docs: Rebuild documentation as enterprise-grade TLAS platform

- Migrate from custom HTTP server to VitePress framework
- Rename project to Tokenized License Approval System (TLAS)
- Add comprehensive documentation for all stakeholders:
  - Business: Executive summary, value proposition, governance
  - Operations: Infrastructure, installation, monitoring, backup
  - Departments: User guide, workflows, verification, issuance
  - Developers: API reference, authentication, webhooks, SDKs
  - Compliance: OWASP, DPDP Act, IT Act, audit framework
- Add modern theme with dark mode and full-text search
- Update Dockerfile for VitePress build process

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Documentation/compliance/audit.md

@@ -0,0 +1,86 @@
+# Audit Framework
+
+## Audit Logging
+
+### What is Logged
+
+| Event Type | Details Captured |
+|------------|------------------|
+| Authentication | User ID, timestamp, IP, success/failure |
+| Application Actions | User, action, application ID, before/after state |
+| Document Access | User, document ID, action (view/download) |
+| Configuration Changes | User, setting, old value, new value |
+| System Events | Service, event type, severity |
+
+### Log Format
+
+```json
+{
+  "timestamp": "2026-02-09T10:30:00.000Z",
+  "eventType": "APPLICATION_APPROVED",
+  "userId": "DEPT-OFFICER-001",
+  "sessionId": "sess_abc123",
+  "ipAddress": "10.0.1.50",
+  "resource": {
+    "type": "APPLICATION",
+    "id": "APP-2026-00001"
+  },
+  "action": "APPROVE",
+  "previousState": "IN_REVIEW",
+  "newState": "APPROVED",
+  "metadata": {
+    "stage": "SUPERVISOR_APPROVAL",
+    "notes": "Documents verified"
+  }
+}
+```
+
+### Log Retention
+
+| Log Type | Retention Period |
+|----------|------------------|
+| Security events | 7 years |
+| Application actions | 7 years |
+| System logs | 1 year |
+| Debug logs | 30 days |
+
+## Audit Reports
+
+### Standard Reports
+
+| Report | Frequency | Recipients |
+|--------|-----------|------------|
+| Login Activity | Daily | Security team |
+| Application Processing | Weekly | Department heads |
+| SLA Compliance | Weekly | Management |
+| System Health | Daily | IT operations |
+
+### On-Demand Reports
+
+Available through Admin Console:
+- User activity by date range
+- Application history
+- Document access log
+- Configuration change history
+
+## Compliance Audits
+
+### Internal Audits
+
+- Quarterly access review
+- Annual security assessment
+- Monthly SLA review
+
+### External Audits
+
+- Annual third-party security audit
+- Regulatory compliance review as required
+- Blockchain transaction verification
+
+## Tamper Detection
+
+Audit logs are protected by:
+- Append-only storage
+- Cryptographic hash chaining
+- Separate log storage from application database
+- Real-time replication to secure archive

Documentation/compliance/data-protection.md

@@ -0,0 +1,64 @@
+# Data Protection
+
+## Data Classification
+
+| Classification | Examples | Handling |
+|----------------|----------|----------|
+| **Public** | Published license numbers, verification status | No restrictions |
+| **Internal** | Processing statistics, workflow configurations | Staff access only |
+| **Confidential** | Applicant personal data, documents | Role-based access |
+| **Restricted** | Authentication credentials, encryption keys | System access only |
+
+## Personal Data Inventory
+
+| Data Category | Fields | Purpose | Retention |
+|---------------|--------|---------|-----------|
+| Identity | Name, Aadhaar (masked), photo | Applicant identification | License validity + 7 years |
+| Contact | Email, phone, address | Communication | License validity + 7 years |
+| Business | Business name, registration | License application | License validity + 7 years |
+| Documents | Uploaded files | Verification | License validity + 7 years |
+| Activity | Login times, actions | Audit | 7 years |
+
+## Data Subject Rights
+
+### Right to Access
+Applicants can view all their personal data through the portal under "My Profile" and "My Applications."
+
+### Right to Correction
+Applicants can request corrections through the portal. Changes require verification for critical fields.
+
+### Right to Erasure
+Limited by legal retention requirements. Non-essential data can be erased upon request after license expiry.
+
+### Right to Portability
+Data export available in JSON and PDF formats through the portal.
+
+## Data Security Controls
+
+### Encryption
+
+| State | Method |
+|-------|--------|
+| At Rest | AES-256 (database, files) |
+| In Transit | TLS 1.3 |
+| Backups | AES-256 with separate key |
+
+### Access Control
+
+- Role-based permissions
+- Department-level data isolation
+- Session timeout after inactivity
+- Failed login lockout
+
+### Anonymization
+
+For analytics and reporting, personal identifiers are removed or pseudonymized.
+
+## Breach Response
+
+1. Detection and containment
+2. Impact assessment
+3. Notification to affected individuals (within 72 hours)
+4. Notification to CERT-In (as required)
+5. Root cause analysis
+6. Remediation

