@kya-os/mcp-i-core 1.3.10 → 1.3.11

package/.turbo/turbo-test.log

@@ -1,585 +1,826 @@
 
-> @kya-os/mcp-i-core@1.3.7 test /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core
+> @kya-os/mcp-i-core@1.3.11 test /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
 > vitest run
 
 
- RUN  v4.0.5 /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core
+ RUN  v4.0.14 /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
 
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
-[CryptoService] Ed25519 verification error: Error: Verification failed
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
-[CryptoService] Invalid Ed25519 JWK format
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
-[CryptoService] Invalid Ed25519 JWK format
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
-[CryptoService] Invalid Ed25519 JWK format
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
-[CryptoService] Invalid Ed25519 JWK format
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
-[CryptoService] Invalid Ed25519 JWK format
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'ž', "ž‹" is not valid JSON
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
-[CryptoService] Unsupported algorithm: RS256, expected EdDSA
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
-[CryptoService] Unsupported algorithm: HS256, expected EdDSA
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
-[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
-[CryptoService] Key ID mismatch
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
-[CryptoService] Unsupported algorithm: EdDSA, expected RS256
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
-[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
-    at CryptoService.jwkToBase64PublicKey (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
-[CryptoService] Ed25519 verification error: Error: Crypto error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-
- ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 19ms
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use X-API-Key header for new endpoint
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.310Z'
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '77c7a20f-05ce-4415-838f-5f53cb90aa44',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use Authorization Bearer header for old endpoint
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.314Z'
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '77c7a20f-05ce-4415-838f-5f53cb90aa44',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped endpoint when projectId is available
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.315Z'
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
 }
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.315Z'
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '1747205d-098b-4520-acc2-6cd9890190f3',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 200,
+  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
+  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'project/with/special-chars',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '1747205d-098b-4520-acc2-6cd9890190f3',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 0,\n' +
+    '  "rejected": 1,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "invalid_signature",\n' +
+    '        "message": "Invalid JWS signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 0,
+  "rejected": 1,
+  "outcomes": {
+    "success": 0,
+    "failed": 1,
+    "blocked": 0,
+    "error": 0
+  },
+  "errors": [
+    {
+      "proof_index": 0,
+      "error": {
+        "code": "invalid_signature",
+        "message": "Invalid JWS signature"
+      }
+    }
+  ]
 }
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
-}
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
+[CryptoService] Key ID mismatch
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should fetch from project-scoped endpoint when projectId is available
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.312Z'
-}
+ ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 118ms
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should handle new endpoint format with toolProtections object
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'protected_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
-}
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should parse oauthProvider from new endpoint format (Phase 2)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
-}
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools array)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
-}
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'deae9b94-fc2a-44bb-8c86-7b453c0151f7',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle snake_case field names
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'deae9b94-fc2a-44bb-8c86-7b453c0151f7',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
 }
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle camelCase field names
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
 }
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should prefer camelCase over snake_case when both present
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'c2bd8538-dc0b-4694-9e4d-dd3d07df2bac',
+  status: 400,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 209,
+  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
+  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
 }
-
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should preserve oauthProvider through cache operations
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'read_repos' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'c2bd8538-dc0b-4694-9e4d-dd3d07df2bac',
+  status: 400,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'error' ],
+  responseData: '{\n' +
+    '  "success": false,\n' +
+    '  "error": {\n' +
+    '    "code": "all_proofs_rejected",\n' +
+    '    "message": "All proofs rejected",\n' +
+    '    "details": {\n' +
+    '      "rejected": 1,\n' +
+    '      "errors": [\n' +
+    '        {\n' +
+    '          "proof_index": 0,\n' +
+    '          "error": {\n' +
+    '            "code": "invalid_signature",\n' +
+    '            "message": "Invalid signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      ]\n' +
+    '    }\n' +
+    '  }\n' +
+    '}'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
-
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'aec40584-7681-44c4-ba5f-846b20e3b703',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 206,
+  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.158Z"}}',
+  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.158Z"}}'
 }
-
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'aec40584-7681-44c4-ba5f-846b20e3b703',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "success": true,\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-12-04T01:04:13.158Z"\n' +
+    '  }\n' +
+    '}'
 }
-
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "success": true,
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-12-04T01:04:13.158Z"
+  }
 }
-
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.320Z'
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'aec40584-7681-44c4-ba5f-846b20e3b703',
+  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
 }
-
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.320Z'
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'aec40584-7681-44c4-ba5f-846b20e3b703',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
-[ToolProtectionService] Cache miss, fetching from API {
-  source: 'api-fetch-start',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  apiUrl: 'https://kya.vouched.id',
-  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
-}
-[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
-  method: 'config?agent_did (old)',
-  projectId: 'none',
-  apiKeyPresent: true,
-  apiKeyLength: 18,
-  apiKeyMasked: 'test-api...'
-}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '23f9725f-3ae1-4507-a0b4-9000c503f539',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 42,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '23f9725f-3ae1-4507-a0b4-9000c503f539',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0
+}
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
-[ToolProtectionService] API response received {
-  source: 'api-fetch-complete',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  responseKeys: [ 'success', 'data', 'metadata' ],
-  dataKeys: [ 'tools' ],
-  rawToolProtections: null,
-  rawTools: [
-    { name: 'valid_tool', requiresDelegation: true },
-    { requiresDelegation: false }
-  ],
-  responseMetadata: {}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '3d3e7ec6-3d12-4ffb-94db-8f1fd1eacb83',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '3d3e7ec6-3d12-4ffb-94db-8f1fd1eacb83',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'c2f50d50-cdd9-487b-aca9-8655b5525cfb',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 56,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'c2f50d50-cdd9-487b-aca9-8655b5525cfb',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {}
+}
+
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'acc96611-1fba-48e8-a631-9e57dbf31366',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 52,
+  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
+  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'acc96611-1fba-48e8-a631-9e57dbf31366',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data' ],
+  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: 'acc96611-1fba-48e8-a631-9e57dbf31366',
+  dataKeys: [ 'message' ],
+  hasAccepted: false,
+  hasRejected: false,
+  hasOutcomes: false,
+  hasErrors: false,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  outcomesType: 'undefined',
+  outcomesValue: undefined,
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n  "message": "Invalid format"\n}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: 'acc96611-1fba-48e8-a631-9e57dbf31366',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedValue: undefined,
+  hasOutcomes: false,
+  outcomesValue: undefined,
+  fullDataWithSuccess: '{\n  "success": true\n}'
+}
+[AccessControl] ❌ MISSING REQUIRED FIELDS AFTER CONSTRUCTION: {
+  correlationId: 'acc96611-1fba-48e8-a631-9e57dbf31366',
+  hasAccepted: true,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  fullDataWithSuccess: '{\n  "success": true\n}',
+  dataToValidateKeys: [ 'message' ],
+  fullDataToValidate: '{\n  "message": "Invalid format"\n}',
+  originalResponseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+
+ ✓ src/services/__tests__/storage.service.test.ts (17 tests) 60ms
+ ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 35ms
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should fetch from project-scoped /config endpoint when projectId is available
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'valid_tool' ],
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.321Z'
-}
-[ToolProtectionService] API fetch successful, config cached {
-  source: 'cache-write',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  toolCount: 1,
-  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
-  ttlMs: 300000,
-  ttlMinutes: 5,
-  expiresAt: '2025-11-26T15:41:45.321Z',
-  expiresIn: '300s'
+  cacheExpiresAt: '2025-12-04T01:09:13.325Z'
 }
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should handle new endpoint format with toolProtections object
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
+  toolCount: 2,
+  protectedTools: [ 'protected_tool' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.327Z'
 }
 
