@zuplo/runtime 6.70.49 → 6.70.50

package/out/types/mcp-gateway/index.d.ts

@@ -1144,31 +1144,456 @@ declare const mcpCapabilityFilterOptionsSchema: z.ZodObject<
   z.core.$strict
 >;
 
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Clerk.
+ *
+ * Clerk-friendly wrapper around `McpOAuthInboundPolicy`. Provide Clerk's
+ * Frontend API URL plus the OAuth application client id and secret; the
+ * constructor derives the Clerk issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Clerk OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpClerkOAuthInboundPolicy extends InboundPolicy<McpClerkOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpClerkOAuthInboundPolicyOptions {
+  /**
+   * The Clerk Frontend API URL origin, without a trailing path, query string, or fragment.
+   */
+  frontendApiUrl: string;
+  /**
+   * The Clerk OAuth application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Clerk OAuth application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Amazon Cognito.
+ *
+ * Cognito-friendly wrapper around `McpOAuthInboundPolicy`. Provide an AWS
+ * region, user pool id, user pool domain, client id, and client secret; the
+ * constructor derives the Cognito issuer, JWKS URL, authorize URL, and token
+ * URL.
+ *
+ * @title MCP Amazon Cognito OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpCognitoOAuthInboundPolicy extends InboundPolicy<McpCognitoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpCognitoOAuthInboundPolicyOptions {
+  /**
+   * The AWS region that contains the Amazon Cognito user pool.
+   */
+  awsRegion: string;
+  /**
+   * The Amazon Cognito user pool ID.
+   */
+  userPoolId: string;
+  /**
+   * The hosted UI domain for the user pool, without https://, a trailing slash, or a path.
+   */
+  userPoolDomain: string;
+  /**
+   * The Cognito app client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Cognito app client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Microsoft Entra ID.
+ *
+ * Entra-friendly wrapper around `McpOAuthInboundPolicy`. Provide a tenant UUID,
+ * application client id, and client secret; the constructor derives the Entra
+ * v2 issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Microsoft Entra OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpEntraOAuthInboundPolicy extends InboundPolicy<McpEntraOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpEntraOAuthInboundPolicyOptions {
+  /**
+   * The Microsoft Entra tenant UUID. Multi-tenant aliases like common and organizations are not supported by this policy yet.
+   */
+  tenantId: string;
+  /**
+   * The Microsoft Entra application (client) ID UUID registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Microsoft Entra client secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
 /**
  * Activates the MCP Gateway internal routes (OAuth authorization server,
  * upstream connection management, well-known metadata) on the runtime router.
  * The plugin is a no-op when no MCP-related policy is present.
  *
- * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
- * does not statically reference any MCP gateway code, so unrelated projects
- * pay no bundle cost.
+ * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
+ * does not statically reference any MCP gateway code, so unrelated projects
+ * pay no bundle cost.
+ *
+ * @public
+ * @example
+ * ```ts
+ * import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
+ *
+ * export default async function (runtime: RuntimeExtensions) {
+ *   runtime.addPlugin(new McpGatewayPlugin());
+ * }
+ * ```
+ */
+export declare class McpGatewayPlugin extends SystemRuntimePlugin {
+  registerRoutes(options: {
+    router: Router;
+    runtimeSettings: RuntimeSettings;
+    parsedRouteData?: ParsedRouteData;
+  }): void;
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Google.
+ *
+ * Google-friendly wrapper around `McpOAuthInboundPolicy`. Provide `clientId`
+ * and `clientSecret`; the constructor uses Google's fixed OIDC issuer, JWKS
+ * URL, authorize URL, and token URL, then runs the resulting shape through the
+ * same Zod schema as the generic policy.
+ *
+ * @title MCP Google OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpGoogleOAuthInboundPolicy extends InboundPolicy<McpGoogleOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpGoogleOAuthInboundPolicyOptions {
+  /**
+   * The Google OAuth client_id registered for the gateway's browser login flow. Google uses a fixed OIDC issuer and discovery endpoint.
+   */
+  clientId: string;
+  /**
+   * The Google OAuth client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Keycloak.
+ *
+ * Keycloak-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * Keycloak server root, realm, client id, and client secret; the constructor
+ * derives the realm issuer, JWKS URL, authorize URL, and token URL from
+ * Keycloak's documented OIDC endpoint layout.
+ *
+ * @title MCP Keycloak OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpKeycloakOAuthInboundPolicy extends InboundPolicy<McpKeycloakOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpKeycloakOAuthInboundPolicyOptions {
+  /**
+   * The absolute URL for the Keycloak server root. Do not include /realms/{realm}; set the realm option separately.
+   */
+  keycloakBaseUrl: string;
+  /**
+   * The Keycloak realm name.
+   */
+  realm: string;
+  /**
+   * The Keycloak OIDC client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Keycloak OIDC client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Logto.
+ *
+ * Logto-friendly wrapper around `McpOAuthInboundPolicy`. Provide the Logto
+ * tenant endpoint, client id, and client secret; the constructor derives the
+ * Logto `/oidc` issuer, JWKS URL, authorize URL, and token URL.
  *
+ * @title MCP Logto OAuth
  * @public
- * @example
- * ```ts
- * import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
- *
- * export default async function (runtime: RuntimeExtensions) {
- *   runtime.addPlugin(new McpGatewayPlugin());
- * }
- * ```
+ * @product mcp-gateway
  */
-export declare class McpGatewayPlugin extends SystemRuntimePlugin {
-  registerRoutes(options: {
-    router: Router;
-    runtimeSettings: RuntimeSettings;
-    parsedRouteData?: ParsedRouteData;
-  }): void;
+export declare class McpLogtoOAuthInboundPolicy extends InboundPolicy<McpLogtoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpLogtoOAuthInboundPolicyOptions {
+  /**
+   * Your Logto tenant endpoint or custom domain, without the /oidc path. The OIDC issuer, JWKS URL, authorization URL, and token URL are derived from this.
+   */
+  logtoEndpoint: string;
+  /**
+   * The Logto application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Logto application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
 }
 
 /**
@@ -1324,6 +1749,232 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
   z.core.$strict
 >;
 
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Okta.
+ *
+ * Okta-friendly wrapper around `McpOAuthInboundPolicy`. Provide an Okta org
+ * domain, optional authorization server id, client id, and client secret; the
+ * constructor derives the Okta issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Okta OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOktaOAuthInboundPolicy extends InboundPolicy<McpOktaOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOktaOAuthInboundPolicyOptions {
+  /**
+   * The Okta org domain, without https://, a trailing slash, or a path.
+   */
+  oktaDomain: string;
+  /**
+   * Optional Okta custom authorization server id. Omit this to use the org authorization server.
+   */
+  authorizationServerId?: string;
+  /**
+   * The Okta OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Okta OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to OneLogin.
+ *
+ * OneLogin-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * OneLogin account subdomain, client id, and client secret; the constructor
+ * derives OneLogin's OIDC issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP OneLogin OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOneLoginOAuthInboundPolicy extends InboundPolicy<McpOneLoginOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOneLoginOAuthInboundPolicyOptions {
+  /**
+   * The OneLogin account subdomain, without https://, .onelogin.com, a trailing slash, or a path.
+   */
+  oneLoginSubdomain: string;
+  /**
+   * The OneLogin OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The OneLogin OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to PingOne.
+ *
+ * PingOne-friendly wrapper around `McpOAuthInboundPolicy`. Provide a PingOne
+ * environment ID plus optional region, or a PingOne custom domain, with client
+ * ID and client secret; the constructor derives the PingOne issuer, JWKS URL,
+ * authorize URL, and token URL.
+ *
+ * @title MCP Ping OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpPingOAuthInboundPolicy extends InboundPolicy<McpPingOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpPingOAuthInboundPolicyOptions {
+  /**
+   * The PingOne environment ID. Required unless customDomain is set.
+   */
+  environmentId?: string;
+  /**
+   * The PingOne geography for the environment. Ignored when customDomain is set.
+   */
+  region?:
+    | "north-america"
+    | "canada"
+    | "europe"
+    | "singapore"
+    | "australia"
+    | "asia-pacific";
+  /**
+   * Optional PingOne custom domain, without https://, a trailing slash, or a path. When set, environmentId and region are not used.
+   */
+  customDomain?: string;
+  /**
+   * The PingOne OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The PingOne OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
 export declare function McpProxyHandler(
   request: ZuploRequest,
   context: ZuploContext

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.49",
+  "version": "6.70.50",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {