@tideorg/mcp 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/GAP_REGISTER.md +117 -0
  2. package/README.md +38 -0
  3. package/adapters/AGENTS.md +241 -0
  4. package/adapters/CLAUDE.md +146 -0
  5. package/adapters/replit.md +224 -0
  6. package/canon/anti-patterns.md +2133 -0
  7. package/canon/concepts.md +816 -0
  8. package/canon/custom-contracts.md +533 -0
  9. package/canon/delegation.md +195 -0
  10. package/canon/feature-mapping.md +637 -0
  11. package/canon/framework-matrix.md +1125 -0
  12. package/canon/invariants.md +851 -0
  13. package/canon/redirect-handler.md +254 -0
  14. package/canon/tidecloak-bootstrap.md +287 -0
  15. package/canon/tidecloak-endpoints.md +294 -0
  16. package/canon/troubleshooting.md +1494 -0
  17. package/canon/version-policy.md +89 -0
  18. package/mcp-server/dist/index.d.ts +2 -0
  19. package/mcp-server/dist/index.js +605 -0
  20. package/package.json +45 -0
  21. package/playbooks/add-auth-nextjs-existing.md +799 -0
  22. package/playbooks/add-auth-nextjs-fresh.md +654 -0
  23. package/playbooks/add-rbac-nextjs.md +190 -0
  24. package/playbooks/bootstrap-realm-from-template.md +170 -0
  25. package/playbooks/configure-e2ee-roles-and-policies.md +196 -0
  26. package/playbooks/deploy-tidecloak-docker.md +792 -0
  27. package/playbooks/diagnose-broken-login.md +234 -0
  28. package/playbooks/diagnose-missing-roles-or-claims.md +253 -0
  29. package/playbooks/initialize-admin-and-link-account.md +235 -0
  30. package/playbooks/migrate-from-existing-auth.md +198 -0
  31. package/playbooks/protect-api-nextjs.md +451 -0
  32. package/playbooks/protect-routes-nextjs.md +544 -0
  33. package/playbooks/setup-forseti-e2ee.md +756 -0
  34. package/playbooks/setup-iga-admin-panel.md +344 -0
  35. package/playbooks/setup-server-delegation.md +142 -0
  36. package/playbooks/start-tidecloak-dev.md +130 -0
  37. package/playbooks/verify-jwt-server-side.md +439 -0
  38. package/prompts/add-admin-approval-flow.md +50 -0
  39. package/prompts/build-private-customer-portal.md +85 -0
  40. package/prompts/migrate-generic-auth-to-tide.md +67 -0
  41. package/prompts/secure-existing-app.md +80 -0
  42. package/reference-apps/INDEX.md +87 -0
  43. package/reference-apps/encrypted-communication/anti-patterns.md +123 -0
  44. package/reference-apps/encrypted-communication/bootstrap-sequence.md +152 -0
  45. package/reference-apps/encrypted-communication/manifest.yaml +100 -0
  46. package/reference-apps/encrypted-communication/role-policy-matrix.md +80 -0
  47. package/reference-apps/encrypted-communication/scenario.md +134 -0
  48. package/reference-apps/git-pr-signing-service/anti-patterns.md +61 -0
  49. package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +157 -0
  50. package/reference-apps/git-pr-signing-service/manifest.yaml +80 -0
  51. package/reference-apps/git-pr-signing-service/role-policy-matrix.md +99 -0
  52. package/reference-apps/git-pr-signing-service/scenario.md +169 -0
  53. package/reference-apps/iga-admin-governance/anti-patterns.md +133 -0
  54. package/reference-apps/iga-admin-governance/bootstrap-sequence.md +153 -0
  55. package/reference-apps/iga-admin-governance/manifest.yaml +87 -0
  56. package/reference-apps/iga-admin-governance/role-policy-matrix.md +67 -0
  57. package/reference-apps/iga-admin-governance/scenario.md +126 -0
  58. package/reference-apps/organisation-password-manager/anti-patterns.md +71 -0
  59. package/reference-apps/organisation-password-manager/bootstrap-sequence.md +127 -0
  60. package/reference-apps/organisation-password-manager/manifest.yaml +86 -0
  61. package/reference-apps/organisation-password-manager/role-policy-matrix.md +59 -0
  62. package/reference-apps/organisation-password-manager/scenario.md +107 -0
  63. package/reference-apps/policy-governed-signing/anti-patterns.md +67 -0
  64. package/reference-apps/policy-governed-signing/bootstrap-sequence.md +128 -0
  65. package/reference-apps/policy-governed-signing/manifest.yaml +78 -0
  66. package/reference-apps/policy-governed-signing/role-policy-matrix.md +62 -0
  67. package/reference-apps/policy-governed-signing/scenario.md +113 -0
  68. package/skills/tide-diagnostics/SKILL.md +99 -0
  69. package/skills/tide-integration/SKILL.md +136 -0
  70. package/skills/tide-learning-capture/SKILL.md +174 -0
  71. package/skills/tide-rbac-and-e2ee/SKILL.md +214 -0
  72. package/skills/tide-reviewer/SKILL.md +133 -0
  73. package/skills/tide-route-and-api-protection/SKILL.md +201 -0
  74. package/skills/tide-scenario-resolver/SKILL.md +81 -0
  75. package/skills/tide-setup/SKILL.md +218 -0
  76. package/skills/tide-solutions-architect/SKILL.md +130 -0
@@ -0,0 +1,294 @@
1
+ # TideCloak Extension Endpoints - Canon
2
+
3
+ Complete reference of all REST endpoints added by TideCloak extensions. These are in addition to standard Keycloak endpoints.
