
fix: updated empty credential verifier check #110

Merged
rongquan1 merged 3 commits into main from fix/emptyCredential-verifier-update
Aug 28, 2025
Conversation


@Moiz47 Moiz47 commented Aug 28, 2025

Contributor

Summary by CodeRabbit

  • New Features

    • Streamlined credential verification: no configuration required during verification.
  • Bug Fixes

    • Consistent, clearer error messaging when a document is not a valid signed credential.
    • More predictable success/failure results with explicit VALID status on success.
  • Refactor

    • Simplified verification flow to use a lightweight signed-document check.
    • Removed unnecessary external dependency to improve maintainability.


coderabbitai Bot commented Aug 28, 2025

Contributor

Walkthrough

Replaced W3C signature verification with a boolean type-guard check using isSignedDocument from @trustvc/w3c-vc; verifier no longer uses VerifierOptions parameter; success returns { status: VALID, data: true }, failure returns { status: INVALID, data: false, error: "Document is not a valid SignedVerifiableCredential" }.

Changes

Cohort / File(s): W3C Empty Credential Status Verifier (src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts)
Summary of Changes: Replaced verifyW3CSignature(..., VerifierOptions) with isSignedDocument(...) boolean check; removed VerifierOptions import and usage; added eslint-disable-next-line to ignore unused verifierOptions parameter; on success return { status: VALID, data: true }, on failure return { status: INVALID, data: false, error: "Document is not a valid SignedVerifiableCredential" }; adjusted imports to use isSignedDocument and SignedVerifiableCredential.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller
  participant Verifier as w3cEmptyCredentialStatus.verify
  note over Verifier: Uses isSignedDocument(doc) boolean guard

  Caller->>Verifier: verify(document)
  alt isSignedDocument(document) == true
    Verifier-->>Caller: { status: VALID, data: true }
  else
    Verifier-->>Caller: { status: INVALID, data: false, error: "Document is not a valid SignedVerifiableCredential" }
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • RishabhS7
  • rongquan1

Poem

I hop through code and check each pad,
I peek for signatures, quiet or glad.
If isSignedDocument nods with a grin,
I mark it valid — a soft rabbit win.
Else I thump once and bound off to begin. 🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 29744e6 and f1d262b.

📒 Files selected for processing (1)
  • src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (1)

25-32: Guard against null/undefined documents in test() to avoid runtime TypeError.

Accessing doc.credentialStatus without optional chaining will throw when document is null/undefined. Make test null-safe.

Apply this diff:

-  test: (document: unknown) => {
-    const doc = document as SignedVerifiableCredential;
-    return (
-      !!doc.credentialStatus === false ||
-      (Array.isArray(doc.credentialStatus) && doc.credentialStatus.length === 0) ||
-      Object.keys(doc.credentialStatus)?.length === 0
-    );
-  },
+  test: (document: unknown) => {
+    const cs = (document as Partial<SignedVerifiableCredential> | null | undefined)?.credentialStatus;
+    return (
+      !cs ||
+      (Array.isArray(cs) && cs.length === 0) ||
+      (!Array.isArray(cs) && typeof cs === 'object' && cs !== null && Object.keys(cs).length === 0)
+    );
+  },
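Review bot: in the third clause of the added `test`, `cs !== null` is dead code, because `!cs` in the first clause has already returned true for null; `!Array.isArray(cs)` is also unnecessary, since a non-empty array has a non-zero `Object.keys(cs).length` anyway. The clause can be reduced to `typeof cs === 'object' && Object.keys(cs).length === 0`. A unit test calling `test(null)` and `test(undefined)` should accompany this, as that is the case the change exists to cover.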
🧹 Nitpick comments (1)
src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (1)

7-10: DRY: use a shared isSignedVerifiableCredential helper instead of duplicating.

This guard appears elsewhere. Centralize it (e.g., src/verify/utils/isSignedVerifiableCredential.ts) and import here for consistency and easier updates.

Example helper:

// src/verify/utils/isSignedVerifiableCredential.ts
import { SignedVerifiableCredential } from '@trustvc/w3c-vc';
export function isSignedVerifiableCredential(document: unknown): document is SignedVerifiableCredential {
  return typeof document === 'object' && document !== null && 'proof' in (document as object);
}

Then:

- function isSignedVerifiableCredential(document: unknown): document is SignedVerifiableCredential {
-   return typeof document === 'object' && document !== null && 'proof' in document;
- }
+ import { isSignedVerifiableCredential } from '../../../utils/isSignedVerifiableCredential';
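Review bot: the guard being centralised here only tests `'proof' in document`, so `{ proof: null }` or any object carrying a `proof` key narrows to SignedVerifiableCredential. If it becomes a shared helper, have it check that `proof` is a non-null object, and give it a doc comment stating that it is a shape check that does not validate the proof, so callers do not read its name as verification.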
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 2d449cb and 84dd61b.

📒 Files selected for processing (1)
  • src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (3 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (3)
src/verify/fragments/document-status/w3cCredentialStatus.ts (2)
  • document (57-117)
  • document (41-55)
src/verify/fragments/document-integrity/ecdsaW3CSignatureIntegrity.ts (2)
  • document (33-93)
  • isSignedVerifiableCredential (10-12)
src/verify/fragments/document-integrity/w3cSignatureIntegrity.ts (1)
  • document (26-47)

Comment thread src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts Outdated
Comment on lines 34 to 38
verify: async (document: unknown) => {
const doc = document as SignedVerifiableCredential;
const verificationResult = await verifyW3CSignature(doc, verifierOptions);
if (verificationResult.verified) {
const verificationResult = isSignedVerifiableCredential(doc);
if (verificationResult) {
return {
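Review bot: with `await verifyW3CSignature(doc, verifierOptions)` giving way to `isSignedVerifiableCredential(doc)`, a VALID result from this fragment no longer reflects a checked signature, only that the document has the shape of a signed one. Confirm that proof verification is enforced by the document-integrity fragments for every document this fragment accepts, state that in a comment on `verify`, and add a test in which a document with an altered proof and no `credentialStatus` still fails overall verification.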

Contributor


💡 Verification agent

🧩 Analysis chain

Keep verify(document, verifierOptions) signature and tighten naming.

Maintain the second parameter for backward compatibility and rename the boolean for clarity.

-  verify: async (document: unknown) => {
+  verify: async (document: unknown, _verifierOptions: VerifierOptions) => {
     const doc = document as SignedVerifiableCredential;
-    const verificationResult = isSignedVerifiableCredential(doc);
-    if (verificationResult) {
+    const isSigned = isSignedVerifiableCredential(doc);
+    if (isSigned) {
       return {
         type,
         name,
         data: true,
         status: 'VALID',
       };
     } else {
       return {
         type,
         name,
         data: false,
         reason: {
-          message: 'Document is not a valid SignedVerifiableCredential',
+          message: 'Document is not a valid SignedVerifiableCredential',
         },
         status: 'INVALID',
       };
     }
   },
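Review bot: `const doc = document as SignedVerifiableCredential` runs before the guard, so `isSignedVerifiableCredential(doc)` is called on a value already asserted to be that type and the type guard narrows nothing; pass `document` to the guard and drop the cast. The `-`/`+` pair on the `message:` line is textually identical and can be left out of the suggestion. Adding `_verifierOptions: VerifierOptions` also means the `VerifierOptions` import has to stay.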

Run to confirm signature parity across fragments:

Also applies to: 50-55


🏁 Script executed:

#!/bin/bash
# Verify other fragments still accept verifierOptions
rg -nP -C1 "verify:\s*async\s*\(\s*document:\s*unknown,\s*verifierOptions" src/verify

# Check this fragment’s usage and name occurrences
rg -n "W3CEmptyCredentialStatus|w3cEmptyCredentialStatus" -C2

Length of output: 5130


Add missing verifierOptions parameter & rename verificationResult
In src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts (lines 34–38, 50–55):

  • Change
    verify: async (document: unknown) =>
    to
    verify: async (document: unknown, _verifierOptions: VerifierOptions) =>
  • Rename
    const verificationResult = isSignedVerifiableCredential(doc);
    if (verificationResult) {
      
    }
    to
    const isSigned = isSignedVerifiableCredential(doc);
    if (isSigned) {
      
    }
🤖 Prompt for AI Agents
In src/verify/fragments/document-status/w3cEmptyCredentialStatus/index.ts around
lines 34–38 and 50–55, the verify function is missing the verifierOptions
parameter and the variable name verificationResult is unclear; update the
function signature to accept (document: unknown, _verifierOptions:
VerifierOptions) and rename the local const verificationResult to isSigned (and
update its uses) where you call isSignedVerifiableCredential(doc) so the
parameter is present for future use and the boolean variable name accurately
reflects its purpose.

@sonarqubecloud


@rongquan1 rongquan1 merged commit b7f99c4 into main Aug 28, 2025
21 checks passed
@rongquan1 rongquan1 deleted the fix/emptyCredential-verifier-update branch August 28, 2025 07:14
nghaninn pushed a commit that referenced this pull request Aug 28, 2025
## [2.0.4](v2.0.3...v2.0.4) (2025-08-28)

### Bug Fixes

* updated empty credential verifier check ([#110](#110)) ([b7f99c4](b7f99c4))
@nghaninn

Contributor

🎉 This PR is included in version 2.0.4 🎉

The release is available on:

Your semantic-release bot 📦🚀


4 participants