Qa - Sign and verify feature

[RinkalBhojani]

Summary by CodeRabbit

• New Features

  • Added endpoints and support for signing data and verifying signatures via the agent service, including new DTOs and validation for W3C credentials and raw data.
  • Introduced a custom validation pipe allowing per-class validation overrides.

• Bug Fixes

  • Improved validation and error handling for wallet deletion and tenant creation.
  • Enhanced query filtering for organization agent invitations.

• Refactor

  • Migrated Dockerfiles to use Alpine-based Node images for smaller and more efficient builds.
  • Improved code formatting, consistency, and parameter handling across several modules.

• Chores

  • Updated environment and configuration files for clarity and consistency.
  • Replaced and restructured GitHub issue templates for bug reports and feature requests.

• Documentation

  • Added new response messages for agent signing and verification actions.

[coderabbitai]

Walkthrough

This update introduces new agent signature and verification features, adding endpoints and DTOs for signing and verifying data and credentials. Dockerfiles are migrated to Alpine-based images, and environment/configuration files are refined. Issue templates are restructured to use YAML forms. Minor improvements include a custom validation pipe, refactored repository queries, and enhanced response messages.

Changes

File(s)	Change Summary
.env.demo, agent.env	Minor formatting and value adjustments to environment variables.
.github/ISSUE_TEMPLATE/FEATURE-REQUEST.md, .github/ISSUE_TEMPLATE/bug_report.md	Deleted old Markdown-based GitHub issue templates.
.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml, .github/ISSUE_TEMPLATE/bug_report.yml	Added new YAML-based GitHub issue templates for feature requests and bug reports with structured forms and validation.
Dockerfiles/Dockerfile.cloud-wallet, Dockerfiles/Dockerfile.utility, Dockerfiles/Dockerfile.user, Dockerfiles/Dockerfile.seed	Migrated base images from Debian/Ubuntu Node.js to Alpine Node.js; updated package installation commands accordingly; removed Chrome installation in user Dockerfile.
apps/agent-service/src/agent-service.controller.ts	Added signData and verifysignature message handlers; improved TypeScript syntax.
apps/agent-service/src/agent-service.service.ts	Added signDataFromAgent, verifysignature, and getAgentUrl methods; improved tenant creation and wallet deletion logic.
apps/agent-service/src/repositories/agent-service.repository.ts	Refactored for readability; enhanced getOrgDid method with optional primary DID filter.
apps/api-gateway/src/agent-service/agent-service.controller.ts	Added /sign and /verify-signature endpoints; updated imports and decorator formatting.
apps/api-gateway/src/agent-service/agent-service.service.ts	Added signData and verifysignature methods to proxy agent requests.
apps/api-gateway/src/agent-service/dto/agent-service.dto.ts	Introduced DTOs and validation for W3C credentials, signing, and verification.
apps/api-gateway/src/agent-service/interface/agent-service.interface.ts	Added IVerifySignature interface.
apps/api-gateway/src/issuance/issuance.controller.ts	Changed parameter extraction for issueBulkCredentials to use validated DTO.
apps/api-gateway/src/main.ts	Replaced global ValidationPipe with custom UpdatableValidationPipe.
apps/issuance/src/issuance.processor.ts	Simplified logging by removing job data from log messages.
apps/organization/interfaces/organization.interface.ts	Made IVerificationMethod interface exported.
apps/organization/repositories/organization.repository.ts	Refined agent invitation query to fetch latest multi-use invitation only.
libs/common/src/common.constant.ts	Consolidated and added URL constants for agent signing/verification; formatting and annotation improvements.
libs/common/src/custom-overrideable-validation-pipe.ts	Introduced UpdatableValidationPipe and RewriteValidationOptions decorator for per-class validation overrides.
libs/common/src/response-messages/index.ts	Added agent success messages for sign and verify actions.
libs/enum/src/enum.ts	Converted KeyType from declare to fully defined enum.
libs/prisma-service/prisma/scripts/geo_location_data_import.sh, libs/prisma-service/prisma/scripts/update_client_credential_data.sh	Changed shebang to #!/bin/sh for POSIX compliance; updated conditional syntax.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API_Gateway
    participant Agent_Service
    participant Org_Agent

    Client->>API_Gateway: POST /orgs/:orgId/agents/sign (SignDataDto)
    API_Gateway->>Agent_Service: NATS 'sign-data-from-agent' (data, orgId)
    Agent_Service->>Org_Agent: HTTP POST /sign-data (with payload, auth)
    Org_Agent-->>Agent_Service: Signed data
    Agent_Service-->>API_Gateway: Signed data
    API_Gateway-->>Client: 200 OK + signed data

    Client->>API_Gateway: POST /orgs/:orgId/agents/verify-signature (VerifySignatureDto)
    API_Gateway->>Agent_Service: NATS 'verify-signature-from-agent' (data, orgId)
    Agent_Service->>Org_Agent: HTTP POST /verify-signature (with payload, auth)
    Org_Agent-->>Agent_Service: Verification result
    Agent_Service-->>API_Gateway: Verification result
    API_Gateway-->>Client: 200 OK + result

Loading

Poem

🐇
A hop, a skip, a signature new,
Agents now sign and verify too!
Docker's lighter, scripts more neat,
Templates guide with structured beat.
Validation bends at each DTO’s will—
This bunny’s code brings quite a thrill!

