@zuplo/runtime 6.70.53 → 6.70.55

package/out/types/index.d.ts

@@ -250,6 +250,7 @@ export declare interface AIGatewayOpenAIToAnthropicOutboundPolicyOptions {}
  * @title AI Gateway Semantic Cache
  * @product ai-gateway
  * @hidden
+ * @requiresAI
  * @param request - The ZuploRequest
  * @param context - The ZuploContext
  * @param options - The policy options set in policies.json
@@ -277,6 +278,7 @@ export declare interface AIGatewaySemanticCacheInboundPolicyOptions {}
  * @title AI Gateway Semantic Cache
  * @product ai-gateway
  * @hidden
+ * @requiresAI
  * @param response - The response from the upstream service
  * @param request - The original request
  * @param context - The ZuploContext
@@ -350,6 +352,7 @@ export declare function AIGatewayUsageTrackerPolicy(
  * Akamai AI Firewall Inbound Policy
  * @title Akamai AI Firewall
  * @product ai-gateway
+ * @requiresAI
  *
  * This policy integrates with Akamai's AI Firewall service to detect
  * and block malicious AI inputs and outputs. It's self-contained and
@@ -487,6 +490,7 @@ export declare interface AkamaiApiSecurityPluginOptions {
  *
  * @title Akamai Firewall for AI
  * @public
+ * @requiresAI
  * @param request - The ZuploRequest
  * @param context - The ZuploContext
  * @param options - The policy options set in policies.json
@@ -535,6 +539,7 @@ export declare interface AkamaiFirewallForAiInboundPolicyOptions {
  *
  * @title Akamai Firewall for AI
  * @public
+ * @requiresAI
  * @param response - The outgoing Response from the handler
  * @param request - The original incoming Request
  * @param context - The current context of the Request
@@ -6284,18 +6289,28 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
       },
       z.core.$strict
     >;
-    gateway: z.ZodDefault<
-      z.ZodOptional<
-        z.ZodDefault<
-          z.ZodObject<
-            {
-              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
-            },
-            z.core.$strict
-          >
+    gateway: z.ZodPipe<
+      z.ZodDefault<
+        z.ZodObject<
+          {
+            accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+            refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+            cimdEnabled: z.ZodDefault<z.ZodBoolean>;
+          },
+          z.core.$strict
         >
+      >,
+      z.ZodTransform<
+        {
+          accessTokenTtlSeconds: number;
+          refreshTokenTtlSeconds: number;
+          downstreamCimdEnabled: boolean;
+        },
+        {
+          accessTokenTtlSeconds: number;
+          refreshTokenTtlSeconds: number;
+          cimdEnabled: boolean;
+        }
       >
     >;
   },
@@ -6968,6 +6983,10 @@ export declare interface MonetizationInboundPolicyOptions {
    * A list of successful status codes and ranges "200-299, 304" that should trigger a metering call.
    */
   meterOnStatusCodes?: string | number[];
+  /**
+   * A list of entitlement keys that the subscription must have access to (hasAccess=true) for the request to be allowed. If any required entitlement is missing or does not have access, the request will be rejected with a 403 Forbidden.
+   */
+  requiredEntitlements?: string[];
 }
 
 /**
@@ -8532,6 +8551,7 @@ export declare class ProblemResponseFormatter {
  * @product mcp-gateway
  * @public
  * @enterprise
+ * @requiresAI
  * @param request - The ZuploRequest
  * @param context - The ZuploContext
  * @param options - The policy options set in policies.json
@@ -9661,6 +9681,7 @@ export declare interface SecretMaskingOutboundPolicyOptions {
  * @product ai-gateway
  * @beta
  * @enterprise
+ * @requiresAI
  * @param request - The ZuploRequest
  * @param context - The ZuploContext
  * @param options - The policy options set in policies.json

package/out/types/mcp-gateway/index.d.ts

@@ -1734,18 +1734,28 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
       },
       z.core.$strict
     >;
-    gateway: z.ZodDefault<
-      z.ZodOptional<
-        z.ZodDefault<
-          z.ZodObject<
-            {
-              accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
-              cimdEnabled: z.ZodDefault<z.ZodBoolean>;
-            },
-            z.core.$strict
-          >
+    gateway: z.ZodPipe<
+      z.ZodDefault<
+        z.ZodObject<
+          {
+            accessTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+            refreshTokenTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+            cimdEnabled: z.ZodDefault<z.ZodBoolean>;
+          },
+          z.core.$strict
         >
+      >,
+      z.ZodTransform<
+        {
+          accessTokenTtlSeconds: number;
+          refreshTokenTtlSeconds: number;
+          downstreamCimdEnabled: boolean;
+        },
+        {
+          accessTokenTtlSeconds: number;
+          refreshTokenTtlSeconds: number;
+          cimdEnabled: boolean;
+        }
       >
     >;
   },
@@ -2038,22 +2048,7 @@ export declare interface McpTokenExchangeInboundPolicyOptions {
    */
   scopeDelimiter?: string;
   /**
-   * OAuth client id when registering manually (for OAuth modes).
