@kya-os/mcp-i-core 1.2.2-canary.23 → 1.2.2-canary.25

package/dist/cache/oauth-config-cache.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Platform-agnostic cache interface for OAuth provider configurations
+ *
+ * This interface allows different runtime adapters to provide their own
+ * caching implementations (e.g., in-memory for Node.js, KV for Cloudflare)
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { OAuthConfig } from "@kya-os/contracts/config";
+/**
+ * Cache interface for storing and retrieving OAuth provider configurations
+ */
+export interface OAuthConfigCache {
+    /**
+     * Retrieve a cached OAuth configuration
+     * @param key Cache key (typically projectId)
+     * @returns Cached config or null if not found/expired
+     */
+    get(key: string): Promise<OAuthConfig | null>;
+    /**
+     * Store an OAuth configuration in cache
+     * @param key Cache key (typically projectId)
+     * @param value OAuth configuration to cache
+     * @param ttl Time-to-live in milliseconds
+     */
+    set(key: string, value: OAuthConfig, ttl: number): Promise<void>;
+    /**
+     * Clear all cached entries
+     */
+    clear(): Promise<void>;
+    /**
+     * Remove a specific cache entry
+     * @param key Cache key to remove
+     */
+    delete(key: string): Promise<void>;
+}
+/**
+ * In-memory cache implementation
+ *
+ * Suitable for:
+ * - Node.js runtimes
+ * - Development/testing
+ * - Single-instance deployments
+ *
+ * NOT suitable for:
+ * - Multi-instance deployments (cache not shared)
+ * - Serverless environments (state not persisted)
+ */
+export declare class InMemoryOAuthConfigCache implements OAuthConfigCache {
+    private cache;
+    get(key: string): Promise<OAuthConfig | null>;
+    set(key: string, value: OAuthConfig, ttl: number): Promise<void>;
+    clear(): Promise<void>;
+    delete(key: string): Promise<void>;
+}
+/**
+ * No-op cache implementation (disables caching)
+ *
+ * Use when:
+ * - You want to disable caching entirely
+ * - Testing scenarios that require fresh data
+ */
+export declare class NoOpOAuthConfigCache implements OAuthConfigCache {
+    get(_key: string): Promise<OAuthConfig | null>;
+    set(_key: string, _value: OAuthConfig, _ttl: number): Promise<void>;
+    clear(): Promise<void>;
+    delete(_key: string): Promise<void>;
+}
+//# sourceMappingURL=oauth-config-cache.d.ts.map

package/dist/cache/oauth-config-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-config-cache.d.ts","sourceRoot":"","sources":["../../src/cache/oauth-config-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAE9C;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjE;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,wBAAyB,YAAW,gBAAgB;IAC/D,OAAO,CAAC,KAAK,CAGT;IAEE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAgB7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAShE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC;AAED;;;;;;GAMG;AACH,qBAAa,oBAAqB,YAAW,gBAAgB;IACrD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAI9C,GAAG,CACP,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC;IAIV,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG1C"}

package/dist/cache/oauth-config-cache.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * Platform-agnostic cache interface for OAuth provider configurations
+ *
+ * This interface allows different runtime adapters to provide their own
+ * caching implementations (e.g., in-memory for Node.js, KV for Cloudflare)
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoOpOAuthConfigCache = exports.InMemoryOAuthConfigCache = void 0;
+/**
+ * In-memory cache implementation
+ *
+ * Suitable for:
+ * - Node.js runtimes
+ * - Development/testing
+ * - Single-instance deployments
+ *
+ * NOT suitable for:
+ * - Multi-instance deployments (cache not shared)
+ * - Serverless environments (state not persisted)
+ */
+class InMemoryOAuthConfigCache {
+    cache = new Map();
+    async get(key) {
+        const entry = this.cache.get(key);
+        if (!entry) {
+            return null;
+        }
+        // Check if expired
+        if (Date.now() > entry.expiresAt) {
+            this.cache.delete(key);
+            return null;
+        }
+        return entry.value;
+    }
+    async set(key, value, ttl) {
+        // If TTL is <= 0, don't store (entry would be immediately expired)
+        if (ttl <= 0) {
+            return;
+        }
+        const expiresAt = Date.now() + ttl;
+        this.cache.set(key, { value, expiresAt });
+    }
+    async clear() {
+        this.cache.clear();
+    }
+    async delete(key) {
+        this.cache.delete(key);
+    }
+}
+exports.InMemoryOAuthConfigCache = InMemoryOAuthConfigCache;
+/**
+ * No-op cache implementation (disables caching)
+ *
+ * Use when:
+ * - You want to disable caching entirely
+ * - Testing scenarios that require fresh data
+ */
+class NoOpOAuthConfigCache {
+    async get(_key) {
+        return null;
+    }
+    async set(_key, _value, _ttl) {
+        // No-op
+    }
+    async clear() {
+        // No-op
+    }
+    async delete(_key) {
+        // No-op
+    }
+}
+exports.NoOpOAuthConfigCache = NoOpOAuthConfigCache;
+//# sourceMappingURL=oauth-config-cache.js.map

package/dist/cache/oauth-config-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-config-cache.js","sourceRoot":"","sources":["../../src/cache/oauth-config-cache.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAmCH;;;;;;;;;;;GAWG;AACH,MAAa,wBAAwB;IAC3B,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IAEJ,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAElC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAkB,EAAE,GAAW;QACpD,mEAAmE;QACnE,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF;AAtCD,4DAsCC;AAED;;;;;;GAMG;AACH,MAAa,oBAAoB;IAC/B,KAAK,CAAC,GAAG,CAAC,IAAY;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,CACP,IAAY,EACZ,MAAmB,EACnB,IAAY;QAEZ,QAAQ;IACV,CAAC;IAED,KAAK,CAAC,KAAK;QACT,QAAQ;IACV,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,QAAQ;IACV,CAAC;CACF;AApBD,oDAoBC"}

