Fix SonarCloud security issues

- Remove example secret from config.yaml - use empty string for public client
- Add wildcard (**/) prefix to config.yaml resource patterns
- Add secrets: prefixed rule exclusions (secrets analyzer may use different keys)

The static client example now shows a public client configuration (no secret
required) instead of a confidential client with a placeholder secret.

Author: leifj

config.yaml

@@ -177,20 +177,20 @@ verifier:
     # Note: secrets.yaml currently only supports oidc.subject_salt, not static client secrets.
     # For production, consider using dynamic client registration or environment variables.
     # static_clients:
-    #   - client_id: "my-static-client"
-    #     client_secret: "my-secret"  # Stored in plaintext here; secrets.yaml not yet supported
+    #   - client_id: "example-client-id"
+    #     client_secret: ""  # Set via environment variable or leave empty for public clients
     #     redirect_uris:
     #       - "https://example.com/callback"
     #     allowed_scopes:  # If omitted, defaults to openid, profile, email, address, phone
     #       - "openid"
     #       - "profile"
     #       - "pid"
-    #     token_endpoint_auth_method: "client_secret_basic"  # Or "none" for public clients
+    #     token_endpoint_auth_method: "none"  # Use "none" for public clients (no secret required)
     #     grant_types:  # Optional, default: ["authorization_code"]
     #       - "authorization_code"
     #     response_types:  # Optional, default: ["code"]
     #       - "code"
-    #     client_name: "My Static Client"  # Optional
+    #     client_name: "Example Static Client"  # Optional
   openid4vp:
     presentation_timeout: 300
     # Template-based presentation requests (optional)

internal/verifier/apiv1/handler_client_registration_test.go

@@ -1082,9 +1082,9 @@ func TestGetClientByID(t *testing.T) {
 	client, mockDB := CreateTestClientWithMock(&model.Cfg{
 		Verifier: &model.Verifier{
 			OIDC: &model.OIDCConfig{
-				Issuer:      "https://test.example.com",
-				SubjectType: "pairwise",
-				SubjectSalt: "test-salt",
+				Issuer:        "https://test.example.com",
+				SubjectType:   "pairwise",
+				SubjectSalt:   "test-salt",
 				StaticClients: staticClients,
 			},
 		},

sonar-project.properties

@@ -29,7 +29,7 @@ sonar.go.coverage.reportPaths=coverage.out,didcomm_coverage.out
 #    - This is a key-wrapping primitive, not general-purpose encryption
 #
 # These patterns are required for standards compliance and interoperability.
-sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7,e8
+sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7,e8,e9,e10,e11,e12
 
 # Exclude S5542 from JWE crypto implementation (AES-CBC for content encryption, AES Key Wrap)
 sonar.issue.ignore.multicriteria.e1.ruleKey=go:S5542
@@ -55,12 +55,25 @@ sonar.issue.ignore.multicriteria.e5.resourceKey=**/*_test.go
 
 # Exclude from example config - commented examples show format, not real credentials
 sonar.issue.ignore.multicriteria.e6.ruleKey=go:S6418
-sonar.issue.ignore.multicriteria.e6.resourceKey=config.yaml
+sonar.issue.ignore.multicriteria.e6.resourceKey=**/config.yaml
 
 # S2068 (go:S2068) - "Credentials should not be hard-coded"
 # Same rationale as S6418 above
 sonar.issue.ignore.multicriteria.e7.ruleKey=go:S2068
 sonar.issue.ignore.multicriteria.e7.resourceKey=**/*_test.go
 
 sonar.issue.ignore.multicriteria.e8.ruleKey=go:S2068
-sonar.issue.ignore.multicriteria.e8.resourceKey=config.yaml
+sonar.issue.ignore.multicriteria.e8.resourceKey=**/config.yaml
+
+# Secrets analyzer rules (may use different prefix)
+sonar.issue.ignore.multicriteria.e9.ruleKey=secrets:S6418
+sonar.issue.ignore.multicriteria.e9.resourceKey=**/*_test.go
+
+sonar.issue.ignore.multicriteria.e10.ruleKey=secrets:S6418
+sonar.issue.ignore.multicriteria.e10.resourceKey=**/config.yaml
+
+sonar.issue.ignore.multicriteria.e11.ruleKey=secrets:S2068
+sonar.issue.ignore.multicriteria.e11.resourceKey=**/*_test.go
+
+sonar.issue.ignore.multicriteria.e12.ruleKey=secrets:S2068
+sonar.issue.ignore.multicriteria.e12.resourceKey=**/config.yaml