npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/services/__tests__/access-control.service.test.ts DELETED Viewed

@@ -1,970 +0,0 @@
-/**
- * Unit Tests for AccessControlApiService
- *
- * Comprehensive test coverage for the access control API service.
- * Tests all methods (fetchConfig, verifyDelegation, submitProofs) with
- * success cases, error cases, retry logic, and validation.
- */
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { AccessControlApiService } from '../access-control.service.js';
-import { AgentShieldAPIError } from '@kya-os/contracts/agentshield-api';
-import type { FetchProvider } from '../../providers/base.js';
-import type {
-  VerifyDelegationRequest,
-  ToolProtectionConfigAPIResponse,
-  ProofSubmissionRequest,
-} from '@kya-os/contracts/agentshield-api';
-describe('AccessControlApiService', () => {
-  let service: AccessControlApiService;
-  let mockFetchProvider: FetchProvider;
-  let mockLogger: ReturnType<typeof vi.fn>;
-  let mockSleep: ReturnType<typeof vi.fn>;
-  beforeEach(() => {
-    mockLogger = vi.fn();
-    mockSleep = vi.fn().mockResolvedValue(undefined);
-    mockFetchProvider = {
-      resolveDID: vi.fn(),
-      fetchStatusList: vi.fn(),
-      fetchDelegationChain: vi.fn(),
-      fetch: vi.fn(),
-    } as unknown as FetchProvider;
-    service = new AccessControlApiService({
-      baseUrl: 'https://api.example.com',
-      apiKey: 'test-api-key',
-      fetchProvider: mockFetchProvider,
-      logger: mockLogger,
-      sleepProvider: mockSleep,
-      retryConfig: {
-        maxRetries: 2,
-        initialDelayMs: 10,
-        maxDelayMs: 100,
-      },
-    });
-  });
-  describe('fetchConfig', () => {
-    it('should fetch config successfully', async () => {
-      const mockResponse: ToolProtectionConfigAPIResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {
-            'tool1': {
-              scopes: ['scope1'],
-              requires_delegation: true,
-            },
-          },
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
-      expect(result).toEqual(mockResponse);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
-        'https://api.example.com/api/v1/bouncer/config?agent_did=did%3Akey%3Az123',
-        expect.objectContaining({
-          method: 'GET',
-          headers: expect.objectContaining({
-            'Authorization': 'Bearer test-api-key',
-            'Content-Type': 'application/json',
-          }),
-        })
-      );
-    });
-    it('should handle 404 error', async () => {
-      const errorResponse = {
-        success: false,
-        error: {
-          code: 'config_not_found',
-          message: 'Config not found',
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(errorResponse), {
-          status: 404,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await expect(
-        service.fetchConfig({ agentDid: 'did:key:z123' })
-      ).rejects.toThrow(AgentShieldAPIError);
-      const metrics = service.getMetrics();
-      expect(metrics.errorCount).toBe(1);
-    });
-    it('should retry on 500 error', async () => {
-      const mockResponse: ToolProtectionConfigAPIResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {},
-        },
-      };
-      // First call fails with 500, second succeeds
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockResolvedValueOnce(
-          new Response('Internal Server Error', { status: 500 })
-        )
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(mockResponse), {
-            status: 200,
-            headers: { 'Content-Type': 'application/json' },
-          })
-        );
-      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
-      expect(result).toEqual(mockResponse);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
-      expect(mockSleep).toHaveBeenCalled();
-      expect(service.getMetrics().retryCount).toBe(1);
-    });
-    it('should handle invalid JSON response', async () => {
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockResolvedValueOnce(
-          new Response('invalid json', {
-            status: 200,
-            headers: { 'Content-Type': 'application/json' },
-          })
-        )
-        .mockResolvedValueOnce(
-          new Response('invalid json', {
-            status: 200,
-            headers: { 'Content-Type': 'application/json' },
-          })
-        );
-      await expect(
-        service.fetchConfig({ agentDid: 'did:key:z123' })
-      ).rejects.toThrow(AgentShieldAPIError);
-      const error = await service
-        .fetchConfig({ agentDid: 'did:key:z123' })
-        .catch((e) => e);
-      expect(error).toBeInstanceOf(AgentShieldAPIError);
-      expect(error.code).toBe('invalid_response');
-    });
-  });
-  describe('verifyDelegation', () => {
-    it('should verify delegation successfully', async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: 'did:key:z123',
-        scopes: ['scope1', 'scope2'],
-      };
-      const mockResponse = {
-        success: true,
-        data: {
-          valid: true,
-          delegation_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID format
-          credential: {
-            agent_did: 'did:key:z123',
-            scopes: ['scope1', 'scope2'],
-            issued_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
-            created_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
-          },
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result = await service.verifyDelegation(request);
-      expect(result.data.valid).toBe(true);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
-        'https://api.example.com/api/v1/bouncer/delegations/verify',
-        expect.objectContaining({
-          method: 'POST',
-          body: JSON.stringify({
-            agent_did: 'did:key:z123',
-            scopes: ['scope1', 'scope2'],
-          }),
-        })
-      );
-    });
-    it('should omit scopes field when scopes is undefined (truly optional)', async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: 'did:key:z123',
-        // scopes is intentionally omitted
-      };
-      const mockResponse = {
-        success: true,
-        data: { valid: true },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      try {
-        await service.verifyDelegation(request);
-      } catch (error: any) {
-        // Log validation errors and mock logger calls for debugging
-        if (error.details?.zodErrors) {
-          console.log('Validation errors:', JSON.stringify(error.details.zodErrors, null, 2));
-        }
-        // Check mock logger calls
-        const loggerCalls = mockLogger.mock.calls;
-        const debugCall = loggerCalls.find((call: any[]) =>
-          call[0]?.includes('Request body debug')
-        );
-        if (debugCall) {
-          console.log('Debug log:', JSON.stringify(debugCall[1], null, 2));
-        }
-        throw error;
-      }
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mock.calls[0];
-      const requestBody = JSON.parse(callArgs[1].body as string);
-      // Verify scopes field is not included in request body when undefined
-      expect(requestBody).not.toHaveProperty('scopes');
-      expect(requestBody.agent_did).toBe('did:key:z123');
-    });
-    it('should include scopes field when scopes is provided', async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: 'did:key:z123',
-        scopes: ['scope1', 'scope2'],
-      };
-      const mockResponse = {
-        success: true,
-        data: { valid: true },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await service.verifyDelegation(request);
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mock.calls[0];
-      const requestBody = JSON.parse(callArgs[1].body as string);
-      // Verify scopes field is included when provided
-      expect(requestBody.scopes).toEqual(['scope1', 'scope2']);
-    });
-    it('should include delegation_token from context', async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: 'did:key:z123',
-        scopes: ['scope1'],
-      };
-      const mockResponse = {
-        success: true,
-        data: { valid: true },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await service.verifyDelegation(request, {
-        delegationToken: 'token-123',
-        credentialJwt: 'jwt-123',
-      });
-      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.objectContaining({
-          body: expect.stringContaining('delegation_token'),
-        })
-      );
-    });
-    it('should handle validation error', async () => {
-      const invalidRequest = {
-        agent_did: '', // Invalid: empty string
-        scopes: [],
-      } as VerifyDelegationRequest;
-      // Mock fetch twice since we call verifyDelegation twice
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockResolvedValueOnce(
-          new Response(
-            JSON.stringify({
-              success: false,
-              error: {
-                code: 'validation_error',
-                message: 'Invalid request',
-              },
-            }),
-            {
-              status: 400,
-              headers: { 'Content-Type': 'application/json' },
-            }
-          )
-        )
-        .mockResolvedValueOnce(
-          new Response(
-            JSON.stringify({
-              success: false,
-              error: {
-                code: 'validation_error',
-                message: 'Invalid request',
-              },
-            }),
-            {
-              status: 400,
-              headers: { 'Content-Type': 'application/json' },
-            }
-          )
-        );
-      await expect(
-        service.verifyDelegation(invalidRequest)
-      ).rejects.toThrow(AgentShieldAPIError);
-      const error = await service
-        .verifyDelegation(invalidRequest)
-        .catch((e) => e);
-      expect(error.code).toBe('validation_error');
-    });
-    it('should handle 401 authentication error', async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: 'did:key:z123',
-        scopes: ['scope1'],
-      };
-      // Mock fetch twice since we call verifyDelegation twice
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockResolvedValueOnce(
-          new Response(
-            JSON.stringify({
-              success: false,
-              error: {
-                code: 'authentication_failed',
-                message: 'Invalid API key',
-              },
-            }),
-            {
-              status: 401,
-              headers: { 'Content-Type': 'application/json' },
-            }
-          )
-        )
-        .mockResolvedValueOnce(
-          new Response(
-            JSON.stringify({
-              success: false,
-              error: {
-                code: 'authentication_failed',
-                message: 'Invalid API key',
-              },
-            }),
-            {
-              status: 401,
-              headers: { 'Content-Type': 'application/json' },
-            }
-          )
-        );
-      await expect(service.verifyDelegation(request)).rejects.toThrow(
-        AgentShieldAPIError
-      );
-      const error = await service.verifyDelegation(request).catch((e) => e);
-      expect(error.code).toBe('authentication_failed');
-    });
-  });
-  describe('submitProofs', () => {
-    it('should submit proofs successfully', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
-        delegation_id: null, // Explicitly set to null
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      const mockResponse = {
-        // Direct ProofSubmissionResponse (not wrapped)
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {
-          success: 1,
-          failed: 0,
-          blocked: 0,
-          error: 0,
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result = await service.submitProofs(request);
-      expect(result.accepted).toBe(1);
-      expect(result.rejected).toBe(0);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
-        'https://api.example.com/api/v1/bouncer/proofs',
-        expect.objectContaining({
-          method: 'POST',
-          body: JSON.stringify(request),
-        })
-      );
-    });
-    it('should handle all_proofs_rejected error gracefully', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
-        delegation_id: null, // Explicitly set to null
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      const errorResponse = {
-        success: false,
-        error: {
-          code: 'all_proofs_rejected',
-          message: 'All proofs rejected',
-          details: {
-            rejected: 1,
-            errors: [
-              {
-                proof_index: 0,
-                error: {
-                  code: 'invalid_signature',
-                  message: 'Invalid signature',
-                },
-              },
-            ],
-          },
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(errorResponse), {
-          status: 400,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result = await service.submitProofs(request);
-      // ProofSubmissionResponse has a success field
-      expect(result.success).toBe(false);
-      expect(result.accepted).toBe(0);
-      expect(result.rejected).toBe(1);
-      expect(result.errors).toBeDefined();
-    });
-    it('should handle wrapped response format', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000', // Valid UUID
-        delegation_id: null, // Explicitly set to null
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      const wrappedResponse = {
-        success: true,
-        data: {
-          // ProofSubmissionResponse has a success field
-          success: true,
-          accepted: 1,
-          rejected: 0,
-          outcomes: {
-            success: 1,
-            failed: 0,
-            blocked: 0,
-            error: 0,
-          },
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(wrappedResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result = await service.submitProofs(request);
-      expect(result.accepted).toBe(1);
-    });
-    it('should handle invalid response format with detailed error logging', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000',
-        delegation_id: null,
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000),
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      // Invalid response: missing required fields (accepted, rejected, outcomes)
-      const invalidResponse = {
-        success: true,
-        message: 'Proof submitted', // Wrong format - missing required fields
-      };
-      const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(invalidResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const error = await service.submitProofs(request).catch((e) => e);
-      expect(error).toBeInstanceOf(AgentShieldAPIError);
-      expect((error as AgentShieldAPIError).code).toBe('invalid_response');
-      expect((error as AgentShieldAPIError).message).toBe('Response validation failed');
-      // Verify detailed error logging
-      expect(consoleErrorSpy).toHaveBeenCalled();
-      const errorCall = consoleErrorSpy.mock.calls.find(call =>
-        call[0]?.includes('Response validation failed')
-      );
-      expect(errorCall).toBeDefined();
-      expect(errorCall?.[1]).toHaveProperty('zodErrors');
-      expect(errorCall?.[1]).toHaveProperty('responseData');
-      consoleErrorSpy.mockRestore();
-    });
-    it('should handle response with missing outcomes field (outcomes is optional)', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000',
-        delegation_id: null,
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000),
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      // Test 1: Response WITHOUT outcomes field (valid - outcomes is optional)
-      const responseWithoutOutcomes = {
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        // Missing outcomes field - this is now valid
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
-        new Response(JSON.stringify(responseWithoutOutcomes), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result1 = await service.submitProofs(request);
-      expect(result1).toEqual({
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: undefined, // outcomes is optional
-      });
-      // Test 2: Response WITH outcomes field (also valid)
-      const responseWithOutcomes = {
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {
-          success: 1,
-          failed: 0,
-          blocked: 0,
-          error: 0,
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
-        new Response(JSON.stringify(responseWithOutcomes), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result2 = await service.submitProofs(request);
-      expect(result2).toEqual({
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {
-          success: 1,
-          failed: 0,
-          blocked: 0,
-          error: 0,
-        },
-      });
-      // Test 3: Response with empty outcomes object (also valid)
-      const responseWithEmptyOutcomes = {
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {},
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValueOnce(
-        new Response(JSON.stringify(responseWithEmptyOutcomes), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const result3 = await service.submitProofs(request);
-      expect(result3).toEqual({
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {},
-      });
-    });
-    it('should handle wrapped response with invalid data structure', async () => {
-      const request: ProofSubmissionRequest = {
-        session_id: '123e4567-e89b-12d3-a456-426614174000',
-        delegation_id: null,
-        proofs: [
-          {
-            jws: 'header.payload.signature',
-            meta: {
-              did: 'did:key:z123',
-              kid: 'did:key:z123#key-1',
-              ts: Math.floor(Date.now() / 1000),
-              nonce: 'nonce-123',
-              audience: 'mcp-client',
-              sessionId: 'session-123',
-              requestHash: 'sha256:' + 'a'.repeat(64),
-              responseHash: 'sha256:' + 'b'.repeat(64),
-            },
-          },
-        ],
-      };
-      // Wrapped response but data is invalid
-      const invalidWrappedResponse = {
-        success: true,
-        data: {
-          // Missing required fields
-          message: 'Invalid format',
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(invalidWrappedResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      const error = await service.submitProofs(request).catch((e) => e);
-      expect(error).toBeInstanceOf(AgentShieldAPIError);
-      expect((error as AgentShieldAPIError).code).toBe('invalid_response');
-    });
-    it('should validate request schema', async () => {
-      const invalidRequest = {
-        session_id: '', // Invalid: empty string
-        proofs: [],
-      } as ProofSubmissionRequest;
-      await expect(service.submitProofs(invalidRequest)).rejects.toThrow(
-        AgentShieldAPIError
-      );
-      const error = await service
-        .submitProofs(invalidRequest)
-        .catch((e) => e);
-      expect(error.code).toBe('validation_error');
-    });
-  });
-  describe('retry logic', () => {
-    it('should retry on network errors', async () => {
-      const mockResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {},
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      // First call throws network error, second succeeds
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockRejectedValueOnce(new TypeError('fetch failed'))
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(mockResponse), {
-            status: 200,
-            headers: { 'Content-Type': 'application/json' },
-          })
-        );
-      const result = await service.fetchConfig({ agentDid: 'did:key:z123' });
-      expect(result).toBeDefined();
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
-      expect(service.getMetrics().retryCount).toBe(1);
-    });
-    it('should not retry on 400 errors', async () => {
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(
-          JSON.stringify({
-            success: false,
-            error: {
-              code: 'validation_error',
-              message: 'Invalid request',
-            },
-          }),
-          {
-            status: 400,
-            headers: { 'Content-Type': 'application/json' },
-          }
-        )
-      );
-      await expect(
-        service.fetchConfig({ agentDid: 'did:key:z123' })
-      ).rejects.toThrow(AgentShieldAPIError);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(1);
-      expect(mockSleep).not.toHaveBeenCalled();
-    });
-    it('should respect maxRetries limit', async () => {
-      // All calls fail with 500 - need to mock multiple times for retries
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }))
-        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }))
-        .mockResolvedValueOnce(new Response('Internal Server Error', { status: 500 }));
-      await expect(
-        service.fetchConfig({ agentDid: 'did:key:z123' })
-      ).rejects.toThrow();
-      // Should retry maxRetries times (2) + initial attempt = 3 total
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(3);
-      expect(service.getMetrics().retryCount).toBe(2);
-      expect(service.getMetrics().errorCount).toBe(1);
-    });
-  });
-  describe('metrics', () => {
-    it('should track successful requests', async () => {
-      const mockResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {},
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await service.fetchConfig({ agentDid: 'did:key:z123' });
-      const metrics = service.getMetrics();
-      expect(metrics.successCount).toBe(1);
-      expect(metrics.errorCount).toBe(0);
-    });
-    it('should reset metrics', async () => {
-      const mockResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {},
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await service.fetchConfig({ agentDid: 'did:key:z123' });
-      service.resetMetrics();
-      const metrics = service.getMetrics();
-      expect(metrics.successCount).toBe(0);
-      expect(metrics.errorCount).toBe(0);
-      expect(metrics.retryCount).toBe(0);
-    });
-  });
-  describe('correlation ID', () => {
-    it('should include correlation ID in headers', async () => {
-      const mockResponse = {
-        success: true,
-        data: {
-          agent_did: 'did:key:z123',
-          tools: {},
-        },
-        metadata: {
-          requestId: 'test-request-id',
-          timestamp: new Date().toISOString(),
-        },
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { 'Content-Type': 'application/json' },
-        })
-      );
-      await service.fetchConfig({ agentDid: 'did:key:z123' });
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mock.calls[0];
-      const headers = callArgs[1].headers;
-      expect(headers['X-Request-ID']).toBeDefined();
-      expect(typeof headers['X-Request-ID']).toBe('string');
-    });
-  });
-});