npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/services/__tests__/access-control.proof-response-validation.test.ts ADDED Viewed

@@ -0,0 +1,578 @@
+/**
+ * Proof Submission Response Validation Tests
+ *
+ * These tests verify that the proof submission response format matches
+ * the schema defined in @kya-os/contracts, preventing regressions.
+ *
+ * CRITICAL: These tests ensure API parity between MCP-I and AgentShield/Bouncer.
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { AccessControlApiService } from "../access-control.service";
+import { proofSubmissionResponseSchema } from "@kya-os/contracts/agentshield-api";
+import type { ProofSubmissionRequest } from "@kya-os/contracts/agentshield-api";
+describe("Proof Submission Response Validation", () => {
+  let service: AccessControlApiService;
+  let mockFetch: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    mockFetch = vi.fn();
+    service = new AccessControlApiService({
+      baseUrl: "https://kya.vouched.id",
+      apiKey: "test-api-key",
+      fetchProvider: {
+        fetch: mockFetch,
+      },
+      logger: vi.fn(),
+    });
+  });
+  describe("Wrapped Response Format (AgentShield API)", () => {
+    it("should validate wrapped response with success field in data", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Simulate AgentShield API wrapped response
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 1,
+          rejected: 0,
+          outcomes: {
+            success: 1,
+            failed: 0,
+            blocked: 0,
+            error: 0,
+          },
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      expect(result).toMatchObject({
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      });
+    });
+    it("should validate wrapped response with errors array", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 0,
+          rejected: 1,
+          outcomes: {
+            success: 0,
+            failed: 1,
+            blocked: 0,
+            error: 0,
+          },
+          errors: [
+            {
+              proof_index: 0,
+              error: {
+                code: "validation_error",
+                message: "Proof validation failed",
+                details: { reason: "invalid_signature" },
+              },
+            },
+          ],
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      expect(result).toMatchObject({
+        success: true,
+        accepted: 0,
+        rejected: 1,
+        errors: [
+          {
+            proof_index: 0,
+            error: {
+              code: "validation_error",
+              message: "Proof validation failed",
+              details: { reason: "invalid_signature" },
+            },
+          },
+        ],
+      });
+    });
+    it("should validate wrapped response without outcomes (optional field)", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Response without outcomes (should be valid per schema)
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 1,
+          rejected: 0,
+          // outcomes omitted - should still validate
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      expect(result).toMatchObject({
+        success: true,
+        accepted: 1,
+        rejected: 0,
+      });
+      // outcomes should be undefined or present, but not required
+      expect(result.outcomes).toBeUndefined();
+    });
+    it("should throw validation error if data object missing success field", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Response where data object doesn't have success (should be added by service)
+      const wrappedResponse = {
+        success: true,
+        data: {
+          // Missing success field - service should add it
+          accepted: 1,
+          rejected: 0,
+          outcomes: {
+            success: 1,
+            failed: 0,
+            blocked: 0,
+            error: 0,
+          },
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      // Should succeed because service adds success field
+      const result = await service.submitProofs(request);
+      expect(result.success).toBe(true);
+    });
+    it("should validate schema directly matches AgentShield response format", () => {
+      // This test ensures the schema matches what AgentShield actually returns
+      const agentShieldResponseData = {
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      const validation = proofSubmissionResponseSchema.safeParse(
+        agentShieldResponseData
+      );
+      expect(validation.success).toBe(true);
+      if (validation.success) {
+        expect(validation.data).toMatchObject(agentShieldResponseData);
+      }
+    });
+    it("should validate schema with errors array matches AgentShield format", () => {
+      const agentShieldResponseData = {
+        success: true,
+        accepted: 0,
+        rejected: 1,
+        outcomes: {
+          success: 0,
+          failed: 1,
+          blocked: 0,
+          error: 0,
+        },
+        errors: [
+          {
+            proof_index: 0,
+            error: {
+              code: "validation_error",
+              message: "Proof validation failed",
+              details: { reason: "invalid_signature" },
+            },
+          },
+        ],
+      };
+      const validation = proofSubmissionResponseSchema.safeParse(
+        agentShieldResponseData
+      );
+      expect(validation.success).toBe(true);
+      if (validation.success) {
+        expect(validation.data.errors).toHaveLength(1);
+        expect(validation.data.errors![0].proof_index).toBe(0);
+        expect(validation.data.errors![0].error.code).toBe("validation_error");
+      }
+    });
+  });
+  describe("Regression Prevention", () => {
+    it("should prevent regression: missing success field in data", () => {
+      // This test ensures we catch if AgentShield changes response format
+      const responseWithoutSuccess = {
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      const validation = proofSubmissionResponseSchema.safeParse(
+        responseWithoutSuccess
+      );
+      expect(validation.success).toBe(false);
+      if (!validation.success) {
+        expect(
+          validation.error.errors.some((e) => e.path.includes("success"))
+        ).toBe(true);
+      }
+    });
+    it("should prevent regression: wrong type for accepted/rejected", () => {
+      const invalidResponse = {
+        success: true,
+        accepted: "1", // Should be number
+        rejected: "0", // Should be number
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      const validation =
+        proofSubmissionResponseSchema.safeParse(invalidResponse);
+      expect(validation.success).toBe(false);
+    });
+    it("should prevent regression: missing required fields", () => {
+      const incompleteResponse = {
+        success: true,
+        // Missing accepted
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      const validation =
+        proofSubmissionResponseSchema.safeParse(incompleteResponse);
+      expect(validation.success).toBe(false);
+      if (!validation.success) {
+        expect(
+          validation.error.errors.some((e) => e.path.includes("accepted"))
+        ).toBe(true);
+      }
+    });
+  });
+  describe("JSON Deep Clone Fix (Cloudflare Workers Edge Case)", () => {
+    it("should correctly extract data from wrapped response after JSON deep clone", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Simulate the exact response format from AgentShield API
+      // This matches the format seen in production logs
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 1,
+          rejected: 0,
+          outcomes: {
+            success: 1,
+          },
+          errors: [],
+        },
+        metadata: {
+          requestId: "fc1fa88f-9b22-4161-b4fd-17d8215098ee",
+          timestamp: "2025-11-24T21:36:33.029Z",
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      // Verify all fields are correctly extracted
+      expect(result.success).toBe(true);
+      expect(result.accepted).toBe(1);
+      expect(result.rejected).toBe(0);
+      expect(result.outcomes).toEqual({ success: 1 });
+      expect(result.errors).toEqual([]);
+    });
+    it("should handle response where data fields are numeric values (not undefined)", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Test with zero values (edge case for falsy check)
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 0,
+          rejected: 0,
+          outcomes: {},
+          errors: [],
+        },
+        metadata: {
+          requestId: "test-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      // Verify zero values are correctly extracted (not treated as undefined)
+      expect(result.success).toBe(true);
+      expect(result.accepted).toBe(0);
+      expect(result.rejected).toBe(0);
+    });
+    it("should handle response with nested outcomes object", async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: "test-session",
+        proofs: [
+          {
+            jws: "test.jws.signature",
+            meta: {
+              did: "did:key:test",
+              kid: "did:key:test#key-1",
+              ts: Date.now(),
+              nonce: "test-nonce",
+              audience: "https://kya.vouched.id",
+              sessionId: "test-session",
+              requestHash: "sha256:" + "a".repeat(64),
+              responseHash: "sha256:" + "b".repeat(64),
+              scopeId: "test:execute",
+            },
+          },
+        ],
+      };
+      // Test with various outcome types
+      const wrappedResponse = {
+        success: true,
+        data: {
+          accepted: 3,
+          rejected: 2,
+          outcomes: {
+            success: 1,
+            failed: 1,
+            blocked: 1,
+            error: 2,
+          },
+          errors: [
+            {
+              proof_index: 0,
+              error: {
+                code: "validation_error",
+                message: "Invalid signature",
+              },
+            },
+          ],
+        },
+        metadata: {
+          requestId: "test-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        text: async () => JSON.stringify(wrappedResponse),
+        headers: new Headers(),
+      });
+      const result = await service.submitProofs(request);
+      expect(result.accepted).toBe(3);
+      expect(result.rejected).toBe(2);
+      expect(result.outcomes).toEqual({
+        success: 1,
+        failed: 1,
+        blocked: 1,
+        error: 2,
+      });
+      expect(result.errors).toHaveLength(1);
+      expect(result.errors![0].proof_index).toBe(0);
+    });
+  });
+});