar = print_user_picture($USER, $this->course->id, NULL, 16, true);
because use exceptions now.
I personally do not like error constants COMMENT_ERROR_MODULE_REJECT and COMMENT_ERROR_INSUFFICIENT_CAPS either, this is exactly the place where exceptions make sense - in 99% of cases it succeeds because the access control and other logic is printed correctly in HTML before submission, only if something changes concurrently or somebody tries to hack moodle exception occurs.
2/ pretty please stop including formslib from core libraries! instead create a separate file with your form definition and include it only when needed
3/ class comments have some weird spacing in commentlib.php - it breaks phpdocs rules pretty badly I think
4/ using optional_param() deen in library functions is not recommended - is that really necessary?
5/ magic methods like setup_course() which try to guess or not good coding style IMO
6/ moodle/comment:post and moodle/comment:view or not assignable or overridable in a standard way - this will cause major usability problem and a lot of confusion, why is it still there?
7/ $cm = get_coursemodule_from_id('', $context->instanceid); - is a total nonsense, we MUST verify context level first to make sure it really is CONTEXT_MODULE!
8/ $courseid = optional_param('courseid', SITEID, PARAM_INT); $contextid = optional_param('contextid', SYSCONTEXTID, PARAM_INT);
those constants should be used in core only and defaults in ajax code are not used anyway
9/ license headers are missing or incomplete