motr-enclave/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • SQLite custom functions for BIP44 derivation
    • bip44_derive(pubkey_hex, chain) - Derive address from any public key
    • bip44_derive_from_enclave(enclave_id, chain) - Derive from stored enclave
    • Supports: sonr (Cosmos 118), ethereum (60), bitcoin (0)
  • MPC signing via exec handlers
    • accounts sign - Sign with account's enclave
    • enclaves sign - Sign directly with enclave
  • Multi-chain account initialization in generate()
    • Creates accounts for sonr, ethereum, and bitcoin on enclave creation

Changed

  • generate() now returns enclave_id, public_key, and accounts array
  • internal/crypto/mpc/verify.go simplified to use stdlib instead of external curves package

Removed

  • internal/enclave/ package (unused encryption layer)
  • internal/crypto/mpc/utils.go (dead code)

[0.1.0] - 2025-01

Added

Encryption & Serialization

  • internal/enclave/crypto.go - WebAuthn PRF key derivation

    • DeriveEncryptionKey() using HKDF with SHA-256
    • DeriveKeyWithContext() for purpose-specific keys
    • AES-256-GCM encryption/decryption (Encrypt, Decrypt)
    • EncryptBytes() / DecryptBytes() convenience functions
    • SecureZero() for memory clearing
  • internal/enclave/enclave.go - Encrypted database wrapper

    • Enclave struct wrapping Keybase with encryption
    • SerializeEncrypted() / LoadEncrypted() methods
    • Export() / Import() with EncryptedBundle
    • FromExisting() to wrap existing keybase
  • internal/keybase/conn.go - Native SQLite serialization

    • Serialize() using serdes.Serialize() from ncruces/go-sqlite3
    • Load() using serdes.Deserialize()
    • RestoreFromDump() for encrypted bundle loading

Action Manager Extensions

  • internal/keybase/actions_verification.go

    • CreateVerificationMethod, ListVerificationMethodsFull
    • GetVerificationMethod, DeleteVerificationMethod
  • internal/keybase/actions_service.go

    • CreateService, GetServiceByOrigin, GetServiceByID
    • UpdateService, ListVerifiedServices
  • internal/keybase/actions_grant.go

    • CreateGrant, GetGrantByService, UpdateGrantScopes
    • UpdateGrantLastUsed, SuspendGrant, ReactivateGrant, CountActiveGrants
  • internal/keybase/actions_credential.go

    • CreateCredential, UpdateCredentialCounter, RenameCredential
    • DeleteCredential, CountCredentialsByDID
  • internal/keybase/actions_session.go

    • GetSessionByID, GetCurrentSession, UpdateSessionActivity
    • SetCurrentSession, DeleteExpiredSessions

Plugin Exec Handlers

  • key_shares resource - list, get, rotate, archive, delete
  • verification_methods resource - list, get, delete
  • services resource - list, get, get_by_id

UCAN v1.0.0-rc.1 Database Integration

  • internal/migrations/schema.sql - v1.0.0-rc.1 tables

    • ucan_delegations - CID-indexed delegation storage with envelope BLOB
    • ucan_invocations - CID-indexed invocation storage with execution tracking
    • ucan_revocations - Revocation records with reason and invocation CID
    • Updated grants table to use delegation_cid instead of ucan_id
  • internal/migrations/query.sql - CID-based queries

    • Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
    • Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
    • Revocation: Create, Check revoked, Get revocation, List by revoker
  • internal/keybase/actions_delegation.go - Delegation action handlers

    • StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
    • ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
    • ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
    • DeleteDelegation, CleanExpiredDelegations
  • internal/keybase/actions_invocation.go - Invocation action handlers

    • StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
    • ListInvocations, ListInvocationsByCommand, ListPendingInvocations
    • MarkInvocationExecuted, CleanOldInvocations
  • main.go - Updated exec handlers for v1.0.0-rc.1

    • executeUCANAction uses delegation methods (list, get, revoke, verify, cleanup)
    • executeDelegationAction uses CID-based methods (list by issuer/audience/command)
    • validateUCAN uses IsDelegationRevoked instead of old IsUCANRevoked

UCAN v1.0.0-rc.1 Core

Using github.com/ucan-wg/go-ucan v1.1.0:

  • Type re-exports from go-ucan (Delegation, Invocation, Command, Policy)
  • Sonr command constants (/vault/*, /did/*, /dwn/*)
  • DelegationBuilder fluent API with Sonr-specific helpers
  • InvocationBuilder fluent API with Sonr-specific helpers
  • PolicyBuilder fluent API with all operators
  • Sonr policy helpers (VaultPolicy, DIDPolicy, ChainPolicy)
  • ValidationError types matching TypeScript definitions
  • Capability, ExecutionResult, and related types

Removed

Deprecated JWT-based UCAN

  • jwt.go - Old JWT token handling

  • capability.go - Old Attenuation/Resource/Capability model

  • verifier.go - Old JWT verification

  • source.go - Old JWT token creation

  • internal/crypto/mpc/spec/ - Old MPC JWT integration

  • github.com/golang-jwt/jwt/v5 dependency

  • Old action files:

    • internal/keybase/actions_ucan.go - Old JWT-based UCAN actions
    • internal/keybase/actions_delegation.go - Old ID-based delegation actions

Deprecated

The following items from the old TODO have been superseded by UCAN v1.0.0-rc.1:

  • "Token Validation" (JWT parsing) -> Replaced by go-ucan validation
  • "Capability Verification" (can/with format) -> Replaced by policy evaluation
  • "Proof Chain Validation" (JWT proof strings) -> Replaced by CID-based chain
  • "UCAN Token Actions" (old format) -> Replaced by v1.0.0-rc.1 actions
  • "Delegation Actions" (old model) -> Merged into CID-based actions

The old capability model (Attenuation, Resource, Capability interfaces) is replaced by:

  • sub (DID) - Subject of the capability
  • cmd (Command) - Action being delegated
  • pol (Policy) - Constraints on invocation arguments