@zuplo/runtime 6.70.33 → 6.70.35

package/out/types/index.d.ts

@@ -6072,6 +6072,13 @@ export declare interface MonetizationSubscription {
    * Defaults to 3 days.
    */
   maxPaymentOverdueDays: number;
+  /**
+   * If true, end-user API requests for this subscription have been
+   * administratively blocked by the Zuplo customer. The policy returns 403
+   * regardless of payment / entitlement status. Toggled via the
+   * block-access / unblock-access endpoints.
+   */
+  accessBlocked?: boolean;
   createdAt: string;
   updatedAt: string;
 }

package/out/types/mcp-gateway/index.d.ts

@@ -1,3 +1,5 @@
+import { z } from "zod/v4";
+
 declare interface ApiRuntimeConfig {
   urls: UrlConfig | undefined;
 }
@@ -1054,8 +1056,7 @@ export declare class McpGatewayPlugin extends SystemRuntimePlugin {
  * @hidden
  * @title MCP OAuth
  */
-export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthInboundPolicyOptions> {
-  #private;
+export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthRuntimeConfig> {
   constructor(rawOptions: unknown, policyName: string);
   handler(
     request: ZuploRequest,
@@ -1145,11 +1146,60 @@ export declare interface McpOAuthInboundPolicyOptions {
   };
 }
 
+declare type McpOAuthRuntimeConfig = z.infer<
+  typeof mcpOAuthRuntimeConfigSchema
+>;
+
+declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
+  {
+    oidc: z.ZodObject<
+      {
+        issuer: z.ZodURL;
+        jwksUrl: z.ZodURL;
+        audience: z.ZodOptional<z.ZodString>;
+      },
+      z.core.$strip
+    >;
+    browserLogin: z.ZodObject<
+      {
+        url: z.ZodURL;
+        tokenUrl: z.ZodOptional<z.ZodURL>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodDefault<z.ZodString>;
+        audience: z.ZodOptional<z.ZodString>;
+        remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+      },
+      z.core.$strict
+    >;
+    gateway: z.ZodDefault<
+      z.ZodOptional<
+        z.ZodDefault<
+          z.ZodObject<
+            {
+              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
+            },
+            z.core.$strict
+          >
+        >
+      >
+    >;
+  },
+  z.core.$strict
+>;
+
+export declare function McpProxyHandler(
+  request: ZuploRequest,
+  context: ZuploContext
+): Promise<Response>;
+
 /**
- * Bind a route to an upstream MCP server. Resolves the upstream connection
- * config plus per-request credential and appends a
- * `ResolvedUpstreamBindingContext` onto the request context for
- * `McpVirtualServerHandler` to pick up during capability dispatch.
+ * Resolve a gateway-managed upstream MCP credential and apply it to the
+ * request before the normal Zuplo route handler forwards the request.
  *
  * Validation runs lazily inside the policy constructor, which the runtime
  * caches per policy name — so a misconfigured policy fails the first request
@@ -1157,10 +1207,9 @@ export declare interface McpOAuthInboundPolicyOptions {
  * crashing boot.
  *
  * @hidden
- * @title MCP Upstream Connection
+ * @title MCP Token Exchange
  */
-export declare class McpUpstreamConnectionInboundPolicy extends InboundPolicy<McpUpstreamConnectionInboundPolicyOptions> {
-  #private;
+export declare class McpTokenExchangeInboundPolicy extends InboundPolicy<UpstreamTokenExchangePolicyOptions> {
   constructor(rawOptions: unknown, policyName: string);
   handler(
     request: ZuploRequest,
@@ -1172,9 +1221,9 @@ export declare class McpUpstreamConnectionInboundPolicy extends InboundPolicy<Mc
  * The options for this policy.
  * @public
  */
-export declare interface McpUpstreamConnectionInboundPolicyOptions {
+export declare interface McpTokenExchangeInboundPolicyOptions {
   /**
-   * Stable id for the upstream connection. Used to namespace per-user OAuth state and audit events. If omitted, the gateway tries to infer it from the policy name (`mcp-upstream-{id}`).
+   * Stable id for the upstream connection. Used to namespace per-user OAuth state and audit events. If omitted, the gateway tries to infer it from the policy name (`mcp-token-exchange-{id}`).
    */
   id?: string;
   /**
@@ -1186,30 +1235,13 @@ export declare interface McpUpstreamConnectionInboundPolicyOptions {
    */
   summary?: string;
   /**
-   * The base URL of the upstream MCP server.
-   */
-  mcpUrl: string;
-  /**
-   * Optional override for the upstream's OAuth protected-resource metadata URL.
+   * Optional override for the upstream's OAuth protected-resource metadata URL. Defaults from the route handler's rewritePattern.
    */
   protectedResourceMetadataUrl?: string;
   /**
-   * Additional request headers the gateway should inject when calling the upstream. Use `$env(VAR_NAME)` to read the value from an environment variable. Combine with `required: false` to skip the header when the env variable is unset.
+   * Authentication mode. `user-oauth` performs per-user OAuth federation; `shared-oauth` uses a gateway-wide OAuth grant.
    */
-  requestHeaders?: {
-    name: string;
-    value?: string;
-    required?: boolean;
-  }[];
-  /**
-   * Authentication mode. `user-oauth` performs per-user OAuth federation; `shared-oauth` uses a gateway-wide OAuth grant; `static-secret` / `user-secret` / `shared-secret` use a configured secret instead of OAuth.
-   */
-  authMode:
-    | "user-oauth"
-    | "shared-oauth"
-    | "static-secret"
-    | "user-secret"
-    | "shared-secret";
+  authMode: "user-oauth" | "shared-oauth";
   /**
    * OAuth scopes to request from the upstream (for OAuth modes).
    */
@@ -1252,114 +1284,8 @@ export declare interface McpUpstreamConnectionInboundPolicyOptions {
           | "client_secret_post"
           | "none";
       };
-  /**
-   * Static secret configuration (for `static-secret`, `user-secret`, and `shared-secret` auth modes).
-   */
-  secret?: {
-    [k: string]: unknown;
-  };
 }
 
