From 3a026f5c10bbdc816c50f1d9ca8478c75dfb7219 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:11:44 -0300
Subject: [PATCH 01/11] feat: add docmdp_level column to libresign_file table

- Add migration to create docmdp_level column (SMALLINT, default 0)
- Add docmdpLevel property to File entity with getters/setters
- Add getDocmdpLevelEnum() and setDocmdpLevelEnum() methods
- DocMDP levels: 0=not certified, 1=no changes, 2=form fill, 3=annotations

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/Db/File.php                               | 12 +++++
 .../Version15001Date20251214000000.php        | 46 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 lib/Migration/Version15001Date20251214000000.php

diff --git a/lib/Db/File.php b/lib/Db/File.php
index 856df3dc3e..07c112f51c 100644
--- a/lib/Db/File.php
+++ b/lib/Db/File.php
@@ -41,6 +41,8 @@
  * @method int getModificationStatus()
  * @method void setSignatureFlow(int $signatureFlow)
  * @method int getSignatureFlow()
+ * @method void setDocmdpLevel(int $docmdpLevel)
+ * @method int getDocmdpLevel()
  */
 class File extends Entity {
 	protected int $nodeId = 0;
@@ -56,6 +58,7 @@ class File extends Entity {
 	protected ?array $metadata = null;
 	protected int $modificationStatus = 0;
 	protected int $signatureFlow = SignatureFlow::NUMERIC_PARALLEL;
+	protected int $docmdpLevel = 0;
 	public const STATUS_NOT_LIBRESIGN_FILE = -1;
 	public const STATUS_DRAFT = 0;
 	public const STATUS_ABLE_TO_SIGN = 1;
@@ -83,6 +86,7 @@ public function __construct() {
 		$this->addType('metadata', Types::JSON);
 		$this->addType('modificationStatus', Types::SMALLINT);
 		$this->addType('signatureFlow', Types::SMALLINT);
+		$this->addType('docmdpLevel', Types::SMALLINT);
 	}
 
 	public function isDeletedAccount(): bool {
@@ -102,4 +106,12 @@ public function getSignatureFlowEnum(): \OCA\Libresign\Enum\SignatureFlow {
 	public function setSignatureFlowEnum(\OCA\Libresign\Enum\SignatureFlow $flow): void {
 		$this->setSignatureFlow($flow->toNumeric());
 	}
+
+	public function getDocmdpLevelEnum(): \OCA\Libresign\Enum\DocMdpLevel {
+		return \OCA\Libresign\Enum\DocMdpLevel::tryFrom($this->docmdpLevel) ?? \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+	}
+
+	public function setDocmdpLevelEnum(\OCA\Libresign\Enum\DocMdpLevel $level): void {
+		$this->setDocmdpLevel($level->value);
+	}
 }
diff --git a/lib/Migration/Version15001Date20251214000000.php b/lib/Migration/Version15001Date20251214000000.php
new file mode 100644
index 0000000000..17f049940c
--- /dev/null
+++ b/lib/Migration/Version15001Date20251214000000.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+/**
+ * Add DocMDP level support per file
+ * - Adds 'docmdp_level' column to libresign_file table to store DocMDP certification level per file
+ */
+class Version15001Date20251214000000 extends SimpleMigrationStep {
+	/**
+	 * @param IOutput $output
+	 * @param Closure(): ISchemaWrapper $schemaClosure
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	#[\Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if ($schema->hasTable('libresign_file')) {
+			$tableFile = $schema->getTable('libresign_file');
+			if (!$tableFile->hasColumn('docmdp_level')) {
+				$tableFile->addColumn('docmdp_level', Types::SMALLINT, [
+					'notnull' => true,
+					'default' => 0,
+					'comment' => 'DocMDP permission level for this file: 0=none, 1=no changes, 2=form fill, 3=form fill + annotations',
+				]);
+			}
+		}
+
+		return $schema;
+	}
+}

From cff28b6ceb0ae1af588940b6c0dc1b7f6749abc0 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:12:12 -0300
Subject: [PATCH 02/11] feat: save DocMDP level from global config to file on
 creation

