npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/services/__tests__/access-control.service.test.ts ADDED Viewed

@@ -0,0 +1,970 @@
+/**
+ * Unit Tests for AccessControlApiService
+ *
+ * Comprehensive test coverage for the access control API service.
+ * Tests all methods (fetchConfig, verifyDelegation, submitProofs) with
+ * success cases, error cases, retry logic, and validation.
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { AccessControlApiService } from '../access-control.service.js';
+import { AgentShieldAPIError } from '@kya-os/contracts/agentshield-api';
+import type { FetchProvider } from '../../providers/base.js';
+import type {
+  VerifyDelegationRequest,
+  ToolProtectionConfigAPIResponse,
+  ProofSubmissionRequest,
+} from '@kya-os/contracts/agentshield-api';
+describe('AccessControlApiService', () => {
+  let service: AccessControlApiService;
+  let mockFetchProvider: FetchProvider;
+  let mockLogger: ReturnType<typeof vi.fn>;
+  let mockSleep: ReturnType<typeof vi.fn>;
+  beforeEach(() => {
+    mockLogger = vi.fn();
+    mockSleep = vi.fn().mockResolvedValue(undefined);
+    mockFetchProvider = {
+      resolveDID: vi.fn(),
+      fetchStatusList: vi.fn(),
+      fetchDelegationChain: vi.fn(),
+      fetch: vi.fn(),
+    } as unknown as FetchProvider;
+    service = new AccessControlApiService({
+      baseUrl: 'https://api.example.com',
+      apiKey: 'test-api-key',
+      fetchProvider: mockFetchProvider,
+      logger: mockLogger,
+      sleepProvider: mockSleep,
+      retryConfig: {
+        maxRetries: 2,
+        initialDelayMs: 10,
+        maxDelayMs: 100,
+      },
+    });
+  });
+  describe('fetchConfig', () => {
+    it('should fetch config successfully', async () => {
+      const mockResponse: ToolProtectionConfigAPIResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {
+            'tool1': {
+              scopes: ['scope1'],
+              requires_delegation: true,
+            },
+          },
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
+      expect(result).toEqual(mockResponse);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
+        'https://api.example.com/api/v1/bouncer/config?agent_did=did%3Akey%3Az123',
+        expect.objectContaining({
+          method: 'GET',
+          headers: expect.objectContaining({
+            'Authorization': 'Bearer test-api-key',
+            'Content-Type': 'application/json',
+          }),
+        })
+      );
+    });
+    it('should handle 404 error', async () => {
+      const errorResponse = {
+        success: false,
+        error: {
+          code: 'config_not_found',
+          message: 'Config not found',
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(errorResponse), {
+          status: 404,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await expect(
+        service.fetchConfig({ agentDid: 'did:key:z123' })
+      ).rejects.toThrow(AgentShieldAPIError);
+      const metrics = service.getMetrics();
+      expect(metrics.errorCount).toBe(1);
+    });
+    it('should retry on 500 error', async () => {
+      const mockResponse: ToolProtectionConfigAPIResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {},
+        },
+      };
+      // First call fails with 500, second succeeds
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockResolvedValueOnce(
+          new Response('Internal Server Error', { status: 500 })
+        )
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify(mockResponse), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          })
+        );
+      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
+      expect(result).toEqual(mockResponse);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
+      expect(mockSleep).toHaveBeenCalled();
+      expect(service.getMetrics().retryCount).toBe(1);
+    });
+    it('should handle invalid JSON response', async () => {
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockResolvedValueOnce(
+          new Response('invalid json', {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          })
+        )
+        .mockResolvedValueOnce(
+          new Response('invalid json', {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          })
+        );
+      await expect(
+        service.fetchConfig({ agentDid: 'did:key:z123' })
+      ).rejects.toThrow(AgentShieldAPIError);
+      const error = await service
+        .fetchConfig({ agentDid: 'did:key:z123' })
+        .catch((e) => e);
+      expect(error).toBeInstanceOf(AgentShieldAPIError);
+      expect(error.code).toBe('invalid_response');
+    });
+  });
+  describe('verifyDelegation', () => {
+    it('should verify delegation successfully', async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: 'did:key:z123',
+        scopes: ['scope1', 'scope2'],
+      };
+      const mockResponse = {
+        success: true,
+        data: {
+          valid: true,
+          delegation_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID format
+          credential: {
+            agent_did: 'did:key:z123',
+            scopes: ['scope1', 'scope2'],
+            issued_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
+            created_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
+          },
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result = await service.verifyDelegation(request);
+      expect(result.data.valid).toBe(true);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
+        'https://api.example.com/api/v1/bouncer/delegations/verify',
+        expect.objectContaining({
+          method: 'POST',
+          body: JSON.stringify({
+            agent_did: 'did:key:z123',
+            scopes: ['scope1', 'scope2'],
+          }),
+        })
+      );
+    });
+    it('should omit scopes field when scopes is undefined (truly optional)', async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: 'did:key:z123',
+        // scopes is intentionally omitted
+      };
+      const mockResponse = {
+        success: true,
+        data: { valid: true },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      try {
+        await service.verifyDelegation(request);
+      } catch (error: any) {
+        // Log validation errors and mock logger calls for debugging
+        if (error.details?.zodErrors) {
+          console.log('Validation errors:', JSON.stringify(error.details.zodErrors, null, 2));
+        }
+        // Check mock logger calls
+        const loggerCalls = mockLogger.mock.calls;
+        const debugCall = loggerCalls.find((call: any[]) =>
+          call[0]?.includes('Request body debug')
+        );
+        if (debugCall) {
+          console.log('Debug log:', JSON.stringify(debugCall[1], null, 2));
+        }
+        throw error;
+      }
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mock.calls[0];
+      const requestBody = JSON.parse(callArgs[1].body as string);
+      // Verify scopes field is not included in request body when undefined
+      expect(requestBody).not.toHaveProperty('scopes');
+      expect(requestBody.agent_did).toBe('did:key:z123');
+    });
+    it('should include scopes field when scopes is provided', async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: 'did:key:z123',
+        scopes: ['scope1', 'scope2'],
+      };
+      const mockResponse = {
+        success: true,
+        data: { valid: true },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await service.verifyDelegation(request);
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mock.calls[0];
+      const requestBody = JSON.parse(callArgs[1].body as string);
+      // Verify scopes field is included when provided
+      expect(requestBody.scopes).toEqual(['scope1', 'scope2']);
+    });
+    it('should include delegation_token from context', async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: 'did:key:z123',
+        scopes: ['scope1'],
+      };
+      const mockResponse = {
+        success: true,
+        data: { valid: true },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await service.verifyDelegation(request, {
+        delegationToken: 'token-123',
+        credentialJwt: 'jwt-123',
+      });
+      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
+        expect.any(String),
+        expect.objectContaining({
+          body: expect.stringContaining('delegation_token'),
+        })
+      );
+    });
+    it('should handle validation error', async () => {
+      const invalidRequest = {
+        agent_did: '', // Invalid: empty string
+        scopes: [],
+      } as VerifyDelegationRequest;
+      // Mock fetch twice since we call verifyDelegation twice
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockResolvedValueOnce(
+          new Response(
+            JSON.stringify({
+              success: false,
+              error: {
+                code: 'validation_error',
+                message: 'Invalid request',
+              },
+            }),
+            {
+              status: 400,
+              headers: { 'Content-Type': 'application/json' },
+            }
+          )
+        )
+        .mockResolvedValueOnce(
+          new Response(
+            JSON.stringify({
+              success: false,
+              error: {
+                code: 'validation_error',
+                message: 'Invalid request',
+              },
+            }),
+            {
+              status: 400,
+              headers: { 'Content-Type': 'application/json' },
+            }
+          )
+        );
+      await expect(
+        service.verifyDelegation(invalidRequest)
+      ).rejects.toThrow(AgentShieldAPIError);
+      const error = await service
+        .verifyDelegation(invalidRequest)
+        .catch((e) => e);
+      expect(error.code).toBe('validation_error');
+    });
+    it('should handle 401 authentication error', async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: 'did:key:z123',
+        scopes: ['scope1'],
+      };
+      // Mock fetch twice since we call verifyDelegation twice
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockResolvedValueOnce(
+          new Response(
+            JSON.stringify({
+              success: false,
+              error: {
+                code: 'authentication_failed',
+                message: 'Invalid API key',
+              },
+            }),
+            {
+              status: 401,
+              headers: { 'Content-Type': 'application/json' },
+            }
+          )
+        )
+        .mockResolvedValueOnce(
+          new Response(
+            JSON.stringify({
+              success: false,
+              error: {
+                code: 'authentication_failed',
+                message: 'Invalid API key',
+              },
+            }),
+            {
+              status: 401,
+              headers: { 'Content-Type': 'application/json' },
+            }
+          )
+        );
+      await expect(service.verifyDelegation(request)).rejects.toThrow(
+        AgentShieldAPIError
+      );
+      const error = await service.verifyDelegation(request).catch((e) => e);
+      expect(error.code).toBe('authentication_failed');
+    });
+  });
+  describe('submitProofs', () => {
+    it('should submit proofs successfully', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
+        delegation_id: null, // Explicitly set to null
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      const mockResponse = {
+        // Direct ProofSubmissionResponse (not wrapped)
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result = await service.submitProofs(request);
+      expect(result.accepted).toBe(1);
+      expect(result.rejected).toBe(0);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
+        'https://api.example.com/api/v1/bouncer/proofs',
+        expect.objectContaining({
+          method: 'POST',
+          body: JSON.stringify(request),
+        })
+      );
+    });
+    it('should handle all_proofs_rejected error gracefully', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
+        delegation_id: null, // Explicitly set to null
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      const errorResponse = {
+        success: false,
+        error: {
+          code: 'all_proofs_rejected',
+          message: 'All proofs rejected',
+          details: {
+            rejected: 1,
+            errors: [
+              {
+                proof_index: 0,
+                error: {
+                  code: 'invalid_signature',
+                  message: 'Invalid signature',
+                },
+              },
+            ],
+          },
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(errorResponse), {
+          status: 400,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result = await service.submitProofs(request);
+      // ProofSubmissionResponse has a success field
+      expect(result.success).toBe(false);
+      expect(result.accepted).toBe(0);
+      expect(result.rejected).toBe(1);
+      expect(result.errors).toBeDefined();
+    });
+    it('should handle wrapped response format', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
+        delegation_id: null, // Explicitly set to null
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      const wrappedResponse = {
+        success: true,
+        data: {
+          // ProofSubmissionResponse has a success field
+          success: true,
+          accepted: 1,
+          rejected: 0,
+          outcomes: {
+            success: 1,
+            failed: 0,
+            blocked: 0,
+            error: 0,
+          },
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(wrappedResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result = await service.submitProofs(request);
+      expect(result.accepted).toBe(1);
+    });
+    it('should handle invalid response format with detailed error logging', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000',
+        delegation_id: null,
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000),
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      // Invalid response: missing required fields (accepted, rejected, outcomes)
+      const invalidResponse = {
+        success: true,
+        message: 'Proof submitted', // Wrong format - missing required fields
+      };
+      const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(invalidResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const error = await service.submitProofs(request).catch((e) => e);
+      expect(error).toBeInstanceOf(AgentShieldAPIError);
+      expect((error as AgentShieldAPIError).code).toBe('invalid_response');
+      expect((error as AgentShieldAPIError).message).toBe('Response validation failed');
+      // Verify detailed error logging
+      expect(consoleErrorSpy).toHaveBeenCalled();
+      const errorCall = consoleErrorSpy.mock.calls.find(call =>
+        call[0]?.includes('Response validation failed')
+      );
+      expect(errorCall).toBeDefined();
+      expect(errorCall?.[1]).toHaveProperty('zodErrors');
+      expect(errorCall?.[1]).toHaveProperty('responseData');
+      consoleErrorSpy.mockRestore();
+    });
+    it('should handle response with missing outcomes field (outcomes is optional)', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000',
+        delegation_id: null,
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000),
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      // Test 1: Response WITHOUT outcomes field (valid - outcomes is optional)
+      const responseWithoutOutcomes = {
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        // Missing outcomes field - this is now valid
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
+        new Response(JSON.stringify(responseWithoutOutcomes), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result1 = await service.submitProofs(request);
+      expect(result1).toEqual({
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: undefined, // outcomes is optional
+      });
+      // Test 2: Response WITH outcomes field (also valid)
+      const responseWithOutcomes = {
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
+        new Response(JSON.stringify(responseWithOutcomes), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result2 = await service.submitProofs(request);
+      expect(result2).toEqual({
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      });
+      // Test 3: Response with empty outcomes object (also valid)
+      const responseWithEmptyOutcomes = {
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {},
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
+        new Response(JSON.stringify(responseWithEmptyOutcomes), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const result3 = await service.submitProofs(request);
