npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/config/remote-config.ts DELETED Viewed

@@ -1,264 +0,0 @@
-/**
- * Remote Configuration Fetching
- *
- * Service for fetching configuration from remote APIs (AgentShield dashboard)
- * with caching support for performance optimization.
- *
- * @module @kya-os/mcp-i-core/config/remote-config
- */
-import type { MCPIConfig } from '@kya-os/contracts/config';
-import type { MergedMCPIServerConfig } from '@kya-os/contracts/dashboard-config';
-import type { ToolProtection, ToolProtectionMap } from '@kya-os/contracts/tool-protection';
-import { AGENTSHIELD_ENDPOINTS } from '@kya-os/contracts/agentshield-api';
-/**
- * Options for fetching remote configuration
- */
-export interface RemoteConfigOptions {
-  /**
-   * API base URL
-   * @example 'https://kya.vouched.id'
-   */
-  apiUrl: string;
-  /**
-   * API key for authentication
-   */
-  apiKey: string;
-  /**
-   * Project ID (optional, preferred over agentDid)
-   * Used for project-scoped configuration
-   */
-  projectId?: string;
-  /**
-   * Agent DID (optional, used when projectId not available)
-   * Used for agent-scoped configuration
-   */
-  agentDid?: string;
-  /**
-   * Cache TTL in milliseconds
-   * @default 300000 (5 minutes)
-   */
-  cacheTtl?: number;
-  /**
-   * Fetch provider function
-   * Platform-agnostic fetch implementation
-   */
-  fetchProvider: (url: string, options: RequestInit) => Promise<Response>;
-}
-/**
- * Cache interface for remote configuration
- * Abstracts platform-specific caching (KV, Redis, Memory, etc.)
- */
-export interface RemoteConfigCache {
-  /**
-   * Get a cached value
-   */
-  get(key: string): Promise<string | null>;
-  /**
-   * Set a cached value with TTL
-   */
-  set(key: string, value: string, ttl: number): Promise<void>;
-}
-/**
- * Fetch configuration from remote API (AgentShield dashboard)
- *
- * Attempts to fetch configuration from the AgentShield API with caching support.
- * Falls back gracefully if remote fetch fails.
- *
- * @param options - Remote config options
- * @param cache - Optional cache implementation
- * @returns Configuration object or null if fetch fails
- */
-export async function fetchRemoteConfig(
-  options: RemoteConfigOptions,
-  cache?: RemoteConfigCache
-): Promise<MCPIConfig | null> {
-  const { apiUrl, apiKey, projectId, agentDid, cacheTtl = 300000, fetchProvider } = options;
-  // Generate cache key
-  const cacheKey = projectId
-    ? `config:project:${projectId}`
-    : agentDid
-    ? `config:agent:${agentDid}`
-    : null;
-  // Try cache first
-  if (cache && cacheKey) {
-    try {
-      const cached = await cache.get(cacheKey);
-      if (cached) {
-        try {
-          const parsed = JSON.parse(cached) as { config: MCPIConfig; expiresAt: number };
-          if (parsed.expiresAt > Date.now()) {
-            return parsed.config;
-          }
-        } catch {
-          // Invalid cache entry, continue to fetch
-        }
-      }
-    } catch (error) {
-      // Cache read failed, continue to fetch
-      console.warn('[RemoteConfig] Cache read failed:', error);
-    }
-  }
-  // Fetch from API
-  try {
-    // Build API URL
-    let url: string;
-    if (projectId) {
-      // Use project-scoped endpoint (preferred)
-      url = `${apiUrl}${AGENTSHIELD_ENDPOINTS.CONFIG(projectId)}`;
-    } else if (agentDid) {
-      // Use agent-scoped endpoint
-      url = `${apiUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
-    } else {
-      console.warn('[RemoteConfig] Neither projectId nor agentDid provided');
-      return null;
-    }
-    const response = await fetchProvider(url, {
-      headers: {
-        'Authorization': `Bearer ${apiKey}`,
-        'Content-Type': 'application/json'
-      }
-    });
-    if (!response.ok) {
-      console.warn(`[RemoteConfig] API returned ${response.status}: ${response.statusText}`);
-      return null;
-    }
-    const data = await response.json();
-    // Extract config from API response
-    // API response format: { success: boolean, data: { config: MCPIConfig } }
-    const responseData = data as { config?: MCPIConfig; data?: { config?: MCPIConfig }; success?: boolean };
-    const config = responseData.config || responseData.data?.config || (responseData.success ? responseData.data as MCPIConfig | null : null) as MCPIConfig | null;
-    if (!config) {
-      console.warn('[RemoteConfig] No config found in API response');
-      return null;
-    }
-    // Cache the result
-    if (cache && cacheKey) {
-      try {
-        await cache.set(
-          cacheKey,
-          JSON.stringify({
-            config,
-            expiresAt: Date.now() + cacheTtl
-          }),
-          cacheTtl
-        );
-      } catch (error) {
-        // Cache write failed, but we got the config so continue
-        console.warn('[RemoteConfig] Cache write failed:', error);
-      }
-    }
-    return config as MCPIConfig;
-  } catch (error) {
-    console.warn('[RemoteConfig] Failed to fetch config:', error);
-    return null;
-  }
-}
-/**
- * Get tool protection for a specific tool from a merged config
- *
- * This helper function extracts tool protection from a merged config response.
