feat(shared-kernel): add application-level authorization hook #340

Open

florishafkenscheid wants to merge 40 commits into beta from feat/application-authz

Conversation

@florishafkenscheid


Description of change

Added a shared-kernel authorization hook around application command and query execution.

This introduces neutral authorization primitives (Actor, AuthorizationRequest, AuthorizationOperation, and AuthorizationChecker) plus a default allow-all checker for existing open-source behavior. ServiceHandle can now dispatch commands and queries with optional actor context, and ApplicationService authorizes each command/query before calling the bounded context.

The goal is to make authorization enforceable below inbound adapters such as HTTP, GraphQL, gRPC, or queues, rather than tying access checks to a specific API transport.

Links to any relevant issues

N/A

How the change has been tested

Verified locally with:

cargo fmt --check
cargo test -p shared-kernel
cargo clippy -p shared-kernel -- -D warnings
cargo check --workspace
git diff --check

The shared-kernel tests cover default allow-all behavior, actor context propagation, authorization request construction, denied command/query execution, error mapping, dropped reply channels, and service shutdown.

Definition of Done checklist

  • I have followed the contribution guidelines for this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have successfully tested this change in a docker environment
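The description above explains the hook in prose only. As an added example that is not the project's code, the following sketch shows the shape of a transport-neutral authorization hook: the primitives named in the description (Actor, AuthorizationRequest, AuthorizationOperation, AuthorizationChecker) with an allow-all default, plus an ApplicationService that authorizes every command or query before executing it. The field names, the Dispatchable trait, the RoleChecker policy and the error variants are assumptions made for the example, not the shared-kernel API.

```rust
// Added example, not the project's code. Names of the primitives come from the
// PR description; their fields, the Dispatchable trait and the RoleChecker
// policy are assumptions for illustration.
use std::sync::Arc;

/// Who is performing the operation; `None` means an anonymous or protocol-level call.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Actor {
    pub subject: String,
    pub roles: Vec<String>,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AuthorizationOperation {
    Command,
    Query,
}

/// What the application service asks the checker about, independent of transport.
#[derive(Clone, Debug)]
pub struct AuthorizationRequest<'a> {
    pub actor: Option<&'a Actor>,
    pub operation: AuthorizationOperation,
    /// Name of the command or query type (assumed naming scheme).
    pub target: &'static str,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthorizationError {
    /// No actor attached; an adapter would map this to 401.
    Unauthenticated,
    /// Actor known but not permitted; an adapter would map this to 403.
    Forbidden { target: &'static str },
}

pub trait AuthorizationChecker: Send + Sync {
    fn authorize(&self, request: &AuthorizationRequest<'_>) -> Result<(), AuthorizationError>;
}

/// Default checker that preserves the existing open-source behaviour.
pub struct AllowAllAuthorizationChecker;

impl AuthorizationChecker for AllowAllAuthorizationChecker {
    fn authorize(&self, _: &AuthorizationRequest<'_>) -> Result<(), AuthorizationError> {
        Ok(())
    }
}

/// Constructed role policy: queries need any authenticated actor, commands need "admin".
pub struct RoleChecker;

impl AuthorizationChecker for RoleChecker {
    fn authorize(&self, req: &AuthorizationRequest<'_>) -> Result<(), AuthorizationError> {
        let actor = req.actor.ok_or(AuthorizationError::Unauthenticated)?;
        match req.operation {
            AuthorizationOperation::Query => Ok(()),
            AuthorizationOperation::Command if actor.roles.iter().any(|r| r == "admin") => Ok(()),
            AuthorizationOperation::Command => Err(AuthorizationError::Forbidden { target: req.target }),
        }
    }
}

/// A command or query the service can run; the real project routes these through
/// ServiceHandle, which this example simplifies away.
pub trait Dispatchable {
    const NAME: &'static str;
    const OPERATION: AuthorizationOperation;
    fn execute(self) -> String;
}

pub struct ApplicationService {
    checker: Arc<dyn AuthorizationChecker>,
}

impl ApplicationService {
    pub fn new(checker: Arc<dyn AuthorizationChecker>) -> Self {
        Self { checker }
    }

    /// The hook: authorization runs here, below any HTTP, GraphQL, gRPC or queue adapter.
    pub fn dispatch<D: Dispatchable>(&self, actor: Option<&Actor>, op: D) -> Result<String, AuthorizationError> {
        self.checker.authorize(&AuthorizationRequest { actor, operation: D::OPERATION, target: D::NAME })?;
        Ok(op.execute())
    }
}

pub struct RevokeCredential { pub id: u32 }
impl Dispatchable for RevokeCredential {
    const NAME: &'static str = "RevokeCredential";
    const OPERATION: AuthorizationOperation = AuthorizationOperation::Command;
    fn execute(self) -> String { format!("revoked credential {}", self.id) }
}

pub struct ListCredentials;
impl Dispatchable for ListCredentials {
    const NAME: &'static str = "ListCredentials";
    const OPERATION: AuthorizationOperation = AuthorizationOperation::Query;
    fn execute(self) -> String { "2 credentials".to_string() }
}

fn main() {
    let admin = Actor { subject: "alice".into(), roles: vec!["admin".into()] };
    let svc = ApplicationService::new(Arc::new(RoleChecker));
    println!("{:?}", svc.dispatch(Some(&admin), RevokeCredential { id: 7 }));
    println!("{:?}", svc.dispatch(None, RevokeCredential { id: 7 }));
}
```

Because the check sits in `dispatch`, a new inbound adapter cannot bypass it by forgetting a middleware; the only way to skip the check is to wire the allow-all checker, which is an explicit configuration decision rather than an accident of routing.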

@codecov-commenter

codecov-commenter commented May 7, 2026


Codecov Report

❌ Patch coverage is 59.87506% with 835 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| agent_identity/src/state.rs | 0.00% | 141 Missing ⚠️ |
| agent_api_http/src/v0/identity/connections/mod.rs | 0.00% | 86 Missing ⚠️ |
| ...ent_api_http/src/v0/identity/services/linked_vp.rs | 0.00% | 70 Missing ⚠️ |
| agent_api_http/src/v0/identity/profiles/mod.rs | 0.00% | 58 Missing ⚠️ |
| agent_api_http/src/v0/templates/mod.rs | 73.85% | 57 Missing ⚠️ |
| ...ent_api_http/src/v0/holder/holder/offers/accept.rs | 0.00% | 49 Missing ⚠️ |
| ...api_http/src/v0/holder/holder/presentations/mod.rs | 0.00% | 48 Missing ⚠️ |
| ...t_api_http/src/v0/holder/holder/credentials/mod.rs | 0.00% | 41 Missing ⚠️ |
| agent_issuance/src/state.rs | 25.58% | 32 Missing ⚠️ |
| agent_api_http/src/v0/identity/documents/mod.rs | 0.00% | 31 Missing ⚠️ |
| ... and 21 more | | |
| Files with missing lines | Coverage Δ |
| --- | --- |
| agent_api_http/src/extractors.rs | 100.00% <100.00%> (ø) |
| agent_api_http/src/handlers.rs | 100.00% <100.00%> (ø) |
| ...src/v0/authorization/authorization_server/token.rs | 95.45% <ø> (ø) |
| ...tp/src/v0/issuance/credential_issuer/credential.rs | 97.14% <100.00%> (+0.08%) ⬆️ |
| .../src/v0/issuance/credential_issuer/notification.rs | 98.98% <100.00%> (ø) |
| ...v0/issuance/credential_issuer/token_status_list.rs | 98.36% <100.00%> (+0.08%) ⬆️ |
| ...al_issuer/well_known/oauth_authorization_server.rs | 97.61% <100.00%> (ø) |
| ...tial_issuer/well_known/openid_credential_issuer.rs | 97.50% <100.00%> (ø) |
| agent_api_http/src/v0/issuance/nonce/mod.rs | 100.00% <100.00%> (ø) |
| ...http/src/v0/verification/relying_party/redirect.rs | 94.02% <100.00%> (ø) |
| ... and 51 more | |


@nanderstabel nanderstabel left a comment

Contributor

Some more places in the code need to utilize a public command handler, see: 20734ae

Copilot AI left a comment


Pull request overview

This PR introduces an application-layer authorization hook that wraps command/query execution across bounded contexts, allowing authorization to be enforced below inbound adapters (HTTP, queues, etc.) while preserving current default allow-all behavior.

Changes:

  • Added shared authorization primitives (Actor, AuthorizationRequest, AuthorizationOperation, AuthorizationChecker) and wired them into ApplicationService + ServiceHandle dispatch.
  • Introduced HTTP actor extraction middleware + RequestActor extractor, and applied actor-required middleware to the configuration endpoint.
  • Updated shared handler utilities, state wiring, and documentation/configuration to support authorization and dev-only settings.

Reviewed changes

Copilot reviewed 70 out of 71 changed files in this pull request and generated 8 comments.

Summary per file

| File | Description |
| --- | --- |
| shared-kernel/src/service_registry.rs | Adds actor-aware dispatch APIs and maps authorization errors through service handle. |
| shared-kernel/src/lib.rs | Exposes the new authorization module from shared-kernel. |
| shared-kernel/src/authorization.rs | Introduces core authorization/actor traits and error types. |
| shared-kernel/src/application_service.rs | Adds authorization checks before executing commands/queries; introduces shared error wrapper. |
| docs/problem-details/authorization.md | Documents 401/403 problem details for authorization failures. |
| docs/configuration/profiles.md | Documents dev-only configuration settings (e.g., UNICORE__DEV__API_KEY). |
| Cargo.lock | Locks new/updated workspace dependencies (e.g., async-trait, shared-kernel references). |
| agent_verification/src/state.rs | Adds authorization_checker to verification state. |
| agent_verification/Cargo.toml | Adds shared-kernel dependency. |
| agent_store/src/lib.rs | Wires AllowAllAuthorizationChecker into each bounded-context state. |
| agent_store/Cargo.toml | Adds shared-kernel dependency. |
| agent_shared/src/profile.rs | Makes ApplicationProfile Clone + Copy to support profile application. |
| agent_shared/src/handlers.rs | Adds authorized command/query handlers plus public (no-auth) variants; introduces handler error wrappers. |
| agent_shared/src/config/mod.rs | Adds dev configuration section and profile-based clearing in production. |
| agent_shared/Cargo.toml | Adds shared-kernel dependency. |
| agent_macros/src/lib.rs | Calls apply_profile() after loading derived config structs. |
| agent_library/src/state.rs | Adds authorization_checker to library state. |
| agent_library/Cargo.toml | Adds shared-kernel dependency. |
| agent_issuance/src/status_list/application/token_status_list_service.rs | Switches to public query helper for protocol-level access. |
| agent_issuance/src/state.rs | Adds authorization_checker and threads it into internal command invocations. |
| agent_issuance/src/application/nonce_validation_service.rs | Switches nonce operations to public command/query helpers. |
| agent_issuance/Cargo.toml | Adds shared-kernel dependency. |
| agent_identity/src/state.rs | Adds authorization_checker and updates initialization flows to use public queries + authorized commands. |
| agent_identity/Cargo.toml | Adds shared-kernel dependency. |
| agent_holder/src/state.rs | Adds authorization_checker to holder state. |
| agent_holder/Cargo.toml | Adds shared-kernel dependency. |
| agent_authorization/src/state.rs | Adds authorization_checker and updates initialization to use authorized commands/public queries. |
| agent_authorization/src/application/token_issuance_service.rs | Switches protocol operations to public command/query helpers. |
| agent_authorization/src/application/pushed_authorization_service.rs | Switches protocol operations to public command/query helpers. |
| agent_authorization/src/application/oauth2_authorization_service.rs | Switches protocol operations to public command/query helpers. |
| agent_authorization/src/application/consent_service.rs | Switches protocol operations to public command/query helpers. |
| agent_authorization/src/application/consent_query_service.rs | Switches protocol operations to public query helper. |
| agent_authorization/Cargo.toml | Adds shared-kernel dependency. |
| agent_application/src/lib.rs | Allows injecting a custom ActorExtractor; requires actor for configuration route. |
| agent_application/Cargo.toml | Adds shared-kernel dependency. |
| agent_api_http/src/v0/verification/relying_party/request.rs | Switches to public query helper for relying party request retrieval. |
| agent_api_http/src/v0/verification/relying_party/redirect.rs | Switches to public command helper for relying party redirect handling. |
| agent_api_http/src/v0/verification/authorization_requests.rs | Threads RequestActor into handlers and uses authorized command/query wrappers. |
| agent_api_http/src/v0/templates/mod.rs | Threads RequestActor into template handlers and uses authorized command/query wrappers. |
| agent_api_http/src/v0/issuance/offers/send.rs | Threads RequestActor into offer send endpoints and uses authorized command wrapper. |
| agent_api_http/src/v0/issuance/offers/mod.rs | Threads RequestActor into offer endpoints and uses authorized command/query wrappers. |
| agent_api_http/src/v0/issuance/nonce/mod.rs | Switches nonce creation endpoint to public command helper. |
| agent_api_http/src/v0/issuance/ietf_oauth_sd_jwt_vc.rs | Switches type metadata endpoint to public query helper. |
| agent_api_http/src/v0/issuance/credentials.rs | Threads RequestActor into credential endpoints and uses authorized command/query wrappers. |
| agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs | Switches well-known endpoint to public query helper. |
| agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs | Switches well-known endpoint to public query helper. |
| agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs | Updates tests to call authorized command handler signature. |
| agent_api_http/src/v0/issuance/credential_issuer/notification.rs | Switches notification endpoint to public command/query helpers. |
| agent_api_http/src/v0/issuance/credential_issuer/credential.rs | Switches credential issuance flow to public command/query helpers; updates tests accordingly. |
| agent_api_http/src/v0/issuance/credential_issuer/credential_offer.rs | Switches credential-offer endpoint to public query helper. |
| agent_api_http/src/v0/issuance/credential_configurations.rs | Threads RequestActor into endpoint and uses authorized command wrapper. |
| agent_api_http/src/v0/identity/well_known/did.rs | Switches DID well-known endpoint to public query helper. |
| agent_api_http/src/v0/identity/well_known/did_configuration.rs | Switches DID configuration endpoint to public query helper. |
| agent_api_http/src/v0/identity/services/mod.rs | Threads RequestActor into services endpoints and uses authorized query wrapper. |
| agent_api_http/src/v0/identity/services/linked_vp.rs | Threads RequestActor and uses authorized command/query wrappers for linked VP. |
| agent_api_http/src/v0/identity/profiles/mod.rs | Threads RequestActor into profile endpoints and uses authorized command/query wrappers. |
| agent_api_http/src/v0/identity/documents/mod.rs | Threads RequestActor into document endpoints and uses authorized query wrapper. |
| agent_api_http/src/v0/identity/connections/mod.rs | Threads RequestActor into connection endpoints and uses authorized command/query wrappers. |
| agent_api_http/src/v0/holder/openid4vci/mod.rs | Threads RequestActor into holder offers ingestion endpoint and uses authorized command wrapper. |
| agent_api_http/src/v0/holder/holder/presentations/presentation_signed.rs | Switches presentation-signed endpoint to public query helper. |
| agent_api_http/src/v0/holder/holder/presentations/mod.rs | Threads RequestActor and uses authorized command/query wrappers for presentations. |
| agent_api_http/src/v0/holder/holder/offers/reject.rs | Threads RequestActor and uses authorized command wrapper for offer rejection. |
| agent_api_http/src/v0/holder/holder/offers/mod.rs | Threads RequestActor and uses authorized query wrappers for offers listing/get. |
| agent_api_http/src/v0/holder/holder/offers/accept.rs | Threads RequestActor and uses authorized command/query wrappers for offer acceptance flow. |
| agent_api_http/src/v0/holder/holder/credentials/mod.rs | Threads RequestActor and uses authorized command/query wrappers for holder credentials. |
| agent_api_http/src/lib.rs | Adds actor extraction middleware (extract_actor / require_actor) and HTTP adapter for ToActor. |
| agent_api_http/src/handlers.rs | Updates API-layer handler wrappers to pass authorization + adds public helpers. |
| agent_api_http/src/extractors.rs | Adds RequestActor extractor reading Actor from request extensions. |
| agent_api_http/src/error.rs | Adds mapping for authorization/handler errors to problem details/public errors. |
| agent_api_http/Cargo.toml | Adds shared-kernel and async-trait dependencies. |
| .env.example | Documents UNICORE__DEV__API_KEY env var for development. |
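The review summary above describes the inbound side of the change: an HTTP adapter for ToActor, an ActorExtractor, a require_actor middleware, a dev-only API key (UNICORE__DEV__API_KEY) and profile-based clearing of dev settings in production. As an added example that is not the project's code, the sketch below wires those pieces together without a web framework, so the interaction can be run and tested in isolation: the production profile clears the dev key, which makes the extractor yield no actor, which makes the gate reject the request. The header name, struct fields, the Gate enum and the constant-time comparison helper are assumptions made for the example.

```rust
// Added example, not the project's code. Trait and setting names come from the
// review summary; everything else (header name, fields, Gate, the comparison
// helper) is an assumption for illustration.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Actor { pub subject: String }

/// Transport-neutral view of an inbound request (assumed shape).
pub trait ToActor: Sync {
    fn header(&self, name: &str) -> Option<&str>;
}

/// Minimal stand-in for an HTTP request; constructed for the example.
pub struct HttpRequest { pub headers: HashMap<String, String> }

impl ToActor for HttpRequest {
    fn header(&self, name: &str) -> Option<&str> {
        self.headers.get(&name.to_ascii_lowercase()).map(String::as_str)
    }
}

pub trait ActorExtractor: Send + Sync + 'static {
    fn extract_actor(&self, input: &dyn ToActor) -> Option<Actor>;
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ApplicationProfile { Development, Production }

#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct DevConfig { pub api_key: Option<String> }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Config { pub profile: ApplicationProfile, pub dev: DevConfig }

impl Config {
    /// Dev-only settings must never be honoured in production: clear them after
    /// loading so a UNICORE__DEV__API_KEY left in the environment grants nothing.
    pub fn apply_profile(mut self) -> Self {
        if self.profile == ApplicationProfile::Production {
            self.dev = DevConfig::default();
        }
        self
    }
}

/// Constant-time byte comparison so a key check does not leak matching prefixes by timing.
fn eq_constant_time(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Extractor that yields a fixed developer actor when the configured dev key matches.
pub struct DevApiKeyExtractor { pub api_key: Option<String> }

impl ActorExtractor for DevApiKeyExtractor {
    fn extract_actor(&self, input: &dyn ToActor) -> Option<Actor> {
        let configured = self.api_key.as_deref()?;   // no key configured: never authenticate
        let presented = input.header("x-api-key")?;   // header name is an assumption
        eq_constant_time(configured.as_bytes(), presented.as_bytes())
            .then(|| Actor { subject: "dev-api-key".into() })
    }
}

/// Outcome an adapter would turn into a response, following the documented 401 problem details.
#[derive(Debug, PartialEq, Eq)]
pub enum Gate { Allowed(Actor), Unauthenticated401 }

/// Equivalent of a require_actor middleware: reject when no actor could be extracted.
pub fn require_actor(extractor: &dyn ActorExtractor, req: &dyn ToActor) -> Gate {
    match extractor.extract_actor(req) {
        Some(actor) => Gate::Allowed(actor),
        None => Gate::Unauthenticated401,
    }
}

pub fn request_with_key(key: &str) -> HttpRequest {
    HttpRequest { headers: HashMap::from([("x-api-key".to_string(), key.to_string())]) }
}

fn main() {
    let secret = DevConfig { api_key: Some("local-secret".into()) };
    let dev_cfg = Config { profile: ApplicationProfile::Development, dev: secret.clone() }.apply_profile();
    let prod_cfg = Config { profile: ApplicationProfile::Production, dev: secret }.apply_profile();
    let req = request_with_key("local-secret");
    println!("dev:  {:?}", require_actor(&DevApiKeyExtractor { api_key: dev_cfg.dev.api_key }, &req));
    println!("prod: {:?}", require_actor(&DevApiKeyExtractor { api_key: prod_cfg.dev.api_key }, &req));
}
```

The point worth checking in the real change is the same one this example tests: the production path must reject the dev key even when the environment variable is set, and the decision should come from the configuration loader (apply_profile) rather than from each extractor remembering to check the profile.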

pub trait ActorExtractor: Send + Sync + 'static {
/// Returns the actor that should be attached to the application operation.
fn extract_actor(&self, input: &dyn ToActor) -> Option<Actor>;
async fn extract_actor(&self, input: &(dyn ToActor + Sync)) -> Option<Actor>;
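Review bot: Turning `extract_actor` into an `async fn` directly in the trait makes `ActorExtractor` unusable as a trait object on stable Rust unless the trait carries the `#[async_trait]` attribute; since this PR adds the async-trait dependency and `agent_application` now accepts an injected custom `ActorExtractor`, confirm the attribute is applied (and that implementors use it too) so the extractor can still be held behind `dyn ActorExtractor`.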

Contributor

nit: You've already added Sync as a supertrait of ToActor, so you do not need to add it again in these method signatures. So you can simply change all occurrences of &(dyn ToActor + Sync) back to dyn ToActor.
