@zuplo/runtime 6.70.63 → 6.70.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/out/esm/chunk-O5I2ETU3.js +356 -0
  2. package/out/esm/chunk-O5I2ETU3.js.map +1 -0
  3. package/out/esm/index.js +1 -1
  4. package/out/esm/mcp-gateway/index.js +13 -12
  5. package/out/esm/mcp-gateway/index.js.map +1 -1
  6. package/out/types/index.d.ts +207 -1
  7. package/out/types/mcp-gateway/index.d.ts +402 -35
  8. package/package.json +1 -1
  9. package/out/esm/chunk-GI3LNO4X.js +0 -370
  10. package/out/esm/chunk-GI3LNO4X.js.map +0 -1
  11. /package/out/esm/{chunk-GI3LNO4X.js.LEGAL.txt → chunk-O5I2ETU3.js.LEGAL.txt} +0 -0
package/out/types/mcp-gateway/index.d.ts CHANGED
@@ -962,7 +962,7 @@ declare interface Logger extends BaseLogger {
962
962
  * @title MCP Auth0 OAuth
963
963
  * @product mcp-gateway
964
964
  */
965
- export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<McpAuth0OAuthInboundPolicyOptions> {
965
+ export declare class McpAuth0OAuthInboundPolicy extends InboundPolicy<ValidatedAuth0OAuthOptions> {
966
966
  #private;
967
967
  constructor(rawOptions: unknown, policyName: string);
968
968
  handler(
@@ -1013,6 +1013,69 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
1013
1013
  */
1014
1014
  cimdEnabled?: boolean;
1015
1015
  };
1016
+ /**
1017
+ * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
1018
+ */
1019
+ idJag?:
1020
+ | {
1021
+ /**
1022
+ * Disable ID-JAG support.
1023
+ */
1024
+ enabled: false;
1025
+ }
1026
+ | {
1027
+ /**
1028
+ * Enable ID-JAG support.
1029
+ */
1030
+ enabled: true;
1031
+ /**
1032
+ * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
1033
+ *
1034
+ * @minItems 1
1035
+ */
1036
+ trustedIssuers: [
1037
+ {
1038
+ /**
1039
+ * Exact issuer URL expected in the ID-JAG iss claim.
1040
+ */
1041
+ issuer: string;
1042
+ /**
1043
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1044
+ */
1045
+ jwksUrl: string;
1046
+ /**
1047
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1048
+ */
1049
+ expectedClientIds?: string[];
1050
+ /**
1051
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1052
+ */
1053
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1054
+ },
1055
+ ...{
1056
+ /**
1057
+ * Exact issuer URL expected in the ID-JAG iss claim.
1058
+ */
1059
+ issuer: string;
1060
+ /**
1061
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1062
+ */
1063
+ jwksUrl: string;
1064
+ /**
1065
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1066
+ */
1067
+ expectedClientIds?: string[];
1068
+ /**
1069
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1070
+ */
1071
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1072
+ }[],
1073
+ ];
1074
+ /**
1075
+ * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
1076
+ */
1077
+ authorizationDetailsTypesAllowed?: string[];
1078
+ };
1016
1079
  /**
1017
1080
  * Optional overrides for the derived browser-login settings.
1018
1081
  */
@@ -1023,6 +1086,38 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
1023
1086
  };
1024
1087
  }
1025
1088
 
1089
+ declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
1090
+ {
1091
+ auth0Domain: z.ZodString;
1092
+ audience: z.ZodOptional<z.ZodString>;
1093
+ clientId: z.ZodString;
1094
+ clientSecret: z.ZodString;
1095
+ scope: z.ZodOptional<z.ZodString>;
1096
+ gateway: z.ZodOptional<
1097
+ z.ZodObject<
1098
+ {
1099
+ accessTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
1100
+ refreshTokenTtlSeconds: z.ZodOptional<z.ZodNumber>;
1101
+ cimdEnabled: z.ZodOptional<z.ZodBoolean>;
1102
+ },
1103
+ z.core.$strict
1104
+ >
1105
+ >;
1106
+ idJag: z.ZodOptional<z.ZodUnknown>;
1107
+ browserLoginOverrides: z.ZodOptional<
1108
+ z.ZodObject<
1109
+ {
1110
+ remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
1111
+ stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
1112
+ sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
1113
+ },
1114
+ z.core.$strict
1115
+ >
1116
+ >;
1117
+ },
1118
+ z.core.$strict
1119
+ >;
1120
+
1026
1121
  /**
1027
1122
  * Curate MCP capabilities advertised and reachable through `McpProxyHandler`.