- Add DocMdpConfigService dependency to RequestSignatureService
- Create setDocMdpLevelFromGlobalConfig() method
- Save admin DocMDP configuration to file entity on creation
- Allows per-file DocMDP configuration instead of only global

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/Service/RequestSignatureService.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/Service/RequestSignatureService.php b/lib/Service/RequestSignatureService.php
index a57ec9b313..3308a1540a 100644
--- a/lib/Service/RequestSignatureService.php
+++ b/lib/Service/RequestSignatureService.php
@@ -56,6 +56,7 @@ public function __construct(
 		protected IEventDispatcher $eventDispatcher,
 		protected FileStatusService $fileStatusService,
 		protected SignRequestStatusService $signRequestStatusService,
+		protected DocMdpConfigService $docMdpConfigService,
 	) {
 	}
 
@@ -128,6 +129,8 @@ public function saveFile(array $data): FileEntity {
 			$this->setSignatureFlowFromGlobalConfig($file);
 		}
 
+		$this->setDocMdpLevelFromGlobalConfig($file);
+
 		$this->fileMapper->insert($file);
 		return $file;
 	}
@@ -138,6 +141,13 @@ private function setSignatureFlowFromGlobalConfig(FileEntity $file): void {
 		$file->setSignatureFlowEnum($globalFlow);
 	}
 
+	private function setDocMdpLevelFromGlobalConfig(FileEntity $file): void {
+		if ($this->docMdpConfigService->isEnabled()) {
+			$docmdpLevel = $this->docMdpConfigService->getLevel();
+			$file->setDocmdpLevelEnum($docmdpLevel);
+		}
+	}
+
 	private function getFileMetadata(\OCP\Files\Node $node): array {
 		$metadata = [];
 		if ($extension = strtolower($node->getExtension())) {

From 8acb7f8576d3b152d987b5c536b8f9387fe4fae2 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:12:26 -0300
Subject: [PATCH 03/11] feat: validate DocMDP per file before signing

- Update validateDocMdpAllowsSignatures() to check file's docmdpLevel first
- Falls back to PDF extraction for legacy files (level 0)
- Throws consistent error message for DocMDP level 1
- Prevents adding signatures to certified documents with no changes allowed

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/Service/SignFileService.php | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/lib/Service/SignFileService.php b/lib/Service/SignFileService.php
index 5c167e7813..0d517059b3 100644
--- a/lib/Service/SignFileService.php
+++ b/lib/Service/SignFileService.php
@@ -338,17 +338,28 @@ public function sign(): File {
 	 * @throws LibresignException If the document has DocMDP level 1 (no changes allowed)
 	 */
 	protected function validateDocMdpAllowsSignatures(): void {
-		$resource = $this->getLibreSignFileAsResource();
+		$docmdpLevel = $this->libreSignFile->getDocmdpLevelEnum();
 
-		try {
-			if (!$this->docMdpHandler->allowsAdditionalSignatures($resource)) {
-				throw new LibresignException(
-					$this->l10n->t('This document has been certified with no changes allowed, so no additional signatures can be added.'),
-					AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
-				);
+		if ($docmdpLevel === \OCA\Libresign\Enum\DocMdpLevel::CERTIFIED_NO_CHANGES_ALLOWED) {
+			throw new LibresignException(
+				$this->l10n->t('This document has been certified with no changes allowed. You cannot add more signers to this document.'),
+				AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
+			);
+		}
+
+		if ($docmdpLevel === \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED) {
+			$resource = $this->getLibreSignFileAsResource();
+
+			try {
+				if (!$this->docMdpHandler->allowsAdditionalSignatures($resource)) {
+					throw new LibresignException(
+						$this->l10n->t('This document has been certified with no changes allowed. You cannot add more signers to this document.'),
+						AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
+					);
+				}
+			} finally {
+				fclose($resource);
 			}
-		} finally {
-			fclose($resource);
 		}
 	}
 

From c43159c777e95cdfd46e3da7637249742d3ee42a Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:13:21 -0300
Subject: [PATCH 04/11] feat: include docmdpLevel in API responses

- Add docmdp_level to SELECT and GROUP BY in SignRequestMapper
- Format docmdpLevel as integer in API response
- Add docmdpLevel to FileService::loadLibreSignData()
- Ensures frontend receives per-file DocMDP configuration

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/Db/SignRequestMapper.php | 4 ++++
 lib/Service/FileService.php  | 1 +
 2 files changed, 5 insertions(+)

diff --git a/lib/Db/SignRequestMapper.php b/lib/Db/SignRequestMapper.php
index e1da090b47..afb4046e26 100644
--- a/lib/Db/SignRequestMapper.php
+++ b/lib/Db/SignRequestMapper.php
@@ -502,6 +502,7 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 				'f.metadata',
 				'f.created_at',
 				'f.signature_flow',
+				'f.docmdp_level',
 			)
 				->groupBy(
 					'f.id',
@@ -513,6 +514,7 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 					'f.status',
 					'f.created_at',
 					'f.signature_flow',
+					'f.docmdp_level',
 				);
 			// metadata is a json column, the right way is to use f.metadata::text
 			// when the database is PostgreSQL. The problem is that the command
@@ -624,12 +626,14 @@ private function formatListRow(array $row): array {
 
 		$row['name'] = $this->removeExtensionFromName($row['name'], $row['metadata']);
 		$row['signatureFlow'] = SignatureFlow::fromNumeric((int)($row['signature_flow']))->value;
+		$row['docmdpLevel'] = (int)($row['docmdp_level'] ?? 0);
 
 		unset(
 			$row['user_id'],
 			$row['node_id'],
 			$row['signed_node_id'],
 			$row['signature_flow'],
+			$row['docmdp_level'],
 		);
 		return $row;
 	}
diff --git a/lib/Service/FileService.php b/lib/Service/FileService.php
index e75cb9f845..1d0ed76c0b 100644
--- a/lib/Service/FileService.php
+++ b/lib/Service/FileService.php
@@ -712,6 +712,7 @@ private function loadLibreSignData(): void {
 		$this->fileData->statusText = $this->fileMapper->getTextOfStatus($this->file->getStatus());
 		$this->fileData->nodeId = $this->file->getNodeId();
 		$this->fileData->signatureFlow = $this->file->getSignatureFlow();
+		$this->fileData->docmdpLevel = $this->file->getDocmdpLevel();
 
 		$this->fileData->requested_by = [
 			'userId' => $this->file->getUserId(),

From 99e2c0258ab8fc5b03c70b57f893fe224335bf03 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:13:51 -0300
Subject: [PATCH 05/11] feat: block adding signers when DocMDP level 1 is set

- Add isDocMdpNoChangesAllowed() method to files store
- Update canAddSigner() to check DocMDP level 1 with existing signers
- Only blocks after first signer is added (not before)
- Encapsulates logic in reusable method

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 src/store/files.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/store/files.js b/src/store/files.js
index 0b210bc129..c9efae2836 100644
--- a/src/store/files.js
+++ b/src/store/files.js
@@ -133,6 +133,11 @@ export const useFilesStore = function(...args) {
 			},
 			canAddSigner(file) {
 				file = this.getFile(file)
+
+				if (this.isDocMdpNoChangesAllowed(file)) {
+					return false
+				}
+
 				return this.canRequestSign
 					&& (
 						!Object.hasOwn(file, 'requested_by')
@@ -141,6 +146,10 @@ export const useFilesStore = function(...args) {
 					&& !this.isPartialSigned(file)
 					&& !this.isFullSigned(file)
 			},
+			isDocMdpNoChangesAllowed(file) {
+				file = this.getFile(file)
+				return file.docmdpLevel === 1 && file.signers && file.signers.length > 0
+			},
 			canSave(file) {
 				file = this.getFile(file)
 				return this.canRequestSign

From 5689200ba3567c9eabc6be779a0e97c445408d62 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:14:09 -0300
Subject: [PATCH 06/11] feat: show warning when DocMDP prevents adding signers

- Add NcNoteCard warning message for DocMDP level 1
- Add showDocMdpWarning computed property
- Warning only shows when button is hidden
- Prevents UI flash during state transitions
- Uses consistent error message with backend

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 src/Components/RightSidebar/RequestSignatureTab.vue | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/Components/RightSidebar/RequestSignatureTab.vue b/src/Components/RightSidebar/RequestSignatureTab.vue
index 3391749c23..e8ea7a1a83 100644
--- a/src/Components/RightSidebar/RequestSignatureTab.vue
+++ b/src/Components/RightSidebar/RequestSignatureTab.vue
@@ -4,6 +4,9 @@
 -->
 <template>
 	<div id="request-signature-tab">
+		<NcNoteCard v-if="showDocMdpWarning" type="warning">
+			{{ t('libresign', 'This document has been certified with no changes allowed. You cannot add more signers to this document.') }}
+		</NcNoteCard>
 		<NcButton v-if="filesStore.canAddSigner()"
 			:variant="hasSigners ? 'secondary' : 'primary'"
 			@click="addSigner">
@@ -209,6 +212,7 @@ import NcDialog from '@nextcloud/vue/components/NcDialog'
 import NcIconSvgWrapper from '@nextcloud/vue/components/NcIconSvgWrapper'
 import NcLoadingIcon from '@nextcloud/vue/components/NcLoadingIcon'
 import NcModal from '@nextcloud/vue/components/NcModal'
+import NcNoteCard from '@nextcloud/vue/components/NcNoteCard'
 
 import IdentifySigner from '../Request/IdentifySigner.vue'
 import VisibleElements from '../Request/VisibleElements.vue'
@@ -247,6 +251,7 @@ export default {
 		NcIconSvgWrapper,
 		NcLoadingIcon,
 		NcModal,
+		NcNoteCard,
 		NcDialog,
 		Delete,
 		Draw,
@@ -292,6 +297,9 @@ export default {
 		isOrderedNumeric() {
 			return this.signatureFlow === 'ordered_numeric'
 		},
+		showDocMdpWarning() {
+			return this.filesStore.isDocMdpNoChangesAllowed() && !this.filesStore.canAddSigner()
+		},
 		canEditSigningOrder() {
 			return (signer) => {
 				return this.isOrderedNumeric

From 4073b0c22471de00356f8dbde54301e32ede5643 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:14:56 -0300
Subject: [PATCH 07/11] chore: bump version

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 appinfo/info.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appinfo/info.xml b/appinfo/info.xml
index cbc81d6d17..2f7f30187c 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -25,7 +25,7 @@ Developed with ❤️ by [LibreCode](https://librecode.coop). Help us transform
 
 * [Donate with GitHub Sponsor: ![Donate using GitHub Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&color=%23fe8e86)](https://github.com/sponsors/libresign)
 	]]></description>
-	<version>13.0.0-dev.2</version>
+	<version>13.0.0-dev.3</version>
 	<licence>agpl</licence>
 	<author mail="contact@librecode.coop" homepage="https://librecode.coop">LibreCode</author>
 	<types>

From 114b4eabd168a6833ab592eb8c39f4cdc856ad2d Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:31:34 -0300
Subject: [PATCH 08/11] test: fix unit tests for DocMDP per-file feature

- Add docmdpLevel to LibresignValidateFile schema in ResponseDefinitions
- Add DocMdpConfigService mock to RequestSignatureServiceTest
- Fix constructor parameter order in RequestSignatureServiceTest
- Mock validateDocMdpAllowsSignatures in SignFileServiceTest
- Mock getDocmdpLevelEnum to return NOT_CERTIFIED in test scenarios
- Fixes OpenAPI schema validation errors
- Fixes ArgumentCountError in RequestSignatureService tests
- Fixes enum mocking issues in SignFileService tests

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/ResponseDefinitions.php                   |  1 +
 .../Service/RequestSignatureServiceTest.php   |  4 +++
 .../php/Unit/Service/SignFileServiceTest.php  | 35 +++++++++++++++++++
 3 files changed, 40 insertions(+)

diff --git a/lib/ResponseDefinitions.php b/lib/ResponseDefinitions.php
index 2b40542a06..a8b88477ff 100644
--- a/lib/ResponseDefinitions.php
+++ b/lib/ResponseDefinitions.php
@@ -187,6 +187,7 @@
  *     statusText: string,
  *     nodeId: non-negative-int,
  *     signatureFlow: int,
+ *     docmdpLevel: int,
  *     totalPages: non-negative-int,
  *     size: non-negative-int,
  *     pdfVersion: string,
diff --git a/tests/php/Unit/Service/RequestSignatureServiceTest.php b/tests/php/Unit/Service/RequestSignatureServiceTest.php
index da78cc2579..4aca01c0fa 100644
--- a/tests/php/Unit/Service/RequestSignatureServiceTest.php
+++ b/tests/php/Unit/Service/RequestSignatureServiceTest.php
@@ -13,6 +13,7 @@
 use OCA\Libresign\Db\SignRequestMapper;
 use OCA\Libresign\Handler\DocMdpHandler;
 use OCA\Libresign\Helper\ValidateHelper;
+use OCA\Libresign\Service\DocMdpConfigService;
 use OCA\Libresign\Service\FileElementService;
 use OCA\Libresign\Service\FileStatusService;
 use OCA\Libresign\Service\FolderService;
@@ -56,6 +57,7 @@ final class RequestSignatureServiceTest extends \OCA\Libresign\Tests\Unit\TestCa
 	private IEventDispatcher&MockObject $eventDispatcher;
 	private FileStatusService&MockObject $fileStatusService;
 	private SignRequestStatusService&MockObject $signRequestStatusService;
+	private DocMdpConfigService&MockObject $docMdpConfigService;
 
 	public function setUp(): void {
 		parent::setUp();
@@ -85,6 +87,7 @@ public function setUp(): void {
 		$this->eventDispatcher = $this->createMock(IEventDispatcher::class);
 		$this->fileStatusService = $this->createMock(FileStatusService::class);
 		$this->signRequestStatusService = $this->createMock(SignRequestStatusService::class);
+		$this->docMdpConfigService = $this->createMock(DocMdpConfigService::class);
 	}
 
 	private function getService(?SequentialSigningService $sequentialSigningService = null): RequestSignatureService {
@@ -109,6 +112,7 @@ private function getService(?SequentialSigningService $sequentialSigningService
 			$this->eventDispatcher,
 			$this->fileStatusService,
 			$this->signRequestStatusService,
+			$this->docMdpConfigService,
 		);
 	}
 
diff --git a/tests/php/Unit/Service/SignFileServiceTest.php b/tests/php/Unit/Service/SignFileServiceTest.php
index c18ebfeeaf..e77bf0b64e 100644
--- a/tests/php/Unit/Service/SignFileServiceTest.php
+++ b/tests/php/Unit/Service/SignFileServiceTest.php
@@ -278,11 +278,13 @@ public function testSignGenerateASha256OfSignedFile(string $signedContent):void
 			'getEngine',
 			'setNewStatusIfNecessary',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn($signedContent);
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
 
 		$pkcs12Handler = $this->createMock(Pkcs12Handler::class);
 		$pkcs12Handler->method('sign')->willReturn($nextcloudFile);
@@ -301,6 +303,8 @@ public function testSignGenerateASha256OfSignedFile(string $signedContent):void
 					return 1;
 				case 'getSigningOrder':
 					return 1;
+				case 'getDocmdpLevelEnum':
+					return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
 				default: return null;
 			}
 		};
@@ -330,11 +334,13 @@ public function testUpdateDatabaseWhenSign(): void {
 			'setNewStatusIfNecessary',
 			'computeHash',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
 
