toolkit/client: fix FindProof to handle self-delegation properly

.github/Repo.toml

@@ -1,20 +0,0 @@
-[scopes]
-ci = [".github/workflows"]
-config = [".github", "go.mod", "go.sum"]
-docs = ["Readme.md", "LICENSE.md"]
-assets = ["assets"]
-pkg = ["pkg"]
-args = ["pkg/args"]
-command = ["pkg/command"]
-container = ["pkg/container"]
-meta = ["pkg/meta"]
-policy = ["pkg/policy"]
-secretbox = ["pkg/secretbox"]
-token = ["token"]
-delegation = ["token/delegation"]
-invocation = ["token/invocation"]
-toolkit = ["toolkit"]
-examples = ["toolkit/_example"]
-client = ["toolkit/client"]
-issuer = ["toolkit/issuer"]
-server = ["toolkit/server"]

Readme.md

@@ -1,5 +1,5 @@
 <div align="center">
-  <a href="https://code.sonr.org/go/ucan" target="_blank">
+  <a href="https://github.com/ucan-wg/go-ucan" target="_blank">
     <img src="https://raw.githubusercontent.com/ucan-wg/go-ucan/v1/assets/logo.png" alt="go-ucan Logo" height="250"></img>
   </a>
 
@@ -7,19 +7,19 @@
 
   <p>
     <img src="https://img.shields.io/badge/UCAN-v1.0.0--rc.1-blue" alt="UCAN v1.0.0-rc.1">
-    <a href="https://code.sonr.org/go/ucan/tags">
+    <a href="https://github.com/ucan-wg/go-ucan/tags">
         <img alt="GitHub Tag" src="https://img.shields.io/github/v/tag/ucan-wg/go-ucan">
     </a>
-    <a href="https://code.sonr.org/go/ucan/actions?query=">
+    <a href="https://github.com/ucan-wg/go-ucan/actions?query=">
-      <img src="https://code.sonr.org/go/ucan/actions/workflows/gotest.yml/badge.svg" alt="Build Status">
+      <img src="https://github.com/ucan-wg/go-ucan/actions/workflows/gotest.yml/badge.svg" alt="Build Status">
     </a>
     <a href="https://ucan-wg.github.io/go-ucan/dev/bench/">
         <img alt="Go benchmarks" src="https://img.shields.io/badge/Benchmarks-go-blue">
     </a>
-    <a href="https://code.sonr.org/go/ucan/blob/v1/LICENSE.md">
+    <a href="https://github.com/ucan-wg/go-ucan/blob/v1/LICENSE.md">
         <img alt="Apache 2.0 OR MIT License" src="https://img.shields.io/badge/License-Apache--2.0_OR_MIT-green">
     </a>
-    <a href="https://pkg.go.dev/code.sonr.org/go/ucan">
+    <a href="https://pkg.go.dev/github.com/ucan-wg/go-ucan">
       <img src="https://img.shields.io/badge/Docs-godoc-blue" alt="Docs">
     </a>
     <a href="https://discord.gg/JSyFG6XgVM">
@@ -54,7 +54,7 @@ Not implemented yet:
 
 ## Status
 
-`go-ucan` currently support the required parts of the UCAN specification: the main specification, delegation and invocation. It leverages the sibling project [`go-did-it`](https://code.sonr.org/go/did-it) for easy and extensible DID support.
+`go-ucan` currently support the required parts of the UCAN specification: the main specification, delegation and invocation. It leverages the sibling project [`go-did-it`](https://github.com/MetaMask/go-did-it) for easy and extensible DID support.
 
 Besides that, `go-ucan` also includes:
 - support for encrypted values in token's metadata
@@ -73,4 +73,4 @@ Artwork by [Bruno Monts](https://www.instagram.com/bruno_monts). Thank you [Rene
 
 ## License
 
-This project is licensed under the dual license [Apache 2.0 OR MIT](https://code.sonr.org/go/ucan/blob/v1/LICENSE.md).
+This project is licensed under the dual license [Apache 2.0 OR MIT](https://github.com/ucan-wg/go-ucan/blob/v1/LICENSE.md).

go.mod

@@ -1,21 +1,21 @@
-module code.sonr.org/go/ucan
+module github.com/ucan-wg/go-ucan
 
 go 1.24.4
 
 toolchain go1.24.5
 
 require (
-	code.sonr.org/go/did-it v1.0.0
+	github.com/MetaMask/go-did-it v1.0.0-pre1
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/ipfs/go-cid v0.5.0
 	github.com/ipld/go-ipld-prime v0.21.0
 	github.com/multiformats/go-multibase v0.2.0
 	github.com/multiformats/go-multicodec v0.9.0
 	github.com/multiformats/go-multihash v0.2.3
-	github.com/multiformats/go-varint v0.1.0
+	github.com/multiformats/go-varint v0.0.7
 	github.com/stretchr/testify v1.10.0
 	github.com/ucan-wg/go-varsig v1.0.0
-	golang.org/x/crypto v0.45.0
+	golang.org/x/crypto v0.40.0
 )
 
 require (
@@ -29,7 +29,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polydawn/refmt v0.89.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect

go.sum

@@ -1,6 +1,6 @@
-code.sonr.org/go/did-it v1.0.0 h1:Wh8igUkD6cuf0Ul3gawi27z2/M1YfdnQ/mD9gBq/2EU=
-code.sonr.org/go/did-it v1.0.0/go.mod h1:PFK6ItvNyB2xbnVqipBbkN9BK1Sq+E2lf1YfOyCA0Og=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/MetaMask/go-did-it v1.0.0-pre1 h1:NTGAC7z52TwFegEF7c+csUr/6Al1nAo6ValAAxOsjto=
+github.com/MetaMask/go-did-it v1.0.0-pre1/go.mod h1:7m9syDnXFTg5GmUEcydpO4Rs3eYT4McFH7vCw5fp3A4=
 github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -43,8 +43,8 @@ github.com/multiformats/go-multicodec v0.9.0 h1:pb/dlPnzee/Sxv/j4PmkDRxCOi3hXTz3
 github.com/multiformats/go-multicodec v0.9.0/go.mod h1:L3QTQvMIaVBkXOXXtVmYE+LI16i14xuaojr/H7Ai54k=
 github.com/multiformats/go-multihash v0.2.3 h1:7Lyc8XfX/IY2jWb/gI7JP+o7JEq9hOa7BFvVU9RSh+U=
 github.com/multiformats/go-multihash v0.2.3/go.mod h1:dXgKXCXjBzdscBLk9JkjINiEsCKRVch90MdaGiKsvSM=
-github.com/multiformats/go-varint v0.1.0 h1:i2wqFp4sdl3IcIxfAonHQV9qU5OsZ4Ts9IOoETFs5dI=
+github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8=
-github.com/multiformats/go-varint v0.1.0/go.mod h1:5KVAVXegtfmNQQm/lCY+ATvDzvJJhSkUlGQV9wgObdI=
+github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polydawn/refmt v0.89.0 h1:ADJTApkvkeBZsN0tBTx8QjpD9JkmxbKp0cxfr9qszm4=
@@ -67,12 +67,12 @@ github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60Nt
 github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=
 github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

pkg/args/args.go

@@ -16,8 +16,8 @@ import (
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/ipld/go-ipld-prime/printer"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 var ErrNotFound = errors.New("key not found in meta")

pkg/args/args_test.go

@@ -14,9 +14,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 func TestArgs(t *testing.T) {

pkg/args/builder_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
 )
 
 func TestBuilder_XXX(t *testing.T) {

pkg/command/command_test.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
 )
 
 func TestTop(t *testing.T) {

pkg/container/reader.go

@@ -12,9 +12,9 @@ import (
 	"github.com/ipld/go-ipld-prime/codec/cbor"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/token"
+	"github.com/ucan-wg/go-ucan/token"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 var ErrNotFound = fmt.Errorf("not found")

pkg/container/serial_test.go

@@ -9,16 +9,16 @@ import (
 	"testing"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/controller/did-key"
+	"github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 	"github.com/ipfs/go-cid"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 func TestContainerRoundTrip(t *testing.T) {

pkg/meta/meta.go

@@ -10,8 +10,8 @@ import (
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/printer"
 
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/pkg/secretbox"
+	"github.com/ucan-wg/go-ucan/pkg/secretbox"
 )
 
 var ErrNotFound = errors.New("key not found in meta")

pkg/meta/meta_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
 )
 
 func TestMeta_Add(t *testing.T) {

pkg/policy/ipld.go

@@ -9,8 +9,8 @@ import (
 	"github.com/ipld/go-ipld-prime/must"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
-	"code.sonr.org/go/ucan/pkg/policy/selector"
+	"github.com/ucan-wg/go-ucan/pkg/policy/selector"
 )
 
 func FromIPLD(node datamodel.Node) (Policy, error) {

pkg/policy/literal/literal.go

@@ -13,7 +13,7 @@ import (
 	cidlink "github.com/ipld/go-ipld-prime/linking/cid"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 var Bool = basicnode.NewBool

pkg/policy/literal/literal_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/ipld/go-ipld-prime/printer"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 func TestList(t *testing.T) {

pkg/policy/match_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 func TestMatch(t *testing.T) {

pkg/policy/policy.go

@@ -9,7 +9,7 @@ import (
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 
-	selpkg "code.sonr.org/go/ucan/pkg/policy/selector"
+	selpkg "github.com/ucan-wg/go-ucan/pkg/policy/selector"
 )
 
 const (

pkg/policy/policy_test.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 func ExamplePolicy() {

pkg/policy/policytest/spec.go

@@ -3,9 +3,9 @@ package policytest
 import (
 	"github.com/ipld/go-ipld-prime"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 // EmptyPolicy provides a Policy with no statements.

pkg/policy/selector/parsing.go

@@ -7,7 +7,7 @@ import (
 	"strconv"
 	"strings"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 var (

pkg/policy/selector/parsing_test.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 func TestParse(t *testing.T) {

pkg/policy/selector/supported_test.go

@@ -9,7 +9,7 @@ import (
 	basicnode "github.com/ipld/go-ipld-prime/node/basic"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy/selector"
+	"github.com/ucan-wg/go-ucan/pkg/policy/selector"
 )
 
 // TestSupported Forms runs tests against the Selector according to the

token/delegation/delegation.go

@@ -16,13 +16,13 @@ import (
 	"strings"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/internal/nonce"
+	"github.com/ucan-wg/go-ucan/token/internal/nonce"
-	"code.sonr.org/go/ucan/token/internal/parse"
+	"github.com/ucan-wg/go-ucan/token/internal/parse"
 )
 
 // Token is an immutable type that holds the fields of a UCAN delegation.
@@ -238,7 +238,7 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
 
 	tkn.issuer, err = did.Parse(m.Iss)
 	if err != nil {
-		return nil, fmt.Errorf("parse iss: %w", err)
+		return nil, fmt.Errorf("parse issuer: %w", err)
 	}
 
 	if tkn.audience, err = did.Parse(m.Aud); err != nil {

token/delegation/delegation_test.go

@@ -6,12 +6,12 @@ import (
 	"testing"
 	"time"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 //go:embed testdata/new.dagjson

token/delegation/delegationtest/generator/generator.go

@@ -9,17 +9,17 @@ import (
 	"slices"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	didkeyctl "github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/policytest"
+	"github.com/ucan-wg/go-ucan/pkg/policy/policytest"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
 )
 
 const (
@@ -71,6 +71,25 @@ type generator struct {
 	chains []proof
 }
 
+func (g *generator) createSelfDelegations(personas []didtest.Persona) error {
+	for _, persona := range personas {
+		_, err := g.createDelegation(newDelegationParams{
+			privKey: persona.PrivKey(),
+			aud:     persona.DID(),
+			cmd:     delegationtest.NominalCommand,
+			pol:     policytest.EmptyPolicy,
+			sub:     persona.DID(),
+			opts: []delegation.Option{
+				delegation.WithNonce(constantNonce),
+			},
+		}, persona.Name()+persona.Name(), noopVariant())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (g *generator) chainPersonas(personas []didtest.Persona, acc acc, vari variant) error {
 	acc.name += personas[0].Name()
 
@@ -215,7 +234,7 @@ func (g *generator) writeGoFile() error {
 	Println("import (")
 	Println("\t\"github.com/ipfs/go-cid\"")
 	Println()
-	Println("\t\"code.sonr.org/go/ucan/token/delegation\"")
+	Println("\t\"github.com/ucan-wg/go-ucan/token/delegation\"")
 	Println(")")
 
 	refs := make(map[cid.Cid]string, len(g.dlgs))

token/delegation/delegationtest/generator/main.go

@@ -1,12 +1,16 @@
 package main
 
 import (
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 )
 
 func main() {
 	gen := &generator{}
-	err := gen.chainPersonas(didtest.Personas(), acc{}, noopVariant())
+	err := gen.createSelfDelegations(didtest.Personas())
+	if err != nil {
+		panic(err)
+	}
+	err = gen.chainPersonas(didtest.Personas(), acc{}, noopVariant())
 	if err != nil {
 		panic(err)
 	}

token/delegation/delegationtest/token.go

@@ -5,11 +5,11 @@ import (
 	"path/filepath"
 	"sync"
 
-	_ "code.sonr.org/go/did-it/verifiers/did-key"
+	_ "github.com/MetaMask/go-did-it/verifiers/did-key"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 var (

token/delegation/delegationtest/token_gen.go

@@ -5,7 +5,49 @@ package delegationtest
 import (
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
+)
+
+var (
+	TokenAliceAliceCID    = cid.MustParse("bafyreiddqsv5rrpcormtcs3dg7hzwjr2grxyyozc2f2surxdbnctdqpfzi")
+	TokenAliceAliceSealed = mustGetBundle(TokenAliceAliceCID).Sealed
+	TokenAliceAliceBundle = mustGetBundle(TokenAliceAliceCID)
+	TokenAliceAlice       = mustGetBundle(TokenAliceAliceCID).Decoded
+)
+
+var (
+	TokenBobBobCID    = cid.MustParse("bafyreid4dwdov4yijvnb7xxhcndsxifzw5yry4sm4frex6relttlnledo4")
+	TokenBobBobSealed = mustGetBundle(TokenBobBobCID).Sealed
+	TokenBobBobBundle = mustGetBundle(TokenBobBobCID)
+	TokenBobBob       = mustGetBundle(TokenBobBobCID).Decoded
+)
+
+var (
+	TokenCarolCarolCID    = cid.MustParse("bafyreiekuehdsubdfllqecsat4gsfveyqq6442ejuiqfsgu3tplrus5l3e")
+	TokenCarolCarolSealed = mustGetBundle(TokenCarolCarolCID).Sealed
+	TokenCarolCarolBundle = mustGetBundle(TokenCarolCarolCID)
+	TokenCarolCarol       = mustGetBundle(TokenCarolCarolCID).Decoded
+)
+
+var (
+	TokenDanDanCID    = cid.MustParse("bafyreigzd442yhyizbx54kd76ewxssh5owuxv26ziittnblnj4h3a555dm")
+	TokenDanDanSealed = mustGetBundle(TokenDanDanCID).Sealed
+	TokenDanDanBundle = mustGetBundle(TokenDanDanCID)
+	TokenDanDan       = mustGetBundle(TokenDanDanCID).Decoded
+)
+
+var (
+	TokenErinErinCID    = cid.MustParse("bafyreigl5lbogpzq7iyz6qkzhicv4zscu26j62k4ydgcqogdiqmks5tz7q")
+	TokenErinErinSealed = mustGetBundle(TokenErinErinCID).Sealed
+	TokenErinErinBundle = mustGetBundle(TokenErinErinCID)
+	TokenErinErin       = mustGetBundle(TokenErinErinCID).Decoded
+)
+
+var (
+	TokenFrankFrankCID    = cid.MustParse("bafyreic6hgmqf2vwszboldlqeobpy2plpkcmj4dhhug76akcnafb2pt6em")
+	TokenFrankFrankSealed = mustGetBundle(TokenFrankFrankCID).Sealed
+	TokenFrankFrankBundle = mustGetBundle(TokenFrankFrankCID)
+	TokenFrankFrank       = mustGetBundle(TokenFrankFrankCID).Decoded
 )
 
 var (
@@ -170,6 +212,12 @@ var (
 )
 
 var AllTokens = []*delegation.Token{
+	TokenAliceAlice,
+	TokenBobBob,
+	TokenCarolCarol,
+	TokenDanDan,
+	TokenErinErin,
+	TokenFrankFrank,
 	TokenAliceBob,
 	TokenBobCarol,
 	TokenCarolDan,
@@ -196,6 +244,12 @@ var AllTokens = []*delegation.Token{
 }
 
 var AllBundles = []delegation.Bundle{
+	TokenAliceAliceBundle,
+	TokenBobBobBundle,
+	TokenCarolCarolBundle,
+	TokenDanDanBundle,
+	TokenErinErinBundle,
+	TokenFrankFrankBundle,
 	TokenAliceBobBundle,
 	TokenBobCarolBundle,
 	TokenCarolDanBundle,
@@ -222,6 +276,12 @@ var AllBundles = []delegation.Bundle{
 }
 
 var cidToName = map[cid.Cid]string{
+	TokenAliceAliceCID:                       "TokenAliceAlice",
+	TokenBobBobCID:                           "TokenBobBob",
+	TokenCarolCarolCID:                       "TokenCarolCarol",
+	TokenDanDanCID:                           "TokenDanDan",
+	TokenErinErinCID:                         "TokenErinErin",
+	TokenFrankFrankCID:                       "TokenFrankFrank",
 	TokenAliceBobCID:                         "TokenAliceBob",
 	TokenBobCarolCID:                         "TokenBobCarol",
 	TokenCarolDanCID:                         "TokenCarolDan",

token/delegation/delegationtest/token_test.go

@@ -7,8 +7,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
 )
 
 func TestGetDelegation(t *testing.T) {

token/delegation/examples_test.go

@@ -8,17 +8,17 @@ import (
 	"fmt"
 	"time"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // The following example shows how to create a delegation.Token with

token/delegation/interop_test.go

@@ -7,8 +7,8 @@ import (
 	"fmt"
 	"testing"
 
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 	"github.com/multiformats/go-varint"
 	"github.com/stretchr/testify/require"
 )

token/delegation/ipld.go

@@ -3,8 +3,8 @@ package delegation
 import (
 	"io"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec"
@@ -12,7 +12,7 @@ import (
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // ToSealed wraps the delegation token in an envelope, generates the

token/delegation/schema.go

@@ -10,8 +10,8 @@ import (
 	"github.com/ipld/go-ipld-prime/node/bindnode"
 	"github.com/ipld/go-ipld-prime/schema"
 
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // Tag is the string used as a key within the SigPayload that identifies

token/delegation/schema_test.go

@@ -5,13 +5,13 @@ import (
 	_ "embed"
 	"testing"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 //go:embed delegation.ipldsch

token/inspect.go

@@ -3,7 +3,7 @@ package token
 import (
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 type Info = envelope.Info

token/interface.go

@@ -4,7 +4,7 @@ import (
 	"io"
 	"time"
 
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime/codec"
 )

token/internal/envelope/cid_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 func TestCidFromBytes(t *testing.T) {

token/internal/envelope/example_test.go

@@ -7,8 +7,8 @@ import (
 	"sync"
 	"testing"
 
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/ipld/go-ipld-prime/datamodel"
@@ -18,7 +18,7 @@ import (
 	"github.com/ipld/go-ipld-prime/schema"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 const (

token/internal/envelope/ipld.go

@@ -42,8 +42,8 @@ import (
 	"github.com/ipld/go-ipld-prime/schema"
 	"github.com/ucan-wg/go-varsig"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 )
 
 const (

token/internal/envelope/ipld_test.go

@@ -8,13 +8,13 @@ import (
 	"os"
 	"testing"
 
-	_ "code.sonr.org/go/did-it/verifiers/did-key"
+	_ "github.com/MetaMask/go-did-it/verifiers/did-key"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 func TestDecode(t *testing.T) {

token/internal/parse/parse.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 func OptionalDID(s *string) (did.DID, error) {

token/internal/parse/parse_test.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"github.com/ucan-wg/go-ucan/pkg/policy/limits"
 )
 
 func TestOptionalTimestamp(t *testing.T) {

token/invocation/examples_test.go

@@ -7,17 +7,17 @@ import (
 	"fmt"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	didkeyctl "github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 func ExampleNew() {

token/invocation/invocation.go

@@ -14,15 +14,15 @@ import (
 	"strings"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/internal/nonce"
+	"github.com/ucan-wg/go-ucan/token/internal/nonce"
-	"code.sonr.org/go/ucan/token/internal/parse"
+	"github.com/ucan-wg/go-ucan/token/internal/parse"
 )
 
 // Token is an immutable type that holds the fields of a UCAN invocation.
@@ -109,10 +109,23 @@ func New(iss did.DID, cmd command.Command, sub did.DID, prf []cid.Cid, opts ...O
 	return &tkn, nil
 }
 
+// NewSelfSigned is similar to New, but self-signs the invocation, and therefore does not require a proof.
+// It's similar to having an invocation with a delegation from the invoker to itself.
+// This can be useful in some protocols where the invoker is the same as the subject, or to prove ownership of a resource.
+//
+// You can read it as "(Issuer - I) executes (command) on itself".
+func NewSelfSigned(iss did.DID, cmd command.Command, opts ...Option) (*Token, error) {
+	return New(iss, cmd, iss, nil, opts...)
+}
+
+// ExecutionAllowed verifies that the invocation respects the rules and can be executed.
+// IMPORTANT: this function does NOT verify that the subject (and audience if set) makes sense in your context.
 func (t *Token) ExecutionAllowed(loader delegation.Loader) error {
 	return t.executionAllowed(loader, t.arguments)
 }
 
+// ExecutionAllowedWithArgsHook is the same as ExecutionAllowed, but allows to modify the arguments before verifying them.
+// IMPORTANT: this function does NOT verify that the subject (and audience if set) makes sense in your context.
 func (t *Token) ExecutionAllowedWithArgsHook(loader delegation.Loader, hook func(args args.ReadOnly) (*args.Args, error)) error {
 	newArgs, err := hook(t.arguments.ReadOnly())
 	if err != nil {
@@ -204,6 +217,11 @@ func (t *Token) Cause() *cid.Cid {
 	return t.cause
 }
 
+// IsSelfSigned returns true if the token is self-signed, ie it has the same issuer and subject.
+func (t *Token) IsSelfSigned() bool {
+	return t.issuer.Equal(t.subject)
+}
+
 // IsValidNow verifies that the token can be used at the current time, based on expiration or "not before" fields.
 // This does NOT do any other kind of verifications.
 func (t *Token) IsValidNow() bool {
@@ -276,7 +294,7 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
 	)
 
 	if tkn.issuer, err = did.Parse(m.Iss); err != nil {
-		return nil, fmt.Errorf("parse iss: %w", err)
+		return nil, fmt.Errorf("parse issuer: %w", err)
 	}
 
 	if tkn.subject, err = did.Parse(m.Sub); err != nil {

token/invocation/invocation_test.go

@@ -3,159 +3,273 @@ package invocation_test
 import (
 	_ "embed"
 	"testing"
+	"time"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipfs/go-cid"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy/policytest"
+	"github.com/ucan-wg/go-ucan/pkg/policy/policytest"
-	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 //go:embed testdata/new.dagjson
 var newDagJson []byte
 
-const (
+//go:embed testdata/selfsigned.dagjson
-	missingTknCIDStr = "bafyreigwypmw6eul6vadi6g6lnfbsfo2zck7gfzsbjoroqs3djhnzzc7mm"
+var selfsignedDagJson []byte
-)
+
+const missingTknCIDStr = "bafyreigwypmw6eul6vadi6g6lnfbsfo2zck7gfzsbjoroqs3djhnzzc7mm"
 
 var emptyArguments = args.New()
 
 func TestToken_ExecutionAllowed(t *testing.T) {
-	t.Parallel()
+	for _, tc := range []struct {
+		name   string
+		issuer didtest.Persona
+		cmd    command.Command
+		args   *args.Args
+		proofs []cid.Cid
+		opts   []invocation.Option
+		err    error
+	}{
+		// Passes
+		{
+			name:   "passes - only root",
+			issuer: didtest.PersonaBob,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBob,
+			err:    nil,
+		},
+		{
+			name:   "passes - valid chain",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank,
+			err:    nil,
+		},
+		{
+			name:   "passes - proof chain attenuates command",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.AttenuatedCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_ValidAttenuatedCommand,
+			err:    nil,
+		},
+		{
+			name:   "passes - invocation attenuates command",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.AttenuatedCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank,
+			err:    nil,
+		},
+		{
+			name:   "passes - arguments satisfy empty policy",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   policytest.SpecValidArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank,
+			err:    nil,
+		},
+		{
+			name:   "passes - arguments satisfy example policy",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   policytest.SpecValidArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy,
+			err:    nil,
+		},
+		{
+			name:   "passes - self-signed invocation doesn't require proof",
+			issuer: didtest.PersonaAlice,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: nil,
+			err:    nil,
+		},
+		{
+			name:   "passes - self-signed invocation accepts a delegation to itself",
+			issuer: didtest.PersonaAlice,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{delegationtest.TokenAliceAliceCID},
+			err:    nil,
+		},
 
-	t.Run("passes - only root", func(t *testing.T) {
+		// Fails
-		t.Parallel()
+		{
+			name:   "fails - no proof",
+			issuer: didtest.PersonaCarol,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofEmpty,
+			err:    invocation.ErrNoProof,
+		},
+		{
+			name:   "fails - missing referenced delegation",
+			issuer: didtest.PersonaCarol,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{cid.MustParse(missingTknCIDStr), delegationtest.TokenAliceBobCID},
+			err:    invocation.ErrMissingDelegation,
+		},
+		{
+			name:   "fails - referenced delegation expired",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_InvalidExpired,
+			err:    invocation.ErrTokenInvalidNow,
+		},
+		{
+			name:   "fails - referenced delegation inactive",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_InvalidInactive,
+			err:    invocation.ErrTokenInvalidNow,
+		},
+		{
+			name:   "fails - last (or only) delegation not root",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{delegationtest.TokenErinFrankCID, delegationtest.TokenDanErinCID, delegationtest.TokenCarolDanCID},
+			err:    invocation.ErrLastNotRoot,
+		},
+		{
+			name:   "fails - broken chain",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{delegationtest.TokenCarolDanCID, delegationtest.TokenAliceBobCID},
+			err:    invocation.ErrBrokenChain,
+		},
+		{
+			name:   "fails - first not issued to invoker",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{delegationtest.TokenBobCarolCID, delegationtest.TokenAliceBobCID},
+			err:    invocation.ErrBrokenChain,
+		},
+		{
+			name:   "fails - proof chain expands command",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_InvalidExpandedCommand,
+			err:    invocation.ErrCommandNotCovered,
+		},
+		{
+			name:   "fails - invocation expands command",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.ExpandedCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank,
+			err:    invocation.ErrCommandNotCovered,
+		},
+		{
+			name:   "fails - inconsistent subject",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.ExpandedCommand,
+			args:   emptyArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_InvalidSubject,
+			err:    invocation.ErrWrongSub,
+		},
+		{
+			name:   "fails - arguments don't satisfy example policy",
+			issuer: didtest.PersonaFrank,
+			cmd:    delegationtest.NominalCommand,
+			args:   policytest.SpecInvalidArguments,
+			proofs: delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy,
+			err:    invocation.ErrPolicyNotSatisfied,
+		},
+		{
+			name:   "fails - self-signed invocation refuses a delegation to itself for a different DID",
+			issuer: didtest.PersonaAlice,
+			cmd:    delegationtest.NominalCommand,
+			args:   emptyArguments,
+			proofs: []cid.Cid{delegationtest.TokenBobBobCID},
+			err:    invocation.ErrWrongSub,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.opts = append(tc.opts, invocation.WithArguments(tc.args))
 
-		testPasses(t, didtest.PersonaBob, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofAliceBob)
+			tkn, err := invocation.New(tc.issuer.DID(), tc.cmd, didtest.PersonaAlice.DID(), tc.proofs, tc.opts...)
-	})
+			require.NoError(t, err)
 
-	t.Run("passes - valid chain", func(t *testing.T) {
+			t.Log(tkn.String())
-		t.Parallel()
 
-		testPasses(t, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
+			err = tkn.ExecutionAllowed(delegationtest.GetDelegationLoader())
-	})
 
-	t.Run("passes - proof chain attenuates command", func(t *testing.T) {
+			if tc.err != nil {
-		t.Parallel()
+				require.ErrorIs(t, err, tc.err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
 
-		testPasses(t, didtest.PersonaFrank, delegationtest.AttenuatedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_ValidAttenuatedCommand)
+const (
-	})
+	nonce      = "6roDhGi0kiNriQAz7J3d+bOeoI/tj8ENikmQNbtjnD0"
+	subjectCmd = "/foo/bar"
+)
 
-	t.Run("passes - invocation attenuates command", func(t *testing.T) {
+func TestConstructors(t *testing.T) {
-		t.Parallel()
+	cmd, err := command.Parse(subjectCmd)
+	require.NoError(t, err)
 
-		testPasses(t, didtest.PersonaFrank, delegationtest.AttenuatedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
+	iat, err := time.Parse(time.RFC3339, "2100-01-01T00:00:00Z")
-	})
+	require.NoError(t, err)
 
-	t.Run("passes - arguments satisfy empty policy", func(t *testing.T) {
+	exp, err := time.Parse(time.RFC3339, "2200-01-01T00:00:00Z")
-		t.Parallel()
+	require.NoError(t, err)
 
-		testPasses(t, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.SpecValidArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
+	t.Run("New", func(t *testing.T) {
-	})
+		tkn, err := invocation.New(
-
+			didtest.PersonaAlice.DID(), cmd, didtest.PersonaBob.DID(),
-	t.Run("passes - arguments satify example policy", func(t *testing.T) {
+			delegationtest.ProofAliceBob,
-		t.Parallel()
+			invocation.WithNonce([]byte(nonce)),
-
+			invocation.WithIssuedAt(iat),
-		testPasses(t, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.SpecValidArguments, delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy)
+			invocation.WithExpiration(exp),
-	})
+			invocation.WithArgument("foo", "bar"),
-
+			invocation.WithMeta("baz", 123),
-	t.Run("fails - no proof", func(t *testing.T) {
+		)
-		t.Parallel()
-
-		testFails(t, invocation.ErrNoProof, didtest.PersonaCarol, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofEmpty)
-	})
-
-	t.Run("fails - missing referenced delegation", func(t *testing.T) {
-		t.Parallel()
-
-		missingTknCID, err := cid.Parse(missingTknCIDStr)
 		require.NoError(t, err)
 
-		prf := []cid.Cid{missingTknCID, delegationtest.TokenAliceBobCID}
+		require.False(t, tkn.IsSelfSigned())
-		testFails(t, invocation.ErrMissingDelegation, didtest.PersonaCarol, delegationtest.NominalCommand, emptyArguments, prf)
+
+		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
+		require.NoError(t, err)
+
+		require.JSONEq(t, string(newDagJson), string(data))
 	})
 
-	t.Run("fails - referenced delegation expired", func(t *testing.T) {
+	t.Run("Self-Signed", func(t *testing.T) {
-		t.Parallel()
+		tkn, err := invocation.NewSelfSigned(
+			didtest.PersonaAlice.DID(), cmd,
+			invocation.WithNonce([]byte(nonce)),
+			invocation.WithIssuedAt(iat),
+			invocation.WithExpiration(exp),
+			invocation.WithArgument("foo", "bar"),
+			invocation.WithMeta("baz", 123),
+		)
+		require.NoError(t, err)
 
-		testFails(t, invocation.ErrTokenInvalidNow, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_InvalidExpired)
+		require.True(t, tkn.IsSelfSigned())
 
+		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
+		require.NoError(t, err)
+
+		require.JSONEq(t, string(selfsignedDagJson), string(data))
 	})
-
-	t.Run("fails - referenced delegation inactive", func(t *testing.T) {
-		t.Parallel()
-
-		testFails(t, invocation.ErrTokenInvalidNow, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_InvalidInactive)
-	})
-
-	t.Run("fails - last (or only) delegation not root", func(t *testing.T) {
-		t.Parallel()
-
-		prf := []cid.Cid{delegationtest.TokenErinFrankCID, delegationtest.TokenDanErinCID, delegationtest.TokenCarolDanCID}
-		testFails(t, invocation.ErrLastNotRoot, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, prf)
-	})
-
-	t.Run("fails - broken chain", func(t *testing.T) {
-		t.Parallel()
-
-		prf := []cid.Cid{delegationtest.TokenCarolDanCID, delegationtest.TokenAliceBobCID}
-		testFails(t, invocation.ErrBrokenChain, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, prf)
-	})
-
-	t.Run("fails - first not issued to invoker", func(t *testing.T) {
-		t.Parallel()
-
-		prf := []cid.Cid{delegationtest.TokenBobCarolCID, delegationtest.TokenAliceBobCID}
-		testFails(t, invocation.ErrBrokenChain, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, prf)
-	})
-
-	t.Run("fails - proof chain expands command", func(t *testing.T) {
-		t.Parallel()
-
-		testFails(t, invocation.ErrCommandNotCovered, didtest.PersonaFrank, delegationtest.NominalCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_InvalidExpandedCommand)
-	})
-
-	t.Run("fails - invocation expands command", func(t *testing.T) {
-		t.Parallel()
-
-		testFails(t, invocation.ErrCommandNotCovered, didtest.PersonaFrank, delegationtest.ExpandedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank)
-	})
-
-	t.Run("fails - inconsistent subject", func(t *testing.T) {
-		t.Parallel()
-
-		testFails(t, invocation.ErrWrongSub, didtest.PersonaFrank, delegationtest.ExpandedCommand, emptyArguments, delegationtest.ProofAliceBobCarolDanErinFrank_InvalidSubject)
-	})
-
-	t.Run("passes - arguments satisfy example policy", func(t *testing.T) {
-		t.Parallel()
-
-		testFails(t, invocation.ErrPolicyNotSatisfied, didtest.PersonaFrank, delegationtest.NominalCommand, policytest.SpecInvalidArguments, delegationtest.ProofAliceBobCarolDanErinFrank_ValidExamplePolicy)
-	})
-
-}
-
-func test(t *testing.T, persona didtest.Persona, cmd command.Command, args *args.Args, prf []cid.Cid, opts ...invocation.Option) error {
-	t.Helper()
-
-	opts = append(opts, invocation.WithArguments(args))
-
-	tkn, err := invocation.New(persona.DID(), cmd, didtest.PersonaAlice.DID(), prf, opts...)
-	require.NoError(t, err)
-
-	return tkn.ExecutionAllowed(delegationtest.GetDelegationLoader())
-}
-
-func testFails(t *testing.T, expErr error, persona didtest.Persona, cmd command.Command, args *args.Args, prf []cid.Cid, opts ...invocation.Option) {
-	err := test(t, persona, cmd, args, prf, opts...)
-	require.ErrorIs(t, err, expErr)
-}
-
-func testPasses(t *testing.T, persona didtest.Persona, cmd command.Command, args *args.Args, prf []cid.Cid, opts ...invocation.Option) {
-	err := test(t, persona, cmd, args, prf, opts...)
-	require.NoError(t, err)
 }

token/invocation/ipld.go

@@ -3,8 +3,8 @@ package invocation
 import (
 	"io"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec"
@@ -12,7 +12,7 @@ import (
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // ToSealed wraps the invocation token in an envelope, generates the

token/invocation/ipld_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 func TestSealUnsealRoundtrip(t *testing.T) {

token/invocation/options.go

@@ -3,10 +3,10 @@ package invocation
 import (
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
 )
 
 // Option is a type that allows optional fields to be set during the

token/invocation/proof.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"time"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 // # Invocation token validation
@@ -18,11 +18,11 @@ import (
 //  1. When a token is read/unsealed from its containing envelope (`envelope` package):
 //     a. The envelope can be decoded.
 //     b. The envelope contains a Signature, VarsigHeader and Payload.
-//     c. The Payload contains an iss field that contains a valid `did:key`.
+//     c. The Payload contains an iss field that contains a valid DID.
-//     d. The public key can be extracted from the `did:key`.
+//     d. One or more public keys can be derived from the DID.
-//     e. The public key type is supported by go-ucan.
+//     e. One or more public keys are supported by go-ucan.
 //     f. The Signature can be decoded per the VarsigHeader.
-//     g. The SigPayload can be verified using the Signature and public key.
+//     g. The SigPayload can be verified using the Signature and one public key.
 //     h. The field key of the TokenPayload matches the expected tag.
 //
 //  2. When the token is created or passes step one (token constructor or decoder):
@@ -35,7 +35,7 @@ import (
 //     c. All the delegation must be active (nbf in the past or absent).
 //
 //  4. When the proof chain is being validated (verifyProofs below):
-//     a. There must be at least one delegation in the proof chain.
+//     a. Self-signed invocations (issuer == subject) are allowed and don't require further proof. Otherwise, proof is required.
 //     b. All referenced delegations must be available.
 //     c. The first proof must be issued to the Invoker (audience DID).
 //     d. The Issuer of each delegation must be the Audience in the next one.
@@ -51,8 +51,11 @@ import (
 // - principal alignment
 // - command alignment
 func (t *Token) verifyProofs(delegations []*delegation.Token) error {
-	// There must be at least one delegation referenced - 4a
+	// Self-signed invocations (issuer == subject) are allowed and don't require further proof. Otherwise, proof is required. - 4a
-	if len(delegations) < 1 {
+	if len(delegations) == 0 && t.issuer.Equal(t.subject) {
+		return nil
+	}
+	if len(delegations) == 0 {
 		return ErrNoProof
 	}
 

