docs(TODO): update UCAN v1.0.0-rc.1 migration status and completed items

TODO.md

@@ -6,12 +6,13 @@ Remaining tasks from [MIGRATION.md](./MIGRATION.md) for the Nebula Key Enclave.
 
 | Category | Status | Notes |
 |----------|--------|-------|
-| Schema (10 tables) | Complete | `internal/migrations/schema.sql` |
-| SQLC Queries | Complete | `internal/migrations/query.sql` |
+| Schema (10 tables) | Complete | `internal/migrations/schema.sql` - Updated for v1.0.0-rc.1 |
+| SQLC Queries | Complete | `internal/migrations/query.sql` - CID-based queries added |
 | Generated Code | Complete | `internal/keybase/*.go` |
 | Basic Plugin Functions | Complete | `generate`, `load`, `exec`, `query`, `ping` |
 | Encryption | Not Started | WebAuthn PRF key derivation needed |
-| **UCAN v1.0.0-rc.1** | **In Progress** | Core types, builders, and policies complete. Uses `go-ucan v1.1.0` |
+| **UCAN v1.0.0-rc.1** | **Complete** | Core types, builders, policies, DB actions all complete |
+| UCAN DB Actions | Complete | `actions_delegation.go`, `actions_invocation.go` |
 | MPC Key Shares | Not Started | Key share management missing |
 | Database Serialization | Incomplete | Export dumps comments only |
 
@@ -117,31 +118,51 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
 > Note: go-ucan handles chain validation internally via `ExecutionAllowed()`.
 
 - [x] Chain validation via go-ucan library
-- [ ] Create `internal/crypto/ucan/store.go` - Delegation store
-  - [ ] Implement `delegation.Loader` interface
+- [x] Delegation storage in SQLite via `actions_delegation.go`
+  - [x] `GetDelegationByCID`, `GetDelegationEnvelope` methods
+  - [x] `ListDelegations*` methods for chain traversal
+- [ ] Create `internal/crypto/ucan/store.go` - Delegation loader for go-ucan
+  - [ ] Implement `delegation.Loader` interface wrapping keybase actions
   - [ ] `GetDelegation(cid.Cid) (*delegation.Token, error)`
   - [ ] Cache loaded delegations for performance
 
 ### 1.7 Revocation
 
 - [x] `RevocationInvocation()` helper in `invocation.go`
-- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation handling
-  - [ ] Revocation store implementation
-  - [ ] `IsRevoked(cid.Cid) (bool, error)` query
-  - [ ] Integration with chain validation
+- [x] Revocation storage via `actions_delegation.go`
+  - [x] `RevokeDelegation(ctx, params)` - Create revocation record
+  - [x] `IsDelegationRevoked(ctx, cid) (bool, error)` - Query revocation status
+- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation checker for go-ucan
+  - [ ] Implement revocation checking interface
+  - [ ] Integration with chain validation via `ExecutionAllowed()`
 
 ### 1.8 Database Integration
 
-- [ ] Update `internal/migrations/schema.sql` for v1.0.0-rc.1
-  - [ ] `ucan_delegations` table (cid, envelope_cbor, iss, aud, sub, cmd, exp, created_at)
-  - [ ] `ucan_invocations` table (cid, envelope_cbor, iss, sub, cmd, exp, created_at)
-  - [ ] `ucan_revocations` table (cid, delegation_cid, revoker, created_at)
-  - [ ] Indexes on iss, aud, sub, cmd for efficient queries
+- [x] Update `internal/migrations/schema.sql` for v1.0.0-rc.1
+  - [x] `ucan_delegations` table (cid, envelope BLOB, iss, aud, sub, cmd, pol, nbf, exp, is_root, is_powerline)
+  - [x] `ucan_invocations` table (cid, envelope BLOB, iss, sub, aud, cmd, prf, exp, iat, executed_at, result_cid)
+  - [x] `ucan_revocations` table (delegation_cid, revoked_by, invocation_cid, reason)
+  - [x] Indexes on iss, aud, sub, cmd for efficient queries
 
-- [ ] Update `internal/migrations/query.sql` for v1.0.0-rc.1
-  - [ ] `InsertDelegation`, `GetDelegationByCID`, `ListDelegationsByAudience`
-  - [ ] `InsertInvocation`, `GetInvocationByCID`
-  - [ ] `InsertRevocation`, `IsRevoked`, `GetRevocationsByDelegation`
+- [x] Update `internal/migrations/query.sql` for v1.0.0-rc.1
+  - [x] `CreateDelegation`, `GetDelegationByCID`, `GetDelegationEnvelopeByCID`
+  - [x] `ListDelegationsByDID`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`, `ListDelegationsBySubject`
+  - [x] `ListDelegationsForCommand`, `ListRootDelegations`, `ListPowerlineDelegations`
+  - [x] `CreateInvocation`, `GetInvocationByCID`, `GetInvocationEnvelopeByCID`
+  - [x] `ListInvocationsByDID`, `ListInvocationsByIssuer`, `ListInvocationsForCommand`
+  - [x] `MarkInvocationExecuted`, `ListPendingInvocations`
+  - [x] `CreateRevocation`, `IsDelegationRevoked`, `GetRevocation`, `ListRevocationsByRevoker`
+
+- [x] Create `internal/keybase/actions_delegation.go` - Delegation action handlers
+  - [x] `StoreDelegation`, `GetDelegationByCID`, `GetDelegationEnvelope`
+  - [x] `ListDelegations`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`
+  - [x] `ListDelegationsForCommand`, `IsDelegationRevoked`, `RevokeDelegation`
+  - [x] `DeleteDelegation`, `CleanExpiredDelegations`
+
+- [x] Create `internal/keybase/actions_invocation.go` - Invocation action handlers
+  - [x] `StoreInvocation`, `GetInvocationByCID`, `GetInvocationEnvelope`
+  - [x] `ListInvocations`, `ListInvocationsByCommand`, `ListPendingInvocations`
+  - [x] `MarkInvocationExecuted`, `CleanOldInvocations`
 
 ### 1.9 MPC Signing Integration
 
@@ -221,15 +242,26 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
 
 ### 4.2 UCAN Token Actions (v1.0.0-rc.1)
 
-- [ ] `CreateDelegation(ctx, params) (*DelegationResult, error)`
-- [ ] `ListDelegations(ctx) ([]DelegationResult, error)`
-- [ ] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)`
-- [ ] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)`
-- [ ] `CreateInvocation(ctx, params) (*InvocationResult, error)`
-- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)`
-- [ ] `RevokeUCAN(ctx, cid) error`
-- [ ] `IsUCANRevoked(ctx, cid) (bool, error)`
-- [ ] `CleanExpiredUCANs(ctx) error`
+- [x] `StoreDelegation(ctx, params) (*DelegationResult, error)`
+- [x] `ListDelegations(ctx) ([]DelegationResult, error)`
+- [x] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)`
+- [x] `GetDelegationEnvelope(ctx, cid) ([]byte, error)`
+- [x] `ListDelegationsByIssuer(ctx, issuer) ([]DelegationResult, error)`
+- [x] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)`
+- [x] `ListDelegationsForCommand(ctx, cmd) ([]DelegationResult, error)`
+- [x] `StoreInvocation(ctx, params) (*InvocationResult, error)`
+- [x] `GetInvocationByCID(ctx, cid) (*InvocationResult, error)`
+- [x] `GetInvocationEnvelope(ctx, cid) ([]byte, error)`
+- [x] `ListInvocations(ctx, limit) ([]InvocationResult, error)`
+- [x] `ListInvocationsByCommand(ctx, cmd, limit) ([]InvocationResult, error)`
+- [x] `ListPendingInvocations(ctx) ([]InvocationResult, error)`
+- [x] `MarkInvocationExecuted(ctx, cid, resultCID) error`
+- [x] `RevokeDelegation(ctx, params) error`
+- [x] `IsDelegationRevoked(ctx, cid) (bool, error)`
+- [x] `DeleteDelegation(ctx, cid) error`
+- [x] `CleanExpiredDelegations(ctx) error`
+- [x] `CleanOldInvocations(ctx) error`
+- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)` - Requires delegation.Loader
 
 ### 4.3 Verification Method Actions
 
@@ -323,10 +355,11 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
 ### 6.1 Extend `exec` Resource Handlers
 
 - [ ] Add `key_shares` resource handler
-- [ ] Add `delegations` resource handler (v1.0.0-rc.1)
+- [x] Add `ucans` resource handler (v1.0.0-rc.1 delegations)
+- [x] Add `delegations` resource handler (v1.0.0-rc.1)
 - [ ] Add `invocations` resource handler (v1.0.0-rc.1)
-- [ ] Add `verification_methods` resource handler
-- [ ] Add `services` resource handler
+- [x] Add `verification_methods` resource handler
+- [x] Add `services` resource handler
 - [ ] Add `sync_checkpoints` resource handler
 
 ### 6.2 Extend `generate` Function
@@ -478,13 +511,13 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
 
 ## Priority Order
 
-1. **CRITICAL (Spec Compliance)** - ✅ Core Complete
-   - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ Core types, builders, policies done
+1. **CRITICAL (Spec Compliance)** - ✅ Complete
+   - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ All core items complete
    - ~~Core data structures (1.1)~~ ✅ Using go-ucan v1.1.0
    - ~~Envelope format (1.2)~~ ✅ Handled by go-ucan
    - ~~Delegation operations (1.3)~~ ✅ DelegationBuilder complete
    - ~~Invocation operations (1.4)~~ ✅ InvocationBuilder complete
-   - Database integration (1.8) - Next priority
+   - ~~Database integration (1.8)~~ ✅ Schema, queries, and actions complete
    - MPC signing integration (1.9) - Next priority
 
 2. **High Priority (Core Functionality)**
@@ -492,11 +525,10 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
    - Credential Creation (6.2, 4.7)
    - Key Share Actions (4.1)
    - Account Actions (4.6)
-   - UCAN Database Integration (1.8)
+   - Delegation Loader for go-ucan (1.6)
 
 3. **Medium Priority (Authorization)**
-   - Delegation store (1.6)
-   - Revocation store (1.7)
+   - Revocation checker for go-ucan (1.7)
    - MPC Signing (1.9)
    - Encryption Strategy (2.1, 2.2)
 
@@ -511,6 +543,41 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar
 
 ## Completed Items
 
+### UCAN v1.0.0-rc.1 Database Integration (January 2025)
+
+Schema and action handlers for storing/querying UCAN delegations and invocations:
+
+- ✅ `internal/migrations/schema.sql` - v1.0.0-rc.1 tables
+  - `ucan_delegations` - CID-indexed delegation storage with envelope BLOB
+  - `ucan_invocations` - CID-indexed invocation storage with execution tracking
+  - `ucan_revocations` - Revocation records with reason and invocation CID
+  - Updated `grants` table to use `delegation_cid` instead of `ucan_id`
+
+- ✅ `internal/migrations/query.sql` - CID-based queries
+  - Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
+  - Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
+  - Revocation: Create, Check revoked, Get revocation, List by revoker
+
+- ✅ `internal/keybase/actions_delegation.go` - Delegation action handlers
+  - StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
+  - ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
+  - ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
+  - DeleteDelegation, CleanExpiredDelegations
+
+- ✅ `internal/keybase/actions_invocation.go` - Invocation action handlers
+  - StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
+  - ListInvocations, ListInvocationsByCommand, ListPendingInvocations
+  - MarkInvocationExecuted, CleanOldInvocations
+
+- ✅ `main.go` - Updated exec handlers for v1.0.0-rc.1
+  - `executeUCANAction` uses delegation methods (list, get, revoke, verify, cleanup)
+  - `executeDelegationAction` uses CID-based methods (list by issuer/audience/command)
+  - `validateUCAN` uses `IsDelegationRevoked` instead of old `IsUCANRevoked`
+
+- ✅ Deleted old action files
+  - `internal/keybase/actions_ucan.go` - Old JWT-based UCAN actions
+  - `internal/keybase/actions_delegation.go` - Old ID-based delegation actions
+
 ### UCAN v1.0.0-rc.1 Core (January 2025)
 
 The following was completed using `github.com/ucan-wg/go-ucan v1.1.0`: