@zuplo/cli 6.70.69 → 6.70.70

package/node_modules/@zuplo/runtime/out/types/index.d.ts

@@ -2899,6 +2899,291 @@ export declare class DataDogMetricsPlugin extends MetricsPlugin {
   static setContext(context: ZuploContext, data: DataDogMetricsContext): void;
 }
 
+/**
+ * Scans the incoming request body for sensitive data — PII, secrets, and
+ * financial identifiers — using an extensible catalog of built-in recognizers
+ * plus any custom patterns, and takes a configurable action when a match is
+ * found.
+ *
+ * The action is one of `mask` (redact matches before forwarding the request),
+ * `block` (reject with a `422` listing the detected entity names only), or
+ * `log` (record a warning and forward unchanged). Only text content types are
+ * inspected; binary bodies pass through untouched, and the body is read from a
+ * clone so the upstream still receives the original stream.
+ *
+ * @title Data Loss Prevention
+ * @product api-gateway
+ * @public
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param options - The policy options set in policies.json
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const DataLossPreventionInboundPolicy: InboundPolicyHandler<DataLossPreventionInboundPolicyOptions>;
+
+/**
+ * The options for the Data Loss Prevention inbound policy. Scans the incoming request body for sensitive data and applies the configured action (mask, block, or log).
+ * @public
+ */
+export declare interface DataLossPreventionInboundPolicyOptions {
+  /**
+   * The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change.
+   */
+  engine?: "builtin";
+  /**
+   * Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.
+   */
+  entities?: (
+    | "contact"
+    | "finance"
+    | "finance-us"
+    | "id"
+    | "id-au"
+    | "id-br"
+    | "id-ca"
+    | "id-es"
+    | "id-fr"
+    | "id-in"
+    | "id-it"
+    | "id-nl"
+    | "id-pl"
+    | "id-sg"
+    | "id-uk"
+    | "id-us"
+    | "network"
+    | "pii"
+    | "region-eu"
+    | "secret"
+    | "secret-aws"
+    | "contact-email"
+    | "contact-phone"
+    | "finance-credit-card"
+    | "finance-crypto-wallet"
+    | "finance-cvv"
+    | "finance-iban"
+    | "finance-swift-bic"
+    | "finance-us-aba-routing"
+    | "finance-us-bank-account"
+    | "id-au-abn"
+    | "id-au-acn"
+    | "id-au-medicare"
+    | "id-au-tfn"
+    | "id-br-cpf"
+    | "id-ca-sin"
+    | "id-es-nif"
+    | "id-fr-nir"
+    | "id-in-aadhaar"
+    | "id-in-pan"
+    | "id-it-fiscal-code"
+    | "id-nl-bsn"
+    | "id-pl-pesel"
+    | "id-sg-nric"
+    | "id-uk-nhs"
+    | "id-uk-nino"
+    | "id-us-itin"
+    | "id-us-passport"
+    | "id-us-ssn"
+    | "network-ipv4"
+    | "network-ipv6"
+    | "network-mac"
+    | "secret-anthropic"
+    | "secret-aws-access-key"
+    | "secret-aws-bedrock"
+    | "secret-azure-client"
+    | "secret-databricks"
+    | "secret-digitalocean"
+    | "secret-discord-webhook"
+    | "secret-github"
+    | "secret-gitlab"
+    | "secret-google-api-key"
+    | "secret-heroku"
+    | "secret-hugging-face"
+    | "secret-jwt"
+    | "secret-mailchimp"
+    | "secret-mailgun"
+    | "secret-npm"
+    | "secret-openai"
+    | "secret-perplexity"
+    | "secret-postman"
+    | "secret-private-key"
+    | "secret-pypi"
+    | "secret-sendgrid"
+    | "secret-sentry"
+    | "secret-shopify"
+    | "secret-slack"
+    | "secret-square"
+    | "secret-stripe"
+    | "secret-telegram-bot"
+    | "secret-terraform"
+    | "secret-twilio"
+    | "secret-zuplo"
+  )[];
+  /**
+   * Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the request.
+   */
+  customPatterns?: DlpCustomPattern[];
+  /**
+   * What to do when sensitive data is detected. `mask` redacts matches before forwarding the request, `block` rejects with a 422 listing only the detected entity names, and `log` records a warning and forwards the request unchanged.
+   */
+  action?: "mask" | "block" | "log";
+  /**
+   * The string that replaces detected values when `action` is `mask`.
+   */
+  mask?: string;
+  /**
+   * Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches.
+   */
+  minConfidence?: number;
+  /**
+   * Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/*) is used.
+   */
+  contentTypes?: string[];
+}
+
+/**
+ * Scans the upstream response body for sensitive data — PII, secrets, and
+ * financial identifiers — using an extensible catalog of built-in recognizers
+ * plus any custom patterns, and takes a configurable action when a match is
+ * found.
+ *
+ * The action is one of `mask` (redact matches before returning the response),
+ * `block` (replace the response with a `422` listing the detected entity names
+ * only), or `log` (record a warning and return unchanged). Only text content
+ * types are inspected; binary bodies pass through untouched, and the body is
+ * read from a clone so the client still receives the original stream.
+ *
+ * @title Data Loss Prevention
+ * @product api-gateway
+ * @public
+ * @param response - The outgoing Response from the handler
+ * @param request - The original incoming Request
+ * @param context - The current context of the Request
+ * @param options - The configuration options for the policy
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Response
+ */
+export declare const DataLossPreventionOutboundPolicy: OutboundPolicyHandler<DataLossPreventionOutboundPolicyOptions>;
+
+/**
+ * The options for the Data Loss Prevention outbound policy. Scans the upstream response body for sensitive data and applies the configured action (mask, block, or log).
+ * @public
+ */
+export declare interface DataLossPreventionOutboundPolicyOptions {
+  /**
+   * The detection engine. Only `builtin` (in-isolate regex + checksum detection with context-word scoring) is available today. This is the extension point for a future hosted `presidio-service` mode; declaring it now keeps adding that mode an additive, non-breaking change.
+   */
+  engine?: "builtin";
+  /**
+   * Built-in recognizer ids and/or group selectors to enable. Entity ids follow a {category}-{scope}-{name} taxonomy, and any dash-aligned id prefix acts as a selector (for example `secret` is every secret, `id-au` is Australia's identifiers, `secret-aws` is both AWS entities), plus the named groups `pii` and `region-eu`. Available selectors: `contact`, `finance`, `finance-us`, `id`, `id-au`, `id-br`, `id-ca`, `id-es`, `id-fr`, `id-in`, `id-it`, `id-nl`, `id-pl`, `id-sg`, `id-uk`, `id-us`, `network`, `pii`, `region-eu`, `secret`, `secret-aws`. When omitted, the full built-in catalog is used.
+   */
+  entities?: (
+    | "contact"
+    | "finance"
+    | "finance-us"
+    | "id"
+    | "id-au"
+    | "id-br"
+    | "id-ca"
+    | "id-es"
+    | "id-fr"
+    | "id-in"
+    | "id-it"
+    | "id-nl"
+    | "id-pl"
+    | "id-sg"
+    | "id-uk"
+    | "id-us"
+    | "network"
+    | "pii"
+    | "region-eu"
+    | "secret"
+    | "secret-aws"
+    | "contact-email"
+    | "contact-phone"
+    | "finance-credit-card"
+    | "finance-crypto-wallet"
+    | "finance-cvv"
+    | "finance-iban"
+    | "finance-swift-bic"
+    | "finance-us-aba-routing"
+    | "finance-us-bank-account"
+    | "id-au-abn"
+    | "id-au-acn"
+    | "id-au-medicare"
+    | "id-au-tfn"
+    | "id-br-cpf"
+    | "id-ca-sin"
+    | "id-es-nif"
+    | "id-fr-nir"
+    | "id-in-aadhaar"
+    | "id-in-pan"
+    | "id-it-fiscal-code"
+    | "id-nl-bsn"
+    | "id-pl-pesel"
+    | "id-sg-nric"
+    | "id-uk-nhs"
+    | "id-uk-nino"
+    | "id-us-itin"
+    | "id-us-passport"
+    | "id-us-ssn"
+    | "network-ipv4"
+    | "network-ipv6"
+    | "network-mac"
+    | "secret-anthropic"
+    | "secret-aws-access-key"
+    | "secret-aws-bedrock"
+    | "secret-azure-client"
+    | "secret-databricks"
+    | "secret-digitalocean"
+    | "secret-discord-webhook"
+    | "secret-github"
+    | "secret-gitlab"
+    | "secret-google-api-key"
+    | "secret-heroku"
+    | "secret-hugging-face"
+    | "secret-jwt"
+    | "secret-mailchimp"
+    | "secret-mailgun"
+    | "secret-npm"
+    | "secret-openai"
+    | "secret-perplexity"
+    | "secret-postman"
+    | "secret-private-key"
+    | "secret-pypi"
+    | "secret-sendgrid"
+    | "secret-sentry"
+    | "secret-shopify"
+    | "secret-slack"
+    | "secret-square"
+    | "secret-stripe"
+    | "secret-telegram-bot"
+    | "secret-terraform"
+    | "secret-twilio"
+    | "secret-zuplo"
+  )[];
+  /**
+   * Additional customer-defined regex recognizers. Invalid patterns are logged and skipped rather than failing the response.
+   */
+  customPatterns?: DlpCustomPattern_2[];
+  /**
+   * What to do when sensitive data is detected. `mask` redacts matches before returning the response, `block` replaces the response with a 422 listing only the detected entity names, and `log` records a warning and returns the response unchanged.
+   */
+  action?: "mask" | "block" | "log";
+  /**
+   * The string that replaces detected values when `action` is `mask`.
+   */
+  mask?: string;
+  /**
+   * Minimum confidence (0-1) a match must reach to count as a finding. Context-dependent recognizers (for example `finance-us-bank-account` or `finance-us-aba-routing`) sit below the default threshold of 0.5 until a context word near the match boosts them above it. Lower the threshold to surface them everywhere; raise it to keep only prefix- or checksum-validated matches.
+   */
+  minConfidence?: number;
+  /**
+   * Override the set of scannable content-type prefixes. When omitted, the built-in text content-type allow-list (JSON, XML, form-encoded, text/*) is used.
+   */
+  contentTypes?: string[];
+}
+
 /**
  * Default function to generate Hydrolix log entries
  * @public
@@ -2924,6 +3209,44 @@ export declare interface DispatchRequestLoggerEntries<T> {
   (entries: T[]): Promise<void>;
 }
 
+declare interface DlpCustomPattern {
+  /**
+   * Identifier reported in findings and block details for this pattern.
+   */
+  name: string;
+  /**
+   * A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\d` for a digit).
+   */
+  pattern: string;
+  /**
+   * Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context.
+   */
+  confidence?: number;
+  /**
+   * Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key).
+   */
+  context?: string[];
+}
+
+declare interface DlpCustomPattern_2 {
+  /**
+   * Identifier reported in findings and block details for this pattern.
+   */
+  name: string;
+  /**
+   * A JavaScript regular expression source string. Remember to escape backslashes for JSON (for example `\\d` for a digit).
+   */
+  pattern: string;
+  /**
+   * Base confidence (0-1) for matches of this pattern. The default of 0.85 is above the default detection threshold; combine a low value with `context` words for patterns that are only sensitive in context.
+   */
+  confidence?: number;
+  /**
+   * Context words that boost a match's confidence by 0.45 when one appears near the match (in the surrounding field, label, or key).
+   */
+  context?: string[];
+}
+
 declare interface DynaTraceLoggingOptions {
   url: string;
   apiToken: string;

package/node_modules/@zuplo/runtime/out/types/mcp-gateway/index.d.ts

@@ -1462,7 +1462,9 @@ export declare interface McpEntraOAuthInboundPolicyOptions {
 /**
  * Activates the MCP Gateway internal routes (OAuth authorization server,
  * upstream connection management, well-known metadata) on the runtime router.
- * The plugin is a no-op when no MCP-related policy is present.
+ * When no MCP-related policy is present the plugin registers no routes; it
+ * still records `plugin.mcp-gateway` feature usage on construction so gateway
+ * adoption is visible in telemetry regardless of route configuration.
  *
  * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
  * does not statically reference any MCP gateway code, so unrelated projects

package/node_modules/@zuplo/runtime/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.69",
+  "version": "6.70.70",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/protobufjs/dist/light/protobuf.js

@@ -1,6 +1,6 @@
 /*!
- * protobuf.js v7.6.2 (c) 2016, daniel wirtz
- * compiled sat, 30 may 2026 21:57:57 utc
+ * protobuf.js v7.6.3 (c) 2016, daniel wirtz
+ * compiled tue, 09 jun 2026 20:47:47 utc
  * licensed under the bsd-3-clause license
  * see: https://github.com/dcodeio/protobuf.js for details
  */
@@ -1273,14 +1273,15 @@ converter.fromObject = function fromObject(mtype) {
     var fields = mtype.fieldsArray;
     var gen = util.codegen(["d", "n"], mtype.name + "$fromObject")
     ("if(d instanceof this.ctor)")
-        ("return d")
+        ("return d");
+    if (!fields.length) return gen
+    ("return new this.ctor");
+    gen
     ("if(!util.isObject(d))")
         ("throw TypeError(%j)", mtype.fullName + ": object expected")
     ("if(n===undefined)n=0")
     ("if(n>util.recursionLimit)")
         ("throw Error(\"maximum nesting depth exceeded\")");
-    if (!fields.length) return gen
-    ("return new this.ctor");
     gen
     ("var m=new this.ctor");
     for (var i = 0; i < fields.length; ++i) {
@@ -1468,7 +1469,7 @@ converter.toObject = function toObject(mtype) {
             genValuePartial_toObject(gen, field, /* sorted */ index, prop + "[j]")
         ("}");
         } else { gen
-    ("if(m%s!=null&&m.hasOwnProperty(%j)){", prop, field.name); // !== undefined && !== null
+    ("if(m%s!=null&&Object.hasOwnProperty.call(m,%j)){", prop, field.name); // !== undefined && !== null
         genValuePartial_toObject(gen, field, /* sorted */ index, prop);
         if (field.partOf) gen
         ("if(o.oneofs)")
@@ -1610,7 +1611,7 @@ function decoder(mtype) {
     for (i = 0; i < mtype._fieldsArray.length; ++i) {
         var rfield = mtype._fieldsArray[i];
         if (rfield.required) gen
-    ("if(!m.hasOwnProperty(%j))", rfield.name)
+            ("if(!Object.hasOwnProperty.call(m,%j))", rfield.name)
         ("throw util.ProtocolError(%j,{instance:m})", missing(rfield));
     }
 
@@ -5263,8 +5264,6 @@ var Method = require(22),
     util   = require(35),
     rpc    = require(30);
 
-var reservedRe = util.patterns.reservedRe;
-
 /**
  * Constructs a new service instance.
  * @classdesc Reflected service.
@@ -5439,11 +5438,11 @@ Service.prototype.create = function create(rpcImpl, requestDelimited, responseDe
     var rpcService = new rpc.Service(rpcImpl, requestDelimited, responseDelimited);
     for (var i = 0, method; i < /* initializes */ this.methodsArray.length; ++i) {
         var methodName = util.lcFirst((method = this._methodsArray[i]).resolve().name).replace(/[^$\w_]/g, "");
-        rpcService[methodName] = util.codegen(["r","c"], reservedRe.test(methodName) ? methodName + "_" : methodName)("return this.rpcCall(m,q,s,r,c)")({
-            m: method,
-            q: method.resolvedRequestType.ctor,
-            s: method.resolvedResponseType.ctor
-        });
+        rpcService[methodName] = (function(method, requestType, responseType) {
+            return function rpcMethod(request, callback) {
+                return rpc.Service.prototype.rpcCall.call(this, method, requestType, responseType, request, callback);
+            };
+        })(method, method.resolvedRequestType.ctor, method.resolvedResponseType.ctor);
     }
     return rpcService;
 };
@@ -5824,7 +5823,7 @@ Type.prototype.add = function add(object) {
             throw Error("duplicate id " + object.id + " in " + this);
         if (this.isReservedId(object.id))
             throw Error("id " + object.id + " is reserved in " + this);
-        if (this.isReservedName(object.name))
+        if (this.isReservedName(object.name) || object.name.charAt(0) === "$")
             throw Error("name '" + object.name + "' is reserved in " + this);
         if (object.name === "__proto__")
             return this;
@@ -5837,6 +5836,8 @@ Type.prototype.add = function add(object) {
         return clearCache(this);
     }
     if (object instanceof OneOf) {
+        if (object.name.charAt(0) === "$")
+            throw Error("name '" + object.name + "' is reserved in " + this);
         if (object.name === "__proto__")
             return this;
         if (!this.oneofs)
@@ -6847,7 +6848,7 @@ util.isset =
  */
 util.isSet = function isSet(obj, prop) {
     var value = obj[prop];
-    if (value != null && obj.hasOwnProperty(prop)) // eslint-disable-line eqeqeq, no-prototype-builtins
+    if (value != null && Object.hasOwnProperty.call(obj, prop)) // eslint-disable-line eqeqeq
         return typeof value !== "object" || (Array.isArray(value) ? value.length : Object.keys(value).length) > 0;
     return false;
 };
@@ -7371,7 +7372,7 @@ function verifier(mtype) {
             ref   = "m" + util.safeProp(field.name);
 
         if (field.optional) gen
-        ("if(%s!=null&&m.hasOwnProperty(%j)){", ref, field.name); // !== undefined && !== null
+        ("if(%s!=null&&Object.hasOwnProperty.call(m,%j)){", ref, field.name); // !== undefined && !== null
 
         // map fields
         if (field.map) { gen