npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.6 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.6 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/__tests__/integration.test.ts ADDED Viewed

@@ -0,0 +1,281 @@
+/**
+ * Integration tests demonstrating full runtime usage
+ */
+import { describe, it, expect, beforeEach } from 'vitest';
+import { MCPIRuntimeBase } from '../runtime/base';
+import {
+  MemoryStorageProvider,
+  MemoryNonceCacheProvider,
+  MemoryIdentityProvider
+} from '../providers/memory';
+import { MockCryptoProvider, MockClockProvider, MockFetchProvider } from './utils/mock-providers';
+describe('Integration Tests', () => {
+  let runtime: MCPIRuntimeBase;
+  let cryptoProvider: MockCryptoProvider;
+  let clockProvider: MockClockProvider;
+  let fetchProvider: MockFetchProvider;
+  beforeEach(async () => {
+    // Set up providers
+    cryptoProvider = new MockCryptoProvider();
+    clockProvider = new MockClockProvider();
+    fetchProvider = new MockFetchProvider();
+    // Create runtime with real memory providers
+    runtime = new MCPIRuntimeBase({
+      cryptoProvider,
+      clockProvider,
+      fetchProvider,
+      storageProvider: new MemoryStorageProvider(),
+      nonceCacheProvider: new MemoryNonceCacheProvider(),
+      identityProvider: new MemoryIdentityProvider(cryptoProvider),
+      environment: 'development',
+      timestampSkewSeconds: 120,
+      sessionTtlMinutes: 30,
+      audit: {
+        enabled: true,
+        includePayloads: true
+      }
+    });
+    await runtime.initialize();
+  });
+  describe('Full handshake and tool execution flow', () => {
+    it('should complete full authentication and tool execution cycle', async () => {
+      // Step 1: Client initiates handshake
+      const handshakeRequest = {
+        clientDid: 'did:key:zclient789',
+        audience: 'https://app.example.com'
+      };
+      const handshakeResponse = await runtime.handleHandshake(handshakeRequest);
+      expect(handshakeResponse.sessionId).toBeDefined();
+      expect(handshakeResponse.agentDid).toMatch(/^did:key:z/);
+      expect(handshakeResponse.signature).toBeDefined();
+      expect(handshakeResponse.capabilities).toContain('identity');
+      // Step 2: Get session and issue nonce
+      const session = await runtime.getCurrentSession();
+      expect(session).toBeDefined();
+      const nonce = await runtime.issueNonce(session!.id);
+      session!.nonce = nonce;
+      // Step 3: Execute tool with session
+      const toolHandler = async (args: any) => {
+        return {
+          message: `Hello ${args.name}!`,
+          timestamp: Date.now()
+        };
+      };
+      const result = await runtime.processToolCall(
+        'greetingTool',
+        { name: 'Alice' },
+        toolHandler,
+        session
+      );
+      expect(result.message).toBe('Hello Alice!');
+      // Step 4: Verify proof was created
+      const proof = runtime.getLastProof();
+      expect(proof).toBeDefined();
+      expect(proof.nonce).toBe(nonce);
+      expect(proof.sessionId).toBe(session!.id);
+      expect(proof.audience).toBe('https://app.example.com');
+      // Step 5: Set up DID resolution for verification
+      const identity = await runtime.getIdentity();
+      fetchProvider.setDIDDocument(identity.did, {
+        '@context': ['https://www.w3.org/ns/did/v1'],
+        id: identity.did,
+        verificationMethod: [{
+          id: `${identity.did}#key-1`,
+          type: 'Ed25519VerificationKey2020',
+          controller: identity.did,
+          publicKeyBase64: identity.publicKey
+        }]
+      });
+      // Step 6: Clear nonce cache to simulate fresh verification
+      // In real-world usage, verification would happen on a different system
+      const nonceCacheProvider = (runtime as any).nonceCache as MemoryNonceCacheProvider;
+      await nonceCacheProvider.destroy();
+      // Step 7: Verify the proof
+      const isValid = await runtime.verifyProof(result, proof);
