@zuplo/runtime 6.70.62 → 6.70.66

@@ -103,6 +103,7 @@ declare const EventType: {
103
103
  readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
104
104
  readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
105
105
  readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
106
+ readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
106
107
  readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
107
108
  readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
108
109
  readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
@@ -961,7 +962,7 @@ declare interface Logger extends BaseLogger {
961
962
  * @title MCP Auth0 OAuth
962
963
  * @product mcp-gateway
963
964
  */
964
- export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
965
+ export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<ValidatedAuth0OAuthOptions> {
965
966
  #private;
966
967
  constructor(rawOptions: unknown, policyName: string);
967
968
  handler(
@@ -1012,6 +1013,69 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
1012
1013
  */
1013
1014
  cimdEnabled?: boolean;
1014
1015
  };
1016
+ /**
1017
+ * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
1018
+ */
1019
+ idJag?:
1020
+ | {
1021
+ /**
1022
+ * Disable ID-JAG support.
1023
+ */
1024
+ enabled: false;
1025
+ }
1026
+ | {
1027
+ /**
1028
+ * Enable ID-JAG support.
1029
+ */
1030
+ enabled: true;
1031
+ /**
1032
+ * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
1033
+ *
1034
+ * @minItems 1
1035
+ */
1036
+ trustedIssuers: [
1037
+ {
1038
+ /**
1039
+ * Exact issuer URL expected in the ID-JAG iss claim.
1040
+ */
1041
+ issuer: string;
1042
+ /**
1043
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1044
+ */
1045
+ jwksUrl: string;
1046
+ /**
1047
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1048
+ */
1049
+ expectedClientIds?: string[];
1050
+ /**
1051
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1052
+ */
1053
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1054
+ },
1055
+ ...{
1056
+ /**
1057
+ * Exact issuer URL expected in the ID-JAG iss claim.
1058
+ */
1059
+ issuer: string;
1060
+ /**
1061
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1062
+ */
1063
+ jwksUrl: string;
1064
+ /**
1065
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1066
+ */
1067
+ expectedClientIds?: string[];
1068
+ /**
1069
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1070
+ */
1071
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1072
+ }[],
1073
+ ];
1074
+ /**
1075
+ * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
1076
+ */
1077
+ authorizationDetailsTypesAllowed?: string[];
1078
+ };
1015
1079
  /**
1016
1080
  * Optional overrides for the derived browser-login settings.
1017
1081
  */
@@ -1022,6 +1086,38 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
1022
1086
  };
1023
1087
  }
1024
1088
 
1089
+ declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
1090
+ {
1091
+ auth0Domain: z.ZodString;
1092
+ audience: z.ZodOptional<z.ZodString>;
1093
+ clientId: z.ZodString;
1094
+ clientSecret: z.ZodString;
1095
+ scope: z.ZodOptional<z.ZodString>;
1096
+ gateway: z.ZodOptional<
1097
+ z.ZodObject<
1098
+ {
1099
+ accessTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
1100
+ refreshTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
1101
+ cimdEnabled: z.ZodOptional<z.ZodBoolean>;
1102
+ },
1103
+ z.core.$strict
1104
+ >
1105
+ >;
1106
+ idJag: z.ZodOptional<z.ZodUnknown>;
1107
+ browserLoginOverrides: z.ZodOptional<
1108
+ z.ZodObject<
1109
+ {
1110
+ remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
1111
+ stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
1112
+ sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
1113
+ },
1114
+ z.core.$strict
1115
+ >
1116
+ >;
1117
+ },
1118
+ z.core.$strict
1119
+ >;
1120
+
1025
1121
  /**
1026
1122
  * Curate MCP capabilities advertised and reachable through `McpProxyHandler`.
1027
1123
  *
@@ -1733,6 +1829,69 @@ export declare interface McpOAuthInboundPolicyOptions {
1733
1829
  */
1734
1830
  cimdEnabled?: boolean;
1735
1831
  };
1832
+ /**
1833
+ * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
1834
+ */
1835
+ idJag?:
1836
+ | {
1837
+ /**
1838
+ * Disable ID-JAG support.
1839
+ */
1840
+ enabled: false;
1841
+ }
1842
+ | {
1843
+ /**
1844
+ * Enable ID-JAG support.
1845
+ */
1846
+ enabled: true;
1847
+ /**
1848
+ * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
1849
+ *
1850
+ * @minItems 1
1851
+ */
1852
+ trustedIssuers: [
1853
+ {
1854
+ /**
1855
+ * Exact issuer URL expected in the ID-JAG iss claim.
1856
+ */
1857
+ issuer: string;
1858
+ /**
1859
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1860
+ */
1861
+ jwksUrl: string;
1862
+ /**
1863
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1864
+ */
1865
+ expectedClientIds?: string[];
1866
+ /**
1867
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1868
+ */
1869
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1870
+ },
1871
+ ...{
1872
+ /**
1873
+ * Exact issuer URL expected in the ID-JAG iss claim.
1874
+ */
1875
+ issuer: string;
1876
+ /**
1877
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1878
+ */
1879
+ jwksUrl: string;
1880
+ /**
1881
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1882
+ */
1883
+ expectedClientIds?: string[];
1884
+ /**
1885
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1886
+ */
1887
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1888
+ }[],
1889
+ ];
1890
+ /**
1891
+ * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
1892
+ */
1893
+ authorizationDetailsTypesAllowed?: string[];
1894
+ };
1736
1895
  }
1737
1896
 
1738
1897
  declare type McpOAuthRuntimeConfig = z.infer<
@@ -1787,6 +1946,50 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
1787
1946
  }
1788
1947
  >
1789
1948
  >;
1949
+ idJag: z.ZodDefault<
1950
+ z.ZodOptional<
1951
+ z.ZodDefault<
1952
+ z.ZodDiscriminatedUnion<
1953
+ [
1954
+ z.ZodObject<
1955
+ {
1956
+ enabled: z.ZodLiteral<false>;
1957
+ },
1958
+ z.core.$strict
1959
+ >,
1960
+ z.ZodObject<
1961
+ {
1962
+ enabled: z.ZodLiteral<true>;
1963
+ trustedIssuers: z.ZodArray<
1964
+ z.ZodObject<
1965
+ {
1966
+ issuer: z.ZodURL;
1967
+ jwksUrl: z.ZodURL;
1968
+ expectedClientIds: z.ZodOptional<
1969
+ z.ZodArray<z.ZodString>
1970
+ >;
1971
+ subjectMapping: z.ZodDefault<
1972
+ z.ZodEnum<{
1973
+ iss_prefix: "iss_prefix";
1974
+ iss_tenant_prefix: "iss_tenant_prefix";
1975
+ sub_id_only: "sub_id_only";
1976
+ }>
1977
+ >;
1978
+ },
1979
+ z.core.$strict
1980
+ >
1981
+ >;
1982
+ authorizationDetailsTypesAllowed: z.ZodOptional<
1983
+ z.ZodArray<z.ZodString>
1984
+ >;
1985
+ },
1986
+ z.core.$strict
1987
+ >,
1988
+ ]
1989
+ >
1990
+ >
1991
+ >
1992
+ >;
1790
1993
  },
1791
1994
  z.core.$strict
1792
1995
  >;
@@ -3211,45 +3414,206 @@ declare const upstreamTokenExchangePolicyOptionsSchema: z.ZodObject<
3211
3414
  authMode: z.ZodEnum<{
3212
3415
  "user-oauth": "user-oauth";
3213
3416
  "shared-oauth": "shared-oauth";
3417
+ "id-jag": "id-jag";
3214
3418
  }>;
3215
3419
  ownerMode: z.ZodEnum<{
3216
3420
  user: "user";
3217
3421
  shared: "shared";
3218
3422
  }>;
3219
- authConfig: z.ZodObject<
3220
- {
3221
- scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3222
- scopeDelimiter: z.ZodDefault<z.ZodString>;
3223
- clientRegistration: z.ZodDefault<
3224
- z.ZodDiscriminatedUnion<
3225
- [
3226
- z.ZodObject<
3227
- {
3228
- mode: z.ZodLiteral<"auto">;
3229
- },
3230
- z.core.$strict
3231
- >,
3232
- z.ZodObject<
3233
- {
3234
- mode: z.ZodLiteral<"manual">;
3235
- clientId: z.ZodString;
3236
- clientSecret: z.ZodOptional<z.ZodString>;
3237
- tokenEndpointAuthMethod: z.ZodDefault<
3238
- z.ZodEnum<{
3239
- none: "none";
3240
- client_secret_basic: "client_secret_basic";
3241
- client_secret_post: "client_secret_post";
3242
- }>
3243
- >;
3244
- },
3245
- z.core.$strict
3246
- >,
3247
- ]
3248
- >
3249
- >;
3250
- redirectPath: z.ZodString;
3251
- },
3252
- z.core.$strict
3423
+ authConfig: z.ZodDiscriminatedUnion<
3424
+ [
3425
+ z.ZodObject<
3426
+ {
3427
+ mode: z.ZodLiteral<"shared-oauth">;
3428
+ oauth: z.ZodObject<
3429
+ {
3430
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3431
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3432
+ clientRegistration: z.ZodDefault<
3433
+ z.ZodDiscriminatedUnion<
3434
+ [
3435
+ z.ZodObject<
3436
+ {
3437
+ mode: z.ZodLiteral<"auto">;
3438
+ },
3439
+ z.core.$strict
3440
+ >,
3441
+ z.ZodObject<
3442
+ {
3443
+ mode: z.ZodLiteral<"manual">;
3444
+ clientId: z.ZodString;
3445
+ clientSecret: z.ZodOptional<z.ZodString>;
3446
+ tokenEndpointAuthMethod: z.ZodDefault<
3447
+ z.ZodEnum<{
3448
+ none: "none";
3449
+ client_secret_basic: "client_secret_basic";
3450
+ client_secret_post: "client_secret_post";
3451
+ }>
3452
+ >;
3453
+ },
3454
+ z.core.$strict
3455
+ >,
3456
+ ]
3457
+ >
3458
+ >;
3459
+ redirectPath: z.ZodString;
3460
+ },
3461
+ z.core.$strict
3462
+ >;
3463
+ },
3464
+ z.core.$strict
3465
+ >,
3466
+ z.ZodObject<
3467
+ {
3468
+ mode: z.ZodLiteral<"user-oauth">;
3469
+ oauth: z.ZodObject<
3470
+ {
3471
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3472
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3473
+ clientRegistration: z.ZodDefault<
3474
+ z.ZodDiscriminatedUnion<
3475
+ [
3476
+ z.ZodObject<
3477
+ {
3478
+ mode: z.ZodLiteral<"auto">;
3479
+ },
3480
+ z.core.$strict
3481
+ >,
3482
+ z.ZodObject<
3483
+ {
3484
+ mode: z.ZodLiteral<"manual">;
3485
+ clientId: z.ZodString;
3486
+ clientSecret: z.ZodOptional<z.ZodString>;
3487
+ tokenEndpointAuthMethod: z.ZodDefault<
3488
+ z.ZodEnum<{
3489
+ none: "none";
3490
+ client_secret_basic: "client_secret_basic";
3491
+ client_secret_post: "client_secret_post";
3492
+ }>
3493
+ >;
3494
+ },
3495
+ z.core.$strict
3496
+ >,
3497
+ ]
3498
+ >
3499
+ >;
3500
+ redirectPath: z.ZodString;
3501
+ },
3502
+ z.core.$strict
3503
+ >;
3504
+ },
3505
+ z.core.$strict
3506
+ >,
3507
+ z.ZodObject<
3508
+ {
3509
+ mode: z.ZodLiteral<"id-jag">;
3510
+ idJag: z.ZodObject<
3511
+ {
3512
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3513
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3514
+ idp: z.ZodObject<
3515
+ {
3516
+ tokenUrl: z.ZodURL;
3517
+ clientAuth: z.ZodDiscriminatedUnion<
3518
+ [
3519
+ z.ZodObject<
3520
+ {
3521
+ method: z.ZodLiteral<"client_secret_post">;
3522
+ clientId: z.ZodString;
3523
+ clientSecret: z.ZodString;
3524
+ },
3525
+ z.core.$strict
3526
+ >,
3527
+ z.ZodObject<
3528
+ {
3529
+ method: z.ZodLiteral<"client_secret_basic">;
3530
+ clientId: z.ZodString;
3531
+ clientSecret: z.ZodString;
3532
+ },
3533
+ z.core.$strict
3534
+ >,
3535
+ z.ZodObject<
3536
+ {
3537
+ method: z.ZodLiteral<"private_key_jwt">;
3538
+ clientId: z.ZodString;
3539
+ privateKeyPem: z.ZodString;
3540
+ algorithm: z.ZodDefault<
3541
+ z.ZodEnum<{
3542
+ RS256: "RS256";
3543
+ RS384: "RS384";
3544
+ RS512: "RS512";
3545
+ ES256: "ES256";
3546
+ ES384: "ES384";
3547
+ ES512: "ES512";
3548
+ }>
3549
+ >;
3550
+ keyId: z.ZodOptional<z.ZodString>;
3551
+ audience: z.ZodOptional<z.ZodURL>;
3552
+ expiresInSeconds: z.ZodDefault<z.ZodNumber>;
3553
+ },
3554
+ z.core.$strict
3555
+ >,
3556
+ ]
3557
+ >;
3558
+ },
3559
+ z.core.$strict
3560
+ >;
3561
+ resourceAs: z.ZodObject<
3562
+ {
3563
+ tokenUrl: z.ZodURL;
3564
+ audience: z.ZodString;
3565
+ resource: z.ZodOptional<z.ZodString>;
3566
+ clientAuth: z.ZodDiscriminatedUnion<
3567
+ [
3568
+ z.ZodObject<
3569
+ {
3570
+ method: z.ZodLiteral<"client_secret_post">;
3571
+ clientId: z.ZodString;
3572
+ clientSecret: z.ZodString;
3573
+ },
3574
+ z.core.$strict
3575
+ >,
3576
+ z.ZodObject<
3577
+ {
3578
+ method: z.ZodLiteral<"client_secret_basic">;
3579
+ clientId: z.ZodString;
3580
+ clientSecret: z.ZodString;
3581
+ },
3582
+ z.core.$strict
3583
+ >,
3584
+ z.ZodObject<
3585
+ {
3586
+ method: z.ZodLiteral<"private_key_jwt">;
3587
+ clientId: z.ZodString;
3588
+ privateKeyPem: z.ZodString;
3589
+ algorithm: z.ZodDefault<
3590
+ z.ZodEnum<{
3591
+ RS256: "RS256";
3592
+ RS384: "RS384";
3593
+ RS512: "RS512";
3594
+ ES256: "ES256";
3595
+ ES384: "ES384";
3596
+ ES512: "ES512";
3597
+ }>
3598
+ >;
3599
+ keyId: z.ZodOptional<z.ZodString>;
3600
+ audience: z.ZodOptional<z.ZodURL>;
3601
+ expiresInSeconds: z.ZodDefault<z.ZodNumber>;
3602
+ },
3603
+ z.core.$strict
3604
+ >,
3605
+ ]
3606
+ >;
3607
+ },
3608
+ z.core.$strict
3609
+ >;
3610
+ },
3611
+ z.core.$strict
3612
+ >;
3613
+ },
3614
+ z.core.$strict
3615
+ >,
3616
+ ]
3253
3617
  >;
3254
3618
  },
3255
3619
  z.core.$strict
@@ -3262,6 +3626,10 @@ declare interface UrlConfig {
3262
3626
 
3263
3627
  declare type UserDataDefault = any;
3264
3628
 
3629
+ declare type ValidatedAuth0OAuthOptions = z.infer<
3630
+ typeof mcpAuth0OAuthOptionsSchema
3631
+ >;
3632
+
3265
3633
  declare type ValidatedOptions = z.infer<
3266
3634
  typeof mcpCapabilityFilterOptionsSchema
3267
3635
  >;
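Review bot: In the new `mcpAuth0OAuthOptionsSchema` declaration (new lines 1089–1119), `idJag` is typed `z.ZodOptional<z.ZodUnknown>`, so `ValidatedAuth0OAuthOptions`, which this release makes the type parameter of `McpAuth0OAuthInboundPolicy`, carries the trusted-issuer list as `unknown`, whereas `mcpOAuthRuntimeConfigSchema` (new lines 1949–1992) declares the same field as a strict discriminated union with `issuer` and `jwksUrl` as `z.ZodURL`. Only declarations are visible here, so the value is presumably parsed by the strict schema before any issuer or JWKS URL is used to verify an assertion; that should be confirmed and recorded on the field, for example `/** Not validated by this schema; parsed by <strict schema name> before use. */`. The `subjectMapping` comment in both `McpAuth0OAuthInboundPolicyOptions` and `McpOAuthInboundPolicyOptions` should also name the default (the schema wraps the enum in `z.ZodDefault`, but the value is not shown) and describe each option. If `sub_id_only` omits the issuer from the gateway subject ID, as its name suggests, subjects from two trusted issuers could collide, and the comment should say so.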
@@ -84,6 +84,7 @@ declare const EventType: {
84
84
  readonly AI_GATEWAY_LATENCY_HISTOGRAM: "ai_gateway_latency_histogram";
85
85
  readonly AI_GATEWAY_WARNING_COUNT: "ai_gateway_warning_count";
86
86
  readonly AI_GATEWAY_BLOCKED_COUNT: "ai_gateway_blocked_count";
87
+ readonly AI_GATEWAY_FALLBACK_COUNT: "ai_gateway_fallback_count";
87
88
  readonly MCP_REQUEST_RECEIVED: "mcp_request_received";
88
89
  readonly MCP_REQUEST_COMPLETED: "mcp_request_completed";
89
90
  readonly MCP_REQUEST_REJECTED: "mcp_request_rejected";
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@zuplo/runtime",
3
3
  "type": "module",
4
- "version": "6.70.62",
4
+ "version": "6.70.66",
5
5
  "repository": "https://github.com/zuplo/zuplo",
6
6
  "author": "Zuplo, Inc.",
7
7
  "exports": {