@thotischner/observability-mcp 3.0.0 → 3.0.1

package/dist/scim/redis-store.js

@@ -0,0 +1,178 @@
+// Redis-backed SCIM store — same surface as the file-backed ScimStore,
+// persists the snapshot in a single Redis key.
+//
+// Multi-replica deployments need a shared store so that a Microsoft
+// Entra / Okta SCIM-push delivered to replica A is visible to replica
+// B's reads. The file store can't do that without a shared filesystem;
+// this one targets the same Redis the F8 SessionStore + the F8b
+// transport-map ride on (Q11 promotes the transport-map onto the same
+// interface).
+//
+// Concurrency note. SCIM clients (Entra, Okta, JumpCloud, generic
+// SCIM) deliver provisioning requests SERIALLY per resource — the
+// upstream IDP holds the connection open until the gateway responds.
+// A single load-balanced gateway in front of N replicas observes one
+// in-flight request per resource at a time, so last-writer-wins on
+// the single-key snapshot matches the source-of-truth semantics of
+// SCIM provisioning. We still serialise persists within a replica
+// via a small mutex so concurrent route handlers don't lose writes
+// to each other in the read-modify-write window.
+import { randomUUID } from "node:crypto";
+import { nowIso, SCIM_SCHEMA_GROUP, SCIM_SCHEMA_USER, } from "./types.js";
+import { ScimNotFoundError, ScimValidationError } from "./store.js";
+const DEFAULT_KEY = "omcp:scim:snapshot";
+export class RedisScimStore {
+    redis;
+    key;
+    snapshot = { users: [], groups: [] };
+    bootstrapped = null;
+    writeQueue = Promise.resolve();
+    constructor(redis, opts = {}) {
+        this.redis = redis;
+        this.key = opts.key || DEFAULT_KEY;
+    }
+    async load() {
+        if (this.bootstrapped)
+            return this.bootstrapped;
+        this.bootstrapped = (async () => {
+            try {
+                const raw = await this.redis.get(this.key);
+                if (!raw) {
+                    this.snapshot = { users: [], groups: [] };
+                    return;
+                }
+                const parsed = JSON.parse(raw);
+                this.snapshot = {
+                    users: Array.isArray(parsed.users) ? parsed.users : [],
+                    groups: Array.isArray(parsed.groups) ? parsed.groups : [],
+                };
+            }
+            catch (err) {
+                console.warn(`[scim] failed to load redis snapshot ${this.key}: ${err.message} — starting empty`);
+                this.snapshot = { users: [], groups: [] };
+            }
+        })();
+        return this.bootstrapped;
+    }
+    listUsers() {
+        return this.snapshot.users.slice();
+    }
+    getUser(id) {
+        return this.snapshot.users.find((u) => u.id === id);
+    }
+    getUserByUserName(userName) {
+        return this.snapshot.users.find((u) => u.userName === userName);
+    }
+    async createUser(input) {
+        if (!input.userName)
+            throw new ScimValidationError("userName is required");
+        if (this.getUserByUserName(input.userName)) {
+            throw new ScimValidationError(`User with userName '${input.userName}' already exists`, "uniqueness");
+        }
+        const ts = nowIso();
+        const user = {
+            schemas: [SCIM_SCHEMA_USER],
+            id: randomUUID(),
+            userName: input.userName,
+            active: input.active ?? true,
+            displayName: input.displayName,
+            name: input.name,
+            emails: input.emails,
+            externalId: input.externalId,
+            meta: { resourceType: "User", created: ts, lastModified: ts },
+        };
+        this.snapshot.users.push(user);
+        await this.persist();
+        return user;
+    }
+    async updateUser(id, patch) {
+        const i = this.snapshot.users.findIndex((u) => u.id === id);
+        if (i < 0)
+            throw new ScimNotFoundError(`User ${id} not found`);
+        const next = {
+            ...this.snapshot.users[i],
+            ...patch,
+            schemas: [SCIM_SCHEMA_USER],
+            id,
+            meta: {
+                ...this.snapshot.users[i].meta,
+                lastModified: nowIso(),
+            },
+        };
+        this.snapshot.users[i] = next;
+        await this.persist();
+        return next;
+    }
+    async deleteUser(id) {
+        const before = this.snapshot.users.length;
+        this.snapshot.users = this.snapshot.users.filter((u) => u.id !== id);
+        if (this.snapshot.users.length === before)
+            return false;
+        for (const g of this.snapshot.groups) {
+            g.members = (g.members ?? []).filter((m) => m.value !== id);
+        }
+        await this.persist();
+        return true;
+    }
+    listGroups() {
+        return this.snapshot.groups.slice();
+    }
+    getGroup(id) {
+        return this.snapshot.groups.find((g) => g.id === id);
+    }
+    async createGroup(input) {
+        if (!input.displayName)
+            throw new ScimValidationError("displayName is required");
+        const ts = nowIso();
+        const group = {
+            schemas: [SCIM_SCHEMA_GROUP],
+            id: randomUUID(),
+            displayName: input.displayName,
+            members: input.members ?? [],
+            externalId: input.externalId,
+            meta: { resourceType: "Group", created: ts, lastModified: ts },
+        };
+        this.snapshot.groups.push(group);
+        await this.persist();
+        return group;
+    }
+    async updateGroup(id, patch) {
+        const i = this.snapshot.groups.findIndex((g) => g.id === id);
+        if (i < 0)
+            throw new ScimNotFoundError(`Group ${id} not found`);
+        const next = {
+            ...this.snapshot.groups[i],
+            ...patch,
+            schemas: [SCIM_SCHEMA_GROUP],
+            id,
+            meta: {
+                ...this.snapshot.groups[i].meta,
+                lastModified: nowIso(),
+            },
+        };
+        this.snapshot.groups[i] = next;
+        await this.persist();
+        return next;
+    }
+    async deleteGroup(id) {
+        const before = this.snapshot.groups.length;
+        this.snapshot.groups = this.snapshot.groups.filter((g) => g.id !== id);
+        if (this.snapshot.groups.length === before)
+            return false;
+        await this.persist();
+        return true;
+    }
+    groupsContaining(userId) {
+        return this.snapshot.groups
+            .filter((g) => (g.members ?? []).some((m) => m.value === userId))
+            .map((g) => ({ value: g.id, display: g.displayName }));
+    }
+    persist() {
+        // Serialise persists so two concurrent updateUser calls don't
+        // race each other to the SET — the snapshot in memory is the
+        // canonical state, Redis just mirrors it.
+        const snap = { users: this.snapshot.users.slice(), groups: this.snapshot.groups.slice() };
+        this.writeQueue = this.writeQueue.then(() => this.redis.set(this.key, JSON.stringify(snap)).then(() => undefined));
+        return this.writeQueue;
+    }
+}

package/dist/scim/redis-store.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scim/redis-store.test.js

@@ -0,0 +1,138 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { RedisScimStore } from "./redis-store.js";
+import { ScimNotFoundError, ScimValidationError } from "./store.js";
+/** In-memory fake of the RedisLike surface — single-key GET/SET. */
+function fakeRedis(initial) {
+    const store = new Map(Object.entries(initial || {}));
+    return {
+        _store: store,
+        _writeCount: 0,
+        async get(key) { return store.has(key) ? store.get(key) : null; },
+        async set(key, value) {
+            store.set(key, value);
+            this._writeCount += 1;
+            return "OK";
+        },
+    };
+}
+test("load() initialises empty when redis key is missing", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    assert.deepEqual(s.listUsers(), []);
+    assert.deepEqual(s.listGroups(), []);
+});
+test("load() hydrates from a serialised snapshot in redis", async () => {
+    const r = fakeRedis({
+        "omcp:scim:snapshot": JSON.stringify({
+            users: [{ id: "u1", userName: "alice@example.com", schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], meta: { resourceType: "User" } }],
+            groups: [],
+        }),
+    });
+    const s = new RedisScimStore(r);
+    await s.load();
+    assert.equal(s.listUsers().length, 1);
+    assert.equal(s.listUsers()[0].userName, "alice@example.com");
+});
+test("createUser persists to redis", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const u = await s.createUser({ userName: "bob@example.com" });
+    assert.ok(u.id);
+    assert.equal(u.userName, "bob@example.com");
+    // Persisted snapshot round-trips through redis
+    const raw = JSON.parse(r._store.get("omcp:scim:snapshot"));
+    assert.equal(raw.users.length, 1);
+    assert.equal(raw.users[0].userName, "bob@example.com");
+});
+test("createUser enforces unique userName", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    await s.createUser({ userName: "alice@example.com" });
+    await assert.rejects(s.createUser({ userName: "alice@example.com" }), ScimValidationError);
+});
+test("createUser without userName throws", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    await assert.rejects(s.createUser({}), ScimValidationError);
+});
+test("updateUser preserves id + sets lastModified to a not-earlier ts", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const u = await s.createUser({ userName: "u@x" });
+    // 2ms gap so the ISO timestamp differs even on slow CI clocks
+    await new Promise((res) => setTimeout(res, 2));
+    const u2 = await s.updateUser(u.id, { displayName: "U" });
+    assert.equal(u2.id, u.id);
+    assert.equal(u2.displayName, "U");
+    assert.ok(u2.meta.lastModified >= u.meta.lastModified);
+});
+test("updateUser missing throws ScimNotFoundError", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    await assert.rejects(s.updateUser("nope", { displayName: "x" }), ScimNotFoundError);
+});
+test("deleteUser purges the user from all group member lists", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const u = await s.createUser({ userName: "u@x" });
+    const g = await s.createGroup({ displayName: "admins", members: [{ value: u.id, display: "u@x" }] });
+    await s.deleteUser(u.id);
+    const updated = s.getGroup(g.id);
+    assert.equal(updated?.members?.length, 0);
+});
+test("group CRUD round-trip persists", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const g = await s.createGroup({ displayName: "team-alpha" });
+    assert.equal(g.displayName, "team-alpha");
+    const g2 = await s.updateGroup(g.id, { displayName: "team-beta" });
+    assert.equal(g2.displayName, "team-beta");
+    assert.equal((await s.deleteGroup(g.id)), true);
+    assert.equal((await s.deleteGroup(g.id)), false);
+});
+test("groupsContaining returns membership", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const u = await s.createUser({ userName: "u@x" });
+    const g = await s.createGroup({ displayName: "admins", members: [{ value: u.id, display: "u@x" }] });
+    const groups = s.groupsContaining(u.id);
+    assert.equal(groups.length, 1);
+    assert.equal(groups[0].value, g.id);
+    assert.equal(groups[0].display, "admins");
+});
+test("custom key is honoured", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r, { key: "custom:key" });
+    await s.load();
+    await s.createUser({ userName: "u@x" });
+    assert.ok(r._store.has("custom:key"));
+    assert.equal(r._store.has("omcp:scim:snapshot"), false);
+});
+test("concurrent writes serialise — no lost-write race", async () => {
+    const r = fakeRedis();
+    const s = new RedisScimStore(r);
+    await s.load();
+    const u1 = s.createUser({ userName: "a@x" });
+    const u2 = s.createUser({ userName: "b@x" });
+    const u3 = s.createUser({ userName: "c@x" });
+    await Promise.all([u1, u2, u3]);
+    const final = JSON.parse(r._store.get("omcp:scim:snapshot"));
+    assert.equal(final.users.length, 3);
+});
+test("malformed snapshot in redis → starts empty (warning logged)", async () => {
+    const r = fakeRedis({ "omcp:scim:snapshot": "this is not json" });
+    const s = new RedisScimStore(r);
+    await s.load();
+    assert.deepEqual(s.listUsers(), []);
+    assert.deepEqual(s.listGroups(), []);
+});

package/dist/scim/routes.d.ts

@@ -1,7 +1,8 @@
 import type { Application } from "express";
-import { ScimStore } from "./store.js";
+import { type ScimPatchRequest } from "./types.js";
+import { type IScimStore } from "./store.js";
 export interface ScimRoutesDeps {
-    store: ScimStore;
+    store: IScimStore;
     bearerToken: string;
     /** Audit hook called after every successful mutation. Best-effort. */
     audit?: (event: {
@@ -13,3 +14,27 @@ export interface ScimRoutesDeps {
     }) => void;
 }
 export declare function registerScimRoutes(app: Application, deps: ScimRoutesDeps): void;
+/** Translate a SCIM PatchOp request into a partial resource patch.
+ *
+ *  Supported (RFC 7644 §3.5.2):
+ *   - replace, no path        → whole-resource merge of allow-listed keys
+ *   - replace, path=attr      → set that attribute
+ *   - add, no path            → merge; array attrs append (deduped), scalars set
+ *   - add, path=arrayAttr     → append value(s) to the array (deduped)
+ *   - add, path=scalarAttr    → set
+ *   - remove, path=arrayAttr  → clear the array
+ *   - remove, path=arrayAttr[sub eq "x"] → drop matching elements
+ *   - remove, path=scalarAttr → clear the attribute (set undefined)
+ *
+ *  Array ops are computed against the CURRENT resource value and the
+ *  full resulting array is returned in `out` (the store merges
+ *  shallowly, so out[attr] replaces current[attr] wholesale).
+ *
+ *  Every property name written into `out` is gated through
+ *  `PATCH_ALLOWED_ATTRS` so a SCIM client can't inject __proto__ /
+ *  constructor / arbitrary fields (CodeQL js/remote-property-injection +
+ *  js/prototype-polluting-assignment). Filter sub-attributes are
+ *  read-only. */
+export declare function applyPatchOps<T extends {
+    id: string;
+}>(current: T | undefined, patch: ScimPatchRequest): Partial<T>;