Documentation/compliance/index.md

@@ -0,0 +1,72 @@
+# Compliance Framework
+
+## Overview
+
+TLAS is designed and operated in compliance with applicable Indian laws, government standards, and international security frameworks.
+
+## Regulatory Compliance
+
+### Information Technology Act, 2000
+
+| Requirement | Implementation |
+|-------------|----------------|
+| Section 3A: Electronic signatures | Digital certificates with PKI |
+| Section 4: Legal recognition of electronic records | Blockchain-based immutable records |
+| Section 43A: Data protection | Encryption at rest and in transit |
+| Section 72A: Breach notification | Incident response procedures |
+
+### Digital Personal Data Protection Act, 2023
+
+| Principle | Implementation |
+|-----------|----------------|
+| Lawful purpose | Data collected only for licensing functions |
+| Purpose limitation | No secondary use without consent |
+| Data minimization | Only necessary fields collected |
+| Accuracy | Applicant can update their information |
+| Storage limitation | Defined retention periods |
+| Security safeguards | Technical and organizational measures |
+
+### Government Guidelines
+
+| Standard | Compliance |
+|----------|------------|
+| GIGW 3.0 | Web accessibility guidelines followed |
+| MeitY Cloud Guidelines | Data residency in India |
+| NIC Security Guidelines | Network and application security |
+
+## Security Standards
+
+### OWASP Top 10 Mitigation
+
+| Vulnerability | Control |
+|---------------|---------|
+| Injection | Parameterized queries, input validation |
+| Broken Authentication | JWT with secure configuration |
+| Sensitive Data Exposure | TLS 1.3, AES-256 encryption |
+| XML External Entities | XML parsing disabled where not needed |
+| Broken Access Control | RBAC with principle of least privilege |
+| Security Misconfiguration | Hardened deployment checklist |
+| Cross-Site Scripting | Output encoding, CSP headers |
+| Insecure Deserialization | Schema validation |
+| Components with Vulnerabilities | Automated dependency scanning |
+| Insufficient Logging | Comprehensive audit logging |
+
+### ISO 27001 Alignment
+
+TLAS security controls align with ISO 27001 Annex A:
+
+- A.5: Information security policies
+- A.6: Organization of information security
+- A.9: Access control
+- A.10: Cryptography
+- A.12: Operations security
+- A.14: System acquisition and development
+- A.16: Incident management
+- A.18: Compliance
+
+## Documentation Index
+
+- [Data Protection](/compliance/data-protection) - Personal data handling procedures
+- [Audit Framework](/compliance/audit) - Logging, monitoring, and audit procedures
+- [Security Standards](/compliance/security) - Technical security controls
+- [Regulatory Alignment](/compliance/regulatory) - Detailed compliance mapping

Documentation/compliance/regulatory.md

@@ -0,0 +1,65 @@
+# Regulatory Alignment
+
+## Indian Legal Framework
+
+### Information Technology Act, 2000
+
+| Section | Requirement | Compliance |
+|---------|-------------|------------|
+| 3A | Electronic signatures | Digital certificates with PKI infrastructure |
+| 4 | Legal recognition of e-records | Blockchain provides immutable records |
+| 43A | Reasonable security | ISO 27001-aligned controls |
+| 72A | Breach notification | Incident response procedures documented |
+
+### Digital Personal Data Protection Act, 2023
+
+| Principle | Implementation |
+|-----------|----------------|
+| Lawful processing | Consent obtained for data collection |
+| Purpose limitation | Data used only for license processing |
+| Data minimization | Only necessary fields collected |
+| Accuracy | Self-service data correction available |
+| Storage limitation | Retention policy enforced |
+| Security safeguards | Encryption and access controls |
+
+### Government of India Guidelines
+
+| Standard | Scope | Compliance |
+|----------|-------|------------|
+| GIGW 3.0 | Web accessibility | WCAG 2.1 AA compliant |
+| MeitY Cloud | Data residency | All data in India |
+| NIC Guidelines | Security | Penetration tested |
+
+## Audit Compliance
+
+### Annual Requirements
+
+| Audit Type | Frequency | Conducted By |
+|------------|-----------|--------------|
+| Security audit | Annual | Empaneled auditor |
+| Compliance review | Annual | Internal audit |
+| Access review | Quarterly | Department admins |
+
+### Documentation Maintained
+
+- Security policy documents
+- Risk assessment reports
+- Incident response records
+- Access control matrices
+- Change management logs
+- Training records
+
+## Certifications
+
+| Certification | Status | Validity |
+|---------------|--------|----------|
+| STQC Certification | Pending | - |
+| ISO 27001 | Aligned | - |
+| MeitY Empanelment | Applied | - |
+
+## Data Localization
+
+All data stored within India:
+- Primary servers: Mumbai region
+- Backup servers: Delhi region
+- No cross-border data transfer

Documentation/compliance/security.md

@@ -0,0 +1,82 @@
+# Security Standards
+
+## OWASP Top 10 Compliance
+
+### A01: Broken Access Control
+
+| Control | Implementation |
+|---------|----------------|
+| RBAC enforcement | All endpoints check user roles |
+| Resource isolation | Department data segregation |
+| CORS configuration | Strict origin validation |
+
+### A02: Cryptographic Failures
+
+| Control | Implementation |
+|---------|----------------|
+| TLS 1.3 | All traffic encrypted |
+| AES-256 | Data encrypted at rest |
+| Key rotation | Quarterly secret rotation |
+
+### A03: Injection
+
+| Control | Implementation |
+|---------|----------------|
+| Parameterized queries | ORM with parameter binding |
+| Input validation | Schema validation on all inputs |
+| Output encoding | Context-aware escaping |
+
+### A04: Insecure Design
+
+| Control | Implementation |
+|---------|----------------|
+| Threat modeling | Security review in design phase |
+| Least privilege | Minimal permissions by default |
+| Defense in depth | Multiple security layers |
+
+### A05: Security Misconfiguration
+
+| Control | Implementation |
+|---------|----------------|
+| Hardened defaults | Security-first configuration |
+| Automated scanning | CI/CD security checks |
+| Error handling | No sensitive data in errors |
+
+### A06: Vulnerable Components
+
+| Control | Implementation |
+|---------|----------------|
+| Dependency scanning | Weekly automated scans |
+| Update policy | Critical patches within 48h |
+| SBOM | Software bill of materials tracked |
+
+### A07: Authentication Failures
+
+| Control | Implementation |
+|---------|----------------|
+| Strong passwords | Minimum 12 characters |
+| Account lockout | 5 failed attempts |
+| Session management | Secure cookie settings |
+
+### A08: Integrity Failures
+
+| Control | Implementation |
+|---------|----------------|
+| Signed artifacts | All deployments verified |
+| Blockchain verification | Certificates on chain |
+| Audit logging | Tamper-evident logs |
+
+### A09: Logging Failures
+
+| Control | Implementation |
+|---------|----------------|
+| Comprehensive logging | All security events captured |
+| Log protection | Append-only storage |
+| Monitoring | Real-time alerting |
+
+### A10: SSRF
+
+| Control | Implementation |
+|---------|----------------|
+| URL validation | Allowlist for external requests |
+| Network segmentation | Internal services isolated |