delegation offer over didcomm (#537)

* didcomm delegation offer

* address PR review feedback for delegation offer flow

* add ISSUE_CREDENTIAL_HANDLER for holder-side credential receipt and ACK

* update gitignore

* harden delegation offer flow: expiration, slim OOB payload, security checks

* test: rejection paths for delegation offer handlers

* fix: treat EDV 404 responses as empty find results

The EDV server returns HTTP 404 on /query for vaults with no indices yet
(e.g. fresh vaults from wrong biometric credentials). ky now surfaces this
as 'Request failed with status code 404 Not Found' rather than the
legacy 'Not Found' message the universal-wallet catch handles, so
biometric authentication failures were leaking raw HTTP errors instead of
the domain-level 'Invalid identifier' error.

* narrow EDV 404 handling to /query endpoint

* require caller to supply OOB invitation goal text

* validate delegationPolicy in createDelegationOffer and request handler

Author: maycon-mello

.gitignore

@@ -32,4 +32,6 @@ poc
 *.db
 reports/
 .turbo
-packages/react-native/public/*.module.wasm
+packages/react-native/public/*.module.wasm
+
+integration-tests/debugging/*

integration-tests/delegation-offer-handlers.test.ts

@@ -0,0 +1,235 @@
+import {
+  DELEGATION_REQUEST_HANDLER,
+  ISSUE_CREDENTIAL_HANDLER,
+} from '../packages/core/src/delegation/delegation-offer';
+
+function createStubWallet(offer: any) {
+  const documents: Record<string, any> = {};
+  if (offer) {
+    documents[offer.id] = offer;
+  }
+  return {
+    documents,
+    sentMessages: [] as any[],
+    emittedEvents: [] as any[],
+    getDocumentById: jest.fn(async (id: string) => documents[id]),
+    addDocument: jest.fn(async (doc: any) => {
+      documents[doc.id] = doc;
+      return doc;
+    }),
+    updateDocument: jest.fn(async (doc: any) => {
+      documents[doc.id] = doc;
+      return doc;
+    }),
+    eventManager: {
+      emit: jest.fn(),
+    },
+  };
+}
+
+function createStubMessageProvider() {
+  return {
+    sendMessage: jest.fn(async () => undefined),
+  };
+}
+
+describe('DELEGATION_REQUEST_HANDLER rejection paths', () => {
+  const offerId = 'offer-1';
+  const issuerDID = 'did:test:issuer';
+  const holderDID = 'did:test:holder';
+  const attackerDID = 'did:test:attacker';
+
+  function buildRequest(overrides: any = {}) {
+    return {
+      type: 'https://didcomm.org/issue-credential/3.0/request-credential',
+      from: holderDID,
+      to: issuerDID,
+      body: {
+        goal_code: 'dock.offer-delegation',
+        offer_id: offerId,
+      },
+      ...overrides,
+    };
+  }
+
+  function buildStoredOffer(overrides: any = {}) {
+    return {
+      id: offerId,
+      type: 'DelegationOffer',
+      issuerDID,
+      status: 'sent',
+      credentialId: 'cred-1',
+      delegationPolicy: {},
+      delegationRole: 'role-1',
+      sentAt: new Date().toISOString(),
+      expiresAt: new Date(Date.now() + 60_000).toISOString(),
+      ...overrides,
+    };
+  }
+
+  it('returns silently when no offer is found for the request', async () => {
+    const wallet = createStubWallet(null);
+    const messageProvider = createStubMessageProvider();
+
+    await DELEGATION_REQUEST_HANDLER.handle(buildRequest(), {
+      wallet,
+      messageProvider,
+    });
+
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.updateDocument).not.toHaveBeenCalled();
+  });
+
+  it('rejects requests for offers not in `sent` state', async () => {
+    const wallet = createStubWallet(buildStoredOffer({status: 'accepted'}));
+    const messageProvider = createStubMessageProvider();
+
+    await DELEGATION_REQUEST_HANDLER.handle(buildRequest(), {
+      wallet,
+      messageProvider,
+    });
+
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.updateDocument).not.toHaveBeenCalled();
+  });
+
+  it('rejects requests from senders not in offer.to (array form)', async () => {
+    const wallet = createStubWallet(
+      buildStoredOffer({to: [holderDID]}),
+    );
+    const messageProvider = createStubMessageProvider();
+
+    await DELEGATION_REQUEST_HANDLER.handle(
