@mcp-i/core 1.1.0-canary.2 → 1.1.0

package/src/auth/handshake.ts

@@ -23,13 +23,22 @@ export type { DelegationVerifier, VerifyDelegationResult };
 
 export interface AgentReputation {
   agentDid: string;
-  score: number;
+  score: number | null;
   totalInteractions: number;
   successRate: number;
   riskLevel: 'low' | 'medium' | 'high' | 'unknown';
   updatedAt: number;
 }
 
+/**
+ * Policy for handling agents with no reputation history.
+ *
+ * - 'deny'            — reject unknown agents outright (strict environments)
+ * - 'require-consent' — route to the consent/authorization flow (default)
+ * - 'allow'           — let unknown agents through (reputation is advisory only)
+ */
+export type UnknownAgentPolicy = 'deny' | 'require-consent' | 'allow';
+
 export interface AuthHandshakeConfig {
   delegationVerifier: DelegationVerifier;
   resumeTokenStore: ResumeTokenStore;
@@ -41,7 +50,15 @@ export interface AuthHandshakeConfig {
   authorization: {
     authorizationUrl: string;
     resumeTokenTtl?: number;
-    requireAuthForUnknown?: boolean;
+    /**
+     * How to handle agents with no reputation history (404 from reputation
+     * service, network error, or first-time agent).
+     *
+     * - 'deny'            — reject outright
+     * - 'require-consent' — route to consent flow (default)
+     * - 'allow'           — skip reputation gate for unknowns
+     */
+    unknownAgentPolicy?: UnknownAgentPolicy;
     minReputationScore?: number;
   };
   debug?: boolean;
@@ -118,7 +135,10 @@ export class MemoryResumeTokenStore implements ResumeTokenStore {
     scopes: string[],
     metadata?: Record<string, unknown>
   ): Promise<string> {
-    const token = `rt_${Date.now()}_${Math.random().toString(36).substring(2, 18)}`;
+    const bytes = new Uint8Array(16);
+    globalThis.crypto.getRandomValues(bytes);
+    const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+    const token = `rt_${hex}`;
     const now = Date.now();
 
     this.tokens.set(token, {
@@ -182,14 +202,12 @@ export class MemoryResumeTokenStore implements ResumeTokenStore {
  * @param agentDid - The agent's DID to verify
  * @param scopes - Required scopes for the operation
  * @param config - Authorization configuration including verifier, token store, etc.
- * @param _resumeToken - Optional resume token from previous authorization attempt
  * @returns Result indicating authorization status, delegation, or auth hints
  */
 export async function verifyOrHints(
   agentDid: string,
   scopes: string[],
   config: AuthHandshakeConfig,
-  _resumeToken?: string
 ): Promise<VerifyOrHintsResult> {
   const startTime = Date.now();
 
@@ -199,36 +217,85 @@ export async function verifyOrHints(
 
   let reputation: AgentReputation | undefined;
   if (config.reputationService && config.authorization.minReputationScore !== undefined) {
+    const unknownPolicy = config.authorization.unknownAgentPolicy ?? 'require-consent';
+
     try {
       reputation = await fetchAgentReputation(agentDid, config.reputationService);
+    } catch (error) {
+      logger.error('[AuthHandshake] Reputation service unreachable, treating agent as unknown:', error);
+      reputation = {
+        agentDid,
+        score: null,
+        totalInteractions: 0,
+        successRate: 0,
+        riskLevel: 'unknown',
+        updatedAt: Date.now(),
+      };
+    }
 
-      if (config.debug) {
-        logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
-      }
-
-      if (reputation.score < config.authorization.minReputationScore) {
-        if (config.debug) {
-          logger.debug(
-            `[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`
-          );
-        }
+    if (config.debug) {
+      logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
+    }
 