-/**
- * Thin MCP upstream proxy. Pair this with `McpOAuthInboundPolicy` (or
- * `McpAuth0OAuthInboundPolicy`) plus `McpUpstreamConnectionInboundPolicy`:
- * the OAuth policy authenticates the request, the upstream-connection
- * policy resolves a single upstream binding onto the request context, and
- * this handler:
- *
- * 1. Reads the resolved binding off the context.
- * 2. Resolves the per-request upstream credential (handling user OAuth
- *    via the connection's auth provider when configured).
- * 3. Builds a new `Request` targeting the upstream's MCP HTTP endpoint
- *    with the customer's body and headers, plus the resolved credential
- *    translated to `Authorization` / custom request headers.
- * 4. `fetch`-es the upstream, returning successful responses untouched and
- *    mapping upstream error responses to problem+json responses.
- *
- * Use this for the common single-upstream pass-through case (the new
- * recommended shape). For multi-upstream aggregation or curated catalogs,
- * use `McpVirtualServerHandler` instead.
- *
- * Any customer-supplied policy attached between the upstream-connection
- * policy and this handler can observe or transform the rewritten
- * `Request` before it leaves the gateway.
- *
- * @beta
- *
- * @example
- * ```json
- * // routes.oas.json — single-upstream MCP proxy
- * {
- *   "paths": {
- *     "/mcp/linear": {
- *       "post": {
- *         "x-zuplo-route": {
- *           "handler": {
- *             "module": "$import(@zuplo/runtime)",
- *             "export": "mcpUpstreamHandler"
- *           },
- *           "policies": {
- *             "inbound": ["mcp-oauth", "mcp-upstream-linear"]
- *           }
- *         }
- *       }
- *     }
- *   }
- * }
- * ```
- */
-export declare function mcpUpstreamHandler(
-  request: ZuploRequest,
-  context: ZuploContext
-): Promise<Response>;
-
-/**
- * Implements the server-side MCP request lifecycle for the gateway. Pair with
- * `McpOAuthInboundPolicy` (or `McpAuth0OAuthInboundPolicy`) plus an
- * `McpUpstreamConnectionInboundPolicy` instance: the OAuth inbound policy
- * authenticates the request, the upstream-connection policy resolves which
- * upstream MCP server is bound to the route, and this handler accepts the
- * incoming JSON-RPC POST, dispatches `initialize`, `tools/list`, `tools/call`,
- * `prompts/list`, `prompts/get`, `resources/list`, and `resources/read` to the
- * upstream MCP server through the streamable HTTP transport, and returns the
- * JSON-RPC response.
- *
- * GET requests (for the standalone SSE channel of the streamable HTTP
- * transport) are intentionally rejected with JSON-RPC error code `-32000` and
- * `Allow: POST` because this handler runs in stateless mode.
- *
- * @beta
- * @param request - The ZuploRequest. The body must contain a JSON-RPC request.
- * @param context - The ZuploContext.
- * @returns The JSON-RPC response from the upstream MCP server.
- *
- * @example
- * ```json
- * // routes.oas.json - Pair with the MCP OAuth + upstream-connection policies.
- * {
- *   "paths": {
- *     "/mcp/linear": {
- *       "post": {
- *         "x-zuplo-route": {
- *           "handler": {
- *             "module": "$import(@zuplo/runtime)",
- *             "export": "McpVirtualServerHandler"
- *           },
- *           "policies": {
- *             "inbound": ["auth0-managed-oauth", "mcp-upstream-linear"]
- *           }
- *         }
- *       }
- *     }
- *   }
- * }
- * ```
- */
-export declare function McpVirtualServerHandler(
-  request: ZuploRequest,
-  context: ZuploContext
-): Promise<Response>;
-
 declare type Modify<T, R> = Omit<T, keyof R> & R;
 
 declare interface NotFoundOptions {
@@ -2292,6 +2218,140 @@ declare abstract class SystemRuntimePlugin extends RuntimePlugin {
   /* Excluded from this release type: registerRoutes */
 }
 
+declare type UpstreamTokenExchangePolicyOptions = z.infer<
+  typeof upstreamTokenExchangePolicyOptionsSchema
+>;
+
+declare const upstreamTokenExchangePolicyOptionsSchema: z.ZodObject<
+  {
+    id: z.core.$ZodBranded<z.ZodString, "UpstreamServerId">;
+    displayName: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    serverInfo: z.ZodOptional<
+      z.ZodObject<
+        {
+          version: z.ZodString;
+          websiteUrl: z.ZodOptional<z.ZodString>;
+          description: z.ZodOptional<z.ZodString>;
+          icons: z.ZodOptional<
+            z.ZodArray<
+              z.ZodObject<
+                {
+                  src: z.ZodString;
+                  mimeType: z.ZodOptional<z.ZodString>;
+                  sizes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+                  theme: z.ZodOptional<
+                    z.ZodEnum<{
+                      light: "light";
+                      dark: "dark";
+                    }>
+                  >;
+                },
+                z.core.$strip
+              >
+            >
+          >;
+          name: z.ZodString;
+          title: z.ZodOptional<z.ZodString>;
+        },
+        z.core.$strip
+      >
+    >;
+    protectedResourceMetadataUrl: z.ZodOptional<z.ZodURL>;
+    authMode: z.ZodEnum<{
+      "user-oauth": "user-oauth";
+      "shared-oauth": "shared-oauth";
+    }>;
+    authConfig: z.ZodDiscriminatedUnion<
+      [
+        z.ZodObject<
+          {
+            mode: z.ZodLiteral<"shared-oauth">;
+            oauth: z.ZodObject<
+              {
+                scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+                scopeDelimiter: z.ZodDefault<z.ZodString>;
+                clientRegistration: z.ZodDefault<
+                  z.ZodDiscriminatedUnion<
+                    [
+                      z.ZodObject<
+                        {
+                          mode: z.ZodLiteral<"auto">;
+                        },
+                        z.core.$strict
+                      >,
+                      z.ZodObject<
+                        {
+                          mode: z.ZodLiteral<"manual">;
+                          clientId: z.ZodString;
+                          clientSecret: z.ZodOptional<z.ZodString>;
+                          tokenEndpointAuthMethod: z.ZodDefault<
+                            z.ZodEnum<{
+                              none: "none";
+                              client_secret_basic: "client_secret_basic";
+                              client_secret_post: "client_secret_post";
+                            }>
+                          >;
+                        },
+                        z.core.$strict
+                      >,
+                    ]
+                  >
+                >;
+                redirectPath: z.ZodString;
+              },
+              z.core.$strict
+            >;
+          },
+          z.core.$strict
+        >,
+        z.ZodObject<
+          {
+            mode: z.ZodLiteral<"user-oauth">;
+            oauth: z.ZodObject<
+              {
+                scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+                scopeDelimiter: z.ZodDefault<z.ZodString>;
+                clientRegistration: z.ZodDefault<
+                  z.ZodDiscriminatedUnion<
+                    [
+                      z.ZodObject<
+                        {
+                          mode: z.ZodLiteral<"auto">;
+                        },
+                        z.core.$strict
+                      >,
+                      z.ZodObject<
+                        {
+                          mode: z.ZodLiteral<"manual">;
+                          clientId: z.ZodString;
+                          clientSecret: z.ZodOptional<z.ZodString>;
+                          tokenEndpointAuthMethod: z.ZodDefault<
+                            z.ZodEnum<{
+                              none: "none";
+                              client_secret_basic: "client_secret_basic";
+                              client_secret_post: "client_secret_post";
+                            }>
+                          >;
+                        },
+                        z.core.$strict
+                      >,
+                    ]
+                  >
+                >;
+                redirectPath: z.ZodString;
+              },
+              z.core.$strict
+            >;
+          },
+          z.core.$strict
+        >,
+      ]
+    >;
+  },
+  z.core.$strict
+>;
+
 declare interface UrlConfig {
   defaultUrl: string;
   urls: string[];

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.33",
+  "version": "6.70.35",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {