docs: add infrastructure, protocol, and getting started docs

[coodos]

Description of change

Add documentation around

• Protocols (auth, signing)
• Infrastructure (eVault, eID Wallet)
• Getting Started Guide

Issue Number

Type of change

• Docs (changes to the documentation)

How the change has been tested

Local

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

• Documentation
  • Replaced tutorial-style Getting Started content with a detailed W3DS conceptual and architectural overview (ownership, data flow, examples, diagrams).
  • Added comprehensive eID Wallet, eVault, Authentication, and Signing protocol docs with flows, examples, and security guidance.
  • Adjusted signature-format page heading/position and updated eVault-Key-Delegation metadata.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@coodos has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 38 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

This PR adds and restructures extensive W3DS documentation: new protocol specifications for Authentication and Signing, new infrastructure pages for eVault and eID-Wallet, and reworks Getting Started guides toward conceptual and architectural content (diagrams, data flows, webhook lifecycle, and payload examples).

Changes

Cohort / File(s)	Summary
Getting Started Restructuring docs/docs/Getting Started/getting-started.md, docs/docs/W3DS Basics/getting-started.md	Replaced terse tutorial steps with detailed W3DS conceptual guides: eVault ownership model, data flow (Platform → eVault → Platforms), webhook lifecycle, MetaEnvelopes, example GraphQL/HTTP payloads, and architecture diagrams.
W3DS Protocol Documentation docs/docs/W3DS Protocol/Authentication.md, docs/docs/W3DS Protocol/Signing.md, docs/docs/W3DS Protocol/Signature-Formats.md	Added Authentication and Signing protocol specs (ECDSA P-256 flows, session/offers, signature creation and verification, TypeScript examples); updated Signature-Formats header and sidebar position.
W3DS Infrastructure Documentation docs/docs/Infrastructure/eVault.md, docs/docs/Infrastructure/eID-Wallet.md, docs/docs/Infrastructure/eVault-Key-Delegation.md	Added eVault and eID-Wallet architecture and API/reference docs (data models, GraphQL/HTTP APIs, ACLs, webhook delivery, key management, provisioning, multi-device sync); minor metadata change to eVault-Key-Delegation sidebar position.

Sequence Diagram(s)

sequenceDiagram
    participant Platform
    participant User as eID Wallet
    participant EVault
    participant Registry
    participant Validator

    Platform->>Platform: generate login offer (session UUID, w3ds://auth URI)
    Platform-->>User: return offer / display QR or deep link
    User->>EVault: sign session (private key) & send signed payload to redirect URL
    Platform->>Registry: resolve w3id / fetch public key(s)
    Platform->>EVault: (optional) fetch meta-envelope or certificate for verification
    Platform->>Validator: verify signature against public key / certificate
    Validator-->>Platform: verification result (ok / fail)
    Platform-->>User: issue auth token / complete login

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• docs: add docs for key delegation and auth #720: Modifies overlapping documentation (eVault-Key-Delegation, auth/signature docs) and navigation structure.
• docs: add getting started guide #624: Updates getting-started / auth flow content similar to the changes here.

Suggested reviewers

• xPathin
• JulienAuvo

Poem

🐇
I nibble docs in morning light,
eVaults stitched tidy, signatures tight.
Wallets hum, webhooks take flight,
Platforms talk through day and night.
Hooray — the docs are cozy and bright! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and concisely summarizes the main changes: adding documentation for infrastructure, protocols, and getting started content.
Description check	✅ Passed	The description covers most required sections but lacks specific details in 'How the change has been tested' and could expand on 'Issue Number' context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🤖 Fix all issues with AI agents

