cellstate_core/

credentials.rs

//! Verifiable Credentials for Agent Identity
//!
//! Implements a subset of the W3C Verifiable Credentials Data Model v2.0
//! for establishing cryptographic proof of agent identity and capabilities.
//!
//! ## Identity Model
//!
//! Each agent receives a DID (Decentralized Identifier) using the `did:web` method:
//! ```text
//! did:web:cellstate.batterypack.dev:agents:{agent-uuid}
//! ```
//!
//! Agents can hold Verifiable Credentials that attest to:
//! - Identity (who is this agent?)
//! - Capabilities (what can this agent do?)
//! - Provenance (who created this agent?)
//! - Compliance (EU AI Act attestation)

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fmt;
use uuid::Uuid;

// ============================================================================
// DECENTRALIZED IDENTIFIER (DID)
// ============================================================================

/// A Decentralized Identifier (DID) for an agent.
///
/// DIDs follow the W3C DID Core specification. For CELLSTATE agents,
/// we use the `did:web` method which resolves via HTTPS.
///
/// Format: `did:web:{domain}:agents:{agent-uuid}`
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub struct Did(pub String);

impl Did {
    /// Create a `did:web` identifier for an agent.
    ///
    /// # Arguments
    /// * `domain` - The domain hosting the DID document (e.g., "cellstate.batterypack.dev")
    /// * `agent_id` - The agent's UUID
    ///
    /// # Examples
    /// ```
    /// # use uuid::Uuid;
    /// # use cellstate_core::credentials::Did;
    /// let id = Uuid::nil();
    /// let did = Did::web("cellstate.batterypack.dev", id);
    /// assert_eq!(did.0, "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000");
    /// ```
    pub fn web(domain: &str, agent_id: Uuid) -> Self {
        Self(format!("did:web:{}:agents:{}", domain, agent_id))
    }

    /// Parse a DID string, returning `Some(Did)` if it begins with `did:`.
    pub fn parse(s: &str) -> Option<Self> {
        if s.starts_with("did:") {
            Some(Self(s.to_string()))
        } else {
            None
        }
    }

    /// Extract the agent UUID from a `did:web` identifier.
    ///
    /// Returns `None` if the DID is not a `did:web` with the expected
    /// `:agents:{uuid}` suffix.
    pub fn agent_id(&self) -> Option<Uuid> {
        let parts: Vec<&str> = self.0.split(':').collect();
        // did:web:domain:agents:uuid  -> 5 parts minimum
        if parts.len() < 5 || parts[1] != "web" {
            return None;
        }
        // Find the "agents" segment and take the next one as the UUID
        let mut iter = parts.iter();
        while let Some(&segment) = iter.next() {
            if segment == "agents" {
                if let Some(&uuid_str) = iter.next() {
                    return Uuid::parse_str(uuid_str).ok();
                }
            }
        }
        None
    }

    /// Get the DID method (e.g., "web", "key", "pkh").
    ///
    /// Returns the method portion of the DID string (`did:{method}:...`).
    pub fn method(&self) -> &str {
        self.0
            .strip_prefix("did:")
            .and_then(|rest| rest.split(':').next())
            .unwrap_or("")
    }
}

impl fmt::Display for Did {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.0)
    }
}

// ============================================================================
// DID DOCUMENT
// ============================================================================

/// A DID Document containing the agent's public keys and service endpoints.
///
/// Follows the W3C DID Core specification. The document is resolvable via
/// the `did:web` method (HTTPS GET to `/.well-known/did.json`).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DidDocument {
    /// JSON-LD context URIs
    #[serde(rename = "@context")]
    pub context: Vec<String>,
    /// The DID this document describes
    pub id: Did,
    /// The DID of the controller (typically the tenant)
    pub controller: Did,
    /// Public keys and verification methods
    pub verification_method: Vec<VerificationMethod>,
    /// DIDs or key IDs that can authenticate as this DID subject
    pub authentication: Vec<String>,
    /// DIDs or key IDs that can issue assertions (sign credentials)
    pub assertion_method: Vec<String>,
    /// Service endpoints (API URLs, messaging endpoints, etc.)
    pub service: Vec<ServiceEndpoint>,
    /// When this document was created
    pub created: DateTime<Utc>,
    /// When this document was last updated
    pub updated: DateTime<Utc>,
}

impl DidDocument {
    /// Create a DID Document for an agent.
    ///
    /// This generates a standard document structure with a single Ed25519
    /// verification method and the CELLSTATE API service endpoint.
    pub fn for_agent(domain: &str, agent_id: Uuid, tenant_id: Uuid) -> Self {
        let agent_did = Did::web(domain, agent_id);
        let tenant_did = Did::web(domain, tenant_id);
        let now = Utc::now();

        let key_id = format!("{}#key-1", agent_did.0);

