Skip to main content

SPEC 007 — Documents and Document Generation

FieldValue
StatusDRAFT
PriorityP1 — Core Product
Backendequa-server/modules/data-room/, equa-server/modules/doc-gen/, equa-server/modules/file-storage/
APIequa-server/modules/api/src/endpoints/data-room-endpoints.ts, organization-endpoints.ts, captable-endpoints.ts
Frontendequa-web/src/modules/documents/, equa-web/src/modules/agreements/

1. Feature Purpose

Documents and DocGen provides the file management infrastructure for the entire Equa platform. It covers three areas:
  1. Data Room — General-purpose virtual file storage with folders, uploads, renaming, and deletion
  2. Governing Documents — Categorized legal document repository (formation, operating, shareholder, board, employment, investor, compliance)
  3. Document Generation — Automated creation of stock certificates (SVG templates rendered to PDF) and operating agreements (Handlebars DOCX templates)
All files are stored on AWS S3 with content-addressed hashing. The system supports DOCX-to-PDF server-side conversion for inline viewing.

2. Current State (Verified)

2.1 Backend

ComponentPath
Data room persistence (read)equa-server/modules/persistence/src/data-room/reading.ts
Data room persistence (write)equa-server/modules/persistence/src/data-room/writing.ts
File storage (S3)equa-server/modules/file-storage/src/s3.ts
Upload middlewareequa-server/modules/file-storage/src/uploading.ts
Doc-gen moduleequa-server/modules/doc-gen/
Certificate templatesequa-server/modules/doc-gen/res/templates/certificate-front.svg, certificate-back.svg
API doc-gen wrappersequa-server/modules/api/src/doc-gen/generation.ts
Data room endpointsequa-server/modules/api/src/endpoints/data-room-endpoints.ts
Organization endpoints (files)equa-server/modules/api/src/endpoints/organization-endpoints.ts
Cap table endpoints (certs)equa-server/modules/api/src/endpoints/captable-endpoints.ts
Authorization persistenceequa-server/modules/persistence/src/organizations/reading.ts, writing.ts

2.2 Frontend

ComponentPath
Data room moduleequa-web/src/modules/documents/
Agreements moduleequa-web/src/modules/agreements/
Web client (upload/download)equa-web/src/service/services/web-client.ts
Shared documents componentequa-web/src/shared/components/documents-and-notes.tsx
ESOP plan documentsequa-web/src/modules/esop/pages/all-plan-documents.tsx
Cap table doc/notes pageequa-web/src/modules/captable/pages/documents-and-notes-page.tsx

3. Data Model

3.1 DirectoryItems

Virtual filesystem entries (files and folders) organized by path.
ColumnTypeConstraintsDescription
organizationuuidPK (composite)Owning organization
parentPathvarcharPK (composite)Parent folder path (e.g., / or /legal/)
namevarcharPK (composite)File or folder name
fileuuidnullable, FK → FilesNull for folders, set for files
typesmallintunsigned2 = folder, other = file
sizenumberFile size in bytes (0 for folders)
Extends: CreatedModifiedDeleted Source: schema.ts lines 564–582

3.2 Files

Content-addressed file records stored on S3.
ColumnTypeConstraintsDescription
iduuidPKFile identifier
hashHashnullableContent hash for deduplication
filenamevarcharOriginal filename
urlvarcharS3 URL or path
extensionvarcharFile extension (e.g., pdf, docx)
contentTypevarcharMIME type
sizenumberFile size in bytes
owneruuidFK → UsersUploading user
Extends: CreatedModified Source: schema.ts lines 585–609

3.3 Authorizations

Document authorizations linking approval records to organizations.
ColumnTypeConstraintsDescription
(hash)HashPK (from HashedTable)Content-addressed identifier
authorizationDatedatenullableDate of authorization
documentHashnullableReference to authorized document
notetextnullableFree-text note
organizationuuidFK → OrganizationsOwning organization
reasonuuidnullableReason reference
targetvarcharTarget entity or path
documentTypeNamevarcharnullableType label (e.g., “Issuance Agreement”)
deletedbooleandefault: falseSoft-delete flag
Extends: HashedTable Source: schema.ts lines 1378–1402

3.4 OrganizationTemplates

Stored document templates (certificate legends, operating agreement content).
ColumnTypeConstraintsDescription
organizationuuidPK (composite)Owning organization
typevarcharPK (composite)Template type identifier
contentHashContent-addressed template body
Extends: CreatedModifiedDeleted Source: schema.ts lines 1405–1414

