npm - @kya-os/mcp-i-core - Versions diffs - 1.3.10 → 1.3.12 - Mend

@kya-os/mcp-i-core 1.3.10 → 1.3.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +1 -1
package/.turbo/turbo-test$colon$coverage.log +3419 -3072
package/.turbo/turbo-test.log +1664 -1539
package/coverage/coverage-final.json +60 -0
package/dist/identity/idp-token-resolver.d.ts +17 -1
package/dist/identity/idp-token-resolver.d.ts.map +1 -1
package/dist/identity/idp-token-resolver.js +34 -6
package/dist/identity/idp-token-resolver.js.map +1 -1
package/dist/identity/idp-token-storage.interface.d.ts +38 -7
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -1
package/dist/identity/idp-token-storage.interface.js +2 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/services/tool-context-builder.d.ts +18 -1
package/dist/services/tool-context-builder.d.ts.map +1 -1
package/dist/services/tool-context-builder.js +63 -10
package/dist/services/tool-context-builder.js.map +1 -1
package/dist/services/tool-protection.service.d.ts +1 -1
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +17 -10
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +53 -0
package/dist/utils/did-helpers.js.map +1 -1
package/package.json +2 -2
package/src/delegation/__tests__/vc-issuer.test.ts +1 -1
package/src/identity/idp-token-resolver.ts +41 -7
package/src/identity/idp-token-storage.interface.ts +42 -7
package/src/index.ts +6 -2
package/src/services/tool-context-builder.ts +75 -10
package/src/services/tool-protection.service.ts +51 -32
package/src/utils/__tests__/did-helpers.test.ts +55 -0
package/src/utils/did-helpers.ts +60 -0
package/dist/__tests__/utils/mock-providers.d.ts +0 -104
package/dist/__tests__/utils/mock-providers.d.ts.map +0 -1
package/dist/__tests__/utils/mock-providers.js +0 -293
package/dist/__tests__/utils/mock-providers.js.map +0 -1

package/.turbo/turbo-test.log CHANGED Viewed

@@ -1,168 +1,10 @@
-> @kya-os/mcp-i-core@1.3.7 test /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core
+> @kya-os/mcp-i-core@1.3.12 test /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
 > vitest run
- RUN  v4.0.5 /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core
+ RUN  v4.0.14 /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
-[CryptoService] Ed25519 verification error: Error: Verification failed
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
-[CryptoService] Invalid Ed25519 JWK format
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
-[CryptoService] Invalid Ed25519 JWK format
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
-[CryptoService] Invalid Ed25519 JWK format
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
-[CryptoService] Invalid Ed25519 JWK format
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
-[CryptoService] Invalid Ed25519 JWK format
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token '', "" is not valid JSON
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
-[CryptoService] Unsupported algorithm: RS256, expected EdDSA
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
-[CryptoService] Unsupported algorithm: HS256, expected EdDSA
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
-[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
-[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
-[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
-    at CryptoService.parseJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
-[CryptoService] Key ID mismatch
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
-[CryptoService] Unsupported algorithm: EdDSA, expected RS256
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
-[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
-    at CryptoService.jwkToBase64PublicKey (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
-    at CryptoService.verifyJWS (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
-[CryptoService] Ed25519 verification error: Error: Crypto error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
- ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 19ms
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use X-API-Key header for new endpoint
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -171,7 +13,7 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.310Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.470Z'
 }
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > API Authentication > should use Authorization Bearer header for old endpoint
@@ -182,95 +24,84 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.314Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.473Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped endpoint when projectId is available
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should fetch from /config endpoint and extract toolProtection.tools
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.315Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.475Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use project-scoped /config endpoint when projectId is available
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 0,
   protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.315Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.477Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should use agent-scoped endpoint when projectId is not available
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 0,
   protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'project/with/special-chars',
+  projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.478Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode projectId in URL
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 0,
   protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
-}
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
+  projectId: 'project/with/special-chars',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.479Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should fetch from project-scoped endpoint when projectId is available
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should use projectId-based /config endpoint when projectId is set
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
+  projectId: 'my-project-id',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.312Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.479Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should handle new endpoint format with toolProtections object
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Endpoint Selection > should encode agent DID in URL
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'protected_tool' ],
+  toolCount: 0,
+  protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
+  projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.316Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.480Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should parse oauthProvider from new endpoint format (Phase 2)
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle new endpoint format (toolProtections object)
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.480Z'
 }
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools array)
@@ -281,7 +112,7 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.481Z'
 }
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle old endpoint format (tools object)
@@ -292,7 +123,7 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.481Z'
 }
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle snake_case field names
@@ -303,10 +134,13 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.481Z'
 }
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should handle camelCase field names
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 1,
@@ -314,9 +148,12 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.482Z'
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
 }
 stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Response Format Compatibility > should prefer camelCase over snake_case when both present
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -325,449 +162,176 @@ stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield In
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.482Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - new endpoint format > should preserve oauthProvider through cache operations
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 1,
-  protectedTools: [ 'read_repos' ],
+  protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.317Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.485Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Error Handling > should handle network timeout
-  toolCount: 2,
-  protectedTools: [ 'checkout' ],
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
+  toolCount: 0,
+  protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.318Z'
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Fallback Behavior > should cache fallback config
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-12-04T01:15:16.485Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fetching from /config endpoint with embedded tools > should handle empty tools object from merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'tool1' ],
+  toolCount: 0,
+  protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.480Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should correctly identify protected tool from merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
+  protectedTools: [ 'checkout' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.481Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'tool1' ],
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should correctly identify protected tool from merged config
+[ToolProtectionService] Protection check {
+  tool: 'checkout',
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.320Z'
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'checkout', 'greet' ]
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should return null for unknown tool
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'read_repos', 'send_email' ],
+  toolCount: 1,
+  protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.320Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
-[ToolProtectionService] Cache miss, fetching from API {
-  source: 'api-fetch-start',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  apiUrl: 'https://kya.vouched.id',
-  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
-}
-[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
-  method: 'config?agent_did (old)',
-  projectId: 'none',
-  apiKeyPresent: true,
-  apiKeyLength: 18,
-  apiKeyMasked: 'test-api...'
+  cacheExpiresAt: '2025-12-04T01:20:15.481Z'
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
-[ToolProtectionService] API response received {
-  source: 'api-fetch-complete',
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > checkToolProtection with merged config > should return null for unknown tool
+[ToolProtectionService] Protection check {
+  tool: 'unknown-tool',
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  responseKeys: [ 'success', 'data', 'metadata' ],
-  dataKeys: [ 'tools' ],
-  rawToolProtections: null,
-  rawTools: [
-    { name: 'valid_tool', requiresDelegation: true },
-    { requiresDelegation: false }
-  ],
-  responseMetadata: {}
+  found: false,
+  isWildcard: true,
+  requiresDelegation: false,
+  availableTools: [ 'greet' ]
 }
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fallback behavior with merged config > should handle API returning config without tools field
 [ToolProtectionService] Config loaded from API {
   source: 'api',
+stderr | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Fallback behavior with merged config > should use fallback config when network error occurs
   toolCount: 1,
-  protectedTools: [ 'valid_tool' ],
+  protectedTools: [ 'greet' ],
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.321Z'
-}
-[ToolProtectionService] API fetch successful, config cached {
-  source: 'cache-write',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
-  toolCount: 1,
-  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
-  ttlMs: 300000,
-  ttlMinutes: 5,
-  expiresAt: '2025-11-26T15:41:45.321Z',
-  expiresIn: '300s'
+  cacheExpiresAt: '2025-12-04T01:20:15.486Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should cache successful API responses
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should cache tool protections extracted from merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 1,
-  protectedTools: [ 'tool1' ],
+  protectedTools: [ 'greet' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.319Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.486Z'
 }
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should respect cache TTL for merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
-  cacheTtlMs: 1000,
-  cacheExpiresAt: '2025-11-26T15:36:46.320Z'
+  cacheTtlMs: 100,
+  cacheExpiresAt: '2025-12-04T01:15:15.586Z'
 }
-stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+ ✓ src/__tests__/providers/base.test.ts (14 tests) 42ms
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+ ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 159ms
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
+[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
+stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
+[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/storage.service.ts'
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Caching with merged config > should respect cache TTL for merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'ECONNREFUSED',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
   toolCount: 1,
-  protectedTools: [ 'tool1' ],
+  protectedTools: [ 'greet' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-}
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
+  projectId: 'test-project-123',
+  cacheTtlMs: 100,
+  cacheExpiresAt: '2025-12-04T01:15:15.737Z'
 }
-stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+stdout | src/__tests__/services/tool-protection-merged-config.test.ts > ToolProtectionService - Merged Config API > Backward compatibility - /tool-protections response format > should still handle legacy /tool-protections response format if encountered
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 0,
-  protectedTools: [],
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Network error',
-  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+  cacheExpiresAt: '2025-12-04T01:20:15.637Z'
 }
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 600000,
-  cacheExpiresAt: '2025-11-26T15:46:45.324Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.324Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'other_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
-[ToolProtectionService] Protection check {
-  tool: 'unknown_tool',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: false,