        Self {
            context: vec![
                "https://www.w3.org/ns/did/v1".to_string(),
                "https://w3id.org/security/suites/ed25519-2020/v1".to_string(),
            ],
            id: agent_did.clone(),
            controller: tenant_did,
            verification_method: vec![VerificationMethod {
                id: key_id.clone(),
                method_type: "Ed25519VerificationKey2020".to_string(),
                controller: agent_did.0.clone(),
                public_key_multibase: None, // Populated when keys are generated
            }],
            authentication: vec![key_id.clone()],
            assertion_method: vec![key_id],
            service: vec![ServiceEndpoint {
                id: format!("{}#cellstate-api", agent_did.0),
                service_type: "CellstateAgent".to_string(),
                service_endpoint: format!("https://{}/api/v1/agents/{}", domain, agent_id),
            }],
            created: now,
            updated: now,
        }
    }
}

/// A verification method (public key) in a DID Document.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerificationMethod {
    /// Unique identifier for this key (e.g., "did:web:...#key-1")
    pub id: String,
    /// The type of key (e.g., "Ed25519VerificationKey2020")
    #[serde(rename = "type")]
    pub method_type: String,
    /// The DID of the key controller
    pub controller: String,
    /// The public key encoded in multibase format
    pub public_key_multibase: Option<String>,
}

/// A service endpoint in a DID Document.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ServiceEndpoint {
    /// Unique identifier for this service
    pub id: String,
    /// The type of service (e.g., "CellstateAgent", "LinkedDomains")
    #[serde(rename = "type")]
    pub service_type: String,
    /// The URL of the service endpoint
    #[serde(rename = "serviceEndpoint")]
    pub service_endpoint: String,
}

// ============================================================================
// VERIFIABLE CREDENTIAL
// ============================================================================

/// A W3C Verifiable Credential.
///
/// This structure follows the W3C Verifiable Credentials Data Model v2.0.
/// Credentials attest to claims about a subject (an agent) made by an issuer
/// (typically the CELLSTATE platform or tenant).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerifiableCredential {
    /// JSON-LD context URIs
    #[serde(rename = "@context")]
    pub context: Vec<String>,
    /// Unique identifier for this credential (URN or URL)
    pub id: String,
    /// The types of this credential (always includes "VerifiableCredential")
    #[serde(rename = "type")]
    pub credential_type: Vec<String>,
    /// Who issued this credential
    pub issuer: CredentialIssuer,
    /// When this credential was issued
    pub issuance_date: DateTime<Utc>,
    /// When this credential expires (if applicable)
    pub expiration_date: Option<DateTime<Utc>>,
    /// The subject and claims of this credential
    pub credential_subject: CredentialSubject,
    /// Cryptographic proof (if signed)
    pub proof: Option<CredentialProof>,
}

/// The issuer of a credential, either a simple DID string or an object with metadata.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(untagged)]
pub enum CredentialIssuer {
    /// Just a DID string
    Simple(String),
    /// An object with id and optional name
    Object {
        /// The issuer's DID
        id: String,
        /// Human-readable name
        name: Option<String>,
    },
}

impl CredentialIssuer {
    /// Get the issuer ID regardless of variant.
    pub fn id(&self) -> &str {
        match self {
            CredentialIssuer::Simple(id) => id,
            CredentialIssuer::Object { id, .. } => id,
        }
    }
}

/// The subject of a credential, including the subject's DID and claims.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialSubject {
    /// The DID of the subject
    pub id: String,
    /// Key-value claims about the subject
    #[serde(flatten)]
    pub claims: HashMap<String, serde_json::Value>,
}

/// A cryptographic proof attached to a credential.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialProof {
    /// The type of proof (e.g., "Ed25519Signature2020")
    #[serde(rename = "type")]
    pub proof_type: String,
    /// When the proof was created
    pub created: DateTime<Utc>,
    /// The verification method (key ID) used to create the proof
    pub verification_method: String,
    /// The purpose of the proof (e.g., "assertionMethod")
    pub proof_purpose: String,
    /// The proof value (signature, encoded)
    pub proof_value: String,
}

// ============================================================================
// AGENT CREDENTIAL TYPES
// ============================================================================

/// Credential types that can be issued to agents.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AgentCredentialType {
    /// Identity credential -- proves who the agent is
    Identity,
    /// Capability credential -- proves what the agent can do
    Capability,
    /// Provenance credential -- proves who created the agent
    Provenance,
    /// Compliance credential -- EU AI Act attestation
    Compliance,
}

impl AgentCredentialType {
    /// Returns the W3C VC type string for this credential type.
    pub fn vc_type(&self) -> &'static str {
        match self {
            AgentCredentialType::Identity => "AgentIdentityCredential",
            AgentCredentialType::Capability => "AgentCapabilityCredential",
            AgentCredentialType::Provenance => "AgentProvenanceCredential",
            AgentCredentialType::Compliance => "AgentComplianceCredential",
        }
    }
}

impl fmt::Display for AgentCredentialType {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.vc_type())
    }
}

// ============================================================================
// CREDENTIAL BUILDER
// ============================================================================

/// Builder for creating Verifiable Credentials.
///
/// Uses the builder pattern to construct well-formed credentials with
/// required and optional fields.
///
/// # Example
/// ```
/// # use cellstate_core::credentials::*;
/// # use chrono::Utc;
/// let credential = CredentialBuilder::new()
///     .issuer("did:web:cellstate.batterypack.dev")
///     .subject("did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000")
///     .credential_type(AgentCredentialType::Identity)
///     .claim("name", serde_json::json!("test-agent"))
///     .build()
///     .expect("credential should build");
/// ```
pub struct CredentialBuilder {
    issuer: Option<String>,
    subject: Option<String>,
    credential_type: Option<AgentCredentialType>,
    claims: HashMap<String, serde_json::Value>,
    expiration: Option<DateTime<Utc>>,
}

impl CredentialBuilder {
    /// Create a new empty credential builder.
    pub fn new() -> Self {
        Self {
            issuer: None,
            subject: None,
            credential_type: None,
            claims: HashMap::new(),
            expiration: None,
        }
    }

    /// Set the issuer DID.
    pub fn issuer(mut self, issuer: &str) -> Self {
        self.issuer = Some(issuer.to_string());
        self
    }

    /// Set the subject DID.
    pub fn subject(mut self, subject_did: &str) -> Self {
        self.subject = Some(subject_did.to_string());
        self
    }

    /// Set the credential type.
    pub fn credential_type(mut self, cred_type: AgentCredentialType) -> Self {
        self.credential_type = Some(cred_type);
        self
    }

    /// Add a claim to the credential subject.
    pub fn claim(mut self, key: &str, value: serde_json::Value) -> Self {
        self.claims.insert(key.to_string(), value);
        self
    }

    /// Set the expiration date.
    pub fn expiration(mut self, expires: DateTime<Utc>) -> Self {
        self.expiration = Some(expires);
        self
    }

    /// Build the Verifiable Credential.
    ///
    /// Returns `Err` if required fields (issuer, subject) are missing.
    pub fn build(self) -> Result<VerifiableCredential, CredentialError> {
        let issuer = self.issuer.ok_or(CredentialError::MissingIssuer)?;
        let subject = self.subject.ok_or(CredentialError::MissingSubject)?;

        let mut types = vec!["VerifiableCredential".to_string()];
        if let Some(ref cred_type) = self.credential_type {
            types.push(cred_type.vc_type().to_string());
        }

        let credential_id = format!("urn:uuid:{}", Uuid::now_v7());

        Ok(VerifiableCredential {
            context: vec![
                "https://www.w3.org/2018/credentials/v1".to_string(),
                "https://cellstate.batterypack.dev/credentials/v1".to_string(),
            ],
            id: credential_id,
            credential_type: types,
            issuer: CredentialIssuer::Simple(issuer),
            issuance_date: Utc::now(),
            expiration_date: self.expiration,
            credential_subject: CredentialSubject {
                id: subject,
                claims: self.claims,
            },
            proof: None,
        })
    }
}

impl Default for CredentialBuilder {
    fn default() -> Self {
        Self::new()
    }
}

// ============================================================================
// CREDENTIAL ERRORS
// ============================================================================

/// Errors that can occur during credential operations.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CredentialError {
    /// The credential is missing an issuer
    MissingIssuer,
    /// The credential is missing a subject
    MissingSubject,
    /// The DID string is malformed
    InvalidDid(String),
    /// The credential has expired
    Expired,
    /// The proof is invalid or cannot be verified
    InvalidProof,
    /// The proof type is not supported
    UnsupportedProofType(String),
}

impl fmt::Display for CredentialError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            CredentialError::MissingIssuer => write!(f, "Credential is missing an issuer"),
            CredentialError::MissingSubject => write!(f, "Credential is missing a subject"),
            CredentialError::InvalidDid(did) => write!(f, "Invalid DID: {}", did),
            CredentialError::Expired => write!(f, "Credential has expired"),
            CredentialError::InvalidProof => write!(f, "Credential proof is invalid"),
            CredentialError::UnsupportedProofType(t) => {
                write!(f, "Unsupported proof type: {}", t)
            }
        }
    }
}

impl std::error::Error for CredentialError {}

// ============================================================================
// CREDENTIAL VERIFIER
// ============================================================================