In `@docs/docs/Infrastructure/eID-Wallet.md`:
- Around line 182-189: The fenced code block containing the message sequence
starting with "Wallet → Registry: GET /entropy" is missing a Markdown language
tag; update the opening triple-backtick fence to include a language such as text
(or http) so markdownlint stops flagging it (e.g., change ``` to ```text) and
ensure the rest of the block remains unchanged.
- Around line 95-98: Current doc text contradicts itself between the "Real
KYC/Verification" and "Hardware Available" bullets; update the wording so "Real
KYC/Verification" is explicitly hardware-only with no software fallback except
for the limited pre-verification/test-user case, and change the "Hardware
Available" bullet to state it applies only to non-KYC/test flows (e.g., "For
non-KYC flows: prefer hardware, fall back to software for test/pre-verification
users"). Ensure both bullets reference the same exception scope
(pre-verification/test users) and remove any phrasing that implies a general
fallback for Real KYC/Verification.
- Around line 383-386: The auth payload uses the property ename (ename:
vault.ename) but the protocol and signing workflow expect w3id; change the
payload property from ename to w3id (e.g., replace ename: vault.ename with w3id:
<vault identifier>) so the payload field matches the signing workflow and server
lookups, and update any code that constructs or consumes this payload (including
places that read sessionId, signature, and appVersion) to use w3id consistently
so public key retrieval in the signing workflow works correctly.

In `@docs/docs/Infrastructure/eVault.md`:
- Around line 367-384: The env docs block is missing required DB and
verification variables; update the code block that lists environment variables
to include PostgreSQL connection URLs (e.g., PROVISIONER_DATABASE_URL and
REGISTRY_DATABASE_URL), Veriff integration keys (PUBLIC_VERIFF_KEY and
VERIFF_HMAC_KEY), PUBLIC_EVAULT_SERVER_URI, optional DB_CA_CERT for SSL, and the
demo code variable (DEMO_CODE_W3DS) so the documented envs match the deployment
requirements and architecture diagram.

In `@docs/docs/W3DS` Protocol/Authentication.md:
- Around line 258-263: The example calls isVersionValid(appVersion, "0.4.0") but
never defines it; add a clear implementation or example in the docs that shows
how to compare semantic versions (e.g., parse appVersion and minVersion into
major/minor/patch numbers and compare them lexicographically) and reference the
function name isVersionValid, the parameters appVersion and minVersion, and the
expected boolean return so implementers can copy or adapt it directly.

In `@docs/docs/W3DS` Protocol/Signing.md:
- Around line 326-330: Change the phrase that currently reads "Certificates
expire 1 hour after issuance." to use a hyphenated form "Certificates have
1-hour validity." (or "Certificates expire after 1-hour validity.") — update the
sentence in the section that mentions the `exp` claim and the `publicKey`
extraction under "JWT Payload Structure" so the documentation uses the
hyphenated "1-hour validity".

🧹 Nitpick comments (8)

docs/docs/Infrastructure/eVault.md (2)

88-90: Add language identifier to fenced code block.

The fenced code block showing the Neo4j storage structure should specify a language identifier for proper syntax highlighting and better readability.

📝 Suggested fix

-```
+```cypher
 (MetaEnvelope {id, ontology, acl}) -[:LINKS_TO]-> (Envelope {id, value, valueType})

</details>

---

`294-299`: **Document the rationale for the 3-second webhook delay.**

The 3-second delay to prevent "webhook ping-pong" is mentioned but not fully explained. Consider adding more context:
- What exactly is webhook ping-pong?
- Why is 3 seconds the chosen duration?
- Are there edge cases where this delay might cause issues?



This would help implementers understand the design decision and potential trade-offs.

</blockquote></details>
<details>
<summary>docs/docs/W3DS Basics/getting-started.md (2)</summary><blockquote>

`280-283`: **Add language identifier to fenced code block.**

The fenced code block showing W3ID resolution should specify a language identifier for proper rendering.



<details>
<summary>📝 Suggested fix</summary>

```diff
-```
+```http
 GET /resolve?w3id=@user-a.w3id
 → Returns: https://evault.example.com/users/user-a

</details>

---

`148-165`: **Consider adding webhook retry/failure handling guidance.**

The webhook payload documentation is clear, but it doesn't address what happens if webhook delivery fails. Based on eVault.md, webhooks are fire-and-forget with no retries, but this could lead to data inconsistency across platforms.



Consider adding a note about:
- What happens when webhook delivery fails
- How platforms can detect missing updates
- Whether platforms should implement a polling mechanism as backup
- Handling eventual consistency

</blockquote></details>
<details>
<summary>docs/docs/W3DS Protocol/Authentication.md (2)</summary><blockquote>

`65-67`: **Add language identifier to fenced code block.**

The w3ds://auth URI example should specify a language identifier for proper rendering.



<details>
<summary>📝 Suggested fix</summary>

```diff
-   ```
+   ```text
    w3ds://auth?redirect={redirectUrl}&session={sessionId}&platform={platformName}
    ```

---

163-163: Clarify the appVersion sunset timeline.

