npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/__tests__/runtime/base-extensions.test.ts DELETED Viewed

@@ -1,595 +0,0 @@
-/**
- * Base Extensions Tests
- *
- * Tests for extension methods, edge cases, and additional functionality
- * not covered in base.test.ts.
- */
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { MCPIRuntimeBase } from '../../runtime/base';
-import { ProviderRuntimeConfig } from '../../config';
-import { createMockProviders, MockClockProvider, MockFetchProvider, MockIdentityProvider } from '../utils/mock-providers';
-import { UserDidManager } from '../../identity/user-did-manager';
-describe('MCPIRuntimeBase - Base Extensions', () => {
-  let runtime: MCPIRuntimeBase;
-  let config: ProviderRuntimeConfig;
-  let mockProviders: ReturnType<typeof createMockProviders>;
-  beforeEach(async () => {
-    vi.clearAllMocks();
-    mockProviders = createMockProviders();
-    config = {
-      ...mockProviders,
-      environment: 'development',
-      session: {
-        timestampSkewSeconds: 120,
-        ttlMinutes: 30
-      },
-      audit: {
-        enabled: false
-      }
-    };
-    runtime = new MCPIRuntimeBase(config);
-  });
-  describe('initialize with user DID generation', () => {
-    it('should initialize UserDidManager when generateUserDids enabled', async () => {
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development',
-          userDidStorage: 'ephemeral'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      const userDidManager = (runtimeWithUserDid as any).userDidManager;
-      expect(userDidManager).toBeInstanceOf(UserDidManager);
-    });
-    it('should not initialize UserDidManager when generateUserDids disabled', async () => {
-      const configWithoutUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: false,
-          environment: 'development'
-        }
-      };
-      const runtimeWithoutUserDid = new MCPIRuntimeBase(configWithoutUserDid);
-      await runtimeWithoutUserDid.initialize();
-      const userDidManager = (runtimeWithoutUserDid as any).userDidManager;
-      expect(userDidManager).toBeUndefined();
-    });
-    it('should initialize UserDidManager with persistent storage when configured', async () => {
-      const configWithPersistent = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development',
-          userDidStorage: 'persistent'
-        }
-      };
-      const runtimeWithPersistent = new MCPIRuntimeBase(configWithPersistent);
-      await runtimeWithPersistent.initialize();
-      const userDidManager = (runtimeWithPersistent as any).userDidManager;
-      expect(userDidManager).toBeInstanceOf(UserDidManager);
-    });
-    it('should handle UserDidManager initialization errors gracefully', async () => {
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      // Mock storage.set to throw error
-      const originalSet = mockProviders.storageProvider.set;
-      mockProviders.storageProvider.set = vi.fn().mockRejectedValue(new Error('Storage error'));
-      // Should not throw
-      await expect(runtimeWithUserDid.initialize()).resolves.not.toThrow();
-      // Restore original
-      mockProviders.storageProvider.set = originalSet;
-    });
-  });
-  describe('handleHandshake with user DID generation', () => {
-    it('should start session as anonymous (Phase 5)', async () => {
-      // Phase 5: Sessions start anonymous - userDid is only set after OAuth
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      const response = await runtimeWithUserDid.handleHandshake({
-        audience: 'https://client.example.com'
-      });
-      // Phase 5: userDid is undefined in response - session is anonymous
-      expect(response.userDid).toBeUndefined();
-      // Check session's identityState
-      const session = await runtimeWithUserDid.getCurrentSession();
-      expect(session.identityState).toBe('anonymous');
-    });
-    it('should use provided clientDid with anonymous session (Phase 5)', async () => {
-      // Phase 5: clientDid can be set while session stays anonymous (no userDid)
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      const response = await runtimeWithUserDid.handleHandshake({
-        clientDid: 'did:key:zprovided123',
-        audience: 'https://client.example.com'
-      });
-      const session = await runtimeWithUserDid.getCurrentSession();
-      expect(session.clientDid).toBe('did:key:zprovided123');
-      // Phase 5: userDid is undefined - session is anonymous until OAuth
-      expect(session.userDid).toBeUndefined();
-      expect(session.identityState).toBe('anonymous');
-    });
-    it('should handle user DID generation errors gracefully', async () => {
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      // Phase 5: getOrCreateUserDid now returns null instead of generating ephemeral DIDs
