docs: address limitaions

Author: coodos

docs/docs/Infrastructure/Web3-Adapter.md

@@ -45,9 +45,9 @@ The adapter does not poll the database. The platform must detect changes (e.g. v
 
 After data is stored or updated in an eVault, the [Awareness Protocol](/docs/W3DS%20Protocol/Awareness-Protocol) delivers webhooks to all other registered platforms. Those platforms use the same adapter's `fromGlobal` and ID mapping to apply the change locally. So the full loop is: Platform A → adapter → eVault → Awareness Protocol → Platform B's webhook → adapter → Platform B's DB.
 
-### Design implications
+### Design Limitations
 
-You can get better results by:
+Current implementation has the following known limitations, which we aim to fix with subsequent versions:
 
 - **Ontology design**: Clear schema versioning, optional vs required fields, and conventions for references (e.g. eNames vs local IDs in payloads).
 - **Mapping expressiveness**: Richer `ownerEnamePath` (e.g. fallbacks), relation resolution, and handling of arrays and nested structures.
@@ -112,7 +112,7 @@ graph TB
 
 ### Mapping configuration (IMapping)
 
-Mapping configs define how local fields map to the global ontology. For the full syntax (direct fields, relations, arrays, `__date`, `__calc`, owner path), see the **Web3 Adapter Mapping Rules** in the repository at `infrastructure/web3-adapter/MAPPING_RULES.md`.
+Mapping configs define how local fields map to the global ontology. For the full syntax (direct fields, relations, arrays, `__date`, `__calc`, owner path), see the [Web3 Adapter Mapping Rules](../../../infrastructure/web3-adapter/MAPPING_RULES.md).
 
 Each mapping is a JSON file with:
 
@@ -122,8 +122,6 @@ Each mapping is a JSON file with:
 - **localToUniversalMap**: Object mapping local field names to global field names or expressions (e.g. `"createdAt": "__date(createdAt)"`, relation syntax `"tableName(path),globalAlias"`).
 - **readOnly** (optional): If true, `handleChange` does not sync this table to the eVault.
 
-For full syntax (direct, relation, array, `__date`, `__calc`, owner path), see the mapping rules in the repository at `infrastructure/web3-adapter/MAPPING_RULES.md`.
-
 ### Receiving data (inbound)
 
 When a platform receives an awareness protocol packet at `POST /api/webhook`:
@@ -134,7 +132,7 @@ When a platform receives an awareness protocol packet at `POST /api/webhook`:
 4. Call `mappingDb.getLocalId(body.id)`; if found, update the existing local entity; otherwise create and then `mappingDb.storeMapping({ localId: newEntity.id, globalId: body.id })`.
 5. Return 200.
 
-See the [Webhook Controller Guide](/docs/Post%20Platform%20Guide/webhook-controller) for a full implementation example.
+See the [Webhook Controller Guide](/docs/Post%20Platform%20Guide/webhook-controller) for a full implementation example and the [Awareness Protocol](/docs/W3DS%20Protocol/Awareness-Protocol) for the packet format and delivery mechanism.
 
