2026-01-07 21:54:32 -05:00
# Implementation TODO
Remaining tasks from [MIGRATION.md](./MIGRATION.md) for the Nebula Key Enclave.
## Status Summary
| Category | Status | Notes |
|----------|--------|-------|
| Schema (10 tables) | Complete | `internal/migrations/schema.sql` - Updated for v1.0.0-rc.1 |
| SQLC Queries | Complete | `internal/migrations/query.sql` - CID-based queries added |
| Generated Code | Complete | `internal/keybase/*.go` |
| Basic Plugin Functions | Complete | `generate`, `load`, `exec`, `query`, `ping` |
| Encryption | Not Started | WebAuthn PRF key derivation needed |
| **UCAN v1.0.0-rc.1** | **Complete** | Core types, builders, policies, DB actions all complete |
| UCAN DB Actions | Complete | `actions_delegation.go`, `actions_invocation.go` |
| MPC Key Shares | Not Started | Key share management missing |
| Database Serialization | Incomplete | Export dumps comments only |
---
## 1. UCAN v1.0.0-rc.1 Migration (CRITICAL PRIORITY)
> **Status**: Core implementation complete using `github.com/ucan-wg/go-ucan v1.1.0`. Deprecated JWT-based files deleted. Remaining work is database integration and MPC signing.
### Completed Implementation
The following files implement UCAN v1.0.0-rc.1 using the official go-ucan library:
| File | Status | Description |
|------|--------|-------------|
| `ucan.go` | ✅ Complete | Type re-exports, Sonr commands, pre-parsed constants |
| `policy.go` | ✅ Complete | PolicyBuilder fluent API, Sonr-specific policy helpers |
| `delegation.go` | ✅ Complete | DelegationBuilder fluent API, Sonr delegation helpers |
| `invocation.go` | ✅ Complete | InvocationBuilder fluent API, Sonr invocation helpers |
| `types.go` | ✅ Complete | ValidationError, Capability, ExecutionResult, Sonr types |
### Dependencies Added
- `github.com/ucan-wg/go-ucan v1.1.0` - Official UCAN library
- `github.com/ipld/go-ipld-prime v0.21.0` - IPLD encoding
- `github.com/MetaMask/go-did-it v1.0.0-pre1` - DID handling (indirect)
- `github.com/ipfs/go-cid v0.5.0` - Content addressing (indirect)
### Deleted (Deprecated JWT-based)
- ~~`jwt.go`~~ - Removed
- ~~`capability.go`~~ - Removed
- ~~`verifier.go`~~ - Removed
- ~~`source.go`~~ - Removed
- ~~`internal/crypto/mpc/spec/`~~ - Entire directory removed
### 1.1 Core Data Structures
- [x] Create `internal/crypto/ucan/types.go` - v1.0.0-rc.1 types
  - [x] Re-export `Delegation` and `Invocation` from go-ucan
  - [x] `Task` struct (sub, cmd, args, nonce)
  - [x] `ReceiptPayload` struct (iss, ran, out, fx, meta, iat)
  - [x] `RevocationPayload` struct
  - [x] `ValidationError` with error codes matching TypeScript
  - [x] `Capability` struct (sub, cmd, pol)
  - [x] `ExecutionResult[T, E]` generic type
  - [x] Sonr-specific types: `VaultCapability`, `DIDCapability`, `DWNCapability`
- [x] Create `internal/crypto/ucan/policy.go` - Policy Language
  - [x] `PolicyBuilder` fluent API with all operators
  - [x] `Equal`, `NotEqual` - equality statements
  - [x] `GreaterThan`, `LessThan`, etc. - inequality statements
  - [x] `Like` - glob pattern matching
  - [x] `Not`, `And`, `Or` - logical connectives
  - [x] `All`, `Any` - quantifiers
  - [x] Sonr helpers: `VaultPolicy`, `DIDPolicy`, `ChainPolicy`, `AccountPolicy`
- [x] Create `internal/crypto/ucan/ucan.go` - Command types
  - [x] `Command` type re-exported from go-ucan
  - [x] Sonr commands: `/vault/*`, `/did/*`, `/dwn/*`, `/ucan/revoke`
  - [x] Pre-parsed command constants: `VaultRead`, `VaultWrite`, `DIDUpdate`, etc.
  - [x] `CommandSubsumes()` helper using go-ucan's `Covers()` method
### 1.2 Envelope Format & Encoding
- [x] Envelope handling via go-ucan library
  - [x] `ToSealed()` method produces DAG-CBOR bytes + CID
  - [x] `ToDagCbor()`, `ToDagJson()` encoding methods
  - [x] CID computation handled by go-ucan
- [x] Varsig support via go-ucan library
  - [x] Ed25519, P-256, secp256k1 via `go-did-it/crypto`
### 1.3 Delegation Operations
- [x] Create `internal/crypto/ucan/delegation.go` - Delegation creation/validation
  - [x] `DelegationBuilder` fluent API
  - [x] `NewDelegation`, `NewRootDelegation`, `NewPowerlineDelegation` re-exports
  - [x] `BuildSealed(privKey)` for signing
  - [x] Sonr helpers: `NewVaultDelegation`, `NewDIDDelegation`, `NewDWNDelegation`
  - [x] Temporal options: `ExpiresAt`, `ExpiresIn`, `NotBefore`, `NotBeforeIn`
### 1.4 Invocation Operations
- [x] Create `internal/crypto/ucan/invocation.go` - Invocation creation/validation
  - [x] `InvocationBuilder` fluent API
  - [x] `NewInvocation` re-export
  - [x] `BuildSealed(privKey)` for signing
  - [x] Proof chain management: `Proof()`, `Proofs()`
  - [x] Sonr helpers: `VaultReadInvocation`, `VaultSignInvocation`, `DIDUpdateInvocation`
### 1.5 Policy Evaluation Engine
> Note: go-ucan provides `ExecutionAllowed()` on invocations which validates proofs and evaluates policies.
- [x] Policy evaluation via go-ucan's `invocation.ExecutionAllowed(loader)`
- [ ] Create `internal/crypto/ucan/eval.go` - Additional evaluation helpers (if needed)
  - [ ] Custom selector resolution for Sonr-specific args
  - [ ] Caching layer for repeated evaluations
### 1.6 Proof Chain Validation
> Note: go-ucan handles chain validation internally via `ExecutionAllowed()`.
- [x] Chain validation via go-ucan library
- [x] Delegation storage in SQLite via `actions_delegation.go`
  - [x] `GetDelegationByCID`, `GetDelegationEnvelope` methods
  - [x] `ListDelegations*` methods for chain traversal
- [ ] Create `internal/crypto/ucan/store.go` - Delegation loader for go-ucan
  - [ ] Implement `delegation.Loader` interface wrapping keybase actions
  - [ ] `GetDelegation(cid.Cid) (*delegation.Token, error)`
  - [ ] Cache loaded delegations for performance
### 1.7 Revocation
- [x] `RevocationInvocation()` helper in `invocation.go`
- [x] Revocation storage via `actions_delegation.go`
  - [x] `RevokeDelegation(ctx, params)` - Create revocation record
  - [x] `IsDelegationRevoked(ctx, cid) (bool, error)` - Query revocation status
- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation checker for go-ucan
  - [ ] Implement revocation checking interface
  - [ ] Integration with chain validation via `ExecutionAllowed()`
### 1.8 Database Integration
- [x] Update `internal/migrations/schema.sql` for v1.0.0-rc.1
  - [x] `ucan_delegations` table (cid, envelope BLOB, iss, aud, sub, cmd, pol, nbf, exp, is_root, is_powerline)
  - [x] `ucan_invocations` table (cid, envelope BLOB, iss, sub, aud, cmd, prf, exp, iat, executed_at, result_cid)
  - [x] `ucan_revocations` table (delegation_cid, revoked_by, invocation_cid, reason)
  - [x] Indexes on iss, aud, sub, cmd for efficient queries
- [x] Update `internal/migrations/query.sql` for v1.0.0-rc.1
  - [x] `CreateDelegation`, `GetDelegationByCID`, `GetDelegationEnvelopeByCID`
  - [x] `ListDelegationsByDID`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`, `ListDelegationsBySubject`
  - [x] `ListDelegationsForCommand`, `ListRootDelegations`, `ListPowerlineDelegations`
  - [x] `CreateInvocation`, `GetInvocationByCID`, `GetInvocationEnvelopeByCID`
  - [x] `ListInvocationsByDID`, `ListInvocationsByIssuer`, `ListInvocationsForCommand`
  - [x] `MarkInvocationExecuted`, `ListPendingInvocations`
  - [x] `CreateRevocation`, `IsDelegationRevoked`, `GetRevocation`, `ListRevocationsByRevoker`
- [x] Create `internal/keybase/actions_delegation.go` - Delegation action handlers
  - [x] `StoreDelegation`, `GetDelegationByCID`, `GetDelegationEnvelope`
  - [x] `ListDelegations`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`
  - [x] `ListDelegationsForCommand`, `IsDelegationRevoked`, `RevokeDelegation`
  - [x] `DeleteDelegation`, `CleanExpiredDelegations`
- [x] Create `internal/keybase/actions_invocation.go` - Invocation action handlers
  - [x] `StoreInvocation`, `GetInvocationByCID`, `GetInvocationEnvelope`
  - [x] `ListInvocations`, `ListInvocationsByCommand`, `ListPendingInvocations`
  - [x] `MarkInvocationExecuted`, `CleanOldInvocations`
### 1.9 MPC Signing Integration
- [ ] Create `internal/crypto/ucan/signer.go` - MPC key integration
  - [ ] Implement `crypto.PrivateKeySigningBytes` interface for MPC
  - [ ] Sign delegations with MPC key shares
  - [ ] Sign invocations with MPC key shares
### 1.10 Testing
- [ ] Unit tests for builders (DelegationBuilder, InvocationBuilder)
- [ ] Unit tests for policy helpers
- [ ] Unit tests for Sonr-specific invocations
- [ ] Interoperability tests against TypeScript implementation
- [ ] Test vectors from UCAN spec
---
## 2. Encryption Strategy
> Reference: MIGRATION.md lines 770-814
### 2.1 WebAuthn PRF Key Derivation
- [ ] Implement `DeriveEncryptionKey(prfOutput []byte) ([]byte, error)`
- [ ] Use HKDF with SHA-256 to derive 256-bit encryption key
- [ ] Salt with `"nebula-enclave-v1"` as info parameter
### 2.2 Database Encryption
- [ ] Implement application-level AES-GCM encryption for serialized pages
- [ ] Add encryption wrapper around `Serialize()` output
- [ ] Add decryption wrapper for `Load()` input
- [ ] Store encryption metadata (IV, auth tag) with serialized data
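
A Go sketch of the 2.1 derivation and the 2.2 wrapper together, added here as an example and not taken from the project's code. Assumptions: HKDF is written out over `crypto/hmac` (RFC 5869, single output block) to stay within the standard library, the label is used as HKDF info with no salt, and the names `Seal`/`Open` and the `nonce || ciphertext || tag` layout are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumption: the label from section 2.1 is passed as the HKDF "info" input.
const hkdfInfo = "nebula-enclave-v1"

// hkdfSHA256 is RFC 5869 extract-then-expand for a single 32-byte block,
// which is exactly the 256-bit key size the TODO asks for.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // nil salt acts as HashLen zero bytes
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // T(1) = HMAC(PRK, info || 0x01)
	return expand.Sum(nil)
}

// DeriveEncryptionKey maps a WebAuthn PRF output to a 256-bit AES key.
// Assumption: inputs shorter than 32 bytes are rejected as malformed.
func DeriveEncryptionKey(prfOutput []byte) ([]byte, error) {
	if len(prfOutput) < 32 {
		return nil, errors.New("prf output shorter than 32 bytes")
	}
	return hkdfSHA256(prfOutput, nil, []byte(hkdfInfo)), nil
}

// newGCM builds AES-256-GCM and refuses any other key size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	blockCipher, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blockCipher)
}

// Seal wraps Serialize() output as nonce(12) || ciphertext || tag(16).
func Seal(key, serialized []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random IV per export
		return nil, err
	}
	return gcm.Seal(nonce, nonce, serialized, nil), nil
}

// Open unwraps Load() input; a wrong key or any modified byte is an error.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

func main() {
	key, _ := DeriveEncryptionKey(make([]byte, 32)) // constructed stand-in PRF output
	sealed, _ := Seal(key, []byte("-- constructed dump --"))
	plain, err := Open(key, sealed)
	fmt.Printf("%d-byte blob -> %q (err=%v)\n", len(sealed), plain, err)
}
```
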
### 2.3 Encrypted Database Wrapper
- [ ] Create `internal/enclave/enclave.go` - Encrypted database wrapper
- [ ] Create `internal/enclave/crypto.go` - WebAuthn PRF key derivation
- [ ] Integrate with existing `internal/keybase` package
---
## 3. Database Serialization
> Current implementation in `conn.go:exportDump()` only outputs comments
### 3.1 Proper Serialization
- [ ] Implement full row export with proper SQL INSERT statements
- [ ] Handle JSON columns correctly (escape special characters)
- [ ] Include table creation order for foreign key constraints
- [ ] Add version header for migration compatibility
### 3.2 Proper Deserialization
- [ ] Parse serialized SQL dump in `Load()`
- [ ] Execute INSERT statements to restore data
- [ ] Validate data integrity after restore
- [ ] Handle schema version mismatches
---
## 4. Action Manager Extensions
> Reference: `internal/keybase/actions.go`
### 4.1 Key Share Actions
- [x] `CreateKeyShare(ctx, params) (*KeyShareResult, error)`
- [x] `ListKeyShares(ctx) ([]KeyShareResult, error)`
- [x] `GetKeyShareByID(ctx, shareID) (*KeyShareResult, error)`
- [x] `GetKeyShareByKeyID(ctx, keyID) (*KeyShareResult, error)`
- [x] `RotateKeyShare(ctx, shareID) error`
- [x] `ArchiveKeyShare(ctx, shareID) error`
- [x] `DeleteKeyShare(ctx, shareID) error`
### 4.2 UCAN Token Actions (v1.0.0-rc.1)
- [x] `StoreDelegation(ctx, params) (*DelegationResult, error)`
- [x] `ListDelegations(ctx) ([]DelegationResult, error)`
- [x] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)`
- [x] `GetDelegationEnvelope(ctx, cid) ([]byte, error)`
- [x] `ListDelegationsByIssuer(ctx, issuer) ([]DelegationResult, error)`
- [x] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)`
- [x] `ListDelegationsForCommand(ctx, cmd) ([]DelegationResult, error)`
- [x] `StoreInvocation(ctx, params) (*InvocationResult, error)`
- [x] `GetInvocationByCID(ctx, cid) (*InvocationResult, error)`
- [x] `GetInvocationEnvelope(ctx, cid) ([]byte, error)`
- [x] `ListInvocations(ctx, limit) ([]InvocationResult, error)`
- [x] `ListInvocationsByCommand(ctx, cmd, limit) ([]InvocationResult, error)`
- [x] `ListPendingInvocations(ctx) ([]InvocationResult, error)`
- [x] `MarkInvocationExecuted(ctx, cid, resultCID) error`
- [x] `RevokeDelegation(ctx, params) error`
- [x] `IsDelegationRevoked(ctx, cid) (bool, error)`
- [x] `DeleteDelegation(ctx, cid) error`
- [x] `CleanExpiredDelegations(ctx) error`
- [x] `CleanOldInvocations(ctx) error`
- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)` - Requires delegation.Loader
### 4.3 Verification Method Actions
- [ ] `CreateVerificationMethod(ctx, params) (*VerificationMethodResult, error)`
- [ ] `ListVerificationMethods(ctx) ([]VerificationMethodResult, error)`
- [ ] `GetVerificationMethod(ctx, methodID) (*VerificationMethodResult, error)`
- [ ] `DeleteVerificationMethod(ctx, methodID) error`
### 4.4 Service Actions
- [ ] `CreateService(ctx, params) (*ServiceResult, error)`
- [ ] `GetServiceByOrigin(ctx, origin) (*ServiceResult, error)`
- [ ] `GetServiceByID(ctx, serviceID) (*ServiceResult, error)`
- [ ] `UpdateService(ctx, params) error`
- [ ] `ListVerifiedServices(ctx) ([]ServiceResult, error)`
### 4.5 Grant Actions (Extend Existing)
- [ ] `CreateGrant(ctx, params) (*GrantResult, error)`
- [ ] `GetGrantByService(ctx, serviceID) (*GrantResult, error)`
- [ ] `UpdateGrantScopes(ctx, grantID, scopes, accounts) error`
- [ ] `UpdateGrantLastUsed(ctx, grantID) error`
- [ ] `SuspendGrant(ctx, grantID) error`
- [ ] `ReactivateGrant(ctx, grantID) error`
- [ ] `CountActiveGrants(ctx) (int64, error)`
### 4.6 Account Actions (Extend Existing)
- [x] `CreateAccount(ctx, params) (*AccountResult, error)`
- [x] `ListAccountsByChain(ctx, chainID) ([]AccountResult, error)`
- [x] `GetDefaultAccount(ctx, chainID) (*AccountResult, error)`
- [x] `SetDefaultAccount(ctx, accountID, chainID) error`
- [x] `UpdateAccountLabel(ctx, accountID, label) error`
- [x] `DeleteAccount(ctx, accountID) error`
### 4.7 Credential Actions (Extend Existing)
- [ ] `CreateCredential(ctx, params) (*CredentialResult, error)`
- [ ] `UpdateCredentialCounter(ctx, credentialID, signCount) error`
- [ ] `RenameCredential(ctx, credentialID, name) error`
- [ ] `DeleteCredential(ctx, credentialID) error`
- [ ] `CountCredentialsByDID(ctx) (int64, error)`
### 4.8 Session Actions (Extend Existing)
- [ ] `GetSessionByID(ctx, sessionID) (*SessionResult, error)`
- [ ] `GetCurrentSession(ctx) (*SessionResult, error)`
- [ ] `UpdateSessionActivity(ctx, sessionID) error`
- [ ] `SetCurrentSession(ctx, sessionID) error`
- [ ] `DeleteExpiredSessions(ctx) error`
### 4.9 Sync Checkpoint Actions
- [ ] `GetSyncCheckpoint(ctx, resourceType) (*SyncCheckpointResult, error)`
- [ ] `UpsertSyncCheckpoint(ctx, params) error`
- [ ] `ListSyncCheckpoints(ctx) ([]SyncCheckpointResult, error)`
---
## 5. MPC Key Share Management
> Reference: MIGRATION.md lines 823-824
### 5.1 Key Share Storage
- [x] Parse key share data from MPC protocol - `KeyShareInput` in generate
- [x] Store public key and chain code - `CreateKeyShare` action
- [x] Track party index and threshold - stored in `key_shares` table
- [ ] Encrypt share data before storage - PRF key derivation needed
### 5.2 Account Derivation
- [x] Basic address derivation from public key - `deriveCosmosAddress()`
- [x] Create initial account during generate - `createInitialAccount()`
- [ ] Implement BIP44 derivation path parsing
- [ ] Support multiple chains (Cosmos 118, Ethereum 60)
- [ ] Generate proper bech32 address encoding per chain
### 5.3 Key Rotation
- [x] Implement key rotation workflow - `RotateKeyShare` action
- [x] Archive old shares - `ArchiveKeyShare` action
- [x] Status transitions - managed in database
- [ ] Handle rotation failures gracefully
---
## 6. Plugin Function Extensions
> Reference: `main.go`
### 6.1 Extend `exec` Resource Handlers
- [ ] Add `key_shares` resource handler
- [x] Add `ucans` resource handler (v1.0.0-rc.1 delegations)
- [x] Add `delegations` resource handler (v1.0.0-rc.1)
- [ ] Add `invocations` resource handler (v1.0.0-rc.1)
- [x] Add `verification_methods` resource handler
- [x] Add `services` resource handler
- [ ] Add `sync_checkpoints` resource handler
### 6.2 Extend `generate` Function
- [x] Accept optional MPC keyshare data in input
- [x] Create initial keyshare if provided
- [x] Create initial account from keyshare
- [ ] Parse WebAuthn credential properly (CBOR/COSE format)
- [ ] Extract public key from credential
- [ ] Create initial verification method
- [ ] Create initial credential record
### 6.3 Signing Function
- [ ] Implement `sign` wasmexport function
- [ ] Support signing with MPC key shares
- [ ] Return signature in appropriate format
- [ ] Log signing operations for audit
---
## 7. Capability Delegation (v1.0.0-rc.1)
> Reference: UCAN Delegation specification
### 7.1 Delegation Chain Management
- [ ] Enforce maximum delegation depth (prevent infinite chains)
- [ ] Validate delegator has capability to delegate (sub field)
- [ ] Ensure proper capability attenuation (cmd + pol)
- [ ] Track parent-child relationships via CID references
### 7.2 Policy Attenuation
- [ ] Child policy must be more restrictive than parent
- [ ] Implement policy subsumption checking
- [ ] Command hierarchy validation (`/crud/*` subsumes `/crud/read`)
### 7.3 Delegation Status
- [ ] Implement expiration checking
- [ ] Handle revocation cascades (revoke chain)
- [ ] Update status on expiry
---
## 8. DID State Sync
> Reference: MIGRATION.md line 827
### 8.1 Sync Infrastructure
- [ ] Create `internal/enclave/sync.go` - DID state sync logic
- [ ] Implement checkpoint tracking
- [ ] Store last synced block height
- [ ] Track last processed transaction hash
### 8.2 Sync Operations
- [ ] Fetch DID document updates from chain
- [ ] Validate on-chain document hash
- [ ] Update local state on changes
- [ ] Handle reorgs and rollbacks
---
## 9. TypeScript SDK
> Reference: README.md, `src/` directory
### 9.1 Core SDK
- [ ] Implement `createEnclave(wasmPath)` factory
- [ ] Implement `generate(credential)` wrapper
- [ ] Implement `load(database)` wrapper
- [ ] Implement `exec(filter, token?)` wrapper
- [ ] Implement `query(did?)` wrapper
### 9.2 UCAN SDK (v1.0.0-rc.1)
- [ ] Delegation builder using `src/ucan.ts` types
- [ ] Invocation builder
- [ ] Policy builder helpers
- [ ] Envelope encoding/decoding (DAG-CBOR)
- [ ] CID computation
### 9.3 WebAuthn Integration
- [ ] Helper for credential creation
- [ ] Helper for PRF extension output
- [ ] Proper encoding/decoding utilities
---
## 10. Testing
### 10.1 Unit Tests
- [ ] Test all ActionManager methods
- [ ] Test serialization/deserialization roundtrip
- [ ] Test encryption/decryption
- [ ] Test UCAN policy evaluation
- [ ] Test UCAN envelope encoding
### 10.2 Integration Tests
- [ ] Test full generate -> load -> exec flow
- [ ] Test credential lifecycle
- [ ] Test session management
- [ ] Test grant management
- [ ] Test UCAN delegation chain
### 10.3 Plugin Tests
- [ ] Extend `make test-plugin` with all functions
- [ ] Add error case testing
- [ ] Test with various input formats
### 10.4 Interoperability Tests
- [ ] Go <-> TypeScript UCAN envelope compatibility
- [ ] CID computation consistency
- [ ] Policy evaluation consistency
---
## 11. Security Hardening
### 11.1 Input Validation
- [ ] Validate all JSON inputs against schemas
- [ ] Sanitize SQL-sensitive characters in serialization
- [ ] Validate DID format on all inputs
- [ ] Validate base64 encoding
### 11.2 Cryptographic Security
- [ ] Use constant-time comparison for sensitive data
- [ ] Clear sensitive data from memory after use
- [ ] Validate key sizes and formats
- [ ] Implement proper nonce generation
### 11.3 Access Control
- [ ] Enforce DID ownership on all mutations
- [ ] Validate session before sensitive operations
- [ ] Check grant scopes before data access
- [ ] Log security-relevant operations
---
## Priority Order
1. **CRITICAL (Spec Compliance)** - ✅ Complete
   - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ All core items complete
   - ~~Core data structures (1.1)~~ ✅ Using go-ucan v1.1.0
   - ~~Envelope format (1.2)~~ ✅ Handled by go-ucan
   - ~~Delegation operations (1.3)~~ ✅ DelegationBuilder complete
   - ~~Invocation operations (1.4)~~ ✅ InvocationBuilder complete
   - ~~Database integration (1.8)~~ ✅ Schema, queries, and actions complete
   - MPC signing integration (1.9) - Next priority
2. **High Priority (Core Functionality)**
   - Database Serialization (3.1, 3.2)
   - Credential Creation (6.2, 4.7)
   - Key Share Actions (4.1)
   - Account Actions (4.6)
   - Delegation Loader for go-ucan (1.6)
3. **Medium Priority (Authorization)**
   - Revocation checker for go-ucan (1.7)
   - MPC Signing (1.9)
   - Encryption Strategy (2.1, 2.2)
4. **Lower Priority (Enhancement)**
   - TypeScript SDK (9.x)
   - DID State Sync (8.x)
   - Additional exec handlers (6.1)
   - Testing (10.x)
   - Security Hardening (11.x)
---
## Completed Items
### UCAN v1.0.0-rc.1 Database Integration (January 2025)
Schema and action handlers for storing/querying UCAN delegations and invocations:
- ✅ `internal/migrations/schema.sql` - v1.0.0-rc.1 tables
  - `ucan_delegations` - CID-indexed delegation storage with envelope BLOB
  - `ucan_invocations` - CID-indexed invocation storage with execution tracking
  - `ucan_revocations` - Revocation records with reason and invocation CID
  - Updated `grants` table to use `delegation_cid` instead of `ucan_id`
- ✅ `internal/migrations/query.sql` - CID-based queries
  - Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
  - Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
  - Revocation: Create, Check revoked, Get revocation, List by revoker
- ✅ `internal/keybase/actions_delegation.go` - Delegation action handlers
  - StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
  - ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
  - ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
  - DeleteDelegation, CleanExpiredDelegations
- ✅ `internal/keybase/actions_invocation.go` - Invocation action handlers
  - StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
  - ListInvocations, ListInvocationsByCommand, ListPendingInvocations
  - MarkInvocationExecuted, CleanOldInvocations
- ✅ `main.go` - Updated exec handlers for v1.0.0-rc.1
  - `executeUCANAction` uses delegation methods (list, get, revoke, verify, cleanup)
  - `executeDelegationAction` uses CID-based methods (list by issuer/audience/command)
  - `validateUCAN` uses `IsDelegationRevoked` instead of old `IsUCANRevoked`
- ✅ Deleted old action files
  - `internal/keybase/actions_ucan.go` - Old JWT-based UCAN actions
  - `internal/keybase/actions_delegation.go` - Old ID-based delegation actions
### UCAN v1.0.0-rc.1 Core (January 2025)
The following was completed using `github.com/ucan-wg/go-ucan v1.1.0`:
- ✅ Type re-exports from go-ucan (Delegation, Invocation, Command, Policy)
- ✅ Sonr command constants (/vault/*, /did/*, /dwn/*)
- ✅ DelegationBuilder fluent API with Sonr-specific helpers
- ✅ InvocationBuilder fluent API with Sonr-specific helpers
- ✅ PolicyBuilder fluent API with all operators
- ✅ Sonr policy helpers (VaultPolicy, DIDPolicy, ChainPolicy)
- ✅ ValidationError types matching TypeScript definitions
- ✅ Capability, ExecutionResult, and related types
### Deleted (Deprecated JWT-based)
- ✅ Deleted `jwt.go` - Old JWT token handling
- ✅ Deleted `capability.go` - Old Attenuation/Resource/Capability model
- ✅ Deleted `verifier.go` - Old JWT verification
- ✅ Deleted `source.go` - Old JWT token creation
- ✅ Deleted `internal/crypto/mpc/spec/` - Old MPC JWT integration
- ✅ Removed `github.com/golang-jwt/jwt/v5` dependency
---
## Deprecated Items (Removed)
The following items from the previous TODO have been removed as they reference the **deprecated JWT-based UCAN format**:

- ~~Section 4.1 "Token Validation" - JWT parsing~~ -> Replaced by go-ucan validation
- ~~Section 4.2 "Capability Verification" - `can`/`with` format~~ -> Replaced by policy evaluation
- ~~Section 4.3 "Proof Chain Validation" - JWT proof strings~~ -> Replaced by CID-based chain
- ~~Section 3.2 "UCAN Token Actions" - Old format~~ -> Replaced by v1.0.0-rc.1 actions (4.2)
- ~~Section 3.3 "Delegation Actions" - Old delegation model~~ -> Merged into Section 1 and 4.2

The old capability model (`Attenuation`, `Resource`, `Capability` interfaces) is replaced by:

- `sub` (DID) - Subject of the capability
- `cmd` (Command) - Action being delegated
- `pol` (Policy) - Constraints on invocation arguments