@zuplo/runtime 6.69.11 → 6.70.0

package/out/esm/mocks/index.js

@@ -22,5 +22,5 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{b as l}from"../chunk-NEN7UYI6.js";import{X as n,a as t}from"../chunk-FFHHHNST.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function o(i){e.push(Promise.resolve(i))}return t(o,"waitUntil"),{context:new s({event:{waitUntil:o},route:u.route}),invokeResponse:t(async()=>{await Promise.all(e)},"invokeResponse")}}t(g,"createMockContext");var a={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:t(()=>({}),"raw")},s=class extends EventTarget{static{t(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:o=a,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:t(()=>{},"setLogProperties")},this.custom={},this.route=o,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,o){throw new Error("Not implemented")}invokeOutboundPolicy(e,o,r){throw new Error("Not implemented")}invokeRoute(e,o){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,o,r){let p=t(i=>{try{typeof o=="function"?o(i):o.handleEvent(i)}catch(d){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),d}},"wrapped");super.addEventListener(e,p,r)}};export{s as MockZuploContext,g as createMockContext};
+import{b as l}from"../chunk-5ZAQEULH.js";import{X as n,a as t}from"../chunk-FFHHHNST.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function o(i){e.push(Promise.resolve(i))}return t(o,"waitUntil"),{context:new s({event:{waitUntil:o},route:u.route}),invokeResponse:t(async()=>{await Promise.all(e)},"invokeResponse")}}t(g,"createMockContext");var a={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:t(()=>({}),"raw")},s=class extends EventTarget{static{t(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:o=a,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:t(()=>{},"setLogProperties")},this.custom={},this.route=o,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,o){throw new Error("Not implemented")}invokeOutboundPolicy(e,o,r){throw new Error("Not implemented")}invokeRoute(e,o){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,o,r){let p=t(i=>{try{typeof o=="function"?o(i):o.handleEvent(i)}catch(d){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),d}},"wrapped");super.addEventListener(e,p,r)}};export{s as MockZuploContext,g as createMockContext};
 //# sourceMappingURL=index.js.map

package/out/types/index.d.ts

@@ -474,6 +474,103 @@ export declare interface AkamaiApiSecurityPluginOptions {
   shouldLog?: ShouldLogFunction;
 }
 
