npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/__tests__/services/provider-resolver-edge-cases.test.ts DELETED Viewed

@@ -1,591 +0,0 @@
-/**
- * Provider Resolver - Edge Cases Tests
- *
- * Tests for edge cases and error scenarios in provider resolution
- * (Phase 2: Dynamic Providers)
- *
- * @package @kya-os/mcp-i-core
- */
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { ProviderResolver } from "../../services/provider-resolver.js";
-import { OAuthProviderRegistry } from "../../services/oauth-provider-registry.js";
-import { OAuthConfigService } from "../../services/oauth-config.service.js";
-import type { ToolProtection } from "@kya-os/contracts/tool-protection";
-import type { OAuthConfig } from "@kya-os/contracts/config";
-describe("ProviderResolver - Edge Cases", () => {
-  let mockConfigService: OAuthConfigService;
-  let mockRegistry: OAuthProviderRegistry;
-  let resolver: ProviderResolver;
-  const mockOAuthConfig: OAuthConfig = {
-    providers: {
-      github: {
-        clientId: "github_client_id",
-        authorizationUrl: "https://github.com/login/oauth/authorize",
-        tokenUrl: "https://github.com/login/oauth/access_token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-      },
-      google: {
-        clientId: "google_client_id",
-        authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-        tokenUrl: "https://oauth2.googleapis.com/token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-      },
-      microsoft: {
-        clientId: "microsoft_client_id",
-        authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
-        tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-      },
-    },
-  };
-  beforeEach(() => {
-    // Don't clear mocks here - it might interfere with mock return values
-    // Instead, create fresh mocks for each test
-    mockConfigService = {
-      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
-    } as any;
-    // Create fresh mocks for each test
-    const getProviderNamesMock = vi.fn().mockReturnValue([]);
-    const loadFromAgentShieldMock = vi.fn().mockResolvedValue(undefined);
-    const hasProviderMock = vi.fn().mockReturnValue(false);
-    const getConfiguredProviderMock = vi.fn().mockReturnValue(null);
-    mockRegistry = {
-      hasProvider: hasProviderMock,
-      getAllProviders: vi.fn().mockReturnValue([]),
-      getProviderNames: getProviderNamesMock,
-      loadFromAgentShield: loadFromAgentShieldMock,
-      getConfiguredProvider: getConfiguredProviderMock,
-    } as any;
-    resolver = new ProviderResolver(mockRegistry, mockConfigService);
-  });
-  describe("Provider validation (Priority 1)", () => {
-    it("should validate provider exists before returning", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        oauthProvider: "github",
-      };
-      // Mock registry that simulates loaded state
-      const testRegistry = {
-        getProviderNames: vi.fn().mockReturnValue(["github", "google"]),
-        hasProvider: vi.fn((provider: string) => provider === "github" || provider === "google"),
-        loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
-        getAllProviders: vi.fn().mockReturnValue([]),
-      };
-      const testResolver = new ProviderResolver(testRegistry as any, mockConfigService);
-      const provider = await testResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-      expect(testRegistry.hasProvider).toHaveBeenCalledWith("github");
-      // Should not need to load since registry already has providers
-      expect(testRegistry.loadFromAgentShield).not.toHaveBeenCalled();
-    });
-    // TODO: Fix this test - it's trying to verify that the registry automatically loads
-    // when empty, but the mock state transitions are complex due to async timing.
-    // The test needs to properly simulate the registry state changing from empty to
-    // populated after loadFromAgentShield completes, but before hasProvider is called.
-    // Consider using a more integration-style test or rethinking the test approach.
-    it.skip("should load registry if empty before checking provider existence", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        oauthProvider: "github",
-      };
-      // Create a mock registry that starts empty
-      const mockEmptyRegistry = {
-        getProviderNames: vi.fn().mockReturnValue([]), // Empty initially
-        hasProvider: vi.fn().mockReturnValue(false), // No providers initially
-        loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
-        getAllProviders: vi.fn().mockReturnValue([]),
-      };
-      const testResolver = new ProviderResolver(mockEmptyRegistry as any, mockConfigService);
-      // Since the registry starts empty and hasProvider returns false,
-      // the resolver will throw an error about the provider not being configured
-      await expect(
-        testResolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/not configured for project/);
-      // Verify that loadFromAgentShield was called
-      expect(mockEmptyRegistry.loadFromAgentShield).toHaveBeenCalledWith("test-project");
-      expect(mockEmptyRegistry.getProviderNames).toHaveBeenCalled();
-      expect(mockEmptyRegistry.hasProvider).toHaveBeenCalledWith("github");
-    });
-    it("should throw error if tool-specific provider not configured", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        oauthProvider: "nonexistent",
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/not configured for project/);
-    });
-  });
-  describe("Scope inference edge cases (Priority 2)", () => {
-    it("should handle empty scopes array", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-      };
-      // Should fall through to Priority 3 (configuredProvider)
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configured provider (Priority 3)
-      expect(provider).toBe("github");
-    });
-    it("should handle ambiguous scopes (multiple providers inferred)", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["github:repo:read", "google:calendar:read"],
-      };
-      // Ambiguous scopes should fall through to Priority 3 (configuredProvider)
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configured provider (Priority 3)
-      expect(provider).toBe("github");
-    });
-    it("should handle unknown scope prefixes", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["custom:unknown:scope"],
-      };
-      // Unknown prefix should fall through to Priority 3 (configuredProvider)
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configured provider (Priority 3)
-      expect(provider).toBe("github");
-    });
-    it("should verify gmail → google mapping works", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["gmail:read"],
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["google"]);
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => {
-        return name === "google";
-      });
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("google");
-    });
-    it("should verify calendar → google mapping works", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["calendar:read"],
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["google"]);
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => {
-        return name === "google";
-      });
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("google");
-    });
-    it("should verify outlook → microsoft mapping works", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["outlook:read"],
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["microsoft"]);
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => {
-        return name === "microsoft";
-      });
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("microsoft");
-    });
-    it("should handle scopes without colons", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["read", "write"], // No colons
-      };
-      // Should fall through to Priority 3 (configuredProvider)
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configured provider (Priority 3)
-      expect(provider).toBe("github");
-    });
-    it("should handle inferred provider not in registry", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["github:repo:read"],
-      };
-      // Inferred provider (github) exists but not in registry
-      // configuredProvider is google
-      (mockRegistry.getProviderNames as any).mockReturnValue(["google"]);
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "google");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("google");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configured provider (Priority 3)
-      expect(provider).toBe("google");
-    });
-  });
-  describe("Fallback behavior (Priority 3 - configuredProvider)", () => {
-    it("should log warning when using configuredProvider fallback", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["custom:scope"],
-      };
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
-      await resolver.resolveProvider(toolProtection, "test-project");
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("project-configured provider")
-      );
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("github")
-      );
-      consoleSpy.mockRestore();
-    });
-    it("should use configuredProvider when oauthProvider not specified", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["custom:scope"],
-      };
-      // Multiple providers available, but configuredProvider is google
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) =>
-        name === "github" || name === "google"
-      );
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("google");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configuredProvider, not first alphabetically
-      expect(provider).toBe("google");
-    });
-    it("should NOT fall back to first provider alphabetically", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["custom:scope"],
-      };
-      // Multiple providers in registry, but NO configuredProvider
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-        { clientId: "google_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
-      // Should throw error, NOT pick first provider
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider is configured/);
-    });
-  });
-  describe("Error scenarios (Priority 4)", () => {
-    it("should throw error if no provider is configured", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-      };
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider is configured/);
-    });
-    it("should include project ID in error message", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-      };
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      try {
-        await resolver.resolveProvider(toolProtection, "test-project-123");
-      } catch (error) {
-        expect((error as Error).message).toContain("test-project-123");
-      }
-    });
-    it("should provide helpful error message with resolution steps", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-      };
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      try {
-        await resolver.resolveProvider(toolProtection, "test-project");
-      } catch (error) {
-        const message = (error as Error).message;
-        expect(message).toContain("AgentShield dashboard");
-        expect(message).toContain("Configure");
-      }
-    });
-  });
-  describe("Registry load failures", () => {
-    it("should propagate registry load errors", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-      };
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.loadFromAgentShield as any).mockRejectedValueOnce(
-        new Error("Network error")
-      );
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow("Network error");
-    });
-  });
-  describe("Provider name case sensitivity", () => {
-    it("should handle provider names case-insensitively in inference", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["GITHUB:repo:read"], // Uppercase prefix
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => {
-        return name.toLowerCase() === "github";
-      });
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-    });
-  });
-  describe("Multiple scopes with same provider", () => {
-    it("should handle multiple scopes from same provider", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [
-          "github:repo:read",
-          "github:repo:write",
-          "github:user:read",
-        ],
-      };
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
-      (mockRegistry.hasProvider as any).mockReturnValue(true);
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-    });
-  });
-  describe("configuredProvider behavior (Priority 3)", () => {
-    it("should use configuredProvider when tool has no oauthProvider", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["greet:execute"], // No scope inference match
-      };
-      // configuredProvider is github
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-      expect(mockRegistry.getConfiguredProvider).toHaveBeenCalled();
-    });
-    it("should throw when configuredProvider is null and tool needs OAuth", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["greet:execute"],
-      };
-      // No configuredProvider set
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider is configured/);
-    });
-    it("should NOT use unconfigured providers as fallback", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["greet:execute"],
-      };
-      // Registry has providers but configuredProvider is null
-      // This simulates AgentShield returning all providers but none configured
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-        { clientId: "google_client_id" },
-        { clientId: "microsoft_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google", "microsoft"]);
-      // Should NOT pick "github" alphabetically - should throw
-      await expect(
-        resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider is configured/);
-    });
-    it("should prefer tool-specific oauthProvider over configuredProvider", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-        oauthProvider: "google", // Tool specifies google
-      };
-      // configuredProvider is github, but tool wants google
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) =>
-        name === "github" || name === "google"
-      );
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Priority 1 (tool-specific) should win over Priority 3 (configuredProvider)
-      expect(provider).toBe("google");
-    });
-    it("should prefer scope-inferred provider over configuredProvider", async () => {
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["google:calendar:read"], // Infers google
-      };
-      // configuredProvider is github, but scopes infer google
-      (mockRegistry.hasProvider as any).mockImplementation((name: string) =>
-        name === "github" || name === "google"
-      );
-      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Priority 2 (scope inference) should win over Priority 3 (configuredProvider)
-      expect(provider).toBe("google");
-    });
-  });
-});