@ixo/editor 3.0.0-beta.28 → 3.0.0-beta.29

package/dist/{chunk-NOMJJJDB.mjs → chunk-77R3T42S.mjs}

@@ -1624,69 +1624,31 @@ registerAction({
 
 // src/core/lib/ucanDelegationStore.ts
 var ROOT_DELEGATION_KEY = "__root__";
-var MIGRATION_VERSION_KEY = "__version__";
+var STORE_VERSION_KEY = "__version__";
 var CURRENT_VERSION = 2;
-var isNewFormat = (value) => {
+var isValidEntry = (value) => {
   if (!value || typeof value !== "object") return false;
   const entry = value;
   return entry.v === CURRENT_VERSION && entry.data !== void 0;
 };
-var isLegacyFormat = (value) => {
-  return typeof value === "string";
-};
-var parseLegacy = (value) => {
-  try {
-    return JSON.parse(value);
-  } catch {
-    return null;
-  }
-};
-var legacyToStoredDelegation = (legacy) => {
-  return {
-    cid: legacy.id,
-    delegation: "",
-    // Empty - CAR requires re-signing
-    issuerDid: legacy.issuer,
-    audienceDid: legacy.audience,
-    capabilities: legacy.capabilities.map((c) => ({
-      can: c.can,
-      with: c.with,
-      nb: c.nb
-    })),
-    expiration: legacy.expiration,
-    createdAt: legacy.issuedAt ? new Date(legacy.issuedAt).getTime() : Date.now(),
-    format: "legacy",
-    proofCids: legacy.proofs
-  };
-};
+var isReservedKey = (key) => key === ROOT_DELEGATION_KEY || key === STORE_VERSION_KEY;
 var createUcanDelegationStore = (yMap) => {
   const get = (cid) => {
-    if (cid === ROOT_DELEGATION_KEY || cid === MIGRATION_VERSION_KEY) return null;
+    if (isReservedKey(cid)) return null;
     const raw = yMap.get(cid);
     if (!raw) return null;
-    if (isNewFormat(raw)) {
-      return raw.data;
-    }
-    if (isLegacyFormat(raw)) {
-      const legacy = parseLegacy(raw);
-      if (legacy) {
-        return legacyToStoredDelegation(legacy);
-      }
-    }
+    if (isValidEntry(raw)) return raw.data;
     return null;
   };
   const set = (delegation) => {
-    const entry = {
-      v: CURRENT_VERSION,
-      data: delegation
-    };
+    const entry = { v: CURRENT_VERSION, data: delegation };
     yMap.set(delegation.cid, entry);
   };
   const remove = (cid) => {
     yMap.delete(cid);
   };
   const has = (cid) => {
-    return yMap.has(cid) && cid !== ROOT_DELEGATION_KEY && cid !== MIGRATION_VERSION_KEY;
+    return yMap.has(cid) && !isReservedKey(cid);
   };
   const getRoot = () => {
     const rootCid = yMap.get(ROOT_DELEGATION_KEY);
@@ -1702,16 +1664,9 @@ var createUcanDelegationStore = (yMap) => {
   const getAll = () => {
     const delegations = [];
     yMap.forEach((value, key) => {
-      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
-      if (isNewFormat(value)) {
+      if (isReservedKey(key)) return;
+      if (isValidEntry(value)) {
         delegations.push(value.data);
-        return;
-      }
-      if (isLegacyFormat(value)) {
-        const legacy = parseLegacy(value);
-        if (legacy) {
-          delegations.push(legacyToStoredDelegation(legacy));
-        }
       }
     });
     return delegations;
@@ -1740,43 +1695,6 @@ var createUcanDelegationStore = (yMap) => {
       })
     );
   };
-  const getVersion = () => {
-    const version = yMap.get(MIGRATION_VERSION_KEY);
-    return version ?? 1;
-  };
-  const setVersion = (version) => {
-    yMap.set(MIGRATION_VERSION_KEY, version);
-  };
-  const getLegacy = (id) => {
-    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return null;
-    const raw = yMap.get(id);
-    if (!raw) return null;
-    if (isLegacyFormat(raw)) {
-      return parseLegacy(raw);
-    }
-    return null;
-  };
-  const hasLegacy = (id) => {
-    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return false;
-    const raw = yMap.get(id);
-    return isLegacyFormat(raw);
-  };
-  const getAllLegacy = () => {
-    const legacyDelegations = [];
-    yMap.forEach((value, key) => {
-      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
-      if (isLegacyFormat(value)) {
-        const legacy = parseLegacy(value);
-        if (legacy) {
-          legacyDelegations.push(legacy);
-        }
-      }
-    });
-    return legacyDelegations;
-  };
-  const convertLegacyToStored = (legacy) => {
-    return legacyToStoredDelegation(legacy);
-  };
   return {
     get,
     set,
@@ -1788,44 +1706,27 @@ var createUcanDelegationStore = (yMap) => {
     getAll,
     getByAudience,
     getByIssuer,
-    findByCapability,
-    getVersion,
-    setVersion,
-    getLegacy,
-    hasLegacy,
-    getAllLegacy,
-    convertLegacyToStored
+    findByCapability
   };
 };
 var createMemoryUcanDelegationStore = () => {
   const store = /* @__PURE__ */ new Map();
   const get = (cid) => {
-    if (cid === ROOT_DELEGATION_KEY || cid === MIGRATION_VERSION_KEY) return null;
+    if (isReservedKey(cid)) return null;
     const raw = store.get(cid);
     if (!raw) return null;
-    if (isNewFormat(raw)) {
-      return raw.data;
-    }
-    if (isLegacyFormat(raw)) {
-      const legacy = parseLegacy(raw);
-      if (legacy) {
-        return legacyToStoredDelegation(legacy);
-      }
-    }
+    if (isValidEntry(raw)) return raw.data;
     return null;
   };
   const set = (delegation) => {
-    const entry = {
-      v: CURRENT_VERSION,
-      data: delegation
-    };
+    const entry = { v: CURRENT_VERSION, data: delegation };
     store.set(delegation.cid, entry);
   };
   const remove = (cid) => {
     store.delete(cid);
   };
   const has = (cid) => {
-    return store.has(cid) && cid !== ROOT_DELEGATION_KEY && cid !== MIGRATION_VERSION_KEY;
+    return store.has(cid) && !isReservedKey(cid);
   };
   const getRoot = () => {
     const rootCid = store.get(ROOT_DELEGATION_KEY);
@@ -1841,16 +1742,9 @@ var createMemoryUcanDelegationStore = () => {
   const getAll = () => {
     const delegations = [];
     store.forEach((value, key) => {
-      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
-      if (isNewFormat(value)) {
+      if (isReservedKey(key)) return;
+      if (isValidEntry(value)) {
         delegations.push(value.data);
-        return;
-      }
-      if (isLegacyFormat(value)) {
-        const legacy = parseLegacy(value);
-        if (legacy) {
-          delegations.push(legacyToStoredDelegation(legacy));
-        }
       }
     });
     return delegations;
@@ -1879,43 +1773,6 @@ var createMemoryUcanDelegationStore = () => {
       })
     );
   };
-  const getVersion = () => {
-    const version = store.get(MIGRATION_VERSION_KEY);
-    return version ?? 1;
-  };
-  const setVersion = (version) => {
-    store.set(MIGRATION_VERSION_KEY, version);
-  };
-  const getLegacy = (id) => {
-    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return null;
-    const raw = store.get(id);
-    if (!raw) return null;
-    if (isLegacyFormat(raw)) {
-      return parseLegacy(raw);
-    }
-    return null;
-  };
-  const hasLegacy = (id) => {
-    if (id === ROOT_DELEGATION_KEY || id === MIGRATION_VERSION_KEY) return false;
-    const raw = store.get(id);
-    return isLegacyFormat(raw);
-  };
-  const getAllLegacy = () => {
-    const legacyDelegations = [];
-    store.forEach((value, key) => {
-      if (key === ROOT_DELEGATION_KEY || key === MIGRATION_VERSION_KEY) return;
-      if (isLegacyFormat(value)) {
-        const legacy = parseLegacy(value);
-        if (legacy) {
-          legacyDelegations.push(legacy);
-        }
-      }
-    });
-    return legacyDelegations;
-  };
-  const convertLegacyToStored = (legacy) => {
-    return legacyToStoredDelegation(legacy);
-  };
   return {
     get,
     set,
@@ -1927,13 +1784,7 @@ var createMemoryUcanDelegationStore = () => {
     getAll,
     getByAudience,
     getByIssuer,
-    findByCapability,
-    getVersion,
-    setVersion,
-    getLegacy,
-    hasLegacy,
-    getAllLegacy,
-    convertLegacyToStored
+    findByCapability
   };
 };
 
@@ -2104,25 +1955,6 @@ var createMemoryInvocationStore = () => {
 };
 
 // src/core/lib/flowEngine/utils.ts
-var parseActors = (value) => {
-  if (!value) return [];
-  if (Array.isArray(value)) {
-    return value.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean);
-  }
-  if (typeof value === "string") {
-    const trimmed = value.trim();
-    if (!trimmed) return [];
-    try {
-      const parsed = JSON.parse(trimmed);
-      if (Array.isArray(parsed)) {
-        return parsed.filter((item) => typeof item === "string").map((item) => item.trim()).filter(Boolean);
-      }
-    } catch {
-    }
-    return trimmed.split(",").map((item) => item.trim()).filter(Boolean);
-  }
-  return [];
-};
 var parseActivationStatus = (value) => {
   if (value === "pending" || value === "approved" || value === "rejected") {
     return value;
@@ -2130,17 +1962,10 @@ var parseActivationStatus = (value) => {
   return void 0;
 };
 var buildAuthzFromProps = (props) => {
-  const authorisedActors = parseActors(props.authorisedActors);
   const activationRequiredStatus = parseActivationStatus(props.activationRequiredStatus);
   const activationUpstreamNodeId = typeof props.activationUpstreamNodeId === "string" ? props.activationUpstreamNodeId.trim() : "";
   const linkedClaimCollectionId = typeof props.linkedClaimCollectionId === "string" ? props.linkedClaimCollectionId.trim() : "";
   const authz = {};
-  if (typeof props.parentCapability === "string" && props.parentCapability.trim()) {
-    authz.parentCapability = props.parentCapability.trim();
-  }
-  if (authorisedActors.length > 0) {
-    authz.authorisedActors = authorisedActors;
-  }
   if (linkedClaimCollectionId) {
     authz.linkedClaim = { collectionId: linkedClaimCollectionId };
   }
@@ -2234,304 +2059,54 @@ var isNodeActive = (node, runtime) => {
     if (!upstreamActor) {
       return { active: false, reason: "Upstream submission actor is unknown." };
     }
-    const upstreamAuthorised = Array.isArray(upstreamState.authorisedActorsSnapshot) ? upstreamState.authorisedActorsSnapshot : [];
-    if (upstreamAuthorised.length > 0 && !upstreamAuthorised.includes(upstreamActor)) {
-      return { active: false, reason: "Upstream claim not submitted by an authorised actor." };
+    if (!upstreamState.lastInvocationCid) {
+      return { active: false, reason: "Upstream execution has no invocation proof." };
     }
   }
   return { active: true };
 };
 
-// src/core/lib/flowEngine/capabilityValidation.ts
-var capabilityCovers = (granted, required) => {
-  if (granted.can !== required.can && granted.can !== "*") {
-    if (granted.can.endsWith("/*")) {
-      const prefix = granted.can.slice(0, -2);
-      if (!required.can.startsWith(prefix)) return false;
-    } else {
-      return false;
-    }
-  }
-  if (granted.with !== required.with && granted.with !== "*") {
-    if (granted.with.endsWith("/*")) {
-      const prefix = granted.with.slice(0, -2);
-      if (!required.with.startsWith(prefix)) return false;
-    } else if (granted.with.endsWith("*")) {
-      const prefix = granted.with.slice(0, -1);
-      if (!required.with.startsWith(prefix)) return false;
-    } else {
-      return false;
-    }
-  }
-  return true;
-};
-var validateCapabilityChain = async (params) => {
-  const { capability, actorDid, requiredCapability, delegationStore, verifySignature, rootIssuer } = params;
-  const chain = [];
-  const visited = /* @__PURE__ */ new Set();
-  let current = capability;
-  while (current) {
-    if (visited.has(current.id)) {
-      return { valid: false, error: "Circular delegation detected" };
-    }
-    visited.add(current.id);
-    chain.unshift(current);
-    if (current.expiration && current.expiration < Date.now()) {
-      return { valid: false, error: `Capability ${current.id} has expired` };
-    }
-    const signatureResult = await verifySignature(JSON.stringify(current), current.issuer);
-    if (!signatureResult.valid) {
-      return { valid: false, error: `Invalid signature on capability ${current.id}: ${signatureResult.error}` };
-    }
-    if (current.proofs.length === 0) {
-      if (current.issuer !== rootIssuer) {
-        return { valid: false, error: `Root capability issuer mismatch. Expected ${rootIssuer}, got ${current.issuer}` };
-      }
-      break;
-    }
-    const parentId = current.proofs[0];
-    const parent = delegationStore.get(parentId);
-    if (!parent) {
-      return { valid: false, error: `Parent capability ${parentId} not found` };
-    }
-    if (parent.audience !== current.issuer) {
-      return { valid: false, error: `Delegation chain broken: ${parent.audience} !== ${current.issuer}` };
-    }
-    current = parent;
-  }
-  const finalCap = chain[chain.length - 1];
-  if (finalCap.audience !== actorDid) {
-    return { valid: false, error: `Capability not granted to actor. Expected ${actorDid}, got ${finalCap.audience}` };
-  }
-  for (const cap of chain) {
-    const hasRequiredCap = cap.capabilities.some((c) => capabilityCovers(c, requiredCapability));
-    if (!hasRequiredCap) {
-      return { valid: false, error: `Capability ${cap.id} does not grant required permission` };
-    }
-  }
-  return { valid: true, chain };
-};
-var findValidCapability = async (params) => {
-  const { actorDid, requiredCapability, delegationStore, verifySignature, rootIssuer } = params;
-  const allDelegations = delegationStore.getAll();
-  const actorDelegations = allDelegations.filter((d) => d.audience === actorDid);
-  for (const delegation of actorDelegations) {
-    const result = await validateCapabilityChain({
-      capability: delegation,
-      actorDid,
-      requiredCapability,
-      delegationStore,
-      verifySignature,
-      rootIssuer
-    });
-    if (result.valid) {
-      return { found: true, capabilityId: delegation.id };
-    }
-  }
-  const root = delegationStore.getRoot();
-  if (root && root.audience === actorDid) {
-    const result = await validateCapabilityChain({
-      capability: root,
-      actorDid,
-      requiredCapability,
-      delegationStore,
-      verifySignature,
-      rootIssuer
-    });
-    if (result.valid) {
-      return { found: true, capabilityId: root.id };
-    }
-  }
-  return { found: false, error: "No valid capability found for actor" };
-};
-
 // src/core/lib/flowEngine/authorization.ts
-var isActorAuthorized = async (node, actorDid, context) => {
-  if (node.authorisedActors && node.authorisedActors.length > 0) {
-    if (!node.authorisedActors.includes(actorDid)) {
-      return {
-        authorized: false,
-        reason: `Actor ${actorDid} is not in the authorized actors list for this block.`
-      };
-    }
-    if (!node.parentCapability) {
-      return { authorized: true };
-    }
-  }
-  if (node.parentCapability && context?.delegationStore && context?.verifySignature && context?.rootIssuer) {
-    const requiredCapability = {
-      can: "flow/block/execute",
-      with: context.flowUri ? `${context.flowUri}:${node.id}` : `ixo:flow:*:${node.id}`
-    };
-    const result = await findValidCapability({
-      actorDid,
-      requiredCapability,
-      delegationStore: context.delegationStore,
-      verifySignature: context.verifySignature,
-      rootIssuer: context.rootIssuer
-    });
-    if (!result.found) {
-      return {
-        authorized: false,
-        reason: result.error || "No valid capability found"
-      };
-    }
-    return { authorized: true, capabilityId: result.capabilityId };
-  }
-  if (node.parentCapability && context?.ucanManager) {
-    try {
-      const parent = await context.ucanManager.loadParentCapability(node.parentCapability);
-      const derived = await context.ucanManager.deriveNodeCapability(parent, node.id, actorDid);
-      await context.ucanManager.validateDerivedCapability(derived, node.id, actorDid);
-      return { authorized: true, derived };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Capability derivation failed";
-      return { authorized: false, reason: message };
-    }
-  }
-  if (node.parentCapability && !context?.delegationStore && !context?.ucanManager) {
-    return {
-      authorized: false,
-      reason: "Capability validation required but neither delegation store nor UCAN manager configured."
-    };
-  }
-  return { authorized: true };
-};
-var isActorAuthorizedV2 = async (node, actorDid, context) => {
-  if (node.authorisedActors && node.authorisedActors.length > 0) {
-    if (!node.authorisedActors.includes(actorDid)) {
-      return {
-        authorized: false,
-        reason: `Actor ${actorDid} is not in the authorized actors list for this block.`
-      };
-    }
-    if (!node.parentCapability) {
-      return { authorized: true };
-    }
-  }
-  if (node.parentCapability && context?.ucanService && context?.flowUri) {
-    const requiredCapability = {
-      can: "flow/block/execute",
-      with: `${context.flowUri}:${node.id}`
-    };
-    const validationResult = await context.ucanService.validateDelegationChain(actorDid, requiredCapability);
-    if (!validationResult.valid) {
-      return {
-        authorized: false,
-        reason: validationResult.error || "No valid capability chain found"
-      };
-    }
-    const proofCids = validationResult.proofChain?.map((d) => d.cid) || [];
-    return {
-      authorized: true,
-      capabilityId: proofCids[0],
-      // First in chain is the actor's delegation
-      proofCids
-    };
-  }
-  if (node.parentCapability && context?.delegationStore && context?.verifySignature && context?.rootIssuer) {
-    const requiredCapability = {
-      can: "flow/block/execute",
-      with: context.flowUri ? `${context.flowUri}:${node.id}` : `ixo:flow:*:${node.id}`
-    };
-    const result = await findValidCapability({
-      actorDid,
-      requiredCapability,
-      delegationStore: context.delegationStore,
-      verifySignature: context.verifySignature,
-      rootIssuer: context.rootIssuer
-    });
-    if (!result.found) {
-      return {
-        authorized: false,
-        reason: result.error || "No valid capability found"
-      };
-    }
-    return { authorized: true, capabilityId: result.capabilityId };
-  }
-  if (node.parentCapability && context?.ucanManager) {
-    try {
-      const parent = await context.ucanManager.loadParentCapability(node.parentCapability);
-      const derived = await context.ucanManager.deriveNodeCapability(parent, node.id, actorDid);
-      await context.ucanManager.validateDerivedCapability(derived, node.id, actorDid);
-      return { authorized: true, derived };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Capability derivation failed";
-      return { authorized: false, reason: message };
-    }
-  }
-  if (node.parentCapability && !context?.ucanService && !context?.delegationStore && !context?.ucanManager) {
+var isAuthorized = async (blockId, actorDid, ucanService, flowUri) => {
+  const capability = {
+    can: "flow/block/execute",
+    with: `${flowUri}:${blockId}`
+  };
+  const result = await ucanService.validateDelegationChain(actorDid, capability);
+  if (!result.valid) {
     return {
       authorized: false,
-      reason: "Capability validation required but no UCAN service or delegation store configured."
+      reason: result.error || "No valid capability chain found"
     };
   }
-  return { authorized: true };
+  const proofCids = result.proofChain?.map((d) => d.cid) || [];
+  return {
+    authorized: true,
+    capabilityId: proofCids[0],
+    proofCids
+  };
 };
 
 // src/core/lib/flowEngine/executor.ts
-var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, capabilityId, now) => {
+var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, invocationCid, now) => {
   const updates = {
     submittedByDid: actionResult.submittedByDid || actorDid,
     evaluationStatus: actionResult.evaluationStatus || "pending",
     executionTimestamp: now ? now() : Date.now(),
-    derivedUcan: capabilityId,
-    authorisedActorsSnapshot: node.authorisedActors
+    lastInvocationCid: invocationCid
   };
   if (actionResult.claimId) {
     updates.claimId = actionResult.claimId;
   }
   runtime.update(node.id, updates);
 };
-var executeNode = async ({ node, actorDid, context, action }) => {
-  const { runtime, delegationStore, verifySignature, rootIssuer, flowUri, ucanManager, now } = context;
+var executeNode = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
+  const { runtime, ucanService, invocationStore, flowUri, flowId, now } = context;
   const activation = isNodeActive(node, runtime);
   if (!activation.active) {
     return { success: false, stage: "activation", error: activation.reason };
   }
-  const authContext = {
-    delegationStore,
-    verifySignature,
-    rootIssuer,
-    flowUri,
-    ucanManager
-  };
-  const auth = await isActorAuthorized(node, actorDid, authContext);
-  if (!auth.authorized) {
-    return { success: false, stage: "authorization", error: auth.reason };
-  }
-  if (node.linkedClaim && !node.linkedClaim.collectionId) {
-    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
-  }
-  try {
-    const result = await action();
-    if (node.linkedClaim && !result.claimId) {
-      return { success: false, stage: "claim", error: "Execution did not return a claimId for linked claim requirement." };
-    }
-    updateRuntimeAfterSuccess(node, actorDid, runtime, result, auth.capabilityId, now);
-    return { success: true, stage: "complete", result, capabilityId: auth.capabilityId };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Execution failed";
-    return { success: false, stage: "action", error: message };
-  }
-};
-var executeNodeWithInvocation = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
-  const { runtime, ucanService, invocationStore, flowUri, flowId, flowOwnerDid, now } = context;
-  const activation = isNodeActive(node, runtime);
-  if (!activation.active) {
-    return { success: false, stage: "activation", error: activation.reason };
-  }
-  const authContext = {
-    ucanService,
-    flowUri,
-    flowOwnerDid,
-    // Legacy fallbacks
-    delegationStore: context.delegationStore,
-    verifySignature: context.verifySignature,
-    rootIssuer: context.rootIssuer,
-    ucanManager: context.ucanManager
-  };
-  const auth = await isActorAuthorizedV2(node, actorDid, authContext);
+  const auth = await isAuthorized(node.id, actorDid, ucanService, flowUri);
   if (!auth.authorized) {
     return { success: false, stage: "authorization", error: auth.reason };
   }
@@ -2540,7 +2115,7 @@ var executeNodeWithInvocation = async ({ node, actorDid, actorType, entityRoomId
   }
   let invocationCid;
   let invocationData;
-  if (ucanService && auth.proofCids && auth.proofCids.length > 0) {
+  if (auth.proofCids && auth.proofCids.length > 0) {
     const capability = {
       can: "flow/block/execute",
       with: `${flowUri}:${node.id}`
@@ -2641,106 +2216,6 @@ var executeNodeWithInvocation = async ({ node, actorDid, actorType, entityRoomId
   }
 };
 
-// src/core/lib/delegationStore.ts
-var ROOT_CAPABILITY_KEY = "__root__";
-var createDelegationStore = (yMap) => {
-  return {
-    get: (capabilityId) => {
-      const raw = yMap.get(capabilityId);
-      if (!raw || capabilityId === ROOT_CAPABILITY_KEY) return null;
-      try {
-        return JSON.parse(raw);
-      } catch {
-        return null;
-      }
-    },
-    set: (capability) => {
-      yMap.set(capability.id, JSON.stringify(capability));
-    },
-    remove: (capabilityId) => {
-      yMap.delete(capabilityId);
-    },
-    getRoot: () => {
-      const rootId = yMap.get(ROOT_CAPABILITY_KEY);
-      if (!rootId) return null;
-      const raw = yMap.get(rootId);
-      if (!raw) return null;
-      try {
-        return JSON.parse(raw);
-      } catch {
-        return null;
-      }
-    },
-    setRootId: (capabilityId) => {
-      yMap.set(ROOT_CAPABILITY_KEY, capabilityId);
-    },
-    getAll: () => {
-      const capabilities = [];
-      yMap.forEach((value, key) => {
-        if (key !== ROOT_CAPABILITY_KEY) {
-          try {
-            capabilities.push(JSON.parse(value));
-          } catch {
-          }
-        }
-      });
-      return capabilities;
-    },
-    has: (capabilityId) => {
-      return yMap.has(capabilityId);
-    }
-  };
-};
-var createMemoryDelegationStore = () => {
-  const store = /* @__PURE__ */ new Map();
-  return {
-    get: (capabilityId) => {
-      const raw = store.get(capabilityId);
-      if (!raw || capabilityId === ROOT_CAPABILITY_KEY) return null;
-      try {
-        return JSON.parse(raw);
-      } catch {
-        return null;
-      }
-    },
-    set: (capability) => {
-      store.set(capability.id, JSON.stringify(capability));
-    },
-    remove: (capabilityId) => {
-      store.delete(capabilityId);
-    },
-    getRoot: () => {
-      const rootId = store.get(ROOT_CAPABILITY_KEY);
-      if (!rootId) return null;
-      const raw = store.get(rootId);
-      if (!raw) return null;
-      try {
-        return JSON.parse(raw);
-      } catch {
-        return null;
-      }
-    },
-    setRootId: (capabilityId) => {
-      store.set(ROOT_CAPABILITY_KEY, capabilityId);
-    },
-    getAll: () => {
-      const capabilities = [];
-      store.forEach((value, key) => {
-        if (key !== ROOT_CAPABILITY_KEY) {
-          try {
-            capabilities.push(JSON.parse(value));
-          } catch {
-          }
-        }
-      });
-      return capabilities;
-    },
-    has: (capabilityId) => {
-      return store.has(capabilityId);
-    }
-  };
-};
-
 // src/core/services/ucanService.ts
 import {
   createDelegation as ucanCreateDelegation,
@@ -2793,8 +2268,7 @@ var createUcanService = (config) => {
       return delegationCache.get(cid);
     }
     const stored = delegationStore.get(cid);
-    if (!stored) return null;
-    if (stored.format === "legacy" || !stored.delegation) {
+    if (!stored || !stored.delegation) {
       return null;
     }
     try {
@@ -2853,7 +2327,6 @@ var createUcanService = (config) => {
       capabilities: toUcantoCapabilities(capabilities),
       proofs: proofDelegations,
       expiration: expiration ? Math.floor(expiration / 1e3) : void 0
-      // Convert ms to seconds
     });
     const serialized = await serializeDelegation(delegation);
     const cid = getCidFromDelegation(delegation);
@@ -3038,54 +2511,6 @@ var createUcanService = (config) => {
       };
     }
   };
-  const migrateLegacyDelegation = async (legacyId, pin) => {
-    const legacy = delegationStore.getLegacy(legacyId);
-    if (!legacy) {
-      return null;
-    }
-    const newDelegation = await createDelegation({
-      issuerDid: legacy.issuer,
-      issuerType: "user",
-      // Assume user, host app should verify
-      audience: legacy.audience,
-      capabilities: legacy.capabilities,
-      proofs: legacy.proofs,
-      expiration: legacy.expiration,
-      pin
-    });
-    return newDelegation;
-  };
-  const migrateAllLegacy = async (pin) => {
-    const report = {
-      total: 0,
-      migrated: 0,
-      failed: 0,
-      errors: []
-    };
-    const legacyDelegations = delegationStore.getAllLegacy();
-    report.total = legacyDelegations.length;
-    for (const legacy of legacyDelegations) {
-      try {
-        const migrated = await migrateLegacyDelegation(legacy.id, pin);
-        if (migrated) {
-          report.migrated++;
-        } else {
-          report.failed++;
-          report.errors.push({ id: legacy.id, error: "Migration returned null" });
-        }
-      } catch (error) {
-        report.failed++;
-        report.errors.push({
-          id: legacy.id,
-          error: error instanceof Error ? error.message : "Unknown error"
-        });
-      }
-    }
-    return report;
-  };
-  const getLegacyCount = () => {
-    return delegationStore.getAllLegacy().length;
-  };
   return {
     createRootDelegation,
     createDelegation,
@@ -3098,57 +2523,10 @@ var createUcanService = (config) => {
     validateDelegationChain,
     findValidProofs,
     parseDelegationFromStore,
-    migrateLegacyDelegation,
-    migrateAllLegacy,
-    getLegacyCount,
     isConfigured
   };
 };
 
-// src/core/services/ucanManager.ts
-var parseGrant = (value) => {
-  const trimmed = value.trim();
-  if (!trimmed) {
-    throw new Error("Empty capability value");
-  }
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (parsed && typeof parsed === "object") {
-      return {
-        raw: trimmed,
-        with: typeof parsed.with === "string" ? parsed.with : void 0,
-        audience: typeof parsed.aud === "string" ? parsed.aud : void 0,
-        expiresAt: typeof parsed.exp === "number" ? parsed.exp * 1e3 : void 0,
-        action: typeof parsed.can === "string" ? parsed.can : void 0
-      };
-    }
-  } catch {
-  }
-  return { raw: trimmed };
-};
-var SimpleUCANManager = class {
-  async loadParentCapability(capability) {
-    return parseGrant(capability);
-  }
-  async deriveNodeCapability(parent, nodeId, actorDid) {
-    if (parent.expiresAt && parent.expiresAt < Date.now()) {
-      throw new Error("Parent capability expired");
-    }
-    if (parent.audience && parent.audience !== actorDid) {
-      throw new Error(`Actor ${actorDid} is not the audience for the capability`);
-    }
-    if (parent.with && !(parent.with.endsWith("*") || parent.with.includes(nodeId))) {
-      throw new Error(`Capability resource ${parent.with} does not cover node ${nodeId}`);
-    }
-    return { ...parent };
-  }
-  async validateDerivedCapability(derived) {
-    if (derived.expiresAt && derived.expiresAt < Date.now()) {
-      throw new Error("Derived capability expired");
-    }
-  }
-};
-
 export {
   resolveActionType,
   registerAction,
@@ -3179,15 +2557,8 @@ export {
   createRuntimeStateManager,
   clearRuntimeForTemplateClone,
   isNodeActive,
-  validateCapabilityChain,
-  findValidCapability,
-  isActorAuthorized,
-  isActorAuthorizedV2,
+  isAuthorized,
   executeNode,
-  executeNodeWithInvocation,
-  createDelegationStore,
-  createMemoryDelegationStore,
-  createUcanService,
-  SimpleUCANManager
+  createUcanService
 };
-//# sourceMappingURL=chunk-NOMJJJDB.mjs.map
+//# sourceMappingURL=chunk-77R3T42S.mjs.map