-   */
-  clientId?: string;
-  /**
-   * OAuth client secret (for OAuth modes with manual registration). Use `$env(VAR_NAME)` to source from an environment variable.
-   */
-  clientSecret?: string;
-  /**
-   * Token endpoint authentication method (for OAuth modes with manual registration).
-   */
-  tokenEndpointAuthMethod?:
-    | "client_secret_basic"
-    | "client_secret_post"
-    | "none";
-  /**
-   * OAuth client registration mode. Defaults to `auto` (Dynamic Client Registration).
+   * OAuth client registration mode. Defaults to `auto`, which uses Client ID Metadata Documents when the upstream advertises support and falls back to Dynamic Client Registration otherwise.
    */
   clientRegistration?:
     | {
@@ -3188,91 +3183,44 @@ declare const upstreamTokenExchangePolicyOptionsSchema: z.ZodObject<
       "user-oauth": "user-oauth";
       "shared-oauth": "shared-oauth";
     }>;
-    authConfig: z.ZodDiscriminatedUnion<
-      [
-        z.ZodObject<
-          {
-            mode: z.ZodLiteral<"shared-oauth">;
-            oauth: z.ZodObject<
-              {
-                scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
-                scopeDelimiter: z.ZodDefault<z.ZodString>;
-                clientRegistration: z.ZodDefault<
-                  z.ZodDiscriminatedUnion<
-                    [
-                      z.ZodObject<
-                        {
-                          mode: z.ZodLiteral<"auto">;
-                        },
-                        z.core.$strict
-                      >,
-                      z.ZodObject<
-                        {
-                          mode: z.ZodLiteral<"manual">;
-                          clientId: z.ZodString;
-                          clientSecret: z.ZodOptional<z.ZodString>;
-                          tokenEndpointAuthMethod: z.ZodDefault<
-                            z.ZodEnum<{
-                              none: "none";
-                              client_secret_basic: "client_secret_basic";
-                              client_secret_post: "client_secret_post";
-                            }>
-                          >;
-                        },
-                        z.core.$strict
-                      >,
-                    ]
-                  >
-                >;
-                redirectPath: z.ZodString;
-              },
-              z.core.$strict
-            >;
-          },
-          z.core.$strict
-        >,
-        z.ZodObject<
-          {
-            mode: z.ZodLiteral<"user-oauth">;
-            oauth: z.ZodObject<
-              {
-                scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
-                scopeDelimiter: z.ZodDefault<z.ZodString>;
-                clientRegistration: z.ZodDefault<
-                  z.ZodDiscriminatedUnion<
-                    [
-                      z.ZodObject<
-                        {
-                          mode: z.ZodLiteral<"auto">;
-                        },
-                        z.core.$strict
-                      >,
-                      z.ZodObject<
-                        {
-                          mode: z.ZodLiteral<"manual">;
-                          clientId: z.ZodString;
-                          clientSecret: z.ZodOptional<z.ZodString>;
-                          tokenEndpointAuthMethod: z.ZodDefault<
-                            z.ZodEnum<{
-                              none: "none";
-                              client_secret_basic: "client_secret_basic";
-                              client_secret_post: "client_secret_post";
-                            }>
-                          >;
-                        },
-                        z.core.$strict
-                      >,
-                    ]
-                  >
-                >;
-                redirectPath: z.ZodString;
-              },
-              z.core.$strict
-            >;
-          },
-          z.core.$strict
-        >,
-      ]
+    ownerMode: z.ZodEnum<{
+      user: "user";
+      shared: "shared";
+    }>;
+    authConfig: z.ZodObject<
+      {
+        scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        scopeDelimiter: z.ZodDefault<z.ZodString>;
+        clientRegistration: z.ZodDefault<
+          z.ZodDiscriminatedUnion<
+            [
+              z.ZodObject<
+                {
+                  mode: z.ZodLiteral<"auto">;
+                },
+                z.core.$strict
+              >,
+              z.ZodObject<
+                {
+                  mode: z.ZodLiteral<"manual">;
+                  clientId: z.ZodString;
+                  clientSecret: z.ZodOptional<z.ZodString>;
+                  tokenEndpointAuthMethod: z.ZodDefault<
+                    z.ZodEnum<{
+                      none: "none";
+                      client_secret_basic: "client_secret_basic";
+                      client_secret_post: "client_secret_post";
+                    }>
+                  >;
+                },
+                z.core.$strict
+              >,
+            ]
+          >
+        >;
+        redirectPath: z.ZodString;
+      },
+      z.core.$strict
     >;
   },
   z.core.$strict

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.53",
+  "version": "6.70.55",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/out/esm/browser-login-idp-QZEGTRKY.js

@@ -1,26 +0,0 @@
-
-/*---------------------------------------------------------------------------------------------
- *  Copyright (c) Zuplo, Inc. All rights reserved.
