@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

package/.turbo/turbo-test$colon$coverage.log

@@ -0,0 +1,4514 @@
+
+
+> @kya-os/mcp-i-core@1.2.2-canary.38 test:coverage /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
+> vitest run --coverage
+
+[?25l
+ RUN  v4.0.5 /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
+      Coverage enabled with v8
+
+[?2026h
+ ❯ src/__tests__/services/agentshield-integration.test.ts [queued]
+
+ Test Files 0 passed (44)
+      Tests 0 passed (0)
+   Start at 17:52:48
+   Duration 102ms
+[?2026l[?2026h
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts [queued]
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts [queued]
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 0/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts [queued]
+ ❯ src/delegation/__tests__/vc-issuer.test.ts [queued]
+ ❯ src/delegation/__tests__/vc-verifier.test.ts [queued]
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts [queued]
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 0 passed (44)
+      Tests 0 passed (19)
+   Start at 17:52:48
+   Duration 202ms
+[?2026l[?2026hstderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle empty scopes array
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle ambiguous scopes (multiple providers inferred)
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle unknown scope prefixes
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify gmail → google mapping works
+[ProviderResolver] Inferred provider "google" from scopes
+
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify calendar → google mapping works
+[ProviderResolver] Inferred provider "google" from scopes
+
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify outlook → microsoft mapping works
+[ProviderResolver] Inferred provider "microsoft" from scopes
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle scopes without colons
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle inferred provider not in registry
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "google" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Fallback behavior (Priority 3) > should use first configured provider when oauthProvider not specified
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Provider name case sensitivity > should handle provider names case-insensitively in inference
+[ProviderResolver] Inferred provider "github" from scopes
+
+stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Multiple scopes with same provider > should handle multiple scopes from same provider
+[ProviderResolver] Inferred provider "github" from scopes
+
+ ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (19 tests | 1 skipped) 7ms
+ ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 5ms
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use X-API-Key header for new endpoint
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.638Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use Authorization Bearer header for old endpoint
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.642Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.643Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.643Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'project/with/special-chars',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.644Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.644Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.644Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should fetch from project-scoped endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.643Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.644Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.644Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle camelCase field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should prefer camelCase over snake_case when both present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should handle new endpoint format with toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should parse oauthProvider from new endpoint format (Phase 2)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should preserve oauthProvider through cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.645Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.646Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.646Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.646Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.646Z'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.647Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Cache miss, fetching from API {
+  source: 'api-fetch-start',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  apiUrl: 'https://kya.vouched.id',
+  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
+  method: 'config?agent_did (old)',
+  projectId: 'none',
+  apiKeyPresent: true,
+  apiKeyLength: 18,
+  apiKeyMasked: 'test-api...'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] API response received {
+  source: 'api-fetch-complete',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  responseKeys: [ 'success', 'data', 'metadata' ],
+  dataKeys: [ 'tools' ],
+  rawToolProtections: null,
+  rawTools: [
+    { name: 'valid_tool', requiresDelegation: true },
+    { requiresDelegation: false }
+  ],
+  responseMetadata: {}
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'valid_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.647Z'
+}
+[ToolProtectionService] API fetch successful, config cached {
+  source: 'cache-write',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  toolCount: 1,
+  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
+  ttlMs: 300000,
+  ttlMinutes: 5,
+  expiresAt: '2025-11-24T23:57:48.647Z',
+  expiresIn: '300s'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-11-24T23:52:49.647Z'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'ECONNREFUSED',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.650Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.650Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 600000,
+  cacheExpiresAt: '2025-11-25T00:02:48.651Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.651Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.651Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.651Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.651Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'other_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.654Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: false,
+  isWildcard: true,
+  requiresDelegation: false,
+  availableTools: [ 'other_tool' ]
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.654Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*', 'specific_tool' ]
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should prioritize specific tool protection over wildcard
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.654Z'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] Protection check {
+  tool: 'any_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*' ]
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.655Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Protection check {
+  tool: 'protected_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'protected_tool' ]
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.655Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:48.655Z'
+}
+
+ ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 17ms
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026hstderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '65b85076-4377-4e1f-bf37-836838433b88',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '65b85076-4377-4e1f-bf37-836838433b88',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '11b587b4-ac6e-43ef-bafa-12bda57e5630',
+  status: 400,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 209,
+  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
+  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '11b587b4-ac6e-43ef-bafa-12bda57e5630',
+  status: 400,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'error' ],
+  responseData: '{\n' +
+    '  "success": false,\n' +
+    '  "error": {\n' +
+    '    "code": "all_proofs_rejected",\n' +
+    '    "message": "All proofs rejected",\n' +
+    '    "details": {\n' +
+    '      "rejected": 1,\n' +
+    '      "errors": [\n' +
+    '        {\n' +
+    '          "proof_index": 0,\n' +
+    '          "error": {\n' +
+    '            "code": "invalid_signature",\n' +
+    '            "message": "Invalid signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      ]\n' +
+    '    }\n' +
+    '  }\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '5ac1bfa3-006b-4bb7-9082-67a24030fafe',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 206,
+  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:48.685Z"}}',
+  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:48.685Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '5ac1bfa3-006b-4bb7-9082-67a24030fafe',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "success": true,\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:48.685Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "success": true,
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-24T23:52:48.685Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '5ac1bfa3-006b-4bb7-9082-67a24030fafe',
+  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '5ac1bfa3-006b-4bb7-9082-67a24030fafe',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '027b427a-ce0e-42c1-9193-038ce989ead0',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 42,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '027b427a-ce0e-42c1-9193-038ce989ead0',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'f783783f-2004-4322-ab55-454b76b141ac',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'f783783f-2004-4322-ab55-454b76b141ac',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '349ca8ce-6a47-4afa-8c0a-37e36c407b8c',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 56,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '349ca8ce-6a47-4afa-8c0a-37e36c407b8c',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {}
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '98fb8b6f-6133-4c82-b1c8-1da92ef65003',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 52,
+  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
+  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '98fb8b6f-6133-4c82-b1c8-1da92ef65003',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data' ],
+  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '98fb8b6f-6133-4c82-b1c8-1da92ef65003',
+  dataKeys: [ 'message' ],
+  hasAccepted: false,
+  hasRejected: false,
+  hasOutcomes: false,
+  hasErrors: false,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  outcomesType: 'undefined',
+  outcomesValue: undefined,
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n  "message": "Invalid format"\n}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '98fb8b6f-6133-4c82-b1c8-1da92ef65003',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedValue: undefined,
+  hasOutcomes: false,
+  outcomesValue: undefined,
+  fullDataWithSuccess: '{\n  "success": true\n}'
+}
+[AccessControl] ❌ MISSING REQUIRED FIELDS AFTER CONSTRUCTION: {
+  correlationId: '98fb8b6f-6133-4c82-b1c8-1da92ef65003',
+  hasAccepted: true,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  fullDataWithSuccess: '{\n  "success": true\n}',
+  dataToValidateKeys: [ 'message' ],
+  fullDataToValidate: '{\n  "message": "Invalid format"\n}',
+  originalResponseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 0/49
+ ❯ src/__tests__/integration.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts [queued]
+ ❯ src/__tests__/runtime/route-interception.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 0/30
+ ❯ src/__tests__/services/provider-resolver-edge-cases.test.ts 19/19
+ ❯ src/__tests__/services/tool-protection.service.test.ts 49/49
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 0/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 0/35
+ ❯ src/delegation/storage/__tests__/memory-graph-storage.test.ts 27/27
+ ❯ src/services/__tests__/access-control.integration.test.ts [queued]
+ ❯ src/services/__tests__/access-control.service.test.ts 1/23
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts [queued]
+
+ Test Files 3 passed (44)
+      Tests 95 passed | 1 skipped (253)
+   Start at 17:52:48
+   Duration 302ms
+[?2026l[?2026h ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 38ms
+ ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 74ms
+ ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 104ms
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
+[CryptoService] Ed25519 verification error: Error: Verification failed
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
+[CryptoService] Invalid Ed25519 JWK format
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026h ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 35ms
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'ž', "ž‹" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
+[CryptoService] Unsupported algorithm: RS256, expected EdDSA
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
+[CryptoService] Unsupported algorithm: HS256, expected EdDSA
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zR2T1bdxSVhqFu_d_eKkKvLNvKe1i7QGg","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368809,"timestampFormatted":"2025-11-24T23:52:48.809Z"}
+
+ ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 164ms
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"b4baa468a1525b411e466ab234d851d3","timestamp":1764028368809},"timestamp":1764028368809,"timestampFormatted":"2025-11-24T23:52:48.809Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zFakH7XD0MHPMuE27RdmBSeo1Rm2mFFrJ","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368814,"timestampFormatted":"2025-11-24T23:52:48.814Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zL7rWRHMPmV0fq7nCCPQLbADZoOeaZcb0","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368814,"timestampFormatted":"2025-11-24T23:52:48.814Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:zL7rWRHMPmV0fq7nCCPQLbADZoOeaZcb0","newDid":"did:key:zFeeIiR7_PPnoxptUEt29-LM6RPtdJUo9","timestamp":1764028368814},"timestamp":1764028368814,"timestampFormatted":"2025-11-24T23:52:48.814Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:ztEJI5ksSFuBKCt8pvLPNWoYmN5pHOqCY","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368815,"timestampFormatted":"2025-11-24T23:52:48.815Z"}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zM3Uz_vzOMcWsnGV3S5W9rF5gWpJ2P6JG","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368815,"timestampFormatted":"2025-11-24T23:52:48.815Z"}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zMO7-Htu3LlfayBEg_lbqysxpBEqtYIYS","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368816,"timestampFormatted":"2025-11-24T23:52:48.816Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zwE8MZq80KXN1yqj30YVx5E7av8Ddhu76","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368816,"timestampFormatted":"2025-11-24T23:52:48.816Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z9ZSnbRnMCharaJfa0KU--Ac24AUgOFoZ","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368816,"timestampFormatted":"2025-11-24T23:52:48.816Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zpaZlGd4Gl1drs00uTZm7ialjf6LiPs4O","environment":"development","userDidGeneration":"disabled"},"timestamp":1764028368816,"timestampFormatted":"2025-11-24T23:52:48.816Z"}