-  isWildcard: true,
-  requiresDelegation: false,
-  availableTools: [ 'other_tool' ]
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ '*' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
-[ToolProtectionService] Protection check {
-  tool: 'unknown_tool',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: true,
-  isWildcard: true,
-  requiresDelegation: true,
-  availableTools: [ '*', 'specific_tool' ]
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should prioritize specific tool protection over wildcard
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ '*' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
-[ToolProtectionService] Protection check {
-  tool: 'any_tool',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: true,
-  isWildcard: true,
-  requiresDelegation: true,
-  availableTools: [ '*' ]
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'protected_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.325Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
-[ToolProtectionService] Protection check {
-  tool: 'protected_tool',
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  found: true,
-  isWildcard: false,
-  requiresDelegation: true,
-  availableTools: [ 'protected_tool' ]
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.326Z'
-}
-stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.326Z'
-}
- ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 22ms
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '2ade6797-2590-481e-aa6f-2215d75b3996',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '2ade6797-2590-481e-aa6f-2215d75b3996',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
-}
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '60a313a1-6692-43bd-aa37-29fa860cf510',
-  status: 400,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 209,
-  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
-  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '60a313a1-6692-43bd-aa37-29fa860cf510',
-  status: 400,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'error' ],
-  responseData: '{\n' +
-    '  "success": false,\n' +
-    '  "error": {\n' +
-    '    "code": "all_proofs_rejected",\n' +
-    '    "message": "All proofs rejected",\n' +
-    '    "details": {\n' +
-    '      "rejected": 1,\n' +
-    '      "errors": [\n' +
-    '        {\n' +
-    '          "proof_index": 0,\n' +
-    '          "error": {\n' +
-    '            "code": "invalid_signature",\n' +
-    '            "message": "Invalid signature"\n' +
-    '          }\n' +
-    '        }\n' +
-    '      ]\n' +
-    '    }\n' +
-    '  }\n' +
-    '}'
-}
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+ ✓ src/__tests__/services/tool-protection-merged-config.test.ts (11 tests) 166ms
+ ✓ src/services/__tests__/storage.service.test.ts (17 tests) 21ms
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with success field in data
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+  correlationId: '44b856b6-1731-42fd-8975-6af554f5e6eb',
   status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 206,
-  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.371Z"}}',
-  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.371Z"}}'
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 191,
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.628Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.628Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+  correlationId: '44b856b6-1731-42fd-8975-6af554f5e6eb',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
   responseData: '{\n' +
     '  "success": true,\n' +
     '  "data": {\n' +
-    '    "success": true,\n' +
     '    "accepted": 1,\n' +
     '    "rejected": 0,\n' +
     '    "outcomes": {\n' +
@@ -779,14 +343,13 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.371Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.628Z"\n' +
     '  }\n' +
     '}'
 }
 [AccessControl] Raw response received: {
   "success": true,
   "data": {
-    "success": true,
     "accepted": 1,
     "rejected": 0,
     "outcomes": {
@@ -798,12 +361,12 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.371Z"
+    "timestamp": "2025-12-04T01:15:15.628Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
-  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  correlationId: '44b856b6-1731-42fd-8975-6af554f5e6eb',
+  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
   hasAccepted: true,
   hasRejected: true,
   hasOutcomes: true,
@@ -817,7 +380,6 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
   errorsType: 'undefined',
   errorsIsArray: false,
   fullData: '{\n' +
-    '  "success": true,\n' +
     '  "accepted": 1,\n' +
     '  "rejected": 0,\n' +
     '  "outcomes": {\n' +
@@ -829,7 +391,7 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '8062b77e-6f28-4dac-a624-c3e10c7865d9',
+  correlationId: '44b856b6-1731-42fd-8975-6af554f5e6eb',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
   hasSuccess: true,
   successValue: true,
@@ -852,275 +414,18 @@ stderr | src/services/__tests__/access-control.service.test.ts > AccessControlAp
     '}'
 }
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with errors array
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd77a977b-42ca-4926-a1a3-8e633c5c215c',
+  correlationId: '3378ac8e-ca4f-4498-9896-3d5ae565f647',
   status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 42,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
+  statusText: undefined,
+  headers: {},
+  responseTextLength: 333,
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.675Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.675Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd77a977b-42ca-4926-a1a3-8e633c5c215c',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
-  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0
-}
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'b57c702a-173c-463c-8a0e-1edc3fc11cb6',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'b57c702a-173c-463c-8a0e-1edc3fc11cb6',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
-}
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '9e9878e9-938f-4bd4-b940-aa4cd8626ac8',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 56,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '9e9878e9-938f-4bd4-b940-aa4cd8626ac8',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {}
-}
-stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 52,
-  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
-  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'data' ],
-  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "data": {
-    "message": "Invalid format"
-  }
-}
-[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  dataKeys: [ 'message' ],
-  hasAccepted: false,
-  hasRejected: false,
-  hasOutcomes: false,
-  hasErrors: false,
-  acceptedType: 'undefined',
-  acceptedValue: undefined,
-  rejectedType: 'undefined',
-  rejectedValue: undefined,
-  outcomesType: 'undefined',
-  outcomesValue: undefined,
-  errorsType: 'undefined',
-  errorsIsArray: false,
-  fullData: '{\n  "message": "Invalid format"\n}'
-}
-[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
-  hasSuccess: true,
-  successValue: true,
-  hasAccepted: true,
-  acceptedValue: undefined,
-  hasRejected: true,
-  rejectedValue: undefined,
-  hasOutcomes: false,
-  outcomesValue: undefined,
-  fullDataWithSuccess: '{\n  "success": true\n}'
-}
-[AccessControl] ❌ MISSING REQUIRED FIELDS AFTER CONSTRUCTION: {
-  correlationId: 'd9a82dd8-18d9-4721-b45f-ecb435661533',
-  hasAccepted: true,
-  acceptedType: 'undefined',
-  acceptedValue: undefined,
-  hasRejected: true,
-  rejectedType: 'undefined',
-  rejectedValue: undefined,
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
-  fullDataWithSuccess: '{\n  "success": true\n}',
-  dataToValidateKeys: [ 'message' ],
-  fullDataToValidate: '{\n  "message": "Invalid format"\n}',
-  originalResponseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
-}
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
-[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
-stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with success field in data
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  status: 200,
-  statusText: undefined,
-  headers: {},
-  responseTextLength: 191,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.364Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.364Z"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'data', 'metadata' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "data": {\n' +
-    '    "accepted": 1,\n' +
-    '    "rejected": 0,\n' +
-    '    "outcomes": {\n' +
-    '      "success": 1,\n' +
-    '      "failed": 0,\n' +
-    '      "blocked": 0,\n' +
-    '      "error": 0\n' +
-    '    }\n' +
-    '  },\n' +
-    '  "metadata": {\n' +
-    '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.364Z"\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "data": {
-    "accepted": 1,
-    "rejected": 0,
-    "outcomes": {
-      "success": 1,
-      "failed": 0,
-      "blocked": 0,
-      "error": 0
-    }
-  },
-  "metadata": {
-    "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.364Z"
-  }
-}
-[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
-  hasAccepted: true,
-  hasRejected: true,
-  hasOutcomes: true,
-  hasErrors: false,
-  acceptedType: 'number',
-  acceptedValue: 1,
-  rejectedType: 'number',
-  rejectedValue: 0,
-  outcomesType: 'object',
-  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
-  errorsType: 'undefined',
-  errorsIsArray: false,
-  fullData: '{\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'a191bb28-c82e-4b0a-b3b2-4b9afd44abf6',
-  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  hasSuccess: true,
-  successValue: true,
-  hasAccepted: true,
-  acceptedValue: 1,
-  hasRejected: true,
-  rejectedValue: 0,
-  hasOutcomes: true,
-  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
-  fullDataWithSuccess: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response with errors array
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
-  status: 200,
-  statusText: undefined,
-  headers: {},
-  responseTextLength: 333,
-  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.376Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Proof validation failed","details":{"reason":"invalid_signature"}}}]},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.376Z"}}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
+  correlationId: '3378ac8e-ca4f-4498-9896-3d5ae565f647',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1150,7 +455,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.376Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.675Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1180,11 +485,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.376Z"
+    "timestamp": "2025-12-04T01:15:15.675Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
+  correlationId: '3378ac8e-ca4f-4498-9896-3d5ae565f647',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1222,7 +527,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '379ba9c2-a249-4004-a797-b65af80d45d0',
+  correlationId: '3378ac8e-ca4f-4498-9896-3d5ae565f647',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1259,16 +564,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should validate wrapped response without outcomes (optional field)
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: '64a8619d-c455-4f7b-a5d9-152e2ed596b0',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 133,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.377Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.377Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.676Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.676Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: '64a8619d-c455-4f7b-a5d9-152e2ed596b0',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1280,7 +585,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.377Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.676Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1292,11 +597,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.377Z"
+    "timestamp": "2025-12-04T01:15:15.676Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: '64a8619d-c455-4f7b-a5d9-152e2ed596b0',
   dataKeys: [ 'accepted', 'rejected' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1313,7 +618,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullData: '{\n  "accepted": 1,\n  "rejected": 0\n}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '4277a869-2b7b-4fd8-a82c-6db33c14ef67',
+  correlationId: '64a8619d-c455-4f7b-a5d9-152e2ed596b0',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
   hasSuccess: true,
   successValue: true,
@@ -1326,28 +631,18 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullDataWithSuccess: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
 }
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should prefer Redis over KV when both are configured
-[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/storage.service.ts'
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should fall back to memory when Redis connection fails
-[StorageService] Failed to connect to Redis, falling back to memory: Redis package not available
-stderr | src/services/__tests__/storage.service.test.ts > StorageService > createStorageProviders > should use KV namespace when provided
-[StorageService] Failed to initialize KV, falling back to memory: Failed to import Cloudflare storage providers: Cannot find package '@kya-os/mcp-i-cloudflare/providers/storage' imported from '/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/storage.service.ts'
- ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 34ms
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > Wrapped Response Format (AgentShield API) > should throw validation error if data object missing success field
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'b45811d4-482a-41c8-9a2f-e2d9dc92705e',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 191,
-  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.378Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-11-26T15:36:45.378Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.676Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:15.676Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'b45811d4-482a-41c8-9a2f-e2d9dc92705e',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1365,7 +660,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-request-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.378Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.676Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1383,11 +678,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-request-id",
-    "timestamp": "2025-11-26T15:36:45.378Z"
+    "timestamp": "2025-12-04T01:15:15.676Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'b45811d4-482a-41c8-9a2f-e2d9dc92705e',
   dataKeys: [ 'accepted', 'rejected', 'outcomes' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1413,7 +708,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'd99d9059-cc05-4ce7-84f1-7d951e39daac',
+  correlationId: 'b45811d4-482a-41c8-9a2f-e2d9dc92705e',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
   hasSuccess: true,
   successValue: true,
@@ -1438,7 +733,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should correctly extract data from wrapped response after JSON deep clone
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '4b706886-8d05-4976-953d-9fabf77135ff',
   status: 200,
   statusText: undefined,
   headers: {},
@@ -1447,7 +742,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullResponseText: '{"success":true,"data":{"accepted":1,"rejected":0,"outcomes":{"success":1},"errors":[]},"metadata":{"requestId":"fc1fa88f-9b22-4161-b4fd-17d8215098ee","timestamp":"2025-11-24T21:36:33.029Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '4b706886-8d05-4976-953d-9fabf77135ff',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1483,7 +778,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '4b706886-8d05-4976-953d-9fabf77135ff',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1507,7 +802,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '1720e7cd-d11b-4e5e-a7f3-947163c96fcc',
+  correlationId: '4b706886-8d05-4976-953d-9fabf77135ff',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1530,16 +825,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response where data fields are numeric values (not undefined)
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: '3f8f79eb-d89f-4249-ba4c-770a006bc1be',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 151,
-  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.380Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.380Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:15:15.678Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":0,"rejected":0,"outcomes":{},"errors":[]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:15:15.678Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: '3f8f79eb-d89f-4249-ba4c-770a006bc1be',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1553,7 +848,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.380Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.678Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1567,11 +862,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-id",
-    "timestamp": "2025-11-26T15:36:45.380Z"
+    "timestamp": "2025-12-04T01:15:15.678Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: '3f8f79eb-d89f-4249-ba4c-770a006bc1be',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1588,7 +883,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   fullData: '{\n  "accepted": 0,\n  "rejected": 0,\n  "outcomes": {},\n  "errors": []\n}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: 'a503dfd0-d743-4265-b852-8651f811be47',
+  correlationId: '3f8f79eb-d89f-4249-ba4c-770a006bc1be',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1609,16 +904,16 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
 stderr | src/services/__tests__/access-control.proof-response-validation.test.ts > Proof Submission Response Validation > JSON Deep Clone Fix (Cloudflare Workers Edge Case) > should handle response with nested outcomes object
 [AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '662ba42a-700b-4338-88bc-5f11d41d121e',
   status: 200,
   statusText: undefined,
   headers: {},
   responseTextLength: 278,
-  responseTextPreview: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.381Z"}}',
-  fullResponseText: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-11-26T15:36:45.381Z"}}'
+  responseTextPreview: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:15:15.678Z"}}',
+  fullResponseText: '{"success":true,"data":{"accepted":3,"rejected":2,"outcomes":{"success":1,"failed":1,"blocked":1,"error":2},"errors":[{"proof_index":0,"error":{"code":"validation_error","message":"Invalid signature"}}]},"metadata":{"requestId":"test-id","timestamp":"2025-12-04T01:15:15.678Z"}}'
 }
 [AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '662ba42a-700b-4338-88bc-5f11d41d121e',
   status: 200,
   responseDataType: 'object',
   responseDataKeys: [ 'success', 'data', 'metadata' ],
@@ -1645,7 +940,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '  },\n' +
     '  "metadata": {\n' +
     '    "requestId": "test-id",\n' +
-    '    "timestamp": "2025-11-26T15:36:45.381Z"\n' +
+    '    "timestamp": "2025-12-04T01:15:15.678Z"\n' +
     '  }\n' +
     '}'
 }
@@ -1672,11 +967,11 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
   },
   "metadata": {
     "requestId": "test-id",
-    "timestamp": "2025-11-26T15:36:45.381Z"
+    "timestamp": "2025-12-04T01:15:15.678Z"
   }
 }
 [AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '662ba42a-700b-4338-88bc-5f11d41d121e',
   dataKeys: [ 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasAccepted: true,
   hasRejected: true,
@@ -1711,7 +1006,7 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
 [AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
-  correlationId: '92b20f95-5715-4269-a897-5091058dfb43',
+  correlationId: '662ba42a-700b-4338-88bc-5f11d41d121e',
   dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
   hasSuccess: true,
   successValue: true,
@@ -1743,206 +1038,97 @@ stderr | src/services/__tests__/access-control.proof-response-validation.test.ts
     '}'
 }
- ✓ src/services/__tests__/access-control.proof-response-validation.test.ts (12 tests) 18ms
- ✓ src/services/__tests__/storage.service.test.ts (17 tests) 22ms
-stderr | src/services/__tests__/proof-verifier.test.ts > ProofVerifier Security > Signature Verification > should handle signature verification errors gracefully
-[CryptoService] Ed25519 verification error: Error: Crypto error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '5be6f8ae-ee53-4b5f-a627-da78df1494fb',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 100,
-  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
-  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+ ✓ src/services/__tests__/access-control.proof-response-validation.test.ts (12 tests) 54ms
+ ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 9ms
+ ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 11ms
+ ✓ src/__tests__/runtime/base.test.ts (55 tests) 15ms
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+[MCP-I] Checking tool protection: {
+  tool: 'unprotectedTool',
+  agentDid: 'did:key:zmock123...',
+  tool: 'protectedTool',
+  hasDelegation: false
 }
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '5be6f8ae-ee53-4b5f-a627-da78df1494fb',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 1,\n' +
-    '  "rejected": 0,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 1,\n' +
-    '    "failed": 0,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  }\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 1,
-  "rejected": 0,
-  "outcomes": {
-    "success": 1,
-    "failed": 0,
-    "blocked": 0,
-    "error": 0
-  }
-}
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
-[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
-  correlationId: '1ceb40b1-e915-4474-97ee-d103432d8f85',
-  status: 200,
-  statusText: '',
-  headers: { 'content-type': 'application/json' },
-  responseTextLength: 200,
-  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
-  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
-}
-[AccessControl] 🔍 PARSED RESPONSE DATA: {
-  correlationId: '1ceb40b1-e915-4474-97ee-d103432d8f85',
-  status: 200,
-  responseDataType: 'object',
-  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
-  responseData: '{\n' +
-    '  "success": true,\n' +
-    '  "accepted": 0,\n' +
-    '  "rejected": 1,\n' +
-    '  "outcomes": {\n' +
-    '    "success": 0,\n' +
-    '    "failed": 1,\n' +
-    '    "blocked": 0,\n' +
-    '    "error": 0\n' +
-    '  },\n' +
-    '  "errors": [\n' +
-    '    {\n' +
-    '      "proof_index": 0,\n' +
-    '      "error": {\n' +
-    '        "code": "invalid_signature",\n' +
-    '        "message": "Invalid JWS signature"\n' +
-    '      }\n' +
-    '    }\n' +
-    '  ]\n' +
-    '}'
-}
-[AccessControl] Raw response received: {
-  "success": true,
-  "accepted": 0,
-  "rejected": 1,
-  "outcomes": {
-    "success": 0,
-    "failed": 1,
-    "blocked": 0,
-    "error": 0
-  },
-  "errors": [
-    {
-      "proof_index": 0,
-      "error": {
-        "code": "invalid_signature",
-        "message": "Invalid JWS signature"
-      }
-    }
-  ]
-}
-stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
-[CryptoService] Key ID mismatch
- ✓ src/__tests__/cache/tool-protection-cache.test.ts (49 tests) 210ms
- ✓ src/__tests__/runtime/base.test.ts (55 tests) 35ms
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
+[MCP-I] Tool protection check passed (no delegation required) {
   requiredScopes: [ 'files:write' ],
-[MCP-I] Checking tool protection: {
   tool: 'unprotectedTool',
   agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gxa3v_mig63sgc',
+  reason: 'Tool not configured to require delegation'
+}
   agentDid: 'did:key:zmock123...',
-  hasDelegation: false
+  resumeToken: 'resume_bx55kc_miqquppj',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_bx55kc_miqquppj'
 }
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when no protection required
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gxa3v_mig63sgc'
-}
 stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
-[MCP-I] Tool protection check passed (no delegation required) {
-  tool: 'unprotectedTool',
-[MCP-I] ❌ Delegation verification FAILED {
-  agentDid: 'did:key:zmock123...',
-  reason: 'Tool not configured to require delegation'
-}
-  tool: 'protectedTool',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when protection required and no delegation
 [MCP-I] Checking tool protection: {
-  agentDid: 'did:key:zmock123...',
+[MCP-I] ❌ Delegation verification FAILED {
+  tool: 'protectedTool',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
-  reason: 'Delegation token expired',
 }
+  agentDid: 'did:key:zmock123...',
-  errorCode: undefined,
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
-  errorMessage: undefined,
 [MCP-I] Checking tool protection: {
+  reason: 'Delegation token expired',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-  hasDelegation: true
+  errorCode: undefined,
+  errorMessage: undefined,
   requiredScopes: [ 'files:write' ]
+  hasDelegation: true
 }
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
-  hasConsentProof: false,
 [MCP-I] ❌ Delegation verification FAILED {
+  hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and delegation provided
-[MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
+[MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  delegationId: 'test-delegation-id',
   agentDid: 'did:key:zmock123...',
   reason: 'Insufficient scopes',
-  delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
-  errorCode: undefined,
   requiredScopes: [ 'files:write' ]
 }
-  errorMessage: undefined,
-  requiredScopes: [ 'files:write' ]
+  errorCode: undefined,
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
+  errorMessage: undefined,
+  requiredScopes: [ 'files:write' ]
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
 }
+  agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+[MCP-I] ❌ Delegation verification error (API failure) {
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  tool: 'protectedTool',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: false,
@@ -1950,6 +1136,7 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   requiredScopes: [ 'files:write' ]
 }
+  agentDid: 'did:key:zmock123...',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when protection required and consentProof provided
 [MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
@@ -1957,6 +1144,7 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
   requiredScopes: [ 'files:write' ]
+  errorCode: 'network_error',
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
@@ -1967,7 +1155,9 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation verification fails
+  errorMessage: 'API unavailable',
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  errorDetails: {}
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
@@ -1975,240 +1165,271 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   requiredScopes: [ 'files:write' ]
 }
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
+[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
+  tool: 'protectedTool',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
+  agentDid: 'did:key:zmock123...',
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  hasDelegationToken: true,
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
+  hasConsentProof: false
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should block tool execution when delegation has wrong scopes
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+}
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
+[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
 }
+  tool: 'protectedTool',
+  agentDid: 'did:key:zmock123...',
- ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 31ms
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+  delegationUserIdentifier: 'did:key:zUserB987654...',
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
+  sessionUserDid: 'did:key:zUserA123456...',
   hasDelegation: true
 }
+  sessionId: 'session123...',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should handle API errors during verification gracefully
-[MCP-I] ❌ Delegation verification error (API failure) {
+  reason: 'user_identifier_mismatch',
+  severity: 'high'
+}
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
-  tool: 'protectedTool',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-  agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
   hasConsentProof: false,
-  errorCode: 'network_error',
   requiredScopes: [ 'files:write' ]
 }
-  errorMessage: 'API unavailable',
-  errorDetails: {}
+[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  tool: 'protectedTool',
   hasDelegation: true
 }
-}
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should allow tool execution when access control service not configured (graceful degradation)
-[MCP-I] ⚠️ Delegation token provided but AccessControlApiService not configured - skipping verification {
-  tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-  hasDelegationToken: true,
-  hasConsentProof: false
-}
+  delegationUserIdentifier: 'did:key:zUserA123456...',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
+  sessionId: 'session123...'
 [MCP-I] Checking tool protection: {
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
-[MCP-I] 🔒 SECURITY: User identifier validation FAILED {
+}
   hasDelegation: true
 }
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  delegationUserIdentifier: 'did:key:zUserB987654...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should reject delegation when user_identifier does not match session userDid
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  sessionUserDid: 'did:key:zUserA123456...',
-  sessionId: 'session123...',
-  reason: 'user_identifier_mismatch',
-  severity: 'high'
   agentDid: 'did:key:zmock123...',
-}
   hasDelegationToken: true,
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
+  tool: 'protectedTool',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
 }
+  resumeToken: 'resume_bx55g1_miqquppo',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_bx55g1_miqquppo'
   hasDelegation: true
 }
+}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should accept delegation when user_identifier matches session userDid
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
 [MCP-I] ✅ User identifier validation PASSED {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  requiredScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
   userDid: 'did:key:zUserA123456...',
   sessionId: 'session123...'
 }
 [MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
+  resumeToken: 'resume_bx55g1_miqquppo',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_bx55g1_miqquppo'
+}
   agentDid: 'did:key:zmock123...',
   delegationId: 'test-delegation-id',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   credentialScopes: [ 'files:write' ],
   requiredScopes: [ 'files:write' ]
+  tool: 'protectedTool',
 }
+  requiredScopes: [ 'files:write', 'files:read' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_bx55g1_miqquppo',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_bx55g1_miqquppo'
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
 [MCP-I] Checking tool protection: {
+}
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
   hasDelegation: true
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
+  requiredScopes: [ 'files:write' ],
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
+  resumeToken: 'resume_bx55g1_miqquppo',
 }
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_bx55g1_miqquppo'
+}
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing user_identifier gracefully (backward compatibility)
 [MCP-I] ✅ Delegation verification SUCCEEDED {
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
+  tool: 'protectedTool',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  requiredScopes: [ 'files:write' ],
   delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
+  agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_bx55g1_miqquppp',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_bx55g1_miqquppp'
+}
   requiredScopes: [ 'files:write' ]
 }
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: true
 }
+  tool: 'protectedTool',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
+  requiredScopes: [ 'files:write' ],
 [MCP-I] 🔐 Verifying delegation token with AccessControlApiService {
+  agentDid: 'did:key:zmock123...',
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegationToken: true,
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
   hasConsentProof: false,
   requiredScopes: [ 'files:write' ]
 }
-[MCP-I] ⚠️ Delegation has user_identifier but session missing userDid {
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > user_identifier validation > should handle missing session userDid gracefully
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  delegationUserIdentifier: 'did:key:zUserA123456...',
 [MCP-I] ✅ Delegation verification SUCCEEDED {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   delegationId: 'test-delegation-id',
   credentialScopes: [ 'files:write' ],
-  sessionId: 'session123...'
   requiredScopes: [ 'files:write' ]
+  resumeToken: 'resume_49l1t5_miqquppp',
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
 [MCP-I] Checking tool protection: {
-}
   tool: 'unprotectedTool',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_49l1t5_miqquppp'
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should create proof after successful tool execution
+}
 [MCP-I] Tool protection check passed (no delegation required) {
   tool: 'unprotectedTool',
   agentDid: 'did:key:zmock123...',
   reason: 'Tool not configured to require delegation'
 }
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+  tool: 'protectedTool',
 }
+  requiredScopes: [],
+  agentDid: 'did:key:zmock123...',
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > processToolCall with tool protection > should not create proof when tool execution is blocked
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
+  resumeToken: 'resume_bx55eb_miqquppq',
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_bx55eb_miqquppq'
+}
   hasDelegation: false
 }
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
+stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
+[MCP-I] Checking tool protection: {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
   agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgv',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgv'
+  hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include tool name in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgv',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgv'
-}
-stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
-[MCP-I] Checking tool protection: {
-  tool: 'protectedTool',
-  agentDid: 'did:key:zmock123...',
-  hasDelegation: false
-}
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include required scopes in error
 [MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write', 'files:read' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8nc_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite%2Cfiles%3Aread&session_id=session123&agent_did=&resume_token=resume_gx8nc_mig63sgw'
-}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
 [MCP-I] Checking tool protection: {
@@ -2217,52 +1438,39 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include consent URL in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8mh_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8mh_mig63sgw'
-}
+  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_bx55eb_miqquppq',
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_bx55eb_miqquppq'
+  agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include resume token in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx8mh_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_gx8mh_mig63sgw'
 }
+stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+[MCP-I] BLOCKED: Tool requires delegation but none provided {
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > DelegationRequiredError details > should include intercepted call context in error
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
   tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_fpsylu_mig63sgw',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=session123&agent_did=&resume_token=resume_fpsylu_mig63sgw'
-}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
+  requiredScopes: [ 'files:write' ],
 [MCP-I] Checking tool protection: {
+  agentDid: 'did:key:zmock123...',
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
+  resumeToken: 'resume_14wv0f_miqquppq',
   hasDelegation: false
+  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_14wv0f_miqquppq'
+}
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log tool protection check when audit enabled
@@ -2270,21 +1478,30 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
   reason: 'Tool not configured to require delegation'
 }
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > audit logging > should log blocked tool call when audit enabled
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
 [MCP-I] Checking tool protection: {
   tool: 'testTool',
   agentDid: 'did:key:zmock123...',
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
   hasDelegation: false
+  agentDid: 'did:key:z6MkhaXgBZDv...',
 }
+  error: 'Network error',
+  cacheKey: 'config:tool-protections:test-project'
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should use agent DID from identity for protection check
 [MCP-I] Tool protection check passed (no delegation required) {
@@ -2296,278 +1513,1441 @@ stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntime
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > tool protection service integration > should handle tool protection service errors gracefully
 [MCP-I] Checking tool protection: {
   tool: 'testTool',
+}
+stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
+[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should submit proof end-to-end
 }
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '00db17b8-fc23-47b8-9e6c-109b226b7a8e',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle empty required scopes array
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx7z8_mig63sh2',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=&session_id=session123&agent_did=&resume_token=resume_gx7z8_mig63sh2'
-}
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  status: 200,
+  statusText: '',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle multiple required scopes
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'scope1', 'scope2', 'scope3' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_gx7yd_mig63sh3',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=scope1%2Cscope2%2Cscope3&session_id=session123&agent_did=&resume_token=resume_gx7yd_mig63sh3'
-}
+  headers: { 'content-type': 'application/json' },
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
 [MCP-I] Checking tool protection: {
   tool: 'protectedTool',
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
 }
-stderr | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle session without id
-[MCP-I] BLOCKED: Tool requires delegation but none provided {
-  tool: 'protectedTool',
-  requiredScopes: [ 'files:write' ],
-  agentDid: 'did:key:zmock123...',
-  resumeToken: 'resume_cl4sgd_mig63sh3',
-  consentUrl: 'https://kya.vouched.id/bouncer/consent?tool=protectedTool&scopes=files%3Awrite&session_id=&agent_did=&resume_token=resume_cl4sgd_mig63sh3'
 }
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '00db17b8-fc23-47b8-9e6c-109b226b7a8e',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
 [MCP-I] Checking tool protection: {
   tool: 'errorTool',
   agentDid: 'did:key:zmock123...',
   hasDelegation: false
+  status: 200,
 }
+  responseDataType: 'object',
 stdout | src/__tests__/runtime/tool-protection-enforcement.test.ts > MCPIRuntimeBase - Tool Protection Enforcement > edge cases > should handle handler errors independently of protection
 [MCP-I] Tool protection check passed (no delegation required) {
   tool: 'errorTool',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
   agentDid: 'did:key:zmock123...',
   reason: 'Tool not configured to require delegation'
+  responseData: '{\n' +
 }
- ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 63ms
-stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
-[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
-    at Object.resolveDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at ProofVerifier.fetchPublicKeyFromDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
-stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
-[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
-    at Object.resolveDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at ProofVerifier.fetchPublicKeyFromDID (/Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
- ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 46ms
- ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 154ms
- ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 134ms
- ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 317ms
- ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 324ms
+    '  "success": true,\n' +
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should allow unprotected tool calls
 [ToolProtectionService] Config loaded from API {
   source: 'api',
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
   toolCount: 1,
   protectedTools: [],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should use fallback config when API fails
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.684Z'
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network error' }
+  cacheExpiresAt: '2025-12-04T01:20:15.764Z'
 }
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
 [ToolProtectionService] Config loaded from API {
+    '    "blocked": 0,\n' +
   source: 'api',
   toolCount: 1,
   protectedTools: [ 'checkout' ],
+    '    "error": 0\n' +
   agentDid: 'did:key:z6MkhaXgBZDv...',
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle tool protection service errors gracefully
+    '  }\n' +
   projectId: 'test-project',
+    '}'
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.685Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.764Z'
 }
-[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Tool protection enforcement flow > should intercept protected tool calls without delegation
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Network error',
 [ToolProtectionService] Protection check {
   tool: 'checkout',
-  cacheKey: 'config:tool-protections:test-project'
   agentDid: 'did:key:z6MkhaXgBZDv...',
+}
   found: true,
   isWildcard: false,
+[AccessControl] Raw response received: {
   requiresDelegation: true,
+  "success": true,
   availableTools: [ 'checkout' ]
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
 }
-stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield
-}
+stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should fetch tool protection config from AgentShield merged config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-stderr | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Error handling in full flow > should handle network timeouts
-[ToolProtectionService] API fetch failed, using fallback config { agentDid: 'did:key:z6MkhaXgBZDv...', error: 'Network timeout' }
   toolCount: 1,
   protectedTools: [ 'protected_tool' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.686Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.765Z'
 }
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > AgentShield integration flow > should cache tool protection config
 [ToolProtectionService] Config loaded from API {
   source: 'api',
+    "blocked": 0,
+    "error": 0
+  }
   toolCount: 1,
+}
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.687Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.766Z'
 }
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should share cache across multiple service instances
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Submission Flow > should handle proof submission with errors
 [ToolProtectionService] Config loaded from API {
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
   source: 'api',
+  correlationId: '7d4ba585-b06f-4d8e-ab41-6a4bd33bc598',
   toolCount: 1,