4
+
5
+ Admin endpoints require a Bearer token with `manage-realm` or `manage-users` permission.
6
+ Public endpoints require no authentication.
7
+
8
+ ---
9
+
10
+ ## URL Patterns
11
+
12
+ - Admin API: `/admin/realms/{realm}/{provider-id}/{path}`
13
+ - Public realm: `/realms/{realm}/{provider-id}/{path}`
14
+
15
+ ---
16
+
17
+ ## App Developer Endpoints
18
+
19
+ These are the endpoints app developers interact with most frequently.
20
+
21
+ ### Adapter JSON Export
22
+
23
+ ```
24
+ GET /admin/realms/{realm}/vendorResources/get-installations-provider
25
+ ?clientId={uuid}&providerId=keycloak-oidc-keycloak-json
26
+ ```
27
+
28
+ Returns the client adapter JSON with Tide-specific fields (`jwk`, `vendorId`, `homeOrkUrl`, `client-origin-auth-*`). The `jwk` field is only present when IGA is enabled. Save as `data/tidecloak.json`.
29
+
30
+ ### Public Tide Config
31
+
32
+ ```
33
+ GET /realms/{realm}/public/get-tide-config?clientId={clientId}
34
+ ```
35
+
36
+ Public endpoint. Returns `vendorId`, `homeOrkUrl`, client auth origins, and branding URLs for a client. No auth required.
37
+
38
+ ### Admin Policy (for E2EE)
39
+
40
+ ```
41
+ GET /realms/{realm}/tide-policy-resources/admin-policy
42
+ ```
43
+
44
+ Public endpoint. Returns the base64-encoded admin policy needed for policy-based encryption operations. Also available as `/admin-policy/bytes` (raw) and `/admin-policy/display` (human-readable).
45
+
46
+ ### Role Policy
47
+
48
+ ```
49
+ GET /realms/{realm}/tide-policy-resources/policy?roleId={id}&clientId={id}
50
+ ```
51
+
52
+ Public endpoint. Returns the Midgard policy for a specific role on a client.
53
+
54
+ ### Vouchers
55
+
56
+ ```
57
+ POST /realms/{realm}/tidevouchers/fromUserSession?sessionId={sid}
58
+ ```
59
+
60
+ Gets vouchers for a user session. Role-based: `signin`/`updateaccount` always allowed; `vendorsign` requires `_tide_*` or authorizer role; `vendordecrypt` requires `_tide_*.selfdecrypt` role. The SDK constructs this URL internally.
61
+
62
+ ```
63
+ POST /realms/{realm}/tidevouchers/fromAuthSession?sessionId={sid}&tabId={tab}&clientId={id}
64
+ ```
65
+
66
+ Gets vouchers during authentication flow (login).
67
+
68
+ ### DPoP Auth Page
69
+
70
+ ```
71
+ GET /realms/{realm}/tide-idp-resources/clientIframe/iss/{iss}/aud/{aud}/tide_dpop_auth.html
72
+ ```
73
+
74
+ Serves the DPoP authentication iframe HTML. `iss` and `aud` are hex-encoded. The SDK uses this internally.
75
+
76
+ ### Token Exchange (Delegation)
77
+
78
+ ```
79
+ POST /realms/{realm}/protocol/openid-connect/token
80
+ ```
81
+
82
+ Standard OIDC token endpoint used for delegation token exchange:
83
+ - `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`
84
+ - `subject_token=<user access token>`
85
+ - `actor_token=<browser-signed delegation request>`
86
+ - `dpop_approval=<session key approval>`
87
+ - `DPoP` header: server's DPoP proof
88
+
89
+ See `canon/delegation.md` for full flow.
90
+
91
+ ---
92
+
93
+ ## Bootstrap Endpoints
94
+
95
+ Used during realm initialization. Typically called by the init script, not by app code.
96
+
97
+ ### Realm Setup
98
+
99
+ ```
100
+ POST /admin/realms/{realm}/vendorResources/setUpTideRealm
101
+ Content-Type: application/x-www-form-urlencoded
102
+ Body: email=admin@yourorg.com
103
+ ```
104
+
105
+ Full Tide realm setup: creates IDP, key provider, gets free-tier license. `isRagnarokEnabled` optional (default true). Content-Type MUST be form-encoded, not JSON.
106
+
107
+ ### Enable IGA
108
+
109
+ ```
110
+ POST /admin/realms/{realm}/tide-admin/toggle-iga
111
+ Content-Type: application/x-www-form-urlencoded
112
+ Body: isIGAEnabled=true
113
+ ```
114
+
115
+ Enables IGA governance for the realm. Sets EdDSA signature algorithm, configures Tide protocol mappers.
116
+
117
+ ### Sign IDP Settings
118
+
119
+ ```
120
+ POST /admin/realms/{realm}/vendorResources/sign-idp-settings
121
+ ```
122
+
123
+ Signs all Tide IDP settings with the VRK. Required after any IDP config change (logo, background, admin domain, client origins). Without this, the ORK enclave rejects settings as unsigned.
124
+
125
+ ### Admin Invite Link
126
+
127
+ ```
128
+ POST /admin/realms/{realm}/tideAdminResources/get-required-action-link
129
+ ?userId={id}&redirectUri={uri}&clientId={id}&lifespan=43200
130
+ Body: ["link-tide-account-action"]
131
+ ```
132
+
133
+ Generates a link for the admin user to link their Tide account. Time-limited (default 12 hours).
134
+
135
+ ---
136
+
137
+ ## IGA Change-Set Endpoints
138
+
139
+ Used for multi-admin governance approval flows.
140
+
141
+ ### List Pending Changes
142
+
143
+ ```
144
+ GET /admin/realms/{realm}/tide-admin/change-set/users/requests
145
+ GET /admin/realms/{realm}/tide-admin/change-set/roles/requests
146
+ GET /admin/realms/{realm}/tide-admin/change-set/clients/requests
147
+ GET /admin/realms/{realm}/tide-admin/change-set/groups/requests
148
+ GET /admin/realms/{realm}/tide-admin/change-set/all/requests
149
+ GET /admin/realms/{realm}/tide-admin/change-set/counts
150
+ ```
151
+
152
+ ### Sign and Commit
153
+
154
+ ```
155
+ POST /admin/realms/{realm}/tide-admin/change-set/sign
156
+ Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
157
+
158
+ POST /admin/realms/{realm}/tide-admin/change-set/commit
159
+ Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
160
+ ```
161
+
162
+ Batch variants: `/sign/batch` and `/commit/batch` with `{ "changeSets": [...] }`.
163
+
164
+ ### Cancel
165
+
166
+ ```
167
+ POST /admin/realms/{realm}/tide-admin/change-set/cancel
168
+ Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
169
+ ```
170
+
171
+ ### Approve/Reject (multi-admin)
172
+
173
+ ```
174
+ POST /admin/realms/{realm}/tideAdminResources/add-review
175
+ Content-Type: multipart/form-data
176
+ Fields: changeSetId, changeSetType, actionType, requests
177
+
178
+ POST /admin/realms/{realm}/tide-admin/add-rejection
179
+ Content-Type: multipart/form-data
180
+ Fields: changeSetId, actionType, changeSetType
181
+ ```
182
+
183
+ Note: `add-review` and `add-rejection` use `multipart/form-data`. All other change-set endpoints use JSON.