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 0/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts [queued]
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 0/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/delegation/__tests__/vc-verifier.test.ts 35/35
+ ❯ src/services/__tests__/access-control.integration.test.ts 0/9
+ ❯ src/services/__tests__/access-control.service.test.ts 23/23
+ ❯ src/services/__tests__/crypto.service.test.ts 0/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 0/13
+
+ Test Files 8 passed (44)
+      Tests 269 passed | 1 skipped (356)
+   Start at 17:52:48
+   Duration 403ms
+[?2026l[?2026hstderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
+[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
+[CryptoService] Key ID mismatch
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
+[CryptoService] Unsupported algorithm: EdDSA, expected RS256
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
+[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
+    at CryptoService.jwkToBase64PublicKey (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 9/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts 0/38
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 17/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/services/__tests__/access-control.integration.test.ts 7/9
+ ❯ src/services/__tests__/crypto.service.test.ts 34/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 13/13
+ ❯ src/services/__tests__/storage.service.test.ts [queued]
+
+ Test Files 12 passed (44)
+      Tests 348 passed | 2 skipped (394)
+   Start at 17:52:48
+   Duration 524ms
+[?2026l[?2026h ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 27ms
+ ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 27ms
+ ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 89ms
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 9/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts 0/38
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 17/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/services/__tests__/access-control.integration.test.ts 7/9
+ ❯ src/services/__tests__/crypto.service.test.ts 34/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 13/13
+ ❯ src/services/__tests__/storage.service.test.ts [queued]
+
+ Test Files 12 passed (44)
+      Tests 348 passed | 2 skipped (394)
+   Start at 17:52:48
+   Duration 524ms
+[?2026l[?2026hstderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '65272a36-f969-4200-a207-97a1a693668b',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '65272a36-f969-4200-a207-97a1a693668b',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '826c3ebd-3cff-47ed-be37-041b9451bfb5',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 200,
+  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
+  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '826c3ebd-3cff-47ed-be37-041b9451bfb5',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 1,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "invalid_signature",\n' +
+    '        "message": "Invalid JWS signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 0,
+  "rejected": 1,
+  "outcomes": {
+    "success": 0,
+    "failed": 1,
+    "blocked": 0,
+    "error": 0
+  },
+  "errors": [
+    {
+      "proof_index": 0,
+      "error": {
+        "code": "invalid_signature",
+        "message": "Invalid JWS signature"
+      }
+    }
+  ]
+}
+
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
+[CryptoService] Key ID mismatch
+
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 9/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts 0/38
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 17/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/services/__tests__/access-control.integration.test.ts 7/9
+ ❯ src/services/__tests__/crypto.service.test.ts 34/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 13/13
+ ❯ src/services/__tests__/storage.service.test.ts [queued]
+
+ Test Files 12 passed (44)
+      Tests 348 passed | 2 skipped (394)
+   Start at 17:52:48
+   Duration 524ms
+[?2026l[?2026h ✓ src/__tests__/integration.test.ts (9 tests) 8ms
+
+ ❯ src/__tests__/cache/tool-protection-cache.test.ts 49/49
+ ❯ src/__tests__/integration.test.ts 9/9
+ ❯ src/__tests__/runtime/base-extensions.test.ts 0/38
+ ❯ src/__tests__/runtime/base.test.ts [queued]
+ ❯ src/__tests__/runtime/proof-client-did.test.ts 17/17
+ ❯ src/__tests__/runtime/route-interception.test.ts 21/21
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/vc-issuer.test.ts 21/21
+ ❯ src/services/__tests__/access-control.integration.test.ts 7/9
+ ❯ src/services/__tests__/crypto.service.test.ts 34/34
+ ❯ src/services/__tests__/proof-verifier.integration.test.ts 13/13
+ ❯ src/services/__tests__/storage.service.test.ts [queued]
+
+ Test Files 12 passed (44)
+      Tests 348 passed | 2 skipped (394)
+   Start at 17:52:48
+   Duration 524ms
+[?2026l[?2026h ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 9ms
+ ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 161ms
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
+[MCP-I] Checking tool protection: {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkqz9_midsy0ry',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_cxkqz9_midsy0ry'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: false,
+  hasConsentProof: true,
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] ❌ Delegation verification FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Delegation token expired',
+  errorCode: undefined,
+  errorMessage: undefined,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+[MCP-I] ❌ Delegation verification FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Insufficient scopes',
+  errorCode: undefined,
+  errorMessage: undefined,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026h ✓ src/__tests__/runtime/base.test.ts (55 tests) 15ms
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] ❌ Delegation verification error (API failure) {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  errorCode: 'network_error',
+  errorMessage: 'API unavailable',
+  errorDetails: {}
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
+[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationUserIdentifier: 'did:key:zUserB987654...',
+  sessionUserDid: 'did:key:zUserA123456...',
+  sessionId: 'session123...',
+  reason: 'user_identifier_mismatch',
+  severity: 'high'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+[MCP-I] ✅ User identifier validation PASSED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  userDid: 'did:key:zUserA123456...',
+  sessionId: 'session123...'
+}
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: true
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegationToken: true,
+  hasConsentProof: false,
+  requiredScopes: [ 'files:write' ]
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationUserIdentifier: 'did:key:zUserA123456...',
+  sessionId: 'session123...'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] ✅ Delegation verification SUCCEEDED {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
+  credentialScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write' ]
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
+[MCP-I] Checking tool protection: {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkqaa_midsy0s6',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_cxkqaa_midsy0s6'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkqaa_midsy0s6',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_cxkqaa_midsy0s6'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write', 'files:read' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkq9f_midsy0s7',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_cxkq9f_midsy0s7'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkq9f_midsy0s7',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_cxkq9f_midsy0s7'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkq9f_midsy0s7',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_cxkq9f_midsy0s7'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_395gyw_midsy0s7',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_395gyw_midsy0s7'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log blocked tool call when audit enabled
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should handle tool protection service errors gracefully
+[MCP-I] Checking tool protection: {
+  tool: 'testTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkq7p_midsy0s9',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_cxkq7p_midsy0s9'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_cxkq7p_midsy0s9',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_cxkq7p_midsy0s9'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_4ha71_midsy0s9',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_4ha71_midsy0s9'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
+[MCP-I] Checking tool protection: {
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+}
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
+[MCP-I] Tool protection check passed (no delegation required) {
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  reason: 'Tool not configured to require delegation'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026h ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 18ms
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026hstderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+
+stderr | src/services/__tests__/proof-verifier.test.ts > ProofVerifier Security > Signature Verification > should handle signature verification errors gracefully
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts [queued]
+ ❯ src/__tests__/integration/full-flow.test.ts [queued]
+ ❯ src/__tests__/providers/memory.test.ts 0/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 0/12
+ ❯ src/__tests__/runtime/base-extensions.test.ts 38/38
+ ❯ src/__tests__/runtime/base.test.ts 55/55
+ ❯ src/__tests__/runtime/tool-protection-enforcement.test.ts 29/29
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts [queued]
+ ❯ src/services/__tests__/access-control.integration.test.ts 9/9
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 0/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 0/21
+ ❯ src/services/__tests__/storage.service.test.ts 0/17
+
+ Test Files 16 passed (44)
+      Tests 472 passed | 2 skipped (574)
+   Start at 17:52:48
+   Duration 727ms
+[?2026l[?2026h ✓ src/__tests__/providers/memory.test.ts (34 tests) 8ms
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with success field in data
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'ad96c32e-52a5-4887-a858-92d70ca77f0d',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 191,
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.047Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.047Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'ad96c32e-52a5-4887-a858-92d70ca77f0d',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.047Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-24T23:52:49.047Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'ad96c32e-52a5-4887-a858-92d70ca77f0d',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'ad96c32e-52a5-4887-a858-92d70ca77f0d',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with errors array
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'ad29b63a-0efd-473d-b421-1877f8ab7a4f',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 333,
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.110Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.110Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'ad29b63a-0efd-473d-b421-1877f8ab7a4f',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 0,\n' +
+    '    "rejected": 1,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 0,\n' +
+    '      "failed": 1,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    },\n' +
+    '    "errors": [\n' +
+    '      {\n' +
+    '        "proof_index": 0,\n' +
+    '        "error": {\n' +
+    '          "code": "validation_error",\n' +
+    '          "message": "Proof validation failed",\n' +
+    '          "details": {\n' +
+    '            "reason": "invalid_signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      }\n' +
+    '    ]\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.110Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 0,
+    "rejected": 1,
+    "outcomes": {
+      "success": 0,
+      "failed": 1,
+      "blocked": 0,
+      "error": 0
+    },
+    "errors": [
+      {
+        "proof_index": 0,
+        "error": {
+          "code": "validation_error",
+          "message": "Proof validation failed",
+          "details": {
+            "reason": "invalid_signature"
+          }
+        }
+      }
+    ]
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-24T23:52:49.110Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'ad29b63a-0efd-473d-b421-1877f8ab7a4f',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: true,
+  acceptedType: 'number',
+  acceptedValue: 0,
+  rejectedType: 'number',
+  rejectedValue: 1,
+  outcomesType: 'object',
+  outcomesValue: { success: 0, failed: 1, blocked: 0, error: 0 },
+  errorsType: 'object',
+  errorsIsArray: true,
+  fullData: '{\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 1,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Proof validation failed",\n' +
+    '        "details": {\n' +
+    '          "reason": "invalid_signature"\n' +
+    '        }\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'ad29b63a-0efd-473d-b421-1877f8ab7a4f',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 0,
+  hasRejected: true,
+  rejectedValue: 1,
+  hasOutcomes: true,
+  outcomesValue: { success: 0, failed: 1, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 1,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Proof validation failed",\n' +
+    '        "details": {\n' +
+    '          "reason": "invalid_signature"\n' +
+    '        }\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026h ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 23ms
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response without outcomes (optional field)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '27682a7f-582d-4e08-a703-a9bc88fbdfe4',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 133,
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.110Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.110Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '27682a7f-582d-4e08-a703-a9bc88fbdfe4',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.110Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 1,
+    "rejected": 0
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-24T23:52:49.110Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '27682a7f-582d-4e08-a703-a9bc88fbdfe4',
+  dataKeys: [ 'accepted', 'rejected' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: false,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'undefined',
+  outcomesValue: undefined,
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '27682a7f-582d-4e08-a703-a9bc88fbdfe4',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: false,
+  outcomesValue: undefined,
+  fullDataWithSuccess: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should throw validation error if data object missing success field
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '2a24ca10-b029-43b6-90f2-faf4cf3d29cb',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 191,
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.111Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-24T23:52:49.111Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '2a24ca10-b029-43b6-90f2-faf4cf3d29cb',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.111Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-11-24T23:52:49.111Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '2a24ca10-b029-43b6-90f2-faf4cf3d29cb',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '2a24ca10-b029-43b6-90f2-faf4cf3d29cb',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should correctly extract data from wrapped response after JSON deep clone
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '5723bd29-b42c-457f-a1c1-e9508d75669a',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 191,
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1},"errors":[]},"metadata":{"requestId":"fc1fa88f-9b22-4161-b4fd-17d8215098ee","timestamp":"2025-11-24T21:36:33.029Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1},"errors":[]},"metadata":{"requestId":"fc1fa88f-9b22-4161-b4fd-17d8215098ee","timestamp":"2025-11-24T21:36:33.029Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '5723bd29-b42c-457f-a1c1-e9508d75669a',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1\n' +
+    '    },\n' +
+    '    "errors": []\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "fc1fa88f-9b22-4161-b4fd-17d8215098ee",\n' +
+    '    "timestamp": "2025-11-24T21:36:33.029Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1
+    },
+    "errors": []
+  },
+  "metadata": {
+    "requestId": "fc1fa88f-9b22-4161-b4fd-17d8215098ee",
+    "timestamp": "2025-11-24T21:36:33.029Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '5723bd29-b42c-457f-a1c1-e9508d75669a',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: true,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1 },
+  errorsType: 'object',
+  errorsIsArray: true,
+  fullData: '{\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1\n' +
+    '  },\n' +
+    '  "errors": []\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '5723bd29-b42c-457f-a1c1-e9508d75669a',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1\n' +
+    '  },\n' +
+    '  "errors": []\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response where data fields are numeric values (not undefined)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'a382c923-903e-4c59-bc1c-4e14a99a598f',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 151,
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-24T23:52:49.114Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-24T23:52:49.114Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'a382c923-903e-4c59-bc1c-4e14a99a598f',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 0,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {},\n' +
+    '    "errors": []\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.114Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 0,
+    "rejected": 0,
+    "outcomes": {},
+    "errors": []
+  },
+  "metadata": {
+    "requestId": "test-id",
+    "timestamp": "2025-11-24T23:52:49.114Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'a382c923-903e-4c59-bc1c-4e14a99a598f',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: true,
+  acceptedType: 'number',
+  acceptedValue: 0,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: {},
+  errorsType: 'object',
+  errorsIsArray: true,
+  fullData: '{\n  "accepted": 0,\n  "rejected": 0,\n  "outcomes": {},\n  "errors": []\n}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'a382c923-903e-4c59-bc1c-4e14a99a598f',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 0,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: {},
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {},\n' +
+    '  "errors": []\n' +
+    '}'
+}
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response with nested outcomes object
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'eb3e998b-0929-4bd6-b912-44bf3d74cecf',
+  status: 200,
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 278,
+  responseTextPreview: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-24T23:52:49.115Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-24T23:52:49.115Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'eb3e998b-0929-4bd6-b912-44bf3d74cecf',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "accepted": 3,\n' +
+    '    "rejected": 2,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 1,\n' +
+    '      "blocked": 1,\n' +
+    '      "error": 2\n' +
+    '    },\n' +
+    '    "errors": [\n' +
+    '      {\n' +
+    '        "proof_index": 0,\n' +
+    '        "error": {\n' +
+    '          "code": "validation_error",\n' +
+    '          "message": "Invalid signature"\n' +
+    '        }\n' +
+    '      }\n' +
+    '    ]\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-id",\n' +
+    '    "timestamp": "2025-11-24T23:52:49.115Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 3,
+    "rejected": 2,
+    "outcomes": {
+      "success": 1,
+      "failed": 1,
+      "blocked": 1,
+      "error": 2
+    },
+    "errors": [
+      {
+        "proof_index": 0,
+        "error": {
+          "code": "validation_error",
+          "message": "Invalid signature"
+        }
+      }
+    ]
+  },
+  "metadata": {
+    "requestId": "test-id",
+    "timestamp": "2025-11-24T23:52:49.115Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'eb3e998b-0929-4bd6-b912-44bf3d74cecf',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: true,
+  acceptedType: 'number',
+  acceptedValue: 3,
+  rejectedType: 'number',
+  rejectedValue: 2,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
+  errorsType: 'object',
+  errorsIsArray: true,
+  fullData: '{\n' +
+    '  "accepted": 3,\n' +
+    '  "rejected": 2,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 1,\n' +
+    '    "error": 2\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Invalid signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'eb3e998b-0929-4bd6-b912-44bf3d74cecf',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 3,
+  hasRejected: true,
+  rejectedValue: 2,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 3,\n' +
+    '  "rejected": 2,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 1,\n' +
+    '    "error": 2\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Invalid signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026h ✓ src/services/__tests__/storage.service.test.ts (17 tests) 70ms
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'phase1_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.118Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.127Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.127Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_snake_case' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.127Z'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.128Z'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully
+[UserDidManager] Storage.get failed, generating new DID: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:187:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.set errors gracefully
+[UserDidManager] Storage.set failed, continuing with cached DID: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:196:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.delete errors gracefully
+[UserDidManager] Storage.delete failed, continuing: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:70
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026h ✓ src/services/__tests__/access-control.proof-response-validation.test.ts (12 tests) 78ms
+ ✓ src/__tests__/identity/user-did-manager.test.ts (17 tests) 7ms
+ ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 12ms
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should allow unprotected tool calls
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.142Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.143Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] Protection check {
+  tool: 'checkout',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'checkout' ]
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.143Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should cache tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.144Z'
+}
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  cacheKey: 'config:tool-protections:test-project'
+}
+
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should share cache across multiple service instances
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.146Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.146Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.146Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 3,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.146Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Protection check {
+  tool: 'add_to_cart',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'search_products', 'add_to_cart', 'checkout' ]
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Concurrent operations > should handle concurrent cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.147Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.147Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.147Z'
+}
+
+ ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 12ms
+ ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 8ms
+
+ ❯ src/__tests__/identity/user-did-manager.test.ts 17/17
+ ❯ src/__tests__/integration/full-flow.test.ts 21/21
+ ❯ src/__tests__/providers/memory.test.ts 34/34
+ ❯ src/__tests__/regression/phase2-regression.test.ts 12/12
+ ❯ src/__tests__/runtime/delegation-flow.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts [queued]
+ ❯ src/config/__tests__/remote-config.spec.ts [queued]
+ ❯ src/delegation/__tests__/cascading-revocation.test.ts 23/23
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 0/28
+ ❯ src/services/__tests__/access-control.proof-response-validation.test.ts 12/12
+ ❯ src/services/__tests__/proof-verifier.test.ts 21/21
+ ❯ src/services/__tests__/storage.service.test.ts 17/17
+
+ Test Files 24 passed (44)
+      Tests 629 passed | 2 skipped (663)
+   Start at 17:52:48
+   Duration 827ms
+[?2026l[?2026hstdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from camelCase field
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.319Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from snake_case field
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.323Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should prefer camelCase over snake_case when both present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.323Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should handle missing oauthProvider field (backward compatible)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.324Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with camelCase
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.325Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with snake_case
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.325Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should prefer camelCase over snake_case in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.325Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with camelCase
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.325Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with snake_case
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.325Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should prefer camelCase over snake_case in object format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.326Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Caching > should cache oauthProvider field correctly
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.326Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should include oauthProvider in returned ToolProtection objects when present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool_with_provider', 'tool_without_provider' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.326Z'
+}
+
+stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should handle empty string oauthProvider gracefully
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_empty_provider' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.326Z'
+}
+
+ ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 17ms
+
+ ❯ src/__tests__/providers/base.test.ts 14/14
+ ❯ src/__tests__/runtime/delegation-flow.test.ts 4/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts 14/14
+ ❯ src/compliance/__tests__/schema-verifier.test.ts 1/30
+ ❯ src/config/__tests__/remote-config.spec.ts 9/9
+ ❯ src/delegation/__tests__/bitstring.test.ts 0/30
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 28/28
+ ❯ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts [queued]
+ ❯ src/services/__tests__/batch-delegation.service.test.ts 0/11
+ ❯ src/services/__tests__/oauth-provider-registry.test.ts [queued]
+ ❯ src/services/__tests__/provider-resolution.integration.test.ts 0/6
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+
+ Test Files 30 passed (44)
+      Tests 707 passed | 2 skipped (789)
+   Start at 17:52:48
+   Duration 1.06s
+[?2026l[?2026hstderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API request fails
+[RemoteConfig] API returned 404: Not Found
+
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API throws error
+[RemoteConfig] Failed to fetch config: Error: Network error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if neither projectId nor agentDid provided
+[RemoteConfig] Neither projectId nor agentDid provided
+
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should handle cache read errors gracefully
+[RemoteConfig] Cache read failed: Error: Cache error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runSuite (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+
+
+ ❯ src/__tests__/providers/base.test.ts 14/14
+ ❯ src/__tests__/runtime/delegation-flow.test.ts 4/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts 14/14
+ ❯ src/compliance/__tests__/schema-verifier.test.ts 1/30
+ ❯ src/config/__tests__/remote-config.spec.ts 9/9
+ ❯ src/delegation/__tests__/bitstring.test.ts 0/30
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 28/28
+ ❯ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts [queued]
+ ❯ src/services/__tests__/batch-delegation.service.test.ts 0/11
+ ❯ src/services/__tests__/oauth-provider-registry.test.ts [queued]
+ ❯ src/services/__tests__/provider-resolution.integration.test.ts 0/6
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+
+ Test Files 30 passed (44)
+      Tests 707 passed | 2 skipped (789)
+   Start at 17:52:48
+   Duration 1.06s
+[?2026l[?2026h ✓ src/__tests__/services/tool-protection-oauth-provider.test.ts (14 tests) 9ms
+ ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 7ms
+ ✓ src/__tests__/providers/base.test.ts (14 tests) 7ms
+ ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 4ms
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
+[ProviderResolver] Inferred provider "github" from scopes
+
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
+[ProviderResolver] Inferred provider "google" from scopes
+
+
+ ❯ src/__tests__/providers/base.test.ts 14/14
+ ❯ src/__tests__/runtime/delegation-flow.test.ts 4/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts 14/14
+ ❯ src/compliance/__tests__/schema-verifier.test.ts 1/30
+ ❯ src/config/__tests__/remote-config.spec.ts 9/9
+ ❯ src/delegation/__tests__/bitstring.test.ts 0/30
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 28/28
+ ❯ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts [queued]
+ ❯ src/services/__tests__/batch-delegation.service.test.ts 0/11
+ ❯ src/services/__tests__/oauth-provider-registry.test.ts [queued]
+ ❯ src/services/__tests__/provider-resolution.integration.test.ts 0/6
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+
+ Test Files 30 passed (44)
+      Tests 707 passed | 2 skipped (789)
+   Start at 17:52:48
+   Duration 1.06s
+[?2026l[?2026hstderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should return null for ambiguous scopes
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+
+ ❯ src/__tests__/providers/base.test.ts 14/14
+ ❯ src/__tests__/runtime/delegation-flow.test.ts 4/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts 14/14
+ ❯ src/compliance/__tests__/schema-verifier.test.ts 1/30
+ ❯ src/config/__tests__/remote-config.spec.ts 9/9
+ ❯ src/delegation/__tests__/bitstring.test.ts 0/30
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 28/28
+ ❯ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts [queued]
+ ❯ src/services/__tests__/batch-delegation.service.test.ts 0/11
+ ❯ src/services/__tests__/oauth-provider-registry.test.ts [queued]
+ ❯ src/services/__tests__/provider-resolution.integration.test.ts 0/6
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+
+ Test Files 30 passed (44)
+      Tests 707 passed | 2 skipped (789)
+   Start at 17:52:48
+   Duration 1.06s
+[?2026l[?2026h ✓ src/services/__tests__/provider-resolver.test.ts (8 tests) 5ms
+
+ ❯ src/__tests__/providers/base.test.ts 14/14
+ ❯ src/__tests__/runtime/delegation-flow.test.ts 4/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/__tests__/services/tool-protection-oauth-provider.test.ts 14/14
+ ❯ src/compliance/__tests__/schema-verifier.test.ts 1/30
+ ❯ src/config/__tests__/remote-config.spec.ts 9/9
+ ❯ src/delegation/__tests__/bitstring.test.ts 0/30
+ ❯ src/delegation/__tests__/delegation-graph.test.ts 28/28
+ ❯ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts [queued]
+ ❯ src/services/__tests__/batch-delegation.service.test.ts 0/11
+ ❯ src/services/__tests__/oauth-provider-registry.test.ts [queued]
+ ❯ src/services/__tests__/provider-resolution.integration.test.ts 0/6
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+
+ Test Files 30 passed (44)
+      Tests 707 passed | 2 skipped (789)
+   Start at 17:52:48
+   Duration 1.06s
+[?2026l[?2026h ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 5ms
+
+
+
+
+
+
+
+ ❯ src/__tests__/config/provider-runtime-config.test.ts 1/9
+ ❯ src/__tests__/index.test.ts [queued]
+ ❯ src/__tests__/runtime/audit-logger.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+ ❯ src/utils/__tests__/did-helpers.test.ts [queued]
+
+ Test Files 37 passed (44)
+      Tests 835 passed | 2 skipped (849)
+   Start at 17:52:48
+   Duration 1.16s
+[?2026l[?2026hstderr | src/services/__tests__/provider-resolution.integration.test.ts > Provider Resolution Integration > Backward compatibility > should work with Phase 1 tools (no oauthProvider field)
+[ProviderResolver] Tool does not specify oauthProvider. Using first configured provider "github" as fallback. This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.
+
+
+
+
+
+
+ ❯ src/__tests__/config/provider-runtime-config.test.ts 1/9
+ ❯ src/__tests__/index.test.ts [queued]
+ ❯ src/__tests__/runtime/audit-logger.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+ ❯ src/utils/__tests__/did-helpers.test.ts [queued]
+
+ Test Files 37 passed (44)
+      Tests 835 passed | 2 skipped (849)
+   Start at 17:52:48
+   Duration 1.16s
+[?2026l[?2026h ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 13ms
+ ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 4ms
+ ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 11ms
+ ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 4ms
+ ✓ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts (14 tests) 3ms
+ ✓ src/delegation/__tests__/utils.test.ts (28 tests) 3ms
+
+
+
+ ❯ src/__tests__/config/provider-runtime-config.test.ts 1/9
+ ❯ src/__tests__/index.test.ts [queued]
+ ❯ src/__tests__/runtime/audit-logger.test.ts [queued]
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+ ❯ src/services/__tests__/provider-resolver.test.ts 8/8
+ ❯ src/utils/__tests__/did-helpers.test.ts [queued]
+
+ Test Files 37 passed (44)
+      Tests 835 passed | 2 skipped (849)
+   Start at 17:52:48
+   Duration 1.16s
+[?2026l[?2026h ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 2ms
+ ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 4ms
+ ✓ src/utils/__tests__/did-helpers.test.ts (11 tests) 4ms
+ ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 2ms
+
+
+
+
+ ❯ src/__tests__/delegation-e2e.test.ts [queued]
+ ❯ src/__tests__/index.test.ts 0/4
+ ❯ src/__tests__/services/agentshield-integration.test.ts 26/30
+
+ Test Files 41 passed (44)
+      Tests 868 passed | 2 skipped (878)
+   Start at 17:52:48
+   Duration 1.36s
+[?2026l ↓ src/__tests__/delegation-e2e.test.ts (14 tests | 14 skipped)
+ ✓ src/__tests__/index.test.ts (4 tests) 3ms
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-11-24T23:52:50.747Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 4,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.748Z'
+}
+
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
+[ToolProtectionService] API fetch failed, using fallback config {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.748Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.748Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-11-24T23:57:49.748Z'
+}
+
+ ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1111ms
+       ✓ should respect cache TTL  1101ms
+
+ Test Files  43 passed | 1 skipped (44)
+      Tests  876 passed | 16 skipped (892)
+   Start at  17:52:48
+   Duration  1.54s (transform 2.94s, setup 0ms, collect 4.95s, tests 2.24s, environment 4ms, prepare 1.12s)
+
+ % Coverage report from v8
+
+=============================== Coverage summary ===============================
+Statements   : 64.89% ( 1551/2390 )
+Branches     : 59.85% ( 969/1619 )
+Functions    : 63.77% ( 250/392 )
+Lines        : 64.87% ( 1513/2332 )
+================================================================================
+[?25h