@zuplo/runtime 6.70.48 → 6.70.50

package/out/types/index.d.ts

@@ -4,6 +4,7 @@ import { CallToolResult } from "@zuplo/mcp/types";
 import { KeyLike } from "jose";
 import { RequestGeneric as RequestGeneric_2 } from "../../request.js";
 import type { ValidateFunction } from "ajv";
+import { z } from "zod/v4";
 
 /**
  * Converts Anthropic Messages API format requests to OpenAI Chat Completions format.
@@ -5641,8 +5642,890 @@ declare type LokiTransportVersion = 1 | 2;
 
 /* Excluded from this release type: LookupResult */
 
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Auth0.
+ *
+ * Auth0-friendly wrapper around `McpOAuthInboundPolicy`. Provide `auth0Domain`
+ * and `clientId`; the constructor derives the OIDC issuer, JWKS URL, and Auth0
+ * authorize/token endpoints automatically and runs the resulting shape through
+ * the same Zod schema as the generic policy.
+ *
+ * Validation runs lazily inside the policy constructor, which the runtime
+ * caches per policy name — so a misconfigured policy fails the first request
+ * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
+ * crashing boot.
+ *
+ * @hidden
+ * @title MCP Auth0 OAuth
+ */
+export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpAuth0OAuthInboundPolicyOptions {
+  /**
+   * Your Auth0 tenant domain. The OIDC issuer, JWKS URL, /authorize URL, and /oauth/token URL are derived from this.
+   */
+  auth0Domain: string;
+  /**
+   * Optional Auth0 API audience. When set, the gateway sends it as the Auth0 authorize?audience= parameter and validates returned provider access tokens against it. Leave unset when Auth0 is only used for browser identity.
+   */
+  audience?: string;
+  /**
+   * The Auth0 client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Auth0 client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Clerk.
+ *
+ * Clerk-friendly wrapper around `McpOAuthInboundPolicy`. Provide Clerk's
+ * Frontend API URL plus the OAuth application client id and secret; the
+ * constructor derives the Clerk issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Clerk OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpClerkOAuthInboundPolicy extends InboundPolicy<McpClerkOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpClerkOAuthInboundPolicyOptions {
+  /**
+   * The Clerk Frontend API URL origin, without a trailing path, query string, or fragment.
+   */
+  frontendApiUrl: string;
+  /**
+   * The Clerk OAuth application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Clerk OAuth application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Amazon Cognito.
+ *
+ * Cognito-friendly wrapper around `McpOAuthInboundPolicy`. Provide an AWS
+ * region, user pool id, user pool domain, client id, and client secret; the
+ * constructor derives the Cognito issuer, JWKS URL, authorize URL, and token
+ * URL.
+ *
+ * @title MCP Amazon Cognito OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpCognitoOAuthInboundPolicy extends InboundPolicy<McpCognitoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpCognitoOAuthInboundPolicyOptions {
+  /**
+   * The AWS region that contains the Amazon Cognito user pool.
+   */
+  awsRegion: string;
+  /**
+   * The Amazon Cognito user pool ID.
+   */
+  userPoolId: string;
+  /**
+   * The hosted UI domain for the user pool, without https://, a trailing slash, or a path.
+   */
+  userPoolDomain: string;
+  /**
+   * The Cognito app client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Cognito app client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Microsoft Entra ID.
+ *
+ * Entra-friendly wrapper around `McpOAuthInboundPolicy`. Provide a tenant UUID,
+ * application client id, and client secret; the constructor derives the Entra
+ * v2 issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Microsoft Entra OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpEntraOAuthInboundPolicy extends InboundPolicy<McpEntraOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpEntraOAuthInboundPolicyOptions {
+  /**
+   * The Microsoft Entra tenant UUID. Multi-tenant aliases like common and organizations are not supported by this policy yet.
+   */
+  tenantId: string;
+  /**
+   * The Microsoft Entra application (client) ID UUID registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Microsoft Entra client secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
 /* Excluded from this release type: McpGatewayOAuthProtectedResourcePlugin */
 
