x/motr-enclave
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ceb4d600f20bf6ddf10022f63bbcfcb86887878
motr-enclave/TODO.md

27 KiB
Raw Blame History

Implementation TODO

Remaining tasks from MIGRATION.md for the Nebula Key Enclave.

Status Summary

Category Status Notes
Schema (10 tables) Complete internal/migrations/schema.sql - Updated for v1.0.0-rc.1
SQLC Queries Complete internal/migrations/query.sql - CID-based queries added
Generated Code Complete internal/keybase/*.go
Basic Plugin Functions Complete generate, load, exec, query, ping
Encryption Complete internal/enclave/ - WebAuthn PRF key derivation + AES-256-GCM
UCAN v1.0.0-rc.1 Complete Core types, builders, policies, DB actions all complete
UCAN DB Actions Complete actions_delegation.go, actions_invocation.go
MPC Key Shares Complete actions_keyshare.go - Full key share management
Database Serialization Complete Native SQLite serialization via ncruces/go-sqlite3/ext/serdes

1. UCAN v1.0.0-rc.1 Migration (CRITICAL PRIORITY)

Status: Core implementation complete using github.com/ucan-wg/go-ucan v1.1.0. Deprecated JWT-based files deleted. Remaining work is database integration and MPC signing.

Completed Implementation

The following files implement UCAN v1.0.0-rc.1 using the official go-ucan library:

File Status Description
ucan.go Complete Type re-exports, Sonr commands, pre-parsed constants
policy.go Complete PolicyBuilder fluent API, Sonr-specific policy helpers
delegation.go Complete DelegationBuilder fluent API, Sonr delegation helpers
invocation.go Complete InvocationBuilder fluent API, Sonr invocation helpers
types.go Complete ValidationError, Capability, ExecutionResult, Sonr types

Dependencies Added

  • github.com/ucan-wg/go-ucan v1.1.0 - Official UCAN library
  • github.com/ipld/go-ipld-prime v0.21.0 - IPLD encoding
  • github.com/MetaMask/go-did-it v1.0.0-pre1 - DID handling (indirect)
  • github.com/ipfs/go-cid v0.5.0 - Content addressing (indirect)

Deleted (Deprecated JWT-based)

  • jwt.go - Removed
  • capability.go - Removed
  • verifier.go - Removed
  • source.go - Removed
  • internal/crypto/mpc/spec/ - Entire directory removed

1.1 Core Data Structures

  • Create internal/crypto/ucan/types.go - v1.0.0-rc.1 types

    • Re-export Delegation and Invocation from go-ucan
    • Task struct (sub, cmd, args, nonce)
    • ReceiptPayload struct (iss, ran, out, fx, meta, iat)
    • RevocationPayload struct
    • ValidationError with error codes matching TypeScript
    • Capability struct (sub, cmd, pol)
    • ExecutionResult[T, E] generic type
    • Sonr-specific types: VaultCapability, DIDCapability, DWNCapability

  • Create internal/crypto/ucan/policy.go - Policy Language

    • PolicyBuilder fluent API with all operators
    • Equal, NotEqual - equality statements
    • GreaterThan, LessThan, etc. - inequality statements
    • Like - glob pattern matching
    • Not, And, Or - logical connectives
    • All, Any - quantifiers
    • Sonr helpers: VaultPolicy, DIDPolicy, ChainPolicy, AccountPolicy

  • Create internal/crypto/ucan/ucan.go - Command types

    • Command type re-exported from go-ucan
    • Sonr commands: /vault/*, /did/*, /dwn/*, /ucan/revoke
    • Pre-parsed command constants: VaultRead, VaultWrite, DIDUpdate, etc.
    • CommandSubsumes() helper using go-ucan's Covers() method

1.2 Envelope Format & Encoding

  • Envelope handling via go-ucan library

    • ToSealed() method produces DAG-CBOR bytes + CID
    • ToDagCbor(), ToDagJson() encoding methods
    • CID computation handled by go-ucan

  • Varsig support via go-ucan library

    • Ed25519, P-256, secp256k1 via go-did-it/crypto

1.3 Delegation Operations

  • Create internal/crypto/ucan/delegation.go - Delegation creation/validation
    • DelegationBuilder fluent API
    • NewDelegation, NewRootDelegation, NewPowerlineDelegation re-exports
    • BuildSealed(privKey) for signing
    • Sonr helpers: NewVaultDelegation, NewDIDDelegation, NewDWNDelegation
    • Temporal options: ExpiresAt, ExpiresIn, NotBefore, NotBeforeIn

1.4 Invocation Operations

  • Create internal/crypto/ucan/invocation.go - Invocation creation/validation
    • InvocationBuilder fluent API
    • NewInvocation re-export
    • BuildSealed(privKey) for signing
    • Proof chain management: Proof(), Proofs()
    • Sonr helpers: VaultReadInvocation, VaultSignInvocation, DIDUpdateInvocation

1.5 Policy Evaluation Engine

Note: go-ucan provides ExecutionAllowed() on invocations which validates proofs and evaluates policies.

  • Policy evaluation via go-ucan's invocation.ExecutionAllowed(loader)
  • Create internal/crypto/ucan/eval.go - Additional evaluation helpers (if needed)
    • Custom selector resolution for Sonr-specific args
    • Caching layer for repeated evaluations

1.6 Proof Chain Validation

Note: go-ucan handles chain validation internally via ExecutionAllowed().

  • Chain validation via go-ucan library
  • Delegation storage in SQLite via actions_delegation.go
    • GetDelegationByCID, GetDelegationEnvelope methods
    • ListDelegations* methods for chain traversal
  • Create internal/crypto/ucan/store.go - Delegation loader for go-ucan
    • Implement delegation.Loader interface wrapping keybase actions
    • GetDelegation(cid.Cid) (*delegation.Token, error)
    • Cache loaded delegations for performance

1.7 Revocation

  • RevocationInvocation() helper in invocation.go
  • Revocation storage via actions_delegation.go
    • RevokeDelegation(ctx, params) - Create revocation record
    • IsDelegationRevoked(ctx, cid) (bool, error) - Query revocation status
  • Create internal/crypto/ucan/revocation.go - Revocation checker for go-ucan
    • Implement revocation checking interface
    • Integration with chain validation via ExecutionAllowed()

1.8 Database Integration

  • Update internal/migrations/schema.sql for v1.0.0-rc.1

    • ucan_delegations table (cid, envelope BLOB, iss, aud, sub, cmd, pol, nbf, exp, is_root, is_powerline)
    • ucan_invocations table (cid, envelope BLOB, iss, sub, aud, cmd, prf, exp, iat, executed_at, result_cid)
    • ucan_revocations table (delegation_cid, revoked_by, invocation_cid, reason)
    • Indexes on iss, aud, sub, cmd for efficient queries

  • Update internal/migrations/query.sql for v1.0.0-rc.1

    • CreateDelegation, GetDelegationByCID, GetDelegationEnvelopeByCID
    • ListDelegationsByDID, ListDelegationsByIssuer, ListDelegationsByAudience, ListDelegationsBySubject
    • ListDelegationsForCommand, ListRootDelegations, ListPowerlineDelegations
    • CreateInvocation, GetInvocationByCID, GetInvocationEnvelopeByCID
    • ListInvocationsByDID, ListInvocationsByIssuer, ListInvocationsForCommand
    • MarkInvocationExecuted, ListPendingInvocations
    • CreateRevocation, IsDelegationRevoked, GetRevocation, ListRevocationsByRevoker

  • Create internal/keybase/actions_delegation.go - Delegation action handlers

    • StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
    • ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
    • ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
    • DeleteDelegation, CleanExpiredDelegations

  • Create internal/keybase/actions_invocation.go - Invocation action handlers

    • StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
    • ListInvocations, ListInvocationsByCommand, ListPendingInvocations
    • MarkInvocationExecuted, CleanOldInvocations

