From 0b3f69beedbd8c2e9bd524b8e25d6598d0794e8c Mon Sep 17 00:00:00 2001
From: usingtechnology <39388115+usingtechnology@users.noreply.github.com>
Date: Thu, 11 Jun 2026 11:49:44 -0700
Subject: [PATCH 1/2] feat: CCP-4873 Github templates

get some standards for developer contribution
---
 .github/ISSUE_TEMPLATE/bug.md           |  35 +++++++
 .github/ISSUE_TEMPLATE/custom.md        |   8 ++
 .github/ISSUE_TEMPLATE/decision.md      |  18 ++++
 .github/ISSUE_TEMPLATE/documentation.md |  26 +++++
 .github/ISSUE_TEMPLATE/epic.md          |  20 ++++
 .github/ISSUE_TEMPLATE/feature.md       |  26 +++++
 .github/ISSUE_TEMPLATE/question.md      |  17 +++
 .github/ISSUE_TEMPLATE/task.md          |  20 ++++
 .github/ISSUE_TEMPLATE/ux.md            |  22 ++++
 .github/codeowners                      |  15 +++
 .github/pull_request_template.md        |  71 +++++++++++++
 .github/workflows/pr_validate.yaml      |  48 +++++++++
 .vscode/launch.json                     |   4 +-
 CODE_OF_CONDUCT.md                      | 128 ++++++++++++++++++++++
 COMPLIANCE.yaml                         |  11 ++
 CONTRIBUTING.md                         |  16 +++
 DEVELOPER.md                            | 134 +++++++++++++++---------
 SECURITY.md                             |  46 ++++++++
 18 files changed, 611 insertions(+), 54 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/bug.md
 create mode 100644 .github/ISSUE_TEMPLATE/custom.md
 create mode 100644 .github/ISSUE_TEMPLATE/decision.md
 create mode 100644 .github/ISSUE_TEMPLATE/documentation.md
 create mode 100644 .github/ISSUE_TEMPLATE/epic.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature.md
 create mode 100644 .github/ISSUE_TEMPLATE/question.md
 create mode 100644 .github/ISSUE_TEMPLATE/task.md
 create mode 100644 .github/ISSUE_TEMPLATE/ux.md
 create mode 100644 .github/codeowners
 create mode 100644 .github/pull_request_template.md
 create mode 100644 .github/workflows/pr_validate.yaml
 create mode 100644 CODE_OF_CONDUCT.md
 create mode 100644 COMPLIANCE.yaml
 create mode 100644 CONTRIBUTING.md
 create mode 100644 SECURITY.md

diff --git a/.github/ISSUE_TEMPLATE/bug.md b/.github/ISSUE_TEMPLATE/bug.md
new file mode 100644
index 0000000..3841d1e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug.md
@@ -0,0 +1,35 @@
+---
+name: Bug
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Bug**
+A clear and concise description of what the bug is.
+
+**Expected Behaviour**
+A clear and concise description of what you expected to happen.
+
+**Actual Behaviour**
+A clear and concise description of what actually happened.
+
+**Steps To Reproduce**
+Steps to reproduce the behaviour:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md
new file mode 100644
index 0000000..b1069d8
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/custom.md
@@ -0,0 +1,8 @@
+---
+name: Custom issue template
+about: Describe this issue template's purpose here
+title: ''
+labels: ''
+assignees: ''
+
+---
diff --git a/.github/ISSUE_TEMPLATE/decision.md b/.github/ISSUE_TEMPLATE/decision.md
new file mode 100644
index 0000000..12bedda
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/decision.md
@@ -0,0 +1,18 @@
+---
+name: Decision
+about: A significant decision that has been made or raised to the Product Owner
+title: ''
+labels: decision
+assignees: ''
+
+---
+
+**Decision**
+A clear and concise description of the decision to be made or that was made.
+
+**Context**
+- why is this decision needed?
+- what options were considered?
+
+**Outcome**
+- the decision reached, and who made it
diff --git a/.github/ISSUE_TEMPLATE/documentation.md b/.github/ISSUE_TEMPLATE/documentation.md
new file mode 100644
index 0000000..917aa24
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/documentation.md
@@ -0,0 +1,26 @@
+---
+name: Documentation
+about: Documentation for a specific area or need
+title: ''
+labels: documentation
+assignees: ''
+
+---
+
+**As a** *(User Type/Persona)* **I want** *(Feature/enhancement)* **So That** *(Value, why is this wanted, what is the user trying to accomplish)*
+
+**Additional Context**
+- enter text here
+- enter text here
+
+**Acceptance Criteria**
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
+
+**Definition of Done**
+- [ ] Ready to Demo in Sprint Review
+- [ ] Does what I have made have appropriate test coverage?
+- [ ] Documentation exists and can be found
+- [ ] Peer Reviewed by the team
+- [ ] Manual testing of all PRs in Dev and Prod
+- [ ] Merged
diff --git a/.github/ISSUE_TEMPLATE/epic.md b/.github/ISSUE_TEMPLATE/epic.md
new file mode 100644
index 0000000..6b6b4e5
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/epic.md
@@ -0,0 +1,20 @@
+---
+name: Epic
+about: A User Story large enough that it cannot be completed in a single sprint, the desired end state of a feature
+title: ''
+labels: epic
+assignees: ''
+
+---
+
+**As a** *(User Type/Persona)* **I want** *(Feature/enhancement)* **So That** *(Value, why is this wanted, what is the user trying to accomplish)*
+
+**Additional Context**
+
+- enter text here
+- enter text here
+
+**Acceptance Criteria**
+
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
diff --git a/.github/ISSUE_TEMPLATE/feature.md b/.github/ISSUE_TEMPLATE/feature.md
new file mode 100644
index 0000000..df8804f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature.md
@@ -0,0 +1,26 @@
+---
+name: Feature request / user story
+about: Suggest an idea from the perspective of a user
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**As a** *(User Type/Persona)* **I want** *(Feature/enhancement)* **So That** *(Value, why is this wanted, what is the user trying to accomplish)*
+
+**Additional Context**
+- enter text here
+- enter text here
+
+**Acceptance Criteria**
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
+- [ ] Given (Context), When (action carried out), Then (expected outcome)
+
+**Definition of Done**
+- [ ] Ready to Demo in Sprint Review
+- [ ] Does what I have made have appropriate test coverage?
+- [ ] Documentation exists and can be found
+- [ ] Peer Reviewed by the team
+- [ ] Manual testing of all PRs in Dev and Prod
+- [ ] Merged
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 0000000..c2e8a26
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,17 @@
+---
+name: Question
+about: Ask us a question!
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Your question**
+A clear and concise statement of what you would like to know.
+
+**Context**
+- any background or details that help us answer the question
+
+**Additional context**
+- any additional details that could not be captured above
diff --git a/.github/ISSUE_TEMPLATE/task.md b/.github/ISSUE_TEMPLATE/task.md
new file mode 100644
index 0000000..f9b5f1f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/task.md
@@ -0,0 +1,20 @@
+---
+name: Task
+about: Work for the team that cannot be written as a user story
+title: ''
+labels: task
+assignees: ''
+
+---
+
+**Describe the task**
+A clear and concise description of what the task is.
+
+**Acceptance Criteria**
+- [ ] first
+- [ ] second
+- [ ] third
+
+**Additional context**
+- Add any other context about the task here.
+- Or here
diff --git a/.github/ISSUE_TEMPLATE/ux.md b/.github/ISSUE_TEMPLATE/ux.md
new file mode 100644
index 0000000..e6b0d32
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/ux.md
@@ -0,0 +1,22 @@
+---
+name: UX Task
+about: This is a Task for UX Research, Design or Testing
+title: ''
+labels: ux
+assignees: ''
+
+---
+
+**Describe the task**
+Basic description of the task. Is it focused on research with users or the business area? Is it design focused on either co-design or wireframing? Is it user testing or compiling results?
+
+**Acceptance Criteria**
+- [ ] what is required for this task to be complete?
+- what is the finishing point or end state of this task?
+- [ ] what is the output of this task?
+
+**SME/User Contact**
+(may want to use a persona to fill this in)
+
+**Additional context**
+- any additional details that could not be captured above
diff --git a/.github/codeowners b/.github/codeowners
new file mode 100644
index 0000000..4e48e51
--- /dev/null
+++ b/.github/codeowners
@@ -0,0 +1,15 @@
+# Code owners for the SOBA repository.
+#
+# Owners listed here are automatically requested for review when someone opens
+# a pull request that modifies matching files. Uncomment and fill in the GitHub
+# handles for your team before relying on this.
+#
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Matched against repo root (asterisk)
+# *                         @owner1 @owner2
+
+# Matched against directories
+# /.github/workflows/       @owner1 @owner2
+# /backend/                 @owner1 @owner2
+# /frontend/                @owner1 @owner2
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..86d056f
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,71 @@
+<!--
+Provide a general summary of your changes in the Title above, using the format:
+    type: CCP-1234 short description of your change
+
+For example:
+    feat: CCP-1234 add submission export to CSV
+-->
+
+**References ticket:** CCP-NNNN
+
+<!-- Replace NNNN with the Jira ticket number. If this also closes a GitHub issue, add a line below: Fixes #123 -->
+
+# Description
+
+Please provide a summary of the change and the issue fixed. Please include relevant context. List dependency changes.
+
+## Type of change
+
+<!-- Please delete options that are not relevant. -->
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] This change requires a documentation update
+- [ ] Documentation update
+
+# How Has This Been Tested?
+
+<!-- Please describe the tests you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration -->
+
+<!-- Please delete options that are not relevant. -->
+
+- [ ] New unit tests
+- [ ] New integration tests
+- [ ] New end-to-end tests (Playwright)
+- [ ] No new tests are required
+- [ ] Manual tests (description below)
+- [ ] Updated existing tests
+
+## How to verify
+
+<!--
+Provide steps a reviewer can follow to confirm this PR does what it says it does,
+ideally reproducible in another environment (e.g. the PR/dev deployment).
+
+For a bug fix: first describe how to reproduce the original bug, then how to
+confirm it no longer occurs with this change.
+-->
+
+1. ...
+2. ...
+3. Expected result: ...
+
+## Checklist
+
+<!-- Go over all the following points, and put an `x` in all the boxes that apply. -->
+<!-- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+
+- [ ] I have read the [CONTRIBUTING](../CONTRIBUTING.md) doc
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] I have run lint on the affected backend and/or frontend workspace
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+- [ ] Any dependent changes have already been accepted and merged
+
+## Further comments
+
+<!-- If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc... -->
diff --git a/.github/workflows/pr_validate.yaml b/.github/workflows/pr_validate.yaml
new file mode 100644
index 0000000..ae71554
--- /dev/null
+++ b/.github/workflows/pr_validate.yaml
@@ -0,0 +1,48 @@
+# Validates the pull request title (conventional commits) and rejects forks.
+# Only the PR title is checked — individual commits are not inspected — because
+# merges use the PR title as the squash commit message.
+name: PR Validate
+run-name: PR-${{ github.event.number }} validate
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize, ready_for_review]
+
+permissions:
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    name: Validate PR
+    runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.draft }}
+    steps:
+      - name: Reject forks
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          echo "::error::Pull requests from forks are not accepted. Please create a branch in this repository and open your PR from there."
+          exit 1
+
+      - name: Validate PR title
+        uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Allowed conventional-commit types. The Jira id (e.g. CCP-1234)
+          # belongs in the subject: "feat: CCP-1234 add submission export".
+          types: |
+            feat
+            fix
+            build
+            ci
+            docs
+            perf
+            refactor
+            revert
+            style
+            test
+            chore
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 79efd0a..5eb30f7 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -52,8 +52,8 @@
       "name": "SOBA Frontend (Chrome)",
       "type": "chrome",
       "request": "launch",
-      "url": "http://localhost:5173",
-      "webRoot": "${workspaceFolder}/frontend/src"
+      "url": "http://localhost:3000",
+      "webRoot": "${workspaceFolder}/frontend"
     }
   ]
 }
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..c97423d
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+<submit.digital@gov.bc.ca>. All complaints will be reviewed and investigated
+promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
diff --git a/COMPLIANCE.yaml b/COMPLIANCE.yaml
new file mode 100644
index 0000000..6495c8a
--- /dev/null
+++ b/COMPLIANCE.yaml
@@ -0,0 +1,11 @@
+name: compliance
+description: |
+  This document is used to track a projects PIA and STRA
+  compliance.
+spec:
+  - name: PIA
+    status: not-required
+    last-updated: '2026-06-11T00:00:00.000Z'
+  - name: STRA
+    status: not-required
+    last-updated: '2026-06-11T00:00:00.000Z'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..e5750b4
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,16 @@
+# How to contribute
+
+Government employees, public and members of the private sector are encouraged to contribute to the repository by **creating a branch and submitting a pull request**. Pull requests from forks are not accepted — please open your branch within this repository.
+
+(If you are new to GitHub, you might start with a [basic tutorial](https://help.github.com/articles/set-up-git) and check out a more detailed guide to [pull requests](https://help.github.com/articles/using-pull-requests/).)
+
+## Before you begin
+
+- Please bring your change ideas to the team before starting work.
+- Contributors must follow the [Code of Conduct](./CODE_OF_CONDUCT.md).
+- Changes should include test coverage, documentation, and comments where appropriate.
+- Pull request titles should follow the format `type: CCP-1234 short description` (for example, `feat: CCP-1234 add submission export`).
+
+Pull requests will be evaluated by the repository guardians on a schedule and if deemed beneficial will be committed to the main branch.
+
+All contributors retain the original copyright to their stuff, but by contributing to this project, you grant a world-wide, royalty-free, perpetual, irrevocable, non-exclusive, transferable license to all users **under the terms of the [license](./LICENSE) under which this project is distributed**.
diff --git a/DEVELOPER.md b/DEVELOPER.md
index 7075f8a..67705fb 100644
--- a/DEVELOPER.md
+++ b/DEVELOPER.md
@@ -55,12 +55,14 @@ docker compose -f .devcontainer/docker-compose.yml up -d
 This starts:
 
