chore(sidecar): pin world-id-core to 0.10.1 release #233

Merged
Takaros999 merged 5 commits into main from pkak/sidecar-pin-world-id-core-0.10.1
Apr 30, 2026

Conversation

@Takaros999 (Contributor)

Summary

  • Replace the world-id-core git dependency with the published 0.10.1 release (aligned with walletkit-core 0.16.0) and switch features to embed-zkeys + zstd-compress-zkeys.
  • Migrate the proof flow to the new API: use requests::ProofRequest/ProofResponse, CredentialInput, and the consolidated Authenticator::generate_proof instead of orchestrating nullifier / session-id / per-credential proofs by hand.
  • Expand the example identity seed in identities.example.json to 32 bytes to match the new validation.

Test plan

  • cargo build -p sidecar
  • cargo clippy -p sidecar --all-targets
  • Smoke-test /v1/proof and /v1/session-proof against a sample identity and confirm the response matches a known-good IDKit verification

🤖 Generated with Claude Code

Switch from a git dependency to the published 0.10.1 crate (aligned with
walletkit-core 0.16.0) and migrate to its updated proof API: use the
combined `generate_proof` flow, the new `requests`/`CredentialInput`
types, and `embed-zkeys` + `zstd-compress-zkeys` features. Also expand
the example identity seed to 32 bytes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Apr 29, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
worldcoin-simulator | Ready | Preview, Comment | Apr 30, 2026 1:13am

@socket-security

socket-security Bot commented Apr 29, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert

Warn | Critical
Critical CVE: Brillig: Heap corruption in foreign call results with nested tuple arrays

CVE: GHSA-jj7c-x25r-r8r3 Brillig: Heap corruption in foreign call results with nested tuple arrays (CRITICAL)

Affected versions: < 1.0.0-beta.19

Patched version: 1.0.0-beta.19

From: cargo/world-id-proof@0.10.1 → cargo/world-id-core@0.10.1 → cargo/brillig@1.0.0-beta.11

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/brillig@1.0.0-beta.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High
License policy violation: cargo lzma-sys under GPL-2.0+

License: GPL-2.0+ - The applicable license policy does not permit this license (5) (lzma-sys-0.1.20/xz-5.2/COPYING)

License: GPL-2.0-or-later - the applicable license policy does not allow this license (4) (lzma-sys-0.1.20/xz-5.2/COPYING)

License: GPL-3.0-or-later - the applicable license policy does not allow this license (4) (lzma-sys-0.1.20/xz-5.2/COPYING)

License: GPL-2.0-only - The applicable license policy does not permit this license (5) (lzma-sys-0.1.20/xz-5.2/COPYING)

License: GPL-3.0 - The applicable license policy does not permit this license (5) (lzma-sys-0.1.20/xz-5.2/COPYING)

License: GPL-2.0+ - The applicable license policy does not permit this license (5) (lzma-sys-0.1.20/xz-5.2/COPYING.GPLv2)

License: GPL-3.0 - The applicable license policy does not permit this license (5) (lzma-sys-0.1.20/xz-5.2/COPYING.GPLv3)

From: cargo/world-id-proof@0.10.1 → cargo/world-id-core@0.10.1 → cargo/lzma-sys@0.1.20

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/lzma-sys@0.1.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High
License policy violation: cargo webpki-root-certs under CDLA-Permissive-2.0

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-0.26.11/Cargo.toml)

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-0.26.11/LICENSE)

From: cargo/world-id-proof@0.10.1 → cargo/webpki-root-certs@0.26.11

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-root-certs@0.26.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High
License policy violation: cargo webpki-root-certs under CDLA-Permissive-2.0

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/Cargo.toml)

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/LICENSE)

From: cargo/world-id-proof@0.10.1 → cargo/world-id-core@0.10.1 → cargo/webpki-root-certs@1.0.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-root-certs@1.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Takaros999 and others added 2 commits April 29, 2026 16:32
Sidecar previously returned 500 for any AuthenticatorError, including
request-level failures like invalid_rp_signature / rp_signature_expired
that originate from the RP, not the sidecar. Map these to 400 with a
structured `{error_code, error}` body, walking the source chain to
extract the WorldIdRequestAuthError snake_case code when present.
Request-validation errors (malformed proof_request, endpoint/type
mismatch) likewise become 400.

In the simulator UI, any 4xx response carrying an `error_code` is now
forwarded to the bridge via `rejectRequestV4` and the drawer closes
silently. The error modal is reserved for 5xx and network failures.
This lets IDKit surface the real error to the dapp instead of the
simulator showing its own generic failure state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add /target/, sidecar/target-docker/, and .claude/ to .gitignore so
local Rust build outputs and tool state don't pollute git status.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rors

The live sidecar populates both fields and the precise snake_case code
ends up in `error` (e.g. `error: "invalid_rp_signature"`) while
`error_code` may be a generic bucket like `proof_generation_failed`.
Forward the more specific value to the bridge so IDKit sees the real
failure code instead of the generic one.

Also tighten the sidecar's error_code extraction so future builds stop
emitting the generic bucket whenever Display already surfaces the code:
walking source() never reaches the inner WorldIdRequestAuthError
because thiserror's `#[error(transparent)]` forwards source through it.
Use the AuthenticatorError's own Display when it looks like a
snake_case identifier (which it does for transparent request-auth
errors).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the regex heuristic with a direct pattern match on
`AuthenticatorError::ProofError(ProofError::RequestAuthError(_))` so
the sidecar always emits the right snake_case code in `error_code`
(e.g. `invalid_rp_signature`). Adds `world-id-proof` as a direct dep,
pinned to the same 0.10.1 already pulled in transitively.

With the sidecar fixed, drop the simulator's `error` vs `error_code`
preference dance — `error_code` is now authoritative.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
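The two commit messages above describe why walking `source()` never reached the inner request-auth error and why a direct variant match fixed it. The following is an added illustration, not code from this repository or from world-id-core: the error types are hypothetical stand-ins whose `Display` and `source()` are hand-written to mimic thiserror's `#[error(transparent)]` forwarding, and `map_error` is an assumed shape for the sidecar's `{error_code, error}` mapping (400 for RP-caused request-auth errors, 500 otherwise).

```rust
use std::error::Error;
use std::fmt::{self, Display, Formatter};

// Hypothetical stand-ins for the world-id-core error types (not the real ones). Display and
// source() mimic thiserror's `#[error(transparent)]`: the wrapper forwards both to the inner
// error, so source() yields the inner error's source, never the inner error itself.
#[derive(Debug)]
pub enum RequestAuthError { InvalidRpSignature, RpSignatureExpired }
impl Display for RequestAuthError {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        f.write_str(match self {
            Self::InvalidRpSignature => "invalid_rp_signature",
            Self::RpSignatureExpired => "rp_signature_expired",
        })
    }
}
impl Error for RequestAuthError {}
#[derive(Debug)]
pub enum ProofError { RequestAuthError(RequestAuthError), Circuit(String) }
impl Display for ProofError {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        match self { Self::RequestAuthError(e) => write!(f, "{e}"), Self::Circuit(m) => write!(f, "circuit failure: {m}") }
    }
}
impl Error for ProofError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        match self { Self::RequestAuthError(e) => e.source(), Self::Circuit(_) => None }
    }
}
#[derive(Debug)]
pub struct AuthenticatorError(pub ProofError);
impl Display for AuthenticatorError {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { write!(f, "{}", self.0) }
}
impl Error for AuthenticatorError {
    fn source(&self) -> Option<&(dyn Error + 'static)> { self.0.source() }
}
/// Earlier approach: walk source() and downcast. Transparent wrappers skip
/// themselves, so RequestAuthError is never visited and this returns None.
pub fn code_via_source_chain(err: &AuthenticatorError) -> Option<String> {
    let mut cur = err.source();
    while let Some(e) = cur {
        if let Some(ra) = e.downcast_ref::<RequestAuthError>() { return Some(ra.to_string()); }
        cur = e.source();
    }
    None
}
/// The fix: match the variant directly. Returns (HTTP status, error_code, error).
pub fn map_error(err: &AuthenticatorError) -> (u16, String, String) {
    match err {
        AuthenticatorError(ProofError::RequestAuthError(e)) => (400, e.to_string(), err.to_string()),
        _ => (500, "proof_generation_failed".to_string(), err.to_string()),
    }
}
```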
@Takaros999 Takaros999 merged commit 6b86385 into main Apr 30, 2026
10 checks passed
@Takaros999 Takaros999 deleted the pkak/sidecar-pin-world-id-core-0.10.1 branch April 30, 2026 01:18