package/dist/scim/routes.js

@@ -23,7 +23,11 @@ import { ScimNotFoundError, ScimValidationError } from "./store.js";
 const constantTimeBearerMatch = (raw, expected) => {
     if (!raw)
         return false;
-    const m = raw.match(/^Bearer\s+(.+)$/i);
+    // Use bounded whitespace ({1,16}) instead of `\s+` to avoid the
+    // polynomial-ReDoS class — `\s+` followed by `(.+)` backtracks on
+    // strings like "bearer<many spaces><payload>". 16 is generous;
+    // RFC 7235 only requires one space.
+    const m = raw.match(/^Bearer[ \t]{1,16}(.+)$/i);
     if (!m)
         return false;
     const a = Buffer.from(m[1].trim());
@@ -205,29 +209,171 @@ export function registerScimRoutes(app, deps) {
 function withGroups(u, store) {
     return { ...u, groups: store.groupsContaining(u.id) };
 }
-/** Translate a SCIM PatchOp into a partial resource patch. Minimal:
- *  we accept `op: "replace"` with no path (whole-resource merge) or
- *  with a single-segment path naming a top-level attribute. `add` and
- *  `remove` for members/emails arrays are a follow-up — the
- *  Entra/Okta provisioning checklists exercise replace-only on the
- *  attributes we expose. */
-function applyPatchOps(current, patch) {
+// Allow-list of attribute names patchable via SCIM PatchOp.
+// `applyPatchOps` writes into a plain object using a user-supplied
+// path/key — every key is gated through this set so a malicious
+// client can't inject __proto__ / constructor / arbitrary fields.
+const PATCH_ALLOWED_ATTRS = new Set([
+    "userName", "active", "displayName", "name", "emails", "externalId",
+    "members", "groups",
+]);
+function safePatchKey(k) {
+    return typeof k === "string" && PATCH_ALLOWED_ATTRS.has(k);
+}
+// Multi-valued attributes that support add/remove element ops + filter
+// segments. Everything else is treated as a scalar (replace/set).
+const PATCH_ARRAY_ATTRS = new Set(["members", "emails", "groups"]);
+/** Parse a PatchOp `path` into {attr, filter?}. Supports a bare
+ *  attribute (`members`) and a single `eq` filter segment
+ *  (`members[value eq "abc"]`). Returns null for anything that
+ *  doesn't name an allow-listed attribute or that we don't model —
+ *  the caller skips those ops (fail-closed). The sub-attribute in the
+ *  filter is only ever READ for comparison, never written, so it
+ *  can't drive prototype pollution. */
+function parsePatchPath(path) {
+    const filterMatch = /^([A-Za-z][\w]*)\[\s*([A-Za-z][\w]*)\s+eq\s+"([^"]*)"\s*\]$/.exec(path);
+    if (filterMatch) {
+        const attr = filterMatch[1];
+        if (!safePatchKey(attr))
+            return null;
+        return { attr, filter: { sub: filterMatch[2], val: filterMatch[3] } };
+    }
+    if (safePatchKey(path))
+        return { attr: path };
+    return null;
+}
+// Always returns a FRESH array — never the caller's reference — so the
+// add/remove machinery can push/filter without mutating the current
+// resource in place (which would corrupt it across chained ops or
+// repeated calls).
+function asArray(v) {
+    if (Array.isArray(v))
+        return v.slice();
+    if (v == null)
+        return [];
+    return [v];
+}
+/** Element identity for dedup/removal on multi-valued attrs. SCIM
+ *  members/emails carry a `value` key; fall back to JSON equality. */
+function elemKey(e) {
+    if (e && typeof e === "object" && "value" in e) {
+        return String(e.value);
+    }
+    return JSON.stringify(e);
+}
+/** Translate a SCIM PatchOp request into a partial resource patch.
+ *
+ *  Supported (RFC 7644 §3.5.2):
+ *   - replace, no path        → whole-resource merge of allow-listed keys
+ *   - replace, path=attr      → set that attribute
+ *   - add, no path            → merge; array attrs append (deduped), scalars set
+ *   - add, path=arrayAttr     → append value(s) to the array (deduped)
+ *   - add, path=scalarAttr    → set
+ *   - remove, path=arrayAttr  → clear the array
+ *   - remove, path=arrayAttr[sub eq "x"] → drop matching elements
+ *   - remove, path=scalarAttr → clear the attribute (set undefined)
+ *
+ *  Array ops are computed against the CURRENT resource value and the
+ *  full resulting array is returned in `out` (the store merges
+ *  shallowly, so out[attr] replaces current[attr] wholesale).
+ *
+ *  Every property name written into `out` is gated through
+ *  `PATCH_ALLOWED_ATTRS` so a SCIM client can't inject __proto__ /
+ *  constructor / arbitrary fields (CodeQL js/remote-property-injection +
+ *  js/prototype-polluting-assignment). Filter sub-attributes are
+ *  read-only. */
+export function applyPatchOps(current, patch) {
     if (!current)
         throw new ScimNotFoundError("target resource not found");
     if (!patch?.Operations || !Array.isArray(patch.Operations))
         return {};
+    const cur = current;
     const out = {};
+    // Read the working value for an attr: prefer an in-progress value
+    // from a prior op in this same request, else the current resource.
+    const readAttr = (attr) => (attr in out ? out[attr] : cur[attr]);
     for (const op of patch.Operations) {
-        if (op.op !== "replace")
-            continue; // skip add/remove for F21a
-        if (!op.path) {
-            // value is a partial object — merge top-level keys
-            if (op.value && typeof op.value === "object") {
-                Object.assign(out, op.value);
+        const verb = (op.op || "").toLowerCase();
+        if (verb === "replace") {
+            if (!op.path) {
+                if (op.value && typeof op.value === "object") {
+                    for (const [k, v] of Object.entries(op.value)) {
+                        if (safePatchKey(k))
+                            out[k] = v;
+                    }
+                }
+                continue;
+            }
+            const parsed = parsePatchPath(op.path);
+            if (parsed && !parsed.filter)
+                out[parsed.attr] = op.value;
+            continue;
+        }
+        if (verb === "add") {
+            if (!op.path) {
+                if (op.value && typeof op.value === "object") {
+                    for (const [k, v] of Object.entries(op.value)) {
+                        if (!safePatchKey(k))
+                            continue;
+                        if (PATCH_ARRAY_ATTRS.has(k)) {
+                            const existing = asArray(readAttr(k));
+                            const seen = new Set(existing.map(elemKey));
+                            for (const item of asArray(v)) {
+                                if (!seen.has(elemKey(item))) {
+                                    existing.push(item);
+                                    seen.add(elemKey(item));
+                                }
+                            }
+                            out[k] = existing;
+                        }
+                        else {
+                            out[k] = v;
+                        }
+                    }
+                }
+                continue;
+            }
+            const parsed = parsePatchPath(op.path);
+            if (!parsed || parsed.filter)
+                continue;
+            if (PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                const existing = asArray(readAttr(parsed.attr));
+                const seen = new Set(existing.map(elemKey));
+                for (const item of asArray(op.value)) {
+                    if (!seen.has(elemKey(item))) {
+                        existing.push(item);
+                        seen.add(elemKey(item));
+                    }
+                }
+                out[parsed.attr] = existing;
+            }
+            else {
+                out[parsed.attr] = op.value;
+            }
+            continue;
+        }
+        if (verb === "remove") {
+            if (!op.path)
+                continue; // remove with no path is a no-op (nothing to target)
+            const parsed = parsePatchPath(op.path);
+            if (!parsed)
+                continue;
+            if (parsed.filter && PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                const existing = asArray(readAttr(parsed.attr));
+                const { sub, val } = parsed.filter;
+                out[parsed.attr] = existing.filter((e) => {
+                    const ev = e && typeof e === "object" ? e[sub] : undefined;
+                    return String(ev) !== val;
+                });
+            }
+            else if (PATCH_ARRAY_ATTRS.has(parsed.attr)) {
+                out[parsed.attr] = [];
+            }
+            else {
+                out[parsed.attr] = undefined;
             }
             continue;
         }
-        out[op.path] = op.value;
     }
     return out;
 }