-      // Sessions start anonymous - no userDid at handshake
-      const userDidManager = (runtimeWithUserDid as any).userDidManager;
-      const originalGetOrCreate = userDidManager.getOrCreateUserDid;
-      userDidManager.getOrCreateUserDid = vi.fn().mockResolvedValue(null);
-      const response = await runtimeWithUserDid.handleHandshake({
-        audience: 'https://client.example.com'
-      });
-      // Should succeed with anonymous session (no userDid)
-      expect(response.sessionId).toBeDefined();
-      // Phase 5: Session should be anonymous without userDid
-      const session = await runtimeWithUserDid.getCurrentSession();
-      expect(session.userDid).toBeUndefined();
-      expect(session.identityState).toBe('anonymous');
-      userDidManager.getOrCreateUserDid = originalGetOrCreate;
-    });
-  });
-  describe('createWellKnownHandler edge cases', () => {
-    let handler: any;
-    beforeEach(async () => {
-      await runtime.initialize();
-      handler = runtime.createWellKnownHandler({
-        serviceName: 'Test Service',
-        serviceEndpoint: 'https://test.example.com'
-      });
-    });
-    it('should handle /.well-known/agent.json with all fields', async () => {
-      const response = await handler('/.well-known/agent.json');
-      expect(response.status).toBe(200);
-      expect(response.headers['Content-Type']).toBe('application/json');
-      const result = JSON.parse(response.body);
-      expect(result.id).toBe('did:key:zmock123');
-      expect(result.capabilities).toEqual({
-        'mcp-i': ['handshake', 'signing', 'verification']
-      });
-      expect(result.metadata.name).toBe('Test Service');
-      expect(result.metadata.serviceEndpoint).toBe('https://test.example.com');
-    });
-    it('should handle /.well-known/agent.json with partial config', async () => {
-      const partialHandler = runtime.createWellKnownHandler({
-        serviceName: 'Partial Service'
-      });
-      const response = await partialHandler('/.well-known/agent.json');
-      const result = JSON.parse(response.body);
-      expect(result.metadata.name).toBe('Partial Service');
-      // serviceEndpoint may not be included if not provided in config
-      if (result.metadata.serviceEndpoint) {
-        expect(result.metadata.serviceEndpoint).toBe('https://example.com');
-      }
-    });
-    it('should set cache headers based on environment', async () => {
-      const prodConfig = {
-        ...config,
-        environment: 'production'
-      };
-      const prodRuntime = new MCPIRuntimeBase(prodConfig);
-      await prodRuntime.initialize();
-      const prodHandler = prodRuntime.createWellKnownHandler();
-      const response = await prodHandler('/.well-known/did.json');
-      expect(response.headers['Cache-Control']).toBe('public, max-age=300');
-    });
-    it('should set no-store cache headers in development', async () => {
-      const response = await handler('/.well-known/did.json');
-      expect(response.headers['Cache-Control']).toBe('no-store');
-    });
-    it('should handle unknown paths gracefully', async () => {
-      const result = await handler('/.well-known/unknown');
-      expect(result).toBeNull();
-    });
-    it('should handle empty path', async () => {
-      const result = await handler('');
-      expect(result).toBeNull();
-    });
-  });
-  describe('createDebugEndpoint edge cases', () => {
-    it('should return null in production environment', () => {
-      const prodConfig = {
-        ...config,
-        environment: 'production'
-      };
-      const prodRuntime = new MCPIRuntimeBase(prodConfig);
-      const endpoint = prodRuntime.createDebugEndpoint();
-      expect(endpoint).toBeNull();
-    });
-    it('should include all config values in debug output', async () => {
-      const customConfig = {
-        ...config,
-        environment: 'development',
-        session: {
-          timestampSkewSeconds: 60,
-          ttlMinutes: 60
-        }
-      };
-      const customRuntime = new MCPIRuntimeBase(customConfig);
-      await customRuntime.initialize();
-      const endpoint = customRuntime.createDebugEndpoint();
-      const result = await endpoint!();
-      expect(result.config.timestampSkewSeconds).toBe(60);
-      expect(result.config.sessionTtlMinutes).toBe(60);
-      expect(result.config.environment).toBe('development');
-    });
-    it('should handle missing session gracefully', async () => {
-      await runtime.initialize();
-      const endpoint = runtime.createDebugEndpoint();
-      const result = await endpoint!();
-      expect(result.session).toBeNull();
-    });
-  });
-  describe('getAuditLogger', () => {
-    it('should return logger with log method', () => {
-      const logger = runtime.getAuditLogger();
