@alpic-ai/api 0.0.0-staging.g3da6945 → 0.0.0-staging.g430b4ff

package/dist/index.mjs

@@ -1,6 +1,174 @@
 import { z } from "zod";
+import * as z$1 from "zod/v4";
 import { oc } from "@orpc/contract";
 import ms from "ms";
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+sdk@1.29.0_@cfworker+json-schema@4.1.1_zod@4.4.3/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+/**
+* Reusable URL validation that disallows javascript: scheme
+*/
+const SafeUrlSchema = z$1.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: z$1.ZodIssueCode.custom,
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z$1.NEVER;
+	}
+}).refine((url) => {
+	const u = new URL(url);
+	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+/**
+* RFC 9728 OAuth Protected Resource Metadata
+*/
+const OAuthProtectedResourceMetadataSchema = z$1.looseObject({
+	resource: z$1.string().url(),
+	authorization_servers: z$1.array(SafeUrlSchema).optional(),
+	jwks_uri: z$1.string().url().optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	bearer_methods_supported: z$1.array(z$1.string()).optional(),
+	resource_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	resource_name: z$1.string().optional(),
+	resource_documentation: z$1.string().optional(),
+	resource_policy_uri: z$1.string().url().optional(),
+	resource_tos_uri: z$1.string().url().optional(),
+	tls_client_certificate_bound_access_tokens: z$1.boolean().optional(),
+	authorization_details_types_supported: z$1.array(z$1.string()).optional(),
+	dpop_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	dpop_bound_access_tokens_required: z$1.boolean().optional()
+});
+/**
+* RFC 8414 OAuth 2.0 Authorization Server Metadata
+*/
+const OAuthMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: SafeUrlSchema.optional(),
+	revocation_endpoint: SafeUrlSchema.optional(),
+	revocation_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	revocation_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint: z$1.string().optional(),
+	introspection_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	code_challenge_methods_supported: z$1.array(z$1.string()).optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery 1.0 Provider Metadata
+* see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+*/
+const OpenIdProviderMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	userinfo_endpoint: SafeUrlSchema.optional(),
+	jwks_uri: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	acr_values_supported: z$1.array(z$1.string()).optional(),
+	subject_types_supported: z$1.array(z$1.string()),
+	id_token_signing_alg_values_supported: z$1.array(z$1.string()),
+	id_token_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	id_token_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	display_values_supported: z$1.array(z$1.string()).optional(),
+	claim_types_supported: z$1.array(z$1.string()).optional(),
+	claims_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: z$1.string().optional(),
+	claims_locales_supported: z$1.array(z$1.string()).optional(),
+	ui_locales_supported: z$1.array(z$1.string()).optional(),
+	claims_parameter_supported: z$1.boolean().optional(),
+	request_parameter_supported: z$1.boolean().optional(),
+	request_uri_parameter_supported: z$1.boolean().optional(),
+	require_request_uri_registration: z$1.boolean().optional(),
+	op_policy_uri: SafeUrlSchema.optional(),
+	op_tos_uri: SafeUrlSchema.optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery metadata that may include OAuth 2.0 fields
+* This schema represents the real-world scenario where OIDC providers
+* return a mix of OpenID Connect and OAuth 2.0 metadata fields
+*/
+const OpenIdProviderDiscoveryMetadataSchema = z$1.object({
+	...OpenIdProviderMetadataSchema.shape,
+	...OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }).shape
+});
+z$1.object({
+	access_token: z$1.string(),
+	id_token: z$1.string().optional(),
+	token_type: z$1.string(),
+	expires_in: z$1.coerce.number().optional(),
+	scope: z$1.string().optional(),
+	refresh_token: z$1.string().optional()
+}).strip();
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
+});
+/**
+* Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+*/
+const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z$1.literal("").transform(() => void 0));
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
+*/
+const OAuthClientMetadataSchema = z$1.object({
+	redirect_uris: z$1.array(SafeUrlSchema),
+	token_endpoint_auth_method: z$1.string().optional(),
+	grant_types: z$1.array(z$1.string()).optional(),
+	response_types: z$1.array(z$1.string()).optional(),
+	client_name: z$1.string().optional(),
+	client_uri: SafeUrlSchema.optional(),
+	logo_uri: OptionalSafeUrlSchema,
+	scope: z$1.string().optional(),
+	contacts: z$1.array(z$1.string()).optional(),
+	tos_uri: OptionalSafeUrlSchema,
+	policy_uri: z$1.string().optional(),
+	jwks_uri: SafeUrlSchema.optional(),
+	jwks: z$1.any().optional(),
+	software_id: z$1.string().optional(),
+	software_version: z$1.string().optional(),
+	software_statement: z$1.string().optional()
+}).strip();
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration client information
+*/
+const OAuthClientInformationSchema = z$1.object({
+	client_id: z$1.string(),
+	client_secret: z$1.string().optional(),
+	client_id_issued_at: z$1.number().optional(),
+	client_secret_expires_at: z$1.number().optional()
+}).strip();
+OAuthClientMetadataSchema.merge(OAuthClientInformationSchema);
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional()
+}).strip();
+z$1.object({
+	token: z$1.string(),
+	token_type_hint: z$1.string().optional()
+}).strip();
 const platformSchema = z.enum(["chatgpt", "claudeai"]);
 const PLATFORM_LABELS = {
 	chatgpt: "ChatGPT",
@@ -71,6 +239,13 @@ const auditReportWithScreenshotsSchema = auditReportSchema.extend({ widgetScreen
 	chatgpt: widgetScreenshotSchema.optional(),
 	claudeai: widgetScreenshotSchema.optional()
 }) });
+z.object({
+	id: z.string(),
+	environmentId: z.string(),
+	clientId: z.string(),
+	clientSecret: z.string(),
+	clientScopes: z.array(z.string())
+});
 const deploymentStatusSchema$1 = z.enum([
 	"ongoing",
 	"deployed",
@@ -98,6 +273,74 @@ const deploymentSummarySchema = z.object({
 	createdAt: z.coerce.date(),
 	updatedAt: z.coerce.date()
 });
+/**
+* Public environment
+*
+* No OAuth metadata exposed.
+*/
+const publicEnvironmentSchema = z.object({
+	isPublic: z.literal(true),
+	oAuthMetadata: z.undefined().optional()
+});
+/**
+* Protected environment with an external resource metadata URL
+*
+* An external resource metadata URL is returned in the WWW-Authenticate header during the first 401 response.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalResourceMetadataEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({ externalResourceMetadataUrl: z.url() }),
+	scope: z.string().optional()
+});
+/**
+* Protected environment with an external authorization server URL
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* An external authorization server URL is returned when requesting the endpoint.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalAuthorizationServerEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		externalAuthorizationServerUrl: z.url(),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Standalone protected environment
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* The server itself exposes the /.well-known/oauth-authorization-server endpoint.
+*/
+const standaloneEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		authorizationServerMetadata: z.union([OAuthMetadataSchema, OpenIdProviderDiscoveryMetadataSchema]),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Protected environment without OAuth discovery
+*
+* The server enforces authentication but exposes no OAuth discovery metadata.
+* Neither /.well-known/oauth-protected-resource nor /.well-known/oauth-authorization-server
+* are advertised. Clients must obtain credentials out-of-band.
+*/
+const protectedWithoutDiscoveryEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.strictObject({}),
+	scope: z.string().optional()
+});
+z.union([
+	publicEnvironmentSchema,
+	externalResourceMetadataEnvironmentSchema,
+	externalAuthorizationServerEnvironmentSchema,
+	standaloneEnvironmentSchema,
+	protectedWithoutDiscoveryEnvironmentSchema
+]);
 const allowedPlatformSchema = platformSchema;
 const environmentDomainSchema = z.object({
 	domain: z.string(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alpic-ai/api",
-  "version": "0.0.0-staging.g3da6945",
+  "version": "0.0.0-staging.g430b4ff",
   "description": "Contract for the Alpic API",
   "type": "module",
   "main": "./dist/index.mjs",