+    // Unknown agent (no reputation data)
+    if (reputation.score === null) {
+      if (unknownPolicy === 'deny') {
         const authError = await buildNeedsAuthorizationError(
           agentDid,
           scopes,
           config,
-          'Agent reputation score below threshold'
+          'Unknown agent denied by policy'
         );
+        return {
+          authorized: false,
+          authError,
+          reputation,
+          reason: 'Unknown agent — policy: deny',
+        };
+      }
 
+      if (unknownPolicy === 'require-consent') {
+        const authError = await buildNeedsAuthorizationError(
+          agentDid,
+          scopes,
+          config,
+          'Unknown agent requires consent'
+        );
         return {
           authorized: false,
           authError,
           reputation,
-          reason: 'Low reputation score',
+          reason: 'Unknown agent — policy: require-consent',
         };
       }
-    } catch (error) {
-      logger.warn('[AuthHandshake] Failed to check reputation:', error);
+
+      // unknownPolicy === 'allow' — skip reputation gate, continue to delegation check
+      if (config.debug) {
+        logger.debug('[AuthHandshake] Unknown agent allowed by policy, skipping reputation gate');
+      }
+    }
+
+    // Known agent with score below threshold
+    if (reputation.score !== null && reputation.score < config.authorization.minReputationScore) {
+      if (config.debug) {
+        logger.debug(
+          `[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`
+        );
+      }
+
+      const authError = await buildNeedsAuthorizationError(
+        agentDid,
+        scopes,
+        config,
+        'Agent reputation score below threshold'
+      );
+
+      return {
+        authorized: false,
+        authError,
+        reputation,
+        reason: 'Low reputation score',
+      };
     }
   }
 
@@ -322,7 +389,7 @@ async function fetchAgentReputation(
     if (response.status === 404) {
       return {
         agentDid,
-        score: 50,
+        score: null,
         totalInteractions: 0,
         successRate: 0,
         riskLevel: 'unknown',
@@ -334,7 +401,7 @@ async function fetchAgentReputation(
 
   const data = (await response.json()) as Record<string, unknown>;
 
-  const score = (data['score'] as number | undefined) ?? 50;
+  const score = (data['score'] as number | undefined) ?? 0;
   const levelRaw = (
     (data['level'] as string | undefined) ??
     (data['riskLevel'] as string | undefined) ??

package/src/auth/index.ts

@@ -6,6 +6,7 @@ export {
   type VerifyOrHintsResult,
   type AgentReputation,
   type ResumeTokenStore,
+  type UnknownAgentPolicy,
 } from './handshake.js';
 
 export type { DelegationVerifier, VerifyDelegationResult } from './types.js';

package/src/delegation/__tests__/did-key-resolver.test.ts

@@ -198,8 +198,8 @@ describe("did:key Resolver", () => {
       expect(didDoc?.verificationMethod?.[0].type).toBe("Ed25519VerificationKey2020");
       expect(didDoc?.verificationMethod?.[0].controller).toBe(didKey);
       expect(didDoc?.verificationMethod?.[0].publicKeyJwk).toBeDefined();
-      expect(didDoc?.authentication).toContain(`${didKey}#keys-1`);
-      expect(didDoc?.assertionMethod).toContain(`${didKey}#keys-1`);
+      expect(didDoc?.authentication).toContain(`${didKey}#${didKey.replace('did:key:', '')}`);
+      expect(didDoc?.assertionMethod).toContain(`${didKey}#${didKey.replace('did:key:', '')}`);
     });
 
     it("should return null for non-Ed25519 did:key", async () => {

package/src/delegation/__tests__/outbound-headers.test.ts

@@ -18,23 +18,19 @@ import { generateDidKeyFromBase64 } from '../../utils/did-helpers.js';
 // Test fixtures
 // ---------------------------------------------------------------------------
 
-let cryptoProvider: NodeCryptoProvider;
 let serverKeyPair: { privateKey: string; publicKey: string };
 let serverDid: string;
 let serverKid: string;
-let agentKeyPair: { privateKey: string; publicKey: string };
 let agentDid: string;
 
 beforeAll(async () => {
-  cryptoProvider = new NodeCryptoProvider();
+  const cryptoProvider = new NodeCryptoProvider();
 
