feat: issue SD-JWT VC credentials #278

Open
nanderstabel wants to merge 26 commits into beta from feat/dc-sd-jwt

@nanderstabel nanderstabel commented Jan 26, 2026

Description of change

  • SD-JWT VC Format Support: Added dc+sd-jwt credential format alongside existing jwt_vc_json
  • VCT Metadata Endpoint: Added /vct/{credential_configuration_id}/{version} endpoint for SD-JWT VC type metadata
  • Enhanced Credential Configuration: Simplified config structure with type field instead of nested credential_definition (breaking change)
  • When the developer profile is enabled, an "SD-JWT" Credential Configuration is initialized automatically

Technical Improvements:

  • Concrete Types: Replaced Arc<dyn SubjectExt> with Arc<Subject> across services for better type safety

BREAKING CHANGE


  • The credential_definition property has been removed from the configuration of Credential Configurations and the POST /0/credential-configurations endpoint. For Configurations in the config.yaml file, change:
  - credential_configuration_id: example
    format: jwt_vc_json
    credential_definition:
      type:
        - VerifiableCredential

to:

  - credential_configuration_id: example
    format: jwt_vc_json
    type:
      - VerifiableCredential

For requests to the POST /0/credential-configurations endpoint, change:

{
    "credential_configuration_id": "example",
    "format": "jwt_vc_json",
    "credential_definition": {
        "type": ["VerifiableCredential"]
    }
}

to:

{
    "credential_configuration_id": "example",
    "format": "jwt_vc_json",
    "type": ["VerifiableCredential"]
}

Links to any relevant issues

n/a

How the change has been tested

Added test_create_unsigned_credential::case_3_dc_sd_jwt unit test.

For manual testing, follow these steps:

  1. Run ssi-agent with the developer profile enabled
  2. Validate that the Credential Issuer Metadata contains an "SD-JWT" credential configuration:
curl --location 'http://localhost:3033/.well-known/openid-credential-issuer'
  3. Create a new SD-JWT VC Credential:
curl --location 'http://localhost:3033/v0/credentials' \
--header 'Content-Type: application/json' \
--data '{
    "offerId":"001",
    "credentialConfigurationId": "SD-JWT",
    "credential": {
        "first_name": "Ferris",
        "last_name": "Crabman",
        "dob": "1982-01-01"
    },
    "expiresAt": "never"
}'
  4. Create the offer string:
curl --location 'http://localhost:3033/v0/offers' \
--header 'Content-Type: application/json' \
--data '{
    "offerId": "001"
}'
  5. 'Scan' the offer with the latest UniMe version
  6. Accept the Offer

Definition of Done checklist

Add an x to the boxes that are relevant to your changes.

  • I have followed the contribution guidelines for this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have successfully tested this change in a docker environment
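
The breaking change in the description above, as an added example that is not part of the pull request or the project's code: a migration helper that rewrites an old-shape credential configuration (a parsed config.yaml entry or a request body) into the new shape. The names `migrate_credential_configuration` and `MigrationError` are hypothetical, and the helper assumes `type` is the only key that ever lived under `credential_definition`, rejecting anything else rather than dropping it.

```python
import copy


class MigrationError(ValueError):
    """The entry cannot be migrated without dropping or guessing data."""


def migrate_credential_configuration(entry: dict) -> dict:
    """Move credential_definition.type to a top-level type field.

    `entry` is one parsed config.yaml list item or one JSON request body.
    Entries already in the new shape are returned unchanged (idempotent).
    """
    migrated = copy.deepcopy(entry)  # never mutate the caller's data
    if "credential_definition" not in migrated:
        return migrated

    definition = migrated.pop("credential_definition")
    if not isinstance(definition, dict) or "type" not in definition:
        raise MigrationError("credential_definition must be a mapping with a type")

    # The PR documents only the move of `type`; refuse to drop other keys silently.
    extra = sorted(set(definition) - {"type"})
    if extra:
        raise MigrationError(f"unexpected credential_definition keys: {extra}")

    # A half-migrated entry must not carry two different type lists.
    if "type" in migrated and migrated["type"] != definition["type"]:
        raise MigrationError("top-level type conflicts with credential_definition.type")

    migrated["type"] = definition["type"]
    return migrated


# Constructed sample: the old-shape request body from the PR description.
OLD_BODY = {
    "credential_configuration_id": "example",
    "format": "jwt_vc_json",
    "credential_definition": {"type": ["VerifiableCredential"]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_credential_configuration(OLD_BODY), indent=4))
```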

nanderstabel self-assigned this Jan 26, 2026
nanderstabel added labels Jan 26, 2026: Added (a new feature that requires a minor release), BREAKING CHANGE (a change to the API that requires a major release)
nanderstabel force-pushed the feat/dc-sd-jwt branch 2 times, most recently from 6194516 to acf2cf7, January 28, 2026 14:55
codecov-commenter commented Jan 30, 2026

Codecov Report

❌ Patch coverage is 62.57310% with 192 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...t_api_http/src/v0/issuance/ietf_oauth_sd_jwt_vc.rs | 0.00% | 70 Missing ⚠️ |
| agent_issuance/src/credential/aggregate.rs | 78.81% | 57 Missing ⚠️ |
| agent_issuance/src/state.rs | 0.00% | 27 Missing ⚠️ |
| agent_shared/src/config/mod.rs | 0.00% | 15 Missing ⚠️ |
| agent_api_http/src/v0/issuance/error.rs | 0.00% | 10 Missing ⚠️ |
| agent_issuance/src/server_config/aggregate.rs | 47.36% | 10 Missing ⚠️ |
| agent_identity/src/document/aggregate.rs | 0.00% | 3 Missing ⚠️ |

| Files with missing lines | Coverage Δ |
|---|---|
| ...tp/src/v0/issuance/credential_issuer/credential.rs | 97.04% <100.00%> (+0.03%) ⬆️ |
| agent_api_http/src/v0/issuance/mod.rs | 100.00% <100.00%> (ø) |
| agent_authorization/src/services.rs | 100.00% <100.00%> (ø) |
| agent_holder/src/presentation/aggregate.rs | 81.94% <100.00%> (ø) |
| agent_holder/src/services.rs | 85.00% <100.00%> (ø) |
| agent_issuance/src/credential/event.rs | 0.00% <ø> (ø) |
| agent_issuance/src/credential/views/mod.rs | 100.00% <100.00%> (ø) |
| agent_issuance/src/services.rs | 100.00% <100.00%> (ø) |
| agent_secret_manager/src/service.rs | 100.00% <ø> (ø) |
| agent_secret_manager/src/subject.rs | 96.72% <100.00%> (+1.48%) ⬆️ |

... and 9 more

... and 1 file with indirect coverage changes


nanderstabel changed the title from "feat: initialize issuance of SD-JWT credentials" to "feat: issue SD-JWT credentials" Feb 2, 2026

Copilot AI left a comment

Pull request overview

This PR adds support for issuing SD-JWT (Selective Disclosure JSON Web Token) credentials to UniCore. The implementation includes a new credential format (dc+sd-jwt), restructures the credential configuration format, removes the SubjectExt trait abstraction, and adds a VCT (Verifiable Credential Type) metadata endpoint.

Changes:

  • Added SD-JWT credential format support alongside existing jwt_vc_json format
  • Restructured credential configuration from credential_format_with_parameters to separate format and type_ fields (breaking change)
  • Removed SubjectExt trait, using concrete Subject type directly
  • Added JwsSigner implementation for Subject to support SD-JWT signing
  • Added VCT metadata endpoint at /vct/{credential_configuration_id}/{version}
  • Updated dependencies: openid4vc, identity libraries, iota-sdk, did-manager, product_common

Reviewed changes

Copilot reviewed 30 out of 31 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| agent_shared/src/config/mod.rs | Restructured CredentialConfiguration, added AlgorithmExt trait |
| agent_secret_manager/src/subject.rs | Removed SubjectExt, added JwsSigner implementation |
| agent_issuance/src/credential/aggregate.rs | Added SD-JWT credential creation and signing logic |
| agent_issuance/src/server_config/aggregate.rs | Added VCT URL generation for SD-JWT credentials |
| agent_api_http/src/v0/issuance/ietf_oauth_sd_jwt_vc.rs | New VCT metadata endpoint |
| agent_issuance/src/credential/command.rs | Added proof parameter to SignCredential |
| docs/problem-details/issuance.md | Documented unsupported credential format error |
| Cargo.toml | Updated multiple dependencies to support SD-JWT |
| Test files | Added SD-JWT test fixtures and cases |


nanderstabel marked this pull request as ready for review February 2, 2026 13:59
…expires_at in Credential struct and related events
nanderstabel changed the title from "feat: issue SD-JWT credentials" to "feat: issue SD-JWT VC credentials" Feb 3, 2026