 - **MongoDB** (port 27017) — used by Form.io
-- **[PostgreSQL](https://www.postgresql.org) 17** (port 5432) — app DB
+- **[PostgreSQL](https://www.postgresql.org) 17** (port 5432) — app DB (default DB `postgres`; migrate creates `soba`)
 - **Form.io** (port 3001) — form runtime
+- **Temporal** (gRPC port 7233) — workflow engine
+- **Temporal UI** (port 8088) — workflow dashboard
 
-**Inside the devcontainer** use `host.docker.internal` to reach these services (e.g. `mongodb://host.docker.internal:27017`, `postgresql://postgres:postgres@host.docker.internal:5432/postgres`, `http://host.docker.internal:3001`). The devcontainer is started with `--add-host=host.docker.internal:host-gateway` so that this hostname works on Linux as well as on Docker Desktop (Mac/Windows). On the host machine use `localhost` and the same ports. **Using the app from a browser on the host** (e.g. http://localhost:3000): the frontend example uses `NEXT_PUBLIC_SOBA_API_BASE_URL=http://localhost:4000/api/v1` so client-side API calls go to the forwarded backend; no change needed. Form.io login: `formio@localhost.com` / `formio`.
+**Inside the devcontainer** use `host.docker.internal` to reach sidecars from backend processes (e.g. `mongodb://host.docker.internal:27017`, `postgresql://postgres:postgres@host.docker.internal:5432/postgres`, `http://host.docker.internal:3001`). The devcontainer is started with `--add-host=host.docker.internal:host-gateway` so that this hostname works on Linux as well as on Docker Desktop (Mac/Windows). **Committed `.env.example` files use `localhost`** for DB, Form.io, and API URLs — that works when the browser and forwarded ports are on the host (e.g. http://localhost:3000 with `NEXT_PUBLIC_SOBA_API_BASE_URL=http://localhost:4000/api/v1`). Use `host.docker.internal` in backend env when the API server runs inside the container and must reach compose services. Form.io login: `formio@localhost.com` / `formio`.
 
-**Database (migrate + seed):** After the sidecars are up, from the repo root run `pnpm db:init` to run pending migrations and seed data. See [Drizzle](#drizzle) for individual `db:migrate` / `db:seed` commands.
+**Database (migrate + seed):** After the sidecars are up, from the repo root run `pnpm db:init` (or `pnpm dev:db:up` to start services and init in one step). See [Drizzle](#drizzle) for individual `db:migrate` / `db:seed` commands.
 
 ---
 
@@ -88,10 +90,14 @@ The repo is a **[pnpm](https://pnpm.io) workspace** (faster installs, shared sto
 | `pnpm lint:fix:frontend` / `pnpm lint:fix:backend` | Lint fix one app                                                |
 | `pnpm check`                                       | Type/style checks for both apps                                 |
 | `pnpm check:frontend` / `pnpm check:backend`       | Check one app                                                   |
+| `pnpm qa`                                          | `check` then `test` (PR readiness shortcut)                     |
+| `pnpm qa:build`                                    | `qa` then `build`                                               |
+| `pnpm dev:services:up`                             | Start sidecars via docker compose (`up -d --wait`)              |
+| `pnpm dev:db:up`                                   | `dev:services:up` then `db:init`                                |
 | `pnpm clean:workspace`                             | Remove deps, build outputs, and test artifacts (keeps `.env`)   |
 | `pnpm clean:workspace:full`                        | Same as above, plus remove gitignored env files                 |
 
-Package manager is pinned in `package.json` (`packageManager`: `pnpm@10.28.2`). The `integration` app lives outside the workspace and has its own `pnpm-lock.yaml`; use `pnpm -C integration/playwright <script>` for integration-specific commands.
+Package manager is pinned in `package.json` (`packageManager`: `pnpm@10.28.2`). The `integration` app lives outside the workspace and uses **`package-lock.json`** (npm); post-create runs `npm ci --prefix integration/playwright`. From the repo root you can still run `pnpm -C integration/playwright test` once deps are installed.
 
 **Troubleshooting installs:** If `pnpm install` fails with `EINVAL` on a VM-backed workspace mount (Docker Desktop, Rancher, Cursor remote), run `pnpm clean:workspace && pnpm install` from the repo root.
 
@@ -103,19 +109,21 @@ VS Code config lives in `.vscode/launch.json` and `.vscode/tasks.json`.
 
 **Launch (`launch.json`):** Run and debug from the Run and Debug view.
 
-| Configuration                 | Purpose                                                 |
-| ----------------------------- | ------------------------------------------------------- |
-| **SOBA Backend**              | Start backend dev server (`pnpm dev` in `backend/`)     |
-| **SOBA Frontend**             | Start frontend dev server (`pnpm dev` in `frontend/`)   |
-| **SOBA (Backend + Frontend)** | Compound: starts both                                   |
-| **SOBA Frontend (Chrome)**    | Attach Chrome to frontend (URL `http://localhost:5173`) |
+| Configuration                          | Purpose                                                          |
+| -------------------------------------- | ---------------------------------------------------------------- |
+| **SOBA Backend**                       | Start backend dev server (`pnpm dev` in `backend/`)              |
+| **SOBA Temporal Worker**               | Start Temporal worker (`tsx watch temporal-worker.ts`)           |
+| **SOBA Frontend**                      | Start frontend dev server (`pnpm dev:watch` in `frontend/`)      |
+| **SOBA (Backend + Temporal + Frontend)** | Compound: backend, Temporal worker, and frontend               |
+| **SOBA (Backend + Temporal)**          | Compound: backend and Temporal worker                            |
+| **SOBA Frontend (Chrome)**             | Attach Chrome to frontend (URL `http://localhost:3000`)          |
 
 **Tasks (`tasks.json`):** Run from Command Palette → “Tasks: Run Task”.
 
-| Task                   | Purpose                                            |
-| ---------------------- | -------------------------------------------------- |
-| **Dev Services: Up**   | Start MongoDB, PostgreSQL, Form.io, Temporal, etc. |
-| **Dev Services: Down** | Stop and remove the dev service containers         |
+| Task                   | Purpose                                                         |
+| ---------------------- | --------------------------------------------------------------- |
+| **Dev Services: Up**   | Start sidecars (`docker compose ... up -d --build`)             |
+| **Dev Services: Down** | Stop and remove the dev service containers                    |
 
 You can also run `docker compose -f .devcontainer/docker-compose.yml up -d` in a terminal, or right-click `docker-compose.yml` and use **Compose Up**.
 
@@ -127,7 +135,7 @@ You can also run `docker compose -f .devcontainer/docker-compose.yml up -d` in a
 
 **Not committed:** `.env` and `.env.local` (active config, often contain secrets).
 
-Example files are set up by default for **devcontainer usage** (e.g. `host.docker.internal`, local sidecars). When adding external services, use **development** endpoints and config where they exist — never production URLs or production-only settings in examples. **Never put secrets or passwords for external services in example files**; document the keys and put real values in `.env.local` (or equivalent local override) only.
+Example files use **`localhost`** for local sidecars and the SOBA API so host-browser dev works out of the box. When backend processes run inside the devcontainer and must reach compose services directly, switch DB/Form.io URLs to **`host.docker.internal`** (see [Docker Compose](#docker-compose-sidecar-services)). When adding external services, use **development** endpoints and config where they exist — never production URLs or production-only settings in examples. **Never put secrets or passwords for external services in example files**; document the keys and put real values in `.env.local` (or equivalent local override) only.
 
 The devcontainer **initialize** and **post-create** steps copy from example files only when the target does not exist (`cp -n`). **Post-start** refreshes `.env` from `.env.example` on each container start so base config stays in sync with the repo. **`.env.local` is never overwritten** — it is created once from `.env.local.example` and is up to you to maintain (secrets, credential overrides, local defaults). If you add secrets or change defaults in `.env.local`, keep it updated yourself; tooling will not replace it.
 
@@ -158,24 +166,34 @@ The devcontainer **initialize** and **post-create** steps copy from example file
 
 | Command                  | Purpose                                                    |
 | ------------------------ | ---------------------------------------------------------- |
-| `pnpm dev`               | TypeScript watch + nodemon; backend dev server (port 4000) |
+| `pnpm dev`               | nodemon: `tsc && node dist/src/app.js` on change (port 4000) |
 | `pnpm build`             | Compile TypeScript to `dist/`                              |
-| `pnpm serve`             | Build then run `node dist/app.js`                          |
-| `pnpm start`             | Run `node dist/app.js` (assumes already built)             |
+| `pnpm serve`             | Build then run `node dist/src/app.js`                      |
+| `pnpm start`             | Run `node dist/src/app.js` (assumes already built)         |
 | `pnpm test`              | Run Jest unit tests                                        |
 | `pnpm test:watch`        | Jest in watch mode                                         |
 | `pnpm test:coverage`     | Jest with coverage report                                  |
+| `pnpm test:parallel`     | Jest with `--maxWorkers=2`                                 |
 | `pnpm lint` / `lint:fix` | ESLint; fix applies auto-fix                               |
+| `pnpm format` / `format:check` | Prettier write / check                             |
 | `pnpm type-check`        | `tsc --noEmit`                                             |
 | `pnpm check`             | Type-check + lint (run before PR)                          |
+| `pnpm temporal-worker`   | Run Temporal worker once (`tsx temporal-worker.ts`)        |
+| `pnpm temporal-worker:dev` | Run Temporal worker with watch                           |
 
 Tests live under `backend/tests/`. See [In Detail — Testing](#testing) for approach and supertest usage.
 
+### Temporal
+
+[Temporal](https://temporal.io) sidecar runs in compose (port 7233; UI on 8088). Worker scripts above poll `TEMPORAL_TASK_QUEUE` (default `soba`). **`TEMPORAL_ALLOWED=false`** by default — worker exits without connecting; set `true` for local workflow dev. See `docs/temporal.md` for workflow details.
+
 ### API layout
 
-- **Base path:** `/api/v1`. All core domains and (when mounted) plugin APIs live under this prefix.
+- **Base path:** `/api/v1`. Core domains live under this prefix.
 - **Public (no JWT):** `/api/v1/meta`, `/api/v1/health`. OpenAPI spec: `/api/docs/openapi.json`; Swagger UI: `/api/docs`.
-- **Protected:** Routes under `/api/v1` use `checkJwt()` then `resolveActor`; core context (workspace, etc.) is required for domain routes. Admin routes under `/api/v1/admin` additionally require SOBA admin (`requireSobaAdmin`).
+- **Public submissions (optional JWT):** `POST /api/v1/submissions` and `POST /api/v1/submissions/:id/save` are mounted **before** the JWT middleware. They use optional auth (`checkJwtOptional`, `resolveActorOptional`) and **`checkFormVisibility`** so anonymous users can submit when the form version's `visibility` allows it.
+- **Protected:** Other `/api/v1` routes use `checkJwt()` then `resolveActor`; core context (workspace, etc.) is required for domain routes. Admin routes under `/api/v1/admin` additionally require SOBA admin (`requireSobaAdmin`).
+- **CORS:** All origins allowed in `development`; in other environments set comma-separated **`CORS_ORIGIN`** or cross-origin requests are blocked.
 
