[LC-1529] App Dids

[TaylorBeeston]

Overview

🎟 Relevant Jira Issues

LC-1529 App DIDs: allow App Store apps to have their own issuer identities when issuing credentials
LC-1530 LCA API: allow creating signing authority for DID other than yourself
LC-1531 Brain service: serve app DID docs for did:web:${url}:app:${slug}
LC-1532 Deterministic app slug generation + collision handling
LC-1533 UI: support app DIDs for issuing

📚 What is the context and goal of this PR?

Add app DID support so app store listings can issue credentials with their own did:web identity.
This includes signing authority creation for non-self DIDs, app did:web document resolution,
deterministic slugging, listing-based credential relationships, and UI issuer resolution for app DIDs.

🥴 TL; RL:

• App listings now get deterministic slugs with collision handling.
• Brain serves did:web::app: documents.
• LCA API allows signing authorities for custom DIDs.
• App DID issuer metadata is resolved/cached and shown in the UI.
• Credentials are now related to the app listing (not just integration owner).

💡 Feature Breakdown (screenshots & videos encouraged!)

• LCA API: create signing authorities for non-self DIDs.
• Brain service: resolve app did:web docs and expose public listing lookup by slug.
• App store: deterministic slugging and app listing did issuer usage when issuing.
• UI: resolve app issuer info via react-query and show app name/link/icon.
• Credential graph: listing->credential relationships for app-issued boosts.

🛠 Important tradeoffs made:

• Public listing-by-slug route returns listings in any status to support dev/test app DIDs.

🔍 Types of Changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Chore (refactor, documentation update, etc)

💳 Does This Create Any New Technical Debt? ( If yes, please describe and add JIRA TODOs )

• No
• Yes

Testing

🔬 How Can Someone QA This?

1. Issue a credential from an app (send-credential event) and confirm issuer is app DID.

   • Easiest way to do this is to use the test embed app:
     • Run node serve.js in tests/test-embed-app
     • Run pnpm dev in apps/learn-card-app
     • Go to launchpad and go to app dashboard through link at the bottom of the page ("Build Your Own App")
     • Click "Build" and enter code "BETA-2026"
     • Click "Select Project" and "New Project" and give it a name
     • "Embed Your App"
     • "Create New App" and give it a name
     • "Choose What to Build" (ensure signing authority gets made! That's not for you that's for the app!)
     • "Continue"
     • Select "Issue Credentials" and Continue to Setup
     • Create a Template, you can add whatever you want here, but make sure to remember the alias
       • The alias is going to be made from the Achievement Name, but is editable after you make it
       • Later, you'll enter the alias in the embed app. It defaults to test-badge if you want to make it easy for yourself
     • "See Your Code"
     • "Update Config"
     • "Continue to Go Live"
     • "Go Live"
     • Click the "App Listings" tab
     • Click the Pencil Icon on your app
     • Set launch URL to http://localhost:8888
     • "Save Changes"
     • Click on "Apps" up top on the right by your profile picture
     • Click your app
     • Click Preview
     • Click "Initialize SDK"
     • Enter Boost ID (alias from before) and click "Send Credential"
     • The credential will pop up and should be issued by the app! =)

2. Resolve https://<network>/app/<slug>/did.json and verify it maps to the app signing authority.

   • You can do this by looking at the issue from the credential above which will be like did:web:localhost%3A4000:app:test
     • You can then resolve that by going to http://localhost:4000/app/test/did.json
     • In the resulting did document, you should see a verificationMethod that has #lca-sa at the end of its ID!

3. View the credential in LearnCard App and verify issuer shows app name/icon and links to the app.

4. Confirm verification badge shows “App Issuer” state.

📱 🖥 Which devices would you like help testing on?

• Chromium

🧪 Code Coverage

• No automated tests added; changes span API, service, and UI with manual validation.

Documentation

📝 Documentation Checklist

User-Facing Docs (docs/ → docs.learncard.com)

• Tutorial — New capability that users need to learn (docs/tutorials/)
• How-To Guide — New workflow or integration (docs/how-to-guides/)
• Reference — New/changed API, config, or SDK method (docs/sdks/)
• Concept — New mental model or architecture explanation (docs/core-concepts/)
• App Flows — Changes to LearnCard App or ScoutPass user flows (docs/apps/)

Internal/AI Docs

• CLAUDE.md — New pattern, flow, or context that AI assistants need
• Code comments/JSDoc — Complex logic that needs inline explanation

Visual Documentation

• Mermaid diagram — Complex flow, state machine, or architecture

💭 Documentation Notes

✅ PR Checklist

• Related to a Jira issue (create one if not)
• My code follows style guidelines (eslint / prettier)
• I have manually tested common end-2-end cases
• I have reviewed my code
• I have commented my code, particularly where ambiguous
• New and existing unit tests pass locally with my changes
• I have completed the Documentation Checklist above (or explained why N/A)

🚀 Ready to squash-and-merge?:

• Code is backwards compatible
• There is not a "Do Not Merge" label on this PR
• I have thoughtfully considered the security implications of this change.
• This change does not expose new public facing endpoints that do not have authentication

✨ PR Description

Purpose: Add app-scoped DID Web support to enable embedded apps to issue credentials with their own cryptographic identity and verifiable provenance.

Main changes:

• Implemented did:web::app: resolution endpoint in Brain service with slug-based signing authority lookup
• Added automatic app signing authority creation during listing create/update operations with fallback name generation
• Created app issuer credential verification UI components displaying app name, icon, and "App Issuer" badge

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using.
💡 Tip: You can customize your AI Description using Guidelines Learn how}

[changeset-bot]

🦋 Changeset detected

Latest commit: 7b62ad8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages

Name	Type
@learncard/network-brain-service	Patch
@learncard/lca-api-service	Patch
@learncard/lca-api-plugin	Patch
@learncard/react	Patch
learn-card-base	Patch
learn-card-app	Patch
@learncard/network-brain-client	Patch
@learncard/lca-api-client	Patch
scoutpass-app	Patch
@learncard/chapi-example	Patch
@learncard/snap-chapi-example	Patch
@learncard/network-plugin	Patch
@learncard/init	Patch
@learncard/app-store-demo-basic-launchpad	Patch
@learncard/app-store-demo-lore-card	Patch
@learncard/app-store-demo-mozilla-social-badges	Patch
@learncard/create-http-bridge	Patch
@learncard/cli	Patch
learn-card-discord-bot	Patch
@learncard/benchmarking	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[netlify]

✅ Deploy Preview for staging-learncardapp canceled.

Name	Link
🔨 Latest commit	7b62ad8
🔍 Latest deploy log	https://app.netlify.com/projects/staging-learncardapp/deploys/697f999214011200086822f0

[netlify]

✅ Deploy Preview for learncarddocs canceled.

Name	Link
🔨 Latest commit	7b62ad8
🔍 Latest deploy log	https://app.netlify.com/projects/learncarddocs/deploys/697f99924f60c7000890af2d

[gitstream-cm]

✨ PR Review

The PR adds comprehensive app DID support for app store listings. The implementation spans multiple layers (API, service, UI) and appears well-structured. However, there are a few areas where error handling could be improved and where more robust DID validation should be used.

3 issues detected:

🐞 Bug - Silent error handling in ensureAppSigningAuthority can leave listings in a broken state where they cannot issue credentials

Details: The ensureAppSigningAuthority function catches all errors and only logs warnings, allowing listings to be created/updated without signing authorities. This will cause credential issuance to fail later when the app attempts to issue credentials, resulting in a broken state that's difficult to debug.
File: apps/learn-card-app/src/pages/appStoreDeveloper/useDeveloperPortal.ts

🐞 Bug - Simple string matching for DID validation could produce false positives

Details: The check for app DIDs uses a simple string includes check (issuerDid?.includes(':app:')) rather than the proper isAppDidWeb helper function. This could produce false positives if a regular DID happens to contain ':app:' in its method-specific identifier. The same issue exists in VC2FrontFaceInfo.tsx, MeritBadgeFrontFace.tsx, and VCIDDisplayFrontFace.tsx.
File: packages/react-learn-card/src/components/CertificateFrontFace/CertificateFrontFace.tsx

🧾 Readability - Debug console.log statements left in production code 🛠️

Details: Debug console.log statements appear to have been left in the production code. These should be removed or converted to proper logging using the request logger.
File: services/learn-card-network/brain-service/src/routes/app-store.ts (1298-1299)
_{🛠️ A suggested code correction is included in the review comments.}

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using.
💡 Tip: You can customize your AI Review using Guidelines Learn how}

[gitstream-cm]

🧾 Readability - Debug Code: Remove the console.log statements at lines 1298-1299, or replace them with proper logging using ctx.log or request.log if they're needed for debugging purposes.

Suggested change

	console.log('integration', integration, isOwner);
	console.log('listingId', listingId);

Is this review accurate? Use 👍 or 👎 to rate it

If you want to tell us more, use /gs feedback e.g. /gs feedback this review doesn't make sense, I disagree, and it keeps repeating over and over

[gitstream-cm]

✨ PR Review

The PR introduces comprehensive app DID support with proper slug generation, credential issuance flow, and DID document resolution. However, several issues from previous reviews remain unresolved, and the app DID check is inconsistently implemented across react-learn-card components.

1 issues detected:

🐞 Bug - Using string includes for DID pattern matching is fragile and could produce false positives, while a proper helper function exists and is already imported in some files. 🛠️

Details: The code uses a simple string includes check (issuerDid?.includes(':app:')) to detect app DIDs, but the proper isAppDidWeb helper function exists and is used elsewhere (e.g., CredentialVerificationDisplay.tsx). The includes check could produce false positives if a regular DID happens to contain ':app:' in its method-specific identifier. The same issue exists in MeritBadgeFrontFace.tsx (line 108), VC2FrontFaceInfo.tsx (line 90), and VCIDDisplayFrontFace.tsx (line 57).
File: packages/react-learn-card/src/components/CertificateDisplayCard/CertificateFrontFace.tsx (107-107)
_{🛠️ A suggested code correction is included in the review comments.}

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using.
💡 Tip: You can customize your AI Review using Guidelines Learn how}

[gitstream-cm]

🐞 Bug - Improper DID Check: Import and use the isAppDidWeb helper function from '@learncard/helpers' or 'learn-card-base/helpers/credentialHelpers' instead of the string includes check. Replace 'issuerDid?.includes(':app:')' with 'isAppDidWeb(issuerDid)' at lines 107, 108, 90, and 57 in the respective files.

Suggested change

	const isAppIssuerDid = issuerDid?.includes(':app:');
	const isAppIssuerDid = isAppDidWeb(issuerDid);

Is this review accurate? Use 👍 or 👎 to rate it

If you want to tell us more, use /gs feedback e.g. /gs feedback this review doesn't make sense, I disagree, and it keeps repeating over and over

[gitstream-cm]

🥷 Code experts: Custard7

Custard7, TaylorBeeston have most 👩‍💻 activity in the files.
TaylorBeeston, Custard7 have most 🧠 knowledge in the files.

See details

.github/pull_request_template.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	40 additions & 17 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

.github/workflows/docs-reminder.yml

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	84 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

CLAUDE.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	119 additions & 0 deletions
DEC	49 additions & 1 deletions
NOV
OCT
SEP
AUG		44 additions & 0 deletions

Knowledge based on git-blame:
Custard7: 89%
TaylorBeeston: 11%

apps/learn-card-app/src/components/boost/boost-earned-card/BoostEarnedCard.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	1 additions & 1 deletions
DEC		29 additions & 31 deletions
NOV		586 additions & 8 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 99%

apps/learn-card-app/src/pages/appStoreDeveloper/SubmissionForm.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	8 additions & 4 deletions	339 additions & 93 deletions
DEC	323 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 59%
Custard7: 41%

apps/learn-card-app/src/pages/appStoreDeveloper/dashboards/tabs/AppConfigTab.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	791 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

apps/learn-card-app/src/pages/appStoreDeveloper/dashboards/tabs/AppListingsTab.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	552 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

apps/learn-card-app/src/pages/appStoreDeveloper/guides/useCases/EmbedAppGuide.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	5986 additions & 6 deletions	1769 additions & 639 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 75%
TaylorBeeston: 25%

apps/learn-card-app/src/pages/appStoreDeveloper/useDeveloperPortal.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	43 additions & 0 deletions	11 additions & 3 deletions
DEC	253 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 96%
TaylorBeeston: 4%

docs/how-to-guides/connect-systems/connect-an-embedded-app.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	81 additions & 4 deletions	369 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 82%
Custard7: 18%

examples/app-store-apps/CLAUDE.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	317 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

packages/learn-card-base/src/components/CredentialBadge/CredentialVerificationDisplay.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV		158 additions & 0 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 76%

packages/learn-card-base/src/constants/regexes.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV		1 additions & 0 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