✨ Finishing Touches

• 📝 Docstrings were successfully generated. (🔄 Check again to generate docstrings again)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarqubecloud]

Quality Gate failed

Failed conditions
3 Security Hotspots
7.0% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[coderabbitai]

Actionable comments posted: 16

🔭 Outside diff range comments (3)

Dockerfiles/Dockerfile.cloud-wallet (1)

11-12: 🛠️ Refactor suggestion

Ensure reproducible dependency installs Only package.json is copied before invoking pnpm i. Add the lockfile to pin versions and leverage Docker caching:

COPY package.json pnpm-lock.yaml* ./

Dockerfiles/Dockerfile.utility (1)

11-12: 🛠️ Refactor suggestion

Lockfile inclusion needed Add pnpm-lock.yaml before running pnpm i to lock dependency versions and cache effectively:

COPY package.json pnpm-lock.yaml* ./

apps/api-gateway/src/agent-service/agent-service.controller.ts (1)

34-51: ⚠️ Potential issue

Using plain interface disables validation

@Body() is typed as IVerifySignature (an interface), so NestJS’ validation pipe will NOT run.
Swap to the class-based DTO (VerifySignatureDto) to enforce schema & swagger docs.

-import { AgentSpinupDto, SignDataDto, VerifySignatureDto } from './dto/agent-service.dto';
+import { AgentSpinupDto, SignDataDto, VerifySignatureDto } from './dto/agent-service.dto';
 ...
-import { IVerifySignature } from './interface/agent-service.interface';

…and in the handler (see below).

🧹 Nitpick comments (19)

libs/prisma-service/prisma/scripts/geo_location_data_import.sh (1)

1-1: Enable strict mode for safer execution
After switching to /bin/sh, add set -eu right after the shebang to catch errors and unset variables early:

#!/bin/sh
set -eu

Dockerfiles/Dockerfile.cloud-wallet (2)

4-4: Consolidate package installs Consider combining openssl with any future packages in one apk add command and pin versions if necessary to improve layer caching and reproducibility.

---

29-29: Runtime SSL dependency audit Installing openssl in the final image is valid if the service needs it; otherwise, drop it to reduce image size.

Dockerfiles/Dockerfile.utility (1)

29-29: Trim runtime dependencies Confirm whether openssl is required at runtime; remove it if unnecessary to further slim the image.

Dockerfiles/Dockerfile.user (1)

30-30: Review runtime package footprint If openssl isn’t needed at runtime, drop it to shrink the final image.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml (2)

9-15: Trim trailing whitespace flagged by YAML-lint

Static analysis complains about extra spaces on line 10.
While harmless, it makes diffs noisy.

-        ## Reporting a feature request/enhancement to CREDEBL␠
+        ## Reporting a feature request/enhancement to CREDEBL

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 10-10: trailing spaces

(trailing-spaces)

---

22-23: Fix typo in the contribution-guide link

contibution → contribution

-        - label: "I've read the [contibution guide](https://docs.credebl.id/docs/contribute/how-to-contribute) and agree to it"
+        - label: "I've read the [contribution guide](https://docs.credebl.id/docs/contribute/how-to-contribute) and agree to it"

apps/issuance/src/issuance.processor.ts (1)

14-14: Missing space in log message

Minor readability nit:

-    this.logger.log(`Emitting job status${job.id} of type ${job.name} ...`);
+    this.logger.log(`Emitting job status ${job.id} of type ${job.name} ...`);

apps/api-gateway/src/agent-service/agent-service.service.ts (1)

70-75: Method name casing & typo

verifysignature violates camel-case conventions used elsewhere (createWallet, agentSpinup, …).

- async verifysignature(data: unknown, orgId: string): Promise<AgentStatus> {
+ async verifySignature(data: unknown, orgId: string): Promise<boolean> {

Also reconsider the return type (probably a boolean or a dedicated verification result).

.github/ISSUE_TEMPLATE/bug_report.yml (1)

10-15: Minor template polish

YAML-lint flags trailing spaces (l.10,14) and there’s a typo in the contribution link.

-Thank you for taking time to report the bug on CREDEBL, your contribution will help␠
+Thank you for taking time to report the bug on CREDEBL, your contribution will help
…
-        - label: I have read the contributions guide [contibution guide](https://docs.credebl.id/docs/contribute/how-to-contribute) and agree to it
+        - label: I have read the contribution guide [contribution guide](https://docs.credebl.id/docs/contribute/how-to-contribute) and agree to it

Fixing these prevents validation noise when users open issues.

Also applies to: 20-23

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 10-10: trailing spaces

(trailing-spaces)

apps/agent-service/src/repositories/agent-service.repository.ts (1)

4-14: Snake-case Prisma model imports violate project naming conventions

org_agents, org_dids, … directly leak DB table names into service code and trigger ESLint camel-case errors.
Alias them to a Pascal/Camel case to keep TypeScript layer consistent and quiet the linter.

-import {
-  Prisma,
-  ledgerConfig,
-  ledgers,
-  org_agents,
-  org_agents_type,
-  org_dids,
-  organisation,
-  platform_config,
-  user
-} from '@prisma/client';
+import {
+  Prisma,
+  ledgerConfig as LedgerConfig,
+  ledgers as Ledgers,
+  org_agents as OrgAgents,
+  org_agents_type as OrgAgentsType,
+  org_dids as OrgDids,
+  organisation as Organisation,
+  platform_config as PlatformConfig,
+  user as User
+} from '@prisma/client';

🧰 Tools

🪛 ESLint

[error] 8-8: Identifier 'org_agents' is not in camel case.

(camelcase)

---

[error] 9-9: Identifier 'org_agents_type' is not in camel case.

(camelcase)

---

[error] 10-10: Identifier 'org_dids' is not in camel case.

(camelcase)

---

[error] 12-12: Identifier 'platform_config' is not in camel case.

(camelcase)

libs/common/src/custom-overrideable-validation-pipe.ts (1)

1-13: Typo in header comment

apprach → approach (line 12).

apps/api-gateway/src/issuance/issuance.controller.ts (1)

516-526: Route-param validation implemented but still uses a second @Param('orgId')

@Param(new ValidationPipe()) params: RequestIdQuery already contains orgId and requestId.
Extracting orgId again via another @Param('orgId') duplicates work and may confuse maintainers.

-@Param(new ValidationPipe({ transform: true })) params: RequestIdQuery,
-@Param('orgId') orgId: string,
+@Param(new ValidationPipe({ transform: true })) params: RequestIdQuery,
+// const { orgId } = params;  // derive instead of separate decorator

(Adapt subsequent code accordingly.)

libs/common/src/common.constant.ts (2)

122-126: Duplicate enum values keep growing – consider grouping or namespaces

URL_SHARED_AGENT_SIGN_DATA and many earlier constants share identical values; the list is becoming unmanageable and the @typescript-eslint/no-duplicate-enum-values disables show it.
Moving URL constants into logical enum subsets or plain const objects per domain would restore clarity and let the linter work again.

---

141-144: New agent-sign URLs collide with above shared-agent constants

URL_AGENT_SIGN_DATA and URL_SHARED_AGENT_SIGN_DATA differ only by multi-tenancy prefix.
Document the distinction or add a comment, otherwise the near-duplication will trip future maintainers.

apps/api-gateway/src/agent-service/agent-service.controller.ts (1)

126-135: Missing success/ error response decorators

Unlike other endpoints, /sign lacks @ApiResponse annotations. Adding 200-OK & 400 examples keeps the swagger spec consistent.

apps/agent-service/src/agent-service.service.ts (3)

1596-1605: Side-effect: mutating caller-supplied DTO

credentialPayload.verificationMethod = … mutates the object received from the controller.
If the same instance is reused elsewhere (e.g., logs, cache), this introduces hidden coupling.

Prefer cloning before enrichment:

const enrichedCredential = {
  ...credentialPayload,
  verificationMethod: verificationMethod[0].id
};

…and post the clone instead.

---

2081-2115: getAgentUrl logic duplicates literals – move to constants / enum

Hard-coding the strings 'sign-data-from-agent' & 'verify-signed-data-from-agent' invites typos and makes refactors brittle.
Extract them to an enum AgentAction (or reuse existing constants) so compiler coverage catches future drift.

---

1872-1893: Swallowed error status in _updateIsSchemaArchivedFlag

catch converts any error into a generic HttpException but reuses error.status, which may be undefined, causing a 500. Propagate or default to 500:

-          status: error.status,
+          status: error.status ?? HttpStatus.INTERNAL_SERVER_ERROR,

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29ebbdc and 52143b0.

