@tideorg/mcp 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/GAP_REGISTER.md +117 -0
- package/README.md +38 -0
- package/adapters/AGENTS.md +241 -0
- package/adapters/CLAUDE.md +146 -0
- package/adapters/replit.md +224 -0
- package/canon/anti-patterns.md +2133 -0
- package/canon/concepts.md +816 -0
- package/canon/custom-contracts.md +533 -0
- package/canon/delegation.md +195 -0
- package/canon/feature-mapping.md +637 -0
- package/canon/framework-matrix.md +1125 -0
- package/canon/invariants.md +851 -0
- package/canon/redirect-handler.md +254 -0
- package/canon/tidecloak-bootstrap.md +287 -0
- package/canon/tidecloak-endpoints.md +294 -0
- package/canon/troubleshooting.md +1494 -0
- package/canon/version-policy.md +89 -0
- package/mcp-server/dist/index.d.ts +2 -0
- package/mcp-server/dist/index.js +605 -0
- package/package.json +45 -0
- package/playbooks/add-auth-nextjs-existing.md +799 -0
- package/playbooks/add-auth-nextjs-fresh.md +654 -0
- package/playbooks/add-rbac-nextjs.md +190 -0
- package/playbooks/bootstrap-realm-from-template.md +170 -0
- package/playbooks/configure-e2ee-roles-and-policies.md +196 -0
- package/playbooks/deploy-tidecloak-docker.md +792 -0
- package/playbooks/diagnose-broken-login.md +234 -0
- package/playbooks/diagnose-missing-roles-or-claims.md +253 -0
- package/playbooks/initialize-admin-and-link-account.md +235 -0
- package/playbooks/migrate-from-existing-auth.md +198 -0
- package/playbooks/protect-api-nextjs.md +451 -0
- package/playbooks/protect-routes-nextjs.md +544 -0
- package/playbooks/setup-forseti-e2ee.md +756 -0
- package/playbooks/setup-iga-admin-panel.md +344 -0
- package/playbooks/setup-server-delegation.md +142 -0
- package/playbooks/start-tidecloak-dev.md +130 -0
- package/playbooks/verify-jwt-server-side.md +439 -0
- package/prompts/add-admin-approval-flow.md +50 -0
- package/prompts/build-private-customer-portal.md +85 -0
- package/prompts/migrate-generic-auth-to-tide.md +67 -0
- package/prompts/secure-existing-app.md +80 -0
- package/reference-apps/INDEX.md +87 -0
- package/reference-apps/encrypted-communication/anti-patterns.md +123 -0
- package/reference-apps/encrypted-communication/bootstrap-sequence.md +152 -0
- package/reference-apps/encrypted-communication/manifest.yaml +100 -0
- package/reference-apps/encrypted-communication/role-policy-matrix.md +80 -0
- package/reference-apps/encrypted-communication/scenario.md +134 -0
- package/reference-apps/git-pr-signing-service/anti-patterns.md +61 -0
- package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +157 -0
- package/reference-apps/git-pr-signing-service/manifest.yaml +80 -0
- package/reference-apps/git-pr-signing-service/role-policy-matrix.md +99 -0
- package/reference-apps/git-pr-signing-service/scenario.md +169 -0
- package/reference-apps/iga-admin-governance/anti-patterns.md +133 -0
- package/reference-apps/iga-admin-governance/bootstrap-sequence.md +153 -0
- package/reference-apps/iga-admin-governance/manifest.yaml +87 -0
- package/reference-apps/iga-admin-governance/role-policy-matrix.md +67 -0
- package/reference-apps/iga-admin-governance/scenario.md +126 -0
- package/reference-apps/organisation-password-manager/anti-patterns.md +71 -0
- package/reference-apps/organisation-password-manager/bootstrap-sequence.md +127 -0
- package/reference-apps/organisation-password-manager/manifest.yaml +86 -0
- package/reference-apps/organisation-password-manager/role-policy-matrix.md +59 -0
- package/reference-apps/organisation-password-manager/scenario.md +107 -0
- package/reference-apps/policy-governed-signing/anti-patterns.md +67 -0
- package/reference-apps/policy-governed-signing/bootstrap-sequence.md +128 -0
- package/reference-apps/policy-governed-signing/manifest.yaml +78 -0
- package/reference-apps/policy-governed-signing/role-policy-matrix.md +62 -0
- package/reference-apps/policy-governed-signing/scenario.md +113 -0
- package/skills/tide-diagnostics/SKILL.md +99 -0
- package/skills/tide-integration/SKILL.md +136 -0
- package/skills/tide-learning-capture/SKILL.md +174 -0
- package/skills/tide-rbac-and-e2ee/SKILL.md +214 -0
- package/skills/tide-reviewer/SKILL.md +133 -0
- package/skills/tide-route-and-api-protection/SKILL.md +201 -0
- package/skills/tide-scenario-resolver/SKILL.md +81 -0
- package/skills/tide-setup/SKILL.md +218 -0
- package/skills/tide-solutions-architect/SKILL.md +130 -0
|
@@ -0,0 +1,224 @@
|
|
|
1
|
+
# Tide Agent Adapter — Replit / Beginner
|
|
2
|
+
|
|
3
|
+
Instructions for AI coding agents helping beginner builders add Tide to their apps. Prioritize safety, clarity, and small correct steps.
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## Before You Touch Any Code
|
|
8
|
+
|
|
9
|
+
**Disambiguate first.** If the request could mean multiple things (self-encryption vs shared, fresh app vs existing, setup vs diagnosis), resolve the ambiguity before writing code. Ask the user if needed. Do not silently pick one path.
|
|
10
|
+
|
|
11
|
+
**Inspect first.** Do not edit until you understand the current state.
|
|
12
|
+
|
|
13
|
+
### Check 1: Is Tide installed?
|
|
14
|
+
|
|
15
|
+
```bash
|
|
16
|
+
grep '@tidecloak' package.json
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
If no result: the app does not use Tide yet. Go to **"App Is Not Tide-Enabled"** below.
|
|
20
|
+
|
|
21
|
+
### Check 2: Is the provider set up?
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
grep 'TideCloakProvider\|TideCloakContextProvider' app/layout.tsx app/providers.tsx 2>/dev/null
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
If no result: Tide SDK is installed but not wired in. Use playbook `add-auth-nextjs-fresh`.
|
|
28
|
+
|
|
29
|
+
### Check 3: Does adapter JSON exist?
|
|
30
|
+
|
|
31
|
+
The file must be named `tidecloak.json`. Not `adapter.json`. Not `keycloak.json`.
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
# Next.js: check data/
|
|
35
|
+
test -f data/tidecloak.json && echo "Found" || echo "Missing in data/"
|
|
36
|
+
# React/Vite or Vanilla JS: check public/
|
|
37
|
+
test -f public/tidecloak.json && echo "Found" || echo "Missing in public/"
|
|
38
|
+
# Wrong filename?
|
|
39
|
+
ls data/adapter.json public/adapter.json 2>/dev/null && echo "WRONG NAME — rename to tidecloak.json"
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
If missing: the builder has not exported their configuration from TideCloak. They need to do that before any Tide code will work.
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## If the App Is Not Tide-Enabled
|
|
47
|
+
|
|
48
|
+
**Stop.** Do not try to diagnose login issues, fix auth errors, or add features.
|
|
49
|
+
|
|
50
|
+
The app needs setup first. Two paths:
|
|
51
|
+
|
|
52
|
+
**Generated app (default)**: If the project has an init script (`npm run init` in package.json):
|
|
53
|
+
```
|
|
54
|
+
npm install
|
|
55
|
+
npm run init # starts TideCloak, creates realm, exports tidecloak.json
|
|
56
|
+
npm run dev
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**Manual bootstrap (no init script)**: Direct the builder to:
|
|
60
|
+
1. Get TideCloak running:
|
|
61
|
+
- `start-tidecloak-dev` — start the Docker container
|
|
62
|
+
- `bootstrap-realm-from-template` — create realm and enable IGA
|
|
63
|
+
- `initialize-admin-and-link-account` — create admin, link account, export adapter JSON
|
|
64
|
+
2. Add Tide auth to their app (playbook: `add-auth-nextjs-fresh`)
|
|
65
|
+
|
|
66
|
+
Everything else depends on bootstrap completing first. TideCloak must be running with a configured realm before app integration.
|
|
67
|
+
|
|
68
|
+
---
|
|
69
|
+
|
|
70
|
+
## Core Safety Rules
|
|
71
|
+
|
|
72
|
+
These are firm. Do not bend them for convenience.
|
|
73
|
+
|
|
74
|
+
### 1. Hiding UI is not authorization
|
|
75
|
+
|
|
76
|
+
Showing or hiding a button based on a role check (`hasRealmRole('admin')`) does **not** protect anything. Anyone can call the API directly and bypass the UI. The SDK exports `hasRealmRole(role)` for realm roles and `hasClientRole(role, client?)` for client roles — there is no generic `hasRole()` on the hook.
|
|
77
|
+
|
|
78
|
+
**Real authorization** means verifying the JWT token on the server, in every API route that returns or modifies sensitive data.
|
|
79
|
+
|
|
80
|
+
### 2. Protected APIs need server-side verification
|
|
81
|
+
|
|
82
|
+
Every API route that handles sensitive data must:
|
|
83
|
+
- Extract the JWT from the `Authorization` header
|
|
84
|
+
- Verify the signature using embedded JWKS from adapter JSON
|
|
85
|
+
- Check the role claims on the verified token
|
|
86
|
+
- Return 401 or 403 if verification fails
|
|
87
|
+
|
|
88
|
+
Use playbook `protect-api-nextjs` for the full procedure.
|
|
89
|
+
|
|
90
|
+
### 3. Do not invent auth
|
|
91
|
+
|
|
92
|
+
Do not create:
|
|
93
|
+
- Your own login system alongside Tide
|
|
94
|
+
- Plain-text role cookies
|
|
95
|
+
- Local role-checking middleware that skips JWT verification
|
|
96
|
+
- Fake auth helpers that always return true
|
|
97
|
+
|
|
98
|
+
Tide handles authentication and provides threshold-signed JWTs. Your job is to verify those JWTs server-side.
|
|
99
|
+
|
|
100
|
+
### 4. Do not skip DPoP
|
|
101
|
+
|
|
102
|
+
DPoP binds the access token to the browser session. Without it, stolen tokens can be replayed. Playbook `add-auth-nextjs-fresh` covers DPoP provider configuration.
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
## Choosing What to Do
|
|
107
|
+
|
|
108
|
+
Pick the smallest correct playbook for the builder's current need.
|
|
109
|
+
|
|
110
|
+
| Builder says... | Use this playbook |
|
|
111
|
+
|----------------|-------------------|
|
|
112
|
+
| "I want to add login to my app" | `add-auth-nextjs-fresh` |
|
|
113
|
+
| "My app already has auth, I want Tide" | `add-auth-nextjs-existing` |
|
|
114
|
+
| "I want to protect certain pages" | `protect-routes-nextjs` |
|
|
115
|
+
| "I want to protect my API" | `protect-api-nextjs` |
|
|
116
|
+
| "I need admin vs user roles" | `add-rbac-nextjs` |
|
|
117
|
+
| "Login is broken" | `diagnose-broken-login` |
|
|
118
|
+
| "Roles aren't showing up" | `diagnose-missing-roles-or-claims` |
|
|
119
|
+
|
|
120
|
+
### Bootstrap sequence (if TideCloak not running)
|
|
121
|
+
|
|
122
|
+
**If init script exists**: `npm run init` handles everything.
|
|
123
|
+
|
|
124
|
+
**If no init script** (manual):
|
|
125
|
+
1. `start-tidecloak-dev` — start TideCloak
|
|
126
|
+
2. `bootstrap-realm-from-template` — create realm
|
|
127
|
+
3. `initialize-admin-and-link-account` — set up admin, export adapter JSON
|
|
128
|
+
|
|
129
|
+
### Standard build sequence for a new app
|
|
130
|
+
|
|
131
|
+
1. `add-auth-nextjs-fresh` — get login working
|
|
132
|
+
2. `protect-routes-nextjs` — redirect unauthorized users (UI only)
|
|
133
|
+
3. `protect-api-nextjs` — real server-side protection
|
|
134
|
+
4. `verify-jwt-server-side` — complete JWT + DPoP code
|
|
135
|
+
5. `add-rbac-nextjs` — role-based access control
|
|
136
|
+
|
|
137
|
+
Bootstrap must complete before the build sequence. Do not skip step 3. Steps 1 and 2 alone provide zero API security.
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
## Preserve Existing App Behavior
|
|
142
|
+
|
|
143
|
+
When adding Tide to an existing app:
|
|
144
|
+
|
|
145
|
+
- Do not remove existing routes or pages
|
|
146
|
+
- Do not restructure the project layout unless required
|
|
147
|
+
- Add Tide as a layer — provider wrapping the app, verification in API routes
|
|
148
|
+
- Keep changes minimal and reversible
|
|
149
|
+
- Test that existing non-auth functionality still works after each step
|
|
150
|
+
|
|
151
|
+
---
|
|
152
|
+
|
|
153
|
+
## What These Terms Mean
|
|
154
|
+
|
|
155
|
+
| Term | Plain meaning |
|
|
156
|
+
|------|--------------|
|
|
157
|
+
| **UI gating** | Showing/hiding buttons based on login state. Not real security. |
|
|
158
|
+
| **Route guard** | Redirecting to login page if not logged in. Not real API security. |
|
|
159
|
+
| **Server-side JWT verification** | Checking the cryptographic signature of the token on the server. This is real security. |
|
|
160
|
+
| **Adapter JSON** | A config file exported from TideCloak containing keys and endpoints your app needs. |
|
|
161
|
+
| **DPoP** | A security feature that ties your access token to your browser session so it can't be stolen and reused. |
|
|
162
|
+
| **IGA** | Multi-admin approval system. Admin changes need multiple approvals before they take effect. |
|
|
163
|
+
| **SWE iframe** | An invisible browser frame that handles cryptographic operations. If CSP blocks it, login hangs. |
|
|
164
|
+
| **Redirect handler** | A page at your app's redirect URI that receives the auth code after login. Without it, login looks broken. |
|
|
165
|
+
|
|
166
|
+
---
|
|
167
|
+
|
|
168
|
+
## Common Mistakes (and Fixes)
|
|
169
|
+
|
|
170
|
+
### "Login hangs forever"
|
|
171
|
+
|
|
172
|
+
Usually a CSP issue. The SWE iframe is being blocked.
|
|
173
|
+
|
|
174
|
+
Fix: set CSP `frame-src '*'` in your app configuration. See playbook `diagnose-broken-login`.
|
|
175
|
+
|
|
176
|
+
### "I added role checks but anyone can still access the API"
|
|
177
|
+
|
|
178
|
+
You added UI gating, not real authorization. The `hasRealmRole()` / `hasClientRole()` check only hides buttons — it does not protect the API endpoint.
|
|
179
|
+
|
|
180
|
+
Fix: add server-side JWT verification to the API route. See playbook `protect-api-nextjs`.
|
|
181
|
+
|
|
182
|
+
### "Import error with @tidecloak/verify"
|
|
183
|
+
|
|
184
|
+
The package is CJS, not ESM. Named imports like `import { verifyTideCloakToken }` will fail. See `canon/framework-matrix.md` for the correct default-import interop pattern.
|
|
185
|
+
|
|
186
|
+
### "Missing jwk field in adapter JSON"
|
|
187
|
+
|
|
188
|
+
IGA is not enabled on the realm. The `jwk` field only appears when IGA is active. Enable IGA via TideCloak admin console, then re-export adapter JSON.
|
|
189
|
+
|
|
190
|
+
### "Build error with @tidecloak/js in Next.js"
|
|
191
|
+
|
|
192
|
+
Webpack needs a config workaround for incomplete re-exports. See `canon/framework-matrix.md` (Webpack Workaround section).
|
|
193
|
+
|
|
194
|
+
---
|
|
195
|
+
|
|
196
|
+
## Quick Reference
|
|
197
|
+
|
|
198
|
+
- **CSP**: `frame-src '*'` required. Without it, login hangs.
|
|
199
|
+
- **`silent-check-sso.html`**: Must be in `public/` folder.
|
|
200
|
+
- **Redirect handler**: A page must exist at your app's redirect URI path (default `/auth/redirect`). Without it, login ends on a 404. See `canon/redirect-handler.md`.
|
|
201
|
+
- **Setup order**: License first, then IGA, then E2EE. No shortcuts.
|
|
202
|
+
- **`_tide_enabled` role**: Must exist in realm.json. Not auto-created.
|
|
203
|
+
- **DPoP**: ES256 is the default. Always enable it.
|
|
204
|
+
- **Adapter JSON**: Export from TideCloak using provider ID `keycloak-oidc-keycloak-json`.
|
|
205
|
+
|
|
206
|
+
---
|
|
207
|
+
|
|
208
|
+
## Review Before Handoff
|
|
209
|
+
|
|
210
|
+
Before handing completed work to the user, check:
|
|
211
|
+
- [ ] Protected APIs verify JWT server-side (not just UI gating)
|
|
212
|
+
- [ ] `createLocalJWKSet` used, not `createRemoteJWKSet`
|
|
213
|
+
- [ ] DPoP configured on both server (realm template) and client (provider config)
|
|
214
|
+
- [ ] No hardcoded admin credentials in generated app code
|
|
215
|
+
- [ ] Bootstrap is fully complete (user with `tideUserKey` exists, adapter exported)
|
|
216
|
+
|
|
217
|
+
---
|
|
218
|
+
|
|
219
|
+
## When You Are Not Sure
|
|
220
|
+
|
|
221
|
+
- If the playbook covers it, follow the playbook.
|
|
222
|
+
- If the playbook adds a caveat, preserve the caveat in your output.
|
|
223
|
+
- If you cannot find the answer in canon or playbooks, say "I'm not sure about this — it may not be documented yet" rather than guessing.
|
|
224
|
+
- Do not present unresolved items as settled facts.
|