package/dist/identity/idp-token-resolver.d.ts

@@ -0,0 +1,53 @@
+/**
+ * IDP Token Resolver
+ *
+ * Resolves User DID to IDP access token (MH-7 requirement).
+ * Handles token lookup, expiration checking, and automatic refresh.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { IdpTokens } from "@kya-os/contracts/config";
+import type { IIdpTokenStorage } from "./idp-token-storage.interface.js";
+export interface IdpTokenResolverConfig {
+    /** Token storage implementation */
+    tokenStorage: IIdpTokenStorage;
+    /** OAuth service for token refresh */
+    oauthService: {
+        refreshToken(provider: string, refreshToken: string): Promise<IdpTokens | null>;
+    };
+    /** Optional logger callback for diagnostics */
+    logger?: (message: string, data?: unknown) => void;
+}
+/**
+ * Service for resolving User DID to IDP access token
+ *
+ * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
+ *
+ * This service implements the core MH-7 functionality:
+ * - Resolves User DID to IDP access token
+ * - Handles token expiration and automatic refresh
+ * - Supports multiple IDP providers
+ */
+export declare class IdpTokenResolver {
+    private config;
+    constructor(config: IdpTokenResolverConfig);
+    /**
+     * Resolve User DID to IDP access token
+     *
+     * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
+     *
+     * Flow:
+     * 1. Look up token from storage
+     * 2. Check expiration
+     * 3. Auto-refresh if expired and refresh_token available
+     * 4. Update storage after refresh
+     * 5. Return access_token or null
+     *
+     * @param userDid - User DID to resolve
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param scopes - Required scopes for token
+     * @returns Access token or null if not found/expired
+     */
+    resolveTokenFromDid(userDid: string, provider: string, scopes: string[]): Promise<string | null>;
+}
+//# sourceMappingURL=idp-token-resolver.d.ts.map

package/dist/identity/idp-token-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-token-resolver.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAEzE,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,YAAY,EAAE,gBAAgB,CAAC;IAE/B,sCAAsC;IACtC,YAAY,EAAE;QACZ,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;KACjF,CAAC;IAEF,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;GASG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,sBAAsB;IAQ1C;;;;;;;;;;;;;;;;OAgBG;IACG,mBAAmB,CACvB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CA4E1B"}

package/dist/identity/idp-token-resolver.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * IDP Token Resolver
+ *
+ * Resolves User DID to IDP access token (MH-7 requirement).
+ * Handles token lookup, expiration checking, and automatic refresh.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdpTokenResolver = void 0;
+/**
+ * Service for resolving User DID to IDP access token
+ *
+ * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
+ *
+ * This service implements the core MH-7 functionality:
+ * - Resolves User DID to IDP access token
+ * - Handles token expiration and automatic refresh
+ * - Supports multiple IDP providers
+ */
+class IdpTokenResolver {
+    config;
+    constructor(config) {
+        this.config = {
+            tokenStorage: config.tokenStorage,
+            oauthService: config.oauthService,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Resolve User DID to IDP access token
+     *
+     * MH-7 Requirement: resolveTokenFromDid(userDid: string): Promise<string>
+     *
+     * Flow:
+     * 1. Look up token from storage
+     * 2. Check expiration
+     * 3. Auto-refresh if expired and refresh_token available
+     * 4. Update storage after refresh
+     * 5. Return access_token or null
+     *
+     * @param userDid - User DID to resolve
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param scopes - Required scopes for token
+     * @returns Access token or null if not found/expired
+     */
+    async resolveTokenFromDid(userDid, provider, scopes) {
+        // 1. Look up token from storage
+        const storedToken = await this.config.tokenStorage.getToken(userDid, provider, scopes);
+        if (!storedToken) {
+            this.config.logger("[IdpTokenResolver] Token not found", {
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+                scopes,
+            });
+            return null;
+        }
+        // 2. Check expiration
+        const now = Date.now();
+        if (storedToken.expires_at < now) {
+            this.config.logger("[IdpTokenResolver] Token expired, attempting refresh", {
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+                expiresAt: new Date(storedToken.expires_at).toISOString(),
+                hasRefreshToken: !!storedToken.refresh_token,
+            });
+            // 3. Refresh if refresh_token available
+            if (storedToken.refresh_token) {
+                const refreshed = await this.config.oauthService.refreshToken(provider, storedToken.refresh_token);
+                if (refreshed) {
+                    // 4. Update storage with new tokens
+                    await this.config.tokenStorage.storeToken(userDid, provider, scopes, refreshed);
+                    this.config.logger("[IdpTokenResolver] Token refreshed successfully", {
+                        userDid: userDid.substring(0, 20) + "...",
+                        provider,
+                        expiresAt: new Date(refreshed.expires_at).toISOString(),
+                    });
+                    // 5. Return new access_token
+                    return refreshed.access_token;
+                }
+                else {
+                    this.config.logger("[IdpTokenResolver] Token refresh failed", {
+                        userDid: userDid.substring(0, 20) + "...",
+                        provider,
+                    });
+                    return null;
+                }
+            }
+            else {
+                this.config.logger("[IdpTokenResolver] Token expired and no refresh token", {
+                    userDid: userDid.substring(0, 20) + "...",
+                    provider,
+                });
+                return null;
+            }
+        }
+        // 4. Return valid access_token
+        this.config.logger("[IdpTokenResolver] Token resolved successfully", {
+            userDid: userDid.substring(0, 20) + "...",
+            provider,
+            expiresAt: new Date(storedToken.expires_at).toISOString(),
+        });
+        return storedToken.access_token;
+    }
+}
+exports.IdpTokenResolver = IdpTokenResolver;
+//# sourceMappingURL=idp-token-resolver.js.map

package/dist/identity/idp-token-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-token-resolver.js","sourceRoot":"","sources":["../../src/identity/idp-token-resolver.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAkBH;;;;;;;;;GASG;AACH,MAAa,gBAAgB;IACnB,MAAM,CAEZ;IAEF,YAAY,MAA8B;QACxC,IAAI,CAAC,MAAM,GAAG;YACZ,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,mBAAmB,CACvB,OAAe,EACf,QAAgB,EAChB,MAAgB;QAEhB,gCAAgC;QAChC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CACzD,OAAO,EACP,QAAQ,EACR,MAAM,CACP,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE;gBACvD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,MAAM;aACP,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,sBAAsB;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,WAAW,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sDAAsD,EAAE;gBACzE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;gBACzD,eAAe,EAAE,CAAC,CAAC,WAAW,CAAC,aAAa;aAC7C,CAAC,CAAC;YAEH,wCAAwC;YACxC,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,YAAY,CAC3D,QAAQ,EACR,WAAW,CAAC,aAAa,CAC1B,CAAC;gBAEF,IAAI,SAAS,EAAE,CAAC;oBACd,oCAAoC;oBACpC,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,CACvC,OAAO,EACP,QAAQ,EACR,MAAM,EACN,SAAS,CACV,CAAC;oBAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,iDAAiD,EAAE;wBACpE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;wBACzC,QAAQ;wBACR,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;qBACxD,CAAC,CAAC;oBAEH,6BAA6B;oBAC7B,OAAO,SAAS,CAAC,YAAY,CAAC;gBAChC,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,yCAAyC,EAAE;wBAC5D,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;wBACzC,QAAQ;qBACT,CAAC,CAAC;oBACH,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,uDAAuD,EAAE;oBAC1E,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;oBACzC,QAAQ;iBACT,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gDAAgD,EAAE;YACnE,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;YACzC,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;SAC1D,CAAC,CAAC;QAEH,OAAO,WAAW,CAAC,YAAY,CAAC;IAClC,CAAC;CACF;AA9GD,4CA8GC"}

package/dist/identity/idp-token-storage.interface.d.ts

@@ -0,0 +1,42 @@
+/**
+ * IDP Token Storage Interface
+ *
+ * Platform-agnostic interface for storing and retrieving IDP tokens.
+ * Platform-specific implementations (Cloudflare KV, Node.js database, etc.)
+ * implement this interface.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { IdpTokens } from "@kya-os/contracts/config";
+/**
+ * Interface for IDP token storage
+ */
+export interface IIdpTokenStorage {
+    /**
+     * Store IDP tokens
+     *
+     * @param userDid - User DID to associate tokens with
+     * @param provider - OAuth provider name
+     * @param scopes - Scopes granted for these tokens
+     * @param tokens - IDP tokens to store
+     */
+    storeToken(userDid: string, provider: string, scopes: string[], tokens: IdpTokens): Promise<void>;
+    /**
+     * Retrieve IDP tokens
+     *
+     * @param userDid - User DID to retrieve tokens for
+     * @param provider - OAuth provider name
+     * @param scopes - Scopes to retrieve tokens for
+     * @returns IDP tokens or null if not found
+     */
+    getToken(userDid: string, provider: string, scopes: string[]): Promise<IdpTokens | null>;
+    /**
+     * Delete IDP tokens
+     *
+     * @param userDid - User DID
+     * @param provider - OAuth provider name
+     * @param scopes - Scopes
+     */
+    deleteToken(userDid: string, provider: string, scopes: string[]): Promise<void>;
+}
+//# sourceMappingURL=idp-token-storage.interface.d.ts.map

package/dist/identity/idp-token-storage.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-token-storage.interface.d.ts","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;;;;OAOG;IACH,UAAU,CACR,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjB;;;;;;;OAOG;IACH,QAAQ,CACN,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IAE7B;;;;;;OAMG;IACH,WAAW,CACT,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB"}

package/dist/identity/idp-token-storage.interface.js

@@ -0,0 +1,12 @@
+"use strict";
+/**
+ * IDP Token Storage Interface
+ *
+ * Platform-agnostic interface for storing and retrieving IDP tokens.
+ * Platform-specific implementations (Cloudflare KV, Node.js database, etc.)
+ * implement this interface.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=idp-token-storage.interface.js.map

package/dist/identity/idp-token-storage.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-token-storage.interface.js","sourceRoot":"","sources":["../../src/identity/idp-token-storage.interface.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG"}

