npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/__tests__/services/cache-busting.test.ts DELETED Viewed

@@ -1,125 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { ToolProtectionService } from "../../services/tool-protection.service";
-import { InMemoryToolProtectionCache } from "../../cache/tool-protection-cache";
-describe("Cache Busting in clearAndRefresh", () => {
-  let cache: InMemoryToolProtectionCache;
-  let service: ToolProtectionService;
-  const agentDid = "did:key:test-agent";
-  const projectId = "test-project-123";
-  beforeEach(() => {
-    cache = new InMemoryToolProtectionCache();
-    service = new ToolProtectionService(
-      {
-        apiUrl: "https://test.agentshield.com",
-        apiKey: "test-api-key",
-        projectId,
-        cacheTtl: 300000,
-        debug: true,
-      },
-      cache
-    );
-  });
-  it("clearAndRefresh should call fetchFromApi with bypassCDNCache: true", async () => {
-    // Spy on the private fetchFromApi method
-    const fetchSpy = vi.spyOn(service as any, "fetchFromApi").mockResolvedValue({
-      success: true,
-      data: {
-        toolProtections: {
-          greet: { requiresDelegation: true, requiredScopes: ["greet:execute"] },
-        },
-      },
-    });
-    await service.clearAndRefresh(agentDid);
-    // Verify fetchFromApi was called with bypassCDNCache: true
-    expect(fetchSpy).toHaveBeenCalledTimes(1);
-    expect(fetchSpy).toHaveBeenCalledWith(agentDid, { bypassCDNCache: true });
-  });
-  it("fetchFromApi should add cache-busting query param when bypassCDNCache is true", async () => {
-    // Mock global fetch
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: true,
-      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
-    });
-    global.fetch = fetchMock;
-    // Call fetchFromApi directly with bypassCDNCache: true
-    await (service as any).fetchFromApi(agentDid, { bypassCDNCache: true });
-    // Verify the URL contains cache-busting timestamp
-    const calledUrl = fetchMock.mock.calls[0][0] as string;
-    expect(calledUrl).toContain("?_t=");
-    expect(calledUrl).toMatch(/\?_t=\d+$/); // Ends with ?_t=<timestamp>
-  });
-  it("fetchFromApi should add Cache-Control headers when bypassCDNCache is true", async () => {
-    // Mock global fetch
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: true,
-      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
-    });
-    global.fetch = fetchMock;
-    // Call fetchFromApi directly with bypassCDNCache: true
-    await (service as any).fetchFromApi(agentDid, { bypassCDNCache: true });
-    // Verify the headers contain cache-control
-    const calledOptions = fetchMock.mock.calls[0][1] as RequestInit;
-    const headers = calledOptions.headers as Record<string, string>;
-    expect(headers["Cache-Control"]).toBe("no-cache, no-store, must-revalidate");
-    expect(headers["Pragma"]).toBe("no-cache");
-  });
-  it("fetchFromApi should NOT add cache-busting when bypassCDNCache is false/undefined", async () => {
-    // Mock global fetch
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: true,
-      json: () => Promise.resolve({ success: true, data: { toolProtections: {} } }),
-    });
-    global.fetch = fetchMock;
-    // Call fetchFromApi without bypassCDNCache
-    await (service as any).fetchFromApi(agentDid);
-    // Verify the URL does NOT contain cache-busting timestamp
-    const calledUrl = fetchMock.mock.calls[0][0] as string;
-    expect(calledUrl).not.toContain("?_t=");
-    // Verify no cache-control header
-    const calledOptions = fetchMock.mock.calls[0][1] as RequestInit;
-    const headers = calledOptions.headers as Record<string, string>;
-    expect(headers["Cache-Control"]).toBeUndefined();
-  });
-  it("cache should be empty after clearAndRefresh deletes it", async () => {
-    const cacheKey = `config:tool-protections:${projectId}`;
-    // Pre-populate cache
-    await cache.set(cacheKey, { toolProtections: { old: { requiresDelegation: false, requiredScopes: [] } } }, 300000);
-    // Verify cache has data
-    const before = await cache.get(cacheKey);
-    expect(before).not.toBeNull();
-    // Mock fetchFromApi to avoid network call
-    vi.spyOn(service as any, "fetchFromApi").mockResolvedValue({
