feat!: revert typed identy and move back to runtime.Identity

[matthiasbruns]

What this PR does / why we need it

We introduces runtime.Typed for both credentials and identities.
While valuable for credentials, our code-base heavily relies on runtime.Identity. The problem is that we have to type-assign at several places just to migrate from runtime.Identity to runtime.Typed. There is no real benefit yet, nor do we have a working concept or even idea how we would provide identity comparison across plugin-boundaries for arbitrary types. We can't even imagine identities that would need such a change right now.

I kept CredentialTypeSchemeProvider for now - no idea if this adds much to our system anymore.

Which issue(s) this PR fixes

Rolls back: open-component-model/ocm-project#800

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	16f6576
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a01a1f700816d000831f9aa
😎 Deploy Preview	https://deploy-preview-2469--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors the Go credentials package to use concrete runtime.Identity types throughout credential resolution instead of generic runtime.Typed values. The IdentityTypeRegistry is refactored to manage identity type aliases internally via a canonicalOf map, removing its dependency on runtime.Scheme. The Resolver interface and all resolution paths are updated to accept runtime.Identity parameters, the toIdentity compatibility helper is removed, and Graph.Resolve is marked deprecated in favor of ResolveTyped.

Changes

Typed Credential Resolution Refactoring

Layer / File(s)	Summary
Interface & Registry Contracts bindings/go/credentials/interface.go, bindings/go/credentials/type_registry.go	Resolver.ResolveTyped parameter tightened from runtime.Typed to runtime.Identity. IdentityTypeRegistry refactored to remove runtime.Scheme dependency and manage aliases internally via canonicalOf map; new IsRegistered method added; scheme-exposing CredentialTypeSchemeProvider interface and GetIdentityTypeScheme() method removed. Constructor and registration methods no longer accept scheme options or prototypes.
DAG Identity Handling bindings/go/credentials/synced_dag.go	getIdentity, matchAnyNode, and addIdentity now work directly with runtime.Identity. Vertex keys derived from identity.String(). Exact matching by key lookup; wildcard matching uses identity.Match() instead of typedMatch helpers. Panic-prone typed-identity code paths removed.
Graph Resolution bindings/go/credentials/graph.go	ResolveTyped parameter changed to runtime.Identity; initial validation calls identity.ParseType(). Deprecation comment added to Graph.Resolve. Error handling unified to produce consistent failed to resolve credentials for identity %q messages using identity.String() with appropriate error wrappers.
Direct & Indirect Resolution bindings/go/credentials/resolve_direct.go, bindings/go/credentials/resolve_indirect.go	Both functions updated to accept runtime.Identity and derive cache keys from identity.String(). Direct path resolves child identities via g.getIdentity(edgeID) without type conversion. Indirect path constructs fallback identities via DeepCopy() and SetType(AnyConsumerIdentityType), replacing toIdentity() conversion.
Static Resolver & Ingestion bindings/go/credentials/resolve_static.go, bindings/go/credentials/ingest.go	StaticCredentialsResolver.ResolveTyped accepts runtime.Identity; lookup uses identity.String(). Ingestion validation uses registry.IsRegistered() directly instead of GetIdentityTypeScheme().IsRegistered().
Compatibility Removal bindings/go/credentials/identity_compat.go, bindings/go/credentials/identity_compat_test.go	Removed toIdentity conversion helper and its three unit tests (Test_toIdentity_Identity, Test_toIdentity_Nil, Test_toIdentity_NonIdentity).
Tests & Validation bindings/go/credentials/type_registry_test.go, bindings/go/credentials/synced_dag_test.go, bindings/go/credentials/ingest_test.go	Registry tests updated to call Register/RegisterWithAcceptedCredentials without &runtime.Raw{} argument; assertions switched to IsRegistered() and AcceptedCredentialTypes(). Added tests for duplicate alias detection and idempotent registration. DAG tests updated to use identity.String() for key comparison; removed nodeID and typedMatch test coverage. Ingestion tests updated for new registry API.
Documentation bindings/go/credentials/doc.go	Clarified that both credential registries are optional (nil-safe) with fallback to legacy v1.DirectCredentials. Updated usage example to describe typed resolution as returning runtime.Typed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• open-component-model/open-component-model#2360: Both PRs modify the Go typed-credentials surface and usage—this PR tightens Resolver.ResolveTyped to accept runtime.Identity and refactors credential graph/registries, while the related PR implements typed OCI credential/identity types and calls ResolveTyped.
• open-component-model/open-component-model#2343: Both PRs modify the credentials bindings to add/alter typed credential resolution (ResolveTyped, resolver/graph/interface/type registry, synced DAG, resolve paths); this PR further refactors that typed-credentials work by tightening Typed→Identity and removing toIdentity indirection.
• open-component-model/open-component-model#2418: This PR's refactor to use runtime.Identity/typed credential APIs and identity type registry changes directly enable the RSA binding PR's migration to strongly-typed credentials and typed identities.

Suggested reviewers

• frewilhelm
• fabianburth
• jakobmoellerdev

---

🐰 A rabbit's verse on identity reform:

Where typed identities once wandered lost,
A canonical map now shows the way,
No schemes to scheme, no conversion cost,
Just .String() keys to save the day!
The DAG hops brightly, credentials align,
Direct and indirect paths now fine. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately describes the main change: reverting from runtime.Typed to runtime.Identity for credential resolution, which is the core purpose of this refactoring across multiple files.
Description check	✅ Passed	The PR description clearly explains the rationale for rolling back runtime.Typed usage for identities, citing excessive type-migration overhead without clear benefits and no current use case for cross-plugin identity comparison.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[matthiasbruns]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindings/go/credentials/synced_dag.go`:
- Around line 41-47: The getIdentity method on syncedDag returns a mutable
runtime.Identity by reference; change it to return a defensive copy and likewise
ensure the code path that stores the identity (the place writing
attributeIdentity into vertex.Attributes, referenced around the store in the
same file) also stores a copy instead of the original map. Concretely, when
reading in syncedDag.getIdentity (and when assigning to
vertex.Attributes[attributeIdentity]) clone the runtime.Identity map into a new
map and return/store that copy so external callers cannot mutate internal DAG
state; locate getIdentity, getVertex, and the code that sets attributeIdentity
to implement the copy.

In `@bindings/go/credentials/type_registry.go`:
- Around line 67-71: The registry currently stores and returns caller-owned
slices by reference (r.acceptedCreds and acceptedCredentialTypes), allowing
external mutation; fix this by making defensive copies: when assigning into
r.acceptedCreds (the place where types[0] is used) copy the
acceptedCredentialTypes slice before storing, and when returning slices from the
registry (e.g., the getter that returns acceptedCreds entries) return a copied
slice rather than the internal slice; ensure copies use make/append semantics so
concurrent callers cannot mutate internal state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3ccd56a5-daa4-4196-b0b1-0c3d880a8a05

📥 Commits

Reviewing files that changed from the base of the PR and between 154671b and 109b3a6.

📒 Files selected for processing (14)

• bindings/go/credentials/doc.go
• bindings/go/credentials/graph.go
• bindings/go/credentials/identity_compat.go
• bindings/go/credentials/identity_compat_test.go
• bindings/go/credentials/ingest.go
• bindings/go/credentials/ingest_test.go
• bindings/go/credentials/interface.go
• bindings/go/credentials/resolve_direct.go
• bindings/go/credentials/resolve_indirect.go
• bindings/go/credentials/resolve_static.go
• bindings/go/credentials/synced_dag.go
• bindings/go/credentials/synced_dag_test.go
• bindings/go/credentials/type_registry.go
• bindings/go/credentials/type_registry_test.go

💤 Files with no reviewable changes (2)

• bindings/go/credentials/identity_compat.go
• bindings/go/credentials/identity_compat_test.go