DESCRIPTION
A political bond without a digital certificate has no institutional credibility. The document_hash field already exists in the VelarBond Soroban contract but is never populated with a real PDF, so the audit story is incomplete. This task wires the full document upload, hashing, and on-chain storage flow end-to-end.
GOAL
TSE can upload a PDF certificate for each bond, its SHA-256 is stored on-chain in the Soroban contract, and any party can verify the document's authenticity directly in the browser.
REQUIREMENTS
- Supabase Storage: bucket bond-documents with RLS (only TSE uploads; the current owner downloads)
- Backend: POST /bonds/:tokenId/document — receives PDF, computes SHA-256 server-side, uploads to Storage, saves the hash in bonds.document_hash, and syncs it to the Soroban contract
- Backend: GET /bonds/:tokenId/document — authenticated download endpoint
- Frontend: file upload form on the TSE bond issuance page
- Frontend: "Verify Authenticity" button — downloads PDF, recomputes SHA-256 in the browser, compares against the on-chain hash from Soroban
- Accepted file types: PDF only, max 10 MB
ACCEPTANCE CRITERIA
NOTES
Relevant files: contracts/velar-bond/, supabase/migrations/, apps/api/src/bonds/, apps/web/src/app/tse/. The Soroban contract already has document_hash in its data model — check whether initialize() or a dedicated setter should be used. Node.js crypto module (createHash) for server-side hashing; Web Crypto API (SubtleCrypto) for browser verification.
Difficulty: Advanced
Priority: High