Merge branch 'main' into feature/fix_record_loading_size

.dockerignore

@@ -6,4 +6,6 @@ build
 docs
 dist
 test-reports
-.python-version
\ No newline at end of file
+.python-version
+docker
+env

actions/run-integration-tests/action.yml → .github/actions/run-integration-tests/action.yml

@@ -20,9 +20,12 @@ runs:
     - name: run-integration-tests-acapy
       # to run with external ledger and tails server run as follows (and remove the ledger and tails actions from the workflow):
       # run: LEDGER_URL=http://test.bcovrin.vonx.io PUBLIC_TAILS_URL=https://tails.vonx.io ./run_bdd ${{ inputs.TEST_SCOPE }}
-      run: LEDGER_URL=${{inputs.IN_LEDGER_URL}} PUBLIC_TAILS_URL=${{inputs.IN_PUBLIC_TAILS_URL}} ./run_bdd ${{ inputs.TEST_SCOPE }}
+      run: ./run_bdd ${{ inputs.TEST_SCOPE }}
       shell: bash
       env:
+        LEDGER_URL: ${{ inputs.IN_LEDGER_URL }}
+        PUBLIC_TAILS_URL: ${{ inputs.IN_PUBLIC_TAILS_URL }}
+        LOG_LEVEL: warning
         NO_TTY: "1"
       working-directory: acapy/demo
 branding:

.github/workflows/blackformat.yml

@@ -10,7 +10,9 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
       - name: Black Code Formatter Check
         uses: psf/black@stable

.github/workflows/codeql.yml

@@ -12,15 +12,18 @@ jobs:
     runs-on: ubuntu-latest
     if: (github.event_name == 'pull_request' && github.repository == 'hyperledger/aries-cloudagent-python') || (github.event_name != 'pull_request')
 
+    permissions:
+      security-events: write
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: python
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

.github/workflows/integrationtests.yml

@@ -13,15 +13,15 @@ jobs:
     if: (github.event_name == 'pull_request' && github.repository == 'hyperledger/aries-cloudagent-python') || (github.event_name != 'pull_request')
     steps:
       - name: checkout-acapy
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: acapy
       #- name: run-von-network
-      #  uses: ./acapy/actions/run-von-network
+      #  uses: ./acapy/.github/actions/run-von-network
       #- name: run-indy-tails-server
-      #  uses: ./acapy/actions/run-indy-tails-server
+      #  uses: ./acapy/.github/actions/run-indy-tails-server
       - name: run-integration-tests
-        uses: ./acapy/actions/run-integration-tests
+        uses: ./acapy/.github/actions/run-integration-tests
         # to run with a specific set of tests include the following parameter:
         # with:
         #   TEST_SCOPE: "-t @T001-RFC0037"

.github/workflows/nightly-tests.yml

+name: Nightly Tests
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  tests:
+    name: Tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest"]
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        include:
+          - os: "ubuntu-20.04"
+            python-version: "3.6"
+    uses: ./.github/workflows/tests.yml
+    with:
+      python-version: ${{ matrix.python-version }}
+      os: ${{ matrix.os }}
+
+  tests-indy:
+    name: Tests (Indy)
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest"]
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        include:
+          - os: "ubuntu-20.04"
+            python-version: "3.6"
+
+    uses: ./.github/workflows/tests-indy.yml
+    with:
+      python-version: ${{ matrix.python-version }}
+      os: ${{ matrix.os }}
+      indy-version: "1.16.0"

.github/workflows/pip-audit.yml

@@ -16,8 +16,9 @@ jobs:
         run: |
           python -m venv env/
           source env/bin/activate
+          python -m pip install --upgrade pip
           python -m pip install .
-      - uses: trailofbits/gh-action-pip-audit@v0.0.4
+      - uses: pypa/gh-action-pip-audit@v1.0.0
         with:
           virtual-environment: env/
           local: true

.github/workflows/pr-tests.yml

+name: PR Tests
+
+on:
+  pull_request:
+
+jobs:
+  tests:
+    name: Tests
+    uses: ./.github/workflows/tests.yml
+    with:
+      python-version: "3.6"
+      os: "ubuntu-20.04"
+
+  tests-indy:
+    name: Tests (Indy)
+    uses: ./.github/workflows/tests-indy.yml
+    with:
+      python-version: "3.6"
+      indy-version: "1.16.0"
+      os: "ubuntu-20.04"

.github/workflows/publish-indy.yml

+name: Publish ACA-Py Image (Indy)
+run-name: Publish ACA-Py ${{ inputs.tag || github.event.release.tag_name }} Image (Indy ${{ inputs.indy_version || '1.16.0' }})
+on:
+  release:
+    types: [published]
+
+  workflow_dispatch:
+    inputs:
+      indy_version:
+        description: 'Indy SDK Version'
+        required: true
+        default: 1.16.0
+        type: string
+      tag:
+        description: 'Image tag'
+        required: true
+        type: string
+      platforms:
+        description: 'Platforms - Comma separated list of the platforms to support.'
+        required: true
+        default: linux/amd64
+        type: string
+      ref:
+        description: 'Optional - The branch, tag or SHA to checkout.'
+        required: false
+        type: string
+
+# Note:
+# - ACA-Py with Indy SDK image builds do not include support for the linux/arm64 platform.
+# - See notes below for details.
+
+env:
+  INDY_VERSION: ${{ inputs.indy_version || '1.16.0' }}
+
+  # Images do not include support for the linux/arm64 platform due to a known issue compiling the postgres plugin
+  # - https://github.com/hyperledger/indy-sdk/issues/2445
+  # There is a pending PR to fix this issue here; https://github.com/hyperledger/indy-sdk/pull/2453
+  #
+  # linux/386 platform support has been disabled pending a permanent fix for https://github.com/hyperledger/aries-cloudagent-python/issues/2124
+  # PLATFORMS: ${{ inputs.platforms || 'linux/amd64,linux/386' }}
+  PLATFORMS: ${{ inputs.platforms || 'linux/amd64' }}
+
+jobs:
+  publish-image:
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.6', '3.9']
+
+    name: Publish ACA-Py Image (Indy)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref || '' }}
+
+      - name: Gather image info
+        id: info
+        run: |
+          echo "repo-owner=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Image Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ steps.info.outputs.repo-owner }}/aries-cloudagent-python
+          tags: |
+            type=raw,value=py${{ matrix.python-version }}-indy-${{ env.INDY_VERSION }}-${{ inputs.tag || github.event.release.tag_name }}
+
+      - name: Build and Push Image to ghcr.io
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          context: .
+          file: docker/Dockerfile.indy
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: main
+          build-args: |
+            python_version=${{ matrix.python-version }}
+            indy_version=${{ env.INDY_VERSION }}
+            acapy_version=${{ inputs.tag || github.event.release.tag_name }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          platforms: ${{ env.PLATFORMS }}
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/publish.yml

+name: Publish ACA-Py Image
+run-name: Publish ACA-Py ${{ inputs.tag || github.event.release.tag_name }} Image
+on:
+  release:
+    types: [published]
+
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Image tag'
+        required: true
+        type: string
+      platforms:
+        description: 'Platforms - Comma separated list of the platforms to support.'
+        required: true
+        default: linux/amd64
+        type: string
+      ref:
+        description: 'Optional - The branch, tag or SHA to checkout.'
+        required: false
+        type: string
+
+env:
+  # linux/386 platform support has been disabled pending a permanent fix for https://github.com/hyperledger/aries-cloudagent-python/issues/2124
+  # PLATFORMS: ${{ inputs.platforms || 'linux/amd64,linux/arm64,linux/386' }}
+  PLATFORMS: ${{ inputs.platforms || 'linux/amd64' }}
+
+jobs:
+  publish-image:
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.6', '3.9']
+
+    name: Publish ACA-Py Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref || '' }}
+
+      - name: Gather image info
+        id: info
+        run: |
+          echo "repo-owner=${GITHUB_REPOSITORY_OWNER,,}" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Image Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ steps.info.outputs.repo-owner }}/aries-cloudagent-python
+          tags: |
+            type=raw,value=py${{ matrix.python-version }}-${{ inputs.tag || github.event.release.tag_name }}
+
+      - name: Build and Push Image to ghcr.io
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          context: .
+          file: docker/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: main
+          build-args: |
+            python_version=${{ matrix.python-version }}
+            acapy_version=${{ inputs.tag || github.event.release.tag_name }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          platforms: ${{ env.PLATFORMS }}
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/pythonpublish.yml

