# Implementation TODO

Remaining tasks for the Nebula Key Enclave. See [AGENTS.md](./AGENTS.md) for architecture overview and [CHANGELOG.md](./CHANGELOG.md) for completed work.

---

## 1. UCAN v1.0.0-rc.1 Remaining Work

### 1.1 SQLite Functions for Policy & Validation

- [ ] `ucan_policy_match(policy_json, args_json)` - Evaluate policy against args
- [ ] `ucan_cmd_subsumes(parent_cmd, child_cmd)` - Check command hierarchy
- [ ] `ucan_chain_valid(invocation_cid)` - Recursive CTE proof chain validation
- [ ] `ucan_parse_envelope(envelope_blob)` - Extract fields from DAG-CBOR as JSON

### 1.2 SQLite Functions for UCAN Signing

- [ ] `ucan_sign(enclave_id, payload)` - Sign delegation/invocation payloads
- [ ] `ucan_seal(enclave_id, delegation_json)` - Build complete sealed envelope
- [ ] Integrate with go-ucan's `crypto.Signer` interface via SQLite bridge

### 1.3 Revocation Checker

- [ ] Implement revocation checking interface for go-ucan
- [ ] Integration with chain validation via `ExecutionAllowed()`

### 1.4 Testing

- [ ] Unit tests for builders (DelegationBuilder, InvocationBuilder)
- [ ] Interoperability tests against TypeScript implementation
- [ ] Test vectors from UCAN spec

---

## 2. Remaining Actions

### 2.1 Sync Checkpoint Actions

- [ ] `GetSyncCheckpoint(ctx, resourceType)`
- [ ] `UpsertSyncCheckpoint(ctx, params)`
- [ ] `ListSyncCheckpoints(ctx)`

### 2.2 Invocation Validation

- [ ] `ValidateInvocation(ctx, invocation)` - Requires delegation.Loader

---

## 3. Plugin Extensions

### 3.1 Exec Handlers

- [ ] Add `invocations` resource handler
- [ ] Add `sync_checkpoints` resource handler

### 3.2 Generate Function

- [ ] Parse WebAuthn credential properly (CBOR/COSE format)
- [ ] Extract public key from credential
- [ ] Create initial verification method
- [ ] Create initial credential record

### 3.3 SQLite Functions

- [ ] `enclave_sign(enclave_id, data)` - Sign in queries
- [ ] Dedicated `sign` wasmexport function

---

## 4. Capability Delegation (v1.0.0-rc.1)

SQLite triggers and views for real-time delegation validation.

### 4.1 Schema Enhancements

- [ ] `delegation_depth` generated column using recursive CTE
- [ ] CHECK constraint for max depth (e.g., 10 levels)
- [ ] `valid_delegations` view joining chain validation
- [ ] `is_expired` / `is_active` generated columns
- [ ] Partial index on `is_active = 1`

### 4.2 Policy Functions

- [ ] `ucan_policy_subsumes(parent_pol, child_pol)` - Check attenuation
- [ ] `ucan_cmd_covers(parent_cmd, child_cmd)` - Command hierarchy
- [ ] Trigger `BEFORE INSERT ON ucan_delegations` to validate attenuation

---

## 5. DID State Sync

- [ ] Create `internal/enclave/sync.go` - DID state sync logic
- [ ] Checkpoint tracking (block height, tx hash)
- [ ] Fetch DID document updates from chain
- [ ] Handle reorgs and rollbacks

---

## 6. TypeScript SDK

### 6.1 Core SDK (Partial - Basic wrappers exist)

- [ ] Full type definitions for all responses
- [ ] Error handling improvements
- [ ] Documentation and examples

### 6.2 UCAN SDK

- [ ] Delegation/Invocation builders
- [ ] Policy builder helpers
- [ ] DAG-CBOR encoding/decoding
- [ ] CID computation

### 6.3 WebAuthn Integration

- [ ] Helper for credential creation
- [ ] PRF extension output helper

---

## 7. Testing

- [ ] Unit tests for ActionManager methods
- [ ] Serialization roundtrip tests
- [ ] UCAN policy evaluation tests
- [ ] Integration tests (generate -> load -> exec)
- [ ] Go <-> TypeScript interoperability

---

## 8. Security Hardening

- [ ] JSON schema validation
- [ ] DID format validation
- [ ] Constant-time comparison for sensitive data
- [ ] Session validation before sensitive ops
- [ ] Grant scope checking

---

## Priority Order

1. **High Priority (SQLite Functions)**
   - `ucan_sign()` / `ucan_seal()` for UCAN signing
   - `ucan_parse_envelope()` for JSON extraction
   - `ucan_chain_valid()` for proof validation
   - `enclave_sign()` for general signing
   - `invocations` exec handler

2. **Medium Priority (SQLite Automation)**
   - Generated columns for delegation status
   - Policy evaluation functions
   - Delegation depth constraints

3. **Lower Priority (Enhancement)**
   - TypeScript SDK completion
   - DID State Sync
   - Testing
   - Security Hardening

---

See [CHANGELOG.md](./CHANGELOG.md) for completed items and version history.