@zuplo/runtime 6.69.10 → 6.70.0

package/out/types/mcp-gateway/index.d.ts

@@ -0,0 +1,2477 @@
+declare interface ApiRuntimeConfig {
+  urls: UrlConfig | undefined;
+}
+
+/**
+ * Base logger interface with methods for each log level.
+ * @beta
+ */
+declare interface BaseLogger {
+  debug(...messages: unknown[]): void;
+  info(...messages: unknown[]): void;
+  log(...messages: unknown[]): void;
+  warn(...messages: unknown[]): void;
+  error(...messages: unknown[]): void;
+}
+
+/**
+ * @public
+ */
+declare interface BuildRouteConfiguration {
+  path: string;
+  methods: HttpMethod[];
+  /**
+   * @deprecated This property is not used and will be removed in future versions
+   */
+  label?: string;
+  /**
+   * @deprecated This property is not used and will be removed in future versions
+   */
+  key?: string;
+  handler: HandlerDefinition;
+  corsPolicy?: CorsPolicy;
+  /**
+   * @deprecated This property is deprecated. Use route.raw() instead.
+   */
+  custom?: any;
+  mcp?: {
+    enabled?: boolean;
+  };
+  policies?: {
+    inbound?: string[];
+    outbound?: string[];
+  };
+  /**
+   * @deprecated This property is not used and will be removed in future versions
+   */
+  excludeFromOpenApi?: boolean;
+  pathPattern?: string;
+  /**
+   * Build-time metadata for this route.
+   */
+  metadata?: {
+    /**
+     * The source file this route was generated from.
+     */
+    filepath: string;
+  };
+  /* Excluded from this release type: raw */
+}
+
+/**
+ * The 2-letter continent codes Cloudflare uses
+ * @public
+ */
+declare type ContinentCode = "AF" | "AN" | "AS" | "EU" | "NA" | "OC" | "SA";
+
+/**
+ * @public
+ */
+declare type CorsPolicy = string | "anything-goes" | "none";
+
+/**
+ * @public
+ */
+declare interface CorsPolicyConfiguration {
+  name: string;
+  allowCredentials?: boolean;
+  maxAge?: number;
+  allowedOrigins: string[] | string;
+  allowedMethods?: HttpMethod[] | string;
+  allowedHeaders?: string[] | string;
+  exposeHeaders?: string[] | string;
+}
+
+/* Excluded from this release type: DevPortalRuntimeConfig */
+
+declare type DevPortalType = "legacy" | "zudoku";
+
+declare const EventType: {
+  readonly MCP_TOOL_USAGE: "mcp_tool_usage";
+  readonly AI_GATEWAY_COST_SUM: "ai_gateway_cost_sum";
+  readonly AI_GATEWAY_REQUEST_COUNT: "ai_gateway_request_count";
+  readonly AI_GATEWAY_TOKEN_SUM: "ai_gateway_token_sum";
+  readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
+  readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
+  readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly MCP_GATEWAY_REQUEST_RECEIVED: "mcp_gateway_request_received";
+  readonly MCP_GATEWAY_REQUEST_COMPLETED: "mcp_gateway_request_completed";
+  readonly MCP_GATEWAY_REQUEST_REJECTED: "mcp_gateway_request_rejected";
+  readonly MCP_GATEWAY_INITIALIZE_NEGOTIATED: "mcp_gateway_initialize_negotiated";
+  readonly MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR: "mcp_gateway_client_unsupported_behavior";
+  readonly MCP_GATEWAY_CATALOG_LISTED: "mcp_gateway_catalog_listed";
+  readonly MCP_GATEWAY_CATALOG_IMPORTED: "mcp_gateway_catalog_imported";
+  readonly MCP_GATEWAY_CATALOG_DRIFT_DETECTED: "mcp_gateway_catalog_drift_detected";
+  readonly MCP_GATEWAY_CAPABILITY_LISTED: "mcp_gateway_capability_listed";
+  readonly MCP_GATEWAY_CAPABILITY_INVOKED: "mcp_gateway_capability_invoked";
+  readonly MCP_GATEWAY_CAPABILITY_COMPLETED: "mcp_gateway_capability_completed";
+  readonly MCP_GATEWAY_CAPABILITY_FAILED: "mcp_gateway_capability_failed";
+  readonly MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED: "mcp_gateway_capability_connect_required";
+  readonly MCP_GATEWAY_AUTH_DOWNSTREAM_TOKEN_VALIDATED: "mcp_gateway_auth_downstream_token_validated";
+  readonly MCP_GATEWAY_AUTH_DOWNSTREAM_TOKEN_REJECTED: "mcp_gateway_auth_downstream_token_rejected";
+  readonly MCP_GATEWAY_OAUTH_CLIENT_REGISTERED: "mcp_gateway_oauth_client_registered";
+  readonly MCP_GATEWAY_OAUTH_AUTHORIZE_STARTED: "mcp_gateway_oauth_authorize_started";
+  readonly MCP_GATEWAY_OAUTH_AUTHORIZE_AWAITING_SETUP: "mcp_gateway_oauth_authorize_awaiting_setup";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_ISSUED: "mcp_gateway_oauth_token_issued";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_REFRESH_ROTATED: "mcp_gateway_oauth_token_refresh_rotated";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_REVOKED: "mcp_gateway_oauth_token_revoked";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_REQUIRED: "mcp_gateway_auth_upstream_connect_required";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED: "mcp_gateway_auth_upstream_connect_started";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED: "mcp_gateway_auth_upstream_callback_received";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED: "mcp_gateway_auth_upstream_token_exchange_succeeded";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED: "mcp_gateway_auth_upstream_token_exchange_failed";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED: "mcp_gateway_auth_upstream_credential_resolved";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING: "mcp_gateway_auth_upstream_credential_missing";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_RECONSENT_REQUIRED: "mcp_gateway_auth_upstream_reconsent_required";
+  readonly MCP_GATEWAY_POLICY_DECISION: "mcp_gateway_policy_decision";
+  readonly MCP_GATEWAY_GUARDRAIL_DECISION: "mcp_gateway_guardrail_decision";
+  readonly MCP_GATEWAY_RATE_LIMIT_DECISION: "mcp_gateway_rate_limit_decision";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_SENT: "mcp_gateway_upstream_request_sent";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_COMPLETED: "mcp_gateway_upstream_request_completed";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_FAILED: "mcp_gateway_upstream_request_failed";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_CREATED: "mcp_gateway_audit_virtual_server_created";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_UPDATED: "mcp_gateway_audit_virtual_server_updated";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_DELETED: "mcp_gateway_audit_virtual_server_deleted";
+};
+
+declare type EventType = (typeof EventType)[keyof typeof EventType];
+
+/**
+ * @public
+ */
+declare interface HandlerDefinition {
+  module: any;
+  export: string;
+  options?: unknown;
+}
+
+/**
+ * @public
+ */
+declare type HttpMethod =
+  | "GET"
+  | "HEAD"
+  | "POST"
+  | "PUT"
+  | "DELETE"
+  | "CONNECT"
+  | "OPTIONS"
+  | "TRACE"
+  | "PATCH";
+
+/**
+ * @beta
+ */
+declare enum HttpStatusCode {
+  /**
+   * The server has received the request headers and the client should proceed to send the request body
+   * (in the case of a request for which a body needs to be sent; for example, a POST request).
+   * Sending a large request body to a server after a request has been rejected for inappropriate headers would be inefficient.
+   * To have a server check the request's headers, a client must send Expect: 100-continue as a header in its initial request
+   * and receive a 100 Continue status code in response before sending the body. The response 417 Expectation Failed indicates the request should not be continued.
+   */
+  CONTINUE = 100,
+  /**
+   * The requester has asked the server to switch protocols and the server has agreed to do so.
+   */
+  SWITCHING_PROTOCOLS = 101,
+  /**
+   * A WebDAV request may contain many sub-requests involving file operations, requiring a long time to complete the request.
+   * This code indicates that the server has received and is processing the request, but no response is available yet.
+   * This prevents the client from timing out and assuming the request was lost.
+   * @deprecated This status code is deprecated and shouldn't be sent any more. Clients may still accept it, but simply ignore them.
+   */
+  PROCESSING = 102,
+  /**
+   * This response may be sent by a server while it is still preparing a
+   * response, with hints about the resources that the server is expecting
+   * the final response will link. This allows a browser to start preloading
+   * resources even before the server has prepared and sent that final response.
+   */
+  EARLY_HINTS = 103,
+  /**
+   * Standard response for successful HTTP requests.
+   * The actual response will depend on the request method used.
+   * In a GET request, the response will contain an entity corresponding to the requested resource.
+   * In a POST request, the response will contain an entity describing or containing the result of the action.
+   */
+  OK = 200,
+  /**
+   * The request has been fulfilled, resulting in the creation of a new resource.
+   */
+  CREATED = 201,
+  /**
+   * The request has been accepted for processing, but the processing has not been completed.
+   * The request might or might not be eventually acted upon, and may be disallowed when processing occurs.
+   */
+  ACCEPTED = 202,
+  /**
+   * SINCE HTTP/1.1
+   * The server is a transforming proxy that received a 200 OK from its origin,
+   * but is returning a modified version of the origin's response.
+   */
+  NON_AUTHORITATIVE_INFORMATION = 203,
+  /**
+   * The server successfully processed the request and is not returning any content.
+   */
+  NO_CONTENT = 204,
+  /**
+   * The server successfully processed the request, but is not returning any content.
+   * Unlike a 204 response, this response requires that the requester reset the document view.
+   */
+  RESET_CONTENT = 205,
+  /**
+   * The server is delivering only part of the resource (byte serving) due to a range header sent by the client.