+      expect(isValid).toBe(true);
+    });
+  });
+  describe('Session expiry handling', () => {
+    it('should handle expired sessions correctly', async () => {
+      // Create session
+      await runtime.handleHandshake({
+        clientDid: 'did:key:zclient',
+        audience: 'https://app.example.com'
+      });
+      // Verify session exists
+      let session = await runtime.getCurrentSession();
+      expect(session).toBeDefined();
+      // Advance time past expiry
+      clockProvider.setTime(Date.now() + (31 * 60 * 1000));
+      // Session should now be expired
+      session = await runtime.getCurrentSession();
+      expect(session).toBeNull();
+    });
+  });
+  describe('Key rotation flow', () => {
+    it('should handle key rotation and maintain functionality', async () => {
+      // Get initial identity
+      const oldIdentity = await runtime.getIdentity();
+      expect(oldIdentity.did).toMatch(/^did:key:z/);
+      // Create session with old identity
+      const handshakeResponse = await runtime.handleHandshake({
+        clientDid: 'did:key:zclient',
+        audience: 'https://app.example.com'
+      });
+      expect(handshakeResponse.agentDid).toBe(oldIdentity.did);
+      // Rotate keys
+      const newIdentity = await runtime.rotateKeys();
+      expect(newIdentity.did).not.toBe(oldIdentity.did);
+      // New handshakes should use new identity
+      const newHandshakeResponse = await runtime.handleHandshake({
+        clientDid: 'did:key:zclient2',
+        audience: 'https://app2.example.com'
+      });
+      expect(newHandshakeResponse.agentDid).toBe(newIdentity.did);
+    });
+  });
+  describe('Well-known endpoints', () => {
+    it('should provide identity discovery endpoints', async () => {
+      const handler = runtime.createWellKnownHandler({
+        serviceName: 'Test MCP Service',
+        serviceEndpoint: 'https://mcp.example.com'
+      });
+      // Test DID document endpoint
+      const didDocResponse = await handler('/.well-known/did.json');
+      expect(didDocResponse).toBeDefined();
+      expect(didDocResponse.body).toBeDefined();
+      const didDoc = JSON.parse(didDocResponse.body);
+      expect(didDoc.id).toMatch(/^did:key:z/);
+      expect(didDoc.verificationMethod).toHaveLength(1);
+      expect(didDoc.verificationMethod[0].type).toBe('Ed25519VerificationKey2020');
+      // Test MCP identity endpoint
+      const mcpIdentity = await handler('/.well-known/mcp-identity');
+      expect(mcpIdentity).toBeDefined();
+      expect(mcpIdentity.did).toBe(didDoc.id);
+      expect(mcpIdentity.serviceName).toBe('Test MCP Service');
+      expect(mcpIdentity.serviceEndpoint).toBe('https://mcp.example.com');
+    });
+  });
+  describe('Nonce replay protection', () => {
+    it('should prevent nonce reuse', async () => {
+      // Create a proof with a specific nonce
+      const nonce = await runtime.issueNonce('session123');
+      const data = { test: 'data' };
+      const proof = await runtime.createProof(data, { nonce });
+      // First use of nonce should fail (already in cache from issueNonce)
+      const isValid = await runtime.verifyProof(data, proof);
+      expect(isValid).toBe(false);
+      // Create proof with fresh nonce
+      const freshProof = await runtime.createProof(data);
+      // Set up DID resolution
+      const identity = await runtime.getIdentity();
+      fetchProvider.setDIDDocument(identity.did, {
+        verificationMethod: [{
+          publicKeyBase64: identity.publicKey
+        }]
+      });
+      // Clear nonce cache to simulate fresh verification
+      const nonceCacheProvider = (runtime as any).nonceCache as MemoryNonceCacheProvider;
+      await nonceCacheProvider.destroy();
+      // Fresh nonce should verify successfully
+      const isValidFresh = await runtime.verifyProof(data, freshProof);
+      expect(isValidFresh).toBe(true);
+    });
+  });
+  describe('Error handling', () => {
+    it('should handle network errors gracefully', async () => {
