From d2b4ede76f0f5f4d8ecd1e411ed7e0dea4f8b161 Mon Sep 17 00:00:00 2001
From: Lex Studios <233934133+Lex-Studios@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:10:43 +0000
Subject: [PATCH 1/5] feat(#77): Generate OpenAPI spec for backend API

- Add swagger-jsdoc and swagger-ui-express dependencies
- Create swagger.js configuration with OpenAPI 3.0 spec
- Add JSDoc comments to auth, vaccination, and verify routes
- Serve Swagger UI at GET /docs endpoint
- Document all request/response schemas and error responses
---
 backend/package-lock.json         | 280 +++++++++++++++++++++++++++++-
 backend/package.json              |   2 +
 backend/src/app.js                |   5 +
 backend/src/routes/auth.js        |  86 +++++++++
 backend/src/routes/vaccination.js | 143 +++++++++++++++
 backend/src/routes/verify.js      |  46 +++++
 backend/src/swagger.js            |  70 ++++++++
 7 files changed, 623 insertions(+), 9 deletions(-)
 create mode 100644 backend/src/swagger.js

diff --git a/backend/package-lock.json b/backend/package-lock.json
index 2d4d3b1..10d87ec 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -15,6 +15,8 @@
         "express-rate-limit": "^7.2.0",
         "jsonwebtoken": "^9.0.2",
         "sql.js": "^1.12.0",
+        "swagger-jsdoc": "^6.2.8",
+        "swagger-ui-express": "^5.0.1",
         "winston": "^3.19.0",
         "zod": "^4.3.6"
       },
@@ -24,6 +26,68 @@
         "supertest": "^6.3.4"
       }
     },
+    "node_modules/@apidevtools/json-schema-ref-parser": {
+      "version": "9.1.2",
+      "resolved": "https://registry.npmjs.org/@apidevtools/json-schema-ref-parser/-/json-schema-ref-parser-9.1.2.tgz",
+      "integrity": "sha512-r1w81DpR+KyRWd3f+rk6TNqMgedmAxZP5v5KWlXQWlgMUUtyEJch0DKEci1SorPMiSeM8XPl7MZ3miJ60JIpQg==",
+      "license": "MIT",
+      "dependencies": {
+        "@jsdevtools/ono": "^7.1.3",
+        "@types/json-schema": "^7.0.6",
+        "call-me-maybe": "^1.0.1",
+        "js-yaml": "^4.1.0"
+      }
+    },
+    "node_modules/@apidevtools/json-schema-ref-parser/node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "license": "Python-2.0"
+    },
+    "node_modules/@apidevtools/json-schema-ref-parser/node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/@apidevtools/openapi-schemas": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@apidevtools/openapi-schemas/-/openapi-schemas-2.1.0.tgz",
+      "integrity": "sha512-Zc1AlqrJlX3SlpupFGpiLi2EbteyP7fXmUOGup6/DnkRgjP9bgMM/ag+n91rsv0U1Gpz0H3VILA/o3bW7Ua6BQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@apidevtools/swagger-methods": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@apidevtools/swagger-methods/-/swagger-methods-3.0.2.tgz",
+      "integrity": "sha512-QAkD5kK2b1WfjDS/UQn/qQkbwF31uqRjPTrsCs5ZG9BQGAkjwvqGFjjPqAuzac/IYzpPtRzjCP1WrTuAIjMrXg==",
+      "license": "MIT"
+    },
+    "node_modules/@apidevtools/swagger-parser": {
+      "version": "10.0.3",
+      "resolved": "https://registry.npmjs.org/@apidevtools/swagger-parser/-/swagger-parser-10.0.3.tgz",
+      "integrity": "sha512-sNiLY51vZOmSPFZA5TF35KZ2HbgYklQnTSDnkghamzLb3EkNtcQnrBQEj5AOCxHpTtXpqMCRM1CrmV2rG6nw4g==",
+      "license": "MIT",
+      "dependencies": {
+        "@apidevtools/json-schema-ref-parser": "^9.0.6",
+        "@apidevtools/openapi-schemas": "^2.0.4",
+        "@apidevtools/swagger-methods": "^3.0.2",
+        "@jsdevtools/ono": "^7.1.3",
+        "call-me-maybe": "^1.0.1",
+        "z-schema": "^5.0.1"
+      },
+      "peerDependencies": {
+        "openapi-types": ">=7"
+      }
+    },
     "node_modules/@babel/code-frame": {
       "version": "7.29.0",
       "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -959,6 +1023,12 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@jsdevtools/ono": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/@jsdevtools/ono/-/ono-7.1.3.tgz",
+      "integrity": "sha512-4JQNk+3mVzK3xh2rqd6RB4J46qUR19azEHBneZyTZM+c456qOrbbM/5xcR8huNCCcbVt7+UmizG6GuUvPvKUYg==",
+      "license": "MIT"
+    },
     "node_modules/@noble/hashes": {
       "version": "1.8.0",
       "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
@@ -982,6 +1052,13 @@
         "@noble/hashes": "^1.1.5"
       }
     },
+    "node_modules/@scarf/scarf": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/@scarf/scarf/-/scarf-1.4.0.tgz",
+      "integrity": "sha512-xxeapPiUXdZAE3che6f3xogoJPeZgig6omHEy1rIY5WVsB3H2BHNnZH+gHG6x91SCWyQCzWGsuL2Hh3ClO5/qQ==",
+      "hasInstallScript": true,
+      "license": "Apache-2.0"
+    },
     "node_modules/@sinclair/typebox": {
       "version": "0.27.10",
       "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.27.10.tgz",
@@ -1139,6 +1216,12 @@
         "@types/istanbul-lib-report": "*"
       }
     },
+    "node_modules/@types/json-schema": {
+      "version": "7.0.15",
+      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
+      "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
+      "license": "MIT"
+    },
     "node_modules/@types/node": {
       "version": "25.5.2",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.2.tgz",
@@ -1429,7 +1512,6 @@
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
       "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-      "dev": true,
       "license": "MIT"
     },
     "node_modules/bare-addon-resolve": {
@@ -1568,7 +1650,6 @@
       "version": "1.1.13",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
       "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
-      "dev": true,
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
@@ -1725,6 +1806,12 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/call-me-maybe": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-me-maybe/-/call-me-maybe-1.0.2.tgz",
+      "integrity": "sha512-HpX65o1Hnr9HH25ojC1YGs7HCQLq0GCOibSaWER0eNpgJ/Z1MZv2mTc7+xh6WOPxbRVcmgbv4hGU+uSQ/2xFZQ==",
+      "license": "MIT"
+    },
     "node_modules/callsites": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
@@ -1961,6 +2048,15 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/commander": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.0.tgz",
+      "integrity": "sha512-zP4jEKbe8SHzKJYQmq8Y9gYjtO/POJLgIdKgV7B9qNmABVFVc+ctqSX6iXh4mCpJfRBOabiZ2YKPg8ciDw6C+Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
     "node_modules/component-emitter": {
       "version": "1.3.1",
       "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.3.1.tgz",
@@ -1975,7 +2071,6 @@
       "version": "0.0.1",
       "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
       "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
-      "dev": true,
       "license": "MIT"
     },
     "node_modules/content-disposition": {
@@ -2192,6 +2287,18 @@
         "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
       }
     },
+    "node_modules/doctrine": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
+      "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "esutils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
     "node_modules/dotenv": {
       "version": "16.6.1",
       "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
@@ -2370,6 +2477,15 @@
         "node": ">=4"
       }
     },
+    "node_modules/esutils": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/etag": {
       "version": "1.8.1",
       "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
@@ -2669,7 +2785,6 @@
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
       "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
-      "dev": true,
       "license": "ISC"
     },
     "node_modules/fsevents": {
@@ -3002,7 +3117,6 @@
       "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
       "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
       "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
-      "dev": true,
       "license": "ISC",
       "dependencies": {
         "once": "^1.3.0",
@@ -4031,6 +4145,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/lodash.get": {
+      "version": "4.4.2",
+      "resolved": "https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz",
+      "integrity": "sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==",
+      "deprecated": "This package is deprecated. Use the optional chaining (?.) operator instead.",
+      "license": "MIT"
+    },
     "node_modules/lodash.includes": {
       "version": "4.3.0",
       "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz",
@@ -4043,6 +4164,13 @@
       "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==",
       "license": "MIT"
     },
+    "node_modules/lodash.isequal": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
+      "integrity": "sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==",
+      "deprecated": "This package is deprecated. Use require('node:util').isDeepStrictEqual instead.",
+      "license": "MIT"
+    },
     "node_modules/lodash.isinteger": {
       "version": "4.0.4",
       "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz",
@@ -4067,6 +4195,12 @@
       "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==",
       "license": "MIT"
     },
+    "node_modules/lodash.mergewith": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/lodash.mergewith/-/lodash.mergewith-4.6.2.tgz",
+      "integrity": "sha512-GK3g5RPZWTRSeLSpgP8Xhra+pnjBC56q9FZYe1d5RN3TJ35dbkGy3YqBSMbyCrlbi+CM9Z3Jk5yTL7RCsqboyQ==",
+      "license": "MIT"
+    },
     "node_modules/lodash.once": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz",
@@ -4249,7 +4383,6 @@
       "version": "3.1.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
       "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
-      "dev": true,
       "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
@@ -4483,7 +4616,6 @@
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
       "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "dev": true,
       "license": "ISC",
       "dependencies": {
         "wrappy": "1"
@@ -4514,6 +4646,13 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/openapi-types": {
+      "version": "12.1.3",
+      "resolved": "https://registry.npmjs.org/openapi-types/-/openapi-types-12.1.3.tgz",
+      "integrity": "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw==",
+      "license": "MIT",
+      "peer": true
+    },
     "node_modules/p-limit": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
@@ -4611,7 +4750,6 @@
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
       "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=0.10.0"
@@ -5491,6 +5629,83 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/swagger-jsdoc": {
+      "version": "6.2.8",
+      "resolved": "https://registry.npmjs.org/swagger-jsdoc/-/swagger-jsdoc-6.2.8.tgz",
+      "integrity": "sha512-VPvil1+JRpmJ55CgAtn8DIcpBs0bL5L3q5bVQvF4tAW/k/9JYSj7dCpaYCAv5rufe0vcCbBRQXGvzpkWjvLklQ==",
+      "license": "MIT",
+      "dependencies": {
+        "commander": "6.2.0",
+        "doctrine": "3.0.0",
+        "glob": "7.1.6",
+        "lodash.mergewith": "^4.6.2",
+        "swagger-parser": "^10.0.3",
+        "yaml": "2.0.0-1"
+      },
+      "bin": {
+        "swagger-jsdoc": "bin/swagger-jsdoc.js"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/swagger-jsdoc/node_modules/glob": {
+      "version": "7.1.6",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz",
+      "integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
+      "license": "ISC",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.0.4",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/swagger-parser": {
+      "version": "10.0.3",
+      "resolved": "https://registry.npmjs.org/swagger-parser/-/swagger-parser-10.0.3.tgz",
+      "integrity": "sha512-nF7oMeL4KypldrQhac8RyHerJeGPD1p2xDh900GPvc+Nk7nWP6jX2FcC7WmkinMoAmoO774+AFXcWsW8gMWEIg==",
+      "license": "MIT",
+      "dependencies": {
+        "@apidevtools/swagger-parser": "10.0.3"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/swagger-ui-dist": {
+      "version": "5.32.5",
+      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.5.tgz",
+      "integrity": "sha512-7/FQfWe9A4qoyYFdAwy0chD0uDYidDp/ZT9VQ9LZlgD4AnnHJk8/+ytAA1HkJYOPySmK6helPDdJQMlcumt7HA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@scarf/scarf": "=1.4.0"
+      }
+    },
+    "node_modules/swagger-ui-express": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/swagger-ui-express/-/swagger-ui-express-5.0.1.tgz",
+      "integrity": "sha512-SrNU3RiBGTLLmFU8GIJdOdanJTl4TOmT27tt3bWWHppqYmAZ6IDuEuBvMU6nZq0zLEe6b/1rACXCgLZqO6ZfrA==",
+      "license": "MIT",
+      "dependencies": {
+        "swagger-ui-dist": ">=5.0.0"
+      },
+      "engines": {
+        "node": ">= v0.10.32"
+      },
+      "peerDependencies": {
+        "express": ">=4.0.0 || >=5.0.0-beta"
+      }
+    },
     "node_modules/test-exclude": {
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-6.0.0.tgz",
@@ -5726,6 +5941,15 @@
         "node": ">=10.12.0"
       }
     },
+    "node_modules/validator": {
+      "version": "13.15.35",
+      "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.35.tgz",
+      "integrity": "sha512-TQ5pAGhd5whStmqWvYF4OjQROlmv9SMFVt37qoCBdqRffuuklWYQlCNnEs2ZaIBD1kZRNnikiZOS1eqgkar0iw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
     "node_modules/vary": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
@@ -5840,7 +6064,6 @@
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
       "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
-      "dev": true,
       "license": "ISC"
     },
     "node_modules/write-file-atomic": {
@@ -5874,6 +6097,15 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/yaml": {
+      "version": "2.0.0-1",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.0.0-1.tgz",
+      "integrity": "sha512-W7h5dEhywMKenDJh2iX/LABkbFnBxasD27oyXWDS/feDsxiw0dD5ncXdYXgkvAsXIY2MpW/ZKkr9IU30DBdMNQ==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
     "node_modules/yargs": {
       "version": "17.7.2",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
@@ -5916,6 +6148,36 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/z-schema": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/z-schema/-/z-schema-5.0.5.tgz",
+      "integrity": "sha512-D7eujBWkLa3p2sIpJA0d1pr7es+a7m0vFAnZLlCEKq/Ij2k0MLi9Br2UPxoxdYystm5K1yeBGzub0FlYUEWj2Q==",
+      "license": "MIT",
+      "dependencies": {
+        "lodash.get": "^4.4.2",
+        "lodash.isequal": "^4.5.0",
+        "validator": "^13.7.0"
+      },
+      "bin": {
+        "z-schema": "bin/z-schema"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      },
+      "optionalDependencies": {
+        "commander": "^9.4.1"
+      }
+    },
+    "node_modules/z-schema/node_modules/commander": {
+      "version": "9.5.0",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-9.5.0.tgz",
+      "integrity": "sha512-KRs7WVDKg86PWiuAqhDrAQnTXZKraVcCc6vFdL14qrZ/DcWwuRo7VoiYXalXO7S5GKpqYiVEwCbgFDfxNHKJBQ==",
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": "^12.20.0 || >=14"
+      }
+    },
     "node_modules/zod": {
       "version": "4.3.6",
       "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
diff --git a/backend/package.json b/backend/package.json
index 3ffeedd..c307a51 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -16,6 +16,8 @@
     "express-rate-limit": "^7.2.0",
     "jsonwebtoken": "^9.0.2",
     "sql.js": "^1.12.0",
+    "swagger-jsdoc": "^6.2.8",
+    "swagger-ui-express": "^5.0.1",
     "winston": "^3.19.0",
     "zod": "^4.3.6"
   },
diff --git a/backend/src/app.js b/backend/src/app.js
index 177cefd..03af2a2 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -2,9 +2,11 @@ require('dotenv').config();
 const config = require('./config');
 const express = require('express');
 const cors = require('cors');
+const swaggerUi = require('swagger-ui-express');
 const logger = require('./logger');
 const { initDb } = require('./indexer/db');
 const { startPoller, stopPoller } = require('./indexer/poller');
+const swaggerSpec = require('./swagger');
 
 const authRoutes = require('./routes/auth');
 const vaccinationRoutes = require('./routes/vaccination');
@@ -17,6 +19,9 @@ const app = express();
 app.use(cors());
 app.use(express.json({ limit: config.BODY_LIMIT }));
 
+// Swagger UI
+app.use('/docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec));
+
 // Request logging middleware
 app.use((req, _res, next) => {
   logger.info('request', { method: req.method, path: req.path });
diff --git a/backend/src/routes/auth.js b/backend/src/routes/auth.js
index 1a65ee2..abe3cdf 100644
--- a/backend/src/routes/auth.js
+++ b/backend/src/routes/auth.js
@@ -25,6 +25,46 @@ const verifySchema = z.object({
   nonce: z.string().min(1, 'nonce is required'),
 });
 
+/**
+ * @swagger
+ * /auth/sep10:
+ *   post:
+ *     summary: Generate SEP-10 challenge transaction
+ *     tags:
+ *       - Authentication
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               public_key:
+ *                 type: string
+ *                 description: Stellar public key
+ *             required:
+ *               - public_key
+ *     responses:
+ *       200:
+ *         description: Challenge transaction generated
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 transaction:
+ *                   type: string
+ *                 nonce:
+ *                   type: string
+ *       400:
+ *         description: Invalid public key
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ *       429:
+ *         description: Rate limit exceeded
+ */
 // POST /auth/sep10 — generate challenge
 router.post('/sep10', sep10Limiter, validate(sep10Schema), async (req, res) => {
   const { public_key } = req.body;
@@ -37,6 +77,52 @@ router.post('/sep10', sep10Limiter, validate(sep10Schema), async (req, res) => {
   }
 });
 
+/**
+ * @swagger
+ * /auth/verify:
+ *   post:
+ *     summary: Verify signed SEP-10 challenge and issue JWT
+ *     tags:
+ *       - Authentication
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               transaction:
+ *                 type: string
+ *                 description: Signed challenge transaction
+ *               nonce:
+ *                 type: string
+ *                 description: Nonce from challenge
+ *             required:
+ *               - transaction
+ *               - nonce
+ *     responses:
+ *       200:
+ *         description: JWT issued successfully
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 token:
+ *                   type: string
+ *                   description: JWT token
+ *                 publicKey:
+ *                   type: string
+ *                 role:
+ *                   type: string
+ *                   enum: [patient, issuer]
+ *       401:
+ *         description: Invalid signature or nonce
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ */
 // POST /auth/verify — verify signed challenge, issue JWT
 router.post('/verify', validate(verifySchema), (req, res) => {
   const { transaction, nonce } = req.body;
diff --git a/backend/src/routes/vaccination.js b/backend/src/routes/vaccination.js
index bc674ed..f1c5423 100644
--- a/backend/src/routes/vaccination.js
+++ b/backend/src/routes/vaccination.js
@@ -29,6 +29,64 @@ const revokeSchema = z.object({
   token_id: z.union([z.string(), z.number()]).transform((val) => String(val)),
 });
 
+/**
+ * @swagger
+ * /vaccination/issue:
+ *   post:
+ *     summary: Issue a vaccination NFT (issuer only)
+ *     tags:
+ *       - Vaccination
+ *     security:
+ *       - bearerAuth: []
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               patient_address:
+ *                 type: string
+ *                 description: Stellar address of patient
+ *               vaccine_name:
+ *                 type: string
+ *               date_administered:
+ *                 type: string
+ *                 format: date-time
+ *             required:
+ *               - patient_address
+ *               - vaccine_name
+ *               - date_administered
+ *     responses:
+ *       200:
+ *         description: Vaccination NFT issued successfully
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 success:
+ *                   type: boolean
+ *                 tokenId:
+ *                   type: string
+ *                 transactionHash:
+ *                   type: string
+ *                 ledger:
+ *                   type: number
+ *                 timestamp:
+ *                   type: string
+ *                   format: date-time
+ *       401:
+ *         description: Unauthorized
+ *       403:
+ *         description: Forbidden - issuer role required
+ *       500:
+ *         description: Contract invocation failed
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ */
 // POST /vaccination/issue — mint NFT (issuer only)
 router.post(
   '/issue',
@@ -77,6 +135,50 @@ router.post(
   }
 });
 
+/**
+ * @swagger
+ * /vaccination/revoke:
+ *   post:
+ *     summary: Revoke a vaccination record (issuer only)
+ *     tags:
+ *       - Vaccination
+ *     security:
+ *       - bearerAuth: []
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             properties:
+ *               token_id:
+ *                 type: string
+ *                 description: Token ID to revoke
+ *             required:
+ *               - token_id
+ *     responses:
+ *       200:
+ *         description: Vaccination record revoked
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 success:
+ *                   type: boolean
+ *                 token_id:
+ *                   type: string
+ *       401:
+ *         description: Unauthorized
+ *       403:
+ *         description: Forbidden - issuer role required
+ *       500:
+ *         description: Contract invocation failed
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ */
 // POST /vaccination/revoke — revoke a vaccination record (issuer or admin only)
 router.post(
   '/revoke',
@@ -116,6 +218,47 @@ router.post(
   }
 );
 
+/**
+ * @swagger
+ * /vaccination/{wallet}:
+ *   get:
+ *     summary: Fetch all vaccination records for a wallet
+ *     tags:
+ *       - Vaccination
+ *     security:
+ *       - bearerAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: wallet
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Stellar wallet address
+ *     responses:
+ *       200:
+ *         description: Vaccination records retrieved
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 wallet:
+ *                   type: string
+ *                 vaccinated:
+ *                   type: boolean
+ *                 records:
+ *                   type: array
+ *                   items:
+ *                     $ref: '#/components/schemas/VaccinationRecord'
+ *       401:
+ *         description: Unauthorized
+ *       500:
+ *         description: Contract query failed
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ */
 // GET /vaccination/:wallet — fetch all records for a wallet
 router.get('/:wallet', authMiddleware, validateStellarPublicKey('params', 'wallet', 'wallet'), async (req, res) => {
   const { wallet } = req.params;
diff --git a/backend/src/routes/verify.js b/backend/src/routes/verify.js
index 531f58d..346541a 100644
--- a/backend/src/routes/verify.js
+++ b/backend/src/routes/verify.js
@@ -29,6 +29,52 @@ function adaptiveLimiter(req, res, next) {
   return verifyLimiter(req, res, next);
 }
 
+/**
+ * @swagger
+ * /verify/{wallet}:
+ *   get:
+ *     summary: Public vaccination status verification
+ *     tags:
+ *       - Verification
+ *     security:
+ *       - bearerAuth: []
+ *       - apiKeyAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: wallet
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Stellar wallet address to verify
+ *     responses:
+ *       200:
+ *         description: Vaccination status retrieved
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 wallet:
+ *                   type: string
+ *                 vaccinated:
+ *                   type: boolean
+ *                 record_count:
+ *                   type: number
+ *                 records:
+ *                   type: array
+ *                   items:
+ *                     $ref: '#/components/schemas/VaccinationRecord'
+ *       401:
+ *         description: Unauthorized - JWT or API key required
+ *       429:
+ *         description: Rate limit exceeded
+ *       500:
+ *         description: Contract query failed
+ *         content:
+ *           application/json:
+ *             schema:
+ *               $ref: '#/components/schemas/Error'
+ */
 // GET /verify/:wallet — JWT or verifier API key
 router.get(
   '/:wallet',
diff --git a/backend/src/swagger.js b/backend/src/swagger.js
new file mode 100644
index 0000000..3237ddb
--- /dev/null
+++ b/backend/src/swagger.js
@@ -0,0 +1,70 @@
+const swaggerJsdoc = require('swagger-jsdoc');
+
+const options = {
+  definition: {
+    openapi: '3.0.0',
+    info: {
+      title: 'VacciChain Backend API',
+      version: '1.0.0',
+      description: 'Blockchain-based vaccination records on Stellar — soulbound, verifiable, tamper-proof.',
+    },
+    servers: [
+      {
+        url: 'http://localhost:4000',
+        description: 'Development server',
+      },
+      {
+        url: 'http://backend:4000',
+        description: 'Docker server',
+      },
+    ],
+    components: {
+      securitySchemes: {
+        bearerAuth: {
+          type: 'http',
+          scheme: 'bearer',
+          bearerFormat: 'JWT',
+        },
+        apiKeyAuth: {
+          type: 'apiKey',
+          in: 'header',
+          name: 'X-API-Key',
+        },
+      },
+      schemas: {
+        Error: {
+          type: 'object',
+          properties: {
+            error: {
+              type: 'string',
+            },
+          },
+        },
+        VaccinationRecord: {
+          type: 'object',
+          properties: {
+            vaccine_name: {
+              type: 'string',
+            },
+            date_administered: {
+              type: 'string',
+              format: 'date-time',
+            },
+            issuer: {
+              type: 'string',
+            },
+            timestamp: {
+              type: 'string',
+              format: 'date-time',
+            },
+          },
+        },
+      },
+    },
+  },
+  apis: ['./src/routes/*.js'],
+};
+
+const specs = swaggerJsdoc(options);
+
+module.exports = specs;

From affff9262eaba01e47dbe04daf323970cbae8de5 Mon Sep 17 00:00:00 2001
From: Lex Studios <233934133+Lex-Studios@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:25:07 +0000
Subject: [PATCH 2/5] feat(#79): Create contributor onboarding guide

- Expand CONTRIBUTING.md with local setup, branching strategy, PR process, and commit conventions
- Add PR template at .github/pull_request_template.md
- Add bug report issue template
- Document Conventional Commits format with examples
- Include code of conduct expectations in CONTRIBUTING.md
---
 .github/ISSUE_TEMPLATE/bug_report.md |  56 +++++++
 .github/pull_request_template.md     |  48 ++++++
 CONTRIBUTING.md                      | 226 ++++++++++++++++++++++++++-
 3 files changed, 322 insertions(+), 8 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..d39b06c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,56 @@
+---
+name: Bug Report
+about: Report a bug to help us improve
+title: "[BUG] "
+labels: bug
+assignees: ''
+
+---
+
+## Description
+
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+
+Steps to reproduce the behavior:
+
+1. 
+2. 
+3. 
+
+## Expected Behavior
+
+A clear and concise description of what you expected to happen.
+
+## Actual Behavior
+
+A clear and concise description of what actually happened.
+
+## Environment
+
+- **OS**: (e.g., macOS, Linux, Windows)
+- **Node.js version**: (if applicable)
+- **Python version**: (if applicable)
+- **Rust version**: (if applicable)
+- **Docker version**: (if applicable)
+
+## Screenshots
+
+If applicable, add screenshots to help explain your problem.
+
+## Logs
+
+If applicable, paste relevant error logs or stack traces:
+
+```
+[paste logs here]
+```
+
+## Additional Context
+
+Add any other context about the problem here.
+
+## Possible Solution
+
+If you have a suggestion for how to fix this, please describe it here.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..92337c5
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,48 @@
+## Description
+
+Please include a summary of the changes and related context.
+
+Closes #(issue number)
+
+## Type of Change
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation update
+
+## Changes Made
+
+- 
+- 
+- 
+
+## Testing
+
+Please describe the tests you ran and how to reproduce them:
+
+- [ ] Unit tests pass
+- [ ] Integration tests pass
+- [ ] Manual testing completed
+
+**Test Coverage:**
+- 
+
+## Checklist
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests passed locally with my changes
+- [ ] Any dependent changes have been merged and published
+
+## Screenshots (if applicable)
+
+If your changes include UI modifications, please add screenshots here.
+
+## Additional Notes
+
+Any additional information that reviewers should know.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 60fc161..b14c9b9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,6 +4,224 @@
 
 Thank you for your interest in contributing to VacciChain! This document provides guidelines and instructions for contributing to our project.
 
+## Table of Contents
+
+- [Local Setup](#local-setup)
+- [Branching Strategy](#branching-strategy)
+- [Pull Request Process](#pull-request-process)
+- [Commit Conventions](#commit-conventions)
+- [Code of Conduct](#code-of-conduct)
+- [Docker Base Image Pinning](#docker-base-image-pinning)
+
+## Local Setup
+
+### Prerequisites
+
+- Node.js 18+
+- Python 3.11+
+- Rust + `wasm32-unknown-unknown` target
+- Soroban CLI
+- Docker + Docker Compose
+- Freighter Wallet (for testing)
+
+### Installation Steps
+
+1. **Clone the repository**
+   ```bash
+   git clone https://github.com/dev-fatima-24/VacciChain.git
+   cd VacciChain
+   ```
+
+2. **Copy environment configuration**
+   ```bash
+   cp .env.example .env
+   # Fill in your Stellar keys and contract IDs
+   ```
+
+3. **Install backend dependencies**
+   ```bash
+   cd backend
+   npm install
+   cd ..
+   ```
+
+4. **Install frontend dependencies**
+   ```bash
+   cd frontend
+   npm install
+   cd ..
+   ```
+
+5. **Install Python service dependencies**
+   ```bash
+   cd python-service
+   pip install -r requirements.txt
+   cd ..
+   ```
+
+6. **Deploy smart contract (if needed)**
+   ```bash
+   cd contracts
+   make build
+   make deploy
+   cd ..
+   ```
+
+7. **Run locally**
+   ```bash
+   # Terminal 1: Backend
+   cd backend && npm run dev
+
+   # Terminal 2: Frontend
+   cd frontend && npm run dev
+
+   # Terminal 3: Python service
+   cd python-service && uvicorn main:app --port 8001
+   ```
+
+   Or use Docker Compose:
+   ```bash
+   docker compose up --build
+   ```
+
+## Branching Strategy
+
+We follow a **feature branch** workflow:
+
+- **main**: Production-ready code. Protected branch, requires PR review.
+- **Feature branches**: `feature/<description>` or `issues/<issue-numbers>`
+  - Example: `feature/openapi-spec` or `issues/77-79-82-84`
+  - Branch from `main`
+  - Prefix with issue numbers if addressing GitHub issues
+
+### Creating a Branch
+
+```bash
+git checkout main
+git pull origin main
+git checkout -b issues/77-79-82-84
+```
+
+## Pull Request Process
+
+### Before Submitting
+
+1. **Ensure tests pass**
+   ```bash
+   # Backend
+   cd backend && npm test
+
+   # Contracts
+   cd contracts && cargo test
+
+   # Python service
+   cd python-service && pytest
+   ```
+
+2. **Run linters** (if configured)
+   ```bash
+   cd backend && npm run lint  # if available
+   ```
+
+3. **Update documentation** if your changes affect user-facing features
+
+4. **Commit your changes** using [Conventional Commits](#commit-conventions)
+
+### Submitting a PR
+
+1. **Push your branch**
+   ```bash
+   git push -u origin issues/77-79-82-84
+   ```
+
+2. **Create a pull request** on GitHub
+   - Use the PR template (auto-populated from `.github/pull_request_template.md`)
+   - Link related issues: `Closes #77, #79, #82, #84`
+   - Provide a clear description of changes
+   - Include testing notes
+
+3. **Address review feedback**
+   - Make requested changes
+   - Push updates to the same branch
+   - Respond to comments
+
+4. **Merge** once approved
+   - Use "Squash and merge" for single-commit PRs
+   - Use "Create a merge commit" for multi-commit PRs with logical separation
+
+## Commit Conventions
+
+We follow **Conventional Commits** for clear, semantic commit messages.
+
+### Format
+
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+### Types
+
+- **feat**: A new feature
+- **fix**: A bug fix
+- **docs**: Documentation changes
+- **style**: Code style changes (formatting, missing semicolons, etc.)
+- **refactor**: Code refactoring without feature changes
+- **perf**: Performance improvements
+- **test**: Adding or updating tests
+- **chore**: Build, dependency, or tooling changes
+
+### Scope
+
+Optional. Indicates the area affected:
+- `backend`, `frontend`, `contracts`, `python-service`
+- `auth`, `vaccination`, `verify`, `analytics`
+- `#77`, `#79` (issue numbers)
+
+### Examples
+
+```bash
+git commit -m "feat(backend): add OpenAPI spec generation"
+git commit -m "fix(#77): resolve swagger endpoint routing"
+git commit -m "docs(#79): add contributor onboarding guide"
+git commit -m "test(contracts): add mint_vaccination tests"
+git commit -m "chore: update dependencies"
+```
+
+## Code of Conduct
+
+### Our Pledge
+
+We are committed to providing a welcoming and inspiring community for all. We pledge to:
+
+- Be respectful and inclusive
+- Welcome diverse perspectives and experiences
+- Focus on constructive feedback
+- Respect confidentiality and privacy
+
+### Expected Behavior
+
+- Use welcoming and inclusive language
+- Be respectful of differing opinions and experiences
+- Accept constructive criticism gracefully
+- Focus on what is best for the community
+- Show empathy towards other community members
+
+### Unacceptable Behavior
+
+- Harassment, discrimination, or intimidation
+- Offensive comments related to personal characteristics
+- Deliberate intimidation or threats
+- Unwelcome sexual attention or advances
+- Trolling, insulting, or derogatory comments
+
+### Reporting Issues
+
+If you witness or experience unacceptable behavior, please report it to the maintainers at [contact email]. All reports will be reviewed and investigated.
+
 ## Docker Base Image Pinning
 
 ### Why We Pin Docker Images
@@ -100,14 +318,6 @@ If you need to manually update a base image version:
 **Problem**: Renovate is not creating PRs
 - **Solution**: Check `renovate.json` configuration and ensure Renovate app is installed on the repository
 
-## General Contributing Guidelines
-
-- Follow the existing code style and conventions
-- Write clear commit messages
-- Test your changes before submitting a PR
-- Update tests and documentation as needed
-- Be respectful and inclusive in all interactions
-
 ## Questions?
 
 If you have questions about contributing, please open an issue or reach out to the maintainers.

From 6fd6bac0faa572178cac00b1b6f12164fc4f0f14 Mon Sep 17 00:00:00 2001
From: Lex Studios <233934133+Lex-Studios@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:25:38 +0000
Subject: [PATCH 3/5] feat(#82): Create mainnet launch checklist

- Add comprehensive mainnet launch checklist at docs/mainnet-launch.md
- Cover security audit, admin key ceremony, environment configuration
- Include deployment, testing, and launch day procedures
- Define go/no-go criteria for each phase
- Include rollback plan and sign-off section
- Document responsible owners for each checklist item
---
 docs/mainnet-launch.md | 266 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 266 insertions(+)
 create mode 100644 docs/mainnet-launch.md

diff --git a/docs/mainnet-launch.md b/docs/mainnet-launch.md
new file mode 100644
index 0000000..ac68260
--- /dev/null
+++ b/docs/mainnet-launch.md
@@ -0,0 +1,266 @@
+# Mainnet Launch Checklist
+
+This document provides a comprehensive checklist for graduating VacciChain from Stellar Testnet to Mainnet. A missed step could result in lost records or funds.
+
+**Last Updated**: April 28, 2026  
+**Status**: Ready for Review
+
+---
+
+## Pre-Launch Phase (2-4 weeks before)
+
+### 1. Security Audit
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Contract code review by external auditor | Security Lead | ⬜ | Engage third-party auditor; allow 2-3 weeks |
+| Audit report remediation | Dev Lead | ⬜ | Address all critical and high findings |
+| Audit sign-off | Security Lead | ⬜ | Obtain written approval from auditor |
+| Internal security review | Tech Lead | ⬜ | Review auth, key management, rate limiting |
+| Dependency vulnerability scan | DevOps | ⬜ | Run `npm audit`, `cargo audit`, `pip audit` |
+| Penetration testing (optional) | Security Lead | ⬜ | Consider for high-value deployments |
+
+**Go/No-Go Criteria**: All critical findings resolved; audit report approved.
+
+---
+
+### 2. Admin Key Ceremony
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Generate mainnet admin keypair | Security Lead | ⬜ | Use hardware wallet or secure key generation |
+| Backup admin secret key (encrypted) | Security Lead | ⬜ | Store in secure vault (e.g., HashiCorp Vault) |
+| Backup admin public key | Security Lead | ⬜ | Store in version control (non-sensitive) |
+| Generate issuer keypair | Security Lead | ⬜ | Separate from admin key |
+| Backup issuer secret key (encrypted) | Security Lead | ⬜ | Store in secure vault |
+| Generate SEP-10 server keypair | Security Lead | ⬜ | For challenge signing |
+| Backup SEP-10 secret key (encrypted) | Security Lead | ⬜ | Store in secure vault |
+| Document key rotation schedule | Security Lead | ⬜ | Plan for quarterly rotation |
+| Distribute keys to authorized personnel | Security Lead | ⬜ | Use secure channels (e.g., encrypted email, in-person) |
+
+**Go/No-Go Criteria**: All keys generated, backed up, and securely distributed. No keys stored in plaintext.
+
+---
+
+### 3. Environment Configuration
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Create mainnet `.env` file | DevOps | ⬜ | Use mainnet Horizon and Soroban RPC URLs |
+| Set `STELLAR_NETWORK=mainnet` | DevOps | ⬜ | Verify network passphrase matches Stellar mainnet |
+| Set `HORIZON_URL` to mainnet endpoint | DevOps | ⬜ | Use official Stellar Horizon: https://horizon.stellar.org |
+| Set `SOROBAN_RPC_URL` to mainnet endpoint | DevOps | ⬜ | Use official Soroban RPC endpoint |
+| Set `STELLAR_NETWORK_PASSPHRASE` | DevOps | ⬜ | Must be: `Public Global Stellar Network ; September 2015` |
+| Set admin and issuer keys in `.env` | DevOps | ⬜ | Use keys from key ceremony |
+| Set JWT_SECRET to strong random value | DevOps | ⬜ | Min 32 characters; rotate before launch |
+| Configure rate limits for production | DevOps | ⬜ | Adjust based on expected traffic |
+| Set up audit logging | DevOps | ⬜ | Configure `AUDIT_LOG_PATH` to persistent storage |
+| Verify all required env vars are set | DevOps | ⬜ | Run backend startup check |
+
+**Go/No-Go Criteria**: All environment variables configured; backend starts without errors.
+
+---
+
+## Deployment Phase (1 week before)
+
+### 4. Smart Contract Deployment
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Deploy contract to mainnet | Dev Lead | ⬜ | Use `make deploy` with mainnet config |
+| Record contract ID | Dev Lead | ⬜ | Store in version control and `.env` |
+| Verify contract on Stellar Expert | Dev Lead | ⬜ | Check https://stellar.expert/explorer/public |
+| Test contract functions on mainnet | QA Lead | ⬜ | Call mint, verify, revoke with test data |
+| Verify issuer allowlist is empty | Dev Lead | ⬜ | No issuers should be pre-authorized |
+| Add initial issuer (if applicable) | Dev Lead | ⬜ | Call `add_issuer` with authorized healthcare provider |
+| Document contract address | Dev Lead | ⬜ | Share with all teams |
+
+**Go/No-Go Criteria**: Contract deployed; all functions callable; issuer allowlist configured.
+
+---
+
+### 5. Backend Deployment
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Build backend Docker image | DevOps | ⬜ | Tag with version (e.g., `v1.0.0-mainnet`) |
+| Push image to container registry | DevOps | ⬜ | Use private registry or Docker Hub |
+| Deploy to production infrastructure | DevOps | ⬜ | Use Kubernetes, ECS, or similar |
+| Verify backend health endpoint | DevOps | ⬜ | `GET /health` should return `{"status":"ok"}` |
+| Verify Swagger UI is accessible | QA Lead | ⬜ | `GET /docs` should load OpenAPI spec |
+| Test SEP-10 auth flow | QA Lead | ⬜ | Generate challenge, sign, verify JWT |
+| Test vaccination issue endpoint | QA Lead | ⬜ | Issue test vaccination record |
+| Test verification endpoint | QA Lead | ⬜ | Verify test wallet status |
+| Monitor backend logs for errors | DevOps | ⬜ | Check for startup errors, connection issues |
+
+**Go/No-Go Criteria**: Backend running; all endpoints responding; no error logs.
+
+---
+
+### 6. Frontend Deployment
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Build frontend with mainnet config | DevOps | ⬜ | Set backend URL to mainnet endpoint |
+| Deploy frontend to CDN or web server | DevOps | ⬜ | Use HTTPS only |
+| Verify frontend loads | QA Lead | ⬜ | Check landing page, no console errors |
+| Test Freighter wallet connection | QA Lead | ⬜ | Connect with mainnet wallet |
+| Test patient dashboard | QA Lead | ⬜ | View vaccination records |
+| Test issuer dashboard | QA Lead | ⬜ | Issue test vaccination record |
+| Test verification page | QA Lead | ⬜ | Verify test wallet |
+| Verify SSL certificate is valid | DevOps | ⬜ | Check certificate expiration |
+
+**Go/No-Go Criteria**: Frontend loads; all pages functional; no security warnings.
+
+---
+
+### 7. Analytics Service Deployment
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Deploy Python analytics service | DevOps | ⬜ | Use mainnet backend URL |
+| Verify analytics endpoints respond | QA Lead | ⬜ | Test `/analytics/rates`, `/analytics/issuers` |
+| Test batch verification endpoint | QA Lead | ⬜ | Verify multiple wallets |
+| Monitor analytics logs | DevOps | ⬜ | Check for connection errors |
+
+**Go/No-Go Criteria**: Analytics service running; endpoints responding.
+
+---
+
+## Testing Phase (3-5 days before)
+
+### 8. Smoke Tests
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| End-to-end patient flow | QA Lead | ⬜ | Connect wallet → view records → export |
+| End-to-end issuer flow | QA Lead | ⬜ | Issue vaccination → verify on-chain |
+| End-to-end verifier flow | QA Lead | ⬜ | Verify wallet status via public endpoint |
+| Test with real mainnet wallet | QA Lead | ⬜ | Use funded testnet wallet (if available) |
+| Verify audit logs are being written | QA Lead | ⬜ | Check audit log file for entries |
+| Test rate limiting | QA Lead | ⬜ | Verify rate limits are enforced |
+| Test error handling | QA Lead | ⬜ | Trigger errors; verify graceful responses |
+| Load test (optional) | QA Lead | ⬜ | Simulate expected traffic volume |
+
+**Go/No-Go Criteria**: All smoke tests pass; no critical errors; performance acceptable.
+
+---
+
+### 9. Security Verification
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Verify HTTPS is enforced | Security Lead | ⬜ | All endpoints should redirect HTTP to HTTPS |
+| Verify JWT tokens are short-lived | Security Lead | ⬜ | Tokens should expire in 1 hour |
+| Verify API keys are not logged | Security Lead | ⬜ | Check logs for sensitive data |
+| Verify CORS is properly configured | Security Lead | ⬜ | Only allow trusted origins |
+| Verify rate limits are active | Security Lead | ⬜ | Test with excessive requests |
+| Verify contract is immutable | Security Lead | ⬜ | Confirm no upgrade path exists |
+| Verify soulbound enforcement | Security Lead | ⬜ | Attempt transfer; should fail |
+
+**Go/No-Go Criteria**: All security checks pass; no vulnerabilities found.
+
+---
+
+## Launch Day
+
+### 10. Final Checks (2 hours before launch)
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Verify all systems are running | DevOps | ⬜ | Backend, frontend, analytics, contract |
+| Check monitoring and alerting | DevOps | ⬜ | Ensure alerts are configured |
+| Verify backup systems are in place | DevOps | ⬜ | Database backups, key backups |
+| Notify stakeholders | Product Lead | ⬜ | Send launch notification to team |
+| Prepare rollback plan | DevOps | ⬜ | Document rollback steps |
+| Have incident response team on standby | DevOps | ⬜ | Team available for 24 hours post-launch |
+
+**Go/No-Go Criteria**: All systems operational; team ready; rollback plan documented.
+
+---
+
+### 11. Launch Execution
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Announce mainnet launch | Product Lead | ⬜ | Update website, social media, docs |
+| Monitor system health for 1 hour | DevOps | ⬜ | Watch logs, metrics, error rates |
+| Monitor system health for 24 hours | DevOps | ⬜ | Continue monitoring; be ready to rollback |
+| Collect user feedback | Product Lead | ⬜ | Monitor support channels |
+| Document any issues | DevOps | ⬜ | Create issues for post-launch improvements |
+
+**Go/No-Go Criteria**: No critical errors; system stable; users able to transact.
+
+---
+
+## Post-Launch (1-2 weeks after)
+
+### 12. Stabilization
+
+| Item | Owner | Status | Notes |
+|------|-------|--------|-------|
+| Monitor system performance | DevOps | ⬜ | Track latency, error rates, throughput |
+| Review audit logs for anomalies | Security Lead | ⬜ | Look for suspicious activity |
+| Collect metrics on vaccination issuance | Analytics Lead | ⬜ | Track adoption, usage patterns |
+| Address any reported bugs | Dev Lead | ⬜ | Prioritize critical issues |
+| Publish post-launch report | Product Lead | ⬜ | Document launch results, lessons learned |
+
+**Go/No-Go Criteria**: System stable; no critical issues; metrics healthy.
+
+---
+
+## Rollback Plan
+
+If critical issues are discovered, follow this rollback procedure:
+
+### Immediate Actions (within 15 minutes)
+
+1. **Notify all stakeholders** — Send alert to team, leadership, users
+2. **Stop accepting new transactions** — Disable issue/revoke endpoints
+3. **Assess severity** — Determine if rollback is necessary
+4. **Prepare rollback** — Have DevOps team ready to execute
+
+### Rollback Execution (if needed)
+
+1. **Revert frontend** — Deploy previous stable version
+2. **Revert backend** — Deploy previous stable version
+3. **Verify contract state** — Ensure no corrupted data
+4. **Communicate status** — Update users on rollback progress
+5. **Post-mortem** — Document root cause and prevention measures
+
+### Rollback Criteria
+
+- Data corruption detected
+- Security vulnerability exploited
+- System unavailable for >30 minutes
+- Loss of funds or records
+
+---
+
+## Sign-Off
+
+This checklist must be reviewed and approved by at least two contributors before mainnet launch.
+
+### Reviewer 1
+
+- **Name**: ___________________
+- **Role**: ___________________
+- **Date**: ___________________
+- **Signature**: ___________________
+
+### Reviewer 2
+
+- **Name**: ___________________
+- **Role**: ___________________
+- **Date**: ___________________
+- **Signature**: ___________________
+
+---
+
+## References
+
+- [Stellar Documentation](https://developers.stellar.org/)
+- [Soroban Smart Contracts](https://soroban.stellar.org/)
+- [VacciChain Architecture](../README.md)
+- [Security Threat Model](./security/threat-model.md)
+- [Configuration Guide](./configuration.md)

From 0b1165ec4002d6b8034331649ff81cb5e24b400b Mon Sep 17 00:00:00 2001
From: Lex Studios <233934133+Lex-Studios@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:26:25 +0000
Subject: [PATCH 4/5] feat(#84): Write patient and issuer user guides

- Create docs/user-guide-patient.md with step-by-step instructions
  - Getting started with Freighter wallet
  - Connecting to VacciChain
  - Viewing and exporting vaccination records
  - Sharing vaccination status
  - Troubleshooting and FAQs

- Create docs/user-guide-issuer.md with issuer workflows
  - Authorization status and verification
  - Issuing vaccination records
  - Managing and revoking records
  - Best practices for data quality and security
  - Compliance and audit trails

- Include screenshots references and security tips
- Add troubleshooting sections for common issues
---
 docs/user-guide-issuer.md  | 368 +++++++++++++++++++++++++++++++++++++
 docs/user-guide-patient.md | 273 +++++++++++++++++++++++++++
 2 files changed, 641 insertions(+)
 create mode 100644 docs/user-guide-issuer.md
 create mode 100644 docs/user-guide-patient.md

diff --git a/docs/user-guide-issuer.md b/docs/user-guide-issuer.md
new file mode 100644
index 0000000..0df7949
--- /dev/null
+++ b/docs/user-guide-issuer.md
@@ -0,0 +1,368 @@
+# Issuer User Guide
+
+Welcome to VacciChain! This guide will help you issue and manage vaccination records as an authorized healthcare provider.
+
+## Table of Contents
+
+- [Getting Started](#getting-started)
+- [Authorization Status](#authorization-status)
+- [Issuing Records](#issuing-records)
+- [Managing Records](#managing-records)
+- [Revoking Records](#revoking-records)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Getting Started
+
+As an authorized healthcare provider, you can issue **soulbound vaccination NFTs** directly to patient wallets on the Stellar blockchain.
+
+### What You'll Need
+
+1. **Freighter Wallet** — A browser extension for managing Stellar assets
+   - Download from [freighter.app](https://www.freighter.app/)
+   - Available for Chrome, Firefox, Edge, and Brave
+
+2. **Authorization** — Your wallet must be authorized by VacciChain administrators
+   - Contact your VacciChain administrator to request authorization
+   - Provide your Stellar public key
+
+3. **Internet Connection** — To access the VacciChain application
+
+### Key Concepts
+
+- **Soulbound Tokens** — Records cannot be transferred; they stay with the patient
+- **Immutable Records** — Once issued, records cannot be modified (only revoked)
+- **On-Chain Verification** — Anyone can verify records instantly on the blockchain
+- **Audit Trail** — All issuances are logged for compliance
+
+---
+
+## Authorization Status
+
+### Checking Your Authorization
+
+1. Visit the VacciChain application
+2. Click "Connect Wallet" on the landing page
+3. Approve the connection in Freighter
+4. You'll be redirected to the Issuer Dashboard
+
+### If You See "Not Authorized"
+
+If you see a message saying you're not authorized:
+
+1. **Verify your wallet address** — Ensure you're using the correct wallet
+2. **Contact your administrator** — Request authorization with your public key
+3. **Wait for confirmation** — Authorization may take a few minutes to propagate
+4. **Refresh the page** — Try again after a few moments
+
+### Understanding Your Role
+
+As an issuer, you have:
+
+- ✅ **Issue Records** — Create vaccination NFTs for patients
+- ✅ **Revoke Records** — Remove records if needed (e.g., data correction)
+- ✅ **View History** — See all records you've issued
+- ❌ **Modify Records** — Cannot change issued records (must revoke and re-issue)
+- ❌ **Access Patient Data** — Cannot see other patients' records
+
+**Screenshot**: Issuer dashboard showing authorization status
+
+---
+
+## Issuing Records
+
+### Step 1: Access the Issue Form
+
+1. On the Issuer Dashboard, click "Issue Vaccination Record"
+2. You'll see a form with the following fields:
+   - Patient Wallet Address
+   - Vaccine Name
+   - Date Administered
+
+### Step 2: Enter Patient Information
+
+**Patient Wallet Address**
+
+- Ask the patient for their Stellar public key
+- It starts with `G` and is 56 characters long
+- Example: `GBRPYHIL2CI3WHZDTOOQFC6EB4KJJGUJGU7WYLBTK2DYHUYXO5IHXF7`
+- Verify the address is correct before proceeding
+
+**Vaccine Name**
+
+- Enter the vaccine type (e.g., "COVID-19 (Pfizer-BioNTech)")
+- Include the manufacturer if applicable
+- Be consistent with naming across records
+
+**Date Administered**
+
+- Select the date the vaccine was given
+- Use the calendar picker or type the date
+- Format: YYYY-MM-DD
+
+### Step 3: Review and Confirm
+
+1. Review all information for accuracy
+2. Click "Preview" to see how the record will appear
+3. Click "Issue Record" to submit
+
+### Step 4: Confirm in Freighter
+
+1. Freighter will prompt you to approve the transaction
+2. Review the transaction details
+3. Click "Approve" to confirm
+4. Wait for the transaction to complete (usually 5-10 seconds)
+
+### Step 5: Confirmation
+
+You'll see a success message with:
+
+- **Token ID** — Unique blockchain identifier
+- **Transaction Hash** — Link to view on Stellar Expert
+- **Timestamp** — When the record was issued
+
+**Screenshot**: Issue vaccination record form
+
+---
+
+## Managing Records
+
+### View Issued Records
+
+1. On the Issuer Dashboard, click "My Records"
+2. You'll see a list of all records you've issued
+3. Each record shows:
+   - Patient wallet address
+   - Vaccine name
+   - Date administered
+   - Issue date
+   - Status (Active or Revoked)
+
+### Search Records
+
+1. Use the search bar to find records by:
+   - Patient wallet address
+   - Vaccine name
+   - Date range
+
+### Export Records
+
+1. Click "Export" to download your records
+2. Choose format:
+   - **CSV** — For spreadsheets
+   - **JSON** — For data analysis
+3. Click "Download"
+
+### Record Details
+
+Click on any record to see:
+
+- Full patient wallet address
+- Complete vaccine information
+- Blockchain verification link
+- Revocation status
+- Audit trail (who issued, when, from where)
+
+**Screenshot**: My records list with search and export options
+
+---
+
+## Revoking Records
+
+### When to Revoke
+
+You may need to revoke a record if:
+
+- ❌ **Data Error** — Wrong vaccine name or date
+- ❌ **Duplicate** — Record was issued twice by mistake
+- ❌ **Patient Request** — Patient asks for removal
+- ❌ **Fraud** — Record was issued in error
+
+### How to Revoke
+
+1. On the Issuer Dashboard, find the record to revoke
+2. Click the three-dot menu (⋯)
+3. Select "Revoke Record"
+4. Enter a reason for revocation (optional)
+5. Click "Confirm Revocation"
+6. Approve the transaction in Freighter
+
+### After Revocation
+
+- The record will be marked as "Revoked"
+- It will no longer appear in patient verification
+- The blockchain will show the revocation
+- You cannot restore a revoked record (must re-issue)
+
+### Revocation Audit Trail
+
+All revocations are logged with:
+
+- Who revoked the record
+- When it was revoked
+- Reason for revocation
+- Transaction hash
+
+**Screenshot**: Revoke record confirmation dialog
+
+---
+
+## Best Practices
+
+### Data Quality
+
+- ✅ **Verify patient identity** — Confirm you have the correct wallet address
+- ✅ **Use consistent naming** — Standardize vaccine names across your organization
+- ✅ **Double-check dates** — Verify dates match your records
+- ✅ **Document everything** — Keep records of what you issued and when
+
+### Security
+
+- ✅ **Protect your wallet** — Never share your recovery phrase
+- ✅ **Use a strong password** — At least 12 characters
+- ✅ **Keep Freighter updated** — Enable automatic updates
+- ✅ **Verify URLs** — Always check you're on the official VacciChain site
+
+### Compliance
+
+- ✅ **Follow regulations** — Comply with local healthcare regulations
+- ✅ **Maintain audit logs** — Keep records of all issuances
+- ✅ **Protect patient privacy** — Only share necessary information
+- ✅ **Report issues** — Notify administrators of suspicious activity
+
+---
+
+## Troubleshooting
+
+### "Not Authorized"
+
+**Problem**: You see "Not Authorized" on the Issuer Dashboard.
+
+**Solution**:
+1. Verify you're using the correct wallet
+2. Contact your VacciChain administrator
+3. Provide your Stellar public key
+4. Wait for authorization to be processed
+5. Refresh the page
+
+### "Transaction Failed"
+
+**Problem**: Issuing a record failed.
+
+**Solution**:
+1. Check your internet connection
+2. Verify the patient wallet address is correct
+3. Ensure you have sufficient Stellar balance (minimum 1 XLM)
+4. Try again in a few moments
+5. Check the error message for details
+
+### "Invalid Wallet Address"
+
+**Problem**: The system says the wallet address is invalid.
+
+**Solution**:
+1. Verify the address starts with `G`
+2. Check that it's 56 characters long
+3. Ensure there are no typos or extra spaces
+4. Ask the patient to provide their address again
+5. Use copy-paste to avoid manual entry errors
+
+### "Freighter Not Responding"
+
+**Problem**: Freighter is not responding to transaction requests.
+
+**Solution**:
+1. Close and reopen Freighter
+2. Restart your browser
+3. Check your internet connection
+4. Reinstall Freighter if the problem persists
+5. Check [Freighter support](https://www.freighter.app/support)
+
+### "Insufficient Balance"
+
+**Problem**: You see "Insufficient balance" error.
+
+**Solution**:
+1. Check your Stellar account balance
+2. You need at least 1 XLM to issue records
+3. Request XLM from your administrator
+4. Wait for the transaction to complete
+5. Try again
+
+### "Duplicate Record"
+
+**Problem**: You accidentally issued the same record twice.
+
+**Solution**:
+1. Revoke one of the duplicate records
+2. Document the revocation reason
+3. Notify the patient if needed
+4. Re-issue if necessary
+
+---
+
+## Frequently Asked Questions
+
+**Q: Can I modify a record after issuing?**  
+A: No. Records are immutable on the blockchain. You must revoke and re-issue if changes are needed.
+
+**Q: How long does it take to issue a record?**  
+A: Usually 5-10 seconds. The blockchain confirms the transaction automatically.
+
+**Q: Can patients see who issued their records?**  
