Indicio-tech
diff --git a/‎.github/workflows/oid4vc-conformance-tests.yaml‎
Lines changed: 149 additions & 0 deletions b/‎.github/workflows/oid4vc-conformance-tests.yaml‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎.github/workflows/pr-linting-and-unit-tests.yaml‎
Lines changed: 0 additions & 2 deletions b/‎.github/workflows/pr-linting-and-unit-tests.yaml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎oid4vc/docker/Dockerfile‎
Lines changed: 98 additions & 26 deletions b/‎oid4vc/docker/Dockerfile‎
Lines changed: 98 additions & 26 deletions
diff --git a/‎oid4vc/docker/dev-verifier.yml‎
Lines changed: 3 additions & 5 deletions b/‎oid4vc/docker/dev-verifier.yml‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎oid4vc/integration/tests/conftest.py‎
Lines changed: 8 additions & 5 deletions b/‎oid4vc/integration/tests/conftest.py‎
Lines changed: 8 additions & 5 deletions
@@ -0,0 +1,149 @@
+name: OID4VC Conformance Tests
+# Runs the OIDF HAIP conformance suite against ACA-Py OID4VCI issuer and
+# OID4VP verifier.  The suite is started from source inside Docker Compose and
+# all test results are written to a JUnit XML artifact.
+#
+# Trigger conditions:
+#   - PR or push that touches oid4vc/** source files
+#   - Manual run via workflow_dispatch (always runs regardless of changed files)
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - "**"
+    paths:
+      - "oid4vc/**"
+  push:
+    branches:
+      - main
+    paths:
+      - "oid4vc/**"
+  workflow_dispatch:
+
+jobs:
+  conformance-tests:
+    name: "OID4VC Conformance Tests"
+    runs-on: ubuntu-latest
+    # Skip draft PRs (same policy as integration-tests)
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'push') ||
+      (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+    timeout-minutes: 90
+
+    steps:
+      # ── Checkout ────────────────────────────────────────────────────────────
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      # ── Docker Buildx (enables layer cache via GitHub Actions cache) ────────
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # ── Pre-build ACA-Py issuer image (Rust/isomdl, ~10 min cold) ──────────
+      # Both issuer and verifier share the same Dockerfile; the verifier build
+      # hits cache after the issuer build completes.
+      - name: Build acapy-issuer image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: oid4vc/docker/Dockerfile
+          push: false
+          load: true
+          tags: oid4vc-integration-acapy-issuer:latest
+          build-args: |
+            ACAPY_VERSION=1.4.0
+            ISOMDL_BRANCH=fix/python-build-system
+          cache-from: type=gha,scope=acapy-oid4vc
+          cache-to: type=gha,mode=max,scope=acapy-oid4vc
+
+      - name: Build acapy-verifier image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: oid4vc/docker/Dockerfile
+          push: false
+          load: true
+          tags: oid4vc-integration-acapy-verifier:latest
+          build-args: |
+            ACAPY_VERSION=1.4.0
+            ISOMDL_BRANCH=fix/python-build-system
+          # Issuer + verifier share all layers; use same cache scope.
+          cache-from: type=gha,scope=acapy-oid4vc
+
+      # ── Pre-build OIDF conformance server (Maven build, ~15 min cold) ───────
+      - name: Build conformance-server image
+        uses: docker/build-push-action@v6
+        with:
+          context: oid4vc/integration/conformance
+          file: oid4vc/integration/conformance/Dockerfile.server
+          push: false
+          load: true
+          tags: oid4vc-integration-conformance-server:latest
+          build-args: |
+            CONFORMANCE_SUITE_BRANCH=master
+          cache-from: type=gha,scope=conformance-server
+          cache-to: type=gha,mode=max,scope=conformance-server
+
+      # ── Pre-build conformance runner (lightweight Python image) ─────────────
+      - name: Build conformance-runner image
+        uses: docker/build-push-action@v6
+        with:
+          context: oid4vc/integration
+          file: oid4vc/integration/conformance/Dockerfile.runner
+          push: false
+          load: true
+          tags: oid4vc-integration-conformance-runner:latest
+          cache-from: type=gha,scope=conformance-runner
+          cache-to: type=gha,mode=max,scope=conformance-runner
+
+      # ── Run conformance suite ────────────────────────────────────────────────
+      # DOCKER_PLATFORM is detected automatically by the shell script based on
+      # `uname -m`; set explicitly here to avoid any ambiguity on CI runners.
+      - name: Run conformance tests
+        env:
+          DOCKER_PLATFORM: linux/amd64
+        run: |
+          bash oid4vc/integration/run-conformance-tests.sh run all
+
+      # ── Collect results ──────────────────────────────────────────────────────
+      - name: Upload JUnit test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: conformance-junit-results
+          path: oid4vc/integration/test-results/conformance-junit.xml
+          if-no-files-found: warn
+
+      - name: Publish JUnit test summary
+        if: always()
+        uses: mikepenz/action-junit-report@v4
+        with:
+          report_paths: "oid4vc/integration/test-results/conformance-junit.xml"
+          check_name: "OIDF Conformance Results"
+          fail_on_failure: false
+          require_tests: false
+
+      # ── Collect Docker logs on failure ───────────────────────────────────────
+      - name: Dump Docker Compose logs
+        if: failure()
+        run: |
+          mkdir -p /tmp/conformance-logs
+          cd oid4vc/integration
+          # Capture all service logs for post-mortem analysis
+          docker compose --profile conformance logs --no-color \
+            > /tmp/conformance-logs/docker-compose.log 2>&1 || true
+          docker compose --profile conformance logs --no-color acapy-issuer \
+            > /tmp/conformance-logs/acapy-issuer.log 2>&1 || true
+          docker compose --profile conformance logs --no-color acapy-verifier \
+            > /tmp/conformance-logs/acapy-verifier.log 2>&1 || true
+          docker compose --profile conformance logs --no-color conformance-server \
+            > /tmp/conformance-logs/conformance-server.log 2>&1 || true
+
+      - name: Upload Docker logs artifact
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: conformance-docker-logs
+          path: /tmp/conformance-logs/
+          retention-days: 7
@@ -100,7 +100,6 @@ jobs:
       #----------------------------------------------
       - name: Unit test plugins
         id: unit-tests
-        continue-on-error: true
         run: |
           for dir in ${{ steps.changed-plugins.outputs.changed-plugins }}; do
             cd $dir
@@ -110,7 +109,6 @@ jobs:
   integration-tests:
     name: "Integration tests"
     runs-on: ubuntu-latest
-    continue-on-error: true
     needs: linting-and-unit-tests
     if: needs.linting-and-unit-tests.result == 'success'
     steps:
 