1028
1123
  *
@@ -1734,6 +1829,69 @@ export declare interface McpOAuthInboundPolicyOptions {
1734
1829
  */
1735
1830
  cimdEnabled?: boolean;
1736
1831
  };
1832
+ /**
1833
+ * Optional Identity Assertion JWT Authorization Grant (ID-JAG / XAA) support for the gateway token endpoint.
1834
+ */
1835
+ idJag?:
1836
+ | {
1837
+ /**
1838
+ * Disable ID-JAG support.
1839
+ */
1840
+ enabled: false;
1841
+ }
1842
+ | {
1843
+ /**
1844
+ * Enable ID-JAG support.
1845
+ */
1846
+ enabled: true;
1847
+ /**
1848
+ * Trusted ID-JAG issuers. These values are never published in OAuth metadata.
1849
+ *
1850
+ * @minItems 1
1851
+ */
1852
+ trustedIssuers: [
1853
+ {
1854
+ /**
1855
+ * Exact issuer URL expected in the ID-JAG iss claim.
1856
+ */
1857
+ issuer: string;
1858
+ /**
1859
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1860
+ */
1861
+ jwksUrl: string;
1862
+ /**
1863
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1864
+ */
1865
+ expectedClientIds?: string[];
1866
+ /**
1867
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1868
+ */
1869
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1870
+ },
1871
+ ...{
1872
+ /**
1873
+ * Exact issuer URL expected in the ID-JAG iss claim.
1874
+ */
1875
+ issuer: string;
1876
+ /**
1877
+ * JWKS URL used to verify ID-JAG signatures from this issuer.
1878
+ */
1879
+ jwksUrl: string;
1880
+ /**
1881
+ * Optional allow-list of client IDs accepted from this issuer. The ID-JAG client_id must still match the authenticated token-endpoint client.
1882
+ */
1883
+ expectedClientIds?: string[];
1884
+ /**
1885
+ * How the ID-JAG subject is mapped into the gateway subject ID.
1886
+ */
1887
+ subjectMapping?: "iss_prefix" | "iss_tenant_prefix" | "sub_id_only";
1888
+ }[],
1889
+ ];
1890
+ /**
1891
+ * Optional allow-list of RFC 9396 authorization_details type values accepted from ID-JAGs.
1892
+ */
1893
+ authorizationDetailsTypesAllowed?: string[];
1894
+ };
1737
1895
  }
1738
1896
 
1739
1897
  declare type McpOAuthRuntimeConfig = z.infer<
@@ -1788,6 +1946,50 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
1788
1946
  }
1789
1947
  >
1790
1948
  >;
1949
+ idJag: z.ZodDefault<
1950
+ z.ZodOptional<
1951
+ z.ZodDefault<
1952
+ z.ZodDiscriminatedUnion<
1953
+ [
1954
+ z.ZodObject<
1955
+ {
1956
+ enabled: z.ZodLiteral<false>;
1957
+ },
1958
+ z.core.$strict
1959
+ >,
1960
+ z.ZodObject<
1961
+ {
1962
+ enabled: z.ZodLiteral<true>;
1963
+ trustedIssuers: z.ZodArray<
1964
+ z.ZodObject<
1965
+ {
1966
+ issuer: z.ZodURL;
1967
+ jwksUrl: z.ZodURL;
1968
+ expectedClientIds: z.ZodOptional<
1969
+ z.ZodArray<z.ZodString>
1970
+ >;
1971
+ subjectMapping: z.ZodDefault<
1972
+ z.ZodEnum<{
1973
+ iss_prefix: "iss_prefix";
1974
+ iss_tenant_prefix: "iss_tenant_prefix";
1975
+ sub_id_only: "sub_id_only";
1976
+ }>
1977
+ >;
1978
+ },
1979
+ z.core.$strict
1980
+ >
1981
+ >;
1982
+ authorizationDetailsTypesAllowed: z.ZodOptional<
1983
+ z.ZodArray<z.ZodString>
1984
+ >;
1985
+ },
1986
+ z.core.$strict
1987
+ >,
1988
+ ]
1989
+ >
1990
+ >
1991
+ >
1992
+ >;
1791
1993
  },
1792
1994
  z.core.$strict
1793
1995
  >;
@@ -3212,45 +3414,206 @@ declare const upstreamTokenExchangePolicyOptionsSchema: z.ZodObject<
3212
3414
  authMode: z.ZodEnum<{
3213
3415
  "user-oauth": "user-oauth";
3214
3416
  "shared-oauth": "shared-oauth";
3417
+ "id-jag": "id-jag";
3215
3418
  }>;
3216
3419
  ownerMode: z.ZodEnum<{
3217
3420
  user: "user";
3218
3421
  shared: "shared";
3219
3422
  }>;
3220
- authConfig: z.ZodObject<
3221
- {
3222
- scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3223
- scopeDelimiter: z.ZodDefault<z.ZodString>;
3224
- clientRegistration: z.ZodDefault<
3225
- z.ZodDiscriminatedUnion<
3226
- [
3227
- z.ZodObject<
3228
- {
3229
- mode: z.ZodLiteral<"auto">;
3230
- },
3231
- z.core.$strict
3232
- >,
3233
- z.ZodObject<
3234
- {
3235
- mode: z.ZodLiteral<"manual">;
3236
- clientId: z.ZodString;
3237
- clientSecret: z.ZodOptional<z.ZodString>;
3238
- tokenEndpointAuthMethod: z.ZodDefault<
3239
- z.ZodEnum<{
3240
- none: "none";
3241
- client_secret_basic: "client_secret_basic";
3242
- client_secret_post: "client_secret_post";
3243
- }>
3244
- >;
3245
- },
3246
- z.core.$strict
3247
- >,
3248
- ]
3249
- >
3250
- >;
3251
- redirectPath: z.ZodString;
3252
- },
3253
- z.core.$strict
3423
+ authConfig: z.ZodDiscriminatedUnion<
3424
+ [
3425
+ z.ZodObject<
3426
+ {
3427
+ mode: z.ZodLiteral<"shared-oauth">;
3428
+ oauth: z.ZodObject<
3429
+ {
3430
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3431
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3432
+ clientRegistration: z.ZodDefault<
3433
+ z.ZodDiscriminatedUnion<
3434
+ [
3435
+ z.ZodObject<
3436
+ {
3437
+ mode: z.ZodLiteral<"auto">;
3438
+ },
3439
+ z.core.$strict
3440
+ >,
3441
+ z.ZodObject<
3442
+ {
3443
+ mode: z.ZodLiteral<"manual">;
3444
+ clientId: z.ZodString;
3445
+ clientSecret: z.ZodOptional<z.ZodString>;
3446
+ tokenEndpointAuthMethod: z.ZodDefault<
3447
+ z.ZodEnum<{
3448
+ none: "none";
3449
+ client_secret_basic: "client_secret_basic";
3450
+ client_secret_post: "client_secret_post";
3451
+ }>
3452
+ >;
3453
+ },
3454
+ z.core.$strict
3455
+ >,
3456
+ ]
3457
+ >
3458
+ >;
3459
+ redirectPath: z.ZodString;
3460
+ },
3461
+ z.core.$strict
3462
+ >;
3463
+ },
3464
+ z.core.$strict
3465
+ >,
3466
+ z.ZodObject<
3467
+ {
3468
+ mode: z.ZodLiteral<"user-oauth">;
3469
+ oauth: z.ZodObject<
3470
+ {
3471
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3472
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3473
+ clientRegistration: z.ZodDefault<
3474
+ z.ZodDiscriminatedUnion<
3475
+ [
3476
+ z.ZodObject<
3477
+ {
3478
+ mode: z.ZodLiteral<"auto">;
3479
+ },
3480
+ z.core.$strict
3481
+ >,
3482
+ z.ZodObject<
3483
+ {
3484
+ mode: z.ZodLiteral<"manual">;
3485
+ clientId: z.ZodString;
3486
+ clientSecret: z.ZodOptional<z.ZodString>;
3487
+ tokenEndpointAuthMethod: z.ZodDefault<
3488
+ z.ZodEnum<{
3489
+ none: "none";
3490
+ client_secret_basic: "client_secret_basic";
3491
+ client_secret_post: "client_secret_post";
3492
+ }>
3493
+ >;
3494
+ },
3495
+ z.core.$strict
3496
+ >,
3497
+ ]
3498
+ >
3499
+ >;
3500
+ redirectPath: z.ZodString;
3501
+ },
3502
+ z.core.$strict
3503
+ >;
3504
+ },
3505
+ z.core.$strict
3506
+ >,
3507
+ z.ZodObject<
3508
+ {
3509
+ mode: z.ZodLiteral<"id-jag">;