+   * The range header is used by HTTP clients to enable resuming of interrupted downloads,
+   * or split a download into multiple simultaneous streams.
+   */
+  PARTIAL_CONTENT = 206,
+  /**
+   * The message body that follows is an XML message and can contain a number of separate response codes,
+   * depending on how many sub-requests were made.
+   */
+  MULTI_STATUS = 207,
+  /**
+   * The members of a DAV binding have already been enumerated in a preceding part of the (multistatus) response,
+   * and are not being included again.
+   */
+  ALREADY_REPORTED = 208,
+  /**
+   * The server has fulfilled a request for the resource,
+   * and the response is a representation of the result of one or more instance-manipulations applied to the current instance.
+   */
+  IM_USED = 226,
+  /**
+   * Indicates multiple options for the resource from which the client may choose (via agent-driven content negotiation).
+   * For example, this code could be used to present multiple video format options,
+   * to list files with different filename extensions, or to suggest word-sense disambiguation.
+   */
+  MULTIPLE_CHOICES = 300,
+  /**
+   * This and all future requests should be directed to the given URI.
+   */
+  MOVED_PERMANENTLY = 301,
+  /**
+   * This is an example of industry practice contradicting the standard.
+   * The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect
+   * (the original describing phrase was "Moved Temporarily"), but popular browsers implemented 302
+   * with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307
+   * to distinguish between the two behaviours. However, some Web applications and frameworks
+   * use the 302 status code as if it were the 303.
+   */
+  FOUND = 302,
+  /**
+   * SINCE HTTP/1.1
+   * The response to the request can be found under another URI using a GET method.
+   * When received in response to a POST (or PUT/DELETE), the client should presume that
+   * the server has received the data and should issue a redirect with a separate GET message.
+   */
+  SEE_OTHER = 303,
+  /**
+   * Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match.
+   * In such case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.
+   */
+  NOT_MODIFIED = 304,
+  /**
+   * SINCE HTTP/1.1
+   * The requested resource is available only through a proxy, the address for which is provided in the response.
+   * Many HTTP clients (such as Mozilla and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.
+   */
+  USE_PROXY = 305,
+  /**
+   * No longer used. Originally meant "Subsequent requests should use the specified proxy."
+   * @deprecated No longer used
+   */
+  SWITCH_PROXY = 306,
+  /**
+   * SINCE HTTP/1.1
+   * In this case, the request should be repeated with another URI; however, future requests should still use the original URI.
+   * In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request.
+   * For example, a POST request should be repeated using another POST request.
+   */
+  TEMPORARY_REDIRECT = 307,
+  /**
+   * The request and all future requests should be repeated using another URI.
+   * 307 and 308 parallel the behaviors of 302 and 301, but do not allow the HTTP method to change.
+   * So, for example, submitting a form to a permanently redirected resource may continue smoothly.
+   */
+  PERMANENT_REDIRECT = 308,
+  /**
+   * The server cannot or will not process the request due to an apparent client error
+   * (e.g., malformed request syntax, too large size, invalid request message framing, or deceptive request routing).
+   */
+  BAD_REQUEST = 400,
+  /**
+   * Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet
+   * been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the
+   * requested resource. See Basic access authentication and Digest access authentication. 401 semantically means
+   * "unauthenticated",i.e. the user does not have the necessary credentials.
+   */
+  UNAUTHORIZED = 401,
+  /**
+   * Reserved for future use. The original intention was that this code might be used as part of some form of digital
+   * cash or micro payment scheme, but that has not happened, and this code is not usually used.
+   * Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.
+   */
+  PAYMENT_REQUIRED = 402,
+  /**
+   * The request was valid, but the server is refusing action.
+   * The user might not have the necessary permissions for a resource.
+   */
+  FORBIDDEN = 403,
+  /**
+   * The requested resource could not be found but may be available in the future.
+   * Subsequent requests by the client are permissible.
+   */
+  NOT_FOUND = 404,
+  /**
+   * A request method is not supported for the requested resource;
+   * for example, a GET request on a form that requires data to be presented via POST, or a PUT request on a read-only resource.
+   */
+  METHOD_NOT_ALLOWED = 405,
+  /**
+   * The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request.
+   */
+  NOT_ACCEPTABLE = 406,
+  /**
+   * The client must first authenticate itself with the proxy.
+   */
+  PROXY_AUTHENTICATION_REQUIRED = 407,
+  /**
+   * The server timed out waiting for the request.
+   * According to HTTP specifications:
+   * "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
+   */
+  REQUEST_TIMEOUT = 408,
+  /**
+   * Indicates that the request could not be processed because of conflict in the request,
+   * such as an edit conflict between multiple simultaneous updates.
+   */
+  CONFLICT = 409,
+  /**
+   * Indicates that the resource requested is no longer available and will not be available again.
+   * This should be used when a resource has been intentionally removed and the resource should be purged.
+   * Upon receiving a 410 status code, the client should not request the resource in the future.
+   * Clients such as search engines should remove the resource from their indices.
+   * Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
+   */
+  GONE = 410,
+  /**
+   * The request did not specify the length of its content, which is required by the requested resource.
+   */
+  LENGTH_REQUIRED = 411,
+  /**
+   * The server does not meet one of the preconditions that the requester put on the request.
+   */
+  PRECONDITION_FAILED = 412,
+  /**
+   * The request is larger than the server is willing or able to process. Previously called "Request Entity Too Large".
+   */
+  CONTENT_TOO_LARGE = 413,
+  /* Excluded from this release type: PAYLOAD_TOO_LARGE */
+  /**
+   * The URI provided was too long for the server to process. Often the result of too much data being encoded as a query-string of a GET request,
+   * in which case it should be converted to a POST request.
+   * Called "Request-URI Too Long" previously.
+   */
+  URI_TOO_LONG = 414,
+  /**
+   * The request entity has a media type which the server or resource does not support.
+   * For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
+   */
+  UNSUPPORTED_MEDIA_TYPE = 415,
+  /**
+   * The client has asked for a portion of the file (byte serving), but the server cannot supply that portion.
+   * For example, if the client asked for a part of the file that lies beyond the end of the file.
+   * Called "Requested Range Not Satisfiable" previously.
+   */
+  RANGE_NOT_SATISFIABLE = 416,
+  /**
+   * The server cannot meet the requirements of the Expect request-header field.
+   */
+  EXPECTATION_FAILED = 417,
+  /**
+   * This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol,
+   * and is not expected to be implemented by actual HTTP servers. The RFC specifies this code should be returned by
+   * teapots requested to brew coffee. This HTTP status is used as an Easter egg in some websites, including Google.com.
+   */
+  I_AM_A_TEAPOT = 418,
+  /**
+   * The request was directed at a server that is not able to produce a response (for example because a connection reuse).
+   */
+  MISDIRECTED_REQUEST = 421,
+  /* Excluded from this release type: UNPROCESSABLE_ENTITY */
+  /**
+   * The request was well-formed but was unable to be followed due to semantic errors.
+   */
+  UNPROCESSABLE_CONTENT = 422,
+  /**
+   * The resource that is being accessed is locked.
+   */
+  LOCKED = 423,
+  /**
+   * The request failed due to failure of a previous request (e.g., a PROPPATCH).
+   */
+  FAILED_DEPENDENCY = 424,
+  /**
+   * The server is unwilling to risk processing a request that might be
+   * replayed, which creates the potential for a replay attack.
+   */
+  TOO_EARLY = 425,
+  /**
+   * The client should switch to a different protocol such as TLS/1.0, given in the Upgrade header field.
+   */
+  UPGRADE_REQUIRED = 426,
+  /**
+   * The origin server requires the request to be conditional.
+   * Intended to prevent "the 'lost update' problem, where a client
+   * GETs a resource's state, modifies it, and PUTs it back to the server,
+   * when meanwhile a third party has modified the state on the server, leading to a conflict."
+   */
+  PRECONDITION_REQUIRED = 428,
+  /**
+   * The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.
+   */
+  TOO_MANY_REQUESTS = 429,
+  /**
+   * The server is unwilling to process the request because either an individual header field,
+   * or all the header fields collectively, are too large.
+   */
+  REQUEST_HEADER_FIELDS_TOO_LARGE = 431,
+  /**
+   * A server operator has received a legal demand to deny access to a resource or to a set of resources
+   * that includes the requested resource. The code 451 was chosen as a reference to the novel Fahrenheit 451.
+   */
+  UNAVAILABLE_FOR_LEGAL_REASONS = 451,
+  /**
+   * A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.
+   */
+  INTERNAL_SERVER_ERROR = 500,
+  /**
+   * The server either does not recognize the request method, or it lacks the ability to fulfill the request.
+   * Usually this implies future availability (e.g., a new feature of a web-service API).
+   */
+  NOT_IMPLEMENTED = 501,
+  /**
+   * The server was acting as a gateway or proxy and received an invalid response from the upstream server.
+   */
+  BAD_GATEWAY = 502,
+  /**
+   * The server is currently unavailable (because it is overloaded or down for maintenance).
+   * Generally, this is a temporary state.
+   */
+  SERVICE_UNAVAILABLE = 503,
+  /**
+   * The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.
+   */
+  GATEWAY_TIMEOUT = 504,
+  /**
+   * The server does not support the HTTP protocol version used in the request
+   */
+  HTTP_VERSION_NOT_SUPPORTED = 505,
+  /**
+   * Transparent content negotiation for the request results in a circular reference.
+   */
+  VARIANT_ALSO_NEGOTIATES = 506,
+  /**
+   * The server is unable to store the representation needed to complete the request.
+   */
+  INSUFFICIENT_STORAGE = 507,
+  /**
+   * The server detected an infinite loop while processing the request.