+/**
+ * Inspects each incoming request with Akamai's Firewall for AI detect API
+ * and blocks the request if Akamai returns a `deny` rule. Useful in front of
+ * AI-powered APIs to filter prompt injection, jailbreaks, and other unsafe
+ * inputs before they reach the model.
+ *
+ * The body, headers, URL, and query string sent to Akamai are configurable;
+ * by default only the request body is captured. Bodies are read from a clone
+ * so the upstream handler still sees the original.
+ *
+ * @title Akamai Firewall for AI - Inbound
+ * @public
+ * @param request - The ZuploRequest
+ * @param context - The ZuploContext
+ * @param options - The policy options set in policies.json
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Request or a Response
+ */
+export declare const AkamaiFirewallForAiInboundPolicy: InboundPolicyHandler<AkamaiFirewallForAiInboundPolicyOptions>;
+
+/**
+ * The options for the Akamai Firewall for AI inbound policy. Sends the incoming request to Akamai's Firewall for AI detect endpoint and blocks the request if any rule returns a 'deny' action.
+ * @public
+ */
+export declare interface AkamaiFirewallForAiInboundPolicyOptions {
+  /**
+   * Your Akamai Firewall for AI Configuration ID. This is the ID of the configuration in the Akamai Control Center that defines which detection rules to apply.
+   */
+  configurationId: string;
+  /**
+   * Your Akamai Firewall for AI API key, sent as the `Fai-Api-Key` header on each detect call.
+   */
+  "api-key": string;
+  capture?: CaptureSettings;
+  /**
+   * Behavior when Akamai returns a rule with `action: "alert"` (Akamai's Monitor mode). `log` writes a warning and lets the request through, `block` treats the alert like a deny, `none` is silent.
+   */
+  onWarn?: "log" | "block" | "none";
+  /**
+   * If true (the default), the policy throws when the Akamai detect call itself fails (network error, 5xx, malformed response). Set to false to fail open and allow the request through when Akamai is unreachable.
+   */
+  throwOnError?: boolean;
+  /**
+   * Override the Akamai Firewall for AI detect endpoint URL. The literal `{configurationId}` is replaced with the configured ID. Defaults to `https://aisec.akamai.com/fai/v1/fai-configurations/{configurationId}/detect`. Useful for regional Akamai endpoints or for pointing tests at a mock server.
+   */
+  detectUrl?: string;
+}
+
+/**
+ * Inspects each upstream response with Akamai's Firewall for AI detect API
+ * and replaces the response with a `403 Forbidden` if Akamai returns a `deny`
+ * rule. Useful behind AI-powered APIs to filter unsafe completions, sensitive
+ * data exposure, and toxic content before they reach the client.
+ *
+ * The body, headers, URL, and query string sent to Akamai are configurable;
+ * by default only the response body is captured. Bodies are read from a clone
+ * so the client still receives the original.
+ *
+ * @title Akamai Firewall for AI - Outbound
+ * @public
+ * @param response - The outgoing Response from the handler
+ * @param request - The original incoming Request
+ * @param context - The current context of the Request
+ * @param options - The configuration options for the policy
+ * @param policyName - The name of the policy as set in policies.json
+ * @returns A Response
+ */
+export declare const AkamaiFirewallForAiOutboundPolicy: OutboundPolicyHandler<AkamaiFirewallForAiOutboundPolicyOptions>;
+
+/**
+ * The options for the Akamai Firewall for AI outbound policy. Sends the upstream response to Akamai's Firewall for AI detect endpoint and blocks the response if any rule returns a 'deny' action.
+ * @public
+ */
+export declare interface AkamaiFirewallForAiOutboundPolicyOptions {
+  /**
+   * Your Akamai Firewall for AI Configuration ID. This is the ID of the configuration in the Akamai Control Center that defines which detection rules to apply.
+   */
+  configurationId: string;
+  /**
+   * Your Akamai Firewall for AI API key, sent as the `Fai-Api-Key` header on each detect call.
+   */
+  "api-key": string;
+  capture?: CaptureSettings_2;
+  /**
+   * Behavior when Akamai returns a rule with `action: "alert"` (Akamai's Monitor mode). `log` writes a warning and lets the response through, `block` treats the alert like a deny, `none` is silent.
+   */
+  onWarn?: "log" | "block" | "none";
+  /**
+   * If true (the default), the policy throws when the Akamai detect call itself fails (network error, 5xx, malformed response). Set to false to fail open and allow the response through when Akamai is unreachable.
+   */
+  throwOnError?: boolean;
+  /**
+   * Override the Akamai Firewall for AI detect endpoint URL. The literal `{configurationId}` is replaced with the configured ID. Defaults to `https://aisec.akamai.com/fai/v1/fai-configurations/{configurationId}/detect`. Useful for regional Akamai endpoints or for pointing tests at a mock server.
+   */
+  detectUrl?: string;
+}
+
 /**
  * Amberflo is a usage metering and billing service. This policy allows
  * you to send metering calls for each API to their meter ingest endpoint.
@@ -1868,6 +1965,68 @@ export declare interface CachingInboundPolicyOptions {
   statusCodes?: number[];
 }
 
+/**
+ * Controls which parts of the incoming request are sent to Akamai for inspection. Akamai's detect endpoint receives the captured fields concatenated into a single labeled text payload as `llmInput`.
+ * @public
+ */
+declare interface CaptureSettings {
+  /**
+   * Include the request body. Only text-based content types (JSON, XML, form-encoded, text/*) are sent; binary bodies are skipped. The body is read from a clone of the request so the upstream still receives it unchanged.
+   */
+  body?: boolean;
+  /**
+   * Include the request headers. By default `Authorization`, `Proxy-Authorization`, `Cookie`, and `Set-Cookie` are stripped — see the `dangerouslyInclude*` flags to override.
+   */
+  headers?: boolean;
+  /**
+   * Include the request URL (origin and path, query string excluded). Enable `queryString` separately if you also want the query string.
+   */
+  url?: boolean;
+  /**
+   * Include the request query string. Query strings sometimes contain credentials or session tokens — leave this off unless you want Akamai to see them.
+   */
+  queryString?: boolean;
+  /**
+   * If `headers` is true, also include the `Authorization` and `Proxy-Authorization` headers. Off by default because these typically contain bearer tokens.
+   */
+  dangerouslyIncludeAuthorizationHeader?: boolean;
+  /**
+   * If `headers` is true, also include the `Cookie` header. Off by default because cookies often carry session credentials.
+   */
+  dangerouslyIncludeCookieHeader?: boolean;
+}
+
+/**
+ * Controls which parts of the upstream response (and the originating request URL) are sent to Akamai for inspection. Akamai's detect endpoint receives the captured fields concatenated into a single labeled text payload as `llmOutput`.
+ * @public
+ */
+declare interface CaptureSettings_2 {
+  /**
+   * Include the response body. Only text-based content types (JSON, XML, form-encoded, text/*) are sent; binary bodies are skipped. The body is read from a clone of the response so the client still receives it unchanged.
+   */
+  body?: boolean;
+  /**
+   * Include the response headers. By default `Set-Cookie` is stripped — see `dangerouslyIncludeCookieHeader` to override.
+   */
+  headers?: boolean;
+  /**
+   * Include the originating request URL (origin and path, query string excluded). Useful as context for the response.
+   */
+  url?: boolean;
+  /**
+   * Include the originating request's query string. Query strings sometimes contain credentials or session tokens — leave this off unless you want Akamai to see them.
+   */
+  queryString?: boolean;
+  /**
+   * If `headers` is true, also include any `Authorization` or `Proxy-Authorization` headers on the response. Rarely set on responses but stripped by default for safety.
+   */
+  dangerouslyIncludeAuthorizationHeader?: boolean;
+  /**
+   * If `headers` is true, also include the `Set-Cookie` header on the response. Off by default because Set-Cookie typically carries session credentials.
+   */
+  dangerouslyIncludeCookieHeader?: boolean;
+}
+
 declare interface Category {
   Id?: string;
   CategoryId?: string;
@@ -2810,6 +2969,44 @@ declare const EventType: {
   readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
   readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
   readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly MCP_GATEWAY_REQUEST_RECEIVED: "mcp_gateway_request_received";
+  readonly MCP_GATEWAY_REQUEST_COMPLETED: "mcp_gateway_request_completed";
+  readonly MCP_GATEWAY_REQUEST_REJECTED: "mcp_gateway_request_rejected";
+  readonly MCP_GATEWAY_INITIALIZE_NEGOTIATED: "mcp_gateway_initialize_negotiated";
+  readonly MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR: "mcp_gateway_client_unsupported_behavior";
+  readonly MCP_GATEWAY_CATALOG_LISTED: "mcp_gateway_catalog_listed";
+  readonly MCP_GATEWAY_CATALOG_IMPORTED: "mcp_gateway_catalog_imported";
+  readonly MCP_GATEWAY_CATALOG_DRIFT_DETECTED: "mcp_gateway_catalog_drift_detected";
+  readonly MCP_GATEWAY_CAPABILITY_LISTED: "mcp_gateway_capability_listed";
+  readonly MCP_GATEWAY_CAPABILITY_INVOKED: "mcp_gateway_capability_invoked";
+  readonly MCP_GATEWAY_CAPABILITY_COMPLETED: "mcp_gateway_capability_completed";
+  readonly MCP_GATEWAY_CAPABILITY_FAILED: "mcp_gateway_capability_failed";
+  readonly MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED: "mcp_gateway_capability_connect_required";
+  readonly MCP_GATEWAY_AUTH_DOWNSTREAM_TOKEN_VALIDATED: "mcp_gateway_auth_downstream_token_validated";
+  readonly MCP_GATEWAY_AUTH_DOWNSTREAM_TOKEN_REJECTED: "mcp_gateway_auth_downstream_token_rejected";
+  readonly MCP_GATEWAY_OAUTH_CLIENT_REGISTERED: "mcp_gateway_oauth_client_registered";
+  readonly MCP_GATEWAY_OAUTH_AUTHORIZE_STARTED: "mcp_gateway_oauth_authorize_started";
+  readonly MCP_GATEWAY_OAUTH_AUTHORIZE_AWAITING_SETUP: "mcp_gateway_oauth_authorize_awaiting_setup";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_ISSUED: "mcp_gateway_oauth_token_issued";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_REFRESH_ROTATED: "mcp_gateway_oauth_token_refresh_rotated";
+  readonly MCP_GATEWAY_OAUTH_TOKEN_REVOKED: "mcp_gateway_oauth_token_revoked";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_REQUIRED: "mcp_gateway_auth_upstream_connect_required";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED: "mcp_gateway_auth_upstream_connect_started";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED: "mcp_gateway_auth_upstream_callback_received";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED: "mcp_gateway_auth_upstream_token_exchange_succeeded";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED: "mcp_gateway_auth_upstream_token_exchange_failed";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED: "mcp_gateway_auth_upstream_credential_resolved";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING: "mcp_gateway_auth_upstream_credential_missing";
+  readonly MCP_GATEWAY_AUTH_UPSTREAM_RECONSENT_REQUIRED: "mcp_gateway_auth_upstream_reconsent_required";
+  readonly MCP_GATEWAY_POLICY_DECISION: "mcp_gateway_policy_decision";
+  readonly MCP_GATEWAY_GUARDRAIL_DECISION: "mcp_gateway_guardrail_decision";
+  readonly MCP_GATEWAY_RATE_LIMIT_DECISION: "mcp_gateway_rate_limit_decision";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_SENT: "mcp_gateway_upstream_request_sent";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_COMPLETED: "mcp_gateway_upstream_request_completed";
+  readonly MCP_GATEWAY_UPSTREAM_REQUEST_FAILED: "mcp_gateway_upstream_request_failed";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_CREATED: "mcp_gateway_audit_virtual_server_created";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_UPDATED: "mcp_gateway_audit_virtual_server_updated";
+  readonly MCP_GATEWAY_AUDIT_VIRTUAL_SERVER_DELETED: "mcp_gateway_audit_virtual_server_deleted";
 };
 
 declare type EventType = (typeof EventType)[keyof typeof EventType];
@@ -7335,6 +7532,28 @@ export declare interface ParameterDefinition extends ParameterBaseObject {
   in: string;
 }
 
+/**
+ * This is the parsed values of the Cors configuration. All
+ * values in the parsed configuration are in the format that the headers
+ * use them (i.e. everything is converted to a string)
+ */
+declare interface ParsedCorsPolicyConfiguration {
+  name: string;
+  allowCredentials: string | undefined;
+  maxAge: string | undefined;
+  allowedOrigins: string[];
+  allowedMethods?: string;
+  allowedHeaders?: string;
+  exposeHeaders?: string;
+}
+
+/**
+ * @public
+ */
+declare interface ParsedRouteData extends Omit<RouteData, "corsPolicies"> {
+  corsPolicies: ParsedCorsPolicyConfiguration[];
+}
+
 /**
  * The base class for inbound and outbound policies.
  * Provides common functionality for all policy types.