+      expect(result3).toEqual({
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {},
+      });
+    });
+    it('should handle wrapped response with invalid data structure', async () => {
+      const request: ProofSubmissionRequest = {
+        session_id: '123e4567-e89b-12d3-a456-426614174000',
+        delegation_id: null,
+        proofs: [
+          {
+            jws: 'header.payload.signature',
+            meta: {
+              did: 'did:key:z123',
+              kid: 'did:key:z123#key-1',
+              ts: Math.floor(Date.now() / 1000),
+              nonce: 'nonce-123',
+              audience: 'mcp-client',
+              sessionId: 'session-123',
+              requestHash: 'sha256:' + 'a'.repeat(64),
+              responseHash: 'sha256:' + 'b'.repeat(64),
+            },
+          },
+        ],
+      };
+      // Wrapped response but data is invalid
+      const invalidWrappedResponse = {
+        success: true,
+        data: {
+          // Missing required fields
+          message: 'Invalid format',
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(invalidWrappedResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      const error = await service.submitProofs(request).catch((e) => e);
+      expect(error).toBeInstanceOf(AgentShieldAPIError);
+      expect((error as AgentShieldAPIError).code).toBe('invalid_response');
+    });
+    it('should validate request schema', async () => {
+      const invalidRequest = {
+        session_id: '', // Invalid: empty string
+        proofs: [],
+      } as ProofSubmissionRequest;
+      await expect(service.submitProofs(invalidRequest)).rejects.toThrow(
+        AgentShieldAPIError
+      );
+      const error = await service
+        .submitProofs(invalidRequest)
+        .catch((e) => e);
+      expect(error.code).toBe('validation_error');
+    });
+  });
+  describe('retry logic', () => {
+    it('should retry on network errors', async () => {
+      const mockResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {},
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      // First call throws network error, second succeeds
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockRejectedValueOnce(new TypeError('fetch failed'))
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify(mockResponse), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          })
+        );
+      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
+      expect(result).toBeDefined();
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
+      expect(service.getMetrics().retryCount).toBe(1);
+    });
+    it('should not retry on 400 errors', async () => {
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(
+          JSON.stringify({
+            success: false,
+            error: {
+              code: 'validation_error',
+              message: 'Invalid request',
+            },
+          }),
+          {
+            status: 400,
+            headers: { 'Content-Type': 'application/json' },
+          }
+        )
+      );
+      await expect(
+        service.fetchConfig({ agentDid: 'did:key:z123' })
+      ).rejects.toThrow(AgentShieldAPIError);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(1);
+      expect(mockSleep).not.toHaveBeenCalled();
+    });
+    it('should respect maxRetries limit', async () => {
+      // All calls fail with 500 - need to mock multiple times for retries
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }))
+        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }))
+        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }));
+      await expect(
+        service.fetchConfig({ agentDid: 'did:key:z123' })
+      ).rejects.toThrow();
+      // Should retry maxRetries times (2) + initial attempt = 3 total
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(3);
+      expect(service.getMetrics().retryCount).toBe(2);
+      expect(service.getMetrics().errorCount).toBe(1);
+    });
+  });
+  describe('metrics', () => {
+    it('should track successful requests', async () => {
+      const mockResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {},
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await service.fetchConfig({ agentDid: 'did:key:z123' });
+      const metrics = service.getMetrics();
+      expect(metrics.successCount).toBe(1);
+      expect(metrics.errorCount).toBe(0);
+    });
+    it('should reset metrics', async () => {
+      const mockResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {},
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await service.fetchConfig({ agentDid: 'did:key:z123' });
+      service.resetMetrics();
+      const metrics = service.getMetrics();
+      expect(metrics.successCount).toBe(0);
+      expect(metrics.errorCount).toBe(0);
+      expect(metrics.retryCount).toBe(0);
+    });
+  });
+  describe('correlation ID', () => {
+    it('should include correlation ID in headers', async () => {
+      const mockResponse = {
+        success: true,
+        data: {
+          agent_did: 'did:key:z123',
+          tools: {},
+        },
+        metadata: {
+          requestId: 'test-request-id',
+          timestamp: new Date().toISOString(),
+        },
+      };
+      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+      await service.fetchConfig({ agentDid: 'did:key:z123' });
+      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
+        .mock.calls[0];
+      const headers = callArgs[1].headers;
+      expect(headers['X-Request-ID']).toBeDefined();
+      expect(typeof headers['X-Request-ID']).toBe('string');
+    });
+  });
+});