/// Verifier for Verifiable Credentials.
///
/// Performs structural validation, expiry checks, and subject matching.
/// Cryptographic proof verification requires the issuer's public key,
/// which must be resolved via the DID Document.
pub struct CredentialVerifier;

impl CredentialVerifier {
    /// Verify a credential's structure and expiry.
    ///
    /// Checks:
    /// - The credential has a non-empty `id`
    /// - The type array includes "VerifiableCredential"
    /// - The subject has a non-empty `id`
    /// - The credential has not expired
    ///
    /// This does NOT verify the cryptographic proof (that requires the
    /// issuer's public key resolved from their DID Document).
    pub fn verify_structure(credential: &VerifiableCredential) -> Result<(), CredentialError> {
        // Check credential ID
        if credential.id.is_empty() {
            return Err(CredentialError::InvalidDid(
                "Credential ID is empty".to_string(),
            ));
        }

        // Check type includes base type
        if !credential
            .credential_type
            .iter()
            .any(|t| t == "VerifiableCredential")
        {
            return Err(CredentialError::InvalidDid(
                "Missing VerifiableCredential base type".to_string(),
            ));
        }

        // Check subject ID
        if credential.credential_subject.id.is_empty() {
            return Err(CredentialError::MissingSubject);
        }

        // Check expiry
        if Self::is_expired(credential) {
            return Err(CredentialError::Expired);
        }

        Ok(())
    }

    /// Check if a credential has expired.
    ///
    /// Returns `false` if the credential has no expiration date.
    pub fn is_expired(credential: &VerifiableCredential) -> bool {
        if let Some(expiration) = credential.expiration_date {
            Utc::now() > expiration
        } else {
            false
        }
    }

    /// Verify the credential was issued for the given subject DID.
    pub fn verify_subject(credential: &VerifiableCredential, subject_did: &str) -> bool {
        credential.credential_subject.id == subject_did
    }
}

// ============================================================================
// TESTS
// ============================================================================

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    // ------------------------------------------------------------------------
    // DID Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_did_web_creation() {
        let agent_id = Uuid::nil();
        let did = Did::web("cellstate.batterypack.dev", agent_id);
        assert_eq!(
            did.0,
            "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000"
        );
    }

    #[test]
    fn test_did_web_with_real_uuid() {
        let agent_id = Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap();
        let did = Did::web("example.com", agent_id);
        assert_eq!(
            did.0,
            "did:web:example.com:agents:550e8400-e29b-41d4-a716-446655440000"
        );
    }

    #[test]
    fn test_did_parse_valid() {
        let did = Did::parse(
            "did:web:cellstate.batterypack.dev:agents:550e8400-e29b-41d4-a716-446655440000",
        );
        assert!(did.is_some());
        assert_eq!(
            did.unwrap().0,
            "did:web:cellstate.batterypack.dev:agents:550e8400-e29b-41d4-a716-446655440000"
        );
    }

    #[test]
    fn test_did_parse_other_method() {
        let did = Did::parse("did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK");
        assert!(did.is_some());
    }

    #[test]
    fn test_did_parse_invalid() {
        assert!(Did::parse("not-a-did").is_none());
        assert!(Did::parse("").is_none());
        assert!(Did::parse("http://example.com").is_none());
    }

    #[test]
    fn test_did_agent_id_extraction() {
        let uuid = Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap();
        let did = Did::web("cellstate.batterypack.dev", uuid);
        assert_eq!(did.agent_id(), Some(uuid));
    }

    #[test]
    fn test_did_agent_id_nil() {
        let did = Did::web("cellstate.batterypack.dev", Uuid::nil());
        assert_eq!(did.agent_id(), Some(Uuid::nil()));
    }

    #[test]
    fn test_did_agent_id_non_web() {
        let did = Did("did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK".to_string());
        assert!(did.agent_id().is_none());
    }

    #[test]
    fn test_did_agent_id_malformed() {
        let did = Did("did:web:cellstate.batterypack.dev".to_string());
        assert!(did.agent_id().is_none());
    }

    #[test]
    fn test_did_agent_id_bad_uuid() {
        let did = Did("did:web:cellstate.batterypack.dev:agents:not-a-uuid".to_string());
        assert!(did.agent_id().is_none());
    }

    #[test]
    fn test_did_method_web() {
        let did = Did::web("cellstate.batterypack.dev", Uuid::nil());
        assert_eq!(did.method(), "web");
    }

    #[test]
    fn test_did_method_key() {
        let did = Did("did:key:z6Mk...".to_string());
        assert_eq!(did.method(), "key");
    }

    #[test]
    fn test_did_method_empty() {
        let did = Did("not-a-did".to_string());
        assert_eq!(did.method(), "");
    }

    #[test]
    fn test_did_display() {
        let did = Did::web("cellstate.batterypack.dev", Uuid::nil());
        let displayed = format!("{}", did);
        assert_eq!(
            displayed,
            "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000"
        );
    }

    #[test]
    fn test_did_serde_roundtrip() {
        let did = Did::web("cellstate.batterypack.dev", Uuid::nil());
        let json = serde_json::to_string(&did).unwrap();
        let deserialized: Did = serde_json::from_str(&json).unwrap();
        assert_eq!(did, deserialized);
    }