 ### Core domains
 
@@ -186,10 +204,12 @@ Tests live under `backend/tests/`. See [In Detail — Testing](#testing) for app
 | `/api/v1/workspaces`, `/api/v1/workspaces/current` | List workspaces, current workspace                                    | Protected |
 | `/api/v1/me`                                       | Current actor                                                         | Protected |
 | `/api/v1/members`                                  | Workspace members                                                     | Protected |
-| `/api/v1/forms`, `/api/v1/form-versions`, …        | Forms and form versions CRUD, save draft, publish                     | Protected |
-| `/api/v1/submissions`, …                           | Submissions CRUD, save draft                                          | Protected |
+| `/api/v1/forms`, `/api/v1/form-versions`, …        | Forms and form versions CRUD, save, publish/unpublish/restore, schema | Protected |
+| `/api/v1/submissions`, …                           | Submissions CRUD, save, read data (`GET /:id/data`)                   | Protected (+ public create/save above) |
 | `/api/v1/admin`                                    | SOBA platform admins (list, add, remove)                              | Admin     |
 
+Key form-version routes: `POST /:id/publish`, `POST /:id/unpublish`, `POST /:id/restore`, `GET|POST /:id/schema` (read/provision schema in the form engine).
+
 ### Plugin implementations
 
 The backend uses a **plugin architecture** so that workspace resolution, form engines, auth (IdP), cache, message bus, and optional feature APIs can be swapped or extended without changing core. Plugins are discovered from `backend/src/plugins/` (each directory is a plugin module). Configuration is via env (e.g. which plugins are enabled, plugin-specific keys). For auth, Passport is now the protected-route entry point, but IdP plugins still provide provider-specific token verification and claim mapping. See [In Detail — Configuration of plugins and features](#configuration-of-plugins-and-features).
@@ -203,9 +223,13 @@ The backend uses a **plugin architecture** so that workspace resolution, form en
 | **IdP (auth)**         | JWT validation, claim mapping          | `idp-bcgov-sso` (BC Gov Keycloak), `idp-github`                     |
 | **Cache**              | Key-value cache                        | `cache-memory`; future: Redis                                       |
 | **Message bus**        | Async messaging                        | `messagebus-memory`; future: Redis, NATS                            |
-| **Feature API**        | Optional REST API per plugin           | e.g. `personal-local` (exposes `pluginApiDefinition` with basePath) |
+| **Feature API**        | Optional REST API per plugin           | e.g. `personal-local` (exports `pluginApiDefinition`; not mounted in `app.ts` yet) |
 
-Workspace and IdP plugins are ordered via env (`WORKSPACE_PLUGINS_ALLOWED`, `IDP_PLUGINS`); the first successful resolver or IdP wins. For IdP auth, Passport orchestrates the ordered plugin attempts and the winning plugin still supplies the mapped identity used by core. Plugin APIs (from plugins that export both a workspace resolver and a feature API definition) are registered via `createPluginApiRouter()` and can be mounted under `/api/v1` when desired.
+Workspace and IdP plugins are ordered via env (`WORKSPACE_PLUGINS_ALLOWED`, `IDP_PLUGINS`); the first successful resolver or IdP wins. For IdP auth, Passport orchestrates the ordered plugin attempts and the winning plugin still supplies the mapped identity used by core. IdP env prefixes follow plugin codes (e.g. `bcgov-sso` → `PLUGIN_BCGOV_SSO_*`, `idp-github` → `PLUGIN_IDP_GITHUB_*`).
+
+### Workspace context
+
+Resolved per request by workspace plugins in `coreContextMiddleware`. **`personal-local`** (default alongside `enterprise-cstar`): reads workspace from cookie `PLUGIN_PERSONAL_LOCAL_COOKIE_KEY` (default `soba_workspace_id`) or header **`x-workspace-id`** when `PLUGIN_PERSONAL_LOCAL_ALLOW_HEADER_OVERRIDE=true`; falls back to auto-created home workspace. The frontend sends `x-workspace-id` on protected form/submission API calls.
 
 ### Features
 
@@ -213,13 +237,13 @@ Workspace and IdP plugins are ordered via env (`WORKSPACE_PLUGINS_ALLOWED`, `IDP
 
 ### Form engines and formio-v5
 
-Form rendering and submission storage are delegated to a **form engine** plugin. The default is `formio-v5` (Form.io v5). The core stores form and submission metadata and draft state in PostgreSQL; the form engine (e.g. Form.io) holds the form definition and can persist submission payloads. The **FormioEngineAdapter** (`backend/src/plugins/formio-v5/`) talks to Form.io over HTTP. Config is via `PLUGIN_FORMIO_V5_*` (API base URL, admin credentials, etc.). `FORM_ENGINE_DEFAULT_CODE` selects which engine to use; forms reference an engine code.
+Form rendering and submission storage are delegated to a **form engine** plugin. The default is `formio-v5` (Form.io v5). The core stores form and submission metadata in PostgreSQL; the form engine (Form.io/Mongo) holds form definitions and submission payloads. The **FormioEngineAdapter** (`backend/src/plugins/formio-v5/`) talks to Form.io over HTTP using a **server-side admin client**. Config is via `PLUGIN_FORMIO_V5_*` (API URLs, admin credentials). `FORM_ENGINE_DEFAULT_CODE` selects which engine to use; forms reference an engine code.
 
-Form engine plugins can optionally expose **HTTP routes** (e.g. a Form.io CE proxy) by setting **`routeBasePath`** and **`createRouter(config)`**; routes are mounted only when **`PLUGIN_<CODE>_ROUTES_ALLOWED=true`** (explicit per-engine). For formio-v5, set **`PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true`** to mount the proxy at **`/api/v1/formio-v5`** (path from **`PLUGIN_FORMIO_V5_PROXY_PATH`**, default `/formio-v5`). The proxy is **protected** (same auth as v1 API: app JWT in `Authorization: Bearer`). It forwards to Form.io CE and optionally passes through **`x-jwt-token`**; otherwise it uses the server-side admin client. Health remains on the adapter and is reported via `/api/v1/health`. See [In Detail — Configuration of plugins and features](#configuration-of-plugins-and-features).
+**Server-mediated flow (no browser → Form.io proxy):** The browser never calls Form.io directly. Protected API routes provision and read schemas (`POST|GET /form-versions/:id/schema`); `SubmissionService.save()` creates submission documents in the engine server-side and stores `engine_submission_ref`. `engine_sync_status` on domain rows tracks provisioning state. Readiness is on the adapter and reported via `/api/v1/health/ready`. See [In Detail — Form engine cross-references](#form-engine-cross-references).
 
 ### Form engine cross-references
 
-Data lives in **two systems**: domain metadata/draft state in **PostgreSQL** and the form definition/submission payloads in the **form engine** (e.g. Form.io/Mongo). To match records across them we store the engine's reference on the domain row: `form_version.engine_schema_ref` (the Form.io form id/path) and `submission.engine_submission_ref`. The client creates the resource in the form engine and passes the returned reference to the SOBA save endpoint, which persists it. See [In Detail — Form engine cross-references](#form-engine-cross-references).
+Data lives in **two systems**: domain metadata in **PostgreSQL** and form definitions/submission payloads in the **form engine**. Cross-reference columns: `form_version.engine_schema_ref`, `submission.engine_submission_ref`. Provision via `POST /form-versions/:id/schema`; saves can still accept `engine_schema_ref` on `POST /form-versions/:id/save` when needed. See [In Detail — Form engine cross-references](#form-engine-cross-references).
 
 ### Auth plugins and responsibilities
 
@@ -237,7 +261,7 @@ Schema and queries live in TypeScript; migrations are SQL in `backend/drizzle/`.
 | `npx drizzle-kit generate` | `backend/`              | Generate a new migration from schema changes (writes SQL into `drizzle/`) |
 | `npx drizzle-kit studio`   | `backend/`              | Open Drizzle Studio (DB GUI); requires `DATABASE_URL`                     |
 
-Schema modules: `backend/src/core/db/schema/` (e.g. `core.ts`, `forms.ts`, `roles.ts`, `feature.ts`, `codes.ts`). After changing schema, run `drizzle-kit generate`, then `pnpm db:migrate` to apply.
+Schema modules: `backend/src/core/db/schema/` — `core.ts` (users, workspaces, IdPs, `idp_group`), `forms.ts` (forms, versions, submissions, revisions), `codes.ts`, `feature.ts`, `roles.ts`, `plugins.enterprise.ts`. Migrations live in `backend/drizzle/` (currently `0000`–`0005`). After changing schema, run `drizzle-kit generate`, then `pnpm db:migrate` to apply.
 
 ---
 
@@ -265,9 +289,10 @@ Tests live under `frontend/tests/`. See [In Detail — Testing](#testing).
 
 ### App structure and routing
 
-- **App Router:** `app/` holds layouts and pages; `app/layout.tsx` is the root (html/body, globals.css); `app/[lang]/layout.tsx` wraps locale routes with `DictionaryProvider`, `Header`, and main content. The home page is `app/[lang]/page.tsx`; locale is required (e.g. `/en`, `/fr`).
-- **Where code lives:** `app/` — pages, layouts, shared UI (`app/ui/`). `src/` — features (`src/features/`), shared API/config (`src/shared/`), app-level plugins and types (`src/app/`). `lib/` — Redux store, slices, hooks, runtime config loader. Path aliases: `@/lib`, `@/app`, `@/src`.
-- **Adding pages:** Add under `app/[lang]/` (e.g. `app/[lang]/forms/page.tsx`) or new segments; use the locale layout for nav and dictionary.
+- **App Router:** `app/layout.tsx` is the root (html/body, globals.css). `app/[lang]/layout.tsx` wraps locale routes with `DictionaryProvider`, `Header`, `SideNav`, `<main>`, and `Footer`. Locale is required (e.g. `/en`, `/fr`). Home (`app/[lang]/page.tsx`) redirects logged-in users to `/forms`.
+- **Key routes:** `/{lang}/designer` (design-mode), `/{lang}/forms` (form list), `/{lang}/form/{formId}` (submit/render), `/{lang}/submissions/...`, `/{lang}/meta` (meta-review).
+- **Where code lives:** `app/` — pages, layouts, shared UI (`app/ui/`). `src/features/` — feature UI (designer, submit-mode, formio-v5, workspaces, meta-review). `src/shared/` — API, config, feature flags. `src/app/` — plugin types and registry. `lib/` — Redux store, slices, hooks, runtime config. Path aliases: `@/lib`, `@/app`, `@/src`.
+- **Adding pages:** Add under `app/[lang]/`; use the locale layout for nav and dictionary.
 
 ### Runtime config and env
 
@@ -285,15 +310,15 @@ Tests live under `frontend/tests/`. See [In Detail — Testing](#testing).
 
 ### Redux store
 
-- **Slices:** `keycloak` (token, auth state), `currentUser` (data from /me, status), `notification` (toast state). Store is created with next-redux-wrapper so it’s available in App Router; use `useAppDispatch` / `useAppSelector` (typed). See [In Detail — Redux store shape (frontend)](#redux-store-shape-frontend).
+- **Slices:** `keycloak` (token, auth state), `currentUser` (data from /me, status), `workspace` (`workspaces`, `activeWorkspaceId`), `notification` (toast state). Store is created with next-redux-wrapper so it’s available in App Router; use `useAppDispatch` / `useAppSelector` (typed). Header loads workspaces and exposes a workspace switcher. See [In Detail — Redux store shape (frontend)](#redux-store-shape-frontend).
 
 ### API layer
 
-- **Location:** `src/shared/api/sobaApi.ts`. Functions use `getSobaApiBaseUrl()` (from runtime config cache or env fallback). Protected endpoints take the token and send `Authorization: Bearer ${token}`. Examples: `fetchHealth()`, `fetchWorkspaces(token)`, `fetchCurrentUser(token)`. See [In Detail — API layer (frontend)](#api-layer-frontend).
+- **Location:** `src/shared/api/sobaApi.ts` and `sobaApiForms.ts`. Functions use `getSobaApiBaseUrl()` (from runtime config cache or env fallback). Protected endpoints send `Authorization: Bearer ${token}` and, for form/submission calls, **`x-workspace-id`** from the active workspace. Examples: `fetchHealth()`, `fetchWorkspaces(token)`, `fetchCurrentUser(token)`, `getFormVersionSchema(token, ...)`. See [In Detail — API layer (frontend)](#api-layer-frontend).
 
-### Plugins and home sections
+### Plugins and navigation
 
-- **AppPlugin:** id, optional `featureCode`, order, getNavItem. The **registry** (`src/app/plugins/registry.ts`) lists plugins, filters with `createIsFeatureAllowed(meta)` from `src/shared/featureFlags/flags.ts`, and exposes `getNavigationItems(..., isFeatureAllowed)`. The workspaces plugin is the reference implementation (no `featureCode` — always on). See [In Detail — Plugins (frontend)](#plugins-frontend).
+- **AppPlugin:** id, optional `featureCode`, order, `getNavItem`, optional `showInHeaderNav`. The **registry** (`src/app/plugins/registry.ts`) registers: **workspaces** (always on), **designer** (`design-mode`), **submit-mode**, **meta-review** (`meta`). Plugins are filtered with `createIsFeatureAllowed(meta)`; `getHeaderNavigationItems` and `getOverlayNavigationItems` drive Header and SideNav. See [In Detail — Plugins (frontend)](#plugins-frontend).
 
 ### Feature flags
 
@@ -301,10 +326,10 @@ Tests live under `frontend/tests/`. See [In Detail — Testing](#testing).
 - **Per-frontend deployment:** **`NEXT_PUBLIC_SOBA_FEATURES_ALLOWED`** — comma-separated codes (same as meta, e.g. `workspaces`, `design-mode`, `submit-mode`, `marketing`), or **`*`** / **`all`** alone to allow every platform-allowed feature. **Empty/unset** = no codes allowed at the frontend layer (intersected with `platformAllowed`). Use a subset for submit-only or design-only Next.js images that share one API.
 - **`createIsFeatureAllowed(meta)`** returns `isFeatureAllowed(code)` = `platformAllowed && frontendAllowlist`. Constants: `FEATURE_CODES` in `src/shared/featureFlags/flags.ts`.
 