+      // Set up fetch to fail
+      fetchProvider.resolveDID = async () => {
+        throw new Error('Network error');
+      };
+      const data = { test: 'data' };
+      const proof = await runtime.createProof(data);
+      // Verification should fail gracefully
+      const isValid = await runtime.verifyProof(data, proof);
+      expect(isValid).toBe(false);
+    });
+    it('should handle malformed DID documents', async () => {
+      const identity = await runtime.getIdentity();
+      // Set up malformed DID document
+      fetchProvider.setDIDDocument(identity.did, {
+        // Missing verificationMethod
+      });
+      const data = { test: 'data' };
+      const proof = await runtime.createProof(data);
+      // Should fail verification due to missing public key
+      const isValid = await runtime.verifyProof(data, proof);
+      expect(isValid).toBe(false);
+    });
+  });
+  describe('Debug endpoint', () => {
+    it('should provide debug information in development', async () => {
+      const debugEndpoint = runtime.createDebugEndpoint();
+      expect(debugEndpoint).toBeDefined();
+      const debugInfo = await debugEndpoint!();
+      expect(debugInfo).toBeDefined();
+      expect(debugInfo.identity).toBeDefined();
+      expect(debugInfo.identity.did).toMatch(/^did:key:z/);
+      expect(debugInfo.config.environment).toBe('development');
+      expect(debugInfo.timestamp).toBe(clockProvider.now());
+    });
+    it('should be disabled in production', () => {
+      const prodRuntime = new MCPIRuntimeBase({
+        cryptoProvider,
+        clockProvider,
+        fetchProvider,
+        storageProvider: new MemoryStorageProvider(),
+        nonceCacheProvider: new MemoryNonceCacheProvider(),
+        identityProvider: new MemoryIdentityProvider(cryptoProvider),
+        environment: 'production'
+      });
+      const debugEndpoint = prodRuntime.createDebugEndpoint();
+      expect(debugEndpoint).toBeNull();
+    });
+  });
+});

package/src/__tests__/providers/base.test.ts ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * Tests for Base Provider Classes
+ *
+ * These tests verify that the abstract base classes are properly defined
+ * and that implementations must provide all required methods.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  CryptoProvider,
+  ClockProvider,
+  FetchProvider,
+  StorageProvider,
+  NonceCacheProvider,
+  IdentityProvider
+} from '../../providers/base';
+describe('Base Provider Classes', () => {
+  describe('CryptoProvider', () => {
+    it('should be defined as a class', () => {
+      expect(CryptoProvider).toBeDefined();
+      expect(typeof CryptoProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      // TypeScript abstract methods don't exist at runtime
+      // They're enforced at compile-time, not runtime
+      class TestCrypto extends CryptoProvider {}
+      const instance = new TestCrypto();
+      // These methods are undefined because they're abstract
+      expect(instance.sign).toBeUndefined();
+      expect(instance.verify).toBeUndefined();
+      expect(instance.generateKeyPair).toBeUndefined();
+      expect(instance.hash).toBeUndefined();
+      expect(instance.randomBytes).toBeUndefined();
+    });
+    it('should work when properly implemented', async () => {
+      class TestCrypto extends CryptoProvider {
+        async sign(data: Uint8Array, privateKey: string): Promise<Uint8Array> {
+          return new Uint8Array([1, 2, 3]);
+        }
+        async verify(data: Uint8Array, signature: Uint8Array, publicKey: string): Promise<boolean> {
+          return true;
+        }
+        async generateKeyPair(): Promise<{ privateKey: string; publicKey: string }> {
+          return { privateKey: 'test-private', publicKey: 'test-public' };
+        }
+        async hash(data: Uint8Array): Promise<Uint8Array> {
+          return new Uint8Array([4, 5, 6]);
+        }
+        async randomBytes(length: number): Promise<Uint8Array> {
+          return new Uint8Array(length);