3.5 DataRoomsMembers (Access Control)

This section covers the data model previously planned as Spec 008 (Data Rooms). The entity and persistence functions exist, but no REST API endpoints or frontend UI are implemented for managing data room membership. The legacy Microsoft path restriction (processRestrictedPath in microsoft/src/reading.ts) is deprecated. Modern data room access control needs a separate specification.
Member-level access control for named data rooms.
ColumnTypeConstraintsDescription
dataRoomNamevarcharPK (composite)Named data room (maps to folder path)
memberuuidPK (composite), FK → MembersAuthorized member
permissionuuidPK (composite), FK → PermissionsGranted permission
Source: schema.ts lines 164–174 Persistence functions (exist, not exposed via REST):
  • getDataRoomsPermissionsForMember(db, organization, member) — Query by org + member (common/reading.ts line 576)
  • getDataRoomsPermissionsForOrganizationAnUser(db, organization, user) — Query by org + user, joins through Members (common/reading.ts line 580)
  • insertDataRoomsMembers(db, record) — Insert single record (common/writing.ts line 319)
Legacy path restriction (deprecated): processRestrictedPath in microsoft/src/reading.ts line 51 restricts folder paths for non-admin users based on their dataRoomName entries. Admins bypass. This was built for Microsoft Graph/SharePoint storage and is not used with the current native file storage. Gap: No endpoints exist for granting/revoking data room access. No frontend UI for data room member management. A future spec should define modern access control for Google Drive integration or native storage.

3.6 File Storage Backend

Files are stored on AWS S3 (file-storage/src/s3.ts):
  • Upload: uploadS3(config, hash, stream) — stores with hash as S3 object name
  • Download: downloadS3(config, hash) — retrieves by hash
  • Configuration: AwsFileStorageConfig with accessKeyId, secretAccessKey, bucket, cacheBucket, region, tempPath

Relationships

4. API Endpoints

Data Room Endpoints

MethodPathAuth GuardDescription
GET/organization/:organization/documentcanViewOrganizationList documents at path (query: ?path=/)
GET/organization/:organization/document/:document/contentcanViewDocumentsDownload file (attachment disposition)
GET/organization/:organization/document/:document/content/:namecanViewDocumentsView file inline (supports ?format=pdf for DOCX conversion)
POST/organization/:organization/documentcanEditDocumentsUpload files (multipart, max 10 MB default)
POST/organization/:organization/foldercanEditDocumentsCreate folder
POST/organization/:organization/document/:document/movecanEditDocumentsRename or move document/folder
DELETE/organization/:organization/document/:documentcanEditDocumentsDelete document (query: ?fullPath=...)
Source: data-room-endpoints.ts lines 40–117 Upload middleware: uploadMiddlewareUsingMemory with maxSizeMegabytes: parseInt(process.env.DATA_ROOM_UPLOAD_SIZE_LIMIT_MB || '10')

Organization File Endpoints

MethodPathAuth GuardDescription
POST/organization/:organization/filecanEditDocumentsUpload organization file (max 21 MB default)
GET/file/:file/contentDownload file by ID
GET/file/:file/content/:nameView file inline by ID
GET/authorizationGet authorizations
POST/organization/:organization/authorizationcanEditDocumentsCreate authorization
DELETE/organization/:organization/authorization/:authorizationcanEditDocumentsDelete authorization
Source: organization-endpoints.ts lines 208–251

Certificate Generation Endpoints

MethodPathAuth GuardDescription
GET/shareholding/:holding/certificatecanViewCapTableGenerate shareholding certificate PDF
GET/legend/:legend/certificatecanViewCapTableGenerate legend certificate PDF
GET/shareholding/:holding/certificate/copycanViewCapTableGenerate certificate copy PDF
Source: captable-endpoints.ts lines 207–222

5. Frontend Components

Data Room

ComponentFilePurpose
DataRoomPagedocuments/documents.tsxMain data room with folder navigation, upload dropzone, modals
DocumentSectiondocuments/components/document-section.tsxFile/folder table with actions (view, rename, delete)
DocumentButtonsdocuments/components/document-buttons.tsxUpload controls (file, folder, link)
Modalsdocuments/components/modals.tsxDelete confirmation, rename, new folder, add link, introduction
DataRoomPage behavior:
  • Dropzone supports file and folder uploads with progress tracking
  • Link creation generates .url files (Windows Internet Shortcut format)
  • Permission-gated: checks canEditDocument for write operations
  • Introduction modal shown on first visit to empty data room
  • Supports legacy Microsoft Graph paths via legacyDataRoom org flag

Governing Documents

ComponentFilePurpose
AgreementsPageagreements/agreements-page.tsxCategory-filtered document list with upload/view/delete
AgreementsTableagreements/components/agreements-table.tsxDocument table within a category
Agreement Categories (8 total, from agreements/utils.ts):
CategoryStorage PathDescription
allgoverningShow all governing documents
formationgoverning/formationArticles of incorporation, bylaws
operatinggoverning/operatingOperating agreements
shareholdergoverning/shareholderShareholder agreements
boardgoverning/boardBoard resolutions, minutes
employmentgoverning/employmentEmployment agreements
investorgoverning/investorInvestor rights, ROFR
compliancegoverning/complianceRegulatory filings

Document Generation

The doc-gen module generates:
  1. Stock certificates — Front and back pages rendered from SVG templates (certificate-front.svg, certificate-back.svg) using pdf-lib for PDF output. Populated with shareholding data (holder name, share count, serial number, legend text, signatures).
  2. Legend certificates — Standalone legend document generated from legend content.
  3. Operating agreements — DOCX documents generated from Handlebars templates via modules/api/src/doc-gen/generation.ts. Templates stored in OrganizationTemplates entity.