-### IDP groups
+### IDP groups and form visibility
 
-- **Concept:** `soba.identity_provider` holds discrete IdPs (e.g. `idir`, `azureidir`). `soba.idp_group` + `soba.idp_group_member` group them logically so business functions can treat several IdPs the same (e.g. `bcgov` = `idir` + `azureidir`). Seeded groups: `bcgov` (BC Government), `bceid` (BCeID), `bc-citizens` (BC Citizens). This is a reusable primitive for future pluggable Form Access.
-- **Resolution:** `idpGroupRepo.listGroupsForIdp(code)` returns the group codes an IdP belongs to. Form visibility matches a stored token when it equals the user's IdP code or one of the user's group codes.
+- **Concept:** `soba.identity_provider` holds discrete IdPs (seeded: `idir` inactive, `azureidir` active, `bceidbusiness` inactive). `soba.idp_group` + `soba.idp_group_member` group them logically: **`bcgov`** (`idir`, `azureidir`), **`bceid`** (`bceidbusiness`). Reusable for form access and public submissions.
+- **Form visibility:** `form_version.visibility` is a text array of allowed IdP or group codes. `idpGroupRepo.listGroupsForIdp(code)` resolves group membership. **`checkFormVisibility`** middleware enforces visibility on public submission routes; empty visibility falls back to workspace membership when authenticated.
 
 ### i18n / dictionaries
 
@@ -316,8 +341,9 @@ Tests live under `frontend/tests/`. See [In Detail — Testing](#testing).
 
 ### Forms
 
-- Form-related UI lives under `app/ui/forms/` (e.g. ShareForm for manage flows).
-- **Form.io v5 proxy (frontend):** Code under **`src/features/formio-v5/`**: proxy `fetch` helpers, Keycloak **`Formio.registerPlugin`** on **`@formio/js`**, **Submit** page lists forms (`GET /form`); **`/{lang}/forms/{formId}`** renders with **`FormioProvider`** + **`Form`** from **`@formio/react`** ([FormioProvider](https://github.com/formio/react?tab=readme-ov-file#formioprovider)). With `PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true`, the API mounts **`/api/v1/formio-v5`**. Use **Keycloak `Authorization: Bearer`** (`getFormioProxyBaseUrl()` = `getSobaApiBaseUrl() + '/formio-v5'`). The Express proxy is a **subset** of Form.io CE (`backend/src/plugins/formio-v5/formioV5Routes.ts`). **Renderer CSS:** avoid importing Form.io bundled CSS globally with Turbopack; load next to `<Form />` or use a CDN when needed.
+- **Designer** (`src/features/designer/`, `design-mode`): form list and builder at `/{lang}/designer`; provisions schema via `POST /form-versions/:id/schema`, loads schema via `GET /form-versions/:id/schema`.
+- **Submit** (`src/features/submit-mode/`, `submit-mode`): form list at `/{lang}/forms`; render at `/{lang}/form/{formId}` via **`src/features/formio-v5/`** (`FormioProvider` + `DynamicForm` from `@formio/react`). **The browser does not call Form.io** — schema and submissions go through the SOBA API only.
+- **Renderer CSS:** static copies under `public/formio-v5/`; `useFormioV5FormChrome` loads them next to `<Form />` (avoid global Form.io CSS imports with Turbopack).
 
 ### Testing
 
@@ -354,18 +380,20 @@ Optional deeper dives for onboarding: plugin/feature configuration, auth flow, f
 
 ### Form engine cross-references
 
-Form data spans two systems: domain metadata and draft state in **PostgreSQL**, and the form definition plus submission payloads in the **form engine** (e.g. Form.io/Mongo). We keep a reference to the engine record on each domain row so the two systems can be matched:
+Form data spans two systems: domain metadata in **PostgreSQL**, and form definitions plus submission payloads in the **form engine** (Form.io/Mongo). Cross-reference columns:
+
+- **form_version.engine_schema_ref** — engine reference for the form schema (e.g. Form.io form id/path).
+- **submission.engine_submission_ref** — engine reference for a submission document.
 
-- **form_version.engine_schema_ref** — the form engine's reference for the form schema (e.g. Form.io form id/path), used to render or submit against it.
-- **submission.engine_submission_ref** — the form engine's reference for a submission record.
+**Provisioning (server-side):** `FormVersionService.provision()` calls the adapter to create/update the schema in Form.io, sets `engine_schema_ref`, and tracks `engine_sync_status` (`provisioning` → `ready` or `error`). Exposed as `POST /form-versions/:id/schema`; read back via `GET /form-versions/:id/schema`. The designer UI sends schema JSON to this endpoint — browsers never talk to Form.io directly.
 
-The client creates/updates the resource in the form engine directly (the formio-v5 proxy, mounted when `PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true`), then sends the returned id to the SOBA save endpoint (`POST /form-versions/{id}/save` with `engine_schema_ref`), which stores it on the `form_version` row. `engine_sync_status` records the sync state for the row.
+**Submissions (server-side):** `SubmissionService.save()` calls `adapter.createSubmission()`, then `appendSubmissionRevision()` stores the new `engine_submission_ref`. Payload reads use `GET /submissions/:id/data`.
 
-The Form.io CE client (`backend/src/plugins/formio-v5/formioV5Client.ts`) automatically re-logs in and retries once on **HTTP 440** when the request used the server **admin** JWT only; if the Formio proxy forwarded an end-user **`x-jwt-token`**, 440 is not auto-retried and that session must be refreshed.
+The Form.io admin client (`backend/src/plugins/formio-v5/formioV5Client.ts`) automatically re-logs in and retries once on **HTTP 440** when the admin JWT expires.
 
 ### Configuration of plugins and features
 
-- **Plugin discovery:** Plugins live under `backend/src/plugins/<pluginDir>/`. Each plugin module can export one or more of: `workspacePluginDefinition`, `formEnginePluginDefinition`, `pluginApiDefinition`, `idpPluginDefinition`, `cachePluginDefinition`, `messageBusPluginDefinition`. The registry validates with Zod and builds caches at startup.
+- **Plugin discovery:** Plugins live under `backend/src/plugins/<pluginDir>/`. Each plugin module can export one or more of: `workspacePluginDefinition`, `formEnginePluginDefinition`, `pluginApiDefinition`, `idpPluginDefinition`, `cachePluginDefinition`, `messagebusPluginDefinition`. The registry validates with Zod and builds caches at startup.
 - **Which plugins run:** Workspace resolvers: `WORKSPACE_PLUGINS_ALLOWED` (comma-separated codes). IdP: `IDP_PLUGINS` (comma-separated; default from `IDP_PLUGIN_DEFAULT_CODE`). Cache / message bus: `CACHE_DEFAULT_CODE`, `MESSAGEBUS_DEFAULT_CODE`. Form engine: `FORM_ENGINE_DEFAULT_CODE`. Only plugins that are both discovered and listed in the relevant env are used. For auth, Passport uses the ordered IdP plugin list as its provider chain and stops at the first successful plugin. `WORKSPACE_PLUGINS_STRICT_MODE=true` fails startup if any enabled workspace plugin is missing.
 - **Plugin config:** Each plugin gets a `PluginConfigReader` built from env with a prefix. Prefix is `PLUGIN_<NORMALIZED_CODE>_` (e.g. `PLUGIN_FORMIO_V5_API_BASE_URL`). The reader exposes `getRequired`, `getOptional`, `getBoolean`, `getNumber`, `getCsv`. Use `.env.example` and `.env.local` for secrets; document keys in examples only.
 - **Features (DB):** The `soba.feature` and `soba.feature_status` tables are seeded via `pnpm db:seed`. Feature status (e.g. `enabled`/`disabled`) drives feature-flag behaviour. Roles and code tables support `source` and (for roles) `feature_code` so features can add codes and roles; see [Enable/Disable features, add codes + roles](#enabledisable-features-add-codes--roles-for-feature).
@@ -395,8 +423,8 @@ Auth-related env: `IDP_PLUGINS`, `IDP_PLUGIN_DEFAULT_*`, and per-IdP `PLUGIN_<ID
 ### App structure (frontend)
 
 - **Root layout** (`app/layout.tsx`): Minimal — html/body, globals.css. No providers here so the tree stays simple.
-- **Locale layout** (`app/[lang]/layout.tsx`): Wraps all `[lang]` routes. Loads dictionary server-side with `getDictionary(lang)`, provides `DictionaryProvider`, renders `Header` and `<main>{children}</main>`. All locale-aware pages live under `app/[lang]/`.
-- **Folders:** `app/ui/` — shared presentational components (Header, forms, base). `lib/` — Redux store, slices, hooks, Keycloak init, runtime config loader (used by client components). `src/features/` — feature UI (e.g. workspaces list). `src/shared/` — API client, config, feature flags. `src/app/` — plugin types and registry. Use `@/lib`, `@/app`, `@/src` for imports.
+- **Locale layout** (`app/[lang]/layout.tsx`): Wraps all `[lang]` routes. Loads dictionary and features meta server-side, provides `DictionaryProvider`, renders `Header`, `SideNav`, `<main>{children}</main>`, and `Footer`. SideNav shows home (when `marketing` allowed) and app links (when `design-mode` or `submit-mode` allowed).
+- **Folders:** `app/ui/` — shared UI (Header, SideNav, Footer, forms). `lib/` — Redux store, slices, hooks, Keycloak init, runtime config. `src/features/` — designer, submit-mode, formio-v5, workspaces, meta-review. `src/shared/` — API client, config, feature flags. `src/app/` — plugin types and registry. Use `@/lib`, `@/app`, `@/src` for imports.
 
 ### Runtime config (frontend)
 
@@ -407,7 +435,7 @@ Auth-related env: `IDP_PLUGINS`, `IDP_PLUGIN_DEFAULT_*`, and per-IdP `PLUGIN_<ID
 
 1. **Page load** — A client component (e.g. Header) mounts and dispatches `initKeycloak()`. That thunk calls `loadFrontendRuntimeConfig()`, then creates Keycloak and runs `kc.init({ onLoad: 'check-sso', ... })`. No redirect if session exists; token and authenticated state are stored in Redux.
 2. **Login** — User clicks login; dispatch `login()` which calls `kc.login()`. Keycloak redirects to IdP and back; on return, token is available and Redux is updated.
-3. **After authenticated** — Header (or similar) sees `authenticated && token`, dispatches `loadCurrentUser(token)` to fill the currentUser slice, and shows display name and logout.
+3. **After authenticated** — Header sees `authenticated && token`, dispatches `loadCurrentUser(token)` and `loadWorkspaces(token)`, and shows display name, workspace switcher, and logout.
 4. **Logout** — Dispatch `clearCurrentUser()` then `logout()`; Keycloak clears session and optionally redirects.
 
 ### Current user flow (frontend)
@@ -420,17 +448,19 @@ Auth-related env: `IDP_PLUGINS`, `IDP_PLUGIN_DEFAULT_*`, and per-IdP `PLUGIN_<ID
 
 - **keycloak:** token (string | undefined), idTokenParsed, authenticated (boolean), initializing, error. Keycloak instance is not in state (non-serializable); it’s held in a module variable and accessed via getKeycloakInstance().
 - **currentUser:** data (CurrentUserResponse | null), status (idle | loading | succeeded | failed), error, lastToken. Cleared on logout; set by loadCurrentUser.fulfilled.
+- **workspace:** workspaces (WorkspaceItem[]), activeWorkspaceId, status, error. Loaded after auth; auto-selects personal workspace when none active. Cleared on logout via `clearWorkspaceState`.
 - **notification:** Toast/notification state (used by useNotificationStore and NotificationToast). Use useAppDispatch / useAppSelector with RootState for typing.
 
 ### API layer (frontend)
 
 - **Base URL:** From `getSobaApiBaseUrl()` in `src/shared/config/runtimeConfig.ts` (cached config or `NEXT_PUBLIC_SOBA_API_BASE_URL`).
-- **Pattern:** Protected calls take the token and set `Authorization: Bearer ${token}`. Use fetch with cache: 'no-store' for dynamic data. Types for responses live in sobaApi.ts (e.g. WorkspacesResponse, CurrentUserResponse). Add new endpoints as functions that call getSobaApiBaseUrl() and pass the token where required.
+- **Pattern:** Protected calls set `Authorization: Bearer ${token}`. Form/submission helpers in `sobaApiForms.ts` also send **`x-workspace-id`** when a workspace is selected. Use fetch with cache: 'no-store' for dynamic data. Types for responses live in sobaApi.ts / sobaApiForms.ts.
 