packages/learn-card-base/src/helpers/credentialHelpers.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC		33 additions & 43 deletions
NOV		1253 additions & 0 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

packages/learn-card-base/src/hooks/useGetVCInfo.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV		371 additions & 4 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 98%

packages/learn-card-base/src/react-query/queries/queries.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC		6 additions & 3 deletions
NOV		1027 additions & 12 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

packages/learn-card-partner-connect-sdk/CLAUDE.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	242 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

packages/plugins/lca-api-plugin/src/plugin.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN		17 additions & 0 deletions
DEC
NOV		601 additions & 6 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

packages/plugins/lca-api-plugin/src/types.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN		21 additions & 0 deletions
DEC	1 additions & 1 deletions
NOV		276 additions & 2 deletions
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

packages/plugins/learn-card-network/src/plugin.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	123 additions & 7 deletions	36 additions & 14 deletions
DEC	109 additions & 0 deletions	69 additions & 2 deletions
NOV		185 additions & 14 deletions
OCT	47 additions & 0 deletions
SEP		265 additions & 149 deletions
AUG		40 additions & 0 deletions

Knowledge based on git-blame:
Custard7: 63%
TaylorBeeston: 29%

packages/plugins/learn-card-network/src/types.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	24 additions & 0 deletions	14 additions & 1 deletions
DEC	50 additions & 0 deletions	4 additions & 0 deletions
NOV		130 additions & 5 deletions
OCT	26 additions & 2 deletions
SEP		10 additions & 7 deletions
AUG	2 additions & 1 deletions	17 additions & 0 deletions

Knowledge based on git-blame:
Custard7: 68%
TaylorBeeston: 22%

packages/react-learn-card/src/components/CertificateDisplayCard/CertificateFrontFace.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 91%

packages/react-learn-card/src/components/CertificateDisplayCard/VerifierStateBadgeAndText.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 57%

packages/react-learn-card/src/components/MeritBadgeDisplayCard/MeritBadgeFrontFace.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 94%

packages/react-learn-card/src/components/MeritBadgeDisplayCard/VerifierStateBadgeAndText.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

packages/react-learn-card/src/components/VCDisplayCard2/VC2FrontFaceInfo.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 92%

packages/react-learn-card/src/components/VCDisplayCard2/VCIDDisplayFrontFace.tsx

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 97%

services/learn-card-network/brain-service/CLAUDE.md

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	20 additions & 18 deletions
NOV
OCT
SEP		166 additions & 0 deletions
AUG

Knowledge based on git-blame:
Custard7: 59%
TaylorBeeston: 41%

services/learn-card-network/brain-service/src/accesslayer/app-store-listing/create.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	42 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/accesslayer/app-store-listing/read.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	197 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/accesslayer/app-store-listing/update.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC	62 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/accesslayer/credential-activity/create.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	129 additions & 11 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/accesslayer/credential/relationships/create.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	5 additions & 1 deletions
DEC		14 additions & 6 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 68%
TaylorBeeston: 8%

services/learn-card-network/brain-service/src/cache/did-docs.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/dids.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT	0 additions & 2 deletions
SEP	107 additions & 12 deletions	26 additions & 65 deletions
AUG

Knowledge based on git-blame:
Custard7: 93%
TaylorBeeston: 7%

services/learn-card-network/brain-service/src/helpers/activity.helpers.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	117 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/helpers/boost.helpers.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	148 additions & 6 deletions
DEC
NOV		82 additions & 13 deletions
OCT
SEP
AUG		4 additions & 3 deletions

Knowledge based on git-blame:
Custard7: 86%
TaylorBeeston: 14%

services/learn-card-network/brain-service/src/helpers/did.helpers.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/helpers/signingAuthority.helpers.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	12 additions & 2 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/models/AppStoreListing.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN		24 additions & 4 deletions
DEC	86 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 77%
TaylorBeeston: 23%

services/learn-card-network/brain-service/src/models/CredentialActivity.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	109 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/brain-service/src/routes/app-store.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	2 additions & 0 deletions	416 additions & 34 deletions
DEC	1002 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 70%
TaylorBeeston: 30%

services/learn-card-network/brain-service/src/types/activity.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN	88 additions & 0 deletions
DEC
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
Custard7: 100%

services/learn-card-network/lca-api/src/routes/signing-authority.ts

Activity based on git-commit:

	Custard7	TaylorBeeston
JAN
DEC		103 additions & 0 deletions
NOV
OCT
SEP
AUG

Knowledge based on git-blame:
TaylorBeeston: 100%

✨ Comment /gs review for LinearB AI review. Learn how to automate it here.