    #[test]
    fn test_did_equality_and_hash() {
        let id = Uuid::nil();
        let did1 = Did::web("cellstate.batterypack.dev", id);
        let did2 = Did::web("cellstate.batterypack.dev", id);
        let did3 = Did::web("other.com", id);

        assert_eq!(did1, did2);
        assert_ne!(did1, did3);

        // Test as HashMap key
        let mut map = HashMap::new();
        map.insert(did1.clone(), "value");
        assert_eq!(map.get(&did2), Some(&"value"));
        assert_eq!(map.get(&did3), None);
    }

    // ------------------------------------------------------------------------
    // DID Document Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_did_document_for_agent() {
        let agent_id = Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap();
        let tenant_id = Uuid::parse_str("660e8400-e29b-41d4-a716-446655440000").unwrap();
        let doc = DidDocument::for_agent("cellstate.batterypack.dev", agent_id, tenant_id);

        // Check context
        assert_eq!(doc.context.len(), 2);
        assert!(doc.context[0].contains("did/v1"));

        // Check id
        assert_eq!(doc.id, Did::web("cellstate.batterypack.dev", agent_id));

        // Check controller is the tenant
        assert_eq!(
            doc.controller,
            Did::web("cellstate.batterypack.dev", tenant_id)
        );

        // Check verification method
        assert_eq!(doc.verification_method.len(), 1);
        assert_eq!(
            doc.verification_method[0].method_type,
            "Ed25519VerificationKey2020"
        );
        assert!(doc.verification_method[0].id.contains("#key-1"));

        // Check authentication and assertion_method reference the key
        assert_eq!(doc.authentication.len(), 1);
        assert!(doc.authentication[0].contains("#key-1"));
        assert_eq!(doc.assertion_method.len(), 1);

        // Check service endpoint
        assert_eq!(doc.service.len(), 1);
        assert_eq!(doc.service[0].service_type, "CellstateAgent");
        assert!(doc.service[0]
            .service_endpoint
            .contains(&agent_id.to_string()));
    }

    #[test]
    fn test_did_document_serde_roundtrip() {
        let doc = DidDocument::for_agent("cellstate.batterypack.dev", Uuid::nil(), Uuid::nil());
        let json = serde_json::to_string(&doc).unwrap();
        let deserialized: DidDocument = serde_json::from_str(&json).unwrap();
        assert_eq!(deserialized.id, doc.id);
        assert_eq!(deserialized.controller, doc.controller);
        assert_eq!(deserialized.verification_method.len(), 1);
        assert_eq!(deserialized.service.len(), 1);
    }

    #[test]
    fn test_did_document_json_ld_context() {
        let doc = DidDocument::for_agent("cellstate.batterypack.dev", Uuid::nil(), Uuid::nil());
        let json_value: serde_json::Value = serde_json::to_value(&doc).unwrap();
        // @context should be serialized correctly
        assert!(json_value.get("@context").is_some());
        let ctx = json_value["@context"].as_array().unwrap();
        assert_eq!(ctx.len(), 2);
    }

    // ------------------------------------------------------------------------
    // Credential Builder Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_credential_builder_identity() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Identity)
            .claim("name", json!("test-agent"))
            .claim("agentType", json!("coder"))
            .build()
            .unwrap();

        assert!(cred.id.starts_with("urn:uuid:"));
        assert!(cred
            .credential_type
            .contains(&"VerifiableCredential".to_string()));
        assert!(cred
            .credential_type
            .contains(&"AgentIdentityCredential".to_string()));
        assert_eq!(cred.credential_subject.claims["name"], json!("test-agent"));
        assert_eq!(cred.credential_subject.claims["agentType"], json!("coder"));
        assert!(cred.expiration_date.is_none());
        assert!(cred.proof.is_none());
    }

    #[test]
    fn test_credential_builder_capability() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Capability)
            .claim("capabilities", json!(["read", "write", "execute"]))
            .build()
            .unwrap();

        assert!(cred
            .credential_type
            .contains(&"AgentCapabilityCredential".to_string()));
        assert_eq!(
            cred.credential_subject.claims["capabilities"],
            json!(["read", "write", "execute"])
        );
    }

    #[test]
    fn test_credential_builder_provenance() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Provenance)
            .claim("creator", json!("tenant-admin"))
            .claim("createdAt", json!("2025-01-01T00:00:00Z"))
            .build()
            .unwrap();

        assert!(cred
            .credential_type
            .contains(&"AgentProvenanceCredential".to_string()));
    }

    #[test]
    fn test_credential_builder_compliance() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Compliance)
            .claim("regulation", json!("EU AI Act"))
            .claim("riskCategory", json!("limited"))
            .claim("transparencyProvided", json!(true))
            .build()
            .unwrap();

        assert!(cred
            .credential_type
            .contains(&"AgentComplianceCredential".to_string()));
        assert_eq!(
            cred.credential_subject.claims["regulation"],
            json!("EU AI Act")
        );
    }

