@zuplo/runtime 6.70.40 → 6.70.42

package/out/types/mcp-gateway/index.d.ts

@@ -1,5 +1,13 @@
 import { z } from "zod/v4";
 
+/**
+ * MCP tool annotations to expose downstream.
+ * @public
+ */
+declare interface Annotations {
+  [k: string]: unknown;
+}
+
 declare interface ApiRuntimeConfig {
   urls: UrlConfig | undefined;
 }
@@ -1038,29 +1046,100 @@ export declare class McpCapabilityFilterInboundPolicy extends InboundPolicy<Vali
  */
 export declare interface McpCapabilityFilterInboundPolicyOptions {
   /**
-   * Tool names to expose. Omit to pass through all upstream tools; use an empty array to expose no tools.
+   * Tools to expose. Use a string for name-only filtering, or an object to expose and project tool description, annotations, and _meta. Omit to pass through all upstream tools; use an empty array to expose no tools.
    */
-  tools?: string[];
+  tools?: (string | ToolProjection)[];
   /**
-   * Prompt names to expose. Omit to pass through all upstream prompts; use an empty array to expose no prompts.
+   * Prompts to expose. Use a string for name-only filtering, or an object to expose and project prompt description and _meta. Omit to pass through all upstream prompts; use an empty array to expose no prompts.
    */
-  prompts?: string[];
+  prompts?: (string | PromptProjection)[];
   /**
-   * Resource URIs to expose. Omit to pass through all upstream resources; use an empty array to expose no resources.
+   * Resources to expose. Use a string for URI-only filtering, or an object to expose and project resource name, description, MIME type, and _meta. Omit to pass through all upstream resources; use an empty array to expose no resources.
    */
-  resources?: string[];
+  resources?: (string | ResourceProjection)[];
   /**
-   * Resource template URI templates to expose. Omit to pass through all upstream resource templates; use an empty array to expose no resource templates.
+   * Resource templates to expose. Use a string for URI-template-only filtering, or an object to expose and project template name, description, MIME type, and _meta. Omit to pass through all upstream resource templates; use an empty array to expose no resource templates.
    */
-  resourceTemplates?: string[];
+  resourceTemplates?: (string | ResourceTemplateProjection)[];
 }
 
 declare const mcpCapabilityFilterOptionsSchema: z.ZodObject<
   {
-    tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
-    prompts: z.ZodOptional<z.ZodArray<z.ZodString>>;
-    resources: z.ZodOptional<z.ZodArray<z.ZodString>>;
-    resourceTemplates: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    tools: z.ZodOptional<
+      z.ZodArray<
+        z.ZodUnion<
+          readonly [
+            z.ZodString,
+            z.ZodObject<
+              {
+                name: z.ZodString;
+                description: z.ZodOptional<z.ZodString>;
+                annotations: z.ZodOptional<
+                  z.ZodRecord<z.ZodString, z.ZodUnknown>
+                >;
+                _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+              },
+              z.core.$strict
+            >,
+          ]
+        >
+      >
+    >;
+    prompts: z.ZodOptional<
+      z.ZodArray<
+        z.ZodUnion<
+          readonly [
+            z.ZodString,
+            z.ZodObject<
+              {
+                name: z.ZodString;
+                description: z.ZodOptional<z.ZodString>;
+                _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+              },
+              z.core.$strict
+            >,
+          ]
+        >
+      >
+    >;
+    resources: z.ZodOptional<
+      z.ZodArray<
+        z.ZodUnion<
+          readonly [
+            z.ZodString,
+            z.ZodObject<
+              {
+                uri: z.ZodString;
+                name: z.ZodOptional<z.ZodString>;
+                description: z.ZodOptional<z.ZodString>;
+                mimeType: z.ZodOptional<z.ZodString>;
+                _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+              },
+              z.core.$strict
+            >,
+          ]
+        >
+      >
+    >;
+    resourceTemplates: z.ZodOptional<
+      z.ZodArray<
+        z.ZodUnion<
+          readonly [
+            z.ZodString,
+            z.ZodObject<
+              {
+                uriTemplate: z.ZodString;
+                name: z.ZodOptional<z.ZodString>;
+                description: z.ZodOptional<z.ZodString>;
+                mimeType: z.ZodOptional<z.ZodString>;
+                _meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+              },
+              z.core.$strict
+            >,
+          ]
+        >
+      >
+    >;
   },
   z.core.$strict
 >;
@@ -1339,6 +1418,14 @@ export declare interface McpTokenExchangeInboundPolicyOptions {
       };
 }
 
