OrgEdge
SysEdge — case study · Documenso · e-signature platform

Documenso — five specification gaps in an e-signature platform

Documenso is an open-source DocuSign alternative. We cloned it cold from GitHub, built a domain model from the Prisma schema, seeded a Neo4j graph, and ran SysEdge's AI-powered audit commands. No prior knowledge of the codebase. The findings are real — from the actual source and test files. Token savings are not the story this time. The story is what was never written.

Repo: github.com/documenso/documenso — open-source e-signature platform, TypeScript/Next.js, cloned cold
Tools used: coverage-review (AS-REQ 7-dimension spec audit), audit-test (AS-TEST-UC 7-dimension test quality audit), test-gaps
Time from clone to findings: ~15 minutes. Neo4j + seed: 2 min. Three coverage-review runs: 4 min. One audit-test run: 90 sec. AI calls: haiku model, ~$0.30 total. No prior knowledge of the codebase required.

Finding 1 — No happy-path test for the expiration job

$ python3 cli/sys_edge.py audit-test --uc UC-DOC-004 \ --file packages/app-tests/e2e/envelopes/envelope-expiration-signing.spec.ts [FAIL] AS-TEST-UC-003 UC Test: Happy Path No test exercises the main UC success scenario: scheduled job runs, queries for envelopes with expiresAt in the past, sets status EXPIRED, invalidates signing tokens, fires ENVELOPE_EXPIRED webhook, sends notification emails to sender. → Create a test that seeds a PENDING envelope with expiresAt in the past, invokes the expiration job, and asserts all post-conditions.

Documenso's expiration test suite (envelope-expiration-signing.spec.ts) tests what a recipient sees when trying to sign an expired envelope — the error page, the blocked form. That test is correct and passes. What has no test is the Inngest job handler that actually marks envelopes as expired: expire-recipients-sweep.handler.ts and process-recipient-expired.handler.ts in packages/lib/jobs/definitions/internal/. The entire jobs/ directory has zero test files. The job exists in the code and the UI correctly shows its effects — but whether the job itself runs correctly, handles partial failures, or fires the right webhooks is untested.

Finding 2 — Expiration exception paths never specified

$ python3 cli/sys_edge.py coverage-review --uc UC-DOC-004 [FAIL] AS-REQ-003 Requirements: Exception Coverage UC describes the happy path only. No behaviour specified for: scheduled job exception during status update, webhook endpoint unreachable, email service unavailable, database transaction failing mid-batch (partial token invalidation). → Add exception scenarios for each failure path.
AS-REQ-003 FAIL — Expiration exceptions unspecified
The specification describes what happens when everything works. It does not specify what happens when the database write fails halfway through token invalidation, when the webhook endpoint times out, or when email delivery fails. An e-signature platform where envelope expiration silently fails is a legal liability — time-limited agreements can be signed after their deadline.
AS-REQ-002 FAIL — Authorization boundaries absent
The UC does not state which roles can trigger, configure, or observe envelope expiration. Can an admin manually trigger the job? Can a recipient see that an envelope expired before they received notification? No CASL permission string can be derived from the specification.

Finding 3 — Void envelope exception paths unspecified

AS-REQ-003 FAIL — Void envelope atomicity undefined
The void UC specifies the happy path (status → VOIDED, tokens invalidated, webhook fired) but does not specify: what happens if the envelope is already VOIDED or EXPIRED, whether void is atomic (does the webhook fire even if the DB write fails?), what the minimum/maximum length of the void reason field is, or whether voiding is reversible. For a document with legal standing, "what happens if it goes wrong" must be written down before the code is written.

An envelope that is voided mid-write — status updated, webhook dispatched, but token invalidation interrupted by a database error — leaves signing tokens live against an envelope the sender believes is closed. For a legally-binding document, that is not an edge case. It is precisely the scenario the specification must address first.

Finding 4 — Zero specification derivation in all existing tests

[FAIL] AS-TEST-UC-007 UC Test: Specification Derivation No test function or test class includes a comment tracing it to the UC specification. Test names use the ENVELOPE_EXPIRATION label but none reference UC-DOC-004 main flow steps or acceptance criteria.

None of Documenso's existing Playwright tests contain a comment linking the test to a named specification artefact — a UC step, a precondition, or an acceptance criterion. This is not cosmetic. A test that does not trace to the specification cannot demonstrate that the specification was tested. For a system asserting legal validity of signatures, the ability to say "this test verifies that specification clause" is precisely the evidence a compliance audit requires.

Finding 5 — Test coverage zero across all feature tiers

$ python3 cli/sys_edge.py test-gaps --instance signing ✗ COMPONENT GAPS (14 of 14 features uncovered) MOD-signing Signing Engine (4 gaps) ✗ F-SIG-003 Timestamp authority (TSA) integration ✗ F-SIG-004 Signature validation on completion ✗ USECASE GAPS (14 of 14 features uncovered) MOD-audit Audit Log & Certificate (2 gaps) ✗ F-AUD-001 Document audit log ✗ F-AUD-002 Signing certificate download

The graph shows zero component or integration tests linked to any of the 14 signing features — including F-SIG-003 (TSA timestamping) and F-SIG-004 (signature validation on completion). Documenso has 94 Playwright e2e tests and 3 unit test files (2 for webhook URL validation, 1 for CSS sanitization) — none cover the cryptographic signing pipeline. The include-document-certificate.spec.ts test verifies that a certificate appears in the completed PDF; it does not test signature validity or TSA timestamp integrity.

"The Inngest job handlers that process envelope expiration have no tests. The specification that describes what happens when it fails doesn't exist. Code review can't catch either — because there is no diff for the thing that was never written."

See what your specification is missing

SysEdge runs the same audit commands against your codebase that produced these findings — against a real open-source project with no prior knowledge of the code. The free CLI gives you the graph. The bootstrap kit adds the AI audit commands (coverage-review, audit-test) that surface the gaps.

Get SysEdge → Read the Formbricks case study →
Validated on Documenso — open-source e-signature platform, TypeScript/Next.js

Specification gaps are invisible until they are in the graph.

Five findings from a cold clone. No prior knowledge of the codebase. The Inngest job handlers that process envelope expiration have no tests. The void atomicity is unspecified. The cryptographic pipeline is uncovered at every tier. None of this is visible from the diff — because none of it was written. SysEdge makes the absence of specification a query result, not a discovery after the fact.

No happy-path test for the expiration job
AS-TEST-UC-003 FAIL · job mechanism never exercised
Expiration exception paths unspecified
AS-REQ-003 FAIL · partial token invalidation undefined
Void atomicity undefined
AS-REQ-003 FAIL · legal documents, undefined failure mode
Zero specification derivation in tests
AS-TEST-UC-007 FAIL · no test traces to a UC clause
14 of 14 signing features uncovered
TSA, signature validation — zero test links across all tiers
No diff for what was never written
code review cannot surface what was never specified