@ixo/editor 3.2.0 → 3.2.1

package/dist/{chunk-3EZI42YS.mjs → chunk-F2JSGDES.mjs}

@@ -1904,97 +1904,408 @@ registerDiffResolver("evaluateClaim", {
   }
 });
 
-// src/core/lib/ucanDelegationStore.ts
-var ROOT_DELEGATION_KEY = "__root__";
-var STORE_VERSION_KEY = "__version__";
-var CURRENT_VERSION = 2;
-var isValidEntry = (value) => {
-  if (!value || typeof value !== "object") return false;
-  const entry = value;
-  return entry.v === CURRENT_VERSION && entry.data !== void 0;
-};
-var isReservedKey = (key) => key === ROOT_DELEGATION_KEY || key === STORE_VERSION_KEY;
-var createUcanDelegationStore = (yMap) => {
-  const get = (cid) => {
-    if (isReservedKey(cid)) return null;
-    const raw = yMap.get(cid);
-    if (!raw) return null;
-    if (isValidEntry(raw)) return raw.data;
-    return null;
-  };
-  const set = (delegation) => {
-    const entry = { v: CURRENT_VERSION, data: delegation };
-    yMap.set(delegation.cid, entry);
+// src/core/services/ucanService.ts
+import {
+  createDelegation as ucanCreateDelegation,
+  createInvocation as ucanCreateInvocation,
+  serializeDelegation,
+  serializeInvocation,
+  parseDelegation,
+  parseSigner,
+  signerFromMnemonic
+} from "@ixo/ucan";
+function toSupportedDID(did) {
+  if (did.startsWith("did:ixo:") || did.startsWith("did:key:")) {
+    return did;
+  }
+  return void 0;
+}
+function toUcantoCapabilities(capabilities) {
+  return capabilities.map((cap) => ({
+    can: cap.can,
+    with: cap.with,
+    ...cap.nb && { nb: cap.nb }
+  }));
+}
+async function getSigner(handlers, did, didType, entityRoomId, pin) {
+  const supportedDid = toSupportedDID(did);
+  if (handlers.getPrivateKey) {
+    const privateKey = await handlers.getPrivateKey({ did, didType, entityRoomId, pin });
+    return parseSigner(privateKey, supportedDid);
+  }
+  if (handlers.getMnemonic) {
+    const mnemonic = await handlers.getMnemonic({ did, didType, entityRoomId, pin });
+    const result = await signerFromMnemonic(mnemonic, supportedDid);
+    return result.signer;
+  }
+  throw new Error("No signer handler configured (need getPrivateKey or getMnemonic)");
+}
+function getCidFromDelegation(delegation) {
+  return delegation.cid.toString();
+}
+var createUcanService = (config) => {
+  const { delegationStore, invocationStore, handlers, flowOwnerDid } = config;
+  const delegationCache = /* @__PURE__ */ new Map();
+  const isConfigured = () => {
+    const hasSessionHandlers = !!(handlers.createSignerSession && handlers.signWithSession);
+    const hasLegacyHandlers = !!(handlers.getPrivateKey || handlers.getMnemonic);
+    return hasSessionHandlers || hasLegacyHandlers;
   };
-  const remove = (cid) => {
-    yMap.delete(cid);
+  const parseDelegationFromStore = async (cid) => {
+    if (delegationCache.has(cid)) {
+      return delegationCache.get(cid);
+    }
+    const stored = delegationStore.get(cid);
+    if (!stored || !stored.delegation) {
+      return null;
+    }
+    try {
+      const delegation = await parseDelegation(stored.delegation);
+      delegationCache.set(cid, delegation);
+      return delegation;
+    } catch {
+      return null;
+    }
   };
-  const has = (cid) => {
-    return yMap.has(cid) && !isReservedKey(cid);
+  const getProofDelegations = async (proofCids) => {
+    const proofs = [];
+    for (const cid of proofCids) {
+      const delegation = await parseDelegationFromStore(cid);
+      if (delegation) {
+        proofs.push(delegation);
+      }
+    }
+    return proofs;
   };
-  const getRoot = () => {
-    const rootCid = yMap.get(ROOT_DELEGATION_KEY);
-    if (!rootCid) return null;
-    return get(rootCid);
+  const createRootDelegation = async (params) => {
+    const { flowOwnerDid: ownerDid, issuerType, entityRoomId, flowUri: uri, pin } = params;
+    const signer = await getSigner(handlers, ownerDid, issuerType, entityRoomId, pin);
+    const capabilities = [{ can: "flow/*", with: uri }];
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience: ownerDid,
+      capabilities,
+      proofs: []
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid: ownerDid,
+      audienceDid: ownerDid,
+      capabilities,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids: []
+    };
+    delegationStore.set(storedDelegation);
+    delegationStore.setRootCid(cid);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
   };
-  const setRootCid = (cid) => {
-    yMap.set(ROOT_DELEGATION_KEY, cid);
+  const createDelegation = async (params) => {
+    const { issuerDid, issuerType, entityRoomId, audience, capabilities, proofs = [], expiration, pin } = params;
+    const signer = await getSigner(handlers, issuerDid, issuerType, entityRoomId, pin);
+    const proofCids = proofs.length > 0 ? proofs : [delegationStore.getRootCid()].filter(Boolean);
+    const proofDelegations = await getProofDelegations(proofCids);
+    const delegation = await ucanCreateDelegation({
+      issuer: signer,
+      audience,
+      capabilities: toUcantoCapabilities(capabilities),
+      proofs: proofDelegations,
+      expiration: expiration ? Math.floor(expiration / 1e3) : void 0
+    });
+    const serialized = await serializeDelegation(delegation);
+    const cid = getCidFromDelegation(delegation);
+    const storedDelegation = {
+      cid,
+      delegation: serialized,
+      issuerDid,
+      audienceDid: audience,
+      capabilities,
+      expiration,
+      createdAt: Date.now(),
+      format: "car",
+      proofCids
+    };
+    delegationStore.set(storedDelegation);
+    delegationCache.set(cid, delegation);
+    return storedDelegation;
   };
-  const getRootCid = () => {
-    return yMap.get(ROOT_DELEGATION_KEY) || null;
+  const revokeDelegation = (cid) => {
+    delegationStore.remove(cid);
+    delegationCache.delete(cid);
   };
-  const getAll = () => {
-    const delegations = [];
-    yMap.forEach((value, key) => {
-      if (isReservedKey(key)) return;
-      if (isValidEntry(value)) {
-        delegations.push(value.data);
-      }
-    });
-    return delegations;
+  const getDelegation = (cid) => {
+    return delegationStore.get(cid);
   };
-  const getByAudience = (audienceDid) => {
-    return getAll().filter((d) => d.audienceDid === audienceDid);
+  const getAllDelegations = () => {
+    return delegationStore.getAll();
   };
-  const getByIssuer = (issuerDid) => {
-    return getAll().filter((d) => d.issuerDid === issuerDid);
+  const getRootDelegation = () => {
+    return delegationStore.getRoot();
   };
-  const findByCapability = (can, withUri) => {
-    return getAll().filter(
-      (d) => d.capabilities.some((c) => {
-        if (c.can === can && c.with === withUri) return true;
+  const findValidProofs = async (audienceDid, capability) => {
+    const delegations = delegationStore.getByAudience(audienceDid);
+    if (delegations.length === 0) {
+      const root = delegationStore.getRoot();
+      if (root && root.audienceDid === audienceDid) {
+        return { found: true, proofCids: [root.cid] };
+      }
+      return { found: false, error: "No delegations found for actor" };
+    }
+    for (const delegation of delegations) {
+      const covers = delegation.capabilities.some((c) => {
+        if (c.can === capability.can && c.with === capability.with) return true;
         if (c.can === "*" || c.can === "flow/*") return true;
         if (c.can.endsWith("/*")) {
           const prefix = c.can.slice(0, -1);
-          if (can.startsWith(prefix)) return true;
+          if (capability.can.startsWith(prefix)) return true;
         }
         if (c.with === "*") return true;
         if (c.with.endsWith("*")) {
           const prefix = c.with.slice(0, -1);
-          if (withUri.startsWith(prefix)) return true;
+          if (capability.with.startsWith(prefix)) return true;
         }
         return false;
-      })
-    );
+      });
+      if (covers) {
+        if (delegation.expiration && delegation.expiration < Date.now()) {
+          continue;
+        }
+        const proofCids = [delegation.cid, ...delegation.proofCids];
+        return { found: true, proofCids };
+      }
+    }
+    return { found: false, error: "No valid delegation found for capability" };
   };
-  return {
-    get,
-    set,
-    remove,
-    has,
-    getRoot,
-    setRootCid,
-    getRootCid,
-    getAll,
-    getByAudience,
-    getByIssuer,
-    findByCapability
+  const validateDelegationChain = async (audienceDid, capability) => {
+    const proofsResult = await findValidProofs(audienceDid, capability);
+    if (!proofsResult.found || !proofsResult.proofCids) {
+      return { valid: false, error: proofsResult.error };
+    }
+    const proofChain = [];
+    for (const cid of proofsResult.proofCids) {
+      const delegation = delegationStore.get(cid);
+      if (!delegation) {
+        return { valid: false, error: `Proof delegation ${cid} not found` };
+      }
+      proofChain.push(delegation);
+    }
+    for (let i = 0; i < proofChain.length - 1; i++) {
+      const current = proofChain[i];
+      const parent = proofChain[i + 1];
+      if (parent.audienceDid !== current.issuerDid) {
+        return {
+          valid: false,
+          error: `Chain broken: ${parent.cid} audience (${parent.audienceDid}) != ${current.cid} issuer (${current.issuerDid})`
+        };
+      }
+    }
+    const root = proofChain[proofChain.length - 1];
+    if (root.issuerDid !== flowOwnerDid) {
+      return { valid: false, error: `Root issuer ${root.issuerDid} is not flow owner ${flowOwnerDid}` };
+    }
+    return { valid: true, proofChain };
   };
-};
-var createMemoryUcanDelegationStore = () => {
-  const store = /* @__PURE__ */ new Map();
-  const get = (cid) => {
-    if (isReservedKey(cid)) return null;
+  const createAndValidateInvocation = async (params, _flowId, _blockId) => {
+    const { invokerDid, invokerType, entityRoomId, capability, proofs, pin } = params;
+    const validation = await validateDelegationChain(invokerDid, capability);
+    if (!validation.valid) {
+      return {
+        cid: "",
+        invocation: "",
+        valid: false,
+        error: validation.error
+      };
+    }
+    const signer = await getSigner(handlers, invokerDid, invokerType, entityRoomId, pin);
+    const proofDelegations = await getProofDelegations(proofs);
+    const ucantoCapability = {
+      can: capability.can,
+      with: capability.with,
+      ...capability.nb && { nb: capability.nb }
+    };
+    const invocation = await ucanCreateInvocation({
+      issuer: signer,
+      audience: flowOwnerDid,
+      capability: ucantoCapability,
+      proofs: proofDelegations
+    });
+    const serialized = await serializeInvocation(invocation);
+    const built = await invocation.buildIPLDView();
+    const cid = built.cid.toString();
+    return {
+      cid,
+      invocation: serialized,
+      valid: true
+    };
+  };
+  const executeWithInvocation = async (params, action, flowId, blockId) => {
+    const invocationResult = await createAndValidateInvocation(params, flowId, blockId);
+    if (!invocationResult.valid) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: invocationResult.error
+      };
+    }
+    if (invocationStore.hasBeenInvoked(invocationResult.cid)) {
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: "Invocation has already been used (replay attack prevented)"
+      };
+    }
+    try {
+      const actionResult = await action();
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "success",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: true,
+        invocationCid: invocationResult.cid,
+        result: actionResult,
+        actionResult
+      };
+    } catch (error) {
+      const storedInvocation = {
+        cid: invocationResult.cid,
+        invocation: invocationResult.invocation,
+        invokerDid: params.invokerDid,
+        capability: params.capability,
+        executedAt: Date.now(),
+        flowId,
+        blockId,
+        result: "failure",
+        error: error instanceof Error ? error.message : "Unknown error",
+        proofCids: params.proofs
+      };
+      invocationStore.add(storedInvocation);
+      return {
+        success: false,
+        invocationCid: invocationResult.cid,
+        error: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  };
+  return {
+    createRootDelegation,
+    createDelegation,
+    revokeDelegation,
+    getDelegation,
+    getAllDelegations,
+    getRootDelegation,
+    createAndValidateInvocation,
+    executeWithInvocation,
+    validateDelegationChain,
+    findValidProofs,
+    parseDelegationFromStore,
+    isConfigured
+  };
+};
+
+// src/core/lib/ucanDelegationStore.ts
+var ROOT_DELEGATION_KEY = "__root__";
+var STORE_VERSION_KEY = "__version__";
+var CURRENT_VERSION = 2;
+var isValidEntry = (value) => {
+  if (!value || typeof value !== "object") return false;
+  const entry = value;
+  return entry.v === CURRENT_VERSION && entry.data !== void 0;
+};
+var isReservedKey = (key) => key === ROOT_DELEGATION_KEY || key === STORE_VERSION_KEY;
+var createUcanDelegationStore = (yMap) => {
+  const get = (cid) => {
+    if (isReservedKey(cid)) return null;
+    const raw = yMap.get(cid);
+    if (!raw) return null;
+    if (isValidEntry(raw)) return raw.data;
+    return null;
+  };
+  const set = (delegation) => {
+    const entry = { v: CURRENT_VERSION, data: delegation };
+    yMap.set(delegation.cid, entry);
+  };
+  const remove = (cid) => {
+    yMap.delete(cid);
+  };
+  const has = (cid) => {
+    return yMap.has(cid) && !isReservedKey(cid);
+  };
+  const getRoot = () => {
+    const rootCid = yMap.get(ROOT_DELEGATION_KEY);
+    if (!rootCid) return null;
+    return get(rootCid);
+  };
+  const setRootCid = (cid) => {
+    yMap.set(ROOT_DELEGATION_KEY, cid);
+  };
+  const getRootCid = () => {
+    return yMap.get(ROOT_DELEGATION_KEY) || null;
+  };
+  const getAll = () => {
+    const delegations = [];
+    yMap.forEach((value, key) => {
+      if (isReservedKey(key)) return;
+      if (isValidEntry(value)) {
+        delegations.push(value.data);
+      }
+    });
+    return delegations;
+  };
+  const getByAudience = (audienceDid) => {
+    return getAll().filter((d) => d.audienceDid === audienceDid);
+  };
+  const getByIssuer = (issuerDid) => {
+    return getAll().filter((d) => d.issuerDid === issuerDid);
+  };
+  const findByCapability = (can, withUri) => {
+    return getAll().filter(
+      (d) => d.capabilities.some((c) => {
+        if (c.can === can && c.with === withUri) return true;
+        if (c.can === "*" || c.can === "flow/*") return true;
+        if (c.can.endsWith("/*")) {
+          const prefix = c.can.slice(0, -1);
+          if (can.startsWith(prefix)) return true;
+        }
+        if (c.with === "*") return true;
+        if (c.with.endsWith("*")) {
+          const prefix = c.with.slice(0, -1);
+          if (withUri.startsWith(prefix)) return true;
+        }
+        return false;
+      })
+    );
+  };
+  return {
+    get,
+    set,
+    remove,
+    has,
+    getRoot,
+    setRootCid,
+    getRootCid,
+    getAll,
+    getByAudience,
+    getByIssuer,
+    findByCapability
+  };
+};
+var createMemoryUcanDelegationStore = () => {
+  const store = /* @__PURE__ */ new Map();
+  const get = (cid) => {
+    if (isReservedKey(cid)) return null;
     const raw = store.get(cid);
     if (!raw) return null;
     if (isValidEntry(raw)) return raw.data;
@@ -2346,523 +2657,219 @@ var isNodeActive = (node, runtime) => {
     }
   }
   return { active: true };
-};
-
-// src/core/lib/flowEngine/versionManifest.ts
-var VERSION_MANIFEST = {
-  "0.3": {
-    version: "0.3",
-    label: "Legacy",
-    ucanRequired: false,
-    delegationRootRequired: false,
-    whitelistOnlyAllowed: true,
-    unrestrictedAllowed: true,
-    executionPath: "legacy",
-    authorizationFn: "v1",
-    allowedAuthModes: ["anyone", "actors", "capability"],
-    ui: {
-      showDelegationPanel: false,
-      showWhitelistConfig: true,
-      showAnyoneConfig: true,
-      showMigrationBanner: true,
-      requirePinForExecution: false
-    },
-    description: "Legacy version. UCAN optional, whitelist-only authorization accepted."
-  },
-  "1.0.0": {
-    version: "1.0.0",
-    label: "UCAN Required",
-    ucanRequired: true,
-    delegationRootRequired: true,
-    whitelistOnlyAllowed: false,
-    unrestrictedAllowed: false,
-    executionPath: "invocation",
-    authorizationFn: "v2",
-    allowedAuthModes: ["capability"],
-    ui: {
-      showDelegationPanel: true,
-      showWhitelistConfig: false,
-      showAnyoneConfig: false,
-      showMigrationBanner: false,
-      requirePinForExecution: true
-    },
-    description: "UCAN-enforced. Every block execution requires a valid delegation chain."
-  }
-};
-var LATEST_VERSION = "1.0.0";
-function getVersionPolicy(version) {
-  const policy = VERSION_MANIFEST[version];
-  if (!policy) {
-    return VERSION_MANIFEST[LATEST_VERSION];
-  }
-  return policy;
-}
-
-// src/core/lib/flowEngine/authorization.ts
-var isAuthorized = async (blockId, actorDid, ucanService, flowUri, schemaVersion) => {
-  if (schemaVersion) {
-    const policy = getVersionPolicy(schemaVersion);
-    if (!policy.ucanRequired) {
-      return { authorized: true };
-    }
-  }
-  const capability = {
-    can: "flow/block/execute",
-    with: `${flowUri}:${blockId}`
-  };
-  const result = await ucanService.validateDelegationChain(actorDid, capability);
-  if (!result.valid) {
-    return {
-      authorized: false,
-      reason: result.error || "No valid capability chain found"
-    };
-  }
-  const proofCids = result.proofChain?.map((d) => d.cid) || [];
-  return {
-    authorized: true,
-    capabilityId: proofCids[0],
-    proofCids
-  };
-};
-
-// src/core/lib/flowEngine/executor.ts
-var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, invocationCid, now) => {
-  const updates = {
-    submittedByDid: actionResult.submittedByDid || actorDid,
-    evaluationStatus: actionResult.evaluationStatus || "pending",
-    executionTimestamp: now ? now() : Date.now(),
-    lastInvocationCid: invocationCid
-  };
-  if (actionResult.claimId) {
-    updates.claimId = actionResult.claimId;
-  }
-  runtime.update(node.id, updates);
-};
-var executeNode = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
-  const { runtime, ucanService, invocationStore, flowUri, flowId, now } = context;
-  const activation = isNodeActive(node, runtime);
-  if (!activation.active) {
-    return { success: false, stage: "activation", error: activation.reason };
-  }
-  const auth = await isAuthorized(node.id, actorDid, ucanService, flowUri);
-  if (!auth.authorized) {
-    return { success: false, stage: "authorization", error: auth.reason };
-  }
-  if (node.linkedClaim && !node.linkedClaim.collectionId) {
-    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
-  }
-  let invocationCid;
-  let invocationData;
-  if (auth.proofCids && auth.proofCids.length > 0) {
-    const capability = {
-      can: "flow/block/execute",
-      with: `${flowUri}:${node.id}`
-    };
-    try {
-      const invocationResult = await ucanService.createAndValidateInvocation(
-        {
-          invokerDid: actorDid,
-          invokerType: actorType,
-          entityRoomId,
-          capability,
-          proofs: auth.proofCids,
-          pin
-        },
-        flowId,
-        node.id
-      );
-      if (!invocationResult.valid) {
-        return {
-          success: false,
-          stage: "authorization",
-          error: `Invocation validation failed: ${invocationResult.error}`
-        };
-      }
-      invocationCid = invocationResult.cid;
-      invocationData = invocationResult.invocation;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to create invocation";
-      return { success: false, stage: "authorization", error: message };
-    }
-  }
-  try {
-    const result = await action();
-    if (node.linkedClaim && !result.claimId) {
-      if (invocationStore && invocationCid && invocationData) {
-        const storedInvocation = {
-          cid: invocationCid,
-          invocation: invocationData,
-          invokerDid: actorDid,
-          capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-          executedAt: now ? now() : Date.now(),
-          flowId,
-          blockId: node.id,
-          result: "failure",
-          error: "Execution did not return a claimId for linked claim requirement.",
-          proofCids: auth.proofCids || []
