npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/identity/user-did-manager.ts DELETED Viewed

@@ -1,526 +0,0 @@
-/**
- * User DID Manager
- *
- * Manages user DIDs for MCP-I sessions.
- *
- * Phase 5: Anonymous Sessions Until OAuth
- * - Sessions start anonymous (no userDid) until OAuth completes
- * - User DIDs are resolved via AgentShield identity/resolve after OAuth
- * - Eliminates DID fragmentation (same user = same DID across sessions)
- *
- * DID Resolution Priority:
- * 1. OAuth mapping lookup (persistent)
- * 2. Session storage lookup
- * 3. Return null (session stays anonymous)
- */
-import { CryptoProvider } from '../providers/base';
-/**
- * OAuth identity for persistent user DID lookup
- */
-export interface OAuthIdentity {
-  /**
-   * OAuth provider name (e.g., "google", "github", "microsoft")
-   */
-  provider: string;
-  /**
-   * OAuth subject identifier (unique user ID from provider)
-   */
-  subject: string;
-  /**
-   * User's email address from OAuth provider (optional)
-   */
-  email?: string;
-  /**
-   * User's display name from OAuth provider (optional)
-   */
-  name?: string;
-}
-/**
- * User key pair for signing VCs
- *
- * Contains both public and private keys in base64 format.
- * SECURITY: Private keys should be encrypted at rest.
- */
-export interface UserKeyPair {
-  /**
-   * User DID (did:key format)
-   */
-  did: string;
-  /**
-   * Public key in base64 format
-   */
-  publicKey: string;
-  /**
-   * Private key in base64 format
-   * SECURITY: Should be encrypted at rest in production
-   */
-  privateKey: string;
-  /**
-   * Key ID (for JWS header)
-   */
-  keyId: string;
-}
-/**
- * User DID storage interface
- */
-export interface UserDidStorage {
-  /**
-   * Get user DID for a session
-   */
-  get(sessionId: string): Promise<string | null>;
-  /**
-   * Store user DID for a session
-   */
-  set(sessionId: string, did: string, ttl?: number): Promise<void>;
-  /**
-   * Delete user DID for a session
-   */
-  delete(sessionId: string): Promise<void>;
-  /**
-   * Get user DID by OAuth identity (optional - for persistent user DID lookup)
-   * If not implemented, OAuth-based lookup will be skipped
-   */
-  getByOAuth?(provider: string, subject: string): Promise<string | null>;
-  /**
-   * Store user DID mapping for OAuth identity (optional - for persistent user DID storage)
-   * If not implemented, OAuth-based storage will be skipped
-   */
-  setByOAuth?(provider: string, subject: string, did: string, ttl?: number): Promise<void>;
-  /**
-   * Get user key pair for a session (optional - for VC signing)
-   * If not implemented, VC issuance will not be available for this session
-   */
-  getKeyPair?(sessionId: string): Promise<UserKeyPair | null>;
-  /**
-   * Store user key pair for a session (optional - for VC signing)
-   * SECURITY: Implementation should encrypt private keys at rest
-   */
-  setKeyPair?(sessionId: string, keyPair: UserKeyPair, ttl?: number): Promise<void>;
-  /**
-   * Get user key pair by OAuth identity (optional - for persistent key storage)
-   * If not implemented, OAuth-based key lookup will be skipped
-   */
-  getKeyPairByOAuth?(provider: string, subject: string): Promise<UserKeyPair | null>;
-  /**
-   * Store user key pair for OAuth identity (optional - for persistent key storage)
-   * SECURITY: Implementation should encrypt private keys at rest
-   */
-  setKeyPairByOAuth?(
-    provider: string,
-    subject: string,
-    keyPair: UserKeyPair,
-    ttl?: number
-  ): Promise<void>;
-}
-/**
- * User DID Manager configuration
- */
-export interface UserDidManagerConfig {
-  /**
-   * Storage provider for user DIDs (optional)
-   * If not provided, user DIDs are ephemeral (not persisted)
-   */
-  storage?: UserDidStorage;
-  /**
-   * Crypto provider for DID generation
-   */
-  crypto: CryptoProvider;
-  /**
-   * Generate did:web format instead of did:key (requires additional setup)
-   */
-  useDidWeb?: boolean;
-  /**
-   * Base URL for did:web (required if useDidWeb is true)
-   */
-  didWebBaseUrl?: string;
-}
-/**
- * User DID Manager
- *
- * Generates and manages user DIDs for MCP-I sessions.
- * Supports both ephemeral (did:key) and persistent (did:web) formats.
- */
-export class UserDidManager {
-  private config: UserDidManagerConfig;
-  private sessionDidCache = new Map<string, string>();
-  private sessionKeyPairCache = new Map<string, UserKeyPair>();
-  constructor(config: UserDidManagerConfig) {
-    this.config = config;
-  }
-  /**
-   * Get key pair for a session (for VC signing)
-   *
-   * Returns the key pair if available, null otherwise.
-   * Key pairs are stored when DIDs are generated.
-   *
-   * @param sessionId - MCP session ID
-   * @param oauthIdentity - Optional OAuth identity for persistent lookup
-   * @returns UserKeyPair or null if not available
-   */
-  async getKeyPairForSession(
-    sessionId: string,
-    oauthIdentity?: OAuthIdentity | null
-  ): Promise<UserKeyPair | null> {
-    // Check in-memory cache first
-    if (this.sessionKeyPairCache.has(sessionId)) {
-      return this.sessionKeyPairCache.get(sessionId)!;
-    }
-    // Check OAuth-based persistent storage if available
-    if (
-      oauthIdentity?.provider &&
-      oauthIdentity?.subject &&
-      this.config.storage?.getKeyPairByOAuth
-    ) {
-      try {
-        const keyPair = await this.config.storage.getKeyPairByOAuth(
-          oauthIdentity.provider,
-          oauthIdentity.subject
-        );
-        if (keyPair) {
-          this.sessionKeyPairCache.set(sessionId, keyPair);
-          return keyPair;
-        }
-      } catch (error) {
-        console.warn('[UserDidManager] OAuth key pair lookup failed:', error);
-      }
-    }
-    // Check session storage if available
-    if (this.config.storage?.getKeyPair) {
-      try {
-        const keyPair = await this.config.storage.getKeyPair(sessionId);
-        if (keyPair) {
-          this.sessionKeyPairCache.set(sessionId, keyPair);
-          return keyPair;
-        }
-      } catch (error) {
-        console.warn('[UserDidManager] Session key pair lookup failed:', error);
-      }
-    }
-    return null;
-  }
-  /**
-   * Get user DID for a session (Phase 5: No ephemeral generation)
-   *
-   * If a user DID already exists for the session, it is returned.
-   * If OAuth identity is provided, checks for persistent user DID mapping.
-   * Returns null if no DID found - session stays anonymous until OAuth completes.
-   *
-   * @param sessionId - MCP session ID
-   * @param oauthIdentity - Optional OAuth identity for persistent user DID lookup
-   * @returns User DID (did:key format) or null if session is anonymous
-   *
-   * @remarks
-   * - Phase 5: Sessions start anonymous, no ephemeral DID generation
-   * - User DIDs are resolved via AgentShield after OAuth completes
-   * - Returns null if no existing DID found (instead of generating ephemeral)
-   */
-  async getOrCreateUserDid(sessionId: string, oauthIdentity?: OAuthIdentity | null): Promise<string | null> {
-    // Check cache first
-    if (this.sessionDidCache.has(sessionId)) {
-      return this.sessionDidCache.get(sessionId)!;
-    }
-    // PRIORITY 1: If OAuth identity provided, check for persistent user DID mapping
-    if (oauthIdentity && oauthIdentity.provider && oauthIdentity.subject && this.config.storage?.getByOAuth) {
-      try {
-        const persistentUserDid = await this.config.storage.getByOAuth(
-          oauthIdentity.provider,
-          oauthIdentity.subject
-        );
-        if (persistentUserDid) {
-          console.log('[UserDidManager] Found persistent user DID from OAuth mapping:', {
-            provider: oauthIdentity.provider,
-            userDid: persistentUserDid.substring(0, 20) + '...',
-          });
-          // Cache it for this session
-          this.sessionDidCache.set(sessionId, persistentUserDid);
-          // Also store in session storage for faster future lookups
-          if (this.config.storage) {
-            try {
-              await this.config.storage.set(sessionId, persistentUserDid, 1800); // 30 minutes TTL
-            } catch (error) {
-              // Log but continue - DID is cached and will be returned
-              console.warn('[UserDidManager] Failed to cache persistent DID in session storage:', error);
-            }
-          }
-          return persistentUserDid;
-        }
-      } catch (error) {
-        // Log but continue - will check session storage or generate new DID
-        console.warn('[UserDidManager] OAuth lookup failed, falling back to session storage:', error);
-      }
-    }
-    // PRIORITY 2: Check session storage if available
-    if (this.config.storage) {
-      try {
-        const storedDid = await this.config.storage.get(sessionId);
-        if (storedDid) {
-          this.sessionDidCache.set(sessionId, storedDid);
-          // If OAuth identity provided but no persistent mapping found, create one now
-          if (oauthIdentity && oauthIdentity.provider && oauthIdentity.subject && this.config.storage.setByOAuth) {
-            try {
-              await this.config.storage.setByOAuth(
-                oauthIdentity.provider,
-                oauthIdentity.subject,
-                storedDid,
-                90 * 24 * 60 * 60 // 90 days TTL for persistent mapping
-              );
-              console.log('[UserDidManager] Created persistent OAuth mapping for existing user DID:', {
-                provider: oauthIdentity.provider,
-                userDid: storedDid.substring(0, 20) + '...',
-              });
-            } catch (error) {
-              // Log but continue - mapping creation failed, but DID is still valid
-              console.warn('[UserDidManager] Failed to create OAuth mapping:', error);
-            }
-          }
-          return storedDid;
-        }
-      } catch (error) {
-        // Log but continue - session will be anonymous
-        console.warn('[UserDidManager] Storage.get failed:', error);
-      }
-    }
-    // PHASE 5: No ephemeral DID generation - session stays anonymous
-    // User DID will be resolved via AgentShield after OAuth completes
-    return null;
-  }
-  /**
-   * Set user DID for a session (Phase 5: After OAuth resolution)
-   *
-   * Called after AgentShield identity/resolve returns a persistent user DID.
-   * Caches the DID and optionally stores in session storage.
-   *
-   * @param sessionId - MCP session ID
-   * @param userDid - Persistent user DID from AgentShield
-   * @param oauthIdentity - OAuth identity for creating persistent mappings
-   */
-  async setUserDidForSession(
-    sessionId: string,
-    userDid: string,
-    oauthIdentity?: OAuthIdentity | null
-  ): Promise<void> {
-    // Cache in memory
-    this.sessionDidCache.set(sessionId, userDid);
-    // Store in session storage if available
-    if (this.config.storage) {
-      try {
-        await this.config.storage.set(sessionId, userDid, 1800); // 30 minutes TTL
-      } catch (error) {
-        console.warn('[UserDidManager] Failed to store user DID in session storage:', error);
-      }
-    }
-    // Create OAuth mapping if provided
-    if (oauthIdentity?.provider && oauthIdentity?.subject && this.config.storage?.setByOAuth) {
-      try {
-        await this.config.storage.setByOAuth(
-          oauthIdentity.provider,
-          oauthIdentity.subject,
-          userDid,
-          90 * 24 * 60 * 60 // 90 days TTL for persistent mapping
-        );
-        console.log('[UserDidManager] Created OAuth → DID mapping:', {
-          provider: oauthIdentity.provider,
-          userDid: userDid.substring(0, 20) + '...',
-        });
-      } catch (error) {
-        console.warn('[UserDidManager] Failed to create OAuth mapping:', error);
-      }
-    }
-  }
-  /**
-   * Generate a new ephemeral user DID
-   *
-   * Uses did:key format by default for simplicity.
-   * did:web can be used if configured, but requires additional setup.
-   */
-  private async generateUserDid(): Promise<string> {
-    const keyPairData = await this.generateUserDidWithKeyPair();
-    return keyPairData.did;
-  }
-  /**
-   * Generate a new ephemeral user DID with full key pair
-   *
-   * Returns the DID along with the key pair for VC signing.
-   * Uses did:key format by default.
-   *
-   * @returns UserKeyPair containing DID, public key, private key, and key ID
-   */
-  private async generateUserDidWithKeyPair(): Promise<UserKeyPair> {
-    if (this.config.useDidWeb && this.config.didWebBaseUrl) {
-      // Generate did:web (requires web server setup)
-      // For now, fall back to did:key
-      // TODO: Implement did:web generation if needed
-      console.warn('[UserDidManager] did:web not yet implemented, using did:key');
-    }
-    // Generate Ed25519 keypair for user DID
-    const keyPair = await this.config.crypto.generateKeyPair();
-    // Extract public key bytes (32 bytes for Ed25519)
-    const publicKeyBytes = this.base64ToBytes(keyPair.publicKey);
-    // Generate did:key from public key
-    const did = this.generateDidKeyFromPublicKey(publicKeyBytes);
-    // Key ID is the DID with #keys-1 fragment (standard for did:key)
-    const keyId = `${did}#keys-1`;
-    return {
-      did,
-      publicKey: keyPair.publicKey,
-      privateKey: keyPair.privateKey,
-      keyId,
-    };
-  }
-  /**
-   * Generate did:key from Ed25519 public key bytes
-   * Following spec: https://w3c-ccg.github.io/did-method-key/
-   *
-   * Format: did:key:z<multibase-base58btc(<multicodec-ed25519-pub><publicKey>)>
-   */
-  private generateDidKeyFromPublicKey(publicKeyBytes: Uint8Array): string {
-    // Ed25519 multicodec prefix (0xed 0x01)
-    const multicodecPrefix = new Uint8Array([0xed, 0x01]);
-    // Combine prefix + public key
-    const multicodecKey = new Uint8Array(multicodecPrefix.length + publicKeyBytes.length);
-    multicodecKey.set(multicodecPrefix);
-    multicodecKey.set(publicKeyBytes, multicodecPrefix.length);
-    // Base58 encode (using a simple implementation)
-    // Note: For production, consider using base-x library
-    const base58Encoded = this.base58Encode(multicodecKey);
-    // Add multibase prefix 'z' for base58-btc
-    return `did:key:z${base58Encoded}`;
-  }
-  /**
-   * Base58 encode (Bitcoin alphabet)
-   * Simple implementation for did:key generation
-   */
-  private base58Encode(bytes: Uint8Array): string {
-    const alphabet = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-    let num = BigInt(0);
-    // Convert bytes to big integer
-    for (let i = 0; i < bytes.length; i++) {
-      num = num * BigInt(256) + BigInt(bytes[i]);
-    }
-    // Convert to base58
-    let result = '';
-    while (num > 0) {
-      result = alphabet[Number(num % BigInt(58))] + result;
-      num = num / BigInt(58);
-    }
-    // Add leading zeros
-    for (let i = 0; i < bytes.length && bytes[i] === 0; i++) {
-      result = '1' + result;
-    }
-    return result;
-  }
-  /**
-   * Convert base64 string to Uint8Array
-   */
-  private base64ToBytes(base64: string): Uint8Array {
-    if (typeof Buffer !== 'undefined') {
-      // Node.js environment
-      return new Uint8Array(Buffer.from(base64, 'base64'));
-    } else {
-      // Browser/Workers environment
-      const binaryString = atob(base64);
-      const bytes = new Uint8Array(binaryString.length);
-      for (let i = 0; i < binaryString.length; i++) {
-        bytes[i] = binaryString.charCodeAt(i);
-      }
-      return bytes;
-    }
-  }
-  /**
-   * Get user DID for a session without creating one
-   */
-  async getUserDid(sessionId: string): Promise<string | null> {
-    // Check cache
-    if (this.sessionDidCache.has(sessionId)) {
-      return this.sessionDidCache.get(sessionId)!;
-    }
-    // Check storage
-    if (this.config.storage) {
-      const storedDid = await this.config.storage.get(sessionId);
-      if (storedDid) {
-        this.sessionDidCache.set(sessionId, storedDid);
-        return storedDid;
-      }
-    }
-    return null;
-  }
-  /**
-   * Clear user DID for a session
-   */
-  async clearUserDid(sessionId: string): Promise<void> {
-    this.sessionDidCache.delete(sessionId);
-    if (this.config.storage) {
-      try {
-        await this.config.storage.delete(sessionId);
-      } catch (error) {
-        // Log but continue - cache is already cleared
-        console.warn('[UserDidManager] Storage.delete failed, continuing:', error);
-      }
-    }
-  }
-  /**
-   * Clear all cached user DIDs (useful for testing)
-   */
-  clearCache(): void {
-    this.sessionDidCache.clear();
-  }
-}