 ### Plugins (frontend)
 
-- **Adding a plugin:** (1) Optionally add a row to `soba.feature` if the surface is platform-gated; use a stable `code` and reference it as `featureCode` on the plugin when the plugin should hide when that feature is not allowed. Omit `featureCode` for always-on shell (e.g. workspaces). (2) Create a feature folder under `src/features/<name>/` with a component for the home section and a `plugin.tsx` that exports an `AppPlugin`: id, optional featureCode, order, getNavItem. (3) Register the plugin in `src/app/plugins/registry.ts`. Nav and home sections include it when `isFeatureAllowed(featureCode)` is true (or when `featureCode` is omitted).
-- **getNavItem** returns { id, href, label } for the Header nav; href typically includes locale (e.g. `/${locale}/`).
+- **Registered plugins:** workspaces (no `featureCode`), designer (`design-mode`), submit-mode, meta-review (`meta`). Marketing is a feature flag only (SideNav home link), not a separate plugin.
+- **Adding a plugin:** (1) Optionally add a row to `soba.feature` if platform-gated; set `featureCode` on the plugin. Omit for always-on shell (e.g. workspaces). (2) Create `src/features/<name>/plugin.tsx` exporting `AppPlugin`: id, optional featureCode, order, getNavItem, optional showInHeaderNav. (3) Register in `src/app/plugins/registry.ts`.
+- **getNavItem** returns { id, href, label }; href includes locale (e.g. `/${locale}/designer`).
 
 ### Testing
 
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..a5a26e8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,46 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the SOBA project.
+
+- [Supported Versions](#supported-versions)
+- [Reporting a Vulnerability](#reporting-a-vulnerability)
+- [Disclosure Policy](#disclosure-policy)
+- [Comments on this Policy](#comments-on-this-policy)
+
+## Supported Versions
+
+At this time, only the latest version of SOBA is supported.
+
+## Reporting a Vulnerability
+
+The SOBA team and community take all security bugs in SOBA seriously.
+Thank you for improving the security of SOBA. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by sending an email to <submit.digital@gov.bc.ca>.
+
+The team will acknowledge your email within 48 hours, and will send a more
+detailed response within 48 hours indicating the next steps in handling your
+report. After the initial reply to your report, the team will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+- Confirm the problem and determine the affected versions.
+- Audit code to find any potential similar problems.
+- Prepare fixes for all releases still under maintenance. These fixes will be
+  released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

From 950e605086c971e1b1890f5b44f8d45930c2d87e Mon Sep 17 00:00:00 2001
From: usingtechnology <39388115+usingtechnology@users.noreply.github.com>
Date: Thu, 11 Jun 2026 11:51:42 -0700
Subject: [PATCH 2/2] Delete DEVELOPER_GETTING_STARTED.md

---
 DEVELOPER_GETTING_STARTED.md | 677 -----------------------------------
 1 file changed, 677 deletions(-)
 delete mode 100644 DEVELOPER_GETTING_STARTED.md

