feat: update specs and add auth service test

.trellis/spec/frontend/index.md

@@ -40,15 +40,15 @@ Before frontend implementation, read:
 - `.trellis/spec/frontend/state-management.md`
 - `.trellis/spec/frontend/type-safety.md`
 - `.trellis/spec/frontend/quality-guidelines.md`
-- `.trellis/tasks/00-bootstrap-guidelines/research/project-requirements.md`
+- `.trellis/tasks/archive/2026-04/00-bootstrap-guidelines/research/project-requirements.md`
 
 ---
 
 ## Evidence
 
-- `.trellis/tasks/00-bootstrap-guidelines/research/repo-scan.md` records that
-  no application source code exists yet.
-- `.trellis/tasks/00-bootstrap-guidelines/research/project-requirements.md`
+- `.trellis/tasks/archive/2026-04/00-bootstrap-guidelines/research/repo-scan.md`
+  records the initial pre-scaffold repo scan.
+- `.trellis/tasks/archive/2026-04/00-bootstrap-guidelines/research/project-requirements.md`
   records the developer-provided JSP presentation approach and image-to-JSP
   workflow.
 

.trellis/spec/frontend/type-safety.md

@@ -23,6 +23,81 @@ rendering.
 
 ---
 
+## Scenario: Login JSP And Servlet Contract
+
+### 1. Scope / Trigger
+
+- Trigger: the initial login scaffold introduced a cross-layer JSP/Servlet
+  contract for authentication screens and protected role pages.
+
+### 2. Signatures
+
+- Login form: `POST /login`.
+- Request fields: `username`, `password`, and optional `redirect`.
+- Login JSP request attributes: `errorMessage`, `username`, and `redirect`.
+- Dashboard/role JSP session attributes: `authenticatedUser`, `userRole`, and
+  `userPermissions`.
+- Role page request attributes: `areaName` and `areaSummary`.
+
+### 3. Contracts
+
+- `username` is trimmed in the Servlet before service authentication and may be
+  echoed back only through JSP escaping.
+- `password` is submitted to the Servlet and must never be written to a request
+  attribute or session attribute.
+- `redirect` must be a same-application path beginning with one `/`; invalid
+  values are ignored.
+- JSPs render data with JSP EL/JSTL, not scriptlet Java.
+- JSPs may read safe session snapshots, but they must not call DAOs or inspect
+  password hashes.
+
+### 4. Validation & Error Matrix
+
+- Missing `username` or `password` -> `errorMessage` displays
+  `Username and password are required.`
+- Invalid credentials -> `errorMessage` displays
+  `Invalid username or password.`
+- Login service unavailable -> `errorMessage` displays a generic unavailable
+  message; details stay in server logs.
+- Missing authenticated session on protected pages -> redirect to `/login` with
+  a safe `redirect` value.
+- Insufficient role permission -> render `/unauthorized`.
+
+### 5. Good/Base/Bad Cases
+
+- Good: failed login keeps the escaped username and never redisplays the
+  password.
+- Base: dashboard reads `sessionScope.authenticatedUser.displayName` and
+  `sessionScope.userRole` only for display/navigation.
+- Bad: JSP uses scriptlets, JDBC, or raw request parameters to decide
+  authentication.
+
+### 6. Tests Required
+
+- Scan JSPs to confirm there are no scriptlets beyond directives.
+- Scan JSP/static assets to confirm no SQL/JDBC access exists in presentation
+  files.
+- Run service-level auth checks for required fields, invalid credentials,
+  success, DAO fallback, and permission checks.
+- When Maven/Tomcat is available, run a Servlet/JSP compile or package check.
+
+### 7. Wrong vs Correct
+
+#### Wrong
+
+```jsp
+<%-- JSP checks request.getParameter("password") or runs SQL directly. --%>
+```
+
+#### Correct
+
+```text
+login.jsp displays attributes set by LoginServlet; AuthService and UserDao own
+authentication and database access.
+```
+
+---
+
 ## Validation
 
 - Parse and validate IDs, dates, enum/status values, and required strings in