📒 Files selected for processing (28)

• .env.demo (2 hunks)
• .github/ISSUE_TEMPLATE/FEATURE-REQUEST.md (0 hunks)
• .github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml (1 hunks)
• .github/ISSUE_TEMPLATE/bug_report.md (0 hunks)
• .github/ISSUE_TEMPLATE/bug_report.yml (1 hunks)
• Dockerfiles/Dockerfile.cloud-wallet (2 hunks)
• Dockerfiles/Dockerfile.seed (1 hunks)
• Dockerfiles/Dockerfile.user (2 hunks)
• Dockerfiles/Dockerfile.utility (2 hunks)
• agent.env (1 hunks)
• apps/agent-service/src/agent-service.controller.ts (13 hunks)
• apps/agent-service/src/agent-service.service.ts (7 hunks)
• apps/agent-service/src/repositories/agent-service.repository.ts (3 hunks)
• apps/api-gateway/src/agent-service/agent-service.controller.ts (6 hunks)
• apps/api-gateway/src/agent-service/agent-service.service.ts (1 hunks)
• apps/api-gateway/src/agent-service/dto/agent-service.dto.ts (2 hunks)
• apps/api-gateway/src/agent-service/interface/agent-service.interface.ts (1 hunks)
• apps/api-gateway/src/issuance/issuance.controller.ts (2 hunks)
• apps/api-gateway/src/main.ts (3 hunks)
• apps/issuance/src/issuance.processor.ts (1 hunks)
• apps/organization/interfaces/organization.interface.ts (1 hunks)
• apps/organization/repositories/organization.repository.ts (2 hunks)
• libs/common/src/common.constant.ts (12 hunks)
• libs/common/src/custom-overrideable-validation-pipe.ts (1 hunks)
• libs/common/src/response-messages/index.ts (1 hunks)
• libs/enum/src/enum.ts (1 hunks)
• libs/prisma-service/prisma/scripts/geo_location_data_import.sh (1 hunks)
• libs/prisma-service/prisma/scripts/update_client_credential_data.sh (2 hunks)

💤 Files with no reviewable changes (2)

• .github/ISSUE_TEMPLATE/FEATURE-REQUEST.md
• .github/ISSUE_TEMPLATE/bug_report.md

🧰 Additional context used

🧬 Code Graph Analysis (6)

apps/issuance/src/issuance.processor.ts (1)

apps/issuance/interfaces/issuance.interfaces.ts (1)

• IQueuePayload (332-357)

apps/api-gateway/src/issuance/issuance.controller.ts (1)

apps/api-gateway/src/issuance/dtos/issuance.dto.ts (1)

• RequestIdQuery (658-664)

apps/agent-service/src/repositories/agent-service.repository.ts (4)

libs/logger/src/logger.interface.ts (1)

• Logger (6-20)

apps/agent-service/src/interface/agent-service.interface.ts (10)

• ICreateOrgAgent (447-449)
• IStoreOrgAgentDetails (177-201)
• IStoreAgent (460-462)
• IStoreAgent (484-486)
• IStoreDidDetails (203-210)
• IOrgAgent (439-441)
• IOrgAgentsResponse (457-459)
• IOrgLedgers (443-445)
• OrgDid (632-643)
• ILedgers (645-658)

apps/organization/interfaces/organization.interface.ts (1)

• IOrgAgent (43-46)

apps/api-gateway/src/interfaces/ISchemaSearch.interface.ts (1)

• ILedgers (27-39)

apps/api-gateway/src/agent-service/agent-service.controller.ts (6)

apps/api-gateway/src/authz/decorators/roles.decorator.ts (1)

• Roles (6-6)

libs/common/src/interfaces/organization.interface.ts (1)

• User (26-33)

libs/common/src/interfaces/response.interface.ts (1)

• IResponse (8-13)

apps/api-gateway/src/agent-service/dto/agent-service.dto.ts (1)

• VerifySignatureDto (217-299)

apps/api-gateway/src/agent-service/interface/agent-service.interface.ts (1)

• IVerifySignature (28-31)

libs/common/src/cast.helper.ts (1)

• TrimStringParamPipe (164-169)

apps/api-gateway/src/agent-service/dto/agent-service.dto.ts (1)

libs/common/src/custom-overrideable-validation-pipe.ts (1)

• RewriteValidationOptions (22-24)

apps/agent-service/src/agent-service.service.ts (7)

libs/common/src/cast.helper.ts (1)

• ledgerName (75-83)

apps/agent-service/src/interface/agent-service.interface.ts (2)

• LedgerListResponse (571-573)
• IAgentStatus (337-341)

libs/common/src/response-messages/index.ts (1)

• ResponseMessages (1-494)

apps/agent-provisioning/src/interface/agent-provisioning.interfaces.ts (1)

• IAgentStatus (52-58)

apps/organization/interfaces/organization.interface.ts (1)

• IVerificationMethod (260-265)

apps/api-gateway/src/agent-service/agent-service.controller.ts (1)

• deleteWallet (427-449)

apps/api-gateway/src/agent-service/agent-service.service.ts (1)

• deleteWallet (98-103)

🪛 dotenv-linter (3.3.0)

.env.demo

[warning] 79-79: [UnorderedKey] The AWS_S3_STOREOBJECT_REGION key should go before the AWS_S3_STOREOBJECT_SECRET_KEY key

