Add endpoint to list (about-to-)expired wallet credentials #4224

Open
reinkrul wants to merge 1 commit into master from 4217-expiring-credentials-endpoint
@reinkrul
Member

Closes #4217.

Summary

  • Adds GET /internal/vcr/v2/holder/expiring?within=<duration> — aggregates across all wallets on the node, returns a JSON object keyed by subject ID with the list of expired or about-to-expire credentials per subject.
  • Default within is 720h (30 days); 0s returns only already-expired credentials. Negative or unparseable values give 400.
  • Response uses a focused monitoring DTO (id, holder, issuer, type, expirationDate) rather than the raw VC, so the shape stays uniform regardless of whether the underlying credential is JSON-LD or JWT-encoded. Operators needing the full VC can fetch it by id via existing wallet endpoints.
```json
{
  "90BC1AE9-752B-432F-ADC3-DD9F9C61843C": [
    {
      "id":             "did:web:issuer.example.com#abc",
      "holder":         "did:web:example.com:iam:123",
      "issuer":         "did:web:issuer.example.com",
      "type":           ["NutsOrganizationCredential"],
      "expirationDate": "2026-05-15T12:00:00Z"
    }
  ]
}
```

Subjects with no expiring credentials are omitted from the response.

Test plan

  • Unit tests covering: groups across subjects, custom within, within=0 (only already-expired), no subjects (empty map), invalid within, negative within, subject manager error
  • go build ./...
  • go test ./vcr/api/vcr/v2/...

Assisted by AI

Adds GET /internal/vcr/v2/holder/expiring which aggregates credentials
across all wallets on the node and returns a JSON object grouping
expiring credentials by subject ID. Operators can poll a single URL to
monitor and refresh credentials before they expire (closes #4217).

The response is a focused monitoring DTO (id, holder, issuer, type,
expirationDate) rather than the raw VC, so the shape stays uniform
regardless of whether the underlying credential is JSON-LD or JWT-encoded.

Assisted by AI
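
The `within` rules and per-subject grouping described in the summary above, sketched as an added example (this is not the code from this pull request). The type and function names are hypothetical; the inclusive cutoff and the handling of credentials without an expiration date are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// ExpiringCredential holds the monitoring DTO fields named in the PR description.
type ExpiringCredential struct {
	ID, Holder, Issuer string
	Type               []string
	ExpirationDate     time.Time
}

// ParseWithin: empty means the 720h default; negative or unparseable is an error (HTTP 400).
func ParseWithin(raw string) (time.Duration, error) {
	if raw == "" {
		return 720 * time.Hour, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("invalid within %q: %w", raw, err)
	}
	if d < 0 {
		return 0, fmt.Errorf("within must not be negative, got %s", d)
	}
	return d, nil
}

// GroupExpiring keeps, per subject ID, credentials expiring at or before now+within.
// Assumptions: inclusive cutoff; a zero ExpirationDate means "never expires".
func GroupExpiring(wallets map[string][]ExpiringCredential, now time.Time, within time.Duration) map[string][]ExpiringCredential {
	cutoff := now.Add(within)
	out := map[string][]ExpiringCredential{}
	for subject, creds := range wallets {
		for _, c := range creds {
			if !c.ExpirationDate.IsZero() && !c.ExpirationDate.After(cutoff) {
				out[subject] = append(out[subject], c) // subjects without matches never get a key
			}
		}
	}
	return out
}

func main() {
	now := time.Date(2026, 4, 30, 0, 0, 0, 0, time.UTC) // constructed sample data
	wallets := map[string][]ExpiringCredential{"subject-a": {{ID: "did:web:issuer.example.com#abc", ExpirationDate: now.Add(240 * time.Hour)}}}
	within, err := ParseWithin("720h")
	fmt.Println(GroupExpiring(wallets, now, within), err)
}
```
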
@qltysh

qltysh Bot commented Apr 30, 2026

1 new issue

| Tool | Category | Rule | Count |
| --- | --- | --- | --- |
| qlty | Structure | Function with many returns (count = 6): NewGetExpiringCredentialsInWalletRequest | 1 |

@reinkrul
Member Author

reinkrul commented Apr 30, 2026

TODO / open question — filtering by credential type:

Some credential types are expected to expire and shouldn't trigger refresh alerts, but operators still want to keep them in the wallet for audit / paper-trail purposes (e.g. NutsAuthorizationCredential). For those, deleting is not an option.

We may want to add type-based filtering to this endpoint, e.g. ?excludeType=NutsAuthorizationCredential (and/or ?includeType=...), so monitoring tools can suppress credentials that are expected to expire.

Assisted by AI

@qltysh

qltysh Bot commented Apr 30, 2026


Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.02%.

Modified Files with Diff Coverage (1)

| Rating | File | % Diff | Uncovered Line #s |
| --- | --- | --- | --- |
| Coverage rating: A | vcr/api/vcr/v2/api.go | 96.1% | 525-526 |
| Total | | 96.1% | |
Development

Successfully merging this pull request may close these issues.

Add endpoint for detecting (about to) expired credentials