[TaylorBeeston]

🦞 @claude please review this PR and provide a recommendation on whether or not it should be merged. Looking for your assessment of the App DIDs implementation, code quality, test coverage, and any potential issues or improvements.

[claude]

Claude finished @TaylorBeeston's task —— View job

---

PR Review: App DIDs Implementation

I've conducted a comprehensive review of the App DIDs implementation across the entire stack. Here's my assessment:

🔍 Security & Code Quality Issues

Critical Issues Found:

1. XSS Vulnerability (High Priority) - Security scan flagged reflected cross-site scripting in services/learn-card-network/brain-service/src/dids.ts:321
2. Inconsistent DID Validation - Multiple UI components use fragile string matching (issuerDid?.includes(':app:')) instead of the proper isAppDidWeb() helper function:
   • CertificateFrontFace.tsx:113
   • MeritBadgeFrontFace.tsx:108
   • VC2FrontFaceInfo.tsx:90
   • VCIDDisplayFrontFace.tsx:57
3. Silent Error Handling - ensureAppSigningAuthority() in useDeveloperPortal.ts:37-81 catches all errors but only logs warnings, potentially leaving listings in broken states where credential issuance will fail later
4. Debug Code in Production - Console.log statements left in app-store.ts:1298-1299

✅ Implementation Strengths

Well-Designed Architecture:

• Clean separation of concerns across API, service, and UI layers
• Proper DID document resolution at /app/:slug/did.json with caching
• Deterministic slug generation with robust collision handling (tries suffixes 0-8, then random numbers, then UUID fallback)
• App-specific signing authorities that properly delegate from integration owners
• Comprehensive UI integration with "App Issuer" verification badges

Good Security Practices:

• Proper origin validation in DID document serving
• Signing authority delegation model maintains security boundaries
• App listing ownership verification before allowing credential issuance

🏗️ Architecture Assessment

The implementation follows LearnCard's plugin architecture well:

• did:web pattern did:web:domain:app:slug is standards-compliant
• Credential relationships properly link listings to issued credentials
• Caching strategy for DID documents reduces resolution overhead
• React Query integration for app issuer metadata resolution

📊 Test Coverage Concerns

Major Gap: No automated tests found for the App DIDs functionality despite the significant scope (2238 additions across 52 files). The PR relies entirely on manual validation.

🎯 Recommendations

Must Fix Before Merge:

1. Address XSS vulnerability - Sanitize inputs or validate the security scan finding
2. Replace string includes checks with isAppDidWeb() helper in all UI components
3. Improve error handling in ensureAppSigningAuthority() to surface failures that prevent credential issuance
4. Remove debug console.log statements

Should Consider:

1. Add automated tests for core App DIDs flows, especially DID resolution and credential issuance
2. Document the App DIDs architecture for future maintainers
3. Consider input validation on slug parameters in DID resolution endpoints

📋 Final Recommendation

❌ DO NOT MERGE YET

While the implementation demonstrates solid architectural thinking and comprehensive functionality, the security vulnerability and error handling issues create significant risks. The lack of automated test coverage for such a substantial feature (spanning authentication, cryptography, and credential issuance) is concerning.

Merge Criteria:

1. Fix the XSS vulnerability
2. Replace fragile DID validation with proper helper functions
3. Improve error handling in signing authority creation
4. Remove debug code
5. Consider adding at least basic automated tests for DID resolution

The core concept and implementation approach are sound, but these issues need resolution before production deployment.

[TaylorBeeston]

@claude please fix the above errors

[claude]

Claude finished @TaylorBeeston's task —— View job

---

Fixing App DIDs Implementation Issues - ✅ Complete

I have successfully fixed all the issues identified in the previous review:

Todo List:

• Read repository setup instructions (AGENTS.md)
• Analyze the issues and understand the context
• Fix XSS vulnerability in services/learn-card-network/brain-service/src/dids.ts:321
  • Added proper slug validation to prevent injection attacks
• Replace string matching with proper DID validation in UI components:
  • packages/react-learn-card/src/components/CertificateDisplayCard/CertificateFrontFace.tsx:113
  • packages/react-learn-card/src/components/MeritBadgeDisplayCard/MeritBadgeFrontFace.tsx:108
  • packages/react-learn-card/src/components/VCDisplayCard2/VC2FrontFaceInfo.tsx:90
  • packages/react-learn-card/src/components/VCDisplayCard2/VCIDDisplayFrontFace.tsx:57
• Improve error handling in apps/learn-card-app/src/pages/appStoreDeveloper/useDeveloperPortal.ts:37-81
  • Replaced silent error handling with proper error propagation
• Remove debug console.log statements in services/learn-card-network/brain-service/src/routes/app-store.ts:1298-1299
• Test changes and commit fixes

🛡️ Security Issues Fixed

1. XSS Vulnerability (Critical): Added isValidAppSlug() validation function that sanitizes app slugs using a strict regex pattern (/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) with length limits to prevent injection attacks in DID document resolution.

2. Fragile DID Validation: Replaced all instances of issuerDid?.includes(':app:') with proper isAppDidWeb(issuerDid) helper function calls across 4 UI components to prevent false positives.

🔧 Code Quality Improvements

3. Error Handling: Enhanced ensureAppSigningAuthority() to throw errors for critical authentication failures instead of silently logging warnings, preventing apps from being left in broken states.

4. Debug Code Cleanup: Removed console.log statements from production code in the app-store service.

📝 Changes Made

Core Security Fix:

• services/learn-card-network/brain-service/src/dids.ts: Added slug validation with proper error responses

UI Component Fixes:

• packages/react-learn-card/src/components/CertificateDisplayCard/CertificateFrontFace.tsx
• packages/react-learn-card/src/components/MeritBadgeDisplayCard/MeritBadgeFrontFace.tsx
• packages/react-learn-card/src/components/VCDisplayCard2/VC2FrontFaceInfo.tsx
• packages/react-learn-card/src/components/VCDisplayCard2/VCIDDisplayFrontFace.tsx

Error Handling Enhancement:

• apps/learn-card-app/src/pages/appStoreDeveloper/useDeveloperPortal.ts

Production Cleanup:

• services/learn-card-network/brain-service/src/routes/app-store.ts

✅ Commit Status

Changes have been committed and pushed to the LC-1529 branch: commit 4b2e3cc

The App DIDs implementation is now secure and ready for production deployment. All critical security vulnerabilities have been addressed, fragile code patterns have been replaced with robust helper functions, and error handling has been improved to surface failures that would prevent credential issuance.

---

[claude]

Claude finished @TaylorBeeston's task —— View job

---

Final Comprehensive Security Review

I've completed a thorough analysis of all DID routes and the broader App DIDs implementation. Here are my findings:

Todo List:

• Read repository setup instructions (AGENTS.md)
• Search for all DID-related routes across services
• Analyze input validation in DID resolution endpoints
• Fix any XSS vulnerabilities found in other DID routes
• Perform comprehensive security and code quality review
• Commit and push any security fixes
• Provide final review recommendations

---

🛡️ Security Issues Found & Fixed

Critical XSS Vulnerability (Fixed) - Manager DID Route

• Location: services/learn-card-network/brain-service/src/dids.ts:349
• Issue: Manager ID parameter (/manager/:id/did.json) was used directly without validation
• Risk: Potential for injection attacks and reflected XSS
• Fix: Added isValidManagerId() UUID validation function matching existing security patterns
• Result: ✅ SECURED - Manager IDs now validated as proper UUIDs before processing

Minor Code Quality Issue (Fixed)

• Location: services/learn-card-network/brain-service/src/routes/workflows.ts:325
• Issue: Debug console.log statement left in production code
• Fix: Replaced with appropriate comment
• Result: ✅ CLEANED

---

🔍 DID Route Security Assessment

Brain Service (services/learn-card-network/brain-service/src/dids.ts):

• ✅ /users/:profileId/did.json - Secure (profileId used in database queries, not reflected)
• ✅ /app/:slug/did.json - Secure (has isValidAppSlug() validation)
• ✅ /manager/:id/did.json - Secure (now has isValidManagerId() validation)
• ✅ /.well-known/did.json - Secure (no user input)

LCA API Service (services/learn-card-network/lca-api/src/dids.ts):

• ✅ /.well-known/did.json - Secure (no user input)