    #[test]
    fn test_credential_builder_with_expiration() {
        let expires = Utc::now() + chrono::Duration::days(365);
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Identity)
            .expiration(expires)
            .build()
            .unwrap();

        assert_eq!(cred.expiration_date, Some(expires));
    }

    #[test]
    fn test_credential_builder_no_type() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .build()
            .unwrap();

        // Should still have base type
        assert_eq!(cred.credential_type, vec!["VerifiableCredential"]);
    }

    #[test]
    fn test_credential_builder_missing_issuer() {
        let result = CredentialBuilder::new()
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .build();

        assert_eq!(result.unwrap_err(), CredentialError::MissingIssuer);
    }

    #[test]
    fn test_credential_builder_missing_subject() {
        let result = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .build();

        assert_eq!(result.unwrap_err(), CredentialError::MissingSubject);
    }

    #[test]
    fn test_credential_builder_missing_both() {
        let result = CredentialBuilder::new().build();
        // Issuer is checked first
        assert_eq!(result.unwrap_err(), CredentialError::MissingIssuer);
    }

    #[test]
    fn test_credential_builder_default() {
        let builder = CredentialBuilder::default();
        // Default builder should fail to build (no issuer/subject)
        assert!(builder.build().is_err());
    }

    // ------------------------------------------------------------------------
    // Credential Verifier Tests
    // ------------------------------------------------------------------------

    fn make_valid_credential() -> VerifiableCredential {
        CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Identity)
            .claim("name", json!("test-agent"))
            .build()
            .unwrap()
    }

    #[test]
    fn test_verify_structure_valid() {
        let cred = make_valid_credential();
        assert!(CredentialVerifier::verify_structure(&cred).is_ok());
    }

    #[test]
    fn test_verify_structure_empty_id() {
        let mut cred = make_valid_credential();
        cred.id = String::new();
        let result = CredentialVerifier::verify_structure(&cred);
        assert!(matches!(result, Err(CredentialError::InvalidDid(_))));
    }

    #[test]
    fn test_verify_structure_missing_base_type() {
        let mut cred = make_valid_credential();
        cred.credential_type = vec!["AgentIdentityCredential".to_string()];
        let result = CredentialVerifier::verify_structure(&cred);
        assert!(matches!(result, Err(CredentialError::InvalidDid(_))));
    }

    #[test]
    fn test_verify_structure_empty_subject() {
        let mut cred = make_valid_credential();
        cred.credential_subject.id = String::new();
        let result = CredentialVerifier::verify_structure(&cred);
        assert_eq!(result.unwrap_err(), CredentialError::MissingSubject);
    }

    #[test]
    fn test_verify_structure_expired() {
        let mut cred = make_valid_credential();
        cred.expiration_date = Some(Utc::now() - chrono::Duration::hours(1));
        let result = CredentialVerifier::verify_structure(&cred);
        assert_eq!(result.unwrap_err(), CredentialError::Expired);
    }

    #[test]
    fn test_is_expired_no_expiration() {
        let cred = make_valid_credential();
        assert!(!CredentialVerifier::is_expired(&cred));
    }

    #[test]
    fn test_is_expired_future() {
        let mut cred = make_valid_credential();
        cred.expiration_date = Some(Utc::now() + chrono::Duration::days(365));
        assert!(!CredentialVerifier::is_expired(&cred));
    }

    #[test]
    fn test_is_expired_past() {
        let mut cred = make_valid_credential();
        cred.expiration_date = Some(Utc::now() - chrono::Duration::seconds(1));
        assert!(CredentialVerifier::is_expired(&cred));
    }

    #[test]
    fn test_verify_subject_match() {
        let cred = make_valid_credential();
        assert!(CredentialVerifier::verify_subject(
            &cred,
            "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000"
        ));
    }

    #[test]
    fn test_verify_subject_mismatch() {
        let cred = make_valid_credential();
        assert!(!CredentialVerifier::verify_subject(
            &cred,
            "did:web:cellstate.batterypack.dev:agents:11111111-1111-1111-1111-111111111111"
        ));
    }

    #[test]
    fn test_verify_subject_empty() {
        let cred = make_valid_credential();
        assert!(!CredentialVerifier::verify_subject(&cred, ""));
    }

    // ------------------------------------------------------------------------
    // Credential Issuer Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_credential_issuer_simple_id() {
        let issuer = CredentialIssuer::Simple("did:web:cellstate.batterypack.dev".to_string());
        assert_eq!(issuer.id(), "did:web:cellstate.batterypack.dev");
    }

    #[test]
    fn test_credential_issuer_object_id() {
        let issuer = CredentialIssuer::Object {
            id: "did:web:cellstate.batterypack.dev".to_string(),
            name: Some("CELLSTATE Platform".to_string()),
        };
        assert_eq!(issuer.id(), "did:web:cellstate.batterypack.dev");
    }

    #[test]
    fn test_credential_issuer_serde_simple() {
        let issuer = CredentialIssuer::Simple("did:web:cellstate.batterypack.dev".to_string());
        let json = serde_json::to_string(&issuer).unwrap();
        assert_eq!(json, "\"did:web:cellstate.batterypack.dev\"");
    }

    #[test]
    fn test_credential_issuer_serde_object() {
        let issuer = CredentialIssuer::Object {
            id: "did:web:cellstate.batterypack.dev".to_string(),
            name: Some("CELLSTATE".to_string()),
        };
        let json = serde_json::to_value(&issuer).unwrap();
        assert_eq!(json["id"], "did:web:cellstate.batterypack.dev");
        assert_eq!(json["name"], "CELLSTATE");
    }

    // ------------------------------------------------------------------------
    // Credential Serde Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_credential_serde_roundtrip() {
        let cred = CredentialBuilder::new()
            .issuer("did:web:cellstate.batterypack.dev")
            .subject(
                "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000",
            )
            .credential_type(AgentCredentialType::Identity)
            .claim("name", json!("agent-1"))
            .claim("version", json!(1))
            .build()
            .unwrap();

        let json = serde_json::to_string(&cred).unwrap();
        let deserialized: VerifiableCredential = serde_json::from_str(&json).unwrap();

        assert_eq!(deserialized.id, cred.id);
        assert_eq!(deserialized.credential_type, cred.credential_type);
        assert_eq!(
            deserialized.credential_subject.id,
            cred.credential_subject.id
        );
        assert_eq!(
            deserialized.credential_subject.claims["name"],
            json!("agent-1")
        );
    }

    #[test]
    fn test_credential_json_structure() {
        let cred = make_valid_credential();
        let json_value: serde_json::Value = serde_json::to_value(&cred).unwrap();

        // Verify JSON-LD @context is present
        assert!(json_value.get("@context").is_some());
        // Verify type field
        assert!(json_value.get("type").is_some());
        let types = json_value["type"].as_array().unwrap();
        assert!(types.iter().any(|t| t == "VerifiableCredential"));
    }

    // ------------------------------------------------------------------------
    // Credential Error Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_credential_error_display() {
        assert_eq!(
            format!("{}", CredentialError::MissingIssuer),
            "Credential is missing an issuer"
        );
        assert_eq!(
            format!("{}", CredentialError::MissingSubject),
            "Credential is missing a subject"
        );
        assert_eq!(
            format!("{}", CredentialError::InvalidDid("bad".to_string())),
            "Invalid DID: bad"
        );
        assert_eq!(
            format!("{}", CredentialError::Expired),
            "Credential has expired"
        );
        assert_eq!(
            format!("{}", CredentialError::InvalidProof),
            "Credential proof is invalid"
        );
        assert_eq!(
            format!(
                "{}",
                CredentialError::UnsupportedProofType("RSA".to_string())
            ),
            "Unsupported proof type: RSA"
        );
    }

    #[test]
    fn test_credential_error_is_error() {
        let err: Box<dyn std::error::Error> = Box::new(CredentialError::MissingIssuer);
        assert_eq!(err.to_string(), "Credential is missing an issuer");
    }

    // ------------------------------------------------------------------------
    // AgentCredentialType Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_agent_credential_type_vc_type() {
        assert_eq!(
            AgentCredentialType::Identity.vc_type(),
            "AgentIdentityCredential"
        );
        assert_eq!(
            AgentCredentialType::Capability.vc_type(),
            "AgentCapabilityCredential"
        );
        assert_eq!(
            AgentCredentialType::Provenance.vc_type(),
            "AgentProvenanceCredential"
        );
        assert_eq!(
            AgentCredentialType::Compliance.vc_type(),
            "AgentComplianceCredential"
        );
    }

    #[test]
    fn test_agent_credential_type_display() {
        assert_eq!(
            format!("{}", AgentCredentialType::Identity),
            "AgentIdentityCredential"
        );
    }

    #[test]
    fn test_agent_credential_type_equality() {
        assert_eq!(AgentCredentialType::Identity, AgentCredentialType::Identity);
        assert_ne!(
            AgentCredentialType::Identity,
            AgentCredentialType::Capability
        );
    }

    #[test]
    fn test_agent_credential_type_serde_roundtrip() {
        let cred_type = AgentCredentialType::Compliance;
        let json = serde_json::to_string(&cred_type).unwrap();
        let deserialized: AgentCredentialType = serde_json::from_str(&json).unwrap();
        assert_eq!(cred_type, deserialized);
    }