+      buildRequest({from: attackerDID}),
+      {wallet, messageProvider},
+    );
+
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.updateDocument).not.toHaveBeenCalled();
+  });
+
+  it('rejects requests from senders not matching offer.to (string form)', async () => {
+    const wallet = createStubWallet(buildStoredOffer({to: holderDID}));
+    const messageProvider = createStubMessageProvider();
+
+    await DELEGATION_REQUEST_HANDLER.handle(
+      buildRequest({from: attackerDID}),
+      {wallet, messageProvider},
+    );
+
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.updateDocument).not.toHaveBeenCalled();
+  });
+
+  it('rejects expired offers', async () => {
+    const wallet = createStubWallet(
+      buildStoredOffer({
+        expiresAt: new Date(Date.now() - 60_000).toISOString(),
+      }),
+    );
+    const messageProvider = createStubMessageProvider();
+
+    await DELEGATION_REQUEST_HANDLER.handle(buildRequest(), {
+      wallet,
+      messageProvider,
+    });
+
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.updateDocument).not.toHaveBeenCalled();
+  });
+});
+
+describe('ISSUE_CREDENTIAL_HANDLER rejection paths', () => {
+  const offerId = 'offer-2';
+  const issuerDID = 'did:test:issuer';
+  const holderDID = 'did:test:holder';
+  const attackerDID = 'did:test:attacker';
+
+  function buildIssueMessage(overrides: any = {}) {
+    return {
+      id: 'msg-1',
+      type: 'https://didcomm.org/issue-credential/3.0/issue-credential',
+      from: issuerDID,
+      to: [holderDID],
+      body: {
+        goal_code: 'dock.offer-delegation',
+        delegationOfferId: offerId,
+        credentials: [{id: 'delegated-cred-1', type: ['DelegationCredential']}],
+        delegationChain: [],
+      },
+      ...overrides,
+    };
+  }
+
+  function buildStoredOffer(overrides: any = {}) {
+    return {
+      id: offerId,
+      type: 'DelegationOffer',
+      issuerDID,
+      status: 'requested',
+      ...overrides,
+    };
+  }
+
+  it('returns when delegationOfferId is missing from the message', async () => {
+    const wallet = createStubWallet(buildStoredOffer());
+    const messageProvider = createStubMessageProvider();
+
+    await ISSUE_CREDENTIAL_HANDLER.handle(
+      buildIssueMessage({
+        body: {goal_code: 'dock.offer-delegation', credentials: []},
+      }),
+      {wallet, messageProvider},
+    );
+
+    expect(wallet.addDocument).not.toHaveBeenCalled();
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+  });
+
+  it('returns when no stored offer exists for the delegationOfferId', async () => {
+    const wallet = createStubWallet(null);
+    const messageProvider = createStubMessageProvider();
+
+    await ISSUE_CREDENTIAL_HANDLER.handle(buildIssueMessage(), {
+      wallet,
+      messageProvider,
+    });
+
+    expect(wallet.addDocument).not.toHaveBeenCalled();
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+  });
+
+  it('rejects credentials from a DID other than the stored issuerDID', async () => {
+    const wallet = createStubWallet(buildStoredOffer());
+    const messageProvider = createStubMessageProvider();
+
+    await ISSUE_CREDENTIAL_HANDLER.handle(
+      buildIssueMessage({from: attackerDID}),
+      {wallet, messageProvider},
+    );
+
+    expect(wallet.addDocument).not.toHaveBeenCalled();
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+    expect(wallet.eventManager.emit).not.toHaveBeenCalled();
+  });
+
+  it('returns when the credentials array is empty', async () => {
+    const wallet = createStubWallet(buildStoredOffer());
+    const messageProvider = createStubMessageProvider();
+
+    await ISSUE_CREDENTIAL_HANDLER.handle(
+      buildIssueMessage({
+        body: {
+          goal_code: 'dock.offer-delegation',
+          delegationOfferId: offerId,
+          credentials: [],
+          delegationChain: [],
+        },
+      }),
+      {wallet, messageProvider},
+    );
+
+    expect(wallet.addDocument).not.toHaveBeenCalled();
+    expect(messageProvider.sendMessage).not.toHaveBeenCalled();
+  });
+});