token/invocation/schema.go

@@ -10,9 +10,9 @@ import (
 	"github.com/ipld/go-ipld-prime/node/bindnode"
 	"github.com/ipld/go-ipld-prime/schema"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // [Tag] is the string used as a key within the SigPayload that identifies

token/invocation/schema_test.go

@@ -2,21 +2,25 @@ package invocation_test
 
 import (
 	"bytes"
+	_ "embed"
 	"encoding/base64"
 	"testing"
 
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
+//go:embed testdata/full_example.dagjson
+var fullExampleDagJson []byte
+
 const (
 	issuerPrivKeyCfg = "BeAgktAj8irGgWjp4PGk/fV67e5CcML/KRmmHSldco3etP5lRiuYQ+VVO/39ol3XXruJC8deSuBxoEXzgdYpYw=="
-	newCID           = "zdpuB1NjhETofEUp5iYzoHjSc2KKgZvSoT6FBaLMoVzzsxiR1"
+	fullExampleCID   = "zdpuB1NjhETofEUp5iYzoHjSc2KKgZvSoT6FBaLMoVzzsxiR1"
 )
 
 func TestSchemaRoundTrip(t *testing.T) {
@@ -30,12 +34,12 @@ func TestSchemaRoundTrip(t *testing.T) {
 		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
 		// function:      DecodeDagJson()           Seal()        Unseal()          EncodeDagJson()
 
-		p1, err := invocation.FromDagJson(newDagJson)
+		p1, err := invocation.FromDagJson(fullExampleDagJson)
 		require.NoError(t, err)
 
 		cborBytes, id, err := p1.ToSealed(privKey)
 		require.NoError(t, err)
-		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+		assert.Equal(t, fullExampleCID, envelope.CIDToBase58BTC(id))
 
 		p2, c2, err := invocation.FromSealed(cborBytes)
 		require.NoError(t, err)
@@ -44,13 +48,13 @@ func TestSchemaRoundTrip(t *testing.T) {
 		readJson, err := p2.ToDagJson(privKey)
 		require.NoError(t, err)
 
-		assert.JSONEq(t, string(newDagJson), string(readJson))
+		assert.JSONEq(t, string(fullExampleDagJson), string(readJson))
 	})
 
 	t.Run("via streaming", func(t *testing.T) {
 		t.Parallel()
 
-		buf := bytes.NewBuffer(newDagJson)
+		buf := bytes.NewBuffer(fullExampleDagJson)
 
 		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
 		// function:      DecodeDagJson()           Seal()         Unseal()         EncodeDagJson()
@@ -61,7 +65,7 @@ func TestSchemaRoundTrip(t *testing.T) {
 		cborBytes := &bytes.Buffer{}
 		id, err := p1.ToSealedWriter(cborBytes, privKey)
 		require.NoError(t, err)
-		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+		assert.Equal(t, fullExampleCID, envelope.CIDToBase58BTC(id))
 
 		p2, c2, err := invocation.FromSealedReader(cborBytes)
 		require.NoError(t, err)
@@ -70,7 +74,7 @@ func TestSchemaRoundTrip(t *testing.T) {
 		readJson := &bytes.Buffer{}
 		require.NoError(t, p2.ToDagJsonWriter(readJson, privKey))
 
-		assert.JSONEq(t, string(newDagJson), readJson.String())
+		assert.JSONEq(t, string(fullExampleDagJson), readJson.String())
 	})
 }
 

token/invocation/testdata/full_example.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"tRKNRahqwdyR6OpytuGIdcYI7HxXvKI5I594zznCLbN2C6WP5f8FIfIQlo0Nnqg4xFgKjJGAbIEVqeCZdib1Dw"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/inv@1.0.0-rc.1":{"args":{"headers":{"Content-Type":"application/json"},"payload":{"body":"UCAN is great","draft":true,"title":"UCAN for Fun and Profit","topics":["authz","journal"]},"uri":"https://example.com/blog/posts"},"cmd":"/crud/create","exp":1753965668,"iss":"did:key:z6MkuScdGeTmbWubyoWWpPmX9wkwdZAshkTcLKb1bf4Cyj8N","meta":{"env":"development","tags":["blog","post","pr#123"]},"nonce":{"/":{"bytes":"BBR5znl7VpRof4ac"}},"prf":[{"/":"bafyreigx3qxd2cndpe66j2mdssj773ecv7tqd7wovcnz5raguw6lj7sjoe"},{"/":"bafyreib34ira254zdqgehz6f2bhwme2ja2re3ltcalejv4x4tkcveujvpa"},{"/":"bafyreibkb66tpo2ixqx3fe5hmekkbuasrod6olt5bwm5u5pi726mduuwlq"}],"sub":"did:key:z6MkuQU8kqxCAUeurotHyrnMgkMUBtJN8ozYxkwctnop4zzB"}}]

token/invocation/testdata/new.dagjson

@@ -1 +1 @@
-[{"/":{"bytes":"tRKNRahqwdyR6OpytuGIdcYI7HxXvKI5I594zznCLbN2C6WP5f8FIfIQlo0Nnqg4xFgKjJGAbIEVqeCZdib1Dw"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/inv@1.0.0-rc.1":{"args":{"headers":{"Content-Type":"application/json"},"payload":{"body":"UCAN is great","draft":true,"title":"UCAN for Fun and Profit","topics":["authz","journal"]},"uri":"https://example.com/blog/posts"},"cmd":"/crud/create","exp":1753965668,"iss":"did:key:z6MkuScdGeTmbWubyoWWpPmX9wkwdZAshkTcLKb1bf4Cyj8N","meta":{"env":"development","tags":["blog","post","pr#123"]},"nonce":{"/":{"bytes":"BBR5znl7VpRof4ac"}},"prf":[{"/":"bafyreigx3qxd2cndpe66j2mdssj773ecv7tqd7wovcnz5raguw6lj7sjoe"},{"/":"bafyreib34ira254zdqgehz6f2bhwme2ja2re3ltcalejv4x4tkcveujvpa"},{"/":"bafyreibkb66tpo2ixqx3fe5hmekkbuasrod6olt5bwm5u5pi726mduuwlq"}],"sub":"did:key:z6MkuQU8kqxCAUeurotHyrnMgkMUBtJN8ozYxkwctnop4zzB"}}]
+[{"/":{"bytes":"8BxXBbXtPVoqn/z804w2w2gZH9m6kT55ivv7u2kxqptAfDcFzlRWBu3YKE9ijfIezpa79Btq5ja0PpqwjfSLAw"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/inv@1.0.0-rc.1":{"args":{"foo":"bar"},"cmd":"/foo/bar","exp":7258118400,"iat":4102444800,"iss":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC","meta":{"baz":123},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"prf":[{"/":"bafyreifa35rjstdm37cjudzs72ab22rnh5blny725khtapox63fnsj6pbe"}],"sub":"did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1"}}]

token/invocation/testdata/selfsigned.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"ejXoQIdp3OGXewEkfQF4Z4Vd8c3H0XF319dsNh5DEP/2l9Nt9H1IhMpks1+HXoYFOKN3QmtxpPMoYmf/rhKaAQ"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/inv@1.0.0-rc.1":{"args":{"foo":"bar"},"cmd":"/foo/bar","exp":7258118400,"iat":4102444800,"iss":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC","meta":{"baz":123},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"prf":[],"sub":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC"}}]

token/read.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"io"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec"
@@ -12,9 +12,9 @@ import (
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/internal/envelope"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 // FromSealed decodes an arbitrary token type from the binary data,

toolkit/_example/_protocol-issuer/request-resolver.go

@@ -4,10 +4,10 @@ import (
 	"encoding/json"
 	"net/http"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/toolkit/issuer"
+	"github.com/ucan-wg/go-ucan/toolkit/issuer"
 )
 
 func RequestResolver(r *http.Request) (*issuer.ResolvedRequest, error) {

toolkit/_example/_protocol-issuer/requester.go

@@ -8,13 +8,13 @@ import (
 	"log"
 	"net/http"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 
-	"code.sonr.org/go/ucan/toolkit/client"
+	"github.com/ucan-wg/go-ucan/toolkit/client"
-	"code.sonr.org/go/ucan/toolkit/issuer"
+	"github.com/ucan-wg/go-ucan/toolkit/issuer"
 )
 
 var _ client.DelegationRequester = &Requester{}

toolkit/_example/alice-client-issuer/alice.go

@@ -13,20 +13,20 @@ import (
 	"syscall"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 
-	example "code.sonr.org/go/ucan/toolkit/_example"
+	example "github.com/ucan-wg/go-ucan/toolkit/_example"
-	protocol "code.sonr.org/go/ucan/toolkit/_example/_protocol-issuer"
+	protocol "github.com/ucan-wg/go-ucan/toolkit/_example/_protocol-issuer"
-	"code.sonr.org/go/ucan/toolkit/client"
+	"github.com/ucan-wg/go-ucan/toolkit/client"
-	"code.sonr.org/go/ucan/toolkit/issuer"
+	"github.com/ucan-wg/go-ucan/toolkit/issuer"
-	"code.sonr.org/go/ucan/toolkit/server/bearer"
+	"github.com/ucan-wg/go-ucan/toolkit/server/bearer"
 )
 
 func main() {

toolkit/_example/bob-client/bob.go

@@ -12,17 +12,17 @@ import (
 	"syscall"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	didkeyctl "github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
 
-	example "code.sonr.org/go/ucan/toolkit/_example"
+	example "github.com/ucan-wg/go-ucan/toolkit/_example"
-	protocol "code.sonr.org/go/ucan/toolkit/_example/_protocol-issuer"
+	protocol "github.com/ucan-wg/go-ucan/toolkit/_example/_protocol-issuer"
-	"code.sonr.org/go/ucan/toolkit/client"
+	"github.com/ucan-wg/go-ucan/toolkit/client"
-	"code.sonr.org/go/ucan/toolkit/server/bearer"
+	"github.com/ucan-wg/go-ucan/toolkit/server/bearer"
 )
 
 func main() {

toolkit/_example/service-issuer/issuer.go

@@ -11,17 +11,17 @@ import (
 	"syscall"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 
-	example "code.sonr.org/go/ucan/toolkit/_example"
+	example "github.com/ucan-wg/go-ucan/toolkit/_example"
-	protocol "code.sonr.org/go/ucan/toolkit/_example/_protocol-issuer"
+	protocol "github.com/ucan-wg/go-ucan/toolkit/_example/_protocol-issuer"
-	"code.sonr.org/go/ucan/toolkit/issuer"
+	"github.com/ucan-wg/go-ucan/toolkit/issuer"
 )
 
 func main() {

toolkit/_example/service/service.go

@@ -9,10 +9,10 @@ import (
 	"os/signal"
 	"syscall"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	example "code.sonr.org/go/ucan/toolkit/_example"
+	example "github.com/ucan-wg/go-ucan/toolkit/_example"
-	"code.sonr.org/go/ucan/toolkit/server/exectx"
+	"github.com/ucan-wg/go-ucan/toolkit/server/exectx"
 )
 
 func main() {

toolkit/_example/shared_values.go

@@ -3,10 +3,10 @@ package example
 import (
 	"encoding/base64"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	didkeyctl "github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
-	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/MetaMask/go-did-it/crypto/ed25519"
 )
 
 // Endpoints

toolkit/client/client.go

@@ -5,15 +5,15 @@ import (
 	"fmt"
 	"iter"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 type Client struct {

toolkit/client/client_test.go

@@ -6,13 +6,13 @@ import (
 	"iter"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 func ExampleNewClient() {

toolkit/client/clientissuer.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"iter"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 // DlgIssuingLogic is a function that decides what powers are given to a client.

toolkit/client/pool.go

@@ -6,11 +6,11 @@ import (
 	"sync"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 type Pool struct {

toolkit/client/proof.go

@@ -4,11 +4,11 @@ import (
 	"iter"
 	"math"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/ipfs/go-cid"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 // FindProof find in the pool the best (shortest, smallest in bytes) chain of delegation(s) matching the given invocation parameters.
@@ -21,8 +21,7 @@ import (
 // Note: the returned delegation(s) don't have to match exactly the parameters, as long as they allow them.
 // Note: the implemented algorithm won't perform well with a large number of delegations.
 func FindProof(dlgs func() iter.Seq[*delegation.Bundle], issuer did.DID, cmd command.Command, subject did.DID) []cid.Cid {
-	// TODO: maybe that should be part of delegation.Token directly?
+	continuePath := func(dlg *delegation.Token, issuer did.DID, cmd command.Command, subject did.DID) bool {
-	dlgMatch := func(dlg *delegation.Token, issuer did.DID, cmd command.Command, subject did.DID) bool {
 		// The Subject of each delegation must equal the invocation's Subject (or Audience if defined). - 4f
 		if !dlg.Subject().Equal(subject) {
 			return false
@@ -47,7 +46,7 @@ func FindProof(dlgs func() iter.Seq[*delegation.Bundle], issuer did.DID, cmd com
 	var candidateLeaf []*delegation.Bundle
 
 	for bundle := range dlgs() {
-		if !dlgMatch(bundle.Decoded, issuer, cmd, subject) {
+		if !continuePath(bundle.Decoded, issuer, cmd, subject) {
 			continue
 		}
 		candidateLeaf = append(candidateLeaf, bundle)
@@ -83,7 +82,12 @@ func FindProof(dlgs func() iter.Seq[*delegation.Bundle], issuer did.DID, cmd com
 
 			// find parent delegation for our current delegation
 			for candidate := range dlgs() {
-				if !dlgMatch(candidate.Decoded, at.Decoded.Issuer(), at.Decoded.Command(), subject) {
+				// Prune the delegations that don't match the current proof.
+				if !continuePath(candidate.Decoded, at.Decoded.Issuer(), at.Decoded.Command(), subject) {
+					continue
+				}
+				// Prune the self-delegations as they can't get us closer to what we are looking for.
+				if candidate.Decoded.Issuer().Equal(candidate.Decoded.Audience()) {
 					continue
 				}
 

toolkit/client/proof_test.go

@@ -4,12 +4,14 @@ import (
 	"iter"
 	"testing"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it"
+	"github.com/MetaMask/go-did-it/didtest"
+	"github.com/ipfs/go-cid"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+	"github.com/ucan-wg/go-ucan/token/delegation/delegationtest"
 )
 
 func TestFindProof(t *testing.T) {
@@ -23,17 +25,76 @@ func TestFindProof(t *testing.T) {
 		}
 	}
 
