chore: bump world-id-core 0.6 → 0.7 #325

Merged
Dzejkop merged 1 commit into main from chore/bump-world-id-protocol
Mar 25, 2026
@agentotto agentotto bot commented Mar 25, 2026

Summary

Bumps world-id-core (and its transitive world-id-* dependencies) from 0.6 to 0.7, along with the minimal in-code adaptations required by the new upstream API.

Changes

| File | What changed |
|---|---|
| Cargo.toml | world-id-core version 0.6 → 0.7 |
| Cargo.lock | Transitive dependency updates (world-id-authenticator, world-id-primitives, world-id-proof 0.6 → 0.7; taceo-oprf 0.10, taceo-oprf-client 0.9.1, taceo-oprf-types 0.11) |
| walletkit-core/src/credential.rs | Field rename: associated_data_hash → associated_data_commitment |
| walletkit-core/tests/proof_generation_integration.rs | Import OprfKeyId from world_id_core::primitives instead of taceo_oprf::types (re-export moved upstream) |

Context

This is the dependency bump portion extracted from #306, separated from the new authenticator management feature to allow independent review and merge.

Verified: cargo build -p walletkit-core compiles cleanly.


Note

Medium Risk
Upgrades a core cryptography/proof dependency (world-id-core) and its transitive world-id-*/taceo-oprf* crates, which can subtly change proof generation/verification behavior despite minimal local code changes.

Overview
Bumps world-id-core from 0.6 to 0.7 and refreshes the lockfile accordingly (including world-id-authenticator/world-id-primitives/world-id-proof 0.7 and updated taceo-oprf*/windows-sys versions).

Adapts walletkit-core to upstream API changes by renaming the credential accessor from associated_data_hash to associated_data_commitment, and updating the integration test to import OprfKeyId from world_id_core::primitives instead of taceo_oprf::types.

Written by Cursor Bugbot for commit d19d812. This will update automatically on new commits.

Update world-id-core (and transitive world-id-* crates) from 0.6 to 0.7.

Code adaptations for the new API:
- credential.rs: rename associated_data_hash → associated_data_commitment
- proof_generation_integration.rs: OprfKeyId re-exported from world_id_core::primitives

Extracted from #306.

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | Obfuscated code: cargo world-id-proof is 98.0% likely obfuscated |

Confidence: 0.98

Location: Package overview

From: cargo/world-id-core@0.7.0 → cargo/world-id-proof@0.7.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/world-id-proof@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

use walletkit_core::storage::cache_embedded_groth16_material;
use walletkit_core::{defaults::DefaultConfig, Authenticator, Environment};
use world_id_core::primitives::{rp::RpId, FieldElement, Nullifier};
use world_id_core::primitives::{rp::RpId, FieldElement, Nullifier, OprfKeyId};
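
Review bot: With `OprfKeyId` now taken from `world_id_core::primitives` on the last line of this hunk, check that no direct `taceo-oprf` entry is left in walletkit-core/Cargo.toml at a version other than the one world-id-core 0.7 resolves (the summary lists taceo-oprf 0.10). A leftover direct dependency at a different version makes Cargo build a second copy of the crate, and its `OprfKeyId` is a distinct type from the re-exported one, so either drop the entry in this PR or align its version with Cargo.lock.
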
Unused taceo-oprf dev-dependency after import migration

Low Severity

Moving the OprfKeyId import from taceo_oprf::types to world_id_core::primitives was the only usage of the taceo-oprf dev-dependency in walletkit-core/Cargo.toml (line 80). That dev-dependency (with its TODO comment about removal) is now completely unused — the remaining taceo_oprf references in logger.rs are just string literals for log filtering, not actual crate imports. The dev-dep can be removed.

ah yes I added this import. /otto worth removing the direct taceo dep now
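
The distinction Bugbot draws in the thread above (a crate name that survives only inside string literals is not a use of the crate), as an added example that is not code from this PR or from walletkit. The function names and the sample source lines in `main` are constructed for illustration.

```rust
// Added example, not code from the PR. Limits: raw strings (r#"..."#), the
// char literal '"' and nested block comments are not handled.

/// Replace string literals and block comments with a space; drop line comments.
fn code_only(src: &str) -> String {
    let b: Vec<char> = src.chars().collect();
    let (mut out, mut i) = (String::new(), 0);
    while i < b.len() {
        let two = (b[i], b.get(i + 1).copied());
        if two == ('/', Some('/')) {
            while i < b.len() && b[i] != '\n' { i += 1; }
        } else if two == ('/', Some('*')) {
            i += 2;
            while i < b.len() && !(b[i] == '*' && b.get(i + 1) == Some(&'/')) { i += 1; }
            i += 2;
            out.push(' ');
        } else if b[i] == '"' {
            i += 1;
            while i < b.len() && b[i] != '"' {
                if b[i] == '\\' { i += 1; } // skip the escaped character
                i += 1;
            }
            i += 1;
            out.push(' ');
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    out
}

/// True if the crate (Cargo name, hyphens allowed) occurs as a whole identifier in code.
fn references_crate(src: &str, cargo_name: &str) -> bool {
    let ident = cargo_name.replace('-', "_"); // taceo-oprf is taceo_oprf in source
    let code = code_only(src);
    let is_word = |c: char| c.is_alphanumeric() || c == '_';
    let mut from = 0;
    while let Some(pos) = code[from..].find(ident.as_str()) {
        let (at, end) = (from + pos, from + pos + ident.len());
        let left_ok = !code[..at].chars().next_back().map_or(false, is_word);
        let right_ok = !code[end..].chars().next().map_or(false, is_word);
        if left_ok && right_ok { return true; }
        from = end;
    }
    false
}

fn main() {
    let logger_rs = "const FILTER: &str = \"taceo_oprf=warn\"; // taceo_oprf noise\n";
    let old_test_rs = "use taceo_oprf::types::OprfKeyId;\n";
    println!("{} {}", references_crate(logger_rs, "taceo-oprf"), references_crate(old_test_rs, "taceo-oprf"));
}
```

The check errs toward reporting a use: any identifier spelled like the crate counts, so a `false` result across every source file is the signal that the dependency entry can go.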

@Dzejkop Dzejkop merged commit 725bb12 into main Mar 25, 2026
16 checks passed
@Dzejkop Dzejkop deleted the chore/bump-world-id-protocol branch March 25, 2026 19:04