# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

- SQLite custom functions for BIP44 derivation
  - `bip44_derive(pubkey_hex, chain)` - Derive address from any public key
  - `bip44_derive_from_enclave(enclave_id, chain)` - Derive from stored enclave
  - Supports: `sonr` (Cosmos 118), `ethereum` (60), `bitcoin` (0)
- MPC signing via exec handlers
  - `accounts sign` - Sign with account's enclave
  - `enclaves sign` - Sign directly with enclave
- Multi-chain account initialization in `generate()`
  - Creates accounts for sonr, ethereum, and bitcoin on enclave creation

### Changed

- `generate()` now returns `enclave_id`, `public_key`, and `accounts` array
- `internal/crypto/mpc/verify.go` simplified to use stdlib instead of external curves package

### Removed

- `internal/enclave/` package (unused encryption layer)
- `internal/crypto/mpc/utils.go` (dead code)

---

## [0.1.0] - 2025-01

### Added

#### Encryption & Serialization

- `internal/enclave/crypto.go` - WebAuthn PRF key derivation
  - `DeriveEncryptionKey()` using HKDF with SHA-256
  - `DeriveKeyWithContext()` for purpose-specific keys
  - AES-256-GCM encryption/decryption (`Encrypt`, `Decrypt`)
  - `EncryptBytes()` / `DecryptBytes()` convenience functions
  - `SecureZero()` for memory clearing
- `internal/enclave/enclave.go` - Encrypted database wrapper
  - `Enclave` struct wrapping `Keybase` with encryption
  - `SerializeEncrypted()` / `LoadEncrypted()` methods
  - `Export()` / `Import()` with `EncryptedBundle`
  - `FromExisting()` to wrap existing keybase
- `internal/keybase/conn.go` - Native SQLite serialization
  - `Serialize()` using `serdes.Serialize()` from ncruces/go-sqlite3
  - `Load()` using `serdes.Deserialize()`
  - `RestoreFromDump()` for encrypted bundle loading

#### Action Manager Extensions

- `internal/keybase/actions_verification.go`
  - CreateVerificationMethod, ListVerificationMethodsFull
  - GetVerificationMethod, DeleteVerificationMethod
- `internal/keybase/actions_service.go`
  - CreateService, GetServiceByOrigin, GetServiceByID
  - UpdateService, ListVerifiedServices
- `internal/keybase/actions_grant.go`
  - CreateGrant, GetGrantByService, UpdateGrantScopes
  - UpdateGrantLastUsed, SuspendGrant, ReactivateGrant, CountActiveGrants
- `internal/keybase/actions_credential.go`
  - CreateCredential, UpdateCredentialCounter, RenameCredential
  - DeleteCredential, CountCredentialsByDID
- `internal/keybase/actions_session.go`
  - GetSessionByID, GetCurrentSession, UpdateSessionActivity
  - SetCurrentSession, DeleteExpiredSessions

#### Plugin Exec Handlers

- `key_shares` resource - list, get, rotate, archive, delete
- `verification_methods` resource - list, get, delete
- `services` resource - list, get, get_by_id

#### UCAN v1.0.0-rc.1 Database Integration

- `internal/migrations/schema.sql` - v1.0.0-rc.1 tables
  - `ucan_delegations` - CID-indexed delegation storage with envelope BLOB
  - `ucan_invocations` - CID-indexed invocation storage with execution tracking
  - `ucan_revocations` - Revocation records with reason and invocation CID
  - Updated `grants` table to use `delegation_cid` instead of `ucan_id`
- `internal/migrations/query.sql` - CID-based queries
  - Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
  - Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
  - Revocation: Create, Check revoked, Get revocation, List by revoker
- `internal/keybase/actions_delegation.go` - Delegation action handlers
  - StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
  - ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
  - ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
  - DeleteDelegation, CleanExpiredDelegations
- `internal/keybase/actions_invocation.go` - Invocation action handlers
  - StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
  - ListInvocations, ListInvocationsByCommand, ListPendingInvocations
  - MarkInvocationExecuted, CleanOldInvocations
- `main.go` - Updated exec handlers for v1.0.0-rc.1
  - `executeUCANAction` uses delegation methods (list, get, revoke, verify, cleanup)
  - `executeDelegationAction` uses CID-based methods (list by issuer/audience/command)
  - `validateUCAN` uses `IsDelegationRevoked` instead of old `IsUCANRevoked`

#### UCAN v1.0.0-rc.1 Core

Using `github.com/ucan-wg/go-ucan v1.1.0`:

- Type re-exports from go-ucan (Delegation, Invocation, Command, Policy)
- Sonr command constants (/vault/*, /did/*, /dwn/*)
- DelegationBuilder fluent API with Sonr-specific helpers
- InvocationBuilder fluent API with Sonr-specific helpers
- PolicyBuilder fluent API with all operators
- Sonr policy helpers (VaultPolicy, DIDPolicy, ChainPolicy)
- ValidationError types matching TypeScript definitions
- Capability, ExecutionResult, and related types

### Removed

#### Deprecated JWT-based UCAN

- `jwt.go` - Old JWT token handling
- `capability.go` - Old Attenuation/Resource/Capability model
- `verifier.go` - Old JWT verification
- `source.go` - Old JWT token creation
- `internal/crypto/mpc/spec/` - Old MPC JWT integration
- `github.com/golang-jwt/jwt/v5` dependency
- Old action files:
  - `internal/keybase/actions_ucan.go` - Old JWT-based UCAN actions
  - `internal/keybase/actions_delegation.go` - Old ID-based delegation actions

### Deprecated

The following from the old TODO have been superseded by UCAN v1.0.0-rc.1:

- "Token Validation" (JWT parsing) -> Replaced by go-ucan validation
- "Capability Verification" (`can`/`with` format) -> Replaced by policy evaluation
- "Proof Chain Validation" (JWT proof strings) -> Replaced by CID-based chain
- "UCAN Token Actions" (old format) -> Replaced by v1.0.0-rc.1 actions
- "Delegation Actions" (old model) -> Merged into CID-based actions

The old capability model (`Attenuation`, `Resource`, `Capability` interfaces) is replaced by:

- `sub` (DID) - Subject of the capability
- `cmd` (Command) - Action being delegated
- `pol` (Policy) - Constraints on invocation arguments
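The 0.1.0 entry for `internal/enclave/crypto.go` lists HKDF-SHA256 derivation with a purpose context, AES-256-GCM sealing and `SecureZero`, and the Unreleased section removes that package as unused. The following is an added, self-contained Go illustration of that key-derivation and sealing pattern; it is not the project's code. The salt constant `enclaveSalt`, the `sonr-enclave:` info prefix, the use of an `enclave_id` string as associated data and the nonce-prefixed blob layout are assumptions made for the example, and HKDF is written out inline from RFC 5869 so nothing outside the Go standard library is needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// enclaveSalt is a hypothetical fixed, non-secret HKDF salt (an assumption of
// this example; the changelog does not say what the project uses). A constant
// domain label is reasonable because the PRF output already carries the entropy.
var enclaveSalt = []byte("enclave-hkdf-v1")

// hkdfExtract is RFC 5869 HKDF-Extract with HMAC-SHA256.
func hkdfExtract(salt, ikm []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869 default: HashLen zero bytes
	}
	mac := hmac.New(sha256.New, salt)
	mac.Write(ikm)
	return mac.Sum(nil)
}

// hkdfExpand is RFC 5869 HKDF-Expand; info binds the output key to a purpose.
func hkdfExpand(prk, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("hkdf: invalid output length")
	}
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev) // T(i-1), empty for the first block
		mac.Write(info)
		mac.Write([]byte{counter})
		prev = mac.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length], nil
}

// DeriveKeyWithContext maps a 32-byte WebAuthn PRF output to a 256-bit AES key
// bound to a purpose string. Different contexts yield unrelated keys from the
// same PRF secret, so a key derived for "db-export" cannot open data sealed
// under "db-serialize".
func DeriveKeyWithContext(prfOutput []byte, context string) ([]byte, error) {
	if len(prfOutput) < 32 {
		return nil, errors.New("prf output too short for a 256-bit key")
	}
	prk := hkdfExtract(enclaveSalt, prfOutput)
	return hkdfExpand(prk, []byte("sonr-enclave:"+context), 32)
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random 12-byte nonce is
// prepended to the ciphertext. aad (for example the enclave_id) is
// authenticated but not encrypted, so a blob cannot be silently re-bound to
// another enclave.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails closed on any tag mismatch, wrong key,
// wrong aad or truncated input.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SecureZero overwrites key material once it is no longer needed. Go gives no
// hard guarantee that the compiler keeps these stores, so treat this as
// best-effort hygiene rather than a security boundary.
func SecureZero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	// Constructed sample PRF output; a real one comes from the WebAuthn PRF extension.
	prf := bytes.Repeat([]byte{0x42}, 32)
	key, err := DeriveKeyWithContext(prf, "db-serialize")
	if err != nil {
		panic(err)
	}
	defer SecureZero(key)
	aad := []byte("enclave_id=example")
	blob, err := Encrypt(key, []byte("sqlite dump bytes"), aad)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, blob, aad)
	fmt.Printf("round trip ok=%v plaintext=%q\n", err == nil, plain)
	blob[len(blob)-1] ^= 0x01 // flip one ciphertext bit: the tag must reject it
	_, err = Decrypt(key, blob, aad)
	fmt.Println("tampered blob rejected:", err != nil)
	fmt.Println("key fingerprint:", hex.EncodeToString(key[:4]))
}
```

The design point worth keeping from this layout is that the context string goes into HKDF's `info`, not the salt: the salt can stay public and constant, while each purpose gets its own independent key, and the associated data ties a sealed blob to the enclave it belongs to.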
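The `sub`/`cmd`/`pol` model above replaces string `can`/`with` matching with two separate checks: command attenuation (a delegate may only narrow the command path it was given) and policy evaluation over the invocation arguments. As an added example, not go-ucan and not this project's `PolicyBuilder` or `validateUCAN`, the Go below performs both checks on JSON as it would sit in a stored envelope. It covers only a subset of the rc.1 policy language (the comparison operators, `and`, `or`, `not`, and top-level `.field` selectors; `like`, `all`, `any` and nested selectors are left out), and the `Authorize` helper, the `/vault` and `/did` commands and the sample arguments are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// CommandCovers reports whether a proof's command permits the narrower command
// being delegated or invoked. Commands are path-like and may only be
// attenuated, never widened: "/" covers everything, "/vault" covers
// "/vault/sign", and "/vault" does not cover "/vaultx".
func CommandCovers(proof, requested string) bool {
	if !strings.HasPrefix(proof, "/") || !strings.HasPrefix(requested, "/") {
		return false
	}
	p := strings.TrimSuffix(proof, "/")
	r := strings.TrimSuffix(requested, "/")
	return p == "" || r == p || strings.HasPrefix(r, p+"/")
}

// Policy is the decoded JSON form of a `pol` field: a list of statements that
// must all hold against the invocation arguments.
type Policy []any

// Evaluate returns true only if every statement in the policy holds.
func Evaluate(pol Policy, args map[string]any) (bool, error) {
	for _, stmt := range pol {
		ok, err := evalStmt(stmt, args)
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

func evalStmt(stmt any, args map[string]any) (bool, error) {
	s, ok := stmt.([]any)
	if !ok || len(s) < 2 {
		return false, errors.New("policy: malformed statement")
	}
	op, _ := s[0].(string)
	switch op {
	case "and", "or":
		subs, ok := s[1].([]any)
		if !ok {
			return false, fmt.Errorf("policy: %s expects a statement list", op)
		}
		for _, sub := range subs {
			r, err := evalStmt(sub, args)
			if err != nil {
				return false, err
			}
			if op == "and" && !r {
				return false, nil
			}
			if op == "or" && r {
				return true, nil
			}
		}
		return op == "and", nil // empty "and" holds, empty "or" does not
	case "not":
		r, err := evalStmt(s[1], args)
		if err != nil {
			return false, err
		}
		return !r, nil
	case "==", "!=", ">", ">=", "<", "<=":
		if len(s) != 3 {
			return false, fmt.Errorf("policy: %s expects [op, selector, value]", op)
		}
		sel, _ := s[1].(string)
		actual, found := selectArg(sel, args)
		if !found {
			return false, nil // missing argument: fail closed, do not error
		}
		return compare(op, actual, s[2])
	}
	return false, fmt.Errorf("policy: unsupported operator %q", op)
}

// selectArg resolves "." (all arguments) or ".field" (one top-level key).
func selectArg(sel string, args map[string]any) (any, bool) {
	if !strings.HasPrefix(sel, ".") {
		return nil, false
	}
	if sel == "." {
		return args, true
	}
	v, ok := args[sel[1:]]
	return v, ok
}

func compare(op string, actual, want any) (bool, error) {
	switch op {
	case "==":
		return reflect.DeepEqual(actual, want), nil
	case "!=":
		return !reflect.DeepEqual(actual, want), nil
	}
	a, aok := actual.(float64) // encoding/json decodes every number as float64
	w, wok := want.(float64)
	if !aok || !wok {
		return false, fmt.Errorf("policy: %s needs numeric operands", op)
	}
	switch op {
	case ">":
		return a > w, nil
	case ">=":
		return a >= w, nil
	case "<":
		return a < w, nil
	}
	return a <= w, nil
}

// Authorize applies both checks to one invocation: the requested command must
// sit under the delegation's command, and the delegation's policy must accept
// the invocation arguments. A false result with a nil error is a clean denial;
// a non-nil error means the policy itself is malformed and must not be trusted.
func Authorize(delegatedCmd, policyJSON, requestedCmd, argsJSON string) (bool, error) {
	if !CommandCovers(delegatedCmd, requestedCmd) {
		return false, nil
	}
	var pol Policy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return false, err
	}
	var args map[string]any
	if err := json.Unmarshal([]byte(argsJSON), &args); err != nil {
		return false, err
	}
	return Evaluate(pol, args)
}

func main() {
	// Constructed delegation: /vault commands on the ethereum chain, amount <= 100.
	pol := `[["==", ".chain", "ethereum"], ["<=", ".amount", 100]]`
	for _, tc := range []struct{ cmd, args string }{
		{"/vault/sign", `{"chain":"ethereum","amount":50}`},
		{"/vault/sign", `{"chain":"ethereum","amount":500}`},
		{"/vault/sign", `{"chain":"bitcoin","amount":1}`},
		{"/did/update", `{"chain":"ethereum","amount":1}`},
	} {
		ok, err := Authorize("/vault", pol, tc.cmd, tc.args)
		fmt.Printf("%-12s %-40s allowed=%v err=%v\n", tc.cmd, tc.args, ok, err)
	}
}
```

Two behaviours are deliberate here and worth preserving in any real implementation: a selector that does not resolve makes the statement false rather than skipping it, and an operator the evaluator does not understand is an error rather than a pass, so an unexpected policy can never widen access.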