-	require.Equal(t, delegationtest.ProofAliceBob,
+	for _, tc := range []struct {
-		FindProof(dlgs, didtest.PersonaBob.DID(), delegationtest.NominalCommand, didtest.PersonaAlice.DID()))
+		name     string
-	require.Equal(t, delegationtest.ProofAliceBobCarol,
+		issuer   did.DID
-		FindProof(dlgs, didtest.PersonaCarol.DID(), delegationtest.NominalCommand, didtest.PersonaAlice.DID()))
+		command  command.Command
-	require.Equal(t, delegationtest.ProofAliceBobCarolDan,
+		subject  did.DID
-		FindProof(dlgs, didtest.PersonaDan.DID(), delegationtest.NominalCommand, didtest.PersonaAlice.DID()))
+		expected []cid.Cid
-	require.Equal(t, delegationtest.ProofAliceBobCarolDanErin,
+	}{
-		FindProof(dlgs, didtest.PersonaErin.DID(), delegationtest.NominalCommand, didtest.PersonaAlice.DID()))
+		// Passes
-	require.Equal(t, delegationtest.ProofAliceBobCarolDanErinFrank,
+		{
-		FindProof(dlgs, didtest.PersonaFrank.DID(), delegationtest.NominalCommand, didtest.PersonaAlice.DID()))
+			name:     "Alice --> Alice (self-delegation)",
+			issuer:   didtest.PersonaAlice.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: []cid.Cid{delegationtest.TokenAliceAliceCID},
+		},
+		{
+			name:     "Alice --> Bob",
+			issuer:   didtest.PersonaBob.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: delegationtest.ProofAliceBob,
+		},
+		{
+			name:     "Alice --> Bob --> Carol",
+			issuer:   didtest.PersonaCarol.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: delegationtest.ProofAliceBobCarol,
+		},
+		{
+			name:     "Alice --> Bob --> Carol --> Dan",
+			issuer:   didtest.PersonaDan.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: delegationtest.ProofAliceBobCarolDan,
+		},
+		{
+			name:     "Alice --> Bob --> Carol --> Dan --> Erin",
+			issuer:   didtest.PersonaErin.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: delegationtest.ProofAliceBobCarolDanErin,
+		},
+		{
+			name:     "Alice --> Bob --> Carol --> Dan --> Erin --> Frank",
+			issuer:   didtest.PersonaFrank.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaAlice.DID(),
+			expected: delegationtest.ProofAliceBobCarolDanErinFrank,
+		},
 
-	// wrong command
+		// Fails
-	require.Empty(t, FindProof(dlgs, didtest.PersonaBob.DID(), command.New("foo"), didtest.PersonaAlice.DID()))
+		{
+			name:     "wrong command",
+			issuer:   didtest.PersonaBob.DID(),
+			command:  command.New("foo"),
+			subject:  didtest.PersonaAlice.DID(),
+			expected: nil,
+		},
+		{
+			name:     "wrong subject",
+			issuer:   didtest.PersonaBob.DID(),
+			command:  delegationtest.NominalCommand,
+			subject:  didtest.PersonaDan.DID(),
+			expected: nil,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			res := FindProof(dlgs, tc.issuer, tc.command, tc.subject)
+			require.Equal(t, tc.expected, res)
+		})
+	}
 }

toolkit/client/requester.go

@@ -5,11 +5,11 @@ import (
 	"iter"
 	"time"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 	"github.com/avast/retry-go/v4"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 type DelegationRequester interface {

toolkit/issuer/http_wrapper.go

@@ -6,12 +6,12 @@ import (
 	"iter"
 	"net/http"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/toolkit/client"
+	"github.com/ucan-wg/go-ucan/toolkit/client"
 )
 
 type RequestResolver func(r *http.Request) (*ResolvedRequest, error)

toolkit/issuer/root_issuer.go

@@ -5,13 +5,13 @@ import (
 	"fmt"
 	"iter"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
-	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	didkeyctl "github.com/MetaMask/go-did-it/controller/did-key"
-	"code.sonr.org/go/did-it/crypto"
+	"github.com/MetaMask/go-did-it/crypto"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/toolkit/client"
+	"github.com/ucan-wg/go-ucan/toolkit/client"
 )
 
 // RootIssuingLogic is a function that decides what powers are given to a client.

toolkit/server/bearer/bearer.go

@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"strings"
 
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
 )
 
 var ErrNoUcan = fmt.Errorf("no ucan")

toolkit/server/bearer/bearer_test.go

@@ -4,11 +4,11 @@ import (
 	"net/http"
 	"testing"
 
-	_ "code.sonr.org/go/did-it/verifiers/did-key"
+	_ "github.com/MetaMask/go-did-it/verifiers/did-key"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/pkg/container/containertest"
+	"github.com/ucan-wg/go-ucan/pkg/container/containertest"
 )
 
 func TestHTTPBearer(t *testing.T) {

toolkit/server/exectx/middlewares.go

@@ -4,9 +4,9 @@ import (
 	"errors"
 	"net/http"
 
-	"code.sonr.org/go/did-it"
+	"github.com/MetaMask/go-did-it"
 
-	"code.sonr.org/go/ucan/toolkit/server/bearer"
+	"github.com/ucan-wg/go-ucan/toolkit/server/bearer"
 )
 
 // ExtractMW returns an HTTP middleware tasked with:

toolkit/server/exectx/middlewares_test.go

@@ -6,13 +6,13 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipfs/go-cid"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 func TestExtractMW(t *testing.T) {

toolkit/server/exectx/ucanctx.go

@@ -9,14 +9,14 @@ import (
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
-	"code.sonr.org/go/ucan/toolkit/server/extargs"
+	"github.com/ucan-wg/go-ucan/toolkit/server/extargs"
 )
 
 var _ delegation.Loader = &UcanCtx{}

toolkit/server/exectx/ucanctx_test.go

@@ -8,19 +8,19 @@ import (
 	"testing"
 	"time"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime/datamodel"
 	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/container"
+	"github.com/ucan-wg/go-ucan/pkg/container"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/delegation"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
-	"code.sonr.org/go/ucan/toolkit/server/exectx"
+	"github.com/ucan-wg/go-ucan/toolkit/server/exectx"
 )
 
 const (

toolkit/server/extargs/custom.go

@@ -9,8 +9,8 @@ import (
 	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
 )
 
 type CustomExtArgs struct {

toolkit/server/extargs/custom_test.go

@@ -8,8 +8,8 @@ import (
 	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
 )
 
 func ExampleCustomExtArgs() {

toolkit/server/extargs/http.go

@@ -14,9 +14,9 @@ import (
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/multiformats/go-multihash"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 // HttpArgsKey is the key in the args, used for:

toolkit/server/extargs/http_test.go

@@ -5,15 +5,15 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"code.sonr.org/go/did-it/didtest"
+	"github.com/MetaMask/go-did-it/didtest"
 	"github.com/multiformats/go-multihash"
 	"github.com/stretchr/testify/require"
 
-	"code.sonr.org/go/ucan/pkg/args"
+	"github.com/ucan-wg/go-ucan/pkg/args"
-	"code.sonr.org/go/ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/command"
-	"code.sonr.org/go/ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
-	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
-	"code.sonr.org/go/ucan/token/invocation"
+	"github.com/ucan-wg/go-ucan/token/invocation"
 )
 
 func TestHttp(t *testing.T) {