build(config): bump go-varint dependency to v0.1.0

fix: sort tokens

.github/Repo.toml

@@ -0,0 +1,20 @@
+[scopes]
+ci = [".github/workflows"]
+config = [".github", "go.mod", "go.sum"]
+docs = ["Readme.md", "LICENSE.md"]
+assets = ["assets"]
+pkg = ["pkg"]
+args = ["pkg/args"]
+command = ["pkg/command"]
+container = ["pkg/container"]
+meta = ["pkg/meta"]
+policy = ["pkg/policy"]
+secretbox = ["pkg/secretbox"]
+token = ["token"]
+delegation = ["token/delegation"]
+invocation = ["token/invocation"]
+toolkit = ["toolkit"]
+examples = ["toolkit/_example"]
+client = ["toolkit/client"]
+issuer = ["toolkit/issuer"]
+server = ["toolkit/server"]

.github/workflows/bench.yml

@@ -2,7 +2,7 @@ name: go continuous benchmark
 on:
   push:
     branches:
-      - v1
+      - main
 
 permissions:
   contents: write
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: "stable"
       - name: Run benchmark

.github/workflows/gotest.yml

@@ -7,14 +7,14 @@ jobs:
       fail-fast: false
       matrix:
         os: [ "ubuntu" ]
-        go: [ "1.21.x", "1.22.x", "1.23.x", ]
+        go: [ "1.22.x", "1.23.x", ]
     env:
       COVERAGES: ""
     runs-on: ${{ matrix.os }}-latest
     name: ${{ matrix.os}} (go ${{ matrix.go }})
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
       - name: Go information
@@ -22,6 +22,6 @@ jobs:
           go version
           go env
       - name: Run tests
-        run: go test -v ./...
+        run: go test -v ./... -tags jwx_es256k
       - name: Check formatted
         run: gofmt -l .

LICENSE.md

@@ -29,7 +29,7 @@ Verbatim copies of both licenses are included below:
 ```
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 

Readme.md

@@ -0,0 +1,76 @@
+<div align="center">
+  <a href="https://code.sonr.org/go/ucan" target="_blank">
+    <img src="https://raw.githubusercontent.com/ucan-wg/go-ucan/v1/assets/logo.png" alt="go-ucan Logo" height="250"></img>
+  </a>
+
+  <h1 align="center">go-ucan</h1>
+
+  <p>
+    <img src="https://img.shields.io/badge/UCAN-v1.0.0--rc.1-blue" alt="UCAN v1.0.0-rc.1">
+    <a href="https://code.sonr.org/go/ucan/tags">
+        <img alt="GitHub Tag" src="https://img.shields.io/github/v/tag/ucan-wg/go-ucan">
+    </a>
+    <a href="https://code.sonr.org/go/ucan/actions?query=">
+      <img src="https://code.sonr.org/go/ucan/actions/workflows/gotest.yml/badge.svg" alt="Build Status">
+    </a>
+    <a href="https://ucan-wg.github.io/go-ucan/dev/bench/">
+        <img alt="Go benchmarks" src="https://img.shields.io/badge/Benchmarks-go-blue">
+    </a>
+    <a href="https://code.sonr.org/go/ucan/blob/v1/LICENSE.md">
+        <img alt="Apache 2.0 OR MIT License" src="https://img.shields.io/badge/License-Apache--2.0_OR_MIT-green">
+    </a>
+    <a href="https://pkg.go.dev/code.sonr.org/go/ucan">
+      <img src="https://img.shields.io/badge/Docs-godoc-blue" alt="Docs">
+    </a>
+    <a href="https://discord.gg/JSyFG6XgVM">
+      <img src="https://img.shields.io/static/v1?label=Discord&message=join%20us!&color=mediumslateblue" alt="Discord">
+    </a>
+  </p>
+</div>
+
+This is a go library to help the next generation of web and decentralized applications make use
+of UCANs in their authorization flows.
+
+User Controlled Authorization Networks (UCANs) are a way of doing authorization where users are fully in control. OAuth is designed for a centralized world, UCAN is the distributed user controlled version.
+
+## Resources
+
+### Specifications
+
+The UCAN specification is separated in multiple sub-spec:
+- [Main specification](https://github.com/ucan-wg/spec)
+- [Delegation](https://github.com/ucan-wg/delegation/tree/v1_ipld)
+- [Invocation](https://github.com/ucan-wg/invocation)
+- [Container](https://github.com/ucan-wg/container)
+
+Not implemented yet:
+- [Revocation](https://github.com/ucan-wg/revocation/tree/first-draft)
+- [Promise](https://github.com/ucan-wg/promise/tree/v1-rc1)
+
+### Talks
+
+- [Decentralizing Auth, and UCAN Too - Brooklyn Zelenka (2023)](https://www.youtube.com/watch?v=MuHfrqw9gQA)
+- [What's New in UCAN 1.0 - Brooklyn Zelenka (2024)](https://www.youtube.com/watch?v=-uohQzZcwF4)
+
+## Status
+
+`go-ucan` currently support the required parts of the UCAN specification: the main specification, delegation and invocation. It leverages the sibling project [`go-did-it`](https://code.sonr.org/go/did-it) for easy and extensible DID support.
+
+Besides that, `go-ucan` also includes:
+- support for encrypted values in token's metadata
+
+## Getting Help
+
+For usage questions, usecases, or issues reach out to us in our `go-ucan`
+[Discord channel](https://discord.gg/3EHEQ6M8BC).
+
+We would be happy to try to answer your question or try opening a new issue on
+Github.
+
+## UCAN Gopher
+
+Artwork by [Bruno Monts](https://www.instagram.com/bruno_monts). Thank you [Renee French](http://reneefrench.blogspot.com/) for creating the [Go Gopher](https://blog.golang.org/gopher)
+
+## License
+
+This project is licensed under the dual license [Apache 2.0 OR MIT](https://code.sonr.org/go/ucan/blob/v1/LICENSE.md).

did/crypto.go

@@ -1,48 +0,0 @@
-package did
-
-import (
-	"errors"
-
-	crypto "github.com/libp2p/go-libp2p/core/crypto"
-	"github.com/libp2p/go-libp2p/core/crypto/pb"
-	"github.com/multiformats/go-multicodec"
-	"github.com/multiformats/go-varint"
-)
-
-func FromPrivKey(privKey crypto.PrivKey) (DID, error) {
-	return FromPubKey(privKey.GetPublic())
-}
-
-func FromPubKey(pubKey crypto.PubKey) (DID, error) {
-	code, ok := map[pb.KeyType]multicodec.Code{
-		pb.KeyType_Ed25519:   multicodec.Ed25519Pub,
-		pb.KeyType_RSA:       multicodec.RsaPub,
-		pb.KeyType_Secp256k1: multicodec.Secp256k1Pub,
-		pb.KeyType_ECDSA:     multicodec.Es256,
-	}[pubKey.Type()]
-	if !ok {
-		return Undef, errors.New("Blah")
-	}
-
-	buf := varint.ToUvarint(uint64(code))
-
-	pubBytes, err := pubKey.Raw()
-	if err != nil {
-		return Undef, err
-	}
-
-	return DID{
-		str:  string(append(buf, pubBytes...)),
-		code: uint64(code),
-		key:  true,
-	}, nil
-}
-
-func ToPubKey(s string) (crypto.PubKey, error) {
-	id, err := Parse(s)
-	if err != nil {
-		return nil, err
-	}
-
-	return id.PubKey()
-}

did/crypto_test.go

@@ -1,51 +0,0 @@
-package did_test
-
-import (
-	"testing"
-
-	"github.com/libp2p/go-libp2p/core/crypto"
-	"github.com/stretchr/testify/require"
-	"github.com/ucan-wg/go-ucan/did"
-)
-
-const (
-	exampleDIDStr    = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
-	examplePubKeyStr = "Lm/M42cB3HkUiODQsXRcweM6TByfzEHGO9ND274JcOY="
-)
-
-func TestFromPubKey(t *testing.T) {
-	t.Parallel()
-
-	id, err := did.FromPubKey(examplePubKey(t))
-	require.NoError(t, err)
-	require.Equal(t, exampleDID(t), id)
-}
-
-func TestToPubKey(t *testing.T) {
-	t.Parallel()
-
-	pubKey, err := did.ToPubKey(exampleDIDStr)
-	require.NoError(t, err)
-	require.Equal(t, examplePubKey(t), pubKey)
-}
-
-func exampleDID(t *testing.T) did.DID {
-	t.Helper()
-
-	id, err := did.Parse(exampleDIDStr)
-	require.NoError(t, err)
-
-	return id
-}
-
-func examplePubKey(t *testing.T) crypto.PubKey {
-	t.Helper()
-
-	pubKeyCfg, err := crypto.ConfigDecodeKey(examplePubKeyStr)
-	require.NoError(t, err)
-
-	pubKey, err := crypto.UnmarshalEd25519PublicKey(pubKeyCfg)
-	require.NoError(t, err)
-
-	return pubKey
-}

did/did.go

@@ -1,126 +0,0 @@
-package did
-
-import (
-	"fmt"
-	"strings"
-
-	crypto "github.com/libp2p/go-libp2p/core/crypto"
-	mbase "github.com/multiformats/go-multibase"
-	"github.com/multiformats/go-multicodec"
-	varint "github.com/multiformats/go-varint"
-)
-
-const Prefix = "did:"
-const KeyPrefix = "did:key:"
-
-const DIDCore = 0x0d1d
-const Ed25519 = 0xed
-const RSA = uint64(multicodec.RsaPub)
-
-var MethodOffset = varint.UvarintSize(uint64(DIDCore))
-
-//
-// [did:key format]: https://w3c-ccg.github.io/did-method-key/
-type DID struct {
-	key  bool
-	code uint64
-	str  string
-}
-
-// Undef can be used to represent a nil or undefined DID, using DID{}
-// directly is also acceptable.
-var Undef = DID{}
-
-func (d DID) Defined() bool {
-	return d.str != ""
-}
-
-func (d DID) Bytes() []byte {
-	if !d.Defined() {
-		return nil
-	}
-	return []byte(d.str)
-}
-
-func (d DID) Code() uint64 {
-	return d.code
-}
-
-func (d DID) DID() DID {
-	return d
-}
-
-func (d DID) Key() bool {
-	return d.key
-}
-
-func (d DID) PubKey() (crypto.PubKey, error) {
-	if !d.key {
-		return nil, fmt.Errorf("unsupported did type: %s", d.String())
-	}
-
-	unmarshaler, ok := map[multicodec.Code]crypto.PubKeyUnmarshaller{
-		multicodec.Ed25519Pub:   crypto.UnmarshalEd25519PublicKey,
-		multicodec.RsaPub:       crypto.UnmarshalRsaPublicKey,
-		multicodec.Secp256k1Pub: crypto.UnmarshalSecp256k1PublicKey,
-		multicodec.Es256:        crypto.UnmarshalECDSAPublicKey,
-	}[multicodec.Code(d.code)]
-	if !ok {
-		return nil, fmt.Errorf("unsupported multicodec: %d", d.code)
-	}
-
-	return unmarshaler(d.Bytes()[varint.UvarintSize(d.code):])
-}
-
-// String formats the decentralized identity document (DID) as a string.
-func (d DID) String() string {
-	if d.key {
-		key, _ := mbase.Encode(mbase.Base58BTC, []byte(d.str))
-		return "did:key:" + key
-	}
-	return "did:" + d.str[MethodOffset:]
-}
-
-func Decode(bytes []byte) (DID, error) {
-	code, _, err := varint.FromUvarint(bytes)
-	if err != nil {
-		return Undef, err
-	}
-	if code == Ed25519 || code == RSA {
-		return DID{str: string(bytes), code: code, key: true}, nil
-	} else if code == DIDCore {
-		return DID{str: string(bytes)}, nil
-	}
-	return Undef, fmt.Errorf("unsupported DID encoding: 0x%x", code)
-}
-
-func Parse(str string) (DID, error) {
-	if !strings.HasPrefix(str, Prefix) {
-		return Undef, fmt.Errorf("must start with 'did:'")
-	}
-
-	if strings.HasPrefix(str, KeyPrefix) {
-		code, bytes, err := mbase.Decode(str[len(KeyPrefix):])
-		if err != nil {
-			return Undef, err
-		}
-		if code != mbase.Base58BTC {
-			return Undef, fmt.Errorf("not Base58BTC encoded")
-		}
-		return Decode(bytes)
-	}
-
-	buf := make([]byte, MethodOffset)
-	varint.PutUvarint(buf, DIDCore)
-	suffix, _ := strings.CutPrefix(str, Prefix)
-	buf = append(buf, suffix...)
-	return DID{str: string(buf), code: DIDCore}, nil
-}
-
-func MustParse(str string) DID {
-	did, err := Parse(str)
-	if err != nil {
-		panic(err)
-	}
-	return did
-}

did/did_test.go

@@ -1,93 +0,0 @@
-package did
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestParseDIDKey(t *testing.T) {
-	str := "did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z"
-	d, err := Parse(str)
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if d.String() != str {
-		t.Fatalf("expected %v to equal %v", d.String(), str)
-	}
-}
-
-func TestMustParseDIDKey(t *testing.T) {
-	str := "did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z"
-	require.NotPanics(t, func() {
-		d := MustParse(str)
-		require.Equal(t, str, d.String())
-	})
-	str = "did:key:z7Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z"
-	require.Panics(t, func() {
-		MustParse(str)
-	})
-}
-
-func TestDecodeDIDKey(t *testing.T) {
-	str := "did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z"
-	d0, err := Parse(str)
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	d1, err := Decode(d0.Bytes())
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if d1.String() != str {
-		t.Fatalf("expected %v to equal %v", d1.String(), str)
-	}
-}
-
-func TestParseDIDWeb(t *testing.T) {
-	str := "did:web:up.web3.storage"
-	d, err := Parse(str)
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if d.String() != str {
-		t.Fatalf("expected %v to equal %v", d.String(), str)
-	}
-}
-
-func TestDecodeDIDWeb(t *testing.T) {
-	str := "did:web:up.web3.storage"
-	d0, err := Parse(str)
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	d1, err := Decode(d0.Bytes())
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-	if d1.String() != str {
-		t.Fatalf("expected %v to equal %v", d1.String(), str)
-	}
-}
-
-func TestEquivalence(t *testing.T) {
-	u0 := DID{}
-	u1 := Undef
-	if u0 != u1 {
-		t.Fatalf("undef DID not equivalent")
-	}
-
-	d0, err := Parse("did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z")
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-
-	d1, err := Parse("did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z")
-	if err != nil {
-		t.Fatalf("%v", err)
-	}
-
-	if d0 != d1 {
-		t.Fatalf("two equivalent DID not equivalent")
-	}
-}

go.mod

@@ -1,24 +1,27 @@
-module github.com/ucan-wg/go-ucan
+module code.sonr.org/go/ucan
 
-go 1.23
+go 1.24.4
+
+toolchain go1.24.5
 
 require (
-	github.com/ipfs/go-cid v0.4.1
+	code.sonr.org/go/did-it v1.0.0
+	github.com/avast/retry-go/v4 v4.6.1
+	github.com/ipfs/go-cid v0.5.0
 	github.com/ipld/go-ipld-prime v0.21.0
-	github.com/libp2p/go-libp2p v0.36.3
 	github.com/multiformats/go-multibase v0.2.0
 	github.com/multiformats/go-multicodec v0.9.0
 	github.com/multiformats/go-multihash v0.2.3
-	github.com/multiformats/go-varint v0.0.7
+	github.com/multiformats/go-varint v0.1.0
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
-	gotest.tools/v3 v3.5.1
+	github.com/ucan-wg/go-varsig v1.0.0
+	golang.org/x/crypto v0.45.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
@@ -26,9 +29,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polydawn/refmt v0.89.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect

go.sum

@@ -1,11 +1,15 @@
+code.sonr.org/go/did-it v1.0.0 h1:Wh8igUkD6cuf0Ul3gawi27z2/M1YfdnQ/mD9gBq/2EU=
+code.sonr.org/go/did-it v1.0.0/go.mod h1:PFK6ItvNyB2xbnVqipBbkN9BK1Sq+E2lf1YfOyCA0Og=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
+github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/crypto/blake256 v1.0.1 h1:7PltbUIQB7u/FfZ39+DGa/ShuMyJ5ilcvdfma9wOH6Y=
+github.com/decred/dcrd/crypto/blake256 v1.1.0 h1:zPMNGQCm0g4QTY27fOCorQW7EryeQ/U0x++OzVrdms8=
-github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
+github.com/decred/dcrd/crypto/blake256 v1.1.0/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/go-yaml/yaml v2.1.0+incompatible/go.mod h1:w2MrLa16VYP0jy6N7M5kHaCkaLENm+P+Tv+MfurjSw0=
@@ -13,22 +17,18 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/ipfs/go-cid v0.4.1 h1:A/T3qGvxi4kpKWWcPC/PgbvDA2bjVLO7n4UeVwnbs/s=
+github.com/ipfs/go-cid v0.5.0 h1:goEKKhaGm0ul11IHA7I6p1GmKz8kEYniqFopaB5Otwg=
-github.com/ipfs/go-cid v0.4.1/go.mod h1:uQHwDeX4c6CtyrFwdqyhpNcxVewur1M7l7fNU7LKwZk=
+github.com/ipfs/go-cid v0.5.0/go.mod h1:0L7vmeNXpQpUS9vt+yEARkJ8rOg43DF3iPgn4GIN0mk=
 github.com/ipld/go-ipld-prime v0.21.0 h1:n4JmcpOlPDIxBcY037SVfpd1G+Sj1nKZah0m6QH9C2E=
 github.com/ipld/go-ipld-prime v0.21.0/go.mod h1:3RLqy//ERg/y5oShXXdx5YIp50cFGOanyMctpPjsvxQ=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/libp2p/go-buffer-pool v0.1.0 h1:oK4mSFcQz7cTQIfqbe4MIj9gLW+mnanjyFtc6cdF0Y8=
-github.com/libp2p/go-buffer-pool v0.1.0/go.mod h1:N+vh8gMqimBzdKkSMVuydVDq+UV5QTWy5HSiZacSbPg=
-github.com/libp2p/go-libp2p v0.36.3 h1:NHz30+G7D8Y8YmznrVZZla0ofVANrvBl2c+oARfMeDQ=
-github.com/libp2p/go-libp2p v0.36.3/go.mod h1:4Y5vFyCUiJuluEPmpnKYf6WFx5ViKPUYs/ixe9ANFZ8=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
 github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
@@ -37,16 +37,14 @@ github.com/multiformats/go-base32 v0.1.0 h1:pVx9xoSPqEIQG8o+UbAe7DNi51oej1NtK+aG
 github.com/multiformats/go-base32 v0.1.0/go.mod h1:Kj3tFY6zNr+ABYMqeUNeGvkIC/UYgtWibDcT0rExnbI=
 github.com/multiformats/go-base36 v0.2.0 h1:lFsAbNOGeKtuKozrtBsAkSVhv1p9D0/qedU9rQyccr0=
 github.com/multiformats/go-base36 v0.2.0/go.mod h1:qvnKE++v+2MWCfePClUEjE78Z7P2a1UV0xHgWc0hkp4=
-github.com/multiformats/go-multiaddr v0.13.0 h1:BCBzs61E3AGHcYYTv8dqRH43ZfyrqM8RXVPT8t13tLQ=
-github.com/multiformats/go-multiaddr v0.13.0/go.mod h1:sBXrNzucqkFJhvKOiwwLyqamGa/P5EIXNPLovyhQCII=
 github.com/multiformats/go-multibase v0.2.0 h1:isdYCVLvksgWlMW9OZRYJEa9pZETFivncJHmHnnd87g=
 github.com/multiformats/go-multibase v0.2.0/go.mod h1:bFBZX4lKCA/2lyOFSAoKH5SS6oPyjtnzK/XTFDPkNuk=
 github.com/multiformats/go-multicodec v0.9.0 h1:pb/dlPnzee/Sxv/j4PmkDRxCOi3hXTz3IbPKOXWJkmg=
 github.com/multiformats/go-multicodec v0.9.0/go.mod h1:L3QTQvMIaVBkXOXXtVmYE+LI16i14xuaojr/H7Ai54k=
 github.com/multiformats/go-multihash v0.2.3 h1:7Lyc8XfX/IY2jWb/gI7JP+o7JEq9hOa7BFvVU9RSh+U=
 github.com/multiformats/go-multihash v0.2.3/go.mod h1:dXgKXCXjBzdscBLk9JkjINiEsCKRVch90MdaGiKsvSM=
-github.com/multiformats/go-varint v0.0.7 h1:sWSGR+f/eu5ABZA2ZpYKBILXTTs9JWpdEM/nEGOHFS8=
+github.com/multiformats/go-varint v0.1.0 h1:i2wqFp4sdl3IcIxfAonHQV9qU5OsZ4Ts9IOoETFs5dI=
-github.com/multiformats/go-varint v0.0.7/go.mod h1:r8PUYw/fD/SjBCiKOoDlGF6QawOELpZAu9eioSos/OU=
+github.com/multiformats/go-varint v0.1.0/go.mod h1:5KVAVXegtfmNQQm/lCY+ATvDzvJJhSkUlGQV9wgObdI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polydawn/refmt v0.89.0 h1:ADJTApkvkeBZsN0tBTx8QjpD9JkmxbKp0cxfr9qszm4=
@@ -61,25 +59,22 @@ github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hg
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/ucan-wg/go-varsig v1.0.0 h1:Hrc437Zg+B5Eoajg+qZQZI3Q3ocPyjlnp3/Bz9ZnlWw=
+github.com/ucan-wg/go-varsig v1.0.0/go.mod h1:Sakln6IPooDPH+ClQ0VvR09TuwUhHcfLqcPiPkMZGh0=
 github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0 h1:GDDkbFiaK8jsSDJfjId/PEGEShv6ugrt4kYsC5UIDaQ=
 github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0/go.mod h1:x6AKhvSSexNrVSrViXSHUEbICjmGXhtgABaHIySUSGw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -88,7 +83,5 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

pkg/args/args.go

@@ -0,0 +1,187 @@
+// Package args provides the type that represents the Arguments passed to
+// a command within an invocation.Token as well as a convenient Add method
+// to incrementally build the underlying map.
+package args
+
+import (
+	"errors"
+	"fmt"
+	"iter"
+	"sort"
+	"strings"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
+	"github.com/ipld/go-ipld-prime/printer"
+
+	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
+)
+
+var ErrNotFound = errors.New("key not found in meta")
+
+// Args are the Command's arguments when an invocation Token is processed by the executor.
+// This also serves as a way to construct the underlying IPLD data with minimum allocations
+// and transformations, while hiding the IPLD complexity from the caller.
+type Args struct {
+	// This type must be compatible with the IPLD type represented by the IPLD
+	// schema { String : Any }.
+
+	Keys   []string
+	Values map[string]ipld.Node
+}
+
+// New returns a pointer to an initialized Args value.
+func New() *Args {
+	return &Args{
+		Values: map[string]ipld.Node{},
+	}
+}
+
+// GetNode retrieves a value as a raw IPLD node.
+// Returns ErrNotFound if the given key is missing.
+func (a *Args) GetNode(key string) (ipld.Node, error) {
+	v, ok := a.Values[key]
+	if !ok {
+		return nil, ErrNotFound
+	}
+	return v, nil
+}
+
+// Add inserts a key/value pair in the Args set.
+//
+// Accepted types for val are any CBOR compatible type, or directly IPLD values.
+func (a *Args) Add(key string, val any) error {
+	if _, ok := a.Values[key]; ok {
+		return fmt.Errorf("duplicate key %q", key)
+	}
+
+	node, err := literal.Any(val)
+	if err != nil {
+		return err
+	}
+
+	if err := limits.ValidateIntegerBoundsIPLD(node); err != nil {
+		return fmt.Errorf("value for key %q: %w", key, err)
+	}
+
+	a.Values[key] = node
+	a.Keys = append(a.Keys, key)
+
+	return nil
+}
+
+type Iterator interface {
+	Iter() iter.Seq2[string, ipld.Node]
+}
+
+// Include merges the provided arguments into the existing arguments.
+//
+// If duplicate keys are encountered, the new value is silently dropped
+// without causing an error.
+func (a *Args) Include(other Iterator) {
+	for key, value := range other.Iter() {
+		if _, ok := a.Values[key]; ok {
+			// don't overwrite
+			continue
+		}
+		a.Values[key] = value
+		a.Keys = append(a.Keys, key)
+	}
+}
+
+// Len return the number of arguments.
+func (a *Args) Len() int {
+	return len(a.Keys)
+}
+
+// Iter iterates over the args key/values
+func (a *Args) Iter() iter.Seq2[string, ipld.Node] {
+	return func(yield func(string, ipld.Node) bool) {
+		for _, key := range a.Keys {
+			if !yield(key, a.Values[key]) {
+				return
+			}
+		}
+	}
+}
+
+// ToIPLD wraps an instance of an Args with an ipld.Node.
+func (a *Args) ToIPLD() (ipld.Node, error) {
+	sort.Strings(a.Keys)
+
+	return qp.BuildMap(basicnode.Prototype.Any, int64(len(a.Keys)), func(ma datamodel.MapAssembler) {
+		for _, key := range a.Keys {
+			qp.MapEntry(ma, key, qp.Node(a.Values[key]))
+		}
+	})
+}
+
+// Equals tells if two Args hold the same values.
+func (a *Args) Equals(other *Args) bool {
+	if len(a.Keys) != len(other.Keys) {
+		return false
+	}
+	if len(a.Values) != len(other.Values) {
+		return false
+	}
+	for _, key := range a.Keys {
+		if !ipld.DeepEqual(a.Values[key], other.Values[key]) {
+			return false
+		}
+	}
+	return true
+}
+
+func (a *Args) String() string {
+	sort.Strings(a.Keys)
+
+	buf := strings.Builder{}
+	buf.WriteString("{")
+
+	for _, key := range a.Keys {
+		buf.WriteString("\n\t")
+		buf.WriteString(key)
+		buf.WriteString(": ")
+		buf.WriteString(strings.ReplaceAll(printer.Sprint(a.Values[key]), "\n", "\n\t"))
+		buf.WriteString(",")
+	}
+
+	if len(a.Keys) > 0 {
+		buf.WriteString("\n")
+	}
+	buf.WriteString("}")
+
+	return buf.String()
+}
+
+// ReadOnly returns a read-only version of Args.
+func (a *Args) ReadOnly() ReadOnly {
+	return ReadOnly{args: a}
+}
+
+// Clone makes a deep copy.
+func (a *Args) Clone() *Args {
+	res := &Args{
+		Keys:   make([]string, len(a.Keys)),
+		Values: make(map[string]ipld.Node, len(a.Values)),
+	}
+	copy(res.Keys, a.Keys)
+	for k, v := range a.Values {
+		res.Values[k] = v
+	}
+	return res
+}
+
+// Validate checks that all values in the Args are valid according to UCAN specs
+func (a *Args) Validate() error {
+	for key, value := range a.Values {
+		if err := limits.ValidateIntegerBoundsIPLD(value); err != nil {
+			return fmt.Errorf("value for key %q: %w", key, err)
+		}
+	}
+
+	return nil
+}

pkg/args/args_test.go

@@ -0,0 +1,297 @@
+package args_test
+
+import (
+	"maps"
+	"sync"
+	"testing"
+
+	"github.com/ipfs/go-cid"
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
+	"github.com/ipld/go-ipld-prime/schema"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"code.sonr.org/go/ucan/pkg/args"
+	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
+)
+
+func TestArgs(t *testing.T) {
+	t.Parallel()
+
+	const (
+		intKey    = "intKey"
+		mapKey    = "mapKey"
+		nilKey    = "nilKey"
+		boolKey   = "boolKey"
+		linkKey   = "linkKey"
+		listKey   = "listKey"
+		nodeKey   = "nodeKey"
+		uintKey   = "uintKey"
+		bytesKey  = "bytesKey"
+		floatKey  = "floatKey"
+		stringKey = "stringKey"
+	)
+
+	const (
+		expIntVal    = int64(-42)
+		expBoolVal   = true
+		expUintVal   = uint(42)
+		expStringVal = "stringVal"
+	)
+
+	var (
+		expMapVal = map[string]string{"keyOne": "valOne", "keyTwo": "valTwo"}
+		// expNilVal = (map[string]string)(nil)
+		expLinkVal  = cid.MustParse("bafzbeigai3eoy2ccc7ybwjfz5r3rdxqrinwi4rwytly24tdbh6yk7zslrm")
+		expListVal  = []string{"elem1", "elem2", "elem3"}
+		expNodeVal  = literal.String("nodeVal")
+		expBytesVal = []byte{0xde, 0xad, 0xbe, 0xef}
+		expFloatVal = 42.0
+	)
+
+	argsIn := args.New()
+
+	for _, a := range []struct {
+		key string
+		val any
+	}{
+		{key: intKey, val: expIntVal},
+		{key: mapKey, val: expMapVal},
+		// {key:  nilKey, val: expNilVal},
+		{key: boolKey, val: expBoolVal},
+		{key: linkKey, val: expLinkVal},
+		{key: listKey, val: expListVal},
+		{key: uintKey, val: expUintVal},
+		{key: nodeKey, val: expNodeVal},
+		{key: bytesKey, val: expBytesVal},
+		{key: floatKey, val: expFloatVal},
+		{key: stringKey, val: expStringVal},
+	} {
+		require.NoError(t, argsIn.Add(a.key, a.val))
+	}
+
+	// Round-trip to DAG-CBOR
+	argsOut := roundTripThroughDAGCBOR(t, argsIn)
+	assert.ElementsMatch(t, argsIn.Keys, argsOut.Keys)
+	assert.Equal(t, argsIn.Values, argsOut.Values)
+
+	actMapVal := map[string]string{}
+	mit := argsOut.Values[mapKey].MapIterator()
+
+	for !mit.Done() {
+		k, v, err := mit.Next()
+		require.NoError(t, err)
+		ks := must(k.AsString())
+		vs := must(v.AsString())
+		actMapVal[ks] = vs
+	}
+
+	actListVal := []string{}
+	lit := argsOut.Values[listKey].ListIterator()
+
+	for !lit.Done() {
+		_, v, err := lit.Next()
+		require.NoError(t, err)
+		vs := must(v.AsString())
+
+		actListVal = append(actListVal, vs)
+	}
+
+	assert.Equal(t, expIntVal, must(argsOut.Values[intKey].AsInt()))
+	assert.Equal(t, expMapVal, actMapVal) // TODO: special accessor
+	// TODO: the nil map comes back empty (but the right type)
+	// assert.Equal(t, expNilVal, actNilVal)
+	assert.Equal(t, expBoolVal, must(argsOut.Values[boolKey].AsBool()))
+	assert.Equal(t, expLinkVal.String(), must(argsOut.Values[linkKey].AsLink()).(datamodel.Link).String()) // TODO: special accessor
+	assert.Equal(t, expListVal, actListVal)                                                                // TODO: special accessor
+	assert.Equal(t, expNodeVal, argsOut.Values[nodeKey])
+	assert.Equal(t, expUintVal, uint(must(argsOut.Values[uintKey].AsInt())))
+	assert.Equal(t, expBytesVal, must(argsOut.Values[bytesKey].AsBytes()))
+	assert.Equal(t, expFloatVal, must(argsOut.Values[floatKey].AsFloat()))
+	assert.Equal(t, expStringVal, must(argsOut.Values[stringKey].AsString()))
+}
+
+func TestArgs_Include(t *testing.T) {
+	t.Parallel()
+
+	argsIn := args.New()
+	require.NoError(t, argsIn.Add("key1", "val1"))
+	require.NoError(t, argsIn.Add("key2", "val2"))
+
+	argsOther := args.New()
+	require.NoError(t, argsOther.Add("key2", "valOther")) // This should not overwrite key2 above
+	require.NoError(t, argsOther.Add("key3", "val3"))
+	require.NoError(t, argsOther.Add("key4", "val4"))
+
+	argsIn.Include(argsOther)
+
+	assert.Len(t, argsIn.Values, 4)
+	assert.Equal(t, "val1", must(argsIn.Values["key1"].AsString()))
+	assert.Equal(t, "val2", must(argsIn.Values["key2"].AsString()))
+	assert.Equal(t, "val3", must(argsIn.Values["key3"].AsString()))
+	assert.Equal(t, "val4", must(argsIn.Values["key4"].AsString()))
+}
+
+func TestIterCloneEquals(t *testing.T) {
+	a := args.New()
+
+	require.NoError(t, a.Add("foo", "bar"))
+	require.NoError(t, a.Add("baz", 1234))
+
+	expected := map[string]ipld.Node{
+		"foo": basicnode.NewString("bar"),
+		"baz": basicnode.NewInt(1234),
+	}
+
+	// args -> iter
+	require.Equal(t, expected, maps.Collect(a.Iter()))
+
+	// readonly -> iter
+	ro := a.ReadOnly()
+	require.Equal(t, expected, maps.Collect(ro.Iter()))
+
+	// args -> clone -> iter
+	clone := a.Clone()
+	require.Equal(t, expected, maps.Collect(clone.Iter()))
+
+	// readonly -> WriteableClone -> iter
+	wclone := ro.WriteableClone()
+	require.Equal(t, expected, maps.Collect(wclone.Iter()))
+
+	require.True(t, a.Equals(wclone))
+	require.True(t, ro.Equals(wclone.ReadOnly()))
+}
+
+func TestInclude(t *testing.T) {
+	a1 := args.New()
+
+	require.NoError(t, a1.Add("samekey", "bar"))
+	require.NoError(t, a1.Add("baz", 1234))
+
+	a2 := args.New()
+
+	require.NoError(t, a2.Add("samekey", "othervalue")) // check no overwrite
+	require.NoError(t, a2.Add("otherkey", 1234))
+
+	a1.Include(a2)
+
+	require.Equal(t, map[string]ipld.Node{
+		"samekey":  basicnode.NewString("bar"),
+		"baz":      basicnode.NewInt(1234),
+		"otherkey": basicnode.NewInt(1234),
+	}, maps.Collect(a1.Iter()))
+}
+
+func TestArgsIntegerBounds(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		key     string
+		val     int64
+		wantErr string
+	}{
+		{
+			name: "valid int",
+			key:  "valid",
+			val:  42,
+		},
+		{
+			name: "max safe integer",
+			key:  "max",
+			val:  limits.MaxInt53,
+		},
+		{
+			name: "min safe integer",
+			key:  "min",
+			val:  limits.MinInt53,
+		},
+		{
+			name:    "exceeds max safe integer",
+			key:     "tooBig",
+			val:     limits.MaxInt53 + 1,
+			wantErr: "exceeds safe integer bounds",
+		},
+		{
+			name:    "below min safe integer",
+			key:     "tooSmall",
+			val:     limits.MinInt53 - 1,
+			wantErr: "exceeds safe integer bounds",
+		},
+		{
+			name:    "duplicate key",
+			key:     "duplicate",
+			val:     42,
+			wantErr: "duplicate key",
+		},
+	}
+
+	a := args.New()
+	require.NoError(t, a.Add("duplicate", 1)) // tests duplicate key
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := a.Add(tt.key, tt.val)
+			if tt.wantErr != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tt.wantErr)
+			} else {
+				require.NoError(t, err)
+				val, err := a.GetNode(tt.key)
+				require.NoError(t, err)
+				i, err := val.AsInt()
+				require.NoError(t, err)
+				require.Equal(t, tt.val, i)
+			}
+		})
+	}
+}
+
+const (
+	argsSchema = "type Args { String : Any }"
+	argsName   = "Args"
+)
+
+var (
+	once      sync.Once
+	ts        *schema.TypeSystem
+	errSchema error
+)
+
+func argsType() schema.Type {
+	once.Do(func() {
+		ts, errSchema = ipld.LoadSchemaBytes([]byte(argsSchema))
+	})
+	if errSchema != nil {
+		panic(errSchema)
+	}
+
+	return ts.TypeByName(argsName)
+}
+
+func roundTripThroughDAGCBOR(t *testing.T, argsIn *args.Args) *args.Args {
+	t.Helper()
+
+	node, err := argsIn.ToIPLD()
+	require.NoError(t, err)
+
+	data, err := ipld.Encode(node, dagcbor.Encode)
+	require.NoError(t, err)
+
+	var argsOut args.Args
+	_, err = ipld.Unmarshal(data, dagcbor.Decode, &argsOut, argsType())
+	require.NoError(t, err)
+
+	return &argsOut
+}
+
+func must[T any](t T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return t
+}

pkg/args/builder.go

@@ -0,0 +1,71 @@
+package args
+
+import (
+	"errors"
+
+	"github.com/ipld/go-ipld-prime"
+)
+
+// Builder allows the fluid construction of an Args.
+type Builder struct {
+	args *Args
+	errs error
+}
+
+// NewBuilder returns a Builder which will assemble the Args.
+func NewBuilder() *Builder {
+	return &Builder{
+		args: New(),
+	}
+}
+
+// Add inserts a new key/val into the Args being assembled while collecting
+// any errors caused by duplicate keys.
+func (b *Builder) Add(key string, val any) *Builder {
+	b.errs = errors.Join(b.errs, b.args.Add(key, val))
+
+	return b
+}
+
+// Build returns the assembled Args or an error containing a list of
+// errors encountered while trying to build the Args.
+func (b *Builder) Build() (*Args, error) {
+	if b.errs != nil {
+		return nil, b.errs
+	}
+
+	return b.args, nil
+}
+
+// BuildIPLD is the same as Build except it takes the additional step of
+// converting the Args to an ipld.Node.
+func (b *Builder) BuildIPLD() (ipld.Node, error) {
+	args, err := b.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	return args.ToIPLD()
+}
+
+// MustBuild is the same as Build except it panics if an error occurs.
+func (b *Builder) MustBuild() *Args {
+	args, err := b.Build()
+
+	if err != nil {
+		panic(b.errs)
+	}
+
+	return args
+}
+
+// MustBuildIPLD is the same as BuildIPLD except it panics if an error
+// occurs.
+func (b *Builder) MustBuildIPLD() ipld.Node {
+	node, err := b.BuildIPLD()
+	if err != nil {
+		panic(err)
+	}
+
+	return node
+}

pkg/args/builder_test.go

@@ -0,0 +1,82 @@
+package args_test
+
+import (
+	"testing"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"code.sonr.org/go/ucan/pkg/args"
+)
+
+func TestBuilder_XXX(t *testing.T) {
+	t.Parallel()
+
+	const (
+		keyOne = "key1"
+		valOne = "string"
+		keyTwo = "key2"
+		valTwo = 42
+	)
+
+	exp := args.New()
+	exp.Add(keyOne, valOne)
+	exp.Add(keyTwo, valTwo)
+
+	expNode, err := exp.ToIPLD()
+	require.NoError(t, err)
+
+	disjointKeys := args.NewBuilder().
+		Add(keyOne, valOne).
+		Add(keyTwo, valTwo)
+
+	duplicateKeys := args.NewBuilder().
+		Add(keyOne, valOne).
+		Add(keyTwo, valTwo).
+		Add(keyOne, "oh no!")
