@zuplo/runtime 6.70.63 → 6.70.67

package/out/types/index.d.ts

@@ -5700,7 +5700,7 @@ declare type LokiTransportVersion = 1 | 2;
  * @title MCP Auth0 OAuth
  * @product mcp-gateway
  */
-export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
+export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<ValidatedAuth0OAuthOptions> {
   #private;
   constructor(rawOptions: unknown, policyName: string);
   handler(
@@ -5751,6 +5751,69 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
      */
     cimdEnabled?: boolean;
   };
+  /**
+   * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
+   */
+  idJag?:
+    | {
+        /**
+         * Disable ID-JAG support.
+         */
+        enabled: false;
+      }
+    | {
+        /**
+         * Enable ID-JAG support.
+         */
+        enabled: true;
+        /**
+         * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
+         *
+         * @minItems 1
+         */
+        trustedIssuers: [
+          {
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          },
+          ...{
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          }[],
+        ];
+        /**
+         * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
+         */
+        authorizationDetailsTypesAllowed?: string[];
+      };
   /**
    * Optional overrides for the derived browser-login settings.
    */
@@ -5761,6 +5824,38 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
   };
 }
 
+declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
+  {
+    auth0Domain: z.ZodString;
+    audience: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    gateway: z.ZodOptional<
+      z.ZodObject<
+        {
+          accessTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          refreshTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          cimdEnabled: z.ZodOptional<z.ZodBoolean>;
+        },
+        z.core.$strict
+      >
+    >;
+    idJag: z.ZodOptional<z.ZodUnknown>;
+    browserLoginOverrides: z.ZodOptional<
+      z.ZodObject<
+        {
+          remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
+          stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
+          sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
+        },
+        z.core.$strict
+      >
+    >;
+  },
+  z.core.$strict
+>;
+
 /**
  * Authenticate MCP gateway requests using a gateway-issued OAuth access token,
  * with browser login delegated to Clerk.
@@ -6294,6 +6389,69 @@ export declare interface McpOAuthInboundPolicyOptions {
      */
     cimdEnabled?: boolean;
   };
+  /**
+   * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
+   */
+  idJag?:
+    | {
+        /**
+         * Disable ID-JAG support.
+         */
+        enabled: false;
+      }
+    | {
+        /**
+         * Enable ID-JAG support.
+         */
+        enabled: true;
+        /**
+         * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
+         *
+         * @minItems 1
+         */
+        trustedIssuers: [
+          {
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          },
+          ...{
+            /**
+             * Exact issuer URL expected in the ID-JAG iss claim.
+             */
+            issuer: string;
+            /**
+             * JWKS URL used to verify ID-JAG signatures from this issuer.
+             */
+            jwksUrl: string;
+            /**
+             * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
+             */
+            expectedClientIds?: string[];
+            /**
+             * How the ID-JAG subject is mapped into the gateway subject ID.
+             */
+            subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
+          }[],
+        ];
+        /**
+         * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
+         */
+        authorizationDetailsTypesAllowed?: string[];
+      };
 }
 
 declare type McpOAuthRuntimeConfig = z.infer<
@@ -6348,6 +6506,50 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
         }
       >
     >;
+    idJag: z.ZodDefault<
+      z.ZodOptional<
+        z.ZodDefault<
+          z.ZodDiscriminatedUnion<
+            [
+              z.ZodObject<
+                {
+                  enabled: z.ZodLiteral<false>;
+                },
+                z.core.$strict
+              >,
+              z.ZodObject<
+                {
+                  enabled: z.ZodLiteral<true>;
+                  trustedIssuers: z.ZodArray<
+                    z.ZodObject<
+                      {
+                        issuer: z.ZodURL;
+                        jwksUrl: z.ZodURL;
+                        expectedClientIds: z.ZodOptional<
+                          z.ZodArray<z.ZodString>
+                        >;
+                        subjectMapping: z.ZodDefault<
+                          z.ZodEnum<{
+                            iss_prefix: "iss_prefix";
+                            iss_tenant_prefix: "iss_tenant_prefix";
+                            sub_id_only: "sub_id_only";
+                          }>
+                        >;
+                      },
+                      z.core.$strict
+                    >
+                  >;
+                  authorizationDetailsTypesAllowed: z.ZodOptional<
+                    z.ZodArray<z.ZodString>
+                  >;
+                },
+                z.core.$strict
+              >,
+            ]
+          >
+        >
+      >
+    >;
   },
   z.core.$strict
 >;
@@ -10879,6 +11081,10 @@ export declare function urlRewriteHandler(
 
 declare type UserDataDefault = any;
 
+declare type ValidatedAuth0OAuthOptions = z.infer<
+  typeof mcpAuth0OAuthOptionsSchema
+>;
+
 /**
  * Validates the body of an incoming request based on a JSON schema.
  *