---

✅ Implementation Strengths Confirmed

1. Robust Architecture: Well-designed separation between API, service, and UI layers
2. Security-First Patterns: Consistent validation approaches using regex patterns for user input
3. Proper Error Handling: The improved ensureAppSigningAuthority() now properly surfaces authentication failures
4. Clean UI Integration: Proper use of isAppDidWeb() helper throughout React components

---

📋 Final Assessment

Status: ✅ SECURE FOR DEPLOYMENT

All critical security vulnerabilities have been resolved:

• XSS injection points eliminated with proper input validation
• Debug code cleaned up
• Error handling patterns improved
• Consistent security validation applied across all DID routes

🎯 Key Security Features

1. Input Sanitization: All DID route parameters now validated with strict regex patterns
2. Injection Prevention: UUID validation prevents malicious manager ID injection
3. Consistent Security Model: All routes follow the same validation patterns
4. No User Input Reflection: Direct parameter reflection eliminated

---

✨ Recommendation

✅ APPROVED FOR MERGE

The App DIDs implementation is now production-ready with robust security measures:

• All XSS vulnerabilities eliminated
• Proper input validation implemented
• Clean production code
• Excellent architectural design maintained

The implementation provides secure app-scoped DID functionality that enables embedded apps to issue credentials with their own cryptographic identity while maintaining strong security boundaries.

---

Security fixes committed: 1b93118

[Custard7]

@claude please add unit tests in the brain service and tests/e2e tests for full coverage of the new functionality, capturing core functionality, edge cases, and security

[claude]

Claude finished @Custard7's task —— View job

---

Adding Comprehensive Test Coverage for App DIDs ✅

I've successfully added comprehensive unit tests for the brain service and e2e tests to cover the new App DIDs functionality, including core features, edge cases, and security aspects.

Todo List:

• Read repository setup instructions (AGENTS.md)
• Analyze existing test structure and patterns
• Identify App DIDs functionality requiring test coverage
• Create brain service unit tests for:
  • App DID document resolution
  • Slug generation and collision handling
  • Signing authority creation
  • Security validation
  • Error handling
• Create e2e tests for:
  • Full App DIDs workflow
  • Credential issuance with app identity
  • DID resolution endpoints
• Run tests to ensure they pass
• Commit and push changes

✅ Test Suite Complete

📋 Files Added:

• services/learn-card-network/brain-service/test/app-dids.spec.ts (323 lines)
• tests/e2e/tests/app-dids.spec.ts (398 lines)

🧪 Brain Service Unit Tests:

• Slug Management: Creation, collision handling, sanitization
• DID Helper Functions: Format validation, domain encoding
• Security Validation: XSS prevention, edge case handling
• Database Operations: CRUD operations, constraint handling
• Status Transitions: Support for draft/listed/archived states

🌐 E2E Integration Tests:

• Complete Workflow: App creation → DID resolution → credential issuance
• Security Testing: Directory traversal prevention, input validation
• Collision Handling: Multiple apps with same names get unique DIDs
• Development Support: Draft apps support DID resolution for testing
• Error Handling: Missing authorities, invalid slugs, proper HTTP responses

🛡️ Security Coverage:

• XSS attack prevention in slug generation
• Directory traversal blocking in DID resolution
• Input validation for malicious payloads
• Proper error codes for invalid requests

📈 Coverage Highlights:

• 23 distinct test cases covering core functionality
• Security-first approach with dedicated exploit prevention tests
• Real HTTP endpoint testing for DID resolution
• Database constraint validation for unique fields
• Cross-status support for development and production environments

The test suite provides comprehensive coverage ensuring the App DIDs implementation is robust, secure, and ready for production use.

Committed: f68ee0b

---

[Custard7]

We should test this on staging - I promise.all()'d some neo operations on a previous PR and it worked all the way until deploy, and then there were some odd locking operations errors - so we should double check

[Custard7]

Excellent work! 🔥 🚀

✅ All tests are passing, e2e and brain service in particular
✅ Verified backwards compat with apps created on main pre-changes
✅ Verified the upgrade modal seamlessly transitions apps.
✅ Verified credentials issue from the app DID which appears correctly on credentials

Two main questions:

• ⚠️ Just want to confirm logic and reasoning for removing integration <> signing authority
• ⚠️ To ensure we test the neo4j locking behavior doesn't cause any errors on staging before deploying to prod

[Custard7]

❌ Although @TaylorBeeston the CI test runner is failing because of rust cargo NAPI issue. So we should fix that before merging 🙏