- *
- *  This software and associated documentation files (the "Software") is intended to be used
- *  only by Zuplo customers solely to develop and test applications that will be deployed
- *  to Zuplo hosted services. You and others in your organization may use these files on your
- *  Development Devices solely for the above stated purpose.
- *
- *  Outside of uses stated above, no license is granted for any other purpose including
- *  without limitation the rights to use, copy, modify, merge, publish, distribute,
- *  sublicense, host, and/or sell copies of the Software.
- *
- *  The software may include third party components with separate legal notices or governed by
- *  other agreements, as described in licenses either embedded in or accompanying the Software.
- *
- *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, 
- *  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 
- *  PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE 
- *  FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 
- *  OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
- *  DEALINGS IN THE SOFTWARE.
- *--------------------------------------------------------------------------------------------*/
-    
-import{f as v,i as u}from"./chunk-WASXKKBJ.js";import{Gc as y,Hc as x,S as r,T as j,ec as h,fc as k,gc as l,jb as m,jc as b,kc as f}from"./chunk-ORBTGJIA.js";import"./chunk-JRXZBVXH.js";import"./chunk-4SACVMDH.js";import{a}from"./chunk-ZIKV2LUM.js";j();import{createRemoteJWKSet as C,errors as d,jwtVerify as T}from"jose";var I=r.object({id_token:r.string().min(1),token_type:r.string().min(1).optional(),expires_in:r.number().optional(),access_token:r.string().min(1).optional(),refresh_token:r.string().min(1).optional(),scope:r.string().min(1).optional()}),U=r.object({error:r.string().min(1).optional(),error_description:r.string().min(1).optional(),error_uri:r.string().min(1).optional()});function J(e){let t=U.safeParse(e);if(!t.success)return{};let n={};return t.data.error!==void 0&&(n.idpError=t.data.error),t.data.error_description!==void 0&&(n.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(n.idpErrorUri=t.data.error_uri.slice(0,256)),n}a(J,"readIdpErrorFields");function M(e){return e instanceof d.JWTExpired?"expired":e instanceof d.JWTClaimValidationFailed?"claim":e instanceof d.JWSSignatureVerificationFailed?"signature":e instanceof d.JWKSNoMatchingKey?"jwks_no_match":e instanceof d.JWTInvalid?"invalid":e instanceof r.ZodError?"schema":"other"}a(M,"readJwtFailureKind");var P=r.object({sub:y,nonce:r.string().min(1)}).catchall(r.unknown()),p;function q(e){return e instanceof Error&&"cause"in e?e.cause:e}a(q,"readErrorCause");function H(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}a(H,"readRuntimeGatewayCode");function L(){if(!p){let e=m();p=C(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return p}a(L,"readFederatedJwks");async function Z(e){let t=m(),n=u("tokenUrl"),w=u("clientId"),E=u("clientSecret"),F=new