    // ------------------------------------------------------------------------
    // CredentialProof Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_credential_proof_serde() {
        let proof = CredentialProof {
            proof_type: "Ed25519Signature2020".to_string(),
            created: Utc::now(),
            verification_method: "did:web:cellstate.batterypack.dev#key-1".to_string(),
            proof_purpose: "assertionMethod".to_string(),
            proof_value: "z58DAdFfa9SkqZMVPxAQpic7ndTn".to_string(),
        };

        let json = serde_json::to_string(&proof).unwrap();
        let deserialized: CredentialProof = serde_json::from_str(&json).unwrap();
        assert_eq!(deserialized.proof_type, "Ed25519Signature2020");
        assert_eq!(
            deserialized.verification_method,
            "did:web:cellstate.batterypack.dev#key-1"
        );
        assert_eq!(deserialized.proof_purpose, "assertionMethod");
    }

    // ------------------------------------------------------------------------
    // Integration-style Tests
    // ------------------------------------------------------------------------

    #[test]
    fn test_full_credential_lifecycle() {
        let agent_id = Uuid::parse_str("550e8400-e29b-41d4-a716-446655440000").unwrap();
        let tenant_id = Uuid::parse_str("660e8400-e29b-41d4-a716-446655440000").unwrap();
        let domain = "cellstate.batterypack.dev";

        // Step 1: Create DID Document
        let doc = DidDocument::for_agent(domain, agent_id, tenant_id);
        assert_eq!(doc.id, Did::web(domain, agent_id));

        // Step 2: Build identity credential
        let cred = CredentialBuilder::new()
            .issuer(&doc.controller.0)
            .subject(&doc.id.0)
            .credential_type(AgentCredentialType::Identity)
            .claim("name", json!("agent-alpha"))
            .claim("agentType", json!("coder"))
            .claim("tenantId", json!(tenant_id.to_string()))
            .build()
            .unwrap();

        // Step 3: Verify structure
        assert!(CredentialVerifier::verify_structure(&cred).is_ok());

        // Step 4: Verify subject
        assert!(CredentialVerifier::verify_subject(&cred, &doc.id.0));

        // Step 5: Not expired
        assert!(!CredentialVerifier::is_expired(&cred));

        // Step 6: Extract agent_id from DID
        assert_eq!(doc.id.agent_id(), Some(agent_id));
    }

    #[test]
    fn test_multiple_credential_types_for_agent() {
        let agent_did =
            "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000";
        let issuer = "did:web:cellstate.batterypack.dev";

        let identity = CredentialBuilder::new()
            .issuer(issuer)
            .subject(agent_did)
            .credential_type(AgentCredentialType::Identity)
            .claim("name", json!("agent-1"))
            .build()
            .unwrap();

        let capability = CredentialBuilder::new()
            .issuer(issuer)
            .subject(agent_did)
            .credential_type(AgentCredentialType::Capability)
            .claim("capabilities", json!(["read", "write"]))
            .build()
            .unwrap();

        let provenance = CredentialBuilder::new()
            .issuer(issuer)
            .subject(agent_did)
            .credential_type(AgentCredentialType::Provenance)
            .claim("creator", json!("admin"))
            .build()
            .unwrap();

        let compliance = CredentialBuilder::new()
            .issuer(issuer)
            .subject(agent_did)
            .credential_type(AgentCredentialType::Compliance)
            .claim("regulation", json!("EU AI Act"))
            .build()
            .unwrap();

        // All should be valid
        for cred in [&identity, &capability, &provenance, &compliance] {
            assert!(CredentialVerifier::verify_structure(cred).is_ok());
            assert!(CredentialVerifier::verify_subject(cred, agent_did));
        }

        // All should have unique IDs
        let ids: Vec<&str> = [&identity, &capability, &provenance, &compliance]
            .iter()
            .map(|c| c.id.as_str())
            .collect();
        let unique: std::collections::HashSet<&&str> = ids.iter().collect();
        assert_eq!(unique.len(), 4);
    }

    #[test]
    fn test_verification_method_serde() {
        let vm = VerificationMethod {
            id: "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000#key-1".to_string(),
            method_type: "Ed25519VerificationKey2020".to_string(),
            controller: "did:web:cellstate.batterypack.dev:agents:00000000-0000-0000-0000-000000000000"
                .to_string(),
            public_key_multibase: Some("z6MkhaXgBZDvotDk".to_string()),
        };

        let json = serde_json::to_value(&vm).unwrap();
        assert_eq!(json["type"], "Ed25519VerificationKey2020");
        assert!(
            json.get("publicKeyMultibase").is_some() || json.get("public_key_multibase").is_some()
        );
    }

    #[test]
    fn test_service_endpoint_serde() {
        let ep = ServiceEndpoint {
            id: "did:web:cellstate.batterypack.dev#api".to_string(),
            service_type: "CellstateAgent".to_string(),
            service_endpoint: "https://cellstate.batterypack.dev/api/v1/agents/test".to_string(),
        };

        let json = serde_json::to_value(&ep).unwrap();
        assert_eq!(json["type"], "CellstateAgent");
        assert_eq!(
            json["serviceEndpoint"],
            "https://cellstate.batterypack.dev/api/v1/agents/test"
        );
    }
}