# Implementation TODO

Remaining tasks for the Nebula Key Enclave. See [AGENTS.md](./AGENTS.md) for an architecture overview and [CHANGELOG.md](./CHANGELOG.md) for completed work.

---

## 1. UCAN v1.0.0-rc.1 Remaining Work

### 1.1 SQLite Functions for Policy & Validation

- [ ] `ucan_policy_match(policy_json, args_json)` - Evaluate a policy against invocation args
- [ ] `ucan_cmd_subsumes(parent_cmd, child_cmd)` - Check the command hierarchy
- [ ] `ucan_chain_valid(invocation_cid)` - Validate the proof chain with a recursive CTE
- [ ] `ucan_parse_envelope(envelope_blob)` - Extract fields from DAG-CBOR as JSON

### 1.2 SQLite Functions for UCAN Signing

- [ ] `ucan_sign(enclave_id, payload)` - Sign delegation/invocation payloads
- [ ] `ucan_seal(enclave_id, delegation_json)` - Build a complete sealed envelope
- [ ] Integrate with go-ucan's `crypto.Signer` interface via the SQLite bridge

### 1.3 Revocation Checker

- [ ] Implement the revocation checking interface for go-ucan
- [ ] Integrate with chain validation via `ExecutionAllowed()`

### 1.4 Testing

- [ ] Unit tests for builders (DelegationBuilder, InvocationBuilder)
- [ ] Interoperability tests against the TypeScript implementation
- [ ] Test vectors from the UCAN spec

---

## 2. Remaining Actions

### 2.1 Sync Checkpoint Actions

- [ ] `GetSyncCheckpoint(ctx, resourceType)`
- [ ] `UpsertSyncCheckpoint(ctx, params)`
- [ ] `ListSyncCheckpoints(ctx)`

### 2.2 Invocation Validation

- [ ] `ValidateInvocation(ctx, invocation)` - Requires a `delegation.Loader`

---

## 3. Plugin Extensions

### 3.1 Exec Handlers

- [ ] Add `invocations` resource handler
- [ ] Add `sync_checkpoints` resource handler

### 3.2 Generate Function

- [ ] Parse the WebAuthn credential properly (CBOR/COSE format)
- [ ] Extract the public key from the credential
- [ ] Create the initial verification method
- [ ] Create the initial credential record

### 3.3 SQLite Functions

- [ ] `enclave_sign(enclave_id, data)` - Sign data from within SQL queries
- [ ] Dedicated `sign` wasmexport function

---

## 4. Capability Delegation (v1.0.0-rc.1)

SQLite triggers and views for real-time delegation validation.

### 4.1 Schema Enhancements

- [ ] `delegation_depth` generated column using a recursive CTE
- [ ] CHECK constraint for max depth (e.g., 10 levels)
- [ ] `valid_delegations` view joining chain validation
- [ ] `is_expired` / `is_active` generated columns
- [ ] Partial index on `is_active = 1`

### 4.2 Policy Functions

- [ ] `ucan_policy_subsumes(parent_pol, child_pol)` - Check attenuation
- [ ] `ucan_cmd_covers(parent_cmd, child_cmd)` - Command hierarchy
- [ ] Trigger `BEFORE INSERT ON ucan_delegations` to validate attenuation
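
As an added illustration of the trigger-based validation planned in 4.1 and 4.2 (example code, not the project's own): it registers a `ucan_cmd_subsumes` user function through Python's `sqlite3`, computes `delegation_depth` with a recursive CTE, and has a `BEFORE INSERT` trigger reject any delegation that widens its parent's command or exceeds 10 levels. It assumes UCAN-style slash-delimited commands and a minimal `ucan_delegations(cid, parent_cid, cmd)` table; depth is a view rather than a generated column because SQLite generated-column expressions cannot contain subqueries.

```python
import sqlite3

def ucan_cmd_subsumes(parent_cmd, child_cmd):
    # 1 if parent covers child, else 0 (SQLite has no bool). Assumes UCAN-style
    # slash-delimited commands: '/' covers everything; a parent covers itself and
    # any path beneath it on segment boundaries ('/crud' does not cover '/crudx').
    if parent_cmd is None or child_cmd is None:  # parent row does not exist
        return 0
    parent = parent_cmd.rstrip("/") or "/"
    child = child_cmd.rstrip("/") or "/"
    if parent == "/" or parent == child:
        return 1
    return int(child.startswith(parent + "/"))

SCHEMA = """
CREATE TABLE ucan_delegations (
    cid        TEXT PRIMARY KEY,
    parent_cid TEXT REFERENCES ucan_delegations(cid),
    cmd        TEXT NOT NULL
);
-- Depth via recursive CTE, as a view: generated columns cannot contain subqueries.
CREATE VIEW delegation_depth AS
WITH RECURSIVE chain(cid, depth) AS (
    SELECT cid, 0 FROM ucan_delegations WHERE parent_cid IS NULL
    UNION ALL
    SELECT d.cid, c.depth + 1 FROM ucan_delegations d JOIN chain c ON d.parent_cid = c.cid
) SELECT cid, depth FROM chain;
-- Reject a child that widens its parent's command or exceeds 10 levels.
CREATE TRIGGER validate_attenuation BEFORE INSERT ON ucan_delegations
WHEN NEW.parent_cid IS NOT NULL BEGIN
    SELECT RAISE(ABORT, 'command not attenuated') WHERE NOT ucan_cmd_subsumes(
        (SELECT cmd FROM ucan_delegations WHERE cid = NEW.parent_cid), NEW.cmd);
    SELECT RAISE(ABORT, 'delegation chain too deep')
        WHERE (SELECT depth FROM delegation_depth WHERE cid = NEW.parent_cid) + 1 > 10;
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.create_function("ucan_cmd_subsumes", 2, ucan_cmd_subsumes, deterministic=True)
    db.executescript(SCHEMA)
    return db

def insert_delegation(db, cid, parent_cid, cmd):
    # True if the trigger accepted the row, False if RAISE(ABORT) rejected it.
    try:
        db.execute("INSERT INTO ucan_delegations VALUES (?, ?, ?)", (cid, parent_cid, cmd))
        return True
    except sqlite3.IntegrityError:
        return False
```
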
---

## 5. DID State Sync

- [ ] Create `internal/enclave/sync.go` - DID state sync logic
- [ ] Checkpoint tracking (block height, tx hash)
- [ ] Fetch DID document updates from the chain
- [ ] Handle reorgs and rollbacks

---

## 6. TypeScript SDK

### 6.1 Core SDK (partial: basic wrappers exist)

- [ ] Full type definitions for all responses
- [ ] Error handling improvements
- [ ] Documentation and examples

### 6.2 UCAN SDK

- [ ] Delegation/Invocation builders
- [ ] Policy builder helpers
- [ ] DAG-CBOR encoding/decoding
- [ ] CID computation

### 6.3 WebAuthn Integration

- [ ] Helper for credential creation
- [ ] PRF extension output helper

---

## 7. Testing

- [ ] Unit tests for ActionManager methods
- [ ] Serialization round-trip tests
- [ ] UCAN policy evaluation tests
- [ ] Integration tests (generate -> load -> exec)
- [ ] Go <-> TypeScript interoperability

---

## 8. Security Hardening

- [ ] JSON schema validation
- [ ] DID format validation
- [ ] Constant-time comparison for sensitive data
- [ ] Session validation before sensitive ops
- [ ] Grant scope checking

---

## Priority Order

1. **High Priority (SQLite Functions)**
   - `ucan_sign()` / `ucan_seal()` for UCAN signing
   - `ucan_parse_envelope()` for JSON extraction
   - `ucan_chain_valid()` for proof validation
   - `enclave_sign()` for general signing
   - `invocations` exec handler

2. **Medium Priority (SQLite Automation)**
   - Generated columns for delegation status
   - Policy evaluation functions
   - Delegation depth constraints

3. **Lower Priority (Enhancements)**
   - TypeScript SDK completion
   - DID State Sync
   - Testing
   - Security Hardening

---

See [CHANGELOG.md](./CHANGELOG.md) for completed items and version history.