@zuplo/runtime 6.70.49 → 6.70.51

package/out/types/mcp-gateway/index.d.ts

@@ -956,8 +956,9 @@ declare interface Logger extends BaseLogger {
  * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
  * crashing boot.
  *
- * @hidden
+ * @public
  * @title MCP Auth0 OAuth
+ * @product mcp-gateway
  */
 export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
   #private;
@@ -1028,8 +1029,9 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
  * with a customer-facing `ConfigurationError` instead of failing at module
  * load.
  *
- * @hidden
+ * @public
  * @title MCP Capability Filter
+ * @product mcp-gateway
  */
 export declare class McpCapabilityFilterInboundPolicy extends InboundPolicy<ValidatedOptions> {
   #private;
@@ -1145,50 +1147,19 @@ declare const mcpCapabilityFilterOptionsSchema: z.ZodObject<
 >;
 
 /**
- * Activates the MCP Gateway internal routes (OAuth authorization server,
- * upstream connection management, well-known metadata) on the runtime router.
- * The plugin is a no-op when no MCP-related policy is present.
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Clerk.
  *
- * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
- * does not statically reference any MCP gateway code, so unrelated projects
- * pay no bundle cost.
+ * Clerk-friendly wrapper around `McpOAuthInboundPolicy`. Provide Clerk's
+ * Frontend API URL plus the OAuth application client id and secret; the
+ * constructor derives the Clerk issuer, JWKS URL, authorize URL, and token URL.
  *
+ * @title MCP Clerk OAuth
  * @public
- * @example
- * ```ts
- * import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
- *
- * export default async function (runtime: RuntimeExtensions) {
- *   runtime.addPlugin(new McpGatewayPlugin());
- * }
- * ```
- */
-export declare class McpGatewayPlugin extends SystemRuntimePlugin {
-  registerRoutes(options: {
-    router: Router;
-    runtimeSettings: RuntimeSettings;
-    parsedRouteData?: ParsedRouteData;
-  }): void;
-}
-
-/**
- * Authenticate MCP gateway requests using a gateway-issued OAuth access token.
- *
- * The gateway hosts its own OAuth authorization server endpoints (DCR,
- * `/authorize`, `/token`, `/callback`) — registered automatically when this
- * policy is present in `policies.json`. End-user browser login is delegated
- * to the OpenID Connect identity provider configured via the `oidc` and
- * `browserLogin` policy options.
- *
- * Validation runs lazily inside the policy constructor, which the runtime
- * caches per policy name — so a misconfigured policy fails the first request
- * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
- * crashing boot.
- *
- * @hidden
- * @title MCP OAuth
+ * @product mcp-gateway
  */
-export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthRuntimeConfig> {
+export declare class McpClerkOAuthInboundPolicy extends InboundPolicy<McpClerkOAuthInboundPolicyOptions> {
+  #private;
   constructor(rawOptions: unknown, policyName: string);
   handler(
     request: ZuploRequest,
@@ -1200,65 +1171,170 @@ export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthRuntime
  * The options for this policy.
  * @public
  */
-export declare interface McpOAuthInboundPolicyOptions {
+export declare interface McpClerkOAuthInboundPolicyOptions {
   /**
-   * OpenID Connect identity provider that authenticates end-users before the gateway issues its own OAuth access token.
+   * The Clerk Frontend API URL origin, without a trailing path, query string, or fragment.
    */
-  oidc: {
+  frontendApiUrl: string;
+  /**
+   * The Clerk OAuth application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Clerk OAuth application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
     /**
-     * The OIDC issuer URL of the identity provider.
+     * Lifetime of access tokens issued by /oauth/token.
      */
-    issuer: string;
+    accessTokenTtlSeconds?: number;
     /**
-     * The JWKS endpoint used to verify ID tokens issued by the identity provider.
+     * Lifetime of refresh tokens issued by /oauth/token.
      */
-    jwksUrl: string;
+    refreshTokenTtlSeconds?: number;
     /**
-     * Optional IdP audience value. Leave unset when browser login ID tokens use the OIDC client_id as their audience.
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
      */
-    audience?: string;
+    cimdEnabled?: boolean;
   };
   /**
-   * Browser-side OAuth/OIDC settings used when the gateway redirects the user to the identity provider for login.
+   * Optional overrides for the derived browser-login settings.
    */
-  browserLogin: {
-    /**
-     * The IdP /authorize endpoint to redirect the user to. For local development on loopback, use http://127.0.0.1:9000/oauth/dev-login.
-     */
-    url: string;
-    /**
-     * The IdP token endpoint used for the federated authorization code exchange. Required for federated_oidc browser login.
-     */
-    tokenUrl?: string;
-    /**
-     * The OIDC client_id registered with the identity provider for the gateway's browser login flow.
-     */
-    clientId?: string;
-    /**
-     * The OIDC client_secret. Required for federated browser login. Use $env(...) to source from a secret environment variable.
-     */
-    clientSecret?: string;
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Amazon Cognito.
+ *
+ * Cognito-friendly wrapper around `McpOAuthInboundPolicy`. Provide an AWS
+ * region, user pool id, user pool domain, client id, and client secret; the
+ * constructor derives the Cognito issuer, JWKS URL, authorize URL, and token
+ * URL.
+ *
+ * @title MCP Amazon Cognito OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpCognitoOAuthInboundPolicy extends InboundPolicy<McpCognitoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpCognitoOAuthInboundPolicyOptions {
+  /**
+   * The AWS region that contains the Amazon Cognito user pool.
+   */
+  awsRegion: string;
+  /**
+   * The Amazon Cognito user pool ID.
+   */
+  userPoolId: string;
+  /**
+   * The hosted UI domain for the user pool, without https://, a trailing slash, or a path.
+   */
+  userPoolDomain: string;
+  /**
+   * The Cognito app client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Cognito app client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
     /**
-     * The OIDC scopes requested during browser login.
+     * Lifetime of access tokens issued by /oauth/token.
      */
-    scope?: string;
+    accessTokenTtlSeconds?: number;
     /**
-     * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
+     * Lifetime of refresh tokens issued by /oauth/token.
      */
-    audience?: string;
+    refreshTokenTtlSeconds?: number;
     /**
-     * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
      */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
     remoteTimeoutMs?: number;
-    /**
-     * Lifetime of an in-flight browser-login state record.
-     */
     stateTtlSeconds?: number;
-    /**
-     * Lifetime of the gateway browser-login session cookie issued after a successful login.
-     */
     sessionTtlSeconds?: number;
   };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Microsoft Entra ID.
+ *
+ * Entra-friendly wrapper around `McpOAuthInboundPolicy`. Provide a tenant UUID,
+ * application client id, and client secret; the constructor derives the Entra
+ * v2 issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Microsoft Entra OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpEntraOAuthInboundPolicy extends InboundPolicy<McpEntraOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpEntraOAuthInboundPolicyOptions {
+  /**
+   * The Microsoft Entra tenant UUID. Multi-tenant aliases like common and organizations are not supported by this policy yet.
+   */
+  tenantId: string;
+  /**
+   * The Microsoft Entra application (client) ID UUID registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Microsoft Entra client secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
   /**
    * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
    */
@@ -1276,70 +1352,649 @@ export declare interface McpOAuthInboundPolicyOptions {
      */
     cimdEnabled?: boolean;
   };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
 }
 
-declare type McpOAuthRuntimeConfig = z.infer<
-  typeof mcpOAuthRuntimeConfigSchema
->;
-
-declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
-  {
-    oidc: z.ZodObject<
-      {
-        issuer: z.ZodURL;
-        jwksUrl: z.ZodURL;
-        audience: z.ZodOptional<z.ZodString>;
-      },
-      z.core.$strip
-    >;
-    browserLogin: z.ZodObject<
-      {
-        url: z.ZodURL;
-        tokenUrl: z.ZodOptional<z.ZodURL>;
-        clientId: z.ZodOptional<z.ZodString>;
-        clientSecret: z.ZodOptional<z.ZodString>;
-        scope: z.ZodDefault<z.ZodString>;
-        audience: z.ZodOptional<z.ZodString>;
-        remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-        stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-        sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-      },
-      z.core.$strict
-    >;
-    gateway: z.ZodDefault<
-      z.ZodOptional<
-        z.ZodDefault<
-          z.ZodObject<
-            {
-              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
-            },
-            z.core.$strict
-          >
-        >
-      >
-    >;
-  },
-  z.core.$strict
->;
-
-export declare function McpProxyHandler(
-  request: ZuploRequest,
-  context: ZuploContext
-): Promise<Response>;
-
 /**
- * Resolve a gateway-managed upstream MCP credential and apply it to the
- * request before the normal Zuplo route handler forwards the request.
+ * Activates the MCP Gateway internal routes (OAuth authorization server,
+ * upstream connection management, well-known metadata) on the runtime router.
+ * The plugin is a no-op when no MCP-related policy is present.
+ *
+ * Importing from `@zuplo/runtime/mcp-gateway` is the opt-in: the runtime core
+ * does not statically reference any MCP gateway code, so unrelated projects
+ * pay no bundle cost.
+ *
+ * @beta
+ * @example
+ * ```ts
+ * import { McpGatewayPlugin } from "@zuplo/runtime/mcp-gateway";
+ *
+ * export default async function (runtime: RuntimeExtensions) {
+ *   runtime.addPlugin(new McpGatewayPlugin());
+ * }
+ * ```
+ */
+export declare class McpGatewayPlugin extends SystemRuntimePlugin {
+  registerRoutes(options: {
+    router: Router;
+    runtimeSettings: RuntimeSettings;
+    parsedRouteData?: ParsedRouteData;
+  }): void;
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Google.
+ *
+ * Google-friendly wrapper around `McpOAuthInboundPolicy`. Provide `clientId`
+ * and `clientSecret`; the constructor uses Google's fixed OIDC issuer, JWKS
+ * URL, authorize URL, and token URL, then runs the resulting shape through the
+ * same Zod schema as the generic policy.
+ *
+ * @title MCP Google OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpGoogleOAuthInboundPolicy extends InboundPolicy<McpGoogleOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpGoogleOAuthInboundPolicyOptions {
+  /**
+   * The Google OAuth client_id registered for the gateway's browser login flow. Google uses a fixed OIDC issuer and discovery endpoint.
+   */
+  clientId: string;
+  /**
+   * The Google OAuth client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Keycloak.
+ *
+ * Keycloak-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * Keycloak server root, realm, client id, and client secret; the constructor
+ * derives the realm issuer, JWKS URL, authorize URL, and token URL from
+ * Keycloak's documented OIDC endpoint layout.
+ *
+ * @title MCP Keycloak OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpKeycloakOAuthInboundPolicy extends InboundPolicy<McpKeycloakOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpKeycloakOAuthInboundPolicyOptions {
+  /**
+   * The absolute URL for the Keycloak server root. Do not include /realms/{realm}; set the realm option separately.
+   */
+  keycloakBaseUrl: string;
+  /**
+   * The Keycloak realm name.
+   */
+  realm: string;
+  /**
+   * The Keycloak OIDC client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Keycloak OIDC client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Logto.
+ *
+ * Logto-friendly wrapper around `McpOAuthInboundPolicy`. Provide the Logto
+ * tenant endpoint, client id, and client secret; the constructor derives the
+ * Logto `/oidc` issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Logto OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpLogtoOAuthInboundPolicy extends InboundPolicy<McpLogtoOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpLogtoOAuthInboundPolicyOptions {
+  /**
+   * Your Logto tenant endpoint or custom domain, without the /oidc path. The OIDC issuer, JWKS URL, authorization URL, and token URL are derived from this.
+   */
+  logtoEndpoint: string;
+  /**
+   * The Logto application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Logto application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token.
+ *
+ * The gateway hosts its own OAuth authorization server endpoints (DCR,
+ * `/authorize`, `/token`, `/callback`) — registered automatically when this
+ * policy is present in `policies.json`. End-user browser login is delegated
+ * to the OpenID Connect identity provider configured via the `oidc` and
+ * `browserLogin` policy options.
+ *
+ * Validation runs lazily inside the policy constructor, which the runtime
+ * caches per policy name — so a misconfigured policy fails the first request
+ * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
+ * crashing boot.
+ *
+ * @public
+ * @title MCP OAuth
+ * @product mcp-gateway
+ */
+export declare class McpOAuthInboundPolicy extends InboundPolicy<McpOAuthRuntimeConfig> {
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOAuthInboundPolicyOptions {
+  /**
+   * OpenID Connect identity provider that authenticates end-users before the gateway issues its own OAuth access token.
+   */
+  oidc: {
+    /**
+     * The OIDC issuer URL of the identity provider.
+     */
+    issuer: string;
+    /**
+     * The JWKS endpoint used to verify ID tokens issued by the identity provider.
+     */
+    jwksUrl: string;
+    /**
+     * Optional IdP audience value. Leave unset when browser login ID tokens use the OIDC client_id as their audience.
+     */
+    audience?: string;
+  };
+  /**
+   * Browser-side OAuth/OIDC settings used when the gateway redirects the user to the identity provider for login.
+   */
+  browserLogin: {
+    /**
+     * The IdP /authorize endpoint to redirect the user to. For local development on loopback, use http://127.0.0.1:9000/oauth/dev-login.
+     */
+    url: string;
+    /**
+     * The IdP token endpoint used for the federated authorization code exchange. Required for federated_oidc browser login.
+     */
+    tokenUrl?: string;
+    /**
+     * The OIDC client_id registered with the identity provider for the gateway's browser login flow.
+     */
+    clientId?: string;
+    /**
+     * The OIDC client_secret. Required for federated browser login. Use $env(...) to source from a secret environment variable.
+     */
+    clientSecret?: string;
+    /**
+     * The OIDC scopes requested during browser login.
+     */
+    scope?: string;
+    /**
+     * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
+     */
+    audience?: string;
+    /**
+     * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
+     */
+    remoteTimeoutMs?: number;
+    /**
+     * Lifetime of an in-flight browser-login state record.
+     */
+    stateTtlSeconds?: number;
+    /**
+     * Lifetime of the gateway browser-login session cookie issued after a successful login.
+     */
+    sessionTtlSeconds?: number;
+  };
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+}
+
+declare type McpOAuthRuntimeConfig = z.infer<
+  typeof mcpOAuthRuntimeConfigSchema
+>;
+
+declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
+  {
+    oidc: z.ZodObject<
+      {
+        issuer: z.ZodURL;
+        jwksUrl: z.ZodURL;
+        audience: z.ZodOptional<z.ZodString>;
+      },
+      z.core.$strip
+    >;
+    browserLogin: z.ZodObject<
+      {
+        url: z.ZodURL;
+        tokenUrl: z.ZodOptional<z.ZodURL>;
+        clientId: z.ZodOptional<z.ZodString>;
+        clientSecret: z.ZodOptional<z.ZodString>;
+        scope: z.ZodDefault<z.ZodString>;
+        audience: z.ZodOptional<z.ZodString>;
+        remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+        sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+      },
+      z.core.$strict
+    >;
+    gateway: z.ZodDefault<
+      z.ZodOptional<
+        z.ZodDefault<
+          z.ZodObject<
+            {
+              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
+            },
+            z.core.$strict
+          >
+        >
+      >
+    >;
+  },
+  z.core.$strict
+>;
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to Okta.
+ *
+ * Okta-friendly wrapper around `McpOAuthInboundPolicy`. Provide an Okta org
+ * domain, optional authorization server id, client id, and client secret; the
+ * constructor derives the Okta issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP Okta OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOktaOAuthInboundPolicy extends InboundPolicy<McpOktaOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOktaOAuthInboundPolicyOptions {
+  /**
+   * The Okta org domain, without https://, a trailing slash, or a path.
+   */
+  oktaDomain: string;
+  /**
+   * Optional Okta custom authorization server id. Omit this to use the org authorization server.
+   */
+  authorizationServerId?: string;
+  /**
+   * The Okta OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The Okta OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to OneLogin.