-  // Generate server identity
   serverKeyPair = await cryptoProvider.generateKeyPair();
   serverDid = generateDidKeyFromBase64(serverKeyPair.publicKey);
-  serverKid = `${serverDid}#keys-1`;
+  serverKid = `${serverDid}#${serverDid.replace('did:key:', '')}`;
 
-  // Generate agent identity
-  agentKeyPair = await cryptoProvider.generateKeyPair();
+  const agentKeyPair = await cryptoProvider.generateKeyPair();
   agentDid = generateDidKeyFromBase64(agentKeyPair.publicKey);
 });
 
@@ -92,7 +88,7 @@ function createTestContext(
 describe('buildOutboundDelegationHeaders', () => {
   it('builds correct headers from a valid session + delegation', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     expect(headers).toHaveProperty('X-Agent-DID');
     expect(headers).toHaveProperty('X-Delegation-Chain');
@@ -102,28 +98,28 @@ describe('buildOutboundDelegationHeaders', () => {
 
   it('X-Agent-DID matches session.agentDid', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     expect(headers['X-Agent-DID']).toBe(context.session.agentDid);
   });
 
   it('X-Delegation-Chain matches delegation.vcId', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     expect(headers['X-Delegation-Chain']).toBe(context.delegation.vcId);
   });
 
   it('X-Session-ID matches session.sessionId', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     expect(headers['X-Session-ID']).toBe(context.session.sessionId);
   });
 
   it('X-Delegation-Proof is a valid JWT with correct claims', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     const jwt = headers['X-Delegation-Proof'];
 
@@ -150,7 +146,7 @@ describe('buildOutboundDelegationHeaders', () => {
     const context = createTestContext({
       targetUrl: 'https://api.service.example.com:8443/v1/resource?query=test',
     });
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     const payload = decodeJwt(headers['X-Delegation-Proof']);
     expect(payload.aud).toBe('api.service.example.com');
@@ -160,7 +156,7 @@ describe('buildOutboundDelegationHeaders', () => {
     const context = createTestContext({
       targetUrl: 'http://internal-service.local/api',
     });
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     const payload = decodeJwt(headers['X-Delegation-Proof']);
     expect(payload.aud).toBe('internal-service.local');
@@ -170,7 +166,7 @@ describe('buildOutboundDelegationHeaders', () => {
     const context = createTestContext({
       targetUrl: 'https://secure.example.org/endpoint',
     });
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     const payload = decodeJwt(headers['X-Delegation-Proof']);
     expect(payload.aud).toBe('secure.example.org');
@@ -178,7 +174,7 @@ describe('buildOutboundDelegationHeaders', () => {
 
   it('JWT exp is 60 seconds from iat', async () => {
     const context = createTestContext();
-    const headers = await buildOutboundDelegationHeaders(context, cryptoProvider);
+    const headers = await buildOutboundDelegationHeaders(context);
 
     const payload = decodeJwt(headers['X-Delegation-Proof']);
     expect((payload.exp as number) - (payload.iat as number)).toBe(60);
@@ -190,7 +186,7 @@ describe('buildOutboundDelegationHeaders', () => {
     });
 
     await expect(
-      buildOutboundDelegationHeaders(context, cryptoProvider)
+      buildOutboundDelegationHeaders(context)
     ).rejects.toThrow('Session must have agentDid');
   });
 
@@ -200,7 +196,7 @@ describe('buildOutboundDelegationHeaders', () => {
     });
 
     await expect(
-      buildOutboundDelegationHeaders(context, cryptoProvider)
+      buildOutboundDelegationHeaders(context)
     ).rejects.toThrow('Session must have sessionId');
   });
 
@@ -210,7 +206,7 @@ describe('buildOutboundDelegationHeaders', () => {
     });
 
     await expect(
-      buildOutboundDelegationHeaders(context, cryptoProvider)
+      buildOutboundDelegationHeaders(context)
     ).rejects.toThrow('Delegation must have vcId');
   });
 
@@ -224,7 +220,7 @@ describe('buildOutboundDelegationHeaders', () => {
     });
 
     await expect(
-      buildOutboundDelegationHeaders(context, cryptoProvider)
+      buildOutboundDelegationHeaders(context)
     ).rejects.toThrow('Server DID must be did:key with Ed25519');
   });
 });

package/src/delegation/__tests__/statuslist-manager.test.ts

@@ -59,7 +59,7 @@ describe("StatusList2021Manager", () => {
     proof: {
       type: "Ed25519Signature2020",
       created: new Date().toISOString(),
-      verificationMethod: "did:key:z6MkIssuer#keys-1",
+      verificationMethod: "did:key:z6MkIssuer#z6MkIssuer",
       proofPurpose: "assertionMethod",
       proofValue: "mock-proof-value",
     },
@@ -74,13 +74,13 @@ describe("StatusList2021Manager", () => {
 
     mockIdentity = {
       getDid: vi.fn().mockReturnValue("did:key:z6MkTestIssuer"),
-      getKeyId: vi.fn().mockReturnValue("did:key:z6MkTestIssuer#keys-1"),
+      getKeyId: vi.fn().mockReturnValue("did:key:z6MkTestIssuer#z6MkTestIssuer"),
     };
 
     mockSigningFunction = vi.fn().mockResolvedValue({
       type: "Ed25519Signature2020",
       created: new Date().toISOString(),
-      verificationMethod: "did:key:z6MkTestIssuer#keys-1",
+      verificationMethod: "did:key:z6MkTestIssuer#z6MkTestIssuer",
       proofPurpose: "assertionMethod",
       proofValue: "mock-signature",
     });
@@ -405,7 +405,7 @@ describe("StatusList2021Manager", () => {
       expect(isRevoked).toBe(true);
     });
 
-    it("should return false if status list doesn't exist", async () => {
+    it("should throw if status list doesn't exist (fail closed)", async () => {
       const manager = new StatusList2021Manager(
         mockStorage,
         mockIdentity,
@@ -424,9 +424,9 @@ describe("StatusList2021Manager", () => {
         statusListCredential: "https://status.example.com/revocation/v1",
       };
 
-      const isRevoked = await manager.checkStatus(credentialStatus);
-
-      expect(isRevoked).toBe(false);
+      await expect(
+        manager.checkStatus(credentialStatus)
+      ).rejects.toThrow("Status list not found");
     });
   });
 
@@ -512,4 +512,117 @@ describe("StatusList2021Manager", () => {
       expect(manager.getStatusListBaseUrl()).toBe("https://status.example.com");
     });
   });
+
+  describe("checkStatus fail-closed behavior", () => {
+    it("should throw with the status list URL in the error message", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(null);
+
+      const statusListUrl = "https://status.example.com/revocation/v1";
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListUrl}#5`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: statusListUrl,
+      };
+
+      await expect(manager.checkStatus(credentialStatus)).rejects.toThrow(
+        statusListUrl
+      );
+    });
+
+    it("should throw when storage provider rejects", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockRejectedValue(
+        new Error("Redis connection refused")
+      );
+
+      const credentialStatus: CredentialStatus = {
+        id: "https://status.example.com/revocation/v1#5",
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: "https://status.example.com/revocation/v1",
+      };
+
+      await expect(manager.checkStatus(credentialStatus)).rejects.toThrow(
+        "Redis connection refused"
+      );
+    });
+
+    it("should still return false for non-revoked credential with valid storage", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation"
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(existingCredential);
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#3`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "3",
+        statusListCredential: statusListId,
+      };
+
+      const isRevoked = await manager.checkStatus(credentialStatus);
+      expect(isRevoked).toBe(false);
+    });
+
+    it("should still return true for revoked credential with valid storage", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      const bytes = new Uint8Array(2);
+      bytes[0] = 0b00001000; // Bit 3 set
+      const encodedList = Buffer.from(bytes).toString("base64url");
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation",
+        encodedList
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(existingCredential);
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#3`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "3",
+        statusListCredential: statusListId,
+      };
+
+      const isRevoked = await manager.checkStatus(credentialStatus);
+      expect(isRevoked).toBe(true);
+    });
+  });
 });

