motr-enclave/TODO.md
Implementation TODO

Remaining tasks for the Nebula Key Enclave. See AGENTS.md for architecture overview and CHANGELOG.md for completed work.

1. UCAN v1.0.0-rc.1 Remaining Work

1.1 SQLite Functions for Policy & Validation

  • ucan_policy_match(policy_json, args_json) - Evaluate policy against args
  • ucan_cmd_subsumes(parent_cmd, child_cmd) - Check command hierarchy
  • ucan_chain_valid(invocation_cid) - Recursive CTE proof chain validation
  • ucan_parse_envelope(envelope_blob) - Extract fields from DAG-CBOR as JSON

1.2 SQLite Functions for UCAN Signing

  • ucan_sign(enclave_id, payload) - Sign delegation/invocation payloads
  • ucan_seal(enclave_id, delegation_json) - Build complete sealed envelope
  • Integrate with go-ucan's crypto.Signer interface via SQLite bridge

1.3 Revocation Checker

  • Implement revocation checking interface for go-ucan
  • Integration with chain validation via ExecutionAllowed()

1.4 Testing

  • Unit tests for builders (DelegationBuilder, InvocationBuilder)
  • Interoperability tests against TypeScript implementation
  • Test vectors from UCAN spec

2. Remaining Actions

2.1 Sync Checkpoint Actions

  • GetSyncCheckpoint(ctx, resourceType)
  • UpsertSyncCheckpoint(ctx, params)
  • ListSyncCheckpoints(ctx)

2.2 Invocation Validation

  • ValidateInvocation(ctx, invocation) - Requires delegation.Loader

3. Plugin Extensions

3.1 Exec Handlers

  • Add invocations resource handler
  • Add sync_checkpoints resource handler

3.2 Generate Function

  • Parse WebAuthn credential properly (CBOR/COSE format)
  • Extract public key from credential
  • Create initial verification method
  • Create initial credential record

3.3 SQLite Functions

  • enclave_sign(enclave_id, data) - Sign in queries
  • Dedicated sign wasmexport function

4. Capability Delegation (v1.0.0-rc.1)

SQLite triggers and views for real-time delegation validation.

4.1 Schema Enhancements

  • delegation_depth generated column using recursive CTE
  • CHECK constraint for max depth (e.g., 10 levels)
  • valid_delegations view joining chain validation
  • is_expired / is_active generated columns
  • Partial index on is_active = 1

4.2 Policy Functions

  • ucan_policy_subsumes(parent_pol, child_pol) - Check attenuation
  • ucan_cmd_covers(parent_cmd, child_cmd) - Command hierarchy
  • Trigger BEFORE INSERT ON ucan_delegations to validate attenuation
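The 4.1 schema items and the 4.2 attenuation trigger together, as an added example that is not motr-enclave's own code: a single-proof `ucan_delegations` table (column names and the single `proof_cid` are assumptions), a recursive-CTE view that computes chain depth and effective expiry, and a `BEFORE INSERT` trigger that rejects escalation and over-deep chains.

```sql
-- Added example (not motr-enclave code): a single-proof approximation of the
-- ucan_delegations table; column names are assumptions.
CREATE TABLE IF NOT EXISTS ucan_delegations (
  cid        TEXT PRIMARY KEY,
  issuer     TEXT NOT NULL,   -- DID of the delegator
  audience   TEXT NOT NULL,   -- DID receiving the capability
  command    TEXT NOT NULL,   -- UCAN cmd, e.g. '/crud/read'; '/' covers everything
  proof_cid  TEXT REFERENCES ucan_delegations(cid),  -- NULL for a root delegation
  expires_at INTEGER,         -- unix seconds, NULL = never expires
  CHECK (command = '/' OR (command LIKE '/%' AND command NOT LIKE '%/'))
);

-- SQLite generated columns may not use subqueries or non-deterministic functions,
-- so depth and expiry are computed in views rather than stored in the table.
CREATE VIEW IF NOT EXISTS delegation_chain AS
WITH RECURSIVE chain(cid, root_cid, depth, effective_exp) AS (
  SELECT cid, cid, 0, expires_at FROM ucan_delegations WHERE proof_cid IS NULL
  UNION ALL
  SELECT d.cid, c.root_cid, c.depth + 1,
         -- a chain is only valid until its earliest expiry
         CASE WHEN d.expires_at IS NULL THEN c.effective_exp
              WHEN c.effective_exp IS NULL THEN d.expires_at
              ELSE min(d.expires_at, c.effective_exp) END
  FROM ucan_delegations d JOIN chain c ON d.proof_cid = c.cid
  WHERE c.depth < 10   -- bounds recursion even if a bad row slips in
)
SELECT * FROM chain;

CREATE VIEW IF NOT EXISTS valid_delegations AS
SELECT d.*, c.root_cid, c.depth FROM ucan_delegations d JOIN delegation_chain c USING (cid)
WHERE c.effective_exp IS NULL OR c.effective_exp > CAST(strftime('%s', 'now') AS INTEGER);

-- Attenuation check: reject a delegation whose proof is missing or expired, whose
-- issuer is not the proof's audience, whose command is broader than the proof's,
-- or which would push the chain past 10 levels.
CREATE TRIGGER IF NOT EXISTS ucan_delegations_attenuate
BEFORE INSERT ON ucan_delegations
WHEN NEW.proof_cid IS NOT NULL
BEGIN
  SELECT RAISE(ABORT, 'proof not found or expired')
  WHERE NOT EXISTS (SELECT 1 FROM valid_delegations WHERE cid = NEW.proof_cid);
  SELECT RAISE(ABORT, 'issuer must be the proof audience')
  FROM valid_delegations p WHERE p.cid = NEW.proof_cid AND p.audience <> NEW.issuer;
  SELECT RAISE(ABORT, 'command is not attenuated from proof')
  FROM valid_delegations p WHERE p.cid = NEW.proof_cid
    AND p.command <> '/' AND NEW.command <> p.command
    AND substr(NEW.command, 1, length(p.command) + 1) <> p.command || '/';
  SELECT RAISE(ABORT, 'delegation chain too deep')
  FROM valid_delegations p WHERE p.cid = NEW.proof_cid AND p.depth >= 10;
END;
```

The prefix test uses `substr` rather than `LIKE` so that `%` or `_` inside a command string cannot act as a wildcard; a real UCAN delegation carries a list of proofs and a policy, which this single-`proof_cid` sketch does not model.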

5. DID State Sync

  • Create internal/enclave/sync.go - DID state sync logic
  • Checkpoint tracking (block height, tx hash)
  • Fetch DID document updates from chain
  • Handle reorgs and rollbacks

6. TypeScript SDK

6.1 Core SDK (Partial - Basic wrappers exist)

  • Full type definitions for all responses
  • Error handling improvements
  • Documentation and examples

6.2 UCAN SDK

  • Delegation/Invocation builders
  • Policy builder helpers
  • DAG-CBOR encoding/decoding
  • CID computation

6.3 WebAuthn Integration

  • Helper for credential creation
  • PRF extension output helper

7. Testing

  • Unit tests for ActionManager methods
  • Serialization roundtrip tests
  • UCAN policy evaluation tests
  • Integration tests (generate -> load -> exec)
  • Go <-> TypeScript interoperability

8. Security Hardening

  • JSON schema validation
  • DID format validation
  • Constant-time comparison for sensitive data
  • Session validation before sensitive ops
  • Grant scope checking

Priority Order

  1. High Priority (SQLite Functions)

    • ucan_sign() / ucan_seal() for UCAN signing
    • ucan_parse_envelope() for JSON extraction
    • ucan_chain_valid() for proof validation
    • enclave_sign() for general signing
    • invocations exec handler
  2. Medium Priority (SQLite Automation)

    • Generated columns for delegation status
    • Policy evaluation functions
    • Delegation depth constraints
  3. Lower Priority (Enhancement)

    • TypeScript SDK completion
    • DID State Sync
    • Testing
    • Security Hardening

See CHANGELOG.md for completed items and version history.