package/dist/scim/store.d.ts

@@ -3,7 +3,30 @@ export interface ScimSnapshot {
     users: ScimUser[];
     groups: ScimGroup[];
 }
-export declare class ScimStore {
+/**
+ * The store surface route handlers and group-role-map depend on.
+ * Both file + redis backends implement this. New backends (DynamoDB,
+ * Postgres, …) just need to satisfy these methods.
+ */
+export interface IScimStore {
+    load(): Promise<void>;
+    listUsers(): ScimUser[];
+    getUser(id: string): ScimUser | undefined;
+    getUserByUserName(userName: string): ScimUser | undefined;
+    createUser(input: Partial<ScimUser>): Promise<ScimUser>;
+    updateUser(id: string, patch: Partial<ScimUser>): Promise<ScimUser>;
+    deleteUser(id: string): Promise<boolean>;
+    listGroups(): ScimGroup[];
+    getGroup(id: string): ScimGroup | undefined;
+    createGroup(input: Partial<ScimGroup>): Promise<ScimGroup>;
+    updateGroup(id: string, patch: Partial<ScimGroup>): Promise<ScimGroup>;
+    deleteGroup(id: string): Promise<boolean>;
+    groupsContaining(userId: string): Array<{
+        value: string;
+        display?: string;
+    }>;
+}
+export declare class ScimStore implements IScimStore {
     private readonly path;
     private snapshot;
     private bootstrapped;
@@ -35,3 +58,19 @@ export declare class ScimValidationError extends Error {
 export declare class ScimNotFoundError extends Error {
     constructor(message: string);
 }
+/**
+ * Boot-time factory. Reads OMCP_SCIM_BACKEND and returns the matching
+ * implementation. Loadbearing on Helm too — values.yaml exposes a
+ * scim.backend toggle that ends up as the env var.
+ *
+ * config.path  — file backend storage path (file backend only).
+ * config.redis — RedisLike client (redis backend only).
+ * config.redisKey — override default key name.
+ */
+export interface CreateScimStoreConfig {
+    backend?: "file" | "redis";
+    path?: string;
+    redis?: import("./redis-store.js").RedisLike;
+    redisKey?: string;
+}
+export declare function createScimStore(config?: CreateScimStoreConfig): Promise<IScimStore>;

package/dist/scim/store.js

@@ -1,9 +1,11 @@
-// SCIM store — file-backed JSON for users + groups.
+// SCIM store — file-backed JSON for users + groups (default), with a
+// Redis-backed alternative for multi-replica deployments behind the
+// `OMCP_SCIM_BACKEND=redis` env / `scim.backend: redis` Helm value.
 //
-// F21a uses an on-disk JSON file (atomic tmp+rename, mode 0600).
-// Multi-replica deployments should plug the F8 SessionStore in here
-// — that's F21b. The interface intentionally mirrors what the
-// SessionStore exposes so the swap is purely additive.
+// F21a shipped the on-disk JSON file (atomic tmp+rename, mode 0600).
+// F21b (Q6) adds the Redis variant + the IScimStore interface every
+// route handler now talks to. The factory `createScimStore` picks
+// the implementation at boot; everything downstream is unchanged.
 import { readFile, writeFile, mkdir, rename } from "node:fs/promises";
 import { dirname } from "node:path";
 import { randomUUID } from "node:crypto";
@@ -176,3 +178,19 @@ export class ScimNotFoundError extends Error {
         this.name = "ScimNotFoundError";
     }
 }
+export async function createScimStore(config = {}) {
+    const backend = (config.backend || process.env.OMCP_SCIM_BACKEND || "file");
+    if (backend === "redis") {
+        if (!config.redis) {
+            throw new Error("createScimStore: backend=redis requires a redis client. Pass config.redis (RedisLike).");
+        }
+        const { RedisScimStore } = await import("./redis-store.js");
+        const store = new RedisScimStore(config.redis, { key: config.redisKey });
+        await store.load();
+        return store;
+    }
+    const path = config.path || process.env.OMCP_SCIM_STORE || "/var/lib/observability-mcp/scim.json";
+    const store = new ScimStore(path);
+    await store.load();
+    return store;
+}