   protectedTools: [ 'tool1' ],
+  status: 200,
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.768Z'
 }
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 200,
+  responseTextPreview: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}',
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
 [ToolProtectionService] Config loaded from API {
+  fullResponseText: '{"success":true,"accepted":0,"rejected":1,"outcomes":{"success":0,"failed":1,"blocked":0,"error":0},"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid JWS signature"}}]}'
   source: 'api',
   toolCount: 1,
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
+}
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.768Z'
 }
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Cache integration in full flow > should clear cache when needed
 [ToolProtectionService] Config loaded from API {
   source: 'api',
+  correlationId: '7d4ba585-b06f-4d8e-ab41-6a4bd33bc598',
   toolCount: 1,
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.768Z'
+  status: 200,
+  responseDataType: 'object',
 }
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes', 'errors' ],
 [ToolProtectionService] Config loaded from API {
+  responseData: '{\n' +
+    '  "success": true,\n' +
   source: 'api',
   toolCount: 3,
+    '  "accepted": 0,\n' +
   protectedTools: [ 'add_to_cart', 'checkout' ],
+    '  "rejected": 1,\n' +
   agentDid: 'did:key:z6MkhaXgBZDv...',
+    '  "outcomes": {\n' +
+    '    "success": 0,\n' +
+    '    "failed": 1,\n' +
   projectId: 'test-project',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.689Z'
+  cacheExpiresAt: '2025-12-04T01:20:15.769Z'
+    '    "blocked": 0,\n' +
 }
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Real-world e-commerce scenario > should handle complete e-commerce flow with tool protection
 [ToolProtectionService] Protection check {
+    '    "error": 0\n' +
   tool: 'add_to_cart',
+    '  },\n' +
   agentDid: 'did:key:z6MkhaXgBZDv...',
   found: true,
+    '  "errors": [\n' +
+    '    {\n' +
   isWildcard: false,
   requiresDelegation: true,
   availableTools: [ 'search_products', 'add_to_cart', 'checkout' ]
+    '      "proof_index": 0,\n' +
+    '      "error": {\n' +
 }
+    '        "code": "invalid_signature",\n' +
 stdout | src/__tests__/integration/full-flow.test.ts > Full Flow Integration > Concurrent operations > should handle concurrent cache operations
 [ToolProtectionService] Config loaded from API {
+    '        "message": "Invalid JWS signature"\n' +
+    '      }\n' +
+    '    }\n' +
+  source: 'api',
+    '  ]\n' +
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project',
+    '}'
+}
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:15.769Z'
+}
+[ToolProtectionService] Config loaded from API {
+[AccessControl] Raw response received: {
   source: 'api',
   toolCount: 1,
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project',
+  "success": true,
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+  "accepted": 0,
+  cacheExpiresAt: '2025-12-04T01:20:15.769Z'
 }
 [ToolProtectionService] Config loaded from API {
   source: 'api',
   toolCount: 1,
+  "rejected": 1,
   protectedTools: [ 'tool1' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
+  "outcomes": {
+  projectId: 'test-project',
+    "success": 0,
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:15.769Z'
+}
+    "failed": 1,
+    "blocked": 0,
+    "error": 0
+  },
+  "errors": [
+    {
+      "proof_index": 0,
+      "error": {
+        "code": "invalid_signature",
+        "message": "Invalid JWS signature"
+      }
+    }
+  ]
+}
+stderr | src/services/__tests__/access-control.integration.test.ts > AccessControlApiService Integration > Proof Verification Flow > should verify proof using ProofVerifier
+[CryptoService] Key ID mismatch
+ ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 23ms
+ ✓ src/__tests__/runtime/tool-protection-enforcement.test.ts (29 tests) 13ms
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:252:7
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
+stderr | src/services/__tests__/proof-verifier.integration.test.ts > ProofVerifier Integration - Real DID Resolution > did:web Resolution (HTTP) > should handle HTTP errors gracefully
+[ProofVerifier] Failed to fetch public key from DID: Error: Failed to resolve did:web:nonexistent-domain-that-does-not-exist-12345.com: fetch failed
+    at Object.resolveDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:143:19)
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at ProofVerifier.fetchPublicKeyFromDID (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/proof-verifier.ts:348:22)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.integration.test.ts:257:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
+ ✓ src/services/__tests__/proof-verifier.integration.test.ts (13 tests | 1 skipped) 147ms
+ ✓ src/services/__tests__/access-control.integration.test.ts (9 tests) 160ms
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyEd25519 > should return false on verification error
+[CryptoService] Ed25519 verification error: Error: Verification failed
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:62:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject invalid JWK format
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong kty
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with wrong crv
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with missing x field
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject JWK with empty x field
+[CryptoService] Invalid Ed25519 JWK format
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject malformed JWS
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token '', "" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:230:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject non-EdDSA algorithms
+[CryptoService] Unsupported algorithm: RS256, expected EdDSA
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should reject HS256 algorithm
+[CryptoService] Unsupported algorithm: HS256, expected EdDSA
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle empty JWS components
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected end of JSON input
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:271:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - single part
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:279:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - two parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:287:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - four parts
+[CryptoService] Invalid JWS format: Error: Invalid JWS format: expected header.payload.signature
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:78:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:302:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid JSON header
+[CryptoService] Invalid JWS format: Error: Invalid header base64: Unexpected token 'o', "notjson" is not valid JSON
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:91:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:316:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle malformed JWS - invalid base64
+[CryptoService] Invalid JWS format: Error: Invalid payload base64: Invalid base64url string: Invalid character
+    at CryptoService.parseJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:107:15)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:169:23)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:334:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate expectedKid option
+[CryptoService] Key ID mismatch
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate alg option
+[CryptoService] Unsupported algorithm: EdDSA, expected RS256
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should validate Ed25519 key length
+[CryptoService] Failed to extract public key: Error: Invalid Ed25519 public key length: 5
+    at CryptoService.jwkToBase64PublicKey (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:295:13)
+    at CryptoService.verifyJWS (/Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/crypto.service.ts:249:32)
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:398:42
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+stderr | src/services/__tests__/crypto.service.test.ts > CryptoService > verifyJWS > should handle signature verification error
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/crypto.service.test.ts:449:61
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+ ✓ src/services/__tests__/crypto.service.test.ts (34 tests) 14ms
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should submit proofs successfully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '3e2a5e0f-9dc2-4f4b-87c9-04bff331d934',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '3e2a5e0f-9dc2-4f4b-87c9-04bff331d934',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle all_proofs_rejected error gracefully
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '9fb2e02d-cf02-43ab-a38d-9332bf1fce27',
+  status: 400,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 209,
+  responseTextPreview: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}',
+  fullResponseText: '{"success":false,"error":{"code":"all_proofs_rejected","message":"All proofs rejected","details":{"rejected":1,"errors":[{"proof_index":0,"error":{"code":"invalid_signature","message":"Invalid signature"}}]}}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '9fb2e02d-cf02-43ab-a38d-9332bf1fce27',
+  status: 400,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'error' ],
+  responseData: '{\n' +
+    '  "success": false,\n' +
+    '  "error": {\n' +
+    '    "code": "all_proofs_rejected",\n' +
+    '    "message": "All proofs rejected",\n' +
+    '    "details": {\n' +
+    '      "rejected": 1,\n' +
+    '      "errors": [\n' +
+    '        {\n' +
+    '          "proof_index": 0,\n' +
+    '          "error": {\n' +
+    '            "code": "invalid_signature",\n' +
+    '            "message": "Invalid signature"\n' +
+    '          }\n' +
+    '        }\n' +
+    '      ]\n' +
+    '    }\n' +
+    '  }\n' +
+    '}'
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response format
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '0da4cd48-1bda-409d-8c94-07c72bfd9e7d',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 206,
+  responseTextPreview: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:16.588Z"}}',
+  fullResponseText: '{"success":true,"data":{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}},"metadata":{"requestId":"test-request-id","timestamp":"2025-12-04T01:15:16.588Z"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '0da4cd48-1bda-409d-8c94-07c72bfd9e7d',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data', 'metadata' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "data": {\n' +
+    '    "success": true,\n' +
+    '    "accepted": 1,\n' +
+    '    "rejected": 0,\n' +
+    '    "outcomes": {\n' +
+    '      "success": 1,\n' +
+    '      "failed": 0,\n' +
+    '      "blocked": 0,\n' +
+    '      "error": 0\n' +
+    '    }\n' +
+    '  },\n' +
+    '  "metadata": {\n' +
+    '    "requestId": "test-request-id",\n' +
+    '    "timestamp": "2025-12-04T01:15:16.588Z"\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "success": true,
+    "accepted": 1,
+    "rejected": 0,
+    "outcomes": {
+      "success": 1,
+      "failed": 0,
+      "blocked": 0,
+      "error": 0
+    }
+  },
+  "metadata": {
+    "requestId": "test-request-id",
+    "timestamp": "2025-12-04T01:15:16.588Z"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '0da4cd48-1bda-409d-8c94-07c72bfd9e7d',
+  dataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasAccepted: true,
+  hasRejected: true,
+  hasOutcomes: true,
+  hasErrors: false,
+  acceptedType: 'number',
+  acceptedValue: 1,
+  rejectedType: 'number',
+  rejectedValue: 0,
+  outcomesType: 'object',
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '0da4cd48-1bda-409d-8c94-07c72bfd9e7d',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: 1,
+  hasRejected: true,
+  rejectedValue: 0,
+  hasOutcomes: true,
+  outcomesValue: { success: 1, failed: 0, blocked: 0, error: 0 },
+  fullDataWithSuccess: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'd107eb6d-cd2e-40d1-a87a-77bbb9a2c248',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 42,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'd107eb6d-cd2e-40d1-a87a-77bbb9a2c248',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: 'c8298b4e-ee49-4f03-9078-03e559397d8d',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 100,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{"success":1,"failed":0,"blocked":0,"error":0}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: 'c8298b4e-ee49-4f03-9078-03e559397d8d',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n' +
+    '  "success": true,\n' +
+    '  "accepted": 1,\n' +
+    '  "rejected": 0,\n' +
+    '  "outcomes": {\n' +
+    '    "success": 1,\n' +
+    '    "failed": 0,\n' +
+    '    "blocked": 0,\n' +
+    '    "error": 0\n' +
+    '  }\n' +
+    '}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {
+    "success": 1,
+    "failed": 0,
+    "blocked": 0,
+    "error": 0
+  }
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle response with missing outcomes field (outcomes is optional)
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '5924cc97-b045-4a96-a234-31252848bc09',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 56,
+  responseTextPreview: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}',
+  fullResponseText: '{"success":true,"accepted":1,"rejected":0,"outcomes":{}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '5924cc97-b045-4a96-a234-31252848bc09',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'accepted', 'rejected', 'outcomes' ],
+  responseData: '{\n  "success": true,\n  "accepted": 1,\n  "rejected": 0,\n  "outcomes": {}\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "accepted": 1,
+  "rejected": 0,
+  "outcomes": {}
+}
+stderr | src/services/__tests__/access-control.service.test.ts > AccessControlApiService > submitProofs > should handle wrapped response with invalid data structure
+[AccessControl] 🔍 RAW API RESPONSE (before parsing): {
+  correlationId: '2ecd5f26-1003-4bb2-9949-15d7a0e9ddc7',
+  status: 200,
+  statusText: '',
+  headers: { 'content-type': 'application/json' },
+  responseTextLength: 52,
+  responseTextPreview: '{"success":true,"data":{"message":"Invalid format"}}',
+  fullResponseText: '{"success":true,"data":{"message":"Invalid format"}}'
+}
+[AccessControl] 🔍 PARSED RESPONSE DATA: {
+  correlationId: '2ecd5f26-1003-4bb2-9949-15d7a0e9ddc7',
+  status: 200,
+  responseDataType: 'object',
+  responseDataKeys: [ 'success', 'data' ],
+  responseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+[AccessControl] Raw response received: {
+  "success": true,
+  "data": {
+    "message": "Invalid format"
+  }
+}
+[AccessControl] 🔍 DATA OBJECT STRUCTURE (after deep clone): {
+  correlationId: '2ecd5f26-1003-4bb2-9949-15d7a0e9ddc7',
+  dataKeys: [ 'message' ],
+  hasAccepted: false,
+  hasRejected: false,
+  hasOutcomes: false,
