@tideorg/mcp 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/GAP_REGISTER.md +117 -0
  2. package/README.md +38 -0
  3. package/adapters/AGENTS.md +241 -0
  4. package/adapters/CLAUDE.md +146 -0
  5. package/adapters/replit.md +224 -0
  6. package/canon/anti-patterns.md +2133 -0
  7. package/canon/concepts.md +816 -0
  8. package/canon/custom-contracts.md +533 -0
  9. package/canon/delegation.md +195 -0
  10. package/canon/feature-mapping.md +637 -0
  11. package/canon/framework-matrix.md +1125 -0
  12. package/canon/invariants.md +851 -0
  13. package/canon/redirect-handler.md +254 -0
  14. package/canon/tidecloak-bootstrap.md +287 -0
  15. package/canon/tidecloak-endpoints.md +294 -0
  16. package/canon/troubleshooting.md +1494 -0
  17. package/canon/version-policy.md +89 -0
  18. package/mcp-server/dist/index.d.ts +2 -0
  19. package/mcp-server/dist/index.js +605 -0
  20. package/package.json +45 -0
  21. package/playbooks/add-auth-nextjs-existing.md +799 -0
  22. package/playbooks/add-auth-nextjs-fresh.md +654 -0
  23. package/playbooks/add-rbac-nextjs.md +190 -0
  24. package/playbooks/bootstrap-realm-from-template.md +170 -0
  25. package/playbooks/configure-e2ee-roles-and-policies.md +196 -0
  26. package/playbooks/deploy-tidecloak-docker.md +792 -0
  27. package/playbooks/diagnose-broken-login.md +234 -0
  28. package/playbooks/diagnose-missing-roles-or-claims.md +253 -0
  29. package/playbooks/initialize-admin-and-link-account.md +235 -0
  30. package/playbooks/migrate-from-existing-auth.md +198 -0
  31. package/playbooks/protect-api-nextjs.md +451 -0
  32. package/playbooks/protect-routes-nextjs.md +544 -0
  33. package/playbooks/setup-forseti-e2ee.md +756 -0
  34. package/playbooks/setup-iga-admin-panel.md +344 -0
  35. package/playbooks/setup-server-delegation.md +142 -0
  36. package/playbooks/start-tidecloak-dev.md +130 -0
  37. package/playbooks/verify-jwt-server-side.md +439 -0
  38. package/prompts/add-admin-approval-flow.md +50 -0
  39. package/prompts/build-private-customer-portal.md +85 -0
  40. package/prompts/migrate-generic-auth-to-tide.md +67 -0
  41. package/prompts/secure-existing-app.md +80 -0
  42. package/reference-apps/INDEX.md +87 -0
  43. package/reference-apps/encrypted-communication/anti-patterns.md +123 -0
  44. package/reference-apps/encrypted-communication/bootstrap-sequence.md +152 -0
  45. package/reference-apps/encrypted-communication/manifest.yaml +100 -0
  46. package/reference-apps/encrypted-communication/role-policy-matrix.md +80 -0
  47. package/reference-apps/encrypted-communication/scenario.md +134 -0
  48. package/reference-apps/git-pr-signing-service/anti-patterns.md +61 -0
  49. package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +157 -0
  50. package/reference-apps/git-pr-signing-service/manifest.yaml +80 -0
  51. package/reference-apps/git-pr-signing-service/role-policy-matrix.md +99 -0
  52. package/reference-apps/git-pr-signing-service/scenario.md +169 -0
  53. package/reference-apps/iga-admin-governance/anti-patterns.md +133 -0
  54. package/reference-apps/iga-admin-governance/bootstrap-sequence.md +153 -0
  55. package/reference-apps/iga-admin-governance/manifest.yaml +87 -0
  56. package/reference-apps/iga-admin-governance/role-policy-matrix.md +67 -0
  57. package/reference-apps/iga-admin-governance/scenario.md +126 -0
  58. package/reference-apps/organisation-password-manager/anti-patterns.md +71 -0
  59. package/reference-apps/organisation-password-manager/bootstrap-sequence.md +127 -0
  60. package/reference-apps/organisation-password-manager/manifest.yaml +86 -0
  61. package/reference-apps/organisation-password-manager/role-policy-matrix.md +59 -0