package/src/delegation/__tests__/vc-verifier.test.ts

@@ -471,7 +471,7 @@ describe("DelegationCredentialVerifier", () => {
       expect(mockStatusListResolver.checkStatus).not.toHaveBeenCalled();
     });
 
-    it("should skip status checking when no resolver available", async () => {
+    it("should fail closed when no status resolver available but credential has credentialStatus", async () => {
       await setupDefaultContractsMocks();
       const verifierWithoutResolver = new DelegationCredentialVerifier({
         didResolver: mockDidResolver,
@@ -506,8 +506,9 @@ describe("DelegationCredentialVerifier", () => {
       const result =
         await verifierWithoutResolver.verifyDelegationCredential(vcWithStatus);
 
-      expect(result.valid).toBe(true);
-      expect(result.checks?.statusValid).toBe(true); // Trust but don't verify
+      expect(result.valid).toBe(false);
+      expect(result.checks?.statusValid).toBe(false);
+      expect(result.reason).toContain("no status list resolver is configured");
     });
 
     it("should fail when credential is revoked", async () => {
@@ -1026,4 +1027,45 @@ describe("DelegationCredentialVerifier", () => {
       });
     });
   });
+
+  describe("E2E: StatusList2021 missing storage → verifier rejects", () => {
+    it("should return valid: false when status list resolver throws (missing storage)", async () => {
+      await setupDefaultContractsMocks();
+      const vcWithStatus = {
+        ...mockValidVC,
+        credentialStatus: {
+          id: "https://example.com/status#123",
+          type: "StatusList2021Entry" as const,
+          statusPurpose: "revocation" as const,
+          statusListIndex: "123",
+          statusListCredential: "https://example.com/status",
+        },
+      };
+
+      mockDidResolver.resolve.mockResolvedValue({
+        id: "did:web:example.com:issuer",
+        verificationMethod: [
+          {
+            id: "did:web:example.com:issuer#key-1",
+            type: "Ed25519VerificationKey2020",
+            controller: "did:web:example.com:issuer",
+            publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "mock-key" },
+          },
+        ],
+      });
+      mockSignatureVerifier.mockResolvedValue({ valid: true });
+
+      // Simulate StatusList2021Manager.checkStatus throwing on missing storage
+      mockStatusListResolver.checkStatus.mockRejectedValue(
+        new Error("Status list not found: https://example.com/status — cannot determine revocation status")
+      );
+
+      const result = await verifier.verifyDelegationCredential(vcWithStatus);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toContain("Status list not found");
+      expect(result.reason).toContain("cannot determine revocation status");
+      expect(result.checks?.statusValid).toBe(false);
+    });
+  });
 });

package/src/delegation/did-key-resolver.ts

@@ -15,6 +15,7 @@
  */
 
 import { base58Decode } from '../utils/base58.js';
+import { didKeyFragment } from '../utils/did-helpers.js';
 import { base64urlEncodeFromBytes } from '../utils/base64.js';
 import type { DIDResolver, DIDDocument, VerificationMethod } from './vc-verifier.js';
 import { logger } from '../logging/index.js';
@@ -124,8 +125,10 @@ export function createDidKeyResolver(): DIDResolver {
       const multibaseKey = did.replace('did:key:', '');
 
       // Construct the verification method
+      const fragment = didKeyFragment(did);
+
       const verificationMethod: VerificationMethod = {
-        id: `${did}#keys-1`,
+        id: `${did}#${fragment}`,
         type: 'Ed25519VerificationKey2020',
         controller: did,
         publicKeyJwk,
@@ -136,8 +139,8 @@ export function createDidKeyResolver(): DIDResolver {
       return {
         id: did,
         verificationMethod: [verificationMethod],
-        authentication: [`${did}#keys-1`],
-        assertionMethod: [`${did}#keys-1`],
+        authentication: [`${did}#${fragment}`],
+        assertionMethod: [`${did}#${fragment}`],
       };
     },
   };
@@ -164,8 +167,10 @@ export function resolveDidKeySync(did: string): DIDDocument | null {
   const publicKeyJwk = publicKeyToJwk(publicKeyBytes);
   const multibaseKey = did.replace('did:key:', '');
 
+  const fragment = didKeyFragment(did);
+
   const verificationMethod: VerificationMethod = {
-    id: `${did}#keys-1`,
+    id: `${did}#${fragment}`,
     type: 'Ed25519VerificationKey2020',
     controller: did,
     publicKeyJwk,
@@ -175,7 +180,7 @@ export function resolveDidKeySync(did: string): DIDDocument | null {
   return {
     id: did,
     verificationMethod: [verificationMethod],
-    authentication: [`${did}#keys-1`],
-    assertionMethod: [`${did}#keys-1`],
+    authentication: [`${did}#${fragment}`],
+    assertionMethod: [`${did}#${fragment}`],
   };
 }

package/src/delegation/outbound-headers.ts

@@ -14,7 +14,6 @@
  */
 
 import type { SessionContext, DelegationRecord } from '../types/protocol.js';
-import type { CryptoProvider } from '../providers/base.js';
 import { buildDelegationProofJWT, type Ed25519PrivateJWK } from './outbound-proof.js';
 import { extractPublicKeyFromDidKey, isEd25519DidKey } from './did-key-resolver.js';
 import { base64ToBytes, base64urlEncodeFromBytes } from '../utils/base64.js';
@@ -112,7 +111,6 @@ function buildPrivateKeyJwk(
  * downstream service can independently verify the delegation chain.
  *
  * @param context - The delegation context including session, delegation, and server identity
- * @param _cryptoProvider - CryptoProvider (reserved for future use)
  * @returns Headers object to attach to the outbound request
  *
  * @throws {Error} If session is missing agentDid or sessionId
@@ -126,7 +124,7 @@ function buildPrivateKeyJwk(
  *   delegation,
  *   serverIdentity: { did: serverDid, kid: serverKid, privateKey },
  *   targetUrl: 'https://downstream-api.example.com/resource',
- * }, cryptoProvider);
+ * });
  *
  * // Attach headers to your HTTP request
  * fetch(targetUrl, { headers });
@@ -134,7 +132,6 @@ function buildPrivateKeyJwk(
  */
 export async function buildOutboundDelegationHeaders(
   context: OutboundDelegationContext,
-  _cryptoProvider: CryptoProvider
 ): Promise<OutboundDelegationHeaders> {
   const { session, delegation, serverIdentity, targetUrl } = context;
 

package/src/delegation/statuslist-manager.ts

@@ -112,7 +112,9 @@ export class StatusList2021Manager {
 
     const statusList = await this.storage.getStatusList(statusListCredential);
     if (!statusList) {
-      return false;
+      throw new Error(
+        `Status list not found: ${statusListCredential} — cannot determine revocation status`
+      );
     }
 
     const manager = await BitstringManager.decode(

package/src/delegation/vc-verifier.ts

@@ -350,8 +350,9 @@ export class DelegationCredentialVerifier {
     try {
       if (!statusListResolver) {
         return {
-          valid: true,
-          reason: "No status list resolver available, skipping status check",
+          valid: false,
+          reason:
+            "Credential has credentialStatus but no status list resolver is configured — cannot verify revocation status",
           durationMs: Date.now() - startTime,
         };
       }