From 5c773de0ac510e326e3542fdb6df2742df434ddd Mon Sep 17 00:00:00 2001
From: SentienceDEV <ivytony@gmail.com>
Date: Tue, 10 Mar 2026 21:33:10 -0700
Subject: [PATCH] add MandateStore when using delegation

---
 src/http/mod.rs | 10 ++++++++++
 src/main.rs     |  7 +++++++
 2 files changed, 17 insertions(+)

diff --git a/src/http/mod.rs b/src/http/mod.rs
index c784ac8..2dfac66 100644
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@@ -359,6 +359,16 @@ async fn authorize_handler(
                     "1 scope".to_string()
                 }
             );
+
+            // Store mandate in mandate store for /v1/execute endpoint
+            if let Some(ref mandate_store) = state.mandate_store {
+                mandate_store.store(mandate.clone());
+                debug!(
+                    "Stored mandate {} for execution proxying",
+                    mandate.claims.mandate_id
+                );
+            }
+
             decision.mandate = Some(mandate);
         }
     }
diff --git a/src/main.rs b/src/main.rs
index d4c5dd6..afb2dd1 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -629,6 +629,13 @@ async fn main() -> anyhow::Result<()> {
             "Chain delegation enabled (max_depth: {}, ttl: {}s)",
             cli.max_delegation_depth, delegation_ttl_s
         );
+
+        // Add mandate store for /v1/execute endpoint support
+        // This enables execution proxying (zero-trust mode)
+        use predicate_authorityd::mandate::MandateStore;
+        let mandate_store = MandateStore::new();
+        state = state.with_mandate_store(mandate_store);
+        info!("Execution proxying enabled (/v1/execute endpoint)");
     }
 
     // Initialize control-plane client if in cloud_connected mode