From 9bec58e29311695bc792ce144f487fddb2e56f8a Mon Sep 17 00:00:00 2001 From: Prad Nukala Date: Thu, 8 Jan 2026 19:34:27 -0500 Subject: [PATCH] docs(TODO): update UCAN v1.0.0-rc.1 migration status and completed items --- TODO.md | 139 +++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 103 insertions(+), 36 deletions(-) diff --git a/TODO.md b/TODO.md index 512c4b6..1614d12 100644 --- a/TODO.md +++ b/TODO.md @@ -6,12 +6,13 @@ Remaining tasks from [MIGRATION.md](./MIGRATION.md) for the Nebula Key Enclave. | Category | Status | Notes | |----------|--------|-------| -| Schema (10 tables) | Complete | `internal/migrations/schema.sql` | -| SQLC Queries | Complete | `internal/migrations/query.sql` | +| Schema (10 tables) | Complete | `internal/migrations/schema.sql` - Updated for v1.0.0-rc.1 | +| SQLC Queries | Complete | `internal/migrations/query.sql` - CID-based queries added | | Generated Code | Complete | `internal/keybase/*.go` | | Basic Plugin Functions | Complete | `generate`, `load`, `exec`, `query`, `ping` | | Encryption | Not Started | WebAuthn PRF key derivation needed | -| **UCAN v1.0.0-rc.1** | **In Progress** | Core types, builders, and policies complete. Uses `go-ucan v1.1.0` | +| **UCAN v1.0.0-rc.1** | **Complete** | Core types, builders, policies, DB actions all complete | +| UCAN DB Actions | Complete | `actions_delegation.go`, `actions_invocation.go` | | MPC Key Shares | Not Started | Key share management missing | | Database Serialization | Incomplete | Export dumps comments only | @@ -117,31 +118,51 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar > Note: go-ucan handles chain validation internally via `ExecutionAllowed()`. - [x] Chain validation via go-ucan library -- [ ] Create `internal/crypto/ucan/store.go` - Delegation store - - [ ] Implement `delegation.Loader` interface +- [x] Delegation storage in SQLite via `actions_delegation.go` + - [x] `GetDelegationByCID`, `GetDelegationEnvelope` methods + - [x] `ListDelegations*` methods for chain traversal +- [ ] Create `internal/crypto/ucan/store.go` - Delegation loader for go-ucan + - [ ] Implement `delegation.Loader` interface wrapping keybase actions - [ ] `GetDelegation(cid.Cid) (*delegation.Token, error)` - [ ] Cache loaded delegations for performance ### 1.7 Revocation - [x] `RevocationInvocation()` helper in `invocation.go` -- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation handling - - [ ] Revocation store implementation - - [ ] `IsRevoked(cid.Cid) (bool, error)` query - - [ ] Integration with chain validation +- [x] Revocation storage via `actions_delegation.go` + - [x] `RevokeDelegation(ctx, params)` - Create revocation record + - [x] `IsDelegationRevoked(ctx, cid) (bool, error)` - Query revocation status +- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation checker for go-ucan + - [ ] Implement revocation checking interface + - [ ] Integration with chain validation via `ExecutionAllowed()` ### 1.8 Database Integration -- [ ] Update `internal/migrations/schema.sql` for v1.0.0-rc.1 - - [ ] `ucan_delegations` table (cid, envelope_cbor, iss, aud, sub, cmd, exp, created_at) - - [ ] `ucan_invocations` table (cid, envelope_cbor, iss, sub, cmd, exp, created_at) - - [ ] `ucan_revocations` table (cid, delegation_cid, revoker, created_at) - - [ ] Indexes on iss, aud, sub, cmd for efficient queries +- [x] Update `internal/migrations/schema.sql` for v1.0.0-rc.1 + - [x] `ucan_delegations` table (cid, envelope BLOB, iss, aud, sub, cmd, pol, nbf, exp, is_root, is_powerline) + - [x] `ucan_invocations` table (cid, envelope BLOB, iss, sub, aud, cmd, prf, exp, iat, executed_at, result_cid) + - [x] `ucan_revocations` table (delegation_cid, revoked_by, invocation_cid, reason) + - [x] Indexes