diff --git a/DEVELOPER_GETTING_STARTED.md b/DEVELOPER_GETTING_STARTED.md
deleted file mode 100644
index 5986775..0000000
--- a/DEVELOPER_GETTING_STARTED.md
+++ /dev/null
@@ -1,677 +0,0 @@
-# Developer Getting Started
-
-For developers joining the project. Read [DEVELOPER.md](./DEVELOPER.md) first.
-
-## State of the union: March 9 2026...
-
-We map what’s built and working, what exists but isn’t wired up, and what’s schema or placeholder only. Treat the codebase as a starting point: if you see a simpler or more scalable approach that keeps flexibility, we want to hear it.
-
-This doc isn’t complete. I may have missed things or misstated how ideas, code, or files work — I was trying a lot of approaches and iterating. If something doesn’t match what you see in the repo, the code is probably right and flag the doc. Or simply raise it and we will figure it out together!
-
----
-
-## Table of Contents
-
-1. [Stack checklist for adding code](#stack-checklist-for-adding-code)
-2. [Environment Variables](#environment-variables)
-3. [Database](#database)
-4. [Auth](#auth)
-5. [Workspace](#workspace)
-6. [Project Structure](#project-structure)
-7. [Backend](#backend)
-   - [Request Pipeline](#request-pipeline)
-   - [Plugin Architecture](#plugin-architecture)
-   - [Features](#features)
-   - [Meta API](#meta-api)
-   - [Form Engine](#form-engine)
-   - [Cache](#cache)
-   - [Message Bus](#message-bus)
-   - [API Overview](#api-overview)
-   - [Forms and Submissions](#forms-and-submissions)
-8. [Error Handling](#error-handling)
-9. [Logging](#logging)
-10. [Rate Limiting](#rate-limiting)
-11. [Testing](#testing)
-12. [Frontend](#frontend)
-13. [Discussion Points](#discussion-points)
-
----
-
-# Stack checklist for adding code
-
-When estimating or implementing a new piece of functionality, use this as a map of what you’ll touch. Before diving into the stack, have a **design-time discussion** about where the new code belongs.
-
-## Design-time: core, plugin, or feature?
-
-- **Core** — Behaviour that every deployment needs and that lives in `backend/src/core/` (or the frontend equivalent). Examples: workspace resolution, auth, forms/submissions domain.
-- **Plugin** — Swappable or extensible behaviour: workspace resolvers, IdP, form engine, cache, message bus, or an optional REST API mounted under `/api/v1`. Lives in `backend/src/plugins/<name>/`; selected and configured via env. Use when the capability might be replaced (e.g. different IdP or form engine) or when it’s optional and self-contained.
-- **Feature** — Optional capability toggled per deployment via `soba.feature` (status `enabled`/`disabled`). Can add its own codes and roles with `source = 'feature'` and `feature_code`. Use when the capability is optional but not a full plugin (e.g. a new workflow or UI area that can be turned off without changing resolvers or engines).
-
-Deciding core vs plugin vs feature affects where code lives, how it’s configured, and whether you add env, feature rows, or plugin exports. See [Plugin Architecture](#plugin-architecture) and [Features](#features) for details.
-
-## Stack checklist (typical new API + UI)
-
-Use this when scoping or estimating. Not every item applies to every change.
-
-| Layer                  | What you’ll typically touch                                                                                                                                                                                                                                                                                                                                                                                      |
-| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Backend**            | Zod schema(s) for request/response → `validateRequest` → controller → API service → domain service → repo. Optionally: new or changed tables → schema in `backend/src/core/db/schema/` → `drizzle-kit generate` → migration → `db:migrate` (and seed if adding codes/roles). If the flow spans Postgres and the form engine: the client provisions the engine resource and passes its reference (`engine_schema_ref`) to the save endpoint. |
-| **Route registration** | Add or extend a router; ensure it’s mounted in the app (e.g. `app.ts`) with the right auth and context middleware.                                                                                                                                                                                                                                                                                               |
-| **Frontend**           | Page under `app/[lang]/` (locale layout, dictionary keys if needed); components (e.g. under `app/ui/` or `src/features/`); API client in `src/shared/api/sobaApi.ts` (token, types); Redux slice/thunk if you need client state; nav item if the plugin exposes `getNavItem`.                                                                                                                                    |
-| **Testids**            | Add `data-testid` to new interactive elements, landmarks, lists, and status/state so integration tests can target them (see [DEVELOPER.md](./DEVELOPER.md) — Integration).                                                                                                                                                                                                                                       |
-| **Tests**              | Backend: unit tests for new logic (e.g. services, helpers); optionally a small Supertest for a new route. Frontend: Vitest for new slices or utilities. Integration: Playwright if you add a new flow; requires the testids above.                                                                                                                                                                               |
-| **Config / env**       | New env vars → document in `.env.example`, use in core via `env.ts` or in plugins via `PluginConfigReader`; if deployed via Helm, update charts to match.                                                                                                                                                                                                                                                        |
-| **PR readiness**       | `pnpm check` (type-check + lint), tests passing, before requesting review.                                                                                                                                                                                                                                                                                                                                       |
-
----
-
-# Environment Variables
-
-> **Pipeline / CICD:** The current [helm charts](https://github.com/bcgov/helm-charts/tree/master/charts/soba) don’t match this env set. We need to sync them.
-
-### Loading
-
-The backend uses `dotenv` to load env in a specific order (last wins):
-
-1. `backend/.env` — base config (kept in sync with `.env.example` on each container start)
-2. `backend/.env.local` — local overrides and secrets (created once, never overwritten by tooling)
-
-`loadEnv()` in `backend/src/core/config/env.ts` runs once on import. In tests you can pass a fake env into `createEnvReader()` so tests don’t depend on the real environment.
-
-### Core env reader
-
-Use the `env` object in `env.ts` for all core config; don’t read `process.env` directly. It gives you typed accessors (`getRequiredEnv`, `getOptionalEnv`, `getBooleanEnv`, etc.) and named helpers like `env.getDatabaseUrl()`. Auth vars live in `authEnv.ts`.
-
-### Plugin and feature config
-
-Plugins use a `PluginConfigReader` from `createPluginConfigReader(pluginCode)`. Env keys are namespaced as `PLUGIN_<NORMALIZED_CODE>_` (e.g. `formio-v5` → `PLUGIN_FORMIO_V5_<KEY>`). Same typed accessors as core. Core never reads plugin-specific env; each plugin owns its config.
-
----
-
-# Database
-
-PostgreSQL via **Drizzle ORM**. All tables live in the `soba` Postgres schema (never `public`). Schema is defined in TypeScript; migrations are generated SQL files in `backend/drizzle/`.
-
-## Schema modules
-
-Each file in `backend/src/core/db/schema/` owns a slice of the schema:
-
-| File                    | Tables                                                                                                                                               |
-| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `core.ts`               | `identity_provider`, `app_user`, `user_identity`, `workspace`, `workspace_membership`, `workspace_group`, `workspace_group_membership`, `soba_admin` |
-| `forms.ts`              | `form`, `form_version`, `form_version_revision`                                                                                                      |
-| `roles.ts`              | `role`, `role_status`                                                                                                                                |
-| `codes.ts`              | `form_status`, `form_version_state`, `workspace_membership_role`, `workspace_membership_status`                                                      |
-| `feature.ts`            | `feature`, `feature_status`                                                                                                                          |
-| `plugins.enterprise.ts` | Enterprise-specific tables (e.g. ministry/group bindings)                                                                                            |
-
-## Helpers
-
-**`audit.ts`** — Three reusable column factories spread into table definitions:
-
-- `idColumn()` — UUID primary key with UUIDv7 default
-- `auditColumns()` — `created_at`, `updated_at`, `created_by`, `updated_by`
-- `softDeleteColumns()` — `deleted_at`, `deleted_by` (opt-in, not on every table)
-
-**`codes.ts`** — Code/lookup tables use the same `codeColumns()` shape: `(code, source)` PK, `display`, `sort_order`, `is_active`. `source` is `'core'` or a feature code so features can add rows without touching core.
-
-**`codes/index.ts`** — All code string constants live here (`Roles`, `WorkspaceMembershipRole`, etc.). Import from here; don’t use raw strings in app logic.
-
-## Repos
-
-Each repo (`backend/src/core/db/repos/`) owns queries for one domain. Key functions:
-
-| Repo              | Key functions                                                                                                                                                        |
-| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `membershipRepo`  | `findOrCreateUserByIdentity`, `actorBelongsToWorkspace`, `getWorkspaceForUser`, `listWorkspacesForUser`, `listMembersForWorkspace`, `invalidateMembershipCache`      |
-| `workspaceRepo`   | `ensureHomeWorkspace`, `getWorkspaceOwnersGroup`, `canManageWorkspaceOwners`                                                                                         |
-| `formRepo`        | `createForm`, `getFormById`, `listFormsForWorkspace`, `updateForm`, `markFormDeleted`, `getFormEngineCodeForForm`                                                    |
-| `formVersionRepo` | `createEmptyFormVersionDraft`, `getFormVersionById`, `listFormVersionsForWorkspace`, `updateFormVersionDraft`, `appendFormVersionRevision`, `markFormVersionDeleted` |
-| `submissionRepo`  | `createEmptySubmission`, `getSubmissionById`, `listSubmissionsForWorkspace`, `updateSubmissionDraft`, `appendSubmissionRevision`, `markSubmissionDeleted`            |
-| `sobaAdminRepo`   | `isSobaAdmin`, `upsertSobaAdminFromIdp`, `addDirectSobaAdmin`, `removeDirectSobaAdmin`, `listSobaAdmins`                                                             |
-| `roleRepo`        | `listRoles`, `getRoleByCode`                                                                                                                                         |
-| `featureRepo`     | `listFeatures`, `getFeatureByCode`, `isFeatureEnabled`                                                                                                               |
-| `appUserRepo`     | `findAppUserById`, `findUserIdByEmail`                                                                                                                               |
-| `identityLookup`  | `findUserIdByIdentity`                                                                                                                                               |
-
-Repos are plain async functions (no classes, no active record). They take typed inputs and return rows; the service layer does the orchestration.
-
-> **Pagination:** The cursor helpers (`encode/decode`, `buildNextCursor`, `resolveCursorMode`) are implemented and tested in `pagination.test.ts`; all five list repos use them. The actual paginated SQL in the repos (the `lt(id, ...)` / `lt(updatedAt, ...)` conditions) has no tests — that needs a real DB. Before we rely on list endpoints, validate cursor behaviour (first page, next page, boundaries) via integration tests or a manual pass.
-
-## Codes — seeded vs. active in logic
-
-Code constants live in `backend/src/core/db/codes/index.ts` and are seeded with `pnpm db:seed`. The table below shows which ones the app actually uses in logic.
-
-| Constant                    | Codes                                               | Seeded         | Active in logic                                                                                                                                 |
-| --------------------------- | --------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| `Roles`                     | `workspace_owner`, `form_owner`                     | Yes            | `workspace_owner` — used in group creation and `canManageWorkspaceOwners`; `form_owner` — seeded only                                           |
-| `RoleStatus`                | `active`, `deprecated`                              | Yes            | `active` — used when seeding and filtering roles                                                                                                |
-| `WorkspaceMembershipRole`   | `owner`, `admin`, `member`, `viewer`                | Yes            | `owner` — set on auto-home workspace creation and filtered in membership queries; `admin` / `member` / `viewer` — seeded only, **under review** |
-| `WorkspaceMembershipStatus` | `active`, `inactive`, `pending`                     | Yes            | `active` — filtered on in every membership query; `inactive` / `pending` — seeded only, no flow sets them                                       |
-| `WorkspaceMembershipSource` | `auto_home`                                         | No (code only) | Used in `ensureHomeWorkspace` to tag and identify auto-created memberships                                                                      |
-| `FormStatus`                | `active`, `archived`, `deleted`                     | Yes            | `active` on create; `deleted` on soft-delete; `archived` — seeded only                                                                          |
-| `FormVersionState`          | `draft`, `published`, `deleted`                     | Yes            | `draft` on create; `published` on publish; `deleted` on soft-delete                                                                             |
-| `FeatureStatus`             | `enabled`, `disabled`, `experimental`, `deprecated` | Yes            | `enabled` — checked by `isFeatureEnabled()`; others seeded and available but only `enabled` triggers active behaviour                           |
-
-**Features seeded** (in `soba.feature`): `form-versions` (enabled), `submissions` (enabled), `meta` (enabled). These are the only feature rows; no feature-specific roles or code extensions exist yet.
-
-**System user:** The seed also creates a `system` IdP and a `SOBA System` app user (`SOBA_SYSTEM_SUBJECT`). We use it for audit stamps when there’s no human actor.
-
-> **Important:** Roles and codes are placeholders. We need a proper catalog before building enforcement. See [Discussion Points — Roles and codes catalog](#roles-and-codes-catalog).
-
----
-
-# Auth
-
-## Admin
-
-SOBA admins are platform-wide. You can get there two ways:
-
-- **IdP-granted:** The IdP’s claim mapper returns `sobaAdmin: true`. For `idp-bcgov-sso` that means the `soba_admin` Keycloak role (in `realm_access.roles`, `roles`, or `client_roles`). We upsert the `soba_admin` row on every login and revoke it when the IdP stops reporting the role.
-- **Direct grant:** An existing SOBA admin adds you via `POST /api/v1/admin`. That grant sticks even if the IdP revokes the role; it’s only removed with `DELETE /api/v1/admin/:userId`.
-
-The `soba_admin` table stores the source (`idp` or `direct`). `/api/v1/admin` is the only route group guarded by `requireSobaAdmin`.
-
-## Sign in and Context
-
-### Done
-
-Protected routes go through three steps:
-
-1. **`checkJwt()`** — Passport-backed auth entry point. It calls `passport.authenticate(..., { session: false })`, and the composite Passport strategy tries each IdP plugin in `IDP_PLUGINS` order until one succeeds. The winning plugin sets `req.idpPluginCode` and `req.authPayload`; otherwise the request gets a 401. `session: false` is intentional because the API is bearer-token based, stays stateless, scales more easily across instances, and remains compatible with trying multiple IdP plugins in order.
-
-2. **`resolveActor`** — The winning IdP’s `claimMapper` turns claims into an internal actor. We call `findOrCreateUserByIdentity` (creates `app_user` on first login) and, if the mapper says `sobaAdmin`, upsert or revoke the `soba_admin` row. Sets `req.actorId` and `req.isSobaAdmin`. Passport is the auth entry point; IdP plugins still own provider-specific token validation and claim mapping.
-
-3. **`coreContextMiddleware`** — Workspace resolvers figure out which workspace the request is for. We check the actor has an active membership there (cached as `membership:{workspaceId}:{userId}`) and set `req.coreContext`.
-
-### Not Done
-
-- **No role-based authorization middleware** — `coreContext` confirms the actor is a workspace member, but no middleware or guard checks whether their membership role (`owner`, `admin`, `member`, `viewer`) permits the action being taken
-- **`canManageWorkspaceOwners`** exists in `workspaceRepo.ts` and works correctly, but is not called from any route handler yet
-- **Workspace membership roles are under review** — the four role codes (`owner`, `admin`, `member`, `viewer`) are seeded and defined, but the model may change before any enforcement logic is written. Do not build on top of these values until the role design is settled
-- No group-level authorization — group membership exists in the DB (via `workspace_group_membership`) but is not checked in any request path beyond the owner-group query in `workspaceRepo.ts`
