# brainstorm: start coding

## Goal

Build the initial Java Web project scaffold and a login/permission skeleton for this JSP + Servlet + MySQL library-management system.

## What I already know

* The user asked to start writing code.
* There is no active task before this one.
* The repository currently has Trellis project guidance but no application source code files.
* Existing project specs describe a B/S Java web application using JSP, Servlet, MySQL, Tomcat, and IDEA.
* Backend guidance expects a layered structure: JSP/CSS presentation -> Servlet controller -> Service/business -> DAO -> MySQL.
* Frontend guidance expects JSP/CSS pages, JSP includes or fragments, static assets, and small page scripts when needed.
* The user selected option A: build the Java Web foundation and login/permission skeleton first.

## Assumptions (temporary)

* The desired work is to start building the library-management system rather than editing an existing application.
* Maven is a reasonable default for Java web project scaffolding unless the user prefers plain IDEA/Tomcat project files.
* The first implementation should establish a compilable structure and a minimal login flow rather than complete every business module.

## Open Questions

* None currently blocking.

## Requirements (evolving)

* Follow the existing Trellis backend and frontend specs.
* Keep backend and frontend conventions aligned with JSP + Servlet + MySQL, not SPA frameworks.
* Create or update tests/checks where practical for the selected implementation scope.
* Create the base Java Web project structure for Tomcat deployment.
* Add a login/permission skeleton covering administrator, librarian, and reader roles.
* Add model/entity, DAO, service, servlet/controller, JSP, and static asset structure needed for the login slice.
* Include database initialization or schema notes for user/role data needed by the skeleton.
* Keep business logic layered: Servlet parameter/session handling, Service authentication and role checks, DAO persistence access.
* Include safe error handling for invalid credentials, missing parameters, and unauthorized access.

## Acceptance Criteria (evolving)

* [x] The selected first module or feature is explicitly confirmed.
* [x] The implementation follows the documented JSP + Servlet + MySQL layered architecture.
* [x] A fresh checkout has recognizable Java Web/Tomcat project structure and build configuration.
* [x] Login page submits credentials to a Servlet controller and displays validation/authentication failures safely.
* [x] Authentication logic is represented through service and DAO boundaries rather than embedded in JSP.
* [x] Session state stores the authenticated user and role in a controlled way.
* [x] Basic role/permission constants or helpers exist for administrator, librarian, and reader.
* [x] SQL/schema guidance exists for the minimal account/role tables needed by login.
* [x] Lint, type-check, compile, or equivalent project validation is run where available.

## Definition of Done (team quality bar)

* Tests added/updated where appropriate.
* Lint / typecheck / compile / CI-equivalent checks are green where available.
* Docs/notes updated if behavior changes.
* Rollout/rollback considered if risky.

## Out of Scope (explicit)

* Choosing React, Vue, TypeScript, SPA routing, or frontend hook/state-library conventions unless the user explicitly changes the stack.
* Implementing full book, reader, borrowing, statistics, backup, or logging modules beyond placeholders needed for navigation or role skeleton.
* Implementing production-grade password reset, remember-me, MFA, or external identity provider integration.

## Technical Notes

* Relevant spec indexes: `.trellis/spec/backend/index.md`, `.trellis/spec/frontend/index.md`.
* Backend pre-development checklist includes directory structure, database, error handling, logging, and quality guidelines.
* Frontend pre-development checklist includes directory structure, JSP component guidelines, state management, type safety, and quality guidelines.
* Codebase retrieval on 2026-04-27 found no application source code and surfaced the project specs as the main implementation context.
* Spec indexes reference `.trellis/tasks/00-bootstrap-guidelines/research/project-requirements.md`, but that file is absent in the current workspace, so context curation uses only present spec files.
* Implementation completed the scaffold under `src/main/`, added two standalone service checks under `src/test/`, and updated code-specs for the login database/JSP contracts.
* Local verification passed for non-Servlet Java compilation, `PermissionPolicyCheck`, `AuthServiceCheck`, and JSP/static boundary scans.
* Full Maven/Tomcat compile remains blocked in this environment because `mvn` is not installed and no local Servlet API jar is available outside Maven.