@@ -1,44 +1,116 @@
+# =============================================================================
+# Stage 1: Build isomdl-uniffi wheel (requires Rust)
+# =============================================================================
+FROM python:3.12-slim-bookworm AS isomdl-build
+
+WORKDIR /build
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    git \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Rust toolchain (minimal profile to save space)
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Clone isomdl-uniffi with shallow clone
+ARG ISOMDL_BRANCH=fix/python-build-system
+RUN git clone --depth 1 --branch ${ISOMDL_BRANCH} \
+    https://github.com/Indicio-tech/isomdl-uniffi.git /build/isomdl-uniffi
+
+WORKDIR /build/isomdl-uniffi/python
+
+# Build wheel — limit Cargo parallelism to avoid Docker VM OOM on resource-constrained hosts
+# (CARGO_BUILD_JOBS=2 cuts peak memory roughly in half vs. the default all-cores build)
+RUN pip install --no-cache-dir build wheel setuptools
+ENV CARGO_BUILD_JOBS=2
+RUN python setup.py bdist_wheel
+
+# =============================================================================
+# Stage 2: Install ACA-Py and plugin dependencies
+# =============================================================================
 FROM python:3.12-slim-bookworm AS base
+
 WORKDIR /usr/src/app
 
-# Install and configure poetry
-USER root
+# Install only required build/runtime dependencies (no Rust needed here)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    jq \
+    git \
+    && rm -rf /var/lib/apt/lists/*
 
-# Install and configure poetry
-WORKDIR /usr/src/app
-ENV POETRY_VERSION=2.1.2
-ENV POETRY_HOME=/opt/poetry
-RUN apt-get update && apt-get install -y curl jq && apt-get clean
-RUN curl -sSL https://install.python-poetry.org | python -
+# Accept build argument for ACA-Py version
+ARG ACAPY_VERSION=1.4.0
 
-ENV PATH="/opt/poetry/bin:$PATH"
-RUN poetry config virtualenvs.in-project true
+# Clone ACA-Py source with shallow clone
+RUN git clone --depth 1 --branch ${ACAPY_VERSION} \
+    https://github.com/openwallet-foundation/acapy.git /usr/src/acapy
 
-# Setup project
-RUN mkdir oid4vc && touch oid4vc/__init__.py
-RUN mkdir jwt_vc_json && touch jwt_vc_json/__init__.py
-RUN mkdir sd_jwt_vc && touch sd_jwt_vc/__init__.py
-RUN mkdir mso_mdoc && touch mso_mdoc/__init__.py
-COPY oid4vc/pyproject.toml oid4vc/poetry.lock oid4vc/README.md ./
-RUN poetry install --without dev --all-extras
-USER $user
+WORKDIR /usr/src/acapy
 
-FROM python:3.12-bookworm
+# Install ACA-Py
+RUN pip install --no-cache-dir -e .
+RUN pip install --no-cache-dir configargparse
 
+# Setup plugin project structure
 WORKDIR /usr/src/app
-COPY --from=base /usr/src/app/.venv /usr/src/app/.venv
-ENV PATH="/usr/src/app/.venv/bin:$PATH"
-RUN apt-get update && apt-get install -y curl jq && apt-get clean
+
+# Copy the entire plugin source tree
+COPY oid4vc/pyproject.toml ./
+COPY oid4vc/README.md ./
+COPY oid4vc/oid4vc/ oid4vc/
 COPY oid4vc/jwt_vc_json/ jwt_vc_json/
 COPY oid4vc/mso_mdoc/ mso_mdoc/
 COPY oid4vc/sd_jwt_vc/ sd_jwt_vc/
-COPY oid4vc/oid4vc/ oid4vc/
 COPY status_list/ status_list/
 RUN pip install -e ./status_list
+
+# Install isomdl-uniffi from builder stage
+COPY --from=isomdl-build /build/isomdl-uniffi/python/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
+
+# Install the plugin with extras for mso_mdoc and sd_jwt_vc
+RUN pip install --no-cache-dir -e ".[mso_mdoc,sd_jwt_vc]"
+
+# =============================================================================
+# Stage 3: Final slim runtime image
+# =============================================================================
+FROM python:3.12-slim-bookworm
+
+WORKDIR /usr/src/app
+
+# Copy the complete environment from base stage
+COPY --from=base /usr/src/acapy /usr/src/acapy
+COPY --from=base /usr/src/app /usr/src/app
+
+# Install only runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    jq \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy the entire Python environment from base stage, including site-packages
+COPY --from=base /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
+COPY --from=base /usr/local/bin /usr/local/bin
+
+# Copy dev config
 RUN mkdir -p /usr/src/app/docker
 COPY oid4vc/docker/dev.yml /usr/src/app/docker/dev.yml
 COPY oid4vc/docker/dev-verifier.yml /usr/src/app/docker/dev-verifier.yml
-COPY oid4vc/docker/default.yml /usr/src/app/default.yml
+COPY oid4vc/docker/default.yml /usr/src/app/docker/default.yml
+
+# Expose ports
+EXPOSE 8030 8031 8032
+
+# Add health check
+HEALTHCHECK --interval=10s --timeout=5s --retries=12 --start-period=60s \
+  CMD curl -f http://localhost:${ACAPY_ADMIN_PORT:-8021}/status/ready || exit 1
 
-ENTRYPOINT ["/bin/bash", "-c", "aca-py \"$@\"", "--"]
-CMD ["start", "--arg-file", "default.yml"]
+# Set working directory and run ACA-Py
+WORKDIR /usr/src/acapy
+CMD ["python", "-m", "acapy_agent", "start", "--arg-file", "/usr/src/app/docker/dev.yml"]
@@ -22,13 +22,11 @@ plugin:
   - sd_jwt_vc
   - mso_mdoc
 
-# OID4VC plugin configuration - Use different ports for OID4VCI and OID4VP servers
+# OID4VC plugin configuration - both OID4VCI and OID4VP routes served on the same port
 plugin-config-value:
   - oid4vci.host=0.0.0.0
-  - oid4vci.port=8033
-  - oid4vci.endpoint=${OID4VCI_ENDPOINT:-http://localhost:8033}
-  - oid4vp.host=0.0.0.0
-  - oid4vp.port=8032
+  - oid4vci.port=8032
+  - oid4vci.endpoint=${OID4VCI_ENDPOINT:-http://localhost:8032}
   - oid4vp.endpoint=${OID4VP_ENDPOINT:-http://localhost:8032}
 
 # Ledger configuration - use no-ledger for simple development
 
@@ -47,11 +47,14 @@
 async def credo_client():
     """HTTP client for Credo agent service."""
     async with httpx.AsyncClient(base_url=CREDO_AGENT_URL, timeout=30.0) as client:
-        # Wait for service to be ready
-        for _ in range(5):  # Reduced since services should already be ready
-            response = await client.get("/health")
-            if response.status_code == 200:
-                break
+        # Wait for service to be ready (30 retries to handle brief unavailability)
+        for _ in range(30):
+            try:
+                response = await client.get("/health")
+                if response.status_code == 200:
+                    break
+            except httpx.ConnectError:
+                pass
             await asyncio.sleep(1)
         else:
             raise RuntimeError("Credo agent service not available")