npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/services/__tests__/proof-verifier.test.ts DELETED Viewed

@@ -1,489 +0,0 @@
-/**
- * Tests for ProofVerifier
- *
- * Comprehensive security test coverage for proof verification service.
- * Tests nonce replay protection, timestamp skew validation, canonical payload reconstruction,
- * and various security attack scenarios.
- *
- * Test Coverage Requirements: 100% - All security-critical code paths
- */
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { ProofVerifier } from '../proof-verifier.js';
-import { CryptoService, type Ed25519JWK } from '../crypto.service.js';
-import type {
-  CryptoProvider,
-  ClockProvider,
-  NonceCacheProvider,
-  FetchProvider,
-} from '../../providers/base.js';
-import type { DetachedProof } from '@kya-os/contracts/proof';
-import {
-  ProofVerificationError,
-  PROOF_VERIFICATION_ERROR_CODES,
-} from '../errors.js';
-describe('ProofVerifier Security', () => {
-  let proofVerifier: ProofVerifier;
-  let mockCryptoProvider: CryptoProvider;
-  let mockClockProvider: ClockProvider;
-  let mockNonceCache: NonceCacheProvider;
-  let mockFetchProvider: FetchProvider;
-  let cryptoService: CryptoService;
-  const validJwk: Ed25519JWK = {
-    kty: 'OKP',
-    crv: 'Ed25519',
-    x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-    kid: 'did:key:z123#key-1',
-  };
-  const createValidProof = (): DetachedProof => {
-    const header = { alg: 'EdDSA', typ: 'JWT' };
-    // Create a proper JSON payload that matches the meta structure
-    const payload = {
-      aud: 'test-audience',
-      sub: 'did:key:z123',
-      iss: 'did:key:z123',
-      nonce: 'nonce123',
-      ts: Math.floor(Date.now() / 1000),
-      sessionId: 'session123',
-      requestHash: 'sha256:' + 'a'.repeat(64),
-      responseHash: 'sha256:' + 'b'.repeat(64),
-    };
-    // Use btoa for base64 encoding (available in test environment via polyfill)
-    const headerB64 = btoa(JSON.stringify(header))
-      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    const payloadB64 = btoa(JSON.stringify(payload))
-      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    const signatureB64 = btoa('signature')
-      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-    return {
-      jws,
-      meta: {
-        did: 'did:key:z123',
-        kid: 'did:key:z123#key-1',
-        ts: Math.floor(Date.now() / 1000),
-        nonce: 'nonce123',
-        audience: 'test-audience',
-        sessionId: 'session123',
-        requestHash: 'sha256:' + 'a'.repeat(64),
-        responseHash: 'sha256:' + 'b'.repeat(64),
-      },
-    };
-  };
-  beforeEach(() => {
-    mockCryptoProvider = {
-      sign: vi.fn(),
-      verify: vi.fn().mockResolvedValue(true),
-      generateKeyPair: vi.fn(),
-      hash: vi.fn(),
-      randomBytes: vi.fn(),
-    };
-    cryptoService = new CryptoService(mockCryptoProvider);
-    mockClockProvider = {
-      now: vi.fn().mockReturnValue(Date.now()), // Return milliseconds
-      isWithinSkew: vi.fn().mockReturnValue(true),
-      hasExpired: vi.fn(),
-      calculateExpiry: vi.fn((ttlSeconds: number) => Date.now() + (ttlSeconds * 1000)), // Return milliseconds
-      format: vi.fn(),
-    };
-    mockNonceCache = {
-      has: vi.fn().mockResolvedValue(false),
-      add: vi.fn().mockResolvedValue(undefined),
-      cleanup: vi.fn().mockResolvedValue(undefined),
-      destroy: vi.fn().mockResolvedValue(undefined),
-    };
-    mockFetchProvider = {
-      resolveDID: vi.fn().mockResolvedValue({
-        verificationMethod: [{
-          id: 'did:key:z123#key-1',
-          publicKeyJwk: validJwk,
-        }],
-      }),
-      fetchStatusList: vi.fn(),
-      fetchDelegationChain: vi.fn(),
-      fetch: vi.fn(),
-    };
-    proofVerifier = new ProofVerifier({
-      cryptoProvider: mockCryptoProvider,
-      clockProvider: mockClockProvider,
-      nonceCacheProvider: mockNonceCache,
-      fetchProvider: mockFetchProvider,
-      timestampSkewSeconds: 120,
-      nonceTtlSeconds: 300,
-    });
-  });
-  describe('Nonce Replay Protection', () => {
-    it('should prevent nonce replay attacks', async () => {
-      const proof = createValidProof();
-      // First verification should succeed
-      const result1 = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result1.valid).toBe(true);
-      expect(mockNonceCache.has).toHaveBeenCalledWith('nonce123', 'did:key:z123');
-      expect(mockNonceCache.add).toHaveBeenCalled();
-      // Reset mock to simulate second attempt
-      mockNonceCache.has = vi.fn().mockResolvedValue(true);
-      // Second verification with same nonce should fail
-      const result2 = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result2.valid).toBe(false);
-      expect(result2.reason).toContain('replay');
-    });
-    it('should add nonce to cache after successful verification', async () => {
-      const proof = createValidProof();
-      await proofVerifier.verifyProof(proof, validJwk);
-      expect(mockNonceCache.add).toHaveBeenCalledWith(
-        'nonce123',
-        expect.any(Number),
-        'did:key:z123'
-      );
-    });
-  });
-  describe('Timestamp Skew Validation', () => {
-    it('should enforce timestamp skew limits', async () => {
-      const proof = createValidProof();
-      const currentTime = Date.now(); // milliseconds
-      // Set clock to 5 minutes in the future
-      mockClockProvider.now = vi.fn().mockReturnValue(currentTime);
-      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain('skew');
-      // isWithinSkew is called with timestamp in milliseconds (converted from seconds)
-      expect(mockClockProvider.isWithinSkew).toHaveBeenCalledWith(
-        proof.meta.ts * 1000, // Convert seconds to milliseconds
-        120
-      );
-    });
-    it('should accept timestamps within skew window', async () => {
-      const proof = createValidProof();
-      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(true);
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result.valid).toBe(true);
-    });
-    it('should use custom timestamp skew seconds', async () => {
-      const customProofVerifier = new ProofVerifier({
-        cryptoProvider: mockCryptoProvider,
-        clockProvider: mockClockProvider,
-        nonceCacheProvider: mockNonceCache,
-        fetchProvider: mockFetchProvider,
-        timestampSkewSeconds: 300, // 5 minutes
-        nonceTtlSeconds: 300,
-      });
-      const proof = createValidProof();
-      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
-      await customProofVerifier.verifyProof(proof, validJwk);
-      // isWithinSkew is called with timestamp in milliseconds (converted from seconds)
-      expect(mockClockProvider.isWithinSkew).toHaveBeenCalledWith(
-        proof.meta.ts * 1000, // Convert seconds to milliseconds
-        300
-      );
-    });
-  });
-  describe('Canonical Payload Reconstruction', () => {
-    it('should reconstruct canonical payload from meta', async () => {
-      const proof = createValidProof();
-      await proofVerifier.verifyProof(proof, validJwk);
-      // Verify that verifyJWS was called with detached payload
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-    });
-    it('should validate canonical payload ordering determinism', () => {
-      const meta1 = {
-        z: 1,
-        a: 2,
-        m: 3,
-        did: 'did:test',
-        kid: 'kid',
-        ts: 123,
-        nonce: 'nonce',
-        audience: 'aud',
-        sessionId: 'session',
-        requestHash: 'sha256:' + 'a'.repeat(64),
-        responseHash: 'sha256:' + 'b'.repeat(64),
-      };
-      const meta2 = {
-        a: 2,
-        m: 3,
-        z: 1,
-        did: 'did:test',
-        kid: 'kid',
-        ts: 123,
-        nonce: 'nonce',
-        audience: 'aud',
-        sessionId: 'session',
-        requestHash: 'sha256:' + 'a'.repeat(64),
-        responseHash: 'sha256:' + 'b'.repeat(64),
-      };
-      const canonical1 = proofVerifier.buildCanonicalPayload(meta1);
-      const canonical2 = proofVerifier.buildCanonicalPayload(meta2);
-      // Should be identical despite different key order
-      expect(canonical1).toBe(canonical2);
-    });
-    it('should handle detached JWS reconstruction', async () => {
-      const header = { alg: 'EdDSA' };
-      const headerB64 = btoa(JSON.stringify(header))
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const signatureB64 = btoa('signature')
-        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-      const detachedJws = `${headerB64}..${signatureB64}`;
-      const proof: DetachedProof = {
-        jws: detachedJws,
-        meta: createValidProof().meta,
-      };
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      // Should call verifyJWS with detached payload
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-      expect(result.valid).toBe(true);
-    });
-  });
-  describe('Proof Structure Validation', () => {
-    it('should reject invalid proof structure', async () => {
-      const invalidProof = {
-        jws: 'invalid',
-        meta: {
-          // Missing required fields
-          did: 'did:test',
-        },
-      } as any;
-      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain('Invalid proof structure');
-    });
-    it('should reject proof with missing required meta fields', async () => {
-      const invalidProof: DetachedProof = {
-        jws: 'header.payload.signature',
-        meta: {
-          did: 'did:test',
-          kid: 'kid',
-          ts: 123,
-          nonce: 'nonce',
-          audience: 'aud',
-          sessionId: 'session',
-          // Missing requestHash and responseHash
-          requestHash: '' as any,
-          responseHash: '' as any,
-        },
-      };
-      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
-      expect(result.valid).toBe(false);
-    });
-  });
-  describe('Signature Verification', () => {
-    it('should reject proof with invalid signature', async () => {
-      const proof = createValidProof();
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toContain('Invalid JWS signature');