-      expect(logger).toBeDefined();
-      expect(typeof logger.log).toBe('function');
-    });
-    it('should log through runtime audit system', async () => {
-      const auditConfig = {
-        ...config,
-        audit: {
-          enabled: true,
-          logFunction: vi.fn(),
-          includePayloads: true
-        }
-      };
-      const auditRuntime = new MCPIRuntimeBase(auditConfig);
-      await auditRuntime.initialize();
-      const logger = auditRuntime.getAuditLogger();
-      logger.log('test_event', { test: 'data' });
-      expect(auditConfig.audit!.logFunction).toHaveBeenCalledWith(
-        expect.stringContaining('test_event')
-      );
-    });
-    it('should handle audit disabled', () => {
-      const noAuditConfig = {
-        ...config,
-        audit: {
-          enabled: false
-        }
-      };
-      const noAuditRuntime = new MCPIRuntimeBase(noAuditConfig);
-      const logger = noAuditRuntime.getAuditLogger();
-      // Should not throw
-      logger.log('test_event', { test: 'data' });
-    });
-  });
-  describe('rotateKeys', () => {
-    beforeEach(async () => {
-      await runtime.initialize();
-    });
-    it('should update cached identity after rotation', async () => {
-      const oldIdentity = await runtime.getIdentity();
-      const newIdentity = await runtime.rotateKeys();
-      const currentIdentity = await runtime.getIdentity();
-      expect(currentIdentity.did).toBe(newIdentity.did);
-      expect(currentIdentity.did).not.toBe(oldIdentity.did);
-    });
-    it('should handle rotation errors gracefully', async () => {
-      const identityProvider = mockProviders.identityProvider as MockIdentityProvider;
-      const originalRotate = identityProvider.rotateKeys;
-      identityProvider.rotateKeys = vi.fn().mockRejectedValue(new Error('Rotation failed'));
-      await expect(runtime.rotateKeys()).rejects.toThrow('Rotation failed');
-      identityProvider.rotateKeys = originalRotate;
-    });
-  });
-  describe('helper methods', () => {
-    beforeEach(async () => {
-      await runtime.initialize();
-    });
-    describe('extractPublicKey', () => {
-      it('should extract publicKeyBase64 from DID document', () => {
-        const didDoc = {
-          verificationMethod: [{
-            publicKeyBase64: 'test-key-base64'
-          }]
-        };
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        const publicKey = extractPublicKey(didDoc);
-        expect(publicKey).toBe('test-key-base64');
-      });
-      it('should extract publicKeyMultibase from DID document', () => {
-        const didDoc = {
-          verificationMethod: [{
-            publicKeyMultibase: 'zmultibase-key'
-          }]
-        };
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        const publicKey = extractPublicKey(didDoc);
-        expect(publicKey).toBe('zmultibase-key');
-      });
-      it('should prioritize publicKeyBase64 over publicKeyMultibase', () => {
-        const didDoc = {
-          verificationMethod: [{
-            publicKeyBase64: 'base64-key',
-            publicKeyMultibase: 'multibase-key'
-          }]
-        };
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        const publicKey = extractPublicKey(didDoc);
-        expect(publicKey).toBe('base64-key');
-      });
-      it('should throw if no public key found', () => {
-        const didDoc = {
-          verificationMethod: [{}]
-        };
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        expect(() => extractPublicKey(didDoc)).toThrow('Public key not found');
-      });
-      it('should throw if verificationMethod is empty', () => {
-        const didDoc = {
-          verificationMethod: []
-        };
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        expect(() => extractPublicKey(didDoc)).toThrow('Public key not found');
-      });
-      it('should throw if verificationMethod is missing', () => {
-        const didDoc = {};
-        const extractPublicKey = (runtime as any).extractPublicKey.bind(runtime);
-        expect(() => extractPublicKey(didDoc)).toThrow('Public key not found');
-      });
-    });
-    describe('bytesToBase64', () => {
-      it('should convert Uint8Array to base64', () => {
-        const bytes = new Uint8Array([1, 2, 3, 4, 5]);
-        const bytesToBase64 = (runtime as any).bytesToBase64.bind(runtime);
-        const base64 = bytesToBase64(bytes);
-        expect(base64).toBeDefined();
-        expect(typeof base64).toBe('string');
-      });
-    });
-    describe('base64ToBytes', () => {
-      it('should convert base64 to Uint8Array', () => {
-        const base64 = Buffer.from([1, 2, 3, 4, 5]).toString('base64');
-        const base64ToBytes = (runtime as any).base64ToBytes.bind(runtime);