The documentation mentions that appVersion is temporary and will be sunset "after the rollout is completed," but there's no indication of when that might be or what the rollout refers to. This could cause confusion for platform implementers.

Consider adding:

• An approximate timeline or milestone for when this field will be removed
• What "rollout" refers to (e.g., "eID wallet version 1.0 adoption")
• Whether platforms should plan to handle both the presence and absence of this field

docs/docs/Getting Started/getting-started.md (2)

127-129: Add language identifier to fenced code block.

The data flow diagram should specify a language identifier for proper rendering.

📝 Suggested fix

-```
+```text
 User Action → Platform Database → Web3 Adapter → User's eVault → Webhooks → All Platforms

</details>

---

`140-144`: **Consider clarifying the relationship between the two "Getting Started" docs.**

There are now two "getting-started.md" files in different directories:
- `docs/docs/Getting Started/getting-started.md` (this file)
- `docs/docs/W3DS Basics/getting-started.md`

While this file provides a high-level overview and the W3DS Basics version provides deeper technical detail, new users might be confused about which to read first.



Consider:
1. Adding a note at the top of each file explaining their relationship
2. Renaming one to better differentiate (e.g., "Overview" vs "Deep Dive")
3. Adding cross-references between the two

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docs/docs/Infrastructure/eID-Wallet.md`:
- Around line 397-402: Update the "Hardware keys not available" section to
remove the incorrect fallback claim and state that the eID Wallet enforces a
hardware key manager during onboarding with no fallback to software keys;
specifically, replace the bullet that reads "If hardware is unavailable, the
wallet will fallback to software keys" with a clear statement that onboarding
cannot proceed without hardware keys and ensure the note about KYC-verified
users always using hardware keys (referenced around line 96) remains consistent.

♻️ Duplicate comments (4)

docs/docs/Infrastructure/eID-Wallet.md (2)

182-189: Add language tag to code fence.

The code fence is missing a language specifier.

✍️ Proposed fix

-```
+```text
 Wallet → Registry: GET /entropy
 Registry → Wallet: JWT entropy token
 Wallet → Provisioner: POST /provision (entropy, namespace, publicKey)
 Provisioner → Registry: Request key binding certificate
 Registry → Provisioner: JWT certificate
 Provisioner → Wallet: w3id, evaultUri
 ```

---

95-98: Clarify hardware key enforcement without fallback.

Lines 96 and 97-98 contradict each other. Line 96 correctly states that real KYC/verification always uses hardware keys with no software fallback, but line 97-98 suggests a fallback exists. This contradicts the actual implementation.

✍️ Suggested fix

 1. **Pre-verification Mode**: Always uses software keys (for testing/fake users only)
 2. **Real KYC/Verification**: Always uses hardware keys (never software keys)
-3. **Hardware Available**: Prefers hardware keys, falls back to software only if hardware is unavailable
+3. **Hardware Pre-test**: The wallet performs a pre-test during onboarding to verify hardware key availability. If hardware keys are unavailable, onboarding cannot proceed for real users.
 4. **Explicit Request**: Can force hardware or software based on configuration

Based on learnings, in the eID Wallet, hardware key manager is always enforced on onboarding flows. The wallet performs a pre-test to check if hardware keys are available, and there is no fallback to software keys for real users.

docs/docs/Infrastructure/eVault.md (1)

364-391: Add missing PostgreSQL environment variables.

The deployment requirements (line 361) explicitly state "PostgreSQL: For verification and notification storage," but the environment variables section does not document any PostgreSQL connection strings (e.g., PROVISIONER_DATABASE_URL, REGISTRY_DATABASE_URL). This creates a gap between stated requirements and configuration guidance.

Based on learnings, the project uses Digital Ocean managed PostgreSQL which requires specific SSL configuration for database connections.

docs/docs/W3DS Protocol/Authentication.md (1)

258-263: Provide implementation for isVersionValid function.

The example code calls isVersionValid(appVersion, "0.4.0") but this function is never defined or explained. Platform implementers may not know how to implement version validation correctly.

💡 Suggested implementation example

Add a note or code example explaining version validation:

// Helper function for semantic version comparison
function isVersionValid(appVersion: string, minVersion: string): boolean {
  if (!appVersion) return false;
  
  const [major, minor, patch] = appVersion.split('.').map(Number);
  const [minMajor, minMinor, minPatch] = minVersion.split('.').map(Number);
  
  if (major > minMajor) return true;
  if (major < minMajor) return false;
  if (minor > minMinor) return true;
  if (minor < minMinor) return false;
  return patch >= minPatch;
}

🧹 Nitpick comments (4)

docs/docs/Infrastructure/eVault.md (1)

86-88: Add language tag to code fence.

The code fence is missing a language specifier, reducing readability.

✍️ Proposed fix

-```
+```text
 (MetaEnvelope {id, ontology, acl}) -[:LINKS_TO]-> (Envelope {id, value, valueType})

</details>

</blockquote></details>
<details>
<summary>docs/docs/W3DS Protocol/Signing.md (3)</summary><blockquote>

`67-69`: **Add language tag to code fence.**

The code fence displaying the URI format is missing a language specifier.



<details>
<summary>✍️ Proposed fix</summary>

```diff
-   ```
+   ```text
    w3ds://sign?session={sessionId}&data={base64Data}&redirect_uri={encodedRedirectUri}
    ```

---

272-274: Add language tag to code fence.

The code fence is missing a language specifier for the HTTP request example.

✍️ Proposed fix

-```
+```http
 GET {registryBaseUrl}/resolve?w3id=@user-a.w3id

</details>

---

`290-294`: **Add language tag to code fence.**

The code fence is missing a language specifier for the HTTP request example.



<details>
<summary>✍️ Proposed fix</summary>

```diff
-```
+```http
 GET {evaultUrl}/whois
 Headers:
   X-ENAME: `@user-a.w3id`

</details>

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[nsergey82]

not just frontends, but also acting as cache and aggregators

[nsergey82]

we want to emphasisze that 2+3 == interoperability
and 1 and 4 is quite similar and related

[nsergey82]

this formulation will sound spooky to a lot of people out there

[nsergey82]

again, it feels that the first and the last should be united

[nsergey82]

if it is bidirectional why did we bother to say sync local db to vault above?

[nsergey82]

I thought Alex wanted the registry to sign this, because again, spoofing and holding them accountable for resolution of enames? Did we convince him not to do it in the prototype?

[nsergey82]

I thought Alex wanted the registry to sign this, because again, spoofing and holding them accountable for resolution of enames? Did we convince him not to do it in the prototype?

[nsergey82]

should mention the QR vs. deeplink flows distinctions

[nsergey82]

there should be an explanation why -- because if you don't this bad thing may happen

[nsergey82]

generic but helpful

[sosweetham]

add recommendation on message delivery queue implementation to account for evault/platform downtime

[sosweetham]

rename parent block to evault provider maybe?

[sosweetham]

if we are not implying that other platforms will not be able to use registry service, maybe consider showing a dashed line reference

[sosweetham]

also might be worth having a sequence diagram of interactions between the layers inclusive of web 3 adapter internal implementation

registration sequence diagram might also help to understand the role of the provisioner and registry better for theoretical knowledge required to setup a w3ds environment locally

[sosweetham]

atm these but it's all dependent on what we decide to support in the plugin, maybe link it over here to give context?

[sosweetham]

should have determination layer above as we sort of logically autodetect the hardware support depending on the

• environment the app is being used in (preverification code based/kyc based)
• device hardware module support

[sosweetham]

maybe have an explicit mention to the plugin lib implementation to avoid shadow/implied knowledge on these limitations

[sosweetham]

this shows platforms interacting directly with evaults without having the web3adapter abstraction layer

[sosweetham]

someone might waste time looking into postgres implementation on blabsy when it uses firebase, consider using pictique as an example here instead or change it to firebase

[sosweetham]

add session id refresh/invalidation on 60 seconds without authentication note and reasoning for practice in existing platforms