npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.6 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.6 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/services/storage.service.ts ADDED Viewed

@@ -0,0 +1,566 @@
+/**
+ * Storage Service Factory
+ *
+ * Auto-selects storage providers based on available configuration.
+ * Priority: Redis > Cloudflare KV > Cloudflare Durable Objects > Memory
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import { StorageProvider, NonceCacheProvider } from "../providers/base.js";
+import {
+  MemoryStorageProvider,
+  MemoryNonceCacheProvider,
+} from "../providers/memory.js";
+/**
+ * Storage service configuration
+ */
+export interface StorageServiceConfig {
+  /** Redis URL (e.g., "redis://localhost:6379") */
+  redisUrl?: string;
+  /** Cloudflare KV namespace */
+  kvNamespace?: {
+    get(key: string): Promise<string | null>;
+    put(
+      key: string,
+      value: string,
+      options?: { expirationTtl?: number }
+    ): Promise<void>;
+    delete(key: string): Promise<void>;
+    list(options?: {
+      prefix?: string;
+    }): Promise<{ keys: Array<{ name: string }> }>;
+  };
+  /** Cloudflare Durable Object state */
+  durableObjectState?: {
+    storage: {
+      get(key: string): Promise<string | undefined>;
+      put(key: string, value: string): Promise<void>;
+      delete(key: string): Promise<void>;
+      list(options?: { prefix?: string }): Promise<Map<string, string>>;
+    };
+  };
+  /** Fallback to memory if no external storage configured (default: true) */
+  fallbackToMemory?: boolean;
+}
+/**
+ * Storage providers result
+ */
+export interface StorageProviders {
+  storageProvider: StorageProvider;
+  nonceCacheProvider: NonceCacheProvider;
+}
+/**
+ * Key helper functions for consistent key formatting
+ */
+export class StorageKeyHelpers {
+  /**
+   * Build delegation key using composite format
+   * Format: delegation:${userDid}:${agentDid}:${projectId}
+   */
+  static buildDelegationKey(
+    userDid: string,
+    agentDid: string,
+    projectId: string
+  ): string {
+    return `delegation:${userDid}:${agentDid}:${projectId}`;
+  }
+  /**
+   * Build session key
+   * Format: session:${sessionId}
+   */
+  static buildSessionKey(sessionId: string): string {
+    return `session:${sessionId}`;
+  }
+  /**
+   * Build nonce key
+   * Format: nonce:${agentDid}:${nonce}
+   */
+  static buildNonceKey(agentDid: string, nonce: string): string {
+    return `nonce:${agentDid}:${nonce}`;
+  }
+  /**
+   * Parse delegation key back into components
+   *
+   * Format: delegation:${userDid}:${agentDid}:${projectId}
+   *
+   * Note: DIDs contain colons (e.g., did:key:z123), so we can't simply split by ":"
+   * Instead, we:
+   * 1. Check that key starts with "delegation:"
+   * 2. Take the last part as projectId (doesn't contain colons)
+   * 3. Find where agentDid starts (look for "did:" pattern)
+   * 4. Everything before agentDid is userDid, everything between agentDid and projectId is agentDid
+   *
+   * Strategy: Since DIDs always start with "did:", we can find the second occurrence of "did:"
+   * to determine where agentDid begins. However, this assumes userDid and agentDid both start with "did:".
+   *
+   * For keys like "delegation:did:key:user123:did:key:agent456:project-789":
+   * - Remove "delegation:" prefix → "did:key:user123:did:key:agent456:project-789"
+   * - Find last ":" → separates agentDid from projectId
+   * - projectId = "project-789"
+   * - Find second occurrence of "did:" → separates userDid from agentDid
+   * - userDid = "did:key:user123"
+   * - agentDid = "did:key:agent456"
+   */
+  static parseDelegationKey(
+    key: string
+  ): { userDid: string; agentDid: string; projectId: string } | null {
+    if (!key.startsWith("delegation:")) {
+      return null;
+    }
+    // Remove "delegation:" prefix
+    const rest = key.slice("delegation:".length);
+    // Find the last colon (separates agentDid from projectId)
+    const lastColonIndex = rest.lastIndexOf(":");
+    if (lastColonIndex === -1) {
+      return null; // No colon found, invalid format
+    }
+    // Last part is projectId (doesn't contain colons)
+    const projectId = rest.slice(lastColonIndex + 1);
+    if (!projectId) {
+      return null; // Empty projectId
+    }
+    // Everything before the last colon is userDid:agentDid
+    const userDidAndAgentDid = rest.slice(0, lastColonIndex);
+    // Find the second occurrence of "did:" to separate userDid from agentDid
+    // First occurrence is at the start (userDid), second is agentDid
+    const firstDidIndex = userDidAndAgentDid.indexOf("did:");
+    if (firstDidIndex !== 0) {
+      return null; // userDid must start with "did:"
+    }
+    // Find where the first DID ends by looking for the pattern "did:method:identifier"
+    // A DID has the format: did:method:identifier (where identifier may contain colons)
+    // We need to find the next "did:" that appears after a complete DID
+    // Strategy: Find the method separator colon (after "did:"), then search for the next "did:" after that
+    // This ensures we find the second complete DID, not a substring within the first DID's identifier
+    const firstMethodColon = userDidAndAgentDid.indexOf(
+      ":",
+      firstDidIndex + "did:".length
+    );
+    if (firstMethodColon === -1) {
+      return null; // Invalid DID format - no method separator
+    }
+    // Now search for the next "did:" after the first complete DID
+    // The first DID ends somewhere after the method colon, so search from there
+    const secondDidIndex = userDidAndAgentDid.indexOf(
+      "did:",
+      firstMethodColon + 1
+    );
+    if (secondDidIndex === -1) {
+      return null; // No second "did:" found, can't separate userDid and agentDid
+    }
+    // userDid is everything before the second "did:", agentDid is everything after
+    const userDid = userDidAndAgentDid.slice(0, secondDidIndex);
+    const agentDid = userDidAndAgentDid.slice(secondDidIndex);
+    // Remove trailing colon from userDid if present
+    const cleanUserDid = userDid.endsWith(":") ? userDid.slice(0, -1) : userDid;
+    if (!cleanUserDid || !agentDid) {
+      return null; // Empty userDid or agentDid
+    }
+    return {
+      userDid: cleanUserDid,
+      agentDid,
+      projectId,
+    };
+  }
+}
+/**
+ * Durable Object Storage Provider
+ * Wraps Cloudflare Durable Object state storage
+ */
+class DurableObjectStorageProvider extends StorageProvider {
+  private state: NonNullable<StorageServiceConfig["durableObjectState"]>;
+  constructor(state: NonNullable<StorageServiceConfig["durableObjectState"]>) {
+    super();
+    this.state = state;
+  }
+  async get(key: string): Promise<string | null> {
+    const value = await this.state.storage.get(key);
+    return value ?? null;
+  }
+  async set(key: string, value: string): Promise<void> {
+    await this.state.storage.put(key, value);
+  }
+  async delete(key: string): Promise<void> {
+    await this.state.storage.delete(key);
+  }
+  async exists(key: string): Promise<boolean> {
+    const value = await this.state.storage.get(key);
+    return value !== undefined;
+  }
+  async list(prefix?: string): Promise<string[]> {
+    const result = await this.state.storage.list(
+      prefix ? { prefix } : undefined
+    );
+    return Array.from(result.keys());
+  }
+}
+/**
+ * Durable Object Nonce Cache Provider
+ */
+class DurableObjectNonceCacheProvider extends NonceCacheProvider {
+  private state: NonNullable<StorageServiceConfig["durableObjectState"]>;
+  constructor(state: NonNullable<StorageServiceConfig["durableObjectState"]>) {
+    super();
+    this.state = state;
+  }
+  async has(nonce: string, agentDid?: string): Promise<boolean> {
+    const key = agentDid
+      ? StorageKeyHelpers.buildNonceKey(agentDid, nonce)
+      : `nonce:${nonce}`;
+    const value = await this.state.storage.get(key);
+    if (!value) {
+      return false;
+    }
+    const expiresAt = parseInt(value, 10);
+    return Date.now() < expiresAt;
+  }
+  async add(
+    nonce: string,
+    ttlSeconds: number,
+    agentDid?: string
+  ): Promise<void> {
+    const key = agentDid
+      ? StorageKeyHelpers.buildNonceKey(agentDid, nonce)
+      : `nonce:${nonce}`;
+    // Convert TTL seconds to absolute expiration timestamp for storage
+    const expiresAt = Date.now() + ttlSeconds * 1000;
+    await this.state.storage.put(key, expiresAt.toString());
+  }
+  async cleanup(): Promise<void> {
+    // Durable Objects don't support efficient bulk operations
+    // Cleanup would require listing all keys, which is expensive
+    // For now, rely on TTL checking in has() method
+  }
+  async destroy(): Promise<void> {
+    // Durable Objects state persists automatically
+    // No explicit cleanup needed
+  }
+}
+/**
+ * Redis Storage Provider
+ * Uses Redis for storage operations
+ */
+class RedisStorageProvider extends StorageProvider {
+  private redis: any; // Redis client from 'redis' package
+  constructor(redisClient: any) {
+    super();
+    this.redis = redisClient;
+  }
+  async get(key: string): Promise<string | null> {
+    return await this.redis.get(key);
+  }
+  async set(key: string, value: string): Promise<void> {
+    await this.redis.set(key, value);
+  }
+  async delete(key: string): Promise<void> {
+    await this.redis.del(key);
+  }
+  async exists(key: string): Promise<boolean> {
+    const result = await this.redis.exists(key);
+    return result === 1;
+  }
+  async list(prefix?: string): Promise<string[]> {
+    const pattern = prefix ? `${prefix}*` : "*";
+    const keys = await this.redis.keys(pattern);
+    return keys;
+  }
+}
+/**
+ * Redis Nonce Cache Provider
+ */
+class RedisNonceCacheProvider extends NonceCacheProvider {
+  private redis: any;
+  private keyPrefix: string;
+  constructor(redisClient: any, keyPrefix = "nonce:") {
+    super();
+    this.redis = redisClient;
+    this.keyPrefix = keyPrefix;
+  }
+  async has(nonce: string, agentDid?: string): Promise<boolean> {
+    const key = agentDid
+      ? StorageKeyHelpers.buildNonceKey(agentDid, nonce)
+      : `${this.keyPrefix}${nonce}`;
+    const result = await this.redis.exists(key);
+    return result === 1;
+  }
+  async add(
+    nonce: string,
+    ttlSeconds: number,
+    agentDid?: string
+  ): Promise<void> {
+    const key = agentDid
+      ? StorageKeyHelpers.buildNonceKey(agentDid, nonce)
+      : `${this.keyPrefix}${nonce}`;
+    // Use TTL directly in seconds (callers now pass TTL, not absolute timestamp)
+    await this.redis.setEx(key, ttlSeconds, "1");
+  }
+  async cleanup(): Promise<void> {
+    // Redis handles TTL automatically, no cleanup needed
+  }
+  async destroy(): Promise<void> {
+    // Redis connection should be managed by caller
+  }
+}
+/**
+ * KV Storage Provider wrapper
+ * Uses existing KVStorageProvider from mcp-i-cloudflare
+ */
+/**
+ * Create Cloudflare KV storage providers
+ *
+ * This function dynamically imports Cloudflare-specific storage providers.
+ * The @ts-ignore is necessary because @kya-os/mcp-i-cloudflare/providers/storage
+ * is an optional dependency that may not exist in Node.js environments.
+ * This is intentional for platform-specific code - the import will fail at runtime
+ * if the module doesn't exist, which is handled by the try-catch block.
+ */
+async function createKVStorageProvider(
+  kvNamespace: StorageServiceConfig["kvNamespace"]
+): Promise<{ storage: StorageProvider; nonceCache: NonceCacheProvider }> {
+  // Dynamic import to avoid bundling Cloudflare-specific code
+  // This is an optional dependency that may not exist in all environments
+  try {
+    // Use string literal to avoid TypeScript checking the module path at compile time
+    const storageModulePath = "@kya-os/mcp-i-cloudflare/providers/storage";
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore TS2307 - Optional dependency: @kya-os/mcp-i-cloudflare/providers/storage
+    // may not exist in Node.js environments. This is intentional for platform-specific code.
+    const { KVStorageProvider, KVNonceCacheProvider } = await import(
+      storageModulePath
+    );
+    const storage = new KVStorageProvider(kvNamespace as any);
+    const nonceCache = new KVNonceCacheProvider(kvNamespace as any);
+    return { storage, nonceCache };
+  } catch (error) {
+    throw new Error(
+      `Failed to import Cloudflare storage providers: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+/**
+ * Create storage providers based on configuration
+ *
+ * Priority order:
+ * 1. Redis (if redisUrl provided)
+ * 2. Cloudflare KV (if kvNamespace provided)
+ * 3. Cloudflare Durable Objects (if durableObjectState provided)
+ * 4. In-memory fallback (if fallbackToMemory is true, default)
+ */
+export async function createStorageProviders(
+  config: StorageServiceConfig
+): Promise<StorageProviders> {
+  const fallbackToMemory = config.fallbackToMemory !== false;
+  // Priority 1: Redis
+  if (config.redisUrl) {
+    try {
+      // Dynamic import to avoid bundling Redis in environments that don't need it
+      // Use string literal to avoid TypeScript checking the module path at compile time
+      const redisModulePath = "redis";
+      // @ts-ignore TS2307 - Optional dependency: 'redis' package may not be installed.
+      // This is intentional - the import will fail at runtime if Redis is not available,
+      // which is handled by the try-catch block.
+      const redisModule = await import(redisModulePath).catch(() => null);
+      if (!redisModule) {
+        throw new Error("Redis package not available");
+      }
+      const { createClient } = redisModule;
+      // @ts-ignore TS2307 - Type inference from dynamic import
+      // Redis client type is inferred from the runtime module
+      const redis = createClient({
+        url: config.redisUrl,
+        socket: {
+          connectTimeout: 5000,
+        },
+      });
+      await redis.connect();
+      await redis.ping();
+      const storageProvider = new RedisStorageProvider(redis);
+      const nonceCacheProvider = new RedisNonceCacheProvider(redis);
+      return {
+        storageProvider,
+        nonceCacheProvider,
+      };
+    } catch (error) {
+      if (!fallbackToMemory) {
+        throw error;
+      }
+      console.warn(
+        "[StorageService] Failed to connect to Redis, falling back to memory:",
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  }
+  // Priority 2: Cloudflare KV
+  if (config.kvNamespace) {
+    try {
+      const providers = await createKVStorageProvider(config.kvNamespace);
+      return {
+        storageProvider: providers.storage,
+        nonceCacheProvider: providers.nonceCache,
+      };
+    } catch (error) {
+      if (!fallbackToMemory) {
+        throw error;
+      }
+      console.warn(
+        "[StorageService] Failed to initialize KV, falling back to memory:",
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  }
+  // Priority 3: Cloudflare Durable Objects
+  if (config.durableObjectState) {
+    try {
+      const storageProvider = new DurableObjectStorageProvider(
+        config.durableObjectState as NonNullable<
+          StorageServiceConfig["durableObjectState"]
+        >
+      );
+      const nonceCacheProvider = new DurableObjectNonceCacheProvider(
+        config.durableObjectState as NonNullable<
+          StorageServiceConfig["durableObjectState"]
+        >
+      );
+      return {
+        storageProvider,
+        nonceCacheProvider,
+      };
+    } catch (error) {
+      if (!fallbackToMemory) {
+        throw error;
+      }
+      console.warn(
+        "[StorageService] Failed to initialize Durable Objects, falling back to memory:",
+        error instanceof Error ? error.message : String(error)
+      );
+    }
+  }
+  // Priority 4: In-memory fallback
+  if (fallbackToMemory) {
+    return {
+      storageProvider: new MemoryStorageProvider(),
+      nonceCacheProvider: new MemoryNonceCacheProvider(),
+    };
+  }
+  throw new Error(
+    "No storage provider configured and fallbackToMemory is false"
+  );
+}
+/**
+ * Migration utility for legacy key formats
+ *
+ * Migrates keys from old format (e.g., `agent:${did}:delegation`) to new composite format
+ */
+export async function migrateLegacyKeys(
+  oldKeyPrefix: string,
+  newKeyFormat: (oldKey: string) => string | null,
+  storageProvider: StorageProvider,
+  batchSize = 100
+): Promise<number> {
+  let migrated = 0;
+  try {
+    // List all keys with old prefix
+    const oldKeys = await storageProvider.list(oldKeyPrefix);
+    for (const oldKey of oldKeys) {
+      const newKey = newKeyFormat(oldKey);
+      if (!newKey) {
+        continue; // Skip if transformation fails
+      }
+      // Check if new key already exists
+      const existing = await storageProvider.exists(newKey);
+      if (existing) {
+        continue; // Skip if already migrated
+      }
+      // Read old value
+      const value = await storageProvider.get(oldKey);
+      if (!value) {
+        continue; // Skip if old key has no value
+      }
+      // Write to new key
+      await storageProvider.set(newKey, value);
+      // Optionally delete old key (commented out for safety)
+      // await storageProvider.delete(oldKey);
+      migrated++;
+      if (migrated % batchSize === 0) {
+        // Yield to event loop for large migrations
+        await new Promise((resolve) => setTimeout(resolve, 0));
+      }
+    }
+  } catch (error) {
+    console.error("[StorageService] Migration error:", error);
+    throw error;
+  }
+  return migrated;
+}