feat(templates): enforce template usage, validate against schema

[daniel-mader]

Description of change

• Templates are required for credential issuance.
• Credential configurations are manged implicitly through the templates.
• Nested structures (such as in Open Badges 3.0) are flattened.
• Some properties in the JSON Schema can be marked as "immutable" through schema_properties_attributes, so they are locked and can never be altered/removed.

BREAKING CHANGE

Require templateId when creating a credential. The two fields data_model and holder_type become immutable after the initial template creation.

Links to any relevant issues

Be sure to reference any related issues by adding fixes issue #.

How the change has been tested

Describe the tests that you ran to verify your changes.
Make sure to provide instructions for the maintainer as well as any relevant configurations.

Definition of Done checklist

Add an x to the boxes that are relevant to your changes.

• I have followed the contribution guidelines for this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have successfully tested this change in a docker environment

[codecov-commenter]

Codecov Report

❌ Patch coverage is 84.86974% with 151 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
agent_api_http/src/v0/issuance/credentials.rs	76.10%	38 Missing ⚠️
agent_application/src/lib.rs	0.00%	36 Missing ⚠️
agent_api_http/src/v0/library/error.rs	0.00%	25 Missing ⚠️
...application/credential_configuration_projection.rs	94.33%	21 Missing ⚠️
agent_library/src/template/aggregate.rs	94.05%	18 Missing ⚠️
agent_api_http/src/lib.rs	0.00%	6 Missing ⚠️
agent_api_http/src/v0/templates/mod.rs	16.66%	5 Missing ⚠️
agent_library/src/template/views/mod.rs	83.33%	1 Missing ⚠️
agent_store/src/lib.rs	66.66%	1 Missing ⚠️

Files with missing lines	Coverage Δ
...v0/authorization/authorization_server/authorize.rs	100.00% <ø> (ø)
...p/src/v0/authorization/authorization_server/par.rs	100.00% <ø> (ø)
...src/v0/authorization/authorization_server/token.rs	95.45% <ø> (ø)
...tp/src/v0/issuance/credential_issuer/credential.rs	97.02% <100.00%> (ø)
.../src/v0/issuance/credential_issuer/notification.rs	98.94% <100.00%> (+0.02%)	⬆️
...v0/issuance/credential_issuer/token_status_list.rs	98.13% <100.00%> (+0.01%)	⬆️
...al_issuer/well_known/oauth_authorization_server.rs	97.61% <100.00%> (+0.11%)	⬆️
...tial_issuer/well_known/openid_credential_issuer.rs	97.14% <100.00%> (+0.17%)	⬆️
agent_api_http/src/v0/issuance/mod.rs	100.00% <100.00%> (ø)
agent_api_http/src/v0/issuance/nonce/mod.rs	100.00% <100.00%> (ø)
... and 14 more

... and 4 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coplat]

These errors should be added to the problem details documentation. The type_url's should be "library#..." instead of "templates#".

[coplat]

The match arm skips Draft and Deleted but implicitly allows Published and Archived. Should this be intended for Archived?

[daniel-mader]

We should indeed treat "Archived" as "read-only", but that has more implications. We're not actively supporting that at the moment, so we can leave it as is for now and properly cover it in an upcoming task. The main goal for now is to keep the credential configurations and template updates in sync.

[coplat]

this test fn seems to only be called by test_merge_open_badges_defaults_into_empty_schema. but since the actual production code seems to be using validate_open_badges_required_properties as opposed to this auto-merge logic, I think this could be removed as it doesn't reflect the actual production code

[nanderstabel]

Edit: nvm the comment below, I figured out I had to update the status to published 👌

When I Create a new Template:

curl --location 'http://localhost:3033/v0/templates/create-template' \
--header 'Content-Type: application/json' \
--header 'X-API-KEY: {{API_KEY}}' \
--data '{
    "title": "My Example Template",
    "credentialFormat": "w3c_vc_data_model_v1-1",
    "holderType": "organization"
}'

I assumed that a corresponding Credential Configuration would be created and included to the Credential Issuer Metadata, but when I hit:

curl --location 'http://localhost:3033/.well-known/openid-credential-issuer' \
--header 'X-API-KEY: {{API_KEY}}'

No new Credential Configuration (with title "My Example Template") is included in the Metadata. Is this expected, should I somehow trigger a Syncing command explicitly?

[nanderstabel]

The event types can now also be removed from ssi-agent/agent_event_publisher_http/README.md

[nanderstabel]

For OpenBadges, the type value should be an array where the first item must be "VerifiableCredential" and the second item must me either "OpenBadgeCredential" OR "AchievementCredential" (I think in most cases we default to "OpenBadgeCredential") (see: https://www.imsglobal.org/spec/ob/v3p0#achievementcredential)

[nanderstabel]

All these type_urls are supposed to point to a specific Problem Details, but there is no description for them in the /docs/problem-details/library.md file

[nanderstabel]

Not only the Credentials Endpoint includes the credential_configuration_id but also the Offers Endpoint includes the credential_configuration_ids property (in agent_api_http/src/v0/issuance/offers/mod.rs), which is only used for the JIT Credentials flow. I think for consistency it should be removed there as well (or for now add a TODO comment so we can address that at a later point).

[nanderstabel]

Since this PR makes makes Credential Configurations unusable in the API, it also does not make sense anymore to initialize those 'default' Credential Configurations on startup, so imo fn update_credential_configurations in agent_issuance/src/state.rs should be completely removed 🥳

[nanderstabel]

If the provided properties look like this:

"properties": {
            "age": {},
            "name": {}
}

then the claim path pointers will look like this:

• ["age"]
• [name"]

but especially since this code is only executed when format == "vc+sd-jwt", it's more likely that the claim pat pointers end up as:

• ["credentialSubject", "age"]
• ["credentialSubject", name"]

[nanderstabel]

Why only build claims when format == "vc+sd-jwt"? I think you can make it work for "dc+sd-jwt" as well if you rewrite this part to something like this:

    let claims = if format == "vc+sd-jwt" {
        build_claims_from_schema(template, "credentialSubject."])
    } else if format == "dc+sd-jwt" {
        build_claims_from_schema(template, "")
    } else {
        None
    };

where "credentialSubject." can be prepended to key to create the path_elements in fn build_claims_from_schema

related: https://github.com/impierce/ssi-agent/pull/330/changes#r3220225971