@@ -8,19 +8,19 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
-    - name: Set up Python
-      uses: actions/setup-python@v1
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        python setup.py sdist bdist_wheel
-        twine upload dist/*
+      - uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.x"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install setuptools wheel twine
+      - name: Build and publish
+        env:
+          TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
+          TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+        run: |
+          python setup.py sdist bdist_wheel
+          twine upload dist/*

.github/workflows/tests-indy.yml

+name: Tests (Indy)
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        required: true
+        type: string
+      indy-version:
+        required: true
+        type: string
+      os:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    name: Test Python ${{ inputs.python-version }} on Indy ${{ inputs.indy-version }}
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache image layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache-test
+          key: ${{ runner.os }}-buildx-test-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-test-
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build test image
+        uses: docker/build-push-action@v3
+        with:
+          load: true
+          context: .
+          file: docker/Dockerfile.indy
+          target: acapy-test
+          tags: acapy-test:latest
+          build-args: |
+            python_version=${{ inputs.python-version }}
+            indy_version=${{ inputs.indy-version }}
+          cache-from: type=local,src=/tmp/.buildx-cache-test
+          cache-to: type=local,dest=/tmp/.buildx-cache-test-new,mode=max
+
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache-test
+          mv /tmp/.buildx-cache-test-new /tmp/.buildx-cache-test
+
+      - name: Run pytest
+        run: |
+          docker run --rm acapy-test:latest

.github/workflows/tests.yml

+name: Tests
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        required: true
+        type: string
+      os:
+        required: true
+        type: string
+
+jobs:
+  tests:
+    name: Test Python ${{ inputs.python-version }}
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ inputs.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ inputs.python-version }}
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip3 install --no-cache-dir \
+            -r requirements.txt \
+            -r requirements.askar.txt \
+            -r requirements.bbs.txt \
+            -r requirements.dev.txt
+      - name: Tests
+        run: |
+          pytest

.pre-commit-config.yaml

@@ -12,7 +12,7 @@ repos:
     hooks:
       - id: black
         stages: [commit]
-  - repo: https://gitlab.com/pycqa/flake8
+  - repo: https://github.com/pycqa/flake8.git
     rev: 3.9.0
     hooks:
       - id: flake8