+/**
+ * Arbitrary MCP _meta fields to expose downstream.
+ * @public
+ */
+declare interface Metadata {
+  [k: string]: unknown;
+}
+
 declare type Modify<T, R> = Omit<T, keyof R> & R;
 
 declare interface NotFoundOptions {
@@ -2092,6 +2179,18 @@ declare interface ProblemResponseFormat {
   ): Promise<Response> | Response;
 }
 
+declare interface PromptProjection {
+  /**
+   * Prompt name to expose.
+   */
+  name: string;
+  /**
+   * Optional downstream-facing prompt description override.
+   */
+  description?: string;
+  _meta?: Metadata;
+}
+
 /**
  * Generic type parameters for a request.
  * Extends RequestInitGeneric and adds query parameter typing.
@@ -2153,6 +2252,46 @@ declare type ResolveRequestQuery<
 declare type ResolveUserData<TUserData extends UserDataDefault | undefined> =
   TUserData extends UserDataDefault ? TUserData : UserDataDefault;
 
+declare interface ResourceProjection {
+  /**
+   * Resource URI to expose.
+   */
+  uri: string;
+  /**
+   * Optional downstream-facing resource name override.
+   */
+  name?: string;
+  /**
+   * Optional downstream-facing resource description override.
+   */
+  description?: string;
+  /**
+   * Optional downstream-facing resource MIME type override.
+   */
+  mimeType?: string;
+  _meta?: Metadata;
+}
+
+declare interface ResourceTemplateProjection {
+  /**
+   * Resource template URI template to expose.
+   */
+  uriTemplate: string;
+  /**
+   * Optional downstream-facing resource template name override.
+   */
+  name?: string;
+  /**
+   * Optional downstream-facing resource template description override.
+   */
+  description?: string;
+  /**
+   * Optional downstream-facing resource template MIME type override.
+   */
+  mimeType?: string;
+  _meta?: Metadata;
+}
+
 /**
  * Definition of responses for a route
  * @public
@@ -2271,6 +2410,19 @@ declare abstract class SystemRuntimePlugin extends RuntimePlugin {
   /* Excluded from this release type: registerRoutes */
 }
 
+declare interface ToolProjection {
+  /**
+   * Tool name to expose.
+   */
+  name: string;
+  /**
+   * Optional downstream-facing tool description override.
+   */
+  description?: string;
+  annotations?: Annotations;
+  _meta?: Metadata;
+}
+
 declare type UpstreamTokenExchangePolicyOptions = z.infer<
   typeof upstreamTokenExchangePolicyOptionsSchema
 >;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.40",
+  "version": "6.70.42",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/out/esm/browser-login-idp-HWMCSYMR.js

@@ -1,26 +0,0 @@
-
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Zuplo, Inc. All rights reserved.
- *
- *  This software and associated documentation files (the "Software") is intended to be used
- *  only by Zuplo customers solely to develop and test applications that will be deployed
- *  to Zuplo hosted services. You and others in your organization may use these files on your
- *  Development Devices solely for the above stated purpose.
- *
- *  Outside of uses stated above, no license is granted for any other purpose including
- *  without limitation the rights to use, copy, modify, merge, publish, distribute,
- *  sublicense, host, and/or sell copies of the Software.
- *
- *  The software may include third party components with separate legal notices or governed by
- *  other agreements, as described in licenses either embedded in or accompanying the Software.
- *
- *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
- *  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
- *  PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE 
- *  FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 
- *  OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
- *  DEALINGS IN THE SOFTWARE.
- *--------------------------------------------------------------------------------------------*/
-    
-import{Ja as v,K as h,L as k,M as l,Ma as u,O as b,P as f,d as p,ja as y,ka as x}from"./chunk-FYGTTP3G.js";import{ea as r,fa as j}from"./chunk-2GVPMQ7M.js";import"./chunk-JRXZBVXH.js";import"./chunk-4SACVMDH.js";import{a}from"./chunk-ZIKV2LUM.js";j();import{createRemoteJWKSet as C,errors as d,jwtVerify as T}from"jose";var I=r.object({id_token:r.string().min(1),token_type:r.string().min(1).optional(),expires_in:r.number().optional(),access_token:r.string().min(1).optional(),refresh_token:r.string().min(1).optional(),scope:r.string().min(1).optional()}),J=r.object({error:r.string().min(1).optional(),error_description:r.string().min(1).optional(),error_uri:r.string().min(1).optional()});function P(e){let n=J.safeParse(e);if(!n.success)return{};let t={};return n.data.error!==void 0&&(t.idpError=n.data.error),n.data.error_description!==void 0&&(t.idpErrorDescription=n.data.error_description.slice(0,256)),n.data.error_uri!==void 0&&(t.idpErrorUri=n.data.error_uri.slice(0,256)),t}a(P,"readIdpErrorFields");function U(e){return e instanceof d.JWTExpired?"expired":e instanceof d.JWTClaimValidationFailed?"claim":e instanceof d.JWSSignatureVerificationFailed?"signature":e instanceof d.JWKSNoMatchingKey?"jwks_no_match":e instanceof d.JWTInvalid?"invalid":e instanceof r.ZodError?"schema":"other"}a(U,"readJwtFailureKind");var M=r.object({sub:y,nonce:r.string().min(1)}).catchall(r.unknown()),m;function L(e){return e instanceof Error&&"cause"in e?e.cause:e}a(L,"readErrorCause");function W(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}a(W,"readRuntimeGatewayCode");function G(){if(!m){let e=p();m=C(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return m}a(G,"readFederatedJwks");async function Z(e){let n=p(),t=u("tokenUrl"),w=u("clientId"),E=u("clientSecret"),F=new URL("/oauth/callback",h(e.requestUrl)).toString(),R=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:F,client_id:w,client_secret:E});try{let{response:i,json:s}=await v(t,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:R},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:n.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!i.ok){let o=P(s);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:l(t),idpStatus:i.status,...o},"Federated browser login token exchange returned non-2xx from the identity provider"),f({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${i.status}${o.idpError?` idp_error=${o.idpError}`:""}${o.idpErrorDescription?` idp_error_description=${o.idpErrorDescription}`:""})`)})}let S=I.parse(s),c;try{({payload:c}=await T(S.id_token,G(),{issuer:n.oidc.issuer,audience:w}))}catch(o){let _={};throw k(_,"error",o),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:U(o),idpHost:l(t),expectedIssuer:n.oidc.issuer,..._},"Federated id_token failed jose verification"),o}if(c.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:l(t),nonceMissingFromIdToken:c.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),f("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let g=M.parse(c);return x({sub:g.sub,data:g},e.requestUrl)}catch(i){let s=b(i)??W(i);throw s!==void 0&&s!=="browser_login_verification_failed"?i:f("browser_login_verification_failed","Federated browser login callback could not be verified.",L(i))}}a(Z,"exchangeFederatedAuthorizationCode");export{Z as exchangeFederatedAuthorizationCode};
-//# sourceMappingURL=browser-login-idp-HWMCSYMR.js.map

package/out/esm/browser-login-idp-HWMCSYMR.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["@zuplo/runtime/mcp-gateway/v2/downstream-oauth/browser-login-idp.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;uPAGAA,IADA,OAAS,sBAAAC,EAAoB,UAAUC,EAAY,aAAAC,MAAiB,OAqBpE,IAAMC,EAA+BC,EAAE,OAAO,CAC5C,SAAUA,EAAE,OAAO,EAAE,IAAI,CAAC,EAC1B,WAAYA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EACvC,WAAYA,EAAE,OAAO,EAAE,SAAS,EAChC,aAAcA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EACzC,cAAeA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAC1C,MAAOA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,CACpC,CAAC,EACKC,EAAoCD,EAAE,OAAO,CACjD,MAAOA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAClC,kBAAmBA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAC9C,UAAWA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,CACxC,CAAC,EAED,SAASE,EAAmBC,EAAmD,CAC7E,IAAMC,EAASH,EAAkC,UAAUE,CAAI,EAC/D,GAAI,CAACC,EAAO,QACV,MAAO,CAAC,EAEV,IAAMC,EAA6C,CAAC,EACpD,OAAID,EAAO,KAAK,QAAU,SACxBC,EAAO,SAAWD,EAAO,KAAK,OAE5BA,EAAO,KAAK,oBAAsB,SACpCC,EAAO,oBAAsBD,EAAO,KAAK,kBAAkB,MAAM,EAAG,GAAG,GAErEA,EAAO,KAAK,YAAc,SAC5BC,EAAO,YAAcD,EAAO,KAAK,UAAU,MAAM,EAAG,GAAG,GAElDC,CACT,CAhBSC,EAAAJ,EAAA,sBAkBT,SAASK,EAAmBC,EAAwB,CAClD,OAAIA,aAAiBC,EAAW,WAAmB,UAC/CD,aAAiBC,EAAW,yBAAiC,QAC7DD,aAAiBC,EAAW,+BACvB,YACLD,aAAiBC,EAAW,kBAA0B,gBACtDD,aAAiBC,EAAW,WAAmB,UAC/CD,aAAiBR,EAAE,SAAiB,SACjC,OACT,CATSM,EAAAC,EAAA,sBAUT,IAAMG,EAA+BV,EAClC,OAAO,CACN,IAAKW,EACL,MAAOX,EAAE,OAAO,EAAE,IAAI,CAAC,CACzB,CAAC,EACA,SAASA,EAAE,QAAQ,CAAC,EAEnBY,EAEJ,SAASC,EAAeL,EAAyB,CAC/C,OAAOA,aAAiB,OAAS,UAAWA,EAAQA,EAAM,MAAQA,CACpE,CAFSF,EAAAO,EAAA,kBAIT,SAASC,EAAuBN,EAAyB,CACvD,GACEA,IAAU,MACV,OAAOA,GAAU,UACjB,qBAAsBA,EAKtB,OAFEA,EACA,kBACuB,WAG7B,CAZSF,EAAAQ,EAAA,0BAcT,SAASC,GAAoB,CAC3B,GAAI,CAACH,EAAqB,CACxB,IAAMI,EAASC,EAAsB,EACrCL,EAAsBM,EAAmB,IAAI,IAAIF,EAAO,KAAK,OAAO,EAAG,CACrE,gBAAiBA,EAAO,aAAa,eACvC,CAAC,CACH,CAEA,OAAOJ,CACT,CATSN,EAAAS,EAAA,qBAWT,eAAsBI,EAAmCC,EAK3B,CAC5B,IAAMJ,EAASC,EAAsB,EAC/BI,EAAWC,EAAyB,UAAU,EAC9CC,EAAWD,EAAyB,UAAU,EAC9CE,EAAeF,EAAyB,cAAc,EACtDG,EAAc,IAAI,IACtB,kBACAC,EAAuBN,EAAM,UAAU,CACzC,EAAE,SAAS,EACLO,EAAO,IAAI,gBAAgB,CAC/B,WAAY,qBACZ,KAAMP,EAAM,KACZ,aAAcK,EACd,UAAWF,EACX,cAAeC,CACjB,CAAC,EAED,GAAI,CACF,GAAM,CAAE,SAAAI,EAAU,KAAAzB,CAAK,EAAI,MAAM0B,EAC/BR,EACA,CACE,OAAQ,OACR,QAAS,CACP,OAAQ,mBACR,eAAgB,mCAClB,EACA,KAAAM,CACF,EACA,CACE,iBAAkB,MAClB,YAAa,oCACb,UAAWX,EAAO,aAAa,gBAC/B,GAAII,EAAM,UAAY,OAAY,CAAC,EAAI,CAAE,QAASA,EAAM,OAAQ,CAClE,CACF,EAEA,GAAI,CAACQ,EAAS,GAAI,CAChB,IAAME,EAAY5B,EAAmBC,CAAI,EACzC,MAAAiB,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,kCACP,KAAM,yBACN,QAASW,EAASV,CAAQ,EAC1B,UAAWO,EAAS,OACpB,GAAGE,CACL,EACA,oFACF,EACME,EAA0B,CAC9B,KAAM,yBACN,cAAe,iDACf,MAAO,IAAI,MACT,qCAAqCJ,EAAS,MAAM,GAClDE,EAAU,SAAW,cAAcA,EAAU,QAAQ,GAAK,EAC5D,GACEA,EAAU,oBACN,0BAA0BA,EAAU,mBAAmB,GACvD,EACN,GACF,CACF,CAAC,CACH,CAEA,IAAMG,EAAUlC,EAA6B,MAAMI,CAAI,EACnD+B,EACJ,GAAI,EACD,CAAE,QAASA,CAAc,EAAI,MAAMC,EAClCF,EAAQ,SACRlB,EAAkB,EAClB,CACE,OAAQC,EAAO,KAAK,OACpB,SAAUO,CACZ,CACF,EACF,OAASa,EAAa,CACpB,IAAMC,EAAuC,CAAC,EAC9C,MAAAC,EAAkBD,EAAc,QAASD,CAAW,EACpDhB,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,yCACP,KAAM,oCACN,YAAab,EAAmB6B,CAAW,EAC3C,QAASL,EAASV,CAAQ,EAC1B,eAAgBL,EAAO,KAAK,OAC5B,GAAGqB,CACL,EACA,6CACF,EACMD,CACR,CAEA,GAAIF,EAAc,QAAUd,EAAM,MAChC,MAAAA,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,2BACP,KAAM,0BACN,QAASW,EAASV,CAAQ,EAC1B,wBAAyBa,EAAc,QAAU,MACnD,EACA,iEACF,EACMF,EACJ,0BACA,uEACF,EAGF,IAAMO,EACJ7B,EAA6B,MAAMwB,CAAa,EAElD,OACEM,EACE,CACE,IAAKD,EAAoB,IACzB,KAAMA,CACR,EACAnB,EAAM,UACR,CAEJ,OAASZ,EAAO,CACd,IAAMiC,EACJC,EAAuBlC,CAAK,GAAKM,EAAuBN,CAAK,EAC/D,MACEiC,IAAgB,QAChBA,IAAgB,oCAEVjC,EAGFwB,EACJ,oCACA,0DACAnB,EAAeL,CAAK,CACtB,CACF,CACF,CA5IsBF,EAAAa,EAAA","names":["init_v4","createRemoteJWKSet","joseErrors","jwtVerify","federatedTokenResponseSchema","external_exports","federatedTokenErrorResponseSchema","readIdpErrorFields","json","parsed","fields","__name","readJwtFailureKind","error","joseErrors","federatedIdTokenClaimsSchema","subjectIdSchema","cachedFederatedJwks","readErrorCause","readRuntimeGatewayCode","readFederatedJwks","config","getGatewayOAuthConfig","createRemoteJWKSet","exchangeFederatedAuthorizationCode","input","tokenUrl","requireBrowserLoginField","clientId","clientSecret","callbackUrl","readGatewayOAuthIssuer","body","response","fetchIdentityProviderJson","idpFields","safeHost","createGatewayRuntimeError","payload","idTokenClaims","jwtVerify","verifyError","verifyFields","addErrorLogFields","parsedIdTokenClaims","parseGatewayPrincipal","problemCode","readGatewayProblemCode"]}