-- **No API key or service-account access** — only human IdP JWTs work today. External systems and scripts can’t call the API. See [Discussion Points — API access for external clients](#api-access-for-external-clients).
-- **How workspace/tenant context is determined is undefined** — we don’t yet know how personal or enterprise resolvers will decide which workspace a request belongs to, or how the user’s selection is communicated. For personal-local we need to decide: does switching workspace set a cookie, a header, or do we mint a token? See [Discussion Points — Workspace / tenant context](#workspace-tenant-context).
-
----
-
-# Workspace
-
-A workspace is the tenancy boundary: forms, submissions, and members all belong to one. We resolve it on every protected request in `coreContextMiddleware` (see Auth).
-
-We have two resolver plugins, chosen via `WORKSPACE_PLUGINS_ALLOWED`:
-
-- **`personal-local`** — resolves a personal workspace for the actor; auto-creates it on first login via `ensureHomeWorkspace`
-- **`enterprise-cstar`** — resolves workspace from an enterprise context (e.g. a ministry or team); intended for multi-user shared workspaces
-
-### Done
-
-- Personal workspace auto-created on first login (workspace + membership + owners group + group membership, all in one step)
-- `GET /api/v1/workspaces` — list workspaces the actor belongs to, paginated, filterable by kind and status
-- `GET /api/v1/workspaces/current` — returns the workspace resolved for the current request
-- `GET /api/v1/members` — list members of the current workspace, filterable by role and status
-- Schema fully in place: `workspace`, `workspace_membership`, `workspace_group`, `workspace_group_membership`
-
-## Ownership
-
-Ownership is modelled with two complementary pieces:
-
-- **Membership role `owner`** — set on the `workspace_membership` row when a user is added as an owner
-- **Platform role `workspace_owner`** — assigned to a `workspace_group` named `'Workspace owners'`; membership in that group is what the authorization check (`canManageWorkspaceOwners`) actually queries
-
-Right now, first login runs `ensureHomeWorkspace` and every user gets a personal workspace and owner role with no gate.
-
-> **Important:** That’s a placeholder. We need a workspace-creation gate before production. See [Discussion Points — Workspace creation gate](#workspace-creation-gate).
-
-### Not Done
-
-- **Enterprise** (`enterprise-cstar`): plugin can resolve a workspace but member sync, group bindings (`external_group_id`), and IdP group mapping aren’t built.
-- No `POST /workspaces` or workspace management API.
-- No member management — no invite/add/update role/remove; invitation columns exist in schema but unused.
-- No group management API; we only auto-create the owners group.
-- `pending` and `inactive` membership statuses are seeded but no flow sets them.
-
----
-
-# Project Structure
-
-We use a **pnpm workspace** monorepo. In `pnpm-workspace.yaml` we declare two packages: `backend/` (Express, Drizzle, TypeScript) and `frontend/` (Next.js, React, Redux). The `integration/` app (Playwright e2e tests) sits at the repo root with its own `package.json` and isn’t in the workspace. No shared packages yet — no `@soba/shared`; types and constants aren’t shared between frontend and backend.
-
----
-
-# Backend
-
-## Request Pipeline
-
-Every domain route follows the same layered pattern:
-
-```
-route → validateRequest → controller → service → repo → DB
-```
-
-**`validateRequest(schemas)`** (`validation.ts`) — Validates `body`, `params`, and/or `query` with Zod. Fail → `400` and `{ error, details[] }`. Success → we overwrite `req.body` / `params` / `query` with the parsed values so handlers see typed data.
-
-**`asyncHandler(fn)`** (`asyncHandler.ts`) — Wraps async controllers so rejections go to `next(error)`. No try/catch in handlers; `coreErrorHandler` deals with everything.
-
-**Controller** — Pulls `req.coreContext`, calls the API service, returns the response. No business logic.
-
-**API service** (each domain has a `serviceFactory.ts`) — Calls domain services, maps rows to DTOs, does cursor encoding for lists. Created by a factory that gets the domain services it needs.
-
-**Domain service** (`backend/src/core/services/`) — Where the rules live: preconditions, repo coordination, form engine references. `FormService`, `FormVersionService`, `SubmissionService` own behaviour; repos are just data.
-
-**Repo** — Data access only (see [Repos](#repos)).
-
-Example route:
-
-```typescript
-router.post(
-  "/forms",
-  validateRequest({ body: CreateFormBodySchema }),
-  createForm,
-);
-```
-
-(`createForm` is just the controller wrapped in `asyncHandler`.)
-
-### Revision tables
-
-Form versions and submissions both use a **main row + revision table**: the main row holds current state; each save appends an immutable revision row with `revisionNo`, `eventType`, `changedBy`, `changeNote`, and before/after engine refs. So we get a full audit trail without overwriting. `POST /:id/save` appends a revision and bumps `currentRevisionNo` in one go. What should live in these tables once we have real content is still open — see [Discussion Points — Revision tables](#revision-tables--current-state-vs-history).
-
-## Plugin Architecture
-
-We use a plugin system for workspace resolution, auth, form engines, cache, message bus, and optional feature APIs so we can swap or extend without changing core. Same pattern everywhere: implement the interface, export the right constant from the plugin’s `index.ts`, and the registry picks it up.
-
-### Discovery and loading
-
-At startup, [`PluginRegistry.ts`](./backend/src/core/integrations/plugins/PluginRegistry.ts) scans every directory under `backend/src/plugins/`. For each directory it attempts a `require()` and inspects the exports for known named exports, validating each with Zod:
-
-| Export name                  | Plugin type                                        | Selected by env                                            |
-| ---------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
-| `workspacePluginDefinition`  | Workspace resolver                                 | `WORKSPACE_PLUGINS_ALLOWED` (comma-separated, ordered)     |
-| `idpPluginDefinition`        | Identity provider (JWT validation + claim mapping) | `IDP_PLUGINS` (comma-separated, ordered)                   |
-| `formEnginePluginDefinition` | Form engine adapter                                | `FORM_ENGINE_DEFAULT_CODE`                                 |
-| —                            | Form engine **routes** (optional proxy/API)        | `PLUGIN_<CODE>_ROUTES_ALLOWED=true` (per-engine, explicit) |
-| `cachePluginDefinition`      | Cache adapter                                      | `CACHE_DEFAULT_CODE`                                       |
-| `messagebusPluginDefinition` | Message bus adapter                                | `MESSAGEBUS_DEFAULT_CODE`                                  |
-| `pluginApiDefinition`        | Optional REST API mounted under `/api/v1`          | Enabled automatically when the workspace plugin is enabled |
-
-A single plugin directory can export more than one type — for example `personal-local` exports both a workspace resolver and a feature API.
-
-### Selection and priority
-
-- **Workspace resolvers** — all plugins listed in `WORKSPACE_PLUGINS_ALLOWED` are activated. They are sorted by `priority` and tried in order on each request; the first resolver that returns a workspace wins.
-- **IdP plugins** — Passport uses `IDP_PLUGINS` as the ordered provider chain; the first plugin that successfully validates the token and maps claims wins.
-- **Cache, message bus, form engine** — single active instance selected by code; the registry creates it lazily on first use.
-
-If `WORKSPACE_PLUGINS_STRICT_MODE=true`, startup fails if any enabled workspace plugin is not found. Otherwise a warning is logged.
-
-### Interfaces — the contract between core and plugins
-
-Each plugin type has a TypeScript interface (or definition type) that is the contract a plugin must satisfy. These all live under `backend/src/core/`:
-
-| Plugin type         | Interface file                                                                      |
-| ------------------- | ----------------------------------------------------------------------------------- |
-| Workspace resolver  | `integrations/workspace/WorkspaceResolver.ts`                                       |
-| IdP                 | `auth/IdpPlugin.ts`                                                                 |
-| Form engine adapter | `integrations/form-engine/FormEngineAdapter.ts` and `FormEnginePluginDefinition.ts` |
-| Cache adapter       | `integrations/cache/CacheAdapter.ts`                                                |
-| Message bus adapter | `integrations/messagebus/MessageBusAdapter.ts`                                      |
-| Feature API         | `integrations/plugins/FeatureApiDefinition.ts`                                      |
-
-To add a plugin: implement the interface, export the right constant from `index.ts`, and the registry picks it up.
-
-### Plugin config
-
-See [Environment Variables — Plugin and feature config](#plugin-and-feature-config). Each plugin receives a scoped `PluginConfigReader`; core never reads plugin-specific env.
-
-### Current plugins
-
-| Directory           | Normalized code prefix      | Types exported                  | Notes                                                                                                                  |
-| ------------------- | --------------------------- | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
-| `personal-local`    | `PLUGIN_PERSONAL_LOCAL_`    | Workspace resolver, Feature API | Personal workspace; auto-creates home workspace on first login                                                         |
-| `enterprise-cstar`  | `PLUGIN_ENTERPRISE_CSTAR_`  | Workspace resolver              | Enterprise/ministry workspace; group sync not yet implemented                                                          |
-| `idp-bcgov-sso`     | `PLUGIN_IDP_BCGOV_SSO_`     | IdP                             | BC Gov Keycloak SSO; maps `soba_admin` Keycloak role                                                                   |
-| `idp-github`        | `PLUGIN_IDP_GITHUB_`        | IdP                             | GitHub OAuth; alternative IdP                                                                                          |
-| `formio-v5`         | `PLUGIN_FORMIO_V5_`         | Form engine                     | Form.io CE; API client and proxy when `PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true` (proxy at `/api/v1/formio-v5`, protected) |
-| `cache-memory`      | `PLUGIN_CACHE_MEMORY_`      | Cache                           | In-process; default. Redis plugin not yet written                                                                      |
-| `messagebus-memory` | `PLUGIN_MESSAGEBUS_MEMORY_` | Message bus                     | In-process; default. Redis/NATS plugin not yet written                                                                 |
-
-## Features
-
-Features are optional capabilities toggled per deployment in `soba.feature`. Each row has `code`, `name`, `description`, `version`, and `status` (from `feature_status`: enabled, disabled, experimental, deprecated).
-
-### Done
-
-- `soba.feature` and `soba.feature_status` tables exist and are seeded
-- Core features seeded in `soba.feature` include `form-versions`, `submissions`, `meta`, `workspaces`, `design-mode`, `submit-mode`, `marketing` (all enabled by default in seed)
-- `featureRepo` exposes `listFeatures()`, `getFeatureByCode()`, and `isFeatureEnabled(status)`
-- `GET /api/v1/meta` returns all features and their status — this is the backend source of truth
-- Roles and code tables support `source = 'feature'` and `feature_code` so a feature can register its own roles and codes without touching core rows
-
-### Not Done
-
-- No route, service, or repo actually gates on features. We only call `isFeatureEnabled()` in the meta service and in `roleService` (for feature-linked roles).
-- Frontend loads `/meta/features` for **`platformAllowed`** and intersects with optional **`NEXT_PUBLIC_SOBA_FEATURES_ALLOWED`** per deployment — see [Frontend](#frontend).
-
-### Adding a feature
-
-1. Insert a row in `soba.feature` in `seed.ts` (unique `code`, `name`, `status`).
-2. Add feature-specific codes to the right code table with `source = '<feature_code>'`.
-3. Add feature-specific roles in `soba.role` with `source = 'feature'` and `feature_code`.
-4. In the service or middleware that implements the feature, call `getFeatureByCode(code)` and `isFeatureEnabled(row.status)` before doing the work.
-5. In the frontend, gate optional surfaces with `createIsFeatureAllowed(meta)` and a matching `featureCode` on the plugin (see `DEVELOPER.md` — Plugins).
-
-## Meta API
-
-All `/api/v1/meta` endpoints are **public** (no JWT). They’re the source of truth for config and reference data so the frontend and tools can bootstrap without hardcoding.
-
-| Endpoint                    | Returns                                                                                                                            | Query params                                               |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
-| `GET /meta/plugins`         | Discovered plugin catalog — **`allowedPluginCodes`** (from env), per-plugin `enabled` flag, workspace resolver / feature API flags | —                                                          |
-| `GET /meta/features`        | All feature rows from `soba.feature` with **`platformAllowed`** (from status)                                                      | —                                                          |
-| `GET /meta/form-engines`    | Installed form engine plugins with `isDefault` flag                                                                                | —                                                          |
-| `GET /meta/build`           | Build metadata — version, `gitSha`, `gitTag`, `imageTag`                                                                           | —                                                          |
-| `GET /meta/frontend-config` | Keycloak config (url, realm, clientId), API base URL, build name/version                                                           | —                                                          |
-| `GET /meta/codes`           | All code tables keyed by name (e.g. `form_status`, `workspace_membership_role`)                                                    | `code_set`, `source`, `is_active`, `only_enabled_features` |
-| `GET /meta/roles`           | All platform roles from `soba.role`                                                                                                | `code`, `source`, `status`, `only_enabled_features`        |
-
-The `/meta/codes` endpoint supports filtering to a specific code set (e.g. `?code_set=workspace_membership_role`) or multiple sets comma-separated. The `only_enabled_features=true` flag excludes codes and roles that belong to disabled features.
-
-> **TODO — Frontend:** Load and cache `/meta/codes`, `/meta/roles`, `/meta/form-engines` when needed. **`/meta/features`** is loaded for SSR (layout + home) alongside platform allowlist + `NEXT_PUBLIC_SOBA_FEATURES_ALLOWED`. Keycloak init still loads `/meta/frontend-config`. Keep `/api/v1/health` live (no cache) for liveness.
-
-## Form Engine
-
-Form.io CE runs as a sidecar. The frontend can talk to it via the **same-origin proxy** when form-engine routes are enabled.
-
-### Form-engine routes (optional)
-
-Form engine plugins can optionally expose HTTP routes (e.g. a Form.io CE proxy) by defining **`routeBasePath`** and **`createRouter(config)`** on the plugin definition. Routes are **only mounted** when the plugin’s config sets **`PLUGIN_<CODE>_ROUTES_ALLOWED=true`** (explicit per-engine; not tied to workspace enablement). The path can be static or a function of config (e.g. `PROXY_PATH`). See `getFormEngineRouteDefinitions()` in `PluginRegistry.ts`.
-
-### formio-v5 proxy
-
-When **`PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true`**, the formio-v5 plugin mounts a Form.io CE API proxy at **`/api/v1/formio-v5`** (path from **`PLUGIN_FORMIO_V5_PROXY_PATH`**, default `/formio-v5`, prefixed with `/api/v1`). The route is **protected**: it uses the same auth as the rest of the v1 API (`checkJwt()`, `resolveActor`), so the client must send a valid app JWT in `Authorization: Bearer`. The proxy forwards requests to the Form.io CE server (using `ADMIN_API_URL`) and optionally passes through **`x-jwt-token`** from the client; otherwise it uses the server-side admin client. This gives the frontend a same-origin base URL for `FormioProvider` (e.g. `baseUrl: '/api/v1/formio-v5'`). All options (base URL, admin credentials) come from plugin config (`PLUGIN_FORMIO_V5_*`); there is no URL logging. Readiness checks stay on the adapter (`readinessCheck()`); readiness is reported via existing `/api/v1/health/ready`.
-
-### Done
-
-- `formio-v5` plugin is wired in and selected via `FORM_ENGINE_DEFAULT_CODE`
-- Form.io CE API client and proxy in `formio-v5`; mount with `PLUGIN_FORMIO_V5_ROUTES_ALLOWED=true`
-
-### Not Done
-
-- Form field conventions not decided (title, tags, etc.) — worth exploring Formio tags as a way to associate forms with a Workspace (tenancy)
-
-## Cache
-
-Same adapter pattern as other plugins (`CACHE_DEFAULT_CODE`).
-
-### Done
-
-- `CacheAdapter` interface: `get`, `set`, `delete`, `getOrSet`
-- `cache-memory` plugin active by default
-- One cache key in use: `membership:{workspaceId}:{userId}` — avoids repeated DB lookups per request, invalidated on membership changes
-
-### Not Done
-
-- No Redis implementation yet — expected production backend
-- Only one cache key exists; more will be needed as the app grows
-
-## Message Bus
-
-Same adapter pattern (`MESSAGEBUS_DEFAULT_CODE`).
-
-### Done
-
-- `MessageBusAdapter` interface: `publish`, optional `subscribe`
-- `messagebus-memory` plugin active by default
-
-### Not Done
-
-- No Redis or NATS implementation yet (NATS preferred for pub/sub at scale)
-- `publish` is not called anywhere in core — in place for when async flows need to fan out events
-- No events or message contracts defined
-
-## API Overview
-
-Backend runs on port 4000. Routes live under `/api/`. Per-route-group middleware:
-
-| Route group                           | Auth                                                  | Rate limit | Notes                                         |
-| ------------------------------------- | ----------------------------------------------------- | ---------- | --------------------------------------------- |
-| `/api/docs`, `/api/docs/openapi.json` | None                                                  | Public     | Swagger UI and raw OpenAPI JSON spec          |
