Verifiable credentials.

Credentials are issued by another identity (the issuer DID), signed with the issuer's wallet, and stored against the subject DID. Presentation re-signs with the holder.

IdentityVerifier::verify_credential_chain() recursively walks issuers up to a trust root, with cycle detection and a depth bound.

update_kyc_tier_with_credential() raises the tier only when the credential is signed by an accredited issuer for the requested tier.

tenzro identity add-credential   --subject did:tenzro:human:...   --type Accreditation   --claims '{"tier":"Enhanced"}'