npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/__tests__/runtime/delegation-flow.test.ts DELETED Viewed

@@ -1,164 +0,0 @@
-/**
- * Delegation Verification Flow Integration Tests
- *
- * Tests the complete flow: handshake → session creation → tool call → delegation verification
- * Ensures that session.agentDid is correctly used in delegation verification.
- *
- * @package @kya-os/mcp-i-core/__tests__/runtime
- */
-import { describe, it, expect, beforeEach } from "vitest";
-import { MCPIRuntimeBase } from "../../runtime/base";
-import { ProviderRuntimeConfig } from "../../config";
-import {
-  createMockProviders,
-  MockClockProvider,
-  MockIdentityProvider,
-  MockNonceCacheProvider,
-} from "../utils/mock-providers";
-import type { DelegationRecord } from "@kya-os/contracts/delegation";
-describe("Delegation Verification Flow", () => {
-  let runtime: MCPIRuntimeBase;
-  let config: ProviderRuntimeConfig;
-  let mockProviders: ReturnType<typeof createMockProviders>;
-  beforeEach(async () => {
-    mockProviders = createMockProviders();
-    config = {
-      ...mockProviders,
-      environment: "development",
-      session: {
-        timestampSkewSeconds: 120,
-        ttlMinutes: 30,
-      },
-      audit: {
-        enabled: false, // Disable audit for cleaner test output
-      },
-    };
-    runtime = new MCPIRuntimeBase(config);
-    await runtime.initialize();
-  });
-  it("should verify delegation using session.agentDid", async () => {
-    const agentDid = "did:key:zagent123";
-    const userDid = "did:web:user.example.com";
-    // 1. Perform handshake with agentDid
-    const handshakeRequest = {
-      nonce: "test-nonce-123",
-      audience: "https://server.example.com",
-      timestamp: Math.floor(Date.now() / 1000),
-      agentDid,
-      clientDid: userDid,
-    };
-    const handshakeResponse = await runtime.handleHandshake(handshakeRequest);
-    expect(handshakeResponse.sessionId).toBeDefined();
-    // 2. Get session and verify agentDid is correct
-    const session = await runtime.getCurrentSession();
-    expect(session).toBeDefined();
-    expect(session?.agentDid).toBe(agentDid); // ✅ Should be client's agent DID, not server DID
-    expect(session?.serverDid).toBe("did:key:zmock123"); // ✅ Should be server's DID
-    // 3. Create a delegation with subjectDid matching agentDid
-    // (In real scenario, this would be verified via delegation verifier)
-    const delegation: DelegationRecord = {
-      id: "del_test_001",
-      issuerDid: userDid,
-      subjectDid: agentDid, // ✅ Matches session.agentDid
-      controller: "user_alice",
-      vcId: "vc_test_001",
-      constraints: {
-        scopes: ["tool:execute"],
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000, // 1 hour
-    };
-    // 4. Verify that delegation.subjectDid matches session.agentDid
-    expect(delegation.subjectDid).toBe(session?.agentDid);
-    expect(delegation.subjectDid).not.toBe(session?.serverDid); // ✅ Should NOT match server DID
-  });
-  it("should fail when session.agentDid does not match delegation.subjectDid", async () => {
-    const agentDid = "did:key:zagent123";
-    const wrongAgentDid = "did:key:zwrong456";
-    const userDid = "did:web:user.example.com";
-    // 1. Perform handshake with agentDid
-    const handshakeRequest = {
-      nonce: "test-nonce-456",
-      audience: "https://server.example.com",
-      timestamp: Math.floor(Date.now() / 1000),
-      agentDid,
-      clientDid: userDid,
-    };
-    await runtime.handleHandshake(handshakeRequest);
-    // 2. Get session
-    const session = await runtime.getCurrentSession();
-    expect(session?.agentDid).toBe(agentDid);
-    // 3. Create delegation with wrong subjectDid
-    const delegation: DelegationRecord = {
-      id: "del_test_002",
-      issuerDid: userDid,
-      subjectDid: wrongAgentDid, // ❌ Does NOT match session.agentDid
-      controller: "user_bob",
-      vcId: "vc_test_002",
-      constraints: {
-        scopes: ["tool:execute"],
-      },
-      createdAt: Date.now(),
-      expiresAt: Date.now() + 3600000,
-    };
-    // 4. Verify mismatch
-    expect(delegation.subjectDid).not.toBe(session?.agentDid);
