npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.6 → 1.3.0-canary.clientinfo.20251126003544 - Mend

@kya-os/mcp-i-core 1.2.3-canary.6 → 1.3.0-canary.clientinfo.20251126003544

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4239 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +24 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +43 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/index.d.ts +2 -0
package/dist/services/index.d.ts.map +1 -1
package/dist/services/index.js +4 -1
package/dist/services/index.js.map +1 -1
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/session-registration.service.d.ts +80 -0
package/dist/services/session-registration.service.d.ts.map +1 -0
package/dist/services/session-registration.service.js +172 -0
package/dist/services/session-registration.service.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +271 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +18 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/session-registration.service.ts +251 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/OPUS-plan.md ADDED Viewed

@@ -0,0 +1,352 @@
+# Phase 4 Master Plan: User DID & Identity Linking for MCP-I
+**Document Version:** 2.0 (Polished)
+**Date:** November 2024
+**Status:** Ready for Implementation
+**Impact:** Game-Changing Identity Foundation
+## Executive Summary
+This master plan addresses the critical gap in the MCP-I implementation: persistent user identity. Currently, User DIDs are ephemeral, OAuth integration is disconnected, and delegation creation doesn't follow the MCP-I specification. This plan provides a comprehensive solution that will establish persistent user identity through OAuth linking while maintaining full MCP-I spec compliance.
+**Key Innovation:** By linking OAuth identities to persistent User DIDs, we enable true session continuity while preserving the decentralized, cryptographically verifiable nature of the MCP-I identity model.
+## Critical Architecture Insights
+### The Three-DID Model (Clarified)
+Based on comprehensive analysis, the MCP-I architecture requires tracking three distinct DIDs:
+1. **User DID** (`issuerDid`): The human who grants permissions
+   - Currently ephemeral `did:key:z6MkUser...`
+   - Phase 4 makes persistent via OAuth linking
+   - Used as `issuerDid` in delegations
+2. **Agent DID** (`subjectDid`): The AI/software receiving permissions
+   - Examples: `did:key:z6MkClaude...` (Claude Desktop)
+   - Used as `subjectDid` in delegations
+   - Captured during MCP-I handshake
+3. **Server DID** (`serverDid`): The MCP-I server/bouncer
+   - Example: `did:web:service-x-bouncer`
+   - Provides services and validates delegations
+   - Can also act as an agent when calling upstream services
+### OAuth Integration Architecture
+The AgentShield dashboard already provides OAuth provider configuration:
+- Database: `bouncer_configs` table with OAuth fields
+- UI: `/dashboard/bouncer/config/[projectId]/page.tsx`
+- Current Limitation: Project-level OAuth (not tool-specific)
+### Cross-Agent Delegation Validation
+The bouncer architecture supports validating delegations from ANY agent:
+- Local agents (Claude Desktop)
+- External SaaS agents (`did:web:agent:saavvy-shopping-mcp`)
+- Other bouncers acting as agents
+- Validation via centralized AgentShield database
+## Implementation Plan (Refined)
+### Part A: Fix Core Delegation Flow (Critical - 2 days)
+**Problem:** API schema mismatch causing delegation creation failures.
+**Solution:**
+```typescript
+// Before (BROKEN):
+const delegationRequest = {
+  agent_did: request.agent_did,
+  scopes: request.scopes,
+  expires_in_days: expiresInDays,
+};
+// After (FIXED):
+const userDid = await this.getUserDidForSession(request.session_id);
+const delegationRecord: DelegationRecord = {
+  id: generateDelegationId(),
+  issuerDid: userDid,                    // User who grants
+  subjectDid: request.agent_did,        // Agent who receives
+  vcId: generateVcId(),
+  constraints: {
+    scopes: request.scopes,
+    notAfter: calculateExpiry(expiresInDays),
+  },
+  signature: await this.signDelegation(...),
+  status: 'active',
+  createdAt: Date.now(),
+};
+const delegationRequest = {
+  delegation: delegationRecord  // Full record as expected by API
+};
+```
+### Part B: OAuth Identity Linking (Priority - 3 days)
+**Innovation:** Link OAuth identities to persistent User DIDs.
+```typescript
+// OAuth callback handler enhancement
+async handleOAuthCallback(request: Request): Promise<Response> {
+  const { provider, userInfo } = await this.validateOAuthCallback(request);
+  // Create persistent User DID linked to OAuth identity
+  const userDid = await this.linkOAuthToUserDid(provider, userInfo.sub);
+  // Store mapping for future retrieval
+  await this.identityStorage.set(
+    `oauth:${provider}:${userInfo.sub}`,
+    {
+      userDid,
+      email: userInfo.email,
+      linkedAt: new Date().toISOString(),
+    },
+    { expirationTtl: 90 * 24 * 60 * 60 } // 90 days
+  );
+  return new Response(null, {
+    status: 302,
+    headers: {
+      'Location': '/consent',
+      'Set-Cookie': `user_did=${userDid}; HttpOnly; Secure; SameSite=Strict`
+    }
+  });
+}
+```
+### Part C: Multi-Tenant Storage Fix (1 day)
+**Problem:** User delegations overwrite each other.
+**Solution:** User+Agent scoped storage keys.
+```typescript
+// Storage key structure
+const keys = {
+  primary: `delegation:user:${userDid}:agent:${agentDid}`,
+  session: `delegation:session:${sessionId}`,
+  agent: `delegation:agent:${agentDid}:users` // List of users
+};
+```
+### Part D: Identity Mode Configuration (2 days)
+**Innovation:** Support different deployment scenarios.
+```typescript
+export enum IdentityMode {
+  EPHEMERAL = 'ephemeral',   // Dev/test: New DID per session
+  PERSISTENT = 'persistent',  // Production: OAuth required
+  HYBRID = 'hybrid'          // Flexible: OAuth optional
+}
+// Mode-based behavior
+switch (config.identityMode) {
+  case IdentityMode.EPHEMERAL:
+    return generateEphemeralDid();
+  case IdentityMode.PERSISTENT:
+    if (!oauthIdentity) throw new Error('OAuth required');
+    return getOrCreatePersistentDid(oauthIdentity);
+  case IdentityMode.HYBRID:
+    return oauthIdentity
+      ? getOrCreatePersistentDid(oauthIdentity)
+      : generateEphemeralDid();
+}
+```
+### Part E: Security & Privacy (2 days)
+**GDPR Compliance & Security:**
+```typescript
+class PrivacyService {
+  async handleRequest(request: PrivacyRequest) {
+    switch (request.type) {
+      case 'export':
+        return this.exportUserData(request.userDid);
+      case 'delete':
+        return this.deleteAllUserData(request.userDid);
+      case 'opt-out':
+        return this.switchToEphemeral(request.userDid);
+    }
+  }
+}
+```
+### Part F: Enhanced Handshake (1 day)
+**Proper DID Exchange:**
+```typescript
+async handleHandshake(request: HandshakeRequest) {
+  const identity = await this.getIdentity();
+  const userDid = await this.userDidManager.getOrCreateUserDid(sessionId);
+  const session = {
+    id: sessionId,
+    userDid,                    // Human user DID
+    agentDid: request.agentDid, // AI agent DID
+    serverDid: identity.did,    // Server/bouncer DID
+    createdAt: Date.now(),
+  };
+  return {
+    sessionId,
+    serverDid: identity.did,
+    userDid,  // Include for transparency
+    capabilities: ['identity', 'proof', 'delegation'],
+  };
+}
+```
+## Architecture Validation
+### Scenario 1: Claude Desktop → Service X
+```
+1. Claude Desktop (agentDid) → Handshake → service-x-bouncer (serverDid)
+2. Tool call requires delegation
+3. OAuth flow → User authenticates with GitHub
+4. User DID created/retrieved: did:key:z6MkUserPersistent
+5. Delegation: User (issuerDid) → Claude (subjectDid)
+6. Future sessions: Same User DID via GitHub identity
+```
+### Scenario 2: SaaS Agent → Service X
+```
+1. saavvy-shopping-mcp (agentDid) → Handshake → service-x-bouncer
+2. Delegation validation via AgentShield API
+3. Cross-agent delegation works seamlessly
+```
+### Scenario 3: Chained Delegations (Future)
+```
+1. User → Shopping Assistant (local MCP)
+2. Shopping Assistant → Service X (delegation chain)
+3. Memory graph storage tracks relationships
+```
+## Success Metrics
+### Technical Metrics
+- ✅ User DIDs persist across sessions via OAuth
+- ✅ Delegations include proper `issuerDid` and `subjectDid`
+- ✅ API schema matches AgentShield expectations
+- ✅ Multi-tenant conflicts resolved
+- ✅ <100ms overhead for DID operations
+- ✅ 95% test coverage for new code
+### Business Impact
+- 🎯 Users authenticate once, delegations persist
+- 🎯 True "Know Your User" capability
+- 🎯 Foundation for reputation systems
+- 🎯 GDPR compliant with privacy controls
+- 🎯 Enterprise-ready identity management
+## Risk Mitigation
+### Risk: Performance Impact
+- **Mitigation:** Aggressive caching, async operations
+- **Monitoring:** Track p95 latency for DID operations
+### Risk: Privacy Concerns
+- **Mitigation:** Clear consent, data deletion API, identity modes
+- **Compliance:** GDPR audit before launch
+### Risk: OAuth Provider Downtime
+- **Mitigation:** Multi-provider support, graceful fallback
+- **Monitoring:** Provider health checks
+## Timeline
+### Week 1: Foundation (5 days)
+- Days 1-2: Part A - Fix delegation API
+- Days 3-5: Part B - OAuth integration (partial)
+### Week 2: Core Identity (5 days)
+- Days 6-7: Part B - Complete OAuth linking
+- Day 8: Part C - Storage fixes
+- Days 9-10: Part D - Identity modes
+### Week 3: Enhancement (4 days)
+- Days 11-12: Part E - Security/privacy
+- Day 13: Part F - Enhanced handshake
+- Day 14: Integration testing
+**Total: 14 working days**
+## Testing Strategy
+### Unit Tests
+```typescript
+describe('OAuth Identity Linking', () => {
+  it('creates persistent User DID for new OAuth identity');
+  it('retrieves same User DID for returning OAuth user');
+  it('handles multiple OAuth providers per user');
+  it('respects identity mode configuration');
+});
+```
+### Integration Tests
+- Full OAuth → Consent → Delegation flow
+- Multi-user, multi-agent scenarios
+- Cross-session persistence validation
+### E2E Tests
+- User journey: Login → Approve → Return next day
+- Privacy: Request data export/deletion
+- Security: Token expiration, revocation
+## Why This Plan Is Game-Changing
+### 1. **True Persistent Identity**
+Unlike current ephemeral DIDs, users maintain identity across sessions, enabling:
+- Reputation building
+- Audit trails
+- Compliance tracking
+### 2. **OAuth Bridge to Decentralized Identity**
+Leverages familiar OAuth while establishing decentralized DIDs:
+- Easy user onboarding
+- Enterprise integration ready
+- Progressive decentralization path
+### 3. **Multi-Agent Ecosystem Ready**
+Supports complex delegation scenarios:
+- Agent-to-agent delegations
+- Service composition
+- Delegation chains
+### 4. **Privacy-First Architecture**
+Users control their identity:
+- Choose persistence level
+- Delete data anytime
+- Switch modes dynamically
+### 5. **MCP-I Spec Compliance**
+Full alignment with spec while solving real-world needs:
+- Proper issuer/subject model
+- W3C VC compatibility
+- CRISP constraints support
+## Comparison with V3 Plan
+### Dependencies Identified
+1. V3 Scaffolder Refactor MUST complete first
+2. Consent service creation can merge with Part A fixes
+3. Security work can parallelize
+### Unified Approach
+- Phase 4 provides detailed implementation for V3's Phase 1
+- Total timeline: 3 weeks with parallel work
+- Clear execution order established
+## Conclusion
+This Phase 4 plan transforms the MCP-I implementation from a proof-of-concept to a production-ready identity system. By establishing persistent User DIDs through OAuth linking, we create a foundation for trust, reputation, and compliance in the AI agent ecosystem.
+The plan addresses all critical issues identified during review, provides clear implementation steps, and maintains full MCP-I specification compliance while solving real-world identity persistence needs.
+**This is not just an implementation plan—it's the blueprint for the future of verifiable AI agent identity.**