npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/delegation/__tests__/vc-verifier.test.ts DELETED Viewed

@@ -1,922 +0,0 @@
-import { describe, it, expect, beforeEach, vi, Mock } from "vitest";
-import {
-  DelegationCredentialVerifier,
-  createDelegationVerifier,
-  type DIDResolver,
-  type StatusListResolver,
-  type SignatureVerificationFunction,
-  type DelegationVCVerificationResult,
-} from "../vc-verifier.js";
-import type { DelegationCredential } from "@kya-os/contracts";
-// Mock the contracts functions
-vi.mock("@kya-os/contracts", () => ({
-  isDelegationCredentialExpired: vi.fn(),
-  isDelegationCredentialNotYetValid: vi.fn(),
-  validateDelegationCredential: vi.fn(),
-}));
-describe("DelegationCredentialVerifier", () => {
-  let mockDidResolver: {
-    resolve: ReturnType<typeof vi.fn>;
-  };
-  let mockStatusListResolver: {
-    checkStatus: ReturnType<typeof vi.fn>;
-  };
-  let mockSignatureVerifier: Mock<SignatureVerificationFunction>;
-  let verifier: DelegationCredentialVerifier;
-  // Helper function to setup default contracts mocks
-  const setupDefaultContractsMocks = async () => {
-    // Import the mocked functions
-    const contracts = await import("@kya-os/contracts");
-    // Access the mocked functions and set return values
-    const validateDelegationCredential = vi.mocked(
-      contracts.validateDelegationCredential
-    );
-    const isDelegationCredentialExpired = vi.mocked(
-      contracts.isDelegationCredentialExpired
-    );
-    const isDelegationCredentialNotYetValid = vi.mocked(
-      contracts.isDelegationCredentialNotYetValid
-    );
-    // Setup default return values
-    validateDelegationCredential.mockReturnValue({
-      success: true,
-      data: mockValidVC,
-    });
-    isDelegationCredentialExpired.mockReturnValue(false);
-    isDelegationCredentialNotYetValid.mockReturnValue(false);
-    return {
-      validateDelegationCredential,
-      isDelegationCredentialExpired,
-      isDelegationCredentialNotYetValid,
-    };
-  };
-  const mockValidVC: DelegationCredential = {
-    "@context": ["https://www.w3.org/2018/credentials/v1"],
-    id: "urn:delegation:123",
-    type: ["VerifiableCredential", "DelegationCredential"],
-    issuer: "did:web:example.com:issuer",
-    issuanceDate: "2024-01-01T00:00:00Z",
-    credentialSubject: {
-      id: "did:web:example.com:subject",
-      delegation: {
-        id: "urn:delegation:123",
-        issuerDid: "did:web:example.com:issuer",
-        subjectDid: "did:web:example.com:subject",
-        constraints: {
-          scopes: ["read:profile"],
-        },
-        status: "active",
-      },
-    },
-    proof: {
-      type: "Ed25519Signature2020",
-      created: "2024-01-01T00:00:00Z",
-      verificationMethod: "did:web:example.com:issuer#key-1",
-      proofPurpose: "assertionMethod",
-      proofValue: "mock-proof-value",
-    },
-  };
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Setup mocks as proper interface implementations with vitest mock types
-    mockDidResolver = {
-      resolve: vi.fn() as any,
-    };
-    mockStatusListResolver = {
-      checkStatus: vi.fn() as any,
-    };
-    mockSignatureVerifier = vi.fn();
-    verifier = new DelegationCredentialVerifier({
-      didResolver: mockDidResolver as DIDResolver,
-      statusListResolver: mockStatusListResolver as StatusListResolver,
-      signatureVerifier: mockSignatureVerifier,
-      cacheTtl: 1000, // Short TTL for testing
-    });
-  });
-  describe("constructor", () => {
-    it("should create verifier with default options", () => {
-      const defaultVerifier = new DelegationCredentialVerifier();
-      expect(defaultVerifier).toBeInstanceOf(DelegationCredentialVerifier);
-    });
-    it("should create verifier with custom options", () => {
-      const customVerifier = new DelegationCredentialVerifier({
-        cacheTtl: 5000,
-      });
-      expect(customVerifier).toBeInstanceOf(DelegationCredentialVerifier);
-    });
-  });
-  describe("createDelegationVerifier", () => {
-    it("should create a verifier instance", () => {
-      const verifier = createDelegationVerifier();
-      expect(verifier).toBeInstanceOf(DelegationCredentialVerifier);
-    });
-    it("should pass options to verifier", () => {
-      const options = { cacheTtl: 3000 };
-      const verifier = createDelegationVerifier(options);
-      expect(verifier).toBeInstanceOf(DelegationCredentialVerifier);
-    });
-  });
-  describe("verifyDelegationCredential - Basic Validation Stage", () => {
-    it("should reject expired credentials at basic validation stage", async () => {
-      const contractsMock = await setupDefaultContractsMocks();
-      contractsMock.isDelegationCredentialExpired.mockReturnValue(true);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Delegation credential expired");
-      expect(result.stage).toBe("basic");
-      expect(result.metrics?.totalMs).toBeGreaterThanOrEqual(0);
-      expect(result.checks?.basicValid).toBe(false);
-    });
-    it("should reject not-yet-valid credentials at basic validation stage", async () => {
-      const contractsMock = await setupDefaultContractsMocks();
-      contractsMock.isDelegationCredentialNotYetValid.mockReturnValue(true);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Delegation credential not yet valid");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject revoked credentials at basic validation stage", async () => {
-      await setupDefaultContractsMocks();
-      const revokedVC = {
-        ...mockValidVC,
-        credentialSubject: {
-          ...mockValidVC.credentialSubject,
-          delegation: {
-            ...mockValidVC.credentialSubject.delegation,
-            status: "revoked" as const,
-          },
-        },
-      };
-      const result = await verifier.verifyDelegationCredential(revokedVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Delegation status is revoked");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject expired status credentials at basic validation stage", async () => {
-      await setupDefaultContractsMocks();
-      const expiredVC = {
-        ...mockValidVC,
-        credentialSubject: {
-          ...mockValidVC.credentialSubject,
-          delegation: {
-            ...mockValidVC.credentialSubject.delegation,
-            status: "expired" as const,
-          },
-        },
-      };
-      const result = await verifier.verifyDelegationCredential(expiredVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Delegation status is expired");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject credentials without issuer DID", async () => {
-      await setupDefaultContractsMocks();
-      const invalidVC = {
-        ...mockValidVC,
-        credentialSubject: {
-          ...mockValidVC.credentialSubject,
-          delegation: {
-            ...mockValidVC.credentialSubject.delegation,
-            issuerDid: undefined,
-          },
-        },
-      } as any;
-      const result = await verifier.verifyDelegationCredential(invalidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Missing issuer or subject DID");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject credentials without subject DID", async () => {
-      await setupDefaultContractsMocks();
-      const invalidVC = {
-        ...mockValidVC,
-        credentialSubject: {
-          ...mockValidVC.credentialSubject,
-          delegation: {
-            ...mockValidVC.credentialSubject.delegation,
-            subjectDid: undefined,
-          },
-        },
-      } as any;
-      const result = await verifier.verifyDelegationCredential(invalidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Missing issuer or subject DID");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject credentials without proof", async () => {
-      await setupDefaultContractsMocks();
-      const invalidVC = { ...mockValidVC };
-      delete invalidVC.proof;
-      const result = await verifier.verifyDelegationCredential(invalidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Missing proof");
-      expect(result.stage).toBe("basic");
-    });
-    it("should reject invalid schema at basic validation stage", async () => {
-      const contractsMock = await setupDefaultContractsMocks();
-      // Create a mock ZodError-like object without importing zod
-      const mockZodError = {
-        issues: [{ code: "custom", path: [], message: "Invalid schema" }],
-        message: "Invalid schema",
-      };
-      contractsMock.validateDelegationCredential.mockReturnValue({
-        success: false,
-        error: mockZodError,
-      } as any);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Schema validation failed: Invalid schema");
-      expect(result.stage).toBe("basic");
-    });
-  });
-  describe("verifyDelegationCredential - Signature Verification", () => {
-    it("should skip signature verification when skipSignature is true", async () => {
-      await setupDefaultContractsMocks();
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      mockSignatureVerifier.mockResolvedValue({ valid: false }); // This should not be called
-      const result = await verifier.verifyDelegationCredential(mockValidVC, {
-        skipSignature: true,
-      });
-      expect(result.valid).toBe(true); // Only basic checks pass
-      expect(result.stage).toBe("complete");
-      expect(result.checks?.signatureValid).toBe(true); // Skipped = treated as valid
-      expect(mockSignatureVerifier).not.toHaveBeenCalled();
-    });
-    it("should skip signature verification when no resolver available", async () => {
-      await setupDefaultContractsMocks();
-      const verifierWithoutResolver = new DelegationCredentialVerifier({
-        statusListResolver: mockStatusListResolver,
-        // No signatureVerifier
-      });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result =
-        await verifierWithoutResolver.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(true);
-      expect(result.checks?.signatureValid).toBe(true); // Trust but don't verify
-    });
-    it("should fail when DID resolution fails", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue(null);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe(
-        "Could not resolve issuer DID: did:web:example.com:issuer"
-      );
-      expect(result.stage).toBe("complete");
-      expect(result.checks?.signatureValid).toBe(false);
-    });
-    it("should fail when verification method not found", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [], // Empty array
-      });
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe(
-        "Verification method did:web:example.com:issuer#key-1 not found"
-      );
-      expect(result.checks?.signatureValid).toBe(false);
-    });
-    it("should fail when verification method missing public key", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            // Missing publicKeyJwk
-          },
-        ],
-      });
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Verification method missing publicKeyJwk");
-      expect(result.checks?.signatureValid).toBe(false);
-    });
-    it("should succeed when signature verification passes", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(true);
-      expect(result.stage).toBe("complete");
-      expect(result.checks?.signatureValid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true);
-      expect(result.checks?.basicValid).toBe(true);
-    });
-    it("should fail when signature verification fails", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({
-        valid: false,
-        reason: "Invalid signature",
-      });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe("Invalid signature");
-      expect(result.checks?.signatureValid).toBe(false);
-    });
-  });
-  describe("verifyDelegationCredential - Status Checking", () => {
-    it("should skip status checking when skipStatus is true", async () => {
-      await setupDefaultContractsMocks();
-      const vcWithoutStatus = { ...mockValidVC };
-      delete vcWithoutStatus.credentialStatus;
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(true); // Revoked - should not be called
-      const result = await verifier.verifyDelegationCredential(
-        vcWithoutStatus,
-        {
-          skipStatus: true,
-        }
-      );
-      expect(result.valid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true); // Skipped = treated as valid
-      expect(mockStatusListResolver.checkStatus).not.toHaveBeenCalled();
-    });
-    it("should skip status checking when no status entry exists", async () => {
-      await setupDefaultContractsMocks();
-      const vcWithoutStatus = { ...mockValidVC };
-      delete vcWithoutStatus.credentialStatus;
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      const result = await verifier.verifyDelegationCredential(vcWithoutStatus);
-      expect(result.valid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true);
-      expect(mockStatusListResolver.checkStatus).not.toHaveBeenCalled();
-    });
-    it("should skip status checking when no resolver available", async () => {
-      await setupDefaultContractsMocks();
-      const verifierWithoutResolver = new DelegationCredentialVerifier({
-        didResolver: mockDidResolver,
-        signatureVerifier: mockSignatureVerifier,
-        // No statusListResolver
-      });
-      const vcWithStatus = {
-        ...mockValidVC,
-        credentialStatus: {
-          id: "https://example.com/status#123",
-          type: "StatusList2021Entry" as const,
-          statusPurpose: "revocation" as const,
-          statusListIndex: "123",
-          statusListCredential: "https://example.com/status",
-        },
-      };
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      const result =
-        await verifierWithoutResolver.verifyDelegationCredential(vcWithStatus);
-      expect(result.valid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true); // Trust but don't verify
-    });
-    it("should fail when credential is revoked", async () => {
-      await setupDefaultContractsMocks();
-      const vcWithStatus = {
-        ...mockValidVC,
-        credentialStatus: {
-          id: "https://example.com/status#123",
-          type: "StatusList2021Entry" as const,
-          statusPurpose: "revocation" as const,
-          statusListIndex: "123",
-          statusListCredential: "https://example.com/status",
-        },
-      };
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(true); // Revoked
-      const result = await verifier.verifyDelegationCredential(vcWithStatus);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBe(
-        "Credential revoked via StatusList2021 (revocation)"
-      );
-      expect(result.checks?.statusValid).toBe(false);
-    });
-    it("should succeed when credential is not revoked", async () => {
-      await setupDefaultContractsMocks();
-      const vcWithStatus = {
-        ...mockValidVC,
-        credentialStatus: {
-          id: "https://example.com/status#123",
-          type: "StatusList2021Entry" as const,
-          statusPurpose: "revocation" as const,
-          statusListIndex: "123",
-          statusListCredential: "https://example.com/status",
-        },
-      };
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false); // Not revoked
-      const result = await verifier.verifyDelegationCredential(vcWithStatus);
-      expect(result.valid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true);
-    });
-  });
-  describe("verifyDelegationCredential - Caching", () => {
-    it("should return cached result when available", async () => {
-      await setupDefaultContractsMocks();
-      // First call - should verify and cache
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result1 = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result1.valid).toBe(true);
-      expect(result1.cached).toBeUndefined();
-      // Second call - should return cached result
-      mockSignatureVerifier.mockClear();
-      mockStatusListResolver.checkStatus.mockClear();
-      const result2 = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result2.valid).toBe(true);
-      expect(result2.cached).toBe(true);
-      // Verifiers should not be called again
-      expect(mockSignatureVerifier).not.toHaveBeenCalled();
-      expect(mockStatusListResolver.checkStatus).not.toHaveBeenCalled();
-    });
-    it("should skip cache when skipCache is true", async () => {
-      await setupDefaultContractsMocks();
-      // First call
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      await verifier.verifyDelegationCredential(mockValidVC);
-      // Second call with skipCache
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: false }); // Different result
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC, {
-        skipCache: true,
-      });
-      expect(result.valid).toBe(false); // Should get new result, not cached
-      expect(result.cached).toBeUndefined();
-    });
-    it("should not cache failed verifications", async () => {
-      // First call - fails
-      const contractsMock = await setupDefaultContractsMocks();
-      contractsMock.isDelegationCredentialExpired.mockReturnValue(true);
-      const result1 = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result1.valid).toBe(false);
-      // Reset for second call
-      contractsMock.isDelegationCredentialExpired.mockReturnValue(false);
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      // Second call - should verify again (not cached)
-      const result2 = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result2.valid).toBe(true);
-      expect(result2.cached).toBeUndefined(); // Should not be cached
-    });
-  });
-  describe("cache management", () => {
-    it("should clear all cache entries", async () => {
-      await setupDefaultContractsMocks();
-      // Add to cache
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      await verifier.verifyDelegationCredential(mockValidVC);
-      // Clear cache
-      verifier.clearCache();
-      // Next call should verify again
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: false }); // Different result
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.cached).toBeUndefined();
-    });
-    it("should clear specific cache entry", async () => {
-      await setupDefaultContractsMocks();
-      // Add to cache
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      await verifier.verifyDelegationCredential(mockValidVC);
-      // Clear specific entry
-      verifier.clearCacheEntry("urn:delegation:123");
-      // Next call should verify again
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: false });
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.cached).toBeUndefined();
-    });
-  });
-  describe("performance metrics", () => {
-    it("should include timing metrics in results", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.metrics).toBeDefined();
-      expect(result.metrics?.totalMs).toBeGreaterThanOrEqual(0);
-      expect(result.metrics?.basicCheckMs).toBeGreaterThanOrEqual(0);
-      expect(result.metrics?.signatureCheckMs).toBeGreaterThanOrEqual(0);
-      expect(result.metrics?.statusCheckMs).toBeGreaterThanOrEqual(0);
-    });
-    it("should report zero timing for skipped checks", async () => {
-      await setupDefaultContractsMocks();
-      const result = await verifier.verifyDelegationCredential(mockValidVC, {
-        skipSignature: true,
-        skipStatus: true,
-      });
-      expect(result.metrics?.signatureCheckMs).toBe(0);
-      expect(result.metrics?.statusCheckMs).toBe(0);
-    });
-  });
-  describe("error handling", () => {
-    it("should handle DID resolver errors gracefully", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockRejectedValue(new Error("Network timeout"));
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain(
-        "Signature verification error: Network timeout"
-      );
-    });
-    it("should handle status list resolver errors gracefully", async () => {
-      await setupDefaultContractsMocks();
-      const vcWithStatus = {
-        ...mockValidVC,
-        credentialStatus: {
-          id: "https://example.com/status#123",
-          type: "StatusList2021Entry" as const,
-          statusPurpose: "revocation" as const,
-          statusListIndex: "123",
-          statusListCredential: "https://example.com/status",
-        },
-      };
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockRejectedValue(
-        new Error("Status list unavailable")
-      );
-      const result = await verifier.verifyDelegationCredential(vcWithStatus);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain(
-        "Status check error: Status list unavailable"
-      );
-    });
-    it("should handle signature verifier errors gracefully", async () => {
-      await setupDefaultContractsMocks();
-      mockDidResolver.resolve.mockResolvedValue({
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-        ],
-      });
-      mockSignatureVerifier.mockRejectedValue(
-        new Error("Signature algorithm unsupported")
-      );
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain(
-        "Signature verification error: Signature algorithm unsupported"
-      );
-    });
-  });
-  describe("findVerificationMethod", () => {
-    // This is a private method, but we can test it indirectly through the main verification flow
-    it("should find verification method by ID", async () => {
-      await setupDefaultContractsMocks();
-      const didDoc = {
-        id: "did:web:example.com:issuer",
-        verificationMethod: [
-          {
-            id: "did:web:example.com:issuer#key-1",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
-          },
-          {
-            id: "did:web:example.com:issuer#key-2",
-            type: "Ed25519VerificationKey2020",
-            controller: "did:web:example.com:issuer",
-            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "other-key" },
-          },
-        ],
-      };
-      mockDidResolver.resolve.mockResolvedValue(didDoc);
-      mockSignatureVerifier.mockResolvedValue({ valid: true });
-      mockStatusListResolver.checkStatus.mockResolvedValue(false);
-      const result = await verifier.verifyDelegationCredential(mockValidVC);
-      expect(result.valid).toBe(true);
-      expect(mockSignatureVerifier).toHaveBeenCalledWith(mockValidVC, {
-        kty: "OKP",
-        crv: "Ed25519",
-        x: "mock-key",
-      });
-    });
-  });
-});