+ *
+ * OneLogin-friendly wrapper around `McpOAuthInboundPolicy`. Provide the
+ * OneLogin account subdomain, client id, and client secret; the constructor
+ * derives OneLogin's OIDC issuer, JWKS URL, authorize URL, and token URL.
+ *
+ * @title MCP OneLogin OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpOneLoginOAuthInboundPolicy extends InboundPolicy<McpOneLoginOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpOneLoginOAuthInboundPolicyOptions {
+  /**
+   * The OneLogin account subdomain, without https://, .onelogin.com, a trailing slash, or a path.
+   */
+  oneLoginSubdomain: string;
+  /**
+   * The OneLogin OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The OneLogin OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+/**
+ * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
+ * with browser login delegated to PingOne.
+ *
+ * PingOne-friendly wrapper around `McpOAuthInboundPolicy`. Provide a PingOne
+ * environment ID plus optional region, or a PingOne custom domain, with client
+ * ID and client secret; the constructor derives the PingOne issuer, JWKS URL,
+ * authorize URL, and token URL.
+ *
+ * @title MCP Ping OAuth
+ * @public
+ * @product mcp-gateway
+ */
+export declare class McpPingOAuthInboundPolicy extends InboundPolicy<McpPingOAuthInboundPolicyOptions> {
+  #private;
+  constructor(rawOptions: unknown, policyName: string);
+  handler(
+    request: ZuploRequest,
+    context: ZuploContext
+  ): Promise<ZuploRequest | Response>;
+}
+
+/**
+ * The options for this policy.
+ * @public
+ */
+export declare interface McpPingOAuthInboundPolicyOptions {
+  /**
+   * The PingOne environment ID. Required unless customDomain is set.
+   */
+  environmentId?: string;
+  /**
+   * The PingOne geography for the environment. Ignored when customDomain is set.
+   */
+  region?:
+    | "north-america"
+    | "canada"
+    | "europe"
+    | "singapore"
+    | "australia"
+    | "asia-pacific";
+  /**
+   * Optional PingOne custom domain, without https://, a trailing slash, or a path. When set, environmentId and region are not used.
+   */
+  customDomain?: string;
+  /**
+   * The PingOne OIDC application client_id registered for the gateway's browser login flow.
+   */
+  clientId: string;
+  /**
+   * The PingOne OIDC application client_secret. Use $env(...) to source from a secret environment variable.
+   */
+  clientSecret: string;
+  /**
+   * OIDC scopes requested during browser login.
+   */
+  scope?: string;
+  /**
+   * Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.
+   */
+  gateway?: {
+    /**
+     * Lifetime of access tokens issued by /oauth/token.
+     */
+    accessTokenTtlSeconds?: number;
+    /**
+     * Lifetime of refresh tokens issued by /oauth/token.
+     */
+    refreshTokenTtlSeconds?: number;
+    /**
+     * Whether to advertise client_id_metadata_document_supported in AS metadata.
+     */
+    cimdEnabled?: boolean;
+  };
+  /**
+   * Optional overrides for the derived browser-login settings.
+   */
+  browserLoginOverrides?: {
+    remoteTimeoutMs?: number;
+    stateTtlSeconds?: number;
+    sessionTtlSeconds?: number;
+  };
+}
+
+export declare function McpProxyHandler(
+  request: ZuploRequest,
+  context: ZuploContext
+): Promise<Response>;
+
+/**
+ * Resolve a gateway-managed upstream MCP credential and apply it to the
+ * request before the normal Zuplo route handler forwards the request.
  *
  * Validation runs lazily inside the policy constructor, which the runtime
  * caches per policy name — so a misconfigured policy fails the first request
  * with a `ConfigurationError` (surfaced in the 500 problem body) rather than
  * crashing boot.
  *
- * @hidden
+ * @public
  * @title MCP Token Exchange
+ * @product mcp-gateway
  */
 export declare class McpTokenExchangeInboundPolicy extends InboundPolicy<UpstreamTokenExchangePolicyOptions> {
   constructor(rawOptions: unknown, policyName: string);