-    expect(delegation.subjectDid).toBe(wrongAgentDid);
-  });
-  it("should handle session without agentDid gracefully", async () => {
-    const userDid = "did:web:user.example.com";
-    // 1. Perform handshake WITHOUT agentDid
-    const handshakeRequest = {
-      nonce: "test-nonce-789",
-      audience: "https://server.example.com",
-      timestamp: Math.floor(Date.now() / 1000),
-      // agentDid not provided
-      clientDid: userDid,
-    };
-    await runtime.handleHandshake(handshakeRequest);
-    // 2. Get session
-    const session = await runtime.getCurrentSession();
-    expect(session?.agentDid).toBeUndefined(); // ✅ Should be undefined, not fallback to clientDid
-    expect(session?.serverDid).toBe("did:key:zmock123"); // ✅ Server DID should still be set
-  });
-  it("should verify serverDid is set correctly in session", async () => {
-    const agentDid = "did:key:zagent789";
-    const identity = await runtime.getIdentity();
-    // 1. Perform handshake
-    const handshakeRequest = {
-      nonce: "test-nonce-server",
-      audience: "https://server.example.com",
-      timestamp: Math.floor(Date.now() / 1000),
-      agentDid,
-    };
-    await runtime.handleHandshake(handshakeRequest);
-    // 2. Verify serverDid matches identity.did
-    const session = await runtime.getCurrentSession();
-    expect(session?.serverDid).toBe(identity.did);
-    expect(session?.serverDid).not.toBe(agentDid); // ✅ Should NOT match agent DID
-  });
-});

package/src/__tests__/runtime/proof-client-did.test.ts DELETED Viewed

@@ -1,376 +0,0 @@
-/**
- * Proof Client DID Tests
- *
- * Tests for proof generation with clientDid tracking and extraction.
- */
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { MCPIRuntimeBase } from '../../runtime/base';
-import { ProviderRuntimeConfig } from '../../config';
-import { createMockProviders, MockClockProvider } from '../utils/mock-providers';
-describe('MCPIRuntimeBase - Proof Client DID', () => {
-  let runtime: MCPIRuntimeBase;
-  let config: ProviderRuntimeConfig;
-  let mockProviders: ReturnType<typeof createMockProviders>;
-  beforeEach(async () => {
-    vi.clearAllMocks();
-    mockProviders = createMockProviders();
-    config = {
-      ...mockProviders,
-      environment: 'development',
-      session: {
-        timestampSkewSeconds: 120,
-        ttlMinutes: 30
-      },
-      audit: {
-        enabled: false
-      }
-    };
-    runtime = new MCPIRuntimeBase(config);
-    await runtime.initialize();
-  });
-  describe('createProof with clientDid', () => {
-    it('should include clientDid in proof when provided in session', async () => {
-      const testData = { result: 'success' };
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'did:key:zclient123'
-      };
-      const proof = await runtime.createProof(testData, session);
-      expect(proof).toBeDefined();
-      expect(proof.did).toBe('did:key:zmock123'); // Agent DID
-      expect(proof.sessionId).toBe('session123');
-      expect(proof.audience).toBe('https://client.example.com');
-      // Note: clientDid is stored in proofData but not directly in proof object
-      // The proof structure includes sessionId which can be used to retrieve clientDid
-    });
-    it('should include userDid in proof when provided in session', async () => {
-      const testData = { result: 'success' };
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        userDid: 'did:key:zuser456'
-      };
-      const proof = await runtime.createProof(testData, session);
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-      // userDid is stored in session context
-    });
-    it('should work without clientDid or userDid (backward compatibility)', async () => {
-      const testData = { result: 'success' };
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce'
-      };
-      const proof = await runtime.createProof(testData, session);
-      expect(proof).toBeDefined();
-      expect(proof.did).toBe('did:key:zmock123');
-      expect(proof.sessionId).toBe('session123');
-      expect(proof.audience).toBe('https://client.example.com');
-    });
-    it('should prioritize clientDid over userDid when both provided', async () => {
-      const testData = { result: 'success' };
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'did:key:zclient123',
-        userDid: 'did:key:zuser456'
-      };
-      const proof = await runtime.createProof(testData, session);
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-      // clientDid takes precedence in session context
-    });
-  });
-  describe('processToolCall with clientDid', () => {
-    const mockHandler = vi.fn().mockResolvedValue({ result: 'success' });
-    it('should include clientDid in proof when session has clientDid', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'did:key:zclient123'
-      };
-      await runtime.processToolCall(
-        'testTool',
-        { arg: 'value' },
-        mockHandler,
-        session
-      );
-      const proof = runtime.getLastProof();
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-      expect(proof.audience).toBe('https://client.example.com');
-    });
-    it('should extract clientDid from handshake session', async () => {
-      // Create session via handshake
-      const handshakeResponse = await runtime.handleHandshake({
-        clientDid: 'did:key:zhandshake123',
-        audience: 'https://client.example.com'
-      });
-      const session = await runtime.getCurrentSession();
-      const proof = await runtime.createProof(
-        { test: 'data' },
-        session
-      );
-      expect(proof.sessionId).toBe(handshakeResponse.sessionId);
-      expect(session.clientDid).toBe('did:key:zhandshake123');
-    });
-    it('should handle anonymous session from handshake (Phase 5)', async () => {
-      // Phase 5: Sessions start anonymous - no userDid at handshake
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      const handshakeResponse = await runtimeWithUserDid.handleHandshake({
-        audience: 'https://client.example.com'
-      });
-      const session = await runtimeWithUserDid.getCurrentSession();
-      expect(session).toBeDefined();
-      // Phase 5: Sessions start anonymous without userDid
-      // userDid is only set after OAuth identity resolution
-      expect(session.userDid).toBeUndefined();
-      expect(session.identityState).toBe('anonymous');
-      const proof = await runtimeWithUserDid.createProof(
-        { test: 'data' },
-        session
-      );
-      expect(proof.sessionId).toBe(handshakeResponse.sessionId);
-    });
-  });
-  describe('verifyProof with clientDid context', () => {
-    let validProof: any;
-    const testData = { foo: 'bar' };
-    beforeEach(async () => {
-      // Set up DID document for verification
-      const fetchProvider = mockProviders.fetchProvider as any;
-      fetchProvider.setDIDDocument('did:key:zmock123', {
-        verificationMethod: [{
-          publicKeyBase64: 'mock-public-key'
-        }]
-      });
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'did:key:zclient123'
-      };
-      validProof = await runtime.createProof(testData, session);
-    });
-    it('should verify proof with clientDid in session context', async () => {
-      const nonceCache = mockProviders.nonceCacheProvider as any;
-      nonceCache.clear();
-      const isValid = await runtime.verifyProof(testData, validProof);
-      expect(isValid).toBe(true);
-    });
-    it('should verify proof independently of clientDid presence', async () => {
-      // Create proof without clientDid
-      const proofWithoutClientDid = await runtime.createProof(testData, {
-        id: 'session456',
-        audience: 'https://client.example.com',
-        nonce: 'other-nonce'
-      });
-      const nonceCache = mockProviders.nonceCacheProvider as any;
-      nonceCache.clear();
-      const isValid = await runtime.verifyProof(testData, proofWithoutClientDid);
-      expect(isValid).toBe(true);
-    });
-  });
-  describe('clientDid extraction from session', () => {
-    it('should retrieve clientDid from active session', async () => {
-      const handshakeResponse = await runtime.handleHandshake({
-        clientDid: 'did:key:zclient789',
-        audience: 'https://client.example.com'
-      });
-      const session = await runtime.getCurrentSession();
-      expect(session.clientDid).toBe('did:key:zclient789');
-    });
-    it('should handle anonymous session when no clientDid provided (Phase 5)', async () => {
-      // Phase 5: Sessions start anonymous - userDid and clientDid may both be undefined
-      const configWithUserDid = {
-        ...config,
-        identity: {
-          enabled: true,
-          generateUserDids: true,
-          environment: 'development'
-        }
-      };
-      const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
-      await runtimeWithUserDid.initialize();
-      const handshakeResponse = await runtimeWithUserDid.handleHandshake({
-        audience: 'https://client.example.com'
-      });
-      const session = await runtimeWithUserDid.getCurrentSession();
-      expect(session).toBeDefined();
-      // Phase 5: Sessions start anonymous without userDid
-      // userDid is only set after OAuth identity resolution
-      expect(session.userDid).toBeUndefined();
-      expect(session.identityState).toBe('anonymous');
-      // clientDid can also be undefined in anonymous sessions
-      // Both will be set after OAuth completes
-      // Verify proof includes the session
-      const proof = await runtimeWithUserDid.createProof(
-        { test: 'data' },
-        session
-      );
-      expect(proof.sessionId).toBe(handshakeResponse.sessionId);
-    });
-  });
-  describe('edge cases', () => {
-    it('should handle empty clientDid string gracefully', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: ''
-      };
-      const proof = await runtime.createProof({ test: 'data' }, session);
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-    });
-    it('should handle null clientDid gracefully', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: null as any
-      };
-      const proof = await runtime.createProof({ test: 'data' }, session);
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-    });
-    it('should handle undefined clientDid gracefully', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce'
-        // clientDid is undefined
-      };
-      const proof = await runtime.createProof({ test: 'data' }, session);
-      expect(proof).toBeDefined();
-      expect(proof.sessionId).toBe('session123');
-    });
-    it('should handle invalid DID format in clientDid', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'invalid-did-format'
-      };
-      const proof = await runtime.createProof({ test: 'data' }, session);
-      expect(proof).toBeDefined();
-      // Proof should still be created even with invalid DID format
-      expect(proof.sessionId).toBe('session123');
-    });
-  });
-  describe('proof metadata consistency', () => {
-    it('should maintain consistent proof structure with clientDid', async () => {
-      const session = {
-        id: 'session123',
-        audience: 'https://client.example.com',
-        nonce: 'test-nonce',
-        clientDid: 'did:key:zclient123'
-      };
-      const proof1 = await runtime.createProof({ test: 'data1' }, session);
-      const proof2 = await runtime.createProof({ test: 'data2' }, session);
-      // Both proofs should have same sessionId and audience
-      expect(proof1.sessionId).toBe(proof2.sessionId);
-      expect(proof1.audience).toBe(proof2.audience);
-      // But different nonces (if not pre-provided)
-      // Since we're using same nonce, they should be same
-      expect(proof1.nonce).toBe(proof2.nonce);
-      // Different timestamps
-      expect(proof1.timestamp).toBeLessThanOrEqual(proof2.timestamp);
-    });
-    it('should use different proofs for different sessions', async () => {
-      const session1 = {
-        id: 'session1',
-        audience: 'https://client.example.com',
-        nonce: 'nonce1',
-        clientDid: 'did:key:zclient1'
-      };
-      const session2 = {
-        id: 'session2',
-        audience: 'https://client.example.com',
-        nonce: 'nonce2',
-        clientDid: 'did:key:zclient2'
-      };
-      const proof1 = await runtime.createProof({ test: 'data' }, session1);
-      const proof2 = await runtime.createProof({ test: 'data' }, session2);
-      expect(proof1.sessionId).not.toBe(proof2.sessionId);
-      expect(proof1.nonce).not.toBe(proof2.nonce);
-    });
-  });
-});