@ixo/editor 3.1.0 → 3.2.1

package/dist/{chunk-5D26UG3I.mjs → chunk-F2JSGDES.mjs}

@@ -1904,97 +1904,408 @@ registerDiffResolver("evaluateClaim", {
   }
 });
 
-// src/core/lib/ucanDelegationStore.ts
-var ROOT_DELEGATION_KEY = "__root__";
-var STORE_VERSION_KEY = "__version__";
-var CURRENT_VERSION = 2;
-var isValidEntry = (value) => {
-  if (!value || typeof value !== "object") return false;
-  const entry = value;
-  return entry.v === CURRENT_VERSION && entry.data !== void 0;
-};
-var isReservedKey = (key) => key === ROOT_DELEGATION_KEY || key === STORE_VERSION_KEY;
-var createUcanDelegationStore = (yMap) => {
-  const get = (cid) => {
-    if (isReservedKey(cid)) return null;
-    const raw = yMap.get(cid);
-    if (!raw) return null;
-    if (isValidEntry(raw)) return raw.data;
-    return null;
-  };
-  const set = (delegation) => {
-    const entry = { v: CURRENT_VERSION, data: delegation };
-    yMap.set(delegation.cid, entry);
+// src/core/services/ucanService.ts
+import {
+  createDelegation as ucanCreateDelegation,
+  createInvocation as ucanCreateInvocation,
+  serializeDelegation,
+  serializeInvocation,
+  parseDelegation,
+  parseSigner,
+  signerFromMnemonic
+} from "@ixo/ucan";
+function toSupportedDID(did) {
+  if (did.startsWith("did:ixo:") || did.startsWith("did:key:")) {
+    return did;
+  }
+  return void 0;
+}
+function toUcantoCapabilities(capabilities) {
+  return capabilities.map((cap) => ({
+    can: cap.can,
+    with: cap.with,
+    ...cap.nb && { nb: cap.nb }
+  }));
+}
+async function getSigner(handlers, did, didType, entityRoomId, pin) {
+  const supportedDid = toSupportedDID(did);
+  if (handlers.getPrivateKey) {
+    const privateKey = await handlers.getPrivateKey({ did, didType, entityRoomId, pin });
+    return parseSigner(privateKey, supportedDid);
+  }
+  if (handlers.getMnemonic) {
+    const mnemonic = await handlers.getMnemonic({ did, didType, entityRoomId, pin });
+    const result = await signerFromMnemonic(mnemonic, supportedDid);
+    return result.signer;
+  }
+  throw new Error("No signer handler configured (need getPrivateKey or getMnemonic)");
+}
+function getCidFromDelegation(delegation) {
+  return delegation.cid.toString();
+}
+var createUcanService = (config) => {
+  const { delegationStore, invocationStore, handlers, flowOwnerDid } = config;
+  const delegationCache = /* @__PURE__ */ new Map();
+  const isConfigured = () => {
+    const hasSessionHandlers = !!(handlers.createSignerSession && handlers.signWithSession);
+    const hasLegacyHandlers = !!(handlers.getPrivateKey || handlers.getMnemonic);
+    return hasSessionHandlers || hasLegacyHandlers;
   };
-  const remove = (cid) => {
-    yMap.delete(cid);
+  const parseDelegationFromStore = async (cid) => {
+    if (delegationCache.has(cid)) {
+      return delegationCache.get(cid);
+    }
+    const stored = delegationStore.get(cid);
+    if (!stored || !stored.delegation) {
+      return null;
+    }
+    try {
+      const delegation = await parseDelegation(stored.delegation);
+      delegationCache.set(cid, delegation);
+      return delegation;
+    } catch {
+      return null;
+    }
   };
-  const has = (cid) => {
-    return yMap.has(cid) && !isReservedKey(cid);
+  const getProofDelegations = async (proofCids) => {
+    const proofs = [];
+    for (const cid of proofCids) {
+      const delegation = await parseDelegationFromStore(cid);
+      if (delegation) {
+        proofs.push(delegation);
+      }
+    }
+    return proofs;
   };
-  const getRoot = () => {
-    const rootCid = yMap.get(ROOT_DELEGATION_KEY);
-    if (!rootCid) return null;
-    return get(rootCid);
+  const createRootDelegation = async (params) => {
+    const { flowOwnerDid: ownerDid, issuerType, entityRoomId, flowUri: uri, pin } = params;
+    const signer = await getSigner(handlers, ownerDid, issuerType, entityRoomId, pin);
+    const capabilities = [{ can: "flow/*", with: uri }];
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience: ownerDid,
+      capabilities,
+      proofs: []
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid: ownerDid,
+      audienceDid: ownerDid,
+      capabilities,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids: []
+    };
+    delegationStore.set(storedDelegation);
+    delegationStore.setRootCid(cid);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
   };
-  const setRootCid = (cid) => {
-    yMap.set(ROOT_DELEGATION_KEY, cid);
+  const createDelegation = async (params) => {
+    const { issuerDid, issuerType, entityRoomId, audience, capabilities, proofs = [], expiration, pin } = params;
+    const signer = await getSigner(handlers, issuerDid, issuerType, entityRoomId, pin);
+    const proofCids = proofs.length > 0 ? proofs : [delegationStore.getRootCid()].filter(Boolean);
+    const proofDelegations = await getProofDelegations(proofCids);
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience,
+      capabilities: toUcantoCapabilities(capabilities),
+      proofs: proofDelegations,
+      expiration: expiration ? Math.floor(expiration / 1e3) : void 0
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid,
+      audienceDid: audience,
+      capabilities,
+      expiration,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids
+    };
+    delegationStore.set(storedDelegation);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
   };
-  const getRootCid = () => {
-    return yMap.get(ROOT_DELEGATION_KEY) || null;
+  const revokeDelegation = (cid) => {
+    delegationStore.remove(cid);
+    delegationCache.delete(cid);
   };
-  const getAll = () => {
-    const delegations = [];
-    yMap.forEach((value, key) => {
-      if (isReservedKey(key)) return;
-      if (isValidEntry(value)) {
-        delegations.push(value.data);
-      }
-    });
-    return delegations;
+  const getDelegation = (cid) => {
+    return delegationStore.get(cid);
   };
-  const getByAudience = (audienceDid) => {
-    return getAll().filter((d) => d.audienceDid === audienceDid);
+  const getAllDelegations = () => {
+    return delegationStore.getAll();
   };
-  const getByIssuer = (issuerDid) => {
-    return getAll().filter((d) => d.issuerDid === issuerDid);
+  const getRootDelegation = () => {
+    return delegationStore.getRoot();
   };
-  const findByCapability = (can, withUri) => {
-    return getAll().filter(
-      (d) => d.capabilities.some((c) => {
-        if (c.can === can && c.with === withUri) return true;
+  const findValidProofs = async (audienceDid, capability) => {
+    const delegations = delegationStore.getByAudience(audienceDid);
+    if (delegations.length === 0) {
+      const root = delegationStore.getRoot();
+      if (root && root.audienceDid === audienceDid) {
+        return { found: true, proofCids: [root.cid] };
+      }
+      return { found: false, error: "No delegations found for actor" };
+    }
+    for (const delegation of delegations) {
+      const covers = delegation.capabilities.some((c) => {
+        if (c.can === capability.can && c.with === capability.with) return true;
         if (c.can === "*" || c.can === "flow/*") return true;
         if (c.can.endsWith("/*")) {
           const prefix = c.can.slice(0, -1);
-          if (can.startsWith(prefix)) return true;
+          if (capability.can.startsWith(prefix)) return true;
         }
         if (c.with === "*") return true;
         if (c.with.endsWith("*")) {
           const prefix = c.with.slice(0, -1);
-          if (withUri.startsWith(prefix)) return true;
+          if (capability.with.startsWith(prefix)) return true;
         }
         return false;
-      })
-    );
+      });
+      if (covers) {
+        if (delegation.expiration && delegation.expiration < Date.now()) {
+          continue;
+        }
+        const proofCids = [delegation.cid, ...delegation.proofCids];
+        return { found: true, proofCids };
+      }
+    }
+    return { found: false, error: "No valid delegation found for capability" };
   };
-  return {
-    get,
-    set,
-    remove,
-    has,
-    getRoot,
-    setRootCid,
-    getRootCid,
-    getAll,
-    getByAudience,
-    getByIssuer,
-    findByCapability
+  const validateDelegationChain = async (audienceDid, capability) => {
+    const proofsResult = await findValidProofs(audienceDid, capability);
+    if (!proofsResult.found || !proofsResult.proofCids) {
+      return { valid: false, error: proofsResult.error };
+    }
+    const proofChain = [];
+    for (const cid of proofsResult.proofCids) {
+      const delegation = delegationStore.get(cid);
+      if (!delegation) {
+        return { valid: false, error: `Proof delegation ${cid} not found` };
+      }
+      proofChain.push(delegation);
+    }
+    for (let i = 0; i < proofChain.length - 1; i++) {
+      const current = proofChain[i];
+      const parent = proofChain[i + 1];
+      if (parent.audienceDid !== current.issuerDid) {
+        return {
+          valid: false,
+          error: `Chain broken: ${parent.cid} audience (${parent.audienceDid}) != ${current.cid} issuer (${current.issuerDid})`
+        };
+      }
+    }
+    const root = proofChain[proofChain.length - 1];
+    if (root.issuerDid !== flowOwnerDid) {
+      return { valid: false, error: `Root issuer ${root.issuerDid} is not flow owner ${flowOwnerDid}` };
+    }
+    return { valid: true, proofChain };
   };
-};
-var createMemoryUcanDelegationStore = () => {
-  const store = /* @__PURE__ */ new Map();
-  const get = (cid) => {
-    if (isReservedKey(cid)) return null;
+  const createAndValidateInvocation = async (params, _flowId, _blockId) => {
+    const { invokerDid, invokerType, entityRoomId, capability, proofs, pin } = params;
+    const validation = await validateDelegationChain(invokerDid, capability);
+    if (!validation.valid) {
+      return {
+        cid: "",
+        invocation: "",
+        valid: false,
+        error: validation.error
+      };
+    }
+    const signer = await getSigner(handlers, invokerDid, invokerType, entityRoomId, pin);
+    const proofDelegations = await getProofDelegations(proofs);
+    const ucantoCapability = {
+      can: capability.can,
+      with: capability.with,
+      ...capability.nb && { nb: capability.nb }
+    };
+    const invocation = await ucanCreateInvocation({
+      issuer: signer,
+      audience: flowOwnerDid,
+      capability: ucantoCapability,
+      proofs: proofDelegations
+    });
+    const serialized = await serializeInvocation(invocation);
+    const built = await invocation.buildIPLDView();
+    const cid = built.cid.toString();
+    return {
+      cid,
+      invocation: serialized,
+      valid: true
+    };
+  };
+  const executeWithInvocation = async (params, action, flowId, blockId) => {
+    const invocationResult = await createAndValidateInvocation(params, flowId, blockId);
+    if (!invocationResult.valid) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: invocationResult.error
+      };
+    }
+    if (invocationStore.hasBeenInvoked(invocationResult.cid)) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: "Invocation has already been used (replay attack prevented)"
+      };
+    }
+    try {
+      const actionResult = await action();
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "success",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: true,
+        invocationCid: invocationResult.cid,
+        result: actionResult,
+        actionResult
+      };
+    } catch (error) {
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "failure",
+        error: error instanceof Error ? error.message : "Unknown error",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  };
+  return {
+    createRootDelegation,
+    createDelegation,
+    revokeDelegation,
+    getDelegation,
+    getAllDelegations,
+    getRootDelegation,
+    createAndValidateInvocation,
+    executeWithInvocation,
+    validateDelegationChain,
+    findValidProofs,
+    parseDelegationFromStore,
+    isConfigured
+  };
+};
+
+// src/core/lib/ucanDelegationStore.ts
+var ROOT_DELEGATION_KEY = "__root__";
+var STORE_VERSION_KEY = "__version__";
+var CURRENT_VERSION = 2;
+var isValidEntry = (value) => {
+  if (!value || typeof value !== "object") return false;
+  const entry = value;
+  return entry.v === CURRENT_VERSION && entry.data !== void 0;
+};
+var isReservedKey = (key) => key === ROOT_DELEGATION_KEY || key === STORE_VERSION_KEY;
+var createUcanDelegationStore = (yMap) => {
+  const get = (cid) => {
+    if (isReservedKey(cid)) return null;
+    const raw = yMap.get(cid);
+    if (!raw) return null;
+    if (isValidEntry(raw)) return raw.data;
+    return null;
+  };
+  const set = (delegation) => {
+    const entry = { v: CURRENT_VERSION, data: delegation };
+    yMap.set(delegation.cid, entry);
+  };
+  const remove = (cid) => {
+    yMap.delete(cid);
+  };
+  const has = (cid) => {
+    return yMap.has(cid) && !isReservedKey(cid);
+  };
+  const getRoot = () => {
+    const rootCid = yMap.get(ROOT_DELEGATION_KEY);
+    if (!rootCid) return null;
+    return get(rootCid);
+  };
+  const setRootCid = (cid) => {
+    yMap.set(ROOT_DELEGATION_KEY, cid);
+  };
+  const getRootCid = () => {
+    return yMap.get(ROOT_DELEGATION_KEY) || null;
+  };
+  const getAll = () => {
+    const delegations = [];
+    yMap.forEach((value, key) => {
+      if (isReservedKey(key)) return;
+      if (isValidEntry(value)) {
+        delegations.push(value.data);
+      }
+    });
+    return delegations;
+  };
+  const getByAudience = (audienceDid) => {
+    return getAll().filter((d) => d.audienceDid === audienceDid);
+  };
+  const getByIssuer = (issuerDid) => {
+    return getAll().filter((d) => d.issuerDid === issuerDid);
+  };
+  const findByCapability = (can, withUri) => {
+    return getAll().filter(
+      (d) => d.capabilities.some((c) => {
+        if (c.can === can && c.with === withUri) return true;
+        if (c.can === "*" || c.can === "flow/*") return true;
+        if (c.can.endsWith("/*")) {
+          const prefix = c.can.slice(0, -1);
+          if (can.startsWith(prefix)) return true;
+        }
+        if (c.with === "*") return true;
+        if (c.with.endsWith("*")) {
+          const prefix = c.with.slice(0, -1);
+          if (withUri.startsWith(prefix)) return true;
+        }
+        return false;
+      })
+    );
+  };
+  return {
+    get,
+    set,
+    remove,
+    has,
+    getRoot,
+    setRootCid,
+    getRootCid,
+    getAll,
+    getByAudience,
+    getByIssuer,
+    findByCapability
+  };
+};
+var createMemoryUcanDelegationStore = () => {
+  const store = /* @__PURE__ */ new Map();
+  const get = (cid) => {
+    if (isReservedKey(cid)) return null;
     const raw = store.get(cid);
     if (!raw) return null;
     if (isValidEntry(raw)) return raw.data;
@@ -2341,473 +2652,372 @@ var isNodeActive = (node, runtime) => {
     if (!upstreamActor) {
       return { active: false, reason: "Upstream submission actor is unknown." };
     }
-    if (!upstreamState.lastInvocationCid) {
-      return { active: false, reason: "Upstream execution has no invocation proof." };
-    }
-  }
-  return { active: true };
-};
-
-// src/core/lib/flowEngine/authorization.ts
-var isAuthorized = async (blockId, actorDid, ucanService, flowUri) => {
-  const capability = {
-    can: "flow/block/execute",
-    with: `${flowUri}:${blockId}`
-  };
-  const result = await ucanService.validateDelegationChain(actorDid, capability);
-  if (!result.valid) {
-    return {
-      authorized: false,
-      reason: result.error || "No valid capability chain found"
-    };
-  }
-  const proofCids = result.proofChain?.map((d) => d.cid) || [];
-  return {
-    authorized: true,
-    capabilityId: proofCids[0],
-    proofCids
-  };
-};
-
-// src/core/lib/flowEngine/executor.ts
-var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, invocationCid, now) => {
-  const updates = {
-    submittedByDid: actionResult.submittedByDid || actorDid,
-    evaluationStatus: actionResult.evaluationStatus || "pending",
-    executionTimestamp: now ? now() : Date.now(),
-    lastInvocationCid: invocationCid
-  };
-  if (actionResult.claimId) {
-    updates.claimId = actionResult.claimId;
-  }
-  runtime.update(node.id, updates);
-};
-var executeNode = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
-  const { runtime, ucanService, invocationStore, flowUri, flowId, now } = context;
-  const activation = isNodeActive(node, runtime);
-  if (!activation.active) {
-    return { success: false, stage: "activation", error: activation.reason };
-  }
-  const auth = await isAuthorized(node.id, actorDid, ucanService, flowUri);
-  if (!auth.authorized) {
-    return { success: false, stage: "authorization", error: auth.reason };
-  }
-  if (node.linkedClaim && !node.linkedClaim.collectionId) {
-    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
-  }
-  let invocationCid;
-  let invocationData;
-  if (auth.proofCids && auth.proofCids.length > 0) {
-    const capability = {
-      can: "flow/block/execute",
-      with: `${flowUri}:${node.id}`
-    };
-    try {
-      const invocationResult = await ucanService.createAndValidateInvocation(
-        {
-          invokerDid: actorDid,
-          invokerType: actorType,
-          entityRoomId,
-          capability,
-          proofs: auth.proofCids,
-          pin
-        },
-        flowId,
-        node.id
-      );
-      if (!invocationResult.valid) {
-        return {
-          success: false,
-          stage: "authorization",
-          error: `Invocation validation failed: ${invocationResult.error}`
-        };
-      }
-      invocationCid = invocationResult.cid;
-      invocationData = invocationResult.invocation;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to create invocation";
-      return { success: false, stage: "authorization", error: message };
-    }
-  }
-  try {
-    const result = await action();
-    if (node.linkedClaim && !result.claimId) {
-      if (invocationStore && invocationCid && invocationData) {
-        const storedInvocation = {
-          cid: invocationCid,
-          invocation: invocationData,
-          invokerDid: actorDid,
-          capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-          executedAt: now ? now() : Date.now(),
-          flowId,
-          blockId: node.id,
-          result: "failure",
-          error: "Execution did not return a claimId for linked claim requirement.",
-          proofCids: auth.proofCids || []
-        };
-        invocationStore.add(storedInvocation);
-      }
-      return {
-        success: false,
-        stage: "claim",
-        error: "Execution did not return a claimId for linked claim requirement.",
-        invocationCid
-      };
-    }
-    if (invocationStore && invocationCid && invocationData) {
-      const storedInvocation = {
-        cid: invocationCid,
-        invocation: invocationData,
-        invokerDid: actorDid,
-        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-        executedAt: now ? now() : Date.now(),
-        flowId,
-        blockId: node.id,
-        result: "success",
-        proofCids: auth.proofCids || [],
-        claimId: result.claimId
-      };
-      invocationStore.add(storedInvocation);
-    }
-    updateRuntimeAfterSuccess(node, actorDid, runtime, result, invocationCid || auth.capabilityId, now);
-    return {
-      success: true,
-      stage: "complete",
-      result,
-      capabilityId: auth.capabilityId,
-      invocationCid
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Execution failed";
-    if (invocationStore && invocationCid && invocationData) {
-      const storedInvocation = {
-        cid: invocationCid,
-        invocation: invocationData,
-        invokerDid: actorDid,
-        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-        executedAt: now ? now() : Date.now(),
-        flowId,
-        blockId: node.id,
-        result: "failure",
-        error: message,
-        proofCids: auth.proofCids || []
-      };
-      invocationStore.add(storedInvocation);
-    }
-    return { success: false, stage: "action", error: message, invocationCid };
-  }
-};
-
-// src/core/services/ucanService.ts
-import {
-  createDelegation as ucanCreateDelegation,
-  createInvocation as ucanCreateInvocation,
-  serializeDelegation,
-  serializeInvocation,
-  parseDelegation,
-  parseSigner,
-  signerFromMnemonic
-} from "@ixo/ucan";
-function toSupportedDID(did) {
-  if (did.startsWith("did:ixo:") || did.startsWith("did:key:")) {
-    return did;
-  }
-  return void 0;
-}
-function toUcantoCapabilities(capabilities) {
-  return capabilities.map((cap) => ({
-    can: cap.can,
-    with: cap.with,
-    ...cap.nb && { nb: cap.nb }
-  }));
-}
-async function getSigner(handlers, did, didType, entityRoomId, pin) {
-  const supportedDid = toSupportedDID(did);
-  if (handlers.getPrivateKey) {
-    const privateKey = await handlers.getPrivateKey({ did, didType, entityRoomId, pin });
-    return parseSigner(privateKey, supportedDid);
-  }
-  if (handlers.getMnemonic) {
-    const mnemonic = await handlers.getMnemonic({ did, didType, entityRoomId, pin });
-    const result = await signerFromMnemonic(mnemonic, supportedDid);
-    return result.signer;
-  }
-  throw new Error("No signer handler configured (need getPrivateKey or getMnemonic)");
-}
-function getCidFromDelegation(delegation) {
-  return delegation.cid.toString();
-}
-var createUcanService = (config) => {
-  const { delegationStore, invocationStore, handlers, flowOwnerDid } = config;
-  const delegationCache = /* @__PURE__ */ new Map();
-  const isConfigured = () => {
-    const hasSessionHandlers = !!(handlers.createSignerSession && handlers.signWithSession);
-    const hasLegacyHandlers = !!(handlers.getPrivateKey || handlers.getMnemonic);
-    return hasSessionHandlers || hasLegacyHandlers;
-  };
-  const parseDelegationFromStore = async (cid) => {
-    if (delegationCache.has(cid)) {
-      return delegationCache.get(cid);
-    }
-    const stored = delegationStore.get(cid);
-    if (!stored || !stored.delegation) {
-      return null;
-    }
-    try {
-      const delegation = await parseDelegation(stored.delegation);
-      delegationCache.set(cid, delegation);
-      return delegation;
-    } catch {
-      return null;
-    }
-  };
-  const getProofDelegations = async (proofCids) => {
-    const proofs = [];
-    for (const cid of proofCids) {
-      const delegation = await parseDelegationFromStore(cid);
-      if (delegation) {
-        proofs.push(delegation);
-      }
-    }
-    return proofs;
-  };
-  const createRootDelegation = async (params) => {
-    const { flowOwnerDid: ownerDid, issuerType, entityRoomId, flowUri: uri, pin } = params;
-    const signer = await getSigner(handlers, ownerDid, issuerType, entityRoomId, pin);
-    const capabilities = [{ can: "flow/*", with: uri }];
-    const delegation = await ucanCreateDelegation({
-      issuer: signer,
-      audience: ownerDid,
-      capabilities,
-      proofs: []
-    });
-    const serialized = await serializeDelegation(delegation);
-    const cid = getCidFromDelegation(delegation);
-    const storedDelegation = {
-      cid,
-      delegation: serialized,
-      issuerDid: ownerDid,
-      audienceDid: ownerDid,
-      capabilities,
-      createdAt: Date.now(),
-      format: "car",
-      proofCids: []
-    };
-    delegationStore.set(storedDelegation);
-    delegationStore.setRootCid(cid);
-    delegationCache.set(cid, delegation);
-    return storedDelegation;
-  };
-  const createDelegation = async (params) => {
-    const { issuerDid, issuerType, entityRoomId, audience, capabilities, proofs = [], expiration, pin } = params;
-    const signer = await getSigner(handlers, issuerDid, issuerType, entityRoomId, pin);
-    const proofCids = proofs.length > 0 ? proofs : [delegationStore.getRootCid()].filter(Boolean);
-    const proofDelegations = await getProofDelegations(proofCids);
-    const delegation = await ucanCreateDelegation({
-      issuer: signer,
-      audience,
-      capabilities: toUcantoCapabilities(capabilities),
-      proofs: proofDelegations,
-      expiration: expiration ? Math.floor(expiration / 1e3) : void 0
-    });
-    const serialized = await serializeDelegation(delegation);
-    const cid = getCidFromDelegation(delegation);
-    const storedDelegation = {
-      cid,
-      delegation: serialized,
-      issuerDid,
-      audienceDid: audience,
-      capabilities,
-      expiration,
-      createdAt: Date.now(),
-      format: "car",
-      proofCids
-    };
-    delegationStore.set(storedDelegation);
-    delegationCache.set(cid, delegation);
-    return storedDelegation;
-  };
-  const revokeDelegation = (cid) => {
-    delegationStore.remove(cid);
-    delegationCache.delete(cid);
-  };
-  const getDelegation = (cid) => {
-    return delegationStore.get(cid);
-  };
-  const getAllDelegations = () => {
-    return delegationStore.getAll();
-  };
-  const getRootDelegation = () => {
-    return delegationStore.getRoot();
-  };
-  const findValidProofs = async (audienceDid, capability) => {
-    const delegations = delegationStore.getByAudience(audienceDid);
-    if (delegations.length === 0) {
-      const root = delegationStore.getRoot();
-      if (root && root.audienceDid === audienceDid) {
-        return { found: true, proofCids: [root.cid] };
-      }
-      return { found: false, error: "No delegations found for actor" };
-    }
-    for (const delegation of delegations) {
-      const covers = delegation.capabilities.some((c) => {
-        if (c.can === capability.can && c.with === capability.with) return true;
-        if (c.can === "*" || c.can === "flow/*") return true;
-        if (c.can.endsWith("/*")) {
-          const prefix = c.can.slice(0, -1);
-          if (capability.can.startsWith(prefix)) return true;
-        }
-        if (c.with === "*") return true;
-        if (c.with.endsWith("*")) {
-          const prefix = c.with.slice(0, -1);
-          if (capability.with.startsWith(prefix)) return true;
-        }
-        return false;
-      });
-      if (covers) {
-        if (delegation.expiration && delegation.expiration < Date.now()) {
-          continue;
-        }
-        const proofCids = [delegation.cid, ...delegation.proofCids];
-        return { found: true, proofCids };
-      }
-    }
-    return { found: false, error: "No valid delegation found for capability" };
-  };
-  const validateDelegationChain = async (audienceDid, capability) => {
-    const proofsResult = await findValidProofs(audienceDid, capability);
-    if (!proofsResult.found || !proofsResult.proofCids) {
-      return { valid: false, error: proofsResult.error };
-    }
-    const proofChain = [];
-    for (const cid of proofsResult.proofCids) {
-      const delegation = delegationStore.get(cid);
-      if (!delegation) {
-        return { valid: false, error: `Proof delegation ${cid} not found` };
-      }
-      proofChain.push(delegation);
-    }
-    for (let i = 0; i < proofChain.length - 1; i++) {
-      const current = proofChain[i];
-      const parent = proofChain[i + 1];
-      if (parent.audienceDid !== current.issuerDid) {
-        return {
-          valid: false,
-          error: `Chain broken: ${parent.cid} audience (${parent.audienceDid}) != ${current.cid} issuer (${current.issuerDid})`
-        };
-      }
-    }
-    const root = proofChain[proofChain.length - 1];
-    if (root.issuerDid !== flowOwnerDid) {
-      return { valid: false, error: `Root issuer ${root.issuerDid} is not flow owner ${flowOwnerDid}` };
-    }
-    return { valid: true, proofChain };
-  };
-  const createAndValidateInvocation = async (params, _flowId, _blockId) => {
-    const { invokerDid, invokerType, entityRoomId, capability, proofs, pin } = params;
-    const validation = await validateDelegationChain(invokerDid, capability);
-    if (!validation.valid) {
-      return {
-        cid: "",
-        invocation: "",
-        valid: false,
-        error: validation.error
-      };
+    if (!upstreamState.lastInvocationCid) {
+      return { active: false, reason: "Upstream execution has no invocation proof." };
     }
-    const signer = await getSigner(handlers, invokerDid, invokerType, entityRoomId, pin);
-    const proofDelegations = await getProofDelegations(proofs);
-    const ucantoCapability = {
-      can: capability.can,
-      with: capability.with,
-      ...capability.nb && { nb: capability.nb }
+  }
+  return { active: true };
+};
+
+// src/core/lib/flowEngine/versionManifest.ts
+var VERSION_MANIFEST = {
+  "0.3": {
+    version: "0.3",
+    label: "Legacy",
+    ucanRequired: false,
+    delegationRootRequired: false,
+    whitelistOnlyAllowed: true,
+    unrestrictedAllowed: true,
+    executionPath: "legacy",
+    authorizationFn: "v1",
+    allowedAuthModes: ["anyone", "actors", "capability"],
+    ui: {
+      showDelegationPanel: false,
+      showWhitelistConfig: true,
+      showAnyoneConfig: true,
+      showMigrationBanner: true,
+      requirePinForExecution: false
+    },
+    description: "Legacy version. UCAN optional, whitelist-only authorization accepted."
+  },
+  "1.0.0": {
+    version: "1.0.0",
+    label: "UCAN Required",
+    ucanRequired: true,
+    delegationRootRequired: true,
+    whitelistOnlyAllowed: false,
+    unrestrictedAllowed: false,
+    executionPath: "invocation",
+    authorizationFn: "v2",
+    allowedAuthModes: ["capability"],
+    ui: {
+      showDelegationPanel: true,
+      showWhitelistConfig: false,
+      showAnyoneConfig: false,
+      showMigrationBanner: false,
+      requirePinForExecution: true
+    },
+    description: "UCAN-enforced. Every block execution requires a valid delegation chain."
+  }
+};
+var LATEST_VERSION = "1.0.0";
+function getVersionPolicy(version) {
+  const policy = VERSION_MANIFEST[version];
+  if (!policy) {
+    return VERSION_MANIFEST[LATEST_VERSION];
+  }
+  return policy;
+}
+
+// src/core/lib/flowEngine/authorization.ts
+var isAuthorized = async (blockId, actorDid, ucanService, flowUri, schemaVersion) => {
+  const policy = schemaVersion ? getVersionPolicy(schemaVersion) : null;
+  if (policy && !policy.ucanRequired) {
+    return { authorized: true };
+  }
+  if (!ucanService) {
+    if (!policy) {
+      return { authorized: true };
+    }
+    return {
+      authorized: false,
+      reason: "UCAN service is not configured. This flow version requires UCAN authorization."
     };
-    const invocation = await ucanCreateInvocation({
-      issuer: signer,
-      audience: flowOwnerDid,
-      capability: ucantoCapability,
-      proofs: proofDelegations
-    });
-    const serialized = await serializeInvocation(invocation);
-    const built = await invocation.buildIPLDView();
-    const cid = built.cid.toString();
+  }
+  const capability = {
+    can: "flow/block/execute",
+    with: `${flowUri}:${blockId}`
+  };
+  const result = await ucanService.validateDelegationChain(actorDid, capability);
+  if (!result.valid) {
     return {
-      cid,
-      invocation: serialized,
-      valid: true
+      authorized: false,
+      reason: result.error || "No valid capability chain found"
     };
+  }
+  const proofCids = result.proofChain?.map((d) => d.cid) || [];
+  return {
+    authorized: true,
+    capabilityId: proofCids[0],
+    proofCids
   };
-  const executeWithInvocation = async (params, action, flowId, blockId) => {
-    const invocationResult = await createAndValidateInvocation(params, flowId, blockId);
-    if (!invocationResult.valid) {
-      return {
-        success: false,
-        invocationCid: invocationResult.cid,
-        error: invocationResult.error
-      };
+};
+
+// src/core/lib/flowEngine/executor.ts
+var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, invocationCid, now) => {
+  const updates = {
+    submittedByDid: actionResult.submittedByDid || actorDid,
+    evaluationStatus: actionResult.evaluationStatus || "pending",
+    executionTimestamp: now ? now() : Date.now(),
+    lastInvocationCid: invocationCid
+  };
+  if (actionResult.claimId) {
+    updates.claimId = actionResult.claimId;
+  }
+  runtime.update(node.id, updates);
+};
+var executeNode = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
+  const { runtime, ucanService, invocationStore, flowUri, flowId, schemaVersion, now } = context;
+  const activation = isNodeActive(node, runtime);
+  if (!activation.active) {
+    return { success: false, stage: "activation", error: activation.reason };
+  }
+  const auth = await isAuthorized(node.id, actorDid, ucanService, flowUri, schemaVersion);
+  if (!auth.authorized) {
+    return { success: false, stage: "authorization", error: auth.reason };
+  }
+  if (node.linkedClaim && !node.linkedClaim.collectionId) {
+    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
+  }
+  let invocationCid;
+  let invocationData;
+  if (ucanService && auth.proofCids && auth.proofCids.length > 0) {
+    const capability = {
+      can: "flow/block/execute",
+      with: `${flowUri}:${node.id}`
+    };
+    try {
+      const invocationResult = await ucanService.createAndValidateInvocation(
+        {
+          invokerDid: actorDid,
+          invokerType: actorType,
+          entityRoomId,
+          capability,
+          proofs: auth.proofCids,
+          pin
+        },
+        flowId,
+        node.id
+      );
+      if (!invocationResult.valid) {
+        return {
+          success: false,
+          stage: "authorization",
+          error: `Invocation validation failed: ${invocationResult.error}`
+        };
+      }
+      invocationCid = invocationResult.cid;
+      invocationData = invocationResult.invocation;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Failed to create invocation";
+      return { success: false, stage: "authorization", error: message };
     }
-    if (invocationStore.hasBeenInvoked(invocationResult.cid)) {
+  }
+  try {
+    const result = await action();
+    if (node.linkedClaim && !result.claimId) {
+      if (invocationStore && invocationCid && invocationData) {
+        const storedInvocation = {
+          cid: invocationCid,
+          invocation: invocationData,
+          invokerDid: actorDid,
+          capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+          executedAt: now ? now() : Date.now(),
+          flowId,
+          blockId: node.id,
+          result: "failure",
+          error: "Execution did not return a claimId for linked claim requirement.",
+          proofCids: auth.proofCids || []
+        };
+        invocationStore.add(storedInvocation);
+      }
       return {
         success: false,
-        invocationCid: invocationResult.cid,
-        error: "Invocation has already been used (replay attack prevented)"
+        stage: "claim",
+        error: "Execution did not return a claimId for linked claim requirement.",
+        invocationCid
       };
     }
-    try {
-      const actionResult = await action();
+    if (invocationStore && invocationCid && invocationData) {
       const storedInvocation = {
-        cid: invocationResult.cid,
-        invocation: invocationResult.invocation,
-        invokerDid: params.invokerDid,
-        capability: params.capability,
-        executedAt: Date.now(),
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
         flowId,
-        blockId,
+        blockId: node.id,
         result: "success",
-        proofCids: params.proofs
+        proofCids: auth.proofCids || [],
+        claimId: result.claimId
       };
       invocationStore.add(storedInvocation);
-      return {
-        success: true,
-        invocationCid: invocationResult.cid,
-        result: actionResult,
-        actionResult
-      };
-    } catch (error) {
+    }
+    updateRuntimeAfterSuccess(node, actorDid, runtime, result, invocationCid || auth.capabilityId, now);
+    return {
+      success: true,
+      stage: "complete",
+      result,
+      capabilityId: auth.capabilityId,
+      invocationCid
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Execution failed";
+    if (invocationStore && invocationCid && invocationData) {
       const storedInvocation = {
-        cid: invocationResult.cid,
-        invocation: invocationResult.invocation,
-        invokerDid: params.invokerDid,
-        capability: params.capability,
-        executedAt: Date.now(),
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
         flowId,
-        blockId,
+        blockId: node.id,
         result: "failure",
-        error: error instanceof Error ? error.message : "Unknown error",
-        proofCids: params.proofs
+        error: message,
+        proofCids: auth.proofCids || []
       };
       invocationStore.add(storedInvocation);
-      return {
-        success: false,
-        invocationCid: invocationResult.cid,
-        error: error instanceof Error ? error.message : "Unknown error"
-      };
     }
-  };
-  return {
-    createRootDelegation,
-    createDelegation,
-    revokeDelegation,
-    getDelegation,
-    getAllDelegations,
-    getRootDelegation,
-    createAndValidateInvocation,
-    executeWithInvocation,
-    validateDelegationChain,
-    findValidProofs,
-    parseDelegationFromStore,
-    isConfigured
-  };
+    return { success: false, stage: "action", error: message, invocationCid };
+  }
+};
+
+// src/core/lib/flowEngine/migration.ts
+var MIGRATION_REGISTRY = {};
+function registerMigration(definition) {
+  const key = `${definition.from}->${definition.to}`;
+  MIGRATION_REGISTRY[key] = definition;
+}
+
+// src/core/lib/flowEngine/migrations/v0_3_to_v1_0_0.ts
+var NON_EXECUTABLE_BLOCK_TYPES = /* @__PURE__ */ new Set(["paragraph", "heading", "bulletListItem", "numberedListItem", "image", "table"]);
+function hasDelegationForBlock(ctx, blockId) {
+  const delegations = ctx.ucanService.getAllDelegations();
+  const resourceUri = `${ctx.flowUri}:${blockId}`;
+  return delegations.some((d) => d.capabilities.some((c) => c.can === "flow/block/execute" && c.with === resourceUri));
+}
+var migration_0_3_to_1_0_0 = {
+  from: "0.3",
+  to: "1.0.0",
+  preconditions: [
+    {
+      id: "has_flow_owner",
+      description: "Flow must have a flowOwnerDid set",
+      check: (ctx) => {
+        const ownerDid = ctx.editor.getFlowOwnerDid?.() || ctx.flowOwnerDid;
+        return !!ownerDid;
+      },
+      blocking: true
+    },
+    {
+      id: "is_owner",
+      description: "Only the flow owner can initiate migration",
+      check: (ctx) => {
+        const ownerDid = ctx.editor.getFlowOwnerDid?.() || ctx.flowOwnerDid;
+        return ctx.actorDid === ownerDid;
+      },
+      blocking: true
+    },
+    {
+      id: "ucan_service_available",
+      description: "UCAN service must be configured",
+      check: (ctx) => {
+        return !!ctx.ucanService && ctx.ucanService.isConfigured();
+      },
+      blocking: true
+    }
+  ],
+  async analyze(ctx) {
+    const items = [];
+    const blocks = ctx.editor.document;
+    const rootDelegation = ctx.ucanService.getRootDelegation();
+    if (!rootDelegation) {
+      items.push({
+        id: "__root_delegation__",
+        nodeId: "",
+        type: "create_root_delegation",
+        status: "pending",
+        requiresUserAction: true,
+        description: "Create root delegation for flow owner"
+      });
+    }
+    if (blocks) {
+      for (const block of blocks) {
+        if (NON_EXECUTABLE_BLOCK_TYPES.has(block.type)) continue;
+        if (!hasDelegationForBlock(ctx, block.id)) {
+          items.push({
+            id: `node_delegation_${block.id}`,
+            nodeId: block.id,
+            type: "create_node_delegation",
+            status: "pending",
+            requiresUserAction: true,
+            description: `Create delegation for block "${block.type}" (${block.id})`
+          });
+        }
+      }
+    }
+    return items;
+  },
+  async executeItem(ctx, item) {
+    try {
+      switch (item.type) {
+        case "create_root_delegation": {
+          await ctx.ucanService.createRootDelegation({
+            flowOwnerDid: ctx.flowOwnerDid,
+            issuerType: ctx.actorType,
+            entityRoomId: ctx.entityRoomId,
+            flowUri: ctx.flowUri,
+            pin: ctx.pin
+          });
+          return { success: true };
+        }
+        case "create_node_delegation":
+        case "backfill_capability": {
+          const capability = {
+            can: "flow/block/execute",
+            with: `${ctx.flowUri}:${item.nodeId}`
+          };
+          await ctx.ucanService.createDelegation({
+            issuerDid: ctx.flowOwnerDid,
+            issuerType: ctx.actorType,
+            entityRoomId: ctx.entityRoomId,
+            audience: ctx.flowOwnerDid,
+            // Owner delegates to self initially; actors get sub-delegations
+            capabilities: [capability],
+            pin: ctx.pin
+          });
+          return { success: true };
+        }
+        default:
+          return { success: false, error: `Unknown work item type: ${item.type}` };
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return { success: false, error: message };
+    }
+  },
+  async postValidate(ctx) {
+    const errors = [];
+    const blocks = ctx.editor.document;
+    const rootDelegation = ctx.ucanService.getRootDelegation();
+    if (!rootDelegation) {
+      errors.push("Root delegation is missing after migration");
+    }
+    if (blocks) {
+      for (const block of blocks) {
+        if (NON_EXECUTABLE_BLOCK_TYPES.has(block.type)) continue;
+        const requiredCapability = {
+          can: "flow/block/execute",
+          with: `${ctx.flowUri}:${block.id}`
+        };
+        const validation = await ctx.ucanService.validateDelegationChain(ctx.flowOwnerDid, requiredCapability);
+        if (!validation.valid) {
+          errors.push(`Block "${block.type}" (${block.id}): delegation chain invalid \u2014 ${validation.error || "unknown error"}`);
+        }
+      }
+    }
+    return { valid: errors.length === 0, errors };
+  },
+  finalize(ctx) {
+    const root = ctx.editor._yRoot;
+    if (!root) {
+      throw new Error("Cannot finalize: editor _yRoot not available");
+    }
+    root.set("schema_version", "1.0.0");
+    root.set("@context", "https://ixo.world/flow/1.0");
+  }
 };
+registerMigration(migration_0_3_to_1_0_0);
 
 export {
   resolveActionType,
@@ -2832,17 +3042,18 @@ export {
   didToMatrixUserId,
   findOrCreateDMRoom,
   sendDirectMessage,
+  createUcanService,
   createUcanDelegationStore,
   createMemoryUcanDelegationStore,
   createInvocationStore,
   createMemoryInvocationStore,
+  LATEST_VERSION,
   buildAuthzFromProps,
   buildFlowNodeFromBlock,
   createRuntimeStateManager,
   clearRuntimeForTemplateClone,
   isNodeActive,
   isAuthorized,
-  executeNode,
-  createUcanService
+  executeNode
 };
-//# sourceMappingURL=chunk-5D26UG3I.mjs.map
+//# sourceMappingURL=chunk-F2JSGDES.mjs.map