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Google.
+ *
+ * Google-friendly wrapper around `McpOAuthInboundPolicy`. Provide `clientId`
+ * and `clientSecret`; the constructor uses Google's fixed OIDC issuer, JWKS
+ * URL, authorize URL, and token URL, then runs the resulting shape through the
+ * same Zod schema as the generic policy.
+ *
+ * @title MCP Google OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpGoogleOAuthInboundPolicy extends InboundPolicy<McpGoogleOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpGoogleOAuthInboundPolicyOptions {
+  /**
+   * The Google OAuth client_id registered for the gateway's browser login flow. Google uses a fixed OIDC issuer and discovery endpoint.
+   */
+  clientId: string;
+  /**
+   * The Google OAuth client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Keycloak.
+ *
+ * Keycloak-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * Keycloak server root, realm, client id, and client secret; the constructor
+ * derives the realm issuer, JWKS URL, authorize URL, and token URL from
+ * Keycloak's documented OIDC endpoint layout.
+ *
+ * @title MCP Keycloak OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpKeycloakOAuthInboundPolicy extends InboundPolicy<McpKeycloakOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpKeycloakOAuthInboundPolicyOptions {
+  /**
+   * The absolute URL for the Keycloak server root. Do not include /realms/{realm}; set the realm option separately.
+   */
+  keycloakBaseUrl: string;
+  /**
+   * The Keycloak realm name.
+   */
+  realm: string;
+  /**
+   * The Keycloak OIDC client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Keycloak OIDC client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Logto.
+ *
+ * Logto-friendly wrapper around `McpOAuthInboundPolicy`. Provide the Logto
+ * tenant endpoint, client id, and client secret; the constructor derives the
+ * Logto `/oidc` issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Logto OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpLogtoOAuthInboundPolicy extends InboundPolicy<McpLogtoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpLogtoOAuthInboundPolicyOptions {
+  /**
+   * Your Logto tenant endpoint or custom domain, without the /oidc path. The OIDC issuer, JWKS URL, authorization URL, and token URL are derived from this.
+   */
+  logtoEndpoint: string;
+  /**
+   * The Logto application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Logto application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token.
+ *
+ * The gateway hosts its own OAuth authorization server endpoints (DCR,
+ * `/authorize`, `/token`, `/callback`) — registered automatically when this
+ * policy is present in `policies.json`. End-user browser login is delegated
+ * to the OpenID Connect identity provider configured via the `oidc` and
+ * `browserLogin` policy options.
+ *
+ * Validation runs lazily inside the policy constructor, which the runtime
+ * caches per policy name — so a misconfigured policy fails the first request
+ * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
+ * crashing boot.
+ *
+ * @hidden
+ * @title MCP OAuth
+ */
+export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthRuntimeConfig> {
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOAuthInboundPolicyOptions {
+  /**
+   * OpenID Connect identity provider that authenticates end-users before the gateway issues its own OAuth access token.
+   */
+  oidc: {
+    /**
+     * The OIDC issuer URL of the identity provider.
+     */
+    issuer: string;
+    /**
+     * The JWKS endpoint used to verify ID tokens issued by the identity provider.
+     */
+    jwksUrl: string;
+    /**
+     * Optional IdP audience value. Leave unset when browser login ID tokens use the OIDC client_id as their audience.
+     */
+    audience?: string;
+  };
+  /**
+   * Browser-side OAuth/OIDC settings used when the gateway redirects the user to the identity provider for login.
+   */
+  browserLogin: {
+    /**
+     * The IdP /authorize endpoint to redirect the user to. For local development on loopback, use http://127.0.0.1:9000/oauth/dev-login.
+     */
+    url: string;
+    /**
+     * The IdP token endpoint used for the federated authorization code exchange. Required for federated_oidc browser login.
+     */
+    tokenUrl?: string;
+    /**
+     * The OIDC client_id registered with the identity provider for the gateway's browser login flow.
+     */
+    clientId?: string;
+    /**
+     * The OIDC client_secret. Required for federated browser login. Use $env(...) to source from a secret environment variable.
+     */
+    clientSecret?: string;
+    /**
+     * The OIDC scopes requested during browser login.
+     */
+    scope?: string;
+    /**
+     * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
+     */
+    audience?: string;
+    /**
+     * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
+     */
+    remoteTimeoutMs?: number;
+    /**
+     * Lifetime of an in-flight browser-login state record.
+     */
+    stateTtlSeconds?: number;
+    /**