---

[warning] 80-80: [UnorderedKey] The AWS_S3_STOREOBJECT_BUCKET key should go before the AWS_S3_STOREOBJECT_REGION key

---

[warning] 84-84: [QuoteCharacter] The value has quote characters (', ")

---

[warning] 85-85: [QuoteCharacter] The value has quote characters (', ")

---

[warning] 85-85: [UnorderedKey] The DEEPLINK_DOMAIN key should go before the SHORTENED_URL_DOMAIN key

🪛 YAMLlint (1.37.1)

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

[error] 10-10: trailing spaces

(trailing-spaces)

.github/ISSUE_TEMPLATE/bug_report.yml

[error] 10-10: trailing spaces

(trailing-spaces)

🪛 ESLint

apps/agent-service/src/repositories/agent-service.repository.ts

[error] 8-8: Identifier 'org_agents' is not in camel case.

(camelcase)

---

[error] 9-9: Identifier 'org_agents_type' is not in camel case.

(camelcase)

---

[error] 10-10: Identifier 'org_dids' is not in camel case.

(camelcase)

---

[error] 12-12: Identifier 'platform_config' is not in camel case.

(camelcase)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (javascript)

🔇 Additional comments (23)

agent.env (1)

23-23: Confirm intentional removal of default SERVER_URL
You’ve cleared the SERVER_URL value in agent.env. Ensure this change is deliberate and that your service code provides a fallback or consumes this variable correctly (e.g., via another config or default).

.env.demo (3)

32-32: Approve formatting cleanup on SENDGRID_API_KEY
Trailing spaces were removed, and the key is now ready for an actual value to be provided.

---

79-79: Approve formatting cleanup on AWS_S3_STOREOBJECT_REGION
Removed trailing spaces for consistency with other AWS variables.

🧰 Tools

🪛 dotenv-linter (3.3.0)

[warning] 79-79: [UnorderedKey] The AWS_S3_STOREOBJECT_REGION key should go before the AWS_S3_STOREOBJECT_SECRET_KEY key

---

87-87: Verify updated CORS whitelist
The ENABLE_CORS_IP_LIST value was simplified to four localhost URLs without spaces. Confirm that your CORS parsing logic handles comma-separated lists correctly and that no required origins were inadvertently omitted.

libs/prisma-service/prisma/scripts/update_client_credential_data.sh (1)

33-33: POSIX-compliant condition check
The revised if [ -n "$CLIENT_ID" ] && [ -n "$CLIENT_SECRET" ] is correct and preserves the original intent in a POSIX /bin/sh context.

Dockerfiles/Dockerfile.cloud-wallet (2)

2-2: Base image standardization Migrating the build stage to node:18-alpine shrinks the image and aligns with other services.

---

27-27: Final stage base image consistency Using node:18-alpine in the final stage is correct and consistent with the build stage.

Dockerfiles/Dockerfile.seed (4)

1-1: Alpine base image approved Switching to node:18-alpine reduces footprint and aligns with the cloud-wallet and utility services.

---

6-6: PostgreSQL client & OpenSSL install Bundling postgresql-client and openssl in one apk add is fine. Verify you only include required client tools.

---

12-13: Executable Prisma scripts Granting chmod +x to each seed script is necessary for runtime seeding.

---

15-15: Skip Puppeteer download Setting PUPPETEER_SKIP_DOWNLOAD=true correctly avoids unwanted Chromium downloads during install.

Dockerfiles/Dockerfile.utility (3)

2-2: Build stage base image update Switching to node:18-alpine is consistent with other microservices and reduces image size.

---

5-5: OpenSSL installation Installing openssl early ensures SSL-dependent tools in the build stage work as expected.

---

27-27: Final image consistency The final stage’s node:18-alpine remains consistent and slim.

Dockerfiles/Dockerfile.user (4)

2-2: Alpine base image adoption Migrating both stages to node:18-alpine matches other services and shrinks image size.

---

5-5: OpenSSL setup Installing openssl with apk is correct for SSL operations.

---

14-14: Puppeteer flags verification You removed PUPPETEER_SKIP_CHROMIUM_DOWNLOAD. Double-check that Puppeteer use-cases don’t require a headless browser in this container.

---

28-28: Final stage base consistency The final stage’s use of Alpine is consistent with the build stage.

libs/enum/src/enum.ts (1)

40-50:

❓ Verification inconclusive

Concrete enum may clash with pre-existing ambient declaration

declare enum KeyType was formerly only a type definition – introducing a runtime enum means a JS object is now emitted.
If another declare enum KeyType still exists in consumer packages, the compiler will happily merge the types, but at runtime you could end up with two different KeyTypes on different module paths, or a duplicate identifier error if the ambient file was converted to JS somewhere else.