3510
+ idJag: z.ZodObject<
3511
+ {
3512
+ scopes: z.ZodDefault<z.ZodArray<z.ZodString>>;
3513
+ scopeDelimiter: z.ZodDefault<z.ZodString>;
3514
+ idp: z.ZodObject<
3515
+ {
3516
+ tokenUrl: z.ZodURL;
3517
+ clientAuth: z.ZodDiscriminatedUnion<
3518
+ [
3519
+ z.ZodObject<
3520
+ {
3521
+ method: z.ZodLiteral<"client_secret_post">;
3522
+ clientId: z.ZodString;
3523
+ clientSecret: z.ZodString;
3524
+ },
3525
+ z.core.$strict
3526
+ >,
3527
+ z.ZodObject<
3528
+ {
3529
+ method: z.ZodLiteral<"client_secret_basic">;
3530
+ clientId: z.ZodString;
3531
+ clientSecret: z.ZodString;
3532
+ },
3533
+ z.core.$strict
3534
+ >,
3535
+ z.ZodObject<
3536
+ {
3537
+ method: z.ZodLiteral<"private_key_jwt">;
3538
+ clientId: z.ZodString;
3539
+ privateKeyPem: z.ZodString;
3540
+ algorithm: z.ZodDefault<
3541
+ z.ZodEnum<{
3542
+ RS256: "RS256";
3543
+ RS384: "RS384";
3544
+ RS512: "RS512";
3545
+ ES256: "ES256";
3546
+ ES384: "ES384";
3547
+ ES512: "ES512";
3548
+ }>
3549
+ >;
3550
+ keyId: z.ZodOptional<z.ZodString>;
3551
+ audience: z.ZodOptional<z.ZodURL>;
3552
+ expiresInSeconds: z.ZodDefault<z.ZodNumber>;
3553
+ },
3554
+ z.core.$strict
3555
+ >,
3556
+ ]
3557
+ >;
3558
+ },
3559
+ z.core.$strict
3560
+ >;
3561
+ resourceAs: z.ZodObject<
3562
+ {
3563
+ tokenUrl: z.ZodURL;
3564
+ audience: z.ZodString;
3565
+ resource: z.ZodOptional<z.ZodString>;
3566
+ clientAuth: z.ZodDiscriminatedUnion<
3567
+ [
3568
+ z.ZodObject<
3569
+ {
3570
+ method: z.ZodLiteral<"client_secret_post">;
3571
+ clientId: z.ZodString;
3572
+ clientSecret: z.ZodString;
3573
+ },
3574
+ z.core.$strict
3575
+ >,
3576
+ z.ZodObject<
3577
+ {
3578
+ method: z.ZodLiteral<"client_secret_basic">;
3579
+ clientId: z.ZodString;
3580
+ clientSecret: z.ZodString;
3581
+ },
3582
+ z.core.$strict
3583
+ >,
3584
+ z.ZodObject<
3585
+ {
3586
+ method: z.ZodLiteral<"private_key_jwt">;
3587
+ clientId: z.ZodString;
3588
+ privateKeyPem: z.ZodString;
3589
+ algorithm: z.ZodDefault<
3590
+ z.ZodEnum<{
3591
+ RS256: "RS256";
3592
+ RS384: "RS384";
3593
+ RS512: "RS512";
3594
+ ES256: "ES256";
3595
+ ES384: "ES384";
3596
+ ES512: "ES512";
3597
+ }>
3598
+ >;
3599
+ keyId: z.ZodOptional<z.ZodString>;
3600
+ audience: z.ZodOptional<z.ZodURL>;
3601
+ expiresInSeconds: z.ZodDefault<z.ZodNumber>;
3602
+ },
3603
+ z.core.$strict
3604
+ >,
3605
+ ]
3606
+ >;
3607
+ },
3608
+ z.core.$strict
3609
+ >;
3610
+ },
3611
+ z.core.$strict
3612
+ >;
3613
+ },
3614
+ z.core.$strict
3615
+ >,
3616
+ ]
3254
3617
  >;
3255
3618
  },
3256
3619
  z.core.$strict
@@ -3263,6 +3626,10 @@ declare interface UrlConfig {
3263
3626
 
3264
3627
  declare type UserDataDefault = any;
3265
3628
 
3629
+ declare type ValidatedAuth0OAuthOptions = z.infer<
3630
+ typeof mcpAuth0OAuthOptionsSchema
3631
+ >;
3632
+
3266
3633
  declare type ValidatedOptions = z.infer<
3267
3634
  typeof mcpCapabilityFilterOptionsSchema
3268
3635
  >;
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@zuplo/runtime",
3
3
  "type": "module",
4
- "version": "6.70.63",
4
+ "version": "6.70.67",
5
5
  "repository": "https://github.com/zuplo/zuplo",
6
6
  "author": "Zuplo, Inc.",
7
7
  "exports": {