+
+	t.Run("MustBuild succeeds with disjoint keys", func(t *testing.T) {
+		t.Parallel()
+
+		var act *args.Args
+
+		require.NotPanics(t, func() {
+			act = disjointKeys.MustBuild()
+		})
+		assert.Equal(t, exp, act)
+	})
+
+	t.Run("MustBuild fails with duplicate keys", func(t *testing.T) {
+		t.Parallel()
+
+		var act *args.Args
+
+		require.Panics(t, func() {
+			act = duplicateKeys.MustBuild()
+		})
+		assert.Nil(t, act)
+	})
+
+	t.Run("MustBuildIPLD succeeds with disjoint keys", func(t *testing.T) {
+		t.Parallel()
+
+		var act ipld.Node
+
+		require.NotPanics(t, func() {
+			act = disjointKeys.MustBuildIPLD()
+		})
+		assert.Equal(t, expNode, act)
+	})
+
+	t.Run("MustBuildIPLD fails with duplicate keys", func(t *testing.T) {
+		t.Parallel()
+
+		var act ipld.Node
+
+		require.Panics(t, func() {
+			act = duplicateKeys.MustBuildIPLD()
+		})
+		assert.Nil(t, act)
+	})
+}

pkg/args/readonly.go

@@ -0,0 +1,39 @@
+package args
+
+import (
+	"iter"
+
+	"github.com/ipld/go-ipld-prime"
+)
+
+type ReadOnly struct {
+	args *Args
+}
+
+func (r ReadOnly) GetNode(key string) (ipld.Node, error) {
+	return r.args.GetNode(key)
+}
+
+func (r ReadOnly) Len() int {
+	return r.args.Len()
+}
+
+func (r ReadOnly) Iter() iter.Seq2[string, ipld.Node] {
+	return r.args.Iter()
+}
+
+func (r ReadOnly) ToIPLD() (ipld.Node, error) {
+	return r.args.ToIPLD()
+}
+
+func (r ReadOnly) Equals(other ReadOnly) bool {
+	return r.args.Equals(other.args)
+}
+
+func (r ReadOnly) String() string {
+	return r.args.String()
+}
+
+func (r ReadOnly) WriteableClone() *Args {
+	return r.args.Clone()
+}

pkg/command/command.go

@@ -98,7 +98,34 @@ func (c Command) Join(segments ...string) Command {
 // Segments returns the ordered segments that comprise the Command as a
 // slice of strings.
 func (c Command) Segments() []string {
-	return strings.Split(string(c), separator)
+	if c == separator {
+		return nil
+	}
+	return strings.Split(string(c), separator)[1:]
+}
+
+// Covers returns true if the command is identical or a parent of the given other command.
+func (c Command) Covers(other Command) bool {
+	// fast-path, equivalent to the code below (verified with fuzzing)
+	if !strings.HasPrefix(string(other), string(c)) {
+		return false
+	}
+	return c == separator || len(c) == len(other) || other[len(c)] == separator[0]
+
+	/* -------
+
+	otherSegments := other.Segments()
+	if len(otherSegments) < len(c.Segments()) {
+		return false
+	}
+	for i, s := range c.Segments() {
+		if otherSegments[i] != s {
+			return false
+		}
+	}
+	return true
+
+	*/
 }
 
 // String returns the composed representation the command.  This is also

pkg/command/command_test.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/ucan-wg/go-ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/command"
 )
 
 func TestTop(t *testing.T) {
@@ -73,6 +73,21 @@ func TestJoin(t *testing.T) {
 	require.Equal(t, "/faz/boz/foo/bar", command.MustParse("/faz/boz").Join("foo", "bar").String())
 }
 
+func TestSegments(t *testing.T) {
+	require.Empty(t, command.Top().Segments())
+	require.Equal(t, []string{"foo", "bar", "baz"}, command.MustParse("/foo/bar/baz").Segments())
+}
+
+func TestCovers(t *testing.T) {
+	require.True(t, command.MustParse("/foo/bar/baz").Covers(command.MustParse("/foo/bar/baz")))
+	require.True(t, command.MustParse("/foo/bar").Covers(command.MustParse("/foo/bar/baz")))
+	require.False(t, command.MustParse("/foo/bar/baz").Covers(command.MustParse("/foo/bar")))
+	require.True(t, command.MustParse("/").Covers(command.MustParse("/foo")))
+	require.True(t, command.MustParse("/").Covers(command.MustParse("/foo/bar/baz")))
+	require.False(t, command.MustParse("/foo").Covers(command.MustParse("/foo00")))
+	require.False(t, command.MustParse("/foo/bar").Covers(command.MustParse("/foo/bar00")))
+}
+
 type testcase struct {
 	name string
 	inp  string

pkg/container/Readme.md

@@ -1,5 +1,7 @@
 # Token container
 
+The specification has been promoted to https://github.com/ucan-wg/container.
+
 ## Why do I need that?
 
 Some common situation asks to package multiple tokens together:

pkg/container/car_test.go

@@ -40,6 +40,13 @@ func TestCarRoundTrip(t *testing.T) {
 }
 
 func FuzzCarRoundTrip(f *testing.F) {
+	// Note: this fuzzing is somewhat broken.
+	// After some time, the fuzzer discover that a varint can be serialized in different
+	// ways that lead to the same integer value. This means that the CAR format can have
+	// multiple legal binary representation for the exact same data, which is what we are
+	// trying to detect here. Ideally, the format would be stricter, but that's how things
+	// are.
+
 	example, err := os.ReadFile("testdata/sample-v1.car")
 	require.NoError(f, err)
 

pkg/container/containertest/Base64StdPaddingGzipped

@@ -0,0 +1 @@
+OH4sIAAAAAAAA/5zXa5MU1R3HcXYjIOAVMQZQUQElCGx3n9M3wLhzn8xl3ZnpuSLB0+ecnp6enft9VBJWjSAkxEVXkBUJAgbULTUq4gULlWhQiauilKiFgiaFoIhoCVFIpXY3VXm2s2/g++RTv+7/+bOGi+nZZfauaNOGzkgrmfzUPZ9cOm50aPP2jdPmvbb81I3vbtiTWHDmwAcZZt+W78+6vCU3Irb6u23LjnR37vp07d5Iz7nHX9+96OnXlsw8e9Oaj87agHQnbDradLTpolyhhFG6hXTEW9k5zBxmdh7PYf+CUYlUJZIgc5O0NrcueJOJrDlsLkKXwBnEYlciBgsAWyqFgdnpy6oxPWU3SCpQE0L+KI9xiugtWibToqI8ptXsJL2rZRtOFAr/3yxqAQfJqG6iS6561FqQsk7ZkecUt9cac9WSpOSGJb9d9njNsIqzmY4lt2HU0YHnLFh4G/qVNqeMOkq0GRdK6vCzJEWL6CFdALzMsQIyEAZUYjlW0nRJJAwPNN5QBY3lAAC8oKuYUsLKqqFRAau8RgGl6UwaU891vofXTUn5Lu58ZDzpRzqlf63e713VHbzpqg8X3iqFfzniqfGtdlx7DrzQfPbDT2RXHLnnX9e/fLJp/eFR27974d9/3HHJyusXt7+Zcoyd9uIPSzePGAZSho/biynJrhC3JrEIFeSUkOc9rmSbwWqlMKl5Wc2d5kRUz1iGjOTLxLwatBZVv9tdkWFIoylbDvjsjjbOXSt7JFhkXVQgBS5ZagSpgewAEkcYqFHAGSojIEJEyCNdFjmMoUoNBjEyIBJhNR0JjEQIkQ1WhiJCSMBkAMl427RzzztvjD8G9jP9SONm9dxw6dFNH78+uqfpgtRV3ZEfJ3jfbfvkw0MLr/J2r205cGjrvOVvdNaa4tPO7GpfMWXU12+8N4ELOK/tu2DJzrc7rztnGEglu0VM521lPl0LmqOuhBRMZ/KC1ahYRXdSUax5bM9nqlRtJ5nKUJFyLjtvMoMyF0yaCvlE0mGLI1MkAKGlFOAEEiaKOx0qUls4YKo3gNRIdgBJpIwIJcgaUCaaJmkaILosaAQLEm8IkgiIpAmY0xECDFUhNhCUiCxzGGgDSIuv+WnPyHPyh1f3XRDuR/p2VXRu29o7XKfEVTN6F/kfv2XLyyfI7vWT+27+NvDZoZk3L7jm+Jm3Os9qPbjd0/fNHdmtTcKnnfKMpnVLf977PTjw2djhfO7CAQLNKFVS89GU325j0/ZcO0ybc+4QnyhhUfTasSoVK1aHxxgqklZIB+yYOjhUZWvRrNNVjqlK1iFUTTZTwFOLpMopW6ZYyeZ03t8AUiPZwSVJjIoAgwxNBSzlOVVWdaRJVOAwMgQKMKQSFXmdcARSEUkGFVUWS4IApAGkhyb+bPHD1yg3jHt1m9KP1D7Z81H2oxu/WEaZY5NOPtrT8fQGafFXc2/7HNw+4q5/2vnn9yJ2zIQFm8907niQ+eKbg9Gde73li/RJnv3dpmV/rY8cBpKRC1lNpmBBL/uSFVd7RkplEuFSOJRzJ4rZTCwlxnRLu9RWZKNCdqhImbBIY6Ag2CxqWrbFcrYsiXj8SibSHpDEWtRjCmeor8x6VL8oNYDUSHZwSVDGEuVYQxR5ATAaAZqu8ghSGQGDhRLAgOVkrGPK8xLPA0OgqkqoIKqDS1o/ZdHt7ldffNPyt3un9yPN+MU73vKTuw8F1z17+fe+51Yefn+s5+rz1t0Fn36m9akHz7viifvOXV1r//KVWRvbn22euGD9LPjK3d0FX2zTe4vgyMuOjRsGkibmcKCuhMPhesxQirLVAkvAEtUDvmilYI5EjIALAIGIfCwcHfKSUgVH0JZJKW2yFpFs2GKEzdlstaLkk0otmw6l7YYt68rURDGXa2RJDWQHkJj/fus4jTeoTCiUACMLOsuyLIepZlABUchCIEm6jCmLeYE3VKgyPOE1QR1Amsif2hd9xD//84nTf92PVDgynzy//f4Pbthd2fXV6dZXxl7bd1oYX7LN61o7f/TyS0bfd2Tes4ww76Y9S5ofK+y7+bONZ59/ZzI/6qLN+49dvX7mlObhHA5Wtz9ZTHJVZ8hU8lS5rN+XUarhUpuiQFeUr+QqcrBsWKyBSMQ0VKR4oEYdqbqYj8slrlyzSL6YyezWqZoTSDgcr5hqCleL1jTBldUbQGokO4gkEkGDCBuiJsssAJKGdEEVMRUhMVRKOVZlBRHoIoZAZBneIAyrchpiODyA9OBLv5tv77LPvqK+98p+pMyOH1b2jFrW+vfukx1XjlkxsnjnNPWdW3t63dHO5nMegCO37Np74uSkNZ7I0i1be0949RWt5y/v/P29k17auiZ0r/PCYS0pqoZ8ArZhD1EVn+IuakF/LOV3hi1WSYmgSDEfzJjSrhCXrg75BE9mcEGwu4uGWrRWg1az3aaLDo56QnWTJeJ3pKqRUnsorNkKXgQaQGokO4DEU5lqiFCDZ6jGMzIiSBcow/EaRw3IExYQwkFGxwKHJIGTDBkwGtIAwoMn+CfL7+77urfL/UxtwS39SH+6sGvR/M3b7j489vTU1OwxHxxnp7rWHVx98fpL9ph/M/fEq1ue+e1N/xDGNz9xCzw8q3vyZT2jp46ePuP9mZvqo/bv+6llOP+kuMfscECbC5eddZJTfHlT2M5bk4GEYvWZS3mxElTCKdkUS8XjcMjXHUtLCaermiY4S2g8zpoiRqIcssplwuUlECoqeiXutikRACONXHcNZAeXpKqCqMmcgURW1lgsAUkHkGUxo6kGhYSIEksg0mXACEjloAGhCmRVZoXBJS2LGo9+PG7/LrnvXXc/0iOu5JnKZS0/9n65Za8n+d3jdfGtx5ZEVtktu9uPT1+9Z8J2T8fGrulTS5mltvn3H+xyHljjfODJHWt3LkycGfOYDYwaBlLF7ra4goKzXg2zyJXysnwlTKS8I2su5R12iiqkXKon4gb0ytyQ30nBONtWymUrZU/cUi9DLppTvJZglavadJxyF5N2wSSBkDNiVWONvJMayP5vSURSkcAYLBYBx0CEVF0SoarxSDQIzyFGRZJMdY2DHBEk2ZA5RmU4BjBwAOlopu2+lb0heeXJP9zxnwAAAP//V8QWnXsQAAA=

pkg/container/containertest/Base64URLGzipped

@@ -0,0 +1 @@
+PH4sIAAAAAAAA_5zW65MU1f3HcS7-hB8igpfIgqUxCqLC0tfTfUADMzs7M87ObubaOzMEsM-lp6eb6Zmee49GvEKwVBQRgygIUVHLCwoqoJAAikCQaJRICCqFGPCCcXVFoaBMJbukKs929h94P3nV-ZzvSg2XrEkV9u7kwFW3J6bv7bj7tflfrjm4e8_grc7Dke4jPx6c_Mm87olH_O9Of35_59-X7z2xe056dKx7156F074aOXzCcemCRe-Y4T3n3v7SNV-fdd4qVfcLA48NPDbwArtYxqo1mcxJT2ebmWZmUgE3s09jtUxqMsmQKSZ1ptRBu5lF0WK75ZbawpVO25NW2rLtfgG5XFZKtlwBr1GPVfyKU9YjZS_BOEv0yVouNxmpBUxr-TH6osmv4Uyx-L9NM5PUWqLtmqTohbQnkWp1i5JlxiOWLxAFAdaJeU13Z0gwWsN2AOdzc267A6tz5uDmGTPvUH-pNVfUOWU6CBfLqP9ZkqUl9fc6w3KqRmTVUDWGB1BiiKoDCBhJptRABAuCxrJY0zHPQBZjbLCY8hKCVBOplbMwDXbdsO9O4ZT5m20fTPywBymh3HfTBjDl5MzlT65xpm15kC4-f_2hlTtKyQUbrj78wBPfjn1e3T9i7OmuEfmt25d4z_q2K_0H36lRiw_9NbK0Szy0d3A_kPKuFk6qOYqVTSCj2uGNknxdT0BN0Etlqklxr8QaSqzF468oQl-R0oo7rztKQaK5crqzmMq7vOV4uh4jFZ2zPIrfFL0hS_ZYOFikDSA1ku1FAqJEZIRUA2gMy0OeY4EOKGVlHmCDIgZKKhYhp2NKGQR5YvBYZAWVp4j0Io1b4N905xU_e_SJj1-4pAfpbefa207fnMit_9XP39xxw7D3Fk0bH7vs09W_3uwcG3Vk5Nxv14yYP2Zj7lLPQ01Nnw0bsmXTssuZprL6-dX3zB3U9NH9q8_tB1KhgwUG8gA54HH5OcMyW1vqjmLnO11GNB0Ph6ut8WI1zAbdSMv2FclKhWK2riCS9trFvDvmd3tC0bpo8SAeC5QExZfiO3LeIOuKePkGkBrJnkEiWJYlnjEg1nhERSKouowIUgEvGUTGRBN5Ims6QiyVZVUwNIp4GUNOxr1I199x4OH_y6103Q-3DOhBuhYw1x1Y9eHYjejREfahp2Z9SNaqo83Xb0yff-mFr3_srFg7at3FV2aEy28atv2p8zbc-313YOQ3y65gm1Z9MHzdipHm0H4gFYmaLrQGWjpFLp4ICmagamWKHI560tlAsoa1uNcotoQKWj7fGuvz3Ck1v5hJgvZQJGYIKTlcFrypWocVLHPuEC_oWa2e0M3OVsen-BuZuwayZ-YOckQARDJ4TLAsChqUdVHVOBkA1pA5GVKGkaiqA04CDISiIcoUMhRjCHuRmjJraxO7f_ji-PiTE3pf0g83F4Zc-hF4-7uTV4XPG7xw986TC__2_qlnjrf9OLDrrKfeXioPGvtN0-NHRv8OHh7_5fzP1V3Lt40Zar-z-c3Vtx5O54b0AykTCrGsVS1iKmkdapQ1q6lqKWkV2gD1J3MIY09SlHw5O6yHgn1FqnoTLU66YobsbASoKq46rmoka2c8LomNkHBFYH2VVldNa-GTQgNIjWR7kTiVAIYRsYEFTcMCgpDqogw4TFXGwKqmYaACRtMJ4ClmEDAQFaHAYAbSXqRXxt9z8fIVxXOXjpjI9SDtXIkK6MJ3T6xbv-WuN7azi9K8UGl5a1t056x9G6fgxJJ5g03lSBk_O2juXV0Lnh2kVHfIwcqrKw-9dboId5X-eU5__iRPLhyxMsF03C9ZnWYKtRfZajIbUDjb68k7XFG2UL5adKesKOwrku42qkgrRaK2lI1jYJaMelnpaLf9RhW0sfmUrjk-FymaAcHBDSA1ku1FYjVeBBpGBqUCpjIUKdI5TuAwwqqhiQAAyvAQ6BoDBCgiwSCizMsSQhzfi_SP-2K_-PGE9saxTzMze5Dy-z0P7Di679olRys3fzdIXbZgbpvy0Krm5oXnnP_1w9yzj0yF8_64bCjzW2H22feEv48NLk6_8UD32fWPNvlf_CS18OUB_UDSE1WcaNUKSsqx_SjA-zNeLYI4T0cybfM4pbMg4AknnbbOetjqK1K-blcKUt4DWcNrVBzBIiJ2fGE7W8gCKZbI4WhBy4KkP9MWhA0gNZL9LxJLVMQhA_KEkTAjEkbnBZFILMQGQRLPi5gSpAOqEShqqoFFWZA4jCHoRRLeO9XcMqtwy7p35cd6kIY99snirRBtnvqcHN9benz4hCuG3LJt9bafZki7thTP_mHpi5PGXfbY6N1Nm68Z992tLD51S-q5DR98dsnhAbNSNzwZvOr_-4FUTdpy0XIjlg0nZSHkqaneUBVUCylgZEtmwQ3LhZrhR3WtkrX7PHegSpISVKtKuCYFyu11s5pK6FHbR112BNtsIZUOt1fSHVIuLzYydw1kz8ydoGqUF4nBizIHZYFyog5ZLHCU0QwEOZGROVEiusr824blDCgBSSIMgGdO8ClPP7KYPJnsQIeKG3uQrnz5teFvvD98hrrOc3nrmK3rn9s_-09PjBzaddOwxDl3Hz1xfEx810uPhvYcbL3sL9dNWjnuxamjXnCFEheAP29i5nXf3tGf6y7r6qwrJZfHlLyGLCvuWCf05Qp6JGDYBaNWqnvS5bKN_VRBVaWvSDnJBG4lHBEAl05yIccVIHZabmmLBttdobSjaKY3FRY9alvY42oAqZFsL5KKCAaEQkMlokgpyzKijhlRpaIoGZClCLCU1ahOIGQhFWSDQwLLqkhlzrwkvOH-ScEtSw68Omr87B6kpYWRa185WbvuC8u8aMC0i1pXbHeO72P9982fsHhh2xbf8WGe0y5Zq-wAk3YenZ05evG93MzVAx78aXJlxr1r2hce7A9Srqh6jIIVjNU7INENUg7Tqmz7tFBb2pfy-oq6zxuOOO0kWo27-3yC58tCwi900DxOtpk-k2txFCfuCGKllnOscqVk-W0N1dmoFcw3coI3kO1FElVWYhiiGhzgCS-xPES6zFKVAZxgyIAXJZWjAOsygppAEG_8Z-wIQZzai7Ri5eyp3V8981nL9fET_woAAP__svLMp3sQAAA

pkg/container/containertest/containertest.go

@@ -0,0 +1,21 @@
+package containertest
+
+import _ "embed"
+
+//go:embed Base64StdPadding
+var Base64StdPadding string
+
+//go:embed Base64StdPaddingGzipped
+var Base64StdPaddingGzipped string
+
+//go:embed Base64URL
+var Base64URL string
+
+//go:embed Base64URLGzipped
+var Base64URLGzipped string
+
+//go:embed Bytes
+var Bytes []byte
+
+//go:embed BytesGzipped
+var BytesGzipped []byte

pkg/container/packaging.go

@@ -0,0 +1,118 @@
+package container
+
+import (
+	"compress/gzip"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+)
+
+const containerVersionTag = "ctn-v1"
+
+type header byte
+
+const (
+	headerRawBytes             = header(0x40)
+	headerBase64StdPadding     = header(0x42)
+	headerBase64URL            = header(0x43)
+	headerRawBytesGzip         = header(0x4D)
+	headerBase64StdPaddingGzip = header(0x4F)
+	headerBase64URLGzip        = header(0x50)
+)
+
+func (h header) encoder(w io.Writer) *payloadWriter {
+	res := &payloadWriter{rawWriter: w, writer: w, header: h}
+
+	switch h {
+	case headerBase64StdPadding, headerBase64StdPaddingGzip:
+		b64Writer := base64.NewEncoder(base64.StdEncoding, res.writer)
+		res.writer = b64Writer
+		res.closers = append([]io.Closer{b64Writer}, res.closers...)
+	case headerBase64URL, headerBase64URLGzip:
+		b64Writer := base64.NewEncoder(base64.RawURLEncoding, res.writer)
+		res.writer = b64Writer
+		res.closers = append([]io.Closer{b64Writer}, res.closers...)
+	}
+
+	switch h {
+	case headerRawBytesGzip, headerBase64StdPaddingGzip, headerBase64URLGzip:
+		gzipWriter := gzip.NewWriter(res.writer)
+		res.writer = gzipWriter
+		res.closers = append([]io.Closer{gzipWriter}, res.closers...)
+	}
+
+	return res
+}
+
+func payloadDecoder(r io.Reader) (io.Reader, error) {
+	headerBuf := make([]byte, 1)
+	_, err := r.Read(headerBuf)
+	if err != nil {
+		return nil, err
+	}
+	h := header(headerBuf[0])
+
+	switch h {
+	case headerRawBytes,
+		headerBase64StdPadding,
+		headerBase64URL,
+		headerRawBytesGzip,
+		headerBase64StdPaddingGzip,
+		headerBase64URLGzip:
+	default:
+		return nil, fmt.Errorf("unknown container header")
+	}
+
+	switch h {
+	case headerBase64StdPadding, headerBase64StdPaddingGzip:
+		r = base64.NewDecoder(base64.StdEncoding, r)
+	case headerBase64URL, headerBase64URLGzip:
+		r = base64.NewDecoder(base64.RawURLEncoding, r)
+	}
+
+	switch h {
+	case headerRawBytesGzip, headerBase64StdPaddingGzip, headerBase64URLGzip:
+		gzipReader, err := gzip.NewReader(r)
+		if err != nil {
+			return nil, err
+		}
+		r = gzipReader
+	}
+
+	return r, nil
+}
+
+var _ io.WriteCloser = &payloadWriter{}
+
+// payloadWriter is tasked with two things:
+// - prepend the header byte
+// - call Close() on all the underlying io.Writer
+type payloadWriter struct {
+	rawWriter   io.Writer
+	writer      io.Writer
+	header      header
+	headerWrote bool
+	closers     []io.Closer
+}
+
+func (w *payloadWriter) Write(p []byte) (n int, err error) {
+	if !w.headerWrote {
+		_, err := w.rawWriter.Write([]byte{byte(w.header)})
+		if err != nil {
+			return 0, err
+		}
+		w.headerWrote = true
+	}
+	return w.writer.Write(p)
+}
+
+func (w *payloadWriter) Close() error {
+	var errs error
+	for _, closer := range w.closers {
+		if err := closer.Close(); err != nil {
+			errs = errors.Join(errs, err)
+		}
+	}
+	return errs
+}

pkg/container/reader.go

@@ -1,98 +1,84 @@
 package container
 
 import (
-	"encoding/base64"
+	"bytes"
 	"fmt"
 	"io"
+	"iter"
+	"strings"
 
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
-	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/cbor"
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"github.com/ucan-wg/go-ucan/token"
+	"code.sonr.org/go/ucan/token"
-	"github.com/ucan-wg/go-ucan/token/delegation"
+	"code.sonr.org/go/ucan/token/delegation"
-	"github.com/ucan-wg/go-ucan/token/invocation"
+	"code.sonr.org/go/ucan/token/invocation"
 )
 
 var ErrNotFound = fmt.Errorf("not found")
+var ErrMultipleInvocations = fmt.Errorf("multiple invocations")
 
 // Reader is a token container reader. It exposes the tokens conveniently decoded.
-type Reader map[cid.Cid]token.Token
+type Reader map[cid.Cid]bundle
 
-// GetToken returns an arbitrary decoded token, from its CID.
+type bundle struct {
-// If not found, ErrNotFound is returned.
+	sealed []byte
-func (ctn Reader) GetToken(cid cid.Cid) (token.Token, error) {
+	token  token.Token
-	tkn, ok := ctn[cid]
-	if !ok {
-		return nil, ErrNotFound
-	}
-	return tkn, nil
 }
 
-// GetDelegation is the same as GetToken but only return a delegation.Token, with the right type.
+// FromBytes decodes a container from a []byte
-func (ctn Reader) GetDelegation(cid cid.Cid) (*delegation.Token, error) {
+func FromBytes(data []byte) (Reader, error) {
-	tkn, err := ctn.GetToken(cid)
+	return FromReader(bytes.NewReader(data))
-	if err != nil {
-		return nil, err
-	}
-	if tkn, ok := tkn.(*delegation.Token); ok {
-		return tkn, nil
-	}
-	return nil, fmt.Errorf("not a delegation token")
 }
 
-// GetInvocation returns the first found invocation.Token.
+// FromString decodes a container from a string
-// If none are found, ErrNotFound is returned.
+func FromString(s string) (Reader, error) {
-func (ctn Reader) GetInvocation() (*invocation.Token, error) {
+	return FromReader(strings.NewReader(s))
-	for _, t := range ctn {
-		if inv, ok := t.(*invocation.Token); ok {
-			return inv, nil
-		}
-	}
-	return nil, ErrNotFound
 }
 
-func FromCar(r io.Reader) (Reader, error) {
+// FromReader decodes a container from an io.Reader.
-	_, it, err := readCar(r)
+func FromReader(r io.Reader) (Reader, error) {
+	payload, err := payloadDecoder(r)
 	if err != nil {
 		return nil, err
 	}
 
-	ctn := make(Reader)
+	n, err := ipld.DecodeStreaming(payload, cbor.Decode)
-
-	for block, err := range it {
-		if err != nil {
-			return nil, err
-		}
-
-		err = ctn.addToken(block.data)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return ctn, nil
-}
-
-func FromCarBase64(r io.Reader) (Reader, error) {
-	return FromCar(base64.NewDecoder(base64.StdEncoding, r))
-}
-
-func FromCbor(r io.Reader) (Reader, error) {
-	n, err := ipld.DecodeStreaming(r, dagcbor.Decode)
 	if err != nil {
 		return nil, err
 	}
-	if n.Kind() != datamodel.Kind_List {
+	if n.Kind() != datamodel.Kind_Map {
-		return nil, fmt.Errorf("not a list")
+		return nil, fmt.Errorf("invalid container format: expected map")
+	}
+	if n.Length() != 1 {
+		return nil, fmt.Errorf("invalid container format: expected single version key")
 	}
 
-	ctn := make(Reader, n.Length())
+	// get the first (and only) key-value pair
+	it := n.MapIterator()
+	key, tokensNode, err := it.Next()
+	if err != nil {
+		return nil, err
+	}
 
-	it := n.ListIterator()
+	version, err := key.AsString()
-	for !it.Done() {
+	if err != nil {
-		_, val, err := it.Next()
+		return nil, fmt.Errorf("invalid container format: version must be string")
+	}
+	if version != containerVersionTag {
+		return nil, fmt.Errorf("unsupported container version: %s", version)
+	}
+
+	if tokensNode.Kind() != datamodel.Kind_List {
+		return nil, fmt.Errorf("invalid container format: tokens must be a list")
+	}
+
+	ctn := make(Reader, tokensNode.Length())
+	it2 := tokensNode.ListIterator()
+	for !it2.Done() {
+		_, val, err := it2.Next()
 		if err != nil {
 			return nil, err
 		}
@@ -108,8 +94,122 @@ func FromCbor(r io.Reader) (Reader, error) {
 	return ctn, nil
 }
 
-func FromCborBase64(r io.Reader) (Reader, error) {
+// GetToken returns an arbitrary decoded token, from its CID.
-	return FromCbor(base64.NewDecoder(base64.StdEncoding, r))
+// If not found, ErrNotFound is returned.
+func (ctn Reader) GetToken(cid cid.Cid) (token.Token, error) {
+	bndl, ok := ctn[cid]
+	if !ok {
+		return nil, ErrNotFound
+	}
+	return bndl.token, nil
+}
+
+// GetSealed returns an arbitrary sealed token, from its CID.
+// If not found, ErrNotFound is returned.
+func (ctn Reader) GetSealed(cid cid.Cid) ([]byte, error) {
+	bndl, ok := ctn[cid]
+	if !ok {
+		return nil, ErrNotFound
+	}
+	return bndl.sealed, nil
+}
+
+// GetAllTokens return all the tokens in the container.
+func (ctn Reader) GetAllTokens() iter.Seq[token.Bundle] {
+	return func(yield func(token.Bundle) bool) {
+		for c, bndl := range ctn {
+			if !yield(token.Bundle{
+				Cid:     c,
+				Decoded: bndl.token,
+				Sealed:  bndl.sealed,
+			}) {
+				return
+			}
+		}
+	}
+}
+
+// GetDelegation is the same as GetToken but only return a delegation.Token, with the right type.
+// If not found, delegation.ErrDelegationNotFound is returned.
+func (ctn Reader) GetDelegation(cid cid.Cid) (*delegation.Token, error) {
+	tkn, err := ctn.GetToken(cid)
+	if err != nil { // only ErrNotFound expected
+		return nil, delegation.ErrDelegationNotFound
+	}
+	if tkn, ok := tkn.(*delegation.Token); ok {
+		return tkn, nil
+	}
+	return nil, delegation.ErrDelegationNotFound
+}
+
+// GetDelegationBundle is the same as GetToken but only return a delegation.Bundle, with the right type.
+// If not found, delegation.ErrDelegationNotFound is returned.
+func (ctn Reader) GetDelegationBundle(cid cid.Cid) (*delegation.Bundle, error) {
+	bndl, ok := ctn[cid]
+	if !ok {
+		return nil, delegation.ErrDelegationNotFound
+	}
+	if tkn, ok := bndl.token.(*delegation.Token); ok {
+		return &delegation.Bundle{
+			Cid:     cid,
+			Decoded: tkn,
+			Sealed:  bndl.sealed,
+		}, nil
+	}
+	return nil, delegation.ErrDelegationNotFound
+}
+
+// GetAllDelegations returns all the delegation.Token in the container.
+func (ctn Reader) GetAllDelegations() iter.Seq[*delegation.Bundle] {
+	return func(yield func(*delegation.Bundle) bool) {
+		for c, bndl := range ctn {
+			if t, ok := bndl.token.(*delegation.Token); ok {
+				if !yield(&delegation.Bundle{
+					Cid:     c,
+					Decoded: t,
+					Sealed:  bndl.sealed,
+				}) {
+					return
+				}
+			}
+		}
+	}
+}
+
+// GetInvocation returns a single invocation.Token.
+// If none are found, ErrNotFound is returned.
+// If more than one invocation exists, ErrMultipleInvocations is returned.
+func (ctn Reader) GetInvocation() (*invocation.Token, error) {
+	var res *invocation.Token
+	for _, bndl := range ctn {
+		if inv, ok := bndl.token.(*invocation.Token); ok {
+			if res != nil {
+				return nil, ErrMultipleInvocations
+			}
+			res = inv
+		}
+	}
+	if res == nil {
+		return nil, ErrNotFound
+	}
+	return res, nil
+}
+
+// GetAllInvocations returns all the invocation.Token in the container.
+func (ctn Reader) GetAllInvocations() iter.Seq[invocation.Bundle] {
+	return func(yield func(invocation.Bundle) bool) {
+		for c, bndl := range ctn {
+			if t, ok := bndl.token.(*invocation.Token); ok {
+				if !yield(invocation.Bundle{
+					Cid:     c,
+					Decoded: t,
+					Sealed:  bndl.sealed,
+				}) {
+					return
+				}
+			}
+		}
+	}
 }
 
 func (ctn Reader) addToken(data []byte) error {
@@ -117,6 +217,19 @@ func (ctn Reader) addToken(data []byte) error {
 	if err != nil {
 		return err
 	}
-	ctn[c] = tkn
+	ctn[c] = bundle{
+		sealed: data,
+		token:  tkn,
+	}
 	return nil
 }
+
+// ToWriter convert a container Reader into a Writer.
+// Most likely, you only want to use this in tests for convenience.
+func (ctn Reader) ToWriter() Writer {
+	writer := NewWriter()
+	for _, bndl := range ctn {
+		writer.AddSealed(bndl.sealed)
+	}
+	return writer
+}

pkg/container/serial_test.go

@@ -9,27 +9,36 @@ import (
 	"testing"
 	"time"
 
+	"code.sonr.org/go/did-it"
+	"code.sonr.org/go/did-it/controller/did-key"
+	"code.sonr.org/go/did-it/crypto/ed25519"
 	"github.com/ipfs/go-cid"
-	"github.com/libp2p/go-libp2p/core/crypto"
 	"github.com/stretchr/testify/require"
 
-	"github.com/ucan-wg/go-ucan/did"
+	"code.sonr.org/go/ucan/pkg/command"
-	"github.com/ucan-wg/go-ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/policy"
-	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
-	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
+	"code.sonr.org/go/ucan/token/delegation"
-	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
 func TestContainerRoundTrip(t *testing.T) {
 	for _, tc := range []struct {
-		name   string
+		name           string
-		writer func(ctn Writer, w io.Writer) error
+		expectedHeader header
-		reader func(io.Reader) (Reader, error)
+		writer         any
 	}{
-		{"car", Writer.ToCar, FromCar},
+		{"Bytes", headerRawBytes, Writer.ToBytes},
-		{"carBase64", Writer.ToCarBase64, FromCarBase64},
+		{"BytesWriter", headerRawBytes, Writer.ToBytesWriter},
-		{"cbor", Writer.ToCbor, FromCbor},
+		{"BytesGzipped", headerRawBytesGzip, Writer.ToBytesGzipped},
-		{"cborBase64", Writer.ToCborBase64, FromCborBase64},
+		{"BytesGzippedWriter", headerRawBytesGzip, Writer.ToBytesGzippedWriter},
+		{"Base64StdPadding", headerBase64StdPadding, Writer.ToBase64StdPadding},
+		{"Base64StdPaddingWriter", headerBase64StdPadding, Writer.ToBase64StdPaddingWriter},
+		{"Base64StdPaddingGzipped", headerBase64StdPaddingGzip, Writer.ToBase64StdPaddingGzipped},
+		{"Base64StdPaddingGzippedWriter", headerBase64StdPaddingGzip, Writer.ToBase64StdPaddingGzippedWriter},
+		{"Base64URL", headerBase64URL, Writer.ToBase64URL},
+		{"Base64URLWriter", headerBase64URL, Writer.ToBase64URLWriter},
+		{"Base64URLGzipped", headerBase64URLGzip, Writer.ToBase64URLGzipped},
+		{"Base64URLGzipWriter", headerBase64URLGzip, Writer.ToBase64URLGzipWriter},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			tokens := make(map[cid.Cid]*delegation.Token)
@@ -39,21 +48,53 @@ func TestContainerRoundTrip(t *testing.T) {
 
 			for i := 0; i < 10; i++ {
 				dlg, c, data := randToken()
-				writer.AddSealed(c, data)
+				writer.AddSealed(data)
 				tokens[c] = dlg
 				dataSize += len(data)
 			}
 
-			buf := bytes.NewBuffer(nil)
+			var reader Reader
+			var serialLen int
 
-			err := tc.writer(writer, buf)
+			switch fn := tc.writer.(type) {
-			require.NoError(t, err)
+			case func(ctn Writer, w io.Writer) error:
+				buf := bytes.NewBuffer(nil)
+				err := fn(writer, buf)
+				require.NoError(t, err)
+				serialLen = buf.Len()
 
-			t.Logf("data size %d", dataSize)
+				h, err := buf.ReadByte()
-			t.Logf("container overhead: %d%%, %d bytes", int(float32(buf.Len()-dataSize)/float32(dataSize)*100.0), buf.Len()-dataSize)
+				require.NoError(t, err)
+				require.Equal(t, byte(tc.expectedHeader), h)
+				err = buf.UnreadByte()
+				require.NoError(t, err)
 
-			reader, err := tc.reader(bytes.NewReader(buf.Bytes()))
+				reader, err = FromReader(bytes.NewReader(buf.Bytes()))
-			require.NoError(t, err)
+				require.NoError(t, err)
+
+			case func(ctn Writer) ([]byte, error):
+				b, err := fn(writer)
+				require.NoError(t, err)
+				serialLen = len(b)
+
+				require.Equal(t, byte(tc.expectedHeader), b[0])
+
+				reader, err = FromBytes(b)
+				require.NoError(t, err)
+
+			case func(ctn Writer) (string, error):
+				s, err := fn(writer)
+				require.NoError(t, err)
+				serialLen = len(s)
+
+				require.Equal(t, byte(tc.expectedHeader), s[0])
+
+				reader, err = FromString(s)
+				require.NoError(t, err)
+			}
+
+			t.Logf("data size %d, container size %d, overhead: %d%%, %d bytes",
+				dataSize, serialLen, int(float32(serialLen-dataSize)/float32(dataSize)*100.0), serialLen-dataSize)
 
 			for c, dlg := range tokens {
 				tknRead, err := reader.GetToken(c)
@@ -98,16 +139,18 @@ func BenchmarkContainerSerialisation(b *testing.B) {
 		writer func(ctn Writer, w io.Writer) error
 		reader func(io.Reader) (Reader, error)
 	}{
-		{"car", Writer.ToCar, FromCar},
+		{"Bytes", Writer.ToBytesWriter, FromReader},
-		{"carBase64", Writer.ToCarBase64, FromCarBase64},
+		{"BytesGzipped", Writer.ToBytesGzippedWriter, FromReader},
-		{"cbor", Writer.ToCbor, FromCbor},
+		{"Base64StdPadding", Writer.ToBase64StdPaddingWriter, FromReader},
-		{"cborBase64", Writer.ToCborBase64, FromCborBase64},
+		{"Base64StdPaddingGzipped", Writer.ToBase64StdPaddingGzippedWriter, FromReader},
+		{"Base64URL", Writer.ToBase64URLWriter, FromReader},
+		{"Base64URLGzip", Writer.ToBase64URLGzipWriter, FromReader},
 	} {
 		writer := NewWriter()
 
 		for i := 0; i < 10; i++ {
-			_, c, data := randToken()
+			_, _, data := randToken()
-			writer.AddSealed(c, data)
+			writer.AddSealed(data)
 		}
 
 		buf := bytes.NewBuffer(nil)
@@ -130,27 +173,18 @@ func BenchmarkContainerSerialisation(b *testing.B) {
 	}
 }
 
-func randBytes(n int) []byte {
+func randDID() (ed25519.PrivateKey, did.DID) {
-	b := make([]byte, n)
+	_, privKey, err := ed25519.GenerateKeyPair()
-	_, _ = rand.Read(b)
-	return b
-}
-
-func randDID() (crypto.PrivKey, did.DID) {
-	privKey, _, err := crypto.GenerateEd25519Key(rand.Reader)
-	if err != nil {
-		panic(err)
-	}
-	d, err := did.FromPrivKey(privKey)
 	if err != nil {
 		panic(err)
 	}
+	d := didkeyctl.FromPrivateKey(privKey)
 	return privKey, d
 }
 
 func randomString(length int) string {
 	b := make([]byte, length/2+1)
-	rand.Read(b)
+	_, _ = rand.Read(b)
 	return fmt.Sprintf("%x", b)[0:length]
 }
 
@@ -166,13 +200,12 @@ func randToken() (*delegation.Token, cid.Cid, []byte) {
 
 	opts := []delegation.Option{
 		delegation.WithExpiration(time.Now().Add(time.Hour)),
-		delegation.WithSubject(iss),
 	}
 	for i := 0; i < 3; i++ {
 		opts = append(opts, delegation.WithMeta(randomString(8), randomString(10)))
 	}
 
-	t, err := delegation.New(priv, aud, cmd, pol, opts...)
+	t, err := delegation.Root(iss, aud, cmd, pol, opts...)
 	if err != nil {
 		panic(err)
 	}
@@ -182,3 +215,29 @@ func randToken() (*delegation.Token, cid.Cid, []byte) {
 	}
 	return t, c, b
 }
+
+func FuzzContainerRead(f *testing.F) {
+	// Generate a corpus
+	for tokenCount := 0; tokenCount < 10; tokenCount++ {
+		writer := NewWriter()
+		for i := 0; i < tokenCount; i++ {
+			_, _, data := randToken()
+			writer.AddSealed(data)
+		}
+		data, err := writer.ToBytes()
+		require.NoError(f, err)
+
+		f.Add(data)
+	}
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		start := time.Now()
+
+		// search for panics
+		_, _ = FromBytes(data)
+
+		if time.Since(start) > 100*time.Millisecond {
+			panic("too long")
+		}
+	})
+}

pkg/container/writer.go

@@ -1,61 +1,145 @@
 package container
 
 import (
-	"encoding/base64"
+	"bytes"
 	"io"
+	"slices"
 
-	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
-	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/cbor"
 	"github.com/ipld/go-ipld-prime/datamodel"
 	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 )
 
-// TODO: should we have a multibase to wrap the cbor? but there is no reader/write in go-multibase :-(
-
 // Writer is a token container writer. It provides a convenient way to aggregate and serialize tokens together.
-type Writer map[cid.Cid][]byte
+type Writer map[string]struct{}
 
 func NewWriter() Writer {
 	return make(Writer)
 }
 
 // AddSealed includes a "sealed" token (serialized with a ToSealed* function) in the container.
-func (ctn Writer) AddSealed(cid cid.Cid, data []byte) {
+func (ctn Writer) AddSealed(data []byte) {
-	ctn[cid] = data
+	ctn[string(data)] = struct{}{}
 }
 
-func (ctn Writer) ToCar(w io.Writer) error {
+// ToBytes encode the container into raw bytes.
-	return writeCar(w, nil, func(yield func(carBlock, error) bool) {
+func (ctn Writer) ToBytes() ([]byte, error) {
-		for c, bytes := range ctn {
+	return ctn.toBytes(headerRawBytes)
-			if !yield(carBlock{c: c, data: bytes}, nil) {
+}
-				return
+
+// ToBytesWriter is the same as ToBytes, but with an io.Writer.
+func (ctn Writer) ToBytesWriter(w io.Writer) error {
+	return ctn.toWriter(headerRawBytes, w)
+}
+
+// ToBytesGzipped encode the container into gzipped bytes.
+func (ctn Writer) ToBytesGzipped() ([]byte, error) {
+	return ctn.toBytes(headerRawBytesGzip)
+}
+
+// ToBytesGzippedWriter is the same as ToBytesGzipped, but with an io.Writer.
+func (ctn Writer) ToBytesGzippedWriter(w io.Writer) error {
+	return ctn.toWriter(headerRawBytesGzip, w)
+}
+
+// ToBase64StdPadding encode the container into a base64 string, with standard encoding and padding.
+func (ctn Writer) ToBase64StdPadding() (string, error) {
+	return ctn.toString(headerBase64StdPadding)
+}
+
+// ToBase64StdPaddingWriter is the same as ToBase64StdPadding, but with an io.Writer.
+func (ctn Writer) ToBase64StdPaddingWriter(w io.Writer) error {
+	return ctn.toWriter(headerBase64StdPadding, w)
+}
+
+// ToBase64StdPaddingGzipped encode the container into a pre-gzipped base64 string, with standard encoding and padding.
+func (ctn Writer) ToBase64StdPaddingGzipped() (string, error) {
+	return ctn.toString(headerBase64StdPaddingGzip)
+}
+
+// ToBase64StdPaddingGzippedWriter is the same as ToBase64StdPaddingGzipped, but with an io.Writer.
+func (ctn Writer) ToBase64StdPaddingGzippedWriter(w io.Writer) error {
+	return ctn.toWriter(headerBase64StdPaddingGzip, w)
+}
+
+// ToBase64URL encode the container into base64 string, with URL-safe encoding and no padding.
+func (ctn Writer) ToBase64URL() (string, error) {
+	return ctn.toString(headerBase64URL)
+}
+
+// ToBase64URLWriter is the same as ToBase64URL, but with an io.Writer.
+func (ctn Writer) ToBase64URLWriter(w io.Writer) error {
+	return ctn.toWriter(headerBase64URL, w)
+}
+
+// ToBase64URLGzipped encode the container into pre-gzipped base64 string, with URL-safe encoding and no padding.
+func (ctn Writer) ToBase64URLGzipped() (string, error) {
+	return ctn.toString(headerBase64URLGzip)
+}
+
+// ToBase64URLGzipWriter is the same as ToBase64URL, but with an io.Writer.
+func (ctn Writer) ToBase64URLGzipWriter(w io.Writer) error {
+	return ctn.toWriter(headerBase64URLGzip, w)
+}
+
+func (ctn Writer) toBytes(header header) ([]byte, error) {
+	var buf bytes.Buffer
+	err := ctn.toWriter(header, &buf)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+func (ctn Writer) toString(header header) (string, error) {
+	var buf bytes.Buffer
+	err := ctn.toWriter(header, &buf)
+	if err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}
+
+func (ctn Writer) toWriter(header header, w io.Writer) (err error) {
+	encoder := header.encoder(w)
+
+	defer func() {
+		err = encoder.Close()
+	}()
+	node, err := qp.BuildMap(basicnode.Prototype.Any, 1, func(ma datamodel.MapAssembler) {
+		qp.MapEntry(ma, containerVersionTag, qp.List(int64(len(ctn)), func(la datamodel.ListAssembler) {
+			tokens := make([][]byte, 0, len(ctn))
+			for data := range ctn {
+				tokens = append(tokens, []byte(data))
 			}
-		}
+			slices.SortFunc(tokens, bytes.Compare)
-	})
+			for _, data := range tokens {
-}
+				qp.ListEntry(la, qp.Bytes(data))
-
+			}
-func (ctn Writer) ToCarBase64(w io.Writer) error {
+		}))
-	w2 := base64.NewEncoder(base64.StdEncoding, w)
-	defer w2.Close()
-	return ctn.ToCar(w2)
-}
-
-func (ctn Writer) ToCbor(w io.Writer) error {
-	node, err := qp.BuildList(basicnode.Prototype.Any, int64(len(ctn)), func(la datamodel.ListAssembler) {
-		for _, bytes := range ctn {
-			qp.ListEntry(la, qp.Bytes(bytes))
-		}
 	})
 	if err != nil {
 		return err
 	}
-	return ipld.EncodeStreaming(w, node, dagcbor.Encode)
+
+	return ipld.EncodeStreaming(encoder, node, cbor.Encode)
 }
 
-func (ctn Writer) ToCborBase64(w io.Writer) error {
+// ToReader convert a container Writer into a Reader.
-	w2 := base64.NewEncoder(base64.StdEncoding, w)
+// Most likely, you only want to use this in tests for convenience.
-	defer w2.Close()
+// This is not optimized and can panic.
-	return ctn.ToCbor(w2)
+func (ctn Writer) ToReader() Reader {
+	data, err := ctn.ToBytes()
+	if err != nil {
+		panic(err)
+	}
+
+	reader, err := FromBytes(data)
+	if err != nil {
+		panic(err)
+	}
+
+	return reader
 }

pkg/container/writer_test.go

@@ -0,0 +1,18 @@
+package container
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestWriterDedup(t *testing.T) {
+	ctn := NewWriter()
+
+	_, _, sealed := randToken()
+	ctn.AddSealed(sealed)
+	require.Len(t, ctn, 1)
+
+	ctn.AddSealed(sealed)
+	require.Len(t, ctn, 1)
+}

pkg/meta/meta.go

@@ -3,23 +3,28 @@ package meta
 import (
 	"errors"
 	"fmt"
-	"reflect"
+	"iter"
+	"sort"
 	"strings"
 
 	"github.com/ipld/go-ipld-prime"
-	"github.com/ipld/go-ipld-prime/datamodel"
-	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/ipld/go-ipld-prime/printer"
+
+	"code.sonr.org/go/ucan/pkg/policy/literal"
+	"code.sonr.org/go/ucan/pkg/secretbox"
 )
 
-var ErrUnsupported = errors.New("failure adding unsupported type to meta")
+var ErrNotFound = errors.New("key not found in meta")
 
-var ErrNotFound = errors.New("key-value not found in meta")
+var ErrNotEncryptable = errors.New("value of this type cannot be encrypted")
 
 // Meta is a container for meta key-value pairs in a UCAN token.
-// This also serves as a way to construct the underlying IPLD data with minimum allocations and transformations,
+// This also serves as a way to construct the underlying IPLD data with minimum allocations
-// while hiding the IPLD complexity from the caller.
+// and transformations, while hiding the IPLD complexity from the caller.
 type Meta struct {
+	// This type must be compatible with the IPLD type represented by the IPLD
+	// schema { String : Any }.
+
 	Keys   []string
 	Values map[string]ipld.Node
 }
@@ -51,6 +56,21 @@ func (m *Meta) GetString(key string) (string, error) {
 	return v.AsString()
 }
 
+// GetEncryptedString decorates GetString and decrypt its output with the given symmetric encryption key.
+func (m *Meta) GetEncryptedString(key string, encryptionKey []byte) (string, error) {
+	v, err := m.GetBytes(key)
+	if err != nil {
+		return "", err
+	}
+
+	decrypted, err := secretbox.DecryptStringWithKey(v, encryptionKey)
+	if err != nil {
+		return "", err
+	}
+
+	return string(decrypted), nil
+}
+
 // GetInt64 retrieves a value as an int64.
 // Returns ErrNotFound if the given key is missing.
 // Returns datamodel.ErrWrongKind if the value has the wrong type.
@@ -84,9 +104,23 @@ func (m *Meta) GetBytes(key string) ([]byte, error) {
 	return v.AsBytes()
 }
 
+// GetEncryptedBytes decorates GetBytes and decrypt its output with the given symmetric encryption key.
+func (m *Meta) GetEncryptedBytes(key string, encryptionKey []byte) ([]byte, error) {
+	v, err := m.GetBytes(key)
+	if err != nil {
+		return nil, err
+	}
+
+	decrypted, err := secretbox.DecryptStringWithKey(v, encryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return decrypted, nil
+}
+
 // GetNode retrieves a value as a raw IPLD node.
 // Returns ErrNotFound if the given key is missing.
-// Returns datamodel.ErrWrongKind if the value has the wrong type.
 func (m *Meta) GetNode(key string) (ipld.Node, error) {
 	v, ok := m.Values[key]
 	if !ok {
@@ -96,35 +130,84 @@ func (m *Meta) GetNode(key string) (ipld.Node, error) {
 }
 
 // Add adds a key/value pair in the meta set.
-// Accepted types for the value are: bool, string, int, int32, int64, []byte,
+// Accepted types for val are any CBOR compatible type, or directly IPLD values.
-// and ipld.Node.
 func (m *Meta) Add(key string, val any) error {
-	switch val := val.(type) {
+	if _, ok := m.Values[key]; ok {
-	case bool:
+		return fmt.Errorf("duplicate key %q", key)
-		m.Values[key] = basicnode.NewBool(val)
-	case string:
-		m.Values[key] = basicnode.NewString(val)
-	case int:
-		m.Values[key] = basicnode.NewInt(int64(val))
-	case int32:
-		m.Values[key] = basicnode.NewInt(int64(val))
-	case int64:
-		m.Values[key] = basicnode.NewInt(val)
-	case float32:
-		m.Values[key] = basicnode.NewFloat(float64(val))
-	case float64:
-		m.Values[key] = basicnode.NewFloat(val)
-	case []byte:
-		m.Values[key] = basicnode.NewBytes(val)
-	case datamodel.Node:
-		m.Values[key] = val
-	default:
-		return fmt.Errorf("%w: %s", ErrUnsupported, fqtn(val))
 	}
+
+	node, err := literal.Any(val)
+	if err != nil {
+		return err
+	}
+
 	m.Keys = append(m.Keys, key)
+	m.Values[key] = node
+
 	return nil
 }
 
+// AddEncrypted adds a key/value pair in the meta set.
+// The value is encrypted with the given encryptionKey.
+// Accepted types for the value are: string, []byte.
+// The ciphertext will be 40 bytes larger than the plaintext due to encryption overhead.
+func (m *Meta) AddEncrypted(key string, val any, encryptionKey []byte) error {
+	var encrypted []byte
+	var err error
+
+	switch val := val.(type) {
+	case string:
+		encrypted, err = secretbox.EncryptWithKey([]byte(val), encryptionKey)
+		if err != nil {
+			return err
+		}
+	case []byte:
+		encrypted, err = secretbox.EncryptWithKey(val, encryptionKey)
+		if err != nil {
+			return err
+		}
+	default:
+		return ErrNotEncryptable
+	}
+
+	return m.Add(key, encrypted)
+}
+
+type Iterator interface {
+	Iter() iter.Seq2[string, ipld.Node]
+}
+
+// Include merges the provided meta into the existing one.
+//
+// If duplicate keys are encountered, the new value is silently dropped
+// without causing an error.
+func (m *Meta) Include(other Iterator) {
+	for key, value := range other.Iter() {
+		if _, ok := m.Values[key]; ok {
+			// don't overwrite
+			continue
+		}
+		m.Values[key] = value
+		m.Keys = append(m.Keys, key)
+	}
+}
+
+// Len returns the number of key/values.
+func (m *Meta) Len() int {
+	return len(m.Values)
+}
+
+// Iter iterates over the meta key/values
+func (m *Meta) Iter() iter.Seq2[string, ipld.Node] {
+	return func(yield func(string, ipld.Node) bool) {
+		for _, key := range m.Keys {
+			if !yield(key, m.Values[key]) {
+				return
+			}
+		}
+	}
+}
+
 // Equals tells if two Meta hold the same key/values.
 func (m *Meta) Equals(other *Meta) bool {
 	if len(m.Keys) != len(other.Keys) {
@@ -142,32 +225,41 @@ func (m *Meta) Equals(other *Meta) bool {
 }
 
 func (m *Meta) String() string {
+	sort.Strings(m.Keys)
+
 	buf := strings.Builder{}
 	buf.WriteString("{")
 
-	var i int
 	for key, node := range m.Values {
-		if i > 0 {
+		buf.WriteString("\n\t")
-			buf.WriteString(", ")
-		}
-		i++
 		buf.WriteString(key)
-		buf.WriteString(":")
+		buf.WriteString(": ")
-		buf.WriteString(printer.Sprint(node))
+		buf.WriteString(strings.ReplaceAll(printer.Sprint(node), "\n", "\n\t"))
+		buf.WriteString(",")
 	}
 
+	if len(m.Values) > 0 {
+		buf.WriteString("\n")
+	}
 	buf.WriteString("}")
+
 	return buf.String()
 }
 
-func fqtn(val any) string {
+// ReadOnly returns a read-only version of Meta.
-	var name string
+func (m *Meta) ReadOnly() ReadOnly {
-
+	return ReadOnly{meta: m}
-	t := reflect.TypeOf(val)
+}
-	for t.Kind() == reflect.Pointer {
+
-		name += "*"
+// Clone makes a deep copy.
-		t = t.Elem()
+func (m *Meta) Clone() *Meta {
-	}
+	res := &Meta{
-
+		Keys:   make([]string, len(m.Keys)),
-	return name + t.PkgPath() + "." + t.Name()
+		Values: make(map[string]ipld.Node, len(m.Values)),
+	}
+	copy(res.Keys, m.Keys)
+	for k, v := range m.Values {
+		res.Values[k] = v
+	}
+	return res
 }

pkg/meta/meta_test.go

@@ -1,11 +1,15 @@
 package meta_test
 
 import (
+	"crypto/rand"
+	"maps"
 	"testing"
 
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
 	"github.com/stretchr/testify/require"
-	"github.com/ucan-wg/go-ucan/pkg/meta"
+
-	"gotest.tools/v3/assert"
+	"code.sonr.org/go/ucan/pkg/meta"
 )
 
 func TestMeta_Add(t *testing.T) {
@@ -13,11 +17,114 @@ func TestMeta_Add(t *testing.T) {
 
 	type Unsupported struct{}
 
-	t.Run("error if not primative or Node", func(t *testing.T) {
+	t.Run("error if not primitive or Node", func(t *testing.T) {
 		t.Parallel()
 
 		err := (&meta.Meta{}).Add("invalid", &Unsupported{})
-		require.ErrorIs(t, err, meta.ErrUnsupported)
+		require.Error(t, err)
-		assert.ErrorContains(t, err, "*github.com/ucan-wg/go-ucan/pkg/meta_test.Unsupported")
+	})
+
+	t.Run("encrypted meta", func(t *testing.T) {
+		t.Parallel()
+
+		key := make([]byte, 32)
+		_, err := rand.Read(key)
+		require.NoError(t, err)
+
+		m := meta.NewMeta()
+
+		// string encryption
+		err = m.AddEncrypted("secret", "hello world", key)
+		require.NoError(t, err)
+
+		_, err = m.GetString("secret")
+		require.Error(t, err) // the ciphertext is saved as []byte instead of string
+
+		decrypted, err := m.GetEncryptedString("secret", key)
+		require.NoError(t, err)
+		require.Equal(t, "hello world", decrypted)
+
+		// bytes encryption
+		originalBytes := make([]byte, 128)
+		_, err = rand.Read(originalBytes)
+		require.NoError(t, err)
+		err = m.AddEncrypted("secret-bytes", originalBytes, key)
+		require.NoError(t, err)
+
+		encryptedBytes, err := m.GetBytes("secret-bytes")
+		require.NoError(t, err)
+		require.NotEqual(t, originalBytes, encryptedBytes)
+
+		decryptedBytes, err := m.GetEncryptedBytes("secret-bytes", key)
+		require.NoError(t, err)
+		require.Equal(t, originalBytes, decryptedBytes)
+
+		// error cases
+		t.Run("error on unsupported type", func(t *testing.T) {
+			err := m.AddEncrypted("invalid", 123, key)
+			require.ErrorIs(t, err, meta.ErrNotEncryptable)
+		})
+
+		t.Run("error on invalid key size", func(t *testing.T) {
+			err := m.AddEncrypted("invalid", "test", []byte("short-key"))
+			require.Error(t, err)
+			require.Contains(t, err.Error(), "invalid key size")
+		})
+
+		t.Run("error on nil key", func(t *testing.T) {
+			err := m.AddEncrypted("invalid", "test", nil)
+			require.Error(t, err)
+			require.Contains(t, err.Error(), "encryption key is required")
+		})
 	})
 }
+
+func TestIterCloneEquals(t *testing.T) {
+	m := meta.NewMeta()
+
+	require.NoError(t, m.Add("foo", "bar"))
+	require.NoError(t, m.Add("baz", 1234))
+
+	expected := map[string]ipld.Node{
+		"foo": basicnode.NewString("bar"),
+		"baz": basicnode.NewInt(1234),
+	}
+
+	// meta -> iter
+	require.Equal(t, expected, maps.Collect(m.Iter()))
+
+	// readonly -> iter
+	ro := m.ReadOnly()
+	require.Equal(t, expected, maps.Collect(ro.Iter()))
+
+	// meta -> clone -> iter
+	clone := m.Clone()
+	require.Equal(t, expected, maps.Collect(clone.Iter()))
+
+	// readonly -> WriteableClone -> iter
+	wclone := ro.WriteableClone()
+	require.Equal(t, expected, maps.Collect(wclone.Iter()))
+
+	require.True(t, m.Equals(wclone))
+	require.True(t, ro.Equals(wclone.ReadOnly()))
+}
+
+func TestInclude(t *testing.T) {
+	m1 := meta.NewMeta()
+
+	require.NoError(t, m1.Add("samekey", "bar"))
+	require.NoError(t, m1.Add("baz", 1234))
+
+	m2 := meta.NewMeta()
+
+	require.NoError(t, m2.Add("samekey", "othervalue")) // check no overwrite
+	require.NoError(t, m2.Add("otherkey", 1234))
+
+	m1.Include(m2)
+
+	require.Equal(t, map[string]ipld.Node{
+		"samekey":  basicnode.NewString("bar"),
+		"baz":      basicnode.NewInt(1234),
+		"otherkey": basicnode.NewInt(1234),
+	}, maps.Collect(m1.Iter()))
+}

pkg/meta/readonly.go

@@ -0,0 +1,64 @@
+package meta
+
+import (
+	"iter"
+
+	"github.com/ipld/go-ipld-prime"
+)
+
+// ReadOnly wraps a Meta into a read-only facade.
+type ReadOnly struct {
+	meta *Meta
+}
+
+func (r ReadOnly) GetBool(key string) (bool, error) {
+	return r.meta.GetBool(key)
+}
+
+func (r ReadOnly) GetString(key string) (string, error) {
+	return r.meta.GetString(key)
+}
+
+func (r ReadOnly) GetEncryptedString(key string, encryptionKey []byte) (string, error) {
+	return r.meta.GetEncryptedString(key, encryptionKey)
+}
+
+func (r ReadOnly) GetInt64(key string) (int64, error) {
+	return r.meta.GetInt64(key)
+}
+
+func (r ReadOnly) GetFloat64(key string) (float64, error) {
+	return r.meta.GetFloat64(key)
+}
+
+func (r ReadOnly) GetBytes(key string) ([]byte, error) {
+	return r.meta.GetBytes(key)
+}
+
+func (r ReadOnly) GetEncryptedBytes(key string, encryptionKey []byte) ([]byte, error) {
+	return r.meta.GetEncryptedBytes(key, encryptionKey)
+}
+
+func (r ReadOnly) GetNode(key string) (ipld.Node, error) {
+	return r.meta.GetNode(key)
+}
+
+func (r ReadOnly) Len() int {
+	return r.meta.Len()
+}
+
+func (r ReadOnly) Iter() iter.Seq2[string, ipld.Node] {
+	return r.meta.Iter()
+}
+
+func (r ReadOnly) Equals(other ReadOnly) bool {
+	return r.meta.Equals(other.meta)
+}
+
+func (r ReadOnly) String() string {
+	return r.meta.String()
+}
+
+func (r ReadOnly) WriteableClone() *Meta {
+	return r.meta.Clone()
+}

pkg/policy/ipld.go

@@ -9,10 +9,15 @@ import (
 	"github.com/ipld/go-ipld-prime/must"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
 
-	"github.com/ucan-wg/go-ucan/pkg/policy/selector"
+	"code.sonr.org/go/ucan/pkg/policy/limits"
+	"code.sonr.org/go/ucan/pkg/policy/selector"
 )
 
 func FromIPLD(node datamodel.Node) (Policy, error) {
+	if err := limits.ValidateIntegerBoundsIPLD(node); err != nil {
+		return nil, fmt.Errorf("policy contains integer values outside safe bounds: %w", err)
+	}
+
 	return statementsFromIPLD("/", node)
 }
 
@@ -76,7 +81,7 @@ func statementFromIPLD(path string, node datamodel.Node) (Statement, error) {
 		}
 	case 3:
 		switch op {
-		case KindEqual, KindLessThan, KindLessThanOrEqual, KindGreaterThan, KindGreaterThanOrEqual:
+		case KindEqual, KindNotEqual, KindLessThan, KindLessThanOrEqual, KindGreaterThan, KindGreaterThanOrEqual:
 			sel, err := arg2AsSelector(op)
 			if err != nil {
 				return nil, err

pkg/policy/ipld_test.go

@@ -21,10 +21,31 @@ func TestIpldRoundTrip(t *testing.T) {
   ]
 ]`
 
+	// must contain all the operators
+	const allOps = `
+[
+  ["and", [
+    ["==", ".foo1", ".bar1"],
+    ["!=", ".foo2", ".bar2"]
+  ]],
+  ["or", [
+    [">", ".foo5", 5.2],
+    [">=", ".foo6", 6.2]
+  ]],
+  ["not", ["like", ".foo7", "*@example.com"]],
+  ["all", ".foo8",
+    ["<", ".foo3", 3]
+  ],
+  ["any", ".foo9",
+    ["<=", ".foo4", 4]
+  ]
+]`
+
 	for _, tc := range []struct {
 		name, dagJsonStr string
 	}{
 		{"illustrativeExample", illustrativeExample},
+		{"allOps", allOps},
 	} {
 		nodes, err := ipld.Decode([]byte(tc.dagJsonStr), dagjson.Decode)
 		require.NoError(t, err)

pkg/policy/limits/int.go

@@ -0,0 +1,49 @@
+package limits
+
+import (
+	"fmt"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/must"
+)
+
+const (
+	// MaxInt53 represents the maximum safe integer in JavaScript (2^53 - 1)
+	MaxInt53 int64 = 9007199254740991
+	// MinInt53 represents the minimum safe integer in JavaScript (-2^53 + 1)
+	MinInt53 int64 = -9007199254740991
+)
+
+func ValidateIntegerBoundsIPLD(node ipld.Node) error {
+	switch node.Kind() {
+	case ipld.Kind_Int:
+		val := must.Int(node)
+		if val > MaxInt53 || val < MinInt53 {
+			return fmt.Errorf("integer value %d exceeds safe bounds", val)
+		}
+	case ipld.Kind_List:
+		it := node.ListIterator()
+		for !it.Done() {
+			_, v, err := it.Next()
+			if err != nil {
+				return err
+			}
+			if err := ValidateIntegerBoundsIPLD(v); err != nil {
+				return err
+			}
+		}
+	case ipld.Kind_Map:
+		it := node.MapIterator()
+		for !it.Done() {
+			_, v, err := it.Next()
+			if err != nil {
+				return err
+			}
+			if err := ValidateIntegerBoundsIPLD(v); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

pkg/policy/limits/int_test.go

@@ -0,0 +1,82 @@
+package limits
+
+import (
+	"testing"
+
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateIntegerBoundsIPLD(t *testing.T) {
+	buildMap := func() datamodel.Node {
+		nb := basicnode.Prototype.Any.NewBuilder()
+		qp.Map(1, func(ma datamodel.MapAssembler) {
+			qp.MapEntry(ma, "foo", qp.Int(MaxInt53+1))
+		})(nb)
+		return nb.Build()
+	}
+
+	buildList := func() datamodel.Node {
+		nb := basicnode.Prototype.Any.NewBuilder()
+		qp.List(1, func(la datamodel.ListAssembler) {
+			qp.ListEntry(la, qp.Int(MinInt53-1))
+		})(nb)
+		return nb.Build()
+	}
+
+	tests := []struct {
+		name    string
+		input   datamodel.Node
+		wantErr bool
+	}{
+		{
+			name:    "valid int",
+			input:   basicnode.NewInt(42),
+			wantErr: false,
+		},
+		{
+			name:    "max safe int",
+			input:   basicnode.NewInt(MaxInt53),
+			wantErr: false,
+		},
+		{
+			name:    "min safe int",
+			input:   basicnode.NewInt(MinInt53),
+			wantErr: false,
+		},
+		{
+			name:    "above MaxInt53",
+			input:   basicnode.NewInt(MaxInt53 + 1),
+			wantErr: true,
+		},
+		{
+			name:    "below MinInt53",
+			input:   basicnode.NewInt(MinInt53 - 1),
+			wantErr: true,
+		},
+		{
+			name:    "nested map with invalid int",
+			input:   buildMap(),
+			wantErr: true,
+		},
+		{
+			name:    "nested list with invalid int",
+			input:   buildList(),
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateIntegerBoundsIPLD(tt.input)
+			if tt.wantErr {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), "exceeds safe bounds")
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

pkg/policy/literal/literal.go

@@ -2,47 +2,26 @@
 package literal
 
 import (
+	"fmt"
+	"reflect"
+	"sort"
+
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
 	cidlink "github.com/ipld/go-ipld-prime/linking/cid"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
+
+	"code.sonr.org/go/ucan/pkg/policy/limits"
 )
 
-func Bool(val bool) ipld.Node {
+var Bool = basicnode.NewBool
-	nb := basicnode.Prototype.Bool.NewBuilder()
+var Int = basicnode.NewInt
-	nb.AssignBool(val)
+var Float = basicnode.NewFloat
-	return nb.Build()
+var String = basicnode.NewString
-}
+var Bytes = basicnode.NewBytes
-
+var Link = basicnode.NewLink
-func Int(val int64) ipld.Node {
-	nb := basicnode.Prototype.Int.NewBuilder()
-	nb.AssignInt(val)
-	return nb.Build()
-}
-
-func Float(val float64) ipld.Node {
-	nb := basicnode.Prototype.Float.NewBuilder()
-	nb.AssignFloat(val)
-	return nb.Build()
-}
-
-func String(val string) ipld.Node {
-	nb := basicnode.Prototype.String.NewBuilder()
-	nb.AssignString(val)
-	return nb.Build()
-}
-
-func Bytes(val []byte) ipld.Node {
-	nb := basicnode.Prototype.Bytes.NewBuilder()
-	nb.AssignBytes(val)
-	return nb.Build()
-}
-
-func Link(link ipld.Link) ipld.Node {
-	nb := basicnode.Prototype.Link.NewBuilder()
-	nb.AssignLink(link)
-	return nb.Build()
-}
 
 func LinkCid(cid cid.Cid) ipld.Node {
 	return Link(cidlink.Link{Cid: cid})
@@ -53,3 +32,174 @@ func Null() ipld.Node {
 	nb.AssignNull()
 	return nb.Build()
 }
+
+// Map creates an IPLD node from a map[string]any
+func Map[T any](m map[string]T) (ipld.Node, error) {
+	return qp.BuildMap(basicnode.Prototype.Any, int64(len(m)), func(ma datamodel.MapAssembler) {
+		// deterministic iteration
+		keys := make([]string, 0, len(m))
+		for key := range m {
+			keys = append(keys, key)
+		}
+		sort.Strings(keys)
+		for _, key := range keys {
+			qp.MapEntry(ma, key, anyAssemble(m[key]))
+		}
+	})
+}
+
+// List creates an IPLD node from a []any
+func List[T any](l []T) (ipld.Node, error) {
+	return qp.BuildList(basicnode.Prototype.Any, int64(len(l)), func(la datamodel.ListAssembler) {
+		for _, val := range l {
+			qp.ListEntry(la, anyAssemble(val))
+		}
+	})
+}
+
+// Any creates an IPLD node from any value
+// If possible, use another dedicated function for your type for performance.
+func Any(v any) (res ipld.Node, err error) {
+	// some fast path
+	switch val := v.(type) {
+	case bool:
+		return basicnode.NewBool(val), nil
+	case string:
+		return basicnode.NewString(val), nil
+	case int:
+		i := int64(val)
+		if i > limits.MaxInt53 || i < limits.MinInt53 {
+			return nil, fmt.Errorf("integer value %d exceeds safe integer bounds", i)
+		}
+		return basicnode.NewInt(i), nil
+	case int8:
+		return basicnode.NewInt(int64(val)), nil
+	case int16:
+		return basicnode.NewInt(int64(val)), nil
+	case int32:
+		return basicnode.NewInt(int64(val)), nil
+	case int64:
+		if val > limits.MaxInt53 || val < limits.MinInt53 {
+			return nil, fmt.Errorf("integer value %d exceeds safe integer bounds", val)
+		}
+		return basicnode.NewInt(val), nil
+	case uint:
+		return basicnode.NewInt(int64(val)), nil
+	case uint8:
+		return basicnode.NewInt(int64(val)), nil
+	case uint16:
+		return basicnode.NewInt(int64(val)), nil
+	case uint32:
+		return basicnode.NewInt(int64(val)), nil
+	case uint64:
+		if val > uint64(limits.MaxInt53) {
+			return nil, fmt.Errorf("unsigned integer value %d exceeds safe integer bounds", val)
+		}
+		return basicnode.NewInt(int64(val)), nil
+	case float32:
+		return basicnode.NewFloat(float64(val)), nil
+	case float64:
+		return basicnode.NewFloat(val), nil
+	case []byte:
+		return basicnode.NewBytes(val), nil
+	case datamodel.Node:
+		return val, nil
+	case cid.Cid:
+		return LinkCid(val), nil
+	default:
+	}
+
+	builder := basicnode.Prototype__Any{}.NewBuilder()
+
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("%v", r)
+			res = nil
+		}
+	}()
+
+	anyAssemble(v)(builder)
+
+	return builder.Build(), nil
+}
+
+func anyAssemble(val any) qp.Assemble {
+	var rt reflect.Type
+	var rv reflect.Value
+
+	// support for recursive calls, staying in reflection land
+	if cast, ok := val.(reflect.Value); ok {
+		rt = cast.Type()
+		rv = cast
+	} else {
+		rt = reflect.TypeOf(val)
+		rv = reflect.ValueOf(val)
+	}
+
+	// we need to dereference in some cases, to get the real value type
+	if rt.Kind() == reflect.Ptr || rt.Kind() == reflect.Interface {
+		rv = rv.Elem()
+		rt = rv.Type()
+	}
+
+	switch rt.Kind() {
+	case reflect.Array:
+		if rt.Elem().Kind() == reflect.Uint8 {
+			panic("bytes array are not supported yet")
+		}
+		return qp.List(int64(rv.Len()), func(la datamodel.ListAssembler) {
+			for i := range rv.Len() {
+				qp.ListEntry(la, anyAssemble(rv.Index(i)))
+			}
+		})
+	case reflect.Slice:
+		if rt.Elem().Kind() == reflect.Uint8 {
+			return qp.Bytes(val.([]byte))
+		}
+		return qp.List(int64(rv.Len()), func(la datamodel.ListAssembler) {
+			for i := range rv.Len() {
+				qp.ListEntry(la, anyAssemble(rv.Index(i)))
+			}
+		})
+	case reflect.Map:
+		if rt.Key().Kind() != reflect.String {
+			break
+		}
+		// deterministic iteration
+		keys := rv.MapKeys()
+		sort.Slice(keys, func(i, j int) bool {
+			return keys[i].String() < keys[j].String()
+		})
+		return qp.Map(int64(rv.Len()), func(ma datamodel.MapAssembler) {
+			for _, key := range keys {
+				qp.MapEntry(ma, key.String(), anyAssemble(rv.MapIndex(key)))
+			}
+		})
+	case reflect.Bool:
+		return qp.Bool(rv.Bool())
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		i := rv.Int()
+		if i > limits.MaxInt53 || i < limits.MinInt53 {
+			panic(fmt.Sprintf("integer %d exceeds safe bounds", i))
+		}
+		return qp.Int(i)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		u := rv.Uint()
+		if u > uint64(limits.MaxInt53) {
+			panic(fmt.Sprintf("unsigned integer %d exceeds safe bounds", u))
+		}
+		return qp.Int(int64(u))
+	case reflect.Float32, reflect.Float64:
+		return qp.Float(rv.Float())
+	case reflect.String:
+		return qp.String(rv.String())
+	case reflect.Struct:
+		if rt == reflect.TypeOf(cid.Cid{}) {
+			c := rv.Interface().(cid.Cid)
+			return qp.Link(cidlink.Link{Cid: c})
+		}
+	default:
+	}
+
+	panic(fmt.Sprintf("unsupported type %T", val))
+}

pkg/policy/literal/literal_test.go

@@ -0,0 +1,314 @@
+package literal
+
+import (
+	"testing"
+
+	"github.com/ipfs/go-cid"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	cidlink "github.com/ipld/go-ipld-prime/linking/cid"
+	"github.com/ipld/go-ipld-prime/printer"
+	"github.com/stretchr/testify/require"
+
+	"code.sonr.org/go/ucan/pkg/policy/limits"
+)
+
+func TestList(t *testing.T) {
+	n, err := List([]int{1, 2, 3})
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, n.Kind())
+	require.Equal(t, int64(3), n.Length())
+	require.Equal(t, `list{
+	0: int{1}
+	1: int{2}
+	2: int{3}
+}`, printer.Sprint(n))
+
+	n, err = List([][]int{{1, 2, 3}, {4, 5, 6}})
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, n.Kind())
+	require.Equal(t, int64(2), n.Length())
+	require.Equal(t, `list{
+	0: list{
+		0: int{1}
+		1: int{2}
+		2: int{3}
+	}
+	1: list{
+		0: int{4}
+		1: int{5}
+		2: int{6}
+	}
+}`, printer.Sprint(n))
+}
+
+func TestMap(t *testing.T) {
+	n, err := Map(map[string]any{
+		"bool":   true,
+		"string": "foobar",
+		"bytes":  []byte{1, 2, 3, 4},
+		"int":    1234,
+		"uint":   uint(12345),
+		"float":  1.45,
+		"slice":  []int{1, 2, 3},
+		"array":  [2]int{1, 2},
+		"map": map[string]any{
+			"foo": "bar",
+			"foofoo": map[string]string{
+				"barbar": "foo",
+			},
+		},
+		"link": cid.MustParse("bafzbeigai3eoy2ccc7ybwjfz5r3rdxqrinwi4rwytly24tdbh6yk7zslrm"),
+	})
+	require.NoError(t, err)
+
+	v, err := n.LookupByString("bool")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Bool, v.Kind())
+	require.Equal(t, true, must(v.AsBool()))
+
+	v, err = n.LookupByString("string")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_String, v.Kind())
+	require.Equal(t, "foobar", must(v.AsString()))
+
+	v, err = n.LookupByString("bytes")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Bytes, v.Kind())
+	require.Equal(t, []byte{1, 2, 3, 4}, must(v.AsBytes()))
+
+	v, err = n.LookupByString("int")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Int, v.Kind())
+	require.Equal(t, int64(1234), must(v.AsInt()))
+
+	v, err = n.LookupByString("uint")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Int, v.Kind())
+	require.Equal(t, int64(12345), must(v.AsInt()))
+
+	v, err = n.LookupByString("float")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Float, v.Kind())
+	require.Equal(t, 1.45, must(v.AsFloat()))
+
+	v, err = n.LookupByString("slice")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, v.Kind())
+	require.Equal(t, int64(3), v.Length())
+	require.Equal(t, `list{
+	0: int{1}
+	1: int{2}
+	2: int{3}
+}`, printer.Sprint(v))
+
+	v, err = n.LookupByString("array")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, v.Kind())
+	require.Equal(t, int64(2), v.Length())
+	require.Equal(t, `list{
+	0: int{1}
+	1: int{2}
+}`, printer.Sprint(v))
+
+	v, err = n.LookupByString("map")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Map, v.Kind())
+	require.Equal(t, int64(2), v.Length())
+	require.Equal(t, `map{
+	string{"foo"}: string{"bar"}
+	string{"foofoo"}: map{
+		string{"barbar"}: string{"foo"}
+	}
+}`, printer.Sprint(v))
+
+	v, err = n.LookupByString("link")
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Link, v.Kind())
+	asLink, err := v.AsLink()
+	require.NoError(t, err)
+	require.True(t, asLink.(cidlink.Link).Equals(cid.MustParse("bafzbeigai3eoy2ccc7ybwjfz5r3rdxqrinwi4rwytly24tdbh6yk7zslrm")))
+}
+
+func TestAny(t *testing.T) {
+	data := map[string]any{
+		"bool":   true,
+		"string": "foobar",
+		"bytes":  []byte{1, 2, 3, 4},
+		"int":    1234,
+		"uint":   uint(12345),
+		"float":  1.45,
+		"slice":  []int{1, 2, 3},
+		"array":  [2]int{1, 2},
+		"map": map[string]any{
+			"foo": "bar",
+			"foofoo": map[string]string{
+				"barbar": "foo",
+			},
+		},
+		"link": cid.MustParse("bafzbeigai3eoy2ccc7ybwjfz5r3rdxqrinwi4rwytly24tdbh6yk7zslrm"),
+		"func": func() {},
+	}
+
+	v, err := Any(data["bool"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Bool, v.Kind())
+	require.Equal(t, true, must(v.AsBool()))
+
+	v, err = Any(data["string"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_String, v.Kind())
+	require.Equal(t, "foobar", must(v.AsString()))
+
+	v, err = Any(data["bytes"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Bytes, v.Kind())
+	require.Equal(t, []byte{1, 2, 3, 4}, must(v.AsBytes()))
+
+	v, err = Any(data["int"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Int, v.Kind())
+	require.Equal(t, int64(1234), must(v.AsInt()))
+
+	v, err = Any(data["uint"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Int, v.Kind())
+	require.Equal(t, int64(12345), must(v.AsInt()))
+
+	v, err = Any(data["float"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Float, v.Kind())
+	require.Equal(t, 1.45, must(v.AsFloat()))
+
+	v, err = Any(data["slice"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, v.Kind())
+	require.Equal(t, int64(3), v.Length())
+	require.Equal(t, `list{
+	0: int{1}
+	1: int{2}
+	2: int{3}
+}`, printer.Sprint(v))
+
+	v, err = Any(data["array"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_List, v.Kind())
+	require.Equal(t, int64(2), v.Length())
+	require.Equal(t, `list{
+	0: int{1}
+	1: int{2}
+}`, printer.Sprint(v))
+
+	v, err = Any(data["map"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Map, v.Kind())
+	require.Equal(t, int64(2), v.Length())
+	require.Equal(t, `map{
+	string{"foo"}: string{"bar"}
+	string{"foofoo"}: map{
+		string{"barbar"}: string{"foo"}
+	}
+}`, printer.Sprint(v))
+
+	v, err = Any(data["link"])
+	require.NoError(t, err)
+	require.Equal(t, datamodel.Kind_Link, v.Kind())
+	asLink, err := v.AsLink()
+	require.NoError(t, err)
+	require.True(t, asLink.(cidlink.Link).Equals(cid.MustParse("bafzbeigai3eoy2ccc7ybwjfz5r3rdxqrinwi4rwytly24tdbh6yk7zslrm")))
+
+	_, err = Any(data["func"])
+	require.Error(t, err)
+}
+
+func BenchmarkAny(b *testing.B) {
+	b.Run("bool", func(b *testing.B) {
+		b.ReportAllocs()
+
+		for n := 0; n < b.N; n++ {
+			_, _ = Any(true)
+		}
+	})
+
+	b.Run("string", func(b *testing.B) {
+		b.ReportAllocs()
+		for n := 0; n < b.N; n++ {
+			_, _ = Any("foobar")
+		}
+	})
+
+	b.Run("bytes", func(b *testing.B) {
+		b.ReportAllocs()
+		for n := 0; n < b.N; n++ {
+			_, _ = Any([]byte{1, 2, 3, 4})
+		}
+	})
+
+	b.Run("map", func(b *testing.B) {
+		b.ReportAllocs()
+		for n := 0; n < b.N; n++ {
+			_, _ = Any(map[string]any{
+				"foo": "bar",
+				"foofoo": map[string]string{
+					"barbar": "foo",
+				},
+			})
+		}
+	})
+}
+
+func TestAnyAssembleIntegerOverflow(t *testing.T) {
+	tests := []struct {
+		name      string
+		input     interface{}
+		shouldErr bool
+	}{
+		{
+			name:      "valid int",
+			input:     42,
+			shouldErr: false,
+		},
+		{
+			name:      "max safe int",
+			input:     limits.MaxInt53,
+			shouldErr: false,
+		},
+		{
+			name:      "min safe int",
+			input:     limits.MinInt53,
+			shouldErr: false,
+		},
+		{
+			name:      "overflow int",
+			input:     int64(limits.MaxInt53 + 1),
+			shouldErr: true,
+		},
+		{
+			name:      "underflow int",
+			input:     int64(limits.MinInt53 - 1),
+			shouldErr: true,
+		},
+		{
+			name:      "overflow uint",
+			input:     uint64(limits.MaxInt53 + 1),
+			shouldErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := Any(tt.input)
+			if tt.shouldErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
+func must[T any](t T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return t
+}

pkg/policy/match.go

@@ -3,6 +3,7 @@ package policy
 import (
 	"cmp"
 	"fmt"
+	"math"
 
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/datamodel"
@@ -10,265 +11,272 @@ import (
 )
 
 // Match determines if the IPLD node satisfies the policy.
-func (p Policy) Match(node datamodel.Node) bool {
+// The first Statement failing to match is returned as well.
+func (p Policy) Match(node datamodel.Node) (bool, Statement) {
 	for _, stmt := range p {
-		ok := matchStatement(stmt, node)
+		res, leaf := matchStatement(stmt, node)
-		if !ok {
+		switch res {
-			return false
+		case matchResultNoData, matchResultFalse:
+			return false, leaf
+		case matchResultOptionalNoData, matchResultTrue:
+			// continue
 		}
 	}
-	return true
+	return true, nil
 }
 
-// Filter performs a recursive filtering of the Statement, and prunes what doesn't match the given path
+// PartialMatch returns false IIF one non-optional Statement has the corresponding data and doesn't match.
-func (p Policy) Filter(path ...string) Policy {
+// If the data is missing or the non-optional Statement is matching, true is returned.
-	var filtered Policy
+//
-
+// This allows performing the policy checking in multiple steps, and find immediately if a Statement already failed.
+// A final call to Match is necessary to make sure that the policy is fully matched, with no missing data
+// (apart from optional values).
+//
+// The first Statement failing to match is returned as well.
+func (p Policy) PartialMatch(node datamodel.Node) (bool, Statement) {
 	for _, stmt := range p {
-		newChild, remain := filter(stmt, path)
+		res, leaf := matchStatement(stmt, node)
-		if newChild != nil && len(remain) == 0 {
+		switch res {
-			filtered = append(filtered, newChild)
+		case matchResultFalse:
+			return false, leaf
+		case matchResultNoData, matchResultOptionalNoData, matchResultTrue:
+			// continue
+		}
+	}
+	return true, nil
+}
+
+type matchResult int8
+
+const (
+	matchResultTrue           matchResult = iota // statement has data and resolve to true
+	matchResultFalse                             // statement has data and resolve to false
+	matchResultNoData                            // statement has no data
+	matchResultOptionalNoData                    // statement has no data and is optional
+)
+
+// matchStatement evaluate the policy against the given ipld.Node and returns:
+// - matchResultTrue: if the selector matched and the statement evaluated to true.
+// - matchResultFalse: if the selector matched and the statement evaluated to false.
+// - matchResultNoData: if the selector didn't match the expected data.
+// For matchResultTrue and matchResultNoData, the leaf-most (innermost) statement failing to be true is returned,
+// as well as the corresponding root-most encompassing statement.
+func matchStatement(cur Statement, node ipld.Node) (_ matchResult, leafMost Statement) {
+	var boolToRes = func(v bool) (matchResult, Statement) {
+		if v {
+			return matchResultTrue, nil
+		} else {
+			return matchResultFalse, cur
 		}
 	}
 
-	return filtered
+	switch cur.Kind() {
-}
-
-func matchStatement(statement Statement, node ipld.Node) bool {
-	switch statement.Kind() {
 	case KindEqual:
-		if s, ok := statement.(equality); ok {
+		if s, ok := cur.(equality); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
 			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			if one != nil {
+			if res == nil { // optional selector didn't match
-				return datamodel.DeepEqual(s.value, one)
+				return matchResultOptionalNoData, nil
 			}
-
+			return boolToRes(datamodel.DeepEqual(s.value, res))
-			return false
+		}
+	case KindNotEqual:
+		if s, ok := cur.(equality); ok {
+			res, err := s.selector.Select(node)
+			if err != nil {
+				return matchResultNoData, cur
+			}
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			return boolToRes(!datamodel.DeepEqual(s.value, res))
 		}
 	case KindGreaterThan:
-		if s, ok := statement.(equality); ok {
+		if s, ok := cur.(equality); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
-			if err != nil || one == nil {
+			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			return isOrdered(s.value, one, gt)
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			return boolToRes(isOrdered(s.value, res, gt))
 		}
 	case KindGreaterThanOrEqual:
-		if s, ok := statement.(equality); ok {
+		if s, ok := cur.(equality); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
-			if err != nil || one == nil {
+			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			return isOrdered(s.value, one, gte)
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			return boolToRes(isOrdered(s.value, res, gte))
 		}
 	case KindLessThan:
-		if s, ok := statement.(equality); ok {
+		if s, ok := cur.(equality); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
-			if err != nil || one == nil {
+			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			return isOrdered(s.value, one, lt)
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			return boolToRes(isOrdered(s.value, res, lt))
 		}
 	case KindLessThanOrEqual:
-		if s, ok := statement.(equality); ok {
+		if s, ok := cur.(equality); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
-			if err != nil || one == nil {
+			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			return isOrdered(s.value, one, lte)
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			return boolToRes(isOrdered(s.value, res, lte))
 		}
 	case KindNot:
-		if s, ok := statement.(negation); ok {
+		if s, ok := cur.(negation); ok {
-			return !matchStatement(s.statement, node)
+			res, leaf := matchStatement(s.statement, node)
+			switch res {
+			case matchResultNoData, matchResultOptionalNoData:
+				return res, leaf
+			case matchResultTrue:
+				return matchResultFalse, cur
+			case matchResultFalse:
+				return matchResultTrue, nil
+			}
 		}
 	case KindAnd:
-		if s, ok := statement.(connective); ok {
+		if s, ok := cur.(connective); ok {
 			for _, cs := range s.statements {
-				r := matchStatement(cs, node)
+				res, leaf := matchStatement(cs, node)
-				if !r {
+				switch res {
-					return false
+				case matchResultNoData, matchResultOptionalNoData:
+					return res, leaf
+				case matchResultTrue:
+					// continue
+				case matchResultFalse:
+					return matchResultFalse, leaf
 				}
 			}
-			return true
+			return matchResultTrue, nil
 		}
 	case KindOr:
-		if s, ok := statement.(connective); ok {
+		if s, ok := cur.(connective); ok {
 			if len(s.statements) == 0 {
-				return true
+				return matchResultTrue, nil
 			}
 			for _, cs := range s.statements {
-				r := matchStatement(cs, node)
+				res, leaf := matchStatement(cs, node)
-				if r {
+				switch res {
-					return true
+				case matchResultNoData, matchResultOptionalNoData:
+					return res, leaf
+				case matchResultTrue:
+					return matchResultTrue, leaf
+				case matchResultFalse:
+					// continue
 				}
 			}
-			return false
+			return matchResultFalse, cur
 		}
 	case KindLike:
-		if s, ok := statement.(wildcard); ok {
+		if s, ok := cur.(wildcard); ok {
-			one, _, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
-			if err != nil || one == nil {
-				return false
-			}
-			v, err := one.AsString()
 			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-			return s.pattern.Match(v)
+			if res == nil { // optional selector didn't match
+				return matchResultOptionalNoData, nil
+			}
+			v, err := res.AsString()
+			if err != nil {
+				return matchResultFalse, cur // not a string
+			}
+			return boolToRes(s.pattern.Match(v))
 		}
 	case KindAll:
-		if s, ok := statement.(quantifier); ok {
+		if s, ok := cur.(quantifier); ok {
-			one, many, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
 			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-
+			if res == nil {
-			if one != nil {
+				return matchResultOptionalNoData, nil
-				it := one.ListIterator()
+			}
-				if it != nil {
+			it := res.ListIterator()
-					for !it.Done() {
+			if it == nil {
-						_, v, err := it.Next()
+				return matchResultFalse, cur // not a list
-						if err != nil {
+			}
-							return false
+			for !it.Done() {
-						}
+				_, v, err := it.Next()
-						ok := matchStatement(s.statement, v)
+				if err != nil {
-						if !ok {
+					panic("should never happen")
-							return false
+				}
-						}
+				matchRes, leaf := matchStatement(s.statement, v)
-					}
+				switch matchRes {
-				} else {
+				case matchResultNoData, matchResultOptionalNoData:
-					ok := matchStatement(s.statement, one)
+					return matchRes, leaf
-					if !ok {
+				case matchResultTrue:
-						return false
+					// continue
-					}
+				case matchResultFalse:
+					return matchResultFalse, leaf
 				}
 			}
-
+			return matchResultTrue, nil
-			if len(many) > 0 {
-				for _, n := range many {
-					ok := matchStatement(s.statement, n)
-					if !ok {
-						return false
-					}
-				}
-			}
-
-			return true
 		}
 	case KindAny:
-		if s, ok := statement.(quantifier); ok {
+		if s, ok := cur.(quantifier); ok {
-			one, many, err := s.selector.Select(node)
+			res, err := s.selector.Select(node)
 			if err != nil {
-				return false
+				return matchResultNoData, cur
 			}
-
+			if res == nil {
-			if one != nil {
+				return matchResultOptionalNoData, nil
-				it := one.ListIterator()
+			}
-				if it != nil {
+			it := res.ListIterator()
-					for !it.Done() {
+			if it == nil {
-						_, v, err := it.Next()
+				return matchResultFalse, cur // not a list
-						if err != nil {
+			}
-							return false
+			for !it.Done() {
-						}
+				_, v, err := it.Next()
-						ok := matchStatement(s.statement, v)
+				if err != nil {
-						if ok {
+					panic("should never happen")
-							return true
+				}
-						}
+				matchRes, leaf := matchStatement(s.statement, v)
-					}
+				switch matchRes {
-				} else {
+				case matchResultNoData, matchResultOptionalNoData:
-					ok := matchStatement(s.statement, one)
+					return matchRes, leaf
-					if ok {
+				case matchResultTrue:
-						return true
+					return matchResultTrue, nil
-					}
+				case matchResultFalse:
+					// continue
 				}
 			}
-
+			return matchResultFalse, cur
-			if len(many) > 0 {
-				for _, n := range many {
-					ok := matchStatement(s.statement, n)
-					if ok {
-						return true
-					}
-				}
-			}
-
-			return false
 		}
 	}
-	panic(fmt.Errorf("unimplemented statement kind: %s", statement.Kind()))
+	panic(fmt.Errorf("unimplemented statement kind: %s", cur.Kind()))
-}
-
-// filter performs a recursive filtering of the Statement, and prunes what doesn't match the given path
-func filter(stmt Statement, path []string) (Statement, []string) {
-	// For each kind, we do some of the following if it applies:
-	// - test the path against the selector, consuming segments
-	// - for terminal statements (equality, wildcard), require all the segments to have been consumed
-	// - recursively filter child (negation, quantifier) or children (connective) statements with the remaining path
-	switch stmt.(type) {
-	case equality:
-		match, remain := stmt.(equality).selector.MatchPath(path...)
-		if match && len(remain) == 0 {
-			return stmt, remain
-		}
-		return nil, nil
-	case negation:
-		newChild, remain := filter(stmt.(negation).statement, path)
-		if newChild != nil && len(remain) == 0 {
-			return negation{
-				statement: newChild,
-			}, nil
-		}
-		return nil, nil
-	case connective:
-		var newChildren []Statement
-		for _, child := range stmt.(connective).statements {
-			newChild, remain := filter(child, path)
-			if newChild != nil && len(remain) == 0 {
-				newChildren = append(newChildren, newChild)
-			}
-		}
-		if len(newChildren) == 0 {
-			return nil, nil
-		}
-		return connective{
-			kind:       stmt.(connective).kind,
-			statements: newChildren,
-		}, nil
-	case wildcard:
-		match, remain := stmt.(wildcard).selector.MatchPath(path...)
-		if match && len(remain) == 0 {
-			return stmt, remain
-		}
-		return nil, nil
-	case quantifier:
-		match, remain := stmt.(quantifier).selector.MatchPath(path...)
-		if match && len(remain) == 0 {
-			return stmt, remain
-		}
-		if !match {
-			return nil, nil
-		}
-		newChild, remain := filter(stmt.(quantifier).statement, remain)
-		if newChild != nil && len(remain) == 0 {
-			return quantifier{
-				kind:      stmt.(quantifier).kind,
-				selector:  stmt.(quantifier).selector,
-				statement: newChild,
-			}, nil
-		}
-		return nil, nil
-	default:
-		panic(fmt.Errorf("unimplemented statement kind: %s", stmt.Kind()))
-	}
 }
 
+// isOrdered compares two IPLD nodes and returns true if they satisfy the given ordering function.
+// It supports comparison of integers and floats, returning false for:
+//   - Nodes of different or unsupported kinds
+//   - Integer values outside JavaScript's safe integer bounds (±2^53-1)
+//   - Non-finite floating point values (NaN or ±Inf)
+//
+// The satisfies parameter is a function that interprets the comparison result:
+//   - For ">" it returns true when order is 1
+//   - For ">=" it returns true when order is 0 or 1
+//   - For "<" it returns true when order is -1
+//   - For "<=" it returns true when order is -1 or 0
 func isOrdered(expected ipld.Node, actual ipld.Node, satisfies func(order int) bool) bool {
 	if expected.Kind() == ipld.Kind_Int && actual.Kind() == ipld.Kind_Int {
 		a := must.Int(actual)
 		b := must.Int(expected)
+
 		return satisfies(cmp.Compare(a, b))
 	}
 
@@ -281,6 +289,11 @@ func isOrdered(expected ipld.Node, actual ipld.Node, satisfies func(order int) b
 		if err != nil {
 			panic(fmt.Errorf("extracting selector float: %w", err))
 		}
+
+		if math.IsInf(a, 0) || math.IsNaN(a) || math.IsInf(b, 0) || math.IsNaN(b) {
+			return false
+		}
+
 		return satisfies(cmp.Compare(a, b))
 	}
 

pkg/policy/policy.go

@@ -9,11 +9,12 @@ import (
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 
-	selpkg "github.com/ucan-wg/go-ucan/pkg/policy/selector"
+	selpkg "code.sonr.org/go/ucan/pkg/policy/selector"
 )
 
 const (
 	KindEqual              = "=="   // implemented by equality
+	KindNotEqual           = "!="   // implemented by equality
 	KindGreaterThan        = ">"    // implemented by equality
 	KindGreaterThanOrEqual = ">="   // implemented by equality
 	KindLessThan           = "<"    // implemented by equality
@@ -87,6 +88,13 @@ func Equal(selector string, value ipld.Node) Constructor {
 	}
 }
 
+func NotEqual(selector string, value ipld.Node) Constructor {
+	return func() (Statement, error) {
+		sel, err := selpkg.Parse(selector)
+		return equality{kind: KindNotEqual, selector: sel, value: value}, err
+	}
+}
+
 func GreaterThan(selector string, value ipld.Node) Constructor {
 	return func() (Statement, error) {
 		sel, err := selpkg.Parse(selector)
@@ -125,7 +133,7 @@ func (n negation) Kind() string {
 
 func (n negation) String() string {
 	child := n.statement.String()
-	return fmt.Sprintf(`["%s", "%s"]`, n.Kind(), strings.ReplaceAll(child, "\n", "\n  "))
+	return fmt.Sprintf(`["%s", %s]`, n.Kind(), strings.ReplaceAll(child, "\n", "\n  "))
 }
 
 func Not(cstor Constructor) Constructor {
@@ -149,7 +157,7 @@ func (c connective) String() string {
 	for i, statement := range c.statements {
 		childs[i] = strings.ReplaceAll(statement.String(), "\n", "\n  ")
 	}
-	return fmt.Sprintf("[\"%s\", [\n  %s]]\n", c.kind, strings.Join(childs, ",\n  "))
+	return fmt.Sprintf("[\"%s\", [\n  %s\n]]", c.kind, strings.Join(childs, ",\n  "))
 }
 
 func And(cstors ...Constructor) Constructor {
@@ -208,7 +216,7 @@ func (n quantifier) Kind() string {
 
 func (n quantifier) String() string {
 	child := n.statement.String()
-	return fmt.Sprintf("[\"%s\", \"%s\",\n  %s]", n.Kind(), n.selector, strings.ReplaceAll(child, "\n", "\n  "))
+	return fmt.Sprintf("[\"%s\", \"%s\",\n  %s\n]", n.Kind(), n.selector, strings.ReplaceAll(child, "\n", "\n  "))
 }
 
 func All(selector string, cstor Constructor) Constructor {

pkg/policy/policy_test.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"code.sonr.org/go/ucan/pkg/policy"
-	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
 )
 
 func ExamplePolicy() {
@@ -28,12 +28,47 @@ func ExamplePolicy() {
 	// [
 	//   ["==", ".status", "draft"],
 	//   ["all", ".reviewer",
-	//     ["like", ".email", "*@example.com"]],
+	//     ["like", ".email", "*@example.com"]
+	//   ],
 	//   ["any", ".tags",
 	//     ["or", [
 	//       ["==", ".", "news"],
-	//       ["==", ".", "press"]]]
+	//       ["==", ".", "press"]
-	//     ]
+	//     ]]
+	//   ]
+	// ]
+}
+
+func ExamplePolicy_accumulate() {
+	var statements []policy.Constructor
+
+	statements = append(statements, policy.Equal(".status", literal.String("draft")))
+
+	statements = append(statements, policy.All(".reviewer",
+		policy.Like(".email", "*@example.com"),
+	))
+
+	statements = append(statements, policy.Any(".tags", policy.Or(
+		policy.Equal(".", literal.String("news")),
+		policy.Equal(".", literal.String("press")),
+	)))
+
+	pol := policy.MustConstruct(statements...)
+
+	fmt.Println(pol)
+
+	// Output:
+	// [
+	//   ["==", ".status", "draft"],
+	//   ["all", ".reviewer",
+	//     ["like", ".email", "*@example.com"]
+	//   ],
+	//   ["any", ".tags",
+	//     ["or", [
+	//       ["==", ".", "news"],
+	//       ["==", ".", "press"]
+	//     ]]
+	//   ]
 	// ]
 }
 

pkg/policy/policytest/spec.go

@@ -0,0 +1,67 @@
+package policytest
+
+import (
+	"github.com/ipld/go-ipld-prime"
+
+	"code.sonr.org/go/ucan/pkg/args"
+	"code.sonr.org/go/ucan/pkg/policy"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
+)
+
+// EmptyPolicy provides a Policy with no statements.
+var EmptyPolicy = policy.Policy{}
+
+// SpecPolicy provides a  valid Policy containing the statements that are included
+// in the second code block of the [Validation] section of the delegation specification.
+//
+// [Validation]: https://github.com/ucan-wg/delegation/tree/v1_ipld#validation
+var SpecPolicy = policy.MustConstruct(
+	policy.Equal(".from", literal.String("alice@example.com")),
+	policy.Any(".to", policy.Like(".", "*@example.com")),
+)
+
+// TODO: Replace the URL for [Validation] above when the delegation
+//       specification has been finished/merged.
+
+// SpecValidArguments provides valid, instantiated Arguments containing
+// the key/value pairs that are included in portion of the second code block
+// of the [Validation] section of the delegation specification.
+//
+// [Validation]: https://github.com/ucan-wg/delegation/tree/v1_ipld#validation
+var SpecValidArguments = args.NewBuilder().
+	Add("from", "alice@example.com").
+	Add("to", []string{
+		"bob@example.com",
+		"carol@not.example.com",
+	}).
+	Add("title", "Coffee").
+	Add("body", "Still on for coffee").
+	MustBuild()
+
+var specValidArgumentsIPLD = mustIPLD(SpecValidArguments)
+
+// SpecInvalidArguments provides invalid, instantiated Arguments containing
+// the key/value pairs that are included in portion of the second code block
+// of the [Validation] section of the delegation specification.
+//
+// [Validation]: https://github.com/ucan-wg/delegation/tree/v1_ipld#validation
+var SpecInvalidArguments = args.NewBuilder().
+	Add("from", "alice@example.com").
+	Add("to", []string{
+		"bob@null.com",
+		"carol@elsewhere.example.com",
+	}).
+	Add("title", "Coffee").
+	Add("body", "Still on for coffee").
+	MustBuild()
+
+var specInvalidArgumentsIPLD = mustIPLD(SpecInvalidArguments)
+
+func mustIPLD(args *args.Args) ipld.Node {
+	node, err := args.ToIPLD()
+	if err != nil {
+		panic(err)
+	}
+
+	return node
+}

pkg/policy/policytest/spec_test.go

@@ -0,0 +1,32 @@
+package policytest
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestInvocationValidation applies the example policy to the second
+// example arguments as defined in the [Validation] section of the
+// invocation specification.
+//
+// [Validation]: https://github.com/ucan-wg/delegation/tree/v1_ipld#validation
+func TestInvocationValidationSpecExamples(t *testing.T) {
+	t.Parallel()
+
+	t.Run("with passing args", func(t *testing.T) {
+		t.Parallel()
+
+		exec, stmt := SpecPolicy.Match(specValidArgumentsIPLD)
+		assert.True(t, exec)
+		assert.Nil(t, stmt)
+	})
+
+	t.Run("fails on recipients (second statement)", func(t *testing.T) {
+		t.Parallel()
+
+		exec, stmt := SpecPolicy.Match(specInvalidArgumentsIPLD)
+		assert.False(t, exec)
+		assert.NotNil(t, stmt)
+	})
+}

pkg/policy/selector/parsing.go

@@ -2,16 +2,28 @@ package selector
 
 import (
 	"fmt"
+	"math"
 	"regexp"
 	"strconv"
 	"strings"
+
+	"code.sonr.org/go/ucan/pkg/policy/limits"
 )
 
 var (
-	identity   = Selector{segment{str: ".", identity: true}}
 	indexRegex = regexp.MustCompile(`^-?\d+$`)
 	sliceRegex = regexp.MustCompile(`^((\-?\d+:\-?\d*)|(\-?\d*:\-?\d+))$`)
-	fieldRegex = regexp.MustCompile(`^\.[a-zA-Z_]*?$`)
+
+	// Field name requirements:
+	// - Must start with ASCII letter, Unicode letter, or underscore
+	// - Can contain:
+	//   - ASCII letters (a-z, A-Z)
+	//   - ASCII digits (0-9)
+	//   - Unicode letters (\p{L})
+	//   - Dollar sign ($)
+	//   - Underscore (_)
+	//   - Hyphen (-)
+	fieldRegex = regexp.MustCompile(`^\.[a-zA-Z_\p{L}][a-zA-Z0-9$_\p{L}\-]*$`)
 )
 
 func Parse(str string) (Selector, error) {
@@ -22,7 +34,10 @@ func Parse(str string) (Selector, error) {
 		return nil, newParseError("selector must start with identity segment '.'", str, 0, string(str[0]))
 	}
 	if str == "." {
-		return identity, nil
+		return Selector{segment{str: ".", identity: true}}, nil
+	}
+	if str == ".?" {
+		return Selector{segment{str: ".?", identity: true, optional: true}}, nil
 	}
 
 	col := 0
@@ -31,56 +46,79 @@ func Parse(str string) (Selector, error) {
 		seg := tok
 		opt := strings.HasSuffix(tok, "?")
 		if opt {
-			seg = tok[0 : len(tok)-1]
+			seg = strings.TrimRight(tok, "?")
 		}
-		switch seg {
+		switch {
-		case ".":
+		case seg == ".":
 			if len(sel) > 0 && sel[len(sel)-1].Identity() {
 				return nil, newParseError("selector contains unsupported recursive descent segment: '..'", str, col, tok)
 			}
 			sel = append(sel, segment{str: ".", identity: true})
-		case "[]":
-			sel = append(sel, segment{str: tok, optional: opt, iterator: true})
-		default:
-			if strings.HasPrefix(seg, "[") && strings.HasSuffix(seg, "]") {
-				lookup := seg[1 : len(seg)-1]
 
-				if indexRegex.MatchString(lookup) { // index
+		case seg == "[]":
-					idx, err := strconv.Atoi(lookup)
+			sel = append(sel, segment{str: tok, optional: opt, iterator: true})
-					if err != nil {
+
-						return nil, newParseError("invalid index", str, col, tok)
+		case strings.HasPrefix(seg, "[") && strings.HasSuffix(seg, "]"):
-					}
+			lookup := seg[1 : len(seg)-1]
-					sel = append(sel, segment{str: tok, optional: opt, index: idx})
+
-				} else if strings.HasPrefix(lookup, "\"") && strings.HasSuffix(lookup, "\"") { // explicit field
+			switch {
-					sel = append(sel, segment{str: tok, optional: opt, field: lookup[1 : len(lookup)-1]})
+			// index, [123]
-				} else if sliceRegex.MatchString(lookup) { // slice [3:5] or [:5] or [3:]
+			case indexRegex.MatchString(lookup):
-					var rng []int
+				idx, err := strconv.Atoi(lookup)
-					splt := strings.Split(lookup, ":")
+				if err != nil {
-					if splt[0] == "" {
+					return nil, newParseError("invalid index", str, col, tok)
-						rng = append(rng, 0)
+				}
-					} else {
+				if int64(idx) > limits.MaxInt53 || int64(idx) < limits.MinInt53 {
-						i, err := strconv.Atoi(splt[0])
+					return nil, newParseError(fmt.Sprintf("index %d exceeds safe integer bounds", idx), str, col, tok)
-						if err != nil {
+				}
-							return nil, newParseError("invalid slice index", str, col, tok)
+				sel = append(sel, segment{str: tok, optional: opt, index: idx})
-						}
+
-						rng = append(rng, i)
+			// explicit field, ["abcd"]
-					}
+			case strings.HasPrefix(lookup, "\"") && strings.HasSuffix(lookup, "\""):
-					if splt[1] != "" {
+				fieldName := lookup[1 : len(lookup)-1]
-						i, err := strconv.Atoi(splt[1])
+				if strings.Contains(fieldName, ":") {
-						if err != nil {
-							return nil, newParseError("invalid slice index", str, col, tok)
-						}
-						rng = append(rng, i)
-					}
-					sel = append(sel, segment{str: tok, optional: opt, slice: rng})
-				} else {
 					return nil, newParseError(fmt.Sprintf("invalid segment: %s", seg), str, col, tok)
 				}
-			} else if fieldRegex.MatchString(seg) {
+				sel = append(sel, segment{str: tok, optional: opt, field: fieldName})
-				sel = append(sel, segment{str: tok, optional: opt, field: seg[1:]})
+
-			} else {
+			// slice [3:5] or [:5] or [3:], also negative numbers
+			case sliceRegex.MatchString(lookup):
+				var rng [2]int64
+				splt := strings.Split(lookup, ":")
+				if splt[0] == "" {
+					rng[0] = math.MinInt
+				} else {
+					i, err := strconv.ParseInt(splt[0], 10, 0)
+					if err != nil {
+						return nil, newParseError("invalid slice index", str, col, tok)
+					}
+					if i > limits.MaxInt53 || i < limits.MinInt53 {
+						return nil, newParseError(fmt.Sprintf("slice index %d exceeds safe integer bounds", i), str, col, tok)
+					}
+					rng[0] = i
+				}
+				if splt[1] == "" {
+					rng[1] = math.MaxInt
+				} else {
+					i, err := strconv.ParseInt(splt[1], 10, 0)
+					if err != nil {
+						return nil, newParseError("invalid slice index", str, col, tok)
+					}
+					if i > limits.MaxInt53 || i < limits.MinInt53 {
+						return nil, newParseError(fmt.Sprintf("slice index %d exceeds safe integer bounds", i), str, col, tok)
+					}
+					rng[1] = i
+				}
+				sel = append(sel, segment{str: tok, optional: opt, slice: rng[:]})
+
+			default:
 				return nil, newParseError(fmt.Sprintf("invalid segment: %s", seg), str, col, tok)
 			}
+
+		case fieldRegex.MatchString(seg):
+			sel = append(sel, segment{str: tok, optional: opt, field: seg[1:]})
+		default:
+			return nil, newParseError(fmt.Sprintf("invalid segment: %s", seg), str, col, tok)
 		}
 		col += len(tok)
 	}
@@ -135,37 +173,37 @@ func tokenize(str string) []string {
 	return toks
 }
 
-type parseerr struct {
+type parseErr struct {
 	msg string
 	src string
 	col int
 	tok string
 }
 
-func (p parseerr) Name() string {
+func (p parseErr) Name() string {
 	return "ParseError"
 }
 
-func (p parseerr) Message() string {
+func (p parseErr) Message() string {
 	return p.msg
 }
 
-func (p parseerr) Column() int {
+func (p parseErr) Column() int {
 	return p.col
 }
 
-func (p parseerr) Error() string {
+func (p parseErr) Error() string {
 	return p.msg
 }
 
-func (p parseerr) Source() string {
+func (p parseErr) Source() string {
 	return p.src
 }
 
-func (p parseerr) Token() string {
+func (p parseErr) Token() string {
 	return p.tok
 }
 
 func newParseError(message string, source string, column int, token string) error {
-	return parseerr{message, source, column, token}
+	return parseErr{message, source, column, token}
 }

pkg/policy/selector/parsing_test.go

@@ -0,0 +1,641 @@
+package selector
+
+import (
+	"fmt"
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"code.sonr.org/go/ucan/pkg/policy/limits"
+)
+
+func TestParse(t *testing.T) {
+	t.Run("identity", func(t *testing.T) {
+		sel, err := Parse(".")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+	})
+
+	t.Run("dotted field name", func(t *testing.T) {
+		sel, err := Parse(".foo")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.False(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo")
+		require.Empty(t, sel[0].Index())
+
+		sel, err = Parse(".foo_bar")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.False(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo_bar")
+		require.Empty(t, sel[0].Index())
+
+		sel, err = Parse(".foo-bar")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.False(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo-bar")
+		require.Empty(t, sel[0].Index())
+
+		sel, err = Parse(".foo*bar")
+		require.ErrorContains(t, err, "invalid segment")
+	})
+
+	t.Run("explicit field", func(t *testing.T) {
+		sel, err := Parse(`.["foo"]`)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Equal(t, sel[1].Field(), "foo")
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("iterator, collection value", func(t *testing.T) {
+		sel, err := Parse(".[]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.True(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("index", func(t *testing.T) {
+		sel, err := Parse(".[138]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Equal(t, sel[1].Index(), 138)
+	})
+
+	t.Run("negative index", func(t *testing.T) {
+		sel, err := Parse(".[-138]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Equal(t, sel[1].Index(), -138)
+	})
+
+	t.Run("List slice", func(t *testing.T) {
+		sel, err := Parse(".[7:11]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{7, 11})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[2:]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{2, math.MaxInt})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[:42]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{math.MinInt, 42})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[0:-2]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{0, -2})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("optional identity", func(t *testing.T) {
+		sel, err := Parse(".?")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.True(t, sel[0].Identity())
+		require.True(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+	})
+
+	t.Run("optional dotted field name", func(t *testing.T) {
+		sel, err := Parse(".foo?")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.False(t, sel[0].Identity())
+		require.True(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo")
+		require.Empty(t, sel[0].Index())
+	})
+
+	t.Run("optional explicit field", func(t *testing.T) {
+		sel, err := Parse(`.["foo"]?`)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Equal(t, sel[1].Field(), "foo")
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("optional iterator", func(t *testing.T) {
+		sel, err := Parse(".[]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.True(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("optional index", func(t *testing.T) {
+		sel, err := Parse(".[138]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Equal(t, sel[1].Index(), 138)
+	})
+
+	t.Run("optional negative index", func(t *testing.T) {
+		sel, err := Parse(".[-138]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Equal(t, sel[1].Index(), -138)
+	})
+
+	t.Run("optional list slice", func(t *testing.T) {
+		sel, err := Parse(".[7:11]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{7, 11})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[2:]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{2, math.MaxInt})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[:42]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{math.MinInt, 42})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+
+		sel, err = Parse(".[0:-2]?")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.True(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{0, -2})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("idempotent optional", func(t *testing.T) {
+		sel, err := Parse(".foo???")
+		require.NoError(t, err)
+		require.Equal(t, 1, len(sel))
+		require.False(t, sel[0].Identity())
+		require.True(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo")
+		require.Empty(t, sel[0].Index())
+	})
+
+	t.Run("deny multi dot", func(t *testing.T) {
+		_, err := Parse("..")
+		require.Error(t, err)
+	})
+
+	t.Run("nesting", func(t *testing.T) {
+		str := `.foo.["bar"].[138]?.baz[1:]`
+		sel, err := Parse(str)
+		require.NoError(t, err)
+		require.Equal(t, str, sel.String())
+		require.Equal(t, 7, len(sel))
+		require.False(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Equal(t, sel[0].Field(), "foo")
+		require.Empty(t, sel[0].Index())
+		require.True(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+		require.False(t, sel[2].Identity())
+		require.False(t, sel[2].Optional())
+		require.False(t, sel[2].Iterator())
+		require.Empty(t, sel[2].Slice())
+		require.Equal(t, sel[2].Field(), "bar")
+		require.Empty(t, sel[2].Index())
+		require.True(t, sel[3].Identity())
+		require.False(t, sel[3].Optional())
+		require.False(t, sel[3].Iterator())
+		require.Empty(t, sel[3].Slice())
+		require.Empty(t, sel[3].Field())
+		require.Empty(t, sel[3].Index())
+		require.False(t, sel[4].Identity())
+		require.True(t, sel[4].Optional())
+		require.False(t, sel[4].Iterator())
+		require.Empty(t, sel[4].Slice())
+		require.Empty(t, sel[4].Field())
+		require.Equal(t, sel[4].Index(), 138)
+		require.False(t, sel[5].Identity())
+		require.False(t, sel[5].Optional())
+		require.False(t, sel[5].Iterator())
+		require.Empty(t, sel[5].Slice())
+		require.Equal(t, sel[5].Field(), "baz")
+		require.Empty(t, sel[5].Index())
+		require.False(t, sel[6].Identity())
+		require.False(t, sel[6].Optional())
+		require.False(t, sel[6].Iterator())
+		require.Equal(t, sel[6].Slice(), []int64{1, math.MaxInt})
+		require.Empty(t, sel[6].Field())
+		require.Empty(t, sel[6].Index())
+	})
+
+	t.Run("non dotted", func(t *testing.T) {
+		_, err := Parse("foo")
+		require.NotNil(t, err)
+	})
+
+	t.Run("non quoted", func(t *testing.T) {
+		_, err := Parse(".[foo]")
+		require.NotNil(t, err)
+	})
+
+	t.Run("slice with negative start and positive end", func(t *testing.T) {
+		sel, err := Parse(".[0:-2]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{0, -2})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("slice with start greater than end", func(t *testing.T) {
+		sel, err := Parse(".[5:2]")
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{5, 2})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("slice on string", func(t *testing.T) {
+		sel, err := Parse(`.["foo"].[1:3]`)
+		require.NoError(t, err)
+		require.Equal(t, 4, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Equal(t, sel[1].Field(), "foo")
+		require.Empty(t, sel[1].Index())
+		require.True(t, sel[2].Identity())
+		require.False(t, sel[2].Optional())
+		require.False(t, sel[2].Iterator())
+		require.Empty(t, sel[2].Slice())
+		require.Empty(t, sel[2].Field())
+		require.Empty(t, sel[2].Index())
+		require.False(t, sel[3].Identity())
+		require.False(t, sel[3].Optional())
+		require.False(t, sel[3].Iterator())
+		require.Equal(t, sel[3].Slice(), []int64{1, 3})
+		require.Empty(t, sel[3].Field())
+		require.Empty(t, sel[3].Index())
+	})
+
+	t.Run("slice on array", func(t *testing.T) {
+		sel, err := Parse(`.[1:3]`)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Equal(t, sel[1].Slice(), []int64{1, 3})
+		require.Empty(t, sel[1].Field())
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("index on array", func(t *testing.T) {
+		sel, err := Parse(`.[1]`)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Empty(t, sel[1].Field())
+		require.Equal(t, sel[1].Index(), 1)
+	})
+
+	t.Run("invalid slice on object", func(t *testing.T) {
+		_, err := Parse(`.["foo":"bar"]`)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "invalid segment")
+	})
+
+	t.Run("index on object", func(t *testing.T) {
+		sel, err := Parse(`.["foo"]`)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(sel))
+		require.True(t, sel[0].Identity())
+		require.False(t, sel[0].Optional())
+		require.False(t, sel[0].Iterator())
+		require.Empty(t, sel[0].Slice())
+		require.Empty(t, sel[0].Field())
+		require.Empty(t, sel[0].Index())
+		require.False(t, sel[1].Identity())
+		require.False(t, sel[1].Optional())
+		require.False(t, sel[1].Iterator())
+		require.Empty(t, sel[1].Slice())
+		require.Equal(t, sel[1].Field(), "foo")
+		require.Empty(t, sel[1].Index())
+	})
+
+	t.Run("slice with non-integer start", func(t *testing.T) {
+		_, err := Parse(".[foo:3]")
+		require.Error(t, err)
+	})
+
+	t.Run("slice with non-integer end", func(t *testing.T) {
+		_, err := Parse(".[1:bar]")
+		require.Error(t, err)
+	})
+
+	t.Run("index with non-integer", func(t *testing.T) {
+		_, err := Parse(".[foo]")
+		require.Error(t, err)
+	})
+
+	t.Run("extended field names", func(t *testing.T) {
+		validFields := []string{
+			".basic",
+			".user_name",
+			".user-name",
+			".userName$special",
+			".αβγ",        // Greek letters
+			".użytkownik", // Polish characters
+			".用户",         // Chinese characters
+			".사용자",        // Korean characters
+			"._private",
+			".number123",
+			".camelCase",
+			".snake_case",
+			".kebab-case",
+			".mixed_kebab-case",
+			".with$dollar",
+			".MIXED_Case_123",
+			".unicodeø",
+		}
+
+		for _, field := range validFields {
+			sel, err := Parse(field)
+			require.NoError(t, err, "field: %s", field)
+			require.NotNil(t, sel)
+		}
+
+		invalidFields := []string{
+			".123number",         // Can't start with digit
+			".@special",          // @ not allowed
+			".space name",        // No spaces
+			".#hashtag",          // No #
+			".name!",             // No !
+			".{brackets}",        // No brackets
+			".name/with/slashes", // No slashes
+		}
+
+		for _, field := range invalidFields {
+			sel, err := Parse(field)
+			require.Error(t, err, "field: %s", field)
+			require.Nil(t, sel)
+		}
+	})
+
+	t.Run("integer overflow", func(t *testing.T) {
+		sel, err := Parse(fmt.Sprintf(".[%d]", limits.MaxInt53+1))
+		require.Error(t, err)
+		require.Nil(t, sel)
+
+		sel, err = Parse(fmt.Sprintf(".[%d]", limits.MinInt53-1))
+		require.Error(t, err)
+		require.Nil(t, sel)
+
+		// Test slice overflow
+		sel, err = Parse(fmt.Sprintf(".[%d:42]", limits.MaxInt53+1))
+		require.Error(t, err)
+		require.Nil(t, sel)
+
+		sel, err = Parse(fmt.Sprintf(".[1:%d]", limits.MaxInt53+1))
+		require.Error(t, err)
+		require.Nil(t, sel)
+	})
+}

pkg/policy/selector/selector.go

@@ -2,12 +2,14 @@ package selector
 
 import (
 	"fmt"
+	"math"
+	"strconv"
 	"strings"
 
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/ipld/go-ipld-prime/node/basicnode"
-	"github.com/ipld/go-ipld-prime/schema"
 )
 
 // Selector describes a UCAN policy selector, as specified here:
@@ -15,17 +17,14 @@ import (
 type Selector []segment
 
 // Select perform the selection described by the selector on the input IPLD DAG.
-// If no error, Select returns either one ipld.Node or a []ipld.Node.
+// Select can return:
-func (s Selector) Select(subject ipld.Node) (ipld.Node, []ipld.Node, error) {
+//   - exactly one matched IPLD node
+//   - a resolutionErr error if not being able to resolve to a node
+//   - nil and no errors, if the selector couldn't match on an optional segment (with ?).
+func (s Selector) Select(subject ipld.Node) (ipld.Node, error) {
 	return resolve(s, subject, nil)
 }
 
-// MatchPath tells if the selector operates on the given (string only) path segments.
-// It returns the segments that didn't get consumed by the matching.
-func (s Selector) MatchPath(pathSegment ...string) (bool, []string) {
-	return matchPath(s, pathSegment)
-}
-
 func (s Selector) String() string {
 	var res strings.Builder
 	for _, seg := range s {
@@ -39,7 +38,7 @@ type segment struct {
 	identity bool
 	optional bool
 	iterator bool
-	slice    []int
+	slice    []int64 // either 0-length or 2-length
 	field    string
 	index    int
 }
@@ -65,7 +64,7 @@ func (s segment) Iterator() bool {
 }
 
 // Slice flags that this segment targets a range of a slice.
-func (s segment) Slice() []int {
+func (s segment) Slice() []int64 {
 	return s.slice
 }
 
@@ -79,335 +78,168 @@ func (s segment) Index() int {
 	return s.index
 }
 
-func resolve(sel Selector, subject ipld.Node, at []string) (ipld.Node, []ipld.Node, error) {
+func resolve(sel Selector, subject ipld.Node, at []string) (ipld.Node, error) {
-	cur := subject
+	errIfNotOptional := func(s segment, err error) error {
-	for i, seg := range sel {
+		if !s.Optional() {
-		if seg.Identity() {
+			return err
-			continue
-		}
-
-		// 1st level: handle the different segment types (iterator, field, slice, index)
-		// 2nd level: handle different node kinds (list, map, string, bytes)
-		switch {
-		case seg.Iterator():
-			if cur == nil || cur.Kind() == datamodel.Kind_Null {
-				if seg.Optional() {
-					// build empty list
-					nb := basicnode.Prototype.List.NewBuilder()
-					assembler, err := nb.BeginList(0)
-					if err != nil {
-						return nil, nil, err
-					}
-
-					if err = assembler.Finish(); err != nil {
-						return nil, nil, err
-					}
-
-					return nb.Build(), nil, nil
-				} else {
-					return nil, nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(cur)), at)
-				}
-			} else {
-				var many []ipld.Node
-				switch cur.Kind() {
-				case datamodel.Kind_List:
-					it := cur.ListIterator()
-					for !it.Done() {
-						_, v, err := it.Next()
-						if err != nil {
-							return nil, nil, err
-						}
-
-						// check if there are more iterator segments
-						if len(sel) > i+1 && sel[i+1].Iterator() {
-							if v.Kind() == datamodel.Kind_List {
-								// recursively resolve the remaining selector segments
-								var o ipld.Node
-								var m []ipld.Node
-								o, m, err = resolve(sel[i+1:], v, at)
-								if err != nil {
-									// if the segment is optional and an error occurs, skip the current iteration.
-									if seg.Optional() {
-										continue
-									} else {
-										return nil, nil, err
-									}
-								}
-								if m != nil {
-									many = append(many, m...)
-								} else if o != nil {
-									many = append(many, o)
-								}
-							} else {
-								// if the current value is not a list and the next segment is optional, skip the current iteration
-								if sel[i+1].Optional() {
-									continue
-								} else {
-									return nil, nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(v)), at)
-								}
-							}
-						} else {
-							// if there are no more iterator segments, append the current value to the result
-							many = append(many, v)
-						}
-					}
-				case datamodel.Kind_Map:
-					it := cur.MapIterator()
-					for !it.Done() {
-						_, v, err := it.Next()
-						if err != nil {
-							return nil, nil, err
-						}
-
-						if len(sel) > i+1 && sel[i+1].Iterator() {
-							if v.Kind() == datamodel.Kind_List {
-								var o ipld.Node
-								var m []ipld.Node
-								o, m, err = resolve(sel[i+1:], v, at)
-								if err != nil {
-									if seg.Optional() {
-										continue
-									} else {
-										return nil, nil, err
-									}
-								}
-								if m != nil {
-									many = append(many, m...)
-								} else if o != nil {
-									many = append(many, o)
-								}
-							} else {
-								if sel[i+1].Optional() {
-									continue
-								} else {
-									return nil, nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(v)), at)
-								}
-							}
-						} else {
-							many = append(many, v)
-						}
-					}
-				default:
-					return nil, nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(cur)), at)
-				}
-
-				return nil, many, nil
-			}
-
-		case seg.Field() != "":
-			at = append(at, seg.Field())
-			if cur == nil {
-				if seg.Optional() {
-					cur = nil
-				} else {
-					return nil, nil, newResolutionError(fmt.Sprintf("can not access field: %s on kind: %s", seg.Field(), kindString(cur)), at)
-				}
-			} else {
-				switch cur.Kind() {
-				case datamodel.Kind_Map:
-					n, err := cur.LookupByString(seg.Field())
-					if err != nil {
-						if isMissing(err) {
-							if seg.Optional() {
-								cur = nil
-							} else {
-								return nil, nil, newResolutionError(fmt.Sprintf("object has no field named: %s", seg.Field()), at)
-							}
-						} else {
-							return nil, nil, err
-						}
-					} else {
-						cur = n
-					}
-				case datamodel.Kind_List:
-					var many []ipld.Node
-					it := cur.ListIterator()
-					for !it.Done() {
-						_, v, err := it.Next()
-						if err != nil {
-							return nil, nil, err
-						}
-						if v.Kind() == datamodel.Kind_Map {
-							n, err := v.LookupByString(seg.Field())
-							if err == nil {
-								many = append(many, n)
-							}
-						}
-					}
-					if len(many) > 0 {
-						cur = nil
-						return nil, many, nil
-					} else if seg.Optional() {
-						cur = nil
-					} else {
-						return nil, nil, newResolutionError(fmt.Sprintf("no elements in list have field named: %s", seg.Field()), at)
-					}
-				default:
-					if seg.Optional() {
-						cur = nil
-					} else {
-						return nil, nil, newResolutionError(fmt.Sprintf("can not access field: %s on kind: %s", seg.Field(), kindString(cur)), at)
-					}
-				}
-			}
-
-		case seg.Slice() != nil:
-			if cur == nil {
-				if seg.Optional() {
-					cur = nil
-				} else {
-					return nil, nil, newResolutionError(fmt.Sprintf("can not slice on kind: %s", kindString(cur)), at)
-				}
-			} else {
-				slice := seg.Slice()
-				var start, end, length int64
-				switch cur.Kind() {
-				case datamodel.Kind_List:
-					length = cur.Length()
-					start, end = resolveSliceIndices(slice, length)
-				case datamodel.Kind_Bytes:
-					b, _ := cur.AsBytes()
-					length = int64(len(b))
-					start, end = resolveSliceIndices(slice, length)
-				case datamodel.Kind_String:
-					str, _ := cur.AsString()
-					length = int64(len(str))
-					start, end = resolveSliceIndices(slice, length)
-				default:
-					return nil, nil, newResolutionError(fmt.Sprintf("can not slice on kind: %s", kindString(cur)), at)
-				}
-
-				if start < 0 || end < start || end > length {
-					if seg.Optional() {
-						cur = nil
-					} else {
-						return nil, nil, newResolutionError(fmt.Sprintf("slice out of bounds: [%d:%d]", start, end), at)
-					}
-				} else {
-					switch cur.Kind() {
-					case datamodel.Kind_List:
-						if end > cur.Length() {
-							end = cur.Length()
-						}
-						nb := basicnode.Prototype.List.NewBuilder()
-						assembler, _ := nb.BeginList(int64(end - start))
-						for i := start; i < end; i++ {
-							item, _ := cur.LookupByIndex(int64(i))
-							assembler.AssembleValue().AssignNode(item)
-						}
-						assembler.Finish()
-						cur = nb.Build()
-					case datamodel.Kind_Bytes:
-						b, _ := cur.AsBytes()
-						l := int64(len(b))
-						if end > l {
-							end = l
-						}
-						cur = basicnode.NewBytes(b[start:end])
-					case datamodel.Kind_String:
-						str, _ := cur.AsString()
-						l := int64(len(str))
-						if end > l {
-							end = l
-						}
-						cur = basicnode.NewString(str[start:end])
-					}
-				}
-			}
-
-		default: // Index()
-			at = append(at, fmt.Sprintf("%d", seg.Index()))
-			if cur == nil {
-				if seg.Optional() {
-					cur = nil
-				} else {
-					return nil, nil, newResolutionError(fmt.Sprintf("can not access index: %d on kind: %s", seg.Index(), kindString(cur)), at)
-				}
-			} else {
-				idx := seg.Index()
-				switch cur.Kind() {
-				case datamodel.Kind_List:
-					if idx < 0 {
-						idx = int(cur.Length()) + idx
-					}
-					if idx < 0 || idx >= int(cur.Length()) {
-						if seg.Optional() {
-							cur = nil
-						} else {
-							return nil, nil, newResolutionError(fmt.Sprintf("index out of bounds: %d", seg.Index()), at)
-						}
-					} else {
-						cur, _ = cur.LookupByIndex(int64(idx))
-					}
-				case datamodel.Kind_String:
-					str, _ := cur.AsString()
-					if idx < 0 {
-						idx = len(str) + idx
-					}
-					if idx < 0 || idx >= len(str) {
-						if seg.Optional() {
-							cur = nil
-						} else {
-							return nil, nil, newResolutionError(fmt.Sprintf("index out of bounds: %d", seg.Index()), at)
-						}
-					} else {
-						cur = basicnode.NewString(string(str[idx]))
-					}
-				case datamodel.Kind_Bytes:
-					b, _ := cur.AsBytes()
-					if idx < 0 {
-						idx = len(b) + idx
-					}
-					if idx < 0 || idx >= len(b) {
-						if seg.Optional() {
-							cur = nil
-						} else {
-							return nil, nil, newResolutionError(fmt.Sprintf("index out of bounds: %d", seg.Index()), at)
-						}
-					} else {
-						cur = basicnode.NewInt(int64(b[idx]))
-					}
-				default:
-					return nil, nil, newResolutionError(fmt.Sprintf("can not access index: %d on kind: %s", seg.Index(), kindString(cur)), at)
-				}
-			}
 		}
+		return nil
 	}
 
-	return cur, nil, nil
+	cur := subject
-}
-
-func matchPath(sel Selector, path []string) (bool, []string) {
 	for _, seg := range sel {
-		if len(path) == 0 {
+		// 1st level: handle the different segment types (iterator, field, slice, index)
-			return true, path
+		// 2nd level: handle different node kinds (list, map, string, bytes)
-		}
 		switch {
 		case seg.Identity():
 			continue
 
 		case seg.Iterator():
-			// we have reached a [] iterator, it should have matched earlier
+			switch {
-			return false, nil
+			case cur == nil || cur.Kind() == datamodel.Kind_Null:
+				if seg.Optional() {
+					// build an empty list
+					n, _ := qp.BuildList(basicnode.Prototype.Any, 0, func(_ datamodel.ListAssembler) {})
+					return n, nil
+				}
+				return nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(cur)), at)
+
+			case cur.Kind() == datamodel.Kind_List:
+				// iterators are no-op on list
+				continue
+
+			case cur.Kind() == datamodel.Kind_Map:
+				// iterators on maps collect the values
+				nd, err := qp.BuildList(basicnode.Prototype.Any, cur.Length(), func(l datamodel.ListAssembler) {
+					it := cur.MapIterator()
+					for !it.Done() {
+						_, v, err := it.Next()
+						if err != nil {
+							// recovered by BuildList
+							// Error is bubbled up, but should never occur as we already checked the type,
+							// and are using the iterator correctly.
+							// This is verified with fuzzing.
+							panic(err)
+						}
+						qp.ListEntry(l, qp.Node(v))
+					}
+				})
+				if err != nil {
+					panic("should never happen")
+				}
+				return nd, nil
+
+			default:
+				return nil, newResolutionError(fmt.Sprintf("can not iterate over kind: %s", kindString(cur)), at)
+			}
 
 		case seg.Field() != "":
-			// if exact match on the segment, we continue
+			at = append(at, seg.Field())
-			if path[0] == seg.Field() {
+			switch {
-				path = path[1:]
+			case cur == nil:
-				continue
+				err := newResolutionError(fmt.Sprintf("can not access field: %s on kind: %s", seg.Field(), kindString(cur)), at)
-			}
+				return nil, errIfNotOptional(seg, err)
-			return false, nil
 
-		case seg.Slice() != nil:
+			case cur.Kind() == datamodel.Kind_Map:
-			// we have reached a [<int>:<int>] slicing, it should have matched earlier
+				n, err := cur.LookupByString(seg.Field())
-			return false, nil
+				if err != nil {
+					// the only possible error is missing field as we already check the type
+					if seg.Optional() {
+						cur = nil
+					} else {
+						return nil, newResolutionError(fmt.Sprintf("object has no field named: %s", seg.Field()), at)
+					}
+				} else {
+					cur = n
+				}
+
+			default:
+				err := newResolutionError(fmt.Sprintf("can not access field: %s on kind: %s", seg.Field(), kindString(cur)), at)
+				return nil, errIfNotOptional(seg, err)
+			}
+
+		case len(seg.Slice()) > 0:
+			if cur == nil {
+				err := newResolutionError(fmt.Sprintf("can not slice on kind: %s", kindString(cur)), at)
+				return nil, errIfNotOptional(seg, err)
+			}
+
+			slice := seg.Slice()
+
+			switch cur.Kind() {
+			case datamodel.Kind_List:
+				start, end := resolveSliceIndices(slice, cur.Length())
+				sliced, err := qp.BuildList(basicnode.Prototype.Any, end-start, func(l datamodel.ListAssembler) {
+					for i := start; i < end; i++ {
+						item, err := cur.LookupByIndex(i)
+						if err != nil {
+							// recovered by BuildList
+							// Error is bubbled up, but should never occur as we already checked the type and boundaries
+							// This is verified with fuzzing.
+							panic(err)
+						}
+						qp.ListEntry(l, qp.Node(item))
+					}
+				})
+				if err != nil {
+					panic("should never happen")
+				}
+				cur = sliced
+
+			case datamodel.Kind_Bytes:
+				b, _ := cur.AsBytes()
+				start, end := resolveSliceIndices(slice, int64(len(b)))
+				cur = basicnode.NewBytes(b[start:end])
+
+			case datamodel.Kind_String:
+				str, _ := cur.AsString()
+				runes := []rune(str)
+				start, end := resolveSliceIndices(slice, int64(len(runes)))
+				cur = basicnode.NewString(string(runes[start:end]))
+
+			default:
+				return nil, newResolutionError(fmt.Sprintf("can not slice on kind: %s", kindString(cur)), at)
+			}
 
 		default: // Index()
-			// we have reached a [<int>] indexing, it should have matched earlier
+			at = append(at, strconv.Itoa(seg.Index()))
-			return false, nil
+
+			if cur == nil {
+				err := newResolutionError(fmt.Sprintf("can not access index: %d on kind: %s", seg.Index(), kindString(cur)), at)
+				return nil, errIfNotOptional(seg, err)
+			}
+
+			idx := seg.Index()
+			switch cur.Kind() {
+			case datamodel.Kind_List:
+				if idx < 0 {
+					idx = int(cur.Length()) + idx
+				}
+				if idx < 0 || idx >= int(cur.Length()) {
+					err := newResolutionError(fmt.Sprintf("index out of bounds: %d", seg.Index()), at)
+					return nil, errIfNotOptional(seg, err)
+				}
+				cur, _ = cur.LookupByIndex(int64(idx))
+
+			case datamodel.Kind_Bytes:
+				b, _ := cur.AsBytes()
+				if idx < 0 {
+					idx = len(b) + idx
+				}
+				if idx < 0 || idx >= len(b) {
+					err := newResolutionError(fmt.Sprintf("index %d out of bounds for bytes of length %d", seg.Index(), len(b)), at)
+					return nil, errIfNotOptional(seg, err)
+				}
+				cur = basicnode.NewInt(int64(b[idx]))
+
+			default:
+				return nil, newResolutionError(fmt.Sprintf("can not access index: %d on kind: %s", seg.Index(), kindString(cur)), at)
+			}
 		}
 	}
-	return true, path
+
+	// segment exhausted, we return where we are
+	return cur, nil
 }
 
 // resolveSliceIndices resolves the start and end indices for slicing a list or byte array.
@@ -421,29 +253,60 @@ func matchPath(sel Selector, path []string) (bool, []string) {
 //
 // Returns:
 //   - start: The resolved start index for slicing.
-//   - end: The resolved end index for slicing.
+//   - end: The resolved **excluded** end index for slicing.
-func resolveSliceIndices(slice []int, length int64) (int64, int64) {
+func resolveSliceIndices(slice []int64, length int64) (start int64, end int64) {
-	start, end := int64(0), length
+	if len(slice) != 2 {
-	if len(slice) > 0 {
+		panic("should always be 2-length")
-		start = int64(slice[0])
-		if start < 0 {
-			start = length + start
-			if start < 0 {
-				start = 0
-			}
-		}
 	}
-	if len(slice) > 1 {
+
-		end = int64(slice[1])
+	start, end = slice[0], slice[1]
-		if end <= 0 {
+
-			end = length + end
+	// adjust boundaries
-			if end < start {
+	switch {
-				end = start
+	case slice[0] == math.MinInt:
-			}
+		start = 0
+	case slice[0] < 0:
+		// Check for potential overflow before adding
+		if -slice[0] > length {
+			start = 0
+		} else {
+			start = length + slice[0]
 		}
 	}
 
-	return start, end
+	switch {
+	case slice[1] == math.MaxInt:
+		end = length
+	case slice[1] < 0:
+		// Check for potential overflow before adding
+		if -slice[1] > length {
+			end = 0
+		} else {
+			end = length + slice[1]
+		}
+	}
+
+	// backward iteration is not allowed, shortcut to an empty result
+	if start >= end {
+		start, end = 0, 0
+		return
+	}
+
+	// clamp out of bound
+	if start < 0 {
+		start = 0
+	}
+	if start > length {
+		start = length
+	}
+	if end < 0 {
+		end = 0
+	}
+	if end > length {
+		end = length
+	}
+
+	return
 }
 
 func kindString(n datamodel.Node) string {
@@ -453,40 +316,27 @@ func kindString(n datamodel.Node) string {
 	return n.Kind().String()
 }
 
-func isMissing(err error) bool {
+type resolutionErr struct {
-	if _, ok := err.(datamodel.ErrNotExists); ok {
-		return true
-	}
-	if _, ok := err.(schema.ErrNoSuchField); ok {
-		return true
-	}
-	if _, ok := err.(schema.ErrInvalidKey); ok {
-		return true
-	}
-	return false
-}
-
-type resolutionerr struct {
 	msg string
 	at  []string
 }
 
-func (r resolutionerr) Name() string {
+func (r resolutionErr) Name() string {
 	return "ResolutionError"
 }
 
-func (r resolutionerr) Message() string {
+func (r resolutionErr) Message() string {
 	return fmt.Sprintf("can not resolve path: .%s", strings.Join(r.at, "."))
 }
 
-func (r resolutionerr) At() []string {
+func (r resolutionErr) At() []string {
 	return r.at
 }
 
-func (r resolutionerr) Error() string {
+func (r resolutionErr) Error() string {
 	return r.Message()
 }
 
 func newResolutionError(message string, at []string) error {
-	return resolutionerr{message, at}
+	return resolutionErr{message, at}
 }

pkg/policy/selector/selector_test.go

@@ -1,252 +1,21 @@
 package selector
 
 import (
-	"fmt"
+	"errors"
+	"math"
 	"strings"
 	"testing"
 
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
 	"github.com/ipld/go-ipld-prime/must"
 	basicnode "github.com/ipld/go-ipld-prime/node/basic"
 	"github.com/ipld/go-ipld-prime/node/bindnode"
-	"github.com/ipld/go-ipld-prime/printer"
 	"github.com/stretchr/testify/require"
 )
 
-func TestParse(t *testing.T) {
-	t.Run("identity", func(t *testing.T) {
-		sel, err := Parse(".")
-		require.NoError(t, err)
-		require.Equal(t, 1, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-	})
-
-	t.Run("field", func(t *testing.T) {
-		sel, err := Parse(".foo")
-		require.NoError(t, err)
-		require.Equal(t, 1, len(sel))
-		require.False(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Equal(t, sel[0].Field(), "foo")
-		require.Empty(t, sel[0].Index())
-	})
-
-	t.Run("explicit field", func(t *testing.T) {
-		sel, err := Parse(`.["foo"]`)
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.False(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Equal(t, sel[1].Field(), "foo")
-		require.Empty(t, sel[1].Index())
-	})
-
-	t.Run("index", func(t *testing.T) {
-		sel, err := Parse(".[138]")
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.False(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Equal(t, sel[1].Index(), 138)
-	})
-
-	t.Run("negative index", func(t *testing.T) {
-		sel, err := Parse(".[-138]")
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.False(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Equal(t, sel[1].Index(), -138)
-	})
-
-	t.Run("iterator", func(t *testing.T) {
-		sel, err := Parse(".[]")
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.False(t, sel[1].Optional())
-		require.True(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Empty(t, sel[1].Index())
-	})
-
-	t.Run("optional field", func(t *testing.T) {
-		sel, err := Parse(".foo?")
-		require.NoError(t, err)
-		require.Equal(t, 1, len(sel))
-		require.False(t, sel[0].Identity())
-		require.True(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Equal(t, sel[0].Field(), "foo")
-		require.Empty(t, sel[0].Index())
-	})
-
-	t.Run("optional explicit field", func(t *testing.T) {
-		sel, err := Parse(`.["foo"]?`)
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.True(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Equal(t, sel[1].Field(), "foo")
-		require.Empty(t, sel[1].Index())
-	})
-
-	t.Run("optional index", func(t *testing.T) {
-		sel, err := Parse(".[138]?")
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.True(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Equal(t, sel[1].Index(), 138)
-	})
-
-	t.Run("optional iterator", func(t *testing.T) {
-		sel, err := Parse(".[]?")
-		require.NoError(t, err)
-		require.Equal(t, 2, len(sel))
-		require.True(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Empty(t, sel[0].Field())
-		require.Empty(t, sel[0].Index())
-		require.False(t, sel[1].Identity())
-		require.True(t, sel[1].Optional())
-		require.True(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Empty(t, sel[1].Index())
-	})
-
-	t.Run("nesting", func(t *testing.T) {
-		str := `.foo.["bar"].[138]?.baz[1:]`
-		sel, err := Parse(str)
-		require.NoError(t, err)
-		printSegments(sel)
-		require.Equal(t, str, sel.String())
-		require.Equal(t, 7, len(sel))
-		require.False(t, sel[0].Identity())
-		require.False(t, sel[0].Optional())
-		require.False(t, sel[0].Iterator())
-		require.Empty(t, sel[0].Slice())
-		require.Equal(t, sel[0].Field(), "foo")
-		require.Empty(t, sel[0].Index())
-		require.True(t, sel[1].Identity())
-		require.False(t, sel[1].Optional())
-		require.False(t, sel[1].Iterator())
-		require.Empty(t, sel[1].Slice())
-		require.Empty(t, sel[1].Field())
-		require.Empty(t, sel[1].Index())
-		require.False(t, sel[2].Identity())
-		require.False(t, sel[2].Optional())
-		require.False(t, sel[2].Iterator())
-		require.Empty(t, sel[2].Slice())
-		require.Equal(t, sel[2].Field(), "bar")
-		require.Empty(t, sel[2].Index())
-		require.True(t, sel[3].Identity())
-		require.False(t, sel[3].Optional())
-		require.False(t, sel[3].Iterator())
-		require.Empty(t, sel[3].Slice())
-		require.Empty(t, sel[3].Field())
-		require.Empty(t, sel[3].Index())
-		require.False(t, sel[4].Identity())
-		require.True(t, sel[4].Optional())
-		require.False(t, sel[4].Iterator())
-		require.Empty(t, sel[4].Slice())
-		require.Empty(t, sel[4].Field())
-		require.Equal(t, sel[4].Index(), 138)
-		require.False(t, sel[5].Identity())
-		require.False(t, sel[5].Optional())
-		require.False(t, sel[5].Iterator())
-		require.Empty(t, sel[5].Slice())
-		require.Equal(t, sel[5].Field(), "baz")
-		require.Empty(t, sel[5].Index())
-		require.False(t, sel[6].Identity())
-		require.False(t, sel[6].Optional())
-		require.False(t, sel[6].Iterator())
-		require.Equal(t, sel[6].Slice(), []int{1})
-		require.Empty(t, sel[6].Field())
-		require.Empty(t, sel[6].Index())
-	})
-
-	t.Run("non dotted", func(t *testing.T) {
-		_, err := Parse("foo")
-		require.NotNil(t, err)
-		fmt.Println(err)
-	})
-
-	t.Run("non quoted", func(t *testing.T) {
-		_, err := Parse(".[foo]")
-		require.NotNil(t, err)
-		fmt.Println(err)
-	})
-}
-
-func printSegments(s Selector) {
-	for i, seg := range s {
-		fmt.Printf("%d: %s\n", i, seg.String())
-	}
-}
-
 func TestSelect(t *testing.T) {
 	type name struct {
 		First  string
@@ -313,14 +82,11 @@ func TestSelect(t *testing.T) {
 		sel, err := Parse(".")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		res, err := sel.Select(anode)
 		require.NoError(t, err)
-		require.NotEmpty(t, one)
+		require.NotEmpty(t, res)
-		require.Empty(t, many)
 
-		fmt.Println(printer.Sprint(one))
+		age := must.Int(must.Node(res.LookupByString("age")))
-
-		age := must.Int(must.Node(one.LookupByString("age")))
 		require.Equal(t, int64(alice.Age), age)
 	})
 
@@ -328,24 +94,18 @@ func TestSelect(t *testing.T) {
 		sel, err := Parse(".name.first")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		res, err := sel.Select(anode)
 		require.NoError(t, err)
-		require.NotEmpty(t, one)
+		require.NotEmpty(t, res)
-		require.Empty(t, many)
 
-		fmt.Println(printer.Sprint(one))
+		name := must.String(res)
-
-		name := must.String(one)
 		require.Equal(t, alice.Name.First, name)
 
-		one, many, err = sel.Select(bnode)
+		res, err = sel.Select(bnode)
 		require.NoError(t, err)
-		require.NotEmpty(t, one)
+		require.NotEmpty(t, res)
-		require.Empty(t, many)
 
-		fmt.Println(printer.Sprint(one))
+		name = must.String(res)
-
-		name = must.String(one)
 		require.Equal(t, bob.Name.First, name)
 	})
 
@@ -353,108 +113,178 @@ func TestSelect(t *testing.T) {
 		sel, err := Parse(".name.middle?")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		res, err := sel.Select(anode)
 		require.NoError(t, err)
-		require.NotEmpty(t, one)
+		require.NotEmpty(t, res)
-		require.Empty(t, many)
 
-		fmt.Println(printer.Sprint(one))
+		name := must.String(res)
-
-		name := must.String(one)
 		require.Equal(t, *alice.Name.Middle, name)
 
-		one, many, err = sel.Select(bnode)
+		res, err = sel.Select(bnode)
 		require.NoError(t, err)
-		require.Empty(t, one)
+		require.Empty(t, res)
-		require.Empty(t, many)
 	})
 
 	t.Run("not exists", func(t *testing.T) {
 		sel, err := Parse(".name.foo")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		res, err := sel.Select(anode)
 		require.Error(t, err)
-		require.Empty(t, one)
+		require.Empty(t, res)
-		require.Empty(t, many)
 
-		fmt.Println(err)
+		require.ErrorAs(t, err, &resolutionErr{}, "error should be a resolution error")
-
-		require.ErrorAs(t, err, &resolutionerr{}, "error was not a resolution error")
 	})
 
 	t.Run("optional not exists", func(t *testing.T) {
 		sel, err := Parse(".name.foo?")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		one, err := sel.Select(anode)
 		require.NoError(t, err)
 		require.Empty(t, one)
-		require.Empty(t, many)
 	})
 
 	t.Run("iterator", func(t *testing.T) {
 		sel, err := Parse(".interests[]")
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		res, err := sel.Select(anode)
 		require.NoError(t, err)
-		require.Empty(t, one)
+		require.NotEmpty(t, res)
-		require.NotEmpty(t, many)
 
-		for _, n := range many {
+		iname := must.String(must.Node(must.Node(res.LookupByIndex(0)).LookupByString("name")))
-			fmt.Println(printer.Sprint(n))
-		}
-
-		iname := must.String(must.Node(many[0].LookupByString("name")))
 		require.Equal(t, alice.Interests[0].Name, iname)
 
-		iname = must.String(must.Node(many[1].LookupByString("name")))
+		iname = must.String(must.Node(must.Node(res.LookupByIndex(1)).LookupByString("name")))
 		require.Equal(t, alice.Interests[1].Name, iname)
 	})
 
-	t.Run("map iterator", func(t *testing.T) {
+	t.Run("slice on string", func(t *testing.T) {
-		sel, err := Parse(".interests[0][]")
+		sel, err := Parse(`.[1:3]`)
 		require.NoError(t, err)
 
-		one, many, err := sel.Select(anode)
+		node := basicnode.NewString("hello")
+		res, err := sel.Select(node)
 		require.NoError(t, err)
-		require.Empty(t, one)
+		require.NotEmpty(t, res)
-		require.NotEmpty(t, many)
 
-		for _, n := range many {
+		str, err := res.AsString()
-			fmt.Println(printer.Sprint(n))
+		require.NoError(t, err)
-		}
+		require.Equal(t, "el", str) // assert sliced substring
-
-		require.Equal(t, alice.Interests[0].Name, must.String(many[0]))
-		require.Equal(t, alice.Interests[0].Experience, int(must.Int(many[2])))
 	})
-}
 
-func TestMatch(t *testing.T) {
+	t.Run("out of bounds slicing", func(t *testing.T) {
-	for _, tc := range []struct {
+		node, err := qp.BuildList(basicnode.Prototype.Any, 3, func(la datamodel.ListAssembler) {
-		sel       string
+			qp.ListEntry(la, qp.Int(1))
-		path      []string
+			qp.ListEntry(la, qp.Int(2))
-		want      bool
+			qp.ListEntry(la, qp.Int(3))
-		remaining []string
-	}{
-		{sel: ".foo.bar", path: []string{"foo", "bar"}, want: true, remaining: []string{}},
-		{sel: ".foo.bar", path: []string{"foo"}, want: true, remaining: []string{}},
-		{sel: ".foo.bar", path: []string{"foo", "bar", "baz"}, want: true, remaining: []string{"baz"}},
-		{sel: ".foo.bar", path: []string{"foo", "faa"}, want: false},
-		{sel: ".foo.[]", path: []string{"foo", "faa"}, want: false},
-		{sel: ".foo.[]", path: []string{"foo"}, want: true, remaining: []string{}},
-		{sel: ".foo.bar?", path: []string{"foo"}, want: true, remaining: []string{}},
-		{sel: ".foo.bar?", path: []string{"foo", "bar"}, want: true, remaining: []string{}},
-		{sel: ".foo.bar?", path: []string{"foo", "baz"}, want: false},
-	} {
-		t.Run(tc.sel, func(t *testing.T) {
-			sel := MustParse(tc.sel)
-			res, remain := sel.MatchPath(tc.path...)