+     * Lifetime of the gateway browser-login session cookie issued after a successful login.
+     */
+    sessionTtlSeconds?: number;
+  };
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+}
+
+declare type McpOAuthRuntimeConfig = z.infer<
+  typeof mcpOAuthRuntimeConfigSchema
+>;
+
+declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
+  {
+    oidc: z.ZodObject<
+      {
+        issuer: z.ZodURL;
+        jwksUrl: z.ZodURL;
+        audience: z.ZodOptional<z.ZodString>;
+      },
+      z.core.$strip
+    >;
+    browserLogin: z.ZodObject<
+      {
+        url: z.ZodURL;
+        tokenUrl: z.ZodOptional<z.ZodURL>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodDefault<z.ZodString>;
+        audience: z.ZodOptional<z.ZodString>;
+        remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+      },
+      z.core.$strict
+    >;
+    gateway: z.ZodDefault<
+      z.ZodOptional<
+        z.ZodDefault<
+          z.ZodObject<
+            {
+              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
+            },
+            z.core.$strict
+          >
+        >
+      >
+    >;
+  },
+  z.core.$strict
+>;
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Okta.
+ *
+ * Okta-friendly wrapper around `McpOAuthInboundPolicy`. Provide an Okta org
+ * domain, optional authorization server id, client id, and client secret; the
+ * constructor derives the Okta issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Okta OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOktaOAuthInboundPolicy extends InboundPolicy<McpOktaOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOktaOAuthInboundPolicyOptions {
+  /**
+   * The Okta org domain, without https://, a trailing slash, or a path.
+   */
+  oktaDomain: string;
+  /**
+   * Optional Okta custom authorization server id. Omit this to use the org authorization server.
+   */
+  authorizationServerId?: string;
+  /**
+   * The Okta OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Okta OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to OneLogin.
+ *
+ * OneLogin-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * OneLogin account subdomain, client id, and client secret; the constructor
+ * derives OneLogin's OIDC issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP OneLogin OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOneLoginOAuthInboundPolicy extends InboundPolicy<McpOneLoginOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOneLoginOAuthInboundPolicyOptions {
+  /**
+   * The OneLogin account subdomain, without https://, .onelogin.com, a trailing slash, or a path.
+   */
+  oneLoginSubdomain: string;
+  /**
+   * The OneLogin OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The OneLogin OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to PingOne.
+ *
+ * PingOne-friendly wrapper around `McpOAuthInboundPolicy`. Provide a PingOne
+ * environment ID plus optional region, or a PingOne custom domain, with client
+ * ID and client secret; the constructor derives the PingOne issuer, JWKS URL,
+ * authorize URL, and token URL.
+ *
+ * @title MCP Ping OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpPingOAuthInboundPolicy extends InboundPolicy<McpPingOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpPingOAuthInboundPolicyOptions {
+  /**
+   * The PingOne environment ID. Required unless customDomain is set.
+   */
+  environmentId?: string;
+  /**
+   * The PingOne geography for the environment. Ignored when customDomain is set.
+   */
+  region?:
+    | "north-america"
+    | "canada"
+    | "europe"
+    | "singapore"
+    | "australia"
+    | "asia-pacific";
+  /**
+   * Optional PingOne custom domain, without https://, a trailing slash, or a path. When set, environmentId and region are not used.
+   */
+  customDomain?: string;
+  /**
+   * The PingOne OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The PingOne OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
 /**
  * An MCP Server handler for Zuplo
  * Only POST requests are supported for the HTTP streamable MCP transport.
@@ -5657,6 +6540,72 @@ export declare function mcpServerHandler(
   context: ZuploContext
 ): Promise<Response>;
 
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to WorkOS.
+ *
+ * WorkOS-friendly wrapper around `McpOAuthInboundPolicy`. Provide `clientId`
+ * and `clientSecret`; the constructor derives the WorkOS OIDC issuer, JWKS URL,
+ * authorize URL, and token URL automatically and runs the resulting shape
+ * through the same Zod schema as the generic policy.
+ *
+ * @title MCP WorkOS OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpWorkosOAuthInboundPolicy extends InboundPolicy<McpWorkosOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpWorkosOAuthInboundPolicyOptions {
+  /**
+   * The WorkOS client_id registered for the gateway's browser login flow. The OIDC issuer and JWKS URL are derived from this client ID.
+   */
+  clientId: string;
+  /**
+   * The WorkOS client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
 declare interface MemoryCacheOptions {
   maxSize: number;
 }