From c1e7d772a18bdffc2b0c6f0e742e993891a10ecf Mon Sep 17 00:00:00 2001 From: Prad Nukala Date: Thu, 8 Jan 2026 15:25:54 -0500 Subject: [PATCH] docs(todo): update migration tasks and references --- TODO.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/TODO.md b/TODO.md index ed5d4d2..bfc8b93 100644 --- a/TODO.md +++ b/TODO.md @@ -36,6 +36,7 @@ The following files use the **old JWT-based format** and must be rewritten: ### Reference Implementation (Already Compliant) These files are already aligned with v1.0.0-rc.1: + - `src/ucan.ts` - TypeScript types with envelope format - `internal/codec/ucan-schemas.json` - JSON Schema definitions @@ -164,17 +165,20 @@ These files are already aligned with v1.0.0-rc.1: > Reference: MIGRATION.md lines 770-814 ### 2.1 WebAuthn PRF Key Derivation + - [ ] Implement `DeriveEncryptionKey(prfOutput []byte) ([]byte, error)` - [ ] Use HKDF with SHA-256 to derive 256-bit encryption key - [ ] Salt with `"nebula-enclave-v1"` as info parameter ### 2.2 Database Encryption + - [ ] Implement application-level AES-GCM encryption for serialized pages - [ ] Add encryption wrapper around `Serialize()` output - [ ] Add decryption wrapper for `Load()` input - [ ] Store encryption metadata (IV, auth tag) with serialized data ### 2.3 Encrypted Database Wrapper + - [ ] Create `internal/enclave/enclave.go` - Encrypted database wrapper - [ ] Create `internal/enclave/crypto.go` - WebAuthn PRF key derivation - [ ] Integrate with existing `internal/keybase` package @@ -186,12 +190,14 @@ These files are already aligned with v1.0.0-rc.1: > Current implementation in `conn.go:exportDump()` only outputs comments ### 3.1 Proper Serialization + - [ ] Implement full row export with proper SQL INSERT statements - [ ] Handle JSON columns correctly (escape special characters) - [ ] Include table creation order for foreign key constraints - [ ] Add version header for migration compatibility ### 3.2 Proper Deserialization + - [ ] Parse serialized SQL dump in `Load()` - [ ] Execute INSERT statements to restore data - [ ] Validate data integrity after restore @@ -204,6 +210,7 @@ These files are already aligned with v1.0.0-rc.1: > Reference: `internal/keybase/actions.go` ### 4.1 Key Share Actions + - [ ] `CreateKeyShare(ctx, params) (*KeyShareResult, error)` - [ ] `ListKeyShares(ctx) ([]KeyShareResult, error)` - [ ] `GetKeyShareByID(ctx, shareID) (*KeyShareResult, error)` @@ -213,6 +220,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `DeleteKeyShare(ctx, shareID) error` ### 4.2 UCAN Token Actions (v1.0.0-rc.1) + - [ ] `CreateDelegation(ctx, params) (*DelegationResult, error)` - [ ] `ListDelegations(ctx) ([]DelegationResult, error)` - [ ] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)` @@ -224,12 +232,14 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `CleanExpiredUCANs(ctx) error` ### 4.3 Verification Method Actions + - [ ] `CreateVerificationMethod(ctx, params) (*VerificationMethodResult, error)` - [ ] `ListVerificationMethods(ctx) ([]VerificationMethodResult, error)` - [ ] `GetVerificationMethod(ctx, methodID) (*VerificationMethodResult, error)` - [ ] `DeleteVerificationMethod(ctx, methodID) error` ### 4.4 Service Actions + - [ ] `CreateService(ctx, params) (*ServiceResult, error)` - [ ] `GetServiceByOrigin(ctx, origin) (*ServiceResult, error)` - [ ] `GetServiceByID(ctx, serviceID) (*ServiceResult, error)` @@ -237,6 +247,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `ListVerifiedServices(ctx) ([]ServiceResult, error)` ### 4.5 Grant Actions (Extend Existing) + - [ ] `CreateGrant(ctx, params) (*GrantResult, error)` - [ ] `GetGrantByService(ctx, serviceID) (*GrantResult, error)` - [ ] `UpdateGrantScopes(ctx, grantID, scopes, accounts) error` @@ -246,6 +257,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `CountActiveGrants(ctx) (int64, error)` ### 4.6 Account Actions (Extend Existing) + - [ ] `CreateAccount(ctx, params) (*AccountResult, error)` - [ ] `ListAccountsByChain(ctx, chainID) ([]AccountResult, error)` - [ ] `GetDefaultAccount(ctx, chainID) (*AccountResult, error)` @@ -254,6 +266,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `DeleteAccount(ctx, accountID) error` ### 4.7 Credential Actions (Extend Existing) + - [ ] `CreateCredential(ctx, params) (*CredentialResult, error)` - [ ] `UpdateCredentialCounter(ctx, credentialID, signCount) error` - [ ] `RenameCredential(ctx, credentialID, name) error` @@ -261,6 +274,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `CountCredentialsByDID(ctx) (int64, error)` ### 4.8 Session Actions (Extend Existing) + - [ ] `GetSessionByID(ctx, sessionID) (*SessionResult, error)` - [ ] `GetCurrentSession(ctx) (*SessionResult, error)` - [ ] `UpdateSessionActivity(ctx, sessionID) error` @@ -268,6 +282,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] `DeleteExpiredSessions(ctx) error` ### 4.9 Sync Checkpoint Actions + - [ ] `GetSyncCheckpoint(ctx, resourceType) (*SyncCheckpointResult, error)` - [ ] `UpsertSyncCheckpoint(ctx, params) error` - [ ] `ListSyncCheckpoints(ctx) ([]SyncCheckpointResult, error)` @@ -279,18 +294,21 @@ These files are already aligned with v1.0.0-rc.1: > Reference: MIGRATION.md lines 823-824 ### 5.1 Key Share Storage + - [ ] Parse key share data from MPC protocol - [ ] Encrypt share data before storage - [ ] Store public key and chain code - [ ] Track party index and threshold ### 5.2 Account Derivation + - [ ] Implement BIP44 derivation path parsing - [ ] Derive addresses from public keys - [ ] Support multiple chains (Cosmos 118, Ethereum 60) - [ ] Generate proper address encoding per chain ### 5.3 Key Rotation + - [ ] Implement key rotation workflow - [ ] Archive old shares - [ ] Update status transitions @@ -365,6 +383,7 @@ These files are already aligned with v1.0.0-rc.1: - [ ] Track last processed transaction hash ### 8.2 Sync Operations + - [ ] Fetch DID document updates from chain - [ ] Validate on-chain document hash - [ ] Update local state on changes @@ -498,6 +517,7 @@ The following items from the previous TODO have been removed as they reference t - ~~Section 3.3 "Delegation Actions" - Old delegation model~~ -> Merged into Section 1 and 4.2 The old capability model (`Attenuation`, `Resource`, `Capability` interfaces) is replaced by: + - `sub` (DID) - Subject of the capability - `cmd` (Command) - Action being delegated - `pol` (Policy) - Constraints on invocation arguments