-        };
-        invocationStore.add(storedInvocation);
-      }
-      return {
-        success: false,
-        stage: "claim",
-        error: "Execution did not return a claimId for linked claim requirement.",
-        invocationCid
-      };
-    }
-    if (invocationStore && invocationCid && invocationData) {
-      const storedInvocation = {
-        cid: invocationCid,
-        invocation: invocationData,
-        invokerDid: actorDid,
-        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-        executedAt: now ? now() : Date.now(),
-        flowId,
-        blockId: node.id,
-        result: "success",
-        proofCids: auth.proofCids || [],
-        claimId: result.claimId
-      };
-      invocationStore.add(storedInvocation);
-    }
-    updateRuntimeAfterSuccess(node, actorDid, runtime, result, invocationCid || auth.capabilityId, now);
-    return {
-      success: true,
-      stage: "complete",
-      result,
-      capabilityId: auth.capabilityId,
-      invocationCid
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Execution failed";
-    if (invocationStore && invocationCid && invocationData) {
-      const storedInvocation = {
-        cid: invocationCid,
-        invocation: invocationData,
-        invokerDid: actorDid,
-        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
-        executedAt: now ? now() : Date.now(),
-        flowId,
-        blockId: node.id,
-        result: "failure",
-        error: message,
-        proofCids: auth.proofCids || []
-      };
-      invocationStore.add(storedInvocation);
-    }
-    return { success: false, stage: "action", error: message, invocationCid };
-  }
-};
-
-// src/core/services/ucanService.ts
-import {
-  createDelegation as ucanCreateDelegation,
-  createInvocation as ucanCreateInvocation,
-  serializeDelegation,
-  serializeInvocation,
-  parseDelegation,
-  parseSigner,
-  signerFromMnemonic
-} from "@ixo/ucan";
-function toSupportedDID(did) {
-  if (did.startsWith("did:ixo:") || did.startsWith("did:key:")) {
-    return did;
-  }
-  return void 0;
-}
-function toUcantoCapabilities(capabilities) {
-  return capabilities.map((cap) => ({
-    can: cap.can,
-    with: cap.with,
-    ...cap.nb && { nb: cap.nb }
-  }));
-}
-async function getSigner(handlers, did, didType, entityRoomId, pin) {
-  const supportedDid = toSupportedDID(did);
-  if (handlers.getPrivateKey) {
-    const privateKey = await handlers.getPrivateKey({ did, didType, entityRoomId, pin });
-    return parseSigner(privateKey, supportedDid);
-  }
-  if (handlers.getMnemonic) {
-    const mnemonic = await handlers.getMnemonic({ did, didType, entityRoomId, pin });
-    const result = await signerFromMnemonic(mnemonic, supportedDid);
-    return result.signer;
-  }
-  throw new Error("No signer handler configured (need getPrivateKey or getMnemonic)");
-}
-function getCidFromDelegation(delegation) {
-  return delegation.cid.toString();
-}
-var createUcanService = (config) => {
-  const { delegationStore, invocationStore, handlers, flowOwnerDid } = config;
-  const delegationCache = /* @__PURE__ */ new Map();
-  const isConfigured = () => {
-    const hasSessionHandlers = !!(handlers.createSignerSession && handlers.signWithSession);
-    const hasLegacyHandlers = !!(handlers.getPrivateKey || handlers.getMnemonic);
-    return hasSessionHandlers || hasLegacyHandlers;
-  };
-  const parseDelegationFromStore = async (cid) => {
-    if (delegationCache.has(cid)) {
-      return delegationCache.get(cid);
-    }
-    const stored = delegationStore.get(cid);
-    if (!stored || !stored.delegation) {
-      return null;
-    }
-    try {
-      const delegation = await parseDelegation(stored.delegation);
-      delegationCache.set(cid, delegation);
-      return delegation;
-    } catch {
-      return null;
-    }
-  };
-  const getProofDelegations = async (proofCids) => {
-    const proofs = [];
-    for (const cid of proofCids) {
-      const delegation = await parseDelegationFromStore(cid);
-      if (delegation) {
-        proofs.push(delegation);
-      }
-    }
-    return proofs;
-  };
-  const createRootDelegation = async (params) => {
-    const { flowOwnerDid: ownerDid, issuerType, entityRoomId, flowUri: uri, pin } = params;
-    const signer = await getSigner(handlers, ownerDid, issuerType, entityRoomId, pin);
-    const capabilities = [{ can: "flow/*", with: uri }];
-    const delegation = await ucanCreateDelegation({
-      issuer: signer,
-      audience: ownerDid,
-      capabilities,
-      proofs: []
-    });
-    const serialized = await serializeDelegation(delegation);
-    const cid = getCidFromDelegation(delegation);
-    const storedDelegation = {
-      cid,
-      delegation: serialized,
-      issuerDid: ownerDid,
-      audienceDid: ownerDid,
-      capabilities,
-      createdAt: Date.now(),
-      format: "car",
-      proofCids: []
-    };
-    delegationStore.set(storedDelegation);
-    delegationStore.setRootCid(cid);
-    delegationCache.set(cid, delegation);
-    return storedDelegation;
-  };
-  const createDelegation = async (params) => {
-    const { issuerDid, issuerType, entityRoomId, audience, capabilities, proofs = [], expiration, pin } = params;
-    const signer = await getSigner(handlers, issuerDid, issuerType, entityRoomId, pin);
-    const proofCids = proofs.length > 0 ? proofs : [delegationStore.getRootCid()].filter(Boolean);
-    const proofDelegations = await getProofDelegations(proofCids);
-    const delegation = await ucanCreateDelegation({
-      issuer: signer,
-      audience,
-      capabilities: toUcantoCapabilities(capabilities),
-      proofs: proofDelegations,
-      expiration: expiration ? Math.floor(expiration / 1e3) : void 0
-    });
-    const serialized = await serializeDelegation(delegation);
-    const cid = getCidFromDelegation(delegation);
-    const storedDelegation = {
-      cid,
-      delegation: serialized,
-      issuerDid,
-      audienceDid: audience,
-      capabilities,
-      expiration,
-      createdAt: Date.now(),
-      format: "car",
-      proofCids
-    };
-    delegationStore.set(storedDelegation);
-    delegationCache.set(cid, delegation);
-    return storedDelegation;
-  };
-  const revokeDelegation = (cid) => {
-    delegationStore.remove(cid);
-    delegationCache.delete(cid);
-  };
-  const getDelegation = (cid) => {
-    return delegationStore.get(cid);
-  };
-  const getAllDelegations = () => {
-    return delegationStore.getAll();
-  };
-  const getRootDelegation = () => {
-    return delegationStore.getRoot();
-  };
-  const findValidProofs = async (audienceDid, capability) => {
-    const delegations = delegationStore.getByAudience(audienceDid);
-    if (delegations.length === 0) {
-      const root = delegationStore.getRoot();
-      if (root && root.audienceDid === audienceDid) {
-        return { found: true, proofCids: [root.cid] };
-      }
-      return { found: false, error: "No delegations found for actor" };
-    }
-    for (const delegation of delegations) {
-      const covers = delegation.capabilities.some((c) => {
-        if (c.can === capability.can && c.with === capability.with) return true;
-        if (c.can === "*" || c.can === "flow/*") return true;
-        if (c.can.endsWith("/*")) {
-          const prefix = c.can.slice(0, -1);
-          if (capability.can.startsWith(prefix)) return true;
-        }
-        if (c.with === "*") return true;
-        if (c.with.endsWith("*")) {
-          const prefix = c.with.slice(0, -1);
-          if (capability.with.startsWith(prefix)) return true;
-        }
-        return false;
-      });
-      if (covers) {
-        if (delegation.expiration && delegation.expiration < Date.now()) {
-          continue;
-        }
-        const proofCids = [delegation.cid, ...delegation.proofCids];
-        return { found: true, proofCids };
-      }
-    }
-    return { found: false, error: "No valid delegation found for capability" };
-  };
-  const validateDelegationChain = async (audienceDid, capability) => {
-    const proofsResult = await findValidProofs(audienceDid, capability);
-    if (!proofsResult.found || !proofsResult.proofCids) {
-      return { valid: false, error: proofsResult.error };
-    }
-    const proofChain = [];
-    for (const cid of proofsResult.proofCids) {
-      const delegation = delegationStore.get(cid);
-      if (!delegation) {
-        return { valid: false, error: `Proof delegation ${cid} not found` };
-      }
-      proofChain.push(delegation);
-    }
-    for (let i = 0; i < proofChain.length - 1; i++) {
-      const current = proofChain[i];
-      const parent = proofChain[i + 1];
-      if (parent.audienceDid !== current.issuerDid) {
-        return {
-          valid: false,
-          error: `Chain broken: ${parent.cid} audience (${parent.audienceDid}) != ${current.cid} issuer (${current.issuerDid})`
-        };
-      }
-    }
-    const root = proofChain[proofChain.length - 1];
-    if (root.issuerDid !== flowOwnerDid) {
-      return { valid: false, error: `Root issuer ${root.issuerDid} is not flow owner ${flowOwnerDid}` };
-    }
-    return { valid: true, proofChain };
-  };
-  const createAndValidateInvocation = async (params, _flowId, _blockId) => {
-    const { invokerDid, invokerType, entityRoomId, capability, proofs, pin } = params;
-    const validation = await validateDelegationChain(invokerDid, capability);
-    if (!validation.valid) {
-      return {
-        cid: "",
-        invocation: "",
-        valid: false,
-        error: validation.error
-      };
+};
+
+// src/core/lib/flowEngine/versionManifest.ts
+var VERSION_MANIFEST = {
+  "0.3": {
+    version: "0.3",
+    label: "Legacy",
+    ucanRequired: false,
+    delegationRootRequired: false,
+    whitelistOnlyAllowed: true,
+    unrestrictedAllowed: true,
+    executionPath: "legacy",
+    authorizationFn: "v1",
+    allowedAuthModes: ["anyone", "actors", "capability"],
+    ui: {
+      showDelegationPanel: false,
+      showWhitelistConfig: true,
+      showAnyoneConfig: true,
+      showMigrationBanner: true,
+      requirePinForExecution: false
+    },
+    description: "Legacy version. UCAN optional, whitelist-only authorization accepted."
+  },
+  "1.0.0": {
+    version: "1.0.0",
+    label: "UCAN Required",
+    ucanRequired: true,
+    delegationRootRequired: true,
+    whitelistOnlyAllowed: false,
+    unrestrictedAllowed: false,
+    executionPath: "invocation",
+    authorizationFn: "v2",
+    allowedAuthModes: ["capability"],
+    ui: {
+      showDelegationPanel: true,
+      showWhitelistConfig: false,
+      showAnyoneConfig: false,
+      showMigrationBanner: false,
+      requirePinForExecution: true
+    },
+    description: "UCAN-enforced. Every block execution requires a valid delegation chain."
+  }
+};
+var LATEST_VERSION = "1.0.0";
+function getVersionPolicy(version) {
+  const policy = VERSION_MANIFEST[version];
+  if (!policy) {
+    return VERSION_MANIFEST[LATEST_VERSION];
+  }
+  return policy;
+}
+
+// src/core/lib/flowEngine/authorization.ts
+var isAuthorized = async (blockId, actorDid, ucanService, flowUri, schemaVersion) => {
+  const policy = schemaVersion ? getVersionPolicy(schemaVersion) : null;
+  if (policy && !policy.ucanRequired) {
+    return { authorized: true };
+  }
+  if (!ucanService) {
+    if (!policy) {
+      return { authorized: true };
     }
-    const signer = await getSigner(handlers, invokerDid, invokerType, entityRoomId, pin);
-    const proofDelegations = await getProofDelegations(proofs);
-    const ucantoCapability = {
-      can: capability.can,
-      with: capability.with,
-      ...capability.nb && { nb: capability.nb }
+    return {
+      authorized: false,
+      reason: "UCAN service is not configured. This flow version requires UCAN authorization."
     };
-    const invocation = await ucanCreateInvocation({
-      issuer: signer,
-      audience: flowOwnerDid,
-      capability: ucantoCapability,
-      proofs: proofDelegations
-    });
-    const serialized = await serializeInvocation(invocation);
-    const built = await invocation.buildIPLDView();
-    const cid = built.cid.toString();
+  }
+  const capability = {
+    can: "flow/block/execute",
+    with: `${flowUri}:${blockId}`
+  };
+  const result = await ucanService.validateDelegationChain(actorDid, capability);
+  if (!result.valid) {
     return {
-      cid,
-      invocation: serialized,
-      valid: true
+      authorized: false,
+      reason: result.error || "No valid capability chain found"
     };
+  }
+  const proofCids = result.proofChain?.map((d) => d.cid) || [];
+  return {
+    authorized: true,
+    capabilityId: proofCids[0],
+    proofCids
   };
-  const executeWithInvocation = async (params, action, flowId, blockId) => {
-    const invocationResult = await createAndValidateInvocation(params, flowId, blockId);
-    if (!invocationResult.valid) {
-      return {
-        success: false,
-        invocationCid: invocationResult.cid,
-        error: invocationResult.error
-      };
+};
+
+// src/core/lib/flowEngine/executor.ts
+var updateRuntimeAfterSuccess = (node, actorDid, runtime, actionResult, invocationCid, now) => {
+  const updates = {
+    submittedByDid: actionResult.submittedByDid || actorDid,
+    evaluationStatus: actionResult.evaluationStatus || "pending",
+    executionTimestamp: now ? now() : Date.now(),
+    lastInvocationCid: invocationCid
+  };
+  if (actionResult.claimId) {
+    updates.claimId = actionResult.claimId;
+  }
+  runtime.update(node.id, updates);
+};
+var executeNode = async ({ node, actorDid, actorType, entityRoomId, context, action, pin }) => {
+  const { runtime, ucanService, invocationStore, flowUri, flowId, schemaVersion, now } = context;
+  const activation = isNodeActive(node, runtime);
+  if (!activation.active) {
+    return { success: false, stage: "activation", error: activation.reason };
+  }
+  const auth = await isAuthorized(node.id, actorDid, ucanService, flowUri, schemaVersion);
+  if (!auth.authorized) {
+    return { success: false, stage: "authorization", error: auth.reason };
+  }
+  if (node.linkedClaim && !node.linkedClaim.collectionId) {
+    return { success: false, stage: "claim", error: "Linked claim collection is required but missing." };
+  }
+  let invocationCid;
+  let invocationData;
+  if (ucanService && auth.proofCids && auth.proofCids.length > 0) {
+    const capability = {
+      can: "flow/block/execute",
+      with: `${flowUri}:${node.id}`
+    };
+    try {
+      const invocationResult = await ucanService.createAndValidateInvocation(
+        {
+          invokerDid: actorDid,
+          invokerType: actorType,
+          entityRoomId,
+          capability,
+          proofs: auth.proofCids,
+          pin
+        },
+        flowId,
+        node.id
+      );
+      if (!invocationResult.valid) {
+        return {
+          success: false,
+          stage: "authorization",
+          error: `Invocation validation failed: ${invocationResult.error}`
+        };
+      }
+      invocationCid = invocationResult.cid;
+      invocationData = invocationResult.invocation;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Failed to create invocation";
+      return { success: false, stage: "authorization", error: message };
     }
-    if (invocationStore.hasBeenInvoked(invocationResult.cid)) {
+  }
+  try {
+    const result = await action();
+    if (node.linkedClaim && !result.claimId) {
+      if (invocationStore && invocationCid && invocationData) {
+        const storedInvocation = {
+          cid: invocationCid,
+          invocation: invocationData,
+          invokerDid: actorDid,
+          capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+          executedAt: now ? now() : Date.now(),
+          flowId,
+          blockId: node.id,
+          result: "failure",
+          error: "Execution did not return a claimId for linked claim requirement.",
+          proofCids: auth.proofCids || []
+        };
+        invocationStore.add(storedInvocation);
+      }
       return {
         success: false,
-        invocationCid: invocationResult.cid,
-        error: "Invocation has already been used (replay attack prevented)"
+        stage: "claim",
+        error: "Execution did not return a claimId for linked claim requirement.",
+        invocationCid
       };
     }
-    try {
-      const actionResult = await action();
+    if (invocationStore && invocationCid && invocationData) {
       const storedInvocation = {
-        cid: invocationResult.cid,
-        invocation: invocationResult.invocation,
-        invokerDid: params.invokerDid,
-        capability: params.capability,
-        executedAt: Date.now(),
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
         flowId,
-        blockId,
+        blockId: node.id,
         result: "success",
-        proofCids: params.proofs
+        proofCids: auth.proofCids || [],
+        claimId: result.claimId
       };
       invocationStore.add(storedInvocation);
-      return {
-        success: true,
-        invocationCid: invocationResult.cid,
-        result: actionResult,
-        actionResult
-      };
-    } catch (error) {
+    }
+    updateRuntimeAfterSuccess(node, actorDid, runtime, result, invocationCid || auth.capabilityId, now);
+    return {
+      success: true,
+      stage: "complete",
+      result,
+      capabilityId: auth.capabilityId,
+      invocationCid
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Execution failed";
+    if (invocationStore && invocationCid && invocationData) {
       const storedInvocation = {
-        cid: invocationResult.cid,
-        invocation: invocationResult.invocation,
-        invokerDid: params.invokerDid,
-        capability: params.capability,
-        executedAt: Date.now(),
+        cid: invocationCid,
+        invocation: invocationData,
+        invokerDid: actorDid,
+        capability: { can: "flow/block/execute", with: `${flowUri}:${node.id}` },
+        executedAt: now ? now() : Date.now(),
         flowId,
-        blockId,
+        blockId: node.id,
         result: "failure",
-        error: error instanceof Error ? error.message : "Unknown error",
-        proofCids: params.proofs
+        error: message,
+        proofCids: auth.proofCids || []
       };
       invocationStore.add(storedInvocation);
-      return {
-        success: false,
-        invocationCid: invocationResult.cid,
-        error: error instanceof Error ? error.message : "Unknown error"
-      };
     }
-  };
-  return {
-    createRootDelegation,
-    createDelegation,
-    revokeDelegation,
-    getDelegation,
-    getAllDelegations,
-    getRootDelegation,
-    createAndValidateInvocation,
-    executeWithInvocation,
-    validateDelegationChain,
-    findValidProofs,
-    parseDelegationFromStore,
-    isConfigured
-  };
+    return { success: false, stage: "action", error: message, invocationCid };
+  }
 };
 
 // src/core/lib/flowEngine/migration.ts
@@ -3035,6 +3042,7 @@ export {
   didToMatrixUserId,
   findOrCreateDMRoom,
   sendDirectMessage,
+  createUcanService,
   createUcanDelegationStore,
   createMemoryUcanDelegationStore,
   createInvocationStore,
@@ -3046,7 +3054,6 @@ export {
   clearRuntimeForTemplateClone,
   isNodeActive,
   isAuthorized,
-  executeNode,
-  createUcanService
+  executeNode
 };
-//# sourceMappingURL=chunk-3EZI42YS.mjs.map
+//# sourceMappingURL=chunk-F2JSGDES.mjs.map