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should parse oauthProvider from new endpoint format (Phase 2)
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
-  cacheTtlMs: 1000,
-  cacheExpiresAt: '2025-11-26T15:36:46.320Z'
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.327Z'
 }
 
-stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should preserve oauthProvider through cache operations
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'ECONNREFUSED',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
   toolCount: 1,
-  protectedTools: [ 'tool1' ],
+  protectedTools: [ 'read_repos' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.327Z'
 }
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
 
-}
-stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
-
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Network error',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
-}
-
+  cacheExpiresAt: '2025-12-04T01:09:13.328Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
-  cacheTtlMs: 600000,
-  cacheExpiresAt: '2025-11-26T15:46:45.324Z'
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.328Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.328Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 1,
+  toolCount: 2,
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.328Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 2,
-  protectedTools: [ 'tool1' ],
+  protectedTools: [ 'read_repos', 'send_email' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.328Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [],
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Cache miss, fetching from API {
+  source: 'api-fetch-start',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
+  apiUrl: 'https://kya.vouched.id',
+  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
+  method: 'config?agent_did (legacy)',
+  projectId: 'none',
+  apiKeyPresent: true,
+  apiKeyLength: 18,
+  apiKeyMasked: 'test-api...'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should fetch from /config endpoint and extract toolProtection.tools
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'other_tool' ],
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.327Z'
 }
 
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
-[ToolProtectionService] Protection check {
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] API response received {
+  source: 'api-fetch-complete',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  responseKeys: [ 'success', 'data', 'metadata' ],
+  dataKeys: [ 'tools' ],
+  rawConfig: null,
+  rawConfigToolProtection: null,
+  rawToolProtections: null,
+  rawTools: [
+    { name: 'valid_tool', requiresDelegation: true },
+    { requiresDelegation: false }
+  ],
+  responseMetadata: {}
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'valid_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.329Z'
+}
+[ToolProtectionService] API fetch successful, config cached {
+  source: 'cache-write',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  toolCount: 1,
+  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
+  ttlMs: 300000,
+  ttlMinutes: 5,
+  expiresAt: '2025-12-04T01:09:13.329Z',
+  expiresIn: '300s'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should use projectId-based /config endpoint when projectId is set
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'my-project-id',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.330Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should handle empty tools object from merged config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.331Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should correctly identify protected tool from merged config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.331Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should correctly identify protected tool from merged config
+[ToolProtectionService] Protection check {
+  tool: 'checkout',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'checkout', 'greet' ]
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should return null for unknown tool
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.331Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should return null for unknown tool
+[ToolProtectionService] Protection check {
+  tool: 'unknown-tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: false,
+  isWildcard: true,
+  requiresDelegation: false,
+  availableTools: [ 'greet' ]
+}
+
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'ECONNREFUSED',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+
+stderr | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fallback behavior with merged config > should use fallback config when network error occurs
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.332Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.332Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 600000,
+  cacheExpiresAt: '2025-12-04T01:14:13.332Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fallback behavior with merged config > should handle API returning config without tools field
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.332Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should cache tool protections extracted from merged config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.332Z'
+}
+
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should respect cache TTL for merged config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 100,
+  cacheExpiresAt: '2025-12-04T01:04:13.433Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.333Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+}
+
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'other_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
+}
+
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Protection check {
   tool: 'unknown_tool',
   agentDid: 'did:key:z6MkhaXgBZDv...',
   found: false,
@@ -596,7 +837,7 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
 }
 
 stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
@@ -617,7 +858,7 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.334Z'
 }
 
 stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
@@ -638,7 +879,7 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.335Z'
 }
 
 stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
@@ -651,6 +892,7 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   availableTools: [ 'protected_tool' ]
 }
 
+ ✓ src/delegation/__tests__/utils.test.ts (28 tests) 3ms
 stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -659,7 +901,7 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.326Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.335Z'
 }
 
 stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
@@ -670,104 +912,227 @@ stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtection
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.326Z'
+  cacheExpiresAt: '2025-12-04T01:09:13.335Z'
 }
 
- ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 22ms
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '2ade6797-2590-481e-aa6f-2215d75b3996',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+ ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 15ms
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use X-API-Key header for new endpoint
+[ToolProtectionService] Config loaded from API {
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+  source: 'api',
+
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
+  toolCount: 0,
+  protectedTools: [],
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.336Z'
 }
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '2ade6797-2590-481e-aa6f-2215d75b3996',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use Authorization Bearer header for old endpoint
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.356Z'
 }
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped /config endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.367Z'
 }
 
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '60a313a1-6692-43bd-aa37-29fa860cf510',
-  status: 400,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 209,
-  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
-  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.367Z'
 }
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '60a313a1-6692-43bd-aa37-29fa860cf510',
-  status: 400,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'error' ],
-  responseData: '{\n' +
-    '  "success": false,\n' +
-    '  "error": {\n' +
-    '    "code": "all_proofs_rejected",\n' +
-    '    "message": "All proofs rejected",\n' +
-    '    "details": {\n' +
-    '      "rejected": 1,\n' +
-    '      "errors": [\n' +
-    '        {\n' +
-    '          "proof_index": 0,\n' +
-    '          "error": {\n' +
-    '            "code": "invalid_signature",\n' +
-    '            "message": "Invalid signature"\n' +
-    '          }\n' +
-    '        }\n' +
-    '      ]\n' +
-    '    }\n' +
-    '  }\n' +
-    '}'
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'project/with/special-chars',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.368Z'
 }
 
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.368Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.368Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.368Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.369Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.369Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle camelCase field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.369Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should prefer camelCase over snake_case when both present
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.369Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.371Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-12-04T01:04:14.371Z'
+}
+
+ ✓ src/__tests__/runtime/base.test.ts (55 tests) 64ms
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
+
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
+
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with success field in data
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should respect cache TTL for merged config
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  correlationId: 'e81d10fc-4a5c-419f-b96f-442734a20e6e',
+  toolCount: 1,
   status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 206,
-  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.371Z"}}',
-  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.371Z"}}'
+  protectedTools: [ 'greet' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  statusText: undefined,
+  headers: {},
+  cacheTtlMs: 100,
+  cacheExpiresAt: '2025-12-04T01:04:13.584Z'
+}
+
+  responseTextLength: 191,
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Backward compatibility - /tool-protections response format > should still handle legacy /tool-protections response format if encountered
+[ToolProtectionService] Config loaded from API {
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.369Z"}}',
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.369Z"}}'
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+}
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.485Z'
 }
+
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+  correlationId: 'e81d10fc-4a5c-419f-b96f-442734a20e6e',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
   responseData: '{\n' +
     '  "success": true,\n' +
     '  "data": {\n' +
-    '    "success": true,\n' +
     '    "accepted": 1,\n' +
     '    "rejected": 0,\n' +
     '    "outcomes": {\n' +
@@ -779,14 +1144,13 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.371Z"\n' +
+    '    "timestamp": "2025-12-04T01:04:13.369Z"\n' +
     '  }\n' +
     '}'
 }
 [AccessControl] Raw response received: {
   "success": true,
   "data": {
-    "success": true,
     "accepted": 1,
     "rejected": 0,
     "outcomes": {
@@ -798,12 +1162,12 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.371Z"
+    "timestamp": "2025-12-04T01:04:13.369Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
-  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  correlationId: 'e81d10fc-4a5c-419f-b96f-442734a20e6e',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
   hasAccepted: true,
   hasRejected: true,
   hasOutcomes: true,
@@ -817,7 +1181,6 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
   errorsType: 'undefined',
   errorsIsArray: false,
   fullData: '{\n' +
-    '  "success": true,\n' +
     '  "accepted": 1,\n' +
     '  "rejected": 0,\n' +
     '  "outcomes": {\n' +
@@ -829,7 +1192,7 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+  correlationId: 'e81d10fc-4a5c-419f-b96f-442734a20e6e',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
   hasSuccess: true,
   successValue: true,
@@ -852,305 +1215,48 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '}'
 }
 
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd77a977b-42ca-4926-a1a3-8e633c5c215c',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 42,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd77a977b-42ca-4926-a1a3-8e633c5c215c',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
-  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0
-}
-
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with errors array
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'b57c702a-173c-463c-8a0e-1edc3fc11cb6',
+  correlationId: 'fd709747-f82f-46b1-860e-25f3dff00f62',
   status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 333,
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.436Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.436Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'b57c702a-173c-463c-8a0e-1edc3fc11cb6',
+  correlationId: 'fd709747-f82f-46b1-860e-25f3dff00f62',
   status: 200,
   responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
   responseData: '{\n' +
     '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
-}
-
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '9e9878e9-938f-4bd4-b940-aa4cd8626ac8',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 56,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '9e9878e9-938f-4bd4-b940-aa4cd8626ac8',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {}
-}
-
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 52,
-  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
-  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'data' ],
-  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "data": {
-    "message": "Invalid format"
-  }
-}
-[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  dataKeys: [ 'message' ],
-  hasAccepted: false,
-  hasRejected: false,
-  hasOutcomes: false,
-  hasErrors: false,
-  acceptedType: 'undefined',
-  acceptedValue: undefined,
-  rejectedType: 'undefined',
-  rejectedValue: undefined,
-  outcomesType: 'undefined',
-  outcomesValue: undefined,
-  errorsType: 'undefined',
-  errorsIsArray: false,
-  fullData: '{\n  "message": "Invalid format"\n}'
-}
-[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
-  hasSuccess: true,
-  successValue: true,
-  hasAccepted: true,
-  acceptedValue: undefined,
-  hasRejected: true,
-  rejectedValue: undefined,
-  hasOutcomes: false,
-  outcomesValue: undefined,
-  fullDataWithSuccess: '{\n  "success": true\n}'
-}
-[AccessControl] ❌ MISSING REQUIRED FIELDS AFTER CONSTRUCTION: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  hasAccepted: true,
-  acceptedType: 'undefined',
-  acceptedValue: undefined,
-  hasRejected: true,
-  rejectedType: 'undefined',
-  rejectedValue: undefined,
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
-  fullDataWithSuccess: '{\n  "success": true\n}',
-  dataToValidateKeys: [ 'message' ],
-  fullDataToValidate: '{\n  "message": "Invalid format"\n}',
-  originalResponseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
-}
-
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
-[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
-
-stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with success field in data
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  status: 200,
-  statusText: undefined,
-  headers: {},
-  responseTextLength: 191,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.364Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.364Z"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'data', 'metadata' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "data": {\n' +
-    '    "accepted": 1,\n' +
-    '    "rejected": 0,\n' +
-    '    "outcomes": {\n' +
-    '      "success": 1,\n' +
-    '      "failed": 0,\n' +
-    '      "blocked": 0,\n' +
-    '      "error": 0\n' +
-    '    }\n' +
-    '  },\n' +
-    '  "metadata": {\n' +
-    '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.364Z"\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "data": {
-    "accepted": 1,
-    "rejected": 0,
-    "outcomes": {
-      "success": 1,
-      "failed": 0,
-      "blocked": 0,
-      "error": 0
-    }
-  },
-  "metadata": {
-    "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.364Z"
-  }
-}
-[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
-  hasAccepted: true,
-  hasRejected: true,
-  hasOutcomes: true,
-  hasErrors: false,
-  acceptedType: 'number',
-  acceptedValue: 1,
-  rejectedType: 'number',
-  rejectedValue: 0,
-  outcomesType: 'object',
-  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
-  errorsType: 'undefined',
-  errorsIsArray: false,
-  fullData: '{\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  hasSuccess: true,
-  successValue: true,
-  hasAccepted: true,
-  acceptedValue: 1,
-  hasRejected: true,
-  rejectedValue: 0,
-  hasOutcomes: true,
-  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
-  fullDataWithSuccess: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-
-stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with errors array
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
-  status: 200,
-  statusText: undefined,
-  headers: {},
-  responseTextLength: 333,
-  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.376Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.376Z"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'data', 'metadata' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "data": {\n' +
-    '    "accepted": 0,\n' +
-    '    "rejected": 1,\n' +
-    '    "outcomes": {\n' +
-    '      "success": 0,\n' +
-    '      "failed": 1,\n' +
-    '      "blocked": 0,\n' +
-    '      "error": 0\n' +
-    '    },\n' +
-    '    "errors": [\n' +
-    '      {\n' +
-    '        "proof_index": 0,\n' +
-    '        "error": {\n' +
-    '          "code": "validation_error",\n' +
-    '          "message": "Proof validation failed",\n' +
-    '          "details": {\n' +
-    '            "reason": "invalid_signature"\n' +
-    '          }\n' +
-    '        }\n' +
-    '      }\n' +
-    '    ]\n' +
-    '  },\n' +
-    '  "metadata": {\n' +
-    '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.376Z"\n' +
+    '  "data": {\n' +
+    '    "accepted": 0,\n' +
+    '    "rejected": 1,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 0,\n' +
+    '      "failed": 1,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    },\n' +
+    '    "errors": [\n' +
+    '      {\n' +
+    '        "proof_index": 0,\n' +
+    '        "error": {\n' +
+    '          "code": "validation_error",\n' +
+    '          "message": "Proof validation failed",\n' +
+    '          "details": {\n' +
+    '            "reason": "invalid_signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      }\n' +
+    '    ]\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-12-04T01:04:13.436Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1180,11 +1286,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.376Z"
+    "timestamp": "2025-12-04T01:04:13.436Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
+  correlationId: 'fd709747-f82f-46b1-860e-25f3dff00f62',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1222,7 +1328,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
+  correlationId: 'fd709747-f82f-46b1-860e-25f3dff00f62',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1259,16 +1365,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response without outcomes (optional field)
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: 'd9e8a43f-4427-4b5f-a380-9928b2f6c919',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 133,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.377Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.377Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.436Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.436Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: 'd9e8a43f-4427-4b5f-a380-9928b2f6c919',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1280,7 +1386,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.377Z"\n' +
+    '    "timestamp": "2025-12-04T01:04:13.436Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1292,11 +1398,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.377Z"
+    "timestamp": "2025-12-04T01:04:13.436Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: 'd9e8a43f-4427-4b5f-a380-9928b2f6c919',
   dataKeys: [ 'accepted', 'rejected' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1313,7 +1419,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullData: '{\n  "accepted": 1,\n  "rejected": 0\n}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: 'd9e8a43f-4427-4b5f-a380-9928b2f6c919',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
   hasSuccess: true,
   successValue: true,
@@ -1326,28 +1432,18 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullDataWithSuccess: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
 }
 
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
-[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/storage.service.ts'
-
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
-[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
-
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
-[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/storage.service.ts'
-
- ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 34ms
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should throw validation error if data object missing success field
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'c3aabc29-772c-4036-9609-6cc8c3f5c09b',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 191,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.378Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.378Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.437Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:04:13.437Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'c3aabc29-772c-4036-9609-6cc8c3f5c09b',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1365,7 +1461,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.378Z"\n' +
+    '    "timestamp": "2025-12-04T01:04:13.437Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1383,11 +1479,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.378Z"
+    "timestamp": "2025-12-04T01:04:13.437Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'c3aabc29-772c-4036-9609-6cc8c3f5c09b',
   dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1413,7 +1509,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'c3aabc29-772c-4036-9609-6cc8c3f5c09b',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
   hasSuccess: true,
   successValue: true,
@@ -1438,7 +1534,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should correctly extract data from wrapped response after JSON deep clone
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '5adca573-666b-4ae3-bc6b-ff799385e578',
   status: 200,
   statusText: undefined,
   headers: {},
@@ -1447,7 +1543,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1},"errors":[]},"metadata":{"requestId":"fc1fa88f-9b22-4161-b4fd-17d8215098ee","timestamp":"2025-11-24T21:36:33.029Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '5adca573-666b-4ae3-bc6b-ff799385e578',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1483,7 +1579,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '5adca573-666b-4ae3-bc6b-ff799385e578',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1507,7 +1603,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '5adca573-666b-4ae3-bc6b-ff799385e578',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1530,16 +1626,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response where data fields are numeric values (not undefined)
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: 'cdd19aee-28fe-4c90-bcd5-6707560cbcf2',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 151,
-  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.380Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.380Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:04:13.439Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:04:13.439Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: 'cdd19aee-28fe-4c90-bcd5-6707560cbcf2',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1553,7 +1649,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.380Z"\n' +
+    '    "timestamp": "2025-12-04T01:04:13.439Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1567,11 +1663,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-id",
-    "timestamp": "2025-11-26T15:36:45.380Z"
+    "timestamp": "2025-12-04T01:04:13.439Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: 'cdd19aee-28fe-4c90-bcd5-6707560cbcf2',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1588,7 +1684,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullData: '{\n  "accepted": 0,\n  "rejected": 0,\n  "outcomes": {},\n  "errors": []\n}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: 'cdd19aee-28fe-4c90-bcd5-6707560cbcf2',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1609,16 +1705,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response with nested outcomes object
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '7454c6a3-85c3-41e6-944f-e69811fabbce',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 278,
-  responseTextPreview: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.381Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.381Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:04:13.439Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:04:13.439Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '7454c6a3-85c3-41e6-944f-e69811fabbce',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1645,301 +1741,659 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.381Z"\n' +
+    '    "timestamp": "2025-12-04T01:04:13.439Z"\n' +
     '  }\n' +
     '}'
 }
-[AccessControl] Raw response received: {
-  "success": true,
-  "data": {
-    "accepted": 3,
-    "rejected": 2,
-    "outcomes": {
-      "success": 1,
-      "failed": 1,
-      "blocked": 1,
-      "error": 2
-    },
-    "errors": [
-      {
-        "proof_index": 0,
-        "error": {
-          "code": "validation_error",
-          "message": "Invalid signature"
-        }
-      }
-    ]
-  },
-  "metadata": {
-    "requestId": "test-id",
-    "timestamp": "2025-11-26T15:36:45.381Z"
-  }
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "accepted": 3,
+    "rejected": 2,
+    "outcomes": {
+      "success": 1,
+      "failed": 1,
+      "blocked": 1,
+      "error": 2
+    },
+    "errors": [
+      {
+        "proof_index": 0,
+        "error": {
+          "code": "validation_error",
+          "message": "Invalid signature"
+        }
+      }
+    ]
+  },
+  "metadata": {
+    "requestId": "test-id",
+    "timestamp": "2025-12-04T01:04:13.439Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '7454c6a3-85c3-41e6-944f-e69811fabbce',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: true,
+  acceptedType: 'number',
+  acceptedValue: 3,
+  rejectedType: 'number',
+  rejectedValue: 2,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
+  errorsType: 'object',
+  errorsIsArray: true,
+  fullData: '{\n' +
+    '  "accepted": 3,\n' +
+    '  "rejected": 2,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 1,\n' +
+    '    "error": 2\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Invalid signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '7454c6a3-85c3-41e6-944f-e69811fabbce',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 3,
+  hasRejected: true,
+  rejectedValue: 2,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 3,\n' +
+    '  "rejected": 2,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 1,\n' +
+    '    "blocked": 1,\n' +
+    '    "error": 2\n' +
+    '  },\n' +
+    '  "errors": [\n' +
+    '    {\n' +
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
+    '        "code": "validation_error",\n' +
+    '        "message": "Invalid signature"\n' +
+    '      }\n' +
+    '    }\n' +
+    '  ]\n' +
+    '}'
+}
+
+ ✓ src/__tests__/services/tool-protection-merged-config.test.ts (11 tests) 161ms
+ ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 162ms
+ ✓ src/services/__tests__/access-control.proof-response-validation.test.ts (12 tests) 71ms
+ ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 102ms
+ ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 21ms
+ ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 13ms
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should allow unprotected tool calls
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
+  toolCount: 1,
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Network error',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheKey: 'config:tool-protections:test-project'
+  cacheTtlMs: 300000,
+}
+  cacheExpiresAt: '2025-12-04T01:09:13.661Z'
+}
+
+
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+[ToolProtectionService] Config loaded from API {
+
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.662Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
+[ToolProtectionService] Protection check {
+  tool: 'checkout',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'checkout' ]
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield merged config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.662Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should cache tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.663Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should share cache across multiple service instances
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.674Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.675Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.675Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 3,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.675Z'
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+[ToolProtectionService] Protection check {
+  tool: 'add_to_cart',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'search_products', 'add_to_cart', 'checkout' ]
+}
+
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Concurrent operations > should handle concurrent cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.676Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.676Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.676Z'
+}
+
+ ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 111ms
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'phase1_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.842Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.847Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.848Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_snake_case' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.848Z'
+}
+
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+stderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+  toolCount: 2,
+  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:13.850Z'
+}
+
+ ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 9ms
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
+[CryptoService] Ed25519 verification error: Error: Verification failed
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
+[CryptoService] Invalid Ed25519 JWK format
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
+ ✓ src/__tests__/providers/memory.test.ts (34 tests) 39ms
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'ž', "ž‹" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
+[CryptoService] Unsupported algorithm: RS256, expected EdDSA
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
+[CryptoService] Unsupported algorithm: HS256, expected EdDSA
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
+[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
+[CryptoService] Key ID mismatch
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
+[CryptoService] Unsupported algorithm: EdDSA, expected RS256
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
+[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
+    at CryptoService.jwkToBase64PublicKey (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+
+ ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 52ms
+ ✓ src/__tests__/providers/base.test.ts (14 tests) 70ms
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-12-04T01:04:15.473Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 4,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:14.474Z'
+}
+
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:14.474Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:14.474Z'
 }
-[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
-  dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
-  hasAccepted: true,
-  hasRejected: true,
-  hasOutcomes: true,
-  hasErrors: true,
-  acceptedType: 'number',
-  acceptedValue: 3,
-  rejectedType: 'number',
-  rejectedValue: 2,
-  outcomesType: 'object',
-  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
-  errorsType: 'object',
-  errorsIsArray: true,
-  fullData: '{\n' +
-    '  "accepted": 3,\n' +
-    '  "rejected": 2,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 1,\n' +
-    '    "blocked": 1,\n' +
-    '    "error": 2\n' +
-    '  },\n' +
-    '  "errors": [\n' +
-    '    {\n' +
-    '      "proof_index": 0,\n' +
-    '      "error": {\n' +
-    '        "code": "validation_error",\n' +
-    '        "message": "Invalid signature"\n' +
-    '      }\n' +
-    '    }\n' +
-    '  ]\n' +
-    '}'
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:09:14.474Z'
 }
-[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
-  hasSuccess: true,
-  successValue: true,
-  hasAccepted: true,
-  acceptedValue: 3,
-  hasRejected: true,
-  rejectedValue: 2,
-  hasOutcomes: true,
-  outcomesValue: { success: 1, failed: 1, blocked: 1, error: 2 },
-  fullDataWithSuccess: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 3,\n' +
-    '  "rejected": 2,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 1,\n' +
-    '    "blocked": 1,\n' +
-    '    "error": 2\n' +
-    '  },\n' +
-    '  "errors": [\n' +
-    '    {\n' +
-    '      "proof_index": 0,\n' +
-    '      "error": {\n' +
-    '        "code": "validation_error",\n' +
-    '        "message": "Invalid signature"\n' +
-    '      }\n' +
-    '    }\n' +
-    '  ]\n' +
-    '}'
+
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
+[ToolProtectionService] API fetch failed, using fallback config {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
 }
 
- ✓ src/services/__tests__/access-control.proof-response-validation.test.ts (12 tests) 18ms
- ✓ src/services/__tests__/storage.service.test.ts (17 tests) 22ms
+ ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1140ms
+       ✓ should respect cache TTL  1103ms
+ ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 99ms
 stderr | src/services/__tests__/proof-verifier.test.ts > ProofVerifier Security > Signature Verification > should handle signature verification errors gracefully
 [CryptoService] Ed25519 verification error: Error: Crypto error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+ ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 7ms
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
     at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+
+ ✓ src/__tests__/services/oauth-service-pkce.test.ts (18 tests) 14ms
+ ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 16ms
+ ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 210ms
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zjbbPxe6AE2HLR3QRM_E0z4u_aWhgGpQ3","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254825,"timestampFormatted":"2025-12-04T01:04:14.825Z"}
 
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '5be6f8ae-ee53-4b5f-a627-da78df1494fb',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '5be6f8ae-ee53-4b5f-a627-da78df1494fb',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
-}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"ba91f41cf17c12fcd070b5cfd89b06e3","timestamp":1764810254825},"timestamp":1764810254825,"timestampFormatted":"2025-12-04T01:04:14.825Z"}
 
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '1ceb40b1-e915-4474-97ee-d103432d8f85',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 200,
-  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
-  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '1ceb40b1-e915-4474-97ee-d103432d8f85',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 0,\n' +
-    '  "rejected": 1,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 0,\n' +
-    '    "failed": 1,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  },\n' +
-    '  "errors": [\n' +
-    '    {\n' +
-    '      "proof_index": 0,\n' +
-    '      "error": {\n' +
-    '        "code": "invalid_signature",\n' +
-    '        "message": "Invalid JWS signature"\n' +
-    '      }\n' +
-    '    }\n' +
-    '  ]\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 0,
-  "rejected": 1,
-  "outcomes": {
-    "success": 0,
-    "failed": 1,
-    "blocked": 0,
-    "error": 0
-  },
-  "errors": [
-    {
-      "proof_index": 0,
-      "error": {
-        "code": "invalid_signature",
-        "message": "Invalid JWS signature"
-      }
-    }
-  ]
-}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z4Ep3_6GMiNGMjkYK-_EFcb-GaTHIXCyR","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254847,"timestampFormatted":"2025-12-04T01:04:14.847Z"}
 
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
-[CryptoService] Key ID mismatch
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z_qssUyj-sPIMt5zoPGba1dHDGP6MgsQG","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254848,"timestampFormatted":"2025-12-04T01:04:14.848Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:z_qssUyj-sPIMt5zoPGba1dHDGP6MgsQG","newDid":"did:key:zYJVTLOR2WCfN5FapeKI7uJi-SAUL-BFT","timestamp":1764810254848},"timestamp":1764810254848,"timestampFormatted":"2025-12-04T01:04:14.848Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z0p0-xYtFCTSYO9PMFoSTRT6Uj1nGDBwI","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254849,"timestampFormatted":"2025-12-04T01:04:14.849Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zQfJPS5aQrf_f6YY2uFf6loa4S7YM1Jyb","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254850,"timestampFormatted":"2025-12-04T01:04:14.850Z"}
 
- ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 210ms
- ✓ src/__tests__/runtime/base.test.ts (55 tests) 35ms
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zRzncwCTe9ETyyWDPdbvxs5Q3OmQA7-cF","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254850,"timestampFormatted":"2025-12-04T01:04:14.850Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zETFV_zv_9XzsdurOI7285XtCZ5P_zYTE","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254850,"timestampFormatted":"2025-12-04T01:04:14.850Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zK32d_cVxugLUy6F0GgHDRakMJD0uwDbo","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254851,"timestampFormatted":"2025-12-04T01:04:14.851Z"}
+
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z6joWc15AsX4mYbNqt_WdJLJfLfRH2yN8","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810254851,"timestampFormatted":"2025-12-04T01:04:14.851Z"}
+
+ ✓ src/__tests__/integration.test.ts (9 tests) 49ms
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
 [MCP-I] Checking tool protection: {
   tool: 'unprotectedTool',
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gxa3v_mig63sgc',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gxa3v_mig63sgc'
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
 [MCP-I] Tool protection check passed (no delegation required) {
   tool: 'unprotectedTool',
-[MCP-I] ❌ Delegation verification FAILED {
   agentDid: 'did:key:zmock123...',
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   reason: 'Tool not configured to require delegation'
 }
-
   tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
-[MCP-I] Checking tool protection: {
   agentDid: 'did:key:zmock123...',
+[MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
-  reason: 'Delegation token expired',
 }
+  resumeToken: 'resume_t9ybq8_miqqgjrp',
 
-  errorCode: undefined,
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
-  errorMessage: undefined,
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
-  requiredScopes: [ 'files:write' ]
-}
 }
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_t9ybq8_miqqgjrp'
 
+}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
   hasConsentProof: false,
-[MCP-I] ❌ Delegation verification FAILED {
   requiredScopes: [ 'files:write' ]
+
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+[MCP-I] ❌ Delegation verification FAILED {
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
 [MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
   agentDid: 'did:key:zmock123...',
-  reason: 'Insufficient scopes',
+  tool: 'protectedTool',
   delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
-  errorCode: undefined,
   requiredScopes: [ 'files:write' ]
 }
-  errorMessage: undefined,
-  requiredScopes: [ 'files:write' ]
 
+  agentDid: 'did:key:zmock123...',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-}
-
+  reason: 'Delegation token expired',
+  agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
+  errorCode: undefined,
+  errorMessage: undefined,
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
@@ -1949,25 +2403,35 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   hasConsentProof: true,
   requiredScopes: [ 'files:write' ]
 }
+  requiredScopes: [ 'files:write' ]
 
+}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
 [MCP-I] ✅ Delegation verification SUCCEEDED {
+
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
   delegationId: 'test-delegation-id',
+[MCP-I] ❌ Delegation verification FAILED {
   credentialScopes: [ 'files:write' ],
+  tool: 'protectedTool',
   requiredScopes: [ 'files:write' ]
+  agentDid: 'did:key:zmock123...',
 }
+  reason: 'Insufficient scopes',
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  errorCode: undefined,
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  errorMessage: undefined,
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
@@ -1978,85 +2442,87 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ]
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
+}
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
   hasDelegationToken: true,
+[MCP-I] ❌ Delegation verification error (API failure) {
   hasConsentProof: false,
+  tool: 'protectedTool',
   requiredScopes: [ 'files:write' ]
 }
 
- ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 31ms
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
 [MCP-I] Checking tool protection: {
+  agentDid: 'did:key:zmock123...',
+  errorCode: 'network_error',
+  errorMessage: 'API unavailable',
+  errorDetails: {}
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
   hasDelegation: true
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
-[MCP-I] ❌ Delegation verification error (API failure) {
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
+}
+
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
   hasConsentProof: false,
-  errorCode: 'network_error',
   requiredScopes: [ 'files:write' ]
+[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
 }
-  errorMessage: 'API unavailable',
 
-  errorDetails: {}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
 
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
-[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
   hasConsentProof: false
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
-[MCP-I] Checking tool protection: {
 stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+[MCP-I] Checking tool protection: {
+[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
+  tool: 'protectedTool',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
+  agentDid: 'did:key:zmock123...',
+  delegationUserIdentifier: 'did:key:zUserB987654...',
   hasDelegation: true
+  sessionUserDid: 'did:key:zUserA123456...',
 }
-  tool: 'protectedTool',
 
-  agentDid: 'did:key:zmock123...',
-  delegationUserIdentifier: 'did:key:zUserB987654...',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
-  tool: 'protectedTool',
-  sessionUserDid: 'did:key:zUserA123456...',
   sessionId: 'session123...',
-  reason: 'user_identifier_mismatch',
-  severity: 'high'
+  tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-}
   hasDelegationToken: true,
-
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
+  reason: 'user_identifier_mismatch',
+  severity: 'high'
+}
+
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
@@ -2127,73 +2593,63 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
 }
-[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  delegationUserIdentifier: 'did:key:zUserA123456...',
 [MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
   agentDid: 'did:key:zmock123...',
+[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
   delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
-  sessionId: 'session123...'
+  tool: 'protectedTool',
   requiredScopes: [ 'files:write' ]
+  agentDid: 'did:key:zmock123...',
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
 [MCP-I] Checking tool protection: {
-}
-
+  delegationUserIdentifier: 'did:key:zUserA123456...',
   tool: 'unprotectedTool',
+  sessionId: 'session123...'
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
+}
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
 [MCP-I] Tool protection check passed (no delegation required) {
   tool: 'unprotectedTool',
   agentDid: 'did:key:zmock123...',
   reason: 'Tool not configured to require delegation'
+
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
   hasDelegation: false
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
 }
 
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+  tool: 'protectedTool',
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
-}
-
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
   agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgv',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgv'
+  resumeToken: 'resume_t9ycf7_miqqgjry',
 }
 
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgv',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgv'
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_t9ycf7_miqqgjry'
 }
-
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
@@ -2201,73 +2657,65 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   hasDelegation: false
 }
 
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
 [MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write', 'files:read' ],
+  requiredScopes: [ 'files:write' ],
   agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgw'
+  resumeToken: 'resume_t9ycg2_miqqgjry',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_t9ycg2_miqqgjry'
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
 [MCP-I] Checking tool protection: {
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
 [MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
+  requiredScopes: [ 'files:write', 'files:read' ],
   agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8mh_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8mh_mig63sgw'
-}
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  resumeToken: 'resume_t9ycg2_miqqgjry',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_t9ycg2_miqqgjry'
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8mh_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8mh_mig63sgw'
 }
 
+
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
   hasDelegation: false
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
 [MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_fpsylu_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_fpsylu_mig63sgw'
 }
+  requiredScopes: [ 'files:write' ],
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
 [MCP-I] Checking tool protection: {
+  agentDid: 'did:key:zmock123...',
   tool: 'testTool',
+  resumeToken: 'resume_t9ycg2_miqqgjry',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_t9ycg2_miqqgjry'
 }
 
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
 [MCP-I] Tool protection check passed (no delegation required) {
+}
   tool: 'testTool',
+
   agentDid: 'did:key:zmock123...',
   reason: 'Tool not configured to require delegation'
 }
@@ -2276,17 +2724,30 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   hasDelegation: false
 }
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
 
+  resumeToken: 'resume_t9ycg2_miqqgjry',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_t9ycg2_miqqgjry'
 [MCP-I] Checking tool protection: {
+}
+
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
 }
 
+  tool: 'protectedTool',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
+  requiredScopes: [ 'files:write' ],
 [MCP-I] Tool protection check passed (no delegation required) {
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
@@ -2297,277 +2758,100 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
 [MCP-I] Checking tool protection: {
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
-  hasDelegation: false
-}
-
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
-[MCP-I] Checking tool protection: {
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  hasDelegation: false
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx7z8_mig63sh2',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_gx7z8_mig63sh2'
-}
-
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
-[MCP-I] Checking tool protection: {
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  hasDelegation: false
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx7yd_mig63sh3',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_gx7yd_mig63sh3'
-}
-
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
-[MCP-I] Checking tool protection: {
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  hasDelegation: false
-}
-
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_cl4sgd_mig63sh3',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_cl4sgd_mig63sh3'
-}
-
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
-[MCP-I] Checking tool protection: {
-  tool: 'errorTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+  resumeToken: 'resume_pkfiar_miqqgjrz',
 }
-
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
-[MCP-I] Tool protection check passed (no delegation required) {
-  tool: 'errorTool',
-  agentDid: 'did:key:zmock123...',
-  reason: 'Tool not configured to require delegation'
-}
-
- ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 63ms
-stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
-[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
-    at Object.resolveDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at ProofVerifier.fetchPublicKeyFromDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
-
-stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
-[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
-    at Object.resolveDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at ProofVerifier.fetchPublicKeyFromDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
-
- ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 46ms
- ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 154ms
- ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 134ms
- ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 317ms
- ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 324ms
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should allow unprotected tool calls
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.684Z'
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
-}
-
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'checkout' ],
-
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.685Z'
-}
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
-
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Network error',
-[ToolProtectionService] Protection check {
-  tool: 'checkout',
-  cacheKey: 'config:tool-protections:test-project'
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: true,
-  isWildcard: false,
-  requiresDelegation: true,
-  availableTools: [ 'checkout' ]
-}
-
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield
-}
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
-  toolCount: 1,
-  protectedTools: [ 'protected_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-
-  cacheExpiresAt: '2025-11-26T15:41:45.686Z'
-}
-
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should cache tool protection config
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.687Z'
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_pkfiar_miqqgjrz'
 }
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should share cache across multiple service instances
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
+  requiredScopes: [],
+  agentDid: 'did:key:zmock123...',
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
+  resumeToken: 'resume_t9yczv_miqqgjs0',
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
 }
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_t9yczv_miqqgjs0'
 }
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+  hasDelegation: false
 }
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 3,
-  protectedTools: [ 'add_to_cart', 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+[MCP-I] Checking tool protection: {
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
+  tool: 'protectedTool',
+  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_t9yczv_miqqgjs0',
+  hasDelegation: false
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_t9yczv_miqqgjs0'
 }
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
-[ToolProtectionService] Protection check {
-  tool: 'add_to_cart',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: true,
-  isWildcard: false,
-  requiresDelegation: true,
-  availableTools: [ 'search_products', 'add_to_cart', 'checkout' ]
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
 }
+[MCP-I] Checking tool protection: {
 
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Concurrent operations > should handle concurrent cache operations
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  hasDelegation: false
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
 }
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
+  tool: 'protectedTool',
+[MCP-I] Tool protection check passed (no delegation required) {
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  tool: 'errorTool',
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_sp3okj_miqqgjs0',
+  reason: 'Tool not configured to require delegation'
 }
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_sp3okj_miqqgjs0'
+
 }
 
- ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 20ms
-stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully
-[UserDidManager] Storage.get failed, generating new DID: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:187:67
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-
-stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.set errors gracefully
-[UserDidManager] Storage.set failed, continuing with cached DID: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:196:67
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+ ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 78ms
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully (Phase 5)
+[UserDidManager] Storage.get failed: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
     at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
 
 stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.delete errors gracefully
 [UserDidManager] Storage.delete failed, continuing: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:70
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:225:70
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
 
  ✓ src/__tests__/identity/user-did-manager.test.ts (17 tests) 8ms
+ ✓ src/config/__tests__/merged-config.spec.ts (6 tests) 5ms
+ ✓ src/delegation/__tests__/did-key-resolver.test.ts (28 tests) 6ms
+ ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 8ms
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from camelCase field
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -2576,7 +2860,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.789Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.032Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from snake_case field
@@ -2587,7 +2871,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.791Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.033Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should prefer camelCase over snake_case when both present
@@ -2598,7 +2882,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.791Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.034Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should handle missing oauthProvider field (backward compatible)
@@ -2609,7 +2893,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.792Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.034Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with camelCase
@@ -2620,7 +2904,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.035Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with snake_case
@@ -2631,7 +2915,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.036Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should prefer camelCase over snake_case in array format
@@ -2642,7 +2926,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.036Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with camelCase
@@ -2653,7 +2937,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.036Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with snake_case
@@ -2664,7 +2948,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.794Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.036Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should prefer camelCase over snake_case in object format
@@ -2675,7 +2959,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.794Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.036Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Caching > should cache oauthProvider field correctly
@@ -2686,7 +2970,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.037Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should include oauthProvider in returned ToolProtection objects when present
@@ -2697,7 +2981,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.037Z'
 }
 
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should handle empty string oauthProvider gracefully
@@ -2708,23 +2992,10 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:09:15.037Z'
 }
 
  ✓ src/__tests__/services/tool-protection-oauth-provider.test.ts (14 tests) 7ms
- ✓ src/__tests__/services/oauth-service-pkce.test.ts (18 tests) 9ms
- ✓ src/__tests__/providers/memory.test.ts (34 tests) 13ms
- ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 25ms
-stderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should fall back to configuredProvider for ambiguous scopes
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
- ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 9ms
-stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
-[ProviderResolver] Inferred provider "github" from scopes
-
-stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
-[ProviderResolver] Inferred provider "google" from scopes
-
-
 stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle empty scopes array
 [ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 
@@ -2733,10 +3004,10 @@ stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderR
 
 stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle unknown scope prefixes
 [ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify gmail → google mapping works
 [ProviderResolver] Inferred provider "google" from scopes
 
+
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify calendar → google mapping works
 [ProviderResolver] Inferred provider "google" from scopes
 
@@ -2755,155 +3026,74 @@ stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderR
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Provider name case sensitivity > should handle provider names case-insensitively in inference
 [ProviderResolver] Inferred provider "github" from scopes
 
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should use configuredProvider when tool has no oauthProvider
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Multiple scopes with same provider > should handle multiple scopes from same provider
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should use configuredProvider when tool has no oauthProvider
 [ProviderResolver] Inferred provider "github" from scopes
 
