@thotischner/observability-mcp 1.8.1 → 3.0.1

package/dist/scim/routes.js

@@ -0,0 +1,395 @@
+// SCIM 2.0 routes — mounted at /scim/v2/.
+//
+// Spec subset covered:
+//   GET    /scim/v2/ServiceProviderConfig
+//   GET    /scim/v2/ResourceTypes
+//   GET    /scim/v2/Schemas
+//   GET    /scim/v2/Users        list (no filter support yet)
+//   GET    /scim/v2/Users/:id
+//   POST   /scim/v2/Users
+//   PATCH  /scim/v2/Users/:id    minimal: replace top-level attrs
+//   DELETE /scim/v2/Users/:id
+//   GET    /scim/v2/Groups
+//   GET    /scim/v2/Groups/:id
+//   POST   /scim/v2/Groups
+//   PATCH  /scim/v2/Groups/:id
+//   DELETE /scim/v2/Groups/:id
+//
+// Auth: Bearer token via OMCP_SCIM_TOKEN; absence of OMCP_SCIM_TOKEN
+// rejects every request (the routes are not safe without it).
+import { timingSafeEqual } from "node:crypto";
+import { SCIM_SCHEMA_LIST_RESPONSE, SCIM_SCHEMA_USER, SCIM_SCHEMA_GROUP, scimError, } from "./types.js";
+import { ScimNotFoundError, ScimValidationError } from "./store.js";
+const constantTimeBearerMatch = (raw, expected) => {
+    if (!raw)
+        return false;
+    // Use bounded whitespace ({1,16}) instead of `\s+` to avoid the
+    // polynomial-ReDoS class — `\s+` followed by `(.+)` backtracks on
+    // strings like "bearer<many spaces><payload>". 16 is generous;
+    // RFC 7235 only requires one space.
+    const m = raw.match(/^Bearer[ \t]{1,16}(.+)$/i);
+    if (!m)
+        return false;
+    const a = Buffer.from(m[1].trim());
+    const b = Buffer.from(expected);
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+};
+export function registerScimRoutes(app, deps) {
+    const { store, bearerToken, audit } = deps;
+    // Auth middleware — scoped to /scim/v2/* only.
+    app.use("/scim/v2", (req, res, next) => {
+        if (!bearerToken) {
+            res.status(503).json(scimError(503, "SCIM is enabled but OMCP_SCIM_TOKEN is unset"));
+            return;
+        }
+        if (!constantTimeBearerMatch(req.headers["authorization"], bearerToken)) {
+            res.status(401).json(scimError(401, "valid SCIM bearer token required"));
+            return;
+        }
+        next();
+    });
+    // ---- Discovery endpoints ----
+    app.get("/scim/v2/ServiceProviderConfig", (_req, res) => {
+        res.json({
+            schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+            documentationUri: "https://thotischner.github.io/observability-mcp/scim-provisioning/",
+            patch: { supported: true },
+            bulk: { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+            filter: { supported: false, maxResults: 200 },
+            changePassword: { supported: false },
+            sort: { supported: false },
+            etag: { supported: false },
+            authenticationSchemes: [
+                {
+                    name: "OAuth Bearer Token",
+                    description: "Authentication via OAuth 2.0 bearer token (configured per-deployment).",
+                    specUri: "https://datatracker.ietf.org/doc/html/rfc6750",
+                    documentationUri: "https://thotischner.github.io/observability-mcp/scim-provisioning/",
+                    type: "oauthbearertoken",
+                    primary: true,
+                },
+            ],
+        });
+    });
+    app.get("/scim/v2/ResourceTypes", (_req, res) => {
+        res.json({
+            schemas: [SCIM_SCHEMA_LIST_RESPONSE],
+            totalResults: 2,
+            Resources: [
+                {
+                    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                    id: "User",
+                    name: "User",
+                    endpoint: "/Users",
+                    description: "User account",
+                    schema: SCIM_SCHEMA_USER,
+                },
+                {
+                    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+                    id: "Group",
+                    name: "Group",
+                    endpoint: "/Groups",
+                    description: "Group / role mapping",
+                    schema: SCIM_SCHEMA_GROUP,
+                },
+            ],
+        });
+    });
+    app.get("/scim/v2/Schemas", (_req, res) => {
+        res.json({
+            schemas: [SCIM_SCHEMA_LIST_RESPONSE],
+            totalResults: 2,
+            Resources: [
+                { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Schema"], id: SCIM_SCHEMA_USER, name: "User" },
+                { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Schema"], id: SCIM_SCHEMA_GROUP, name: "Group" },
+            ],
+        });
+    });
+    // ---- Users ----
+    app.get("/scim/v2/Users", (_req, res) => {
+        const users = store.listUsers().map((u) => withGroups(u, store));
+        res.json({
+            schemas: [SCIM_SCHEMA_LIST_RESPONSE],
+            totalResults: users.length,
+            itemsPerPage: users.length,
+            startIndex: 1,
+            Resources: users,
+        });
+    });
+    app.get("/scim/v2/Users/:id", (req, res) => {
+        const u = store.getUser(req.params.id);
+        if (!u) {
+            res.status(404).json(scimError(404, `User ${req.params.id} not found`));
+            return;
+        }
+        res.json(withGroups(u, store));
+    });
+    app.post("/scim/v2/Users", async (req, res) => {
+        try {
+            const u = await store.createUser((req.body ?? {}));
+            audit?.({ actor: "scim", action: "User.create", target: u.userName, result: "ok", status: 201 });
+            res.status(201).json(withGroups(u, store));
+        }
+        catch (e) {
+            handleStoreError(e, res, "User.create", audit);
+        }
+    });
+    app.patch("/scim/v2/Users/:id", async (req, res) => {
+        try {
+            const patch = applyPatchOps(store.getUser(req.params.id), req.body);
+            const u = await store.updateUser(req.params.id, patch);
+            audit?.({ actor: "scim", action: "User.update", target: u.userName, result: "ok", status: 200 });
+            res.json(withGroups(u, store));
+        }
+        catch (e) {
+            handleStoreError(e, res, "User.update", audit);
+        }
+    });
+    app.delete("/scim/v2/Users/:id", async (req, res) => {
+        const ok = await store.deleteUser(req.params.id);
+        audit?.({ actor: "scim", action: "User.delete", target: req.params.id, result: ok ? "ok" : "error", status: ok ? 204 : 404 });
+        if (!ok) {
+            res.status(404).json(scimError(404, `User ${req.params.id} not found`));
+            return;
+        }
+        res.status(204).end();
+    });
+    // ---- Groups ----
+    app.get("/scim/v2/Groups", (_req, res) => {
+        const groups = store.listGroups();
+        res.json({
+            schemas: [SCIM_SCHEMA_LIST_RESPONSE],
+            totalResults: groups.length,
+            itemsPerPage: groups.length,
+            startIndex: 1,
+            Resources: groups,
+        });
+    });
+    app.get("/scim/v2/Groups/:id", (req, res) => {
+        const g = store.getGroup(req.params.id);
+        if (!g) {
+            res.status(404).json(scimError(404, `Group ${req.params.id} not found`));
+            return;
+        }
+        res.json(g);
+    });
+    app.post("/scim/v2/Groups", async (req, res) => {
+        try {
+            const g = await store.createGroup((req.body ?? {}));
+            audit?.({ actor: "scim", action: "Group.create", target: g.displayName, result: "ok", status: 201 });
+            res.status(201).json(g);
+        }
+        catch (e) {
+            handleStoreError(e, res, "Group.create", audit);
+        }
+    });
+    app.patch("/scim/v2/Groups/:id", async (req, res) => {
+        try {
+            const patch = applyPatchOps(store.getGroup(req.params.id), req.body);
+            const g = await store.updateGroup(req.params.id, patch);
+            audit?.({ actor: "scim", action: "Group.update", target: g.displayName, result: "ok", status: 200 });
+            res.json(g);
+        }
+        catch (e) {
+            handleStoreError(e, res, "Group.update", audit);
+        }
+    });
+    app.delete("/scim/v2/Groups/:id", async (req, res) => {
+        const ok = await store.deleteGroup(req.params.id);
+        audit?.({ actor: "scim", action: "Group.delete", target: req.params.id, result: ok ? "ok" : "error", status: ok ? 204 : 404 });
+        if (!ok) {
+            res.status(404).json(scimError(404, `Group ${req.params.id} not found`));
+            return;
+        }
+        res.status(204).end();
+    });
+}
+function withGroups(u, store) {
+    return { ...u, groups: store.groupsContaining(u.id) };
+}
+// Allow-list of attribute names patchable via SCIM PatchOp.
+// `applyPatchOps` writes into a plain object using a user-supplied
+// path/key — every key is gated through this set so a malicious
+// client can't inject __proto__ / constructor / arbitrary fields.
+const PATCH_ALLOWED_ATTRS = new Set([
+    "userName", "active", "displayName", "name", "emails", "externalId",
+    "members", "groups",
+]);
+function safePatchKey(k) {
+    return typeof k === "string" && PATCH_ALLOWED_ATTRS.has(k);
+}
+// Multi-valued attributes that support add/remove element ops + filter
+// segments. Everything else is treated as a scalar (replace/set).
+const PATCH_ARRAY_ATTRS = new Set(["members", "emails", "groups"]);
+/** Parse a PatchOp `path` into {attr, filter?}. Supports a bare
+ *  attribute (`members`) and a single `eq` filter segment
+ *  (`members[value eq "abc"]`). Returns null for anything that
+ *  doesn't name an allow-listed attribute or that we don't model —
+ *  the caller skips those ops (fail-closed). The sub-attribute in the
+ *  filter is only ever READ for comparison, never written, so it
+ *  can't drive prototype pollution. */
+function parsePatchPath(path) {
+    const filterMatch = /^([A-Za-z][\w]*)\[\s*([A-Za-z][\w]*)\s+eq\s+"([^"]*)"\s*\]$/.exec(path);
+    if (filterMatch) {
+        const attr = filterMatch[1];
+        if (!safePatchKey(attr))
+            return null;
+        return { attr, filter: { sub: filterMatch[2], val: filterMatch[3] } };
+    }
+    if (safePatchKey(path))
+        return { attr: path };
+    return null;
+}
+// Always returns a FRESH array — never the caller's reference — so the
+// add/remove machinery can push/filter without mutating the current
+// resource in place (which would corrupt it across chained ops or
+// repeated calls).
+function asArray(v) {
+    if (Array.isArray(v))
+        return v.slice();
+    if (v == null)
+        return [];
+    return [v];
+}
+/** Element identity for dedup/removal on multi-valued attrs. SCIM
+ *  members/emails carry a `value` key; fall back to JSON equality. */
+function elemKey(e) {
+    if (e && typeof e === "object" && "value" in e) {
+        return String(e.value);
+    }
+    return JSON.stringify(e);
+}
+/** Translate a SCIM PatchOp request into a partial resource patch.
+ *
+ *  Supported (RFC 7644 §3.5.2):
+ *   - replace, no path        → whole-resource merge of allow-listed keys
+ *   - replace, path=attr      → set that attribute
+ *   - add, no path            → merge; array attrs append (deduped), scalars set
+ *   - add, path=arrayAttr     → append value(s) to the array (deduped)
+ *   - add, path=scalarAttr    → set
+ *   - remove, path=arrayAttr  → clear the array
+ *   - remove, path=arrayAttr[sub eq "x"] → drop matching elements
+ *   - remove, path=scalarAttr → clear the attribute (set undefined)
+ *
+ *  Array ops are computed against the CURRENT resource value and the
+ *  full resulting array is returned in `out` (the store merges
+ *  shallowly, so out[attr] replaces current[attr] wholesale).
+ *
+ *  Every property name written into `out` is gated through
+ *  `PATCH_ALLOWED_ATTRS` so a SCIM client can't inject __proto__ /
+ *  constructor / arbitrary fields (CodeQL js/remote-property-injection +
+ *  js/prototype-polluting-assignment). Filter sub-attributes are
+ *  read-only. */
+export function applyPatchOps(current, patch) {
+    if (!current)
+        throw new ScimNotFoundError("target resource not found");
+    if (!patch?.Operations || !Array.isArray(patch.Operations))
+        return {};
+    const cur = current;
+    const out = {};
+    // Read the working value for an attr: prefer an in-progress value
+    // from a prior op in this same request, else the current resource.
