Add postguard repo website docs content to centralized docs

dobby-coder[bot] · claude · dobby-coder[bot] · commit 24f237b79b30 · 2026-04-14T09:58:07.000Z
The postguard repo contains a Docusaurus docs website in website/ that was not accounted for during the initial documentation centralization. This updates the repos/postguard.md page to incorporate the content from that website, including: - Mention of the existing Docusaurus site and its GitHub Pages URL - Cryptographic primitives table and pg-core feature flags - Full development setup: prerequisites, building each crate, WASM build, docker-compose, environment variables - PKG server setup: key generation, running, Docker deployment - CLI usage examples for encrypt and decrypt - PKG Server API endpoint reference - WASM bindings overview with cross-references to the SDK docs Relates to #8 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/docs/repos/postguard.md b/docs/repos/postguard.md
@@ -4,6 +4,8 @@
 
 The main PostGuard repository. It contains the core encryption library, the Private Key Generator (PKG) server, WebAssembly bindings for browsers, a command-line client, and FFI bindings for native language integration.
 
+The repo also includes a [Docusaurus documentation site](https://encryption4all.github.io/postguard/) in the `website/` directory, covering architecture, API reference, and Yivi integration. That content has been consolidated into this centralized docs site.
+
 ## Workspace Structure
 
 The repository is a Rust workspace with five crates:
@@ -16,6 +18,8 @@ The repository is a Rust workspace with five crates:
 | `pg-cli` | Command-line tool for encrypting and decrypting files |
 | `pg-ffi` | FFI bindings for calling Rust code from other languages (used by [postguard-dotnet](/repos/postguard-dotnet)) |
 
+The `website/` directory contains a Docusaurus site deployed to GitHub Pages via the `docs.yml` workflow.
+
 ## How It Works
 
 PostGuard uses Identity-Based Encryption (IBE). Instead of public keys, the sender only needs the master public key and the recipient's identity (e.g. email address). To decrypt, the recipient proves their identity to the PKG via [Yivi](https://yivi.app) and receives a decryption key.
@@ -32,16 +36,62 @@ A typical session:
 7. The PKG issues a decryption key for that identity.
 8. The recipient's client decrypts the message.
 
+For the full protocol details, see the [architecture overview](/guide/architecture) and [core concepts](/guide/concepts) in the guide.
+
+### Cryptographic Primitives
+
+| Primitive | Implementation |
+|---|---|
+| KEM | CGW-KV anonymous IBE on BLS12-381 ([`ibe`](https://crates.io/crates/ibe) crate) |
+| IBS | GG identity-based signatures ([`ibs`](https://crates.io/crates/ibs) crate) |
+| Symmetric | AES-128-GCM (128-bit security to match BLS12-381) |
+| Hashing | SHA3-512 for identity derivation |
+
+### pg-core Feature Flags
+
+pg-core supports two backends:
+
+- `rust` (default): uses RustCrypto crates for native Rust targets
+- `web`: uses the Web Crypto API for WASM in browsers
+
+Streaming mode is enabled with the `stream` feature flag. When active, encryption and decryption process data in 256 KiB chunks instead of loading everything into memory.
+
 ## Development
 
 ### Prerequisites
 
-- [Rust](https://www.rust-lang.org/tools/install) (stable)
+- [Rust](https://www.rust-lang.org/tools/install) (stable, 1.90.0 or later)
+- Docker and Docker Compose (for the local development environment)
+- [wasm-pack](https://rustwasm.github.io/wasm-pack/) (only for WASM development)
+
+```bash
+# Install wasm-pack (if working on pg-wasm)
+cargo install --git https://github.com/rustwasm/wasm-pack.git
+```
 
 ### Building
 
 ```bash
+# Build the full workspace
 cargo build --release
+
+# Build individual crates
+cargo build --release -p pg-core
+cargo build --release --bin pg-cli
+cargo build --release --bin pg-pkg
+```
+
+### Building WASM Bindings
+
+```bash
+cd pg-wasm
+wasm-pack build --release -d pkg/ --out-name index --scope e4a --target bundler
+```
+
+For web target (without a bundler):
+
+```bash
+wasm-pack build --release -d pkg/ --out-name index --scope e4a --target web
 ```
 
 ### Testing
@@ -60,10 +110,126 @@ wasm-pack test --release --headless --firefox ./pg-wasm
 
 ### Running the PKG Server
 
+Generate a master key pair first (run once):
+
+```bash
+cargo run --release --bin pg-pkg gen
+```
+
+Then start the server:
+
 ```bash
-cargo run -p pg-pkg --release
+cargo run --release --bin pg-pkg server \
+  -t <irma_server_token> \
+  -i <irma_server_url> \
+  -d <postgres_connection_string>
 ```
 