+   */
+  LOOP_DETECTED = 508,
+  /**
+   * Further extensions to the request are required for the server to fulfill it.
+   */
+  NOT_EXTENDED = 510,
+  /**
+   * The client needs to authenticate to gain network access.
+   * Intended for use by intercepting proxies used to control access to the network (e.g., "captive portals" used
+   * to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).
+   */
+  NETWORK_AUTHENTICATION_REQUIRED = 511,
+}
+
+declare type HttpStatusCodeRangeDefinition =
+  | "1XX"
+  | "2XX"
+  | "3XX"
+  | "4XX"
+  | "5XX";
+
+/**
+ * A function-based inbound policy that can modify the incoming HTTP request.
+ * This is the simplest way to create custom policies without extending a class.
+ *
+ * @param request - The incoming Request
+ * @param context - The current context of the Request
+ * @param options - The configuration options for the policy
+ * @param policyName - The name set on the policy in the configuration
+ * @returns A Response to short-circuit or a Request to continue
+ *
+ * @public
+ * @example
+ * ```typescript
+ * import { InboundPolicyHandler } from "@zuplo/runtime";
+ *
+ * interface RateLimitOptions {
+ *   requests: number;
+ *   windowMs: number;
+ * }
+ *
+ * export const rateLimitPolicy: InboundPolicyHandler<RateLimitOptions> = async (
+ *   request,
+ *   context,
+ *   options,
+ *   policyName
+ * ) => {
+ *   const key = request.headers.get("x-api-key") || "anonymous";
+ *   const count = await incrementCounter(key, options.windowMs);
+ *
+ *   if (count > options.requests) {
+ *     return new Response("Too Many Requests", { status: 429 });
+ *   }
+ *
+ *   // Add rate limit headers
+ *   request.headers.set("X-RateLimit-Limit", options.requests.toString());
+ *   request.headers.set("X-RateLimit-Remaining", (options.requests - count).toString());
+ *
+ *   return request;
+ * };
+ * ```
+ */
+declare interface InboundPolicyHandler<TOptions = any> {
+  (
+    request: ZuploRequest,
+    context: ZuploContext,
+    options: TOptions,
+    policyName: string
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * @public
+ */
+declare interface IncomingRequestProperties {
+  /**
+   * ASN of the incoming request, for example, 395747.
+   */
+  readonly asn: number | undefined;
+  /**
+   * The organization which owns the ASN of the incoming request,
+   * for example, Google Cloud.
+   */
+  readonly asOrganization: string | undefined;
+  /**
+   * City of the incoming request, for example, "Austin".
+   */
+  readonly city: string | undefined;
+  /**
+   * Continent of the incoming request, for example, "NA".
+   */
+  readonly continent: ContinentCode | undefined;
+  /**
+   * The two-letter country code in the request.
+   * @see {@link https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2|ISO 3166-1 alpha-2}
+   */
+  readonly country: Iso3166Alpha2Code | undefined;
+  /**
+   * Latitude of the incoming request, for example, "30.27130".
+   */
+  readonly latitude: string | undefined;
+  /**
+   * Longitude of the incoming request, for example, "-97.74260".
+   */
+  readonly longitude: string | undefined;
+  /**
+   * The three-letter IATA airport code of the data center that the request hit,
+   * for example, "DFW".
+   * @see {@link https://en.wikipedia.org/wiki/IATA_airport_code|IATA airport code}
+   */
+  readonly colo: string | undefined;
+  /**
+   * Postal code of the incoming request, for example, "78701".
+   */
+  readonly postalCode: string | undefined;
+  /**
+   * Metro code (DMA) of the incoming request, for example, "635".
+   */
+  readonly metroCode: string | undefined;
+  /**
+   * If known, the ISO 3166-2 name for the first level region associated with
+   * the IP address of the incoming request, for example, "Texas".
+   * @see {@link https://en.wikipedia.org/wiki/ISO_3166-2|ISO 3166-2}
+   */
+  readonly region: string | undefined;
+  /**
+   * If known, the ISO 3166-2 code for the first-level region associated with
+   * the IP address of the incoming request, for example, "TX".
+   * @see {@link https://en.wikipedia.org/wiki/ISO_3166-2|ISO 3166-2}
+   */
+  readonly regionCode: string | undefined;
+  /**
+   * Timezone of the incoming request, for example, "America/Chicago".
+   */
+  readonly timezone: string | undefined;
+  /**
+   * If available, the HTTP protocol of the incoming request, for example, "HTTP/1.1".
+   */
+  readonly httpProtocol: string | undefined;
+}
+
+/**
+ * ISO 3166-1 Alpha-2 codes
+ * @public
+ */
+declare type Iso3166Alpha2Code =
+  | "AD"
+  | "AE"
+  | "AF"
+  | "AG"
+  | "AI"
+  | "AL"
+  | "AM"
+  | "AO"
+  | "AQ"
+  | "AR"
+  | "AS"
+  | "AT"
+  | "AU"
+  | "AW"
+  | "AX"
+  | "AZ"
+  | "BA"
+  | "BB"
+  | "BD"
+  | "BE"
+  | "BF"
+  | "BG"
+  | "BH"
+  | "BI"
+  | "BJ"
+  | "BL"
+  | "BM"
+  | "BN"
+  | "BO"
+  | "BQ"
+  | "BR"
+  | "BS"
+  | "BT"
+  | "BV"
+  | "BW"
+  | "BY"
+  | "BZ"
+  | "CA"
+  | "CC"
+  | "CD"
+  | "CF"
+  | "CG"
+  | "CH"
+  | "CI"
+  | "CK"
+  | "CL"
+  | "CM"
+  | "CN"
+  | "CO"
+  | "CR"
+  | "CU"
+  | "CV"
+  | "CW"
+  | "CX"
+  | "CY"
+  | "CZ"
+  | "DE"
+  | "DJ"
+  | "DK"
+  | "DM"
+  | "DO"
+  | "DZ"
+  | "EC"
+  | "EE"
+  | "EG"
+  | "EH"
+  | "ER"
+  | "ES"
+  | "ET"
+  | "FI"
+  | "FJ"
+  | "FK"
+  | "FM"
+  | "FO"
+  | "FR"
+  | "GA"
+  | "GB"
+  | "GD"
+  | "GE"
+  | "GF"
+  | "GG"
+  | "GH"
+  | "GI"
+  | "GL"
+  | "GM"
+  | "GN"
+  | "GP"
+  | "GQ"
+  | "GR"
+  | "GS"
+  | "GT"
+  | "GU"
+  | "GW"
+  | "GY"
+  | "HK"
+  | "HM"
+  | "HN"
+  | "HR"
+  | "HT"
+  | "HU"
+  | "ID"
+  | "IE"
+  | "IL"
+  | "IM"
+  | "IN"
+  | "IO"
+  | "IQ"
+  | "IR"
+  | "IS"
+  | "IT"
+  | "JE"
+  | "JM"
+  | "JO"
+  | "JP"
+  | "KE"
+  | "KG"
+  | "KH"
+  | "KI"
+  | "KM"
+  | "KN"
+  | "KP"
+  | "KR"
+  | "KW"
+  | "KY"
+  | "KZ"
+  | "LA"
+  | "LB"
+  | "LC"
+  | "LI"
+  | "LK"
+  | "LR"
+  | "LS"
+  | "LT"
+  | "LU"
+  | "LV"
+  | "LY"
+  | "MA"
+  | "MC"
+  | "MD"
+  | "ME"
+  | "MF"
+  | "MG"
+  | "MH"
+  | "MK"
+  | "ML"
+  | "MM"
+  | "MN"
+  | "MO"
+  | "MP"
+  | "MQ"
+  | "MR"
+  | "MS"
+  | "MT"
+  | "MU"
+  | "MV"
+  | "MW"
+  | "MX"
+  | "MY"
+  | "MZ"
+  | "NA"
+  | "NC"
+  | "NE"
+  | "NF"
+  | "NG"
+  | "NI"
+  | "NL"
+  | "NO"
+  | "NP"
+  | "NR"
+  | "NU"
+  | "NZ"
+  | "OM"
+  | "PA"
+  | "PE"
+  | "PF"
+  | "PG"
+  | "PH"
+  | "PK"
+  | "PL"
+  | "PM"
+  | "PN"
+  | "PR"
+  | "PS"
+  | "PT"
+  | "PW"
+  | "PY"
+  | "QA"
+  | "RE"
+  | "RO"
+  | "RS"
+  | "RU"
+  | "RW"
+  | "SA"
+  | "SB"
+  | "SC"
+  | "SD"
+  | "SE"
+  | "SG"
+  | "SH"
+  | "SI"
+  | "SJ"
+  | "SK"
+  | "SL"
+  | "SM"
+  | "SN"
+  | "SO"
+  | "SR"
+  | "SS"
+  | "ST"
+  | "SV"
+  | "SX"
+  | "SY"
+  | "SZ"
+  | "TC"
+  | "TD"
+  | "TF"
+  | "TG"
+  | "TH"
+  | "TJ"
+  | "TK"
+  | "TL"
+  | "TM"
+  | "TN"
+  | "TO"
+  | "TR"
+  | "TT"
+  | "TV"
+  | "TW"
+  | "TZ"
+  | "UA"
+  | "UG"
+  | "UM"
+  | "US"
+  | "UY"
+  | "UZ"
+  | "VA"
+  | "VC"
+  | "VE"
+  | "VG"
+  | "VI"
+  | "VN"
+  | "VU"
+  | "WF"
+  | "WS"
+  | "YE"
+  | "YT"
+  | "ZA"
+  | "ZM"
+  | "ZW";
+
+declare type JsonArray = JsonValue[] | readonly JsonValue[];
+
+/**
+ Matches a JSON object.
