rebase

Signed-off-by: Patrick St-Louis <[email protected]>

Author: PatStLouis

.github/workflows/pages.yml

@@ -0,0 +1,27 @@
+name: Documentation
+on:
+  push:
+    branches:
+      - main
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+jobs:
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/configure-pages@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - run: pip install zensical
+      - run: zensical build --clean 
+      - uses: actions/upload-pages-artifact@v4
+        with:
+          path: site
+      - uses: actions/deploy-pages@v4

README.md

@@ -4,57 +4,8 @@ A Web Server component for a DID WebVH implementation built with FastAPI.
 
 **DID WebVH Specification**: [https://identity.foundation/didwebvh](https://identity.foundation/didwebvh)
 
-## Abstract
-
-This server enables controllers to deposit their DID documents, DID logs, and attested resources (including AnonCreds objects) in a secure, policy-driven environment.
-
-By separating the storage of verification material from the signing operations, the architecture provides:
-- **Security**: Signing material isolation
-- **Governance**: Configurable policies for witness requirements, endorsement, portability, and more
-- **Verifiability**: Cryptographic proofs and append-only history
-- **Interoperability**: Support for AnonCreds, W3C Verifiable Credentials, and DID Attested Resources
-
-## How It Works
-
-The DID WebVH Server follows a policy-driven approach where controllers request DID paths, receive policy parameters, and submit signed log entries for verification and publication.
-
-### Key Workflow
-
-1. **Controller requests a DID path** from the server
-2. **Server returns policy-driven parameters** that must be used
-3. **Controller creates and signs** the initial log entry
-4. **Controller obtains witness signatures** (if required by policy)
-5. **Controller submits** the log entry with witness proofs
-6. **Server verifies and publishes** the DID document and history
-
-### Registering a New DID
-
-```mermaid
-sequenceDiagram
-    participant WebVH Server
-    participant Controller
-    participant Witness
-    Controller->>WebVH Server: Request a did path.
-    WebVH Server->>Controller: Provide log input document with policy.
-    Controller->>Controller: Create and sign initial log entry.
-    Controller->>Witness: Request witness signature if required.
-    Controller->>WebVH Server: Send initial log entry and did witness signature.
-    WebVH Server->>WebVH Server: Verify and publish DID.
-```
-
-## Features
-
-- **DID Management**: Create, resolve, and manage DIDs with WebVH method
-- **Attested Resources**: Upload and manage AnonCreds objects, schemas, credential definitions
-- **Witness Registry**: Manage known witness services and their invitation URLs
-- **Policy Enforcement**: Configurable policies for witness, endorsement, portability, prerotation
-- **Web Explorer**: Interactive UI for browsing DIDs, resources, and witness network
-- **Multiple Storage**: SQLite (default) or PostgreSQL backends
-
 ## Quick Start
 
-See [`server/README.md`](server/README.md) for detailed setup instructions.
-
 ```bash
 # Install dependencies
 cd server
@@ -68,41 +19,31 @@ cp env.example .env
 uv run python main.py
 ```
 
+The server will be available at `http://localhost:8000` with:
+- **API Documentation**: `http://localhost:8000/docs` (Swagger UI)
+- **Web Explorer**: `http://localhost:8000/api/explorer`
+
 ## Documentation
 
-📚 **For complete documentation, see the [User Manual](docs/content/index.md)**
+📚 **Complete documentation is available in the [User Manual](docs/index.md)**
 
-The user manual includes:
-- **Getting Started**: Installation and setup
-- **Configuration**: All environment variables and settings
-- **API Endpoints**: Complete API reference
-- **Protocols**: Detailed protocol flows (Connecting to Witness, Requesting DID Path, Creating Log Entry)
-- **Roles**: Admin, Witness, Controller, and Watcher responsibilities
-- **Admin Operations**: Managing witnesses and policies
-- **DID Operations**: Creating, updating, and resolving DIDs
-- **AnonCreds**: Publishing and resolving AnonCreds objects
-- **Examples**: Practical use cases
+To view the documentation locally:
 
-## Additional Resources
+```bash
+# Install Zensical
+pip install zensical
 
-- **[Server README](server/README.md)**: Quick setup guide for the server
-- **Interactive API Docs**: Swagger UI available at `/docs` when server is running
-- **Demo**: See the `demo/` directory for example usage
+# Start the documentation server
+zensical serve
+```
 
-## Project Structure
+The documentation will be available at `http://localhost:8000` (or the port specified in `zensical.toml`).
 
-```
-didwebvh-server-py/
-├── server/              # FastAPI server application
-│   ├── app/
-│   │   ├── routers/    # API route handlers
-│   │   ├── plugins/    # Core plugins
-│   │   └── templates/  # Web explorer UI
-│   └── env.example     # Environment configuration template
-├── docs/               # User manual and documentation
-└── demo/               # Demonstration examples
-```
+## Additional Resources
+
+- **[Server README](server/README.md)**: Quick setup guide
+- **Demo**: See the `demo/` directory for load testing and examples
 
 ## License
 
-Apache License 2.0
+Apache License 2.0

docs/.gitignore

@@ -0,0 +1,14 @@
+# Zensical build output (HTML files and directories)
+*.html
+!content/**/*.html
+assets/
+.zensical
+
+# Python cache
+__pycache__
+*.pyc
+
+# Keep source content and README
+!content/
+!README.md
+

docs/about.md

@@ -0,0 +1,134 @@
+# About
+
+The DID WebVH Server is a FastAPI-based server for managing Decentralized Identifiers (DIDs) using the WebVH (Web Verifiable History) method. It provides endpoints for creating, updating, and resolving DIDs, as well as managing witness services and server policies.
+
+## What is DID WebVH?
+
+**DID WebVH** (Decentralized Identifier Web Verifiable History) is a DID method specification that provides a secure, policy-driven approach to managing Decentralized Identifiers on the web.
+
+This server implementation enables controllers to deposit their DID documents, DID logs, and attested resources (including AnonCreds objects) in a secure, policy-driven environment.
+
+## Key Benefits
+
+### 🔒 Security
+
+By separating the storage of verification material from the signing operations, the architecture provides:
+
+- **Signing Material Isolation**: Signing keys remain with controllers and witnesses, not on the server
+- **Cryptographic Proofs**: All operations are cryptographically verified
+- **Append-Only History**: Immutable log entries ensure verifiable history
+
+### ⚖️ Governance
+
+Configurable policies allow you to control:
+
+- **Witness Requirements**: Require witness signatures for DID operations
+- **Endorsement Policies**: Control which resources and credentials need endorsement
+- **Portability**: Enable or disable DID portability features
+- **Prerotation**: Configure key rotation policies
+
+### 📜 Verifiability
+
+- **Cryptographic Verification**: All log entries are cryptographically signed
+- **Append-Only Logs**: Immutable history ensures auditability
+- **Version Control**: Track all changes to DID documents over time
+
+### 🔗 Interoperability
+
+Full support for:
+
+- **AnonCreds**: Publish and resolve AnonCreds schemas and credential definitions
+- **W3C Verifiable Credentials**: Support for standard VC formats
+- **DID Attested Resources**: Manage any type of attested resource
+
+## Architecture
+
+The DID WebVH Server follows a policy-driven workflow:
+
+```mermaid
+sequenceDiagram
+    participant Controller
+    participant Server
+    participant Witness
+    
+    Controller->>Server: Request DID path
+    Server->>Controller: Return policy parameters
+    Controller->>Controller: Create and sign log entry
+    Controller->>Witness: Request witness signature (if required)
+    Witness->>Controller: Provide witness signature
+    Controller->>Server: Submit log entry with proofs
+    Server->>Server: Verify and publish DID
+```
+
+## Components
+
+### Server
+
+The server component is responsible for:
+
+- **Policy Management**: Enforcing configurable policies for DID operations
+- **Verification**: Verifying signatures and proofs from controllers and witnesses
+- **Storage**: Hosting DID documents (`did.json`) and log files (`did.jsonl`)
+- **Resource Management**: Managing attested resources and their metadata
+
+### Controller
+
+The controller role:
+
+- **Creates DIDs**: Requests DID paths and creates initial log entries
+- **Updates DIDs**: Submits signed log entries for updates
+- **Manages Resources**: Uploads and manages attested resources
+- **Interacts with Witnesses**: Requests witness signatures when required
+
+### Witness
+
+The witness role:
+
+- **Signs Operations**: Provides cryptographic signatures for DID operations
+- **Endorses Resources**: Endorses attested resources and verifiable credentials
+- **Verifies Requests**: Validates controller requests before signing
+
+### Watcher
+
+The watcher role (optional):
+
+- **Monitors Changes**: Watches for DID document and log changes
+- **Receives Notifications**: Gets notified of updates and new resources
+- **Audit Trail**: Maintains audit logs of all operations
+
+## Key Features
+
+- **DID Creation and Management**: Create and manage DIDs with verifiable history
+- **Witness Services**: Integrate with witness services for DID attestation
+- **Policy Enforcement**: Configurable policies for witness requirements, portability, prerotation, and more
+- **Admin API**: Administrative endpoints for managing witnesses and policies
+- **Resource Management**: Store and serve attested resources bound to DIDs
+- **Web Explorer**: Interactive web interface for browsing DIDs, resources, and witness network
+- **AnonCreds Support**: Publish and resolve AnonCreds objects as Attested Resources
+
+## Technology Stack
+
+- **Framework**: FastAPI (Python)
+- **Database**: SQLite or PostgreSQL
+- **Storage**: Configurable storage backends
+- **API**: RESTful API with OpenAPI documentation
+- **Web UI**: Modern web explorer interface
+
+## Specification
+
+This server implements the [DID WebVH Specification](https://identity.foundation/didwebvh) maintained by the Decentralized Identity Foundation (DIF).
+
+## License
+
+This project is open source and available under the Apache 2.0 License.
+
+## Community
+
+- **Repository**: [GitHub](https://github.com/decentralized-identity/didwebvh-server-py)
+- **Issues**: [GitHub Issues](https://github.com/decentralized-identity/didwebvh-server-py/issues)
+- **Discussions**: [GitHub Discussions](https://github.com/decentralized-identity/didwebvh-server-py/discussions)
+
+## Getting Started
+
+Ready to get started? Check out our [Getting Started Guide](getting-started.md) or explore the [User Guide](user-manual.md) for comprehensive documentation.
+

docs/admin-operations.md

@@ -0,0 +1,70 @@
+# Admin Operations
+
+Admin endpoints require API key authentication via the `x-api-key` header.
+
+## Witness Management
+
+### Add Witness
+
+- **POST** `/api/admin/witnesses`
+  - **Headers**: `x-api-key: <WEBVH_ADMIN_API_KEY>`
+  - **Body**:
+    ```json
+    {
+      "id": "did:key:z6Mk...",
+      "label": "Example Witness Service",
+      "invitationUrl": "https://witness.example.com/oob-invite?oob=<base64_encoded_invitation>"
+    }
+    ```
+  - Decodes the invitation, stores it, and creates a short URL in the registry
+
+### Remove Witness
+
+- **DELETE** `/api/admin/witnesses/{multikey}`
+  - **Headers**: `x-api-key: <WEBVH_ADMIN_API_KEY>`
+  - Removes a witness from the registry
+
+## Policy Management
+
+### Get Parameters
+
+- **GET** `/api/admin/parameters`
+  - **Headers**: `x-api-key: <WEBVH_ADMIN_API_KEY>`
+  - Returns the parameters generated from the active policy
+  - Includes witness configuration, method version, and other policy-driven settings
+
+## Witness Management
+
+### Automatic Registration
+
+If both `WEBVH_WITNESS_ID` and `WEBVH_WITNESS_INVITATION` are set, the server will automatically:
+
+1. Decode the invitation from the URL
+2. Store the invitation using the witness DID as the key
+3. Update the witness registry with a short URL (`https://{DOMAIN}/api/invitations?_oobid={witness_key}`)
+4. Update the invitation if it changes on restart
+
+### Invitation Lookup
+
+Witness invitations can be retrieved via the root endpoint:
+
+- **GET** `/api/invitations?_oobid={witness_key}`
+  - Returns the stored invitation as JSON
+  - The `witness_key` is the multikey portion of the `did:key` identifier
+
+### Short URLs
+
+The server generates short URLs for witness invitations in the format:
+```
+https://{DOMAIN}/api/invitations?_oobid={witness_key}
+```
+
+These URLs are:
+- Stored in the witness registry as `serviceEndpoint`
+- Included in the server's DID document under `WitnessInvitation` services
+- Resolvable via the root endpoint to return the full invitation JSON
+
+
+
+
+