graasp
diff --git a/‎.github/workflows/deploy-db-doc.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/deploy-db-doc.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎DATABASE.md‎
Lines changed: 237 additions & 0 deletions b/‎DATABASE.md‎
Lines changed: 237 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 16 additions & 12 deletions b/‎README.md‎
Lines changed: 16 additions & 12 deletions
diff --git a/‎db-documentation/index.html‎
Lines changed: 0 additions & 11 deletions b/‎db-documentation/index.html‎
Lines changed: 0 additions & 11 deletions
@@ -38,10 +38,10 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-yarn-
 
-      # - name: yarn install and generate docs
-      #   run: |
-      #     yarn
-      #     yarn db-doc:generate
+      - name: yarn install and generate docs
+        run: |
+          yarn
+          yarn db-doc:generate
 
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
 
@@ -60,3 +60,5 @@ secret-key
 # Generated
 openapi.json
 vacuum-report.html
+schema.sql
+db-documentation
@@ -0,0 +1,237 @@
+# Database Structure Guide
+
+## Core Concept: Items & Hierarchies
+
+The heart of this system is **Items**, they are containers for content. Items have a `type` to describe which kind of item they are. Items can be:
+
+- **Folders** (containers that hold other items)
+- **Documents** (text based resources)
+- **Links** (references to external resources)
+- **Files** (images, pdf, etc)
+- **H5P** (references to external resources)
+- **App** (references to an application)
+- **Etherpad** (references to collaborative real-time text editor)
+
+Items are organized in a **tree structure**, similar to folders on your computer:
+
+```
+My Workspace
+├── Project A (#id-1)
+│   ├── Document 1 (#id-2)
+│   └── Document 2 (#id-3)
+└── Project B (#id-4)
+    └── Presentation (#id-5)
+```
+
+Each item has a `path` that shows its location in this hierarchy based on ids, like: `#id_1.#id_2`. Notice `-` are transformed into `_` in a `path`. For simplification this example uses readable ids, but the database structure uses UUID4 for identifiers (ie. `8a12ce1e-c58c-47a6-8ba2-742e0813d4ef`)
+
+Core information about each item:
+
+- `id`: Unique identifier
+- `name`: What it's called
+- `type`: Document, folder, link, etc.
+- `path`: Location in the hierarchy
+- `created_at` / `updated_at`: Timestamps
+- `created_by`: The member who created it
+- `deleted_at`: When it was deleted (`null` if not deleted) ← _Important for tracking deletions_
+
+---
+
+## Apps & Integrations
+
+### Apps
+
+Third-party or built-in applications that users can add to their folders. An app is composed of a name, description, URL, icon, thumbnail, publisher information, and configuration settings.
+
+These curated apps integrate with the Graasp API using a configured API `key`, and can save user-specific data in three forms: `data` for information apps want to remember, `setting` for per-item configurations, and `action` for tracking usage. They are described in the sections below.
+
+### App Data
+
+App Data stores custom information that applications want to remember for each user, with visibility rules that control whether it's accessible to the account owner, the creator, or other users, and it's always tied to both a specific item and account.
+
+### App Settings
+
+App Settings provide per-item configuration that creators can customize and store as JSON data. These settings are available to all users accessing that item, but only administrators can edit them.
+
+### App Actions
+
+App Actions track when apps are used, recording which app was involved, what the user did with it, which item it happened on, and any custom data specific to that app interaction.
+
+---
+
+## Content Management
+
+### Recycled Items
+
+When items are deleted, they aren't actually removed from the database. Instead, a `deleted_at` timestamp marks the entire hierarchy as deleted, and one record in `recycled_item_data` is created for each deleted root item, allowing users to recover deleted content from the recycle bin.
+
+Recycled items older than 3 months are scheduled to be automatically deleted.
+
+### Item Visibility
+
+The visibility of an item defines how it controls the access to it. There are 3 states:
+
+- **Public**: Visible to anyone with the link
+- **Hidden**: Not shown for readers
+- **Private** (= no record): Only visible to people with explicit memberships
+
+You can read more about memberships and access control under "Access & Permissions".
+
+### Likes & Bookmarks
+
+The `item_like` table records when someone "likes" an item.
+
+The bookmarks (legacy name being `favorite` but still uses the table named `item_favorite`) tracks when someone saves an item to their bookmarks and have a quick access to it.
+
+### Published Items
+
+Published items are referenced in the library. An item is published if itself or its parent has a record in `published_items`. Its visibility should also be set to `public`. They can be unpublished at any time by the admins of the item.
+
+### Publication Removal Notices
+
+When administrators unpublish content from the admin panel, the system creates removal notices that record the reason for unpublishing and the date it occurred.
+
+---
+
+## Account Management
+
+### Accounts (Members & Guests)
+
+The system has two types of accounts, "members" and "guests".
+
+#### Individual Members
+
+Individual members are real people using the platform with an email address, a profile (including bio and avatar), and the ability to create items and collaborate with others. Their account `type` is set to `individual`.
+
+#### Guests
+
+Guest accounts are temporary accounts created for specific items, typically used to grant access without requiring full platform membership. Guests have limited permissions and may require passwords to access specific items. Their account `type` is set to `guest`.
+
+**Related tables:**
+
+- `guest_password`: Passwords for guest accounts to access a specific item
+- `member_password`: Stores encrypted passwords for members
+- `member_profile`: Additional info like bio, avatar, preferences
+
+---
+
+## Access & Permissions
+
+### Item Memberships
+
+Controls who has access to an item. They are three levels:
+
+1. **Admin**: Can manage content and share access
+1. **Write**: Can create and edit content
+1. **Read**: Can view only
+
+Each person can have different permission levels on an item hierarchy. From less permissive to most permissive, and the closest permission takes precedence.
+
+For example if we have the following path `A.B.C` it is allowed to set a membership permission at each level for user Alice as followed:
+
+- A: read
+- B: write
+- C: admin
+
+So Alice can only read `A`, but is an admin for `C`.
+
+### Membership Requests
+
+When someone wants to join an item but doesn't have access yet, they create a request. Admins can approve or deny these requests.
+
+### Invitations
+
+Admins can invite people by email to access an item. The invitation includes:
+
+- Email address of the person being invited
+- Permission level they'll receive
+
+### Short Links
+
+Short Links are easy-to-share shortened URLs that point to specific items, redirecting users to the appropriate platform (builder, player, or library) and tracking who created the link and when.
+
+### Item Login Schemas
+
+When the item is private, it requires users to log in before accessing them. Additionally, an item can also allow "pseudonymized" login. If enabled, it will accept usernames, with or without passwords to access the item.
+
+When someone logs in with these credentials, the system automatically creates a guest account linked to that login method. If the same person logs in again with the same credentials, their guest account is reused rather than creating a new one. This allows controlled access to specific items without requiring a full platform account.
+
+Deleting an item login schema will delete all its related guests.
+
+---
+
+## Collaboration & Interaction
+
+### Chat Messages
+
+Each item has its own chatbox where users can have discussions. Each message records who wrote it (`creator_id`), when it was written (`created_at`), the message content (`body`), and which item it belongs to.
+
+### Chat Mentions
+
+Chat Mentions track when someone is mentioned in a chat message (@username), recording who was mentioned, whether they've read the mention, and when it was created.
+
+---
+
+## Item Publication
+
+### Categories & Tags
+
+Items can be organized with metadata that's especially useful for published content. Tags are user-defined and manually added to items, organized in categories like discipline, resource type, or level. Multiple tags can be assigned to each item to help with searching and filtering.
+
+### Validation & Quality Control
+
+Before publication, items are validated through automated checks including image validation. Each validation has a status of `pending`, `success`, or `failed`.
+
+For each publication request, a validation group is created that references multiple validation records. If any validation fails, the item cannot be published.
+
+The review table exists for future use but isn't currently active.
+
+---
+
+## Exports & Data Downloads
+
+### Item Export Requests
+
+When someone wants to download an item's content, the system records who made the request, which item or sub-tree of items they're exporting, the desired format (JSON, CSV, etc.), and when the request was made.
+
+### Action Request Exports
+
+Action Request Exports allow downloads of activity and action logs for user analytics and behavior tracking, capturing all interactions within a specified date range.
+
+---
+
+## Additional Item features
+
+### Item Flags
+
+Item Flags allow users to report problems with items, recording who reported it, the reason (spam, inappropriate content, etc.), and the status of the report (reviewed, resolved, etc.).
+
+This feature is available but not heavily used currently.
+
+### Geolocation
+
+Items can optionally store location information, allowing them to be browsed and discovered on a map interface.
+
+### Page Updates (Beta)
+
+Items with type "page" use an alternative collaborative, real-time content editor. Updates are recorded in a dedicated table, and page content is built from these incremental updates. Retrieving complete page content requires reconstructing it from individual update records and a special library.
+
+---
+
+## Maintenance Notices
+
+When important updates or critical maintenance is needed, the team schedules maintenance windows to inform users in advance. The system records the scheduled downtime period with start and end times, and can display messages to users about the maintenance.
+
+---
+
+## Actions (Analytic traces)
+
+Actions are what users do, captured for analytics and displayed in dashboard graphics. Each action record includes the type of action, geographic location (if the user has allowed location tracking), when it occurred, which item was involved (if applicable), and which account performed it.
+
+The system currently records a set of standard actions, but this list may be extended in the future.
+
+---
+
+## Need More Help?
+
+Each table has detailed column information available. For specific analysis needs, refer to the technical schema documentation or contact the data team.
@@ -31,7 +31,6 @@ In order to run the Graasp backend, it requires:
 - [Postman](https://www.postman.com) : Application to explore and test your APIs.
 - [Starship](https://starship.rs/): A shell prompt enhancer that shows you the current git branch nvm version and package version, very useful for quick look at your environment (works on all shells and is super fast), requires you to use a [NerdFont](https://www.nerdfonts.com/)
 - [VS Code](https://code.visualstudio.com) : IDE to manage the database and make changes to the source code.
-
   - [Remote-Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) : A extension for VS Code. It allows to easily setup the dev environment.
 
   - [SQLTools](https://marketplace.visualstudio.com/items?itemName=mtxr.sqltools) : A extension for VS Code. It allows easy access to the database.
@@ -66,7 +65,7 @@ This will create 11 containers :
 > To use garage with the Docker installation, it is necessary to edit your `/etc/hosts` with the following line `127.0.0.1 .s3.garage.localhost`. This is necessary because the backend creates signed urls pointing to this subdomain. Without changing the hosts, the development machine cannot resolve urls like `http://s3.garage.localhost:3900` .
 
 > **Troubleshoot**
-> If during setup of the devcontainer you get an error like `nudenet Error pull access denied for public.ecr.aws/g...` 
+> If during setup of the devcontainer you get an error like `nudenet Error pull access denied for public.ecr.aws/g...`
 > This can occure if you previously logged in to the public ECR. When you want to pull from the public ECR, you should be unauthenticated. Simply run the following on you host: `docker logout public.ecr.aws`. It will log you out of the public ECR and you should be able to rebuild the containers without issue. If it persissts please [open an issue](https://github.com/graasp/graasp/issues/new?title=NudeNet%20DevContainer%20Docker%20Install%20Issue)
 
 Then install the required npm packages with `yarn install`. You should run this command in the docker's terminal, because some packages are built depending on the operating system (eg. `bcrypt`).
@@ -235,6 +234,7 @@ You will need to configure the garage instance so you can use the s3 buckets wit
 To simplify the commands you can create an alias to the docker exec command:
 
 Run this on the host machine
+
 ```sh
 # get the container name for the garage service
 docker ps
@@ -243,17 +243,17 @@ docker ps
 alias garage="docker exec -it <container-name> /garage"
 ```
 
-You should now be able to run commands against the garage executable running inside the container. Check that it works by running: 
+You should now be able to run commands against the garage executable running inside the container. Check that it works by running:
 
 ```sh
 garage status
 ```
 
-You should see an output similar to: 
+You should see an output similar to:
 
 ```
-2025-09-11T05:42:45.393828Z  INFO garage_net::netapp: Connected to 127.0.0.1:3901, negotiating handshake...    
-2025-09-11T05:42:45.436392Z  INFO garage_net::netapp: Connection established to fca7df6b0fe8115c    
+2025-09-11T05:42:45.393828Z  INFO garage_net::netapp: Connected to 127.0.0.1:3901, negotiating handshake...
+2025-09-11T05:42:45.436392Z  INFO garage_net::netapp: Connection established to fca7df6b0fe8115c
 ==== HEALTHY NODES ====
 ID                Hostname    Address         Tags  Zone  Capacity   DataAvail         Version
 fca7df6b0fe8115c  garage  127.0.0.1:3901  []    dc1   1000.0 MB  365.8 GB (36.8%)  v2.0.0
@@ -264,12 +264,14 @@ fca7df6b0fe8115c  garage  127.0.0.1:3901  []    dc1   1000.0 MB  365.8 GB (36.8%
 Now for the real configuration part.
 
 We will:
+
 - setup the layout for the storage (this is required by garage to know how it allocates the capacity)
 - create the file-items bucket (h5p bucket can be configured too, guide does not do it currently)
 - create an access key for the bucket
 - make the correct configurations to be able to access the bucket
 
 Layout setup
+
 ```sh
 # get the node id
 garage status
@@ -282,6 +284,7 @@ garage layout apply --version 1
 ```
 
 Create a bucket
+
 ```sh
 garage bucket create file-items
 
@@ -291,16 +294,14 @@ garage bucket info file-items
 ```
 
 Create an access key. Make not of the secret key as it will not be shown again !
+
 ```sh
 garage key create core-s3-key
 
 # allow the key to access the bucket
 garage bucket allow --read --write --owner file-items --key core-s3-key
 ```
 
-
-
-
 ### Umami
 
 To log into umami in your local instance: [Umami login documentation](https://umami.is/docs/login)
@@ -317,7 +318,7 @@ You can also run `yarn seed` to feed the database with predefined mock data.
 
 The development [docker-compose.yml](.devcontainer/docker-compose.yml) provides an instance of [mailcatcher](https://mailcatcher.me/), which emulates a SMTP server for sending e-mails. When using the email authentication flow, the mailbox web UI is accessible at [http://localhost:1080](http://localhost:1080).
 
-The development [docker-compose.yml](.devcontainer/docker-compose.yml) provides a [s3-compatible service](https://garagehq.deuxfleurs.fr/) for serving files. Ensure you have setup your /etc/hosts so that it works. 
+The development [docker-compose.yml](.devcontainer/docker-compose.yml) provides a [s3-compatible service](https://garagehq.deuxfleurs.fr/) for serving files. Ensure you have setup your /etc/hosts so that it works.
 
 ## Testing
 
@@ -332,7 +333,9 @@ This will ensure your tests run on the second database container. As they will c
 
 ## Database and Migrations
 
-The application will run migrations on start.
+By default, the application will run migrations on start.
+
+For more information about the structure of the database, see [our database structure documentation](./DATABASE.md) as well as [the interactive database schema explorer](https://graasp.github.io/graasp).
 
 ### Create a migration
 
@@ -365,13 +368,14 @@ Up tests start from the previous migration state, insert mock data and apply the
 
 ### Nudenet Container can not be pulled
 
-It is possible that the nudenet container pull fails with a 403 status code. This is likely because you are authenticated to the public AWS ECR and trying to pull a public image. Log out of the public ECR with `docker logout public.ecr.aws` and try building the devContainer again. 
+It is possible that the nudenet container pull fails with a 403 status code. This is likely because you are authenticated to the public AWS ECR and trying to pull a public image. Log out of the public ECR with `docker logout public.ecr.aws` and try building the devContainer again.
 
 ### Uploading files results in "AuthorizationHeaderMalformed: Authorization header malformed, unexpected scope"
 
 This upload error occurs when we try to upload a file to s3 (mocked by garage on local dev setup).
 
 You need to check that you:
+
 - have access and secret keys in your env
 - have set the region to the same value as the ".devcontainer/garage/garage.toml" file (look under the `s3.api` section for the `s3_region` value.) By default it should be `garage` and not `us-east-1`. Update the value in your `.env.development` file.