+  hasErrors: false,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  outcomesType: 'undefined',
+  outcomesValue: undefined,
+  errorsType: 'undefined',
+  errorsIsArray: false,
+  fullData: '{\n  "message": "Invalid format"\n}'
+}
+[AccessControl] 🔍 VALIDATING DATA WITH SUCCESS: {
+  correlationId: '2ecd5f26-1003-4bb2-9949-15d7a0e9ddc7',
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  hasSuccess: true,
+  successValue: true,
+  hasAccepted: true,
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedValue: undefined,
+  hasOutcomes: false,
+  outcomesValue: undefined,
+  fullDataWithSuccess: '{\n  "success": true\n}'
+}
+[AccessControl] ❌ MISSING REQUIRED FIELDS AFTER CONSTRUCTION: {
+  correlationId: '2ecd5f26-1003-4bb2-9949-15d7a0e9ddc7',
+  hasAccepted: true,
+  acceptedType: 'undefined',
+  acceptedValue: undefined,
+  hasRejected: true,
+  rejectedType: 'undefined',
+  rejectedValue: undefined,
+  dataWithSuccessKeys: [ 'success', 'accepted', 'rejected' ],
+  fullDataWithSuccess: '{\n  "success": true\n}',
+  dataToValidateKeys: [ 'message' ],
+  fullDataToValidate: '{\n  "message": "Invalid format"\n}',
+  originalResponseData: '{\n  "success": true,\n  "data": {\n    "message": "Invalid format"\n  }\n}'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
+stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+[ToolProtectionService] API fetch failed, using fallback config {
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 1000,
+  cacheExpiresAt: '2025-12-04T01:15:17.587Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
+[ToolProtectionService] Config loaded from API {
+  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
+  source: 'api',
+  toolCount: 4,
+  protectedTools: [ 'add_to_cart', 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+}
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.588Z'
+}
+stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.589Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.589Z'
+}
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.589Z'
+}
+ ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1121ms
+       ✓ should respect cache TTL  1102ms
+ ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 4ms
+ ✓ src/services/__tests__/access-control.service.test.ts (23 tests) 93ms
+ ✓ src/__tests__/services/oauth-service-pkce.test.ts (18 tests) 53ms
+ ✓ src/__tests__/providers/memory.test.ts (34 tests) 11ms
+stderr | src/services/__tests__/proof-verifier.test.ts > ProofVerifier Security > Signature Verification > should handle signature verification errors gracefully
+[CryptoService] Ed25519 verification error: Error: Crypto error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/services/__tests__/proof-verifier.test.ts:328:9
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zq5-ev5Y5xitwortZn_hNu31JcIkMy6WR","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916633,"timestampFormatted":"2025-12-04T01:15:16.633Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
+[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"6a8538c35483912e6fa59b9d80a234a6","timestamp":1764810916633},"timestamp":1764810916633,"timestampFormatted":"2025-12-04T01:15:16.633Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zrZDbmNhqf3BMOEmdMS43AbAXoxxOZOpR","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916653,"timestampFormatted":"2025-12-04T01:15:16.653Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zgy6dSCtf7RFVDeck5OhoQdmlj_ikCGVy","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916653,"timestampFormatted":"2025-12-04T01:15:16.653Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
+[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:zgy6dSCtf7RFVDeck5OhoQdmlj_ikCGVy","newDid":"did:key:zX01Vl7wEhhblqby8hUZw7ym8HPzGkCYk","timestamp":1764810916653},"timestamp":1764810916653,"timestampFormatted":"2025-12-04T01:15:16.653Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zrh6BVDG-vvjr3kRBldFSu7ZjJU0CI6_8","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916654,"timestampFormatted":"2025-12-04T01:15:16.654Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z-bMdycC8zJjTaoBLp9NJvCZNWmY7RoHU","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916654,"timestampFormatted":"2025-12-04T01:15:16.654Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zvjDTDtmeSU_LyKrdgPpebIMABTtLusYo","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916655,"timestampFormatted":"2025-12-04T01:15:16.655Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zM1uMfox_m4C1uLwchCsq_5RlBIwedwHi","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916655,"timestampFormatted":"2025-12-04T01:15:16.655Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zuUj7R0sDPxGWTIxawj6KwOPRikFwJzeW","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916655,"timestampFormatted":"2025-12-04T01:15:16.655Z"}
+stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
+[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z4w9GuVqb6B_X5NrINMq5kdtplydG9yFa","environment":"development","userDidGeneration":"disabled"},"timestamp":1764810916656,"timestampFormatted":"2025-12-04T01:15:16.656Z"}
+ ✓ src/services/__tests__/proof-verifier.test.ts (21 tests) 14ms
+ ✓ src/__tests__/integration.test.ts (9 tests) 24ms
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should fetch from project-scoped /config endpoint when projectId is available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.668Z'
+}
+ ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 6ms
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should handle new endpoint format with toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.732Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should parse oauthProvider from new endpoint format (Phase 2)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.732Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - merged config format > should preserve oauthProvider through cache operations
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'read_repos' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.861Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should fetch from agent-scoped endpoint when projectId is not available
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'checkout' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.869Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools array
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.870Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.870Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should handle old endpoint format with tools object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.870Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should parse oauthProvider from old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ 'read_repos', 'send_email' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.870Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Cache miss, fetching from API {
+  source: 'api-fetch-start',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  apiUrl: 'https://kya.vouched.id',
+  endpoint: '/api/v1/bouncer/config?agent_did=did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+[ToolProtectionService] Fetching from API: https://kya.vouched.id/api/v1/bouncer/config?agent_did=did%3Akey%3Az6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK {
+  method: 'config?agent_did (legacy)',
+  projectId: 'none',
+  apiKeyPresent: true,
+  apiKeyLength: 18,
+  apiKeyMasked: 'test-api...'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] API response received {
+  source: 'api-fetch-complete',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  responseKeys: [ 'success', 'data', 'metadata' ],
+  dataKeys: [ 'tools' ],
+  rawConfig: null,
+  rawConfigToolProtection: null,
+  rawToolProtections: null,
+  rawTools: [
+    { name: 'valid_tool', requiresDelegation: true },
+    { requiresDelegation: false }
+  ],
+  responseMetadata: {}
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch - old endpoint format > should skip tools without name in array format
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'valid_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.873Z'
+}
+[ToolProtectionService] API fetch successful, config cached {
+  source: 'cache-write',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK',
+  toolCount: 1,
+  tools: [ { name: 'valid_tool', requiresDelegation: true, scopeCount: 0 } ],
+  ttlMs: 300000,
+  ttlMinutes: 5,
+  expiresAt: '2025-12-04T01:20:16.873Z',
+  expiresIn: '300s'
+}
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > API fetch error handling > should handle network errors gracefully
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  error: 'ECONNREFUSED',
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should cache successful API responses
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.929Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use default cache TTL when not specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.929Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > caching behavior > should use custom cache TTL when specified
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 600000,
+  cacheExpiresAt: '2025-12-04T01:25:16.930Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle empty toolProtections object
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 0,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.931Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle null requiredScopes
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.936Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > getToolProtectionConfig > edge cases > should handle mixed camelCase and snake_case in response
+stderr | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+[ToolProtectionService] API fetch failed, no fallback, failing closed (deny-all) {
+  toolCount: 2,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  cacheExpiresAt: '2025-12-04T01:20:16.936Z'
+  error: 'Network error',
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool has no protection
+[ToolProtectionService] Config loaded from API {
+  cacheKey: 'agent:did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK'
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+}
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.937Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'other_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.937Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return null when tool is not in config
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: false,
+  isWildcard: true,
+  requiresDelegation: false,
+  availableTools: [ 'other_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.937Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return wildcard protection when tool not found and wildcard exists
+[ToolProtectionService] Protection check {
+  tool: 'unknown_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*', 'specific_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should prioritize specific tool protection over wildcard
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 2,
+  protectedTools: [ '*' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.937Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should use wildcard protection in fail-safe deny-all mode
+[ToolProtectionService] Protection check {
+  tool: 'any_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: true,
+  requiresDelegation: true,
+  availableTools: [ '*' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'protected_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.937Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > checkToolProtection > should return protection config when tool requires delegation
+[ToolProtectionService] Protection check {
+  tool: 'protected_tool',
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  found: true,
+  isWildcard: false,
+  requiresDelegation: true,
+  availableTools: [ 'protected_tool' ]
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.938Z'
+}
+stdout | src/__tests__/services/tool-protection.service.test.ts > ToolProtectionService > integration with NoOpToolProtectionCache > should work with NoOpToolProtectionCache
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool1' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:16.938Z'
+}
+ ✓ src/__tests__/runtime/route-interception.test.ts (21 tests) 274ms
+ ✓ src/__tests__/services/tool-protection.service.test.ts (49 tests) 307ms
+ ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 19ms
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API request fails
+[RemoteConfig] API returned 404: Not Found
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API throws error
+[RemoteConfig] Failed to fetch config: Error: Network error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if neither projectId nor agentDid provided
+[RemoteConfig] Neither projectId nor agentDid provided
+stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should handle cache read errors gracefully
+[RemoteConfig] Cache read failed: Error: Cache error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+ ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 5ms
+ ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 10ms
+ ✓ src/delegation/__tests__/vc-verifier.test.ts (35 tests) 12ms
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
+[ToolProtectionService] clearAndRefresh starting {
+  cacheKey: 'config:tool-protections:test-project-123',
+  projectId: 'test-project-123',
+  agentDid: 'did:key:test-agent...'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
+[ToolProtectionService] Cache entry deleted { cacheKey: 'config:tool-protections:test-project-123' }
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
+[ToolProtectionService] Fresh config fetched and cached {
+  cacheKey: 'config:tool-protections:test-project-123',
+  toolCount: 1,
+  protectedTools: [ 'greet' ],
+  source: 'api'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add cache-busting query param when bypassCDNCache is true
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config?_t=1764810917475 {
+  method: 'projects/{projectId}/config (merged)',
+  projectId: 'test-project-123',
+  apiKeyPresent: true,
+  apiKeyLength: 12,
+  apiKeyMasked: 'test-api...'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add Cache-Control headers when bypassCDNCache is true
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config?_t=1764810917475 {
+  method: 'projects/{projectId}/config (merged)',
+  projectId: 'test-project-123',
+  apiKeyPresent: true,
+  apiKeyLength: 12,
+  apiKeyMasked: 'test-api...'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should NOT add cache-busting when bypassCDNCache is false/undefined
+[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/config {
+  method: 'projects/{projectId}/config (merged)',
+  projectId: 'test-project-123',
+  apiKeyPresent: true,
+  apiKeyLength: 12,
+  apiKeyMasked: 'test-api...'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
+[ToolProtectionService] clearAndRefresh starting {
+  cacheKey: 'config:tool-protections:test-project-123',
+  projectId: 'test-project-123',
+  agentDid: 'did:key:test-agent...'
+}
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
+[ToolProtectionService] Cache entry deleted { cacheKey: 'config:tool-protections:test-project-123' }
+stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
+[ToolProtectionService] Fresh config fetched and cached {
+  cacheKey: 'config:tool-protections:test-project-123',
+  toolCount: 0,
+  protectedTools: [],
+  source: 'api'
+}
+ ✓ src/__tests__/services/cache-busting.test.ts (5 tests) 4ms
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully (Phase 5)
+[UserDidManager] Storage.get failed: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:67
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:145:11
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:26
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1244:20
+    at new Promise (<anonymous>)
+    at runWithTimeout (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1210:10)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:37
+    at Traces.$ (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/traces.U4xDYhzZ.js:115:27)
+    at trace (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/vitest@4.0.14_@opentelemetry+api@1.9.0_@types+node@20.19.25_jiti@2.6.1_lightningcss@1.3_3f67c307998c5928f2f2aae3bf45ed95/node_modules/vitest/dist/chunks/test.DqQZzsWf.js:234:21)
+    at runTest (file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:1654:12)
+stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.delete errors gracefully
+[UserDidManager] Storage.delete failed, continuing: Error: Storage error
+    at /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:225:70
+    at processTicksAndRejections (node:internal/process/task_queues:103:5)
+    at file:///Users/dylanhobbs/Documents/@kya-os/xmcp-i/node_modules/.pnpm/@vitest+runner@4.0.14/node_modules/@vitest/runner/dist/index.js:919:20
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'phase1_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:17.480Z'
+}
+ ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 11ms
+ ✓ src/__tests__/identity/user-did-manager.test.ts (17 tests) 7ms
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+stderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:17.484Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'old_tool' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'none',
+  cacheTtlMs: 300000,
+  cacheExpiresAt: '2025-12-04T01:20:17.484Z'
+}
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
+[ToolProtectionService] Config loaded from API {
+  source: 'api',
+  toolCount: 1,
+  protectedTools: [ 'tool_with_snake_case' ],
+  agentDid: 'did:key:z6MkhaXgBZDv...',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.485Z'
 }
+stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
 [ToolProtectionService] Config loaded from API {
   source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
+  toolCount: 2,
+  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
   agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project',
+  projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.690Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.486Z'
 }
- ✓ src/__tests__/integration/full-flow.test.ts (21 tests) 20ms
-stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.get errors gracefully
-[UserDidManager] Storage.get failed, generating new DID: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:187:67
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.set errors gracefully
-[UserDidManager] Storage.set failed, continuing with cached DID: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:196:67
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-stderr | src/__tests__/identity/user-did-manager.test.ts > UserDidManager > error handling > should handle storage.delete errors gracefully
-[UserDidManager] Storage.delete failed, continuing: Error: Storage error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/__tests__/identity/user-did-manager.test.ts:206:70
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:20
- ✓ src/__tests__/identity/user-did-manager.test.ts (17 tests) 8ms
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from camelCase field
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -2576,7 +2956,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.789Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.483Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should parse oauthProvider from snake_case field
@@ -2587,7 +2967,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.791Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.485Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should prefer camelCase over snake_case when both present
@@ -2598,7 +2978,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.791Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.485Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > New endpoint format (toolProtections object) > should handle missing oauthProvider field (backward compatible)
@@ -2609,7 +2989,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.792Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.486Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with camelCase
@@ -2620,7 +3000,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.486Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should parse oauthProvider from array format with snake_case
@@ -2631,7 +3011,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools array) > should prefer camelCase over snake_case in array format
@@ -2642,9 +3022,10 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
+ ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 7ms
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with camelCase
 [ToolProtectionService] Config loaded from API {
   source: 'api',
@@ -2653,7 +3034,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.793Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should parse oauthProvider from object format with snake_case
@@ -2664,7 +3045,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.794Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Old endpoint format (tools object) > should prefer camelCase over snake_case in object format
@@ -2675,7 +3056,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'none',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.794Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > Caching > should cache oauthProvider field correctly
@@ -2686,7 +3067,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.487Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should include oauthProvider in returned ToolProtection objects when present
@@ -2697,7 +3078,7 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.488Z'
 }
 stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolProtectionService - oauthProvider Parsing > oauthProvider field inclusion > should handle empty string oauthProvider gracefully
@@ -2708,337 +3089,81 @@ stdout | src/__tests__/services/tool-protection-oauth-provider.test.ts > ToolPro
   agentDid: 'did:key:z6MkhaXgBZDv...',
   projectId: 'test-project-123',
   cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.795Z'
+  cacheExpiresAt: '2025-12-04T01:20:17.488Z'
 }
- ✓ src/__tests__/services/tool-protection-oauth-provider.test.ts (14 tests) 7ms
- ✓ src/__tests__/services/oauth-service-pkce.test.ts (18 tests) 9ms
- ✓ src/__tests__/providers/memory.test.ts (34 tests) 13ms
- ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 25ms
-stderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should fall back to configuredProvider for ambiguous scopes
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
- ✓ src/delegation/__tests__/cascading-revocation.test.ts (23 tests) 9ms
-stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
-[ProviderResolver] Inferred provider "github" from scopes
-stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
-[ProviderResolver] Inferred provider "google" from scopes
+ ✓ src/__tests__/services/tool-protection-oauth-provider.test.ts (14 tests) 6ms
 stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle empty scopes array
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle ambiguous scopes (multiple providers inferred)
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle unknown scope prefixes
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify gmail → google mapping works
 [ProviderResolver] Inferred provider "google" from scopes
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify calendar → google mapping works
 [ProviderResolver] Inferred provider "google" from scopes
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should verify outlook → microsoft mapping works
 [ProviderResolver] Inferred provider "microsoft" from scopes
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle scopes without colons
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle inferred provider not in registry
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "google" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Fallback behavior (Priority 3 - configuredProvider) > should use configuredProvider when oauthProvider not specified
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "google" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle ambiguous scopes (multiple providers inferred)
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Provider name case sensitivity > should handle provider names case-insensitively in inference
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 [ProviderResolver] Inferred provider "github" from scopes
-stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should use configuredProvider when tool has no oauthProvider
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Multiple scopes with same provider > should handle multiple scopes from same provider
-[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
 [ProviderResolver] Inferred provider "github" from scopes
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle unknown scope prefixes
 stdout | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should prefer scope-inferred provider over configuredProvider
 [ProviderResolver] Inferred provider "google" from scopes
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Phase 1 tools (no oauthProvider) > should work with Phase 1 tools that don't specify oauthProvider
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'phase1_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.870Z'
-}
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools array)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'old_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.881Z'
-}
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > Old API endpoint format > should still support old endpoint format (tools object)
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'old_tool' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'none',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.882Z'
-}
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Backward Compatibility > snake_case field names > should still support snake_case field names
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool_with_snake_case' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.882Z'
-}
-stdout | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > Mixed Phase 1 and Phase 2 tools > should handle mix of Phase 1 and Phase 2 tools in same project
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 2,
-  protectedTools: [ 'phase1_tool', 'phase2_tool' ],
-stderr | src/__tests__/regression/phase2-regression.test.ts > Phase 2 Regression Tests > No Regressions > Phase 1 OAuth flow > should still work with Phase 1 OAuth flow (no oauthProvider)
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:45.885Z'
-}
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from github scope prefix
+[ProviderResolver] Inferred provider "github" from scopes
 [ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z-fcn5k3v2ZvYK9dlIxU8n4lMqIWAYMTh","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405871,"timestampFormatted":"2025-11-26T15:36:45.871Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Full handshake and tool execution flow > should complete full authentication and tool execution cycle
