npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/__tests__/services/tool-protection-oauth-provider.test.ts ADDED Viewed

@@ -0,0 +1,480 @@
+/**
+ * Tool Protection Service - oauthProvider Parsing Tests
+ *
+ * Tests for parsing oauthProvider field from all API response formats
+ * (Phase 2: Dynamic Providers)
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import { describe, test, expect, beforeEach, vi, afterEach } from 'vitest';
+import { ToolProtectionService } from '../../services/tool-protection.service';
+import {
+  InMemoryToolProtectionCache,
+  type ToolProtectionCache,
+} from '../../cache/tool-protection-cache';
+import type {
+  ToolProtectionServiceConfig,
+  ToolProtectionConfig,
+} from '../../types/tool-protection';
+// Mock global fetch
+global.fetch = vi.fn();
+describe('ToolProtectionService - oauthProvider Parsing', () => {
+  let service: ToolProtectionService;
+  let cache: ToolProtectionCache;
+  let config: ToolProtectionServiceConfig;
+  const mockAgentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cache = new InMemoryToolProtectionCache();
+    config = {
+      apiUrl: 'https://kya.vouched.id',
+      apiKey: 'test-api-key-12345',
+      cacheTtl: 300000, // 5 minutes
+      debug: false,
+    };
+    service = new ToolProtectionService(config, cache);
+  });
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+  describe('New endpoint format (toolProtections object)', () => {
+    test('should parse oauthProvider from camelCase field', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+            },
+            send_email: {
+              requiresDelegation: true,
+              requiredScopes: ['gmail:send'],
+              oauthProvider: 'google',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(result.toolProtections.send_email.oauthProvider).toBe('google');
+    });
+    test('should parse oauthProvider from snake_case field', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauth_provider: 'github',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+    });
+    test('should prefer camelCase over snake_case when both present', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github', // camelCase (preferred)
+              oauth_provider: 'google', // snake_case (should be ignored)
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      // Should prefer camelCase
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(result.toolProtections.read_repos.oauthProvider).not.toBe('google');
+    });
+    test('should handle missing oauthProvider field (backward compatible)', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              // No oauthProvider field (Phase 1 compatibility)
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.requiresDelegation).toBe(true);
+      expect(result.toolProtections.read_repos.requiredScopes).toEqual(['repo:read']);
+      // oauthProvider should be undefined (not included in object)
+      expect(result.toolProtections.read_repos).not.toHaveProperty('oauthProvider');
+    });
+  });
+  describe('Old endpoint format (tools array)', () => {
+    test('should parse oauthProvider from array format with camelCase', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: [
+            {
+              name: 'read_repos',
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+            },
+            {
+              name: 'send_email',
+              requiresDelegation: true,
+              requiredScopes: ['gmail:send'],
+              oauthProvider: 'google',
+            },
+          ],
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(result.toolProtections.send_email.oauthProvider).toBe('google');
+    });
+    test('should parse oauthProvider from array format with snake_case', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: [
+            {
+              name: 'read_repos',
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauth_provider: 'github',
+            },
+          ],
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+    });
+    test('should prefer camelCase over snake_case in array format', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: [
+            {
+              name: 'read_repos',
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+              oauth_provider: 'google',
+            },
+          ],
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+    });
+  });
+  describe('Old endpoint format (tools object)', () => {
+    test('should parse oauthProvider from object format with camelCase', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+            },
+            send_email: {
+              requiresDelegation: true,
+              requiredScopes: ['gmail:send'],
+              oauthProvider: 'google',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(result.toolProtections.send_email.oauthProvider).toBe('google');
+    });
+    test('should parse oauthProvider from object format with snake_case', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauth_provider: 'github',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+    });
+    test('should prefer camelCase over snake_case in object format', async () => {
+      const apiResponse = {
+        success: true,
+        data: {
+          tools: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+              oauth_provider: 'google',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+    });
+  });
+  describe('Caching', () => {
+    test('should cache oauthProvider field correctly', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            read_repos: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      // First call - should fetch from API
+      const result1 = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result1.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(global.fetch).toHaveBeenCalledTimes(1);
+      // Second call - should use cache
+      const result2 = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result2.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(global.fetch).toHaveBeenCalledTimes(1); // Still 1, not 2
+    });
+    test('should preserve oauthProvider through cache operations', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const cachedConfig: ToolProtectionConfig = {
+        toolProtections: {
+          read_repos: {
+            requiresDelegation: true,
+            requiredScopes: ['repo:read'],
+            oauthProvider: 'github',
+          },
+        },
+      };
+      const cacheKey = `config:tool-protections:${projectId}`;
+      await cache.set(cacheKey, cachedConfig, 300000);
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      expect(result.toolProtections.read_repos.oauthProvider).toBe('github');
+      expect(global.fetch).not.toHaveBeenCalled();
+    });
+  });
+  describe('oauthProvider field inclusion', () => {
+    test('should include oauthProvider in returned ToolProtection objects when present', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            tool_with_provider: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: 'github',
+            },
+            tool_without_provider: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              // No oauthProvider
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      // Tool with provider should have oauthProvider field
+      expect(result.toolProtections.tool_with_provider.oauthProvider).toBe('github');
+      expect(result.toolProtections.tool_with_provider).toHaveProperty('oauthProvider');
+      // Tool without provider should not have oauthProvider field
+      expect(result.toolProtections.tool_without_provider).not.toHaveProperty('oauthProvider');
+    });
+    test('should handle empty string oauthProvider gracefully', async () => {
+      const projectId = 'test-project-123';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            tool_with_empty_provider: {
+              requiresDelegation: true,
+              requiredScopes: ['repo:read'],
+              oauthProvider: '', // Empty string
+            },
+          },
+        },
+        metadata: {},
+      };
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+      // Empty string should be treated as falsy and not included
+      expect(result.toolProtections.tool_with_empty_provider).not.toHaveProperty('oauthProvider');
+    });
+  });
+});