# ATP Work Session: 2026-06-16 Project Analysis

## Objective

Introduce a `docs/` workflow scaffold and record a read-only full-project analysis covering architecture, security, code quality, and domain behavior.

## Constraints

- Do not modify `src/`.
- Do not modify `pom.xml`.
- Documentation and project guidance files only.

## Files Added

- `docs/index.md`
- `docs/analysis/README.md`
- `docs/analysis/2026-06-16-project-analysis.md`
- `docs/security/README.md`
- `docs/security/security-remediation-checklist.md`
- `docs/architecture/README.md`
- `docs/development/README.md`
- `docs/adr/README.md`
- `CLAUDE.md`
- `.atp/work-session`
- `.serena/project.yml`

## Files Updated

- `docs/db-update-query-generator.md`
- `docs/user-signup-schema.md`

## Findings

- No SQL injection surface was found in the scanned mapper/controller code: MyBatis mapper SQL uses `#{}` (prepared-statement parameter binding) throughout, and no `${}` usage was found. `${}` is raw string substitution into the SQL text, so any future use of it with request-derived input would reopen this surface; the check is worth repeating on each review.
- Password storage uses PBKDF2-SHA256 with 210,000 iterations. That count matches the OWASP recommendation for PBKDF2-HMAC-SHA512; for the SHA-256 variant OWASP currently recommends 600,000, so the setting is acceptable but worth revisiting when hashes are next rotated.
- Most state-changing endpoints validate the request token with `CsrfTokens.isValid`.
- `POST /login` and `POST /signup` do not validate CSRF and are the primary MED-severity security gap. Login CSRF lets an attacker's page log the victim's browser into an attacker-controlled account; signup CSRF lets it create accounts on the victim's behalf.
- Prototype leftovers include `abstracts`, `header.jspf`, and the empty `GameCatalog`.
- Likes/comments have mapper and schema traces, but the game detail UI persists them only in `localStorage`, so they are per-browser and never reach the server.
- The current tests do not exercise security behavior (CSRF, authentication, session handling), so regressions in those areas would not be caught.

## Next Work

- B1: Add CSRF validation to `POST /login` and `POST /signup`.
- B2: Remove or document prototype dead code.
- B3: Connect likes/comments to server persistence once the moderation and ownership policy is decided.
- B4: Pin the Spring Boot release version, harden session cookies (`HttpOnly`, `Secure`, `SameSite`), and add dependency CVE scanning.
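For the `POST /login` / `POST /signup` gap (finding above, task B1), the following is an added example of the check those two handlers are missing. It is not the project's code and does not call the project's `CsrfTokens.isValid`, whose signature was not inspected for this note; the class `LoginCsrf`, the session attribute `csrfToken`, the form field `_csrf`, and the `jakarta.servlet` package (Spring Boot 3 / Servlet 6; under Spring Boot 2 the package is `javax.servlet`) are assumptions. The pre-login case is the same synchronizer-token pattern as the authenticated endpoints, because the anonymous session created when the form is rendered can already carry a token. The extra step a login handler needs is shown in `rotateAfterLogin`: invalidating the anonymous session so neither its id nor its token survives into the authenticated one.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example (not the project's code): CSRF guard for the pre-login login/signup forms. */
public final class LoginCsrf {
    static final String SESSION_KEY = "csrfToken";   // assumed session attribute name
    static final String PARAM = "_csrf";             // assumed hidden form field name
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue a token bound to the (possibly anonymous) session; render it as a hidden field in the form. */
    static String issue(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_KEY, token);
        return token;
    }

    /**
     * Check a POST /login or POST /signup request. Fails closed: no session (the form was never rendered to
     * this client), no stored token, or no submitted token all count as invalid.
     */
    static boolean isValid(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) return false;
        Object expected = session.getAttribute(SESSION_KEY);
        String submitted = request.getParameter(PARAM);
        if (!(expected instanceof String) || submitted == null) return false;
        // Constant-time comparison; an early-exit String.equals leaks the matching prefix length.
        return MessageDigest.isEqual(
            ((String) expected).getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Call after credentials are accepted: drop the anonymous session and start a fresh one with a fresh token,
     * so a pre-login session id or token planted by an attacker does not carry into the authenticated session.
     */
    static HttpSession rotateAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = request.getSession(true);
        issue(fresh);
        return fresh;
    }
}
```

In the handler the order is: `isValid(request)` first and respond 403 on failure, then authenticate, then `rotateAfterLogin(request)` and store the user principal on the returned session. The same `isValid` serves the signup endpoint unchanged, since it, too, is reached from a rendered form with a session already established.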