URL("/oauth/callback",h(e.requestUrl,e.requestHeaders)).toString(),R=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:F,client_id:w,client_secret:E});try{let{response:i,json:s}=await v(n,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:R},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!i.ok){let o=J(s);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:l(n),idpStatus:i.status,...o},"Federated browser login token exchange returned non-2xx from the identity provider"),f({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${i.status}${o.idpError?` idp_error=${o.idpError}`:""}${o.idpErrorDescription?` idp_error_description=${o.idpErrorDescription}`:""})`)})}let S=I.parse(s),c;try{({payload:c}=await T(S.id_token,L(),{issuer:t.oidc.issuer,audience:w}))}catch(o){let _={};throw k(_,"error",o),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:M(o),idpHost:l(n),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),o}if(c.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:l(n),nonceMissingFromIdToken:c.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),f("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let g=P.parse(c);return x({sub:g.sub,data:g},e.requestUrl)}catch(i){let s=b(i)??H(i);throw s!==void 0&&s!=="browser_login_verification_failed"?i:f("browser_login_verification_failed","Federated browser login callback could not be verified.",q(i))}}a(Z,"exchangeFederatedAuthorizationCode");export{Z as exchangeFederatedAuthorizationCode};
-//# sourceMappingURL=browser-login-idp-QZEGTRKY.js.map

package/out/esm/browser-login-idp-QZEGTRKY.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["@zuplo/runtime/mcp-gateway/v2/downstream-oauth/browser-login-idp.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;yPAGAA,IADA,OAAS,sBAAAC,EAAoB,UAAUC,EAAY,aAAAC,MAAiB,OAqBpE,IAAMC,EAA+BC,EAAE,OAAO,CAC5C,SAAUA,EAAE,OAAO,EAAE,IAAI,CAAC,EAC1B,WAAYA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EACvC,WAAYA,EAAE,OAAO,EAAE,SAAS,EAChC,aAAcA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EACzC,cAAeA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAC1C,MAAOA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,CACpC,CAAC,EACKC,EAAoCD,EAAE,OAAO,CACjD,MAAOA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAClC,kBAAmBA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,EAC9C,UAAWA,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,CACxC,CAAC,EAED,SAASE,EAAmBC,EAAmD,CAC7E,IAAMC,EAASH,EAAkC,UAAUE,CAAI,EAC/D,GAAI,CAACC,EAAO,QACV,MAAO,CAAC,EAEV,IAAMC,EAA6C,CAAC,EACpD,OAAID,EAAO,KAAK,QAAU,SACxBC,EAAO,SAAWD,EAAO,KAAK,OAE5BA,EAAO,KAAK,oBAAsB,SACpCC,EAAO,oBAAsBD,EAAO,KAAK,kBAAkB,MAAM,EAAG,GAAG,GAErEA,EAAO,KAAK,YAAc,SAC5BC,EAAO,YAAcD,EAAO,KAAK,UAAU,MAAM,EAAG,GAAG,GAElDC,CACT,CAhBSC,EAAAJ,EAAA,sBAkBT,SAASK,EAAmBC,EAAwB,CAClD,OAAIA,aAAiBC,EAAW,WAAmB,UAC/CD,aAAiBC,EAAW,yBAAiC,QAC7DD,aAAiBC,EAAW,+BACvB,YACLD,aAAiBC,EAAW,kBAA0B,gBACtDD,aAAiBC,EAAW,WAAmB,UAC/CD,aAAiBR,EAAE,SAAiB,SACjC,OACT,CATSM,EAAAC,EAAA,sBAUT,IAAMG,EAA+BV,EAClC,OAAO,CACN,IAAKW,EACL,MAAOX,EAAE,OAAO,EAAE,IAAI,CAAC,CACzB,CAAC,EACA,SAASA,EAAE,QAAQ,CAAC,EAEnBY,EAEJ,SAASC,EAAeL,EAAyB,CAC/C,OAAOA,aAAiB,OAAS,UAAWA,EAAQA,EAAM,MAAQA,CACpE,CAFSF,EAAAO,EAAA,kBAIT,SAASC,EAAuBN,EAAyB,CACvD,GACEA,IAAU,MACV,OAAOA,GAAU,UACjB,qBAAsBA,EAKtB,OAFEA,EACA,kBACuB,WAG7B,CAZSF,EAAAQ,EAAA,0BAcT,SAASC,GAAoB,CAC3B,GAAI,CAACH,EAAqB,CACxB,IAAMI,EAASC,EAAsB,EACrCL,EAAsBM,EAAmB,IAAI,IAAIF,EAAO,KAAK,OAAO,EAAG,CACrE,gBAAiBA,EAAO,aAAa,eACvC,CAAC,CACH,CAEA,OAAOJ,CACT,CATSN,EAAAS,EAAA,qBAWT,eAAsBI,EAAmCC,EAM3B,CAC5B,IAAMJ,EAASC,EAAsB,EAC/BI,EAAWC,EAAyB,UAAU,EAC9CC,EAAWD,EAAyB,UAAU,EAC9CE,EAAeF,EAAyB,cAAc,EACtDG,EAAc,IAAI,IACtB,kBACAC,EAAuBN,EAAM,WAAYA,EAAM,cAAc,CAC/D,EAAE,SAAS,EACLO,EAAO,IAAI,gBAAgB,CAC/B,WAAY,qBACZ,KAAMP,EAAM,KACZ,aAAcK,EACd,UAAWF,EACX,cAAeC,CACjB,CAAC,EAED,GAAI,CACF,GAAM,CAAE,SAAAI,EAAU,KAAAzB,CAAK,EAAI,MAAM0B,EAC/BR,EACA,CACE,OAAQ,OACR,QAAS,CACP,OAAQ,mBACR,eAAgB,mCAClB,EACA,KAAAM,CACF,EACA,CACE,iBAAkB,MAClB,YAAa,oCACb,UAAWX,EAAO,aAAa,gBAC/B,GAAII,EAAM,UAAY,OAAY,CAAC,EAAI,CAAE,QAASA,EAAM,OAAQ,CAClE,CACF,EAEA,GAAI,CAACQ,EAAS,GAAI,CAChB,IAAME,EAAY5B,EAAmBC,CAAI,EACzC,MAAAiB,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,kCACP,KAAM,yBACN,QAASW,EAASV,CAAQ,EAC1B,UAAWO,EAAS,OACpB,GAAGE,CACL,EACA,oFACF,EACME,EAA0B,CAC9B,KAAM,yBACN,cAAe,iDACf,MAAO,IAAI,MACT,qCAAqCJ,EAAS,MAAM,GAClDE,EAAU,SAAW,cAAcA,EAAU,QAAQ,GAAK,EAC5D,GACEA,EAAU,oBACN,0BAA0BA,EAAU,mBAAmB,GACvD,EACN,GACF,CACF,CAAC,CACH,CAEA,IAAMG,EAAUlC,EAA6B,MAAMI,CAAI,EACnD+B,EACJ,GAAI,EACD,CAAE,QAASA,CAAc,EAAI,MAAMC,EAClCF,EAAQ,SACRlB,EAAkB,EAClB,CACE,OAAQC,EAAO,KAAK,OACpB,SAAUO,CACZ,CACF,EACF,OAASa,EAAa,CACpB,IAAMC,EAAuC,CAAC,EAC9C,MAAAC,EAAkBD,EAAc,QAASD,CAAW,EACpDhB,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,yCACP,KAAM,oCACN,YAAab,EAAmB6B,CAAW,EAC3C,QAASL,EAASV,CAAQ,EAC1B,eAAgBL,EAAO,KAAK,OAC5B,GAAGqB,CACL,EACA,6CACF,EACMD,CACR,CAEA,GAAIF,EAAc,QAAUd,EAAM,MAChC,MAAAA,EAAM,SAAS,IAAI,KACjB,CACE,MAAO,2BACP,KAAM,0BACN,QAASW,EAASV,CAAQ,EAC1B,wBAAyBa,EAAc,QAAU,MACnD,EACA,iEACF,EACMF,EACJ,0BACA,uEACF,EAGF,IAAMO,EACJ7B,EAA6B,MAAMwB,CAAa,EAElD,OACEM,EACE,CACE,IAAKD,EAAoB,IACzB,KAAMA,CACR,EACAnB,EAAM,UACR,CAEJ,OAASZ,EAAO,CACd,IAAMiC,EACJC,EAAuBlC,CAAK,GAAKM,EAAuBN,CAAK,EAC/D,MACEiC,IAAgB,QAChBA,IAAgB,oCAEVjC,EAGFwB,EACJ,oCACA,0DACAnB,EAAeL,CAAK,CACtB,CACF,CACF,CA7IsBF,EAAAa,EAAA","names":["init_v4","createRemoteJWKSet","joseErrors","jwtVerify","federatedTokenResponseSchema","external_exports","federatedTokenErrorResponseSchema","readIdpErrorFields","json","parsed","fields","__name","readJwtFailureKind","error","joseErrors","federatedIdTokenClaimsSchema","subjectIdSchema","cachedFederatedJwks","readErrorCause","readRuntimeGatewayCode","readFederatedJwks","config","getGatewayOAuthConfig","createRemoteJWKSet","exchangeFederatedAuthorizationCode","input","tokenUrl","requireBrowserLoginField","clientId","clientSecret","callbackUrl","readGatewayOAuthIssuer","body","response","fetchIdentityProviderJson","idpFields","safeHost","createGatewayRuntimeError","payload","idTokenClaims","jwtVerify","verifyError","verifyFields","addErrorLogFields","parsedIdTokenClaims","parseGatewayRequestUser","problemCode","readGatewayProblemCode"]}