-      success: true,
-      data: { toolProtections: {} },
-    });
-    // Clear and refresh
-    await service.clearAndRefresh(agentDid);
-    // Note: clearAndRefresh deletes then re-populates with fresh data
-    // But since our mock returns empty toolProtections, cache should have empty config
-    const after = await cache.get(cacheKey);
-    expect(after).toBeDefined();
-  });
-});

package/src/__tests__/services/oauth-service-pkce.test.ts DELETED Viewed

@@ -1,556 +0,0 @@
-/**
- * Tests for OAuthService PKCE Token Exchange
- *
- * Verifies:
- * 1. Successful PKCE token exchange
- * 2. Handling of GitHub-style 200-status errors
- * 3. Handling of standard 4xx errors
- * 4. Token response validation
- */
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import { OAuthService } from "../../services/oauth-service";
-import type { OAuthConfigService } from "../../services/oauth-config.service";
-import type { FetchProvider } from "../../providers/types";
-import type { OAuthProvider } from "@kya-os/contracts/config";
-describe("OAuthService PKCE Token Exchange", () => {
-  let mockConfigService: OAuthConfigService;
-  let mockFetchProvider: FetchProvider;
-  let oauthService: OAuthService;
-  const mockGitHubProvider: OAuthProvider = {
-    clientId: "test-client-id",
-    clientSecret: null,
-    authorizationUrl: "https://github.com/login/oauth/authorize",
-    tokenUrl: "https://github.com/login/oauth/access_token",
-    supportsPKCE: true,
-    requiresClientSecret: false,
-    scopes: [],
-  };
-  const mockOAuthConfig = {
-    providers: {
-      github: mockGitHubProvider,
-    },
-    configuredProvider: "github",
-  };
-  beforeEach(() => {
-    mockConfigService = {
-      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
-    } as unknown as OAuthConfigService;
-    mockFetchProvider = {
-      fetch: vi.fn(),
-      resolveDID: vi.fn(),
-      fetchStatusList: vi.fn(),
-      fetchDelegationChain: vi.fn(),
-    };
-    oauthService = new OAuthService({
-      configService: mockConfigService,
-      fetchProvider: mockFetchProvider,
-      agentShieldApiUrl: "https://test.agentshield.com",
-      agentShieldApiKey: "test-api-key",
-      projectId: "test-project",
-      logger: vi.fn(),
-    });
-  });
-  describe("Successful Token Exchange", () => {
-    it("should exchange code for access_token successfully", async () => {
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-        token_type: "bearer",
-        scope: "greet:execute",
-        expires_in: 3600,
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      const result = await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      expect(result.access_token).toBe("gho_test_access_token_123");
-      expect(result.token_type).toBe("bearer");
-      expect(result.scope).toBe("greet:execute");
-      expect(result.expires_in).toBe(3600);
-      expect(result.expires_at).toBeGreaterThan(Date.now());
-    });
-    it("should handle missing expires_in with default value", async () => {
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-        token_type: "bearer",
-        // No expires_in - should default to 3600
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      const result = await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      expect(result.expires_in).toBe(3600);
-    });
-    it("should handle refresh_token when provided", async () => {
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-        refresh_token: "ghr_test_refresh_token_456",
-        token_type: "bearer",
-        expires_in: 3600,
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      const result = await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      expect(result.refresh_token).toBe("ghr_test_refresh_token_456");
-    });
-  });
-  describe("GitHub 200-Status Error Handling", () => {
-    it("should handle bad_verification_code error (200 status)", async () => {
-      const mockErrorResponse = {
-        error: "bad_verification_code",
-        error_description: "The code passed is incorrect or expired.",
-        error_uri:
-          "https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true, // GitHub returns 200 even for errors!
-        json: () => Promise.resolve(mockErrorResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "expired-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("The code passed is incorrect or expired.");
-    });
-    it("should handle incorrect_client_credentials error (200 status)", async () => {
-      const mockErrorResponse = {
-        error: "incorrect_client_credentials",
-        error_description:
-          "The client_id and/or client_secret passed are incorrect.",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockErrorResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow(
-        "The client_id and/or client_secret passed are incorrect."
-      );
-    });
-    it("should handle redirect_uri_mismatch error (200 status)", async () => {
-      const mockErrorResponse = {
-        error: "redirect_uri_mismatch",
-        error_description:
-          "The redirect_uri MUST match the registered callback URL for this application.",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockErrorResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://wrong-redirect.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("The redirect_uri MUST match the registered callback");
-    });
-    it("should fallback to error code when error_description is missing", async () => {
-      const mockErrorResponse = {
-        error: "access_denied",
-        // No error_description
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockErrorResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("access_denied");
-    });
-  });
-  describe("Standard HTTP Error Handling", () => {
-    it("should handle 400 Bad Request error", async () => {
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: false,
-        status: 400,
-        text: () =>
-          Promise.resolve(
-            JSON.stringify({
-              error: "invalid_request",
-              error_description: "Missing required parameter",
-            })
-          ),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("Missing required parameter");
-    });
-    it("should handle 401 Unauthorized error", async () => {
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: false,
-        status: 401,
-        text: () =>
-          Promise.resolve(
-            JSON.stringify({
-              error: "invalid_client",
-              error_description: "Client authentication failed",
-            })
-          ),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("Client authentication failed");
-    });
-    it("should handle non-JSON error response", async () => {
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: false,
-        status: 500,
-        text: () => Promise.resolve("Internal Server Error"),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("Internal Server Error");
-    });
-  });
-  describe("Token Response Validation", () => {
-    it("should throw error when access_token is missing from valid response", async () => {
-      const mockInvalidResponse = {
-        token_type: "bearer",
-        scope: "greet:execute",
-        // Missing access_token
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockInvalidResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("Token response missing access_token");
-    });
-    it("should throw error when access_token is empty string", async () => {
-      const mockInvalidResponse = {
-        access_token: "",
-        token_type: "bearer",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockInvalidResponse),
-      });
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow("Token response missing access_token");
-    });
-  });
-  describe("PKCE Request Format", () => {
-    it("should send correct PKCE parameters", async () => {
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier-12345",
-        "https://test.workers.dev/oauth/callback"
-      );
-      expect(mockFetchProvider.fetch).toHaveBeenCalledWith(
-        "https://github.com/login/oauth/access_token",
-        expect.objectContaining({
-          method: "POST",
-          headers: expect.objectContaining({
-            "Content-Type": "application/x-www-form-urlencoded",
-            Accept: "application/json",
-          }),
-        })
-      );
-      // Verify request body contains correct PKCE parameters
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mock.calls[0];
-      const body = callArgs[1].body as string;
-      expect(body).toContain("grant_type=authorization_code");
-      expect(body).toContain("code=test-auth-code");
-      expect(body).toContain("code_verifier=test-code-verifier-12345");
-      expect(body).toContain("client_id=test-client-id");
-      expect(body).toContain(
-        "redirect_uri=https%3A%2F%2Ftest.workers.dev%2Foauth%2Fcallback"
-      );
-    });
-  });
-  describe("Provider Not Found", () => {
-    it("should throw error for unconfigured provider", async () => {
-      await expect(
-        oauthService.exchangeToken(
-          "unknown-provider",
-          "test-code",
-          "test-code-verifier",
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow('Provider "unknown-provider" not configured');
-    });
-  });
-  describe("PKCE Requirement", () => {
-    it("should throw error when codeVerifier is missing for PKCE provider", async () => {
-      await expect(
-        oauthService.exchangeToken(
-          "github",
-          "test-code",
-          undefined, // Missing code_verifier
-          "https://test.workers.dev/oauth/callback"
-        )
-      ).rejects.toThrow('Provider "github" requires PKCE code_verifier');
-    });
-  });
-  describe("Client Secret Handling in PKCE", () => {
-    it("should include client_secret when provider has one configured (GitHub OAuth Apps)", async () => {
-      // GitHub OAuth Apps require client_secret even with PKCE
-      const mockGitHubOAuthAppProvider: OAuthProvider = {
-        clientId: "github-oauth-app-client-id",
-        clientSecret: "github-oauth-app-client-secret",
-        authorizationUrl: "https://github.com/login/oauth/authorize",
-        tokenUrl: "https://github.com/login/oauth/access_token",
-        supportsPKCE: true,
-        requiresClientSecret: true,
-        scopes: [],
-      };
-      const mockConfigWithSecret = {
-        providers: {
-          github: mockGitHubOAuthAppProvider,
-        },
-        configuredProvider: "github",
-      };
-      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
-        mockConfigWithSecret
-      );
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-        token_type: "bearer",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      // Verify client_secret is included in request body
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mock.calls[0];
-      const body = callArgs[1].body as string;
-      expect(body).toContain("client_id=github-oauth-app-client-id");
-      expect(body).toContain("client_secret=github-oauth-app-client-secret");
-      expect(body).toContain("code_verifier=test-code-verifier");
-    });
-    it("should NOT include client_secret when provider has null clientSecret (GitHub Apps)", async () => {
-      // GitHub Apps (not OAuth Apps) can use PKCE without client_secret
-      const mockGitHubAppProvider: OAuthProvider = {
-        clientId: "github-app-client-id",
-        clientSecret: null, // No secret for GitHub Apps with PKCE
-        authorizationUrl: "https://github.com/login/oauth/authorize",
-        tokenUrl: "https://github.com/login/oauth/access_token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-        scopes: [],
-      };
-      const mockConfigWithoutSecret = {
-        providers: {
-          github: mockGitHubAppProvider,
-        },
-        configuredProvider: "github",
-      };
-      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
-        mockConfigWithoutSecret
-      );
-      const mockTokenResponse = {
-        access_token: "gho_test_access_token_123",
-        token_type: "bearer",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      // Verify client_secret is NOT included in request body
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mock.calls[0];
-      const body = callArgs[1].body as string;
-      expect(body).toContain("client_id=github-app-client-id");
-      expect(body).not.toContain("client_secret");
-      expect(body).toContain("code_verifier=test-code-verifier");
-    });
-    it("should NOT include client_secret when it is empty string", async () => {
-      const mockProviderWithEmptySecret: OAuthProvider = {
-        clientId: "test-client-id",
-        clientSecret: "", // Empty string should be treated as no secret
-        authorizationUrl: "https://example.com/oauth/authorize",
-        tokenUrl: "https://example.com/oauth/token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-        scopes: [],
-      };
-      const mockConfigWithEmptySecret = {
-        providers: {
-          github: mockProviderWithEmptySecret,
-        },
-        configuredProvider: "github",
-      };
-      (mockConfigService.getOAuthConfig as ReturnType<typeof vi.fn>).mockResolvedValue(
-        mockConfigWithEmptySecret
-      );
-      const mockTokenResponse = {
-        access_token: "test_access_token",
-        token_type: "bearer",
-      };
-      (mockFetchProvider.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
-        ok: true,
-        json: () => Promise.resolve(mockTokenResponse),
-      });
-      await oauthService.exchangeToken(
-        "github",
-        "test-auth-code",
-        "test-code-verifier",
-        "https://test.workers.dev/oauth/callback"
-      );
-      // Verify client_secret is NOT included when empty
-      const callArgs = (mockFetchProvider.fetch as ReturnType<typeof vi.fn>)
-        .mock.calls[0];
-      const body = callArgs[1].body as string;
-      expect(body).not.toContain("client_secret");
-    });
-  });
-});