motr-enclave/TODO.md

# Implementation TODO
Remaining tasks for the Nebula Key Enclave. See [AGENTS.md](./AGENTS.md) for architecture overview and [CHANGELOG.md](./CHANGELOG.md) for completed work.
---
## 1. UCAN v1.0.0-rc.1 Remaining Work
### 1.1 SQLite Functions for Policy & Validation
- [ ] `ucan_policy_match(policy_json, args_json)` - Evaluate policy against args
- [ ] `ucan_cmd_subsumes(parent_cmd, child_cmd)` - Check command hierarchy
- [ ] `ucan_chain_valid(invocation_cid)` - Recursive CTE proof chain validation
- [ ] `ucan_parse_envelope(envelope_blob)` - Extract fields from DAG-CBOR as JSON
### 1.2 SQLite Functions for UCAN Signing
- [ ] `ucan_sign(enclave_id, payload)` - Sign delegation/invocation payloads
- [ ] `ucan_seal(enclave_id, delegation_json)` - Build complete sealed envelope
- [ ] Integrate with go-ucan's `crypto.Signer` interface via SQLite bridge
### 1.3 Revocation Checker
- [ ] Implement revocation checking interface for go-ucan
- [ ] Integration with chain validation via `ExecutionAllowed()`
### 1.4 Testing
- [ ] Unit tests for builders (DelegationBuilder, InvocationBuilder)
- [ ] Interoperability tests against TypeScript implementation
- [ ] Test vectors from UCAN spec
---
## 2. Remaining Actions
### 2.1 Sync Checkpoint Actions
- [ ] `GetSyncCheckpoint(ctx, resourceType)`
- [ ] `UpsertSyncCheckpoint(ctx, params)`
- [ ] `ListSyncCheckpoints(ctx)`
### 2.2 Invocation Validation
- [ ] `ValidateInvocation(ctx, invocation)` - Requires delegation.Loader
---
## 3. Plugin Extensions
### 3.1 Exec Handlers
- [ ] Add `invocations` resource handler
- [ ] Add `sync_checkpoints` resource handler
### 3.2 Generate Function
- [ ] Parse WebAuthn credential properly (CBOR/COSE format)
- [ ] Extract public key from credential
- [ ] Create initial verification method
- [ ] Create initial credential record
### 3.3 SQLite Functions
- [ ] `enclave_sign(enclave_id, data)` - Sign in queries
- [ ] Dedicated `sign` wasmexport function
---
## 4. Capability Delegation (v1.0.0-rc.1)
SQLite triggers and views for real-time delegation validation.
### 4.1 Schema Enhancements
- [ ] `delegation_depth` stored column, written on insert (or by an `AFTER INSERT` trigger) from a recursive CTE over the proof chain; it cannot be a generated column, because SQLite generated-column expressions may not contain subqueries
- [ ] CHECK constraint for max depth (e.g., 10 levels)
- [ ] `valid_delegations` view joining chain validation
- [ ] `is_active` generated column derived from revocation state; `is_expired` computed in the view against the caller's current time, since generated columns and partial indexes only admit deterministic expressions (no `strftime('%s', 'now')`)
- [ ] Partial index on `is_active = 1`
### 4.2 Policy Functions
- [ ] `ucan_policy_subsumes(parent_pol, child_pol)` - Check attenuation
- [ ] `ucan_cmd_covers(parent_cmd, child_cmd)` - Command hierarchy
- [ ] Trigger `BEFORE INSERT ON ucan_delegations` to validate attenuation
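The attenuation rule the `BEFORE INSERT` trigger has to enforce, the segment-wise command check behind `ucan_cmd_covers()` / `ucan_cmd_subsumes()`, and the chain walk that `ucan_chain_valid()` in section 1.1 performs, together as one added Go example. This is illustration code, not motr-enclave or go-ucan code: the `Delegation` struct, the placeholder CIDs and DIDs, treating `exp == 0` as "never expires", treating `now >= exp` as expired and passing revoked CIDs as a set are all assumptions made here. Policy evaluation is left to `ucan_policy_match`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Delegation holds the fields of a UCAN delegation that chain validation needs.
// Exp == 0 means the delegation never expires (assumption for this example).
type Delegation struct {
	CID, Iss, Aud, Sub, Cmd string
	Exp                     int64
}

// MaxDepth mirrors the CHECK constraint planned for delegation_depth.
const MaxDepth = 10

// CmdCovers reports whether parent covers child. Commands are slash-separated
// paths compared segment-wise: "/" covers everything, "/crud" covers
// "/crud/read", and "/crud" does not cover "/crudx" (a naive prefix test would).
func CmdCovers(parent, child string) bool {
	parent = strings.TrimSuffix(parent, "/")
	child = strings.TrimSuffix(child, "/")
	return parent == "" || child == parent || strings.HasPrefix(child, parent+"/")
}

// Attenuates reports whether child validly narrows parent: it is issued by the
// party parent was delegated to, keeps the subject, stays within the command and
// does not outlive parent. This is the check a BEFORE INSERT trigger on
// ucan_delegations would run before accepting a new row.
func Attenuates(parent, child Delegation) error {
	switch {
	case child.Iss != parent.Aud:
		return fmt.Errorf("%s: issuer %s is not the audience of %s", child.CID, child.Iss, parent.CID)
	case child.Sub != parent.Sub:
		return fmt.Errorf("%s: subject changed along the chain", child.CID)
	case !CmdCovers(parent.Cmd, child.Cmd):
		return fmt.Errorf("%s: command %q escalates beyond %q", child.CID, child.Cmd, parent.Cmd)
	case parent.Exp != 0 && (child.Exp == 0 || child.Exp > parent.Exp):
		return fmt.Errorf("%s: expiry extends beyond %s", child.CID, parent.CID)
	}
	return nil
}

// ValidateChain checks an ordered proof chain (root delegation first, the one
// held by the invoker last) for invoker running cmd on sub at unix time now.
// revoked holds CIDs the revocation checker has flagged. On success it returns
// the chain depth, the value delegation_depth would store for the last link.
func ValidateChain(chain []Delegation, invoker, sub, cmd string, now int64, revoked map[string]bool) (int, error) {
	if len(chain) == 0 {
		return 0, errors.New("empty proof chain")
	}
	if len(chain) > MaxDepth {
		return 0, fmt.Errorf("chain depth %d exceeds %d", len(chain), MaxDepth)
	}
	if root := chain[0]; root.Iss != root.Sub || root.Sub != sub {
		return 0, fmt.Errorf("%s: root must be issued by the subject %s", root.CID, sub)
	}
	for i, d := range chain {
		switch {
		case !strings.HasPrefix(d.Cmd, "/"):
			return 0, fmt.Errorf("%s: malformed command %q", d.CID, d.Cmd)
		case revoked[d.CID]:
			return 0, fmt.Errorf("%s: revoked", d.CID)
		case d.Exp != 0 && now >= d.Exp:
			return 0, fmt.Errorf("%s: expired", d.CID)
		}
		if i > 0 {
			if err := Attenuates(chain[i-1], d); err != nil {
				return 0, err
			}
		}
	}
	// Attenuation is transitive, so the last link alone bounds the invocation.
	last := chain[len(chain)-1]
	if last.Aud != invoker {
		return 0, fmt.Errorf("invoker %s does not hold %s", invoker, last.CID)
	}
	if !CmdCovers(last.Cmd, cmd) {
		return 0, fmt.Errorf("command %q is not covered by %q", cmd, last.Cmd)
	}
	return len(chain), nil
}

func main() {
	// Constructed chain: alice (the subject) delegates /crud to bob, who narrows
	// it to /crud/read for carol. CIDs and DIDs are placeholders, not real values.
	chain := []Delegation{
		{CID: "cid-root", Iss: "did:example:alice", Aud: "did:example:bob", Sub: "did:example:alice", Cmd: "/crud", Exp: 2000},
		{CID: "cid-leaf", Iss: "did:example:bob", Aud: "did:example:carol", Sub: "did:example:alice", Cmd: "/crud/read", Exp: 1500},
	}
	fmt.Println(ValidateChain(chain, "did:example:carol", "did:example:alice", "/crud/read", 1000, nil))
}
```

Inside SQLite the same walk is the recursive CTE; the depth limit is cheap to check before the walk starts, which keeps a hostile chain of thousands of links from turning validation into a denial of service.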
---
## 5. DID State Sync
- [ ] Create `internal/enclave/sync.go` - DID state sync logic
- [ ] Checkpoint tracking (block height, tx hash)
- [ ] Fetch DID document updates from chain
- [ ] Handle reorgs and rollbacks
---
## 6. TypeScript SDK
### 6.1 Core SDK (Partial - Basic wrappers exist)
- [ ] Full type definitions for all responses
- [ ] Error handling improvements
- [ ] Documentation and examples
### 6.2 UCAN SDK
- [ ] Delegation/Invocation builders
- [ ] Policy builder helpers
- [ ] DAG-CBOR encoding/decoding
- [ ] CID computation
### 6.3 WebAuthn Integration
- [ ] Helper for credential creation
- [ ] PRF extension output helper
---
## 7. Testing
- [ ] Unit tests for ActionManager methods
- [ ] Serialization roundtrip tests
- [ ] UCAN policy evaluation tests
- [ ] Integration tests (generate -> load -> exec)
- [ ] Go <-> TypeScript interoperability
---
## 8. Security Hardening
- [ ] JSON schema validation
- [ ] DID format validation
- [ ] Constant-time comparison for sensitive data
- [ ] Session validation before sensitive ops
- [ ] Grant scope checking
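Two of the items above, DID format validation and constant-time comparison, as an added Go example. It is not project code: the 2048-byte length cap and the SHA-256 pre-hashing before `subtle.ConstantTimeCompare` are choices made here, and the DIDs in `main` are placeholders. The grammar is the generic DID syntax from W3C DID Core 1.0 for a bare DID, which is what an issuer, audience or subject field should hold; DID URLs with a path, query or fragment are rejected.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// didSyntax is the generic DID syntax from W3C DID Core 1.0:
//   did                = "did:" method-name ":" method-specific-id
//   method-name        = 1*method-char            ; lowercase letters and digits
//   method-specific-id = *( *idchar ":" ) 1*idchar
//   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
// Go's regexp is RE2, so nested quantifiers cannot backtrack catastrophically.
var didSyntax = regexp.MustCompile(
	`^did:[a-z0-9]+:(?:(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*:)*(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})+$`)

// ValidateDID accepts a bare DID (no path, query or fragment) and returns its
// method name. The length cap is a local choice, not part of the spec.
func ValidateDID(did string) (string, error) {
	if len(did) > 2048 {
		return "", errors.New("did too long")
	}
	if !didSyntax.MatchString(did) {
		return "", errors.New("malformed did")
	}
	return strings.SplitN(did, ":", 3)[1], nil
}

// SecretsEqual compares two secrets (session tokens, PRF outputs, MACs) without
// an early exit on the first differing byte. subtle.ConstantTimeCompare alone
// returns immediately when the lengths differ, so both inputs are hashed first
// to make the comparison independent of the secret's length as well.
func SecretsEqual(a, b []byte) bool {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

func main() {
	// Placeholder DIDs and tokens, constructed for this example.
	fmt.Println(ValidateDID("did:web:example.com:user:alice"))
	fmt.Println(ValidateDID("did:key:abc#fragment"))
	fmt.Println(SecretsEqual([]byte("session-token-A"), []byte("session-token-A")))
}
```

Use `SecretsEqual` wherever a caller-supplied value is checked against a stored secret (session validation before sensitive operations is the case listed above); `==` on byte slices or strings stops at the first mismatch and leaks how much of the secret was right.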
---
## Priority Order
1. **High Priority (SQLite Functions)**
   - `ucan_sign()` / `ucan_seal()` for UCAN signing
   - `ucan_parse_envelope()` for JSON extraction
   - `ucan_chain_valid()` for proof validation
   - `enclave_sign()` for general signing
   - `invocations` exec handler
2. **Medium Priority (SQLite Automation)**
   - Generated columns for delegation status
   - Policy evaluation functions
   - Delegation depth constraints
3. **Lower Priority (Enhancement)**
   - TypeScript SDK completion
   - DID State Sync
   - Testing
   - Security Hardening
---
See [CHANGELOG.md](./CHANGELOG.md) for completed items and version history.