package/dist/index.d.ts

@@ -17,6 +17,21 @@ export { ProofVerifier } from "./services/proof-verifier";
 export type { ProofVerificationResult, ProofVerifierConfig, } from "./services/proof-verifier";
 export { AccessControlApiService } from "./services/access-control.service";
 export type { AccessControlApiServiceConfig, AccessControlApiServiceMetrics, } from "./services/access-control.service";
+export { OAuthConfigService } from "./services/oauth-config.service";
+export type { OAuthConfigServiceConfig } from "./services/oauth-config.service";
+export { OAuthService } from "./services/oauth-service";
+export type { OAuthServiceConfig } from "./services/oauth-service";
+export { ToolContextBuilder } from "./services/tool-context-builder";
+export type { ToolContextBuilderConfig } from "./services/tool-context-builder";
+export { OAuthProviderRegistry } from "./services/oauth-provider-registry";
+export { ProviderResolver } from "./services/provider-resolver";
+export { ProviderValidator, ProviderValidationError } from "./services/provider-validator";
+export { OAuthTokenRetrievalService } from "./services/oauth-token-retrieval.service";
+export type { OAuthTokenRetrievalServiceConfig } from "./services/oauth-token-retrieval.service";
+export { BatchDelegationService } from "./services/batch-delegation.service";
+export type { ToolGroup } from "./services/batch-delegation.service";
+export { InMemoryOAuthConfigCache, NoOpOAuthConfigCache, } from "./cache/oauth-config-cache";
+export type { OAuthConfigCache } from "./cache/oauth-config-cache";
 export { createStorageProviders, StorageKeyHelpers, migrateLegacyKeys, } from "./services/storage.service";
 export type { StorageServiceConfig, StorageProviders, } from "./services/storage.service";
 export { ProofVerificationError, PROOF_VERIFICATION_ERROR_CODES, createProofVerificationError, } from "./services/errors";
@@ -24,6 +39,8 @@ export type { ProofVerificationErrorCode } from "./services/errors";
 export { ToolProtectionCache, InMemoryToolProtectionCache, NoOpToolProtectionCache, } from "./cache/tool-protection-cache";
 export type { ToolProtection, ToolProtectionConfig, ToolProtectionServiceConfig, } from "./types/tool-protection";
 export { DelegationRequiredError } from "./types/tool-protection";
+export { OAuthRequiredError } from "./types/oauth-required-error";
+export type { OAuthRequiredErrorOptions } from "./types/oauth-required-error";
 export { DelegationCredentialIssuer, createDelegationIssuer, type IssueDelegationOptions, type VCSigningFunction, type IdentityProvider as DelegationIdentityProvider, } from "./delegation/vc-issuer";
 export { DelegationCredentialVerifier, createDelegationVerifier, type DelegationVCVerificationResult, type VerifyDelegationVCOptions, type DIDResolver, type DIDDocument, type VerificationMethod, type StatusListResolver, type SignatureVerificationFunction, } from "./delegation/vc-verifier";
 export { StatusList2021Manager, createStatusListManager, type StatusListStorageProvider, type StatusListIdentityProvider, } from "./delegation/statuslist-manager";
@@ -41,4 +58,7 @@ export * from "./config";
 export { fetchRemoteConfig, type RemoteConfigCache, type RemoteConfigOptions, } from "./config/remote-config";
 export { UserDidManager } from "./identity/user-did-manager";
 export type { UserDidStorage, UserDidManagerConfig, } from "./identity/user-did-manager";
+export { IdpTokenResolver } from "./identity/idp-token-resolver";
+export type { IdpTokenResolverConfig } from "./identity/idp-token-resolver";
+export type { IIdpTokenStorage } from "./identity/idp-token-storage.interface";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAG/D,YAAY,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAG3D,cAAc,SAAS,CAAC;AAExB,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAG3E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE1D,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE1D,YAAY,EACV,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,YAAY,EACV,6BAA6B,EAC7B,8BAA8B,GAC/B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EACL,sBAAsB,EACtB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,4BAA4B,CAAC;AAEpC,YAAY,EACV,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAEpE,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AAEvC,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAGlE,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,IAAI,0BAA0B,GACpD,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC9B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,GACnC,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,gBAAgB,EAChB,UAAU,EACV,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,KAAK,cAAc,EACnB,KAAK,8BAA8B,GACpC,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,0BAA0B,EAC1B,gCAAgC,EAChC,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gDAAgD,CAAC;AAEzF,OAAO,EAAE,4BAA4B,EAAE,MAAM,2CAA2C,CAAC;AAGzF,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,kBAAkB,EAClB,cAAc,GACf,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAItD,OAAO,KAAK,EACV,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,eAAe,EACf,WAAW,EACZ,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,eAAe,EACf,WAAW,GACZ,CAAC;AAGF,cAAc,UAAU,CAAC;AAGzB,OAAO,EACL,iBAAiB,EACjB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,YAAY,EACV,cAAc,EACd,oBAAoB,GACrB,MAAM,6BAA6B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,YAAY,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAG/D,YAAY,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAG3D,cAAc,SAAS,CAAC;AAExB,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAG3E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE1D,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE1D,YAAY,EACV,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,YAAY,EACV,6BAA6B,EAC7B,8BAA8B,GAC/B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAErE,YAAY,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAGhF,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAGnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAErE,YAAY,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAGhF,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAG3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAGhE,OAAO,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAG3F,OAAO,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AACtF,YAAY,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAGjG,OAAO,EAAE,sBAAsB,EAAE,MAAM,qCAAqC,CAAC;AAC7E,YAAY,EAAE,SAAS,EAAE,MAAM,qCAAqC,CAAC;AAGrE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,4BAA4B,CAAC;AAEpC,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAGnE,OAAO,EACL,sBAAsB,EACtB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,4BAA4B,CAAC;AAEpC,YAAY,EACV,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAEpE,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AAEvC,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,2BAA2B,GAC5B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,YAAY,EAAE,yBAAyB,EAAE,MAAM,8BAA8B,CAAC;AAG9E,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,IAAI,0BAA0B,GACpD,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC9B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,GACnC,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,gBAAgB,EAChB,UAAU,EACV,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,KAAK,cAAc,EACnB,KAAK,8BAA8B,GACpC,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,0BAA0B,EAC1B,gCAAgC,EAChC,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gDAAgD,CAAC;AAEzF,OAAO,EAAE,4BAA4B,EAAE,MAAM,2CAA2C,CAAC;AAGzF,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EACL,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,kBAAkB,EAClB,cAAc,GACf,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAItD,OAAO,KAAK,EACV,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,eAAe,EACf,WAAW,EACZ,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,aAAa,EACb,eAAe,EACf,WAAW,GACZ,CAAC;AAGF,cAAc,UAAU,CAAC;AAGzB,OAAO,EACL,iBAAiB,EACjB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,YAAY,EACV,cAAc,EACd,oBAAoB,GACrB,MAAM,6BAA6B,CAAC;AAGrC,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC5E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC"}

package/dist/index.js

@@ -20,7 +20,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UserDidManager = exports.fetchRemoteConfig = exports.canonicalizeJSON = exports.getSchemaStats = exports.getCriticalSchemas = exports.getSchemaById = exports.getSchemasByCategory = exports.getAllSchemas = exports.SCHEMA_REGISTRY = exports.createSchemaVerifier = exports.SchemaVerifier = exports.MemoryDelegationGraphStorage = exports.MemoryStatusListStorage = exports.createCascadingRevocationManager = exports.CascadingRevocationManager = exports.createDelegationGraph = exports.DelegationGraphManager = exports.isIndexSet = exports.BitstringManager = exports.createStatusListManager = exports.StatusList2021Manager = exports.createDelegationVerifier = exports.DelegationCredentialVerifier = exports.createDelegationIssuer = exports.DelegationCredentialIssuer = exports.DelegationRequiredError = exports.NoOpToolProtectionCache = exports.InMemoryToolProtectionCache = exports.createProofVerificationError = exports.PROOF_VERIFICATION_ERROR_CODES = exports.ProofVerificationError = exports.migrateLegacyKeys = exports.StorageKeyHelpers = exports.createStorageProviders = exports.AccessControlApiService = exports.ProofVerifier = exports.CryptoService = exports.ToolProtectionService = exports.MCPIRuntimeBase = exports.MemoryIdentityProvider = exports.MemoryNonceCacheProvider = exports.MemoryStorageProvider = exports.IdentityProvider = exports.NonceCacheProvider = exports.StorageProvider = exports.FetchProvider = exports.ClockProvider = exports.CryptoProvider = void 0;
+exports.SchemaVerifier = exports.MemoryDelegationGraphStorage = exports.MemoryStatusListStorage = exports.createCascadingRevocationManager = exports.CascadingRevocationManager = exports.createDelegationGraph = exports.DelegationGraphManager = exports.isIndexSet = exports.BitstringManager = exports.createStatusListManager = exports.StatusList2021Manager = exports.createDelegationVerifier = exports.DelegationCredentialVerifier = exports.createDelegationIssuer = exports.DelegationCredentialIssuer = exports.OAuthRequiredError = exports.DelegationRequiredError = exports.NoOpToolProtectionCache = exports.InMemoryToolProtectionCache = exports.createProofVerificationError = exports.PROOF_VERIFICATION_ERROR_CODES = exports.ProofVerificationError = exports.migrateLegacyKeys = exports.StorageKeyHelpers = exports.createStorageProviders = exports.NoOpOAuthConfigCache = exports.InMemoryOAuthConfigCache = exports.BatchDelegationService = exports.OAuthTokenRetrievalService = exports.ProviderValidationError = exports.ProviderValidator = exports.ProviderResolver = exports.OAuthProviderRegistry = exports.ToolContextBuilder = exports.OAuthService = exports.OAuthConfigService = exports.AccessControlApiService = exports.ProofVerifier = exports.CryptoService = exports.ToolProtectionService = exports.MCPIRuntimeBase = exports.MemoryIdentityProvider = exports.MemoryNonceCacheProvider = exports.MemoryStorageProvider = exports.IdentityProvider = exports.NonceCacheProvider = exports.StorageProvider = exports.FetchProvider = exports.ClockProvider = exports.CryptoProvider = void 0;
+exports.IdpTokenResolver = exports.UserDidManager = exports.fetchRemoteConfig = exports.canonicalizeJSON = exports.getSchemaStats = exports.getCriticalSchemas = exports.getSchemaById = exports.getSchemasByCategory = exports.getAllSchemas = exports.SCHEMA_REGISTRY = exports.createSchemaVerifier = void 0;
 // Base providers
 var base_1 = require("./providers/base");
 Object.defineProperty(exports, "CryptoProvider", { enumerable: true, get: function () { return base_1.CryptoProvider; } });
@@ -51,6 +52,35 @@ Object.defineProperty(exports, "ProofVerifier", { enumerable: true, get: functio
 // Access Control API Service (stub for Phase 3)
 var access_control_service_1 = require("./services/access-control.service");
 Object.defineProperty(exports, "AccessControlApiService", { enumerable: true, get: function () { return access_control_service_1.AccessControlApiService; } });
+// OAuth Config Service (Phase 1)
+var oauth_config_service_1 = require("./services/oauth-config.service");
+Object.defineProperty(exports, "OAuthConfigService", { enumerable: true, get: function () { return oauth_config_service_1.OAuthConfigService; } });
+// OAuth Service (Phase 1)
+var oauth_service_1 = require("./services/oauth-service");
+Object.defineProperty(exports, "OAuthService", { enumerable: true, get: function () { return oauth_service_1.OAuthService; } });
+// Tool Context Builder (Phase 1)
+var tool_context_builder_1 = require("./services/tool-context-builder");
+Object.defineProperty(exports, "ToolContextBuilder", { enumerable: true, get: function () { return tool_context_builder_1.ToolContextBuilder; } });
+// OAuth Provider Registry (Phase 2)
+var oauth_provider_registry_1 = require("./services/oauth-provider-registry");
+Object.defineProperty(exports, "OAuthProviderRegistry", { enumerable: true, get: function () { return oauth_provider_registry_1.OAuthProviderRegistry; } });
+// Provider Resolver (Phase 2)
+var provider_resolver_1 = require("./services/provider-resolver");
+Object.defineProperty(exports, "ProviderResolver", { enumerable: true, get: function () { return provider_resolver_1.ProviderResolver; } });
+// Provider Validator (Phase 3)
+var provider_validator_1 = require("./services/provider-validator");
+Object.defineProperty(exports, "ProviderValidator", { enumerable: true, get: function () { return provider_validator_1.ProviderValidator; } });
+Object.defineProperty(exports, "ProviderValidationError", { enumerable: true, get: function () { return provider_validator_1.ProviderValidationError; } });
+// OAuth Token Retrieval Service (Phase 3)
+var oauth_token_retrieval_service_1 = require("./services/oauth-token-retrieval.service");
+Object.defineProperty(exports, "OAuthTokenRetrievalService", { enumerable: true, get: function () { return oauth_token_retrieval_service_1.OAuthTokenRetrievalService; } });
+// Batch Delegation Service (Phase 2)
+var batch_delegation_service_1 = require("./services/batch-delegation.service");
+Object.defineProperty(exports, "BatchDelegationService", { enumerable: true, get: function () { return batch_delegation_service_1.BatchDelegationService; } });