+ This type can be useful to enforce some input to be JSON-compatible or as a super-type to be extended from. Don't use this as a direct return type as the user would have to double-cast it: `jsonObject as unknown as CustomResponse`. Instead, you could extend your CustomResponse type from it to ensure your type only uses JSON-compatible types: `interface CustomResponse extends JsonObject { … }`.
+ */
+declare type JsonObject = {
+  [Key in string]: JsonValue;
+} & {
+  [Key in string]?: JsonValue | undefined;
+};
+
+declare type JsonPrimitive = string | number | boolean | null;
+
+/**
+ Matches any valid JSON value.
+ @see `Jsonify` if you need to transform a type to one that is assignable to `JsonValue`.
+ */
+declare type JsonValue = JsonPrimitive | JsonObject | JsonArray;
+
+/**
+ * Logger to be used in the runtime via context.log.
+ * You can set per-request properties that will be included in all log entries for this request.
+ * @beta
+ */
+declare interface Logger extends BaseLogger {
+  /**
+   * Set properties that will be included in all subsequent log entries for this request.
+   * Properties are merged with existing properties and any static fields configured in the logging plugin.
+   * Per-request properties take precedence over static fields with the same name.
+   *
+   * @param properties - Key-value pairs to include in log entries. Values must be string, number, or boolean.
+   *
+   * @example
+   * ```ts
+   * export default async function (request: ZuploRequest, context: ZuploContext) {
+   *   // Set properties that will be included in all logs for this request
+   *   context.log.setLogProperties({ http_status_code: 400, user_id: "123" });
+   *
+   *   context.log.error("Request failed"); // Will include http_status_code and user_id
+   *
+   *   return new Response("Error", { status: 400 });
+   * }
+   * ```
+   */
+  setLogProperties?(
+    properties: Record<string, string | number | boolean>
+  ): void;
+}
+
+/* Excluded from this release type: LookupResult */
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Auth0.
+ *
+ * Auth0-friendly wrapper around `McpOAuthInboundPolicy`. Provide
+ * `auth0Domain` and `clientId`; the wrapper derives the OIDC issuer, JWKS URL,
+ * and Auth0 authorize/token endpoints automatically. The resolved options are
+ * translated into the generic `McpOAuthRuntimeConfig` at gateway initialization
+ * time (see `setupRoutes`); this request-time entry point delegates straight
+ * to the underlying OAuth implementation.
+ *
+ * @beta
+ * @title MCP Auth0 OAuth Inbound
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param _options - The policy options set in policies.json
+ * @param _policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const McpAuth0OAuthInboundPolicy: InboundPolicyHandler<McpAuth0OAuthInboundPolicyOptions>;
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpAuth0OAuthInboundPolicyOptions {
+  /**
+   * Your Auth0 tenant domain. The OIDC issuer, JWKS URL, /authorize URL, and /oauth/token URL are derived from this.
+   */
+  auth0Domain: string;
+  /**
+   * Expected audience claim on tokens issued for the gateway. Surfaces both as the OIDC token audience and as the Auth0 authorize?audience= parameter.
+   */
+  audience: string;
+  /**
+   * The Auth0 client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Auth0 client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret?: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Activates the MCP Gateway internal routes (OAuth authorization server,
+ * upstream connection management, well-known metadata) on the runtime router.
+ * The plugin is a no-op when no MCP-related policy is present.
+ *
+ * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
+ * does not statically reference any MCP gateway code, so unrelated projects
+ * pay no bundle cost.
+ *
+ * @public
+ * @example
+ * ```ts
+ * import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
+ *
+ * export default async function (runtime: RuntimeExtensions) {
+ *   runtime.addPlugin(new McpGatewayPlugin());
+ * }
+ * ```
+ */
+export declare class McpGatewayPlugin extends SystemRuntimePlugin {
+  registerRoutes(options: {
+    router: Router;
+    runtimeSettings: RuntimeSettings;
+    parsedRouteData?: ParsedRouteData;
+  }): void;
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token.
+ *
+ * The gateway hosts its own OAuth authorization server endpoints (DCR,
+ * `/authorize`, `/token`, `/callback`) — registered automatically when this
+ * policy is present in `policies.json`. End-user browser login is delegated
+ * to the OpenID Connect identity provider configured via the `oidc` and
+ * `browserLogin` policy options.
+ *
+ * The runtime resolves the policy options into a `McpOAuthRuntimeConfig` at
+ * gateway-initialization time and threads them into the underlying OAuth
+ * implementation. This policy's request-time job is to validate the bearer
+ * token presented by the MCP client and hydrate the principal onto the
+ * request context.
+ *
+ * @beta
+ * @title MCP OAuth Inbound
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param _options - The policy options set in policies.json
+ * @param _policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const McpOAuthInboundPolicy: InboundPolicyHandler<McpOAuthInboundPolicyOptions>;
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOAuthInboundPolicyOptions {
+  /**
+   * OpenID Connect identity provider that authenticates end-users before the gateway issues its own OAuth access token.
+   */
+  oidc: {
+    /**
+     * The OIDC issuer URL of the identity provider.
+     */
+    issuer: string;
+    /**
+     * The JWKS endpoint used to verify ID tokens issued by the identity provider.
+     */
+    jwksUrl: string;
+    /**
+     * Expected audience claim on tokens issued for the gateway.
+     */
+    audience: string;
+  };
+  /**
+   * Browser-side OAuth/OIDC settings used when the gateway redirects the user to the identity provider for login.
+   */
+  browserLogin: {
+    /**
+     * The IdP /authorize endpoint to redirect the user to. For local development on loopback, use http://127.0.0.1:9000/oauth/dev-login.
+     */
+    url: string;
+    /**
+     * The IdP token endpoint used for the federated authorization code exchange. Required for federated_oidc browser login.
+     */
+    tokenUrl?: string;
+    /**
+     * The OIDC client_id registered with the identity provider for the gateway's browser login flow.
+     */
+    clientId?: string;
+    /**
+     * The OIDC client_secret. Use $env(...) to source from a secret environment variable.
+     */
+    clientSecret?: string;
+    /**
+     * The OIDC scopes requested during browser login.
+     */
+    scope?: string;
+    /**
+     * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
+     */
+    audience?: string;
+    /**
+     * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
+     */
+    remoteTimeoutMs?: number;
+    /**
+     * Lifetime of an in-flight browser-login state record.
+     */
+    stateTtlSeconds?: number;
+    /**
+     * Lifetime of the gateway browser-login session cookie issued after a successful login.
+     */
+    sessionTtlSeconds?: number;
+  };
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+}
+
+/**
+ * Bind a route to an upstream MCP server. Stores the resolved upstream binding
+ * on the request context for {@link McpVirtualServerHandler}, which resolves
+ * credentials during capability dispatch.
+ *
+ * @beta
+ * @title MCP Upstream Connection Inbound
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param options - The policy options set in policies.json
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const McpUpstreamConnectionInboundPolicy: InboundPolicyHandler<McpUpstreamConnectionInboundPolicyOptions>;
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpUpstreamConnectionInboundPolicyOptions {
+  /**
+   * Stable id for the upstream connection. Used to namespace per-user OAuth state and audit events. If omitted, the gateway tries to infer it from the policy name (`mcp-upstream-{id}`).
+   */
+  id?: string;
+  /**
+   * Display name shown in connect-required responses, audit logs, and the setup UI.
+   */
+  displayName: string;
+  /**
+   * Optional human-readable summary of the upstream, shown on the consent page.
+   */
+  summary?: string;
+  /**
+   * The base URL of the upstream MCP server.
+   */
+  mcpUrl: string;
+  /**
+   * Optional override for the upstream's OAuth protected-resource metadata URL.
+   */
+  protectedResourceMetadataUrl?: string;
+  /**
+   * Additional request headers the gateway should inject when calling the upstream.
+   */
+  requestHeaders?: {
+    name: string;
+    valueEnv: string;
+    required?: boolean;
+  }[];
+  /**
+   * Authentication mode. `user_oauth` performs per-user OAuth federation; `tenant_shared_oauth` uses a tenant-level OAuth grant; the `*_static_secret` variants use a configured secret instead of OAuth.
+   */
+  authMode:
+    | "user_oauth"
+    | "tenant_shared_oauth"
+    | "static_secret"
+    | "user_static_secret"
+    | "tenant_static_secret";
+  /**
+   * OAuth scopes to request from the upstream (for OAuth modes).
+   */
+  scopes?: string[];
+  /**
+   * Delimiter used to join scopes in the OAuth authorization request. Defaults to a single space.
+   */
+  scopeDelimiter?: string;
+  /**
+   * OAuth client id when registering manually (for OAuth modes).
+   */
+  clientId?: string;
+  /**
+   * Environment variable holding the OAuth client secret (for OAuth modes with manual registration).
+   */
+  clientSecretEnv?: string;
+  /**
+   * OAuth client secret reference, either an env var name or `$env(VAR_NAME)` (for OAuth modes with manual registration).
+   */
+  clientSecret?: string;
+  /**
+   * Token endpoint authentication method (for OAuth modes with manual registration).
+   */
+  tokenEndpointAuthMethod?:
+    | "client_secret_basic"
+    | "client_secret_post"
+    | "none";
+  /**
+   * OAuth client registration mode. Defaults to `auto` (Dynamic Client Registration).
+   */
+  clientRegistration?:
+    | {
+        mode: "auto";
+      }
+    | {
+        mode: "manual";
+        clientId: string;
+        clientSecretEnv?: string;
+        tokenEndpointAuthMethod?:
+          | "client_secret_basic"
+          | "client_secret_post"
+          | "none";
+      };
+  /**
+   * Static secret configuration (for `*_static_secret` auth modes).
+   */
+  secret?: {
+    [k: string]: unknown;
+  };
+}
+
+/**
+ * Implements the server-side MCP request lifecycle for the gateway. Pair with
+ * `McpOAuthInboundPolicy` (or `McpAuth0OAuthInboundPolicy`) plus an
+ * `McpUpstreamConnectionInboundPolicy` instance: the OAuth inbound policy
+ * authenticates the request, the upstream-connection policy resolves which
+ * upstream MCP server is bound to the route, and this handler accepts the
+ * incoming JSON-RPC POST, dispatches `initialize`, `tools/list`, `tools/call`,
+ * `prompts/list`, `prompts/get`, `resources/list`, and `resources/read` to the
+ * upstream MCP server through the streamable HTTP transport, and returns the
+ * JSON-RPC response.
+ *
+ * GET requests (for the standalone SSE channel of the streamable HTTP
+ * transport) are intentionally rejected with JSON-RPC error code `-32000` and
+ * `Allow: POST` because this handler runs in stateless mode.
+ *
+ * @beta
+ * @param request - The ZuploRequest. The body must contain a JSON-RPC request.
+ * @param context - The ZuploContext.
+ * @returns The JSON-RPC response from the upstream MCP server.
+ *
+ * @example
+ * ```json
+ * // routes.oas.json - Pair with the MCP OAuth + upstream-connection policies.
+ * {
+ *   "paths": {
+ *     "/mcp/linear": {
+ *       "post": {
+ *         "x-zuplo-route": {
+ *           "handler": {
+ *             "module": "$import(@zuplo/runtime)",
+ *             "export": "McpVirtualServerHandler"
+ *           },
+ *           "policies": {
+ *             "inbound": ["auth0-managed-oauth", "mcp-upstream-linear"]
+ *           }
+ *         }
+ *       }
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export declare function McpVirtualServerHandler(
+  request: ZuploRequest,
+  context: ZuploContext
+): Promise<Response>;
+
+declare type Modify<T, R> = Omit<T, keyof R> & R;
+
+declare interface NotFoundOptions {
+  routesMatchedByPathOnly: RouteConfiguration[];
+}
+
+/**
+ * @public
+ */
+declare interface OnRequestHook {
+  (
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response> | (ZuploRequest | Response);
+}
+
+/**
+ * @public
+ */
+declare interface OnResponseSendingFinalHook {
+  (
+    response: Response,
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<void> | void;
+}
+
+/**
+ * @public
+ */
+declare interface OnResponseSendingHook {
+  (
+    response: Response,
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<Response> | Response;
+}
+
+declare namespace OpenAPIV3 {
+  interface Document<T extends {} = {}> {
+    openapi: string;
+    info: InfoObject;
+    servers?: ServerObject[];
+    paths: PathsObject<T>;
+    components?: ComponentsObject;
+    security?: SecurityRequirementObject[];
+    tags?: TagObject[];
+    externalDocs?: ExternalDocumentationObject;
+    "x-express-openapi-additional-middleware"?: (
+      | ((request: any, response: any, next: any) => Promise<void>)
+      | ((request: any, response: any, next: any) => void)
+    )[];
+    "x-express-openapi-validation-strict"?: boolean;
+  }
+  interface InfoObject {
+    title: string;
+    description?: string;
+    termsOfService?: string;
+    contact?: ContactObject;
+    license?: LicenseObject;
+    version: string;
+  }
+  interface ContactObject {
+    name?: string;
+    url?: string;
+    email?: string;
+  }
+  interface LicenseObject {
+    name: string;
+    url?: string;
+  }
+  interface ServerObject {
+    url: string;
+    description?: string;
+    variables?: {
+      [variable: string]: ServerVariableObject;
+    };
+  }
+  interface ServerVariableObject {
+    enum?: string[];
+    default: string;
+    description?: string;
+  }
+  interface PathsObject<T extends {} = {}, P extends {} = {}> {
+    [pattern: string]: (PathItemObject<T> & P) | undefined;
+  }
+  enum HttpMethods {
+    GET = "get",
+    PUT = "put",
+    POST = "post",
+    DELETE = "delete",
+    OPTIONS = "options",
+    HEAD = "head",
+    PATCH = "patch",
+    TRACE = "trace",
+  }
+  type PathItemObject<T extends {} = {}> = {
+    $ref?: string;
+    summary?: string;
+    description?: string;
+    servers?: ServerObject[];
+    parameters?: (ReferenceObject | ParameterObject)[];
+  } & {
+    [method in HttpMethods]?: OperationObject<T>;
+  };
+  type OperationObject<T extends {} = {}> = {
+    tags?: string[];
+    summary?: string;
+    description?: string;
+    externalDocs?: ExternalDocumentationObject;
+    operationId?: string;
+    parameters?: (ReferenceObject | ParameterObject)[];
+    requestBody?: ReferenceObject | RequestBodyObject;
+    responses: ResponsesObject;
+    callbacks?: {
+      [callback: string]: ReferenceObject | CallbackObject;
+    };
+    deprecated?: boolean;
+    security?: SecurityRequirementObject[];
+    servers?: ServerObject[];
+  } & T;
+  interface ExternalDocumentationObject {
+    description?: string;
+    url: string;
+  }
+  interface ParameterObject extends ParameterBaseObject {
+    name: string;
+    in: string;
+  }
+  interface HeaderObject extends ParameterBaseObject {}
+  interface ParameterBaseObject {
+    description?: string;
+    required?: boolean;
+    deprecated?: boolean;
+    allowEmptyValue?: boolean;
+    style?: string;
+    explode?: boolean;
+    allowReserved?: boolean;
+    schema?: ReferenceObject | SchemaObject;
+    example?: any;
+    examples?: {
+      [media: string]: ReferenceObject | ExampleObject;
+    };
+    content?: {
+      [media: string]: MediaTypeObject;
+    };
+  }
+  type NonArraySchemaObjectType =
+    | "boolean"
+    | "object"
+    | "number"
+    | "string"
+    | "integer";
+  type ArraySchemaObjectType = "array";
+  type SchemaObject = ArraySchemaObject | NonArraySchemaObject;
+  interface ArraySchemaObject extends BaseSchemaObject {
+    type: ArraySchemaObjectType;
+    items: ReferenceObject | SchemaObject;
+  }
+  interface NonArraySchemaObject extends BaseSchemaObject {
+    type?: NonArraySchemaObjectType;
+  }
+  interface BaseSchemaObject {
+    title?: string;
+    description?: string;
+    format?: string;
+    default?: any;
+    multipleOf?: number;
+    maximum?: number;
+    exclusiveMaximum?: boolean;
+    minimum?: number;
+    exclusiveMinimum?: boolean;
+    maxLength?: number;
+    minLength?: number;
+    pattern?: string;
+    additionalProperties?: boolean | ReferenceObject | SchemaObject;
+    maxItems?: number;
+    minItems?: number;
+    uniqueItems?: boolean;
+    maxProperties?: number;
+    minProperties?: number;
+    required?: string[];
+    enum?: any[];
+    properties?: {
+      [name: string]: ReferenceObject | SchemaObject;
+    };
+    allOf?: (ReferenceObject | SchemaObject)[];
+    oneOf?: (ReferenceObject | SchemaObject)[];
+    anyOf?: (ReferenceObject | SchemaObject)[];
+    not?: ReferenceObject | SchemaObject;
+    nullable?: boolean;
+    discriminator?: DiscriminatorObject;
+    readOnly?: boolean;
+    writeOnly?: boolean;
+    xml?: XMLObject;
+    externalDocs?: ExternalDocumentationObject;
+    example?: any;
+    deprecated?: boolean;
+  }
+  interface DiscriminatorObject {
+    propertyName: string;
+    mapping?: {
+      [value: string]: string;
+    };
+  }
+  interface XMLObject {
+    name?: string;
+    namespace?: string;
+    prefix?: string;
+    attribute?: boolean;
+    wrapped?: boolean;
+  }
+  interface ReferenceObject {
+    $ref: string;
+  }
+  interface ExampleObject {
+    summary?: string;
+    description?: string;
+    value?: any;
+    externalValue?: string;
+  }
+  interface MediaTypeObject {
+    schema?: ReferenceObject | SchemaObject;
+    example?: any;
+    examples?: {
+      [media: string]: ReferenceObject | ExampleObject;
+    };
+    encoding?: {
+      [media: string]: EncodingObject;
+    };
+  }
+  interface EncodingObject {
+    contentType?: string;
+    headers?: {
+      [header: string]: ReferenceObject | HeaderObject;
+    };
+    style?: string;
+    explode?: boolean;
+    allowReserved?: boolean;
+  }
+  interface RequestBodyObject {
+    description?: string;
+    content: {
+      [media: string]: MediaTypeObject;
+    };
+    required?: boolean;
+  }
+  interface ResponsesObject {
+    [code: string]: ReferenceObject | ResponseObject;
+  }
+  interface ResponseObject {
+    description: string;
+    headers?: {
+      [header: string]: ReferenceObject | HeaderObject;
+    };
+    content?: {
+      [media: string]: MediaTypeObject;
+    };
+    links?: {
+      [link: string]: ReferenceObject | LinkObject;
+    };
+  }
+  interface LinkObject {
+    operationRef?: string;
+    operationId?: string;
+    parameters?: {
+      [parameter: string]: any;
+    };
+    requestBody?: any;
+    description?: string;
+    server?: ServerObject;
+  }
+  interface CallbackObject {
+    [url: string]: PathItemObject;
+  }
+  interface SecurityRequirementObject {
+    [name: string]: string[];
+  }
+  interface ComponentsObject {
+    schemas?: {
+      [key: string]: ReferenceObject | SchemaObject;
+    };
+    responses?: {
+      [key: string]: ReferenceObject | ResponseObject;
+    };
+    parameters?: {
+      [key: string]: ReferenceObject | ParameterObject;
+    };
+    examples?: {
+      [key: string]: ReferenceObject | ExampleObject;
+    };
+    requestBodies?: {
+      [key: string]: ReferenceObject | RequestBodyObject;
+    };
+    headers?: {
+      [key: string]: ReferenceObject | HeaderObject;
+    };
+    securitySchemes?: {
+      [key: string]: ReferenceObject | SecuritySchemeObject;
+    };
+    links?: {
+      [key: string]: ReferenceObject | LinkObject;
+    };
+    callbacks?: {
+      [key: string]: ReferenceObject | CallbackObject;
+    };
+  }
+  type SecuritySchemeObject =
+    | HttpSecurityScheme
+    | ApiKeySecurityScheme
+    | OAuth2SecurityScheme
+    | OpenIdSecurityScheme;
+  interface HttpSecurityScheme {
+    type: "http";
+    description?: string;
+    scheme: string;
+    bearerFormat?: string;
+  }
+  interface ApiKeySecurityScheme {
+    type: "apiKey";
+    description?: string;
+    name: string;
+    in: string;
+  }
+  interface OAuth2SecurityScheme {
+    type: "oauth2";
+    description?: string;
+    flows: {
+      implicit?: {
+        authorizationUrl: string;
+        refreshUrl?: string;
+        scopes: {
+          [scope: string]: string;
+        };
+      };
+      password?: {
+        tokenUrl: string;
+        refreshUrl?: string;
+        scopes: {
+          [scope: string]: string;
+        };
+      };
+      clientCredentials?: {
+        tokenUrl: string;
+        refreshUrl?: string;
+        scopes: {
+          [scope: string]: string;
+        };
+      };
+      authorizationCode?: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        refreshUrl?: string;
+        scopes: {
+          [scope: string]: string;
+        };
+      };
+    };
+  }
+  interface OpenIdSecurityScheme {
+    type: "openIdConnect";
+    description?: string;
+    openIdConnectUrl: string;
+  }
+  interface TagObject {
+    name: string;
+    description?: string;
+    externalDocs?: ExternalDocumentationObject;
+  }
+}
+
+declare namespace OpenAPIV3_1 {
+  type Modify<T, R> = Omit<T, keyof R> & R;
+  type PathsWebhooksComponents<T extends {} = {}> = {
+    paths: PathsObject<T>;
+    webhooks: Record<string, PathItemObject | ReferenceObject>;
+    components: ComponentsObject;
+  };
+  type Document<T extends {} = {}> = Modify<
+    Omit<OpenAPIV3.Document<T>, "paths" | "components">,
+    {
+      info: InfoObject;
+      jsonSchemaDialect?: string;
+      servers?: ServerObject[];
+    } & (
+      | (Pick<PathsWebhooksComponents<T>, "paths"> &
+          Omit<Partial<PathsWebhooksComponents<T>>, "paths">)
+      | (Pick<PathsWebhooksComponents<T>, "webhooks"> &
+          Omit<Partial<PathsWebhooksComponents<T>>, "webhooks">)
+      | (Pick<PathsWebhooksComponents<T>, "components"> &
+          Omit<Partial<PathsWebhooksComponents<T>>, "components">)
+    )
+  >;
+  type InfoObject = Modify<
+    OpenAPIV3.InfoObject,
+    {
+      summary?: string;
+      license?: LicenseObject;
+    }
+  >;
+  type ContactObject = OpenAPIV3.ContactObject;
+  type LicenseObject = Modify<
+    OpenAPIV3.LicenseObject,
+    {
+      identifier?: string;
+    }
+  >;
+  type ServerObject = Modify<
+    OpenAPIV3.ServerObject,
+    {
+      url: string;
+      description?: string;
+      variables?: Record<string, ServerVariableObject>;
+    }
+  >;
+  type ServerVariableObject = Modify<
+    OpenAPIV3.ServerVariableObject,
+    {
+      enum?: [string, ...string[]];
+    }
+  >;
+  type PathsObject<T extends {} = {}, P extends {} = {}> = Record<
+    string,
+    (PathItemObject<T> & P) | undefined
+  >;
+  type HttpMethods = OpenAPIV3.HttpMethods;
+  type PathItemObject<T extends {} = {}> = Modify<
+    OpenAPIV3.PathItemObject<T>,
+    {
+      servers?: ServerObject[];
+      parameters?: (ReferenceObject | ParameterObject)[];
+    }
+  > & {
+    [method in HttpMethods]?: OperationObject<T>;
+  };
+  type OperationObject<T extends {} = {}> = Modify<
+    OpenAPIV3.OperationObject<T>,
+    {
+      parameters?: (ReferenceObject | ParameterObject)[];
+      requestBody?: ReferenceObject | RequestBodyObject;
+      responses?: ResponsesObject;
+      callbacks?: Record<string, ReferenceObject | CallbackObject>;
+      servers?: ServerObject[];
+    }
+  > &
+    T;
+  type ExternalDocumentationObject = OpenAPIV3.ExternalDocumentationObject;
+  type ParameterObject = OpenAPIV3.ParameterObject;
+  type HeaderObject = OpenAPIV3.HeaderObject;
+  type ParameterBaseObject = OpenAPIV3.ParameterBaseObject;
+  type NonArraySchemaObjectType = OpenAPIV3.NonArraySchemaObjectType | "null";
+  type ArraySchemaObjectType = OpenAPIV3.ArraySchemaObjectType;
+  /**
+   * There is no way to tell typescript to require items when type is either 'array' or array containing 'array' type
+   * 'items' will be always visible as optional
+   * Casting schema object to ArraySchemaObject or NonArraySchemaObject will work fine
+   */
+  type SchemaObject =
+    | ArraySchemaObject
+    | NonArraySchemaObject
+    | MixedSchemaObject;
+  interface ArraySchemaObject extends BaseSchemaObject {
+    type: ArraySchemaObjectType;
+    items: ReferenceObject | SchemaObject;
+  }
+  interface NonArraySchemaObject extends BaseSchemaObject {
+    type?: NonArraySchemaObjectType;
+  }
+  interface MixedSchemaObject extends BaseSchemaObject {
+    type?: (ArraySchemaObjectType | NonArraySchemaObjectType)[];
+    items?: ReferenceObject | SchemaObject;
+  }
+  type BaseSchemaObject = Modify<
+    Omit<OpenAPIV3.BaseSchemaObject, "nullable">,
+    {
+      examples?: OpenAPIV3.BaseSchemaObject["example"][];
+      exclusiveMinimum?: boolean | number;
+      exclusiveMaximum?: boolean | number;
+      contentMediaType?: string;
+      $schema?: string;
+      additionalProperties?: boolean | ReferenceObject | SchemaObject;
+      properties?: {
+        [name: string]: ReferenceObject | SchemaObject;
+      };
+      allOf?: (ReferenceObject | SchemaObject)[];
+      oneOf?: (ReferenceObject | SchemaObject)[];
+      anyOf?: (ReferenceObject | SchemaObject)[];
+      not?: ReferenceObject | SchemaObject;
+      discriminator?: DiscriminatorObject;
+      externalDocs?: ExternalDocumentationObject;
+      xml?: XMLObject;
+      const?: any;
+    }
+  >;
+  type DiscriminatorObject = OpenAPIV3.DiscriminatorObject;
+  type XMLObject = OpenAPIV3.XMLObject;
+  type ReferenceObject = Modify<
+    OpenAPIV3.ReferenceObject,
+    {
+      summary?: string;
+      description?: string;
+    }
+  >;
+  type ExampleObject = OpenAPIV3.ExampleObject;
+  type MediaTypeObject = Modify<
+    OpenAPIV3.MediaTypeObject,
+    {
+      schema?: SchemaObject | ReferenceObject;
+      examples?: Record<string, ReferenceObject | ExampleObject>;
+    }
+  >;
+  type EncodingObject = OpenAPIV3.EncodingObject;
+  type RequestBodyObject = Modify<
+    OpenAPIV3.RequestBodyObject,
+    {
+      content: {
+        [media: string]: MediaTypeObject;
+      };
+    }
+  >;
+  type ResponsesObject = Record<string, ReferenceObject | ResponseObject>;
+  type ResponseObject = Modify<
+    OpenAPIV3.ResponseObject,
+    {
+      headers?: {
+        [header: string]: ReferenceObject | HeaderObject;
+      };
+      content?: {
+        [media: string]: MediaTypeObject;
+      };
+      links?: {
+        [link: string]: ReferenceObject | LinkObject;
+      };
+    }
+  >;
+  type LinkObject = Modify<
+    OpenAPIV3.LinkObject,
+    {
+      server?: ServerObject;
+    }
+  >;
+  type CallbackObject = Record<string, PathItemObject | ReferenceObject>;
+  type SecurityRequirementObject = OpenAPIV3.SecurityRequirementObject;
+  type ComponentsObject = Modify<
+    OpenAPIV3.ComponentsObject,
+    {
+      schemas?: Record<string, SchemaObject>;
+      responses?: Record<string, ReferenceObject | ResponseObject>;
+      parameters?: Record<string, ReferenceObject | ParameterObject>;
+      examples?: Record<string, ReferenceObject | ExampleObject>;
+      requestBodies?: Record<string, ReferenceObject | RequestBodyObject>;
+      headers?: Record<string, ReferenceObject | HeaderObject>;
+      securitySchemes?: Record<string, ReferenceObject | SecuritySchemeObject>;
+      links?: Record<string, ReferenceObject | LinkObject>;
+      callbacks?: Record<string, ReferenceObject | CallbackObject>;
+      pathItems?: Record<string, ReferenceObject | PathItemObject>;
+    }
+  >;
+  type SecuritySchemeObject = OpenAPIV3.SecuritySchemeObject;
+  type HttpSecurityScheme = OpenAPIV3.HttpSecurityScheme;
+  type ApiKeySecurityScheme = OpenAPIV3.ApiKeySecurityScheme;
+  type OAuth2SecurityScheme = OpenAPIV3.OAuth2SecurityScheme;
+  type OpenIdSecurityScheme = OpenAPIV3.OpenIdSecurityScheme;
+  type TagObject = OpenAPIV3.TagObject;
+  {
+  }
+}
+
+/**
+ * Base object for parameter definitions
+ * @public
+ */
+declare type ParameterBaseObject = Modify<
+  Omit<
+    OpenAPIV3_1.ParameterBaseObject,
+    | "content"
+    | "allowEmptyValue"
+    | "style"
+    | "allowReserved"
+    | "explode"
+    | "example"
+    | "examples"
+  >,
+  {
+    schema: OpenAPIV3_1.SchemaObject;
+  }
+>;
+
+/**
+ * Definition of a parameter
+ * @public
+ */
+declare interface ParameterDefinition extends ParameterBaseObject {
+  name: string;
+  in: string;
+}
+
+/**
+ * This is the parsed values of the Cors configuration. All
+ * values in the parsed configuration are in the format that the headers
+ * use them (i.e. everything is converted to a string)
+ */
+declare interface ParsedCorsPolicyConfiguration {
+  name: string;
+  allowCredentials: string | undefined;
+  maxAge: string | undefined;
+  allowedOrigins: string[];
+  allowedMethods?: string;
+  allowedHeaders?: string;
+  exposeHeaders?: string;
+}
+
+/**
+ * @public
+ */
+declare interface ParsedRouteData extends Omit<RouteData, "corsPolicies"> {
+  corsPolicies: ParsedCorsPolicyConfiguration[];
+}
+
+/**
+ * @public
+ */
+declare interface PolicyConfiguration {
+  name: string;
+  policyType: string;
+  handler: HandlerDefinition;
+  options?: unknown;
+}
+
+/**
+ * @public
+ */
+declare interface PreRoutingHook {
+  (request: Request): Promise<Request> | Request;
+}
+
+/**
+ * Problem Details for HTTP APIs
+ * @see {@link https://www.rfc-editor.org/rfc/rfc7807 |RFC7807}
+ * @public
+ */
+declare interface ProblemDetails {
+  /**
+   * A URI reference [RFC3986] that identifies the problem type.
+   *
+   * @remarks
+   *
+   * This specification encourages that, when dereferenced, it provide
+   * human-readable documentation for the  problem type
+   * (e.g., using HTML [W3C.REC-html5-20141028]).  When this member is not
+   * present, its value is assumed to be "about:blank".
+   *
+   * @see {@link https://www.rfc-editor.org/rfc/rfc3986|RFC3986}
+   *
+   * @example
+   * https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429
+   */
+  type: string;
+  /**
+   * A short, human-readable summary of the problem type.
+   *
+   * @remarks
+   *
+   * It SHOULD NOT change from occurrence to occurrence of the problem, except
+   * for purposes of localization (e.g., using proactive content negotiation;
+   *
+   * @see {@link https://www.rfc-editor.org/rfc/rfc7231#section-3.4|RFC7231, Section 3.4}.
+   *
+   * @example
+   * Too many requests
+   */
+  title: string;
+  /**
+   * The HTTP status code () generated by the origin server for this occurrence
+   * of the problem.
+   *
+   * @see {@link https://www.rfc-editor.org/rfc/rfc7231#section-6|RFC7231, Section 6}
+   *
+   * @example
+   * 429
+   */
+  status: HttpStatusCode;
+  /**
+   * A human-readable explanation specific to this occurrence of the problem.
+   *
+   * @example
+   * Rate limit exceeded, try again later
+   */
+  detail?: string;
+  /**
+   * A URI reference that identifies the specific occurrence of the problem.
+   * It may or may not yield further information if dereferenced.
+   *
+   * @example
+   * josh-twist::test::main::prod::4edc99c/pizza/size/large/type/pepperoni
+   */
+  instance?: string;
+  /**
+   * Identifiers useful to zuplo and the customer to locate more information in
+   * logs. To reduce the number of properties these strings are concated
+   *
+   * @example
+   * requestId:6384105d-1d34-4a7f-8ad7-5c428e97ab49/ray:lcielfnuuclvh/buildId:293908c3-e359-4037-874f-d9c71d4a7263
+   */
+  trace?: Record<string, string>;
+  /**
+   * Problem type definitions MAY extend the problem details object with
+   * additional members.
+   */
+  [extensionMembers: string]: any;
+}
+
+/**
+ * @public
+ */
+declare interface ProblemResponseDetails {
+  problem: ProblemDetails;
+  /**
+   * statusText used in the response to accompany the
+   */
+  statusText?: string;
+  /**
+   * Additional headers to be sent with the standard response. Used for things
+   * like rate-limit retry-after headers (to meet other standards)
+   */
+  additionalHeaders?: HeadersInit;
+}
+
+/**
+ * @public
+ */
+declare interface ProblemResponseFormat {
+  (
+    problemDetails: ProblemResponseDetails,
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<Response> | Response;
+}
+
+/**
+ * Generic type parameters for a request.
+ * Extends RequestInitGeneric and adds query parameter typing.
+ * @public
+ */
+declare interface RequestGeneric extends RequestInitGeneric {
+  Query?: RequestQueryDefault;
+}
+
+/**
+ * Generic type parameters for request initialization.
+ * Used to strongly type the user data and path parameters.
+ * @public
+ */
+declare interface RequestInitGeneric {
+  UserData?: UserDataDefault;
+  Params?: RequestParamsDefault;
+}
+
+declare type RequestParamsDefault = Record<string, string>;
+
+/* Excluded from this release type: RequestProcessor */
+
+declare type RequestQueryDefault = Record<string, string>;
+
+/**
+ * Represents an authenticated user on the request.
+ * Set by authentication policies like API key, JWT, or OAuth.
+ *
+ * @public
+ * @example
+ * ```typescript
+ * // Access user info in a handler
+ * export function myHandler(request: ZuploRequest, context: ZuploContext) {
+ *   if (!request.user) {
+ *     return new Response("Unauthorized", { status: 401 });
+ *   }
+ *
+ *   const userId = request.user.sub;
+ *   const customData = request.user.data as { role: string; tenantId: string };
+ *
+ *   context.log.info(`Request from user ${userId} with role ${customData.role}`);
+ * }
+ * ```
+ */
+declare interface RequestUser<TUserData> {
+  sub: string;
+  data: TUserData;
+}
+
+declare type ResolveRequestParams<
+  TParams extends RequestParamsDefault | undefined,
+> = TParams extends RequestParamsDefault ? TParams : RequestParamsDefault;
+
+declare type ResolveRequestQuery<
+  TQuery extends RequestQueryDefault | undefined,
+> = TQuery extends RequestQueryDefault ? TQuery : RequestQueryDefault;
+
+declare type ResolveUserData<TUserData extends UserDataDefault | undefined> =
+  TUserData extends UserDataDefault ? TUserData : UserDataDefault;
+
+/**
+ * Definition of responses for a route
+ * @public
+ */
+declare type ResponsesDefinition = Record<
+  HttpStatusCode | HttpStatusCodeRangeDefinition,
+  Modify<
+    Omit<OpenAPIV3_1.ResponseObject, "links">,
+    {
+      headers?: {
+        [header: string]: ParameterBaseObject;
+      };
+    }
+  >
+>;
+
+/**
+ * @public
+ */
+declare interface RouteConfiguration extends Omit<
+  BuildRouteConfiguration,
+  "raw"
+> {
+  /**
+   * @deprecated Please switch to "raw().operationId"
+   */
+  operationId?: string;
+  /**
+   * @deprecated Please switch to "raw().summary"
+   */
+  summary?: string;
+  /**
+   * @deprecated Please switch to "raw().tags"
+   */
+  tags?: string[];
+  /**
+   * @deprecated Please switch to "raw().parameters"
+   */
+  parameters?: ParameterDefinition[];
+  /**
+   * @deprecated Please switch to "raw().responses"
+   */
+  responses?: ResponsesDefinition;
+  /**
+   * Gets the raw route configuration object
+   */
+  raw<T = any>(): T;
+}
+
+/**
+ * @public
+ */
+declare interface RouteData {
+  /**
+   * @deprecated This property is not used and will be removed in future versions
+   */
+  info?: OpenAPIV3_1.InfoObject;
+  routes: RouteConfiguration[];
+  policies: PolicyConfiguration[];
+  corsPolicies: CorsPolicyConfiguration[];
+}
+
+/**
+ * @beta
+ */
+declare interface RouteHandler<T = unknown> {
+  (request: ZuploRequest, context: ZuploContext): Promise<T>;
+}
+
+/* Excluded from this release type: Router */
+
+/**
+ * Zuplo global runtime customization
+ * @beta
+ */
+declare interface RuntimeExtensions {
+  /**
+   * Custom response formatter
+   */
+  problemResponseFormat?: ProblemResponseFormat;
+  /**
+   * Register runtime plugins
+   */
+  addPlugin: (plugin: RuntimePlugin) => void;
+  /**
+   * Set a custom not found handler
+   */
+  notFoundHandler?: (
+    request: ZuploRequest,
+    context: ZuploContext,
+    notFoundOptions: NotFoundOptions
+  ) => Promise<Response>;
+  addRequestHook(hook: OnRequestHook): void;
+  addResponseSendingHook(hook: OnResponseSendingHook): void;
+  addResponseSendingFinalHook(hook: OnResponseSendingFinalHook): void;
+  /**
+   * Add a hook that runs before route matching occurs
+   * @param hook - The pre-routing hook function
+   */
+  addPreRoutingHook(hook: PreRoutingHook): void;
+}
+
+/**
+ * @public
+ */
+declare abstract class RuntimePlugin {}
+
+/* Excluded from this release type: RuntimeSettings */
+
+/**
+ * Plugins for registering system capabilities
+ * @public
+ */
+declare abstract class SystemRuntimePlugin extends RuntimePlugin {
+  /* Excluded from this release type: initialize */
+  /* Excluded from this release type: registerRoutes */
+}
+
+declare interface UrlConfig {
+  defaultUrl: string;
+  urls: string[];
+}
+
+declare type UserDataDefault = any;
+
+/**
+ * @public
+ */
+declare interface WaitUntilFunc {
+  (promise: Promise<any>): void;
+}
+
+declare interface ZuploAnalyticsContext {
+  addAnalyticsEvent(
+    value: number,
+    eventType: EventType,
+    metadata: JsonObject,
+    unit?: string
+  ): void;
+  flushAnalyticsEvents(): ZuploAnalyticsEvent[];
+  getAnalyticsEvents(): ZuploAnalyticsEvent[];
+}
+
+declare interface ZuploAnalyticsEvent<T extends JsonObject = JsonObject> {
+  eventId: string;
+  requestId: string;
+  timestamp: Date;
+  accountName: string;
+  projectName: string;
+  deploymentName: string;
+  eventType: EventType;
+  metadata: T;
+  unit?: string;
+  value: number;
+}
+
+/**
+ * The ZuploContext provides information about the current request and helper methods.
+ * @public
+ */
+declare interface ZuploContext extends EventTarget {
+  /**
+   * The unique identifier of this context
+   */
+  readonly contextId: Readonly<string>;
+  /**
+   * The unique identifier of the incoming request
+   */
+  readonly requestId: Readonly<string>;
+  /**
+   * Request based logger
+   */
+  readonly log: Readonly<Logger>;
+  /**
+   * The route that is being processed
+   */
+  readonly route: Readonly<RouteConfiguration>;
+  /**
+   * Custom data stored on the ZuploContext
+   */
+  readonly custom: Record<string, any>;
+  readonly incomingRequestProperties: IncomingRequestProperties;
+  /**
+   * The parent context that spawned this context
+   * @beta
+   */
+  readonly parentContext: ZuploContext | undefined;
+  /* Excluded from this release type: analyticsContext */
+  readonly invokeInboundPolicy: (
+    policyName: string,
+    request: ZuploRequest
+  ) => Promise<Response | ZuploRequest>;
+  readonly invokeOutboundPolicy: (
+    policyName: string,
+    response: Response,
+    request: ZuploRequest
+  ) => Promise<Response>;
+  /**
+   * Invokes a route based on a Request without going back out to HTTP.
+   * Can take a relative route path to invoke on the Gateway
+   * Example: "/my/route" will invoke http://localhost/my/route on the Gateway
+   * without having to rebuild the Request's protocol and host.
+   * @beta
+   */
+  readonly invokeRoute: <TOptions extends RequestGeneric = RequestGeneric>(
+    input: string | URL | Request,
+    init?: ZuploRequestInit<TOptions>
+  ) => Promise<Response>;
+  readonly waitUntil: WaitUntilFunc;
+  /**
+   * Fires just before the response is sent. Response can be modified.
+   */
+  readonly addResponseSendingHook: (hook: OnResponseSendingHook) => void;
+  /**
+   * Fires immediately after the response is sent. Response cannot be modified.
+   */
+  readonly addResponseSendingFinalHook: (
+    hook: OnResponseSendingFinalHook
+  ) => void;
+  /**
+   * Appends an event listener for events whose type attribute value is type. The callback argument sets the callback that will be invoked when the event is dispatched.
+   *
+   * The options argument sets listener-specific options. For compatibility this can be a boolean, in which case the method behaves exactly as if the value was specified as options's capture.
+   *
+   * When set to true, options's capture prevents callback from being invoked when the event's eventPhase attribute value is BUBBLING_PHASE. When false (or not present), callback will not be invoked when event's eventPhase attribute value is CAPTURING_PHASE. Either way, callback will be invoked if event's eventPhase attribute value is AT_TARGET.
+   *
+   * When set to true, options's passive indicates that the callback will not cancel the event by invoking preventDefault(). This is used to enable performance optimizations described in § 2.8 Observing event listeners.
+   *
+   * When set to true, options's once indicates that the callback will only be invoked once after which the event listener will be removed.
+   *
+   * If an AbortSignal is passed for options's signal, then the event listener will be removed when signal is aborted.
+   *
+   * The event listener is appended to target's event listener list and is not appended if it has the same type, callback, and capture.
+   * @deprecated This will be removed in the future. Use hooks instead. See {@link https://zuplo.com/docs/programmable-api/runtime-extensions}
+   */
+  addEventListener<Type extends keyof Record<string, Event>>(
+    type: Type,
+    handler: EventListenerOrEventListenerObject,
+    options?: AddEventListenerOptions | boolean
+  ): void;
+  /**
+   * @deprecated This will be removed in the future. See {@link https://zuplo.com/docs/programmable-api/runtime-extensions}
+   */
+  removeEventListener<Type extends keyof Record<string, Event>>(
+    type: Type,
+    handler: EventListenerOrEventListenerObject,
+    options?: AddEventListenerOptions | boolean
+  ): void;
+}
+
+/**
+ * Enhanced Request class that extends the standard Web Request API with
+ * convenient properties for accessing path parameters, query strings, and user data.
+ * This is the request type passed to all handlers and policies in Zuplo.
+ *
+ * @public
+ * @example
+ * ```typescript
+ * import { ZuploRequest, ZuploContext } from "@zuplo/runtime";
+ *
+ * export function myHandler(request: ZuploRequest, context: ZuploContext) {
+ *   // Access query parameters
+ *   const page = request.query.page || "1";
+ *   const limit = request.query.limit || "10";
+ *
+ *   // Access path parameters (e.g., from /users/:userId)
+ *   const userId = request.params.userId;
+ *
+ *   // Access authenticated user
+ *   const user = request.user;
+ *
+ *   // Standard Request properties still available
+ *   const contentType = request.headers.get("content-type");
+ *   const method = request.method;
+ *
+ *   return Response.json({
+ *     userId,
+ *     page,
+ *     limit,
+ *     authenticated: !!user
+ *   });
+ * }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Strongly typed request parameters
+ * interface MyParams {
+ *   userId: string;
+ *   orderId: string;
+ * }
+ *
+ * interface MyQuery {
+ *   include?: string;
+ *   format?: "json" | "xml";
+ * }
+ *
+ * interface MyUserData {
+ *   role: "admin" | "user";
+ *   tenantId: string;
+ * }
+ *
+ * type MyRequest = ZuploRequest<{
+ *   Params: MyParams;
+ *   Query: MyQuery;
+ *   UserData: MyUserData;
+ * }>;
+ *
+ * export function typedHandler(request: MyRequest, context: ZuploContext) {
+ *   // All properties are now strongly typed
+ *   const userId = request.params.userId; // string
+ *   const format = request.query.format; // "json" | "xml" | undefined
+ *   const role = request.user?.data.role; // "admin" | "user" | undefined
+ * }
+ * ```
+ */
+declare class ZuploRequest<
+  TOptions extends RequestGeneric = RequestGeneric,
+> extends Request {
+  #private;
+  constructor(
+    input: string | URL | Request,
+    init?: ZuploRequestInit<TOptions>,
+    originalRequest?: Request
+  );
+  /* Excluded from this release type: originalRequest */
+  /**
+   * A dictionary of query-string values
+   *
+   * @example
+   * The url `https://example.com?foo=bar` would return
+   * the following query object:
+   *
+   * ```
+   * const foo = request.query.foo;
+   * ```
+   *
+   * @readonly
+   */
+  get query(): Readonly<ResolveRequestQuery<TOptions["Query"]>>;
+  /**
+   * If you use tokens in your route’s URL, they are
+   * automatically parsed into properties on the params
+   * property of your request.
+   *
+   * @example
+   * The route `/products/:productId/vendors/:vendorId`
+   * would include two params:
+   *
+   * ```
+   * const productId = request.params.productId;
+   * const vendorId = request.params.vendorId;
+   * ```
+   * @readonly
+   */
+  get params(): Readonly<ResolveRequestParams<TOptions["Params"]>>;
+  /**
+   * An optional object identifying a ‘user’.
+   *
+   * @remarks
+   * If undefined this typically means the request is
+   * anonymous. If present, the user object will have
+   * a sub property that is a unique identifier for
+   * that user. There is also an optional data property
+   * that is of any type that typically contains other
+   * information about the user. When using JWT tokens
+   * you’ll usually find all the claims here.
+   *
+   * @readonly
+   */
+  user?: RequestUser<ResolveUserData<TOptions["UserData"]>>;
+}
+
+/**
+ * Options for creating a new ZuploRequest.
+ * Extends the standard RequestInit with Zuplo-specific properties.
+ * @public
+ */
+declare interface ZuploRequestInit<
+  TOptions extends RequestInitGeneric = RequestInitGeneric,
+> extends RequestInit {
+  params?: ResolveRequestParams<TOptions["Params"]>;
+  user?: ResolveUserData<TOptions["UserData"]>;
+}
+
+export {};