npm - @kya-os/mcp-i-core - Versions diffs - 1.2.2-canary.25 → 1.2.2-canary.26 - Mend

@kya-os/mcp-i-core 1.2.2-canary.25 → 1.2.2-canary.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +3756 -0
package/.turbo/turbo-test.log +2398 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +20 -64
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +877 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +798 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/.turbo/turbo-test.log ADDED Viewed

@@ -0,0 +1,2398 @@
+> @kya-os/mcp-i-core@1.2.2-canary.24 test /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
+> vitest run
+▲ [WARNING] The condition "types" here will never be used as it comes after both "import" and "require" [package.json]
+    package.json:32:6:
+      32 │       "types": "./dist/utils/did-helpers.d.ts"
+         ╵       ~~~~~~~
+  The "import" condition comes earlier and will be used for all "import" statements:
+    package.json:31:6:
+      31 │       "import": "./dist/utils/did-helpers.js",
+         ╵       ~~~~~~~~
+  The "require" condition comes earlier and will be used for all "require" calls:
+    package.json:30:6:
+      30 │       "require": "./dist/utils/did-helpers.js",
+         ╵       ~~~~~~~~~
+ RUN  v4.0.5 /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use X-API-Key header for new endpoint
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.411Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use Authorization Bearer header for old endpoint
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.414Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.415Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.415Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'project/with/special-chars',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.416Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.416Z'
+}
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.416Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.416Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.416Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.417Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle camelCase field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.417Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should prefer camelCase over snake_case when both present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.417Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.419Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-11-22T06:55:55.419Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'phase1_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.420Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.425Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.425Z'
+}
+stderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_snake_case' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.425Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.426Z'
+}
+ ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 8ms
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'c15ae448-52f1-4753-93d6-1f0d60c8fa0b',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'c15ae448-52f1-4753-93d6-1f0d60c8fa0b',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+ ✓ src/services/__tests__/storage.service.test.ts (17 tests) 16ms
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '3e395c63-242a-4f2a-abf1-9986bab09084',
+  status: 400,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 209,
+  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
+  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '3e395c63-242a-4f2a-abf1-9986bab09084',
+  status: 400,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'error' ],
+  responseData: '{\n' +
+    '  "success": false,\n' +
+    '  "error": {\n' +
+    '    "code": "all_proofs_rejected",\n' +
+    '    "message": "All proofs rejected",\n' +
+    '    "details": {\n' +
+    '      "rejected": 1,\n' +
+    '      "errors": [\n' +
+    '        {\n' +
+    '          "proof_index": 0,\n' +
+    '          "error": {\n' +
+    '            "code": "invalid_signature",\n' +
+    '            "message": "Invalid signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      ]\n' +
+    '    }\n' +
+    '  }\n' +
+    '}'
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '763cbfba-61ff-4bad-8d57-93789f897191',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 206,
+  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-22T06:55:54.452Z"}}',
+  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-22T06:55:54.452Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '763cbfba-61ff-4bad-8d57-93789f897191',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "success": true,\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-22T06:55:54.452Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "success": true,
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-22T06:55:54.452Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE: {
+  correlationId: '763cbfba-61ff-4bad-8d57-93789f897191',
+  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  rejectedType: 'number',
+  outcomesType: 'object',
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '83067c19-4a75-4487-8c41-84154a231b4a',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 42,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '83067c19-4a75-4487-8c41-84154a231b4a',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '04630779-2ff2-4a2d-956c-324823bc9fbc',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '04630779-2ff2-4a2d-956c-324823bc9fbc',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '3dc1bfbc-39a0-41f7-82d3-c87e0093ab55',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 56,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '3dc1bfbc-39a0-41f7-82d3-c87e0093ab55',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {}
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'c8ced6df-58ca-44ec-b9db-c3973e9d7505',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 52,
+  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
+  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'c8ced6df-58ca-44ec-b9db-c3973e9d7505',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data' ],
+  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE: {
+  correlationId: 'c8ced6df-58ca-44ec-b9db-c3973e9d7505',
+  dataKeys: [ 'message' ],
+  hasAccepted: false,
+  hasRejected: false,
+  hasOutcomes: false,
+  hasErrors: false,
+  acceptedType: 'undefined',
+  rejectedType: 'undefined',
+  outcomesType: 'undefined',
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n  "message": "Invalid format"\n}'
+}
+[AccessControl] Wrapped response validation failed {
+  correlationId: 'c8ced6df-58ca-44ec-b9db-c3973e9d7505',
+  zodErrors: [
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    },
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    }
+  ],
+  zodErrorDetails: '[\n' +
+    '  {\n' +
+    '    "code": "invalid_type",\n' +
+    '    "expected": "number",\n' +
+    '    "received": "undefined",\n' +
+    '    "path": [\n' +
+    '      "accepted"\n' +
+    '    ],\n' +
+    '    "message": "Required"\n' +
+    '  },\n' +
+    '  {\n' +
+    '    "code": "invalid_type",\n' +
+    '    "expected": "number",\n' +
+    '    "received": "undefined",\n' +
+    '    "path": [\n' +
+    '      "rejected"\n' +
+    '    ],\n' +
+    '    "message": "Required"\n' +
+    '  }\n' +
+    ']',
+  dataToValidate: '{\n  "message": "Invalid format"\n}',
+  dataWithSuccess: '{\n  "message": "Invalid format",\n  "success": true\n}',
+  dataKeys: [ 'message' ],
+  originalResponse: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+[AccessControl] Original wrapped response: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+[AccessControl] ❌ ZOD VALIDATION FAILED - 2 error(s):
+[AccessControl] Error 1: {
+  path: 'accepted',
+  message: 'Required',
+  code: 'invalid_type',
+  received: 'undefined',
+  expected: 'number'
+}
+[AccessControl] Error 2: {
+  path: 'rejected',
+  message: 'Required',
+  code: 'invalid_type',
+  received: 'undefined',
+  expected: 'number'
+}
+[AccessControl] ❌ Full ZOD errors JSON: [
+  {
+    "code": "invalid_type",
+    "expected": "number",
+    "received": "undefined",
+    "path": [
+      "accepted"
+    ],
+    "message": "Required"
+  },
+  {
+    "code": "invalid_type",
+    "expected": "number",
+    "received": "undefined",
+    "path": [
+      "rejected"
+    ],
+    "message": "Required"
+  }
+]
+[AccessControl] Response validation failed {
+  zodErrors: [
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    },
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    }
+  ],
+  responseData: { success: true, data: { message: 'Invalid format' } }
+}
+[AccessControl] Response validation failed {
+  correlationId: 'c8ced6df-58ca-44ec-b9db-c3973e9d7505',
+  zodErrors: [
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    },
+    {
+      code: 'invalid_type',
+      expected: 'number',
+      received: 'undefined',
+      path: [Array],
+      message: 'Required'
+    }
+  ],
+  zodErrorDetails: '[\n' +
+    '  {\n' +
+    '    "code": "invalid_type",\n' +
+    '    "expected": "number",\n' +
+    '    "received": "undefined",\n' +
+    '    "path": [\n' +
+    '      "accepted"\n' +
+    '    ],\n' +
+    '    "message": "Required"\n' +
+    '  },\n' +
+    '  {\n' +
+    '    "code": "invalid_type",\n' +
+    '    "expected": "number",\n' +
+    '    "received": "undefined",\n' +
+    '    "path": [\n' +
+    '      "rejected"\n' +
+    '    ],\n' +
+    '    "message": "Required"\n' +
+    '  }\n' +
+    ']',
+  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}',
+  responseDataType: 'object',
+  responseKeys: [ 'success', 'data' ],
+  httpStatus: 200,
+  httpStatusText: ''
+}
+[AccessControl] ❌ ZOD VALIDATION FAILED (direct) - 2 error(s):
+[AccessControl] Error 1: {
+  path: 'accepted',
+  message: 'Required',
+  code: 'invalid_type',
+  received: 'undefined',
+  expected: 'number'
+}
+[AccessControl] Error 2: {
+  path: 'rejected',
+  message: 'Required',
+  code: 'invalid_type',
+  received: 'undefined',
+  expected: 'number'
+}
+[AccessControl] ❌ Full ZOD errors JSON: [
+  {
+    "code": "invalid_type",
+    "expected": "number",
+    "received": "undefined",
+    "path": [
+      "accepted"
+    ],
+    "message": "Required"
+  },
+  {
+    "code": "invalid_type",
+    "expected": "number",
+    "received": "undefined",
+    "path": [
+      "rejected"
+    ],
+    "message": "Required"
+  }
+]
+[AccessControl] ❌ ACTUAL RESPONSE DATA: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+ ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 40ms
+ ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 29ms
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
+[MCP-I] Checking tool protection: {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgrpp_mi9xqkbt',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_hkgrpp_mi9xqkbt'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: false,
+  hasConsentProof: true,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] ❌ Delegation verification FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Delegation token expired',
+  errorCode: undefined,
+  errorMessage: undefined,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] ❌ Delegation verification FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Insufficient scopes',
+  errorCode: undefined,
+  errorMessage: undefined,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] ❌ Delegation verification error (API failure) {
+  tool: 'protectedTool',
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+  agentDid: 'did:key:zmock123...',
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
+[MCP-I] Checking tool protection: {
+  errorCode: 'network_error',
+  tool: 'protectedTool',
+  errorMessage: 'API unavailable',
+  agentDid: 'did:key:zmock123...',
+  errorDetails: {}
+  hasDelegation: true
+}
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  tool: 'protectedTool',
+  hasDelegation: true
+}
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+}
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] Checking tool protection: {
+[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  tool: 'protectedTool',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  agentDid: 'did:key:zmock123...',
+  delegationUserIdentifier: 'did:key:zUserB987654...',
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  sessionUserDid: 'did:key:zUserA123456...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+  sessionId: 'session123...',
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] ✅ User identifier validation PASSED {
+  tool: 'protectedTool',
+  reason: 'user_identifier_mismatch',
+  agentDid: 'did:key:zmock123...',
+  severity: 'high'
+}
+  userDid: 'did:key:zUserA123456...',
+  sessionId: 'session123...'
+}
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationUserIdentifier: 'did:key:zUserA123456...',
+  sessionId: 'session123...'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
+[MCP-I] Checking tool protection: {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '310c7df3-f656-4845-9d96-a3d1dde07c85',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '310c7df3-f656-4845-9d96-a3d1dde07c85',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '320c0345-efcf-4339-832f-41a67055e5e2',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 200,
+  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
+  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '320c0345-efcf-4339-832f-41a67055e5e2',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 1,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "invalid_signature",\n' +
+    '        "message": "Invalid JWS signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 0,
+  "rejected": 1,
+  "outcomes": {
+    "success": 0,
+    "failed": 1,
+    "blocked": 0,
+    "error": 0
+  },
+  "errors": [
+    {
+      "proof_index": 0,
+      "error": {
+        "code": "invalid_signature",
+        "message": "Invalid JWS signature"
+      }
+    }
+  ]
+}
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
+[CryptoService] Key ID mismatch
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should allow unprotected tool calls
+[ToolProtectionService] Config loaded from API {
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
+  source: 'api',
+  toolCount: 1,
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  protectedTools: [],
+  tool: 'protectedTool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.479Z'
+  resumeToken: 'resume_hkgr0q_mi9xqkc0',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_hkgr0q_mi9xqkc0'
+}
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.480Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] Protection check {
+  tool: 'checkout',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'checkout' ]
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.480Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should cache tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.482Z'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgqz0_mi9xqkc2',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_hkgqz0_mi9xqkc2'
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write', 'files:read' ],
+  agentDid: 'did:key:zmock123...',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+  resumeToken: 'resume_hkgqz0_mi9xqkc2',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_hkgqz0_mi9xqkc2'
+}
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgqy5_mi9xqkc3',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_hkgqy5_mi9xqkc3'
+}
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  cacheKey: 'config:tool-protections:test-project'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
+[MCP-I] Checking tool protection: {
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+  requiredScopes: [ 'files:write' ],
+}
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgqy5_mi9xqkc3',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_hkgqy5_mi9xqkc3'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'protectedTool',
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  requiredScopes: [ 'files:write' ],
+  reason: 'Tool not configured to require delegation'
+}
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_1dqjpu_mi9xqkc3',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_1dqjpu_mi9xqkc3'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log blocked tool call when audit enabled
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+ ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 15ms
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should share cache across multiple service instances
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.484Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.484Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.484Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 3,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.485Z'
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Protection check {
+  tool: 'add_to_cart',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'search_products', 'add_to_cart', 'checkout' ]
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should handle tool protection service errors gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Concurrent operations > should handle concurrent cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.485Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.485Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.485Z'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgqvk_mi9xqkc6',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_hkgqvk_mi9xqkc6'
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+[MCP-I] Checking tool protection: {
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+  tool: 'protectedTool',
+  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
+}
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_hkgqvk_mi9xqkc6',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_hkgqvk_mi9xqkc6'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_4ieqgu_mi9xqkc6',
+  hasDelegation: false
+}
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_4ieqgu_mi9xqkc6'
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
+[MCP-I] Checking tool protection: {
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+ ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 21ms
+ ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 21ms
+ ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 77ms
+ ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 32ms
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+ ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 77ms
+ ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 161ms
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully
+[UserDidManager] Storage.get failed, generating new DID: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:187:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.set errors gracefully
+[UserDidManager] Storage.set failed, continuing with cached DID: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:196:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.delete errors gracefully
+[UserDidManager] Storage.delete failed, continuing: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:70
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+ ✓ src/__tests__/identity/user-did-manager.test.ts (17 tests) 10ms
+ ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 122ms
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should fetch from project-scoped endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.600Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should handle new endpoint format with toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.602Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should parse oauthProvider from new endpoint format (Phase 2)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.602Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should preserve oauthProvider through cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.602Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.603Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.603Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.603Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.603Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.603Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Cache miss, fetching from API {
+  source: 'api-fetch-start',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  apiUrl: 'https://kya.vouched.id',
+  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
+  method: 'config?agent_did (old)',
+  projectId: 'none',
+  apiKeyPresent: true,
+  apiKeyLength: 18,
+  apiKeyMasked: 'test-api...'
+}
+ ✓ src/__tests__/runtime/base.test.ts (55 tests) 14ms
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] API response received {
+  source: 'api-fetch-complete',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  responseKeys: [ 'success', 'data', 'metadata' ],
+  dataKeys: [ 'tools' ],
+  rawToolProtections: null,
+  rawTools: [
+    { name: 'valid_tool', requiresDelegation: true },
+    { requiresDelegation: false }
+  ],
+  responseMetadata: {}
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'valid_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.604Z'
+}
+[ToolProtectionService] API fetch successful, config cached {
+  source: 'cache-write',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  toolCount: 1,
+  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
+  ttlMs: 300000,
+  ttlMinutes: 5,
+  expiresAt: '2025-11-22T07:00:54.604Z',
+  expiresIn: '300s'
+}
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'ECONNREFUSED',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.610Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.610Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 600000,
+  cacheExpiresAt: '2025-11-22T07:05:54.611Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.611Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.611Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.612Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.613Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'other_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.613Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: false,
+  isWildcard: true,
+  requiresDelegation: false,
+  availableTools: [ 'other_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.614Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*', 'specific_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should prioritize specific tool protection over wildcard
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.614Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] Protection check {
+  tool: 'any_tool',
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*' ]
+}
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.614Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Protection check {
+  tool: 'protected_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'protected_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.615Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.615Z'
+}
+ ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 21ms
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
+[CryptoService] Ed25519 verification error: Error: Verification failed
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token '', "" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
+[CryptoService] Unsupported algorithm: RS256, expected EdDSA
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
+[CryptoService] Unsupported algorithm: HS256, expected EdDSA
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
+ ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 5ms
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
+[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
+[CryptoService] Key ID mismatch
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
+[CryptoService] Unsupported algorithm: EdDSA, expected RS256
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
+[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
+    at CryptoService.jwkToBase64PublicKey (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+ ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 11ms
+stderr | src/services/__tests__/proof-verifier.test.ts > ProofVerifier Security > Signature Verification > should handle signature verification errors gracefully
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+ ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 15ms
+ ✓ src/__tests__/providers/memory.test.ts (34 tests) 13ms
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from camelCase field
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.666Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from snake_case field
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.671Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should prefer camelCase over snake_case when both present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.672Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should handle missing oauthProvider field (backward compatible)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.672Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with camelCase
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.672Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with snake_case
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should prefer camelCase over snake_case in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with camelCase
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with snake_case
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should prefer camelCase over snake_case in object format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Caching > should cache oauthProvider field correctly
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.673Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should include oauthProvider in returned ToolProtection objects when present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool_with_provider', 'tool_without_provider' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.674Z'
+}
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should handle empty string oauthProvider gracefully
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_empty_provider' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:54.674Z'
+}
+ ✓ src/__tests__/services/tool-protection-oauth-provider.test.ts (14 tests) 9ms
+ ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 9ms
+ ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 7ms
+ ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 4ms
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zeqxrq_Zh-Oegc6fQD_kt1M9ErLXRWDI6","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554785,"timestampFormatted":"2025-11-22T06:55:54.785Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"c530c14265ef07e0c752bc47783137c9","timestamp":1763794554785},"timestamp":1763794554785,"timestampFormatted":"2025-11-22T06:55:54.785Z"}
+ ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 7ms
+stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zxzn59vlikLFcjp4Ms1ky9NT58tfd_Nga","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554790,"timestampFormatted":"2025-11-22T06:55:54.790Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zCwsCghSNSMbm1LFk7gdrOt_2A4wnZKDX","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554790,"timestampFormatted":"2025-11-22T06:55:54.790Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:zCwsCghSNSMbm1LFk7gdrOt_2A4wnZKDX","newDid":"did:key:za1bflbxqV3z4fePIgP0pDA9sPJwT-c-2","timestamp":1763794554790},"timestamp":1763794554790,"timestampFormatted":"2025-11-22T06:55:54.790Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zMX2zYkeub9P4A0KJFcf2Ub6CkG5Zm7Qx","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554790,"timestampFormatted":"2025-11-22T06:55:54.790Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zJVjnn3r9EqEgOzvAdoqVWPqXoWwW6fb1","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554791,"timestampFormatted":"2025-11-22T06:55:54.791Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z8CR_h7UfAeM44qxgD7oaWnVXpThED5o2","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554791,"timestampFormatted":"2025-11-22T06:55:54.791Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zKEZjNv2uz55rsGbJ2-sGcSuqChtFX-tL","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554791,"timestampFormatted":"2025-11-22T06:55:54.791Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z833pBdL_6KZzuMEWAYx92Y1mpe9aQ7ef","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554791,"timestampFormatted":"2025-11-22T06:55:54.791Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zJDzMR3c5sqTz2BmfkXQNIpD9RhDLr5td","environment":"development","userDidGeneration":"disabled"},"timestamp":1763794554792,"timestampFormatted":"2025-11-22T06:55:54.792Z"}
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API request fails
+[RemoteConfig] API returned 404: Not Found
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle empty scopes array
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify gmail → google mapping works
+[ProviderResolver] Inferred provider "google" from scopes
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify calendar → google mapping works
+[ProviderResolver] Inferred provider "google" from scopes
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle ambiguous scopes (multiple providers inferred)
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify outlook → microsoft mapping works
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+[ProviderResolver] Inferred provider "microsoft" from scopes
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Provider name case sensitivity > should handle provider names case-insensitively in inference
+[ProviderResolver] Inferred provider "github" from scopes
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Multiple scopes with same provider > should handle multiple scopes from same provider
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle unknown scope prefixes
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+[ProviderResolver] Inferred provider "github" from scopes
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle scopes without colons
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle inferred provider not in registry
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "google" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Fallback behavior (Priority 3) > should use first configured provider when oauthProvider not specified
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API throws error
+ ✓ src/__tests__/integration.test.ts (9 tests) 8ms
+[RemoteConfig] Failed to fetch config: Error: Network error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if neither projectId nor agentDid provided
+[RemoteConfig] Neither projectId nor agentDid provided
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should handle cache read errors gracefully
+[RemoteConfig] Cache read failed: Error: Cache error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+ ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (19 tests | 1 skipped) 6ms
+ ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 5ms
+ ✓ src/__tests__/providers/base.test.ts (14 tests) 7ms
+ ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 3ms
+ ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 4ms
+ ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 8ms
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
+[ProviderResolver] Inferred provider "github" from scopes
+stderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should return null for ambiguous scopes
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
+[ProviderResolver] Inferred provider "google" from scopes
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+ ✓ src/services/__tests__/provider-resolver.test.ts (8 tests) 6ms
+stderr | src/services/__tests__/provider-resolution.integration.test.ts > Provider Resolution Integration > Backward compatibility > should work with Phase 1 tools (no oauthProvider field)
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+ ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 5ms
+ ✓ src/delegation/__tests__/utils.test.ts (28 tests) 3ms
+ ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 5ms
+ ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 2ms
+ ✓ src/utils/__tests__/did-helpers.test.ts (11 tests) 2ms
+ ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 2ms
+ ✓ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts (14 tests) 3ms
+ ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 1ms
+ ↓ src/__tests__/delegation-e2e.test.ts (14 tests | 14 skipped)
+ ✓ src/__tests__/index.test.ts (4 tests) 2ms
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-11-22T06:55:56.520Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 4,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:55.520Z'
+}
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
+[ToolProtectionService] API fetch failed, using fallback config {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:55.521Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:55.521Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-22T07:00:55.521Z'
+}
+ ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1112ms
+       ✓ should respect cache TTL  1101ms
+ Test Files  42 passed | 1 skipped (43)
+      Tests  864 passed | 16 skipped (880)
+   Start at  00:55:54
+   Duration  1.38s (transform 2.11s, setup 0ms, collect 3.19s, tests 1.92s, environment 3ms, prepare 321ms)