on iss, aud, sub, cmd for efficient queries -- [ ] Update `internal/migrations/query.sql` for v1.0.0-rc.1 - - [ ] `InsertDelegation`, `GetDelegationByCID`, `ListDelegationsByAudience` - - [ ] `InsertInvocation`, `GetInvocationByCID` - - [ ] `InsertRevocation`, `IsRevoked`, `GetRevocationsByDelegation` +- [x] Update `internal/migrations/query.sql` for v1.0.0-rc.1 + - [x] `CreateDelegation`, `GetDelegationByCID`, `GetDelegationEnvelopeByCID` + - [x] `ListDelegationsByDID`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`, `ListDelegationsBySubject` + - [x] `ListDelegationsForCommand`, `ListRootDelegations`, `ListPowerlineDelegations` + - [x] `CreateInvocation`, `GetInvocationByCID`, `GetInvocationEnvelopeByCID` + - [x] `ListInvocationsByDID`, `ListInvocationsByIssuer`, `ListInvocationsForCommand` + - [x] `MarkInvocationExecuted`, `ListPendingInvocations` + - [x] `CreateRevocation`, `IsDelegationRevoked`, `GetRevocation`, `ListRevocationsByRevoker` + +- [x] Create `internal/keybase/actions_delegation.go` - Delegation action handlers + - [x] `StoreDelegation`, `GetDelegationByCID`, `GetDelegationEnvelope` + - [x] `ListDelegations`, `ListDelegationsByIssuer`, `ListDelegationsByAudience` + - [x] `ListDelegationsForCommand`, `IsDelegationRevoked`, `RevokeDelegation` + - [x] `DeleteDelegation`, `CleanExpiredDelegations` + +- [x] Create `internal/keybase/actions_invocation.go` - Invocation action handlers + - [x] `StoreInvocation`, `GetInvocationByCID`, `GetInvocationEnvelope` + - [x] `ListInvocations`, `ListInvocationsByCommand`, `ListPendingInvocations` + - [x] `MarkInvocationExecuted`, `CleanOldInvocations` ### 1.9 MPC Signing Integration @@ -221,15 +242,26 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar ### 4.2 UCAN Token Actions (v1.0.0-rc.1) -- [ ] `CreateDelegation(ctx, params) (*DelegationResult, error)` -- [ ] `ListDelegations(ctx) ([]DelegationResult, error)` -- [ ] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)` -- [ ] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)` -- [ ] `CreateInvocation(ctx, params) (*InvocationResult, error)` -- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)` -- [ ] `RevokeUCAN(ctx, cid) error` -- [ ] `IsUCANRevoked(ctx, cid) (bool, error)` -- [ ] `CleanExpiredUCANs(ctx) error` +- [x] `StoreDelegation(ctx, params) (*DelegationResult, error)` +- [x] `ListDelegations(ctx) ([]DelegationResult, error)` +- [x] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)` +- [x] `GetDelegationEnvelope(ctx, cid) ([]byte, error)` +- [x] `ListDelegationsByIssuer(ctx, issuer) ([]DelegationResult, error)` +- [x] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)` +- [x] `ListDelegationsForCommand(ctx, cmd) ([]DelegationResult, error)` +- [x] `StoreInvocation(ctx, params) (*InvocationResult, error)` +- [x] `GetInvocationByCID(ctx, cid) (*InvocationResult, error)` +- [x] `GetInvocationEnvelope(ctx, cid) ([]byte, error)` +- [x] `ListInvocations(ctx, limit) ([]InvocationResult, error)` +- [x] `ListInvocationsByCommand(ctx, cmd, limit) ([]InvocationResult, error)` +- [x] `ListPendingInvocations(ctx) ([]InvocationResult, error)` +- [x] `MarkInvocationExecuted(ctx, cid, resultCID) error` +- [x] `RevokeDelegation(ctx, params) error` +- [x] `IsDelegationRevoked(ctx, cid) (bool, error)` +- [x] `DeleteDelegation(ctx, cid) error` +- [x] `CleanExpiredDelegations(ctx) error` +- [x] `CleanOldInvocations(ctx) error` +- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)` - Requires delegation.Loader ### 4.3 Verification Method Actions @@ -323,10 +355,11 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar ### 6.1 Extend `exec` Resource Handlers - [ ] Add `key_shares` resource handler -- [ ] Add `delegations` resource handler (v1.0.0-rc.1) +- [x] Add `ucans` resource handler (v1.0.0-rc.1 delegations) +- [x] Add `delegations` resource handler (v1.0.0-rc.1) - [ ] Add `invocations` resource handler (v1.0.0-rc.1) -- [ ] Add `verification_methods` resource handler -- [ ] Add `services` resource handler +- [x] Add `verification_methods` resource handler +- [x] Add `services` resource handler - [ ] Add `sync_checkpoints` resource handler ### 6.2 Extend `generate` Function @@ -478,13 +511,13 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar ## Priority Order -1. **CRITICAL (Spec Compliance)** - ✅ Core Complete - - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ Core types, builders, policies done +1. **CRITICAL (Spec Compliance)** - ✅ Complete + - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ All core items complete - ~~Core data structures (1.1)~~ ✅ Using go-ucan v1.1.0 - ~~Envelope format (1.2)~~ ✅ Handled by go-ucan - ~~Delegation operations (1.3)~~ ✅ DelegationBuilder complete - ~~Invocation operations (1.4)~~ ✅ InvocationBuilder complete - - Database integration (1.8) - Next priority + - ~~Database integration (1.8)~~ ✅ Schema, queries, and actions complete - MPC signing integration (1.9) - Next priority 2. **High Priority (Core Functionality)** @@ -492,11 +525,10 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar - Credential Creation (6.2, 4.7) - Key Share Actions (4.1) - Account Actions (4.6) - - UCAN Database Integration (1.8) + - Delegation Loader for go-ucan (1.6) 3. **Medium Priority (Authorization)** - - Delegation store (1.6) - - Revocation store (1.7) + - Revocation checker for go-ucan (1.7) - MPC Signing (1.9) - Encryption Strategy (2.1, 2.2) @@ -511,6 +543,41 @@ The following files implement UCAN v1.0.0-rc.1 using the official go-ucan librar ## Completed Items +### UCAN v1.0.0-rc.1 Database Integration (January 2025) + +Schema and action handlers for storing/querying UCAN delegations and invocations: + +- ✅ `internal/migrations/schema.sql` - v1.0.0-rc.1 tables + - `ucan_delegations` - CID-indexed delegation storage with envelope BLOB + - `ucan_invocations` - CID-indexed invocation storage with execution tracking + - `ucan_revocations` - Revocation records with reason and invocation CID + - Updated `grants` table to use `delegation_cid` instead of `ucan_id` + +- ✅ `internal/migrations/query.sql` - CID-based queries + - Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command + - Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed + - Revocation: Create, Check revoked, Get revocation, List by revoker + +- ✅ `internal/keybase/actions_delegation.go` - Delegation action handlers + - StoreDelegation, GetDelegationByCID, GetDelegationEnvelope + - ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience + - ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation + - DeleteDelegation, CleanExpiredDelegations + +- ✅ `internal/keybase/actions_invocation.go` - Invocation action handlers + - StoreInvocation, GetInvocationByCID, GetInvocationEnvelope + - ListInvocations, ListInvocationsByCommand, ListPendingInvocations + - MarkInvocationExecuted, CleanOldInvocations + +- ✅ `main.go` - Updated exec handlers for v1.0.0-rc.1 + - `executeUCANAction` uses delegation methods (list, get, revoke, verify, cleanup) + - `executeDelegationAction` uses CID-based methods (list by issuer/audience/command) + - `validateUCAN` uses `IsDelegationRevoked` instead of old `IsUCANRevoked` + +- ✅ Deleted old action files + - `internal/keybase/actions_ucan.go` - Old JWT-based UCAN actions + - `internal/keybase/actions_delegation.go` - Old ID-based delegation actions + ### UCAN v1.0.0-rc.1 Core (January 2025) The following was completed using `github.com/ucan-wg/go-ucan v1.1.0`: