@tideorg/mcp 1.4.1 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/CHANGELOG.md +81 -0
  2. package/GAP_REGISTER.md +19 -9
  3. package/PRIVACY.md +41 -0
  4. package/README.md +204 -120
  5. package/adapters/AGENTS.md +3 -2
  6. package/adapters/CLAUDE.md +1 -1
  7. package/adapters/replit.md +0 -0
  8. package/canon/anti-patterns.md +55 -62
  9. package/canon/concepts.md +46 -34
  10. package/canon/custom-contracts.md +12 -8
  11. package/canon/feature-mapping.md +27 -75
  12. package/canon/framework-matrix.md +69 -22
  13. package/canon/hosting-options.md +111 -0
  14. package/canon/iga-change-requests-api.md +211 -0
  15. package/canon/invariants.md +33 -35
  16. package/canon/redirect-handler.md +0 -0
  17. package/canon/security-gap-mapping.md +506 -0
  18. package/canon/security-runtime-probes.md +177 -0
  19. package/canon/tidecloak-bootstrap.md +84 -15
  20. package/canon/tidecloak-endpoints.md +60 -98
  21. package/canon/troubleshooting.md +201 -53
  22. package/canon/version-policy.md +8 -12
  23. package/mcp-server/dist/http.d.ts +2 -0
  24. package/mcp-server/dist/http.js +46 -0
  25. package/mcp-server/dist/index.d.ts +0 -0
  26. package/mcp-server/dist/index.js +2 -601
  27. package/mcp-server/dist/server.d.ts +2 -0
  28. package/mcp-server/dist/server.js +617 -0
  29. package/package.json +48 -45
  30. package/playbooks/add-auth-nextjs-existing.md +33 -17
  31. package/playbooks/add-auth-nextjs-fresh.md +1 -1
  32. package/playbooks/add-rbac-nextjs.md +7 -2
  33. package/playbooks/bootstrap-realm-from-template.md +33 -18
  34. package/playbooks/configure-e2ee-roles-and-policies.md +0 -0
  35. package/playbooks/deploy-tidecloak-docker.md +31 -28
  36. package/playbooks/diagnose-broken-login.md +0 -0
  37. package/playbooks/diagnose-missing-roles-or-claims.md +2 -2
  38. package/playbooks/initialize-admin-and-link-account.md +22 -19
  39. package/playbooks/migrate-from-existing-auth.md +0 -0
  40. package/playbooks/protect-api-nextjs.md +40 -1
  41. package/playbooks/protect-aspnet-core-asgard.md +313 -0
  42. package/playbooks/protect-routes-nextjs.md +24 -10
  43. package/playbooks/provision-tidecloak-skycloak.md +213 -0
  44. package/playbooks/setup-forseti-e2ee.md +32 -50
  45. package/playbooks/setup-iga-admin-panel.md +113 -171
  46. package/playbooks/start-tidecloak-dev.md +0 -0
  47. package/playbooks/verify-jwt-server-side.md +20 -1
  48. package/prompts/add-admin-approval-flow.md +0 -0
  49. package/prompts/build-private-customer-portal.md +1 -1
  50. package/prompts/migrate-generic-auth-to-tide.md +0 -0
  51. package/prompts/secure-existing-app.md +0 -0
  52. package/prompts/security-gap-analysis.md +55 -0
  53. package/reference-apps/INDEX.md +0 -0
  54. package/reference-apps/encrypted-communication/anti-patterns.md +3 -3
  55. package/reference-apps/encrypted-communication/bootstrap-sequence.md +2 -2
  56. package/reference-apps/encrypted-communication/manifest.yaml +0 -0
  57. package/reference-apps/encrypted-communication/role-policy-matrix.md +0 -0
  58. package/reference-apps/encrypted-communication/scenario.md +2 -2
  59. package/reference-apps/git-pr-signing-service/anti-patterns.md +0 -0
  60. package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +8 -8
  61. package/reference-apps/git-pr-signing-service/manifest.yaml +0 -0
  62. package/reference-apps/git-pr-signing-service/role-policy-matrix.md +0 -0
  63. package/reference-apps/git-pr-signing-service/scenario.md +0 -0
  64. package/reference-apps/iga-admin-governance/anti-patterns.md +18 -16
  65. package/reference-apps/iga-admin-governance/bootstrap-sequence.md +10 -5
  66. package/reference-apps/iga-admin-governance/manifest.yaml +0 -0
  67. package/reference-apps/iga-admin-governance/role-policy-matrix.md +12 -13
  68. package/reference-apps/iga-admin-governance/scenario.md +15 -13
  69. package/reference-apps/organisation-password-manager/anti-patterns.md +0 -0
  70. package/reference-apps/organisation-password-manager/bootstrap-sequence.md +5 -6
  71. package/reference-apps/organisation-password-manager/manifest.yaml +0 -0
  72. package/reference-apps/organisation-password-manager/role-policy-matrix.md +0 -0
  73. package/reference-apps/organisation-password-manager/scenario.md +0 -0
  74. package/reference-apps/policy-governed-signing/anti-patterns.md +0 -0
  75. package/reference-apps/policy-governed-signing/bootstrap-sequence.md +9 -9
  76. package/reference-apps/policy-governed-signing/manifest.yaml +0 -0
  77. package/reference-apps/policy-governed-signing/role-policy-matrix.md +0 -0
  78. package/reference-apps/policy-governed-signing/scenario.md +0 -0
  79. package/skills/tide-diagnostics/SKILL.md +1 -1
  80. package/skills/tide-integration/SKILL.md +9 -18
  81. package/skills/tide-learning-capture/SKILL.md +0 -0
  82. package/skills/tide-mcp-qa/SKILL.md +139 -0
  83. package/skills/tide-rbac-and-e2ee/SKILL.md +5 -5
  84. package/skills/tide-reviewer/SKILL.md +1 -1
  85. package/skills/tide-route-and-api-protection/SKILL.md +0 -0
  86. package/skills/tide-scenario-resolver/SKILL.md +0 -0
  87. package/skills/tide-security-analyst/SKILL.md +182 -0
  88. package/skills/tide-setup/SKILL.md +1 -1
  89. package/skills/tide-solutions-architect/SKILL.md +0 -0
  90. package/canon/delegation.md +0 -195
  91. package/playbooks/setup-server-delegation.md +0 -142
@@ -1,142 +0,0 @@
1
- # Setup Server-Side Delegation
2
-
3
- For apps where the backend needs to call TideCloak admin APIs on behalf of authenticated users.
4
-
5
- ---
6
-
7
- ## When to Use
8
-
9
- - Your server manages users, roles, or policies via TideCloak admin API
10
- - You need server-side role management or access approvals
11
- - You want to avoid using master admin credentials from your server
12
-
13
- ---
14
-
15
- ## Prerequisites
16
-
17
- - TideCloak bootstrapped and running
18
- - `tidecloak.json` exported with `jwk`, `vendorId`, `homeOrkUrl`
19
- - App has working Tide login (provider wired, DPoP enabled)
20
- - Node.js 18+ on the server (Ed25519 support)
21
-
22
- ---
23
-
24
- ## Steps
25
-
26
- ### 1. Install server SDK
27
-
28
- ```bash
29
- npm install @tidecloak/server
30
- ```
31
-
32
- ### 2. Create delegation instance
33
-
34
- ```ts
35
- // server/lib/delegation.ts
36
- import { TideDelegation } from '@tidecloak/server';
37
-
38
- let _delegation: TideDelegation | null = null;
39
-
40
- export function getDelegation(): TideDelegation {
41
- if (!_delegation) {
42
- _delegation = new TideDelegation({
43
- tidecloakUrl: process.env.TIDECLOAK_URL || config['auth-server-url'],
44
- realm: process.env.TIDECLOAK_REALM || config.realm,
45
- clientId: process.env.TIDECLOAK_CLIENT_ID || config.resource,
46
- });
47
- }
48
- return _delegation;
49
- }
50
- ```
51
-
52
- Use a lazy singleton. Do not create a new instance per request.
53
-
54
- ### 3. Wire delegation exchange endpoint
55
-
56
- ```ts
57
- app.post('/api/delegation', authenticate, getDelegation().handleDelegation());
58
- ```
59
-
60
- This endpoint receives signed delegation artifacts from the browser and exchanges them with TideCloak for a delegation token.
61
-
62
- ### 4. Add delegation middleware to admin routes
63
-
64
- ```ts
65
- app.get('/api/admin/users',
66
- authenticate,
67
- requireAdmin,
68
- getDelegation().requireDelegation(),
69
- async (req, res) => {
70
- const adminUrl = `${tidecloakUrl}/admin/realms/${realm}`;
71
- const users = await req.delegation.fetch(`${adminUrl}/users`);
72
- res.json(users);
73
- }
74
- );
75
- ```
76
-
77
- The middleware:
78
- - Checks if a cached delegation token exists for this user session
79
- - If yes: attaches `req.delegation` with `token` and `fetch()` helper
80
- - If no: responds 419 with a delegation challenge
81
-
82
- ### 5. Wrap browser fetch with createTideFetch
83
-
84
- ```ts
85
- import { createTideFetch } from '@tidecloak/js';
86
-
87
- // Wrap the app's fetch function
88
- const appFetch = createTideFetch(window.fetch);
89
-
90
- // Use appFetch for all server calls that may need delegation
91
- const users = await appFetch('/api/admin/users');
92
- ```
93
-
94
- `createTideFetch` intercepts 419 responses, handles the delegation signing flow with the browser's DPoP key, and retries the original request.
95
-
96
- ### 6. Optional: scope delegation roles
97
-
98
- ```ts
99
- // Only include specific roles in the delegation token
100
- getDelegation().requireDelegation({
101
- roles: {
102
- realm: ['admin'],
103
- clients: { 'my-app': ['manage-users'] }
104
- }
105
- })
106
- ```
107
-
108
- If `roles` is specified, only listed roles appear in the delegation token. Unlisted realms/clients are stripped. Cannot add roles the user does not have.
109
-
110
- ---
111
-
112
- ## Verification
113
-
114
- - [ ] `@tidecloak/server` in server package.json
115
- - [ ] `/api/delegation` POST route wired with `handleDelegation()`
116
- - [ ] Admin routes use `requireDelegation()` middleware
117
- - [ ] Browser uses `createTideFetch` wrapper
118
- - [ ] Admin API calls succeed: user list, role management, etc.
119
- - [ ] 419 responses are handled transparently (no user-visible interruption)
120
- - [ ] Delegation token is cached (no 419 on every request)
121
-
122
- ---
123
-
124
- ## Troubleshooting
125
-
126
- **Repeated 419 responses**
127
- Check that `/api/delegation` is wired correctly and the `authenticate` middleware sets `req.accessToken`.
128
-
129
- **"No pending delegation challenge"**
130
- Server restarted between 419 and delegation POST. Browser retries automatically.
131
-
132
- **"Delegation exchange failed"**
133
- Check TideCloak has `tide-chain-of-trust` client authenticator enabled and `DelegationToken:1` in VRK model whitelist. A VRK rotation is needed after adding the model ID.
134
-
135
- **"DPoP is not initialized"**
136
- `signDelegationRequest` needs the DPoP provider. Ensure `useDPoP` is in the TideCloakProvider config object.
137
-
138
- **Delegation token has wrong roles**
139
- If using scoped delegation, everything not listed is excluded. Omit `roles` for full permissions.
140
-
141
- **Admin API returns 403**
142
- The user does not have the required role (e.g., `tide-realm-admin` on `realm-management`). Delegation can only use roles the user already has.