# Solution Architecture

## System Overview

```
┌─────────────────────────────────────────────────────────────────────┐
│                            TLAS Platform                            │
├─────────────────────────────────────────────────────────────────────┤
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐               │
│  │  Applicant   │  │  Department  │  │    Admin     │               │
│  │   Portal     │  │   Portal     │  │   Console    │               │
│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘               │
│         │                 │                 │                       │
│         └─────────────────┼─────────────────┘                       │
│                           │                                         │
│                    ┌──────▼───────┐                                 │
│                    │ API Gateway  │                                 │
│                    │   (NestJS)   │                                 │
│                    └──────┬───────┘                                 │
│                           │                                         │
│         ┌─────────────────┼─────────────────┐                       │
│         │                 │                 │                       │
│  ┌──────▼──────┐   ┌──────▼──────┐   ┌──────▼──────┐                │
│  │ PostgreSQL  │   │ Hyperledger │   │  External   │                │
│  │  Database   │   │    Besu     │   │  Services   │                │
│  └─────────────┘   └─────────────┘   └─────────────┘                │
└─────────────────────────────────────────────────────────────────────┘
```

## Component Responsibilities

| Component | Function |
|-----------|----------|
| **Applicant Portal** | Application submission, document upload, status tracking, certificate download |
| **Department Portal** | Queue management, application review, approval actions, reporting |
| **Admin Console** | Department onboarding, workflow configuration, system monitoring |
| **API Gateway** | Authentication, authorization, request routing, rate limiting |
| **PostgreSQL** | Application data, user accounts, workflow definitions, audit logs |
| **Hyperledger Besu** | NFT minting, certificate verification, immutable transaction record |

## Data Flow: License Issuance

```
1. Applicant submits application
   │
   ▼
2. System validates documents and routes to workflow
   │
   ▼
3. Officers process through defined approval stages
   │
   ▼
4. Final approval triggers blockchain transaction
   │
   ▼
5. NFT minted with license metadata
   │
   ▼
6. Certificate generated with embedded verification QR
   │
   ▼
7. Applicant notified and certificate available for download
```

## Blockchain Integration

Hyperledger Besu serves as the certificate authority:

- **Private network**: Government-controlled nodes, no public exposure
- **Permissioned access**: Only authorized services can mint tokens
- **Smart contract**: ERC-721 implementation for license NFTs
- **Verification API**: Public endpoint for certificate validation

### NFT Structure

```json
{
  "tokenId": "0x...",
  "licenseNumber": "GOA/TRADE/2026/00001",
  "holder": {
    "name": "Applicant Name",
    "identifier": "AADHAAR-XXXX"
  },
  "issuingDepartment": "Department of Trade",
  "issueDate": "2026-02-09",
  "validUntil": "2027-02-08",
  "documentHash": "SHA256:abcd1234..."
}
```

## Security Architecture

| Layer | Controls |
|-------|----------|
| **Network** | HTTPS only, WAF, DDoS protection |
| **Authentication** | JWT tokens, session management, DigiLocker OAuth |
| **Authorization** | Role-based access control, department isolation |
| **Data** | Encryption at rest (AES-256), TLS 1.3 in transit |
| **Application** | Input validation, SQL injection prevention, XSS protection |
| **Audit** | Immutable logs, tamper detection, compliance reporting |
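
The NFT Structure section lists `documentHash`, `issueDate` and `validUntil`; the following added example (not part of the TLAS code base) shows the checks a certificate verifier can run on a downloaded file against that metadata. It assumes `documentHash` is `SHA256:` followed by 64 hex characters computed over the certificate file bytes; `parseDocumentHash`, `verifyCertificate` and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example, not TLAS project code. Function names are hypothetical.
const { createHash } = require('node:crypto');

// Parse the assumed "SHA256:<64 hex chars>" form; anything else is rejected
// rather than truncated or padded, so a malformed record can never match.
function parseDocumentHash(field) {
  const m = /^SHA256:([0-9a-fA-F]{64})$/.exec(String(field));
  return m ? Buffer.from(m[1], 'hex') : null;
}

// Check a certificate file against the token metadata.
// `today` is an ISO date (YYYY-MM-DD) passed in so the result is deterministic.
function verifyCertificate(metadata, documentBytes, today) {
  const expected = parseDocumentHash(metadata.documentHash);
  if (!expected) return { valid: false, reason: 'malformed-hash' };

  // The hash is public data, so a plain byte comparison is sufficient here.
  const actual = createHash('sha256').update(documentBytes).digest();
  if (!actual.equals(expected)) return { valid: false, reason: 'hash-mismatch' };

  // ISO dates compare correctly as strings once their shape is validated.
  const isoDate = /^\d{4}-\d{2}-\d{2}$/;
  const dates = [metadata.issueDate, metadata.validUntil, today];
  if (!dates.every((d) => isoDate.test(String(d)))) {
    return { valid: false, reason: 'malformed-date' };
  }
  if (today < metadata.issueDate) return { valid: false, reason: 'not-yet-valid' };
  if (today > metadata.validUntil) return { valid: false, reason: 'expired' };
  return { valid: true, reason: 'ok' };
}

// Constructed sample input: stand-in certificate bytes and matching metadata.
const sampleDoc = Buffer.from('constructed sample certificate bytes');
const sampleMeta = {
  licenseNumber: 'GOA/TRADE/2026/00001',
  issueDate: '2026-02-09',
  validUntil: '2027-02-08',
  documentHash: 'SHA256:' + createHash('sha256').update(sampleDoc).digest('hex'),
};

console.log(verifyCertificate(sampleMeta, sampleDoc, '2026-06-01'));
console.log(verifyCertificate(sampleMeta, Buffer.from('altered bytes'), '2026-06-01'));
```

The metadata passed to `verifyCertificate` must come from the chain or the Verification API, never from the certificate file itself, otherwise the hash check only compares the file with its own claims.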