 ## Sequence: Platform → Adapter → eVault
 
@@ -165,10 +163,9 @@ sequenceDiagram
     end
 ```
 
-## Extension points
+## Limitations & Planned Extensions
 
-- **Ontology versioning**: Today `schemaId` is a single UUID; you could version schemas and map multiple local tables to different versions.
+- **Ontology versioning**: Today `schemaId` is a single UUID, there are plans for adding a `schemaVersion` key to allow for schema versioning.
 - **Conflict resolution**: Add version or timestamp fields and resolve conflicts in the adapter or in a separate service.
 - **Idempotency**: Use idempotency keys in payloads or in the mapping DB to make webhook handling and outbound sync idempotent.
-- **ID mapping storage**: Replace SQLite with a shared store if multiple instances of the platform need the same mappings.
 - **Transactional outbox**: Have the platform write changes to an outbox table and have a worker call `handleChange` so that sync is tied to the same transaction as the local write.

docs/docs/W3DS Protocol/Awareness-Protocol.md

@@ -5,7 +5,7 @@ sidebar_position: 4
 # Awareness Protocol
 
 :::warning Prototype-level implementation
-The Awareness Protocol described here is **prototype-level**. The packet format, delivery behavior, and platform contract are subject to change. Do not rely on them for production without checking for updates.
+The Awareness Protocol described here is **prototype-level**. The packet format, delivery behavior, and platform contract are subject to change in upcoming updates
 :::
 
 The Awareness Protocol is the webhook deliverability mechanism in W3DS. When data in an eVault changes (create or update), the eVault notifies all other registered platforms so they can stay in sync. "Awareness" means platforms become aware of changes that happened elsewhere.
@@ -101,11 +101,11 @@ For a step-by-step implementation guide, see the [Webhook Controller Guide](/doc
 
 ## Limitations and Extension Points
 
-The current protocol has intentional limitations that readers may improve in their own implementations:
+The current protocol has  limitations which are going to be improved in subsequent versions:
 
 - **No retries**: Failed webhooks are not retried. A more robust system could add retries with backoff or a dead-letter queue.
 - **No ordering guarantee**: Webhooks to different platforms are sent in parallel; there is no guarantee of order across platforms or across multiple mutations.
 - **No at-least-once guarantee**: Because delivery is fire-and-forget and there are no retries, a platform might never receive a given update. At-least-once delivery would require acknowledgments and retries (and possibly idempotency keys).
-- **Platform list from Registry**: The set of recipients is whatever the Registry returns for `GET /platforms`. How that list is maintained and updated is registry-specific.
+- **Platform list from Registry**: The set of recipients is whatever the Registry returns for `GET /platforms`.  This is a prototype level shortcut and will be phased out.
 
 Designing retries, ordering, or delivery guarantees would be natural extension points for a production-grade awareness mechanism.

platforms/esigner-api/IMPLEMENTATION.md

@@ -0,0 +1,157 @@
+# eSigner API – Implementation Details (Workflow / Diagrams)
+
+## Overview
+
+eSigner API is an Express (Node.js) backend for document signature containers. Users upload files, invite signees, and sign via QR/deep link with an eID Wallet. Signatures are verified against the W3DS registry and stored with the file.
+
+**Stack:** Express, TypeORM (Postgres), JWT auth, SSE for session status, Web3Adapter for sync with registry/file-manager.
+
+---
+
+## High-Level Architecture
+
+```
+Client (eSigner Svelte app)
+    |
+    |  JWT (Bearer)
+    v
+Express API (authMiddleware → authGuard on protected routes)
+    |
+    +-- AuthController     (public: offer, login, SSE session)
+    +-- FileController     (CRUD files, list, download, signatures)
+    +-- InvitationController (invite, list, decline)
+    +-- SignatureController  (create session, SSE status, callback from wallet)
+    +-- UserController      (current user, search)
+    +-- WebhookController   (public: POST /api/webhook – registry sync)
+    |
+    v
+Services: FileService, InvitationService, SignatureService, UserService,
+          NotificationService, PlatformEVaultService, MessageService, GroupService
+    |
+    v
+Database (Postgres): files, file_signees, signature_containers, users, groups, messages, user_evault_mappings
+```
+
+---
+
+## Auth Flow
+
+- **Public:** `GET /api/auth/offer` → returns `w3ds://auth?redirect=...&session=<uuid>&platform=esigner`.
+- **Login:** Client opens wallet with that URI; wallet signs and POSTs to `POST /api/auth` with `{ ename, session, appVersion, signature }`. API verifies signature (signature-validator), finds/creates user, signs JWT, emits result on SSE for `session`; client polls `GET /api/auth/sessions/:id` (SSE) to get token.
+- **Protected routes:** After `authMiddleware` (optional: parses Bearer, sets `req.user`), `authGuard` requires `req.user`; 401 if missing.
+
+---
+
+## Main Entities (ER for Diagrams)
+
+| Entity | Purpose |
+|--------|--------|
+| **File** | Document blob. `id`, `name`, `displayName`, `description`, `mimeType`, `size`, `md5Hash`, `data` (bytea), `ownerId`. Soft-delete: `name === "[[deleted]]"` hidden in eSigner. |
+| **FileSignee** | Invitation to sign a file. `fileId`, `userId`, `invitedBy`, `status` (pending \| signed \| declined), `invitedAt`, `signedAt`, `declinedAt`. Owner is auto-added as signee when inviting. |
+| **SignatureContainer** | One signature on a file. `fileId`, `userId`, `fileSigneeId`, `md5Hash`, `signature`, `publicKey`, `message`. Links to File and FileSignee. |
+
+Relations: `File` 1─N `FileSignee`, `File` 1─N `SignatureContainer`, `FileSignee` 1─1 `SignatureContainer` (optional).