-			require.Equal(t, tc.want, res)
-			require.EqualValues(t, tc.remaining, remain)
 		})
-	}
+		require.NoError(t, err)
+
+		sel, err := Parse(`.[10:20]`)
+		require.NoError(t, err)
+
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotEmpty(t, res)
+		require.Equal(t, int64(0), res.Length())
+
+		_, err = res.LookupByIndex(0)
+		require.ErrorIs(t, err, datamodel.ErrNotExists{}) // assert empty result for out of bounds slice
+	})
+
+	t.Run("backward slicing", func(t *testing.T) {
+		node, err := qp.BuildList(basicnode.Prototype.Any, 3, func(la datamodel.ListAssembler) {
+			qp.ListEntry(la, qp.Int(1))
+			qp.ListEntry(la, qp.Int(2))
+			qp.ListEntry(la, qp.Int(3))
+		})
+		require.NoError(t, err)
+
+		sel, err := Parse(`.[5:2]`)
+		require.NoError(t, err)
+
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotEmpty(t, res)
+		require.Equal(t, int64(0), res.Length())
+
+		_, err = res.LookupByIndex(0)
+		require.ErrorIs(t, err, datamodel.ErrNotExists{}) // assert empty result for backward slice
+	})
+
+	t.Run("slice with negative index", func(t *testing.T) {
+		node, err := qp.BuildList(basicnode.Prototype.Any, 3, func(la datamodel.ListAssembler) {
+			qp.ListEntry(la, qp.Int(1))
+			qp.ListEntry(la, qp.Int(2))
+			qp.ListEntry(la, qp.Int(3))
+		})
+		require.NoError(t, err)
+
+		sel, err := Parse(`.[0:-1]`)
+		require.NoError(t, err)
+
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotEmpty(t, res)
+
+		val, err := res.LookupByIndex(1)
+		require.NoError(t, err)
+		require.Equal(t, 2, int(must.Int(val))) // Assert sliced value at index 1
+	})
+
+	t.Run("slice on bytes", func(t *testing.T) {
+		sel, err := Parse(`.[1:3]`)
+		require.NoError(t, err)
+
+		node := basicnode.NewBytes([]byte{0x01, 0x02, 0x03, 0x04, 0x05})
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotEmpty(t, res)
+
+		bytes, err := res.AsBytes()
+		require.NoError(t, err)
+		require.Equal(t, []byte{0x02, 0x03}, bytes) // assert sliced bytes
+	})
+
+	t.Run("index on bytes", func(t *testing.T) {
+		sel, err := Parse(`.[2]`)
+		require.NoError(t, err)
+
+		node := basicnode.NewBytes([]byte{0x01, 0x02, 0x03, 0x04, 0x05})
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotEmpty(t, res)
+
+		val, err := res.AsInt()
+		require.NoError(t, err)
+		require.Equal(t, int64(0x03), val) // assert indexed byte value
+	})
+
+	t.Run("out of bounds slicing on bytes", func(t *testing.T) {
+		sel, err := Parse(`.[10:20]`)
+		require.NoError(t, err)
+
+		node := basicnode.NewBytes([]byte{0x01, 0x02, 0x03})
+		res, err := sel.Select(node)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+
+		bytes, err := res.AsBytes()
+		require.NoError(t, err)
+		require.Empty(t, bytes) // assert empty result for out of bounds slice
+	})
+
+	t.Run("out of bounds indexing on bytes", func(t *testing.T) {
+		sel, err := Parse(`.[10]`)
+		require.NoError(t, err)
+
+		node := basicnode.NewBytes([]byte{0x01, 0x02, 0x03})
+		_, err = sel.Select(node)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "can not resolve path: .10") // assert error for out of bounds index
+	})
 }
 
 func FuzzParse(f *testing.F) {
@@ -520,6 +350,64 @@ func FuzzParseAndSelect(f *testing.F) {
 		}
 
 		// look for panic()
-		_, _, _ = sel.Select(node)
+		_, err = sel.Select(node)
+		if err != nil && !errors.As(err, &resolutionErr{}) {
+			// not normal, we should only have resolution errors
+			t.Fatal(err)
+		}
 	})
 }
+
+func TestResolveSliceIndices(t *testing.T) {
+	tests := []struct {
+		name      string
+		slice     []int64
+		length    int64
+		wantStart int64
+		wantEnd   int64
+	}{
+		{
+			name:      "normal case",
+			slice:     []int64{1, 3},
+			length:    5,
+			wantStart: 1,
+			wantEnd:   3,
+		},
+		{
+			name:      "negative indices",
+			slice:     []int64{-2, -1},
+			length:    5,
+			wantStart: 3,
+			wantEnd:   4,
+		},
+		{
+			name:      "overflow protection negative start",
+			slice:     []int64{math.MinInt64, 3},
+			length:    5,
+			wantStart: 0,
+			wantEnd:   3,
+		},
+		{
+			name:      "overflow protection negative end",
+			slice:     []int64{0, math.MinInt64},
+			length:    5,
+			wantStart: 0,
+			wantEnd:   0,
+		},
+		{
+			name:      "max bounds",
+			slice:     []int64{0, math.MaxInt64},
+			length:    5,
+			wantStart: 0,
+			wantEnd:   5,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			start, end := resolveSliceIndices(tt.slice, tt.length)
+			require.Equal(t, tt.wantStart, start)
+			require.Equal(t, tt.wantEnd, end)
+		})
+	}
+}

pkg/policy/selector/supported_test.go

@@ -1,18 +1,15 @@
 package selector_test
 
 import (
-	"bytes"
 	"strings"
 	"testing"
 
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
-	"github.com/ipld/go-ipld-prime/datamodel"
 	basicnode "github.com/ipld/go-ipld-prime/node/basic"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/ucan-wg/go-ucan/pkg/policy/selector"
+	"code.sonr.org/go/ucan/pkg/policy/selector"
 )
 
 // TestSupported Forms runs tests against the Selector according to the
@@ -26,17 +23,15 @@ func TestSupportedForms(t *testing.T) {
 		Output   string
 	}
 
-	// Pass
+	// Pass and return a node
 	for _, testcase := range []Testcase{
 		{Name: "Identity", Selector: `.`, Input: `{"x":1}`, Output: `{"x":1}`},
 		{Name: "Iterator", Selector: `.[]`, Input: `[1, 2]`, Output: `[1, 2]`},
 		{Name: "Optional Null Iterator", Selector: `.[]?`, Input: `null`, Output: `[]`},
-		{Name: "Optional Iterator", Selector: `.[][]?`, Input: `[[1], 2, [3]]`, Output: `[1, 3]`},
 		{Name: "Object Key", Selector: `.x`, Input: `{"x": 1 }`, Output: `1`},
 		{Name: "Quoted Key", Selector: `.["x"]`, Input: `{"x": 1}`, Output: `1`},
 		{Name: "Index", Selector: `.[0]`, Input: `[1, 2]`, Output: `1`},
 		{Name: "Negative Index", Selector: `.[-1]`, Input: `[1, 2]`, Output: `2`},
-		{Name: "String Index", Selector: `.[0]`, Input: `"Hi"`, Output: `"H"`},
 		{Name: "Bytes Index", Selector: `.[0]`, Input: `{"/":{"bytes":"AAE"}}`, Output: `0`},
 		{Name: "Array Slice", Selector: `.[0:2]`, Input: `[0, 1, 2]`, Output: `[0, 1]`},
 		{Name: "Array Slice", Selector: `.[1:]`, Input: `[0, 1, 2]`, Output: `[1, 2]`},
@@ -52,35 +47,16 @@ func TestSupportedForms(t *testing.T) {
 			require.NoError(t, err)
 
 			// attempt to select
-			node, nodes, err := sel.Select(makeNode(t, tc.Input))
+			res, err := sel.Select(makeNode(t, tc.Input))
 			require.NoError(t, err)
-			require.NotEqual(t, node != nil, len(nodes) > 0) // XOR (only one of node or nodes should be set)
+			require.NotNil(t, res)
-
-			// make an IPLD List node from a []datamodel.Node
-			if node == nil {
-				nb := basicnode.Prototype.List.NewBuilder()
-				la, err := nb.BeginList(int64(len(nodes)))
-				require.NoError(t, err)
-
-				for _, n := range nodes {
-					// TODO: This code is probably not needed if the Select operation properly prunes nil values - e.g.: Optional Iterator
-					if n == nil {
-						n = datamodel.Null
-					}
-
-					require.NoError(t, la.AssembleValue().AssignNode(n))
-				}
-				require.NoError(t, la.Finish())
-
-				node = nb.Build()
-			}
 
 			exp := makeNode(t, tc.Output)
-			equalIPLD(t, exp, node)
+			require.True(t, ipld.DeepEqual(exp, res))
 		})
 	}
 
-	// null
+	// No error and return null, as optional
 	for _, testcase := range []Testcase{
 		{Name: "Optional Missing Key", Selector: `.x?`, Input: `{}`},
 		{Name: "Optional Null Key", Selector: `.x?`, Input: `null`},
@@ -97,19 +73,15 @@ func TestSupportedForms(t *testing.T) {
 			require.NoError(t, err)
 
 			// attempt to select
-			node, nodes, err := sel.Select(makeNode(t, tc.Input))
+			res, err := sel.Select(makeNode(t, tc.Input))
 			require.NoError(t, err)
-			// TODO: should Select return a single node which is sometimes a list or null?
+			require.Nil(t, res)
-			// require.Equal(t, datamodel.Null, node)
-			assert.Nil(t, node)
-			assert.Empty(t, nodes)
 		})
 	}
 
-	// error
+	// fail to select and return an error
 	for _, testcase := range []Testcase{
 		{Name: "Null Iterator", Selector: `.[]`, Input: `null`},
-		{Name: "Nested Iterator", Selector: `.[][]`, Input: `[[1], 2, [3]]`},
 		{Name: "Missing Key", Selector: `.x`, Input: `{}`},
 		{Name: "Null Key", Selector: `.x`, Input: `null`},
 		{Name: "Array Key", Selector: `.x`, Input: `[]`},
@@ -124,31 +96,13 @@ func TestSupportedForms(t *testing.T) {
 			require.NoError(t, err)
 
 			// attempt to select
-			node, nodes, err := sel.Select(makeNode(t, tc.Input))
+			res, err := sel.Select(makeNode(t, tc.Input))
 			require.Error(t, err)
-			assert.Nil(t, node)
+			require.Nil(t, res)
-			assert.Empty(t, nodes)
 		})
 	}
 }
 
-func equalIPLD(t *testing.T, expected datamodel.Node, actual datamodel.Node) bool {
-	t.Helper()
-
-	exp, act := &bytes.Buffer{}, &bytes.Buffer{}
-	if err := dagjson.Encode(expected, exp); err != nil {
-		return assert.Fail(t, "Failed to encode json for expected IPLD node")
-	}
-
-	if err := dagjson.Encode(actual, act); err != nil {
-		return assert.Fail(t, "Failed to encode JSON for actual IPLD node")
-	}
-
-	require.JSONEq(t, exp.String(), act.String())
-
-	return true
-}
-
 func makeNode(t *testing.T, dagJsonInput string) ipld.Node {
 	t.Helper()
 

pkg/secretbox/secretbox.go

@@ -0,0 +1,90 @@
+package secretbox
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+
+	"golang.org/x/crypto/nacl/secretbox"
+)
+
+const keySize = 32 // secretbox allows only 32-byte keys
+
+var ErrShortCipherText = errors.New("ciphertext too short")
+var ErrNoEncryptionKey = errors.New("encryption key is required")
+var ErrInvalidKeySize = errors.New("invalid key size: must be 32 bytes")
+var ErrZeroKey = errors.New("encryption key cannot be all zeros")
+
+// GenerateKey generates a random 32-byte key to be used by EncryptWithKey and DecryptWithKey
+func GenerateKey() ([]byte, error) {
+	key := make([]byte, keySize)
+	if _, err := io.ReadFull(rand.Reader, key); err != nil {
+		return nil, fmt.Errorf("failed to generate key: %w", err)
+	}
+	return key, nil
+}
+
+// EncryptWithKey encrypts data using NaCl's secretbox with the provided key.
+// 40 bytes of overhead (24-byte nonce + 16-byte MAC) are added to the plaintext size.
+func EncryptWithKey(data, key []byte) ([]byte, error) {
+	if err := validateKey(key); err != nil {
+		return nil, err
+	}
+
+	var secretKey [keySize]byte
+	copy(secretKey[:], key)
+
+	// Generate 24 bytes of random data as nonce
+	var nonce [24]byte
+	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
+		return nil, err
+	}
+
+	// Encrypt and authenticate data
+	encrypted := secretbox.Seal(nonce[:], data, &nonce, &secretKey)
+	return encrypted, nil
+}
+
+// DecryptStringWithKey decrypts data using secretbox with the provided key
+func DecryptStringWithKey(data, key []byte) ([]byte, error) {
+	if err := validateKey(key); err != nil {
+		return nil, err
+	}
+
+	if len(data) < 24 {
+		return nil, ErrShortCipherText
+	}
+
+	var secretKey [keySize]byte
+	copy(secretKey[:], key)
+
+	var nonce [24]byte
+	copy(nonce[:], data[:24])
+
+	decrypted, ok := secretbox.Open(nil, data[24:], &nonce, &secretKey)
+	if !ok {
+		return nil, errors.New("decryption failed")
+	}
+
+	return decrypted, nil
+}
+
+func validateKey(key []byte) error {
+	if key == nil {
+		return ErrNoEncryptionKey
+	}
+
+	if len(key) != keySize {
+		return ErrInvalidKeySize
+	}
+
+	// check if key is all zeros
+	for _, b := range key {
+		if b != 0 {
+			return nil
+		}
+	}
+
+	return ErrZeroKey
+}

pkg/secretbox/secretbox_test.go

@@ -0,0 +1,144 @@
+package secretbox
+
+import (
+	"bytes"
+	"crypto/rand"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSecretBoxEncryption(t *testing.T) {
+	t.Parallel()
+
+	key := make([]byte, keySize) // generate random 32-byte key
+	_, errKey := rand.Read(key)
+	require.NoError(t, errKey)
+
+	tests := []struct {
+		name    string
+		data    []byte
+		key     []byte
+		wantErr error
+	}{
+		{
+			name: "valid encryption/decryption",
+			data: []byte("hello world"),
+			key:  key,
+		},
+		{
+			name:    "nil key returns error",
+			data:    []byte("hello world"),
+			key:     nil,
+			wantErr: ErrNoEncryptionKey,
+		},
+		{
+			name: "empty data",
+			data: []byte{},
+			key:  key,
+		},
+		{
+			name:    "invalid key size",
+			data:    []byte("hello world"),
+			key:     make([]byte, 16), // Only 32 bytes allowed now
+			wantErr: ErrInvalidKeySize,
+		},
+		{
+			name:    "zero key returns error",
+			data:    []byte("hello world"),
+			key:     make([]byte, keySize),
+			wantErr: ErrZeroKey,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			encrypted, err := EncryptWithKey(tt.data, tt.key)
+			if tt.wantErr != nil {
+				require.ErrorIs(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+
+			// Verify encrypted data is different and includes nonce
+			require.Greater(t, len(encrypted), 24) // At least nonce size
+			if len(tt.data) > 0 {
+				require.NotEqual(t, tt.data, encrypted[24:]) // Ignore nonce prefix
+			}
+
+			decrypted, err := DecryptStringWithKey(encrypted, tt.key)
+			require.NoError(t, err)
+			require.True(t, bytes.Equal(tt.data, decrypted))
+		})
+	}
+}
+
+func TestDecryptionErrors(t *testing.T) {
+	t.Parallel()
+
+	key := make([]byte, keySize)
+	_, err := rand.Read(key)
+	require.NoError(t, err)
+
+	// Create valid encrypted data for tampering tests
+	validData := []byte("test message")
+	encrypted, err := EncryptWithKey(validData, key)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		data   []byte
+		key    []byte
+		errMsg string
+	}{
+		{
+			name:   "short ciphertext",
+			data:   make([]byte, 23), // Less than nonce size
+			key:    key,
+			errMsg: "ciphertext too short",
+		},
+		{
+			name:   "invalid ciphertext",
+			data:   make([]byte, 24), // Just nonce size
+			key:    key,
+			errMsg: "decryption failed",
+		},
+		{
+			name:   "tampered ciphertext",
+			data:   tamperWithBytes(encrypted),
+			key:    key,
+			errMsg: "decryption failed",
+		},
+		{
+			name:   "missing key",
+			data:   encrypted,
+			key:    nil,
+			errMsg: "encryption key is required",
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := DecryptStringWithKey(tt.data, tt.key)
+			require.Error(t, err)
+			require.Contains(t, err.Error(), tt.errMsg)
+		})
+	}
+}
+
+// tamperWithBytes modifies a byte in the encrypted data to simulate tampering
+func tamperWithBytes(data []byte) []byte {
+	if len(data) < 25 { // Need at least nonce + 1 byte
+		return data
+	}
+	tampered := make([]byte, len(data))
+	copy(tampered, data)
+	tampered[24] ^= 0x01 // Modify first byte after nonce
+	return tampered
+}

token/delegation/delegation.go

@@ -10,17 +10,19 @@ package delegation
 // TODO: change the "delegation" link above when the specification is merged
 
 import (
-	"crypto/rand"
+	"encoding/base64"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
-	"github.com/libp2p/go-libp2p/core/crypto"
+	"code.sonr.org/go/did-it"
 
-	"github.com/ucan-wg/go-ucan/did"
+	"code.sonr.org/go/ucan/pkg/command"
-	"github.com/ucan-wg/go-ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/meta"
-	"github.com/ucan-wg/go-ucan/pkg/meta"
+	"code.sonr.org/go/ucan/pkg/policy"
-	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"code.sonr.org/go/ucan/token/internal/nonce"
+	"code.sonr.org/go/ucan/token/internal/parse"
 )
 
 // Token is an immutable type that holds the fields of a UCAN delegation.
@@ -45,21 +47,15 @@ type Token struct {
 	expiration *time.Time
 }
 
-// New creates a validated Token from the provided parameters and options.
+// New creates a validated delegation Token from the provided parameters and options.
+// This is typically used to delegate a given power to another agent.
 //
-// When creating a delegated token, the Issuer's (iss) DID is assembed
+// You can read it as "(issuer) allows (audience) to perform (cmd+pol) on (subject)".
-// using the public key associated with the private key sent as the first
+func New(iss did.DID, aud did.DID, cmd command.Command, pol policy.Policy, sub did.DID, opts ...Option) (*Token, error) {
-// parameter.
-func New(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
-	iss, err := did.FromPrivKey(privKey)
-	if err != nil {
-		return nil, err
-	}
-
 	tkn := &Token{
 		issuer:   iss,
 		audience: aud,
-		subject:  did.Undef,
+		subject:  sub,
 		command:  cmd,
 		policy:   pol,
 		meta:     meta.NewMeta(),
@@ -72,8 +68,9 @@ func New(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Po
 		}
 	}
 
+	var err error
 	if len(tkn.nonce) == 0 {
-		tkn.nonce, err = generateNonce()
+		tkn.nonce, err = nonce.Generate()
 		if err != nil {
 			return nil, err
 		}
@@ -86,21 +83,27 @@ func New(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Po
 	return tkn, nil
 }
 
-// Root creates a validated UCAN delegation Token from the provided
+// Root creates a validated UCAN delegation Token from the provided parameters and options.
-// parameters and options.
+// This is typically used to create and give power to an agent.
 //
-// When creating a root token, both the Issuer's (iss) and Subject's
+// You can read it as "(issuer) allows (audience) to perform (cmd+pol) on itself".
-// (sub) DIDs are assembled from the public key associated with the
+func Root(iss did.DID, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
-// private key passed as the first argument.
+	return New(iss, aud, cmd, pol, iss, opts...)
-func Root(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
+}
-	sub, err := did.FromPrivKey(privKey)
-	if err != nil {
-		return nil, err
-	}
 
-	opts = append(opts, WithSubject(sub))
+// Powerline creates a validated UCAN delegation Token from the provided parameters and options.
-
+//
-	return New(privKey, aud, cmd, pol, opts...)
+// Powerline is a pattern for automatically delegating all future delegations to another agent regardless of Subject.
+// This is a very powerful pattern, use it only if you understand it.
+// Powerline delegations MUST NOT be used as the root delegation to a resource
+//
+// A very common use case for Powerline is providing a stable DID across multiple agents (e.g. representing a user with
+// multiple devices). This enables the automatic sharing of authority across their devices without needing to share keys
+// or set up a threshold scheme. It is also flexible, since a Powerline delegation MAY be revoked.
+//
+// You can read it as "(issuer) allows (audience) to perform (cmd+pol) on anything".
+func Powerline(iss did.DID, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
+	return New(iss, aud, cmd, pol, nil, opts...)
 }
 
 // Issuer returns the did.DID representing the Token's issuer.
@@ -138,8 +141,8 @@ func (t *Token) Nonce() []byte {
 }
 
 // Meta returns the Token's metadata.
-func (t *Token) Meta() *meta.Meta {
+func (t *Token) Meta() meta.ReadOnly {
-	return t.meta
+	return t.meta.ReadOnly()
 }
 
 // NotBefore returns the time at which the Token becomes "active".
@@ -152,11 +155,65 @@ func (t *Token) Expiration() *time.Time {
 	return t.expiration
 }
 
+// IsRoot tells if the token is a root delegation.
+func (t *Token) IsRoot() bool {
+	return t.issuer.Equal(t.subject)
+}
+
+// IsPowerline tells if the token is a powerline delegation.
+func (t *Token) IsPowerline() bool {
+	return t.subject == nil
+}
+
+// IsValidNow verifies that the token can be used at the current time, based on expiration or "not before" fields.
+// This does NOT do any other kind of verifications.
+func (t *Token) IsValidNow() bool {
+	return t.IsValidAt(time.Now())
+}
+
+// IsValidNow verifies that the token can be used at the given time, based on expiration or "not before" fields.
+// This does NOT do any other kind of verifications.
+func (t *Token) IsValidAt(ti time.Time) bool {
+	if t.expiration != nil && ti.After(*t.expiration) {
+		return false
+	}
+	if t.notBefore != nil && ti.Before(*t.notBefore) {
+		return false
+	}
+	return true
+}
+
+func (t *Token) String() string {
+	var res strings.Builder
+
+	var kind string
+	switch {
+	case t.issuer == t.subject:
+		kind = " (root delegation)"
+	case t.subject == nil:
+		kind = " (powerline delegation)"
+	default:
+		kind = " (normal delegation)"
+	}
+
+	res.WriteString(fmt.Sprintf("Issuer: %s\n", t.Issuer()))
+	res.WriteString(fmt.Sprintf("Audience: %s\n", t.Audience()))
+	res.WriteString(fmt.Sprintf("Subject: %s%s\n", t.Subject(), kind))
+	res.WriteString(fmt.Sprintf("Command: %s\n", t.Command()))
+	res.WriteString(fmt.Sprintf("Policy: %s\n", t.Policy()))
+	res.WriteString(fmt.Sprintf("Nonce: %s\n", base64.StdEncoding.EncodeToString(t.Nonce())))
+	res.WriteString(fmt.Sprintf("Meta: %s\n", t.Meta()))
+	res.WriteString(fmt.Sprintf("NotBefore: %v\n", t.NotBefore()))
+	res.WriteString(fmt.Sprintf("Expiration: %v", t.Expiration()))
+
+	return res.String()
+}
+
 func (t *Token) validate() error {
 	var errs error
 
 	requiredDID := func(id did.DID, fieldname string) {
-		if !id.Defined() {
+		if id == nil {
 			errs = errors.Join(errs, fmt.Errorf(`a valid did is required for %s: %s`, fieldname, id.String()))
 		}
 	}
@@ -184,27 +241,19 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
 		return nil, fmt.Errorf("parse iss: %w", err)
 	}
 
-	tkn.audience, err = did.Parse(m.Aud)
+	if tkn.audience, err = did.Parse(m.Aud); err != nil {
-	if err != nil {
 		return nil, fmt.Errorf("parse audience: %w", err)
 	}
 
-	if m.Sub != nil {
+	if tkn.subject, err = parse.OptionalDID(m.Sub); err != nil {
-		tkn.subject, err = did.Parse(*m.Sub)
+		return nil, fmt.Errorf("parse subject: %w", err)
-		if err != nil {
-			return nil, fmt.Errorf("parse subject: %w", err)
-		}
-	} else {
-		tkn.subject = did.Undef
 	}
 
-	tkn.command, err = command.Parse(m.Cmd)
+	if tkn.command, err = command.Parse(m.Cmd); err != nil {
-	if err != nil {
 		return nil, fmt.Errorf("parse command: %w", err)
 	}
 
-	tkn.policy, err = policy.FromIPLD(m.Pol)
+	if tkn.policy, err = policy.FromIPLD(m.Pol); err != nil {
-	if err != nil {
 		return nil, fmt.Errorf("parse policy: %w", err)
 	}
 
@@ -213,16 +262,19 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
 	}
 	tkn.nonce = m.Nonce
 
-	tkn.meta = &m.Meta
+	tkn.meta = m.Meta
-
+	if tkn.meta == nil {
-	if m.Nbf != nil {
+		tkn.meta = meta.NewMeta()
-		t := time.Unix(*m.Nbf, 0)
-		tkn.notBefore = &t
 	}
 
-	if m.Exp != nil {
+	tkn.notBefore, err = parse.OptionalTimestamp(m.Nbf)
-		t := time.Unix(*m.Exp, 0)
+	if err != nil {
-		tkn.expiration = &t
+		return nil, fmt.Errorf("parse notBefore: %w", err)
+	}
+
+	tkn.expiration, err = parse.OptionalTimestamp(m.Exp)
+	if err != nil {
+		return nil, fmt.Errorf("parse expiration: %w", err)
 	}
 
 	if err := tkn.validate(); err != nil {
@@ -231,14 +283,3 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) {
 
 	return &tkn, nil
 }
-
-// generateNonce creates a 12-byte random nonce.
-// TODO: some crypto scheme require more, is that our case?
-func generateNonce() ([]byte, error) {
-	res := make([]byte, 12)
-	_, err := rand.Read(res)
-	if err != nil {
-		return nil, err
-	}
-	return res, nil
-}

token/delegation/delegation.ipldsch

@@ -20,7 +20,7 @@ type Payload struct {
     nonce Bytes
 
     # Arbitrary Metadata
-    meta {String : Any}
+    meta optional {String : Any}
 
     # "Not before" UTC Unix Timestamp in seconds (valid from), 53-bits integer
     nbf optional Int

token/delegation/delegation_test.go

@@ -1,83 +1,53 @@
 package delegation_test
 
 import (
+	_ "embed"
+	"encoding/base64"
 	"testing"
 	"time"
 
-	"github.com/libp2p/go-libp2p/core/crypto"
+	"code.sonr.org/go/did-it/didtest"
 	"github.com/stretchr/testify/require"
-	"gotest.tools/v3/golden"
 
-	"github.com/ucan-wg/go-ucan/did"
+	"code.sonr.org/go/ucan/pkg/command"
-	"github.com/ucan-wg/go-ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/policy"
-	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"code.sonr.org/go/ucan/token/delegation"
-	"github.com/ucan-wg/go-ucan/token/delegation"
 )
 
+//go:embed testdata/new.dagjson
+var newDagJson []byte
+
+//go:embed testdata/powerline.dagjson
+var powerlineDagJson []byte
+
+//go:embed testdata/root.dagjson
+var rootDagJson []byte
+
 const (
 	nonce = "6roDhGi0kiNriQAz7J3d+bOeoI/tj8ENikmQNbtjnD0"
 
-	AudiencePrivKeyCfg = "CAESQL1hvbXpiuk2pWr/XFbfHJcZNpJ7S90iTA3wSCTc/BPRneCwPnCZb6c0vlD6ytDWqaOt0HEOPYnqEpnzoBDprSM="
+	subJectCmd = "/foo/bar"
-	AudienceDID        = "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv"
+	subjectPol = `
-
-	issuerPrivKeyCfg = "CAESQLSql38oDmQXIihFFaYIjb73mwbPsc7MIqn4o8PN4kRNnKfHkw5gRP1IV9b6d0estqkZayGZ2vqMAbhRixjgkDU="
-	issuerDID        = "did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2"
-
-	subjectPrivKeyCfg = "CAESQL9RtjZ4dQBeXtvDe53UyvslSd64kSGevjdNiA1IP+hey5i/3PfRXSuDr71UeJUo1fLzZ7mGldZCOZL3gsIQz5c="
-	subjectDID        = "did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"
-	subJectCmd        = "/foo/bar"
-	subjectPol        = `
 [
-	[
+  ["==", ".status", "draft"],
-		"==",
+  ["all", ".reviewer",
-		".status",
+    ["like", ".email", "*@example.com"]
-		"draft"
+  ],
-	],
+  ["any", ".tags",
-	[
+    ["or", [
-		"all",
+      ["==", ".", "news"],
-		".reviewer",
+      ["==", ".", "press"]
-		[
+    ]]
-			"like",
+  ]
-			".email",
-			"*@example.com"
-		]
-	],
-	[
-		"any",
-		".tags",
-		[
-			"or",
-			[
-				[
-					"==",
-					".",
-					"news"
-				],
-				[
-					"==",
-					".",
-					"press"
-				]
-			]
-		]
-	]
 ]
 `
 
-	newCID  = "zdpuAn9JgGPvnt2WCmTaKktZdbuvcVGTg9bUT5kQaufwUtZ6e"
+	aesKey = "xQklMmNTnVrmaPBq/0pwV5fEwuv/iClF5HWak9MsgI8="
-	rootCID = "zdpuAkgGmUp5JrXvehGuuw9JA8DLQKDaxtK3R8brDQQVC2i5X"
 )
 
 func TestConstructors(t *testing.T) {
 	t.Parallel()
 
-	privKey := privKey(t, issuerPrivKeyCfg)
-
-	aud, err := did.Parse(AudienceDID)
-
-	sub, err := did.Parse(subjectDID)
-	require.NoError(t, err)
-
 	cmd, err := command.Parse(subJectCmd)
 	require.NoError(t, err)
 
@@ -88,27 +58,25 @@ func TestConstructors(t *testing.T) {
 	require.NoError(t, err)
 
 	t.Run("New", func(t *testing.T) {
-		tkn, err := delegation.New(privKey, aud, cmd, pol,
+		tkn, err := delegation.New(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, didtest.PersonaCarol.DID(),
 			delegation.WithNonce([]byte(nonce)),
-			delegation.WithSubject(sub),
 			delegation.WithExpiration(exp),
 			delegation.WithMeta("foo", "fooo"),
 			delegation.WithMeta("bar", "barr"),
 		)
 		require.NoError(t, err)
 
-		data, err := tkn.ToDagJson(privKey)
+		require.False(t, tkn.IsRoot())
+		require.False(t, tkn.IsPowerline())
+
+		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
 		require.NoError(t, err)
 
-		t.Log(string(data))
+		require.Equal(t, newDagJson, data)
-
-		golden.Assert(t, string(data), "new.dagjson")
 	})
 
 	t.Run("Root", func(t *testing.T) {
-		t.Parallel()
+		tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
-
-		tkn, err := delegation.Root(privKey, aud, cmd, pol,
 			delegation.WithNonce([]byte(nonce)),
 			delegation.WithExpiration(exp),
 			delegation.WithMeta("foo", "fooo"),
@@ -116,21 +84,130 @@ func TestConstructors(t *testing.T) {
 		)
 		require.NoError(t, err)
 
-		data, err := tkn.ToDagJson(privKey)
+		require.True(t, tkn.IsRoot())
+		require.False(t, tkn.IsPowerline())
+
+		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
 		require.NoError(t, err)
 
-		t.Log(string(data))
+		require.Equal(t, rootDagJson, data)
+	})
 
-		golden.Assert(t, string(data), "root.dagjson")
+	t.Run("Powerline", func(t *testing.T) {
+		tkn, err := delegation.Powerline(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
+			delegation.WithNonce([]byte(nonce)),
+			delegation.WithExpiration(exp),
+			delegation.WithMeta("foo", "fooo"),
+			delegation.WithMeta("bar", "barr"),
+		)
+		require.NoError(t, err)
+
+		require.False(t, tkn.IsRoot())
+		require.True(t, tkn.IsPowerline())
+
+		data, err := tkn.ToDagJson(didtest.PersonaAlice.PrivKey())
+		require.NoError(t, err)
+
+		require.Equal(t, powerlineDagJson, data)
 	})
 }
 
-func privKey(t require.TestingT, privKeyCfg string) crypto.PrivKey {
+func TestEncryptedMeta(t *testing.T) {
-	privKeyMar, err := crypto.ConfigDecodeKey(privKeyCfg)
+	t.Parallel()
+
+	cmd, err := command.Parse(subJectCmd)
+	require.NoError(t, err)
+	pol, err := policy.FromDagJson(subjectPol)
 	require.NoError(t, err)
 
-	privKey, err := crypto.UnmarshalPrivateKey(privKeyMar)
+	encryptionKey, err := base64.StdEncoding.DecodeString(aesKey)
 	require.NoError(t, err)
+	require.Len(t, encryptionKey, 32)
 
-	return privKey
+	tests := []struct {
+		name        string
+		key         string
+		value       string
+		expectError bool
+	}{
+		{
+			name:  "simple string",
+			key:   "secret1",
+			value: "hello world",
+		},
+		{
+			name:  "empty string",
+			key:   "secret2",
+			value: "",
+		},
+		{
+			name:  "special characters",
+			key:   "secret3",
+			value: "!@#$%^&*()_+-=[]{}|;:,.<>?",
+		},
+		{
+			name:  "unicode characters",
+			key:   "secret4",
+			value: "Hello, 世界! 👋",
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
+				delegation.WithEncryptedMetaString(tt.key, tt.value, encryptionKey),
+			)
+			require.NoError(t, err)
+
+			data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())
+			require.NoError(t, err)
+
+			decodedTkn, _, err := delegation.FromSealed(data)
+			require.NoError(t, err)
+
+			_, err = decodedTkn.Meta().GetString(tt.key)
+			require.Error(t, err)
+
+			decrypted, err := decodedTkn.Meta().GetEncryptedString(tt.key, encryptionKey)
+			require.NoError(t, err)
+			// Verify the decrypted value is equal to the original
+			require.Equal(t, tt.value, decrypted)
+
+			// Try to decrypt with wrong key
+			wrongKey := make([]byte, 32)
+			_, err = decodedTkn.Meta().GetEncryptedString(tt.key, wrongKey)
+			require.Error(t, err)
+		})
+	}
+
+	t.Run("multiple encrypted values in the same token", func(t *testing.T) {
+		values := map[string]string{
+			"secret1": "value1",
+			"secret2": "value2",
+			"secret3": "value3",
+		}
+		var opts []delegation.Option
+		for k, v := range values {
+			opts = append(opts, delegation.WithEncryptedMetaString(k, v, encryptionKey))
+		}
+
+		// Create token with multiple encrypted values
+		tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol, opts...)
+		require.NoError(t, err)
+
+		data, err := tkn.ToDagCbor(didtest.PersonaAlice.PrivKey())
+		require.NoError(t, err)
+
+		decodedTkn, _, err := delegation.FromSealed(data)
+		require.NoError(t, err)
+
+		for k, v := range values {
+			decrypted, err := decodedTkn.Meta().GetEncryptedString(k, encryptionKey)
+			require.NoError(t, err)
+			require.Equal(t, v, decrypted)
+		}
+	})
 }

token/delegation/delegationtest/README.md

@@ -0,0 +1,5 @@
+# delegationtest
+
+See the package documentation for instructions on how to use the generated
+tokens as well as information on how to regenerate the code if changes have
+been made.

token/delegation/delegationtest/doc.go

@@ -0,0 +1,33 @@
+// Package delegationtest provides a set of pre-built delegation tokens
+// for a variety of test cases.
+//
+// For all delegation tokens, the name of the delegation token is the
+// Issuer appended with the Audience.  The tokens are generated so that
+// an invocation can be created for any didtest.Persona.
+//
+// Delegation proof-chain names contain each didtest.Persona name in
+// order starting with the root delegation (which will always be generated
+// by Alice). This is the opposite of the list of cic.Cids that represent the
+// proof chain.
+//
+// For both the generated delegation tokens granted to Carol's Persona and
+// the proof chains containing Carol's delegations to Dan, if there is no
+// suffix, the proof chain will be deemed valid.  If there is a suffix, it
+// will consist of either the word "Valid" or "Invalid" and the name of the
+// field that has been altered. Only optional fields will generate proof
+// chains with Valid suffixes.
+//
+// If changes are made to the list of Personas included in the chain, or
+// in the variants that are specified, the generated Go file and delegation
+// tokens stored in the data/ directory should be regenerated by running
+// the following command in this directory:
+//
+//	cd generator && go run .
+//
+// Generated delegation Tokens are stored in the data/ directory and loaded
+// into the delegation.Loader.
+// Generated references to these tokens and the tokens themselves are
+// created in the token_gen.go file. See /token/invocation/invocation_test.go
+// for an example of how these delegation tokens and proof-chains can
+// be used during testing.
+package delegationtest

token/delegation/delegationtest/generator/generator.go

@@ -0,0 +1,273 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"os"
+	"path/filepath"
+	"slices"
+	"time"
+
+	"code.sonr.org/go/did-it"
+	didkeyctl "code.sonr.org/go/did-it/controller/did-key"
+	"code.sonr.org/go/did-it/crypto"
+	"code.sonr.org/go/did-it/didtest"
+	"github.com/ipfs/go-cid"
+
+	"code.sonr.org/go/ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/policy"
+	"code.sonr.org/go/ucan/pkg/policy/policytest"
+	"code.sonr.org/go/ucan/token/delegation"
+	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+)
+
+const (
+	tokenNamePrefix      = "Token"
+	proorChainNamePrefix = "Proof"
+	tokenExt             = ".dagcbor"
+)
+
+var constantNonce = []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b}
+
+type newDelegationParams struct {
+	privKey crypto.PrivateKeySigningBytes // iss
+	aud     did.DID
+	cmd     command.Command
+	pol     policy.Policy
+	sub     did.DID
+	opts    []delegation.Option
+}
+
+type token struct {
+	name string
+	id   cid.Cid
+}
+
+type proof struct {
+	name string
+	prf  []cid.Cid
+}
+
+type acc struct {
+	name  string
+	chain []cid.Cid
+}
+
+type variant struct {
+	name    string
+	variant func(*newDelegationParams)
+}
+
+func noopVariant() variant {
+	return variant{
+		name:    "",
+		variant: func(_ *newDelegationParams) {},
+	}
+}
+
+type generator struct {
+	dlgs   []token
+	chains []proof
+}
+
+func (g *generator) chainPersonas(personas []didtest.Persona, acc acc, vari variant) error {
+	acc.name += personas[0].Name()
+
+	proofName := acc.name
+	if len(vari.name) > 0 {
+		proofName += "_" + vari.name
+	}
+	g.createProofChain(proofName, acc.chain)
+
+	if len(personas) < 2 {
+		return nil
+	}
+
+	name := personas[0].Name() + personas[1].Name()
+
+	params := newDelegationParams{
+		privKey: personas[0].PrivKey(),
+		aud:     personas[1].DID(),
+		cmd:     delegationtest.NominalCommand,
+		pol:     policytest.EmptyPolicy,
+		sub:     didtest.PersonaAlice.DID(),
+		opts: []delegation.Option{
+			delegation.WithNonce(constantNonce),
+		},
+	}
+
+	// Create each nominal token and continue the chain
+	id, err := g.createDelegation(params, name, vari)
+	if err != nil {
+		return err
+	}
+	acc.chain = append(acc.chain, id)
+	err = g.chainPersonas(personas[1:], acc, vari)
+	if err != nil {
+		return err
+	}
+
+	// If the user is Carol, create variants for each invalid and/or optional
+	// parameter and also continue the chain
+	if personas[0] == didtest.PersonaCarol {
+		variants := []variant{
+			{name: "InvalidExpandedCommand", variant: func(p *newDelegationParams) {
+				p.cmd = delegationtest.ExpandedCommand
+			}},
+			{name: "ValidAttenuatedCommand", variant: func(p *newDelegationParams) {
+				p.cmd = delegationtest.AttenuatedCommand
+			}},
+			{name: "InvalidSubject", variant: func(p *newDelegationParams) {
+				p.sub = didtest.PersonaBob.DID()
+			}},
+			{name: "InvalidExpired", variant: func(p *newDelegationParams) {
+				// Note: this makes the generator not deterministic
+				p.opts = append(p.opts, delegation.WithExpiration(time.Now().Add(time.Second)))
+			}},
+			{name: "InvalidInactive", variant: func(p *newDelegationParams) {
+				nbf, err := time.Parse(time.RFC3339, "2070-01-01T00:00:00Z")
+				if err != nil {
+					panic(err)
+				}
+				p.opts = append(p.opts, delegation.WithNotBefore(nbf))
+			}},
+			{name: "ValidExamplePolicy", variant: func(p *newDelegationParams) {
+				p.pol = policytest.SpecPolicy
+			}},
+		}
+
+		// Start a branch in the recursion for each of the variants
+		for _, v := range variants {
+			id, err := g.createDelegation(params, name, v)
+			if err != nil {
+				return err
+			}
+
+			// replace the previous Carol token id with the one from the variant
+			acc.chain[len(acc.chain)-1] = id
+			err = g.chainPersonas(personas[1:], acc, v)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (g *generator) createDelegation(params newDelegationParams, name string, vari variant) (cid.Cid, error) {
+	vari.variant(&params)
+
+	issDID := didkeyctl.FromPrivateKey(params.privKey)
+
+	tkn, err := delegation.New(issDID, params.aud, params.cmd, params.pol, params.sub, params.opts...)
+	if err != nil {
+		return cid.Undef, err
+	}
+
+	data, id, err := tkn.ToSealed(params.privKey)
+	if err != nil {
+		return cid.Undef, err
+	}
+
+	dlgName := tokenNamePrefix + name
+	if len(vari.name) > 0 {
+		dlgName += "_" + vari.name
+	}
+
+	err = os.WriteFile(filepath.Join("..", delegationtest.TokenDir, dlgName+tokenExt), data, 0o644)
+	if err != nil {
+		return cid.Undef, err
+	}
+
+	g.dlgs = append(g.dlgs, token{
+		name: dlgName,
+		id:   id,
+	})
+
+	return id, nil
+}
+
+func (g *generator) createProofChain(name string, prf []cid.Cid) {
+	if len(prf) < 1 {
+		return
+	}
+
+	clone := make([]cid.Cid, len(prf))
+	copy(clone, prf)
+
+	g.chains = append(g.chains, proof{
+		name: proorChainNamePrefix + name,
+		prf:  clone,
+	})
+}
+
+func (g *generator) writeGoFile() error {
+	buf := bytes.NewBuffer(nil)
+
+	Println := func(a ...any) { _, _ = fmt.Fprintln(buf, a...) }
+	Printf := func(format string, a ...any) { _, _ = fmt.Fprintf(buf, format, a...) }
+
+	Println("// Code generated by delegationtest - DO NOT EDIT.")