+        }
+      }
+      const instance = new TestCrypto();
+      expect(await instance.sign(new Uint8Array(), '')).toEqual(new Uint8Array([1, 2, 3]));
+      expect(await instance.verify(new Uint8Array(), new Uint8Array(), '')).toBe(true);
+      expect(await instance.generateKeyPair()).toEqual({ privateKey: 'test-private', publicKey: 'test-public' });
+      expect(await instance.hash(new Uint8Array())).toEqual(new Uint8Array([4, 5, 6]));
+      expect(await instance.randomBytes(5)).toHaveLength(5);
+    });
+  });
+  describe('ClockProvider', () => {
+    it('should be defined as a class', () => {
+      expect(ClockProvider).toBeDefined();
+      expect(typeof ClockProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      class TestClock extends ClockProvider {}
+      const instance = new TestClock();
+      expect(instance.now).toBeUndefined();
+      expect(instance.isWithinSkew).toBeUndefined();
+      expect(instance.hasExpired).toBeUndefined();
+      expect(instance.calculateExpiry).toBeUndefined();
+      expect(instance.format).toBeUndefined();
+    });
+  });
+  describe('FetchProvider', () => {
+    it('should be defined as a class', () => {
+      expect(FetchProvider).toBeDefined();
+      expect(typeof FetchProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      class TestFetch extends FetchProvider {}
+      const instance = new TestFetch();
+      expect(instance.resolveDID).toBeUndefined();
+      expect(instance.fetchStatusList).toBeUndefined();
+      expect(instance.fetchDelegationChain).toBeUndefined();
+      expect(instance.fetch).toBeUndefined();
+    });
+  });
+  describe('StorageProvider', () => {
+    it('should be defined as a class', () => {
+      expect(StorageProvider).toBeDefined();
+      expect(typeof StorageProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      class TestStorage extends StorageProvider {}
+      const instance = new TestStorage();
+      expect(instance.get).toBeUndefined();
+      expect(instance.set).toBeUndefined();
+      expect(instance.delete).toBeUndefined();
+      expect(instance.exists).toBeUndefined();
+      expect(instance.list).toBeUndefined();
+    });
+  });
+  describe('NonceCacheProvider', () => {
+    it('should be defined as a class', () => {
+      expect(NonceCacheProvider).toBeDefined();
+      expect(typeof NonceCacheProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      class TestNonceCache extends NonceCacheProvider {}
+      const instance = new TestNonceCache();
+      expect(instance.has).toBeUndefined();
+      expect(instance.add).toBeUndefined();
+      expect(instance.cleanup).toBeUndefined();
+      expect(instance.destroy).toBeUndefined();
+    });
+  });
+  describe('IdentityProvider', () => {
+    it('should be defined as a class', () => {
+      expect(IdentityProvider).toBeDefined();
+      expect(typeof IdentityProvider).toBe('function');
+    });
+    it('should require implementation of abstract methods', () => {
+      class TestIdentity extends IdentityProvider {}
+      const instance = new TestIdentity();
+      expect(instance.getIdentity).toBeUndefined();
+      expect(instance.saveIdentity).toBeUndefined();
+      expect(instance.rotateKeys).toBeUndefined();
+      expect(instance.deleteIdentity).toBeUndefined();
+    });
+  });
+  describe('AgentIdentity interface', () => {
+    it('should have proper type structure', () => {
+      const validIdentity = {
+        did: 'did:key:z123',
+        kid: 'did:key:z123#key-1',
+        privateKey: 'private-key',
+        publicKey: 'public-key',
+        createdAt: new Date().toISOString(),
+        type: 'development' as const,
+        metadata: { foo: 'bar' }
+      };
+      // Type checking is done at compile time
+      // This test just verifies the shape is correct
+      expect(validIdentity.did).toBe('did:key:z123');
+      expect(validIdentity.type).toBe('development');
+      expect(validIdentity.metadata).toEqual({ foo: 'bar' });
+    });
+  });
+});