 		$this->fileMapper->expects($this->once())->method('update');
 		$this->signRequestMapper->expects($this->once())->method('update');
@@ -350,6 +356,12 @@ public function testUpdateDatabaseWhenSign(): void {
 			}
 		});
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('__call')->willReturnCallback(function ($method) {
+			if ($method === 'getDocmdpLevelEnum') {
+				return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+			}
+			return null;
+		});
 
 		$service
 			->setSignRequest($signRequest)
@@ -363,11 +375,13 @@ public function testDispatchEventWhenSign(): void {
 			'setNewStatusIfNecessary',
 			'computeHash',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
 
 		$this->eventDispatcher
 			->expects($this->once())
@@ -385,6 +399,12 @@ public function testDispatchEventWhenSign(): void {
 			}
 		});
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('__call')->willReturnCallback(function ($method) {
+			if ($method === 'getDocmdpLevelEnum') {
+				return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+			}
+			return null;
+		});
 
 		$service
 			->setSignRequest($signRequest)
@@ -1227,7 +1247,18 @@ public function testSignThrowsExceptionWhenDocMdpLevel1Detected(): void {
 		$service->method('getEngine')->willReturn($engineMock);
 
 		$signRequest = $this->createMock(SignRequest::class);
+		$signRequest->method('__call')->willReturnCallback(function ($method) {
+			switch ($method) {
+				case 'getFileId':
+					return 1;
+				case 'getSigningOrder':
+					return 1;
+				default: return null;
+			}
+		});
+		
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('getDocmdpLevelEnum')->willReturn(\OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED);
 
 		$service
 			->setSignRequest($signRequest)
@@ -1255,6 +1286,10 @@ public function testValidateDocMdpAllowsSignaturesWithVariousPdfFixtures(
 
 		$service->method('getLibreSignFileAsResource')->willReturn($resource);
 
+		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('getDocmdpLevelEnum')->willReturn(\OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED);
+		$service->setLibreSignFile($libreSignFile);
+
 		self::invokePrivate($service, 'validateDocMdpAllowsSignatures');
 	}
 

From d23ae7b51cf9ed2bafdd28ebbe7738d4bca1d347 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:33:21 -0300
Subject: [PATCH 09/11] fix: cs

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 tests/php/Unit/Service/SignFileServiceTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/php/Unit/Service/SignFileServiceTest.php b/tests/php/Unit/Service/SignFileServiceTest.php
index e77bf0b64e..3995bd1c91 100644
--- a/tests/php/Unit/Service/SignFileServiceTest.php
+++ b/tests/php/Unit/Service/SignFileServiceTest.php
@@ -1256,7 +1256,7 @@ public function testSignThrowsExceptionWhenDocMdpLevel1Detected(): void {
 				default: return null;
 			}
 		});
-		
+
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
 		$libreSignFile->method('getDocmdpLevelEnum')->willReturn(\OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED);
 

From 3beca7f23e40ab2d0dddf7c6161ea0b2f109df54 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:34:05 -0300
Subject: [PATCH 10/11] chore: add docblock of openapi.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 openapi-full.json                 | 5 +++++
 openapi.json                      | 5 +++++
 src/types/openapi/openapi-full.ts | 2 ++
 src/types/openapi/openapi.ts      | 2 ++
 4 files changed, 14 insertions(+)