+	Println()
+	Println("package delegationtest")
+	Println()
+	Println("import (")
+	Println("\t\"github.com/ipfs/go-cid\"")
+	Println()
+	Println("\t\"code.sonr.org/go/ucan/token/delegation\"")
+	Println(")")
+
+	refs := make(map[cid.Cid]string, len(g.dlgs))
+
+	for _, d := range g.dlgs {
+		refs[d.id] = d.name + "CID"
+
+		Println()
+		Println("var (")
+		Printf("\t%sCID    = cid.MustParse(\"%s\")\n", d.name, d.id.String())
+		Printf("\t%sSealed = mustGetBundle(%s).Sealed\n", d.name, d.name+"CID")
+		Printf("\t%sBundle = mustGetBundle(%s)\n", d.name, d.name+"CID")
+		Printf("\t%s       = mustGetBundle(%s).Decoded\n", d.name, d.name+"CID")
+		Println(")")
+	}
+
+	Println()
+	Println("var AllTokens = []*delegation.Token{")
+	for _, d := range g.dlgs {
+		Printf("\t%s,\n", d.name)
+	}
+	Println("}")
+
+	Println()
+	Println("var AllBundles = []delegation.Bundle{")
+	for _, d := range g.dlgs {
+		Printf("\t%sBundle,\n", d.name)
+	}
+	Println("}")
+
+	Println()
+	Println("var cidToName = map[cid.Cid]string{")
+	for _, d := range g.dlgs {
+		Printf("\t%sCID: \"%s\",\n", d.name, d.name)
+	}
+	Println("}")
+
+	for _, c := range g.chains {
+		Println()
+		Printf("var %s = []cid.Cid{\n", c.name)
+
+		for _, d := range slices.Backward(c.prf) {
+			Printf("\t%s,\n", refs[d])
+		}
+
+		Println("}")
+	}
+
+	out, err := format.Source(buf.Bytes())
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile("../token_gen.go", out, 0666)
+}

token/delegation/delegationtest/generator/main.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"code.sonr.org/go/did-it/didtest"
+)
+
+func main() {
+	gen := &generator{}
+	err := gen.chainPersonas(didtest.Personas(), acc{}, noopVariant())
+	if err != nil {
+		panic(err)
+	}
+	err = gen.writeGoFile()
+	if err != nil {
+		panic(err)
+	}
+}

token/delegation/delegationtest/token.go

@@ -0,0 +1,116 @@
+package delegationtest
+
+import (
+	"embed"
+	"path/filepath"
+	"sync"
+
+	_ "code.sonr.org/go/did-it/verifiers/did-key"
+	"github.com/ipfs/go-cid"
+
+	"code.sonr.org/go/ucan/pkg/command"
+	"code.sonr.org/go/ucan/token/delegation"
+)
+
+var (
+	// ExpandedCommand is the parent of the NominalCommand and represents
+	// the cases where the delegation proof-chain or invocation token tries
+	// to increase the privileges granted by the root delegation token.
+	// Execution of this command is generally prohibited in tests.
+	ExpandedCommand = command.MustParse("/expanded")
+
+	// NominalCommand is the command used for most test tokens and proof-chains.
+	// Execution of this command is generally allowed in tests.
+	NominalCommand = ExpandedCommand.Join("nominal")
+
+	// AttenuatedCommand is a sub-command of the NominalCommand.
+	// Execution of this command is generally allowed in tests.
+	AttenuatedCommand = NominalCommand.Join("attenuated")
+)
+
+// ProofEmpty provides an empty proof chain for testing purposes.
+var ProofEmpty = []cid.Cid{}
+
+const TokenDir = "data"
+
+//go:embed data
+var fs embed.FS
+
+var _ delegation.Loader = (*DelegationLoader)(nil)
+
+type DelegationLoader struct {
+	bundles map[cid.Cid]delegation.Bundle
+}
+
+var (
+	once sync.Once
+	ldr  *DelegationLoader
+)
+
+// GetDelegationLoader returns a singleton instance of a test
+// DelegationLoader containing all the tokens present in the data/
+// directory.
+func GetDelegationLoader() *DelegationLoader {
+	once.Do(func() {
+		var err error
+		ldr, err = loadDelegations()
+		if err != nil {
+			panic(err)
+		}
+	})
+	return ldr
+}
+
+// GetDelegation implements invocation.DelegationLoader.
+func (l *DelegationLoader) GetDelegation(id cid.Cid) (*delegation.Token, error) {
+	bundle, ok := l.bundles[id]
+	if !ok {
+		return nil, delegation.ErrDelegationNotFound
+	}
+	return bundle.Decoded, nil
+}
+
+func loadDelegations() (*DelegationLoader, error) {
+	dirEntries, err := fs.ReadDir(TokenDir)
+	if err != nil {
+		return nil, err
+	}
+
+	bundles := make(map[cid.Cid]delegation.Bundle, len(dirEntries))
+
+	for _, dirEntry := range dirEntries {
+		data, err := fs.ReadFile(filepath.Join(TokenDir, dirEntry.Name()))
+		if err != nil {
+			return nil, err
+		}
+
+		tkn, id, err := delegation.FromSealed(data)
+		if err != nil {
+			return nil, err
+		}
+
+		bundles[id] = delegation.Bundle{Cid: id, Decoded: tkn, Sealed: data}
+	}
+
+	return &DelegationLoader{
+		bundles: bundles,
+	}, nil
+}
+
+// GetDelegation is a shortcut that gets (or creates) the DelegationLoader
+// and attempts to return the token referenced by the provided CID.
+func GetDelegation(id cid.Cid) (*delegation.Token, error) {
+	return GetDelegationLoader().GetDelegation(id)
+}
+
+func CidToName(id cid.Cid) string {
+	return cidToName[id]
+}
+
+func mustGetBundle(id cid.Cid) delegation.Bundle {
+	bundle, ok := GetDelegationLoader().bundles[id]
+	if !ok {
+		panic(delegation.ErrDelegationNotFound)
+	}
+	return bundle
+}

token/delegation/delegationtest/token_gen.go

@@ -0,0 +1,404 @@
+// Code generated by delegationtest - DO NOT EDIT.
+
+package delegationtest
+
+import (
+	"github.com/ipfs/go-cid"
+
+	"code.sonr.org/go/ucan/token/delegation"
+)
+
+var (
+	TokenAliceBobCID    = cid.MustParse("bafyreifa35rjstdm37cjudzs72ab22rnh5blny725khtapox63fnsj6pbe")
+	TokenAliceBobSealed = mustGetBundle(TokenAliceBobCID).Sealed
+	TokenAliceBobBundle = mustGetBundle(TokenAliceBobCID)
+	TokenAliceBob       = mustGetBundle(TokenAliceBobCID).Decoded
+)
+
+var (
+	TokenBobCarolCID    = cid.MustParse("bafyreiaysaafvfplhjsjywaqfletlr2sziui3sekkczwp2srszdoezwc7u")
+	TokenBobCarolSealed = mustGetBundle(TokenBobCarolCID).Sealed
+	TokenBobCarolBundle = mustGetBundle(TokenBobCarolCID)
+	TokenBobCarol       = mustGetBundle(TokenBobCarolCID).Decoded
+)
+
+var (
+	TokenCarolDanCID    = cid.MustParse("bafyreibwpzxcvrere7g5riv3dhza4xibrvulxcvj2nwxu6ozp572o2sbfa")
+	TokenCarolDanSealed = mustGetBundle(TokenCarolDanCID).Sealed
+	TokenCarolDanBundle = mustGetBundle(TokenCarolDanCID)
+	TokenCarolDan       = mustGetBundle(TokenCarolDanCID).Decoded
+)
+
+var (
+	TokenDanErinCID    = cid.MustParse("bafyreichxodkcokcbvomxhmlf3g3j3zokruxvca63itynf7ib3hsmi4hla")
+	TokenDanErinSealed = mustGetBundle(TokenDanErinCID).Sealed
+	TokenDanErinBundle = mustGetBundle(TokenDanErinCID)
+	TokenDanErin       = mustGetBundle(TokenDanErinCID).Decoded
+)
+
+var (
+	TokenErinFrankCID    = cid.MustParse("bafyreigg434khwxqyfasnk63pi542uwtbrlpfd5sgjfrddqqcba3tardlu")
+	TokenErinFrankSealed = mustGetBundle(TokenErinFrankCID).Sealed
+	TokenErinFrankBundle = mustGetBundle(TokenErinFrankCID)
+	TokenErinFrank       = mustGetBundle(TokenErinFrankCID).Decoded
+)
+
+var (
+	TokenCarolDan_InvalidExpandedCommandCID    = cid.MustParse("bafyreifxdve23izhlg7fhzqh32i6wxtw33rqidm3cb72pghxlovnensjwe")
+	TokenCarolDan_InvalidExpandedCommandSealed = mustGetBundle(TokenCarolDan_InvalidExpandedCommandCID).Sealed
+	TokenCarolDan_InvalidExpandedCommandBundle = mustGetBundle(TokenCarolDan_InvalidExpandedCommandCID)
+	TokenCarolDan_InvalidExpandedCommand       = mustGetBundle(TokenCarolDan_InvalidExpandedCommandCID).Decoded
+)
+
+var (
+	TokenDanErin_InvalidExpandedCommandCID    = cid.MustParse("bafyreieblevkqh2xnbr4x5mosvwv7rboat7ip6ucqvefb2pomrb4qjg4wu")
+	TokenDanErin_InvalidExpandedCommandSealed = mustGetBundle(TokenDanErin_InvalidExpandedCommandCID).Sealed
+	TokenDanErin_InvalidExpandedCommandBundle = mustGetBundle(TokenDanErin_InvalidExpandedCommandCID)
+	TokenDanErin_InvalidExpandedCommand       = mustGetBundle(TokenDanErin_InvalidExpandedCommandCID).Decoded
+)
+
+var (
+	TokenErinFrank_InvalidExpandedCommandCID    = cid.MustParse("bafyreia2ckukamhpeqpcdhevr75ym66vqem432dx4dwbdrdkh63pke3r3i")
+	TokenErinFrank_InvalidExpandedCommandSealed = mustGetBundle(TokenErinFrank_InvalidExpandedCommandCID).Sealed
+	TokenErinFrank_InvalidExpandedCommandBundle = mustGetBundle(TokenErinFrank_InvalidExpandedCommandCID)
+	TokenErinFrank_InvalidExpandedCommand       = mustGetBundle(TokenErinFrank_InvalidExpandedCommandCID).Decoded
+)
+
+var (
+	TokenCarolDan_ValidAttenuatedCommandCID    = cid.MustParse("bafyreibftsq3mhjd5itg6jbos4doccwspvmnilpuduniv2el7mnl45z33y")
+	TokenCarolDan_ValidAttenuatedCommandSealed = mustGetBundle(TokenCarolDan_ValidAttenuatedCommandCID).Sealed
+	TokenCarolDan_ValidAttenuatedCommandBundle = mustGetBundle(TokenCarolDan_ValidAttenuatedCommandCID)
+	TokenCarolDan_ValidAttenuatedCommand       = mustGetBundle(TokenCarolDan_ValidAttenuatedCommandCID).Decoded
+)
+
+var (
+	TokenDanErin_ValidAttenuatedCommandCID    = cid.MustParse("bafyreig5gsifqn3afnyaoqtjhnud2w7tnrda57eiel3d45vbp47hjyayey")
+	TokenDanErin_ValidAttenuatedCommandSealed = mustGetBundle(TokenDanErin_ValidAttenuatedCommandCID).Sealed
+	TokenDanErin_ValidAttenuatedCommandBundle = mustGetBundle(TokenDanErin_ValidAttenuatedCommandCID)
+	TokenDanErin_ValidAttenuatedCommand       = mustGetBundle(TokenDanErin_ValidAttenuatedCommandCID).Decoded
+)
+
+var (
+	TokenErinFrank_ValidAttenuatedCommandCID    = cid.MustParse("bafyreiex2qyrw3xmye4fk5wdf6ukea3ojbokq77k6y566hupj6cicszi3e")
+	TokenErinFrank_ValidAttenuatedCommandSealed = mustGetBundle(TokenErinFrank_ValidAttenuatedCommandCID).Sealed
+	TokenErinFrank_ValidAttenuatedCommandBundle = mustGetBundle(TokenErinFrank_ValidAttenuatedCommandCID)
+	TokenErinFrank_ValidAttenuatedCommand       = mustGetBundle(TokenErinFrank_ValidAttenuatedCommandCID).Decoded
+)
+
+var (
+	TokenCarolDan_InvalidSubjectCID    = cid.MustParse("bafyreie7snyknubaeh4ruig7wxvos54b7skmwsnegf6k23bsffs5btbiiq")
+	TokenCarolDan_InvalidSubjectSealed = mustGetBundle(TokenCarolDan_InvalidSubjectCID).Sealed
+	TokenCarolDan_InvalidSubjectBundle = mustGetBundle(TokenCarolDan_InvalidSubjectCID)
+	TokenCarolDan_InvalidSubject       = mustGetBundle(TokenCarolDan_InvalidSubjectCID).Decoded
+)
+
+var (
+	TokenDanErin_InvalidSubjectCID    = cid.MustParse("bafyreicrfmlw4nqqk5t7j6r7ct3c7jlxeasyetb6fq3556vmtihcnbi54i")
+	TokenDanErin_InvalidSubjectSealed = mustGetBundle(TokenDanErin_InvalidSubjectCID).Sealed
+	TokenDanErin_InvalidSubjectBundle = mustGetBundle(TokenDanErin_InvalidSubjectCID)
+	TokenDanErin_InvalidSubject       = mustGetBundle(TokenDanErin_InvalidSubjectCID).Decoded
+)
+
+var (
+	TokenErinFrank_InvalidSubjectCID    = cid.MustParse("bafyreietx2sjsm72sbgjnosdnejwlqc5dadlolh2bjl6ifxdllslup7ecm")
+	TokenErinFrank_InvalidSubjectSealed = mustGetBundle(TokenErinFrank_InvalidSubjectCID).Sealed
+	TokenErinFrank_InvalidSubjectBundle = mustGetBundle(TokenErinFrank_InvalidSubjectCID)
+	TokenErinFrank_InvalidSubject       = mustGetBundle(TokenErinFrank_InvalidSubjectCID).Decoded
+)
+
+var (
+	TokenCarolDan_InvalidExpiredCID    = cid.MustParse("bafyreifhdiem6r5fh3wwaa6uszqe5uashfwaastqjyvzssbiju4mravx3y")
+	TokenCarolDan_InvalidExpiredSealed = mustGetBundle(TokenCarolDan_InvalidExpiredCID).Sealed
+	TokenCarolDan_InvalidExpiredBundle = mustGetBundle(TokenCarolDan_InvalidExpiredCID)
+	TokenCarolDan_InvalidExpired       = mustGetBundle(TokenCarolDan_InvalidExpiredCID).Decoded
+)
+
+var (
+	TokenDanErin_InvalidExpiredCID    = cid.MustParse("bafyreiff7fqutstzz2ep5gzs2mqnt4rka7ezscrzpijyc4jjeopqm7oxxq")
+	TokenDanErin_InvalidExpiredSealed = mustGetBundle(TokenDanErin_InvalidExpiredCID).Sealed
+	TokenDanErin_InvalidExpiredBundle = mustGetBundle(TokenDanErin_InvalidExpiredCID)
+	TokenDanErin_InvalidExpired       = mustGetBundle(TokenDanErin_InvalidExpiredCID).Decoded
+)
+
+var (
+	TokenErinFrank_InvalidExpiredCID    = cid.MustParse("bafyreigxfwcynzsy4v4po36s3mz5nf6mg4kpptw6rpld3sc3c3mthq4noa")
+	TokenErinFrank_InvalidExpiredSealed = mustGetBundle(TokenErinFrank_InvalidExpiredCID).Sealed
+	TokenErinFrank_InvalidExpiredBundle = mustGetBundle(TokenErinFrank_InvalidExpiredCID)
+	TokenErinFrank_InvalidExpired       = mustGetBundle(TokenErinFrank_InvalidExpiredCID).Decoded
+)
+
+var (
+	TokenCarolDan_InvalidInactiveCID    = cid.MustParse("bafyreifw4j2mxg4bovuhihvnhqgln7m57lvajt6fza4x4jc7sncyh66wxm")
+	TokenCarolDan_InvalidInactiveSealed = mustGetBundle(TokenCarolDan_InvalidInactiveCID).Sealed
+	TokenCarolDan_InvalidInactiveBundle = mustGetBundle(TokenCarolDan_InvalidInactiveCID)
+	TokenCarolDan_InvalidInactive       = mustGetBundle(TokenCarolDan_InvalidInactiveCID).Decoded
+)
+
+var (
+	TokenDanErin_InvalidInactiveCID    = cid.MustParse("bafyreigrrfefw4wvjitiheonigeldnem2loo4yp5cghdskteunuxyozkiq")
+	TokenDanErin_InvalidInactiveSealed = mustGetBundle(TokenDanErin_InvalidInactiveCID).Sealed
+	TokenDanErin_InvalidInactiveBundle = mustGetBundle(TokenDanErin_InvalidInactiveCID)
+	TokenDanErin_InvalidInactive       = mustGetBundle(TokenDanErin_InvalidInactiveCID).Decoded
+)
+
+var (
+	TokenErinFrank_InvalidInactiveCID    = cid.MustParse("bafyreicdlvnc7iinl2eay3xc3yvtmwezifvfxywjud3defssstusngt6du")
+	TokenErinFrank_InvalidInactiveSealed = mustGetBundle(TokenErinFrank_InvalidInactiveCID).Sealed
+	TokenErinFrank_InvalidInactiveBundle = mustGetBundle(TokenErinFrank_InvalidInactiveCID)
+	TokenErinFrank_InvalidInactive       = mustGetBundle(TokenErinFrank_InvalidInactiveCID).Decoded
+)
+
+var (
+	TokenCarolDan_ValidExamplePolicyCID    = cid.MustParse("bafyreidvi5y42befcnb2qud23yt5memf4itn2v6xmw7gvdpihbnanvgqly")
+	TokenCarolDan_ValidExamplePolicySealed = mustGetBundle(TokenCarolDan_ValidExamplePolicyCID).Sealed
+	TokenCarolDan_ValidExamplePolicyBundle = mustGetBundle(TokenCarolDan_ValidExamplePolicyCID)
+	TokenCarolDan_ValidExamplePolicy       = mustGetBundle(TokenCarolDan_ValidExamplePolicyCID).Decoded
+)
+
+var (
+	TokenDanErin_ValidExamplePolicyCID    = cid.MustParse("bafyreid3mr53fjsntyyfbbzjx2n32d7atj3v4ztfufdkamrodm6kcjww64")
+	TokenDanErin_ValidExamplePolicySealed = mustGetBundle(TokenDanErin_ValidExamplePolicyCID).Sealed
+	TokenDanErin_ValidExamplePolicyBundle = mustGetBundle(TokenDanErin_ValidExamplePolicyCID)
+	TokenDanErin_ValidExamplePolicy       = mustGetBundle(TokenDanErin_ValidExamplePolicyCID).Decoded
+)
+
+var (
+	TokenErinFrank_ValidExamplePolicyCID    = cid.MustParse("bafyreiegytubdwqnl3gd7dddfmqhr4kyo4sb5446kjyqvvolk2wmwum6ae")
+	TokenErinFrank_ValidExamplePolicySealed = mustGetBundle(TokenErinFrank_ValidExamplePolicyCID).Sealed
+	TokenErinFrank_ValidExamplePolicyBundle = mustGetBundle(TokenErinFrank_ValidExamplePolicyCID)
+	TokenErinFrank_ValidExamplePolicy       = mustGetBundle(TokenErinFrank_ValidExamplePolicyCID).Decoded
+)
+
+var AllTokens = []*delegation.Token{
+	TokenAliceBob,
+	TokenBobCarol,
+	TokenCarolDan,
+	TokenDanErin,
+	TokenErinFrank,
+	TokenCarolDan_InvalidExpandedCommand,
+	TokenDanErin_InvalidExpandedCommand,
+	TokenErinFrank_InvalidExpandedCommand,
+	TokenCarolDan_ValidAttenuatedCommand,
+	TokenDanErin_ValidAttenuatedCommand,
+	TokenErinFrank_ValidAttenuatedCommand,
+	TokenCarolDan_InvalidSubject,
+	TokenDanErin_InvalidSubject,
+	TokenErinFrank_InvalidSubject,
+	TokenCarolDan_InvalidExpired,
+	TokenDanErin_InvalidExpired,
+	TokenErinFrank_InvalidExpired,
+	TokenCarolDan_InvalidInactive,
+	TokenDanErin_InvalidInactive,
+	TokenErinFrank_InvalidInactive,
+	TokenCarolDan_ValidExamplePolicy,
+	TokenDanErin_ValidExamplePolicy,
+	TokenErinFrank_ValidExamplePolicy,
+}
+
+var AllBundles = []delegation.Bundle{
+	TokenAliceBobBundle,
+	TokenBobCarolBundle,
+	TokenCarolDanBundle,
+	TokenDanErinBundle,
+	TokenErinFrankBundle,
+	TokenCarolDan_InvalidExpandedCommandBundle,
+	TokenDanErin_InvalidExpandedCommandBundle,
+	TokenErinFrank_InvalidExpandedCommandBundle,
+	TokenCarolDan_ValidAttenuatedCommandBundle,
+	TokenDanErin_ValidAttenuatedCommandBundle,
+	TokenErinFrank_ValidAttenuatedCommandBundle,
+	TokenCarolDan_InvalidSubjectBundle,
+	TokenDanErin_InvalidSubjectBundle,
+	TokenErinFrank_InvalidSubjectBundle,
+	TokenCarolDan_InvalidExpiredBundle,
+	TokenDanErin_InvalidExpiredBundle,
+	TokenErinFrank_InvalidExpiredBundle,
+	TokenCarolDan_InvalidInactiveBundle,
+	TokenDanErin_InvalidInactiveBundle,
+	TokenErinFrank_InvalidInactiveBundle,
+	TokenCarolDan_ValidExamplePolicyBundle,
+	TokenDanErin_ValidExamplePolicyBundle,
+	TokenErinFrank_ValidExamplePolicyBundle,
+}
+
+var cidToName = map[cid.Cid]string{
+	TokenAliceBobCID:                         "TokenAliceBob",
+	TokenBobCarolCID:                         "TokenBobCarol",
+	TokenCarolDanCID:                         "TokenCarolDan",
+	TokenDanErinCID:                          "TokenDanErin",
+	TokenErinFrankCID:                        "TokenErinFrank",
+	TokenCarolDan_InvalidExpandedCommandCID:  "TokenCarolDan_InvalidExpandedCommand",
+	TokenDanErin_InvalidExpandedCommandCID:   "TokenDanErin_InvalidExpandedCommand",
+	TokenErinFrank_InvalidExpandedCommandCID: "TokenErinFrank_InvalidExpandedCommand",
+	TokenCarolDan_ValidAttenuatedCommandCID:  "TokenCarolDan_ValidAttenuatedCommand",
+	TokenDanErin_ValidAttenuatedCommandCID:   "TokenDanErin_ValidAttenuatedCommand",
+	TokenErinFrank_ValidAttenuatedCommandCID: "TokenErinFrank_ValidAttenuatedCommand",
+	TokenCarolDan_InvalidSubjectCID:          "TokenCarolDan_InvalidSubject",
+	TokenDanErin_InvalidSubjectCID:           "TokenDanErin_InvalidSubject",
+	TokenErinFrank_InvalidSubjectCID:         "TokenErinFrank_InvalidSubject",
+	TokenCarolDan_InvalidExpiredCID:          "TokenCarolDan_InvalidExpired",
+	TokenDanErin_InvalidExpiredCID:           "TokenDanErin_InvalidExpired",
+	TokenErinFrank_InvalidExpiredCID:         "TokenErinFrank_InvalidExpired",
+	TokenCarolDan_InvalidInactiveCID:         "TokenCarolDan_InvalidInactive",
+	TokenDanErin_InvalidInactiveCID:          "TokenDanErin_InvalidInactive",
+	TokenErinFrank_InvalidInactiveCID:        "TokenErinFrank_InvalidInactive",
+	TokenCarolDan_ValidExamplePolicyCID:      "TokenCarolDan_ValidExamplePolicy",
+	TokenDanErin_ValidExamplePolicyCID:       "TokenDanErin_ValidExamplePolicy",
+	TokenErinFrank_ValidExamplePolicyCID:     "TokenErinFrank_ValidExamplePolicy",
+}
+
+var ProofAliceBob = []cid.Cid{
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarol = []cid.Cid{
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan = []cid.Cid{
+	TokenCarolDanCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin = []cid.Cid{
+	TokenDanErinCID,
+	TokenCarolDanCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank = []cid.Cid{
+	TokenErinFrankCID,
+	TokenDanErinCID,
+	TokenCarolDanCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_InvalidExpandedCommand = []cid.Cid{
+	TokenCarolDan_InvalidExpandedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_InvalidExpandedCommand = []cid.Cid{
+	TokenDanErin_InvalidExpandedCommandCID,
+	TokenCarolDan_InvalidExpandedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_InvalidExpandedCommand = []cid.Cid{
+	TokenErinFrank_InvalidExpandedCommandCID,
+	TokenDanErin_InvalidExpandedCommandCID,
+	TokenCarolDan_InvalidExpandedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_ValidAttenuatedCommand = []cid.Cid{
+	TokenCarolDan_ValidAttenuatedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_ValidAttenuatedCommand = []cid.Cid{
+	TokenDanErin_ValidAttenuatedCommandCID,
+	TokenCarolDan_ValidAttenuatedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_ValidAttenuatedCommand = []cid.Cid{
+	TokenErinFrank_ValidAttenuatedCommandCID,
+	TokenDanErin_ValidAttenuatedCommandCID,
+	TokenCarolDan_ValidAttenuatedCommandCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_InvalidSubject = []cid.Cid{
+	TokenCarolDan_InvalidSubjectCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_InvalidSubject = []cid.Cid{
+	TokenDanErin_InvalidSubjectCID,
+	TokenCarolDan_InvalidSubjectCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_InvalidSubject = []cid.Cid{
+	TokenErinFrank_InvalidSubjectCID,
+	TokenDanErin_InvalidSubjectCID,
+	TokenCarolDan_InvalidSubjectCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_InvalidExpired = []cid.Cid{
+	TokenCarolDan_InvalidExpiredCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_InvalidExpired = []cid.Cid{
+	TokenDanErin_InvalidExpiredCID,
+	TokenCarolDan_InvalidExpiredCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_InvalidExpired = []cid.Cid{
+	TokenErinFrank_InvalidExpiredCID,
+	TokenDanErin_InvalidExpiredCID,
+	TokenCarolDan_InvalidExpiredCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_InvalidInactive = []cid.Cid{
+	TokenCarolDan_InvalidInactiveCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_InvalidInactive = []cid.Cid{
+	TokenDanErin_InvalidInactiveCID,
+	TokenCarolDan_InvalidInactiveCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_InvalidInactive = []cid.Cid{
+	TokenErinFrank_InvalidInactiveCID,
+	TokenDanErin_InvalidInactiveCID,
+	TokenCarolDan_InvalidInactiveCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDan_ValidExamplePolicy = []cid.Cid{
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErin_ValidExamplePolicy = []cid.Cid{
+	TokenDanErin_ValidExamplePolicyCID,
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}
+
+var ProofAliceBobCarolDanErinFrank_ValidExamplePolicy = []cid.Cid{
+	TokenErinFrank_ValidExamplePolicyCID,
+	TokenDanErin_ValidExamplePolicyCID,
+	TokenCarolDan_ValidExamplePolicyCID,
+	TokenBobCarolCID,
+	TokenAliceBobCID,
+}

token/delegation/delegationtest/token_test.go

@@ -0,0 +1,30 @@
+package delegationtest_test
+
+import (
+	"testing"
+
+	"github.com/ipfs/go-cid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"code.sonr.org/go/ucan/token/delegation"
+	"code.sonr.org/go/ucan/token/delegation/delegationtest"
+)
+
+func TestGetDelegation(t *testing.T) {
+	t.Run("passes with valid CID", func(t *testing.T) {
+		t.Parallel()
+
+		tkn, err := delegationtest.GetDelegation(delegationtest.TokenAliceBobCID)
+		require.NoError(t, err)
+		assert.NotZero(t, tkn)
+	})
+
+	t.Run("fails with unknown CID", func(t *testing.T) {
+		t.Parallel()
+
+		tkn, err := delegationtest.GetDelegation(cid.Undef)
+		require.ErrorIs(t, err, delegation.ErrDelegationNotFound)
+		assert.Nil(t, tkn)
+	})
+}

token/delegation/examples_test.go

@@ -2,39 +2,29 @@ package delegation_test
 
 import (
 	"bytes"
-	"crypto/rand"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"time"
 
+	"code.sonr.org/go/did-it/didtest"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
-	"github.com/libp2p/go-libp2p/core/crypto"
 
-	"github.com/ucan-wg/go-ucan/did"
+	"code.sonr.org/go/ucan/pkg/command"
-	"github.com/ucan-wg/go-ucan/pkg/command"
+	"code.sonr.org/go/ucan/pkg/policy"
-	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"code.sonr.org/go/ucan/pkg/policy/literal"
-	"github.com/ucan-wg/go-ucan/pkg/policy/literal"
+	"code.sonr.org/go/ucan/token/delegation"
-	"github.com/ucan-wg/go-ucan/token/delegation"
+	"code.sonr.org/go/ucan/token/internal/envelope"
-	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // The following example shows how to create a delegation.Token with
 // distinct DIDs for issuer (iss), audience (aud) and subject (sub).
 func ExampleNew() {
-	issPriv, issPub, err := crypto.GenerateEd25519Key(rand.Reader)
+	fmt.Println("issDid:", didtest.PersonaBob.DID().String())
-	printThenPanicOnErr(err)
-
-	issDid, err := did.FromPubKey(issPub)
-	printThenPanicOnErr(err)
-	fmt.Println("issDid:", issDid)
-
-	audDid := did.MustParse(AudienceDID)
-	subDid := did.MustParse(subjectDID)
 
 	// The command defines the shape of the arguments that will be evaluated against the policy
 	cmd := command.MustParse("/foo/bar")
@@ -51,8 +41,7 @@ func ExampleNew() {
 		)),
 	)
 
-	tkn, err := delegation.New(issPriv, audDid, cmd, pol,
+	tkn, err := delegation.New(didtest.PersonaBob.DID(), didtest.PersonaCarol.DID(), cmd, pol, didtest.PersonaAlice.DID(),
-		delegation.WithSubject(subDid),
 		delegation.WithExpirationIn(time.Hour),
 		delegation.WithNotBeforeIn(time.Minute),
 		delegation.WithMeta("foo", "bar"),
@@ -61,101 +50,91 @@ func ExampleNew() {
 	printThenPanicOnErr(err)
 
 	// "Seal", meaning encode and wrap into a signed envelope.
-	data, id, err := tkn.ToSealed(issPriv)
+	data, id, err := tkn.ToSealed(didtest.PersonaBob.PrivKey())
 	printThenPanicOnErr(err)
 
 	printCIDAndSealed(id, data)
 
 	// Example output:
 	//
-	// issDid: did:key:z6MkhVFznPeR572rTK51UjoTNpnF8cxuWfPm9oBMPr7y8ABe
+	// issDid: did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1
 	//
-	// CID (base58BTC): zdpuAv6g2eJSc4RJwEpmooGLVK4wJ4CZpnM92tPVYt5jtMoLW
+	// CID (base58BTC): zdpuB1bzMdGAtzBej9ZBJbW3ppsjP2Cf9KZ8xMjdhUjaf3vz1
-	//
-	// DAG-CBOR (base64) out: glhA5rvl8uKmDVGvAVSt4m/0MGiXl9dZwljJJ9m2qHCoIB617l26UvMxyH5uvN9hM7ozfVATiq4mLhoGgm9IGnEEAqJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGpY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cBpnDWzqY2lzc3g4ZGlkOmtleTp6Nk1raFZGem5QZVI1NzJyVEs1MVVqb1ROcG5GOGN4dVdmUG05b0JNUHI3eThBQmVjbmJmGmcNXxZjcG9sg4NiPT1nLnN0YXR1c2VkcmFmdINjYWxsaS5yZXZpZXdlcoNkbGlrZWYuZW1haWxtKkBleGFtcGxlLmNvbYNjYW55ZS50YWdzgmJvcoKDYj09YS5kbmV3c4NiPT1hLmVwcmVzc2NzdWJ4OGRpZDprZXk6ejZNa3RBMXVCZENwcTR1SkJxRTlqak1pTHl4WkJnOWE2eGdQUEtKak1xc3M2WmMyZG1ldGGiY2Jhehh7Y2Zvb2NiYXJlbm9uY2VMu0HMgJ5Y+M84I/66
 	//
+	// DAG-CBOR (base64) out: glhAQhZTTb4U1rin/oLFre618Ol5/leaP758T6EkHYfQaNmFYad7yVTer8bbM1Zp2LxrV3eEYeWkHeL3F0V3zWC/CaJhaEg0Ae0B7QETcXN1Y2FuL2RsZ0AxLjAuMC1yYy4xqWNhdWR4OGRpZDprZXk6ejZNa2pXRlU4SHRmTXF1V241TUVROXIyMnpXcXlDTjF2YXpHdzZnNnB6Y2l6aU5WY2NtZGgvZm9vL2JhcmNleHAaaItoW2Npc3N4OGRpZDprZXk6ejZNa2Y0V3RDd1BEdGFtc1p2QkpBNGVTVmNFN3ZadVJQeTVTa200SGFvUXY4MWkxY25iZhpoi1qHY3BvbIODYj09Zy5zdGF0dXNlZHJhZnSDY2FsbGkucmV2aWV3ZXKDZGxpa2VmLmVtYWlsbSpAZXhhbXBsZS5jb22DY2FueWUudGFnc4Jib3KCg2I9PWEuZG5ld3ODYj09YS5lcHJlc3Njc3VieDhkaWQ6a2V5Ono2TWtuVXoxbVNqNHB2UzZhVVVIZWtDSGRVUHY3SEJoRHlEQlpRMlczVnVqYzVxQ2RtZXRhomNiYXoYe2Nmb29jYmFyZW5vbmNlTHa1D4DJ78LvscA/hg==
 	// Converted to DAG-JSON out:
-	// [
+	//	[
-	//	{
+	//		{
-	//		"/": {
-	//			"bytes": "5rvl8uKmDVGvAVSt4m/0MGiXl9dZwljJJ9m2qHCoIB617l26UvMxyH5uvN9hM7ozfVATiq4mLhoGgm9IGnEEAg"
-	//		}
-	//	},
-	//	{
-	//		"h": {
 	//			"/": {
-	//				"bytes": "NO0BcQ"
+	//				"bytes": "QhZTTb4U1rin/oLFre618Ol5/leaP758T6EkHYfQaNmFYad7yVTer8bbM1Zp2LxrV3eEYeWkHeL3F0V3zWC/CQ"
 	//			}
 	//		},
-	//		"ucan/dlg@1.0.0-rc.1": {
+	//		{
-	//			"aud": "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv",
+	//			"h": {
-	//			"cmd": "/foo/bar",
-	//			"exp": 1728933098,
-	//			"iss": "did:key:z6MkhVFznPeR572rTK51UjoTNpnF8cxuWfPm9oBMPr7y8ABe",
-	//			"meta": {
-	//				"baz": 123,
-	//				"foo": "bar"
-	//			},
-	//			"nbf": 1728929558,
-	//			"nonce": {
 	//				"/": {
-	//					"bytes": "u0HMgJ5Y+M84I/66"
+	//					"bytes": "NAHtAe0BE3E"
 	//				}
 	//			},
-	//			"pol": [
+	//			"ucan/dlg@1.0.0-rc.1": {
-	//				[
+	//				"aud": "did:key:z6MkjWFU8HtfMquWn5MEQ9r22zWqyCN1vazGw6g6pzciziNV",
-	//					"==",
+	//				"cmd": "/foo/bar",
-	//					".status",
+	//				"exp": 1753966683,
-	//					"draft"
+	//				"iss": "did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1",
-	//				],
+	//				"meta": {
-	//				[
+	//					"baz": 123,
-	//					"all",
+	//					"foo": "bar"
-	//					".reviewer",
+	//				},
+	//				"nbf": 1753963143,
+	//				"nonce": {
+	//					"/": {
+	//						"bytes": "drUPgMnvwu+xwD+G"
+	//					}
+	//				},
+	//				"pol": [
 	//					[
-	//						"like",
+	//						"==",
-	//						".email",
+	//						".status",
-	//						"*@example.com"
+	//						"draft"
-	//					]
+	//					],
-	//				],
-	//				[
-	//					"any",
-	//					".tags",
 	//					[
-	//						"or",
+	//						"all",
+	//						".reviewer",
 	//						[
+	//							"like",
+	//							".email",
+	//							"*@example.com"
+	//						]
+	//					],
+	//					[
+	//						"any",
+	//						".tags",
+	//						[
+	//							"or",
 	//							[
-	//								"==",
+	//								[
-	//								".",
+	//									"==",
-	//								"news"
+	//									".",
-	//							],
+	//									"news"
-	//							[
+	//								],
-	//								"==",
+	//								[
-	//								".",
+	//									"==",
-	//								"press"
+	//									".",
+	//									"press"
+	//								]
 	//							]
 	//						]
 	//					]
-	//				]
+	//				],
-	//			],
+	//				"sub": "did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC"
-	//			"sub": "did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"
+	//			}
 	//		}
-	//	}
+	//	]
-	// ]
 }
 
 // The following example shows how to create a UCAN root delegation.Token
 // - a delegation.Token with the subject (sub) set to the value of issuer
 // (iss).
 func ExampleRoot() {
-	issPriv, issPub, err := crypto.GenerateEd25519Key(rand.Reader)
-	printThenPanicOnErr(err)
-
-	issDid, err := did.FromPubKey(issPub)
-	printThenPanicOnErr(err)
-	fmt.Println("issDid:", issDid)
-
-	audDid := did.MustParse(AudienceDID)
-
 	// The command defines the shape of the arguments that will be evaluated against the policy
 	cmd := command.MustParse("/foo/bar")
 
@@ -171,7 +150,7 @@ func ExampleRoot() {
 		)),
 	)
 
-	tkn, err := delegation.Root(issPriv, audDid, cmd, pol,
+	tkn, err := delegation.Root(didtest.PersonaAlice.DID(), didtest.PersonaBob.DID(), cmd, pol,
 		delegation.WithExpirationIn(time.Hour),
 		delegation.WithNotBeforeIn(time.Minute),
 		delegation.WithMeta("foo", "bar"),
@@ -180,92 +159,90 @@ func ExampleRoot() {
 	printThenPanicOnErr(err)
 
 	// "Seal", meaning encode and wrap into a signed envelope.
