[INJIVER-1369] Document CWT VC support and limitations

[jaswanthkumartw]

Summary by CodeRabbit

• New Features

  • Added support for CBOR Web Token (CWT) Verifiable Credential (VC) format across validation and verification flows.
  • Public APIs updated to accept CWT as a credential format option.

• Documentation

  • Added CWT VC validation guidance, expanded verification/status matrices, and CWT-specific validation steps and error codes.
  • Noted limitation: RSA algorithm gap for CWT.

• Chores

  • Published artifact versions bumped to 1.7.0-RC5.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds CWT (CBOR Web Token) Verifiable Credential validation docs and support: introduces public CWT_VC credential format, a public CwtValidator, updates verification/status API signatures to accept CWT_VC, and bumps Kotlin vc-verifier artifacts from 1.7.0-RC4 to 1.7.0-RC5.

Changes

Cohort / File(s)	Summary
Documentation vc-verifier/kotlin/README.md	Adds "3.4 CWT VC Validation", updates Supported VC Formats matrix, verification/status flows, error-code sections, examples showing CWT_VC, and a limitations note about RSA support.
Public API / Validation Code vc-verifier/kotlin/vcverifier/...	Adds enum member CWT_VC to CredentialFormat, introduces public CwtValidator class, and extends verify, verifyAndGetCredentialStatus, and getCredentialStatus signatures to accept CWT_VC.
Build Configuration vc-verifier/kotlin/vcverifier/publish-artifact.gradle	Bumps published artifact versions for vcverifier-aar and vcverifier-jar from 1.7.0-RC4 to 1.7.0-RC5.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• [INJIVER-1369] using com.authlete:cbor libray and add the unit tests #219 — Adds CWT parsing/verification implementation and related tests; directly related to CWT API surface and validator changes.
• [INJIVER-1369] Enforce CWT tag (61) and unwrap before COSE signature verification #221 — Enforces CWT unwrap/tag handling and provides COSE utilities; closely tied to CWT verification behavior.
• [INJIVER-1369]: updated the artifact version #220 — Also updates publish-artifact.gradle version bumps for the same Maven publications.

Suggested reviewers

• mayuradesh

Poem

🐰 I hop through CBOR, soft and quick,
New CWT leaves a tiny tick.
Docs and enums now join the race,
Validator springs into place —
I nibble bytes and tidy the picks. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main changes in the changeset: documenting CWT VC support and limitations in the README, updating version numbers, and adding CwtValidator class.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@vc-verifier/kotlin/README.md`:
- Around line 58-60: Remove the stray closing bold marker by deleting the
trailing "**" after "PS256" in the sentence "RSA-based algorithms (e.g., RS256 /
PS256)** are not supported for CWT verification"; update the text so it reads
normally (e.g., "RSA-based algorithms (e.g., RS256 / PS256) are not supported
for CWT verification") to eliminate the malformed Markdown bolding.
- Line 13: Update the broken TOC link in README.md by replacing the incorrect
anchor in the TOC entry "3.4 [CWT VC Validation](`#34-sd-jwt-vc-validation`)" with
the correct anchor that matches the heading "CWT VC Validation" (use
"#cwt-vc-validation" or "#34-cwt-vc-validation" depending on your TOC/anchor
generation policy) so the link targets the "CWT VC Validation" section
correctly.

🧹 Nitpick comments (1)

vc-verifier/kotlin/README.md (1)

128-188: Comprehensive CWT VC validation documentation.

The validation flow is well-documented, covering COSE_Sign1 structure, protected header validation, CWT claims, and temporal checks.

One optional consideration: the nested list indentation uses 4 spaces where the linter (markdownlint) expects 2 spaces. If you want linter compliance, reduce indentation from 4 to 2 spaces for nested items. However, this is a style preference and doesn't affect readability.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@vc-verifier/kotlin/README.md`:
- Around line 55-56: Update the inconsistent format name from "vc-cwt" to
"cwt_vc" in the sentence that mentions planned support for other VC formats so
it matches the supported formats table and other occurrences; locate the string
"vc-cwt" in the README.md (the sentence that lists `vc+sd-jwt`,`vc-cwt`) and
replace it with `cwt_vc`.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

vc-verifier/kotlin/README.md (1)

388-396: Align API examples and feature matrix documentation for CWT_VC status check support.

The API documentation lists CWT_VC as a valid credentialFormat parameter for getCredentialStatus (lines 388-396), but the feature matrix marks status check as ❌ for cwt_vc (lines 771-776). The implementation accepts CWT_VC and returns an empty status map rather than throwing an unsupported error. Clarify whether this format should list ✔️ with a note like "returns empty status" or be removed from the API examples if intentionally unsupported.

🤖 Fix all issues with AI agents

In `@vc-verifier/kotlin/README.md`:
- Around line 908-909: Replace the bold Markdown line "**cwt_vc Format VC Error
Codes**" with a proper heading to satisfy markdownlint MD036; for example change
it to "#### cwt_vc Format VC Error Codes" so the section uses a heading level
instead of bold text (locate the exact bold text string in the README.md and
update it accordingly).
- Around line 133-186: The markdown bullets under "CWT payload validation" and
the nested "Numeric date validation (RFC 8392)" block are mis-indented causing
MD007; fix by normalizing indentation so top-level bullets use no extra leading
spaces, nested bullets (e.g., the items under "Numeric date validation" and the
three temporal claims `exp`, `nbf`, `iat`) are indented by 2 spaces, and any
sub-nested bullets (like the conditions under each temporal claim) are indented
by 4 spaces; apply this consistently for the sections referencing "CWT payload
validation", "Numeric date validation (RFC 8392)", and the list of temporal
checks so markdownlint no longer flags MD007.