npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.6 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.6 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/config.ts ADDED Viewed

@@ -0,0 +1,309 @@
+/**
+ * Provider-based Runtime Configuration
+ *
+ * Core configuration for MCP-I runtime using the provider pattern.
+ * This is the foundation for all platform-specific implementations.
+ *
+ * @module @kya-os/mcp-i-core/config
+ */
+import type {
+  MCPIBaseConfig,
+  RuntimeIdentityConfig,
+  ProofingConfig,
+  DelegationConfig,
+  ToolProtectionSourceConfig
+} from '@kya-os/contracts/config';
+import type {
+  CryptoProvider,
+  ClockProvider,
+  FetchProvider,
+  StorageProvider,
+  NonceCacheProvider,
+  IdentityProvider
+} from './providers/base';
+import type { ToolProtectionService } from './services/tool-protection.service';
+/**
+ * Provider-based runtime configuration
+ *
+ * This configuration is used internally by MCPIRuntimeBase and provides
+ * the foundation for all platform-specific implementations. It uses the
+ * provider pattern for platform abstraction, allowing different implementations
+ * for Node.js, Cloudflare Workers, and other environments.
+ */
+export interface ProviderRuntimeConfig extends MCPIBaseConfig {
+  /**
+   * Cryptographic operations provider
+   * Handles signing, verification, and key generation
+   */
+  cryptoProvider: CryptoProvider;
+  /**
+   * Time operations provider
+   * Provides current time and timestamp generation
+   */
+  clockProvider: ClockProvider;
+  /**
+   * HTTP fetch operations provider
+   * Handles external API calls
+   */
+  fetchProvider: FetchProvider;
+  /**
+   * Storage operations provider
+   * Handles persistent data storage
+   */
+  storageProvider: StorageProvider;
+  /**
+   * Nonce cache provider
+   * Handles replay prevention
+   */
+  nonceCacheProvider: NonceCacheProvider;
+  /**
+   * Identity management provider
+   * Handles agent identity and DID operations
+   */
+  identityProvider: IdentityProvider;
+  /**
+   * Session configuration
+   * Controls session handling and timeouts
+   */
+  session?: {
+    /**
+     * Allowed timestamp skew in seconds
+     * @default 120
+     */
+    timestampSkewSeconds?: number;
+    /**
+     * Session TTL in minutes
+     * @default 30
+     */
+    ttlMinutes?: number;
+  };
+  /**
+   * Identity configuration (optional)
+   * When provided, enables identity features
+   */
+  identity?: RuntimeIdentityConfig;
+  /**
+   * Proofing configuration (optional)
+   * When provided, enables proof generation
+   */
+  proofing?: ProofingConfig;
+  /**
+   * Delegation configuration (optional)
+   * When provided, enables delegation verification
+   */
+  delegation?: DelegationConfig;
+  /**
+   * Tool protection service (optional)
+   * When provided, enables runtime tool protection
+   * Note: This is different from tool registry which is compile-time
+   */
+  toolProtectionService?: ToolProtectionService;
+  /**
+   * Tool protection source configuration (optional)
+   * Alternative to toolProtectionService for configuration-based setup
+   */
+  toolProtection?: ToolProtectionSourceConfig;
+}
+/**
+ * Builder for provider runtime configuration
+ * Helps create valid configurations with proper defaults
+ */
+export class ProviderRuntimeConfigBuilder {
+  private config: Partial<ProviderRuntimeConfig> = {
+    environment: 'development'
+  };
+  /**
+   * Set the providers (required)
+   */
+  withProviders(providers: {
+    cryptoProvider: CryptoProvider;
+    clockProvider: ClockProvider;
+    fetchProvider: FetchProvider;
+    storageProvider: StorageProvider;
+    nonceCacheProvider: NonceCacheProvider;
+    identityProvider: IdentityProvider;
+  }): this {
+    Object.assign(this.config, providers);
+    return this;
+  }
+  /**
+   * Set the environment
+   */
+  withEnvironment(env: 'development' | 'production'): this {
+    this.config.environment = env;
+    return this;
+  }
+  /**
+   * Configure session handling
+   */
+  withSession(session: {
+    timestampSkewSeconds?: number;
+    ttlMinutes?: number;
+  }): this {
+    this.config.session = session;
+    return this;
+  }
+  /**
+   * Enable identity features
+   */
+  withIdentity(identity: RuntimeIdentityConfig): this {
+    this.config.identity = identity;
+    return this;
+  }
+  /**
+   * Enable proofing features
+   */
+  withProofing(proofing: ProofingConfig): this {
+    this.config.proofing = proofing;
+    return this;
+  }
+  /**
+   * Enable delegation features
+   */
+  withDelegation(delegation: DelegationConfig): this {
+    this.config.delegation = delegation;
+    return this;
+  }
+  /**
+   * Set tool protection service
+   */
+  withToolProtectionService(service: ToolProtectionService): this {
+    this.config.toolProtectionService = service;
+    return this;
+  }
+  /**
+   * Set tool protection configuration
+   */
+  withToolProtection(config: ToolProtectionSourceConfig): this {
+    this.config.toolProtection = config;
+    return this;
+  }
+  /**
+   * Enable audit features
+   */
+  withAudit(audit: {
+    enabled: boolean;
+    includeProofHashes?: boolean;
+  }): this {
+    this.config.audit = audit;
+    return this;
+  }
+  /**
+   * Enable well-known endpoints
+   */
+  withWellKnown(wellKnown: {
+    enabled: boolean;
+    serviceName?: string;
+  }): this {
+    this.config.wellKnown = wellKnown;
+    return this;
+  }
+  /**
+   * Build the configuration
+   * Validates that all required providers are set
+   */
+  build(): ProviderRuntimeConfig {
+    const required = [
+      'cryptoProvider',
+      'clockProvider',
+      'fetchProvider',
+      'storageProvider',
+      'nonceCacheProvider',
+      'identityProvider'
+    ];
+    for (const field of required) {
+      if (!(field in this.config)) {
+        throw new Error(`Missing required provider: ${field}`);
+      }
+    }
+    // Apply defaults
+    return {
+      environment: 'development',
+      session: {
+        timestampSkewSeconds: 120,
+        ttlMinutes: 30
+      },
+      ...this.config
+    } as ProviderRuntimeConfig;
+  }
+}
+/**
+ * Re-export base types for convenience
+ */
+export type {
+  MCPIBaseConfig,
+  RuntimeIdentityConfig as BaseIdentityConfig,
+  ProofingConfig,
+  DelegationConfig,
+  ToolProtectionSourceConfig
+} from '@kya-os/contracts/config';
+/**
+ * Re-export remote config utilities
+ */
+export {
+  fetchRemoteConfig,
+  type RemoteConfigOptions,
+  type RemoteConfigCache
+} from './config/remote-config';
+/**
+ * Create a provider runtime configuration
+ * Convenience function for creating configurations
+ */
+export function createProviderRuntimeConfig(
+  providers: {
+    cryptoProvider: CryptoProvider;
+    clockProvider: ClockProvider;
+    fetchProvider: FetchProvider;
+    storageProvider: StorageProvider;
+    nonceCacheProvider: NonceCacheProvider;
+    identityProvider: IdentityProvider;
+  },
+  options?: Partial<Omit<ProviderRuntimeConfig, keyof typeof providers>>
+): ProviderRuntimeConfig {
+  return new ProviderRuntimeConfigBuilder()
+    .withProviders(providers)
+    .withEnvironment(options?.environment || 'development')
+    .withSession(options?.session || {})
+    .withIdentity(options?.identity || { enabled: false, environment: 'development' })
+    .withProofing(options?.proofing || { enabled: false })
+    .withDelegation(options?.delegation || {
+      enabled: false,
+      verifier: { type: 'memory' }
+    })
+    .withAudit(options?.audit || { enabled: false })
+    .withWellKnown(options?.wellKnown || { enabled: true })
+    .build();
+}

package/src/delegation/__tests__/audience-validator.test.ts ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * Tests for Delegation Audience Validation
+ *
+ * @package @kya-os/mcp-i-core/delegation/__tests__
+ */
+import { describe, it, expect } from "vitest";
+import { verifyDelegationAudience } from "../audience-validator";
+import type { DelegationRecord } from "@kya-os/contracts/delegation";
+describe("verifyDelegationAudience", () => {
+  const serverDid = "did:web:server.example.com";
+  it("should return true when delegation has no audience", () => {
+    const delegation: DelegationRecord = {
+      id: "del_001",
+      issuerDid: "did:web:user.com",
+      subjectDid: "did:key:zagent123",
+      controller: "user_alice",
+      vcId: "vc_001",
+      constraints: {
+        scopes: ["tool:execute"],
+        // No audience field
+      },
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 3600000,
+    };
+    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
+  });
+  it("should return true when delegation audience matches server DID", () => {
+    const delegation: DelegationRecord = {
+      id: "del_002",
+      issuerDid: "did:web:user.com",
+      subjectDid: "did:key:zagent123",
+      controller: "user_bob",
+      vcId: "vc_002",
+      constraints: {
+        scopes: ["tool:execute"],
+        audience: serverDid, // Matches server DID
+      },
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 3600000,
+    };
+    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
+  });
+  it("should return false when delegation audience does not match server DID", () => {
+    const delegation: DelegationRecord = {
+      id: "del_003",
+      issuerDid: "did:web:user.com",
+      subjectDid: "did:key:zagent123",
+      controller: "user_charlie",
+      vcId: "vc_003",
+      constraints: {
+        scopes: ["tool:execute"],
+        audience: "did:web:other-server.com", // Different server
+      },
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 3600000,
+    };
+    expect(verifyDelegationAudience(delegation, serverDid)).toBe(false);
+  });
+  it("should return true when server DID is in audience array", () => {
+    const delegation: DelegationRecord = {
+      id: "del_004",
+      issuerDid: "did:web:user.com",
+      subjectDid: "did:key:zagent123",
+      controller: "user_dave",
+      vcId: "vc_004",
+      constraints: {
+        scopes: ["tool:execute"],
+        audience: [
+          "did:web:server1.com",
+          serverDid, // Server DID is in array
+          "did:web:server3.com",
+        ],
+      },
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 3600000,
+    };
+    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
+  });
+  it("should return false when server DID is not in audience array", () => {
+    const delegation: DelegationRecord = {
+      id: "del_005",
+      issuerDid: "did:web:user.com",
+      subjectDid: "did:key:zagent123",
+      controller: "user_eve",
+      vcId: "vc_005",
+      constraints: {
+        scopes: ["tool:execute"],
+        audience: [
+          "did:web:server1.com",
+          "did:web:server2.com",
+          // serverDid not in array
+        ],
+      },
+      createdAt: Date.now(),
+      expiresAt: Date.now() + 3600000,
+    };
+    expect(verifyDelegationAudience(delegation, serverDid)).toBe(false);
+  });
+});