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should prefer scope-inferred provider over configuredProvider
 [ProviderResolver] Inferred provider "google" from scopes
 
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'phase1_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.870Z'
-}
-
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'old_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.881Z'
-}
-
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'old_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.882Z'
-}
-
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool_with_snake_case' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.882Z'
-}
+ ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (25 tests | 1 skipped) 8ms
+ ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 19ms
+ ✓ src/utils/__tests__/did-helpers.test.ts (16 tests) 3ms
+ ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 6ms
+ ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 5ms
+ ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 2ms
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
+[ProviderResolver] Inferred provider "github" from scopes
 
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
-stderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.885Z'
-}
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
+[ProviderResolver] Inferred provider "google" from scopes
 
+stderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should fall back to configuredProvider for ambiguous scopes
 [ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 
-stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z-fcn5k3v2ZvYK9dlIxU8n4lMqIWAYMTh","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405871,"timestampFormatted":"2025-11-26T15:36:45.871Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
-[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"70fae80e7f85d8d7c07f785a68990d26","timestamp":1764171405871},"timestamp":1764171405871,"timestampFormatted":"2025-11-26T15:36:45.871Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zT_7RaA0bLnzRdBKcRy8wSQhZQWOqdu6M","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zTh6D4u2wJj_Y3a4AyHIqU89X7UCKWfoF","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
-[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:zTh6D4u2wJj_Y3a4AyHIqU89X7UCKWfoF","newDid":"did:key:zmjuGQxXVJTkNFmfA7biSllCtFAK3U22B","timestamp":1764171405883},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zt1EwInIPdYDy3nYd-H-vnDVXRVC8Ngnz","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405887,"timestampFormatted":"2025-11-26T15:36:45.887Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zd-MgrCaVXirdlYFY4OUm5ClzQZAdOchd","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zmtiafOUYJHiKNWjqtCy4IRCk3iieeEpb","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zmglnfmMGPMSRQ2b7Vr0t-PoMXPG0Ltbg","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-
-stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zs1TeqYecLeqs89TtiOTV2kVTDeu1wdzZ","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405889,"timestampFormatted":"2025-11-26T15:36:45.889Z"}
-
- ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (25 tests | 1 skipped) 12ms
- ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 6ms
- ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 14ms
-stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z-4za6CQd91VdYGlXbvvTWpL8r9av_GhE","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405889,"timestampFormatted":"2025-11-26T15:36:45.889Z"}
-
- ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 17ms
  ✓ src/services/__tests__/provider-resolver.test.ts (8 tests) 6ms
- ✓ src/__tests__/integration.test.ts (9 tests) 19ms
- ✓ src/__tests__/providers/base.test.ts (14 tests) 6ms
- ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 7ms
+ ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 4ms
+ ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 3ms
 stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API request fails
 [RemoteConfig] API returned 404: Not Found
 
 stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API throws error
 [RemoteConfig] Failed to fetch config: Error: Network error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
     at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
 
 stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if neither projectId nor agentDid provided
 [RemoteConfig] Neither projectId nor agentDid provided
 
 stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should handle cache read errors gracefully
 [RemoteConfig] Cache read failed: Error: Cache error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
     at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-
- ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 7ms
- ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 4ms
- ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 11ms
- ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 5ms
- ✓ src/delegation/__tests__/utils.test.ts (28 tests) 7ms
- ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 3ms
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+
+ ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 10ms
+stderr | src/services/__tests__/provider-resolution.integration.test.ts > Provider Resolution Integration > Backward compatibility > should work with Phase 1 tools (no oauthProvider field)
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+
+ ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 25ms
+ ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 5ms
+ ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 5ms
+ ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 18ms
  ✓ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts (14 tests) 3ms
- ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 4ms
- ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 4ms
 stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
 [ToolProtectionService] clearAndRefresh starting {
   cacheKey: 'config:tool-protections:test-project-123',
@@ -2923,8 +3113,8 @@ stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAn
 }
 
 stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add cache-busting query param when bypassCDNCache is true
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections?_t=1764171406153 {
-  method: 'projects/{projectId}/tool-protections (new)',
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config?_t=1764810255702 {
+  method: 'projects/{projectId}/config (merged)',
   projectId: 'test-project-123',
   apiKeyPresent: true,
   apiKeyLength: 12,
@@ -2932,8 +3122,8 @@ stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAn
 }
 
 stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add Cache-Control headers when bypassCDNCache is true
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections?_t=1764171406153 {
-  method: 'projects/{projectId}/tool-protections (new)',
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config?_t=1764810255702 {
+  method: 'projects/{projectId}/config (merged)',
   projectId: 'test-project-123',
   apiKeyPresent: true,
   apiKeyLength: 12,
@@ -2941,8 +3131,8 @@ stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAn
 }
 
 stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should NOT add cache-busting when bypassCDNCache is false/undefined
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections {
-  method: 'projects/{projectId}/tool-protections (new)',
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config {
+  method: 'projects/{projectId}/config (merged)',
   projectId: 'test-project-123',
   apiKeyPresent: true,
   apiKeyLength: 12,
@@ -2967,78 +3157,13 @@ stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAn
   source: 'api'
 }
 
-stderr | src/services/__tests__/provider-resolution.integration.test.ts > Provider Resolution Integration > Backward compatibility > should work with Phase 1 tools (no oauthProvider field)
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-
- ✓ src/__tests__/services/cache-busting.test.ts (5 tests) 5ms
- ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 4ms
- ✓ src/utils/__tests__/did-helpers.test.ts (11 tests) 3ms
- ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 1ms
- ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 4ms
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 1000,
-  cacheExpiresAt: '2025-11-26T15:36:47.421Z'
-}
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 4,
-  protectedTools: [ 'add_to_cart', 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.421Z'
-}
-
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
-[ToolProtectionService] API fetch failed, using fallback config {
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
-}
-
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
-
- ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1113ms
-       ✓ should respect cache TTL  1102ms
+ ✓ src/__tests__/services/cache-busting.test.ts (5 tests) 6ms
+ ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 3ms
  ↓ src/__tests__/delegation-e2e.test.ts (14 tests | 14 skipped)
- ✓ src/__tests__/index.test.ts (4 tests) 2ms
+ ✓ src/__tests__/index.test.ts (4 tests) 3ms
 
- Test Files  45 passed | 1 skipped (46)
-      Tests  905 passed | 16 skipped (921)
-   Start at  10:36:44
-   Duration  1.70s (transform 5.57s, setup 0ms, collect 8.85s, tests 2.79s, environment 4ms, prepare 1.19s)
+ Test Files  48 passed | 1 skipped (49)
+      Tests  955 passed | 16 skipped (971)
+   Start at  19:04:10
+   Duration  5.41s (transform 6.92s, setup 0ms, import 15.31s, tests 2.88s, environment 3ms)