diff --git a/openapi-full.json b/openapi-full.json
index 3aaf844a4b..de9ee08dc6 100644
--- a/openapi-full.json
+++ b/openapi-full.json
@@ -1013,6 +1013,7 @@
                     "statusText",
                     "nodeId",
                     "signatureFlow",
+                    "docmdpLevel",
                     "totalPages",
                     "size",
                     "pdfVersion",
@@ -1050,6 +1051,10 @@
                         "type": "integer",
                         "format": "int64"
                     },
+                    "docmdpLevel": {
+                        "type": "integer",
+                        "format": "int64"
+                    },
                     "totalPages": {
                         "type": "integer",
                         "format": "int64",
diff --git a/openapi.json b/openapi.json
index ae39e7a0b4..217121894d 100644
--- a/openapi.json
+++ b/openapi.json
@@ -863,6 +863,7 @@
                     "statusText",
                     "nodeId",
                     "signatureFlow",
+                    "docmdpLevel",
                     "totalPages",
                     "size",
                     "pdfVersion",
@@ -900,6 +901,10 @@
                         "type": "integer",
                         "format": "int64"
                     },
+                    "docmdpLevel": {
+                        "type": "integer",
+                        "format": "int64"
+                    },
                     "totalPages": {
                         "type": "integer",
                         "format": "int64",
diff --git a/src/types/openapi/openapi-full.ts b/src/types/openapi/openapi-full.ts
index 62aa3199dd..d62a0f5623 100644
--- a/src/types/openapi/openapi-full.ts
+++ b/src/types/openapi/openapi-full.ts
@@ -1759,6 +1759,8 @@ export type components = {
             /** Format: int64 */
             signatureFlow: number;
             /** Format: int64 */
+            docmdpLevel: number;
+            /** Format: int64 */
             totalPages: number;
             /** Format: int64 */
             size: number;
diff --git a/src/types/openapi/openapi.ts b/src/types/openapi/openapi.ts
index 89d12c914f..70783f69de 100644
--- a/src/types/openapi/openapi.ts
+++ b/src/types/openapi/openapi.ts
@@ -1281,6 +1281,8 @@ export type components = {
             /** Format: int64 */
             signatureFlow: number;
             /** Format: int64 */
+            docmdpLevel: number;
+            /** Format: int64 */
             totalPages: number;
             /** Format: int64 */
             size: number;

From 50b66c4f793b7c5153c5dc97e34d674c5e6a8a36 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Sun, 14 Dec 2025 16:37:22 -0300
Subject: [PATCH 11/11] fix: unit tests

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 tests/php/Unit/Service/RequestSignatureServiceTest.php | 4 ++--
 tests/php/Unit/Service/SignFileServiceTest.php         | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/php/Unit/Service/RequestSignatureServiceTest.php b/tests/php/Unit/Service/RequestSignatureServiceTest.php
index 4aca01c0fa..414927c50b 100644
--- a/tests/php/Unit/Service/RequestSignatureServiceTest.php
+++ b/tests/php/Unit/Service/RequestSignatureServiceTest.php
@@ -90,7 +90,7 @@ public function setUp(): void {
 		$this->docMdpConfigService = $this->createMock(DocMdpConfigService::class);
 	}
 
-	private function getService(?SequentialSigningService $sequentialSigningService = null): RequestSignatureService {
+	private function getService(): RequestSignatureService {
 		return new RequestSignatureService(
 			$this->l10n,
 			$this->identifyMethodService,
@@ -107,7 +107,7 @@ private function getService(?SequentialSigningService $sequentialSigningService
 			$this->client,
 			$this->docMdpHandler,
 			$this->loggerInterface,
-			$sequentialSigningService ?? $this->sequentialSigningService,
+			$this->sequentialSigningService,
 			$this->appConfig,
 			$this->eventDispatcher,
 			$this->fileStatusService,
diff --git a/tests/php/Unit/Service/SignFileServiceTest.php b/tests/php/Unit/Service/SignFileServiceTest.php
index 3995bd1c91..415f2a397a 100644
--- a/tests/php/Unit/Service/SignFileServiceTest.php
+++ b/tests/php/Unit/Service/SignFileServiceTest.php
@@ -284,7 +284,7 @@ public function testSignGenerateASha256OfSignedFile(string $signedContent):void
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn($signedContent);
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
-		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$pkcs12Handler = $this->createMock(Pkcs12Handler::class);
 		$pkcs12Handler->method('sign')->willReturn($nextcloudFile);
@@ -340,7 +340,7 @@ public function testUpdateDatabaseWhenSign(): void {
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
-		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$this->fileMapper->expects($this->once())->method('update');
 		$this->signRequestMapper->expects($this->once())->method('update');
@@ -381,7 +381,7 @@ public function testDispatchEventWhenSign(): void {
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
-		$service->method('validateDocMdpAllowsSignatures')->willReturn(null);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$this->eventDispatcher
 			->expects($this->once())