1.9 MPC Signing Integration

  • Create internal/crypto/ucan/signer.go - MPC key integration
    • Implement crypto.PrivateKeySigningBytes interface for MPC
    • Sign delegations with MPC key shares
    • Sign invocations with MPC key shares

1.10 Testing

  • Unit tests for builders (DelegationBuilder, InvocationBuilder)
  • Unit tests for policy helpers
  • Unit tests for Sonr-specific invocations
  • Interoperability tests against TypeScript implementation
  • Test vectors from UCAN spec

2. Encryption Strategy

Reference: MIGRATION.md lines 770-814 Status: Complete - Implemented in internal/enclave/

2.1 WebAuthn PRF Key Derivation

  • Implement DeriveEncryptionKey(prfOutput []byte) ([]byte, error)
  • Use HKDF with SHA-256 to derive 256-bit encryption key
  • Salt with "nebula-enclave-v1" as info parameter
  • DeriveKeyWithContext() for purpose-specific key derivation

2.2 Database Encryption

  • Implement application-level AES-256-GCM encryption for serialized pages
  • Add encryption wrapper around Serialize() output (EncryptBytes())
  • Add decryption wrapper for Load() input (DecryptBytes())
  • Store encryption metadata (version, nonce, auth tag) with serialized data
  • SecureZero() for memory clearing of sensitive data

2.3 Encrypted Database Wrapper

  • Create internal/enclave/enclave.go - Encrypted database wrapper
    • Enclave struct wrapping Keybase with encryption key
    • SerializeEncrypted() - Export encrypted database
    • LoadEncrypted() - Load from encrypted bytes
    • Export() / Import() - Full bundle operations with DID
    • EncryptedBundle struct with JSON marshaling
  • Create internal/enclave/crypto.go - WebAuthn PRF key derivation
    • Encrypt() / Decrypt() with EncryptedData struct
    • EncryptBytes() / DecryptBytes() convenience functions
    • GenerateNonce() for secure random nonce generation
  • Integrate with existing internal/keybase package via FromExisting()

3. Database Serialization

Status: Complete - Using native SQLite serialization via ncruces/go-sqlite3/ext/serdes

3.1 Native SQLite Serialization

  • Serialize() using serdes.Serialize(conn, "main") - Binary database export
  • Full database state captured as byte slice
  • No SQL parsing needed - direct database format
  • Preserves all data types, indexes, and constraints

3.2 Native SQLite Deserialization

  • Load() using serdes.Deserialize(conn, "main", data) - Binary import
  • RestoreFromDump() for encrypted bundle loading
  • Automatic DID context restoration after load
  • Integrated with internal/enclave for encrypted storage

4. Action Manager Extensions

Reference: internal/keybase/actions.go

4.1 Key Share Actions

  • CreateKeyShare(ctx, params) (*KeyShareResult, error)
  • ListKeyShares(ctx) ([]KeyShareResult, error)
  • GetKeyShareByID(ctx, shareID) (*KeyShareResult, error)
  • GetKeyShareByKeyID(ctx, keyID) (*KeyShareResult, error)
  • RotateKeyShare(ctx, shareID) error
  • ArchiveKeyShare(ctx, shareID) error
  • DeleteKeyShare(ctx, shareID) error

4.2 UCAN Token Actions (v1.0.0-rc.1)

  • StoreDelegation(ctx, params) (*DelegationResult, error)
  • ListDelegations(ctx) ([]DelegationResult, error)
  • GetDelegationByCID(ctx, cid) (*DelegationResult, error)
  • GetDelegationEnvelope(ctx, cid) ([]byte, error)
  • ListDelegationsByIssuer(ctx, issuer) ([]DelegationResult, error)
  • ListDelegationsByAudience(ctx, audience) ([]DelegationResult, error)
  • ListDelegationsForCommand(ctx, cmd) ([]DelegationResult, error)
  • StoreInvocation(ctx, params) (*InvocationResult, error)
  • GetInvocationByCID(ctx, cid) (*InvocationResult, error)
  • GetInvocationEnvelope(ctx, cid) ([]byte, error)
  • ListInvocations(ctx, limit) ([]InvocationResult, error)
  • ListInvocationsByCommand(ctx, cmd, limit) ([]InvocationResult, error)
  • ListPendingInvocations(ctx) ([]InvocationResult, error)
  • MarkInvocationExecuted(ctx, cid, resultCID) error
  • RevokeDelegation(ctx, params) error
  • IsDelegationRevoked(ctx, cid) (bool, error)
  • DeleteDelegation(ctx, cid) error
  • CleanExpiredDelegations(ctx) error
  • CleanOldInvocations(ctx) error
  • ValidateInvocation(ctx, invocation) (*ValidationResult, error) - Requires delegation.Loader

4.3 Verification Method Actions

  • CreateVerificationMethod(ctx, params) (*VerificationMethodResult, error)
  • ListVerificationMethodsFull(ctx) ([]VerificationMethodResult, error)
  • GetVerificationMethod(ctx, methodID) (*VerificationMethodResult, error)
  • DeleteVerificationMethod(ctx, methodID) error

4.4 Service Actions

  • CreateService(ctx, params) (*ServiceResult, error)
  • GetServiceByOrigin(ctx, origin) (*ServiceResult, error)
  • GetServiceByID(ctx, serviceID) (*ServiceResult, error)
  • UpdateService(ctx, params) error
  • ListVerifiedServices(ctx) ([]ServiceResult, error)

4.5 Grant Actions (Extend Existing)

  • CreateGrant(ctx, params) (*GrantResult, error)
  • GetGrantByService(ctx, serviceID) (*GrantResult, error)
  • UpdateGrantScopes(ctx, grantID, scopes, accounts) error
  • UpdateGrantLastUsed(ctx, grantID) error
  • SuspendGrant(ctx, grantID) error
  • ReactivateGrant(ctx, grantID) error
  • CountActiveGrants(ctx) (int64, error)

4.6 Account Actions (Extend Existing)

  • CreateAccount(ctx, params) (*AccountResult, error)
  • ListAccountsByChain(ctx, chainID) ([]AccountResult, error)
  • GetDefaultAccount(ctx, chainID) (*AccountResult, error)
  • SetDefaultAccount(ctx, accountID, chainID) error
  • UpdateAccountLabel(ctx, accountID, label) error
  • DeleteAccount(ctx, accountID) error

4.7 Credential Actions (Extend Existing)

  • CreateCredential(ctx, params) (*CredentialResult, error)
  • UpdateCredentialCounter(ctx, credentialID, signCount) error
  • RenameCredential(ctx, credentialID, name) error
  • DeleteCredential(ctx, credentialID) error
  • CountCredentialsByDID(ctx) (int64, error)

4.8 Session Actions (Extend Existing)

  • GetSessionByID(ctx, sessionID) (*SessionResult, error)
  • GetCurrentSession(ctx) (*SessionResult, error)
  • UpdateSessionActivity(ctx, sessionID) error
  • SetCurrentSession(ctx, sessionID) error
  • DeleteExpiredSessions(ctx) error

4.9 Sync Checkpoint Actions

  • GetSyncCheckpoint(ctx, resourceType) (*SyncCheckpointResult, error)
  • UpsertSyncCheckpoint(ctx, params) error
  • ListSyncCheckpoints(ctx) ([]SyncCheckpointResult, error)

5. MPC Key Share Management

Reference: MIGRATION.md lines 823-824

5.1 Key Share Storage

  • Parse key share data from MPC protocol - KeyShareInput in generate
  • Store public key and chain code - CreateKeyShare action
  • Track party index and threshold - stored in key_shares table
  • Encrypt share data before storage - PRF key derivation needed

5.2 Account Derivation

  • Basic address derivation from public key - deriveCosmosAddress()
  • Create initial account during generate - createInitialAccount()
  • Implement BIP44 derivation path parsing
  • Support multiple chains (Cosmos 118, Ethereum 60)
  • Generate proper bech32 address encoding per chain

5.3 Key Rotation

  • Implement key rotation workflow - RotateKeyShare action
  • Archive old shares - ArchiveKeyShare action
  • Status transitions - managed in database
  • Handle rotation failures gracefully

6. Plugin Function Extensions

Reference: main.go

6.1 Extend exec Resource Handlers

  • Add key_shares resource handler (list, get, rotate, archive, delete)
  • Add ucans resource handler (v1.0.0-rc.1 delegations - list, get, revoke, verify, cleanup)
  • Add delegations resource handler (v1.0.0-rc.1 - list, list_received, list_command, get, revoke, verify)
  • Add invocations resource handler (v1.0.0-rc.1)
  • Add verification_methods resource handler (list, get, delete)
  • Add services resource handler (list, get, get_by_id)
  • Add sync_checkpoints resource handler

6.2 Extend generate Function

  • Accept optional MPC keyshare data in input
  • Create initial keyshare if provided
  • Create initial account from keyshare
  • Parse WebAuthn credential properly (CBOR/COSE format)
  • Extract public key from credential
  • Create initial verification method
  • Create initial credential record

6.3 Signing Function

  • Implement sign wasmexport function
  • Support signing with MPC key shares
  • Return signature in appropriate format
  • Log signing operations for audit

7. Capability Delegation (v1.0.0-rc.1)

Reference: UCAN Delegation specification

7.1 Delegation Chain Management

  • Enforce maximum delegation depth (prevent infinite chains)
  • Validate delegator has capability to delegate (sub field)
  • Ensure proper capability attenuation (cmd + pol)
  • Track parent-child relationships via CID references

7.2 Policy Attenuation

  • Child policy must be more restrictive than parent
  • Implement policy subsumption checking
  • Command hierarchy validation (/crud/* subsumes /crud/read)

7.3 Delegation Status

  • Implement expiration checking
  • Handle revocation cascades (revoke chain)
  • Update status on expiry

8. DID State Sync

Reference: MIGRATION.md line 827

8.1 Sync Infrastructure

  • Create internal/enclave/sync.go - DID state sync logic
  • Implement checkpoint tracking
  • Store last synced block height
  • Track last processed transaction hash

8.2 Sync Operations

  • Fetch DID document updates from chain
  • Validate on-chain document hash
  • Update local state on changes
  • Handle reorgs and rollbacks

9. TypeScript SDK

Reference: README.md, src/ directory

9.1 Core SDK

  • Implement createEnclave(wasmPath) factory
  • Implement generate(credential) wrapper
  • Implement load(database) wrapper
  • Implement exec(filter, token?) wrapper
  • Implement query(did?) wrapper

9.2 UCAN SDK (v1.0.0-rc.1)

  • Delegation builder using src/ucan.ts types
  • Invocation builder
  • Policy builder helpers
  • Envelope encoding/decoding (DAG-CBOR)
  • CID computation

9.3 WebAuthn Integration

  • Helper for credential creation
  • Helper for PRF extension output
  • Proper encoding/decoding utilities

10. Testing

10.1 Unit Tests

  • Test all ActionManager methods
  • Test serialization/deserialization roundtrip
  • Test encryption/decryption
  • Test UCAN policy evaluation
  • Test UCAN envelope encoding

10.2 Integration Tests

  • Test full generate -> load -> exec flow
  • Test credential lifecycle
  • Test session management
  • Test grant management
  • Test UCAN delegation chain

10.3 Plugin Tests

  • Extend make test-plugin with all functions
  • Add error case testing
  • Test with various input formats

10.4 Interoperability Tests

  • Go <-> TypeScript UCAN envelope compatibility
  • CID computation consistency
  • Policy evaluation consistency

11. Security Hardening

11.1 Input Validation

  • Validate all JSON inputs against schemas
  • Sanitize SQL-sensitive characters in serialization
  • Validate DID format on all inputs
  • Validate base64 encoding

11.2 Cryptographic Security

  • Use constant-time comparison for sensitive data
  • Clear sensitive data from memory after use
  • Validate key sizes and formats
  • Implement proper nonce generation

11.3 Access Control

  • Enforce DID ownership on all mutations
  • Validate session before sensitive operations
  • Check grant scopes before data access
  • Log security-relevant operations

Priority Order

  1. CRITICAL (Spec Compliance) - Complete

    • UCAN v1.0.0-rc.1 Migration (Section 1) All core items complete
    • Core data structures (1.1) Using go-ucan v1.1.0
    • Envelope format (1.2) Handled by go-ucan
    • Delegation operations (1.3) DelegationBuilder complete
    • Invocation operations (1.4) InvocationBuilder complete
    • Database integration (1.8) Schema, queries, and actions complete
    • MPC signing integration (1.9) - Next priority

  2. High Priority (Core Functionality) - Mostly Complete

    • Database Serialization (3.1, 3.2) Native SQLite serdes
    • Credential Actions (4.7) All CRUD operations
    • Key Share Actions (4.1) All operations
    • Account Actions (4.6) All operations
    • Delegation Loader for go-ucan (1.6) - Remaining
    • Invocations exec handler (6.1) - Remaining

  3. Medium Priority (Authorization) - Partially Complete

    • Revocation checker for go-ucan (1.7) - Remaining
    • MPC Signing (1.9) - Remaining
    • Encryption Strategy (2.1, 2.2, 2.3) Complete

  4. Lower Priority (Enhancement)

    • TypeScript SDK (9.x)
    • DID State Sync (8.x)
    • Sync checkpoints handler (6.1)
    • Testing (10.x)
    • Security Hardening (11.x)

Completed Items

Encryption & Serialization (January 2025)

Full encryption layer and native SQLite serialization implemented:

  • internal/enclave/crypto.go - WebAuthn PRF key derivation

    • DeriveEncryptionKey() using HKDF with SHA-256
    • DeriveKeyWithContext() for purpose-specific keys
    • AES-256-GCM encryption/decryption (Encrypt, Decrypt)
    • EncryptBytes() / DecryptBytes() convenience functions
    • SecureZero() for memory clearing

  • internal/enclave/enclave.go - Encrypted database wrapper

    • Enclave struct wrapping Keybase with encryption
    • SerializeEncrypted() / LoadEncrypted() methods
    • Export() / Import() with EncryptedBundle
    • FromExisting() to wrap existing keybase

  • internal/keybase/conn.go - Native SQLite serialization

    • Serialize() using serdes.Serialize() from ncruces/go-sqlite3
    • Load() using serdes.Deserialize()
    • RestoreFromDump() for encrypted bundle loading

Action Manager Extensions (January 2025)

All CRUD action handlers completed for remaining entities:

  • internal/keybase/actions_verification.go

    • CreateVerificationMethod, ListVerificationMethodsFull
    • GetVerificationMethod, DeleteVerificationMethod

  • internal/keybase/actions_service.go

    • CreateService, GetServiceByOrigin, GetServiceByID
    • UpdateService, ListVerifiedServices

  • internal/keybase/actions_grant.go

    • CreateGrant, GetGrantByService, UpdateGrantScopes
    • UpdateGrantLastUsed, SuspendGrant, ReactivateGrant, CountActiveGrants

  • internal/keybase/actions_credential.go

    • CreateCredential, UpdateCredentialCounter, RenameCredential
    • DeleteCredential, CountCredentialsByDID

  • internal/keybase/actions_session.go

    • GetSessionByID, GetCurrentSession, UpdateSessionActivity
    • SetCurrentSession, DeleteExpiredSessions

Plugin Exec Handlers (January 2025)

Extended exec function with new resource handlers:

  • key_shares - list, get, rotate, archive, delete
  • verification_methods - list, get, delete
  • services - list, get, get_by_id

UCAN v1.0.0-rc.1 Database Integration (January 2025)

Schema and action handlers for storing/querying UCAN delegations and invocations:

  • internal/migrations/schema.sql - v1.0.0-rc.1 tables

    • ucan_delegations - CID-indexed delegation storage with envelope BLOB
    • ucan_invocations - CID-indexed invocation storage with execution tracking
    • ucan_revocations - Revocation records with reason and invocation CID
    • Updated grants table to use delegation_cid instead of ucan_id

  • internal/migrations/query.sql - CID-based queries

    • Delegation CRUD: Create, Get by CID, List by DID/Issuer/Audience/Subject/Command
    • Invocation CRUD: Create, Get by CID, List by DID/Issuer/Command, Mark executed
    • Revocation: Create, Check revoked, Get revocation, List by revoker

  • internal/keybase/actions_delegation.go - Delegation action handlers

    • StoreDelegation, GetDelegationByCID, GetDelegationEnvelope
    • ListDelegations, ListDelegationsByIssuer, ListDelegationsByAudience
    • ListDelegationsForCommand, IsDelegationRevoked, RevokeDelegation
    • DeleteDelegation, CleanExpiredDelegations

  • internal/keybase/actions_invocation.go - Invocation action handlers

    • StoreInvocation, GetInvocationByCID, GetInvocationEnvelope
    • ListInvocations, ListInvocationsByCommand, ListPendingInvocations
    • MarkInvocationExecuted, CleanOldInvocations

  • main.go - Updated exec handlers for v1.0.0-rc.1

    • executeUCANAction uses delegation methods (list, get, revoke, verify, cleanup)
    • executeDelegationAction uses CID-based methods (list by issuer/audience/command)
    • validateUCAN uses IsDelegationRevoked instead of old IsUCANRevoked

  • Deleted old action files

    • internal/keybase/actions_ucan.go - Old JWT-based UCAN actions
    • internal/keybase/actions_delegation.go - Old ID-based delegation actions

UCAN v1.0.0-rc.1 Core (January 2025)

The following was completed using github.com/ucan-wg/go-ucan v1.1.0:

  • Type re-exports from go-ucan (Delegation, Invocation, Command, Policy)
  • Sonr command constants (/vault/, /did/, /dwn/*)
  • DelegationBuilder fluent API with Sonr-specific helpers
  • InvocationBuilder fluent API with Sonr-specific helpers
  • PolicyBuilder fluent API with all operators
  • Sonr policy helpers (VaultPolicy, DIDPolicy, ChainPolicy)
  • ValidationError types matching TypeScript definitions
  • Capability, ExecutionResult, and related types

Deleted (Deprecated JWT-based)

  • Deleted jwt.go - Old JWT token handling
  • Deleted capability.go - Old Attenuation/Resource/Capability model
  • Deleted verifier.go - Old JWT verification
  • Deleted source.go - Old JWT token creation
  • Deleted internal/crypto/mpc/spec/ - Old MPC JWT integration
  • Removed github.com/golang-jwt/jwt/v5 dependency

Deprecated Items (Removed)

The following items from the previous TODO have been removed as they reference the deprecated JWT-based UCAN format:

  • Section 4.1 "Token Validation" - JWT parsing -> Replaced by go-ucan validation
  • Section 4.2 "Capability Verification" - can/with format -> Replaced by policy evaluation
  • Section 4.3 "Proof Chain Validation" - JWT proof strings -> Replaced by CID-based chain
  • Section 3.2 "UCAN Token Actions" - Old format -> Replaced by v1.0.0-rc.1 actions (4.2)
  • Section 3.3 "Delegation Actions" - Old delegation model -> Merged into Section 1 and 4.2

The old capability model (Attenuation, Resource, Capability interfaces) is replaced by:

  • sub (DID) - Subject of the capability
  • cmd (Command) - Action being delegated
  • pol (Policy) - Constraints on invocation arguments
Reference in New Issue View Git Blame Copy Permalink