-        const bytes = base64ToBytes(base64);
-        expect(bytes).toBeInstanceOf(Uint8Array);
-        expect(bytes.length).toBe(5);
-      });
-    });
-    describe('bytesToHex', () => {
-      it('should convert Uint8Array to hex string', () => {
-        const bytes = new Uint8Array([1, 2, 3, 4, 5]);
-        const bytesToHex = (runtime as any).bytesToHex.bind(runtime);
-        const hex = bytesToHex(bytes);
-        expect(hex).toBeDefined();
-        expect(typeof hex).toBe('string');
-        expect(hex.length).toBe(10); // 5 bytes * 2 hex chars
-      });
-    });
-  });
-  describe('session management edge cases', () => {
-    beforeEach(async () => {
-      await runtime.initialize();
-    });
-    it('should handle multiple sessions', async () => {
-      const handshake1 = await runtime.handleHandshake({
-        clientDid: 'did:key:zclient1',
-        audience: 'https://client1.example.com'
-      });
-      const handshake2 = await runtime.handleHandshake({
-        clientDid: 'did:key:zclient2',
-        audience: 'https://client2.example.com'
-      });
-      const session = await runtime.getCurrentSession();
-      // Should return a non-expired session (could be either)
-      expect(session).toBeDefined();
-      expect([handshake1.sessionId, handshake2.sessionId]).toContain(session.id);
-    });
-    it('should filter out expired sessions', async () => {
-      const clock = mockProviders.clockProvider as MockClockProvider;
-      const currentTime = Date.now();
-      clock.setTime(currentTime);
-      const handshake1 = await runtime.handleHandshake({
-        clientDid: 'did:key:zclient1',
-        audience: 'https://client1.example.com'
-      });
-      // Advance time past expiry
-      clock.setTime(currentTime + (31 * 60 * 1000));
-      const handshake2 = await runtime.handleHandshake({
-        clientDid: 'did:key:zclient2',
-        audience: 'https://client2.example.com'
-      });
-      const session = await runtime.getCurrentSession();
-      expect(session.id).toBe(handshake2.sessionId);
-    });
-    it('should handle empty sessions map', async () => {
-      const session = await runtime.getCurrentSession();
-      expect(session).toBeNull();
-    });
-  });
-  describe('nonce cache integration', () => {
-    beforeEach(async () => {
-      await runtime.initialize();
-    });
-    it('should cache nonce with proper expiry', async () => {
-      const clock = mockProviders.clockProvider as MockClockProvider;
-      const currentTime = Date.now();
-      clock.setTime(currentTime);
-      const nonce = await runtime.issueNonce('session123');
-      const nonceCache = mockProviders.nonceCacheProvider as any;
-      const identity = await runtime.getIdentity();
-      expect(await nonceCache.has(nonce, identity.did)).toBe(true);
-      // Advance time past expiry
-      clock.setTime(currentTime + (5 * 60 * 1000) + 1);
-      expect(await nonceCache.has(nonce, identity.did)).toBe(false);
-    });
-    it('should use session nonce if provided', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'pre-generated-nonce'
-      };
-      const proof = await runtime.createProof({ test: 'data' }, session);
-      expect(proof.nonce).toBe('pre-generated-nonce');
-    });
-  });
-  describe('error handling', () => {
-    it('should handle identity provider errors gracefully', async () => {
-      const identityProvider = mockProviders.identityProvider as MockIdentityProvider;
-      const originalGetIdentity = identityProvider.getIdentity;
-      identityProvider.getIdentity = vi.fn().mockRejectedValue(new Error('Identity error'));
-      await expect(runtime.getIdentity()).rejects.toThrow('Identity error');
-      identityProvider.getIdentity = originalGetIdentity;
-    });
-    it('should handle crypto provider errors gracefully', async () => {
-      const originalSign = mockProviders.cryptoProvider.sign;
-      mockProviders.cryptoProvider.sign = vi.fn().mockRejectedValue(new Error('Crypto error'));
-      await expect(
-        runtime.createProof({ test: 'data' })
-      ).rejects.toThrow('Crypto error');
-      mockProviders.cryptoProvider.sign = originalSign;
-    });
-    it('should handle fetch provider errors in verifyProof', async () => {
-      await runtime.initialize();
-      const fetchProvider = mockProviders.fetchProvider as MockFetchProvider;
-      const originalResolveDID = fetchProvider.resolveDID;
-      fetchProvider.resolveDID = vi.fn().mockRejectedValue(new Error('DID resolution failed'));
-      const proof = await runtime.createProof({ test: 'data' });
-      const isValid = await runtime.verifyProof({ test: 'data' }, proof);
-      expect(isValid).toBe(false); // Should return false on error
-      fetchProvider.resolveDID = originalResolveDID;
-    });
-  });
-});