-| `/api/v1/health`                      | None                                                  | Public     | Liveness and readiness                        |
-| `/api/v1/meta/*`                      | None                                                  | Public     | See [Meta API](#meta-api)                     |
-| `/api/v1/*` (core)                    | `checkJwt` → `resolveActor` → `coreContextMiddleware` | API        | All domain routes; workspace context required |
-| `/api/v1/admin/*`                     | `checkJwt` → `resolveActor` → `requireSobaAdmin`      | API        | Platform admin only; no workspace context     |
-
-Core domain routes (all under `/api/v1`, all protected):
-
-| Path                                 | Domain                       |
-| ------------------------------------ | ---------------------------- |
-| `/workspaces`, `/workspaces/current` | Workspace list and current   |
-| `/me`                                | Current actor profile        |
-| `/members`                           | Workspace member list        |
-| `/forms`, `/form-versions`           | Forms and form versions CRUD |
-| `/submissions`                       | Submissions CRUD             |
-
-**OpenAPI / Swagger:** We generate the spec at runtime from Zod with `@asteasolutions/zod-to-openapi`. Each domain registers its routes. Spec at `/api/docs/openapi.json`, UI at `/api/docs`. Both public.
-
-**Health:** Under `/api/v1/health`, `GET /` is liveness (`{ status: 'OK', timestamp }`, no deps). `GET /ready` is readiness: we run `SELECT 1` and call `readinessCheck()` on every form engine adapter; 200 when all pass, 503 with per-component detail when something fails.
-
-**CORS:** All origins in dev; blocked in production. No allow-list yet.
-
-### Not Done
-
-- **No versioning strategy** — all routes are under `/api/v1` with no plan yet for how breaking changes would be handled
-- **No search/filter completeness** — all list endpoints are cursor-paginated, but filter coverage varies by resource. Additional filters will be needed as the UI matures
-- **Plugin feature APIs not mounted** — `pluginApiDefinition` allows plugins to expose their own routes under `/api/v1`, but `createPluginApiRouter()` is not called in `app.ts`; plugin APIs are defined but never registered
-- **CORS is all-or-nothing** — no fine-grained origin allow-list for production
-
-## Forms and Submissions
-
-> **Important:** The API below is a technical skeleton; we don’t have locked-down business requirements yet. See [Discussion Points — Forms and submissions](#forms-and-submissions--business-requirements).
-
-### What is wired through to Postgres
-
-All endpoints below are fully connected end-to-end through the service → repo chain to PostgreSQL. Every CRUD operation works at the DB level:
-
-| Resource      | Endpoints                                                                       | Notes                                                                                   |
-| ------------- | ------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
-| Forms         | `GET` (list), `POST`, `GET /:id`, `PATCH /:id`, `DELETE /:id`                   | List supports cursor pagination, `q` text filter, `status` filter; delete is soft       |
-| Form versions | `GET` (list), `POST`, `GET /:id`, `PATCH /:id`, `POST /:id/save`, `DELETE /:id` | List filters by `formId` and `state`; save appends a revision row                       |
-| Submissions   | `GET` (list), `POST`, `GET /:id`, `PATCH /:id`, `POST /:id/save`, `DELETE /:id` | List filters by `formId`, `formVersionId`, `workflowState`; save appends a revision row |
-
-### What is NOT wired — Form.io / Mongo
-
-**Server-side provisioning to Form.io / Mongo is not done.** The client creates the Form.io form directly (via the formio-v5 proxy) and passes the returned id to `POST /form-versions/{id}/save` as `engine_schema_ref`, which is stored on the `form_version` row. Submissions, however, do not yet populate `engine_submission_ref`, and there is no server-side reconciliation if the client and Postgres get out of sync.
-
-### Not Done
-
-- No dedicated publish flow; we can set state to `published` via PATCH but there’s no publish endpoint or rules (e.g. draft-only, one published version per form).
-- Submission revisions store metadata/notes, not form field values (those would come from Form.io).
-- No workflow rules for `workflowState`; no transitions or validations.
-- No per-form or per-submission access control; any workspace member can read/write/delete everything.
-
----
-
-# Error Handling
-
-We have a small error hierarchy in `backend/src/core/errors.ts` that maps to HTTP status codes. Use these everywhere; `coreErrorHandler` catches them:
-
-| Class             | Status | Default message           |
-| ----------------- | ------ | ------------------------- |
-| `ValidationError` | 400    | `'Validation failed'`     |
-| `ForbiddenError`  | 403    | `'Forbidden'`             |
-| `NotFoundError`   | 404    | `'Not found'`             |
-| `ConflictError`   | 409    | `'Conflict'`              |
-| `InternalError`   | 500    | `'Internal server error'` |
-
-All five extend `AppError`. Anything else becomes a 500 and gets logged. `AppError` responses are `{ error: string }`. Don’t throw raw `Error` for expected failures — use the subclasses so status and shape stay consistent.
-
----
-
-# Logging
-
-### Done
-
-- **Pino** in `backend/src/core/logging/logger.ts`. Use `log` — `log.info()`, `log.warn()`, etc. Level from `LOG_LEVEL` (default `debug` in dev, `info` in prod).
-- **HTTP:** `pino-http` logs every request (method, URL, status, duration). Level depends on status (4xx → warn, 5xx → error).
-- **Request ID:** `cls-rtracer` gives each request a UUID in async local storage. Every log line gets `requestId`; we send it back as `X-Request-Id` and honour an incoming `x-request-id`.
-- **Redaction:** `Authorization`, `Cookie`, `set-cookie` are redacted in logs.
-- **DB:** Drizzle’s `drizzleQueryLogger` logs SQL at `debug` with the request ID.
-- **Dev:** `pino-pretty` for readable, coloured one-liners.
-
-### Not Done
-
-- No log shipping or aggregation (OpenShift, Splunk, etc.) — that’s ops/deployment.
-- No frontend logging — we don’t capture or ship client errors.
-
----
-
-# Rate Limiting
-
-We use three `express-rate-limit` limiters, each tunable by env:
-
-| Limiter           | Default window | Default max | Applied to                            |
-| ----------------- | -------------- | ----------- | ------------------------------------- |
-| `globalRateLimit` | 60s            | 100         | Every request                         |
-| `apiRateLimit`    | 60s            | 60          | Authenticated / mutating API routes   |
-| `publicRateLimit` | 60s            | 200         | Public endpoints (health, meta, docs) |
-
-They return standard `RateLimit-*` headers. Limits are in-process only; for multiple replicas we’d need something like Redis.
-
----
-
-# Testing
-
-### Backend — Jest
-
-Tests live in `backend/tests/` (same shape as `src/`). Right now we have:
-
-- `env`, `pluginConfig`, `workspacePlugins` — config reader and env parsing
-- `jwtClaims` — IdP claim mapping and profile helpers
-- `validation`, `schema`, `pagination` — shared API middleware and helpers
-- `errors`, `errorHandler` — error class and HTTP response mapping
-- `cacheKeys` — integration utility tests
-
-A few route-level tests use Supertest (e.g. validation, error handler): they spin up a minimal Express app and assert status + shape without the full server.
-
-Rules:
-
-- Test outcomes, not side effects — do not test that a write is made to the error log to indicate a successful test
-- Keep mocking to a minimum — a test that is mainly mocks is not very valuable
-- Keep supertest tests to basic scenarios (validation, auth rejection, one success path). Deeper flows belong in integration tests
-
-### Frontend — Vitest
-
-Tests live in `frontend/tests/`. What exists today:
-
-- `notificationSlice` — Redux notification state
-- `runtimeConfig` — runtime config loading and caching
-- `shareForm.url` — URL helpers for form sharing
-- `constants` — shared constants
-
-### Integration — Playwright
-
-Lives in `integration/` at the repo root. It runs against a live frontend and backend and uses `data-testid` for selectors — so we need those on interactive elements, landmarks, lists, and status bits.
-
-### API-only integration tests (recommended)
-
-Between unit tests and full Playwright E2E, we should add **API-level integration tests**: sign in once (e.g. call the auth/login or token endpoint with test credentials, or use a test-only token helper), then drive business flows using only HTTP requests to the backend. No browser, no UI — just authenticated API calls through the real stack (DB, services, middleware). This gives faster, more stable coverage of backend behaviour and multi-step flows (e.g. create workspace → create form → create submission) without the cost of E2E. Keep Playwright for a small set of critical user journeys; use API-only integration tests for the bulk of flow coverage.
-
-### Not Done
-
-- No tests yet for repos, services, or domain logic — only infra and helpers.
-- No real integration tests beyond the Playwright setup; adding API-only integration tests (see above) would fill the gap before investing in more E2E.
-- We should add more backend unit tests for services and repos as we build features.
-
----
-
-# Frontend
-
-### Done
-
-- Runtime config from backend (`GET /meta/frontend-config`): Keycloak URL, realm, client ID, API base; cached on first load.
-- SSO via Keycloak (`idp-bcgov-sso`): login/logout, token in Redux (`keycloak` slice).
-- Current user from `GET /me` after auth (`currentUser` slice); Header falls back to id-token claims while loading.
-- i18n with `en`/`fr` and `useDictionary()`.
-- Redux with typed hooks (`useAppDispatch`, `useAppSelector`).
-- Feature gating: `loadFeaturesMeta()` + `createIsFeatureAllowed()` (`platformAllowed` ∩ `NEXT_PUBLIC_SOBA_FEATURES_ALLOWED`); plugin/home-section registry; workspaces plugin has no `featureCode` (always on).
-
-### Not Done
-
-- Header renders plugin nav when `getNavItem` returns an item (workspaces plugin supplies the home link).
-- No real landing page; home sections are plugin-driven but empty.
-- Platform feature truth from `/meta/features`; per-frontend narrowing via `NEXT_PUBLIC_SOBA_FEATURES_ALLOWED` (see `DEVELOPER.md`).
-- No role-aware UI (owner, admin, member, viewer).
-- No workspace management UI — we can fetch workspaces but there’s no switch/create/manage.
-- Form rendering UI is minimal; backend path exists, frontend pages are stubs.
-- **No admin UI** — `/api/v1/admin` works (list/add/remove SOBA admins) but there’s no route, page, or nav for it.
-- **No feature management UI** — nowhere to view or toggle feature status; that would be a good first admin screen to validate the pattern.
-
----
-
-# Discussion Points
-
-Things we haven’t decided yet and need input on.
-
-## Roles and codes catalog
-
-We added roles and codes to get the skeleton working. Before we build any real auth or membership logic we need to answer: what roles do we actually need (platform, workspace, form) and what does each allow? Do we keep `admin`, `member`, `viewer` or change them? Do we need more code tables (e.g. submission status)? What’s the full feature set and which roles/codes belong where? We should end up with a committed reference (or extended seed) as the source of truth. **Don’t build enforcement on the current role codes until we have that.**
-
-## Workspace creation gate
-
-Right now any logged-in user gets a personal workspace and owner role on first login. We need a gate: what qualifies someone to create and own a workspace? Could be an IdP role, a SOBA admin grant, an allow-list, or something else. CHEFS only lets IDIR create forms; for us it’s likely a mix of IdP and workspace plugin (e.g. Enterprise decides who owns a tenancy).
-
-## Workspace / tenant context
-
-We don’t yet know how personal or enterprise resolvers will determine which workspace (tenant) a request belongs to. Today personal-local effectively assumes “the user’s one personal workspace” and we don’t have a real “selection” story. Once a user can belong to multiple workspaces we need a contract: how does the client tell the backend which workspace is active? Options to discuss for **personal-local** (and by analogy for enterprise): **cookie** (set on workspace switch, sent automatically; works for same-origin browser, not for API-only or cross-origin), **header** (e.g. `X-Workspace-Id` or `X-Tenant-Id`; explicit, works for API clients and SPAs; client must send it every time), **mint a token** (e.g. short-lived JWT or opaque token that encodes workspace; can be passed in header or cookie; revocable and auditable but we own token lifecycle). Enterprise may get context from a different source (e.g. IdP or gateway). We need to decide and document the contract so frontend and API consumers know what to send.
-
-## Passport-backed IdP auth
-
-Passport is now the protected-route auth entry point for the backend API. `checkJwt()` uses Passport in stateless mode (`session: false`) for per-request token verification, while IdP plugins remain customizable and still own provider-specific token validation and claim mapping. `IDP_PLUGINS` still controls provider order, and the first successful plugin wins.
-
-## Two frontends
-
-We’re aiming for two apps: **Manage/Design/Admin** and **Submit**. Do we add a second skeleton now and rename current `/frontend`? Submit should be highly modular — form rendering via an embedded web component so it’s a clear example of what lives in the form vs. the host (see [chefs-embed](https://github.com/usingtechnology/chefs-embed)). We’d support different “flows”: first one like CHEFS (single form → submit), then maybe multi-form flows.
-
-## Integration test layout — backend API-only vs. Manage vs. Submit
-
-We want to add API-only backend integration tests (see [Testing — API-only integration tests](#api-only-integration-tests-recommended)) and will eventually have E2E for both Manage and Submit. **Our integration specialist should drive the decision** on how to lay out and organize these. Open questions: What's the best way to keep **backend API-only** integration tests separate from **frontend Manage** and **frontend Submit** E2E (e.g. directories, configs, CI jobs)? Should API-only tests live under `backend/` (e.g. a dedicated suite and Jest config) or in a top-level folder (e.g. alongside or separate from the current `integration/` Playwright app)? For the two frontends, do we use one E2E suite with Playwright projects and different base URLs, or separate suites per app? Deciding this up front will keep test runs and ownership clear.
-
-## Frontend feature flags
-
-**Resolved:** `GET /meta/features` supplies **`platformAllowed`** per `code`. Each frontend deployment sets **`NEXT_PUBLIC_SOBA_FEATURES_ALLOWED`**: comma-separated codes, or **`*`** / **`all`** for every platform-allowed feature; **empty/unset** = none. Effective UI gate: `platformAllowed && (wildcard || listed)`. See `DEVELOPER.md` — Feature flags.
-
-## Revision tables — current state vs. history
-
-Today the revision tables are append-only audit: each save inserts a row with `revisionNo`, `eventType`, `changedBy`, `changeNote`, and before/after engine refs; the main row gets a new `currentRevisionNo`. We only store metadata — no schema or submission payload. The before/after refs are both set to the same value (no diff) because we don’t have a Form.io client yet.
-
-**Form.io CE doesn’t do revisions.** We have to own history. Two broad approaches:
-
-- **Store JSON in our revision tables** — put the full schema or submission payload in a `jsonb` column. Postgres holds all history; Form.io only has “current”. Simple and queryable, but big payloads grow the table.
-- **One Form.io record per revision** — each revision row points to a different `engine_schema_ref` / `engine_submission_ref`. History is split: metadata in Postgres, content in Form.io/Mongo. Saves storing big JSON here but we get more API calls, orphan cleanup, and Form.io is required to read history.
-
-Then there’s how we use the main vs. revision rows:
-
-- **A — Main = current, revision = history (what we do now).** One query for latest. Revisions are audit only. Point-in-time is hard unless we snapshot content in revisions.
-- **B — Revision holds content, main is a pointer.** Every change is an immutable revision with full content; main row just has `currentRevisionNo` (or `latestRevisionId`). Easy “show version N” and undo; reads need a join.
-- **C — Both.** Main and revision both have content. Fast reads and full history, but duplication and risk of drift.
-
-We need to decide where the JSON lives and how we structure history before wiring Form.io.
-
-## API access for external clients
-
-Right now only human IdP JWTs can call the API. External systems, scripts, and pipelines can’t. We need to fix that; CHEFS has a lot of API consumers.
-
-**Route shape:** (1) Same `/api/v1` routes, different auth (API key, client credentials, etc.) — one surface to maintain, but response shapes are built for the UI and may not fit integrators; or (2) dedicated routes (e.g. `/api/ext/v1`) with simpler, stable shapes for API clients — clearer boundary and easier to version/rate-limit, but more to maintain and keep in sync; or (3) same routes, middleware that adapts by client type (serializer, filters, rate limits). Single surface but trickier to reason about.
-
-**How do machine clients get credentials?** Options:
-
-- **BC Gov API Gateway (Kong)** — consumers register at the gateway and get a client ID. Gateway does rate limiting, metrics, key lifecycle. We just bind client ID → workspace. Offloads key management; we depend on the gateway team and need a story for local dev.
-- **Keycloak client credentials** — register a client in the realm; client gets a JWT via client_id/client_secret. Our existing `checkJwt` can validate it; we’d need a claim mapper so the token carries workspace (or we resolve it from the client id). Standard OAuth2; Keycloak admin per consumer.
-- **We issue API keys** — store hashed keys per workspace (with expiry). Middleware validates the key and resolves workspace. No external dependency; we own rotation, revocation, and abuse handling.
-
-We could combine (e.g. gateway in front, Keycloak or our keys behind). The decision is who owns lifecycle and how a credential maps to a workspace.
-
-## Forms and submissions — business requirements
-
-The forms/submissions API is a technical skeleton. We don’t have locked requirements yet for: form lifecycle (draft → published → archived, versioning), submission workflow states and transitions, who can do what beyond workspace membership, or what the submission payload contains and where it lives (Postgres, Form.io, or both).