-[AUDIT] {"event":"tool_executed","data":{"tool":"greetingTool","sessionId":"70fae80e7f85d8d7c07f785a68990d26","timestamp":1764171405871},"timestamp":1764171405871,"timestampFormatted":"2025-11-26T15:36:45.871Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Session expiry handling > should handle expired sessions correctly
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zT_7RaA0bLnzRdBKcRy8wSQhZQWOqdu6M","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zTh6D4u2wJj_Y3a4AyHIqU89X7UCKWfoF","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Key rotation flow > should handle key rotation and maintain functionality
-[AUDIT] {"event":"keys_rotated","data":{"oldDid":"did:key:zTh6D4u2wJj_Y3a4AyHIqU89X7UCKWfoF","newDid":"did:key:zmjuGQxXVJTkNFmfA7biSllCtFAK3U22B","timestamp":1764171405883},"timestamp":1764171405883,"timestampFormatted":"2025-11-26T15:36:45.883Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Well-known endpoints > should provide identity discovery endpoints
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zt1EwInIPdYDy3nYd-H-vnDVXRVC8Ngnz","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405887,"timestampFormatted":"2025-11-26T15:36:45.887Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Nonce replay protection > should prevent nonce reuse
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zd-MgrCaVXirdlYFY4OUm5ClzQZAdOchd","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle network errors gracefully
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zmtiafOUYJHiKNWjqtCy4IRCk3iieeEpb","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Error handling > should handle malformed DID documents
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zmglnfmMGPMSRQ2b7Vr0t-PoMXPG0Ltbg","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405888,"timestampFormatted":"2025-11-26T15:36:45.888Z"}
-stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should provide debug information in development
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:zs1TeqYecLeqs89TtiOTV2kVTDeu1wdzZ","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405889,"timestampFormatted":"2025-11-26T15:36:45.889Z"}
- ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (25 tests | 1 skipped) 12ms
- ✓ src/delegation/__tests__/delegation-graph.test.ts (28 tests) 6ms
- ✓ src/__tests__/runtime/base-extensions.test.ts (38 tests) 14ms
-stdout | src/__tests__/integration.test.ts > Integration Tests > Debug endpoint > should be disabled in production
-[AUDIT] {"event":"runtime_initialized","data":{"did":"did:key:z-4za6CQd91VdYGlXbvvTWpL8r9av_GhE","environment":"development","userDidGeneration":"disabled"},"timestamp":1764171405889,"timestampFormatted":"2025-11-26T15:36:45.889Z"}
- ✓ src/__tests__/regression/phase2-regression.test.ts (12 tests) 17ms
- ✓ src/services/__tests__/provider-resolver.test.ts (8 tests) 6ms
- ✓ src/__tests__/integration.test.ts (9 tests) 19ms
- ✓ src/__tests__/providers/base.test.ts (14 tests) 6ms
- ✓ src/__tests__/runtime/proof-client-did.test.ts (17 tests) 7ms
-stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API request fails
-[RemoteConfig] API returned 404: Not Found
-stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if API throws error
-[RemoteConfig] Failed to fetch config: Error: Network error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:170:35
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should return null if neither projectId nor agentDid provided
-[RemoteConfig] Neither projectId nor agentDid provided
-stderr | src/config/__tests__/remote-config.spec.ts > fetchRemoteConfig > Error handling > should handle cache read errors gracefully
-[RemoteConfig] Cache read failed: Error: Cache error
-    at /Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/packages/mcp-i-core/src/config/__tests__/remote-config.spec.ts:198:50
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:157:11
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:753:26
-    at file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1636:20
-    at new Promise (<anonymous>)
-    at runWithTimeout (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1602:10)
-    at runTest (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1309:12)
-    at processTicksAndRejections (node:internal/process/task_queues:105:5)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
-    at runSuite (file:///Users/brian/Documents/Vouched/@sandbox/xmcp-i-S/node_modules/.pnpm/@vitest+runner@4.0.5/node_modules/@vitest/runner/dist/index.js:1468:8)
- ✓ src/config/__tests__/remote-config.spec.ts (9 tests) 7ms
- ✓ src/delegation/storage/__tests__/memory-graph-storage.test.ts (27 tests) 4ms
- ✓ src/__tests__/runtime/delegation-flow.test.ts (4 tests) 11ms
- ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 5ms
- ✓ src/delegation/__tests__/utils.test.ts (28 tests) 7ms
- ✓ src/services/__tests__/oauth-provider-registry.test.ts (9 tests) 3ms
- ✓ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts (14 tests) 3ms
- ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 4ms
- ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 4ms
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
-[ToolProtectionService] clearAndRefresh starting {
-  cacheKey: 'config:tool-protections:test-project-123',
-  projectId: 'test-project-123',
-  agentDid: 'did:key:test-agent...'
-}
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
-[ToolProtectionService] Cache entry deleted { cacheKey: 'config:tool-protections:test-project-123' }
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > clearAndRefresh should call fetchFromApi with bypassCDNCache: true
-[ToolProtectionService] Fresh config fetched and cached {
-  cacheKey: 'config:tool-protections:test-project-123',
-  toolCount: 1,
-  protectedTools: [ 'greet' ],
-  source: 'api'
-}
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add cache-busting query param when bypassCDNCache is true
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections?_t=1764171406153 {
-  method: 'projects/{projectId}/tool-protections (new)',
-  projectId: 'test-project-123',
-  apiKeyPresent: true,
-  apiKeyLength: 12,
-  apiKeyMasked: 'test-api...'
-}
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle scopes without colons
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should add Cache-Control headers when bypassCDNCache is true
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections?_t=1764171406153 {
-  method: 'projects/{projectId}/tool-protections (new)',
-  projectId: 'test-project-123',
-  apiKeyPresent: true,
-  apiKeyLength: 12,
-  apiKeyMasked: 'test-api...'
-}
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Scope inference edge cases (Priority 2) > should handle inferred provider not in registry
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "google" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > fetchFromApi should NOT add cache-busting when bypassCDNCache is false/undefined
-[ToolProtectionService] Fetching from API: https://test.agentshield.com/api/v1/bouncer/projects/test-project-123/tool-protections {
-  method: 'projects/{projectId}/tool-protections (new)',
-  projectId: 'test-project-123',
-  apiKeyPresent: true,
-  apiKeyLength: 12,
-  apiKeyMasked: 'test-api...'
-}
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > Fallback behavior (Priority 3 - configuredProvider) > should use configuredProvider when oauthProvider not specified
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "google" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
-[ToolProtectionService] clearAndRefresh starting {
-  cacheKey: 'config:tool-protections:test-project-123',
-  projectId: 'test-project-123',
-  agentDid: 'did:key:test-agent...'
-}
+stderr | src/__tests__/services/provider-resolver-edge-cases.test.ts > ProviderResolver - Edge Cases > configuredProvider behavior (Priority 3) > should use configuredProvider when tool has no oauthProvider
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
-[ToolProtectionService] Cache entry deleted { cacheKey: 'config:tool-protections:test-project-123' }
+stdout | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should infer provider from gmail scope prefix (maps to google)
+[ProviderResolver] Inferred provider "google" from scopes
-stdout | src/__tests__/services/cache-busting.test.ts > Cache Busting in clearAndRefresh > cache should be empty after clearAndRefresh deletes it
-[ToolProtectionService] Fresh config fetched and cached {
-  cacheKey: 'config:tool-protections:test-project-123',
-  toolCount: 0,
-  protectedTools: [],
-  source: 'api'
-}
+ ✓ src/__tests__/services/provider-resolver-edge-cases.test.ts (25 tests | 1 skipped) 29ms
+stderr | src/services/__tests__/provider-resolver.test.ts > ProviderResolver > resolveProvider - Priority 2: Scope inference > should fall back to configuredProvider for ambiguous scopes
+[ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
+ ✓ src/services/__tests__/provider-resolver.test.ts (8 tests) 48ms
 stderr | src/services/__tests__/provider-resolution.integration.test.ts > Provider Resolution Integration > Backward compatibility > should work with Phase 1 tools (no oauthProvider field)
 [ProviderResolver] Tool does not specify oauthProvider. Using project-configured provider "github" as fallback. Consider explicitly setting oauthProvider in tool protection config.
- ✓ src/__tests__/services/cache-busting.test.ts (5 tests) 5ms
- ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 4ms
- ✓ src/utils/__tests__/did-helpers.test.ts (11 tests) 3ms
- ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 1ms
- ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 4ms
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Caching Integration > should respect cache TTL
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 0,
-  protectedTools: [],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 1000,
-  cacheExpiresAt: '2025-11-26T15:36:47.421Z'
-}
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle typical e-commerce tool protection config
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 4,
-  protectedTools: [ 'add_to_cart', 'checkout' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.421Z'
-}
-stderr | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle API rate limiting gracefully
-[ToolProtectionService] API fetch failed, using fallback config {
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  error: 'Failed to fetch bouncer config: 429 Too Many Requests - Rate limit exceeded'
-}
-stdout | src/__tests__/services/agentshield-integration.test.ts > AgentShield Integration > Real-world Scenarios > should handle concurrent requests
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
-[ToolProtectionService] Config loaded from API {
-  source: 'api',
-  toolCount: 1,
-  protectedTools: [ 'tool1' ],
-  agentDid: 'did:key:z6MkhaXgBZDv...',
-  projectId: 'test-project-123',
-  cacheTtlMs: 300000,
-  cacheExpiresAt: '2025-11-26T15:41:46.422Z'
-}
- ✓ src/__tests__/services/agentshield-integration.test.ts (30 tests) 1113ms
-       ✓ should respect cache TTL  1102ms
+ ✓ src/services/__tests__/provider-resolution.integration.test.ts (6 tests) 3ms
+ ✓ src/delegation/__tests__/did-key-resolver.test.ts (28 tests) 8ms
+ ✓ src/delegation/__tests__/vc-issuer.test.ts (21 tests) 8ms
+ ✓ src/compliance/__tests__/schema-verifier.test.ts (30 tests) 8ms
+ ✓ src/config/__tests__/merged-config.spec.ts (6 tests) 44ms
+ ✓ src/services/__tests__/batch-delegation.service.test.ts (11 tests) 80ms
+ ✓ src/delegation/__tests__/audience-validator.test.ts (5 tests) 2ms
+ ✓ src/delegation/storage/__tests__/memory-statuslist-storage.test.ts (14 tests) 3ms
+ ✓ src/delegation/__tests__/utils.test.ts (28 tests) 6ms
+ ✓ src/__tests__/runtime/audit-logger.test.ts (9 tests) 3ms
+ ✓ src/utils/__tests__/did-helpers.test.ts (16 tests) 7ms
+ ✓ src/delegation/__tests__/bitstring.test.ts (30 tests) 6ms
+ ✓ src/__tests__/config/provider-runtime-config.test.ts (9 tests) 2ms
  ↓ src/__tests__/delegation-e2e.test.ts (14 tests | 14 skipped)
- ✓ src/__tests__/index.test.ts (4 tests) 2ms
+ ✓ src/__tests__/index.test.ts (4 tests) 3ms
- Test Files  45 passed | 1 skipped (46)
-      Tests  905 passed | 16 skipped (921)
-   Start at  10:36:44
-   Duration  1.70s (transform 5.57s, setup 0ms, collect 8.85s, tests 2.79s, environment 4ms, prepare 1.19s)
+ Test Files  48 passed | 1 skipped (49)
+      Tests  955 passed | 16 skipped (971)
+   Start at  19:15:13
+   Duration  5.16s (transform 8.92s, setup 0ms, import 17.14s, tests 3.08s, environment 3ms)