@ixo/editor 3.0.0-beta.2 → 3.0.0-beta.21

package/dist/chunk-3RYZSIC2.mjs

@@ -0,0 +1,3020 @@
+// src/core/lib/actionRegistry/registry.ts
+var actions = /* @__PURE__ */ new Map();
+function registerAction(definition) {
+  actions.set(definition.type, definition);
+}
+function getAction(type) {
+  return actions.get(type);
+}
+function getAllActions() {
+  return Array.from(actions.values());
+}
+function hasAction(type) {
+  return actions.has(type);
+}
+
+// src/core/lib/actionRegistry/adapters.ts
+function buildServicesFromHandlers(handlers) {
+  return {
+    http: {
+      request: async (params) => {
+        const fetchOptions = {
+          method: params.method,
+          headers: { "Content-Type": "application/json", ...params.headers }
+        };
+        if (params.method !== "GET" && params.body) {
+          fetchOptions.body = typeof params.body === "string" ? params.body : JSON.stringify(params.body);
+        }
+        const res = await fetch(params.url, fetchOptions);
+        const data = await res.json().catch(() => ({}));
+        const responseHeaders = {};
+        res.headers.forEach((value, key) => {
+          responseHeaders[key] = value;
+        });
+        return {
+          status: res.status,
+          headers: responseHeaders,
+          data
+        };
+      }
+    },
+    email: handlers?.sendEmail ? {
+      send: async (params) => {
+        const result = await handlers.sendEmail(params);
+        return {
+          messageId: result.id || "",
+          sentAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+    } : void 0,
+    notify: handlers?.sendNotification ? {
+      send: async (params) => {
+        const result = await handlers.sendNotification(params);
+        return {
+          messageId: result.messageId,
+          sentAt: result.timestamp || (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+    } : void 0,
+    bid: handlers?.submitBid && handlers?.approveBid && handlers?.rejectBid && handlers?.approveServiceAgentApplication && handlers?.approveEvaluatorApplication ? {
+      submitBid: async (params) => handlers.submitBid(params),
+      approveBid: async (params) => handlers.approveBid(params),
+      rejectBid: async (params) => handlers.rejectBid(params),
+      approveServiceAgentApplication: async (params) => handlers.approveServiceAgentApplication(params),
+      approveEvaluatorApplication: async (params) => handlers.approveEvaluatorApplication(params)
+    } : void 0,
+    claim: handlers?.requestPin && handlers?.submitClaim && handlers?.evaluateClaim && handlers?.getCurrentUser ? {
+      requestPin: async (config) => handlers.requestPin(config),
+      submitClaim: async (params) => handlers.submitClaim(params),
+      evaluateClaim: async (granteeAddress, did, payload) => handlers.evaluateClaim(granteeAddress, did, payload),
+      getCurrentUser: () => handlers.getCurrentUser(),
+      createUdid: handlers?.createUdid ? async (params) => handlers.createUdid(params) : void 0
+    } : void 0,
+    matrix: handlers?.storeMatrixCredential ? {
+      storeCredential: async (params) => handlers.storeMatrixCredential(params)
+    } : void 0
+  };
+}
+
+// src/core/lib/actionRegistry/actions/httpRequest.ts
+registerAction({
+  type: "http.request",
+  sideEffect: false,
+  defaultRequiresConfirmation: false,
+  run: async (inputs, ctx) => {
+    const { url, method = "GET", headers = {}, body } = inputs;
+    const requestFn = ctx.services.http?.request;
+    if (requestFn) {
+      const result = await requestFn({ url, method, headers, body });
+      return {
+        output: {
+          status: result.status,
+          data: result.data,
+          response: JSON.stringify(result.data, null, 2)
+        }
+      };
+    }
+    const fetchOptions = {
+      method,
+      headers: { "Content-Type": "application/json", ...headers }
+    };
+    if (method !== "GET" && body) {
+      fetchOptions.body = typeof body === "string" ? body : JSON.stringify(body);
+    }
+    const response = await fetch(url, fetchOptions);
+    const data = await response.json().catch(() => ({}));
+    return {
+      output: {
+        status: response.status,
+        data,
+        response: JSON.stringify(data, null, 2)
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/emailSend.ts
+registerAction({
+  type: "email.send",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "email/send",
+  outputSchema: [
+    { path: "messageId", displayName: "Message ID", type: "string", description: "The unique ID of the sent email" },
+    { path: "sentAt", displayName: "Sent At", type: "string", description: "Timestamp when the email was sent" }
+  ],
+  run: async (inputs, ctx) => {
+    if (!ctx.services.email) {
+      throw new Error("Email service not configured");
+    }
+    const { to, subject, template, templateName, templateVersion, variables, cc, bcc, replyTo } = inputs;
+    const resolvedTemplate = template || templateName;
+    if (!resolvedTemplate) throw new Error("No template selected");
+    if (!to) throw new Error("Recipient (to) is required");
+    let resolvedVariables = variables;
+    if (typeof resolvedVariables === "string") {
+      try {
+        resolvedVariables = JSON.parse(resolvedVariables);
+      } catch {
+        resolvedVariables = {};
+      }
+    }
+    const result = await ctx.services.email.send({
+      to,
+      subject,
+      template: resolvedTemplate,
+      templateVersion,
+      variables: resolvedVariables,
+      cc,
+      bcc,
+      replyTo
+    });
+    return {
+      output: {
+        messageId: result.messageId,
+        sentAt: result.sentAt || (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/humanCheckbox.ts
+registerAction({
+  type: "human.checkbox.set",
+  sideEffect: true,
+  defaultRequiresConfirmation: false,
+  requiredCapability: "flow/execute",
+  run: async (inputs) => {
+    const checked = inputs.checked !== void 0 ? !!inputs.checked : true;
+    return { output: { checked } };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/humanForm.ts
+function normalizeAnswers(rawAnswers) {
+  if (rawAnswers == null) {
+    return {};
+  }
+  if (typeof rawAnswers === "string") {
+    try {
+      const parsed = JSON.parse(rawAnswers);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error();
+      }
+      return parsed;
+    } catch {
+      throw new Error("answers must be a valid JSON object");
+    }
+  }
+  if (typeof rawAnswers !== "object" || Array.isArray(rawAnswers)) {
+    throw new Error("answers must be an object");
+  }
+  return rawAnswers;
+}
+function registerFormSubmitAction(type) {
+  registerAction({
+    type,
+    sideEffect: true,
+    defaultRequiresConfirmation: false,
+    requiredCapability: "flow/execute",
+    outputSchema: [
+      { path: "form.answers", displayName: "Form Answers JSON", type: "string", description: "JSON stringified form answers, matching form block runtime output." },
+      { path: "answers", displayName: "Form Answers", type: "object", description: "Parsed form answers object for convenience." }
+    ],
+    run: async (inputs) => {
+      const answers = normalizeAnswers(inputs.answers ?? inputs.form?.answers);
+      const answersJson = JSON.stringify(answers);
+      return {
+        output: {
+          form: {
+            answers: answersJson
+          },
+          answers
+        }
+      };
+    }
+  });
+}
+registerFormSubmitAction("form.submit");
+registerFormSubmitAction("human.form.submit");
+
+// src/core/lib/actionRegistry/actions/notificationPush.ts
+registerAction({
+  type: "notification.push",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "notify/send",
+  run: async (inputs, ctx) => {
+    if (!ctx.services.notify) {
+      throw new Error("Notification service not configured");
+    }
+    const { channel, to, cc, bcc, subject, body, bodyType, from, replyTo } = inputs;
+    if (!to || Array.isArray(to) && to.length === 0) {
+      throw new Error("At least one recipient is required");
+    }
+    const result = await ctx.services.notify.send({
+      channel,
+      to: Array.isArray(to) ? to : [to],
+      cc,
+      bcc,
+      subject,
+      body,
+      bodyType,
+      from,
+      replyTo
+    });
+    return {
+      output: {
+        messageId: result.messageId,
+        sentAt: result.sentAt || (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/bid.ts
+function normalizeBidRole(role) {
+  const normalized = String(role || "").trim().toLowerCase();
+  if (normalized === "service_agent" || normalized === "sa") return "SA";
+  if (normalized === "evaluation_agent" || normalized === "ea") return "EA";
+  throw new Error("Invalid bid role. Expected service_agent or evaluation_agent");
+}
+registerAction({
+  type: "bid",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "bidId", displayName: "Bid ID", type: "string", description: "The submitted bid identifier" },
+    { path: "collectionId", displayName: "Collection ID", type: "string", description: "Claim collection identifier" },
+    { path: "role", displayName: "Role", type: "string", description: "Submitted role (service_agent or evaluation_agent)" },
+    { path: "submitterDid", displayName: "Submitter DID", type: "string", description: "Actor DID that submitted the bid" },
+    { path: "deedDid", displayName: "Deed DID", type: "string", description: "Deed identifier if provided" }
+  ],
+  run: async (inputs, ctx) => {
+    const service = ctx.services.bid;
+    if (!service) {
+      throw new Error("Bid service not configured");
+    }
+    const collectionId = String(inputs.collectionId || "").trim();
+    const roleInput = String(inputs.role || "").trim();
+    let surveyAnswers = inputs.surveyAnswers;
+    const deedDid = String(inputs.deedDid || "").trim();
+    if (!collectionId) throw new Error("collectionId is required");
+    if (!roleInput) throw new Error("role is required");
+    if (typeof surveyAnswers === "string") {
+      try {
+        surveyAnswers = JSON.parse(surveyAnswers);
+      } catch {
+        throw new Error("surveyAnswers must be a valid JSON object");
+      }
+    }
+    if (!surveyAnswers || typeof surveyAnswers !== "object" || Array.isArray(surveyAnswers)) {
+      throw new Error("surveyAnswers must be an object");
+    }
+    const chainRole = normalizeBidRole(roleInput);
+    const submission = await service.submitBid({
+      collectionId,
+      role: chainRole,
+      surveyAnswers
+    });
+    const bidId = String(submission?.claimId || submission?.bidId || submission?.id || "");
+    if (!bidId) {
+      throw new Error("submitBid returned no bid identifier");
+    }
+    return {
+      output: {
+        bidId,
+        collectionId,
+        role: roleInput,
+        submitterDid: ctx.actorDid || "",
+        deedDid
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/evaluateBid.ts
+function normalizeDecision(value) {
+  const normalized = String(value || "").trim().toLowerCase();
+  if (normalized === "approve" || normalized === "reject") {
+    return normalized;
+  }
+  throw new Error("decision must be either approve or reject");
+}
+function isServiceAgentRole(role) {
+  const normalized = String(role || "").trim().toLowerCase();
+  return normalized === "service_agent" || normalized === "sa";
+}
+function isEvaluationAgentRole(role) {
+  const normalized = String(role || "").trim().toLowerCase();
+  return normalized === "evaluation_agent" || normalized === "ea";
+}
+registerAction({
+  type: "evaluateBid",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "bidId", displayName: "Bid ID", type: "string", description: "Evaluated bid identifier" },
+    { path: "decision", displayName: "Decision", type: "string", description: "approve or reject" },
+    { path: "status", displayName: "Status", type: "string", description: "approved or rejected" },
+    { path: "evaluatedByDid", displayName: "Evaluated By DID", type: "string", description: "Actor DID that evaluated the bid" },
+    { path: "evaluatedAt", displayName: "Evaluated At", type: "string", description: "ISO timestamp of evaluation" },
+    { path: "reason", displayName: "Reason", type: "string", description: "Rejection reason when decision is reject" },
+    { path: "collectionId", displayName: "Collection ID", type: "string", description: "Claim collection identifier" },
+    { path: "role", displayName: "Role", type: "string", description: "Applicant role" },
+    { path: "deedDid", displayName: "Deed DID", type: "string", description: "Deed identifier" },
+    { path: "applicantDid", displayName: "Applicant DID", type: "string", description: "Applicant DID" },
+    { path: "applicantAddress", displayName: "Applicant Address", type: "string", description: "Applicant wallet address" }
+  ],
+  run: async (inputs, ctx) => {
+    const service = ctx.services.bid;
+    if (!service) {
+      throw new Error("Bid service not configured");
+    }
+    const decision = normalizeDecision(inputs.decision);
+    const bidId = String(inputs.bidId || "").trim();
+    const collectionId = String(inputs.collectionId || "").trim();
+    const deedDid = String(inputs.deedDid || "").trim();
+    const role = String(inputs.role || "").trim();
+    const applicantDid = String(inputs.applicantDid || "").trim();
+    const applicantAddress = String(inputs.applicantAddress || "").trim();
+    if (!bidId) throw new Error("bidId is required");
+    if (!collectionId) throw new Error("collectionId is required");
+    if (!deedDid) throw new Error("deedDid is required");
+    if (!role) throw new Error("role is required");
+    if (!applicantDid) throw new Error("applicantDid is required");
+    if (!applicantAddress) throw new Error("applicantAddress is required");
+    if (decision === "approve") {
+      const adminAddress = String(inputs.adminAddress || "").trim();
+      if (!adminAddress) {
+        throw new Error("adminAddress is required when decision is approve");
+      }
+      if (isServiceAgentRole(role)) {
+        await service.approveServiceAgentApplication({
+          adminAddress,
+          collectionId,
+          agentQuota: 30,
+          deedDid,
+          currentUserAddress: applicantAddress
+        });
+      } else if (isEvaluationAgentRole(role)) {
+        let maxAmounts = inputs.maxAmounts;
+        if (typeof maxAmounts === "string") {
+          try {
+            maxAmounts = JSON.parse(maxAmounts);
+          } catch {
+            throw new Error("maxAmounts must be valid JSON when provided");
+          }
+        }
+        await service.approveEvaluatorApplication({
+          adminAddress,
+          collectionId,
+          deedDid,
+          evaluatorAddress: applicantAddress,
+          agentQuota: 10,
+          maxAmounts: Array.isArray(maxAmounts) ? maxAmounts : void 0
+        });
+      } else {
+        throw new Error("Invalid role for evaluation. Expected service_agent or evaluation_agent");
+      }
+      await service.approveBid({
+        bidId,
+        collectionId,
+        did: applicantDid
+      });
+    } else {
+      const reason = String(inputs.reason || "").trim();
+      if (!reason) {
+        throw new Error("reason is required when decision is reject");
+      }
+      await service.rejectBid({
+        bidId,
+        collectionId,
+        did: deedDid,
+        reason
+      });
+    }
+    return {
+      output: {
+        bidId,
+        decision,
+        status: decision === "approve" ? "approved" : "rejected",
+        evaluatedByDid: ctx.actorDid || "",
+        evaluatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        reason: decision === "reject" ? String(inputs.reason || "") : "",
+        collectionId,
+        role,
+        deedDid,
+        applicantDid,
+        applicantAddress
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/claim.ts
+registerAction({
+  type: "claim",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "claimId", displayName: "Claim ID", type: "string", description: "The submitted claim identifier" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "Submission transaction hash" },
+    { path: "collectionId", displayName: "Collection ID", type: "string", description: "Claim collection identifier" },
+    { path: "deedDid", displayName: "Deed DID", type: "string", description: "Deed identifier" },
+    { path: "submittedByDid", displayName: "Submitted By DID", type: "string", description: "Actor DID that submitted the claim" },
+    { path: "submittedAt", displayName: "Submitted At", type: "string", description: "ISO timestamp of submission" }
+  ],
+  run: async (inputs, ctx) => {
+    const service = ctx.services.claim;
+    if (!service) {
+      throw new Error("Claim service not configured");
+    }
+    const deedDid = String(inputs.deedDid || "").trim();
+    const collectionId = String(inputs.collectionId || "").trim();
+    const adminAddress = String(inputs.adminAddress || "").trim();
+    if (!deedDid) throw new Error("deedDid is required");
+    if (!collectionId) throw new Error("collectionId is required");
+    if (!adminAddress) throw new Error("adminAddress is required");
+    let surveyAnswers = inputs.surveyAnswers;
+    if (typeof surveyAnswers === "string") {
+      try {
+        surveyAnswers = JSON.parse(surveyAnswers);
+      } catch {
+        throw new Error("surveyAnswers must be valid JSON");
+      }
+    }
+    if (!surveyAnswers || typeof surveyAnswers !== "object" || Array.isArray(surveyAnswers)) {
+      throw new Error("surveyAnswers must be an object");
+    }
+    let pin = String(inputs.pin || "").trim();
+    if (!pin) {
+      pin = await service.requestPin({
+        title: "Verify Identity",
+        description: "Enter your PIN to submit the claim",
+        submitText: "Verify"
+      });
+    }
+    if (!pin) {
+      throw new Error("PIN is required to submit claim");
+    }
+    const result = await service.submitClaim({
+      surveyData: surveyAnswers,
+      deedDid,
+      collectionId,
+      adminAddress,
+      pin
+    });
+    const claimId = String(result?.claimId || result?.id || "");
+    if (!claimId) {
+      throw new Error("submitClaim returned no claim identifier");
+    }
+    return {
+      output: {
+        claimId,
+        transactionHash: String(result?.transactionHash || ""),
+        collectionId,
+        deedDid,
+        submittedByDid: ctx.actorDid || "",
+        submittedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/evaluateClaim.ts
+function normalizeDecision2(value) {
+  const normalized = String(value || "").trim().toLowerCase();
+  if (normalized === "approve" || normalized === "reject") {
+    return normalized;
+  }
+  throw new Error("decision must be either approve or reject");
+}
+function toStatus(decision) {
+  return decision === "approve" ? 1 : 2;
+}
+function isEvaluatorRole(role) {
+  const normalized = String(role || "").trim().toLowerCase();
+  return normalized === "ea" || normalized === "evaluation_agent";
+}
+registerAction({
+  type: "evaluateClaim",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "claimId", displayName: "Claim ID", type: "string", description: "Evaluated claim identifier" },
+    { path: "decision", displayName: "Decision", type: "string", description: "approve or reject" },
+    { path: "status", displayName: "Status", type: "string", description: "approved or rejected" },
+    { path: "verificationProof", displayName: "Verification Proof", type: "string", description: "UDID URL proof if generated" },
+    { path: "collectionId", displayName: "Collection ID", type: "string", description: "Claim collection identifier" },
+    { path: "deedDid", displayName: "Deed DID", type: "string", description: "Deed identifier" },
+    { path: "evaluatedByDid", displayName: "Evaluated By DID", type: "string", description: "Actor DID that evaluated the claim" },
+    { path: "evaluatedAt", displayName: "Evaluated At", type: "string", description: "ISO timestamp of evaluation" }
+  ],
+  run: async (inputs, ctx) => {
+    const service = ctx.services.claim;
+    if (!service) {
+      throw new Error("Claim service not configured");
+    }
+    const decision = normalizeDecision2(inputs.decision);
+    const claimId = String(inputs.claimId || "").trim();
+    const collectionId = String(inputs.collectionId || "").trim();
+    const deedDid = String(inputs.deedDid || "").trim();
+    const adminAddress = String(inputs.adminAddress || "").trim();
+    if (!claimId) throw new Error("claimId is required");
+    if (!collectionId) throw new Error("collectionId is required");
+    if (!deedDid) throw new Error("deedDid is required");
+    if (!adminAddress) throw new Error("adminAddress is required");
+    const handlers = ctx.handlers;
+    const actorAddress = String(ctx.actorDid || service.getCurrentUser?.()?.address || "").trim();
+    if (!actorAddress) {
+      throw new Error("Unable to resolve actor address for evaluator authorization");
+    }
+    if (typeof handlers?.getUserRoles !== "function") {
+      throw new Error("Evaluator authorization check unavailable (getUserRoles handler missing)");
+    }
+    const roles = await handlers.getUserRoles({
+      userAddress: actorAddress,
+      adminAddress,
+      deedDid,
+      collectionIds: [collectionId]
+    });
+    const roleForCollection = Array.isArray(roles) ? roles.find((r) => r?.collectionId === collectionId)?.role : void 0;
+    if (!isEvaluatorRole(roleForCollection)) {
+      throw new Error("Not authorized: evaluator role required to evaluate claims for this collection");
+    }
+    let amount = inputs.amount;
+    if (typeof amount === "string" && amount.trim()) {
+      try {
+        amount = JSON.parse(amount);
+      } catch {
+        throw new Error("amount must be valid JSON when provided as string");
+      }
+    }
+    const normalizeCoin = (coin) => {
+      if (!coin || typeof coin !== "object" || Array.isArray(coin)) return null;
+      const denom = String(coin.denom || "").trim();
+      const tokenAmount = String(coin.amount || "").trim();
+      if (!denom || !tokenAmount) return null;
+      return { denom, amount: tokenAmount };
+    };
+    let normalizedAmounts;
+    if (Array.isArray(amount)) {
+      normalizedAmounts = amount.map(normalizeCoin).filter((coin) => !!coin);
+      if (normalizedAmounts.length !== amount.length) {
+        throw new Error("amount must contain valid coin objects with denom and amount");
+      }
+    } else if (amount != null) {
+      const coin = normalizeCoin(amount);
+      if (!coin) {
+        throw new Error("amount must be a coin object or an array of coin objects");
+      }
+      normalizedAmounts = [coin];
+    }
+    let verificationProof = String(inputs.verificationProof || "").trim();
+    const shouldCreateUdid = Boolean(inputs.createUdid);
+    if (!verificationProof && shouldCreateUdid && service.createUdid) {
+      const pin = await service.requestPin({
+        title: "Sign Evaluation Result",
+        description: "Enter your PIN to sign the evaluation UDID",
+        submitText: "Sign"
+      });
+      if (!pin) {
+        throw new Error("PIN is required to sign evaluation proof");
+      }
+      const udid = await service.createUdid({
+        claimCid: claimId,
+        deedDid,
+        collectionId,
+        capabilityCid: String(inputs.capabilityCid || deedDid),
+        rubricAuthority: String(inputs.rubricAuthority || deedDid),
+        rubricId: String(inputs.rubricId || deedDid),
+        outcome: toStatus(decision),
+        tag: decision === "approve" ? "approved" : "rejected",
+        issuerType: "user",
+        pin,
+        traceCid: inputs.traceCid,
+        items: inputs.items,
+        patch: inputs.patch
+      });
+      verificationProof = String(udid?.url || udid?.cid || "");
+    }
+    const currentUser = service.getCurrentUser();
+    const granteeAddress = String(inputs.granteeAddress || currentUser?.address || "").trim();
+    if (!granteeAddress) {
+      throw new Error("granteeAddress could not be resolved");
+    }
+    await service.evaluateClaim(granteeAddress, deedDid, {
+      claimId,
+      collectionId,
+      adminAddress,
+      status: toStatus(decision),
+      verificationProof,
+      amount: normalizedAmounts && normalizedAmounts.length > 0 ? normalizedAmounts.length === 1 ? normalizedAmounts[0] : normalizedAmounts : void 0
+    });
+    return {
+      output: {
+        claimId,
+        decision,
+        status: decision === "approve" ? "approved" : "rejected",
+        verificationProof,
+        collectionId,
+        deedDid,
+        evaluatedByDid: ctx.actorDid || granteeAddress,
+        evaluatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/proposalCreate.ts
+registerAction({
+  type: "proposal.create",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "proposalId", displayName: "Proposal ID", type: "string", description: "The on-chain proposal identifier" },
+    { path: "status", displayName: "Proposal Status", type: "string", description: "Current proposal status (open, passed, rejected, executed, etc.)" },
+    { path: "proposalContractAddress", displayName: "Proposal Contract Address", type: "string", description: "The proposal module contract address" },
+    { path: "coreAddress", displayName: "Core Address", type: "string", description: "The DAO core contract address" },
+    { path: "createdAt", displayName: "Created At", type: "string", description: "ISO timestamp of proposal creation" }
+  ],
+  run: async (inputs, ctx) => {
+    const handlers = ctx.handlers;
+    if (!handlers) {
+      throw new Error("Handlers not available");
+    }
+    const coreAddress = String(inputs.coreAddress || "").trim();
+    const title = String(inputs.title || "").trim();
+    const description = String(inputs.description || "").trim();
+    if (!coreAddress) throw new Error("coreAddress is required");
+    if (!title) throw new Error("title is required");
+    if (!description) throw new Error("description is required");
+    let actions2 = [];
+    if (inputs.actions) {
+      if (typeof inputs.actions === "string") {
+        try {
+          actions2 = JSON.parse(inputs.actions);
+        } catch {
+          throw new Error("actions must be valid JSON array");
+        }
+      } else if (Array.isArray(inputs.actions)) {
+        actions2 = inputs.actions;
+      }
+    }
+    const { preProposalContractAddress } = await handlers.getPreProposalContractAddress({
+      coreAddress
+    });
+    const { groupContractAddress } = await handlers.getGroupContractAddress({
+      coreAddress
+    });
+    const { proposalContractAddress } = await handlers.getProposalContractAddress({
+      coreAddress
+    });
+    const params = {
+      preProposalContractAddress,
+      title,
+      description,
+      actions: actions2.length > 0 ? actions2 : void 0,
+      coreAddress,
+      groupContractAddress
+    };
+    const proposalId = await handlers.createProposal(params);
+    return {
+      output: {
+        proposalId: String(proposalId),
+        status: "open",
+        proposalContractAddress: proposalContractAddress || "",
+        coreAddress,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/proposalVote.ts
+registerAction({
+  type: "proposal.vote",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "vote", displayName: "Vote", type: "string", description: "The vote cast (yes, no, no_with_veto, abstain)" },
+    { path: "rationale", displayName: "Rationale", type: "string", description: "Optional rationale provided with the vote" },
+    { path: "proposalId", displayName: "Proposal ID", type: "string", description: "The proposal that was voted on" },
+    { path: "votedAt", displayName: "Voted At", type: "string", description: "ISO timestamp of when the vote was cast" }
+  ],
+  run: async (inputs, ctx) => {
+    const handlers = ctx.handlers;
+    if (!handlers) {
+      throw new Error("Handlers not available");
+    }
+    const proposalId = Number(inputs.proposalId);
+    const vote = String(inputs.vote || "").trim();
+    const rationale = String(inputs.rationale || "").trim();
+    const proposalContractAddress = String(inputs.proposalContractAddress || "").trim();
+    if (!proposalId || isNaN(proposalId)) throw new Error("proposalId is required");
+    if (!vote) throw new Error("vote is required");
+    if (!proposalContractAddress) throw new Error("proposalContractAddress is required");
+    const validVotes = ["yes", "no", "no_with_veto", "abstain"];
+    if (!validVotes.includes(vote)) {
+      throw new Error(`vote must be one of: ${validVotes.join(", ")}`);
+    }
+    await handlers.vote({
+      proposalId,
+      vote,
+      rationale: rationale || void 0,
+      proposalContractAddress
+    });
+    return {
+      output: {
+        vote,
+        rationale: rationale || "",
+        proposalId: String(proposalId),
+        votedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/protocolSelect.ts
+registerAction({
+  type: "protocol.select",
+  sideEffect: false,
+  defaultRequiresConfirmation: false,
+  outputSchema: [
+    { path: "selectedProtocolDid", displayName: "Selected Protocol DID", type: "string", description: "DID of the selected protocol" },
+    { path: "selectedProtocolName", displayName: "Selected Protocol Name", type: "string", description: "Display name of the selected protocol" },
+    { path: "selectedProtocolType", displayName: "Selected Protocol Type", type: "string", description: "Type of the selected protocol" }
+  ],
+  run: async (inputs, _ctx) => {
+    const selectedProtocolDid = String(inputs.selectedProtocolDid || "").trim();
+    const selectedProtocolName = String(inputs.selectedProtocolName || "").trim();
+    const selectedProtocolType = String(inputs.selectedProtocolType || "").trim();
+    if (!selectedProtocolDid) throw new Error("selectedProtocolDid is required");
+    return {
+      output: {
+        selectedProtocolDid,
+        selectedProtocolName,
+        selectedProtocolType
+      }
+    };
+  }
+});
+
+// src/mantine/blocks/domainCreator/utils/buildVerifiableCredential.ts
+var DOMAIN_CARD_CONTEXT = [
+  "https://w3id.org/ixo/context/v1",
+  {
+    schema: "https://schema.org/",
+    ixo: "https://w3id.org/ixo/vocab/v1",
+    prov: "http://www.w3.org/ns/prov#",
+    proj: "http://www.w3.org/ns/project#",
+    id: "@id",
+    type: "@type",
+    "@protected": true
+  }
+];
+var DOMAIN_CARD_SCHEMA = {
+  id: "https://w3id.org/ixo/protocol/schema/v1#domainCard",
+  type: "JsonSchema"
+};
+function toISOString(dateInput, fallback = /* @__PURE__ */ new Date()) {
+  if (!dateInput) {
+    return fallback.toISOString();
+  }
+  if (dateInput instanceof Date) {
+    return dateInput.toISOString();
+  }
+  if (/^\d{4}-\d{2}-\d{2}$/.test(dateInput)) {
+    return (/* @__PURE__ */ new Date(dateInput + "T00:00:00.000Z")).toISOString();
+  }
+  if (/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}$/.test(dateInput)) {
+    return (/* @__PURE__ */ new Date(dateInput + ":00.000Z")).toISOString();
+  }
+  const parsed = new Date(dateInput);
+  if (!isNaN(parsed.getTime())) {
+    return parsed.toISOString();
+  }
+  return fallback.toISOString();
+}
+function getDefaultValidUntil(validFrom) {
+  const fromDate = new Date(validFrom);
+  const untilDate = new Date(fromDate);
+  untilDate.setFullYear(untilDate.getFullYear() + 5);
+  return untilDate.toISOString();
+}
+function buildVerifiableCredential(params) {
+  const { entityDid, issuerDid, credentialSubject, validFrom, validUntil } = params;
+  const validFromISO = toISOString(validFrom);
+  const validUntilISO = validUntil ? toISOString(validUntil) : getDefaultValidUntil(validFromISO);
+  return {
+    "@context": DOMAIN_CARD_CONTEXT,
+    id: `${entityDid}#dmn`,
+    type: ["VerifiableCredential", "ixo:DomainCard"],
+    issuer: {
+      id: issuerDid
+    },
+    validFrom: validFromISO,
+    validUntil: validUntilISO,
+    credentialSchema: DOMAIN_CARD_SCHEMA,
+    credentialSubject: {
+      ...credentialSubject,
+      // Ensure the subject ID matches the entity DID
+      id: entityDid
+    }
+  };
+}
+function buildDomainCardLinkedResource(params) {
+  return {
+    id: `${params.entityDid}#dmn`,
+    type: "domainCard",
+    proof: params.cid,
+    right: "",
+    encrypted: "false",
+    mediaType: "application/json",
+    description: params.description || "Domain Card",
+    serviceEndpoint: params.serviceEndpoint
+  };
+}
+
+// src/mantine/blocks/domainCreatorSign/utils/buildLinkedEntityResource.ts
+function parseLinkedEntities(entitiesString) {
+  if (!entitiesString || entitiesString === "[]") return [];
+  try {
+    return JSON.parse(entitiesString);
+  } catch {
+    return [];
+  }
+}
+function buildGovernanceGroupLinkedEntities(linkedEntities) {
+  return linkedEntities.filter((entity) => entity.type === "governanceGroup" && entity.coreAddress).map((entity) => ({
+    id: entity.coreAddress,
+    type: "group",
+    relationship: "governs",
+    service: ""
+  }));
+}
+
+// src/core/lib/actionRegistry/actions/domainSign.ts
+registerAction({
+  type: "domain.sign",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "entityDid", displayName: "Entity DID", type: "string", description: "The DID of the newly created domain entity" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "The on-chain transaction hash for domain creation" }
+  ],
+  run: async (inputs, ctx) => {
+    const handlers = ctx.handlers;
+    if (!handlers) {
+      throw new Error("Handlers not available");
+    }
+    if (!handlers.requestPin) throw new Error("requestPin handler not available");
+    if (!handlers.signCredential) throw new Error("signCredential handler not implemented");
+    if (!handlers.publicFileUpload) throw new Error("publicFileUpload handler not available");
+    if (!handlers.createDomain) throw new Error("createDomain handler not implemented");
+    let domainCardData;
+    if (typeof inputs.domainCardData === "string") {
+      try {
+        domainCardData = JSON.parse(inputs.domainCardData);
+      } catch {
+        throw new Error("domainCardData must be valid JSON");
+      }
+    } else if (inputs.domainCardData && typeof inputs.domainCardData === "object") {
+      domainCardData = inputs.domainCardData;
+    } else {
+      throw new Error("domainCardData is required");
+    }
+    if (!domainCardData?.credentialSubject?.name) {
+      throw new Error("domainCardData is missing or invalid (credentialSubject.name required)");
+    }
+    const extractEntityType = (type) => type.replace(/^schema:/i, "").toLowerCase();
+    const entityType = String(inputs.entityType || "").trim() || (domainCardData.credentialSubject?.type?.[0] ? extractEntityType(domainCardData.credentialSubject.type[0]) : "dao");
+    const issuerDid = handlers.getEntityDid?.() || handlers.getCurrentUser?.()?.address;
+    if (!issuerDid) throw new Error("Unable to determine issuer DID");
+    const entityDidPlaceholder = "did:ixo:entity:pending";
+    const validFrom = domainCardData.validFrom || (/* @__PURE__ */ new Date()).toISOString();
+    const validUntil = domainCardData.validUntil || (() => {
+      const d = /* @__PURE__ */ new Date();
+      d.setFullYear(d.getFullYear() + 100);
+      return d.toISOString();
+    })();
+    const credentialSubject = {
+      ...domainCardData.credentialSubject,
+      id: entityDidPlaceholder
+    };
+    const unsignedCredential = buildVerifiableCredential({
+      entityDid: entityDidPlaceholder,
+      issuerDid,
+      credentialSubject,
+      validFrom,
+      validUntil
+    });
+    const pin = await handlers.requestPin({
+      title: "Sign Domain Card",
+      description: "Enter your PIN to sign the Domain Card credential",
+      submitText: "Sign"
+    });
+    const { signedCredential } = await handlers.signCredential({
+      issuerDid,
+      issuerType: "user",
+      credential: unsignedCredential,
+      pin
+    });
+    const credentialBlob = new Blob([JSON.stringify(signedCredential, null, 2)], {
+      type: "application/json"
+    });
+    const credentialFile = new File([credentialBlob], "domainCard.json", {
+      type: "application/json"
+    });
+    const uploadResult = await handlers.publicFileUpload(credentialFile);
+    const domainCardLinkedResource = buildDomainCardLinkedResource({
+      entityDid: entityDidPlaceholder,
+      cid: uploadResult.cid,
+      serviceEndpoint: uploadResult.url,
+      description: `Domain Card for ${domainCardData.credentialSubject?.name || "Domain"}`
+    });
+    let linkedEntitiesData = [];
+    if (inputs.linkedEntities) {
+      if (typeof inputs.linkedEntities === "string") {
+        try {
+          linkedEntitiesData = JSON.parse(inputs.linkedEntities);
+        } catch {
+        }
+      } else if (Array.isArray(inputs.linkedEntities)) {
+        linkedEntitiesData = inputs.linkedEntities;
+      }
+    }
+    const governanceGroupLinkedEntities = buildGovernanceGroupLinkedEntities(parseLinkedEntities(JSON.stringify(linkedEntitiesData)));
+    const endDate = domainCardData.endDate || validUntil;
+    const { entityDid: newEntityDid, transactionHash } = await handlers.createDomain({
+      entityType,
+      linkedResource: [domainCardLinkedResource],
+      linkedEntity: governanceGroupLinkedEntities.length > 0 ? governanceGroupLinkedEntities : void 0,
+      startDate: validFrom,
+      endDate
+    });
+    return {
+      output: {
+        entityDid: newEntityDid,
+        transactionHash
+      }
+    };
+  }
+});
+
+// src/mantine/blocks/domainCreator/utils/transformSurveyToCredentialSubject.ts
+function extractPanelDynamicItems(surveyData, panelName, itemMapper) {
+  const items = surveyData[panelName];
+  if (!Array.isArray(items)) return [];
+  return items.map(itemMapper).filter((item) => item !== null);
+}
+function parseCommaSeparated(value) {
+  if (!value || typeof value !== "string") return [];
+  return value.split(",").map((s) => s.trim()).filter(Boolean);
+}
+function parseLanguageCodes(value) {
+  return parseCommaSeparated(value);
+}
+function buildImageObject(url) {
+  if (!url) return null;
+  return {
+    type: "schema:ImageObject",
+    id: url,
+    contentUrl: url
+  };
+}
+function transformSurveyToCredentialSubject(surveyData, entityDid) {
+  const types = [];
+  if (surveyData["type_1"]) types.push(`ixo:${surveyData["type_1"]}`);
+  if (surveyData["type_2"]) types.push(surveyData["type_2"]);
+  const additionalType = [];
+  if (surveyData["daoType"]) additionalType.push(surveyData["daoType"]);
+  const alternateNames = extractPanelDynamicItems(surveyData, "pannel_schema:alternateName", (item) => item["schema:alternateName"] || null);
+  const sameAsUrls = extractPanelDynamicItems(surveyData, "schema:sameAs", (item) => item["schema:sameAs.url"] || null);
+  const logoUrl = surveyData["ixo:imageLogo_url"] || surveyData["ixo:imageLogo"]?.[0]?.content;
+  const logo = buildImageObject(logoUrl);
+  const profileImageUrl = surveyData["ixo:imageProfile_url"] || surveyData["ixo:imageProfile"]?.[0]?.content;
+  const profileImage = buildImageObject(profileImageUrl);
+  const keywords = parseCommaSeparated(surveyData["schema:keywords"]);
+  const knowsAbout = extractPanelDynamicItems(surveyData, "pannel_ixo:knowsAbout", (item) => item["ixo:knowsAbout"] || null);
+  const hasAddressData = surveyData["schema:streetAddress"] || surveyData["schema:addressLocality"] || surveyData["schema:addressRegion"] || surveyData["schema:postalCode"] || surveyData["schema:addressCountry"];
+  const address = hasAddressData ? {
+    type: "schema:PostalAddress",
+    streetAddress: surveyData["schema:streetAddress"] || void 0,
+    addressLocality: surveyData["schema:addressLocality"] || void 0,
+    addressRegion: surveyData["schema:addressRegion"] || void 0,
+    postalCode: surveyData["schema:postalCode"] || void 0,
+    addressCountry: surveyData["schema:addressCountry"] || void 0
+  } : void 0;
+  const areaServed = surveyData["schema:AdministrativeArea"] ? {
+    type: "schema:AdministrativeArea",
+    name: surveyData["schema:AdministrativeArea"]
+  } : void 0;
+  const contactPoints = extractPanelDynamicItems(surveyData, "pannel:schema_contactPoint", (item) => {
+    if (!item["schema:contactType"] && !item["schema:email"] && !item["schema:telephone"]) return null;
+    return {
+      type: "schema:ContactPoint",
+      contactType: item["schema:contactType"] || "general",
+      email: item["schema:email"] || void 0,
+      telephone: item["schema:telephone"] || void 0,
+      availableLanguage: parseLanguageCodes(item["schema:availableLanguage"])
+    };
+  });
+  const hasParts = extractPanelDynamicItems(surveyData, "schema:hasPart", (item) => {
+    if (!item["schema:hasPart.name"] && !item["schema:hasPart.id"]) return null;
+    return {
+      type: "schema:CreativeWork",
+      id: item["schema:hasPart.id"] || void 0,
+      name: item["schema:hasPart.name"] || void 0,
+      description: item["schema:hasPart.description"] || void 0,
+      url: item["schema:hasPart.url"] || void 0,
+      creator: item["schema:hasPart.creator.name"] ? {
+        type: "schema:Organization",
+        name: item["schema:hasPart.creator.name"]
+      } : void 0
+    };
+  });
+  const subjectOf = extractPanelDynamicItems(surveyData, "schema:subjectOf", (item) => {
+    if (!item["schema:subjectOf.name"]) return null;
+    return {
+      type: "schema:CreativeWork",
+      name: item["schema:subjectOf.name"],
+      url: item["schema:subjectOf.url"] || void 0,
+      author: item["schema:subjectOf.author.name"] ? {
+        type: "schema:Organisation",
+        name: item["schema:subjectOf.author.name"]
+      } : void 0
+    };
+  });
+  const composition = hasParts.length > 0 || subjectOf.length > 0 ? {
+    type: "schema:Collection",
+    hasPart: hasParts.length > 0 ? hasParts : void 0,
+    subjectOf: subjectOf.length > 0 ? subjectOf : void 0
+  } : void 0;
+  const makesOffer = extractPanelDynamicItems(surveyData, "schema:makesOffer", (item) => {
+    if (!item["schema:itemOffered.name"]) return null;
+    return {
+      type: "schema:Offer",
+      itemOffered: {
+        type: item["schema:itemOffered.type"] === "service" ? "schema:Service" : "schema:Product",
+        name: item["schema:itemOffered.name"] || void 0,
+        description: item["schema:itemOffered.description"] || void 0,
+        url: item["schema:itemOffered.url"] || void 0
+      }
+    };
+  });
+  const memberOf = extractPanelDynamicItems(surveyData, "schema:memberOf", (item) => {
+    if (!item["schema:memberOf.name"]) return null;
+    return {
+      type: "schema:Organization",
+      name: item["schema:memberOf.name"]
+    };
+  });
+  const wasAssociatedWith = extractPanelDynamicItems(surveyData, "schema:wasAssociatedWith", (item) => {
+    if (!item["schema:wasAssociatedWith.name"]) return null;
+    return {
+      type: "schema:Organization",
+      name: item["schema:wasAssociatedWith.name"],
+      url: item["schema:wasAssociatedWith.url"] || void 0
+    };
+  });
+  const funding = extractPanelDynamicItems(surveyData, "schema:funding", (item) => {
+    if (!item["schema:funder.name"]) return null;
+    return {
+      type: "schema:MonetaryGrant",
+      funder: {
+        type: "schema:Organization",
+        name: item["schema:funder.name"]
+      },
+      amount: item["schema:amount.value"] || item["schema:amount.currency"] ? {
+        type: "schema:MonetaryAmount",
+        currency: item["schema:amount.currency"] || "USD",
+        value: item["schema:amount.value"] || "0"
+      } : void 0
+    };
+  });
+  const relationships = memberOf.length > 0 || wasAssociatedWith.length > 0 || funding.length > 0 ? {
+    memberOf: memberOf.length > 0 ? memberOf : void 0,
+    "prov:wasAssociatedWith": wasAssociatedWith.length > 0 ? wasAssociatedWith : void 0,
+    funding: funding.length > 0 ? funding : void 0
+  } : void 0;
+  const agents = extractPanelDynamicItems(surveyData, "ixo:agentCard", (item) => {
+    if (!item["ixo:agentCard.name"] && !item["ixo:agentCard.id"]) return null;
+    return {
+      type: "ixo:AgentCard",
+      id: item["ixo:agentCard.id"] || void 0,
+      name: item["ixo:agentCard.name"] || void 0,
+      description: item["ixo:agentCard.description"] || void 0
+    };
+  });
+  const credentials = extractPanelDynamicItems(surveyData, "ixo:verifiableCredential", (item) => {
+    if (!item["schema:Name"] && !item["schema:ID"]) return null;
+    return {
+      type: "VerifiableCredential",
+      id: item["schema:ID"] || void 0,
+      name: item["schema:Name"] || void 0,
+      description: item["schema:description"] || void 0
+    };
+  });
+  const attributes = extractPanelDynamicItems(surveyData, "ixo:attribute", (item) => {
+    if (!item["schema:name_2"]) return null;
+    return {
+      "@type": "ixo:Attribute",
+      "@id": item["schema:ID_2"] || `attribute:${item["schema:name_2"].replace(/\s+/g, "_").toLowerCase()}`,
+      name: item["schema:name_2"],
+      value: item["schema:description_2"] || ""
+    };
+  });
+  const projects = extractPanelDynamicItems(surveyData, "pannel_proj:project", (item) => {
+    if (!item["proj:project.name"]) return null;
+    const objectives = extractPanelDynamicItems(item, "proj:project.hadObjective", (objItem) => objItem["proj:hadObjective"] || null);
+    const projectFunding = extractPanelDynamicItems(item, "proj:wasFundedThrough", (fundItem) => ({
+      type: "proj:FundingAssociation",
+      moneyAmount: fundItem["proj:moneyAmount"] || void 0,
+      moneyCurrency: fundItem["proj:moneyCurrency"] || void 0,
+      agent: fundItem["prov.agent.name"] || fundItem["prov:agent.id"] ? {
+        type: "prov:Agent",
+        id: fundItem["prov:agent.id"] || void 0,
+        name: fundItem["prov.agent.name"] || void 0
+      } : void 0
+    }));
+    return {
+      type: "proj:Project",
+      name: item["proj:project.name"],
+      description: item["proj:project.description"] || void 0,
+      hadObjective: objectives.length > 0 ? objectives : void 0,
+      plannedStart: item["proj:plannedStart"] || void 0,
+      plannedEnd: item["proj:plannedEnd"] || void 0,
+      wasFundedThrough: projectFunding.length > 0 ? projectFunding : void 0
+    };
+  });
+  const project = projects.length > 0 ? projects[0] : void 0;
+  const seedQueries = extractPanelDynamicItems(surveyData, "ixo:ResearchProfile", (item) => item["ixo:seedQueries"] || null);
+  const citations = extractPanelDynamicItems(surveyData, "schema:creativeWork", (item) => {
+    if (!item["schema:creativeWork.name"]) return null;
+    return {
+      type: "schema:CreativeWork",
+      name: item["schema:creativeWork.name"],
+      url: item["schema:creativeWork.url"] || void 0,
+      publisher: item["schema:creativeWork.publisher"] || void 0,
+      datePublished: item["schema:creativeWork.datePublished"] || void 0
+    };
+  });
+  const researchProfile = seedQueries.length > 0 || citations.length > 0 ? {
+    type: "ixo:ResearchProfile",
+    "ixo:seedQueries": seedQueries.length > 0 ? seedQueries : void 0,
+    citation: citations.length > 0 ? citations : void 0,
+    dateModified: (/* @__PURE__ */ new Date()).toISOString()
+  } : void 0;
+  const credentialSubject = {
+    id: entityDid,
+    type: types.length > 0 ? types : ["ixo:dao"],
+    name: surveyData["schema:name"] || "",
+    description: surveyData["schema.description"] || ""
+  };
+  if (additionalType.length > 0) credentialSubject.additionalType = additionalType;
+  if (alternateNames.length > 0) credentialSubject.alternateName = alternateNames;
+  if (surveyData["schema:url"]) credentialSubject.url = surveyData["schema:url"];
+  if (sameAsUrls.length > 0) credentialSubject.sameAs = sameAsUrls;
+  if (logo) credentialSubject.logo = logo;
+  if (profileImage) credentialSubject.image = [profileImage];
+  if (keywords.length > 0) credentialSubject.keywords = keywords;
+  if (knowsAbout.length > 0) credentialSubject.knowsAbout = knowsAbout;
+  if (address) credentialSubject.address = address;
+  if (areaServed) credentialSubject.areaServed = areaServed;
+  if (contactPoints.length > 0) credentialSubject.contactPoint = contactPoints;
+  if (composition) credentialSubject.composition = composition;
+  if (makesOffer.length > 0) credentialSubject.makesOffer = makesOffer;
+  if (relationships) credentialSubject.relationships = relationships;
+  if (agents.length > 0) credentialSubject.agents = agents;
+  if (credentials.length > 0) credentialSubject.credentials = credentials;
+  if (attributes.length > 0) credentialSubject.attributes = attributes;
+  if (project) credentialSubject.project = project;
+  if (researchProfile) credentialSubject.researchProfile = researchProfile;
+  return credentialSubject;
+}
+
+// src/mantine/blocks/domainCreator/utils/extractSurveyAnswersTemplate.ts
+function extractFieldsFromElements(elements, fields) {
+  for (const element of elements) {
+    if (element.type === "panel" && element.elements) {
+      extractFieldsFromElements(element.elements, fields);
+      continue;
+    }
+    if (element.type === "paneldynamic" && element.name) {
+      fields[element.name] = [];
+      if (element.templateElements) {
+        extractFieldsFromElements(element.templateElements, fields);
+      }
+      continue;
+    }
+    if (element.name && element.type !== "panel") {
+      switch (element.type) {
+        case "boolean":
+          fields[element.name] = false;
+          break;
+        case "checkbox":
+          fields[element.name] = [];
+          break;
+        case "file":
+          fields[element.name] = [];
+          break;
+        default:
+          fields[element.name] = "";
+      }
+    }
+    if (element.elements) {
+      extractFieldsFromElements(element.elements, fields);
+    }
+  }
+}
+function extractSurveyAnswersTemplate(surveyDef) {
+  const fields = {};
+  for (const page of surveyDef.pages) {
+    extractFieldsFromElements(page.elements, fields);
+  }
+  return fields;
+}
+
+// src/core/lib/actionRegistry/actions/domainCreate.ts
+registerAction({
+  type: "domain.create",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "entityDid", displayName: "Entity DID", type: "string", description: "The created domain entity DID" },
+    { path: "transactionHash", displayName: "Transaction Hash", type: "string", description: "Blockchain transaction hash" },
+    { path: "credentialId", displayName: "Credential ID", type: "string", description: "The uploaded domain card credential identifier (CID)" },
+    { path: "entityType", displayName: "Entity Type", type: "string", description: "The type of domain entity created" }
+  ],
+  run: async (inputs, ctx) => {
+    const handlers = ctx.handlers;
+    if (!handlers) throw new Error("Handlers not available");
+    if (!handlers.signCredential) throw new Error("signCredential handler not implemented");
+    if (!handlers.publicFileUpload) throw new Error("publicFileUpload handler not available");
+    if (!handlers.createDomain) throw new Error("createDomain handler not implemented");
+    if (!handlers.requestPin) throw new Error("requestPin handler not available");
+    const configEntityType = String(inputs.entityType || "dao").trim();
+    let surveyData = {};
+    if (inputs.surveyData) {
+      if (typeof inputs.surveyData === "string") {
+        try {
+          surveyData = JSON.parse(inputs.surveyData);
+        } catch {
+          throw new Error("surveyData must be valid JSON");
+        }
+      } else if (typeof inputs.surveyData === "object" && !Array.isArray(inputs.surveyData)) {
+        surveyData = inputs.surveyData;
+      }
+    }
+    const issuerDid = handlers.getEntityDid?.() || handlers.getCurrentUser?.()?.address;
+    if (!issuerDid) throw new Error("Unable to determine issuer DID");
+    const entityDid = "did:ixo:entity:pending";
+    const credentialSubject = transformSurveyToCredentialSubject(surveyData, entityDid);
+    const unsignedCredential = buildVerifiableCredential({
+      entityDid,
+      issuerDid,
+      credentialSubject,
+      validFrom: surveyData["schema:validFrom"] || (/* @__PURE__ */ new Date()).toISOString(),
+      validUntil: surveyData["schema:validUntil"]
+    });
+    const pin = await handlers.requestPin({
+      title: "Sign Domain Card",
+      description: "Enter your PIN to sign the Domain Card credential",
+      submitText: "Sign"
+    });
+    const { signedCredential } = await handlers.signCredential({
+      issuerDid,
+      issuerType: "user",
+      credential: unsignedCredential,
+      pin
+    });
+    const credentialBlob = new Blob([JSON.stringify(signedCredential, null, 2)], {
+      type: "application/json"
+    });
+    const credentialFile = new File([credentialBlob], "domainCard.json", {
+      type: "application/json"
+    });
+    const uploadResult = await handlers.publicFileUpload(credentialFile);
+    const domainCardLinkedResource = buildDomainCardLinkedResource({
+      entityDid,
+      cid: uploadResult.cid,
+      serviceEndpoint: uploadResult.url,
+      description: `Domain Card for ${surveyData["schema:name"] || "Domain"}`
+    });
+    const finalEntityType = surveyData["type_2"] || surveyData["daoType"] || configEntityType;
+    const { entityDid: newEntityDid, transactionHash } = await handlers.createDomain({
+      entityType: finalEntityType,
+      linkedResource: [domainCardLinkedResource],
+      startDate: surveyData["schema:validFrom"],
+      endDate: surveyData["schema:validUntil"]
+    });
+    return {
+      output: {
+        entityDid: newEntityDid,
+        transactionHash,
+        credentialId: uploadResult.cid,
+        entityType: finalEntityType
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/oracle.ts
+registerAction({
+  type: "oracle",
+  sideEffect: false,
+  defaultRequiresConfirmation: false,
+  outputSchema: [{ path: "prompt", displayName: "Prompt", type: "string", description: "The prompt sent to the companion" }],
+  run: async (inputs, ctx) => {
+    const prompt = String(inputs.prompt || "").trim();
+    if (!prompt) throw new Error("prompt is required");
+    if (!ctx.handlers?.askCompanion) {
+      throw new Error("askCompanion handler is not available");
+    }
+    await ctx.handlers.askCompanion(prompt);
+    return {
+      output: { prompt }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/credentialStore.ts
+registerAction({
+  type: "credential.store",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/execute",
+  outputSchema: [
+    { path: "credentialKey", displayName: "Credential Key", type: "string", description: "Key under which credential was stored (e.g. kycamllevel1)" },
+    { path: "cid", displayName: "Content ID", type: "string", description: "IPFS-compatible CID of the credential (used for deduplication)" },
+    { path: "storedAt", displayName: "Stored At", type: "string", description: "ISO timestamp of when the credential was stored" },
+    { path: "duplicate", displayName: "Duplicate", type: "boolean", description: "Whether this credential was already stored (matched by CID)" }
+  ],
+  run: async (inputs, ctx) => {
+    const { credential, credentialKey, roomId } = inputs;
+    if (!credentialKey) throw new Error("credentialKey is required");
+    if (!credential) throw new Error("credential is required");
+    let parsedCredential = credential;
+    if (typeof parsedCredential === "string") {
+      for (let i = 0; i < 3 && typeof parsedCredential === "string"; i++) {
+        try {
+          parsedCredential = JSON.parse(parsedCredential);
+        } catch {
+          throw new Error("credential must be a valid JSON object or JSON string");
+        }
+      }
+    }
+    if (typeof parsedCredential !== "object" || parsedCredential === null || Array.isArray(parsedCredential)) {
+      throw new Error("credential must be a JSON object");
+    }
+    if (!ctx.services.matrix?.storeCredential) {
+      throw new Error("Matrix credential storage service not configured");
+    }
+    const { computeJsonCID } = await import("./cid-6O646X2I.mjs");
+    const cid = await computeJsonCID(parsedCredential);
+    const result = await ctx.services.matrix.storeCredential({
+      roomId: roomId || "",
+      credentialKey: String(credentialKey),
+      credential: parsedCredential,
+      cid
+    });
+    return {
+      output: {
+        credentialKey: String(credentialKey),
+        cid,
+        storedAt: result.storedAt,
+        duplicate: result.duplicate
+      }
+    };
+  }
+});
+
+// src/core/lib/actionRegistry/actions/payment.ts
+registerAction({
+  type: "payment",
+  sideEffect: true,
+  defaultRequiresConfirmation: true,
+  requiredCapability: "flow/block/execute",
+  outputSchema: [
+    { path: "transactionId", displayName: "Transaction ID", type: "string", description: "Payment transaction identifier from the provider" },
+    { path: "status", displayName: "Status", type: "string", description: "Payment status (proposed, submitted, pending, completed, failed)" },
+    { path: "proposal", displayName: "Proposal", type: "object", description: "Payment proposal object for review before execution" },
+    { path: "summary", displayName: "Summary", type: "object", description: "Human-readable payment summary" }
+  ],
+  run: async (inputs, ctx) => {
+    const config = inputs.paymentConfig;
+    if (!config || typeof config === "string" && !config.trim()) {
+      throw new Error("paymentConfig is required");
+    }
+    if (!ctx.handlers?.askCompanion) {
+      throw new Error("askCompanion handler is not available");
+    }
+    const parsed = typeof config === "string" ? JSON.parse(config) : config;
+    const configJson = JSON.stringify(parsed, null, 2);
+    await ctx.handlers.askCompanion(
+      [
+        "Execute payment action with this configuration.",
+        "IMPORTANT: First read the flow context and settings \u2014 the flow may contain parameters required by the skill. Also review all blocks in the flow to understand the basic workflow before executing.",
+        `Payment configuration JSON:
+${configJson}`
+      ].join("\n")
+    );
+    return {
+      output: {
+        status: "requested",
+        paymentConfig: parsed
+      }
+    };
+  }
+});
+
+// src/core/lib/ucanDelegationStore.ts
+var ROOT_DELEGATION_KEY = "__root__";
+var MIGRATION_VERSION_KEY = "__version__";
+var CURRENT_VERSION = 2;
+var isNewFormat = (value) => {
+  if (!value || typeof value !== "object") return false;
+  const entry = value;
+  return entry.v === CURRENT_VERSION && entry.data !== void 0;
+};
+var isLegacyFormat = (value) => {
+  return typeof value === "string";
+};
+var parseLegacy = (value) => {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+};
+var legacyToStoredDelegation = (legacy) => {
+  return {
+    cid: legacy.id,
+    delegation: "",
+    // Empty - CAR requires re-signing
+    issuerDid: legacy.issuer,
+    audienceDid: legacy.audience,
+    capabilities: legacy.capabilities.map((c) => ({
+      can: c.can,
+      with: c.with,
+      nb: c.nb
+    })),
+    expiration: legacy.expiration,
+    createdAt: legacy.issuedAt ? new Date(legacy.issuedAt).getTime() : Date.now(),
+    format: "legacy",
+    proofCids: legacy.proofs
+  };
+};
+var createUcanDelegationStore = (yMap) => {
+  const get = (cid) => {
+    if (cid === ROOT_DELEGATION_KEY || cid === MIGRATION_VERSION_KEY) return null;
+    const raw = yMap.get(cid);
+    if (!raw) return null;
+    if (isNewFormat(raw)) {
+      return raw.data;
+    }
+    if (isLegacyFormat(raw)) {
+      const legacy = parseLegacy(raw);
+      if (legacy) {
+        return legacyToStoredDelegation(legacy);
+      }
+    }
+    return null;
+  };
+  const set = (delegation) => {
+    const entry = {
+      v: CURRENT_VERSION,
+      data: delegation
+    };
+    yMap.set(delegation.cid, entry);
+  };
+  const remove = (cid) => {
+    yMap.delete(cid);
+  };
+  const has = (cid) => {
+    return yMap.has(cid) && cid !== ROOT_DELEGATION_KEY && cid !== MIGRATION_VERSION_KEY;
+  };
+  const getRoot = () => {
+    const rootCid = yMap.get(ROOT_DELEGATION_KEY);
+    if (!rootCid) return null;
+    return get(rootCid);
+  };
+  const setRootCid = (cid) => {
+    yMap.set(ROOT_DELEGATION_KEY, cid);
+  };
+  const getRootCid = () => {
+    return yMap.get(ROOT_DELEGATION_KEY) || null;
+  };
+  const getAll = () => {
+    const delegations = [];
+    yMap.forEach((value, key) => {
+      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
+      if (isNewFormat(value)) {
+        delegations.push(value.data);
+        return;
+      }
+      if (isLegacyFormat(value)) {
+        const legacy = parseLegacy(value);
+        if (legacy) {
+          delegations.push(legacyToStoredDelegation(legacy));
+        }
+      }
+    });
+    return delegations;
+  };
+  const getByAudience = (audienceDid) => {
+    return getAll().filter((d) => d.audienceDid === audienceDid);
+  };
+  const getByIssuer = (issuerDid) => {
+    return getAll().filter((d) => d.issuerDid === issuerDid);
+  };
+  const findByCapability = (can, withUri) => {
+    return getAll().filter(
+      (d) => d.capabilities.some((c) => {
+        if (c.can === can && c.with === withUri) return true;
+        if (c.can === "*" || c.can === "flow/*") return true;
+        if (c.can.endsWith("/*")) {
+          const prefix = c.can.slice(0, -1);
+          if (can.startsWith(prefix)) return true;
+        }
+        if (c.with === "*") return true;
+        if (c.with.endsWith("*")) {
+          const prefix = c.with.slice(0, -1);
+          if (withUri.startsWith(prefix)) return true;
+        }
+        return false;
+      })
+    );
+  };
+  const getVersion = () => {
+    const version = yMap.get(MIGRATION_VERSION_KEY);
+    return version ?? 1;
+  };
+  const setVersion = (version) => {
+    yMap.set(MIGRATION_VERSION_KEY, version);
+  };
+  const getLegacy = (id) => {
+    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return null;
+    const raw = yMap.get(id);
+    if (!raw) return null;
+    if (isLegacyFormat(raw)) {
+      return parseLegacy(raw);
+    }
+    return null;
+  };
+  const hasLegacy = (id) => {
+    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return false;
+    const raw = yMap.get(id);
+    return isLegacyFormat(raw);
+  };
+  const getAllLegacy = () => {
+    const legacyDelegations = [];
+    yMap.forEach((value, key) => {
+      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
+      if (isLegacyFormat(value)) {
+        const legacy = parseLegacy(value);
+        if (legacy) {
+          legacyDelegations.push(legacy);
+        }
+      }
+    });
+    return legacyDelegations;
+  };
+  const convertLegacyToStored = (legacy) => {
+    return legacyToStoredDelegation(legacy);
+  };
+  return {
+    get,
+    set,
+    remove,
+    has,
+    getRoot,
+    setRootCid,
+    getRootCid,
+    getAll,
+    getByAudience,
+    getByIssuer,
+    findByCapability,
+    getVersion,
+    setVersion,
+    getLegacy,
+    hasLegacy,
+    getAllLegacy,
+    convertLegacyToStored
+  };
+};
+var createMemoryUcanDelegationStore = () => {
+  const store = /* @__PURE__ */ new Map();
+  const get = (cid) => {
+    if (cid === ROOT_DELEGATION_KEY || cid === MIGRATION_VERSION_KEY) return null;
+    const raw = store.get(cid);
+    if (!raw) return null;
+    if (isNewFormat(raw)) {
+      return raw.data;
+    }
+    if (isLegacyFormat(raw)) {
+      const legacy = parseLegacy(raw);
+      if (legacy) {
+        return legacyToStoredDelegation(legacy);
+      }
+    }
+    return null;
+  };
+  const set = (delegation) => {
+    const entry = {
+      v: CURRENT_VERSION,
+      data: delegation
+    };
+    store.set(delegation.cid, entry);
+  };
+  const remove = (cid) => {
+    store.delete(cid);
+  };
+  const has = (cid) => {
+    return store.has(cid) && cid !== ROOT_DELEGATION_KEY && cid !== MIGRATION_VERSION_KEY;
+  };
+  const getRoot = () => {
+    const rootCid = store.get(ROOT_DELEGATION_KEY);
+    if (!rootCid) return null;
+    return get(rootCid);
+  };
+  const setRootCid = (cid) => {
+    store.set(ROOT_DELEGATION_KEY, cid);
+  };
+  const getRootCid = () => {
+    return store.get(ROOT_DELEGATION_KEY) || null;
+  };
+  const getAll = () => {
+    const delegations = [];
+    store.forEach((value, key) => {
+      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
+      if (isNewFormat(value)) {
+        delegations.push(value.data);
+        return;
+      }
+      if (isLegacyFormat(value)) {
+        const legacy = parseLegacy(value);
+        if (legacy) {
+          delegations.push(legacyToStoredDelegation(legacy));
+        }
+      }
+    });
+    return delegations;
+  };
+  const getByAudience = (audienceDid) => {
+    return getAll().filter((d) => d.audienceDid === audienceDid);
+  };
+  const getByIssuer = (issuerDid) => {
+    return getAll().filter((d) => d.issuerDid === issuerDid);
+  };
+  const findByCapability = (can, withUri) => {
+    return getAll().filter(
+      (d) => d.capabilities.some((c) => {
+        if (c.can === can && c.with === withUri) return true;
+        if (c.can === "*" || c.can === "flow/*") return true;
+        if (c.can.endsWith("/*")) {
+          const prefix = c.can.slice(0, -1);
+          if (can.startsWith(prefix)) return true;
+        }
+        if (c.with === "*") return true;
+        if (c.with.endsWith("*")) {
+          const prefix = c.with.slice(0, -1);
+          if (withUri.startsWith(prefix)) return true;
+        }
+        return false;
+      })
+    );
+  };
+  const getVersion = () => {
+    const version = store.get(MIGRATION_VERSION_KEY);
+    return version ?? 1;
+  };
+  const setVersion = (version) => {
+    store.set(MIGRATION_VERSION_KEY, version);
+  };
+  const getLegacy = (id) => {
+    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return null;
+    const raw = store.get(id);
+    if (!raw) return null;
+    if (isLegacyFormat(raw)) {
+      return parseLegacy(raw);
+    }
+    return null;
+  };
+  const hasLegacy = (id) => {
+    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return false;
+    const raw = store.get(id);
+    return isLegacyFormat(raw);
+  };
+  const getAllLegacy = () => {
+    const legacyDelegations = [];
+    store.forEach((value, key) => {
+      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
+      if (isLegacyFormat(value)) {
+        const legacy = parseLegacy(value);
+        if (legacy) {
+          legacyDelegations.push(legacy);
+        }
+      }
+    });
+    return legacyDelegations;
+  };
+  const convertLegacyToStored = (legacy) => {
+    return legacyToStoredDelegation(legacy);
+  };
+  return {
+    get,
+    set,
+    remove,
+    has,
+    getRoot,
+    setRootCid,
+    getRootCid,
+    getAll,
+    getByAudience,
+    getByIssuer,
+    findByCapability,
+    getVersion,
+    setVersion,
+    getLegacy,
+    hasLegacy,
+    getAllLegacy,
+    convertLegacyToStored
+  };
+};
+
+// src/core/lib/invocationStore.ts
+var createInvocationStore = (yMap) => {
+  const add = (invocation) => {
+    yMap.set(invocation.cid, invocation);
+  };
+  const get = (cid) => {
+    const raw = yMap.get(cid);
+    if (!raw || typeof raw !== "object") return null;
+    return raw;
+  };
+  const remove = (cid) => {
+    yMap.delete(cid);
+  };
+  const getAll = () => {
+    const invocations = [];
+    yMap.forEach((value) => {
+      if (value && typeof value === "object" && "cid" in value) {
+        invocations.push(value);
+      }
+    });
+    return invocations.sort((a, b) => b.executedAt - a.executedAt);
+  };
+  const getByInvoker = (invokerDid) => {
+    return getAll().filter((i) => i.invokerDid === invokerDid);
+  };
+  const getByFlow = (flowId) => {
+    return getAll().filter((i) => i.flowId === flowId);
+  };
+  const getByBlock = (flowId, blockId) => {
+    return getAll().filter((i) => i.flowId === flowId && i.blockId === blockId);
+  };
+  const getByCapability = (can, withUri) => {
+    return getAll().filter((i) => i.capability.can === can && i.capability.with === withUri);
+  };
+  const hasBeenInvoked = (cid) => {
+    return yMap.has(cid);
+  };
+  const getInDateRange = (startMs, endMs) => {
+    return getAll().filter((i) => i.executedAt >= startMs && i.executedAt <= endMs);
+  };
+  const getSuccessful = () => {
+    return getAll().filter((i) => i.result === "success");
+  };
+  const getFailures = () => {
+    return getAll().filter((i) => i.result === "failure");
+  };
+  const getPendingSubmission = () => {
+    return getAll().filter((i) => i.result === "success" && !i.transactionHash);
+  };
+  const markSubmitted = (cid, transactionHash) => {
+    const invocation = get(cid);
+    if (invocation) {
+      const updated = {
+        ...invocation,
+        transactionHash
+      };
+      yMap.set(cid, updated);
+    }
+  };
+  const getCount = () => {
+    return getAll().length;
+  };
+  const getCountByResult = () => {
+    const all = getAll();
+    return {
+      success: all.filter((i) => i.result === "success").length,
+      failure: all.filter((i) => i.result === "failure").length
+    };
+  };
+  return {
+    add,
+    get,
+    remove,
+    getAll,
+    getByInvoker,
+    getByFlow,
+    getByBlock,
+    getByCapability,
+    hasBeenInvoked,
+    getInDateRange,
+    getSuccessful,
+    getFailures,
+    getPendingSubmission,
+    markSubmitted,
+    getCount,
+    getCountByResult
+  };
+};
+var createMemoryInvocationStore = () => {
+  const store = /* @__PURE__ */ new Map();
+  const add = (invocation) => {
+    store.set(invocation.cid, invocation);
+  };
+  const get = (cid) => {
+    return store.get(cid) || null;
+  };
+  const remove = (cid) => {
+    store.delete(cid);
+  };
+  const getAll = () => {
+    const invocations = Array.from(store.values());
+    return invocations.sort((a, b) => b.executedAt - a.executedAt);
+  };
+  const getByInvoker = (invokerDid) => {
+    return getAll().filter((i) => i.invokerDid === invokerDid);
+  };
+  const getByFlow = (flowId) => {
+    return getAll().filter((i) => i.flowId === flowId);
+  };
+  const getByBlock = (flowId, blockId) => {
+    return getAll().filter((i) => i.flowId === flowId && i.blockId === blockId);
+  };
+  const getByCapability = (can, withUri) => {
+    return getAll().filter((i) => i.capability.can === can && i.capability.with === withUri);
+  };
+  const hasBeenInvoked = (cid) => {
+    return store.has(cid);
+  };
+  const getInDateRange = (startMs, endMs) => {
+    return getAll().filter((i) => i.executedAt >= startMs && i.executedAt <= endMs);
+  };
+  const getSuccessful = () => {
+    return getAll().filter((i) => i.result === "success");
+  };
+  const getFailures = () => {
+    return getAll().filter((i) => i.result === "failure");
+  };
+  const getPendingSubmission = () => {
+    return getAll().filter((i) => i.result === "success" && !i.transactionHash);
+  };
+  const markSubmitted = (cid, transactionHash) => {
+    const invocation = get(cid);
+    if (invocation) {
+      store.set(cid, { ...invocation, transactionHash });
+    }
+  };
+  const getCount = () => {
+    return store.size;
+  };
+  const getCountByResult = () => {
+    const all = getAll();
+    return {
+      success: all.filter((i) => i.result === "success").length,
+      failure: all.filter((i) => i.result === "failure").length
+    };
+  };
+  return {
+    add,
+    get,
+    remove,
+    getAll,
+    getByInvoker,
+    getByFlow,
+    getByBlock,
+    getByCapability,
+    hasBeenInvoked,
+    getInDateRange,
+    getSuccessful,
+    getFailures,
+    getPendingSubmission,
+    markSubmitted,
+    getCount,
+    getCountByResult
+  };
+};
+
+// src/core/lib/flowEngine/utils.ts
+var parseActors = (value) => {
+  if (!value) return [];
+  if (Array.isArray(value)) {
+    return value.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean);
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (!trimmed) return [];
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (Array.isArray(parsed)) {
+        return parsed.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean);
+      }
+    } catch {
+    }
+    return trimmed.split(",").map((item) => item.trim()).filter(Boolean);
+  }
+  return [];
+};
+var parseActivationStatus = (value) => {
+  if (value === "pending" || value === "approved" || value === "rejected") {
+    return value;
+  }
+  return void 0;
+};
+var buildAuthzFromProps = (props) => {
+  const authorisedActors = parseActors(props.authorisedActors);
+  const activationRequiredStatus = parseActivationStatus(props.activationRequiredStatus);
+  const activationUpstreamNodeId = typeof props.activationUpstreamNodeId === "string" ? props.activationUpstreamNodeId.trim() : "";
+  const linkedClaimCollectionId = typeof props.linkedClaimCollectionId === "string" ? props.linkedClaimCollectionId.trim() : "";
+  const authz = {};
+  if (typeof props.parentCapability === "string" && props.parentCapability.trim()) {
+    authz.parentCapability = props.parentCapability.trim();
+  }
+  if (authorisedActors.length > 0) {
+    authz.authorisedActors = authorisedActors;
+  }
+  if (linkedClaimCollectionId) {
+    authz.linkedClaim = { collectionId: linkedClaimCollectionId };
+  }
+  if (activationUpstreamNodeId && activationRequiredStatus) {
+    authz.activationCondition = {
+      upstreamNodeId: activationUpstreamNodeId,
+      requiredStatus: activationRequiredStatus,
+      requireAuthorisedActor: Boolean(props.activationRequireAuthorisedActor)
+    };
+  }
+  return authz;
+};
+var buildFlowNodeFromBlock = (block) => {
+  const base = {
+    id: block.id,
+    type: block.type,
+    props: block.props || {}
+  };
+  const authz = buildAuthzFromProps(block.props || {});
+  return {
+    ...base,
+    ...authz
+  };
+};
+
+// src/core/lib/flowEngine/runtime.ts
+var ensureStateObject = (value) => {
+  if (!value || typeof value !== "object") {
+    return {};
+  }
+  return { ...value };
+};
+var createYMapManager = (map) => {
+  return {
+    get: (nodeId) => {
+      const stored = map.get(nodeId);
+      return ensureStateObject(stored);
+    },
+    update: (nodeId, updates) => {
+      const current = ensureStateObject(map.get(nodeId));
+      map.set(nodeId, { ...current, ...updates });
+    }
+  };
+};
+var createMemoryManager = () => {
+  const memory = /* @__PURE__ */ new Map();
+  return {
+    get: (nodeId) => ensureStateObject(memory.get(nodeId)),
+    update: (nodeId, updates) => {
+      const current = ensureStateObject(memory.get(nodeId));
+      memory.set(nodeId, { ...current, ...updates });
+    }
+  };
+};
+var createRuntimeStateManager = (editor) => {
+  if (editor?._yRuntime) {
+    return createYMapManager(editor._yRuntime);
+  }
+  return createMemoryManager();
+};
+function clearRuntimeForTemplateClone(yDoc) {
+  const runtime = yDoc.getMap("runtime");
+  const invocations = yDoc.getMap("invocations");
+  yDoc.transact(() => {
+    runtime.forEach((_, key) => runtime.delete(key));
+    invocations.forEach((_, key) => invocations.delete(key));
+  });
+}
+
+// src/core/lib/flowEngine/activation.ts
+var isNodeActive = (node, runtime) => {
+  if (!node.activationCondition) {
+    return { active: true };
+  }
+  const { upstreamNodeId, requiredStatus, requireAuthorisedActor } = node.activationCondition;
+  if (!upstreamNodeId) {
+    return { active: true };
+  }
+  const upstreamState = runtime.get(upstreamNodeId);
+  if (!upstreamState.claimId) {
+    return { active: false, reason: `Upstream node ${upstreamNodeId} has no claim submission yet.` };
+  }
+  if (upstreamState.evaluationStatus !== requiredStatus) {
+    return {
+      active: false,
+      reason: `Upstream node ${upstreamNodeId} status is ${upstreamState.evaluationStatus || "unknown"}, requires ${requiredStatus}.`
+    };
+  }
+  if (requireAuthorisedActor) {
+    const upstreamActor = upstreamState.submittedByDid;
+    if (!upstreamActor) {
+      return { active: false, reason: "Upstream submission actor is unknown." };
+    }
+    const upstreamAuthorised = Array.isArray(upstreamState.authorisedActorsSnapshot) ? upstreamState.authorisedActorsSnapshot : [];
+    if (upstreamAuthorised.length > 0 && !upstreamAuthorised.includes(upstreamActor)) {
+      return { active: false, reason: "Upstream claim not submitted by an authorised actor." };
+    }
+  }
+  return { active: true };
+};
+
+// src/core/lib/flowEngine/capabilityValidation.ts
+var capabilityCovers = (granted, required) => {
+  if (granted.can !== required.can && granted.can !== "*") {
+    if (granted.can.endsWith("/*")) {
+      const prefix = granted.can.slice(0, -2);
+      if (!required.can.startsWith(prefix)) return false;
+    } else {
+      return false;
+    }
+  }
+  if (granted.with !== required.with && granted.with !== "*") {
+    if (granted.with.endsWith("/*")) {
+      const prefix = granted.with.slice(0, -2);
+      if (!required.with.startsWith(prefix)) return false;
+    } else if (granted.with.endsWith("*")) {
+      const prefix = granted.with.slice(0, -1);
+      if (!required.with.startsWith(prefix)) return false;
+    } else {
+      return false;
+    }
+  }
+  return true;
+};
+var validateCapabilityChain = async (params) => {
+  const { capability, actorDid, requiredCapability, delegationStore, verifySignature, rootIssuer } = params;
+  const chain = [];
+  const visited = /* @__PURE__ */ new Set();
+  let current = capability;
+  while (current) {
+    if (visited.has(current.id)) {
+      return { valid: false, error: "Circular delegation detected" };
+    }
+    visited.add(current.id);
+    chain.unshift(current);
+    if (current.expiration && current.expiration < Date.now()) {
+      return { valid: false, error: `Capability ${current.id} has expired` };
+    }
+    const signatureResult = await verifySignature(JSON.stringify(current), current.issuer);
+    if (!signatureResult.valid) {
+      return { valid: false, error: `Invalid signature on capability ${current.id}: ${signatureResult.error}` };
+    }
+    if (current.proofs.length === 0) {
+      if (current.issuer !== rootIssuer) {
+        return { valid: false, error: `Root capability issuer mismatch. Expected ${rootIssuer}, got ${current.issuer}` };
+      }
+      break;
+    }
+    const parentId = current.proofs[0];
+    const parent = delegationStore.get(parentId);
+    if (!parent) {
+      return { valid: false, error: `Parent capability ${parentId} not found` };
+    }
+    if (parent.audience !== current.issuer) {
+      return { valid: false, error: `Delegation chain broken: ${parent.audience} !== ${current.issuer}` };
+    }
+    current = parent;
+  }
+  const finalCap = chain[chain.length - 1];
+  if (finalCap.audience !== actorDid) {
+    return { valid: false, error: `Capability not granted to actor. Expected ${actorDid}, got ${finalCap.audience}` };
+  }
+  for (const cap of chain) {
+    const hasRequiredCap = cap.capabilities.some((c) => capabilityCovers(c, requiredCapability));
+    if (!hasRequiredCap) {
+      return { valid: false, error: `Capability ${cap.id} does not grant required permission` };
+    }
+  }
+  return { valid: true, chain };
+};
+var findValidCapability = async (params) => {
+  const { actorDid, requiredCapability, delegationStore, verifySignature, rootIssuer } = params;
+  const allDelegations = delegationStore.getAll();
+  const actorDelegations = allDelegations.filter((d) => d.audience === actorDid);
+  for (const delegation of actorDelegations) {
+    const result = await validateCapabilityChain({
+      capability: delegation,
+      actorDid,
+      requiredCapability,
+      delegationStore,
+      verifySignature,
+      rootIssuer
+    });
+    if (result.valid) {
+      return { found: true, capabilityId: delegation.id };
+    }
+  }
+  const root = delegationStore.getRoot();
+  if (root && root.audience === actorDid) {
+    const result = await validateCapabilityChain({
+      capability: root,
+      actorDid,
+      requiredCapability,
+      delegationStore,
+      verifySignature,
+      rootIssuer
+    });
+    if (result.valid) {
+      return { found: true, capabilityId: root.id };
+    }
+  }
+  return { found: false, error: "No valid capability found for actor" };
+};
+
+// src/core/lib/flowEngine/authorization.ts
+var isActorAuthorized = async (node, actorDid, context) => {
+  if (node.authorisedActors && node.authorisedActors.length > 0) {
+    if (!node.authorisedActors.includes(actorDid)) {
+      return {
+        authorized: false,
+        reason: `Actor ${actorDid} is not in the authorized actors list for this block.`
+      };
+    }
+    if (!node.parentCapability) {
+      return { authorized: true };
+    }
+  }
+  if (node.parentCapability && context?.delegationStore && context?.verifySignature && context?.rootIssuer) {
+    const requiredCapability = {
+      can: "flow/block/execute",
+      with: context.flowUri ? `${context.flowUri}:${node.id}` : `ixo:flow:*:${node.id}`
+    };
+    const result = await findValidCapability({
+      actorDid,
+      requiredCapability,
+      delegationStore: context.delegationStore,
+      verifySignature: context.verifySignature,
+      rootIssuer: context.rootIssuer
+    });
+    if (!result.found) {
+      return {
+        authorized: false,
+        reason: result.error || "No valid capability found"
+      };
+    }
+    return { authorized: true, capabilityId: result.capabilityId };
+  }
+  if (node.parentCapability && context?.ucanManager) {
+    try {
+      const parent = await context.ucanManager.loadParentCapability(node.parentCapability);
+      const derived = await context.ucanManager.deriveNodeCapability(parent, node.id, actorDid);
+      await context.ucanManager.validateDerivedCapability(derived, node.id, actorDid);
+      return { authorized: true, derived };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Capability derivation failed";
+      return { authorized: false, reason: message };
+    }
+  }
+  if (node.parentCapability && !context?.delegationStore && !context?.ucanManager) {
+    return {
+      authorized: false,
+      reason: "Capability validation required but neither delegation store nor UCAN manager configured."
+    };
+  }
+  return { authorized: true };
+};
+var isActorAuthorizedV2 = async (node, actorDid, context) => {
+  if (node.authorisedActors && node.authorisedActors.length > 0) {
+    if (!node.authorisedActors.includes(actorDid)) {
+      return {
+        authorized: false,
+        reason: `Actor ${actorDid} is not in the authorized actors list for this block.`
+      };
+    }
+    if (!node.parentCapability) {
+      return { authorized: true };
+    }
+  }
+  if (node.parentCapability && context?.ucanService && context?.flowUri) {
+    const requiredCapability = {
+      can: "flow/block/execute",
+      with: `${context.flowUri}:${node.id}`
+    };
+    const validationResult = await context.ucanService.validateDelegationChain(actorDid, requiredCapability);
+    if (!validationResult.valid) {
+      return {
+        authorized: false,
+        reason: validationResult.error || "No valid capability chain found"
+      };
+    }
+    const proofCids = validationResult.proofChain?.map((d) => d.cid) || [];
+    return {
+      authorized: true,
+      capabilityId: proofCids[0],
+      // First in chain is the actor's delegation
+      proofCids
+    };
+  }
+  if (node.parentCapability && context?.delegationStore && context?.verifySignature && context?.rootIssuer) {
+    const requiredCapability = {
+      can: "flow/block/execute",
+      with: context.flowUri ? `${context.flowUri}:${node.id}` : `ixo:flow:*:${node.id}`
+    };
+    const result = await findValidCapability({
+      actorDid,
+      requiredCapability,
+      delegationStore: context.delegationStore,
+      verifySignature: context.verifySignature,
+      rootIssuer: context.rootIssuer
+    });
+    if (!result.found) {
+      return {
+        authorized: false,
+        reason: result.error || "No valid capability found"
+      };
+    }
+    return { authorized: true, capabilityId: result.capabilityId };
+  }
+  if (node.parentCapability && context?.ucanManager) {
+    try {
+      const parent = await context.ucanManager.loadParentCapability(node.parentCapability);
+      const derived = await context.ucanManager.deriveNodeCapability(parent, node.id, actorDid);
+      await context.ucanManager.validateDerivedCapability(derived, node.id, actorDid);
+      return { authorized: true, derived };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Capability derivation failed";
+      return { authorized: false, reason: message };
+    }
+  }
+  if (node.parentCapability && !context?.ucanService && !context?.delegationStore && !context?.ucanManager) {
+    return {
+      authorized: false,
+      reason: "Capability validation required but no UCAN service or delegation store configured."
+    };
+  }
+  return { authorized: true };
+};
+
+// src/core/lib/flowEngine/executor.ts
+var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, capabilityId, now) => {
+  const updates = {
+    submittedByDid: actionResult.submittedByDid || actorDid,
+    evaluationStatus: actionResult.evaluationStatus || "pending",
+    executionTimestamp: now ? now() : Date.now(),
+    derivedUcan: capabilityId,
+    authorisedActorsSnapshot: node.authorisedActors
+  };
+  if (actionResult.claimId) {
+    updates.claimId = actionResult.claimId;
+  }
+  runtime.update(node.id, updates);
+};
+var executeNode = async ({ node, actorDid, context, action }) => {
+  const { runtime, delegationStore, verifySignature, rootIssuer, flowUri, ucanManager, now } = context;
+  const activation = isNodeActive(node, runtime);
+  if (!activation.active) {
+    return { success: false, stage: "activation", error: activation.reason };
+  }
+  const authContext = {
+    delegationStore,
+    verifySignature,
+    rootIssuer,
+    flowUri,
+    ucanManager
+  };
+  const auth = await isActorAuthorized(node, actorDid, authContext);
+  if (!auth.authorized) {
+    return { success: false, stage: "authorization", error: auth.reason };
+  }
+  if (node.linkedClaim && !node.linkedClaim.collectionId) {
+    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
+  }
+  try {
+    const result = await action();
+    if (node.linkedClaim && !result.claimId) {
+      return { success: false, stage: "claim", error: "Execution did not return a claimId for linked claim requirement." };
+    }
+    updateRuntimeAfterSuccess(node, actorDid, runtime, result, auth.capabilityId, now);
+    return { success: true, stage: "complete", result, capabilityId: auth.capabilityId };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Execution failed";
+    return { success: false, stage: "action", error: message };
+  }
+};
+var executeNodeWithInvocation = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
+  const { runtime, ucanService, invocationStore, flowUri, flowId, flowOwnerDid, now } = context;
+  const activation = isNodeActive(node, runtime);
+  if (!activation.active) {
+    return { success: false, stage: "activation", error: activation.reason };
+  }
+  const authContext = {
+    ucanService,
+    flowUri,
+    flowOwnerDid,
+    // Legacy fallbacks
+    delegationStore: context.delegationStore,
+    verifySignature: context.verifySignature,
+    rootIssuer: context.rootIssuer,
+    ucanManager: context.ucanManager
+  };
+  const auth = await isActorAuthorizedV2(node, actorDid, authContext);
+  if (!auth.authorized) {
+    return { success: false, stage: "authorization", error: auth.reason };
+  }
+  if (node.linkedClaim && !node.linkedClaim.collectionId) {
+    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
+  }
+  let invocationCid;
+  let invocationData;
+  if (ucanService && auth.proofCids && auth.proofCids.length > 0) {
+    const capability = {
+      can: "flow/block/execute",
+      with: `${flowUri}:${node.id}`
+    };
+    try {
+      const invocationResult = await ucanService.createAndValidateInvocation(
+        {
+          invokerDid: actorDid,
+          invokerType: actorType,
+          entityRoomId,
+          capability,
+          proofs: auth.proofCids,
+          pin
+        },
+        flowId,
+        node.id
+      );
+      if (!invocationResult.valid) {
+        return {
+          success: false,
+          stage: "authorization",
+          error: `Invocation validation failed: ${invocationResult.error}`
+        };
+      }
+      invocationCid = invocationResult.cid;
+      invocationData = invocationResult.invocation;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Failed to create invocation";
+      return { success: false, stage: "authorization", error: message };
+    }
+  }
+  try {
+    const result = await action();
+    if (node.linkedClaim && !result.claimId) {
+      if (invocationStore && invocationCid && invocationData) {
+        const storedInvocation = {
+          cid: invocationCid,
+          invocation: invocationData,
+          invokerDid: actorDid,
+          capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+          executedAt: now ? now() : Date.now(),
+          flowId,
+          blockId: node.id,
+          result: "failure",
+          error: "Execution did not return a claimId for linked claim requirement.",
+          proofCids: auth.proofCids || []
+        };
+        invocationStore.add(storedInvocation);
+      }
+      return {
+        success: false,
+        stage: "claim",
+        error: "Execution did not return a claimId for linked claim requirement.",
+        invocationCid
+      };
+    }
+    if (invocationStore && invocationCid && invocationData) {
+      const storedInvocation = {
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
+        flowId,
+        blockId: node.id,
+        result: "success",
+        proofCids: auth.proofCids || [],
+        claimId: result.claimId
+      };
+      invocationStore.add(storedInvocation);
+    }
+    updateRuntimeAfterSuccess(node, actorDid, runtime, result, invocationCid || auth.capabilityId, now);
+    return {
+      success: true,
+      stage: "complete",
+      result,
+      capabilityId: auth.capabilityId,
+      invocationCid
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Execution failed";
+    if (invocationStore && invocationCid && invocationData) {
+      const storedInvocation = {
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
+        flowId,
+        blockId: node.id,
+        result: "failure",
+        error: message,
+        proofCids: auth.proofCids || []
+      };
+      invocationStore.add(storedInvocation);
+    }
+    return { success: false, stage: "action", error: message, invocationCid };
+  }
+};
+
+// src/core/lib/delegationStore.ts
+var ROOT_CAPABILITY_KEY = "__root__";
+var createDelegationStore = (yMap) => {
+  return {
+    get: (capabilityId) => {
+      const raw = yMap.get(capabilityId);
+      if (!raw || capabilityId === ROOT_CAPABILITY_KEY) return null;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return null;
+      }
+    },
+    set: (capability) => {
+      yMap.set(capability.id, JSON.stringify(capability));
+    },
+    remove: (capabilityId) => {
+      yMap.delete(capabilityId);
+    },
+    getRoot: () => {
+      const rootId = yMap.get(ROOT_CAPABILITY_KEY);
+      if (!rootId) return null;
+      const raw = yMap.get(rootId);
+      if (!raw) return null;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return null;
+      }
+    },
+    setRootId: (capabilityId) => {
+      yMap.set(ROOT_CAPABILITY_KEY, capabilityId);
+    },
+    getAll: () => {
+      const capabilities = [];
+      yMap.forEach((value, key) => {
+        if (key !== ROOT_CAPABILITY_KEY) {
+          try {
+            capabilities.push(JSON.parse(value));
+          } catch {
+          }
+        }
+      });
+      return capabilities;
+    },
+    has: (capabilityId) => {
+      return yMap.has(capabilityId);
+    }
+  };
+};
+var createMemoryDelegationStore = () => {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    get: (capabilityId) => {
+      const raw = store.get(capabilityId);
+      if (!raw || capabilityId === ROOT_CAPABILITY_KEY) return null;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return null;
+      }
+    },
+    set: (capability) => {
+      store.set(capability.id, JSON.stringify(capability));
+    },
+    remove: (capabilityId) => {
+      store.delete(capabilityId);
+    },
+    getRoot: () => {
+      const rootId = store.get(ROOT_CAPABILITY_KEY);
+      if (!rootId) return null;
+      const raw = store.get(rootId);
+      if (!raw) return null;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return null;
+      }
+    },
+    setRootId: (capabilityId) => {
+      store.set(ROOT_CAPABILITY_KEY, capabilityId);
+    },
+    getAll: () => {
+      const capabilities = [];
+      store.forEach((value, key) => {
+        if (key !== ROOT_CAPABILITY_KEY) {
+          try {
+            capabilities.push(JSON.parse(value));
+          } catch {
+          }
+        }
+      });
+      return capabilities;
+    },
+    has: (capabilityId) => {
+      return store.has(capabilityId);
+    }
+  };
+};
+
+// src/core/services/ucanService.ts
+import {
+  createDelegation as ucanCreateDelegation,
+  createInvocation as ucanCreateInvocation,
+  serializeDelegation,
+  serializeInvocation,
+  parseDelegation,
+  parseSigner,
+  signerFromMnemonic
+} from "@ixo/ucan";
+function toSupportedDID(did) {
+  if (did.startsWith("did:ixo:") || did.startsWith("did:key:")) {
+    return did;
+  }
+  return void 0;
+}
+function toUcantoCapabilities(capabilities) {
+  return capabilities.map((cap) => ({
+    can: cap.can,
+    with: cap.with,
+    ...cap.nb && { nb: cap.nb }
+  }));
+}
+async function getSigner(handlers, did, didType, entityRoomId, pin) {
+  const supportedDid = toSupportedDID(did);
+  if (handlers.getPrivateKey) {
+    const privateKey = await handlers.getPrivateKey({ did, didType, entityRoomId, pin });
+    return parseSigner(privateKey, supportedDid);
+  }
+  if (handlers.getMnemonic) {
+    const mnemonic = await handlers.getMnemonic({ did, didType, entityRoomId, pin });
+    const result = await signerFromMnemonic(mnemonic, supportedDid);
+    return result.signer;
+  }
+  throw new Error("No signer handler configured (need getPrivateKey or getMnemonic)");
+}
+function getCidFromDelegation(delegation) {
+  return delegation.cid.toString();
+}
+var createUcanService = (config) => {
+  const { delegationStore, invocationStore, handlers, flowOwnerDid } = config;
+  const delegationCache = /* @__PURE__ */ new Map();
+  const isConfigured = () => {
+    const hasSessionHandlers = !!(handlers.createSignerSession && handlers.signWithSession);
+    const hasLegacyHandlers = !!(handlers.getPrivateKey || handlers.getMnemonic);
+    return hasSessionHandlers || hasLegacyHandlers;
+  };
+  const parseDelegationFromStore = async (cid) => {
+    if (delegationCache.has(cid)) {
+      return delegationCache.get(cid);
+    }
+    const stored = delegationStore.get(cid);
+    if (!stored) return null;
+    if (stored.format === "legacy" || !stored.delegation) {
+      return null;
+    }
+    try {
+      const delegation = await parseDelegation(stored.delegation);
+      delegationCache.set(cid, delegation);
+      return delegation;
+    } catch {
+      return null;
+    }
+  };
+  const getProofDelegations = async (proofCids) => {
+    const proofs = [];
+    for (const cid of proofCids) {
+      const delegation = await parseDelegationFromStore(cid);
+      if (delegation) {
+        proofs.push(delegation);
+      }
+    }
+    return proofs;
+  };
+  const createRootDelegation = async (params) => {
+    const { flowOwnerDid: ownerDid, issuerType, entityRoomId, flowUri: uri, pin } = params;
+    const signer = await getSigner(handlers, ownerDid, issuerType, entityRoomId, pin);
+    const capabilities = [{ can: "flow/*", with: uri }];
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience: ownerDid,
+      capabilities,
+      proofs: []
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid: ownerDid,
+      audienceDid: ownerDid,
+      capabilities,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids: []
+    };
+    delegationStore.set(storedDelegation);
+    delegationStore.setRootCid(cid);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
+  };
+  const createDelegation = async (params) => {
+    const { issuerDid, issuerType, entityRoomId, audience, capabilities, proofs = [], expiration, pin } = params;
+    const signer = await getSigner(handlers, issuerDid, issuerType, entityRoomId, pin);
+    const proofCids = proofs.length > 0 ? proofs : [delegationStore.getRootCid()].filter(Boolean);
+    const proofDelegations = await getProofDelegations(proofCids);
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience,
+      capabilities: toUcantoCapabilities(capabilities),
+      proofs: proofDelegations,
+      expiration: expiration ? Math.floor(expiration / 1e3) : void 0
+      // Convert ms to seconds
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid,
+      audienceDid: audience,
+      capabilities,
+      expiration,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids
+    };
+    delegationStore.set(storedDelegation);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
+  };
+  const revokeDelegation = (cid) => {
+    delegationStore.remove(cid);
+    delegationCache.delete(cid);
+  };
+  const getDelegation = (cid) => {
+    return delegationStore.get(cid);
+  };
+  const getAllDelegations = () => {
+    return delegationStore.getAll();
+  };
+  const getRootDelegation = () => {
+    return delegationStore.getRoot();
+  };
+  const findValidProofs = async (audienceDid, capability) => {
+    const delegations = delegationStore.getByAudience(audienceDid);
+    if (delegations.length === 0) {
+      const root = delegationStore.getRoot();
+      if (root && root.audienceDid === audienceDid) {
+        return { found: true, proofCids: [root.cid] };
+      }
+      return { found: false, error: "No delegations found for actor" };
+    }
+    for (const delegation of delegations) {
+      const covers = delegation.capabilities.some((c) => {
+        if (c.can === capability.can && c.with === capability.with) return true;
+        if (c.can === "*" || c.can === "flow/*") return true;
+        if (c.can.endsWith("/*")) {
+          const prefix = c.can.slice(0, -1);
+          if (capability.can.startsWith(prefix)) return true;
+        }
+        if (c.with === "*") return true;
+        if (c.with.endsWith("*")) {
+          const prefix = c.with.slice(0, -1);
+          if (capability.with.startsWith(prefix)) return true;
+        }
+        return false;
+      });
+      if (covers) {
+        if (delegation.expiration && delegation.expiration < Date.now()) {
+          continue;
+        }
+        const proofCids = [delegation.cid, ...delegation.proofCids];
+        return { found: true, proofCids };
+      }
+    }
+    return { found: false, error: "No valid delegation found for capability" };
+  };
+  const validateDelegationChain = async (audienceDid, capability) => {
+    const proofsResult = await findValidProofs(audienceDid, capability);
+    if (!proofsResult.found || !proofsResult.proofCids) {
+      return { valid: false, error: proofsResult.error };
+    }
+    const proofChain = [];
+    for (const cid of proofsResult.proofCids) {
+      const delegation = delegationStore.get(cid);
+      if (!delegation) {
+        return { valid: false, error: `Proof delegation ${cid} not found` };
+      }
+      proofChain.push(delegation);
+    }
+    for (let i = 0; i < proofChain.length - 1; i++) {
+      const current = proofChain[i];
+      const parent = proofChain[i + 1];
+      if (parent.audienceDid !== current.issuerDid) {
+        return {
+          valid: false,
+          error: `Chain broken: ${parent.cid} audience (${parent.audienceDid}) != ${current.cid} issuer (${current.issuerDid})`
+        };
+      }
+    }
+    const root = proofChain[proofChain.length - 1];
+    if (root.issuerDid !== flowOwnerDid) {
+      return { valid: false, error: `Root issuer ${root.issuerDid} is not flow owner ${flowOwnerDid}` };
+    }
+    return { valid: true, proofChain };
+  };
+  const createAndValidateInvocation = async (params, _flowId, _blockId) => {
+    const { invokerDid, invokerType, entityRoomId, capability, proofs, pin } = params;
+    const validation = await validateDelegationChain(invokerDid, capability);
+    if (!validation.valid) {
+      return {
+        cid: "",
+        invocation: "",
+        valid: false,
+        error: validation.error
+      };
+    }
+    const signer = await getSigner(handlers, invokerDid, invokerType, entityRoomId, pin);
+    const proofDelegations = await getProofDelegations(proofs);
+    const ucantoCapability = {
+      can: capability.can,
+      with: capability.with,
+      ...capability.nb && { nb: capability.nb }
+    };
+    const invocation = await ucanCreateInvocation({
+      issuer: signer,
+      audience: flowOwnerDid,
+      capability: ucantoCapability,
+      proofs: proofDelegations
+    });
+    const serialized = await serializeInvocation(invocation);
+    const built = await invocation.buildIPLDView();
+    const cid = built.cid.toString();
+    return {
+      cid,
+      invocation: serialized,
+      valid: true
+    };
+  };
+  const executeWithInvocation = async (params, action, flowId, blockId) => {
+    const invocationResult = await createAndValidateInvocation(params, flowId, blockId);
+    if (!invocationResult.valid) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: invocationResult.error
+      };
+    }
+    if (invocationStore.hasBeenInvoked(invocationResult.cid)) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: "Invocation has already been used (replay attack prevented)"
+      };
+    }
+    try {
+      const actionResult = await action();
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "success",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: true,
+        invocationCid: invocationResult.cid,
+        result: actionResult,
+        actionResult
+      };
+    } catch (error) {
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "failure",
+        error: error instanceof Error ? error.message : "Unknown error",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  };
+  const migrateLegacyDelegation = async (legacyId, pin) => {
+    const legacy = delegationStore.getLegacy(legacyId);
+    if (!legacy) {
+      return null;
+    }
+    const newDelegation = await createDelegation({
+      issuerDid: legacy.issuer,
+      issuerType: "user",
+      // Assume user, host app should verify
+      audience: legacy.audience,
+      capabilities: legacy.capabilities,
+      proofs: legacy.proofs,
+      expiration: legacy.expiration,
+      pin
+    });
+    return newDelegation;
+  };
+  const migrateAllLegacy = async (pin) => {
+    const report = {
+      total: 0,
+      migrated: 0,
+      failed: 0,
+      errors: []
+    };
+    const legacyDelegations = delegationStore.getAllLegacy();
+    report.total = legacyDelegations.length;
+    for (const legacy of legacyDelegations) {
+      try {
+        const migrated = await migrateLegacyDelegation(legacy.id, pin);
+        if (migrated) {
+          report.migrated++;
+        } else {
+          report.failed++;
+          report.errors.push({ id: legacy.id, error: "Migration returned null" });
+        }
+      } catch (error) {
+        report.failed++;
+        report.errors.push({
+          id: legacy.id,
+          error: error instanceof Error ? error.message : "Unknown error"
+        });
+      }
+    }
+    return report;
+  };
+  const getLegacyCount = () => {
+    return delegationStore.getAllLegacy().length;
+  };
+  return {
+    createRootDelegation,
+    createDelegation,
+    revokeDelegation,
+    getDelegation,
+    getAllDelegations,
+    getRootDelegation,
+    createAndValidateInvocation,
+    executeWithInvocation,
+    validateDelegationChain,
+    findValidProofs,
+    parseDelegationFromStore,
+    migrateLegacyDelegation,
+    migrateAllLegacy,
+    getLegacyCount,
+    isConfigured
+  };
+};
+
+// src/core/services/ucanManager.ts
+var parseGrant = (value) => {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    throw new Error("Empty capability value");
+  }
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (parsed && typeof parsed === "object") {
+      return {
+        raw: trimmed,
+        with: typeof parsed.with === "string" ? parsed.with : void 0,
+        audience: typeof parsed.aud === "string" ? parsed.aud : void 0,
+        expiresAt: typeof parsed.exp === "number" ? parsed.exp * 1e3 : void 0,
+        action: typeof parsed.can === "string" ? parsed.can : void 0
+      };
+    }
+  } catch {
+  }
+  return { raw: trimmed };
+};
+var SimpleUCANManager = class {
+  async loadParentCapability(capability) {
+    return parseGrant(capability);
+  }
+  async deriveNodeCapability(parent, nodeId, actorDid) {
+    if (parent.expiresAt && parent.expiresAt < Date.now()) {
+      throw new Error("Parent capability expired");
+    }
+    if (parent.audience && parent.audience !== actorDid) {
+      throw new Error(`Actor ${actorDid} is not the audience for the capability`);
+    }
+    if (parent.with && !(parent.with.endsWith("*") || parent.with.includes(nodeId))) {
+      throw new Error(`Capability resource ${parent.with} does not cover node ${nodeId}`);
+    }
+    return { ...parent };
+  }
+  async validateDerivedCapability(derived) {
+    if (derived.expiresAt && derived.expiresAt < Date.now()) {
+      throw new Error("Derived capability expired");
+    }
+  }
+};
+
+export {
+  registerAction,
+  getAction,
+  getAllActions,
+  hasAction,
+  buildServicesFromHandlers,
+  buildVerifiableCredential,
+  buildDomainCardLinkedResource,
+  parseLinkedEntities,
+  buildGovernanceGroupLinkedEntities,
+  transformSurveyToCredentialSubject,
+  extractSurveyAnswersTemplate,
+  createUcanDelegationStore,
+  createMemoryUcanDelegationStore,
+  createInvocationStore,
+  createMemoryInvocationStore,
+  buildAuthzFromProps,
+  buildFlowNodeFromBlock,
+  createRuntimeStateManager,
+  clearRuntimeForTemplateClone,
+  isNodeActive,
+  validateCapabilityChain,
+  findValidCapability,
+  isActorAuthorized,
+  isActorAuthorizedV2,
+  executeNode,
+  executeNodeWithInvocation,
+  createDelegationStore,
+  createMemoryDelegationStore,
+  createUcanService,
+  SimpleUCANManager
+};
+//# sourceMappingURL=chunk-3RYZSIC2.mjs.map