feat!: adopt web-identity-schemas, drop zod v3 #116
Make `web-identity-schemas` (v0.3.0) the source of truth for DID/JWT/VC
validation schemas and DID/JWT types, and drop Zod v3 support.
- Collapse the `./schemas/zod/v3` + `./schemas/zod/v4` subpath exports into a
single `./schemas/zod` (Zod v4) across every package (and `./a2a/schemas/zod`);
bump the `zod` optional peer to `^4.0.0` and the catalog to `4.4.3`.
- `did`: `didUriSchema`/`isDidUri` now delegate to w-i-s `DidSchema`/`isDid`
(full DID-core validation); `DidUri` re-exported from w-i-s `Did`.
- `jwt`: `jwtPayloadSchema` backed by w-i-s; `JwtString` re-exported from w-i-s;
`jwtStringSchema` keeps ACK's non-empty-signature regex and `jwtHeaderSchema`
keeps the narrow ES256/ES256K/EdDSA alg set.
- `vc`: `credentialSchema` backed by w-i-s `CredentialV1Schema`, preserving the
issuer string->{id} normalization and `JwtProof2020` passthrough; ACK's VC
types stay local (did-jwt-vc remains the signing engine).
- CAIP, payment, A2A, controller-claim, and JwtProof2020 schemas remain
hand-rolled. Add `web-identity-schemas` as a dependency of did/jwt/vc.
- Update issuer route tests for the new DID validation error shape; update READMEs,
AGENTS.md, and add a changeset.
AI usage: implemented by Claude Code (plan hardened via a multi-agent panel-plan
loop). See AI_POLICY.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Walkthrough
Adopts
Changes
- web-identity-schemas adoption and Zod v3 removal
- keys package secp256r1 subpath export build
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Pre-merge checks: ✅ 5 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@AGENTS.md`:
- Around line 44-52: The fenced code block in AGENTS.md displaying the directory
structure (starting with `src/schemas/` and showing the valibot.ts and zod.ts
files) is missing a language identifier on the opening triple backticks, which
violates the MD040 markdownlint rule. Add an appropriate language tag such as
`text` or `bash` to the opening backticks of this code fence to resolve the
linting error.
In `@packages/did/package.json`:
- Line 67: The peerDependency for zod in packages/did/package.json uses a caret
version range (^4.0.0) which violates the exact version policy for
peerDependencies. Update the zod entry to use an exact version by removing the
caret prefix, changing it from "^4.0.0" to "4.0.0". Apply the same fix to
packages/vc/package.json and ensure all other peerDependencies (valibot,
`@a2a-js/sdk`) across the workspace follow the same exact version pattern to
maintain consistency.
ℹ️ Review info
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (57)
- .changeset/web-identity-schemas-adoption.md
- AGENTS.md
- demos/skyfire-kya/src/kya-token.ts
- examples/issuer/src/routes/credentials.test.ts
- examples/issuer/src/routes/receipts.test.ts
- packages/ack-id/README.md
- packages/ack-id/package.json
- packages/ack-id/src/a2a/schemas/zod.ts
- packages/ack-id/src/a2a/schemas/zod/v3.ts
- packages/ack-id/src/schemas/zod.ts
- packages/ack-id/src/schemas/zod/v4.ts
- packages/ack-id/tsdown.config.ts
- packages/ack-pay/README.md
- packages/ack-pay/package.json
- packages/ack-pay/src/schemas/zod.ts
- packages/ack-pay/src/schemas/zod/v3.ts
- packages/ack-pay/tsdown.config.ts
- packages/agentcommercekit/AGENTS.md
- packages/agentcommercekit/package.json
- packages/agentcommercekit/src/a2a/schemas/zod.ts
- packages/agentcommercekit/src/a2a/schemas/zod/v3.ts
- packages/agentcommercekit/src/a2a/schemas/zod/v4.ts
- packages/agentcommercekit/src/schemas/zod.ts
- packages/agentcommercekit/src/schemas/zod/v3.ts
- packages/agentcommercekit/src/schemas/zod/v4.ts
- packages/agentcommercekit/tsdown.config.ts
- packages/caip/AGENTS.md
- packages/caip/README.md
- packages/caip/package.json
- packages/caip/src/schemas/schemas.test.ts
- packages/caip/src/schemas/zod.ts
- packages/caip/src/schemas/zod/v4.ts
- packages/caip/tsdown.config.ts
- packages/did/README.md
- packages/did/package.json
- packages/did/src/did-uri.ts
- packages/did/src/schemas/valibot.ts
- packages/did/src/schemas/zod.ts
- packages/did/src/schemas/zod/v3.ts
- packages/did/src/schemas/zod/v4.ts
- packages/did/tsdown.config.ts
- packages/jwt/README.md
- packages/jwt/package.json
- packages/jwt/src/jwt-string.ts
- packages/jwt/src/schemas/valibot.ts
- packages/jwt/src/schemas/zod.ts
- packages/jwt/src/schemas/zod/v3.ts
- packages/jwt/src/schemas/zod/v4.ts
- packages/jwt/tsdown.config.ts
- packages/vc/README.md
- packages/vc/package.json
- packages/vc/src/schemas/valibot.ts
- packages/vc/src/schemas/zod.ts
- packages/vc/src/schemas/zod/v3.ts
- packages/vc/src/schemas/zod/v4.ts
- packages/vc/tsdown.config.ts
- pnpm-workspace.yaml
💤 Files with no reviewable changes (16)
- packages/jwt/src/schemas/zod/v3.ts
- examples/issuer/src/routes/receipts.test.ts
- packages/agentcommercekit/src/schemas/zod/v4.ts
- packages/ack-id/src/a2a/schemas/zod/v3.ts
- packages/ack-pay/src/schemas/zod/v3.ts
- packages/ack-id/src/schemas/zod/v4.ts
- packages/vc/src/schemas/zod/v4.ts
- packages/vc/src/schemas/zod/v3.ts
- packages/agentcommercekit/src/a2a/schemas/zod/v4.ts
- packages/agentcommercekit/src/schemas/zod/v3.ts
- packages/jwt/src/schemas/zod/v4.ts
- packages/did/src/schemas/zod/v4.ts
- packages/agentcommercekit/src/a2a/schemas/zod/v3.ts
- packages/caip/src/schemas/zod/v4.ts
- packages/did/src/schemas/zod/v3.ts
- examples/issuer/src/routes/credentials.test.ts
| Valibot is primary (runtime dependency); Zod (v4) is an optional peer everywhere. Standards-tracked DID/JWT/VC schemas come from the [`web-identity-schemas`](https://github.com/catena-labs/web-identity-schemas) package; ACK only hand-rolls the schemas w-i-s doesn't cover (CAIP, payment, A2A, controller-claim, JwtProof2020). Each package exposes schemas through two files / two export paths: | ||
|
|
||
| ``` | ||
| src/schemas/ | ||
| ├── valibot.ts → ./schemas/valibot | ||
| └── zod/ | ||
| ├── v3.ts → ./schemas/zod/v3 AND ./schemas/zod (alias) | ||
| └── v4.ts → ./schemas/zod/v4 | ||
| └── zod.ts → ./schemas/zod (zod v4 only; zod v3 is not supported) | ||
| ``` | ||
|
|
||
| Adding a new type requires updating all three schema files **and** the `exports` map in `package.json` **and** the entry array in `tsdown.config.ts`. (`keys` is the exception — it exports curve-specific files and encoding, no schemas.) | ||
| Adding a new type requires updating both schema files **and** the `exports` map in `package.json` **and** the entry array in `tsdown.config.ts`. (`keys` is the exception — it exports curve-specific files and encoding, no schemas.) |
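Review bot: The closing "Adding a new type requires updating both schema files" sentence gives no guidance for a new DID/JWT/VC type, which the first paragraph of this hunk now says comes from `web-identity-schemas`. Suggest adding a clause that standards-tracked types are added or bumped upstream in w-i-s and only wired through here, so a contributor does not hand-roll a second definition that can drift from the validated one.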
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Add a language tag to the example fence.
The fenced block at Line 46 is missing a language identifier, which triggers MD040 in markdownlint.
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 46-46: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
Source: Linters/SAST tools
| }, | ||
| "peerDependencies": { | ||
| "zod": "^3.25.0" | ||
| "zod": "^4.0.0" |
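Review bot: The new floor in `"zod": "^4.0.0"` is wider than the version the PR description says the workspace catalog resolves to (`4.4.3`), so a consumer on 4.0.x would run these validation schemas on a release the checks never exercised. Either raise the floor to the lowest 4.x release the schemas are known to work with, or add a check that installs the bottom of the range. The visible lines also show no `peerDependenciesMeta` entry, so confirm outside this hunk that zod is still marked optional.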
📐 Maintainability & Code Quality | 🟡 Minor
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "Checking exact-version policy signal:"
rg -n '^save-exact\s*=\s*true$' .npmrc || true
echo
echo "Current zod peerDependency specs across packages:"
fd -a '^package\.json$' packages --exec jq -r '
  .name as $name
  | (.peerDependencies.zod // empty) as $peer
  | if $peer == empty then empty else "\($name)\t\($peer)" end
' {}
```
Repository: agentcommercekit/ack
Length of output: 265
🏁 Script executed:
```bash
# Check the actual content at the specified lines
echo "=== packages/did/package.json around line 67 ==="
sed -n '60,75p' packages/did/package.json | cat -n
echo
echo "=== packages/vc/package.json around line 64 ==="
sed -n '57,72p' packages/vc/package.json | cat -n
```
Repository: agentcommercekit/ack
Length of output: 1016
🏁 Script executed:
```bash
# Check all peerDependencies across the workspace
echo "=== All peerDependencies in the workspace ==="
fd -a '^package\.json$' packages --exec jq -r '
  .name as $name
  | (.peerDependencies // {}) as $peers
  | if $peers | length > 0 then
      $peers | to_entries[] | "\($name)\t\(.key)\t\(.value)"
    else empty end
' {} | sort
```
Repository: agentcommercekit/ack
Length of output: 1993
🏁 Script executed:
```bash
# Check all peerDependencies in the workspace
echo "=== All peerDependencies in the workspace ==="
find packages -name 'package.json' -type f | while read file; do
  jq -r '.name as $name | (.peerDependencies // {}) as $peers | if $peers | length > 0 then $peers | to_entries[] | "\($name)\t\(.key)\t\(.value)" else empty end' "$file"
done | sort
```
Repository: agentcommercekit/ack
Length of output: 624
🏁 Script executed:
```bash
# Check for peerDependencies mentions in documentation or config
echo "=== Searching for peerDependencies references ==="
rg -i 'peerdepend' --type md --type txt --type json . 2>/dev/null | head -20
echo
echo "=== Check .npmrc for any peer-related settings ==="
cat .npmrc
```
Repository: agentcommercekit/ack
Length of output: 1072
🏁 Script executed:
```bash
# Check for any README or contributing guidelines that explain dependency versioning
echo "=== Checking for documentation about dependencies ==="
find . -maxdepth 2 -type f \( -name "README*" -o -name "CONTRIBUTING*" -o -name ".github" -type d \) | head -10
echo
echo "=== Check pnpm-workspace.yaml for catalog definitions ==="
cat pnpm-workspace.yaml | head -50
```
Repository: agentcommercekit/ack
Length of output: 850
Pin peerDependencies.zod to exact version or document exemption.
"zod": "^4.0.0" in both packages/did/package.json (line 67) and packages/vc/package.json (line 64) violates the exact version policy. This pattern is consistent across all peerDependencies in the workspace (zod, valibot, @a2a-js/sdk all use caret ranges). Either enforce exact versions for peerDependencies workspace-wide, or explicitly document this as an intentional exemption in coding guidelines.
Source: Coding guidelines
The `./secp256r1` export was declared in package.json but its entry was missing
from tsdown.config.ts, so dist/curves/secp256r1.{js,d.ts} were never emitted —
importing `@agentcommercekit/keys/secp256r1` failed and publint flagged the
missing files. Add the build entry so the export resolves.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Make `web-identity-schemas` (v0.3.0) the source of truth for DID/JWT/VC validation schemas and DID/JWT types, replacing ACK's hand-rolled definitions, and drop Zod v3 support (w-i-s ships Zod v4 only).
- `./schemas/zod/v3` + `./schemas/zod/v4` subpaths (and `./a2a/schemas/zod/*`) collapse into a single `./schemas/zod` (Zod v4). `zod` optional peer bumped to `^4.0.0`; catalog `zod` → `4.4.3`; `web-identity-schemas` added to the catalog.
- (`packages/did`): `didUriSchema` → w-i-s `DidSchema`; `isDidUri` delegates to w-i-s `isDid` (full DID-core validation); `DidUri` re-exported from w-i-s `Did`.
- (`packages/jwt`): `jwtPayloadSchema` backed by w-i-s; `JwtString` re-exported from w-i-s. `jwtStringSchema` keeps ACK's non-empty-signature regex and `jwtHeaderSchema` keeps the narrow `ES256`/`ES256K`/`EdDSA` alg set.
- (`packages/vc`): `credentialSchema` backed by w-i-s' unsigned `CredentialV1Schema`, preserving ACK's `issuer` string→`{ id }` normalization, `type`/`@context` array coercion, and `JwtProof2020` passthrough. ACK's VC types (`W3CCredential`, `Verifiable`) stay local — `did-jwt-vc` remains the signing/verification engine.
- `JwtProof2020` schemas remain hand-rolled (not covered by w-i-s).

Breaking changes
- `./schemas/zod/v3` and `./schemas/zod/v4` exports → use `./schemas/zod`.
- `zod` peer is now `^4.0.0`.
- `didUriSchema`/`isDidUri` and `credentialSchema`/`isCredential` validate more strictly (DID-core syntax; VC Data Model v1.1 shape). ACK-issued credentials are unaffected; the credential-verification path (`parseJwtCredential`/`verifyParsedCredential`) is unchanged. See the changeset for details.

Verification
`pnpm run check` is green (47/47 tasks: build + types + lint + format + test). `publint` clean for all published packages; `knip` clean. Includes a `major` changeset for the affected published packages.

AI usage disclosure
Per AI_POLICY.md: authored with Claude Code (Opus 4.8). The plan was hardened through a multi-agent panel-plan loop and the implementation through a panel-review loop (independent `codex`/`claude`/`opencode` CLI reviewers); all findings were triaged and addressed or documented by the author. A human is reviewing before merge.
🤖 Generated with Claude Code

Summary by CodeRabbit
- `zod` peer bumped to `^4.0.0`), and versioned `./schemas/zod/v3` + `./schemas/zod/v4` entry points are gone in favor of a single `./schemas/zod`.
- `web-identity-schemas`), with tighter schema/type validation and changed error details.
- `web-identity-schemas`, including updated type exports (e.g., `DidUri`, `JwtString`).
- `secp256r1` curve.
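
The two JWT constraints the description says ACK keeps on top of w-i-s (a non-empty signature segment and the ES256/ES256K/EdDSA header allowlist), shown as an added example that is not ACK's or web-identity-schemas' code. The regex, `checkJwtShape` and the sample tokens are assumptions constructed for illustration; this is a shape check only and verifies no signature.

```javascript
// Added illustration; not ACK's jwtStringSchema/jwtHeaderSchema source.
// Alg allowlist as named in the PR description.
const ALLOWED_ALGS = new Set(["ES256", "ES256K", "EdDSA"]);

// Assumed pattern: three base64url segments, each non-empty, so a token
// with an empty signature ("header.payload.") never matches.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Shape check only: signature verification stays with the JWT library.
function checkJwtShape(token) {
  if (typeof token !== "string" || !JWT_SHAPE.test(token)) {
    return { ok: false, reason: "malformed-or-unsigned" };
  }
  let header;
  try {
    header = decodeSegment(token.split(".")[0]);
  } catch {
    return { ok: false, reason: "bad-header" };
  }
  const isObject = header !== null && typeof header === "object";
  if (!isObject || !ALLOWED_ALGS.has(header.alg)) {
    return { ok: false, reason: "alg-not-allowed" };
  }
  return { ok: true, alg: header.alg };
}

// Constructed sample tokens (the signature bytes are placeholders).
function encodeSegment(value) {
  return Buffer.from(JSON.stringify(value)).toString("base64url");
}
function sampleToken(alg, signature) {
  const header = encodeSegment({ alg, typ: "JWT" });
  const payload = encodeSegment({ iss: "did:example:issuer" });
  return `${header}.${payload}.${signature}`;
}

for (const [alg, sig] of [["ES256", "c2ln"], ["none", ""], ["HS256", "c2ln"]]) {
  console.log(alg, JSON.stringify(checkJwtShape(sampleToken(alg, sig))));
}
```

An `alg: "none"` token fails twice over here: the empty signature fails the string pattern, and even with filler signature bytes the header allowlist rejects it.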