+A: Yes. The issuer address is visible on the blockchain. This is intentional for transparency.
+
+**Q: What if a patient loses their wallet?**  
+A: The record remains on the blockchain. If they restore their wallet with their recovery phrase, they'll have access again.
+
+**Q: Can I issue records in bulk?**  
+A: Currently, records are issued one at a time. Contact your administrator about bulk issuance features.
+
+**Q: How do I verify a patient's records?**  
+A: Use the public verification endpoint or ask the patient to share their verification link.
+
+**Q: What happens if I revoke a record?**  
+A: The record is marked as revoked on the blockchain. It will no longer appear in patient verification.
+
+**Q: Can I see records issued by other providers?**  
+A: No. You can only see records you've issued. This protects patient privacy.
+
+---
+
+## Compliance and Regulations
+
+### Data Protection
+
+- VacciChain complies with HIPAA and GDPR requirements
+- Patient data is encrypted and only accessible to the patient
+- Audit logs are maintained for compliance
+
+### Record Retention
+
+- Records are permanent on the blockchain
+- You cannot delete records (only revoke)
+- Maintain local backups for your records
+
+### Reporting
+
+- Export records regularly for your records
+- Report any suspicious activity to administrators
+- Maintain compliance with local regulations
+
+---
+
+## Getting Help
+
+- **Email**: support@vaccichain.example.com
+- **Discord**: [Join our community](https://discord.gg/vaccichain)
+- **GitHub Issues**: [Report a bug](https://github.com/dev-fatima-24/VacciChain/issues)
+- **Administrator**: Contact your VacciChain administrator for authorization issues
+
+---
+
+## Next Steps
+
+- [View the Patient Guide](./user-guide-patient.md) to understand the patient experience
+- [Learn about Stellar](https://developers.stellar.org/learn) for technical details
+- [Review the API Documentation](../README.md#backend-api) for integration details
diff --git a/docs/user-guide-patient.md b/docs/user-guide-patient.md
new file mode 100644
index 0000000..d6af3b5
--- /dev/null
+++ b/docs/user-guide-patient.md
@@ -0,0 +1,273 @@
+# Patient User Guide
+
+Welcome to VacciChain! This guide will help you view and manage your vaccination records on the blockchain.
+
+## Table of Contents
+
+- [Getting Started](#getting-started)
+- [Connecting Your Wallet](#connecting-your-wallet)
+- [Viewing Your Records](#viewing-your-records)
+- [Exporting Your Certificate](#exporting-your-certificate)
+- [Sharing Your Status](#sharing-your-status)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Getting Started
+
+VacciChain stores your vaccination records as **soulbound NFTs** on the Stellar blockchain. This means:
+
+- ✅ **Your records are yours** — Only you can access them
+- ✅ **Tamper-proof** — Records cannot be forged or altered
+- ✅ **Portable** — Your records follow you, not tied to any institution
+- ✅ **Verifiable** — Anyone can verify your status instantly
+
+### What You'll Need
+
+1. **Freighter Wallet** — A browser extension for managing Stellar assets
+   - Download from [freighter.app](https://www.freighter.app/)
+   - Available for Chrome, Firefox, Edge, and Brave
+
+2. **A Stellar Account** — Created automatically when you install Freighter
+
+3. **Internet Connection** — To access the VacciChain application
+
+---
+
+## Connecting Your Wallet
+
+### Step 1: Install Freighter
+
+1. Visit [freighter.app](https://www.freighter.app/)
+2. Click "Download" and select your browser
+3. Follow the installation prompts
+4. Create a new wallet or import an existing one
+5. **Important**: Save your recovery phrase in a safe place
+
+### Step 2: Switch to Testnet (if applicable)
+
+If you're testing VacciChain on testnet:
+
+1. Open Freighter
+2. Click the network selector (top-right)
+3. Select "Testnet"
+4. Your wallet will now show testnet assets
+
+### Step 3: Connect to VacciChain
+
+1. Visit the VacciChain application
+2. Click "Connect Wallet" on the landing page
+3. Freighter will prompt you to approve the connection
+4. Click "Approve"
+5. You'll be redirected to your Patient Dashboard
+
+**Screenshot**: Landing page with "Connect Wallet" button
+
+---
+
+## Viewing Your Records
+
+### Patient Dashboard
+
+Once connected, you'll see your Patient Dashboard with:
+
+- **Your Wallet Address** — Your unique Stellar identifier
+- **Vaccination Records** — All your vaccination NFTs
+- **Record Details** — Vaccine name, date administered, issuer
+
+### Understanding Your Records
+
+Each vaccination record shows:
+
+| Field | Meaning |
+|-------|---------|
+| **Vaccine Name** | Type of vaccine (e.g., COVID-19, Influenza) |
+| **Date Administered** | When you received the vaccine |
+| **Issuer** | Healthcare provider who issued the record |
+| **Token ID** | Unique blockchain identifier |
+
+### Example Record
+
+```
+Vaccine: COVID-19 (Pfizer-BioNTech)
+Date: March 15, 2026
+Issuer: City Health Department
+Status: ✅ Verified on blockchain
+```
+
+**Screenshot**: Patient dashboard showing vaccination records
+
+---
+
+## Exporting Your Certificate
+
+### Generate a Certificate
+
+1. On your Patient Dashboard, click "Export Certificate"
+2. Select the vaccination record you want to export
+3. Choose format:
+   - **PDF** — For printing or email
+   - **JSON** — For digital verification
+4. Click "Download"
+
+### What's Included
+
+Your certificate contains:
+
+- Your name and wallet address
+- Vaccine details (name, date, issuer)
+- Blockchain verification link
+- QR code for quick verification
+
+### Using Your Certificate
+
+- **Travel**: Show to border agents or airlines
+- **Employment**: Provide to employers requiring proof
+- **Education**: Submit to schools or universities
+- **Healthcare**: Share with medical providers
+
+**Screenshot**: Export certificate dialog
+
+---
+
+## Sharing Your Status
+
+### Public Verification Link
+
+You can share a link that allows others to verify your vaccination status:
+
+1. On your Patient Dashboard, click "Share Status"
+2. Copy the verification link
+3. Share via email, messaging, or QR code
+4. Others can verify your status without accessing your full records
+
+### What Others Can See
+
+When someone verifies your status, they see:
+
+- ✅ Whether you are vaccinated
+- ✅ Number of vaccination records
+- ✅ Vaccine names and dates (if you allow)
+- ❌ Your wallet address (hidden)
+- ❌ Your personal information
+
+### Privacy Controls
+
+1. Click "Privacy Settings"
+2. Choose what information to share:
+   - [ ] Show vaccine names
+   - [ ] Show dates
+   - [ ] Show issuer information
+3. Click "Save"
+
+**Screenshot**: Share status dialog with privacy options
+
+---
+
+## Troubleshooting
+
+### "Wallet Not Connected"
+
+**Problem**: The app says your wallet is not connected.
+
+**Solution**:
+1. Check that Freighter is installed and open
+2. Verify you're on the correct network (Testnet or Mainnet)
+3. Click "Connect Wallet" again
+4. Approve the connection in Freighter
+
+### "No Records Found"
+
+**Problem**: You don't see any vaccination records.
+
+**Solution**:
+1. Verify you're using the correct wallet address
+2. Check that you're on the correct network
+3. Wait a few moments for records to load
+4. Refresh the page
+5. Contact your healthcare provider to issue a record
+
+### "Transaction Failed"
+
+**Problem**: An action (like exporting) failed.
+
+**Solution**:
+1. Check your internet connection
+2. Verify you have sufficient Stellar balance (minimum 1 XLM)
+3. Try again in a few moments
+4. If the problem persists, contact support
+
+### "Freighter Not Responding"
+
+**Problem**: Freighter is not responding to connection requests.
+
+**Solution**:
+1. Close and reopen Freighter
+2. Restart your browser
+3. Reinstall Freighter if the problem persists
+4. Check [Freighter support](https://www.freighter.app/support)
+
+### "Certificate Export Not Working"
+
+**Problem**: You cannot export your certificate.
+
+**Solution**:
+1. Ensure you have at least one vaccination record
+2. Check that your browser allows downloads
+3. Try a different browser
+4. Contact support if the problem persists
+
+---
+
+## Security Tips
+
+### Protect Your Wallet
+
+- ✅ **Never share your recovery phrase** — Anyone with it can access your wallet
+- ✅ **Use a strong password** — At least 12 characters with mixed case and numbers
+- ✅ **Keep Freighter updated** — Enable automatic updates
+- ✅ **Verify URLs** — Always check you're on the official VacciChain site
+
+### Verify Records
+
+- ✅ **Check the issuer** — Ensure records come from trusted healthcare providers
+- ✅ **Verify dates** — Confirm vaccination dates match your records
+- ✅ **Use blockchain verification** — Click the verification link to confirm on-chain
+
+---
+
+## Frequently Asked Questions
+
+**Q: Is my data private?**  
+A: Yes. Your records are encrypted and only accessible with your wallet. VacciChain cannot access your data.
+
+**Q: Can I lose my records?**  
+A: No. Records are stored on the Stellar blockchain permanently. As long as you have access to your wallet, you have access to your records.
+
+**Q: What if I lose my wallet?**  
+A: If you have your recovery phrase, you can restore your wallet on any device. Without it, your records are inaccessible.
+
+**Q: Can I delete my records?**  
+A: No. Records are permanent on the blockchain. However, you can request revocation from the issuing healthcare provider.
+
+**Q: How much does this cost?**  
+A: VacciChain is free. You only pay minimal Stellar network fees (typically <$0.01).
+
+**Q: Can I use this on mobile?**  
+A: Yes, if your mobile browser supports Freighter (iOS Safari, Android Chrome).
+
+---
+
+## Getting Help
+
+- **Email**: support@vaccichain.example.com
+- **Discord**: [Join our community](https://discord.gg/vaccichain)
+- **GitHub Issues**: [Report a bug](https://github.com/dev-fatima-24/VacciChain/issues)
+
+---
+
+## Next Steps
+
+- [View the Issuer Guide](./user-guide-issuer.md) if you're a healthcare provider
+- [Learn about Stellar](https://developers.stellar.org/learn) for technical details
+- [Verify someone's status](../README.md#verification) using the public verification endpoint

