# Implementation TODO

Remaining tasks from [MIGRATION.md](./MIGRATION.md) for the Nebula Key Enclave.

## Status Summary

| Category | Status | Notes |
|----------|--------|-------|
| Schema (10 tables) | Complete | `internal/migrations/schema.sql` - Updated for v1.0.0-rc.1 |
| SQLC Queries | Complete | `internal/migrations/query.sql` - CID-based queries added |
| Generated Code | Complete | `internal/keybase/*.go` |
| Basic Plugin Functions | Complete | `generate`, `load`, `exec`, `query`, `ping` |
| Encryption | Not Started | WebAuthn PRF key derivation needed |
| **UCAN v1.0.0-rc.1** | **Complete** | Core types, builders, policies, DB actions all complete |
| UCAN DB Actions | Complete | `actions_delegation.go`, `actions_invocation.go` |
| MPC Key Shares | Partial | Share storage and rotation actions done (4.1, 5.1, 5.3); share encryption and MPC signing missing |
| Database Serialization | Incomplete | Export dumps comments only |

---

## 1. UCAN v1.0.0-rc.1 Migration (CRITICAL PRIORITY)

> **Status**: Core implementation complete using `github.com/ucan-wg/go-ucan v1.1.0`. Deprecated JWT-based files deleted. Remaining work is the delegation loader and revocation checker for go-ucan (1.6, 1.7), MPC signing (1.9), and tests (1.10).
### Completed Implementation

The following files implement UCAN v1.0.0-rc.1 using the official go-ucan library:

| File | Status | Description |
|------|--------|-------------|
| `ucan.go` | ✅ Complete | Type re-exports, Sonr commands, pre-parsed constants |
| `policy.go` | ✅ Complete | PolicyBuilder fluent API, Sonr-specific policy helpers |
| `delegation.go` | ✅ Complete | DelegationBuilder fluent API, Sonr delegation helpers |
| `invocation.go` | ✅ Complete | InvocationBuilder fluent API, Sonr invocation helpers |
| `types.go` | ✅ Complete | ValidationError, Capability, ExecutionResult, Sonr types |

### Dependencies Added

- `github.com/ucan-wg/go-ucan v1.1.0` - Official UCAN library
- `github.com/ipld/go-ipld-prime v0.21.0` - IPLD encoding
- `github.com/MetaMask/go-did-it v1.0.0-pre1` - DID handling (indirect)
- `github.com/ipfs/go-cid v0.5.0` - Content addressing (indirect)

### Deleted (Deprecated JWT-based)

- ~~`jwt.go`~~ - Removed
- ~~`capability.go`~~ - Removed
- ~~`verifier.go`~~ - Removed
- ~~`source.go`~~ - Removed
- ~~`internal/crypto/mpc/spec/`~~ - Entire directory removed

### 1.1 Core Data Structures

- [x] Create `internal/crypto/ucan/types.go` - v1.0.0-rc.1 types
  - [x] Re-export `Delegation` and `Invocation` from go-ucan
  - [x] `Task` struct (sub, cmd, args, nonce)
  - [x] `ReceiptPayload` struct (iss, ran, out, fx, meta, iat)
  - [x] `RevocationPayload` struct
  - [x] `ValidationError` with error codes matching TypeScript
  - [x] `Capability` struct (sub, cmd, pol)
  - [x] `ExecutionResult[T, E]` generic type
  - [x] Sonr-specific types: `VaultCapability`, `DIDCapability`, `DWNCapability`
- [x] Create `internal/crypto/ucan/policy.go` - Policy Language
  - [x] `PolicyBuilder` fluent API with all operators
  - [x] `Equal`, `NotEqual` - equality statements
  - [x] `GreaterThan`, `LessThan`, etc. - inequality statements
  - [x] `Like` - glob pattern matching
  - [x] `Not`, `And`, `Or` - logical connectives
  - [x] `All`, `Any` - quantifiers
  - [x] Sonr helpers: `VaultPolicy`, `DIDPolicy`, `ChainPolicy`, `AccountPolicy`
- [x] Create `internal/crypto/ucan/ucan.go` - Command types
  - [x] `Command` type re-exported from go-ucan
  - [x] Sonr commands: `/vault/*`, `/did/*`, `/dwn/*`, `/ucan/revoke`
  - [x] Pre-parsed command constants: `VaultRead`, `VaultWrite`, `DIDUpdate`, etc.
  - [x] `CommandSubsumes()` helper using go-ucan's `Covers()` method

### 1.2 Envelope Format & Encoding

- [x] Envelope handling via go-ucan library
  - [x] `ToSealed()` method produces DAG-CBOR bytes + CID
  - [x] `ToDagCbor()`, `ToDagJson()` encoding methods
  - [x] CID computation handled by go-ucan
- [x] Varsig support via go-ucan library
  - [x] Ed25519, P-256, secp256k1 via `go-did-it/crypto`

### 1.3 Delegation Operations

- [x] Create `internal/crypto/ucan/delegation.go` - Delegation creation/validation
  - [x] `DelegationBuilder` fluent API
  - [x] `NewDelegation`, `NewRootDelegation`, `NewPowerlineDelegation` re-exports
  - [x] `BuildSealed(privKey)` for signing
  - [x] Sonr helpers: `NewVaultDelegation`, `NewDIDDelegation`, `NewDWNDelegation`
  - [x] Temporal options: `ExpiresAt`, `ExpiresIn`, `NotBefore`, `NotBeforeIn`

### 1.4 Invocation Operations

- [x] Create `internal/crypto/ucan/invocation.go` - Invocation creation/validation
  - [x] `InvocationBuilder` fluent API
  - [x] `NewInvocation` re-export
  - [x] `BuildSealed(privKey)` for signing
  - [x] Proof chain management: `Proof()`, `Proofs()`
  - [x] Sonr helpers: `VaultReadInvocation`, `VaultSignInvocation`, `DIDUpdateInvocation`

### 1.5 Policy Evaluation Engine

> Note: go-ucan provides `ExecutionAllowed()` on invocations, which validates proofs and evaluates policies.
- [x] Policy evaluation via go-ucan's `invocation.ExecutionAllowed(loader)`
- [ ] Create `internal/crypto/ucan/eval.go` - Additional evaluation helpers (if needed)
  - [ ] Custom selector resolution for Sonr-specific args
  - [ ] Caching layer for repeated evaluations

### 1.6 Proof Chain Validation

> Note: go-ucan handles chain validation internally via `ExecutionAllowed()`.

- [x] Chain validation via go-ucan library
- [x] Delegation storage in SQLite via `actions_delegation.go`
  - [x] `GetDelegationByCID`, `GetDelegationEnvelope` methods
  - [x] `ListDelegations*` methods for chain traversal
- [ ] Create `internal/crypto/ucan/store.go` - Delegation loader for go-ucan
  - [ ] Implement `delegation.Loader` interface wrapping keybase actions
  - [ ] `GetDelegation(cid.Cid) (*delegation.Token, error)`
  - [ ] Cache loaded delegations for performance

### 1.7 Revocation

- [x] `RevocationInvocation()` helper in `invocation.go`
- [x] Revocation storage via `actions_delegation.go`
  - [x] `RevokeDelegation(ctx, params)` - Create revocation record
  - [x] `IsDelegationRevoked(ctx, cid) (bool, error)` - Query revocation status
- [ ] Create `internal/crypto/ucan/revocation.go` - Revocation checker for go-ucan
  - [ ] Implement revocation checking interface
  - [ ] Integration with chain validation via `ExecutionAllowed()`

### 1.8 Database Integration

- [x] Update `internal/migrations/schema.sql` for v1.0.0-rc.1
  - [x] `ucan_delegations` table (cid, envelope BLOB, iss, aud, sub, cmd, pol, nbf, exp, is_root, is_powerline)
  - [x] `ucan_invocations` table (cid, envelope BLOB, iss, sub, aud, cmd, prf, exp, iat, executed_at, result_cid)
  - [x] `ucan_revocations` table (delegation_cid, revoked_by, invocation_cid, reason)
  - [x] Indexes on iss, aud, sub, cmd for efficient queries
- [x] Update `internal/migrations/query.sql` for v1.0.0-rc.1
  - [x] `CreateDelegation`, `GetDelegationByCID`, `GetDelegationEnvelopeByCID`
  - [x] `ListDelegationsByDID`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`, `ListDelegationsBySubject`
  - [x] `ListDelegationsForCommand`, `ListRootDelegations`, `ListPowerlineDelegations`
  - [x] `CreateInvocation`, `GetInvocationByCID`, `GetInvocationEnvelopeByCID`
  - [x] `ListInvocationsByDID`, `ListInvocationsByIssuer`, `ListInvocationsForCommand`
  - [x] `MarkInvocationExecuted`, `ListPendingInvocations`
  - [x] `CreateRevocation`, `IsDelegationRevoked`, `GetRevocation`, `ListRevocationsByRevoker`
- [x] Create `internal/keybase/actions_delegation.go` - Delegation action handlers
  - [x] `StoreDelegation`, `GetDelegationByCID`, `GetDelegationEnvelope`
  - [x] `ListDelegations`, `ListDelegationsByIssuer`, `ListDelegationsByAudience`
  - [x] `ListDelegationsForCommand`, `IsDelegationRevoked`, `RevokeDelegation`
  - [x] `DeleteDelegation`, `CleanExpiredDelegations`
- [x] Create `internal/keybase/actions_invocation.go` - Invocation action handlers
  - [x] `StoreInvocation`, `GetInvocationByCID`, `GetInvocationEnvelope`
  - [x] `ListInvocations`, `ListInvocationsByCommand`, `ListPendingInvocations`
  - [x] `MarkInvocationExecuted`, `CleanOldInvocations`

### 1.9 MPC Signing Integration

- [ ] Create `internal/crypto/ucan/signer.go` - MPC key integration
  - [ ] Implement `crypto.PrivateKeySigningBytes` interface for MPC
  - [ ] Sign delegations with MPC key shares
  - [ ] Sign invocations with MPC key shares

### 1.10 Testing

- [ ] Unit tests for builders (DelegationBuilder, InvocationBuilder)
- [ ] Unit tests for policy helpers
- [ ] Unit tests for Sonr-specific invocations
- [ ] Interoperability tests against TypeScript implementation
- [ ] Test vectors from UCAN spec

---

## 2. Encryption Strategy

> Reference: MIGRATION.md lines 770-814

### 2.1 WebAuthn PRF Key Derivation

- [ ] Implement `DeriveEncryptionKey(prfOutput []byte) ([]byte, error)`
- [ ] Use HKDF with SHA-256 to derive a 256-bit encryption key
- [ ] Pass `"nebula-enclave-v1"` as the HKDF `info` (context) parameter for domain separation

### 2.2 Database Encryption

- [ ] Implement application-level AES-GCM encryption for serialized pages
- [ ] Add encryption wrapper around `Serialize()` output
- [ ] Add decryption wrapper for `Load()` input
- [ ] Store encryption metadata (nonce/IV, auth tag) with serialized data; the nonce must be fresh for every encryption under the same key

### 2.3 Encrypted Database Wrapper

- [ ] Create `internal/enclave/enclave.go` - Encrypted database wrapper
- [ ] Create `internal/enclave/crypto.go` - WebAuthn PRF key derivation
- [ ] Integrate with existing `internal/keybase` package

---

## 3. Database Serialization

> Current implementation in `conn.go:exportDump()` only outputs comments

### 3.1 Proper Serialization

- [ ] Implement full row export with proper SQL INSERT statements
- [ ] Handle JSON columns correctly (quote the value and escape embedded quotes so user-controlled text cannot break the statement)
- [ ] Include table creation order for foreign key constraints
- [ ] Add version header for migration compatibility

### 3.2 Proper Deserialization

- [ ] Parse serialized SQL dump in `Load()`
- [ ] Execute INSERT statements to restore data
- [ ] Validate data integrity after restore
- [ ] Handle schema version mismatches

---

## 4. Action Manager Extensions

> Reference: `internal/keybase/actions.go`

### 4.1 Key Share Actions

- [x] `CreateKeyShare(ctx, params) (*KeyShareResult, error)`
- [x] `ListKeyShares(ctx) ([]KeyShareResult, error)`
- [x] `GetKeyShareByID(ctx, shareID) (*KeyShareResult, error)`
- [x] `GetKeyShareByKeyID(ctx, keyID) (*KeyShareResult, error)`
- [x] `RotateKeyShare(ctx, shareID) error`
- [x] `ArchiveKeyShare(ctx, shareID) error`
- [x] `DeleteKeyShare(ctx, shareID) error`

### 4.2 UCAN Token Actions (v1.0.0-rc.1)

- [x] `StoreDelegation(ctx, params) (*DelegationResult, error)`
- [x] `ListDelegations(ctx) ([]DelegationResult, error)`
- [x] `GetDelegationByCID(ctx, cid) (*DelegationResult, error)`
- [x] `GetDelegationEnvelope(ctx, cid) ([]byte, error)`
- [x] `ListDelegationsByIssuer(ctx, issuer) ([]DelegationResult, error)`
- [x] `ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)`
- [x] `ListDelegationsForCommand(ctx, cmd) ([]DelegationResult, error)`
- [x] `StoreInvocation(ctx, params) (*InvocationResult, error)`
- [x] `GetInvocationByCID(ctx, cid) (*InvocationResult, error)`
- [x] `GetInvocationEnvelope(ctx, cid) ([]byte, error)`
- [x] `ListInvocations(ctx, limit) ([]InvocationResult, error)`
- [x] `ListInvocationsByCommand(ctx, cmd, limit) ([]InvocationResult, error)`
- [x] `ListPendingInvocations(ctx) ([]InvocationResult, error)`
- [x] `MarkInvocationExecuted(ctx, cid, resultCID) error`
- [x] `RevokeDelegation(ctx, params) error`
- [x] `IsDelegationRevoked(ctx, cid) (bool, error)`
- [x] `DeleteDelegation(ctx, cid) error`
- [x] `CleanExpiredDelegations(ctx) error`
- [x] `CleanOldInvocations(ctx) error`
- [ ] `ValidateInvocation(ctx, invocation) (*ValidationResult, error)` - Requires `delegation.Loader` (1.6)

### 4.3 Verification Method Actions

- [ ] `CreateVerificationMethod(ctx, params) (*VerificationMethodResult, error)`
- [ ] `ListVerificationMethods(ctx) ([]VerificationMethodResult, error)`
- [ ] `GetVerificationMethod(ctx, methodID) (*VerificationMethodResult, error)`
- [ ] `DeleteVerificationMethod(ctx, methodID) error`

### 4.4 Service Actions

- [ ] `CreateService(ctx, params) (*ServiceResult, error)`
- [ ] `GetServiceByOrigin(ctx, origin) (*ServiceResult, error)`
- [ ] `GetServiceByID(ctx, serviceID) (*ServiceResult, error)`
- [ ] `UpdateService(ctx, params) error`
- [ ] `ListVerifiedServices(ctx) ([]ServiceResult, error)`

### 4.5 Grant Actions (Extend Existing)

- [ ] `CreateGrant(ctx, params) (*GrantResult, error)`
- [ ] `GetGrantByService(ctx, serviceID) (*GrantResult, error)`
- [ ] `UpdateGrantScopes(ctx, grantID, scopes, accounts) error`
- [ ] `UpdateGrantLastUsed(ctx, grantID) error`
- [ ] `SuspendGrant(ctx, grantID) error`
- [ ] `ReactivateGrant(ctx, grantID) error`
- [ ] `CountActiveGrants(ctx) (int64, error)`

### 4.6 Account Actions (Extend Existing)

- [x] `CreateAccount(ctx, params) (*AccountResult, error)`
- [x] `ListAccountsByChain(ctx, chainID) ([]AccountResult, error)`
- [x] `GetDefaultAccount(ctx, chainID) (*AccountResult, error)`
- [x] `SetDefaultAccount(ctx, accountID, chainID) error`
- [x] `UpdateAccountLabel(ctx, accountID, label) error`
- [x] `DeleteAccount(ctx, accountID) error`

### 4.7 Credential Actions (Extend Existing)

- [ ] `CreateCredential(ctx, params) (*CredentialResult, error)`
- [ ] `UpdateCredentialCounter(ctx, credentialID, signCount) error`
- [ ] `RenameCredential(ctx, credentialID, name) error`
- [ ] `DeleteCredential(ctx, credentialID) error`
- [ ] `CountCredentialsByDID(ctx) (int64, error)`

### 4.8 Session Actions (Extend Existing)

- [ ] `GetSessionByID(ctx, sessionID) (*SessionResult, error)`
- [ ] `GetCurrentSession(ctx) (*SessionResult, error)`
- [ ] `UpdateSessionActivity(ctx, sessionID) error`
- [ ] `SetCurrentSession(ctx, sessionID) error`
- [ ] `DeleteExpiredSessions(ctx) error`

### 4.9 Sync Checkpoint Actions

- [ ] `GetSyncCheckpoint(ctx, resourceType) (*SyncCheckpointResult, error)`
- [ ] `UpsertSyncCheckpoint(ctx, params) error`
- [ ] `ListSyncCheckpoints(ctx) ([]SyncCheckpointResult, error)`

---

## 5. MPC Key Share Management

> Reference: MIGRATION.md lines 823-824

### 5.1 Key Share Storage

- [x] Parse key share data from MPC protocol - `KeyShareInput` in generate
- [x] Store public key and chain code - `CreateKeyShare` action
- [x] Track party index and threshold - stored in `key_shares` table
- [ ] Encrypt share data before storage - PRF key derivation needed (2.1)

### 5.2 Account Derivation

- [x] Basic address derivation from public key - `deriveCosmosAddress()`
- [x] Create initial account during generate - `createInitialAccount()`
- [ ] Implement BIP44 derivation path parsing
- [ ] Support multiple chains (BIP44 coin types: Cosmos 118, Ethereum 60)
- [ ] Generate proper bech32 address encoding per chain

### 5.3 Key Rotation

- [x] Implement key rotation workflow - `RotateKeyShare` action
- [x] Archive old shares - `ArchiveKeyShare` action
- [x] Status transitions - managed in database
- [ ] Handle rotation failures gracefully

---

## 6. Plugin Function Extensions

> Reference: `main.go`

### 6.1 Extend `exec` Resource Handlers

- [ ] Add `key_shares` resource handler
- [x] Add `ucans` resource handler (v1.0.0-rc.1 delegations)
- [x] Add `delegations` resource handler (v1.0.0-rc.1)
- [ ] Add `invocations` resource handler (v1.0.0-rc.1)
- [x] Add `verification_methods` resource handler
- [x] Add `services` resource handler
- [ ] Add `sync_checkpoints` resource handler

### 6.2 Extend `generate` Function

- [x] Accept optional MPC keyshare data in input
- [x] Create initial keyshare if provided
- [x] Create initial account from keyshare
- [ ] Parse WebAuthn credential properly (CBOR/COSE format)
- [ ] Extract public key from credential
- [ ] Create initial verification method
- [ ] Create initial credential record

### 6.3 Signing Function

- [ ] Implement `sign` wasmexport function
- [ ] Support signing with MPC key shares
- [ ] Return signature in appropriate format
- [ ] Log signing operations for audit

---

## 7. Capability Delegation (v1.0.0-rc.1)

> Reference: UCAN Delegation specification

### 7.1 Delegation Chain Management

- [ ] Enforce maximum delegation depth (prevent infinite chains)
- [ ] Validate delegator has capability to delegate (sub field)
- [ ] Ensure proper capability attenuation (cmd + pol)
- [ ] Track parent-child relationships via CID references

### 7.2 Policy Attenuation

- [ ] Child policy must be more restrictive than parent
- [ ] Implement policy subsumption checking
- [ ] Command hierarchy validation (`/crud/*`, i.e. the `/crud` prefix, subsumes `/crud/read`; `CommandSubsumes()` from 1.1 wraps go-ucan's `Covers()`)

### 7.3 Delegation Status

- [ ] Implement expiration checking
- [ ] Handle revocation cascades (revoke chain)
- [ ] Update status on expiry

---

## 8. DID State Sync

> Reference: MIGRATION.md line 827

### 8.1 Sync Infrastructure

- [ ] Create `internal/enclave/sync.go` - DID state sync logic
- [ ] Implement checkpoint tracking
- [ ] Store last synced block height
- [ ] Track last processed transaction hash

### 8.2 Sync Operations

- [ ] Fetch DID document updates from chain
- [ ] Validate on-chain document hash
- [ ] Update local state on changes
- [ ] Handle reorgs and rollbacks

---

## 9. TypeScript SDK

> Reference: README.md, `src/` directory

### 9.1 Core SDK

- [ ] Implement `createEnclave(wasmPath)` factory
- [ ] Implement `generate(credential)` wrapper
- [ ] Implement `load(database)` wrapper
- [ ] Implement `exec(filter, token?)` wrapper
- [ ] Implement `query(did?)` wrapper

### 9.2 UCAN SDK (v1.0.0-rc.1)

- [ ] Delegation builder using `src/ucan.ts` types
- [ ] Invocation builder
- [ ] Policy builder helpers
- [ ] Envelope encoding/decoding (DAG-CBOR)
- [ ] CID computation

### 9.3 WebAuthn Integration

- [ ] Helper for credential creation
- [ ] Helper for PRF extension output
- [ ] Proper encoding/decoding utilities

---

## 10. Testing

### 10.1 Unit Tests

- [ ] Test all ActionManager methods
- [ ] Test serialization/deserialization roundtrip
- [ ] Test encryption/decryption
- [ ] Test UCAN policy evaluation
- [ ] Test UCAN envelope encoding

### 10.2 Integration Tests

- [ ] Test full generate -> load -> exec flow
- [ ] Test credential lifecycle
- [ ] Test session management
- [ ] Test grant management
- [ ] Test UCAN delegation chain

### 10.3 Plugin Tests

- [ ] Extend `make test-plugin` with all functions
- [ ] Add error case testing
- [ ] Test with various input formats

### 10.4 Interoperability Tests

- [ ] Go <-> TypeScript UCAN envelope compatibility
- [ ] CID computation consistency
- [ ] Policy evaluation consistency

---

## 11. Security Hardening

### 11.1 Input Validation

- [ ] Validate all JSON inputs against schemas
- [ ] Quote or escape SQL-sensitive characters in serialization
- [ ] Validate DID format on all inputs
- [ ] Validate base64 encoding

### 11.2 Cryptographic Security

- [ ] Use constant-time comparison for sensitive data
- [ ] Clear sensitive data from memory after use
- [ ] Validate key sizes and formats
- [ ] Implement proper nonce generation

### 11.3 Access Control

- [ ] Enforce DID ownership on all mutations
- [ ] Validate session before sensitive operations
- [ ] Check grant scopes before data access
- [ ] Log security-relevant operations

---

## Priority Order

1. **CRITICAL (Spec Compliance)** - ✅ Complete
   - ~~UCAN v1.0.0-rc.1 Migration (Section 1)~~ ✅ All core items complete
   - ~~Core data structures (1.1)~~ ✅ Using go-ucan v1.1.0
   - ~~Envelope format (1.2)~~ ✅ Handled by go-ucan
   - ~~Delegation operations (1.3)~~ ✅ DelegationBuilder complete
   - ~~Invocation operations (1.4)~~ ✅ InvocationBuilder complete
   - ~~Database integration (1.8)~~ ✅ Schema, queries, and actions complete
   - MPC signing integration (1.9) - Next priority
2. **High Priority (Core Functionality)**
   - Database Serialization (3.1, 3.2)
   - Credential Creation (6.2, 4.7)
   - ~~Key Share Actions (4.1)~~ ✅ Complete
   - ~~Account Actions (4.6)~~ ✅ Complete
   - Delegation Loader for go-ucan (1.6)
3. **Medium Priority (Authorization)**
   - Revocation checker for go-ucan (1.7)
   - MPC Signing (1.9)
   - Encryption Strategy (2.1, 2.2)
4. **Lower Priority (Enhancement)**
   - TypeScript SDK (9.x)
   - DID State Sync (8.x)
   - Additional exec handlers (6.1)
   - Testing (10.x)
   - Security Hardening (11.x)

---

## Completed Items

### UCAN v1.0.0-rc.1 Database Integration (January 2025)

Schema and action handlers for storing/querying UCAN delegations and invocations:

- ✅ `internal/migrations/schema.sql` - v1.0.0-rc.1 tables
  - `ucan_delegations` - CID-indexed delegation storage with envelope BLOB
  - `ucan_invocations` - CID-indexed invocation storage with execution tracking
  - `ucan_revocations` - Revocation records with reason and invocation CID
  - Updated `grants` table to use `delegation_cid` instead of `ucan_id`
- ✅ `internal/migrations/query.sql` - CID-based queries
  - Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
  - Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
  - Revocation: Create, Check revoked, Get revocation, List by revoker
- ✅ `internal/keybase/actions_delegation.go` - Delegation action handlers
  - StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
  - ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
  - ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
  - DeleteDelegation, CleanExpiredDelegations
- ✅ `internal/keybase/actions_invocation.go` - Invocation action handlers
  - StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
  - ListInvocations, ListInvocationsByCommand, ListPendingInvocations
  - MarkInvocationExecuted, CleanOldInvocations
- ✅ `main.go` - Updated exec handlers for v1.0.0-rc.1
  - `executeUCANAction` uses delegation methods (list, get, revoke, verify, cleanup)
  - `executeDelegationAction` uses CID-based methods (list by issuer/audience/command)
  - `validateUCAN` uses `IsDelegationRevoked` instead of old `IsUCANRevoked`
- ✅ Deleted old action files
  - `internal/keybase/actions_ucan.go` - Old JWT-based UCAN actions
  - `internal/keybase/actions_delegation.go` - Old ID-based delegation actions (replaced by the CID-based file of the same name listed above)

### UCAN v1.0.0-rc.1 Core (January 2025)

The following was completed using `github.com/ucan-wg/go-ucan v1.1.0`:

- ✅ Type re-exports from go-ucan (Delegation, Invocation, Command, Policy)
- ✅ Sonr command constants (/vault/*, /did/*, /dwn/*)
- ✅ DelegationBuilder fluent API with Sonr-specific helpers
- ✅ InvocationBuilder fluent API with Sonr-specific helpers
- ✅ PolicyBuilder fluent API with all operators
- ✅ Sonr policy helpers (VaultPolicy, DIDPolicy, ChainPolicy)
- ✅ ValidationError types matching TypeScript definitions
- ✅ Capability, ExecutionResult, and related types

### Deleted (Deprecated JWT-based)

- ✅ Deleted `jwt.go` - Old JWT token handling
- ✅ Deleted `capability.go` - Old Attenuation/Resource/Capability model
- ✅ Deleted `verifier.go` - Old JWT verification
- ✅ Deleted `source.go` - Old JWT token creation
- ✅ Deleted `internal/crypto/mpc/spec/` - Old MPC JWT integration
- ✅ Removed `github.com/golang-jwt/jwt/v5` dependency

---

## Deprecated Items (Removed)

The following items from the previous TODO have been removed because they reference the **deprecated JWT-based UCAN format**:

- ~~Section 4.1 "Token Validation" - JWT parsing~~ -> Replaced by go-ucan validation
- ~~Section 4.2 "Capability Verification" - `can`/`with` format~~ -> Replaced by policy evaluation
- ~~Section 4.3 "Proof Chain Validation" - JWT proof strings~~ -> Replaced by CID-based chain
- ~~Section 3.2 "UCAN Token Actions" - Old format~~ -> Replaced by v1.0.0-rc.1 actions (4.2)
- ~~Section 3.3 "Delegation Actions" - Old delegation model~~ -> Merged into Section 1 and 4.2

The old capability model (`Attenuation`, `Resource`, `Capability` interfaces) is replaced by:

- `sub` (DID) - Subject of the capability
- `cmd` (Command) - Action being delegated
- `pol` (Policy) - Constraints on invocation arguments
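An added example, written for this document and not code from the project or from go-ucan (which provides the real `Covers()` and `ExecutionAllowed()`), showing what the 7.1/7.2 checks and the closing `sub`/`cmd`/`pol` model amount to: command covering by path prefix (the page's `/crud/*` is the `/crud` command in v1 terms), a small evaluator for the `==`, `like`, `<`, `>`, `and` and `or` statements, and a chain walk that rejects escalation, over-long chains, and any hop whose policy fails on the invocation's arguments. `Capability`, `Statement`, `ChainAllows`, the top-level-only `.field` selectors and the `did:key:alice` chain are all constructed for the example; expiry and revocation (7.3, `IsDelegationRevoked`) are left out.

```go
package main

import (
	"fmt"
	"reflect"
	"regexp"
	"strings"
)

// Capability is the v1 triple (sub, cmd, pol) from the end of this document.
type Capability struct {
	Sub string
	Cmd string
	Pol []Statement
}

// Statement is a policy statement in UCAN's list form, e.g. Statement{"==", ".chain", "sonr-1"}.
// For this example selectors are top-level ".field" only and numbers are float64, as decoded from JSON.
type Statement []any

// CommandCovers reports whether parent may authorize child: commands are slash-separated paths, "/"
// covers everything, and covering is prefix matching on whole segments ("/crud" covers "/crud/read", not "/crudx").
func CommandCovers(parent, child string) bool {
	p, c := strings.TrimSuffix(parent, "/"), strings.TrimSuffix(child, "/")
	return strings.HasPrefix(parent, "/") && strings.HasPrefix(child, "/") && (p == "" || c == p || strings.HasPrefix(c, p+"/"))
}

// Eval evaluates one statement against invocation args. Missing fields and unknown operators fail closed.
func Eval(st Statement, args map[string]any) (bool, error) {
	if len(st) < 2 {
		return false, fmt.Errorf("malformed statement %v", st)
	}
	op, _ := st[0].(string)
	if op == "and" || op == "or" {
		list, ok := st[1].([]Statement)
		if !ok {
			return false, fmt.Errorf("%s: operand must be a statement list", op)
		}
		for _, s := range list {
			if r, err := Eval(s, args); err != nil || r == (op == "or") { // short-circuit
				return r, err
			}
		}
		return op == "and", nil // empty "and" is true, empty "or" is false
	}
	sel, _ := st[1].(string)
	if len(st) != 3 || !strings.HasPrefix(sel, ".") {
		return false, fmt.Errorf("malformed comparison %v", st)
	}
	val, present := args[sel[1:]]
	if !present {
		return false, nil
	}
	switch op {
	case "==":
		return reflect.DeepEqual(val, st[2]), nil
	case "like": // UCAN glob: "*" is the only wildcard and the pattern is anchored at both ends
		pat, _ := st[2].(string)
		return regexp.MustCompile("^" + strings.ReplaceAll(regexp.QuoteMeta(pat), `\*`, ".*") + "$").MatchString(fmt.Sprint(val)), nil
	case "<", ">":
		a, okA := val.(float64)
		b, okB := st[2].(float64)
		return okA && okB && ((op == "<" && a < b) || (op == ">" && a > b)), nil
	}
	return false, fmt.Errorf("unknown operator %q", op)
}

// ChainAllows walks a delegation chain from root (index 0) to the invoker and enforces 7.1/7.2: bounded depth,
// one subject throughout, command attenuation at every hop, and every hop's policy on the invocation args.
func ChainAllows(chain []Capability, sub, cmd string, args map[string]any, maxDepth int) error {
	if len(chain) == 0 || len(chain) > maxDepth {
		return fmt.Errorf("chain length %d outside 1..%d", len(chain), maxDepth)
	}
	prev := "/" // the root delegation is checked against the top-level command
	for i, c := range chain {
		if c.Sub != sub {
			return fmt.Errorf("hop %d: subject %q does not match %q", i, c.Sub, sub)
		}
		if !CommandCovers(prev, c.Cmd) {
			return fmt.Errorf("hop %d: %q escalates beyond %q", i, c.Cmd, prev)
		}
		prev = c.Cmd
		for _, st := range c.Pol {
			if ok, err := Eval(st, args); err != nil || !ok {
				return fmt.Errorf("hop %d: policy %v rejected the invocation (err=%v)", i, st, err)
			}
		}
	}
	if !CommandCovers(prev, cmd) {
		return fmt.Errorf("invocation %q not covered by %q", cmd, prev)
	}
	return nil
}

func main() {
	alice := "did:key:alice" // constructed subject DID
	chain := []Capability{{Sub: alice, Cmd: "/vault"}, {Sub: alice, Cmd: "/vault/sign", Pol: []Statement{{"==", ".chain", "sonr-1"}, {"<", ".amount", 100.0}}}}
	fmt.Println("allowed:", ChainAllows(chain, alice, "/vault/sign", map[string]any{"chain": "sonr-1", "amount": 50.0}, 8))
}
```

The attenuation rule in 7.2 is enforced here the way v1 defines it: policies accumulate down the chain, so a child cannot loosen a parent's constraint because the parent's statements are still evaluated against the same invocation arguments.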
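For sections 2.1, 2.2 and 11.2, an added example (not the project's `internal/enclave/crypto.go`, which does not exist yet) of the derivation and wrapper the checklist describes: HKDF-SHA256 from the 32-byte WebAuthn PRF output with `nebula-enclave-v1` as `info`, then AES-256-GCM over the serialized dump with a fresh random nonce, the nonce stored next to the ciphertext and a version byte bound as additional data. The one-byte `formatVersion` header, the function names and the sample dump line are assumptions; HKDF is written against the standard library so the block runs without `golang.org/x/crypto`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const enclaveInfo = "nebula-enclave-v1" // HKDF info (context) string named in section 2.1
const formatVersion byte = 1            // assumed one-byte header; the real dump layout is still TODO (3.1)

// HKDFSHA256 implements RFC 5869 extract-then-expand with the standard library only. An empty salt
// behaves exactly like the RFC's HashLen zero bytes because HMAC zero-pads short keys.
func HKDFSHA256(ikm, salt, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("hkdf: invalid output length")
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length], nil
}

// DeriveEncryptionKey maps the 32-byte WebAuthn PRF extension output to a 256-bit AES key; the PRF
// output is the only secret input and info gives domain separation (2.1).
func DeriveEncryptionKey(prfOutput []byte) ([]byte, error) {
	if len(prfOutput) != 32 {
		return nil, fmt.Errorf("prf output must be 32 bytes, got %d", len(prfOutput))
	}
	return HKDFSHA256(prfOutput, nil, []byte(enclaveInfo), 32)
}

// SealDatabase wraps Serialize() output as version(1) || nonce(12) || AES-256-GCM ciphertext+tag. The
// version byte is authenticated as additional data and the nonce is fresh for every call (11.2).
func SealDatabase(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := []byte{formatVersion}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(header, nonce...), nonce, plaintext, header), nil
}

// OpenDatabase reverses SealDatabase; any bit flip in header, nonce, or body fails authentication.
func OpenDatabase(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 1+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	if blob[0] != formatVersion {
		return nil, fmt.Errorf("unsupported format version %d", blob[0])
	}
	header, nonce, body := blob[:1], blob[1:1+gcm.NonceSize()], blob[1+gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, header)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := DeriveEncryptionKey(bytes.Repeat([]byte{0x42}, 32)) // constructed stand-in for a PRF output
	blob, _ := SealDatabase(key, []byte("INSERT INTO accounts VALUES (1);")) // constructed dump line
	pt, err := OpenDatabase(key, blob)
	fmt.Printf("restored %q, err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one tag bit: authentication must now fail
	_, err = OpenDatabase(key, blob)
	fmt.Println("tampered:", err)
}
```

Two points a practitioner should keep when moving this into `internal/enclave`: the PRF output is bound to one WebAuthn credential, so a credential added later needs its own wrap of the database key rather than a fresh derivation, and a 96-bit random nonce is safe only while the number of seals per key stays far below 2^32, which a per-load reseal easily satisfies.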
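For 3.1 and the "SQL-sensitive characters" item in 11.1, an added example (not the project's `conn.go:exportDump()`) of emitting INSERT statements whose values are proper SQLite literals: strings and JSON columns single-quoted with embedded quotes doubled, blobs as `X'..'`, NULL for nil, and identifiers checked against an allow-list because table and column names cannot be quoted as values. The `DumpVersion` header line, the `Table` type and the sample rows are constructed for the example; callers pass tables in foreign-key dependency order.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// DumpVersion is an assumed header line; the real dump format is still TODO (3.1).
const DumpVersion = "-- nebula-enclave dump v1"

var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// Table holds one table's rows in dump order.
type Table struct {
	Name string
	Cols []string
	Rows [][]any
}

// QuoteLiteral renders one value as a SQLite literal. Strings (JSON columns included) are single-quoted
// with embedded quotes doubled, so a user-controlled label such as  x'); DROP TABLE  stays inside the literal.
func QuoteLiteral(v any) (string, error) {
	switch x := v.(type) {
	case nil:
		return "NULL", nil
	case string:
		return "'" + strings.ReplaceAll(x, "'", "''") + "'", nil
	case []byte:
		return "X'" + hex.EncodeToString(x) + "'", nil
	case int64:
		return strconv.FormatInt(x, 10), nil
	case int:
		return strconv.Itoa(x), nil
	case float64:
		return strconv.FormatFloat(x, 'g', -1, 64), nil
	case bool:
		if x {
			return "1", nil
		}
		return "0", nil
	}
	return "", fmt.Errorf("unsupported column type %T", v)
}

// InsertStatement builds one INSERT. Identifiers cannot be escaped as values, so they are
// validated against a strict allow-list instead of being interpolated blindly.
func InsertStatement(table string, cols []string, row []any) (string, error) {
	if !identRe.MatchString(table) {
		return "", fmt.Errorf("bad table name %q", table)
	}
	if len(cols) != len(row) {
		return "", fmt.Errorf("%d columns but %d values", len(cols), len(row))
	}
	vals := make([]string, len(row))
	for i, c := range cols {
		if !identRe.MatchString(c) {
			return "", fmt.Errorf("bad column name %q", c)
		}
		lit, err := QuoteLiteral(row[i])
		if err != nil {
			return "", err
		}
		vals[i] = lit
	}
	return fmt.Sprintf("INSERT INTO %s (%s) VALUES (%s);", table, strings.Join(cols, ", "), strings.Join(vals, ", ")), nil
}

// ExportDump writes the version header followed by one INSERT per row, tables in the order given.
func ExportDump(tables []Table) (string, error) {
	var b strings.Builder
	b.WriteString(DumpVersion + "\n")
	for _, tb := range tables {
		for _, row := range tb.Rows {
			stmt, err := InsertStatement(tb.Name, tb.Cols, row)
			if err != nil {
				return "", err
			}
			b.WriteString(stmt + "\n")
		}
	}
	return b.String(), nil
}

func main() {
	dump, err := ExportDump([]Table{{Name: "accounts", Cols: []string{"id", "label"}, Rows: [][]any{{int64(1), "o'neil"}}}}) // constructed row
	fmt.Print(dump, err, "\n")
}
```

On the `Load()` side (3.2) the same allow-list applies in reverse: check the header line first, and execute the restored statements inside one transaction so a malformed dump leaves no partial state behind.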