+    const readAttr = (attr) => (attr in out ? out[attr] : cur[attr]);
+    for (const op of patch.Operations) {
+        const verb = (op.op || "").toLowerCase();
+        if (verb === "replace") {
+            if (!op.path) {
+                if (op.value && typeof op.value === "object") {
+                    for (const [k, v] of Object.entries(op.value)) {
+                        if (safePatchKey(k))
+                            out[k] = v;
+                    }
+                }
+                continue;
+            }
+            const parsed = parsePatchPath(op.path);
+            if (parsed && !parsed.filter)
+                out[parsed.attr] = op.value;
+            continue;
+        }
+        if (verb === "add") {
+            if (!op.path) {
+                if (op.value && typeof op.value === "object") {
+                    for (const [k, v] of Object.entries(op.value)) {
+                        if (!safePatchKey(k))
+                            continue;
+                        if (PATCH_ARRAY_ATTRS.has(k)) {
+                            const existing = asArray(readAttr(k));
+                            const seen = new Set(existing.map(elemKey));
+                            for (const item of asArray(v)) {
+                                if (!seen.has(elemKey(item))) {
+                                    existing.push(item);
+                                    seen.add(elemKey(item));
+                                }
+                            }
+                            out[k] = existing;
+                        }
+                        else {
+                            out[k] = v;
+                        }
+                    }
+                }
+                continue;
+            }
+            const parsed = parsePatchPath(op.path);
+            if (!parsed || parsed.filter)
+                continue;
+            if (PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                const existing = asArray(readAttr(parsed.attr));
+                const seen = new Set(existing.map(elemKey));
+                for (const item of asArray(op.value)) {
+                    if (!seen.has(elemKey(item))) {
+                        existing.push(item);
+                        seen.add(elemKey(item));
+                    }
+                }
+                out[parsed.attr] = existing;
+            }
+            else {
+                out[parsed.attr] = op.value;
+            }
+            continue;
+        }
+        if (verb === "remove") {
+            if (!op.path)
+                continue; // remove with no path is a no-op (nothing to target)
+            const parsed = parsePatchPath(op.path);
+            if (!parsed)
+                continue;
+            if (parsed.filter && PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                const existing = asArray(readAttr(parsed.attr));
+                const { sub, val } = parsed.filter;
+                out[parsed.attr] = existing.filter((e) => {
+                    const ev = e && typeof e === "object" ? e[sub] : undefined;
+                    return String(ev) !== val;
+                });
+            }
+            else if (PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                out[parsed.attr] = [];
+            }
+            else {
+                out[parsed.attr] = undefined;
+            }
+            continue;
+        }
+    }
+    return out;
+}
+function handleStoreError(e, res, action, audit) {
+    if (e instanceof ScimNotFoundError) {
+        audit?.({ actor: "scim", action, target: "?", result: "error", status: 404 });
+        res.status(404).json(scimError(404, e.message));
+        return;
+    }
+    if (e instanceof ScimValidationError) {
+        const status = e.scimType === "uniqueness" ? 409 : 400;
+        audit?.({ actor: "scim", action, target: "?", result: "error", status });
+        res.status(status).json(scimError(status, e.message, e.scimType));
+        return;
+    }
+    console.warn(`[scim] ${action} failed:`, e);
+    audit?.({ actor: "scim", action, target: "?", result: "error", status: 500 });
+    res.status(500).json(scimError(500, "internal error"));
+}

package/dist/scim/store.d.ts

@@ -0,0 +1,76 @@
+import { type ScimGroup, type ScimUser } from "./types.js";
+export interface ScimSnapshot {
+    users: ScimUser[];
+    groups: ScimGroup[];
+}
+/**
+ * The store surface route handlers and group-role-map depend on.
+ * Both file + redis backends implement this. New backends (DynamoDB,
+ * Postgres, …) just need to satisfy these methods.
+ */
+export interface IScimStore {
+    load(): Promise<void>;
+    listUsers(): ScimUser[];
+    getUser(id: string): ScimUser | undefined;
+    getUserByUserName(userName: string): ScimUser | undefined;
+    createUser(input: Partial<ScimUser>): Promise<ScimUser>;
+    updateUser(id: string, patch: Partial<ScimUser>): Promise<ScimUser>;
+    deleteUser(id: string): Promise<boolean>;
+    listGroups(): ScimGroup[];
+    getGroup(id: string): ScimGroup | undefined;
+    createGroup(input: Partial<ScimGroup>): Promise<ScimGroup>;
+    updateGroup(id: string, patch: Partial<ScimGroup>): Promise<ScimGroup>;
+    deleteGroup(id: string): Promise<boolean>;
+    groupsContaining(userId: string): Array<{
+        value: string;
+        display?: string;
+    }>;
+}
+export declare class ScimStore implements IScimStore {
+    private readonly path;
+    private snapshot;
+    private bootstrapped;
+    constructor(path: string);
+    load(): Promise<void>;
+    listUsers(): ScimUser[];
+    getUser(id: string): ScimUser | undefined;
+    getUserByUserName(userName: string): ScimUser | undefined;
+    createUser(input: Partial<ScimUser>): Promise<ScimUser>;
+    updateUser(id: string, patch: Partial<ScimUser>): Promise<ScimUser>;
+    deleteUser(id: string): Promise<boolean>;
+    listGroups(): ScimGroup[];
+    getGroup(id: string): ScimGroup | undefined;
+    createGroup(input: Partial<ScimGroup>): Promise<ScimGroup>;
+    updateGroup(id: string, patch: Partial<ScimGroup>): Promise<ScimGroup>;
+    deleteGroup(id: string): Promise<boolean>;
+    /** Look up the groups a user is currently a member of — used to
+     *  populate `User.groups` on read responses. */
+    groupsContaining(userId: string): Array<{
+        value: string;
+        display?: string;
+    }>;
+    private persist;
+}
+export declare class ScimValidationError extends Error {
+    readonly scimType?: string | undefined;
+    constructor(message: string, scimType?: string | undefined);
+}
+export declare class ScimNotFoundError extends Error {
+    constructor(message: string);
+}
+/**
+ * Boot-time factory. Reads OMCP_SCIM_BACKEND and returns the matching
+ * implementation. Loadbearing on Helm too — values.yaml exposes a
+ * scim.backend toggle that ends up as the env var.
+ *
+ * config.path  — file backend storage path (file backend only).
+ * config.redis — RedisLike client (redis backend only).
+ * config.redisKey — override default key name.
+ */
+export interface CreateScimStoreConfig {
+    backend?: "file" | "redis";
+    path?: string;
+    redis?: import("./redis-store.js").RedisLike;
+    redisKey?: string;
+}
+export declare function createScimStore(config?: CreateScimStoreConfig): Promise<IScimStore>;

package/dist/scim/store.js

@@ -0,0 +1,196 @@
+// SCIM store — file-backed JSON for users + groups (default), with a
+// Redis-backed alternative for multi-replica deployments behind the
+// `OMCP_SCIM_BACKEND=redis` env / `scim.backend: redis` Helm value.
+//
+// F21a shipped the on-disk JSON file (atomic tmp+rename, mode 0600).
+// F21b (Q6) adds the Redis variant + the IScimStore interface every
+// route handler now talks to. The factory `createScimStore` picks
+// the implementation at boot; everything downstream is unchanged.
+import { readFile, writeFile, mkdir, rename } from "node:fs/promises";
+import { dirname } from "node:path";
+import { randomUUID } from "node:crypto";
+import { nowIso, SCIM_SCHEMA_GROUP, SCIM_SCHEMA_USER } from "./types.js";
+const EMPTY = { users: [], groups: [] };
+export class ScimStore {
+    path;
+    snapshot = EMPTY;
+    bootstrapped = null;
+    constructor(path) {
+        this.path = path;
+    }
+    async load() {
+        if (this.bootstrapped)
+            return this.bootstrapped;
+        this.bootstrapped = (async () => {
+            try {
+                const raw = await readFile(this.path, "utf8");
+                const parsed = JSON.parse(raw);
+                this.snapshot = {
+                    users: Array.isArray(parsed.users) ? parsed.users : [],
+                    groups: Array.isArray(parsed.groups) ? parsed.groups : [],
+                };
+            }
+            catch (err) {
+                if (err.code === "ENOENT") {
+                    this.snapshot = { users: [], groups: [] };
+                    return;
+                }
+                console.warn(`[scim] failed to load ${this.path}: ${err.message} — starting empty`);
+                this.snapshot = { users: [], groups: [] };
+            }
+        })();
+        return this.bootstrapped;
+    }
+    listUsers() {
+        return this.snapshot.users.slice();
+    }
+    getUser(id) {
+        return this.snapshot.users.find((u) => u.id === id);
+    }
+    getUserByUserName(userName) {
+        return this.snapshot.users.find((u) => u.userName === userName);
+    }
+    async createUser(input) {
+        if (!input.userName)
+            throw new ScimValidationError("userName is required");
+        if (this.getUserByUserName(input.userName)) {
+            throw new ScimValidationError(`User with userName '${input.userName}' already exists`, "uniqueness");
+        }
+        const ts = nowIso();
+        const user = {
+            schemas: [SCIM_SCHEMA_USER],
+            id: randomUUID(),
+            userName: input.userName,
+            active: input.active ?? true,
+            displayName: input.displayName,
+            name: input.name,
+            emails: input.emails,
+            externalId: input.externalId,
+            meta: { resourceType: "User", created: ts, lastModified: ts },
+        };
+        this.snapshot.users.push(user);
+        await this.persist();
+        return user;
+    }
+    async updateUser(id, patch) {
+        const i = this.snapshot.users.findIndex((u) => u.id === id);
+        if (i < 0)
+            throw new ScimNotFoundError(`User ${id} not found`);
+        const next = {
+            ...this.snapshot.users[i],
+            ...patch,
+            schemas: [SCIM_SCHEMA_USER],
+            id,
+            meta: {
+                ...this.snapshot.users[i].meta,
+                lastModified: nowIso(),
+            },
+        };
+        this.snapshot.users[i] = next;
+        await this.persist();
+        return next;
+    }
+    async deleteUser(id) {
+        const before = this.snapshot.users.length;
+        this.snapshot.users = this.snapshot.users.filter((u) => u.id !== id);
+        if (this.snapshot.users.length === before)
+            return false;
+        // Also remove the user from every group's members list.
+        for (const g of this.snapshot.groups) {
+            g.members = (g.members ?? []).filter((m) => m.value !== id);
+        }
+        await this.persist();
+        return true;
+    }
+    listGroups() {
+        return this.snapshot.groups.slice();
+    }
+    getGroup(id) {
+        return this.snapshot.groups.find((g) => g.id === id);
+    }
+    async createGroup(input) {
+        if (!input.displayName)
+            throw new ScimValidationError("displayName is required");
+        const ts = nowIso();
+        const group = {
+            schemas: [SCIM_SCHEMA_GROUP],
+            id: randomUUID(),
+            displayName: input.displayName,
+            members: input.members ?? [],
+            externalId: input.externalId,
+            meta: { resourceType: "Group", created: ts, lastModified: ts },
+        };
+        this.snapshot.groups.push(group);
+        await this.persist();
+        return group;
+    }
+    async updateGroup(id, patch) {
+        const i = this.snapshot.groups.findIndex((g) => g.id === id);
+        if (i < 0)
+            throw new ScimNotFoundError(`Group ${id} not found`);
+        const next = {
+            ...this.snapshot.groups[i],
+            ...patch,
+            schemas: [SCIM_SCHEMA_GROUP],
+            id,
+            meta: {
+                ...this.snapshot.groups[i].meta,
+                lastModified: nowIso(),
+            },
+        };
+        this.snapshot.groups[i] = next;
+        await this.persist();
+        return next;
+    }
+    async deleteGroup(id) {
+        const before = this.snapshot.groups.length;
+        this.snapshot.groups = this.snapshot.groups.filter((g) => g.id !== id);
+        if (this.snapshot.groups.length === before)
+            return false;
+        await this.persist();
+        return true;
+    }
+    /** Look up the groups a user is currently a member of — used to
+     *  populate `User.groups` on read responses. */
+    groupsContaining(userId) {
+        return this.snapshot.groups
+            .filter((g) => (g.members ?? []).some((m) => m.value === userId))
+            .map((g) => ({ value: g.id, display: g.displayName }));
+    }
+    async persist() {
+        await mkdir(dirname(this.path), { recursive: true }).catch(() => undefined);
+        const tmp = `${this.path}.tmp`;
+        await writeFile(tmp, JSON.stringify(this.snapshot, null, 2), { mode: 0o600 });
+        await rename(tmp, this.path);
+    }
+}
+export class ScimValidationError extends Error {
+    scimType;
+    constructor(message, scimType) {
+        super(message);
+        this.scimType = scimType;
+        this.name = "ScimValidationError";
+    }
+}
+export class ScimNotFoundError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ScimNotFoundError";
+    }
+}
+export async function createScimStore(config = {}) {
+    const backend = (config.backend || process.env.OMCP_SCIM_BACKEND || "file");
+    if (backend === "redis") {
+        if (!config.redis) {
+            throw new Error("createScimStore: backend=redis requires a redis client. Pass config.redis (RedisLike).");
+        }
+        const { RedisScimStore } = await import("./redis-store.js");
+        const store = new RedisScimStore(config.redis, { key: config.redisKey });
+        await store.load();
+        return store;
+    }
+    const path = config.path || process.env.OMCP_SCIM_STORE || "/var/lib/observability-mcp/scim.json";
+    const store = new ScimStore(path);
+    await store.load();
+    return store;
+}

package/dist/scim/store.test.d.ts

@@ -0,0 +1 @@
+export {};