  62. package/reference-apps/organisation-password-manager/scenario.md +107 -0
  63. package/reference-apps/policy-governed-signing/anti-patterns.md +67 -0
  64. package/reference-apps/policy-governed-signing/bootstrap-sequence.md +128 -0
  65. package/reference-apps/policy-governed-signing/manifest.yaml +78 -0
  66. package/reference-apps/policy-governed-signing/role-policy-matrix.md +62 -0
  67. package/reference-apps/policy-governed-signing/scenario.md +113 -0
  68. package/skills/tide-diagnostics/SKILL.md +99 -0
  69. package/skills/tide-integration/SKILL.md +136 -0
  70. package/skills/tide-learning-capture/SKILL.md +174 -0
  71. package/skills/tide-rbac-and-e2ee/SKILL.md +214 -0
  72. package/skills/tide-reviewer/SKILL.md +133 -0
  73. package/skills/tide-route-and-api-protection/SKILL.md +201 -0
  74. package/skills/tide-scenario-resolver/SKILL.md +81 -0
  75. package/skills/tide-setup/SKILL.md +218 -0
  76. package/skills/tide-solutions-architect/SKILL.md +130 -0
@@ -0,0 +1,224 @@
1
+ # Tide Agent Adapter — Replit / Beginner
2
+
3
+ Instructions for AI coding agents helping beginner builders add Tide to their apps. Prioritize safety, clarity, and small correct steps.
4
+
5
+ ---
6
+
7
+ ## Before You Touch Any Code
8
+
9
+ **Disambiguate first.** If the request could mean multiple things (self-encryption vs shared, fresh app vs existing, setup vs diagnosis), resolve the ambiguity before writing code. Ask the user if needed. Do not silently pick one path.
10
+
11
+ **Inspect first.** Do not edit until you understand the current state.
12
+
13
+ ### Check 1: Is Tide installed?
14
+
15
+ ```bash
16
+ grep '@tidecloak' package.json
17
+ ```
18
+
19
+ If no result: the app does not use Tide yet. Go to **"App Is Not Tide-Enabled"** below.
20
+
21
+ ### Check 2: Is the provider set up?
22
+
23
+ ```bash
24
+ grep 'TideCloakProvider\|TideCloakContextProvider' app/layout.tsx app/providers.tsx 2>/dev/null
25
+ ```
26
+
27
+ If no result: Tide SDK is installed but not wired in. Use playbook `add-auth-nextjs-fresh`.
28
+
29
+ ### Check 3: Does adapter JSON exist?
30
+
31
+ The file must be named `tidecloak.json`. Not `adapter.json`. Not `keycloak.json`.
32
+
33
+ ```bash
34
+ # Next.js: check data/
35
+ test -f data/tidecloak.json && echo "Found" || echo "Missing in data/"
36
+ # React/Vite or Vanilla JS: check public/
37
+ test -f public/tidecloak.json && echo "Found" || echo "Missing in public/"
38
+ # Wrong filename?
39
+ ls data/adapter.json public/adapter.json 2>/dev/null && echo "WRONG NAME — rename to tidecloak.json"
40
+ ```
41
+
42
+ If missing: the builder has not exported their configuration from TideCloak. They need to do that before any Tide code will work.
43
+
44
+ ---
45
+
46
+ ## If the App Is Not Tide-Enabled
47
+
48
+ **Stop.** Do not try to diagnose login issues, fix auth errors, or add features.
49
+
50
+ The app needs setup first. Two paths:
51
+
52
+ **Generated app (default)**: If the project has an init script (`npm run init` in package.json):
53
+ ```
54
+ npm install
55
+ npm run init # starts TideCloak, creates realm, exports tidecloak.json
56
+ npm run dev
57
+ ```
58
+
59
+ **Manual bootstrap (no init script)**: Direct the builder to:
60
+ 1. Get TideCloak running:
61
+ - `start-tidecloak-dev` — start the Docker container
62
+ - `bootstrap-realm-from-template` — create realm and enable IGA
63
+ - `initialize-admin-and-link-account` — create admin, link account, export adapter JSON
64
+ 2. Add Tide auth to their app (playbook: `add-auth-nextjs-fresh`)
65
+
66
+ Everything else depends on bootstrap completing first. TideCloak must be running with a configured realm before app integration.
67
+
68
+ ---
69
+
70
+ ## Core Safety Rules
71
+
72
+ These are firm. Do not bend them for convenience.
73
+
74
+ ### 1. Hiding UI is not authorization
75
+
76
+ Showing or hiding a button based on a role check (`hasRealmRole('admin')`) does **not** protect anything. Anyone can call the API directly and bypass the UI. The SDK exports `hasRealmRole(role)` for realm roles and `hasClientRole(role, client?)` for client roles — there is no generic `hasRole()` on the hook.
77
+
78
+ **Real authorization** means verifying the JWT token on the server, in every API route that returns or modifies sensitive data.
79
+
80
+ ### 2. Protected APIs need server-side verification
81
+
82
+ Every API route that handles sensitive data must:
83
+ - Extract the JWT from the `Authorization` header
84
+ - Verify the signature using embedded JWKS from adapter JSON
85
+ - Check the role claims on the verified token
86
+ - Return 401 or 403 if verification fails
87
+
88
+ Use playbook `protect-api-nextjs` for the full procedure.
89
+
90
+ ### 3. Do not invent auth
91
+
92
+ Do not create:
93
+ - Your own login system alongside Tide
94
+ - Plain-text role cookies
95
+ - Local role-checking middleware that skips JWT verification
96
+ - Fake auth helpers that always return true
97
+
98
+ Tide handles authentication and provides threshold-signed JWTs. Your job is to verify those JWTs server-side.
99
+
100
+ ### 4. Do not skip DPoP
101
+
102
+ DPoP binds the access token to the browser session. Without it, stolen tokens can be replayed. Playbook `add-auth-nextjs-fresh` covers DPoP provider configuration.
103
+
104
+ ---
105
+
106
+ ## Choosing What to Do
107
+
108
+ Pick the smallest correct playbook for the builder's current need.
109
+
110
+ | Builder says... | Use this playbook |
111
+ |----------------|-------------------|
112
+ | "I want to add login to my app" | `add-auth-nextjs-fresh` |
113
+ | "My app already has auth, I want Tide" | `add-auth-nextjs-existing` |
114
+ | "I want to protect certain pages" | `protect-routes-nextjs` |
115
+ | "I want to protect my API" | `protect-api-nextjs` |
116
+ | "I need admin vs user roles" | `add-rbac-nextjs` |
117
+ | "Login is broken" | `diagnose-broken-login` |
118
+ | "Roles aren't showing up" | `diagnose-missing-roles-or-claims` |
119
+
120
+ ### Bootstrap sequence (if TideCloak not running)
121
+
122
+ **If init script exists**: `npm run init` handles everything.
123
+
124
+ **If no init script** (manual):
125
+ 1. `start-tidecloak-dev` — start TideCloak
126
+ 2. `bootstrap-realm-from-template` — create realm
127
+ 3. `initialize-admin-and-link-account` — set up admin, export adapter JSON
128
+
129
+ ### Standard build sequence for a new app
130
+
131
+ 1. `add-auth-nextjs-fresh` — get login working
132
+ 2. `protect-routes-nextjs` — redirect unauthorized users (UI only)
133
+ 3. `protect-api-nextjs` — real server-side protection
134
+ 4. `verify-jwt-server-side` — complete JWT + DPoP code
135
+ 5. `add-rbac-nextjs` — role-based access control
136
+
137
+ Bootstrap must complete before the build sequence. Do not skip step 3. Steps 1 and 2 alone provide zero API security.
138
+
139
+ ---
140
+
141
+ ## Preserve Existing App Behavior
142
+
143
+ When adding Tide to an existing app:
144
+
145
+ - Do not remove existing routes or pages
146
+ - Do not restructure the project layout unless required
147
+ - Add Tide as a layer — provider wrapping the app, verification in API routes
148
+ - Keep changes minimal and reversible
149
+ - Test that existing non-auth functionality still works after each step
150
+
151
+ ---
152
+
153
+ ## What These Terms Mean
154
+
155
+ | Term | Plain meaning |
156
+ |------|--------------|
157
+ | **UI gating** | Showing/hiding buttons based on login state. Not real security. |
158
+ | **Route guard** | Redirecting to login page if not logged in. Not real API security. |
159
+ | **Server-side JWT verification** | Checking the cryptographic signature of the token on the server. This is real security. |
160
+ | **Adapter JSON** | A config file exported from TideCloak containing keys and endpoints your app needs. |
161
+ | **DPoP** | A security feature that ties your access token to your browser session so it can't be stolen and reused. |
162
+ | **IGA** | Multi-admin approval system. Admin changes need multiple approvals before they take effect. |
163
+ | **SWE iframe** | An invisible browser frame that handles cryptographic operations. If CSP blocks it, login hangs. |
164
+ | **Redirect handler** | A page at your app's redirect URI that receives the auth code after login. Without it, login looks broken. |
165
+
166
+ ---
167
+
168
+ ## Common Mistakes (and Fixes)
169
+
170
+ ### "Login hangs forever"
171
+
172
+ Usually a CSP issue. The SWE iframe is being blocked.
173
+
174
+ Fix: set CSP `frame-src '*'` in your app configuration. See playbook `diagnose-broken-login`.
175
+
176
+ ### "I added role checks but anyone can still access the API"
177
+
178
+ You added UI gating, not real authorization. The `hasRealmRole()` / `hasClientRole()` check only hides buttons — it does not protect the API endpoint.
179
+
180
+ Fix: add server-side JWT verification to the API route. See playbook `protect-api-nextjs`.
181
+
182
+ ### "Import error with @tidecloak/verify"
183
+
184
+ The package is CJS, not ESM. Named imports like `import { verifyTideCloakToken }` will fail. See `canon/framework-matrix.md` for the correct default-import interop pattern.
185
+
186
+ ### "Missing jwk field in adapter JSON"
187
+
188
+ IGA is not enabled on the realm. The `jwk` field only appears when IGA is active. Enable IGA via TideCloak admin console, then re-export adapter JSON.
189
+
190
+ ### "Build error with @tidecloak/js in Next.js"
191
+
192
+ Webpack needs a config workaround for incomplete re-exports. See `canon/framework-matrix.md` (Webpack Workaround section).
193
+
194
+ ---
195
+
196
+ ## Quick Reference
197
+
198
+ - **CSP**: `frame-src '*'` required. Without it, login hangs.
199
+ - **`silent-check-sso.html`**: Must be in `public/` folder.
200
+ - **Redirect handler**: A page must exist at your app's redirect URI path (default `/auth/redirect`). Without it, login ends on a 404. See `canon/redirect-handler.md`.
201
+ - **Setup order**: License first, then IGA, then E2EE. No shortcuts.
202
+ - **`_tide_enabled` role**: Must exist in realm.json. Not auto-created.
203
+ - **DPoP**: ES256 is the default. Always enable it.
204
+ - **Adapter JSON**: Export from TideCloak using provider ID `keycloak-oidc-keycloak-json`.
205
+
206
+ ---
207
+
208
+ ## Review Before Handoff
209
+
210
+ Before handing completed work to the user, check:
211
+ - [ ] Protected APIs verify JWT server-side (not just UI gating)
212
+ - [ ] `createLocalJWKSet` used, not `createRemoteJWKSet`
213
+ - [ ] DPoP configured on both server (realm template) and client (provider config)
214
+ - [ ] No hardcoded admin credentials in generated app code
215
+ - [ ] Bootstrap is fully complete (user with `tideUserKey` exists, adapter exported)
216
+
217
+ ---
218
+
219
+ ## When You Are Not Sure
220
+
221
+ - If the playbook covers it, follow the playbook.
222
+ - If the playbook adds a caveat, preserve the caveat in your output.
223
+ - If you cannot find the answer in canon or playbooks, say "I'm not sure about this — it may not be documented yet" rather than guessing.
224
+ - Do not present unresolved items as settled facts.