+// OAuth Config Cache
+var oauth_config_cache_1 = require("./cache/oauth-config-cache");
+Object.defineProperty(exports, "InMemoryOAuthConfigCache", { enumerable: true, get: function () { return oauth_config_cache_1.InMemoryOAuthConfigCache; } });
+Object.defineProperty(exports, "NoOpOAuthConfigCache", { enumerable: true, get: function () { return oauth_config_cache_1.NoOpOAuthConfigCache; } });
 // Storage Service Factory
 var storage_service_1 = require("./services/storage.service");
 Object.defineProperty(exports, "createStorageProviders", { enumerable: true, get: function () { return storage_service_1.createStorageProviders; } });
@@ -66,6 +96,8 @@ Object.defineProperty(exports, "InMemoryToolProtectionCache", { enumerable: true
 Object.defineProperty(exports, "NoOpToolProtectionCache", { enumerable: true, get: function () { return tool_protection_cache_1.NoOpToolProtectionCache; } });
 var tool_protection_1 = require("./types/tool-protection");
 Object.defineProperty(exports, "DelegationRequiredError", { enumerable: true, get: function () { return tool_protection_1.DelegationRequiredError; } });
+var oauth_required_error_1 = require("./types/oauth-required-error");
+Object.defineProperty(exports, "OAuthRequiredError", { enumerable: true, get: function () { return oauth_required_error_1.OAuthRequiredError; } });
 // Delegation (W3C VC-based)
 var vc_issuer_1 = require("./delegation/vc-issuer");
 Object.defineProperty(exports, "DelegationCredentialIssuer", { enumerable: true, get: function () { return vc_issuer_1.DelegationCredentialIssuer; } });
@@ -113,4 +145,7 @@ Object.defineProperty(exports, "fetchRemoteConfig", { enumerable: true, get: fun
 // User DID Manager (Phase 4)
 var user_did_manager_1 = require("./identity/user-did-manager");
 Object.defineProperty(exports, "UserDidManager", { enumerable: true, get: function () { return user_did_manager_1.UserDidManager; } });
+// IDP Token Resolver (Phase 1 - MH-7)
+var idp_token_resolver_1 = require("./identity/idp-token-resolver");
+Object.defineProperty(exports, "IdpTokenResolver", { enumerable: true, get: function () { return idp_token_resolver_1.IdpTokenResolver; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;AAEH,iBAAiB;AACjB,yCAQ0B;AAPxB,sGAAA,cAAc,OAAA;AACd,qGAAA,aAAa,OAAA;AACb,qGAAA,aAAa,OAAA;AACb,uGAAA,eAAe,OAAA;AACf,0GAAA,kBAAkB,OAAA;AAClB,wGAAA,gBAAgB,OAAA;AAIlB,mBAAmB;AACnB,6CAI4B;AAH1B,+GAAA,qBAAqB,OAAA;AACrB,kHAAA,wBAAwB,OAAA;AACxB,gHAAA,sBAAsB,OAAA;AAGxB,UAAU;AACV,uCAAiD;AAAxC,uGAAA,eAAe,OAAA;AAMxB,YAAY;AACZ,0CAAwB;AACxB,kBAAkB;AAClB,8EAA2E;AAAlE,gIAAA,qBAAqB,OAAA;AAE9B,iBAAiB;AACjB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAItB,yBAAyB;AACzB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAOtB,gDAAgD;AAChD,4EAA4E;AAAnE,iIAAA,uBAAuB,OAAA;AAOhC,0BAA0B;AAC1B,8DAIoC;AAHlC,yHAAA,sBAAsB,OAAA;AACtB,oHAAA,iBAAiB,OAAA;AACjB,oHAAA,iBAAiB,OAAA;AAQnB,4BAA4B;AAC5B,4CAI2B;AAHzB,gHAAA,sBAAsB,OAAA;AACtB,wHAAA,8BAA8B,OAAA;AAC9B,sHAAA,4BAA4B,OAAA;AAK9B,uEAIuC;AAFrC,oIAAA,2BAA2B,OAAA;AAC3B,gIAAA,uBAAuB,OAAA;AASzB,2DAAkE;AAAzD,0HAAA,uBAAuB,OAAA;AAEhC,4BAA4B;AAC5B,oDAMgC;AAL9B,uHAAA,0BAA0B,OAAA;AAC1B,mHAAA,sBAAsB,OAAA;AAMxB,wDAUkC;AAThC,2HAAA,4BAA4B,OAAA;AAC5B,uHAAA,wBAAwB,OAAA;AAU1B,iBAAiB;AACjB,sEAKyC;AAJvC,2HAAA,qBAAqB,OAAA;AACrB,6HAAA,uBAAuB,OAAA;AAKzB,oDAKgC;AAJ9B,6GAAA,gBAAgB,OAAA;AAChB,uGAAA,UAAU,OAAA;AAKZ,0CAA0C;AAC1C,kEAKuC;AAJrC,0HAAA,sBAAsB,OAAA;AACtB,yHAAA,qBAAqB,OAAA;AAKvB,0EAM2C;AALzC,kIAAA,0BAA0B,OAAA;AAC1B,wIAAA,gCAAgC,OAAA;AAMlC,qDAAqD;AACrD,4FAAyF;AAAhF,oIAAA,uBAAuB,OAAA;AAEhC,kFAAyF;AAAhF,oIAAA,4BAA4B,OAAA;AAErC,8DAA8D;AAC9D,gEAOsC;AANpC,iHAAA,cAAc,OAAA;AACd,uHAAA,oBAAoB,OAAA;AAOtB,gEAOsC;AANpC,kHAAA,eAAe,OAAA;AACf,gHAAA,aAAa,OAAA;AACb,uHAAA,oBAAoB,OAAA;AACpB,gHAAA,aAAa,OAAA;AACb,qHAAA,kBAAkB,OAAA;AAClB,iHAAA,cAAc,OAAA;AAGhB,4CAAsD;AAA7C,yGAAA,gBAAgB,OAAA;AA4BzB,oCAAoC;AACpC,2CAAyB;AAEzB,gCAAgC;AAChC,wDAIgC;AAH9B,kHAAA,iBAAiB,OAAA;AAKnB,6BAA6B;AAC7B,gEAA6D;AAApD,kHAAA,cAAc,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;AAEH,iBAAiB;AACjB,yCAQ0B;AAPxB,sGAAA,cAAc,OAAA;AACd,qGAAA,aAAa,OAAA;AACb,qGAAA,aAAa,OAAA;AACb,uGAAA,eAAe,OAAA;AACf,0GAAA,kBAAkB,OAAA;AAClB,wGAAA,gBAAgB,OAAA;AAIlB,mBAAmB;AACnB,6CAI4B;AAH1B,+GAAA,qBAAqB,OAAA;AACrB,kHAAA,wBAAwB,OAAA;AACxB,gHAAA,sBAAsB,OAAA;AAGxB,UAAU;AACV,uCAAiD;AAAxC,uGAAA,eAAe,OAAA;AAMxB,YAAY;AACZ,0CAAwB;AACxB,kBAAkB;AAClB,8EAA2E;AAAlE,gIAAA,qBAAqB,OAAA;AAE9B,iBAAiB;AACjB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAItB,yBAAyB;AACzB,4DAA0D;AAAjD,+GAAA,aAAa,OAAA;AAOtB,gDAAgD;AAChD,4EAA4E;AAAnE,iIAAA,uBAAuB,OAAA;AAOhC,iCAAiC;AACjC,wEAAqE;AAA5D,0HAAA,kBAAkB,OAAA;AAI3B,0BAA0B;AAC1B,0DAAwD;AAA/C,6GAAA,YAAY,OAAA;AAIrB,iCAAiC;AACjC,wEAAqE;AAA5D,0HAAA,kBAAkB,OAAA;AAI3B,oCAAoC;AACpC,8EAA2E;AAAlE,gIAAA,qBAAqB,OAAA;AAE9B,8BAA8B;AAC9B,kEAAgE;AAAvD,qHAAA,gBAAgB,OAAA;AAEzB,+BAA+B;AAC/B,oEAA2F;AAAlF,uHAAA,iBAAiB,OAAA;AAAE,6HAAA,uBAAuB,OAAA;AAEnD,0CAA0C;AAC1C,0FAAsF;AAA7E,2IAAA,0BAA0B,OAAA;AAGnC,qCAAqC;AACrC,gFAA6E;AAApE,kIAAA,sBAAsB,OAAA;AAG/B,qBAAqB;AACrB,iEAGoC;AAFlC,8HAAA,wBAAwB,OAAA;AACxB,0HAAA,oBAAoB,OAAA;AAKtB,0BAA0B;AAC1B,8DAIoC;AAHlC,yHAAA,sBAAsB,OAAA;AACtB,oHAAA,iBAAiB,OAAA;AACjB,oHAAA,iBAAiB,OAAA;AAQnB,4BAA4B;AAC5B,4CAI2B;AAHzB,gHAAA,sBAAsB,OAAA;AACtB,wHAAA,8BAA8B,OAAA;AAC9B,sHAAA,4BAA4B,OAAA;AAK9B,uEAIuC;AAFrC,oIAAA,2BAA2B,OAAA;AAC3B,gIAAA,uBAAuB,OAAA;AASzB,2DAAkE;AAAzD,0HAAA,uBAAuB,OAAA;AAChC,qEAAkE;AAAzD,0HAAA,kBAAkB,OAAA;AAG3B,4BAA4B;AAC5B,oDAMgC;AAL9B,uHAAA,0BAA0B,OAAA;AAC1B,mHAAA,sBAAsB,OAAA;AAMxB,wDAUkC;AAThC,2HAAA,4BAA4B,OAAA;AAC5B,uHAAA,wBAAwB,OAAA;AAU1B,iBAAiB;AACjB,sEAKyC;AAJvC,2HAAA,qBAAqB,OAAA;AACrB,6HAAA,uBAAuB,OAAA;AAKzB,oDAKgC;AAJ9B,6GAAA,gBAAgB,OAAA;AAChB,uGAAA,UAAU,OAAA;AAKZ,0CAA0C;AAC1C,kEAKuC;AAJrC,0HAAA,sBAAsB,OAAA;AACtB,yHAAA,qBAAqB,OAAA;AAKvB,0EAM2C;AALzC,kIAAA,0BAA0B,OAAA;AAC1B,wIAAA,gCAAgC,OAAA;AAMlC,qDAAqD;AACrD,4FAAyF;AAAhF,oIAAA,uBAAuB,OAAA;AAEhC,kFAAyF;AAAhF,oIAAA,4BAA4B,OAAA;AAErC,8DAA8D;AAC9D,gEAOsC;AANpC,iHAAA,cAAc,OAAA;AACd,uHAAA,oBAAoB,OAAA;AAOtB,gEAOsC;AANpC,kHAAA,eAAe,OAAA;AACf,gHAAA,aAAa,OAAA;AACb,uHAAA,oBAAoB,OAAA;AACpB,gHAAA,aAAa,OAAA;AACb,qHAAA,kBAAkB,OAAA;AAClB,iHAAA,cAAc,OAAA;AAGhB,4CAAsD;AAA7C,yGAAA,gBAAgB,OAAA;AA4BzB,oCAAoC;AACpC,2CAAyB;AAEzB,gCAAgC;AAChC,wDAIgC;AAH9B,kHAAA,iBAAiB,OAAA;AAKnB,6BAA6B;AAC7B,gEAA6D;AAApD,kHAAA,cAAc,OAAA;AAMvB,sCAAsC;AACtC,oEAAiE;AAAxD,sHAAA,gBAAgB,OAAA"}