- * It handles both the new format (toolProtection.tools) and returns null
- * for unprotected or unknown tools.
- *
- * @param config - Merged config object (must have toolProtection.tools)
- * @param toolName - Name of the tool to look up
- * @returns Tool protection or null if tool not protected or not found
- *
- * @since 1.6.0
- */
-export function getToolProtection(
-  config: { toolProtection?: { tools?: ToolProtectionMap } },
-  toolName: string
-): ToolProtection | null {
-  const tools = config?.toolProtection?.tools;
-  if (!tools) {
-    return null;
-  }
-  // Check for specific tool protection first
-  let protection = tools[toolName];
-  // Fall back to wildcard protection if specific tool not found
-  if (!protection && tools['*']) {
-    protection = tools['*'];
-  }
-  // Return null for unprotected tools (requiresDelegation: false) or unknown tools
-  if (!protection || !protection.requiresDelegation) {
-    return null;
-  }
-  return protection;
-}
-/**
- * Extract tool protections map from merged config
- *
- * This helper function extracts the tool protections map from a merged config.
- * Returns an empty object if no tools are found.
- *
- * @param config - Config object that may contain toolProtection.tools
- * @returns Tool protection map or empty object
- *
- * @since 1.6.0
- */
-export function extractToolProtections(
-  config: { toolProtection?: { tools?: ToolProtectionMap } } | null | undefined
-): ToolProtectionMap {
-  if (!config?.toolProtection?.tools) {
-    return {};
-  }
-  return config.toolProtection.tools;
-}
-/**
- * Check if config has embedded tool protections
- *
- * Utility to check if a config response is in the new merged format
- * with embedded tool protections.
- *
- * @param config - Config object to check
- * @returns True if config has embedded tools, false otherwise
- *
- * @since 1.6.0
- */
-export function hasMergedToolProtections(
-  config: unknown
-): config is { toolProtection: { tools: ToolProtectionMap } } {
-  if (!config || typeof config !== 'object') {
-    return false;
-  }
-  const c = config as { toolProtection?: { tools?: unknown } };
-  return (
-    c.toolProtection !== undefined &&
-    typeof c.toolProtection === 'object' &&
-    c.toolProtection !== null &&
-    'tools' in c.toolProtection &&
-    typeof c.toolProtection.tools === 'object' &&
-    c.toolProtection.tools !== null // typeof null === 'object' in JS
-  );
-}

package/src/config.ts DELETED Viewed

@@ -1,312 +0,0 @@
-/**
- * Provider-based Runtime Configuration
- *
- * Core configuration for MCP-I runtime using the provider pattern.
- * This is the foundation for all platform-specific implementations.
- *
- * @module @kya-os/mcp-i-core/config
- */
-import type {
-  MCPIBaseConfig,
-  RuntimeIdentityConfig,
-  ProofingConfig,
-  DelegationConfig,
-  ToolProtectionSourceConfig
-} from '@kya-os/contracts/config';
-import type {
-  CryptoProvider,
-  ClockProvider,
-  FetchProvider,
-  StorageProvider,
-  NonceCacheProvider,
-  IdentityProvider
-} from './providers/base';
-import type { ToolProtectionService } from './services/tool-protection.service';
-/**
- * Provider-based runtime configuration
- *
- * This configuration is used internally by MCPIRuntimeBase and provides
- * the foundation for all platform-specific implementations. It uses the
- * provider pattern for platform abstraction, allowing different implementations
- * for Node.js, Cloudflare Workers, and other environments.
- */
-export interface ProviderRuntimeConfig extends MCPIBaseConfig {
-  /**
-   * Cryptographic operations provider
-   * Handles signing, verification, and key generation
-   */
-  cryptoProvider: CryptoProvider;
-  /**
-   * Time operations provider
-   * Provides current time and timestamp generation
-   */
-  clockProvider: ClockProvider;
-  /**
-   * HTTP fetch operations provider
-   * Handles external API calls
-   */
-  fetchProvider: FetchProvider;
-  /**
-   * Storage operations provider
-   * Handles persistent data storage
-   */
-  storageProvider: StorageProvider;
-  /**
-   * Nonce cache provider
-   * Handles replay prevention
-   */
-  nonceCacheProvider: NonceCacheProvider;
-  /**
-   * Identity management provider
-   * Handles agent identity and DID operations
-   */
-  identityProvider: IdentityProvider;
-  /**
-   * Session configuration
-   * Controls session handling and timeouts
-   */
-  session?: {
-    /**
-     * Allowed timestamp skew in seconds
-     * @default 120
-     */
-    timestampSkewSeconds?: number;
-    /**
-     * Session TTL in minutes
-     * @default 30
-     */
-    ttlMinutes?: number;
-  };
-  /**
-   * Identity configuration (optional)
-   * When provided, enables identity features
-   */
-  identity?: RuntimeIdentityConfig;
-  /**
-   * Proofing configuration (optional)
-   * When provided, enables proof generation
-   */
-  proofing?: ProofingConfig;
-  /**
-   * Delegation configuration (optional)
-   * When provided, enables delegation verification
-   */
-  delegation?: DelegationConfig;
-  /**
-   * Tool protection service (optional)
-   * When provided, enables runtime tool protection
-   * Note: This is different from tool registry which is compile-time
-   */
-  toolProtectionService?: ToolProtectionService;
-  /**
-   * Tool protection source configuration (optional)
-   * Alternative to toolProtectionService for configuration-based setup
-   */
-  toolProtection?: ToolProtectionSourceConfig;
-}
-/**
- * Builder for provider runtime configuration
- * Helps create valid configurations with proper defaults
- */
-export class ProviderRuntimeConfigBuilder {
-  private config: Partial<ProviderRuntimeConfig> = {
-    environment: 'development'
-  };
-  /**
-   * Set the providers (required)
-   */
-  withProviders(providers: {
-    cryptoProvider: CryptoProvider;
-    clockProvider: ClockProvider;
-    fetchProvider: FetchProvider;
-    storageProvider: StorageProvider;
-    nonceCacheProvider: NonceCacheProvider;
-    identityProvider: IdentityProvider;
-  }): this {
-    Object.assign(this.config, providers);
-    return this;
-  }
-  /**
-   * Set the environment
-   */
-  withEnvironment(env: 'development' | 'production'): this {
-    this.config.environment = env;
-    return this;
-  }
-  /**
-   * Configure session handling
-   */
-  withSession(session: {
-    timestampSkewSeconds?: number;
-    ttlMinutes?: number;
-  }): this {
-    this.config.session = session;
-    return this;
-  }
-  /**
-   * Enable identity features
-   */
-  withIdentity(identity: RuntimeIdentityConfig): this {
-    this.config.identity = identity;
-    return this;
-  }
-  /**
-   * Enable proofing features
-   */
-  withProofing(proofing: ProofingConfig): this {
-    this.config.proofing = proofing;
-    return this;
-  }
-  /**
-   * Enable delegation features
-   */
-  withDelegation(delegation: DelegationConfig): this {
-    this.config.delegation = delegation;
-    return this;
-  }
-  /**
-   * Set tool protection service
-   */
-  withToolProtectionService(service: ToolProtectionService): this {
-    this.config.toolProtectionService = service;
-    return this;
-  }
-  /**
-   * Set tool protection configuration
-   */
-  withToolProtection(config: ToolProtectionSourceConfig): this {
-    this.config.toolProtection = config;
-    return this;
-  }
-  /**
-   * Enable audit features
-   */
-  withAudit(audit: {
-    enabled: boolean;
-    includeProofHashes?: boolean;
-  }): this {
-    this.config.audit = audit;
-    return this;
-  }
-  /**
-   * Enable well-known endpoints
-   */
-  withWellKnown(wellKnown: {
-    enabled: boolean;
-    serviceName?: string;
-  }): this {
-    this.config.wellKnown = wellKnown;
-    return this;
-  }
-  /**
-   * Build the configuration
-   * Validates that all required providers are set
-   */
-  build(): ProviderRuntimeConfig {
-    const required = [
-      'cryptoProvider',
-      'clockProvider',
-      'fetchProvider',
-      'storageProvider',
-      'nonceCacheProvider',
-      'identityProvider'
-    ];
-    for (const field of required) {
-      if (!(field in this.config)) {
-        throw new Error(`Missing required provider: ${field}`);
-      }
-    }
-    // Apply defaults
-    return {
-      environment: 'development',
-      session: {
-        timestampSkewSeconds: 120,
-        ttlMinutes: 30
-      },
-      ...this.config
-    } as ProviderRuntimeConfig;
-  }
-}
-/**
- * Re-export base types for convenience
- */
-export type {
-  MCPIBaseConfig,
-  RuntimeIdentityConfig as BaseIdentityConfig,
-  ProofingConfig,
-  DelegationConfig,
-  ToolProtectionSourceConfig
-} from '@kya-os/contracts/config';
-/**
- * Re-export remote config utilities
- */
-export {
-  fetchRemoteConfig,
-  getToolProtection,
-  extractToolProtections,
-  hasMergedToolProtections,
-  type RemoteConfigOptions,
-  type RemoteConfigCache
-} from './config/remote-config';
-/**
- * Create a provider runtime configuration
- * Convenience function for creating configurations
- */
-export function createProviderRuntimeConfig(
-  providers: {
-    cryptoProvider: CryptoProvider;
-    clockProvider: ClockProvider;
-    fetchProvider: FetchProvider;
-    storageProvider: StorageProvider;
-    nonceCacheProvider: NonceCacheProvider;
-    identityProvider: IdentityProvider;
-  },
-  options?: Partial<Omit<ProviderRuntimeConfig, keyof typeof providers>>
-): ProviderRuntimeConfig {
-  return new ProviderRuntimeConfigBuilder()
-    .withProviders(providers)
-    .withEnvironment(options?.environment || 'development')
-    .withSession(options?.session || {})
-    .withIdentity(options?.identity || { enabled: false, environment: 'development' })
-    .withProofing(options?.proofing || { enabled: false })
-    .withDelegation(options?.delegation || {
-      enabled: false,
-      verifier: { type: 'memory' }
-    })
-    .withAudit(options?.audit || { enabled: false })
-    .withWellKnown(options?.wellKnown || { enabled: true })
-    .build();
-}

package/src/delegation/__tests__/audience-validator.test.ts DELETED Viewed

@@ -1,112 +0,0 @@
-/**
- * Tests for Delegation Audience Validation
- *
- * @package @kya-os/mcp-i-core/delegation/__tests__
- */
-import { describe, it, expect } from "vitest";
-import { verifyDelegationAudience } from "../audience-validator";
-import type { DelegationRecord } from "@kya-os/contracts/delegation";
-describe("verifyDelegationAudience", () => {
-  const serverDid = "did:web:server.example.com";
-  it("should return true when delegation has no audience", () => {
-    const delegation: DelegationRecord = {
-      id: "del_001",
-      issuerDid: "did:web:user.com",
-      subjectDid: "did:key:zagent123",
-      controller: "user_alice",
-      vcId: "vc_001",
-      constraints: {
-        scopes: ["tool:execute"],
-        // No audience field
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
-  });
-  it("should return true when delegation audience matches server DID", () => {
-    const delegation: DelegationRecord = {
-      id: "del_002",
-      issuerDid: "did:web:user.com",
-      subjectDid: "did:key:zagent123",
-      controller: "user_bob",
-      vcId: "vc_002",
-      constraints: {
-        scopes: ["tool:execute"],
-        audience: serverDid, // Matches server DID
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
-  });
-  it("should return false when delegation audience does not match server DID", () => {
-    const delegation: DelegationRecord = {
-      id: "del_003",
-      issuerDid: "did:web:user.com",
-      subjectDid: "did:key:zagent123",
-      controller: "user_charlie",
-      vcId: "vc_003",
-      constraints: {
-        scopes: ["tool:execute"],
-        audience: "did:web:other-server.com", // Different server
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    expect(verifyDelegationAudience(delegation, serverDid)).toBe(false);
-  });
-  it("should return true when server DID is in audience array", () => {
-    const delegation: DelegationRecord = {
-      id: "del_004",
-      issuerDid: "did:web:user.com",
-      subjectDid: "did:key:zagent123",
-      controller: "user_dave",
-      vcId: "vc_004",
-      constraints: {
-        scopes: ["tool:execute"],
-        audience: [
-          "did:web:server1.com",
-          serverDid, // Server DID is in array
-          "did:web:server3.com",
-        ],
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    expect(verifyDelegationAudience(delegation, serverDid)).toBe(true);
-  });
-  it("should return false when server DID is not in audience array", () => {
-    const delegation: DelegationRecord = {
-      id: "del_005",
-      issuerDid: "did:web:user.com",
-      subjectDid: "did:key:zagent123",
-      controller: "user_eve",
-      vcId: "vc_005",
-      constraints: {
-        scopes: ["tool:execute"],
-        audience: [
-          "did:web:server1.com",
-          "did:web:server2.com",
-          // serverDid not in array
-        ],
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    expect(verifyDelegationAudience(delegation, serverDid)).toBe(false);
-  });
-});