npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/delegation/vc-verifier.ts DELETED Viewed

@@ -1,568 +0,0 @@
-/**
- * Delegation Credential Verifier (Platform-Agnostic)
- *
- * Progressive enhancement verification for W3C Delegation Credentials.
- * Follows the Edge-Delegation-Verification.md pattern:
- *
- * Stage 1: Fast basic checks (no network, early rejection)
- * Stage 2: Parallel advanced checks (signature, status)
- * Stage 3: Combined results
- *
- * Related Spec: MCP-I §4.3, W3C VC Data Model 1.1
- * Python Reference: Edge-Delegation-Verification.md
- */
-import type {
-  DelegationCredential,
-  CredentialStatus,
-} from '@kya-os/contracts';
-import {
-  isDelegationCredentialExpired,
-  isDelegationCredentialNotYetValid,
-  validateDelegationCredential,
-} from '@kya-os/contracts';
-/**
- * Verification result for delegation credentials
- */
-export interface DelegationVCVerificationResult {
-  /** Whether the delegation credential is valid */
-  valid: boolean;
-  /** Reason for invalid result (if valid=false) */
-  reason?: string;
-  /** Stage at which verification completed */
-  stage: 'basic' | 'signature' | 'status' | 'complete';
-  /** Whether result came from cache */
-  cached?: boolean;
-  /** Performance metrics */
-  metrics?: {
-    basicCheckMs?: number;
-    signatureCheckMs?: number;
-    statusCheckMs?: number;
-    totalMs: number;
-  };
-  /** Details about what was checked */
-  checks?: {
-    basicValid?: boolean;
-    signatureValid?: boolean;
-    statusValid?: boolean;
-  };
-}
-/**
- * Options for verification
- */
-export interface VerifyDelegationVCOptions {
-  /** Skip cache and force fresh verification */
-  skipCache?: boolean;
-  /** Skip signature verification (faster, less secure) */
-  skipSignature?: boolean;
-  /** Skip status checking (faster, may miss revocations) */
-  skipStatus?: boolean;
-  /** DID resolver for fetching public keys */
-  didResolver?: DIDResolver;
-  /** Status list resolver for checking revocation */
-  statusListResolver?: StatusListResolver;
-}
-/**
- * DID Resolver interface
- */
-export interface DIDResolver {
-  /**
-   * Resolve a DID to get the DID Document
-   * @param did - The DID to resolve
-   * @returns DID Document with verification methods
-   */
-  resolve(did: string): Promise<DIDDocument | null>;
-}
-/**
- * DID Document (simplified)
- */
-export interface DIDDocument {
-  id: string;
-  verificationMethod?: VerificationMethod[];
-  authentication?: (string | VerificationMethod)[];
-  assertionMethod?: (string | VerificationMethod)[];
-}
-/**
- * Verification Method
- */
-export interface VerificationMethod {
-  id: string;
-  type: string;
-  controller: string;
-  publicKeyJwk?: any; // JWK type
-  publicKeyBase58?: string;
-  publicKeyMultibase?: string;
-}
-/**
- * Status List Resolver interface
- */
-export interface StatusListResolver {
-  /**
-   * Check if a credential is revoked via StatusList2021
-   * @param status - The credential status entry
-   * @returns true if revoked, false otherwise
-   */
-  checkStatus(status: CredentialStatus): Promise<boolean>;
-}
-/**
- * Signature verification function interface
- *
- * Platform-specific implementations provide this function.
- */
-export interface SignatureVerificationFunction {
-  /**
-   * Verify an Ed25519 signature on a VC
-   *
-   * @param vc - The VC to verify
-   * @param publicKeyJwk - The public key in JWK format
-   * @returns Verification result
-   */
-  (vc: DelegationCredential, publicKeyJwk: any): Promise<{
-    valid: boolean;
-    reason?: string;
-  }>;
-}
-/**
- * Delegation Credential Verifier (Platform-Agnostic)
- *
- * Implements progressive enhancement pattern from Edge-Delegation-Verification.md:
- * 1. Fast basic checks (no network) - early rejection
- * 2. Parallel advanced checks (signature + status)
- * 3. Combined results
- */
-export class DelegationCredentialVerifier {
-  private didResolver?: DIDResolver;
-  private statusListResolver?: StatusListResolver;
-  private signatureVerifier?: SignatureVerificationFunction;
-  private cache = new Map<
-    string,
-    { result: DelegationVCVerificationResult; expiresAt: number }
-  >();
-  private cacheTtl: number;
-  constructor(options?: {
-    didResolver?: DIDResolver;
-    statusListResolver?: StatusListResolver;
-    signatureVerifier?: SignatureVerificationFunction;
-    cacheTtl?: number;
-  }) {
-    this.didResolver = options?.didResolver;
-    this.statusListResolver = options?.statusListResolver;
-    this.signatureVerifier = options?.signatureVerifier;
-    this.cacheTtl = options?.cacheTtl || 60_000; // 1 minute default
-  }
-  /**
-   * Verify a delegation credential with progressive enhancement
-   *
-   * Per Edge-Delegation-Verification.md:41-102
-   *
-   * @param vc - The delegation credential to verify
-   * @param options - Verification options
-   * @returns Verification result
-   */
-  async verifyDelegationCredential(
-    vc: DelegationCredential,
-    options: VerifyDelegationVCOptions = {}
-  ): Promise<DelegationVCVerificationResult> {
-    const startTime = Date.now();
-    // Check cache first
-    if (!options.skipCache) {
-      const cached = this.getFromCache(vc.id || '');
-      if (cached) {
-        return { ...cached, cached: true };
-      }
-    }
-    // ===================================================================
-    // STAGE 1: Fast Basic Checks (no network calls)
-    // Per Edge-Delegation-Verification.md:152-186
-    // ===================================================================
-    const basicCheckStart = Date.now();
-    const basicValidation = this.validateBasicProperties(vc);
-    const basicCheckMs = Date.now() - basicCheckStart;
-    if (!basicValidation.valid) {
-      const result: DelegationVCVerificationResult = {
-        valid: false,
-        reason: basicValidation.reason,
-        stage: 'basic',
-        metrics: {
-          basicCheckMs,
-          totalMs: Date.now() - startTime,
-        },
-        checks: {
-          basicValid: false,
-        },
-      };
-      return result;
-    }
-    // ===================================================================
-    // STAGE 2: Parallel Advanced Checks
-    // Per Edge-Delegation-Verification.md:281-301
-    // ===================================================================
-    // Start signature verification (if not skipped)
-    const signaturePromise = !options.skipSignature
-      ? this.verifySignature(vc, options.didResolver || this.didResolver)
-      : Promise.resolve<{
-          valid: boolean;
-          reason?: string;
-          durationMs?: number;
-        }>({
-          valid: true,
-          durationMs: 0,
-        });
-    // Start status checking (if not skipped)
-    const statusPromise =
-      !options.skipStatus && vc.credentialStatus
-        ? this.checkCredentialStatus(
-            vc.credentialStatus,
-            options.statusListResolver || this.statusListResolver
-          )
-        : Promise.resolve<{
-            valid: boolean;
-            reason?: string;
-            durationMs?: number;
-          }>({
-            valid: true,
-            durationMs: 0,
-          });
-    // Wait for both checks in parallel
-    const [signatureResult, statusResult] = await Promise.all([
-      signaturePromise,
-      statusPromise,
-    ]);
-    const signatureCheckMs = signatureResult.durationMs || 0;
-    const statusCheckMs = statusResult.durationMs || 0;
-    // ===================================================================
-    // STAGE 3: Combined Results
-    // Per Edge-Delegation-Verification.md:82-94
-    // ===================================================================
-    const allValid =
-      basicValidation.valid && signatureResult.valid && statusResult.valid;
-    const result: DelegationVCVerificationResult = {
-      valid: allValid,
-      reason: !allValid
-        ? signatureResult.reason || statusResult.reason || 'Unknown failure'
-        : undefined,
-      stage: 'complete',
-      metrics: {
-        basicCheckMs,
-        signatureCheckMs,
-        statusCheckMs,
-        totalMs: Date.now() - startTime,
-      },
-      checks: {
-        basicValid: basicValidation.valid,
-        signatureValid: signatureResult.valid,
-        statusValid: statusResult.valid,
-      },
-    };
-    // Cache successful verifications
-    if (result.valid && vc.id) {
-      this.setInCache(vc.id, result);
-    }
-    return result;
-  }
-  /**
-   * Stage 1: Validate basic properties (no network calls)
-   *
-   * Fast path for early rejection of invalid delegations.
-   * Per Edge-Delegation-Verification.md:155-186
-   *
-   * @param vc - The delegation credential
-   * @returns Validation result
-   */
-  private validateBasicProperties(
-    vc: DelegationCredential
-  ): { valid: boolean; reason?: string } {
-    // 1. Validate schema
-    const schemaValidation = validateDelegationCredential(vc);
-    if (!schemaValidation.success) {
-      return {
-        valid: false,
-        reason: `Schema validation failed: ${schemaValidation.error.message}`,
-      };
-    }
-    // 2. Check expiration
-    if (isDelegationCredentialExpired(vc)) {
-      return { valid: false, reason: 'Delegation credential expired' };
-    }
-    // 3. Check not yet valid
-    if (isDelegationCredentialNotYetValid(vc)) {
-      return { valid: false, reason: 'Delegation credential not yet valid' };
-    }
-    // 4. Check delegation status
-    const delegation = vc.credentialSubject.delegation;
-    if (delegation.status === 'revoked') {
-      return { valid: false, reason: 'Delegation status is revoked' };
-    }
-    if (delegation.status === 'expired') {
-      return { valid: false, reason: 'Delegation status is expired' };
-    }
-    // 5. Check required fields
-    if (!delegation.issuerDid || !delegation.subjectDid) {
-      return { valid: false, reason: 'Missing issuer or subject DID' };
-    }
-    // 6. Check proof exists (we'll verify it later)
-    if (!vc.proof) {
-      return { valid: false, reason: 'Missing proof' };
-    }
-    return { valid: true };
-  }
-  /**
-   * Stage 2a: Verify signature
-   *
-   * Per Edge-Delegation-Verification.md:191-234
-   *
-   * @param vc - The delegation credential
-   * @param didResolver - Optional DID resolver
-   * @returns Verification result
-   */
-  private async verifySignature(
-    vc: DelegationCredential,
-    didResolver?: DIDResolver
-  ): Promise<{ valid: boolean; reason?: string; durationMs?: number }> {
-    const startTime = Date.now();
-    try {
-      // Get issuer DID
-      const issuerDid =
-        typeof vc.issuer === 'string' ? vc.issuer : vc.issuer.id;
-      // If no DID resolver or signature verifier, skip verification
-      if (!didResolver || !this.signatureVerifier) {
-        return {
-          valid: true, // Trust but don't verify (no resolver/verifier available)
-          reason:
-            'No DID resolver or signature verifier available, skipping signature verification',
-          durationMs: Date.now() - startTime,
-        };
-      }
-      // Resolve issuer DID to get public key
-      const didDoc = await didResolver.resolve(issuerDid);
-      if (!didDoc) {
-        return {
-          valid: false,
-          reason: `Could not resolve issuer DID: ${issuerDid}`,
-          durationMs: Date.now() - startTime,
-        };
-      }
-      // Find verification method from proof
-      if (!vc.proof) {
-        return {
-          valid: false,
-          reason: 'Proof is missing',
-          durationMs: Date.now() - startTime,
-        };
-      }
-      const verificationMethodId = vc.proof.verificationMethod;
-      if (!verificationMethodId) {
-        return {
-          valid: false,
-          reason: 'Proof missing verificationMethod',
-          durationMs: Date.now() - startTime,
-        };
-      }
-      const verificationMethod = this.findVerificationMethod(
-        didDoc,
-        verificationMethodId
-      );
-      if (!verificationMethod) {
-        return {
-          valid: false,
-          reason: `Verification method ${verificationMethodId} not found`,
-          durationMs: Date.now() - startTime,
-        };
-      }
-      // Extract public key
-      const publicKeyJwk = verificationMethod.publicKeyJwk;
-      if (!publicKeyJwk) {
-        return {
-          valid: false,
-          reason: 'Verification method missing publicKeyJwk',
-          durationMs: Date.now() - startTime,
-        };
-      }
-      // Verify signature using platform-specific verifier
-      const verificationResult = await this.signatureVerifier(vc, publicKeyJwk);
-      return {
-        valid: verificationResult.valid,
-        reason: verificationResult.reason,
-        durationMs: Date.now() - startTime,
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        reason: `Signature verification error: ${
-          error instanceof Error ? error.message : 'Unknown error'
-        }`,
-        durationMs: Date.now() - startTime,
-      };
-    }
-  }
-  /**
-   * Stage 2b: Check credential status via StatusList2021
-   *
-   * @param status - The credential status entry
-   * @param statusListResolver - Optional status list resolver
-   * @returns Status check result
-   */
-  private async checkCredentialStatus(
-    status: CredentialStatus,
-    statusListResolver?: StatusListResolver
-  ): Promise<{ valid: boolean; reason?: string; durationMs?: number }> {
-    const startTime = Date.now();
-    try {
-      // If no status list resolver, we can't check the status
-      if (!statusListResolver) {
-        return {
-          valid: true, // Trust but don't verify (no resolver available)
-          reason: 'No status list resolver available, skipping status check',
-          durationMs: Date.now() - startTime,
-        };
-      }
-      // Check if credential is revoked/suspended
-      const isRevoked = await statusListResolver.checkStatus(status);
-      if (isRevoked) {
-        return {
-          valid: false,
-          reason: `Credential revoked via StatusList2021 (${status.statusPurpose})`,
-          durationMs: Date.now() - startTime,
-        };
-      }
-      return {
-        valid: true,
-        durationMs: Date.now() - startTime,
-      };
-    } catch (error) {
-      return {
-        valid: false,
-        reason: `Status check error: ${
-          error instanceof Error ? error.message : 'Unknown error'
-        }`,
-        durationMs: Date.now() - startTime,
-      };
-    }
-  }
-  /**
-   * Find verification method in DID document
-   *
-   * @param didDoc - The DID document
-   * @param verificationMethodId - The verification method ID
-   * @returns Verification method or undefined
-   */
-  private findVerificationMethod(
-    didDoc: DIDDocument,
-    verificationMethodId: string
-  ): VerificationMethod | undefined {
-    return didDoc.verificationMethod?.find(
-      (vm) => vm.id === verificationMethodId
-    );
-  }
-  /**
-   * Get from cache
-   */
-  private getFromCache(id: string): DelegationVCVerificationResult | null {
-    const entry = this.cache.get(id);
-    if (!entry) return null;
-    if (Date.now() > entry.expiresAt) {
-      this.cache.delete(id);
-      return null;
-    }
-    return entry.result;
-  }
-  /**
-   * Set in cache
-   */
-  private setInCache(id: string, result: DelegationVCVerificationResult): void {
-    this.cache.set(id, {
-      result,
-      expiresAt: Date.now() + this.cacheTtl,
-    });
-  }
-  /**
-   * Clear cache
-   */
-  clearCache(): void {
-    this.cache.clear();
-  }
-  /**
-   * Clear cache entry for specific VC
-   */
-  clearCacheEntry(id: string): void {
-    this.cache.delete(id);
-  }
-}
-/**
- * Create a delegation credential verifier
- *
- * Convenience factory function.
- *
- * @param options - Verifier options
- * @returns DelegationCredentialVerifier instance
- */
-export function createDelegationVerifier(options?: {
-  didResolver?: DIDResolver;
-  statusListResolver?: StatusListResolver;
-  signatureVerifier?: SignatureVerificationFunction;
-  cacheTtl?: number;
-}): DelegationCredentialVerifier {
-  return new DelegationCredentialVerifier(options);
-}