Run a quick scan to confirm there are no other KeyType declarations that would emit JS:

---

🏁 Script executed:

#!/bin/bash
# Find any other non-ambient KeyType enums
rg --type ts -n $'^\\s*export\\s+enum\\s+KeyType\\b' | grep -v 'libs/enum/src/enum.ts'

Length of output: 81

---

🏁 Script executed:

#!/bin/bash
# Search for any ambient KeyType declarations (e.g., in .d.ts files)
rg -n 'declare\s+enum\s+KeyType\b'

# Search for any other enum KeyType definitions besides libs/enum/src/enum.ts
rg -n '^\s*enum\s+KeyType\b' | grep -v 'libs/enum/src/enum.ts'

Length of output: 99

---

Internal scan passes; please verify external declarations
I searched the repo for other export enum KeyType and declare enum KeyType definitions and found none outside libs/enum/src/enum.ts (lines 40–50). Introducing this as a runtime enum won’t collide internally, but downstream consumer packages with their own ambient declare enum KeyType could still merge types at compile-time or clash at runtime.

• libs/enum/src/enum.ts (40–50): emits the KeyType enum at runtime.

Ensure any external declare enum KeyType definitions are removed or that consumers upgrade alongside this change, as it’s a breaking change.

libs/common/src/response-messages/index.ts (1)

215-216: Messages added – looks good

The new success messages are consistent with existing naming and keep the tense/style uniform.
No further action needed.

apps/organization/interfaces/organization.interface.ts (1)

260-265: Export looks fine

Making IVerificationMethod public aligns with its new cross-module usage.
No structural issues spotted.

apps/organization/repositories/organization.repository.ts (1)

482-489:

❌ Incorrect review comment

Possible mismatch between expected cardinality and result shape

take: 1 limits the nested agent_invitations array to a single element, but consumers still receive an array.
If callers assume a single object they now need to index [0], risking undefined when no record exists.

Options:

- agent_invitations: {
-   where: { multiUse: true },
-   orderBy: { lastChangedDateTime: SortValue.DESC },
-   take: 1,
-   select: { … }
- },
+ agent_invitation: {              // rename & use 1-to-1 alias
+   where: { multiUse: true },
+   orderBy: { lastChangedDateTime: 'desc' },
+   select: { … },
+ }

or fetch with findFirst in a separate query.

Verify downstream usage before merging.

---

🏁 Script executed:

#!/bin/bash
# Search for all occurrences of the nested relation and any indexing usage
rg -n "agent_invitations" .
rg -n "agent_invitations\[" .

Length of output: 9309

---

🏁 Script executed:

#!/bin/bash
# Show context around the nested agent_invitations include in the organization repository
sed -n '430,550p' apps/organization/repositories/organization.repository.ts

Length of output: 2914

---

Incorrect assumption about nested agent_invitations usage

We reviewed the codebase and found:

• The nested include is correctly typed as agent_invitations: IAgentInvitation[], matching the Prisma API.
• No downstream code is indexing into that array (e.g. .agent_invitations[0]); consumers treat it as an array.
• Prisma does not support aliasing a nested include to a singular field, so renaming to agent_invitation isn’t feasible without major changes.

If you truly need a single record, call findFirst or findUnique in a separate query and return it as an object. Otherwise, the current array shape is correct and no refactoring is required.

Likely an incorrect or invalid review comment.

apps/api-gateway/src/main.ts (1)

94-97: Global pipe switched – re-run DTO tests

Replacing ValidationPipe with UpdatableValidationPipe is fine, but double-check:

1. All DTOs that depended on forbidUnknownValues, errorHttpStatusCode, etc., still behave as expected.
2. The custom pipe honours transform and whitelist when metadata overrides are absent.

A quick e2e smoke test will catch regressions before QA.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Critical: local is a Bashism and breaks under /bin/sh
You've updated the shebang to /bin/sh (POSIX shell) but the function uses local, which is not part of POSIX and will error out (e.g., in dash). Remove the local keywords to ensure compatibility.

Apply this diff:

--- a/libs/prisma-service/prisma/scripts/update_client_credential_data.sh
+++ b/libs/prisma-service/prisma/scripts/update_client_credential_data.sh
@@ -9,7 +9,7 @@ update_client_credentials() {
-    local update_query="UPDATE \"user\" SET \"clientId\" = '${CLIENT_ID}', \"clientSecret\" = '${CLIENT_SECRET}' WHERE \"clientId\" IS NULL AND \"clientSecret\" IS NULL;"
+    update_query="UPDATE \"user\" SET \"clientId\" = '${CLIENT_ID}', \"clientSecret\" = '${CLIENT_SECRET}' WHERE \"clientId\" IS NULL AND \"clientSecret\" IS NULL;"
@@ -15,7 +15,7 @@ update_client_credentials() {
-    local result=$(psql "$DB_URL" -c "$update_query" 2>&1)
+    result=$(psql "$DB_URL" -c "$update_query" 2>&1)
     echo "$result"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#!/bin/sh
	#!/bin/sh
	update_client_credentials() {
	update_query="UPDATE \"user\" SET \"clientId\" = '${CLIENT_ID}', \"clientSecret\" = '${CLIENT_SECRET}' WHERE \"clientId\" IS NULL AND \"clientSecret\" IS NULL;"
	result=$(psql "$DB_URL" -c "$update_query" 2>&1)
	echo "$result"
	}

🤖 Prompt for AI Agents

In libs/prisma-service/prisma/scripts/update_client_credential_data.sh at line
1, the script uses the `local` keyword inside functions, which is a
Bash-specific feature and not supported by the POSIX-compliant `/bin/sh` shell
specified in the shebang. To fix this, remove all `local` declarations from the
functions to ensure the script runs correctly under `/bin/sh`.

[coderabbitai]

🛠️ Refactor suggestion

Add lockfile before install The Dockerfile runs pnpm i but never copies pnpm-lock.yaml. Include it alongside package.json for deterministic builds:

COPY pnpm-lock.yaml* package.json ./

🤖 Prompt for AI Agents

In Dockerfiles/Dockerfile.seed at line 17, the Dockerfile runs `pnpm i` without
copying the `pnpm-lock.yaml` file, which can cause non-deterministic builds. Fix
this by modifying the COPY instruction to include `pnpm-lock.yaml` alongside
`package.json`, for example: `COPY pnpm-lock.yaml* package.json ./`.

[coderabbitai]

🛠️ Refactor suggestion

Include lockfile for pinned installs Copy pnpm-lock.yaml alongside package.json before pnpm i to ensure deterministic installs:

COPY pnpm-lock.yaml* package.json ./

🤖 Prompt for AI Agents

In Dockerfiles/Dockerfile.user at line 17, the Dockerfile runs `pnpm i
--ignore-scripts` without copying the `pnpm-lock.yaml` file first, which can
lead to non-deterministic installs. To fix this, add a line before the `RUN pnpm
i --ignore-scripts` command to copy both `pnpm-lock.yaml` (if it exists) and
`package.json` into the image using `COPY pnpm-lock.yaml* package.json ./`. This
ensures the lockfile is present and installs are pinned and reproducible.

[coderabbitai]

⚠️ Potential issue

Async processor does not await the service call

issueCredential is declared async, but processIssuanceData isn’t awaited.
Bull marks the job complete when the handler resolves; un-awaited promises may keep running after the job is “finished”, losing error propagation and retries.

-    this.logger.log(`Processing job ${job.id} of type ${job.name} ...`);
-
-    this.issuanceService.processIssuanceData(job.data);
+    this.logger.log(`Processing job ${job.id} of type ${job.name} ...`);
+
+    await this.issuanceService.processIssuanceData(job.data);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async issueCredential(job: Job<IQueuePayload>): Promise<void> {
	this.logger.log(`Processing job ${job.id} of type ${job.name} ...`);
	this.issuanceService.processIssuanceData(job.data);
	}
	async issueCredential(job: Job<IQueuePayload>): Promise<void> {
	this.logger.log(`Processing job ${job.id} of type ${job.name} ...`);
	await this.issuanceService.processIssuanceData(job.data);
	}

🤖 Prompt for AI Agents

In apps/issuance/src/issuance.processor.ts around lines 18 to 22, the async
method issueCredential calls processIssuanceData without awaiting it. To fix
this, add the await keyword before
this.issuanceService.processIssuanceData(job.data) to ensure the job handler
waits for the promise to resolve or reject, enabling proper error handling and
retries.

[coderabbitai]

🛠️ Refactor suggestion

Prefer a stronger payload type over unknown

credential is typed as unknown, which defeats static-type benefits.
If the credential is a generic JSON-LD VC, consider:

export interface JsonLdCredential extends Record<string, unknown> {
  '@context': string | string[];
  id?: string;
  type: string | string[];
  issuer?: string | { id: string };
  // …other common VC keys
}

export interface IVerifySignature {
  credential: JsonLdCredential;
  verifyCredentialStatus?: boolean;
}

Even a looser Record<string, unknown> is an improvement and still allows arbitrary structures.

🤖 Prompt for AI Agents

In apps/api-gateway/src/agent-service/interface/agent-service.interface.ts
around lines 28 to 31, the credential property is typed as unknown, which limits
static type checking benefits. Replace the unknown type with a stronger type
such as a JsonLdCredential interface that extends Record<string, unknown> and
includes common JSON-LD VC fields like '@context', id, type, and issuer. Update
the IVerifySignature interface to use this new JsonLdCredential type for the
credential property to improve type safety while allowing flexibility.

[coderabbitai]

⚠️ Potential issue

ValidateIf condition typo disables validation for rawPayload

'data' === o.dataTypeToSign never matches ('rawData' is the valid literal), so rawPayload is never validated.

-  @ValidateIf((o) => 'data' === o.dataTypeToSign)
+  @ValidateIf((o) => 'rawData' === o.dataTypeToSign)

🤖 Prompt for AI Agents

In apps/api-gateway/src/agent-service/dto/agent-service.dto.ts around lines 211
to 214, the ValidateIf condition uses 'data' instead of the correct literal
'rawData', causing rawPayload validation to be skipped. Update the condition to
check if o.dataTypeToSign equals 'rawData' to enable proper validation of
rawPayload.

[coderabbitai]

⚠️ Potential issue

defaultMessage() must return a string – throwing here breaks validation flow

class-validator expects defaultMessage() to synchronously return an error string.
Throwing BadRequestException will bubble out before the ValidationPipe formats the error array, resulting in a 500 rather than a 400.

-  defaultMessage(): string {
-    throw new BadRequestException('At least one of publicKeyBase58, did, or method must be provided in SignRawDataDto');
-  }
+  defaultMessage(): string {
+    return 'At least one of publicKeyBase58, did, or method must be provided.';
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@ValidatorConstraint({ name: 'AtLeastOneKey', async: false })
	class AtLeastOneKeyConstraint implements ValidatorConstraintInterface {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	validate(_: any, args: ValidationArguments): boolean {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	const obj = args.object as any;
	return Boolean(obj.publicKeyBase58 || obj.did || obj.method);
	}
	defaultMessage(): string {
	throw new BadRequestException('At least one of publicKeyBase58, did, or method must be provided in SignRawDataDto');
	}
	}
	@ValidatorConstraint({ name: 'AtLeastOneKey', async: false })
	class AtLeastOneKeyConstraint implements ValidatorConstraintInterface {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	validate(_: any, args: ValidationArguments): boolean {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	const obj = args.object as any;
	return Boolean(obj.publicKeyBase58 || obj.did || obj.method);
	}
	defaultMessage(): string {
	return 'At least one of publicKeyBase58, did, or method must be provided.';
	}
	}

🤖 Prompt for AI Agents

In apps/api-gateway/src/agent-service/dto/agent-service.dto.ts between lines 144
and 156, the defaultMessage() method incorrectly throws a BadRequestException
instead of returning a string. To fix this, change defaultMessage() so it
returns the error message string directly without throwing an exception,
ensuring the validation flow completes properly and the ValidationPipe can
format the error response as intended.

[coderabbitai]

🛠️ Refactor suggestion

storeCredential should be optional

When the client is signing rawData, this field is irrelevant, yet it is always required and validated.
Mark it optional (and/or add ValidateIf) to avoid forcing callers to supply meaningless data.

-  @ValidateIf((o) => 'jsonLd' === o.dataTypeToSign)
-  @IsBoolean()
-  storeCredential: boolean = false;
+  @ValidateIf((o) => 'jsonLd' === o.dataTypeToSign)
+  @IsBoolean()
+  @IsOptional()
+  storeCredential = false;

🤖 Prompt for AI Agents

In apps/api-gateway/src/agent-service/dto/agent-service.dto.ts around lines 199
to 202, the storeCredential field is currently required and validated even when
dataTypeToSign is not 'jsonLd', making it irrelevant in those cases. To fix
this, mark storeCredential as optional and add a ValidateIf decorator that only
validates it when dataTypeToSign equals 'jsonLd', so callers are not forced to
provide this field unnecessarily.

[coderabbitai]

⚠️ Potential issue

Swap IVerifySignature for VerifySignatureDto to enable validation

-  @Body() data: IVerifySignature,
+  @Body() data: VerifySignatureDto,

Failing to do so allows malformed payloads to bypass runtime validation and contradicts the documented schema.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@Param('orgId') orgId: string,
	@Body() data: IVerifySignature,
	@Res() res: Response
	@Param('orgId') orgId: string,
	@Body() data: VerifySignatureDto,
	@Res() res: Response

🤖 Prompt for AI Agents

In apps/api-gateway/src/agent-service/agent-service.controller.ts around lines
165 to 167, replace the type annotation of the data parameter from
IVerifySignature to VerifySignatureDto. This change enables runtime validation
of the request body against the defined DTO schema, preventing malformed
payloads from bypassing validation and ensuring compliance with the documented
schema.

[coderabbitai]

🛠️ Refactor suggestion

Concurrent Promise error handling: consider Promise.allSettled result typing

getApiKeyResult.value is typed as string | undefined, but later used as headers without null-check.
Add explicit guard to prevent undefined headers leading to unauthorised 401s at runtime.

🤖 Prompt for AI Agents

In apps/agent-service/src/agent-service.service.ts around lines 1790 to 1808,
the getApiKeyResult.value can be undefined but is used directly as headers
without a null check, which may cause unauthorized 401 errors. Add an explicit
check to verify getApiKeyResult.value is defined before using it as headers, and
throw an appropriate error or handle the undefined case to prevent runtime
issues.

[coderabbitai]

Note

Generated docstrings for this pull request at #1288