Shared Components

ComponentFilePurpose
DocumentsAndNotesshared/components/documents-and-notes.tsxReusable form section for document uploads with metadata (type name, approval date, notes). Uses FieldArray for multiple docs.

Routes

RouteComponent
/organization/:organization/dataroomDataRoomPage
/organization/:organization/documents/governingAgreementsPage
/organization/:organization/documents/governing/:categoryAgreementsPage (filtered)
${captableCertificatePath}/documentsAndNotesDocumentsAndNotesPage
${planPath}/documentsAllPlanDocuments

6. Business Rules and Validation

RuleDescriptionEnforcement
Composite path uniquenessNo two items can have the same (organization, parentPath, name)Database PK constraint
Upload size limitsData room: 10 MB (configurable via DATA_ROOM_UPLOAD_SIZE_LIMIT_MB); General: 21 MB (via DOCUMENT_UPLOAD_SIZE_LIMIT_MB)Server-side middleware
File type validationCurrently not enforced — validation code exists but is commented out in file-storage/src/validation.ts line 48None (gap)
Content-addressed deduplicationFiles with identical content share the same S3 object (hash-based naming)S3 upload uses formatS3ObjectName(hash)
DOCX-to-PDF conversionInline viewing of DOCX files triggers server-side conversion via ?format=pdf query parameterBackend conversion on request
Permission gatingData room operations require canViewDocuments (read) or canEditDocuments (write)API endpoint guards
Soft delete on authorizationsAuthorizations use deleted: boolean flag rather than hard deleteApplication-level check
Folder type markerDirectoryItems with type = 2 are folders; others are filesApplication convention
Legacy data room flagOrganizations with legacyDataRoom = true use Microsoft Graph paths; newer orgs use native S3 storageFrontend path handling

7. Acceptance Criteria

  • Users with editDocuments permission can upload files to the data room (up to configured size limit)
  • Folder creation works with nested paths (e.g., /legal/contracts/)
  • Files can be renamed and moved between folders
  • File deletion removes the DirectoryItem record (file content retained in S3 via hash)
  • DOCX files can be viewed inline as PDF via the ?format=pdf parameter
  • Governing documents page filters correctly by all 8 categories
  • Each category maps to the correct governing/[category] storage path
  • Stock certificate generation produces a PDF with front/back pages containing holder info, legend, and signatures
  • Authorizations can be created and deleted, with soft-delete flag
  • Upload progress is displayed in the frontend during file uploads
  • Link creation generates a valid .url file in the data room
  • Introduction modal appears on first visit to an empty data room
  • canViewDocuments and canEditDocuments guards correctly gate all endpoints
  • DataRoomsMembers entity stores access control records (no REST API or UI — documented gap)

8. Risks and Edge Cases

RiskImpactMitigation
No file type validationMalicious files could be uploadedRe-enable validation in file-storage/src/validation.ts
Upload size limit mismatch (10 MB vs 21 MB)User confusion about different limits for data room vs org filesUnify limits or display the applicable limit in the UI
S3 credential exposureFile storage compromiseCredentials stored in environment variables, not in code
DOCX-to-PDF conversion failureUnsupported DOCX features may produce corrupt PDFFallback to download link when conversion fails
Hash collision (content-addressed)Wrong file servedSHA-256 makes collision negligible; add unique constraint on hash
Legacy Microsoft Graph pathsBroken file access for old organizationsMigration path needed; legacyDataRoom flag identifies affected orgs
DataRoomsMembers has no API/UICannot manage data room access via the productFuture spec needed for modern access control
Concurrent uploads to same pathNaming conflict for duplicate filenamesServer checks for existing names; appends suffix or rejects

9. Dependencies

DependencyTypeStatus
001-Authentication (user sessions)Required beforeDRAFT
002-Organization ManagementRequired beforeDRAFT
012-Team Members and Roles (permissions)Required beforeDRAFT
003-Cap Table (certificate generation)Integrates withDRAFT
023-File Storage (S3 infrastructure)Integrates withNOT STARTED
016-Google Drive IntegrationIntegrates withNOT STARTED