@kya-os/mcp-i-core 1.3.13 → 1.3.15

package/src/services/__tests__/crypto.service.test.ts

@@ -1,531 +0,0 @@
-/**
- * Tests for CryptoService
- *
- * Comprehensive test coverage for cryptographic operations service.
- * Tests verifyEd25519() and verifyJWS() with various scenarios.
- *
- * Test Coverage Requirements: 100% - All security-critical code paths
- */
-
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { CryptoService } from '../crypto.service.js';
-import type { CryptoProvider } from '../../providers/base.js';
-import type { Ed25519JWK } from '../crypto.service.js';
-
-describe('CryptoService', () => {
-  let cryptoService: CryptoService;
-  let mockCryptoProvider: CryptoProvider;
-
-  beforeEach(() => {
-    mockCryptoProvider = {
-      sign: vi.fn(),
-      verify: vi.fn(),
-      generateKeyPair: vi.fn(),
-      hash: vi.fn(),
-      randomBytes: vi.fn(),
-    };
-    cryptoService = new CryptoService(mockCryptoProvider);
-  });
-
-  describe('verifyEd25519', () => {
-    it('should return true for valid signature', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-
-      const result = await cryptoService.verifyEd25519(
-        new Uint8Array([1, 2, 3]),
-        new Uint8Array([4, 5, 6]),
-        'base64PublicKey'
-      );
-
-      expect(result).toBe(true);
-      expect(mockCryptoProvider.verify).toHaveBeenCalledWith(
-        new Uint8Array([1, 2, 3]),
-        new Uint8Array([4, 5, 6]),
-        'base64PublicKey'
-      );
-    });
-
-    it('should return false for invalid signature', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
-
-      const result = await cryptoService.verifyEd25519(
-        new Uint8Array([1, 2, 3]),
-        new Uint8Array([4, 5, 6]),
-        'base64PublicKey'
-      );
-
-      expect(result).toBe(false);
-    });
-
-    it('should return false on verification error', async () => {
-      mockCryptoProvider.verify = vi.fn().mockRejectedValue(
-        new Error('Verification failed')
-      );
-
-      const result = await cryptoService.verifyEd25519(
-        new Uint8Array([1, 2, 3]),
-        new Uint8Array([4, 5, 6]),
-        'base64PublicKey'
-      );
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle empty data', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-
-      const result = await cryptoService.verifyEd25519(
-        new Uint8Array(0),
-        new Uint8Array([4, 5, 6]),
-        'base64PublicKey'
-      );
-
-      expect(result).toBe(true);
-    });
-  });
-
-  describe('parseJWS', () => {
-    it('should parse valid full compact JWS', () => {
-      const header = { alg: 'EdDSA', typ: 'JWT' };
-      const payload = { sub: 'did:key:z123', iss: 'did:key:z123' };
-      // Properly encode as base64url
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      const parsed = cryptoService.parseJWS(jws);
-
-      expect(parsed.header).toEqual(header);
-      expect(parsed.payload).toEqual(payload);
-      expect(parsed.signingInput).toBe(`${headerB64}.${payloadB64}`);
-      expect(parsed.signatureBytes).toBeInstanceOf(Uint8Array);
-    });
-
-    it('should throw error for invalid JWS format', () => {
-      const invalidJws = 'not.a.jws';
-
-      // This will fail during JSON parsing, not format check
-      expect(() => cryptoService.parseJWS(invalidJws)).toThrow();
-    });
-
-    it('should throw error for JWS with wrong number of parts', () => {
-      const invalidJws = 'header.payload';
-
-      expect(() => cryptoService.parseJWS(invalidJws)).toThrow('Invalid JWS format');
-    });
-
-    it('should handle empty payload', () => {
-      const header = { alg: 'EdDSA' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const jws = `${headerB64}..${signatureB64}`;
-
-      const parsed = cryptoService.parseJWS(jws);
-
-      expect(parsed.header).toEqual(header);
-      expect(parsed.payload).toBeUndefined();
-    });
-  });
-
-  describe('verifyJWS', () => {
-    const validJwk: Ed25519JWK = {
-      kty: 'OKP',
-      crv: 'Ed25519',
-      x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ', // Example base64url public key (32 bytes when decoded)
-    };
-
-    // Create a valid JWS for testing
-    const createValidJWS = (): string => {
-      const header = { alg: 'EdDSA', typ: 'JWT' };
-      const payload = { sub: 'did:key:z123', iss: 'did:key:z123' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      return `${headerB64}.${payloadB64}.${signatureB64}`;
-    };
-
-    it('should verify valid full compact JWS', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, validJwk);
-
-      expect(result).toBe(true);
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-    });
-
-    it('should reject invalid JWK format', async () => {
-      const invalidJwk = { kty: 'RSA' } as any;
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
-
-      expect(result).toBe(false);
-      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
-    });
-
-    it('should reject JWK with wrong kty', async () => {
-      const invalidJwk = {
-        kty: 'RSA',
-        crv: 'Ed25519',
-        x: 'test',
-      } as any;
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should reject JWK with wrong crv', async () => {
-      const invalidJwk = {
-        kty: 'OKP',
-        crv: 'P-256',
-        x: 'test',
-      } as any;
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should reject JWK with missing x field', async () => {
-      const invalidJwk = {
-        kty: 'OKP',
-        crv: 'Ed25519',
-      } as any;
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should reject JWK with empty x field', async () => {
-      const invalidJwk = {
-        kty: 'OKP',
-        crv: 'Ed25519',
-        x: '',
-      };
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should reject malformed JWS', async () => {
-      const malformedJws = 'not.a.jws';
-
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should reject non-EdDSA algorithms', async () => {
-      const header = { alg: 'RS256', typ: 'JWT' };
-      const payload = { sub: 'did:key:z123' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const rsaJws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      const result = await cryptoService.verifyJWS(rsaJws, validJwk);
-
-      expect(result).toBe(false);
-      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
-    });
-
-    it('should reject HS256 algorithm', async () => {
-      const header = { alg: 'HS256', typ: 'JWT' };
-      const payload = { sub: 'did:key:z123' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const hs256Jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      const result = await cryptoService.verifyJWS(hs256Jws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle empty JWS components', async () => {
-      const emptyJws = '..';
-
-      const result = await cryptoService.verifyJWS(emptyJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle malformed JWS - single part', async () => {
-      const malformedJws = 'singlepart';
-
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle malformed JWS - two parts', async () => {
-      const malformedJws = 'header.payload';
-
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle malformed JWS - four parts', async () => {
-      const header = { alg: 'EdDSA' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from('payload').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const malformedJws = `${headerB64}.${payloadB64}.${signatureB64}.extra`;
-
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle malformed JWS - invalid JSON header', async () => {
-      const invalidHeaderB64 = Buffer.from('notjson').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from('payload').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const malformedJws = `${invalidHeaderB64}.${payloadB64}.${signatureB64}`;
-
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle malformed JWS - invalid base64', async () => {
-      // Don't mock verify - the function should catch the error and return false
-      // before it gets to verification
-      const header = { alg: 'EdDSA' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const invalidBase64 = 'notbase64!!!';
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const malformedJws = `${headerB64}.${invalidBase64}.${signatureB64}`;
-
-      // parseJWS will throw when trying to decode invalid base64 payload
-      // This should be caught and return false
-      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
-
-      expect(result).toBe(false);
-      // verify should not be called because parseJWS should throw
-      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
-    });
-
-    it('should validate expectedKid option', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const validJws = createValidJWS();
-      const jwkWithKid: Ed25519JWK = {
-        kty: 'OKP',
-        crv: 'Ed25519',
-        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-        kid: 'key-1',
-      };
-
-      // Should succeed with matching kid
-      const result1 = await cryptoService.verifyJWS(validJws, jwkWithKid, {
-        expectedKid: 'key-1',
-      });
-      expect(result1).toBe(true);
-
-      // Should fail with mismatched kid
-      const result2 = await cryptoService.verifyJWS(validJws, jwkWithKid, {
-        expectedKid: 'key-2',
-      });
-      expect(result2).toBe(false);
-    });
-
-    it('should validate alg option', async () => {
-      const header = { alg: 'EdDSA', typ: 'JWT' };
-      const payload = { sub: 'did:key:z123' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const validJws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      // Should succeed with matching alg
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const result1 = await cryptoService.verifyJWS(validJws, validJwk, {
-        alg: 'EdDSA',
-      });
-      expect(result1).toBe(true);
-
-      // Should fail with mismatched alg (even if header says EdDSA)
-      const result2 = await cryptoService.verifyJWS(validJws, validJwk, {
-        alg: 'RS256' as any,
-      });
-      expect(result2).toBe(false);
-    });
-
-    it('should validate Ed25519 key length', async () => {
-      const invalidLengthJwk = {
-        kty: 'OKP' as const,
-        crv: 'Ed25519' as const,
-        x: 'c2hvcnQ', // "short" in base64 - too short for Ed25519 (only 5 bytes)
-      };
-
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, invalidLengthJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle detached payload', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const header = { alg: 'EdDSA' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const detachedJws = `${headerB64}..${signatureB64}`;
-      const detachedPayload = JSON.stringify({ sub: 'did:key:z123' });
-
-      const result = await cryptoService.verifyJWS(detachedJws, validJwk, {
-        detachedPayload,
-      });
-
-      expect(result).toBe(true);
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-    });
-
-    it('should handle detached payload as Uint8Array', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const header = { alg: 'EdDSA' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const detachedJws = `${headerB64}..${signatureB64}`;
-      const detachedPayloadBytes = new TextEncoder().encode(JSON.stringify({ sub: 'did:key:z123' }));
-
-      const result = await cryptoService.verifyJWS(detachedJws, validJwk, {
-        detachedPayload: detachedPayloadBytes,
-      });
-
-      expect(result).toBe(true);
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-    });
-
-    it('should handle signature verification failure', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should handle signature verification error', async () => {
-      mockCryptoProvider.verify = vi.fn().mockRejectedValue(new Error('Crypto error'));
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, validJwk);
-
-      expect(result).toBe(false);
-    });
-
-    it('should accept JWK with optional kid field', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const jwkWithKid: Ed25519JWK = {
-        kty: 'OKP',
-        crv: 'Ed25519',
-        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-        kid: 'key-1',
-      };
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, jwkWithKid);
-
-      expect(result).toBe(true);
-    });
-
-    it('should accept JWK with optional use field', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const jwkWithUse: Ed25519JWK = {
-        kty: 'OKP',
-        crv: 'Ed25519',
-        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-        use: 'sig',
-      };
-      const validJws = createValidJWS();
-
-      const result = await cryptoService.verifyJWS(validJws, jwkWithUse);
-
-      expect(result).toBe(true);
-    });
-  });
-
-  describe('base64url edge cases', () => {
-    const validJwk: Ed25519JWK = {
-      kty: 'OKP',
-      crv: 'Ed25519',
-      x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-    };
-
-    it('should handle base64url with no padding', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const header = { alg: 'EdDSA' };
-      const payload = { test: 'Hello' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      const result = await cryptoService.verifyJWS(jws, validJwk);
-
-      // Should not throw, even if padding is missing
-      expect(typeof result).toBe('boolean');
-    });
-
-    it('should handle base64url with padding', async () => {
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
-      const header = { alg: 'EdDSA' };
-      const payload = { test: 'Hello World!' };
-      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_');
-      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_');
-      const signatureB64 = Buffer.from('signature').toString('base64')
-        .replace(/\+/g, '-').replace(/\//g, '_');
-      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-      const result = await cryptoService.verifyJWS(jws, validJwk);
-
-      expect(typeof result).toBe('boolean');
-    });
-  });
-});
-

package/src/services/__tests__/oauth-provider-registry.test.ts

@@ -1,142 +0,0 @@
-/**
- * OAuth Provider Registry Tests
- *
- * @package @kya-os/mcp-i-core
- */
-
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { OAuthProviderRegistry } from "../oauth-provider-registry.js";
-import { OAuthConfigService } from "../oauth-config.service.js";
-import type { OAuthConfig, OAuthProvider } from "@kya-os/contracts/config";
-
-describe("OAuthProviderRegistry", () => {
-  let mockConfigService: OAuthConfigService;
-  let registry: OAuthProviderRegistry;
-
-  const mockOAuthConfig: OAuthConfig = {
-    providers: {
-      github: {
-        clientId: "github_client_id",
-        authorizationUrl: "https://github.com/login/oauth/authorize",
-        tokenUrl: "https://github.com/login/oauth/access_token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-        scopes: ["repo", "read:user"],
-        defaultScopes: ["repo"],
-      },
-      google: {
-        clientId: "google_client_id",
-        authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-        tokenUrl: "https://oauth2.googleapis.com/token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-        scopes: ["email", "profile"],
-        defaultScopes: ["email"],
-      },
-    },
-  };
-
-  beforeEach(() => {
-    mockConfigService = {
-      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
-    } as any;
-
-    registry = new OAuthProviderRegistry(mockConfigService);
-  });
-
-  describe("loadFromAgentShield", () => {
-    it("should load providers from AgentShield config", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      expect(mockConfigService.getOAuthConfig).toHaveBeenCalledWith(
-        "test-project"
-      );
-      expect(registry.hasProvider("github")).toBe(true);
-      expect(registry.hasProvider("google")).toBe(true);
-    });
-
-    it("should clear existing providers before loading new ones", async () => {
-      await registry.loadFromAgentShield("test-project");
-      expect(registry.getAllProviders().length).toBe(2);
-
-      const newConfig: OAuthConfig = {
-        providers: {
-          microsoft: {
-            clientId: "microsoft_client_id",
-            authorizationUrl: "https://login.microsoftonline.com/oauth2/v2.0/authorize",
-            tokenUrl: "https://login.microsoftonline.com/oauth2/v2.0/token",
-            supportsPKCE: true,
-            requiresClientSecret: false,
-          },
-        },
-      };
-
-      (mockConfigService.getOAuthConfig as any).mockResolvedValueOnce(newConfig);
-      await registry.loadFromAgentShield("test-project-2");
-
-      expect(registry.getAllProviders().length).toBe(1);
-      expect(registry.hasProvider("github")).toBe(false);
-      expect(registry.hasProvider("microsoft")).toBe(true);
-    });
-  });
-
-  describe("getProvider", () => {
-    it("should return provider by name", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      const githubProvider = registry.getProvider("github");
-      expect(githubProvider).toBeDefined();
-      expect(githubProvider?.clientId).toBe("github_client_id");
-    });
-
-    it("should return null for non-existent provider", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      const provider = registry.getProvider("nonexistent");
-      expect(provider).toBeNull();
-    });
-  });
-
-  describe("getAllProviders", () => {
-    it("should return all providers", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      const providers = registry.getAllProviders();
-      expect(providers.length).toBe(2);
-      expect(providers.map((p) => p.clientId)).toContain("github_client_id");
-      expect(providers.map((p) => p.clientId)).toContain("google_client_id");
-    });
-
-    it("should return empty array when no providers loaded", () => {
-      const providers = registry.getAllProviders();
-      expect(providers).toEqual([]);
-    });
-  });
-
-  describe("hasProvider", () => {
-    it("should return true for existing provider", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      expect(registry.hasProvider("github")).toBe(true);
-      expect(registry.hasProvider("google")).toBe(true);
-    });
-
-    it("should return false for non-existent provider", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      expect(registry.hasProvider("nonexistent")).toBe(false);
-    });
-  });
-
-  describe("getProviderNames", () => {
-    it("should return all provider names", async () => {
-      await registry.loadFromAgentShield("test-project");
-
-      const names = registry.getProviderNames();
-      expect(names).toContain("github");
-      expect(names).toContain("google");
-      expect(names.length).toBe(2);
-    });
-  });
-});
-