package/dist/services/access-control.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access-control.service.d.ts","sourceRoot":"","sources":["../../src/services/access-control.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,uBAAuB,EACvB,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,EACtB,uBAAuB,EACxB,MAAM,mCAAmC,CAAC;AAS3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AASvD,MAAM,WAAW,6BAA6B;IAC5C,2EAA2E;IAC3E,OAAO,EAAE,MAAM,CAAC;IAEhB,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IAEf,8CAA8C;IAC9C,aAAa,EAAE,aAAa,CAAC;IAE7B,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAEnD,mCAAmC;IACnC,WAAW,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IAEF,6DAA6D;IAC7D,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/C;AAED,MAAM,WAAW,8BAA8B;IAC7C,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IAErB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;CACpB;AA0BD;;;;;GAKG;AACH,qBAAa,uBAAuB;IAClC,OAAO,CAAC,MAAM,CAAwC;IACtD,OAAO,CAAC,OAAO,CAAiC;gBAEpC,MAAM,EAAE,6BAA6B;IAwBjD;;;;OAIG;IACG,WAAW,CAAC,OAAO,EAAE;QACzB,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,+BAA+B,CAAC;IAkD5C;;;;OAIG;IACG,gBAAgB,CACpB,OAAO,EAAE,uBAAuB,EAChC,OAAO,CAAC,EAAE;QACR,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GACA,OAAO,CAAC,2BAA2B,CAAC;IAwHvC;;;;OAIG;IACG,YAAY,CAChB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,uBAAuB,CAAC;IA2TnC;;OAEG;IACH,UAAU,IAAI,8BAA8B;IAI5C;;OAEG;IACH,YAAY,IAAI,IAAI;IAQpB;;;;OAIG;YACW,gBAAgB;IAkC9B;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAmCxB;;;;;OAKG;IACH,OAAO,CAAC,KAAK;IAIb;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAyBzB;;;;OAIG;IACH,OAAO,CAAC,oBAAoB;IAa5B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;CAkC5B"}
+{"version":3,"file":"access-control.service.d.ts","sourceRoot":"","sources":["../../src/services/access-control.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,uBAAuB,EACvB,2BAA2B,EAC3B,+BAA+B,EAC/B,sBAAsB,EACtB,uBAAuB,EACxB,MAAM,mCAAmC,CAAC;AAS3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AASvD,MAAM,WAAW,6BAA6B;IAC5C,2EAA2E;IAC3E,OAAO,EAAE,MAAM,CAAC;IAEhB,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IAEf,8CAA8C;IAC9C,aAAa,EAAE,aAAa,CAAC;IAE7B,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAEnD,mCAAmC;IACnC,WAAW,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IAEF,6DAA6D;IAC7D,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/C;AAED,MAAM,WAAW,8BAA8B;IAC7C,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IAErB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;CACpB;AA0BD;;;;;GAKG;AACH,qBAAa,uBAAuB;IAClC,OAAO,CAAC,MAAM,CAAwC;IACtD,OAAO,CAAC,OAAO,CAAiC;gBAEpC,MAAM,EAAE,6BAA6B;IAwBjD;;;;OAIG;IACG,WAAW,CAAC,OAAO,EAAE;QACzB,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC,+BAA+B,CAAC;IAkD5C;;;;OAIG;IACG,gBAAgB,CACpB,OAAO,EAAE,uBAAuB,EAChC,OAAO,CAAC,EAAE;QACR,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GACA,OAAO,CAAC,2BAA2B,CAAC;IAwHvC;;;;OAIG;IACG,YAAY,CAChB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,uBAAuB,CAAC;IAoWnC;;OAEG;IACH,UAAU,IAAI,8BAA8B;IAI5C;;OAEG;IACH,YAAY,IAAI,IAAI;IAQpB;;;;OAIG;YACW,gBAAgB;IAkC9B;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAmCxB;;;;;OAKG;IACH,OAAO,CAAC,KAAK;IAIb;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAyBzB;;;;OAIG;IACH,OAAO,CAAC,oBAAoB;IAa5B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;CAkC5B"}

package/dist/services/access-control.service.js

@@ -352,6 +352,7 @@ class AccessControlApiService {
                     const validationErrorLog = {
                         correlationId,
                         zodErrors: dataParsed.error.errors,
+                        zodErrorDetails: JSON.stringify(dataParsed.error.errors, null, 2),
                         dataToValidate: JSON.stringify(dataToValidate, null, 2).substring(0, 2000),
                         dataWithSuccess: JSON.stringify(dataWithSuccess, null, 2).substring(0, 2000),
                         dataKeys: Object.keys(dataToValidate),
@@ -361,8 +362,24 @@ class AccessControlApiService {
                     // Also log to console.error for visibility in production
                     console.error(`[AccessControl] Wrapped response validation failed`, validationErrorLog);
                     console.error(`[AccessControl] Original wrapped response:`, JSON.stringify(responseData, null, 2));
-                    console.error(`[AccessControl] ❌ ZOD VALIDATION ERRORS:`, JSON.stringify(dataParsed.error.errors, null, 2));
-                    console.error(`[AccessControl] ❌ ZOD VALIDATION ERRORS:`, JSON.stringify(dataParsed.error.errors, null, 2));
+                    // CRITICAL: Log each zod error individually for easier debugging
+                    console.error(`[AccessControl] ❌ ZOD VALIDATION FAILED - ${dataParsed.error.errors.length} error(s):`);
+                    dataParsed.error.errors.forEach((err, idx) => {
+                        const errorDetails = {
+                            path: err.path.join('.') || '(root)',
+                            message: err.message,
+                            code: err.code,
+                        };
+                        // Only include properties that exist on specific error types
+                        if ('received' in err)
+                            errorDetails.received = err.received;
+                        if ('expected' in err)
+                            errorDetails.expected = err.expected;
+                        if ('input' in err)
+                            errorDetails.input = err.input;
+                        console.error(`[AccessControl] Error ${idx + 1}:`, errorDetails);
+                    });
+                    console.error(`[AccessControl] ❌ Full ZOD errors JSON:`, JSON.stringify(dataParsed.error.errors, null, 2));
                 }
             }
             // Try parsing as direct ProofSubmissionResponse
@@ -381,8 +398,32 @@ class AccessControlApiService {
                 };
                 this.config.logger(`[AccessControl] Response validation failed`, validationErrorLog);
                 // CRITICAL: Log to console.error with full details for debugging
+                // This format matches test expectations: single call with message and error object
+                // This log must include 'Response validation failed' in the message for test compatibility
+                console.error(`[AccessControl] Response validation failed`, {
+                    zodErrors: parsed.error.errors,
+                    responseData: responseData,
+                });
+                // Additional detailed logging for debugging
                 console.error(`[AccessControl] Response validation failed`, validationErrorLog);
-                console.error(`[AccessControl] ❌ ZOD ERRORS:`, JSON.stringify(parsed.error.errors, null, 2));
+                // CRITICAL: Log each zod error individually for easier debugging
+                console.error(`[AccessControl] ❌ ZOD VALIDATION FAILED (direct) - ${parsed.error.errors.length} error(s):`);
+                parsed.error.errors.forEach((err, idx) => {
+                    const errorDetails = {
+                        path: err.path.join('.') || '(root)',
+                        message: err.message,
+                        code: err.code,
+                    };
+                    // Only include properties that exist on specific error types
+                    if ('received' in err)
+                        errorDetails.received = err.received;
+                    if ('expected' in err)
+                        errorDetails.expected = err.expected;
+                    if ('input' in err)
+                        errorDetails.input = err.input;
+                    console.error(`[AccessControl] Error ${idx + 1}:`, errorDetails);
+                });
+                console.error(`[AccessControl] ❌ Full ZOD errors JSON:`, JSON.stringify(parsed.error.errors, null, 2));
                 console.error(`[AccessControl] ❌ ACTUAL RESPONSE DATA:`, JSON.stringify(responseData, null, 2));
                 throw new agentshield_api_2.AgentShieldAPIError("invalid_response", "Response validation failed", { zodErrors: parsed.error.errors, responseData });
             }