add logging

.trellis/spec/backend/database-guidelines.md

@@ -630,6 +630,14 @@ reports/dashboard.jsp <- ReportServlet <- ReportService <- ReportDao <- books/re
 - `users.username`: unique login identifier submitted by `LoginServlet`.
 - `users.password_hash`: PBKDF2 hash in
   `pbkdf2_sha256$iterations$saltBase64$hashBase64` format.
+- Local scaffold demo users must have documented, known initial passwords for
+  new deployments: `admin/admin123`, `librarian/librarian123`, and
+  `reader/reader123`. Their `schema.sql` hashes must verify through
+  `PasswordHasher.verify` and must be treated as local/demo-only credentials,
+  never production credentials.
+- `schema.sql` uses `INSERT IGNORE` for demo `users` rows. Replaying the schema
+  must not be assumed to reset existing account passwords; README reset
+  guidance must call this out explicitly.
 - `users.role_code`: foreign key to `roles.code`; supported scaffold values
   are `administrator`, `librarian`, and `reader`.
 - `users.active`: only rows with `active = 1` can authenticate.