@zuplo/runtime 6.70.62 → 6.70.66

package/out/esm/mocks/index.js

@@ -22,5 +22,5 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{b as l}from"../chunk-LGEY3NNC.js";import{a as o,da as n}from"../chunk-ZIKV2LUM.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function t(i){e.push(Promise.resolve(i))}return o(t,"waitUntil"),{context:new s({event:{waitUntil:t},route:u.route}),invokeResponse:o(async()=>{await Promise.all(e)},"invokeResponse")}}o(g,"createMockContext");var p={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:o(()=>({}),"raw")},s=class extends EventTarget{static{o(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:t=p,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:o(()=>{},"setLogProperties")},this.custom={},this.route=t,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0,clientCert:void 0,clientMtlsVerificationStatus:void 0,clientMtlsVerificationReason:void 0,clientCertFingerprintSha256:void 0,clientCertNotBefore:void 0,clientCertNotAfter:void 0,clientCertIssuerDn:void 0,clientCertSubjectDn:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,t){throw new Error("Not implemented")}invokeOutboundPolicy(e,t,r){throw new Error("Not implemented")}invokeRoute(e,t){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,t,r){let d=o(i=>{try{typeof t=="function"?t(i):t.handleEvent(i)}catch(a){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),a}},"wrapped");super.addEventListener(e,d,r)}};export{s as MockZuploContext,g as createMockContext};
+import{b as l}from"../chunk-C2TBCXWG.js";import{a as o,da as n}from"../chunk-ZIKV2LUM.js";function g(u={request:new Request("https://api.example.com")}){let e=[];function t(i){e.push(Promise.resolve(i))}return o(t,"waitUntil"),{context:new s({event:{waitUntil:t},route:u.route}),invokeResponse:o(async()=>{await Promise.all(e)},"invokeResponse")}}o(g,"createMockContext");var p={path:"/",methods:["GET"],handler:{module:{},export:"default"},raw:o(()=>({}),"raw")},s=class extends EventTarget{static{o(this,"MockZuploContext")}#e;contextId;requestId;log;route;custom;incomingRequestProperties;parentContext;analyticsContext;constructor({event:e,route:t=p,parentContext:r}){super(),this.requestId=crypto.randomUUID(),this.contextId=crypto.randomUUID(),this.log={info:n.console.info,log:n.console.log,debug:n.console.debug,warn:n.console.warn,error:n.console.error,setLogProperties:o(()=>{},"setLogProperties")},this.custom={},this.route=t,this.incomingRequestProperties={asn:1234,asOrganization:"ORGANIZATION",city:"Seattle",region:"Washington",regionCode:"WA",colo:"SEA",continent:"NA",country:"US",postalCode:"98004",metroCode:"SEA",latitude:void 0,longitude:void 0,timezone:void 0,httpProtocol:void 0,clientCert:void 0,clientMtlsVerificationStatus:void 0,clientMtlsVerificationReason:void 0,clientCertFingerprintSha256:void 0,clientCertNotBefore:void 0,clientCertNotAfter:void 0,clientCertIssuerDn:void 0,clientCertSubjectDn:void 0},this.parentContext=r,this.#e=e,this.analyticsContext=new l(this.requestId)}waitUntil(e){this.#e.waitUntil(e)}invokeInboundPolicy(e,t){throw new Error("Not implemented")}invokeOutboundPolicy(e,t,r){throw new Error("Not implemented")}invokeRoute(e,t){throw new Error("Not implemented")}addResponseSendingHook(e){throw new Error("Not implemented")}addResponseSendingFinalHook(e){throw new Error("Not implemented")}addEventListener(e,t,r){let d=o(i=>{try{typeof t=="function"?t(i):t.handleEvent(i)}catch(a){throw this.log.error(`Error invoking event ${e}. See following logs for details.`),a}},"wrapped");super.addEventListener(e,d,r)}};export{s as MockZuploContext,g as createMockContext};
 //# sourceMappingURL=index.js.map

package/out/types/index.d.ts

@@ -176,6 +176,22 @@ export declare class AIGatewayMeteringInboundPolicy extends InboundPolicy<AIGate
     increments: AIGatewayMeterIncrements
   ): void;
   static getIncrements(context: ZuploContext): AIGatewayMeterIncrements;
+  /**
+   * Record the global quota fallback models for the current request. Set by the
+   * metering policy when a quota is exceeded and a fallback is configured; read
+   * by the LLM translation handler, which routes to the capability-appropriate
+   * model instead of the (over-budget) primary.
+   *
+   * @param context - The ZuploContext
+   * @param quotaFallback - The validated quota fallback models.
+   */
+  static setQuotaFallback(
+    context: ZuploContext,
+    quotaFallback: QuotaFallbackModels
+  ): void;
+  static getQuotaFallback(
+    context: ZuploContext
+  ): QuotaFallbackModels | undefined;
   constructor(
     options: AIGatewayMeteringInboundPolicyOptions,
     policyName: string
@@ -185,6 +201,23 @@ export declare class AIGatewayMeteringInboundPolicy extends InboundPolicy<AIGate
     context: ZuploContext
   ): Promise<Response | ZuploRequest<RequestGeneric_2>>;
   private fetchCurrentMeters;
+  /**
+   * The capability a request targets, derived from its path, or `undefined` for
+   * paths that do not support quota fallback (e.g. `/v1/responses`, which the LLM
+   * handler serves without the fallback chain). Used to decide whether a quota
+   * fallback actually applies to *this* request.
+   */
+  private requestCapability;
+  /**
+   * Validate and return the configured quota fallback when it applies to *this*
+   * request's capability, or `undefined` otherwise (no config, malformed config,
+   * an unsupported path, or no model configured for the request's capability).
+   * Returning `undefined` blocks the request with a 429 — so a fallback is only
+   * counted and applied when the handler can actually serve the request with it.
+   * The config is customer-authored and reaches us through an `unknown` cast, so
+   * we validate it through Zod before acting on it.
+   */
+  private resolveQuotaFallback;
   private checkHierarchicalQuotaLimits;
   /**
    * Increment meters via API. Can be used by providers for streaming responses.
@@ -2969,6 +3002,7 @@ declare const EventType: {
   readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
   readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
   readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
+  readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
   readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
   readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
   readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
@@ -5666,7 +5700,7 @@ declare type LokiTransportVersion = 1 | 2;
  * @title MCP Auth0 OAuth
  * @product mcp-gateway
  */
-export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
+export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<ValidatedAuth0OAuthOptions> {
   #private;
   constructor(rawOptions: unknown, policyName: string);
   handler(
@@ -5717,6 +5751,69 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
      */
     cimdEnabled?: boolean;
   };
+  /**
+   * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
+   */
+  idJag?:
+    | {
+        /**
+         * Disable ID-JAG support.
+         */
+        enabled: false;
+      }
+    | {
+        /**
+         * Enable ID-JAG support.
+         */
+        enabled: true;
+        /**
+         * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
+         *
+         * @minItems 1
+         */
+        trustedIssuers: [
+          {
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          },
+          ...{
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          }[],
+        ];
+        /**
+         * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
+         */
+        authorizationDetailsTypesAllowed?: string[];
+      };
   /**
    * Optional overrides for the derived browser-login settings.
    */
@@ -5727,6 +5824,38 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
   };
 }
 
+declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
+  {
+    auth0Domain: z.ZodString;
+    audience: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    gateway: z.ZodOptional<
+      z.ZodObject<
+        {
+          accessTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          refreshTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          cimdEnabled: z.ZodOptional<z.ZodBoolean>;
+        },
+        z.core.$strict
+      >
+    >;
+    idJag: z.ZodOptional<z.ZodUnknown>;
+    browserLoginOverrides: z.ZodOptional<
+      z.ZodObject<
+        {
+          remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
+          stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
+        },
+        z.core.$strict
+      >
+    >;
+  },
+  z.core.$strict
+>;
+
 /**
  * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
  * with browser login delegated to Clerk.
@@ -6260,6 +6389,69 @@ export declare interface McpOAuthInboundPolicyOptions {
      */
     cimdEnabled?: boolean;
   };
+  /**
+   * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
+   */
+  idJag?:
+    | {
+        /**
+         * Disable ID-JAG support.
+         */
+        enabled: false;
+      }
+    | {
+        /**
+         * Enable ID-JAG support.
+         */
+        enabled: true;
+        /**
+         * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
+         *
+         * @minItems 1
+         */
+        trustedIssuers: [
+          {
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          },
+          ...{
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          }[],
+        ];
+        /**
+         * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
+         */
+        authorizationDetailsTypesAllowed?: string[];
+      };
 }
 
 declare type McpOAuthRuntimeConfig = z.infer<
@@ -6314,6 +6506,50 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
         }
       >
     >;
+    idJag: z.ZodDefault<
+      z.ZodOptional<
+        z.ZodDefault<
+          z.ZodDiscriminatedUnion<
+            [
+              z.ZodObject<
+                {
+                  enabled: z.ZodLiteral<false>;
+                },
+                z.core.$strict
+              >,
+              z.ZodObject<
+                {
+                  enabled: z.ZodLiteral<true>;
+                  trustedIssuers: z.ZodArray<
+                    z.ZodObject<
+                      {
+                        issuer: z.ZodURL;
+                        jwksUrl: z.ZodURL;
+                        expectedClientIds: z.ZodOptional<
+                          z.ZodArray<z.ZodString>
+                        >;
+                        subjectMapping: z.ZodDefault<
+                          z.ZodEnum<{
+                            iss_prefix: "iss_prefix";
+                            iss_tenant_prefix: "iss_tenant_prefix";
+                            sub_id_only: "sub_id_only";
+                          }>
+                        >;
+                      },
+                      z.core.$strict
+                    >
+                  >;
+                  authorizationDetailsTypesAllowed: z.ZodOptional<
+                    z.ZodArray<z.ZodString>
+                  >;
+                },
+                z.core.$strict
+              >,
+            ]
+          >
+        >
+      >
+    >;
   },
   z.core.$strict
 >;
@@ -6844,6 +7080,12 @@ export declare interface MockApiInboundOptions {
  */
 export declare const MockApiInboundPolicy: InboundPolicyHandler<MockApiInboundOptions>;
 
+declare interface ModelConfiguration {
+  environmentVariable: string;
+  model: string;
+  provider: string;
+}
+
 declare type Modify<T, R> = Omit<T, keyof R> & R;
 
 declare interface MoesifContext {
@@ -8667,6 +8909,15 @@ export declare interface QuotaDetail {
   };
 }
 
+/**
+ * Global quota fallback models, keyed by capability. Applied whenever any
+ * configured quota limit (any meter/period) is exceeded.
+ */
+declare interface QuotaFallbackModels {
+  completions?: ModelConfiguration;
+  embeddings?: ModelConfiguration;
+}
+
 /**
  * The Quota policy enables you to set monthly, weekly, daily or hourly quotas on your API.
  *
@@ -10830,6 +11081,10 @@ export declare function urlRewriteHandler(
 
 declare type UserDataDefault = any;
 
+declare type ValidatedAuth0OAuthOptions = z.infer<
+  typeof mcpAuth0OAuthOptionsSchema
+>;
+
 /**
  * Validates the body of an incoming request based on a JSON schema.
  *