Skip to content

add credential pre-flight check against proof requests#404

Merged
chipp merged 3 commits into
mainfrom
vladimirburdukov/add-credential-pre-flight-check-against
May 15, 2026
Merged

add credential pre-flight check against proof requests#404
chipp merged 3 commits into
mainfrom
vladimirburdukov/add-credential-pre-flight-check-against

Conversation

@chipp
Copy link
Copy Markdown
Contributor

@chipp chipp commented May 14, 2026
edited
Loading

Why

Pre-flight check to determine whether the credential store can satisfy a proof request before attempting proof generation. Also validates the structural integrity of the constraint expression, mirroring ProofRequest::validate_response.

What

  • New credential_check module with check_proof_request (uniffi-exported)
  • CredentialCheckError with Storage, ConstraintTooDeep, and ConstraintTooLarge variants
  • CredentialValidation and CredentialItemValidation records expose per-item and overall satisfaction status
  • Evaluates Any/All/Enumerate constraint expressions against non-expired credentials in the store
  • Validates constraint depth ≤ 2 and node count ≤ MAX_CONSTRAINT_NODES before evaluating
  • Exposes genesis_issued_at from the DB in CredentialRecord and uses it together with expires_at to validate RequestItem time constraints, preventing false-positive is_satisfied results
  • 18 unit tests covering all constraint variants, error cases, and edge cases

Risk

Low — additive; the only changes to existing code are exposing genesis_issued_at in CredentialRecord (query + struct) and the credential_check module re-export.

@chipp chipp force-pushed the vladimirburdukov/add-credential-pre-flight-check-against branch from d278ea9 to c711cd9 Compare May 14, 2026 08:28
@chipp chipp marked this pull request as ready for review May 14, 2026 08:42
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c711cd9a6c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread walletkit-core/src/credential_check.rs Outdated
@chipp chipp force-pushed the vladimirburdukov/add-credential-pre-flight-check-against branch 2 times, most recently from ac09045 to a506906 Compare May 14, 2026 11:28
sujoyg
sujoyg reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/lib.rs Outdated
Comment thread walletkit-core/src/credential_check.rs Outdated
Comment thread walletkit-core/src/credential_check.rs Outdated
Comment thread walletkit-core/src/credential_check.rs Outdated
Comment thread walletkit-core/src/credential_check.rs Outdated
@chipp
add credential pre-flight check against proof requests
a24fe97 
- add `credential_check` module with `check_proof_request` function
- evaluate `Any`/`All`/`Enumerate` constraint expressions against non-expired credentials in the store
- expose genesis_issued_at from the DB in CredentialRecord
@chipp chipp force-pushed the vladimirburdukov/add-credential-pre-flight-check-against branch from a506906 to a24fe97 Compare May 15, 2026 13:37
Dzejkop
Dzejkop reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/issuers/recovery_bindings_manager.rs
@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

I've spawned a subagent to inspect the code — will follow up once it has the details.

sujoyg
sujoyg previously approved these changes May 15, 2026
View reviewed changes
@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

I have enough context. Let me reply to the review comment.
Replied! The short answer: the test module uses cache_embedded_groth16_material and Groth16Materials::from_cache (only compiled with embed-zkeys), and #[tokio::test] + mockito (incompatible with wasm32), so both cfg guards are required for the module to compile successfully under all build configurations.

@Dzejkop
Copy link
Copy Markdown
Contributor

Dzejkop commented May 15, 2026

/otto review with GPT 5.5

@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

Kicking off a GPT-5.5 review of PR #404 — I'll let you know when it's done posting comments.

@chipp @claude
fix: resolve CI failures — rustfmt and rustdoc link errors
d3ba7ab 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
agentotto[bot]
agentotto Bot reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs
agentotto[bot]
agentotto Bot reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs
@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

Thanks for the addition — the new API is a useful UX primitive, and the depth/node-limit checks generally mirror the current validate_response behavior. I left inline comments for the correctness cases I think should be addressed before merging, because they can make the pre-flight result diverge from actual proof generation. Aside from those, the time-bound handling follows the circuit’s strict expiry check and the storage query changes look straightforward.

@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

The subagent only completed one turn and hasn't posted any review comments yet. Let me prompt it to continue.
The subagent had only cloned the repo and started reading the diff before stopping. I've nudged it to continue — it'll now read the main new file in full and post inline + summary comments on the PR.

agentotto[bot]
agentotto Bot reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs Outdated
agentotto[bot]
agentotto Bot reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/storage/vault/mod.rs
@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

Continued review pass completed. Note that the branch currently points at d3ba7ab... even though I used the provided a24fe97... context; the relevant code is materially the same apart from formatting/doc-link tweaks. The lib.rs export and the test-only cfg/import changes in authenticator and recovery_bindings_manager look safe. I left a couple of additional inline notes around API docs/test coverage.

@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

The GPT-5.5 review is complete. It posted:

  • 2 inline comments on proof_request_credential_constraints_check.rs:

    1. A docs/implementation mismatch — the module docs say expires_at >= expires_at_min but the circuit requires strict > (i.e. expires_at > expires_at_min), which could give a misleading is_satisfied = true for credentials expiring exactly at the minimum.
    2. A note that the new genesis_issued_at field exposed in CredentialRecord lacks round-trip tests asserting the value is correctly persisted and returned from the DB query.

  • A summary comment at add credential pre-flight check against proof requests #404 (comment) with high-level observations.

@Dzejkop
Copy link
Copy Markdown
Contributor

Dzejkop commented May 15, 2026

@chipp since worldcoin/world-id-protocol#732 is already merged can we simplify

File: walletkit-core/src/proof_request_credential_constraints_check.rs#L139C1-C74

// TODO: replace with `request.0.validate_constraints()?` once

@chipp @claude
fix: address PR review comments
47b4093 
- fix expires_at doc (>= → >) to match circuit strict comparison
- add vault test asserting genesis_issued_at round-trips through list_credentials
- fix broken rustdoc intra-doc links in module-level comments

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@chipp chipp merged commit 4f3667c into main May 15, 2026
16 checks passed
@chipp chipp deleted the vladimirburdukov/add-credential-pre-flight-check-against branch May 15, 2026 16:59
@agentotto
Copy link
Copy Markdown
Contributor

agentotto Bot commented May 15, 2026

PR #404 merged — nothing to do on my end. 🎉

@wld-walletkit-bot wld-walletkit-bot mentioned this pull request May 15, 2026
Merged
paolodamico
paolodamico reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs
paolodamico
paolodamico reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs
paolodamico
paolodamico reviewed May 15, 2026
View reviewed changes
Comment thread walletkit-core/src/proof_request_credential_constraints_check.rs
@chipp chipp mentioned this pull request May 18, 2026
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paolodamico paolodamico paolodamico left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@agentotto agentotto[bot] agentotto[bot] left review comments

@Dzejkop Dzejkop Dzejkop approved these changes

@sujoyg sujoyg sujoyg left review comments

@danielle-tfh danielle-tfh Awaiting requested review from danielle-tfh

@Takaros999 Takaros999 Awaiting requested review from Takaros999

@gbrickley gbrickley Awaiting requested review from gbrickley

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@chipp @Dzejkop @sujoyg @paolodamico