+
+---
+
+## File Workflows
+
+### 1. Upload and list
+
+- **POST /api/files** (multipart): `authGuard` → `FileController.uploadFile` → `FileService.createFile`. Validates name ≠ `[[deleted]]`, computes MD5, stores file. Optional `displayName`, `description`.
+- **GET /api/files**: `FileService.getDocumentsWithStatus(userId, listMode)`. `getUserFiles(userId)` = owned files (createdAt DESC) + files where user is in `file_signees`; merged list sorted by `createdAt` DESC. If `listMode === 'containers'`, only files with at least one signee. Response includes derived status: draft \| pending \| partially_signed \| fully_signed, plus signee/signature counts.
+- **GET /api/files/:id**, **PATCH**, **DELETE**, **GET :id/download**, **GET :id/signatures**: all gated by owner or presence in `file_signees`.
+
+### 2. Invite signees
+
+- **POST /api/files/:fileId/invite** body `{ userIds: string[] }`. `InvitationService.inviteSignees`: file must exist and caller is owner; file must have zero signatures (single-use); owner is always added as signee if not already; then each `userId` gets a `FileSignee` (status pending). Notifications sent (fire-and-forget). Returns created invitations.
+
+### 3. Get invitations
+
+- **GET /api/files/:fileId/invitations**: list invitations for that file (caller must be owner or signee).
+- **GET /api/invitations**: list invitations for current user (files they’re invited to).
+- **POST /api/invitations/:id/decline**: set that invitation to declined.
+
+---
+
+## Signing Session Flow (Core for Diagrams)
+
+1. **Create session (user has pending invitation)**  
+   **POST /api/signatures/session** body `{ fileId }`.  
+   - `SignatureService.createSession(fileId, userId)`:
+     - Ensures user has a pending `FileSignee` for that file.
+     - Loads file, gets `md5Hash`.
+     - `sessionId = userId_md5` (so signed payload binds user + file hash).
+     - Builds message `{ message, md5Hash, sessionId }`, base64, then `qrData = w3ds://sign?session=...&data=...&redirect_uri=.../api/signatures/callback`.
+     - In-memory session store: `sessions.set(sessionId, { sessionId, fileId, userId, md5Hash, qrData, expiresAt, status: "pending" })`. Expires in 15 minutes (status → "expired").
+   - Response: `{ sessionId, qrData, expiresAt }`.
+
+2. **Poll session status (SSE)**  
+   **GET /api/signatures/session/:id** (no auth).  
+   - Streams SSE. Sends initial status then polls every 1s. Events: `type: "signed", status: "completed"` \| `type: "expired"` \| `type: "security_violation"` \| `type: "error"`. Cleans up on client disconnect.
+
+3. **Wallet callback (signature submission)**  
+   **POST /api/signatures/callback** (no auth) body `{ sessionId, signature, w3id, message }`.  
+   - `SignatureService.processSignedPayload`:
+     - Load session by `sessionId`; must be "pending".
+     - Validates payload structure; ename/signature verified via `verifySignature` (signature-validator + registry). Ensures signed message equals `userId_md5`, and `publicKey` matches user ename.
+     - Creates `SignatureContainer` (fileId, userId, fileSigneeId, md5Hash, signature, publicKey, message).
+     - Updates `FileSignee` to status "signed", sets `signedAt`.
+     - Sets in-memory session status to "completed".
+   - Returns 200 with success/error; SSE clients see "signed" and close.
+
+---
+
+## Status Derivation (List View)
+
+For each file in "documents with status":
+
+- No signees → **draft**
+- Signees exist, no one signed yet → **pending**
+- Some signed, not all → **partially_signed**
+- All signees signed → **fully_signed**
+
+Computed from `File.signees` (counts by `status === 'signed'` / `'pending'` / `'declined'`).
+
+---
+
+## Webhook and Sync
+
+- **POST /api/webhook**: Receives events from registry/file-manager (Web3Adapter). `schemaId` + `id` + `data`; adapter mapping picks entity (users, groups, messages, files, signature_containers). Actions: create/update/delete local rows and store globalId↔localId mapping. Used to keep eSigner in sync with external systems (e.g. file renames/deletes from file-manager; `[[deleted]]` files are hidden in eSigner).
+
+---
+
+## External Dependencies
+
+- **Registry:** `PUBLIC_REGISTRY_URL` – used by signature-validator for ename/signature verification.
+- **Platform eVault:** On startup, `PlatformEVaultService` ensures a platform eVault exists for eSigner.
+- **Optional:** `ANCHR_URL` – webhook payloads are forwarded to `ANCHR_URL/esigner` for analytics/monitoring.
+
+---
+
+## Key Files for Diagrams
+
+| Concern | File(s) |
+|--------|--------|
+| Routes | `src/index.ts` |
+| Auth | `src/controllers/AuthController.ts`, `src/middleware/auth.ts` |
+| Files | `src/controllers/FileController.ts`, `src/services/FileService.ts` |
+| Invitations | `src/controllers/InvitationController.ts`, `src/services/InvitationService.ts` |
+| Signing flow | `src/controllers/SignatureController.ts`, `src/services/SignatureService.ts` |
+| Entities | `src/database/entities/File.ts`, `FileSignee.ts`, `SignatureContainer.ts` |
+| Webhook/sync | `src/controllers/WebhookController.ts`, `src/web3adapter/watchers/subscriber.ts` |
+
+---
+
+## Mermaid Snippet Ideas
+
+- **Sequence: Create reference → Invite → Sign**
+  - Actor: Owner; Boundary: API; Participants: FileService, InvitationService, SignatureService; Wallet as external (callback).
+- **State: FileSignee**  
+  - pending → signed | declined.
+- **State: Signing session (in-memory)**  
+  - pending → completed | expired | security_violation.
+- **Flow: GET /api/files**  
+  - authGuard → getDocumentsWithStatus → getUserFiles (owned + invited) → sort by createdAt → filter containers vs all → map to status.
+
+Use this doc to drive workflow diagrams (sequences, state machines, data flow) for docs or onboarding.