From 5b6043a81c6cdd5bdf95cbb86b5aec3ba67d4b51 Mon Sep 17 00:00:00 2001
From: Lex Studios <233934133+Lex-Studios@users.noreply.github.com>
Date: Tue, 28 Apr 2026 04:26:37 +0000
Subject: [PATCH 5/5] feat(#79): Add feature request issue template

- Create feature request template at .github/ISSUE_TEMPLATE/feature_request.md
- Include problem statement, proposed solution, and acceptance criteria
- Add priority levels for issue triage
---
 .github/ISSUE_TEMPLATE/feature_request.md | 45 +++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md

diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..e91629f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,45 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+title: "[FEATURE] "
+labels: enhancement
+assignees: ''
+
+---
+
+## Description
+
+A clear and concise description of what the feature is.
+
+## Problem Statement
+
+Is your feature request related to a problem? Please describe the problem you're trying to solve.
+
+## Proposed Solution
+
+Describe the solution you'd like in detail.
+
+## Alternative Solutions
+
+Describe any alternative solutions or features you've considered.
+
+## Use Cases
+
+Describe the use cases for this feature. Who would benefit from it?
+
+## Additional Context
+
+Add any other context or screenshots about the feature request here.
+
+## Acceptance Criteria
+
+- [ ] 
+- [ ] 
+- [ ] 
+
+## Priority
+
+- [ ] Low
+- [ ] Medium
+- [ ] High
+- [ ] Critical