
Integrate Credo (credo-ts) as SSI/VC foundation for real SD-JWT VC employee credential issuance#23

Open
Copilot wants to merge 3 commits into main from copilot/create-issues-for-requirements


Copilot AI commented Feb 22, 2026

Replaces the unsigned stub credential implementation with cryptographically-signed SD-JWT VCs using Credo (credo-ts) as the SSI framework foundation, addressing FR-0010, FR-0011, and TR-0009.

New modules

  • src/agent/CredoAgent.ts — Singleton Credo agent lifecycle. On startup: creates a P-256 key via NodeKeyManagementService, registers a did:jwk issuer DID, then exposes issueEmployeeCredential() backed by agent.sdJwtVc.sign(). All credential claims are selectively disclosable.
  • src/storage/InMemoryStorageService.ts — Credo-compatible StorageService using nested Maps. Implements full tag query evaluation including $or, $and, $not and array-contains semantics — required for DID record lookups at signing time.

Updated files

  • src/index.ts — Calls initCredoAgent() before app.listen() so the agent (and issuer key/DID) are ready before any request is served.
  • src/routes/credentials.ts — POST /credentials/employee is now async; the stub is replaced with issueEmployeeCredential(). Adds a 500 ISSUANCE_ERROR path.

Result

POST /credentials/employee {"firstName":"Jane","lastName":"Doe","jobTitle":"SWE","startDate":"2024-01-15"}
→ {"credential":"eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6IiMwIn0...","format":"vc+sd-jwt"}

Header decodes to {"typ":"vc+sd-jwt","alg":"ES256","kid":"#0"} — real ES256 signature over a did:jwk issuer DID.

Notes

  • InMemoryStorageService is intentionally ephemeral (keys and DID regenerate on restart). Replace with Askar or @credo-ts/drizzle-storage + PostgreSQL for production persistence.
  • allowInsecureHttpUrls is false in NODE_ENV=production.
  • @credo-ts/askar was evaluated but requires native ffi-napi bindings incompatible with Node 24 in this environment; @credo-ts/node's NodeKeyManagementService is used instead for crypto operations.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh auth status (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/curl curl -s -H Authorization: token ****** REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:



Copilot AI and others added 2 commits February 22, 2026 20:59
…dential issuance

Co-authored-by: samuelmr <2461240+samuelmr@users.noreply.github.com>
Co-authored-by: samuelmr <2461240+samuelmr@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Create issues for requirements FR-0010, FR-0011, and TR-0009" to "Integrate Credo (credo-ts) as SSI/VC foundation for real SD-JWT VC employee credential issuance" Feb 22, 2026
Copilot AI requested a review from samuelmr February 22, 2026 21:05
@samuelmr samuelmr marked this pull request as ready for review February 23, 2026 07:46
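
A verifier-side structural check for the credential format shown under "Result" in the description above, as an added example that is not part of the pull request or of Credo's code: it enforces the typ and alg values from the decoded header and confirms that each disclosure hashes into the signed payload's top-level `_sd` list. The function names, the `vct` value and the sample credential are constructed assumptions; the ES256 signature check itself is left to the SD-JWT library.

```typescript
import { createHash } from "node:crypto";

const b64u = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const decodeJson = (s: string): any => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
const sdDigest = (disclosure: string): string =>
  createHash("sha256").update(disclosure).digest("base64url");

// Structural checks on a compact SD-JWT VC: <issuer JWT>~<disclosure>~...~
// Signature verification is NOT done here; it stays with the SD-JWT library.
function inspectSdJwtVc(compact: string): { header: any; disclosed: Record<string, unknown> } {
  const [jwt, ...rest] = compact.split("~");
  const disclosures = rest.filter((d) => d.length > 0); // drop the empty trailing segment
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("issuer JWT must have three segments");
  const header = decodeJson(parts[0]);
  // Allow-list mirrors the header shown in the PR description.
  if (header.typ !== "vc+sd-jwt") throw new Error(`unexpected typ: ${header.typ}`);
  if (header.alg !== "ES256") throw new Error(`unexpected alg: ${header.alg}`);
  const payload = decodeJson(parts[1]);
  if ((payload._sd_alg ?? "sha-256") !== "sha-256") throw new Error("unsupported _sd_alg");
  const signedDigests = new Set<string>(payload._sd ?? []);
  const disclosed: Record<string, unknown> = {};
  for (const d of disclosures) {
    // A disclosure only counts if its digest is listed in the signed payload.
    if (!signedDigests.has(sdDigest(d))) throw new Error("disclosure not bound to payload");
    const [, name, value] = decodeJson(d); // [salt, claim name, claim value]
    disclosed[name] = value;
  }
  return { header, disclosed };
}

// Constructed sample, not a real credential: fixed salts, placeholder signature segment.
function buildSample(claims: Record<string, unknown>): string {
  const disclosures = Object.entries(claims).map(([k, v], i) =>
    b64u(JSON.stringify([`constructed-salt-${i}`, k, v])));
  const header = "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6IiMwIn0"; // from the PR
  const payload = b64u(JSON.stringify({
    vct: "EmployeeCredential", // assumed type name
    _sd: disclosures.map(sdDigest),
    _sd_alg: "sha-256",
  }));
  return [`${header}.${payload}.${b64u("placeholder-signature")}`, ...disclosures, ""].join("~");
}
```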