AnoncredsProofValidation.md

+# Anoncreds Proof Validation in Aca-Py
+
+Aca-Py does some pre-validation when verifying Anoncreds presentations (proofs), some scenarios are rejected (things that are indicative of tampering, for example) and some attributes are removed before running the anoncreds validation (for example removing superfluous non-revocation timestamps).  Any Aca-Py validations or presentation modifications are indicated by the "verify_msgs" attribute in the final presentation exchange object
+
+The list of possible verification messages is [here](https://github.com/hyperledger/aries-cloudagent-python/blob/main/aries_cloudagent/indy/verifier.py#L24), and consists of:
+
+```
+class PresVerifyMsg(str, Enum):
+    """Credential verification codes."""
+
+    RMV_REFERENT_NON_REVOC_INTERVAL = "RMV_RFNT_NRI"
+    RMV_GLOBAL_NON_REVOC_INTERVAL = "RMV_GLB_NRI"
+    TSTMP_OUT_NON_REVOC_INTRVAL = "TS_OUT_NRI"
+    CT_UNREVEALED_ATTRIBUTES = "UNRVL_ATTR"
+    PRES_VALUE_ERROR = "VALUE_ERROR"
+    PRES_VERIFY_ERROR = "VERIFY_ERROR"
+```
+
+If there is additional information, it will be included like this:  `TS_OUT_NRI::19_uuid` (which means the attribute identified by `19_uuid` contained a timestamp outside of the non-revocation interval (which is just a warning)).
+
+A presentation verification may include multiple messages, for example:
+
+```
+    ...
+    "verified": "true",
+    "verified_msgs": [
+        "TS_OUT_NRI::18_uuid",
+        "TS_OUT_NRI::18_id_GE_uuid",
+        "TS_OUT_NRI::18_busid_GE_uuid"
+    ],
+    ...
+```
+
+... or it may include a single message, for example:
+
+```
+    ...
+    "verified": "false",
+    "verified_msgs": [
+        "VALUE_ERROR::Encoded representation mismatch for 'Preferred Name'"
+    ],
+    ...
+```
+
+... or the `verified_msgs` may be null or an empty array.
+
+## Presentation Modifications and Warnings
+
+The following modifications/warnings may be done by Aca-Py which shouldn't affect the verification of the received proof):
+
+- "RMV_RFNT_NRI":  Referent contains a non-revocation interval for a non-revocable credential (timestamp is removed)
+- "RMV_GLB_NRI":  Presentation contains a global interval for a non-revocable credential (timestamp is removed)
+- "TS_OUT_NRI":  Presentation contains a non-revocation timestamp outside of the requested non-revocation interval (warning)
+- "UNRVL_ATTR":  Presentation contains attributes with unrevealed values (warning)
+
+## Presentation Pre-validation Errors
+
+The following pre-verification checks are done, which will fail the proof (before calling anoncreds) and will result in the following message:
+
+```
+VALUE_ERROR::<description of the failed validation>
+```
+
+These validations are all done within the [Indy verifier class](https://github.com/hyperledger/aries-cloudagent-python/blob/main/aries_cloudagent/indy/verifier.py) - to see the detailed validation just look for anywhere a `raise ValueError(...)` appears in the code.
+
+A summary of the possible errors is:
+
+- information missing in presentation exchange record
+- timestamp provided for irrevocable credential
+- referenced revocation registry not found on ledger
+- timestamp outside of reasonable range (future date or pre-dates revocation registry)
+- mis-match between provided and requested timestamps for non-revocation
+- mis-match between requested and provided attributes or predicates
+- self-attested attribute is provided for a requested attribute with restrictions
+- encoded value doesn't match raw value
+
+## Anoncreds Verification Exceptions
+
+Typically when you call the anoncreds `verifier_verify_proof()` method, it will return a `True` or `False` based on whether the presentation cryptographically verifies.  However in the case where anoncreds throws an exception, the exception text will be included in a verification message as follows:
+
+```
+VERIFY_ERROR::<the exception text>
+```
+

ContainerImagesAndGithubActions.md

+# Container Images and Github Actions
+
+Aries Cloud Agent - Python is most frequently deployed using containers. From
+the first release of ACA-Py up through 0.7.4, much of the community has built
+their Aries stack using the container images graciously provided by BC Gov and
+hosted through their `bcgovimages` docker hub account. These images have been
+critical to the adoption of not only ACA-Py but also Hyperledger Aries and SSI
+more generally.
+
+Recognizing how critical these images are to the success of ACA-Py and
+consistent with Hyperledger's commitment to open collaboration, container images
+are now built and published directly from the Aries Cloud Agent - Python project
+repository and made available through the [Github Packages Container
+Registry](https://ghcr.io).
+
+
+## Image
+
+This project builds and publishes the `ghcr.io/hyperledger/aries-cloudagent-python` image.
+Multiple variants are available; see [Tags](#tags).
+
+### Tags
+
+ACA-Py is a foundation for building decentralized identity applications; to this
+end, there are multiple variants of ACA-Py built to suit the needs of a variety
+of environments and workflows. There are currently two main variants:
+
+- "Standard" - The default configuration of ACA-Py, including:
+    - Aries Askar for secure storage
+    - Indy VDR for Indy ledger communication
+    - Indy Shared Libraries for AnonCreds
+- "Indy" - The legacy configuration of ACA-Py, including:
+    - Indy SDK Wallet for secure storage
+    - Indy SDK Ledger for Indy ledger communication
+    - Indy SDK for AnonCreds
+
+These two image variants are largely distinguished by providers for Indy Network
+and AnonCreds support. The Standard variant is recommended for new projects.
+Migration from an Indy based image (whether the new Indy image variant or the
+original BC Gov images) to the Standard image is outside of the scope of this
+document.
+
+The ACA-Py images built by this project are tagged to indicate which of the
+above variants it is. Other tags may also be generated for use by developers.
+
+Below is a table of all generated images and their tags:
+
+Tag                     | Variant  | Example                  | Description                                                                                     |
+------------------------|----------|--------------------------|-------------------------------------------------------------------------------------------------|
+py3.6-X.Y.Z             | Standard | py3.6-0.7.4              | Standard image variant built on Python 3.6 for ACA-Py version X.Y.Z                             |
+py3.7-X.Y.Z             | Standard | py3.7-0.7.4              | Standard image variant built on Python 3.7 for ACA-Py version X.Y.Z                             |
+py3.8-X.Y.Z             | Standard | py3.8-0.7.4              | Standard image variant built on Python 3.8 for ACA-Py version X.Y.Z                             |
+py3.9-X.Y.Z             | Standard | py3.9-0.7.4              | Standard image variant built on Python 3.9 for ACA-Py version X.Y.Z                             |
+py3.10-X.Y.Z            | Standard | py3.10-0.7.4             | Standard image variant built on Python 3.10 for ACA-Py version X.Y.Z                            |
+py3.7-indy-A.B.C-X.Y.Z  | Indy     | py3.7-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.7 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.8-indy-A.B.C-X.Y.Z  | Indy     | py3.8-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.8 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.9-indy-A.B.C-X.Y.Z  | Indy     | py3.9-indy-1.16.0-0.7.4  | Standard image variant built on Python 3.9 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C  |
+py3.10-indy-A.B.C-X.Y.Z | Indy     | py3.10-indy-1.16.0-0.7.4 | Standard image variant built on Python 3.10 for ACA-Py version X.Y.Z and Indy SDK Version A.B.C |
+
+### Image Comparison
+
+There are several key differences that should be noted between the two image
+variants and between the BC Gov ACA-Py images.
+
+- Standard Image
+    - Based on slim variant of Debian
+    - Does **NOT** include `libindy`
+    - Default user is `aries`
+    - Uses container's system python environment rather than `pyenv`
+    - Askar and Indy Shared libraries are installed as dependencies of ACA-Py through pip from pre-compiled binaries included in the python wrappers
+    - Built from repo contents
+- Indy Image
+    - Based on slim variant of Debian
+    - Built from multi-stage build step (`indy-base` in the Dockerfile) which includes Indy dependencies; this could be replaced with an explicit `indy-python` image from the Indy SDK repo
+    - Includes `libindy` but does **NOT** include the Indy CLI
+    - Default user is `indy`
+    - Uses container's system python environment rather than `pyenv`
+    - Askar and Indy Shared libraries are installed as dependencies of ACA-Py through pip from pre-compiled binaries included in the python wrappers
+    - Built from repo contents
+    - Includes Indy postgres storage plugin
+- `bcgovimages/aries-cloudagent`
+    - (Usually) based on Ubuntu
+    - Based on `von-image`
+    - Default user is `indy`
+    - Includes `libindy` and Indy CLI
+    - Uses `pyenv`
+    - Askar and Indy Shared libraries built from source
+    - Built from ACA-Py python package uploaded to PyPI
+    - Includes Indy postgres storage plugin
+
+## Github Actions
+
+- Tests (`.github/workflows/tests.yml`) - A reusable workflow that runs tests
+  for the Standard ACA-Py variant for a given python version.
+- Tests (Indy) (`.github/workflows/tests-indy.yml`) - A reusable workflow that
+  runs tests for the Indy ACA-Py variant for a given python and indy version.
+- PR Tests (`.github/workflows/pr-tests.yml`) - Run on pull requests; runs tests
+  for the Standard and Indy ACA-Py variants for a "default" python version.
+  Check this workflow for the current default python and Indy versions in use.
+- Nightly Tests (`.github/workflows/nightly-tests.yml`) - Run nightly; runs
+  tests for the Standard and Indy ACA-Py variants for all currently supported
+  python versions. Check this workflow for the set of currently supported
+  versions and Indy version(s) in use.
+- Publish (`.github/workflows/publish.yml`) - Run on new release published or
+  when manually triggered; builds and pushes the Standard ACA-Py variant to the
+  Github Container Registry.
+- Publish (Indy) (`.github/workflows/publish-indy.yml`) - Run on new release
+  published or when manually triggered; builds and pushes the Indy ACA-Py
+  variant to the Github Container Registry.
+- Integration Tests (`.github/workflows/integrationtests.yml`) - Run on pull
+  requests (to the hyperledger fork only); runs BDD integration tests.
+- Black Format (`.github/workflows/blackformat.yml`) - Run on pull requests;
+  checks formatting of files modified by the PR.
+- CodeQL (`.github/workflows/codeql.yml`) - Run on pull requests; performs
+  CodeQL analysis.
+- Python Publish (`.github/workflows/pythonpublish.yml`) - Run on release
+  created; publishes ACA-Py python package to PyPI.
+- PIP Audit (`.github/workflows/pipaudit.yml`) - Run when manually triggered;
+  performs pip audit.

DIDMethods.md

+# DID methods in ACA-Py
+Decentralized Identifiers, or DIDs, are URIs that point to documents that describe cryptographic primitives and protocols used in decentralized identity management.
+DIDs include methods that describe where and how documents can be retrieved.
+DID methods support specific types of keys and may or may not require the holder to specify the DID itself.
+
+ACA-Py provides a `DIDMethods` registry holding all the DID methods supported for storage in a wallet
+
+> :warning: Askar and InMemory are the only wallets supporting this registry.
+
+## Registering a DID method
+By default, ACA-Py supports `did:key` and `did:sov`.
+Plugins can register DID additional methods to make them available to holders. 
+Here's a snippet adding support for `did:web` to the registry from a plugin `setup` method.
+
+```python=
+WEB = DIDMethod(
+    name="web",
+    key_types=[ED25519, BLS12381G2],
+    rotation=True,
+    holder_defined_did=HolderDefinedDid.REQUIRED  # did:web is not derived from key material but from a user-provided respository name
+)
+
+async def setup(context: InjectionContext):
+    methods = context.inject(DIDMethods)
+    methods.register(WEB)
+```
+
+## Creating a DID
+
+`POST /wallet/did/create` can be provided with parameters for any registered DID method. Here's a follow-up to the
+`did:web` method example:
+
+```json=
+{
+    "method": "web",
+    "options": {
+        "did": "did:web:doma.in",
+        "key_type": "ed25519"
+    }
+}
+```
+
+## Resolving DIDs
+
+For specifics on how DIDs are resolved in ACA-Py, see: [DID Resolution](DIDResolution.md).