-	data, id, err := tkn.ToSealed(issPriv)
+	data, id, err := tkn.ToSealed(didtest.PersonaAlice.PrivKey())
 	printThenPanicOnErr(err)
 
 	printCIDAndSealed(id, data)
 
 	// Example output:
 	//
-	// issDid: did:key:z6MknWJqz17Y4AfsXSJUFKomuBR4GTkViM7kJYutzTMkCyFF
+	// CID (base58BTC): zdpuAkwYz8nY7uU8j3F6wVTfFY1VEoExwvUAYBEwRWfTozddE
 	//
-	// CID (base58BTC): zdpuAwLojgfvFCbjz2FsKrvN1khDQ9mFGT6b6pxjMfz73Roed
+	// DAG-CBOR (base64) out: glhATIXb2wnBByq/llaQ4RLoWTxheAwamCNo2sKL8SQJbq0EVRvdfUQDKNpuMVkvtyUR6tUdZlKv1BcXjfGEaF2XAKJhaEg0Ae0B7QETcXN1Y2FuL2RsZ0AxLjAuMC1yYy4xqWNhdWR4OGRpZDprZXk6ejZNa2Y0V3RDd1BEdGFtc1p2QkpBNGVTVmNFN3ZadVJQeTVTa200SGFvUXY4MWkxY2NtZGgvZm9vL2JhcmNleHAaaItnfWNpc3N4OGRpZDprZXk6ejZNa25VejFtU2o0cHZTNmFVVUhla0NIZFVQdjdIQmhEeURCWlEyVzNWdWpjNXFDY25iZhpoi1mpY3BvbIODYj09Zy5zdGF0dXNlZHJhZnSDY2FsbGkucmV2aWV3ZXKDZGxpa2VmLmVtYWlsbSpAZXhhbXBsZS5jb22DY2FueWUudGFnc4Jib3KCg2I9PWEuZG5ld3ODYj09YS5lcHJlc3Njc3VieDhkaWQ6a2V5Ono2TWtuVXoxbVNqNHB2UzZhVVVIZWtDSGRVUHY3SEJoRHlEQlpRMlczVnVqYzVxQ2RtZXRhomNiYXoYe2Nmb29jYmFyZW5vbmNlTGxwbjHKcevt5dZ0Xg==
-	//
-	// DAG-CBOR (base64) out: glhA6dBhbhhGE36CW22OxjOEIAqdDmBqCNsAhCRljnBdXd7YrVOUG+bnXGCIwd4dTGgpEdmY06PFIl7IXKXCh/ESBqJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGpY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cBpnDW0wY2lzc3g4ZGlkOmtleTp6Nk1rbldKcXoxN1k0QWZzWFNKVUZLb211QlI0R1RrVmlNN2tKWXV0elRNa0N5RkZjbmJmGmcNX1xjcG9sg4NiPT1nLnN0YXR1c2VkcmFmdINjYWxsaS5yZXZpZXdlcoNkbGlrZWYuZW1haWxtKkBleGFtcGxlLmNvbYNjYW55ZS50YWdzgmJvcoKDYj09YS5kbmV3c4NiPT1hLmVwcmVzc2NzdWJ4OGRpZDprZXk6ejZNa25XSnF6MTdZNEFmc1hTSlVGS29tdUJSNEdUa1ZpTTdrSll1dHpUTWtDeUZGZG1ldGGiY2Jhehh7Y2Zvb2NiYXJlbm9uY2VMJOsjYi1Pq3OIB0La
 	//
 	// Converted to DAG-JSON out:
-	// [
+	//	[
-	//	{
+	//		{
-	//		"/": {
-	//			"bytes": "6dBhbhhGE36CW22OxjOEIAqdDmBqCNsAhCRljnBdXd7YrVOUG+bnXGCIwd4dTGgpEdmY06PFIl7IXKXCh/ESBg"
-	//		}
-	//	},
-	//	{
-	//		"h": {
 	//			"/": {
-	//				"bytes": "NO0BcQ"
+	//				"bytes": "TIXb2wnBByq/llaQ4RLoWTxheAwamCNo2sKL8SQJbq0EVRvdfUQDKNpuMVkvtyUR6tUdZlKv1BcXjfGEaF2XAA"
 	//			}
 	//		},
-	//		"ucan/dlg@1.0.0-rc.1": {
+	//		{
-	//			"aud": "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv",
+	//			"h": {
-	//			"cmd": "/foo/bar",
-	//			"exp": 1728933168,
-	//			"iss": "did:key:z6MknWJqz17Y4AfsXSJUFKomuBR4GTkViM7kJYutzTMkCyFF",
-	//			"meta": {
-	//				"baz": 123,
-	//				"foo": "bar"
-	//			},
-	//			"nbf": 1728929628,
-	//			"nonce": {
 	//				"/": {
-	//					"bytes": "JOsjYi1Pq3OIB0La"
+	//					"bytes": "NAHtAe0BE3E"
 	//				}
 	//			},
-	//			"pol": [
+	//			"ucan/dlg@1.0.0-rc.1": {
-	//				[
+	//				"aud": "did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1",
-	//					"==",
+	//				"cmd": "/foo/bar",
-	//					".status",
+	//				"exp": 1753966461,
-	//					"draft"
+	//				"iss": "did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC",
-	//				],
+	//				"meta": {
-	//				[
+	//					"baz": 123,
-	//					"all",
+	//					"foo": "bar"
-	//					".reviewer",
+	//				},
+	//				"nbf": 1753962921,
+	//				"nonce": {
+	//					"/": {
+	//						"bytes": "bHBuMcpx6+3l1nRe"
+	//					}
+	//				},
+	//				"pol": [
 	//					[
-	//						"like",
+	//						"==",
-	//						".email",
+	//						".status",
-	//						"*@example.com"
+	//						"draft"
-	//					]
+	//					],
-	//				],
-	//				[
-	//					"any",
-	//					".tags",
 	//					[
-	//						"or",
+	//						"all",
+	//						".reviewer",
 	//						[
+	//							"like",
+	//							".email",
+	//							"*@example.com"
+	//						]
+	//					],
+	//					[
+	//						"any",
+	//						".tags",
+	//						[
+	//							"or",
 	//							[
-	//								"==",
+	//								[
-	//								".",
+	//									"==",
-	//								"news"
+	//									".",
-	//							],
+	//									"news"
-	//							[
+	//								],
-	//								"==",
+	//								[
-	//								".",
+	//									"==",
-	//								"press"
+	//									".",
+	//									"press"
+	//								]
 	//							]
 	//						]
 	//					]
-	//				]
+	//				],
-	//			],
+	//				"sub": "did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC"
-	//			"sub": "did:key:z6MknWJqz17Y4AfsXSJUFKomuBR4GTkViM7kJYutzTMkCyFF"
+	//			}
 	//		}
-	//	}
+	//	]
-	// ]
 }
 
 // The following example demonstrates how to get a delegation.Token from
 // a DAG-CBOR []byte.
-func ExampleToken_FromSealed() {
+func ExampleFromSealed() {
-	const cborBase64 = "glhAmnAkgfjAx4SA5pzJmtaHRJtTGNpF1y6oqb4yhGoM2H2EUGbBYT4rVDjMKBgCjhdGHjipm00L8iR5SsQh3sIEBaJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGoY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cPZjaXNzeDhkaWQ6a2V5Ono2TWtwem4ybjNaR1QyVmFxTUdTUUMzdHptelY0VFM5UzcxaUZzRFhFMVdub05IMmNwb2yDg2I9PWcuc3RhdHVzZWRyYWZ0g2NhbGxpLnJldmlld2Vyg2RsaWtlZi5lbWFpbG0qQGV4YW1wbGUuY29tg2NhbnllLnRhZ3OCYm9ygoNiPT1hLmRuZXdzg2I9PWEuZXByZXNzY3N1Yng4ZGlkOmtleTp6Nk1rdEExdUJkQ3BxNHVKQnFFOWpqTWlMeXhaQmc5YTZ4Z1BQS0pqTXFzczZaYzJkbWV0YaBlbm9uY2VMAAECAwQFBgcICQoL"
+	const cborBase64 = "glhACBuW/rjVKyBPUVPxexsafwBe7y84k0yzywq3hQW2rs2TNmWA5wexAQ+jTkSQ07zhmQRA/wytBfqWkx24+sjlD6JhaEg0Ae0B7QETcXN1Y2FuL2RsZ0AxLjAuMC1yYy4xp2NhdWR4OGRpZDprZXk6ejZNa2pXRlU4SHRmTXF1V241TUVROXIyMnpXcXlDTjF2YXpHdzZnNnB6Y2l6aU5WY2NtZGgvZm9vL2JhcmNleHD2Y2lzc3g4ZGlkOmtleTp6Nk1rZjRXdEN3UER0YW1zWnZCSkE0ZVNWY0U3dlp1UlB5NVNrbTRIYW9RdjgxaTFjcG9sg4NiPT1nLnN0YXR1c2VkcmFmdINjYWxsaS5yZXZpZXdlcoNkbGlrZWYuZW1haWxtKkBleGFtcGxlLmNvbYNjYW55ZS50YWdzgmJvcoKDYj09YS5kbmV3c4NiPT1hLmVwcmVzc2NzdWJ4OGRpZDprZXk6ejZNa25VejFtU2o0cHZTNmFVVUhla0NIZFVQdjdIQmhEeURCWlEyVzNWdWpjNXFDZW5vbmNlTDVJDkO3LVTKnhxKKw=="
 
 	cborBytes, err := base64.StdEncoding.DecodeString(cborBase64)
 	printThenPanicOnErr(err)
@@ -285,22 +262,24 @@ func ExampleToken_FromSealed() {
 	fmt.Println("Expiration (exp):", tkn.Expiration())
 
 	// Output:
-	// CID (base58BTC): zdpuAw26pFuvZa2Z9YAtpZZnWN6VmnRFr7Z8LVY5c7RVWoxGY
+	// CID (base58BTC): zdpuAsgmtmC849BEApGCJm2fTSzwtHiAqQnuJCMBBBCbFiadd
-	// Issuer (iss): did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2
+	// Issuer (iss): did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1
-	// Audience (aud): did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv
+	// Audience (aud): did:key:z6MkjWFU8HtfMquWn5MEQ9r22zWqyCN1vazGw6g6pzciziNV
-	// Subject (sub): did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2
+	// Subject (sub): did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC
 	// Command (cmd): /foo/bar
 	// Policy (pol): [
 	//   ["==", ".status", "draft"],
 	//   ["all", ".reviewer",
-	//     ["like", ".email", "*@example.com"]],
+	//     ["like", ".email", "*@example.com"]
+	//   ],
 	//   ["any", ".tags",
 	//     ["or", [
 	//       ["==", ".", "news"],
-	//       ["==", ".", "press"]]]
+	//       ["==", ".", "press"]
-	//     ]
+	//     ]]
+	//   ]
 	// ]
-	// Nonce (nonce): 000102030405060708090a0b
+	// Nonce (nonce): 35490e43b72d54ca9e1c4a2b
 	// Meta (meta): {}
 	// NotBefore (nbf): <nil>
 	// Expiration (exp): <nil>

token/delegation/interop_test.go

@@ -0,0 +1,108 @@
+package delegation
+
+import (
+	_ "embed"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"code.sonr.org/go/did-it/crypto"
+	"code.sonr.org/go/did-it/crypto/ed25519"
+	"github.com/multiformats/go-varint"
+	"github.com/stretchr/testify/require"
+)
+
+// This comes from https://github.com/ucan-wg/spec/blob/main/fixtures/1.0.0/delegation.json
+//
+//go:embed testdata/interop_delegation.json
+var interopDelegation []byte
+
+type interop struct {
+	Version    string            `json:"version"`
+	Comments   string            `json:"comments"`
+	Principals map[string]string `json:"principals"`
+	Valid      []validTestCase   `json:"valid"`
+}
+
+type validTestCase struct {
+	Name     string       `json:"name"`
+	Token    string       `json:"token"`
+	CID      string       `json:"cid"`
+	Envelope envelopeData `json:"envelope"`
+}
+
+type envelopeData struct {
+	Payload   payloadData `json:"payload"`
+	Signature string      `json:"signature"`
+	Algorithm string      `json:"alg"`
+	Encoding  string      `json:"enc"`
+	Spec      string      `json:"spec"`
+	Version   string      `json:"version"`
+}
+
+type payloadData struct {
+	Issuer    string          `json:"iss"`
+	Audience  string          `json:"aud"`
+	Subject   string          `json:"sub"`
+	Command   string          `json:"cmd"`
+	Policies  json.RawMessage `json:"pol"`
+	ExpiresAt int64           `json:"exp"`
+	Nonce     string          `json:"nonce"`
+}
+
+func TestInterop(t *testing.T) {
+	var testData interop
+	err := json.Unmarshal(interopDelegation, &testData)
+	require.NoError(t, err)
+
+	require.Equal(t, "1.0.0-rc.1", testData.Version)
+
+	// alice, err := decodeKey(testData.Principals["alice"])
+	// require.NoError(t, err)
+	// bob, err := decodeKey(testData.Principals["bob"])
+	// require.NoError(t, err)
+	// carol, err := decodeKey(testData.Principals["carol"])
+	// require.NoError(t, err)
+
+	t.Run("valid", func(t *testing.T) {
+		for _, tc := range testData.Valid {
+			t.Run(tc.Name, func(t *testing.T) {
+				dlgBytes, err := base64.StdEncoding.DecodeString(tc.Token)
+				require.NoError(t, err)
+
+				dlg, c, err := FromSealed(dlgBytes)
+				require.NoError(t, err)
+				require.Equal(t, tc.CID, c.String())
+
+				require.Equal(t, tc.Envelope.Payload.Issuer, dlg.Issuer().String())
+				require.Equal(t, tc.Envelope.Payload.Audience, dlg.Audience().String())
+				require.Equal(t, tc.Envelope.Payload.Subject, dlg.Subject().String())
+				require.Equal(t, tc.Envelope.Payload.Command, dlg.Command().String())
+				require.Equal(t, tc.Envelope.Payload.Command, dlg.Command().String())
+				require.JSONEq(t, string(tc.Envelope.Payload.Policies), dlg.Policy().String())
+				require.Equal(t, tc.Envelope.Payload.ExpiresAt, dlg.expiration.Unix())
+				nonceBytes, err := base64.StdEncoding.DecodeString(tc.Envelope.Payload.Nonce)
+				require.NoError(t, err)
+				require.Equal(t, nonceBytes, dlg.Nonce())
+			})
+		}
+	})
+}
+
+func decodeKey(key string) (crypto.PrivateKeySigningBytes, error) {
+	bytes, err := base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		return nil, err
+	}
+
+	code, read, err := varint.FromUvarint(bytes)
+	if err != nil {
+		return nil, err
+	}
+	if code != 0x1300 {
+		return nil, fmt.Errorf("invalid varint code: %d", code)
+	}
+
+	return ed25519.PrivateKeyFromSeed(bytes[read:])
+}

token/delegation/ipld.go

@@ -3,22 +3,22 @@ package delegation
 import (
 	"io"
 
+	"code.sonr.org/go/did-it"
+	"code.sonr.org/go/did-it/crypto"
 	"github.com/ipfs/go-cid"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/ipld/go-ipld-prime/codec"
 	"github.com/ipld/go-ipld-prime/codec/dagcbor"
 	"github.com/ipld/go-ipld-prime/codec/dagjson"
 	"github.com/ipld/go-ipld-prime/datamodel"
-	"github.com/libp2p/go-libp2p/core/crypto"
 
-	"github.com/ucan-wg/go-ucan/did"
+	"code.sonr.org/go/ucan/token/internal/envelope"
-	"github.com/ucan-wg/go-ucan/token/internal/envelope"
 )
 
 // ToSealed wraps the delegation token in an envelope, generates the
 // signature, encodes the result to DAG-CBOR and calculates the CID of
 // the resulting binary data.
-func (t *Token) ToSealed(privKey crypto.PrivKey) ([]byte, cid.Cid, error) {
+func (t *Token) ToSealed(privKey crypto.PrivateKeySigningBytes) ([]byte, cid.Cid, error) {
 	data, err := t.ToDagCbor(privKey)
 	if err != nil {
 		return nil, cid.Undef, err
@@ -33,7 +33,7 @@ func (t *Token) ToSealed(privKey crypto.PrivKey) ([]byte, cid.Cid, error) {
 }
 
 // ToSealedWriter is the same as ToSealed but accepts an io.Writer.
-func (t *Token) ToSealedWriter(w io.Writer, privKey crypto.PrivKey) (cid.Cid, error) {
+func (t *Token) ToSealedWriter(w io.Writer, privKey crypto.PrivateKeySigningBytes) (cid.Cid, error) {
 	cidWriter := envelope.NewCIDWriter(w)
 
 	if err := t.ToDagCborWriter(cidWriter, privKey); err != nil {
@@ -47,8 +47,8 @@ func (t *Token) ToSealedWriter(w io.Writer, privKey crypto.PrivKey) (cid.Cid, er
 // verifies that the envelope's signature is correct based on the public
 // key taken from the issuer (iss) field and calculates the CID of the
 // incoming data.
-func FromSealed(data []byte) (*Token, cid.Cid, error) {
+func FromSealed(data []byte, resolvOpts ...did.ResolutionOption) (*Token, cid.Cid, error) {
-	tkn, err := FromDagCbor(data)
+	tkn, err := FromDagCbor(data, resolvOpts...)
 	if err != nil {
 		return nil, cid.Undef, err
 	}
@@ -62,10 +62,10 @@ func FromSealed(data []byte) (*Token, cid.Cid, error) {
 }
 
 // FromSealedReader is the same as Unseal but accepts an io.Reader.
-func FromSealedReader(r io.Reader) (*Token, cid.Cid, error) {
+func FromSealedReader(r io.Reader, resolvOpts ...did.ResolutionOption) (*Token, cid.Cid, error) {
 	cidReader := envelope.NewCIDReader(r)
 
-	tkn, err := FromDagCborReader(cidReader)
+	tkn, err := FromDagCborReader(cidReader, resolvOpts...)
 	if err != nil {
 		return nil, cid.Undef, err
 	}
@@ -80,7 +80,7 @@ func FromSealedReader(r io.Reader) (*Token, cid.Cid, error) {
 
 // Encode marshals a Token to the format specified by the provided
 // codec.Encoder.
-func (t *Token) Encode(privKey crypto.PrivKey, encFn codec.Encoder) ([]byte, error) {
+func (t *Token) Encode(privKey crypto.PrivateKeySigningBytes, encFn codec.Encoder) ([]byte, error) {
 	node, err := t.toIPLD(privKey)
 	if err != nil {
 		return nil, err
@@ -90,7 +90,7 @@ func (t *Token) Encode(privKey crypto.PrivKey, encFn codec.Encoder) ([]byte, err
 }
 
 // EncodeWriter is the same as Encode, but accepts an io.Writer.
-func (t *Token) EncodeWriter(w io.Writer, privKey crypto.PrivKey, encFn codec.Encoder) error {
+func (t *Token) EncodeWriter(w io.Writer, privKey crypto.PrivateKeySigningBytes, encFn codec.Encoder) error {
 	node, err := t.toIPLD(privKey)
 	if err != nil {
 		return err
@@ -100,22 +100,22 @@ func (t *Token) EncodeWriter(w io.Writer, privKey crypto.PrivKey, encFn codec.En
 }
 
 // ToDagCbor marshals the Token to the DAG-CBOR format.
-func (t *Token) ToDagCbor(privKey crypto.PrivKey) ([]byte, error) {
+func (t *Token) ToDagCbor(privKey crypto.PrivateKeySigningBytes) ([]byte, error) {
 	return t.Encode(privKey, dagcbor.Encode)
 }
 
 // ToDagCborWriter is the same as ToDagCbor, but it accepts an io.Writer.
-func (t *Token) ToDagCborWriter(w io.Writer, privKey crypto.PrivKey) error {
+func (t *Token) ToDagCborWriter(w io.Writer, privKey crypto.PrivateKeySigningBytes) error {
 	return t.EncodeWriter(w, privKey, dagcbor.Encode)
 }
 
 // ToDagJson marshals the Token to the DAG-JSON format.
-func (t *Token) ToDagJson(privKey crypto.PrivKey) ([]byte, error) {
+func (t *Token) ToDagJson(privKey crypto.PrivateKeySigningBytes) ([]byte, error) {
 	return t.Encode(privKey, dagjson.Encode)
 }
 
 // ToDagJsonWriter is the same as ToDagJson, but it accepts an io.Writer.
-func (t *Token) ToDagJsonWriter(w io.Writer, privKey crypto.PrivKey) error {
+func (t *Token) ToDagJsonWriter(w io.Writer, privKey crypto.PrivateKeySigningBytes) error {
 	return t.EncodeWriter(w, privKey, dagjson.Encode)
 }
 
@@ -124,29 +124,29 @@ func (t *Token) ToDagJsonWriter(w io.Writer, privKey crypto.PrivKey) error {
 //
 // An error is returned if the conversion fails, or if the resulting
 // Token is invalid.
-func Decode(b []byte, decFn codec.Decoder) (*Token, error) {
+func Decode(b []byte, decFn codec.Decoder, resolvOpts ...did.ResolutionOption) (*Token, error) {
 	node, err := ipld.Decode(b, decFn)
 	if err != nil {
 		return nil, err
 	}
-	return FromIPLD(node)
+	return FromIPLD(node, resolvOpts...)
 }
 
 // DecodeReader is the same as Decode, but accept an io.Reader.
-func DecodeReader(r io.Reader, decFn codec.Decoder) (*Token, error) {
+func DecodeReader(r io.Reader, decFn codec.Decoder, resolvOpts ...did.ResolutionOption) (*Token, error) {
 	node, err := ipld.DecodeStreaming(r, decFn)
 	if err != nil {
 		return nil, err
 	}
-	return FromIPLD(node)
+	return FromIPLD(node, resolvOpts...)
 }
 
 // FromDagCbor unmarshals the input data into a Token.
 //
 // An error is returned if the conversion fails, or if the resulting
 // Token is invalid.
-func FromDagCbor(data []byte) (*Token, error) {
+func FromDagCbor(data []byte, resolvOpts ...did.ResolutionOption) (*Token, error) {
-	pay, err := envelope.FromDagCbor[*tokenPayloadModel](data)
+	pay, err := envelope.FromDagCbor[*tokenPayloadModel](data, resolvOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -160,26 +160,26 @@ func FromDagCbor(data []byte) (*Token, error) {
 }
 
 // FromDagCborReader is the same as FromDagCbor, but accept an io.Reader.
-func FromDagCborReader(r io.Reader) (*Token, error) {
+func FromDagCborReader(r io.Reader, resolvOpts ...did.ResolutionOption) (*Token, error) {
-	return DecodeReader(r, dagcbor.Decode)
+	return DecodeReader(r, dagcbor.Decode, resolvOpts...)
 }
 
 // FromDagJson unmarshals the input data into a Token.
 //
 // An error is returned if the conversion fails, or if the resulting
 // Token is invalid.
-func FromDagJson(data []byte) (*Token, error) {
+func FromDagJson(data []byte, resolvOpts ...did.ResolutionOption) (*Token, error) {
-	return Decode(data, dagjson.Decode)
+	return Decode(data, dagjson.Decode, resolvOpts...)
 }
 
 // FromDagJsonReader is the same as FromDagJson, but accept an io.Reader.
-func FromDagJsonReader(r io.Reader) (*Token, error) {
+func FromDagJsonReader(r io.Reader, resolvOpts ...did.ResolutionOption) (*Token, error) {
-	return DecodeReader(r, dagjson.Decode)
+	return DecodeReader(r, dagjson.Decode, resolvOpts...)
 }
 
 // FromIPLD decode the given IPLD representation into a Token.
-func FromIPLD(node datamodel.Node) (*Token, error) {
+func FromIPLD(node datamodel.Node, resolvOpts ...did.ResolutionOption) (*Token, error) {
-	pay, err := envelope.FromIPLD[*tokenPayloadModel](node)
+	pay, err := envelope.FromIPLD[*tokenPayloadModel](node, resolvOpts...)
 	if err != nil {
 		return nil, err
 	}
@@ -192,10 +192,9 @@ func FromIPLD(node datamodel.Node) (*Token, error) {
 	return tkn, err
 }
 
-func (t *Token) toIPLD(privKey crypto.PrivKey) (datamodel.Node, error) {
+func (t *Token) toIPLD(privKey crypto.PrivateKeySigningBytes) (datamodel.Node, error) {
 	var sub *string
-
+	if t.subject != nil {
-	if t.subject != did.Undef {
 		s := t.subject.String()
 		sub = &s
 	}
@@ -224,10 +223,15 @@ func (t *Token) toIPLD(privKey crypto.PrivKey) (datamodel.Node, error) {
 		Cmd:   t.command.String(),
 		Pol:   pol,
 		Nonce: t.nonce,
-		Meta:  *t.meta,
+		Meta:  t.meta,
 		Nbf:   nbf,
 		Exp:   exp,
 	}
 
+	// seems like it's a requirement to have a null meta if there are no values?
+	if len(model.Meta.Keys) == 0 {
+		model.Meta = nil
+	}
+
 	return envelope.ToIPLD(privKey, model)
 }

token/delegation/options.go

@@ -3,8 +3,6 @@ package delegation
 import (
 	"fmt"
 	"time"
-
-	"github.com/ucan-wg/go-ucan/did"
 )
 
 // Option is a type that allows optional fields to be set during the
@@ -44,6 +42,24 @@ func WithMeta(key string, val any) Option {
 	}
 }
 
+// WithEncryptedMetaString adds a key/value pair in the "meta" field.
+// The string value is encrypted with the given key.
+// The ciphertext will be 40 bytes larger than the plaintext due to encryption overhead.
+func WithEncryptedMetaString(key, val string, encryptionKey []byte) Option {
+	return func(t *Token) error {
+		return t.meta.AddEncrypted(key, val, encryptionKey)
+	}
+}
+
+// WithEncryptedMetaBytes adds a key/value pair in the "meta" field.
+// The []byte value is encrypted with the given key.
+// The ciphertext will be 40 bytes larger than the plaintext due to encryption overhead.
+func WithEncryptedMetaBytes(key string, val, encryptionKey []byte) Option {
+	return func(t *Token) error {
+		return t.meta.AddEncrypted(key, val, encryptionKey)
+	}
+}
+
 // WithNotBefore set's the Token's optional "notBefore" field to the value
 // of the provided time.Time.
 func WithNotBefore(nbf time.Time) Option {
@@ -67,20 +83,6 @@ func WithNotBeforeIn(nbf time.Duration) Option {
 	}
 }
 
-// WithSubject sets the Tokens's optional "subject" field to the value of
-// provided did.DID.
-//
-// This Option should only be used with the New constructor - since
-// Subject is a required parameter when creating a Token via the Root
-// constructor, any value provided via this Option will be silently
-// overwritten.
-func WithSubject(sub did.DID) Option {
-	return func(t *Token) error {
-		t.subject = sub
-		return nil
-	}
-}
-
 // WithNonce sets the Token's nonce with the given value.
 // If this option is not used, a random 12-byte nonce is generated for this required field.
 func WithNonce(nonce []byte) Option {

token/delegation/schema.go

@@ -10,14 +10,14 @@ import (
 	"github.com/ipld/go-ipld-prime/node/bindnode"
 	"github.com/ipld/go-ipld-prime/schema"
 
-	"github.com/ucan-wg/go-ucan/pkg/meta"
+	"code.sonr.org/go/ucan/pkg/meta"
-	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+	"code.sonr.org/go/ucan/token/internal/envelope"
 )
 
-// [Tag] is the string used as a key within the SigPayload that identifies
+// Tag is the string used as a key within the SigPayload that identifies
 // that the TokenPayload is a delegation.
 //
-// [Tag]: https://github.com/ucan-wg/delegation/tree/v1_ipld#type-tag
+// See: https://github.com/ucan-wg/delegation/tree/v1_ipld#type-tag
 const Tag = "ucan/dlg@1.0.0-rc.1"
 
 // TODO: update the above Tag URL once the delegation specification is merged.
@@ -26,17 +26,17 @@ const Tag = "ucan/dlg@1.0.0-rc.1"
 var schemaBytes []byte
 
 var (
-	once sync.Once
+	once      sync.Once
-	ts   *schema.TypeSystem
+	ts        *schema.TypeSystem
-	err  error
+	errSchema error
 )
 
 func mustLoadSchema() *schema.TypeSystem {
 	once.Do(func() {
-		ts, err = ipld.LoadSchemaBytes(schemaBytes)
+		ts, errSchema = ipld.LoadSchemaBytes(schemaBytes)
 	})
-	if err != nil {
+	if errSchema != nil {
-		panic(fmt.Errorf("failed to load IPLD schema: %s", err))
+		panic(fmt.Errorf("failed to load IPLD schema: %s", errSchema))
 	}
 	return ts
 }
@@ -66,7 +66,7 @@ type tokenPayloadModel struct {
 	Nonce []byte
 
 	// Arbitrary Metadata
-	Meta meta.Meta
+	Meta *meta.Meta
 
 	// "Not before" UTC Unix Timestamp in seconds (valid from), 53-bits integer
 	// optional: can be nil

token/delegation/schema_test.go

@@ -3,16 +3,15 @@ package delegation_test
 import (
 	"bytes"
 	_ "embed"
-	"fmt"
 	"testing"
 
+	"code.sonr.org/go/did-it/didtest"
 	"github.com/ipld/go-ipld-prime"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gotest.tools/v3/golden"
 
-	"github.com/ucan-wg/go-ucan/token/delegation"
+	"code.sonr.org/go/ucan/token/delegation"
-	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+	"code.sonr.org/go/ucan/token/internal/envelope"
 )
 
 //go:embed delegation.ipldsch
@@ -21,8 +20,7 @@ var schemaBytes []byte
 func TestSchemaRoundTrip(t *testing.T) {
 	t.Parallel()
 
-	delegationJson := golden.Get(t, "new.dagjson")
+	privKey := didtest.PersonaAlice.PrivKey()
-	privKey := privKey(t, issuerPrivKeyCfg)
 
 	t.Run("via buffers", func(t *testing.T) {
 		t.Parallel()
@@ -30,32 +28,30 @@ func TestSchemaRoundTrip(t *testing.T) {
 		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
 		// function:      DecodeDagJson()           Seal()        Unseal()          EncodeDagJson()
 
-		p1, err := delegation.FromDagJson(delegationJson)
+		p1, err := delegation.FromDagJson(newDagJson)
+		require.NoError(t, err)
+
+		_, newCID, err := p1.ToSealed(privKey)
 		require.NoError(t, err)
 
 		cborBytes, id, err := p1.ToSealed(privKey)
 		require.NoError(t, err)
-		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+		assert.Equal(t, envelope.CIDToBase58BTC(newCID), envelope.CIDToBase58BTC(id))
-		fmt.Println("cborBytes length", len(cborBytes))
-		fmt.Println("cbor", string(cborBytes))
 
 		p2, c2, err := delegation.FromSealed(cborBytes)
 		require.NoError(t, err)
 		assert.Equal(t, id, c2)
-		fmt.Println("read Cbor", p2)
 
 		readJson, err := p2.ToDagJson(privKey)
 		require.NoError(t, err)
-		fmt.Println("readJson length", len(readJson))
-		fmt.Println("json: ", string(readJson))
 
-		assert.JSONEq(t, string(delegationJson), string(readJson))
+		assert.JSONEq(t, string(newDagJson), string(readJson))
 	})
 
 	t.Run("via streaming", func(t *testing.T) {
 		t.Parallel()
 
-		buf := bytes.NewBuffer(delegationJson)
+		buf := bytes.NewBuffer(newDagJson)
 
 		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
 		// function:      DecodeDagJson()           Seal()         Unseal()         EncodeDagJson()
@@ -63,11 +59,13 @@ func TestSchemaRoundTrip(t *testing.T) {
 		p1, err := delegation.FromDagJsonReader(buf)
 		require.NoError(t, err)
 
+		_, newCID, err := p1.ToSealed(privKey)
+		require.NoError(t, err)
+
 		cborBytes := &bytes.Buffer{}
 		id, err := p1.ToSealedWriter(cborBytes, privKey)
-		t.Log(len(id.Bytes()), id.Bytes())
 		require.NoError(t, err)
-		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+		assert.Equal(t, envelope.CIDToBase58BTC(newCID), envelope.CIDToBase58BTC(id))
 
 		// buf = bytes.NewBuffer(cborBytes.Bytes())
 		p2, c2, err := delegation.FromSealedReader(cborBytes)
@@ -77,7 +75,7 @@ func TestSchemaRoundTrip(t *testing.T) {
 		readJson := &bytes.Buffer{}
 		require.NoError(t, p2.ToDagJsonWriter(readJson, privKey))
 
-		assert.JSONEq(t, string(delegationJson), readJson.String())
+		assert.JSONEq(t, string(newDagJson), readJson.String())
 	})
 }
 
@@ -89,11 +87,10 @@ func BenchmarkSchemaLoad(b *testing.B) {
 }
 
 func BenchmarkRoundTrip(b *testing.B) {
-	delegationJson := golden.Get(b, "new.dagjson")
+	privKey := didtest.PersonaAlice.PrivKey()
-	privKey := privKey(b, issuerPrivKeyCfg)
 
 	b.Run("via buffers", func(b *testing.B) {
-		p1, _ := delegation.FromDagJson(delegationJson)
+		p1, _ := delegation.FromDagJson(newDagJson)
 		cborBytes, _, _ := p1.ToSealed(privKey)
 		p2, _, _ := delegation.FromSealed(cborBytes)
 
@@ -102,7 +99,7 @@ func BenchmarkRoundTrip(b *testing.B) {
 		b.Run("FromDagJson", func(b *testing.B) {
 			b.ReportAllocs()
 			for i := 0; i < b.N; i++ {
-				_, _ = delegation.FromDagJson(delegationJson)
+				_, _ = delegation.FromDagJson(newDagJson)
 			}
 		})
 
@@ -129,7 +126,7 @@ func BenchmarkRoundTrip(b *testing.B) {
 	})
 
 	b.Run("via streaming", func(b *testing.B) {
-		p1, _ := delegation.FromDagJsonReader(bytes.NewReader(delegationJson))
+		p1, _ := delegation.FromDagJsonReader(bytes.NewReader(newDagJson))
 		cborBuf := &bytes.Buffer{}
 		_, _ = p1.ToSealedWriter(cborBuf, privKey)
 		cborBytes := cborBuf.Bytes()
@@ -139,7 +136,7 @@ func BenchmarkRoundTrip(b *testing.B) {
 
 		b.Run("FromDagJsonReader", func(b *testing.B) {
 			b.ReportAllocs()
-			reader := bytes.NewReader(delegationJson)
+			reader := bytes.NewReader(newDagJson)
 			for i := 0; i < b.N; i++ {
 				_, _ = reader.Seek(0, 0)
 				_, _ = delegation.FromDagJsonReader(reader)

token/delegation/testdata/interop_delegation.json

@@ -0,0 +1,32 @@
+{
+	"version": "1.0.0-rc.1",
+	"comments": "Principals private keys encoded as base64pad(varint(0x1300) + privateKey) and all other binary fields are encoded as base64pad.",
+	"principals": {
+		"carol": "gCZC43QGw7ZvYQuKTtBwBy+tdjYrKf0hXU3dd+J0HON5dw==",
+		"bob": "gCZfj9+RzU2U518TMBNK/fjdGQz34sB4iKE6z+9lQDpCIQ==",
+		"alice": "gCa9UfZv+yI5/rvUIt21DaGI7EZJlzFO1uDc5AyJ30c6/w=="
+	},
+	"valid": [
+		{
+			"name": "basic delegation bob > carol",
+			"token": "glhAd7jvZs44lTWmjSG/PWBRXvAdJA6Pq0fj86WQOVBYSw3fLrpjF7OMvjUlTynZZblPHzFsiBeBlUqtbCAHvhppCaJhaEg0Ae0B7QETcXN1Y2FuL2RsZ0AxLjAuMC1yYy4xp2NhdWR4OGRpZDprZXk6ejZNa21KY2VWb1FTSHM0NWNSZUVYb0x0V20xd29zQ0c4Ukx4Zkt3aHhvcXpvVGtDY2NtZGgvYWNjb3VudGNleHAaaIIMsWNpc3N4OGRpZDprZXk6ejZNa21UOWo2ZlZacXpYVjh1MndWVlN1NDlnWVNSWUdTUW5kdVdYRjZmb0FKcnF6Y3BvbIBjc3VieDhkaWQ6a2V5Ono2TWttVDlqNmZWWnF6WFY4dTJ3VlZTdTQ5Z1lTUllHU1FuZHVXWEY2Zm9BSnJxemVub25jZUwnbSv2keQn/Kg2KsM=",
+			"cid": "bafyreifqsojs54lpxxyx5xfqxiwkc4paglcyqd7vjzrcyapxi557extz6m",
+			"envelope": {
+				"payload": {
+					"iss": "did:key:z6MkmT9j6fVZqzXV8u2wVVSu49gYSRYGSQnduWXF6foAJrqz",
+					"aud": "did:key:z6MkmJceVoQSHs45cReEXoLtWm1wosCG8RLxfKwhxoqzoTkC",
+					"sub": "did:key:z6MkmT9j6fVZqzXV8u2wVVSu49gYSRYGSQnduWXF6foAJrqz",
+					"cmd": "/account",
+					"pol": [],
+					"exp": 1753353393,
+					"nonce": "J20r9pHkJ/yoNirD"
+				},
+				"signature": "d7jvZs44lTWmjSG/PWBRXvAdJA6Pq0fj86WQOVBYSw3fLrpjF7OMvjUlTynZZblPHzFsiBeBlUqtbCAHvhppCQ==",
+				"alg": "Ed25519",
+				"enc": "DAG-CBOR",
+				"spec": "dlg",
+				"version": "1.0.0-rc.1"
+			}
+		}
+	]
+}

token/delegation/testdata/new.dagjson

@@ -1 +1 @@
-[{"/":{"bytes":"FM6otj0r/noJWiGAC5WV86xAazxrF173IihuHJgEt35CtSzjeaelrR3UwaSr8xbE9sLpo5xJhUbo0QLI273hDA"}},{"h":{"/":{"bytes":"NO0BcQ"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"}}]
+[{"/":{"bytes":"7Df/QlkgvQ/j1sr2NUFryQbTxo16rsOPfDPX8evBmA0hV6Omv+sScM8HC30KHr/kXCl+DzxDg+/EOwiZ9ApNBQ"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6MkjWFU8HtfMquWn5MEQ9r22zWqyCN1vazGw6g6pzciziNV"}}]

token/delegation/testdata/powerline.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"pcdEo4gSPlBWE1kQUUjFOQNRLvXDw6BTLmgoIrU/o1JCAeSYiiIQFrHB1KIm0phZfMHqp5O6k6QxHuldxUARBQ"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]]}}]

token/delegation/testdata/root.dagjson

@@ -1 +1 @@
-[{"/":{"bytes":"aYBq08tfm0zQZnPg/5tB9kM5mklRU9PPIkV7CK68jEgbd76JbCGuu75vfLyBu3WTqKzLSJ583pbwu668m/7MBQ"}},{"h":{"/":{"bytes":"NO0BcQ"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2"}}]
+[{"/":{"bytes":"jS5WzBU0JybWoQAJjJTgxke5U7vbwOJTYbe3bipYbmhz3Lcrl1B/68dK4xhWSv6wc3zZqXFJ7/Kw2jDLCOZWDA"}},{"h":{"/":{"bytes":"NAHtAe0BE3E"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkf4WtCwPDtamsZvBJA4eSVcE7vZuRPy5Skm4HaoQv81i1","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6MknUz1mSj4pvS6aUUHekCHdUPv7HBhDyDBZQ2W3Vujc5qC"}}]

token/delegation/utilities.go

@@ -0,0 +1,24 @@
+package delegation
+
+import (
+	"fmt"
+
+	"github.com/ipfs/go-cid"
+)
+
+// ErrDelegationNotFound is returned if a delegation token is not found
+var ErrDelegationNotFound = fmt.Errorf("delegation not found")
+
+// Loader is a delegation token loader.
+type Loader interface {
+	// GetDelegation returns the delegation.Token matching the given CID.
+	// If not found, ErrDelegationNotFound is returned.
+	GetDelegation(cid cid.Cid) (*Token, error)
+}
+
+// Bundle carries together a decoded token with its Cid and raw signed data.
+type Bundle struct {
+	Cid     cid.Cid
+	Decoded *Token
+	Sealed  []byte
+}

token/inspect.go

@@ -3,7 +3,7 @@ package token
 import (
 	"github.com/ipld/go-ipld-prime/datamodel"
 
-	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+	"code.sonr.org/go/ucan/token/internal/envelope"
 )
 
 type Info = envelope.Info