-    });
-    it('should handle signature verification errors gracefully', async () => {
-      const proof = createValidProof();
-      mockCryptoProvider.verify = vi.fn().mockRejectedValue(
-        new Error('Crypto error')
-      );
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBeDefined();
-      // Should not throw, should return error result
-    });
-  });
-  describe('verifyProofDetached', () => {
-    it('should verify proof with string canonical payload', async () => {
-      const proof = createValidProof();
-      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
-      const result = await proofVerifier.verifyProofDetached(
-        proof,
-        canonicalPayload,
-        validJwk
-      );
-      expect(result.valid).toBe(true);
-    });
-    it('should verify proof with Uint8Array canonical payload', async () => {
-      const proof = createValidProof();
-      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
-      const canonicalPayloadBytes = new TextEncoder().encode(canonicalPayload);
-      const result = await proofVerifier.verifyProofDetached(
-        proof,
-        canonicalPayloadBytes,
-        validJwk
-      );
-      expect(result.valid).toBe(true);
-    });
-    it('should prevent nonce replay in verifyProofDetached', async () => {
-      const proof = createValidProof();
-      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
-      // First verification
-      const result1 = await proofVerifier.verifyProofDetached(
-        proof,
-        canonicalPayload,
-        validJwk
-      );
-      expect(result1.valid).toBe(true);
-      // Second verification should fail
-      mockNonceCache.has = vi.fn().mockResolvedValue(true);
-      const result2 = await proofVerifier.verifyProofDetached(
-        proof,
-        canonicalPayload,
-        validJwk
-      );
-      expect(result2.valid).toBe(false);
-      expect(result2.reason).toContain('replay');
-    });
-  });
-  describe('Error Handling', () => {
-    it('should never throw on verification errors', async () => {
-      const proof = createValidProof();
-      // Simulate various error conditions
-      mockNonceCache.has = vi.fn().mockRejectedValue(new Error('Cache error'));
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      // Should return error result, not throw
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBeDefined();
-    });
-    it('should handle clock provider errors gracefully', async () => {
-      const proof = createValidProof();
-      mockClockProvider.isWithinSkew = vi.fn().mockImplementation(() => {
-        throw new Error('Clock error');
-      });
-      const result = await proofVerifier.verifyProof(proof, validJwk);
-      expect(result.valid).toBe(false);
-      expect(result.reason).toBeDefined();
-    });
-  });
-  describe('fetchPublicKeyFromDID', () => {
-    it('should fetch public key from DID document', async () => {
-      const jwk = await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1');
-      expect(jwk).toEqual(validJwk);
-      expect(mockFetchProvider.resolveDID).toHaveBeenCalledWith('did:key:z123');
-    });
-    it('should throw ProofVerificationError if DID document not found', async () => {
-      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue(null);
-      await expect(
-        proofVerifier.fetchPublicKeyFromDID('did:key:z123')
-      ).rejects.toThrow(ProofVerificationError);
-      try {
-        await proofVerifier.fetchPublicKeyFromDID('did:key:z123');
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.DID_DOCUMENT_NOT_FOUND
-        );
-      }
-    });
-    it('should throw ProofVerificationError if verification method not found', async () => {
-      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue({
-        verificationMethod: [],
-      });
-      await expect(
-        proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1')
-      ).rejects.toThrow(ProofVerificationError);
-      try {
-        await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1');
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
-        );
-      }
-    });
-    it('should throw ProofVerificationError if JWK is not Ed25519', async () => {
-      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue({
-        verificationMethod: [{
-          id: 'did:key:z123#key-1',
-          publicKeyJwk: {
-            kty: 'RSA',
-            crv: 'RS256',
-            n: 'invalid',
-          },
-        }],
-      });
-      await expect(
-        proofVerifier.fetchPublicKeyFromDID('did:key:z123')
-      ).rejects.toThrow(ProofVerificationError);
-      try {
-        await proofVerifier.fetchPublicKeyFromDID('did:key:z123');
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT
-        );
-      }
-    });
-  });
-});

package/src/services/__tests__/provider-resolution.integration.test.ts DELETED Viewed

@@ -1,202 +0,0 @@
-/**
- * Provider Resolution Integration Tests
- *
- * Tests end-to-end provider resolution flow and backward compatibility.
- *
- * @package @kya-os/mcp-i-core
- */
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { OAuthProviderRegistry } from "../oauth-provider-registry.js";
-import { ProviderResolver } from "../provider-resolver.js";
-import { OAuthConfigService } from "../oauth-config.service.js";
-import { ToolProtectionService } from "../tool-protection.service.js";
-import type { ToolProtection } from "@kya-os/contracts/tool-protection";
-import type { OAuthConfig } from "@kya-os/contracts/config";
-describe("Provider Resolution Integration", () => {
-  let mockConfigService: OAuthConfigService;
-  let mockToolProtectionService: ToolProtectionService;
-  let providerRegistry: OAuthProviderRegistry;
-  let providerResolver: ProviderResolver;
-  const mockOAuthConfig: OAuthConfig = {
-    providers: {
-      github: {
-        clientId: "github_client_id",
-        authorizationUrl: "https://github.com/login/oauth/authorize",
-        tokenUrl: "https://github.com/login/oauth/access_token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-      },
-      google: {
-        clientId: "google_client_id",
-        authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-        tokenUrl: "https://oauth2.googleapis.com/token",
-        supportsPKCE: true,
-        requiresClientSecret: false,
-      },
-    },
-    // Explicitly configured provider (Priority 3 fallback)
-    configuredProvider: "github",
-  };
-  beforeEach(() => {
-    mockConfigService = {
-      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
-    } as any;
-    mockToolProtectionService = {
-      checkToolProtection: vi.fn(),
-      getProjectId: vi.fn().mockReturnValue("test-project"),
-    } as any;
-    providerRegistry = new OAuthProviderRegistry(mockConfigService);
-    providerResolver = new ProviderResolver(providerRegistry, mockConfigService);
-  });
-  describe("End-to-end provider resolution", () => {
-    it("should resolve provider for tool with oauthProvider field", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        oauthProvider: "github",
-      };
-      const provider = await providerResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-    });
-    it("should resolve provider via scope inference when oauthProvider not specified", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["github:repo:read"],
-        // No oauthProvider field (Phase 1 compatibility)
-      };
-      const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
-      const provider = await providerResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBe("github");
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("Inferred provider")
-      );
-      consoleSpy.mockRestore();
-    });
-    it("should fall back to configuredProvider for Phase 1 compatibility", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["custom:scope"], // No recognizable prefix
-        // No oauthProvider field
-      };
-      const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
-      const provider = await providerResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should use configuredProvider (github)
-      expect(provider).toBe("github");
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("project-configured provider")
-      );
-      consoleSpy.mockRestore();
-    });
-  });
-  describe("Backward compatibility", () => {
-    it("should work with Phase 1 tools (no oauthProvider field)", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        // No oauthProvider - Phase 1 style
-      };
-      // Should not throw - uses fallback resolution
-      const provider = await providerResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      expect(provider).toBeDefined();
-      expect(typeof provider).toBe("string");
-    });
-    it("should handle tools with empty requiredScopes", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const toolProtection: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: [],
-        // No oauthProvider
-      };
-      const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
-      const provider = await providerResolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-      // Should fall back to configuredProvider
-      expect(provider).toBe("github");
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("project-configured provider")
-      );
-      consoleSpy.mockRestore();
-    });
-  });
-  describe("Multi-provider scenarios", () => {
-    it("should resolve different providers for different tools", async () => {
-      await providerRegistry.loadFromAgentShield("test-project");
-      const githubTool: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["repo:read"],
-        oauthProvider: "github",
-      };
-      const googleTool: ToolProtection = {
-        requiresDelegation: true,
-        requiredScopes: ["calendar:read"],
-        oauthProvider: "google",
-      };
-      const githubProvider = await providerResolver.resolveProvider(
-        githubTool,
-        "test-project"
-      );
-      const googleProvider = await providerResolver.resolveProvider(
-        googleTool,
-        "test-project"
-      );
-      expect(githubProvider).toBe("github");
-      expect(googleProvider).toBe("google");
-    });
-  });
-});