184
+
185
+ ### Activity and Comments
186
+
187
+ ```
188
+ GET /admin/realms/{realm}/tide-admin/change-set/{id}/activity
189
+ POST /admin/realms/{realm}/tide-admin/change-set/{id}/comments
190
+ Body: { "comment": "..." }
191
+ ```
192
+
193
+ ---
194
+
195
+ ## Policy and Contract Endpoints
196
+
197
+ ### Policy Templates
198
+
199
+ ```
200
+ POST /admin/realms/{realm}/tide-admin/policy-templates
201
+ GET /admin/realms/{realm}/tide-admin/policy-templates
202
+ PUT /admin/realms/{realm}/tide-admin/policy-templates/{id}
203
+ DELETE /admin/realms/{realm}/tide-admin/policy-templates/{id}
204
+ ```
205
+
206
+ Body: `{ name, description, contractCode, modelId, parameters }`
207
+
208
+ ### Realm Policy
209
+
210
+ ```
211
+ GET /admin/realms/{realm}/tide-admin/realm-policy
212
+ POST /admin/realms/{realm}/tide-admin/realm-policy/pending
213
+ POST /admin/realms/{realm}/tide-admin/realm-policy/commit
214
+ POST /admin/realms/{realm}/tide-admin/realm-policy/request-delete
215
+ POST /admin/realms/{realm}/tide-admin/realm-policy/commit-delete
216
+ DELETE /admin/realms/{realm}/tide-admin/realm-policy
217
+ ```
218
+
219
+ ### SSH Policies (per-role)
220
+
221
+ ```
222
+ PUT /admin/realms/{realm}/tide-admin/ssh-policies
223
+ GET /admin/realms/{realm}/tide-admin/ssh-policies
224
+ DELETE /admin/realms/{realm}/tide-admin/ssh-policies?roleId={id}
225
+ ```
226
+
227
+ Body: `{ roleId, contractCode, approvalType, executionType, threshold, policyData }`
228
+
229
+ ### Forseti Contracts
230
+
231
+ ```
232
+ PUT /admin/realms/{realm}/tide-admin/forseti-contracts
233
+ GET /admin/realms/{realm}/tide-admin/forseti-contracts
234
+ ```
235
+
236
+ Body: `{ contractCode, name }`
237
+
238
+ ### Role Init Cert
239
+
240
+ ```
241
+ POST /admin/realms/{realm}/tide-admin/role-policy/{roleId}/init-cert
242
+ Body: { initCert, initCertSig }
243
+ ```
244
+
245
+ ---
246
+
247
+ ## VRK and Licensing Endpoints
248
+
249
+ Infrastructure-level. Used during initial setup and license rotation.
250
+
251
+ ```
252
+ POST /admin/realms/{realm}/vendorResources/generate-initial-key
253
+ POST /admin/realms/{realm}/vendorResources/generate-initial-vrk-v1
254
+ POST /admin/realms/{realm}/vendorResources/confirm-initial-vrk
255
+ POST /admin/realms/{realm}/vendorResources/rotate-vrk
256
+ POST /admin/realms/{realm}/vendorResources/switch-vrk
257
+ POST /admin/realms/{realm}/vendorResources/requestFreeTierLicense
258
+ GET /admin/realms/{realm}/vendorResources/isPendingLicenseActive
259
+ GET /admin/realms/{realm}/vendorResources/getLicenseDetails
260
+ GET /admin/realms/{realm}/vendorResources/licenseHistory
261
+ ```
262
+
263
+ ---
264
+
265
+ ## Utility Endpoints
266
+
267
+ ```
268
+ POST /admin/realms/{realm}/vendorResources/sign-message
269
+ FormParam: data
270
+
271
+ GET /admin/realms/{realm}/vendorResources/get-tide-jwk
272
+
273
+ POST /admin/realms/{realm}/tide-admin/generate-default-user-context
274
+ Body: [clientId1, clientId2, ...]
275
+
276
+ POST /admin/realms/{realm}/tide-admin/what-if-token
277
+ Body: { changeSetType, actionType, userId, clientId }
278
+
279
+ GET /admin/realms/{realm}/tide-admin/user-context/{userId}/{clientId}
280
+ GET /admin/realms/{realm}/tide-admin/change-set/{changeSetId}/user-context
281
+ ```
282
+
283
+ ---
284
+
285
+ ## Branding Endpoints
286
+
287
+ ```
288
+ POST /admin/realms/{realm}/tide-idp-admin-resources/images/upload
289
+ Multipart: fileData, fileName, fileType
290
+
291
+ DELETE /admin/realms/{realm}/tide-idp-admin-resources/images/{type}/delete
292
+ GET /admin/realms/{realm}/tide-idp-admin-resources/images/{type}/name
293
+ GET /realms/{realm}/tide-idp-resources/images/{type}
294
+ ```