+Or run via Docker:
+
+```bash
+docker build -t postguard-pkg .
+docker run -p 8080:8080 postguard-pkg server \
+  -t <irma_token> \
+  -i <irma_url> \
+  -d <postgres_url>
+```
+
+### Local Development Environment
+
+Docker Compose starts PostgreSQL and a Yivi (IRMA) server for local development:
+
+```bash
+docker-compose up
+```
+
+Then run the PKG server against the local services:
+
+```bash
+cargo run --release --bin pg-pkg server \
+  -d postgres://devuser:devpassword@localhost/devdb \
+  -t <irma_token> \
+  -i http://localhost:8088
+```
+
+### Environment Variables
+
+| Variable | Description | Default |
+|---|---|---|
+| `IRMA_SERVER` | Yivi/IRMA server URL | `https://is.yivi.app` |
+| `DATABASE_URL` | PostgreSQL connection string | (required) |
+| `RUST_LOG` | Log level (`debug`, `info`, `warn`, `error`) | (none) |
+
+### Using the CLI
+
+Encrypt a file:
+
+```bash
+cargo run --bin pg-cli enc \
+  -i '{"recipient@example.com": [{"t": "pbdf.sidn-pbdf.email.email", "v": "recipient@example.com"}]}' \
+  --pub-sign-id '[{"t": "pbdf.gemeente.personalData.fullname"}]' \
+  myfile.txt
+```
+
+This starts a Yivi session (displays a QR code) to obtain signing keys, then encrypts `myfile.txt` into `myfile.txt.enc`.
+
+Decrypt a file:
+
+```bash
+cargo run --bin pg-cli dec myfile.txt.enc
+```
+
+The CLI shows the recipient policies in the header, prompts you to select your identity, and starts a Yivi session to obtain your decryption key.
+
+## PKG Server API
+
+The PKG server (`pg-pkg`) exposes an HTTP API. By default it listens on `http://localhost:8080`.
+
+### Public Parameters
+
+| Method | Endpoint | Description |
+|---|---|---|
+| `GET` | `/v2/parameters` | Fetch the Master Public Key (MPK). Supports ETag/Cache-Control caching. |
+| `GET` | `/v2/sign/parameters` | Fetch the public verification key for signature checking. |
+
+### Yivi Sessions
+
+| Method | Endpoint | Description |
+|---|---|---|
+| `POST` | `/v2/irma/start` | Start a Yivi identity verification session. |
+| `GET` | `/v2/irma/jwt/{token}` | Retrieve the JWT result of a completed Yivi session. |
+
+### Key Issuance
+
+| Method | Endpoint | Description |
+|---|---|---|
+| `GET` | `/v2/irma/key/{timestamp}` | Retrieve a User Secret Key (USK). Requires `Authorization: Bearer <jwt>`. |
+| `POST` | `/v2/irma/sign/key` | Retrieve signing keys. Authenticate with a Yivi JWT or API key (`PG-API-<key>`). |
+
+### Health
+
+| Method | Endpoint | Description |
+|---|---|---|
+| `GET` | `/health` | Health check. |
+| `GET` | `/metrics` | Prometheus metrics. |
+
+For the full API details with request/response examples, see the [architecture page](/guide/architecture#api-endpoints).
+
+## WASM Bindings (pg-wasm)
+
+The `@e4a/pg-wasm` package provides WebAssembly bindings for PostGuard in browser environments. Install via npm:
+
+```bash
+npm install @e4a/pg-wasm
+```
+
+The package exports:
+
+- `seal()` and `sealStream()` for encryption (in-memory and streaming)
+- `Unsealer` and `StreamUnsealer` for decryption (in-memory and streaming)
+
+Both streaming variants use the Web Streams API (`ReadableStream`/`WritableStream`). For usage examples and the full JavaScript/TypeScript API, see the [SDK reference](/sdk/overview).
+
 ## Releasing
 
 This repository uses [Release-plz](https://release-plz.ieni.dev/) for automated versioning and releases. When changes are merged to `main`, Release-plz creates a release PR. Merging that PR triggers:
@@ -80,4 +246,4 @@ This repository uses [Release-plz](https://release-plz.ieni.dev/) for automated
 |---|---|---|
 | `build.yml` | Push/PR | Formatting checks, tests for all workspace members |
 | `delivery.yml` | Push to main | Release-plz, Docker build, FFI compilation, npm publish |
-| `docs.yml` | Push to main | Deploys API docs to GitHub Pages |
+| `docs.yml` | Push to main | Builds the Docusaurus site in `website/` and deploys to [GitHub Pages](https://encryption4all.github.io/postguard/) |
