@zuplo/runtime 6.71.3 → 6.71.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -6205,6 +6205,10 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
6205
6205
  remoteTimeoutMs?: number;
6206
6206
  stateTtlSeconds?: number;
6207
6207
  sessionTtlSeconds?: number;
6208
+ /**
6209
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6210
+ */
6211
+ pkce?: "S256" | "none";
6208
6212
  };
6209
6213
  }
6210
6214
 
@@ -6232,6 +6236,12 @@ declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
6232
6236
  remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
6233
6237
  stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
6234
6238
  sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
6239
+ pkce: z.ZodOptional<
6240
+ z.ZodEnum<{
6241
+ none: "none";
6242
+ S256: "S256";
6243
+ }>
6244
+ >;
6235
6245
  },
6236
6246
  z.core.$strict
6237
6247
  >
@@ -6384,6 +6394,10 @@ export declare interface McpCognitoOAuthInboundPolicyOptions {
6384
6394
  remoteTimeoutMs?: number;
6385
6395
  stateTtlSeconds?: number;
6386
6396
  sessionTtlSeconds?: number;
6397
+ /**
6398
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6399
+ */
6400
+ pkce?: "S256" | "none";
6387
6401
  };
6388
6402
  }
6389
6403
 
@@ -6453,6 +6467,10 @@ export declare interface McpEntraOAuthInboundPolicyOptions {
6453
6467
  remoteTimeoutMs?: number;
6454
6468
  stateTtlSeconds?: number;
6455
6469
  sessionTtlSeconds?: number;
6470
+ /**
6471
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6472
+ */
6473
+ pkce?: "S256" | "none";
6456
6474
  };
6457
6475
  }
6458
6476
 
@@ -6521,6 +6539,10 @@ export declare interface McpGoogleOAuthInboundPolicyOptions {
6521
6539
  remoteTimeoutMs?: number;
6522
6540
  stateTtlSeconds?: number;
6523
6541
  sessionTtlSeconds?: number;
6542
+ /**
6543
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6544
+ */
6545
+ pkce?: "S256" | "none";
6524
6546
  };
6525
6547
  }
6526
6548
 
@@ -6595,6 +6617,10 @@ export declare interface McpKeycloakOAuthInboundPolicyOptions {
6595
6617
  remoteTimeoutMs?: number;
6596
6618
  stateTtlSeconds?: number;
6597
6619
  sessionTtlSeconds?: number;
6620
+ /**
6621
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6622
+ */
6623
+ pkce?: "S256" | "none";
6598
6624
  };
6599
6625
  }
6600
6626
 
@@ -6664,6 +6690,10 @@ export declare interface McpLogtoOAuthInboundPolicyOptions {
6664
6690
  remoteTimeoutMs?: number;
6665
6691
  stateTtlSeconds?: number;
6666
6692
  sessionTtlSeconds?: number;
6693
+ /**
6694
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
6695
+ */
6696
+ pkce?: "S256" | "none";
6667
6697
  };
6668
6698
  }
6669
6699
 
@@ -6743,6 +6773,10 @@ export declare interface McpOAuthInboundPolicyOptions {
6743
6773
  * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
6744
6774
  */
6745
6775
  audience?: string;
6776
+ /**
6777
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow (e.g. OAuth 2.1 IdPs, hardened Okta/Entra tenants). Leave as "none" for IdPs that may reject unexpected PKCE parameters.
6778
+ */
6779
+ pkce?: "S256" | "none";
6746
6780
  /**
6747
6781
  * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
6748
6782
  */
@@ -6860,6 +6894,12 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
6860
6894
  clientSecret: z.ZodOptional<z.ZodString>;
6861
6895
  scope: z.ZodDefault<z.ZodString>;
6862
6896
  audience: z.ZodOptional<z.ZodString>;
6897
+ pkce: z.ZodDefault<
6898
+ z.ZodEnum<{
6899
+ none: "none";
6900
+ S256: "S256";
6901
+ }>
6902
+ >;
6863
6903
  remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
6864
6904
  stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
6865
6905
  sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
@@ -7008,6 +7048,10 @@ export declare interface McpOktaOAuthInboundPolicyOptions {
7008
7048
  remoteTimeoutMs?: number;
7009
7049
  stateTtlSeconds?: number;
7010
7050
  sessionTtlSeconds?: number;
7051
+ /**
7052
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
7053
+ */
7054
+ pkce?: "S256" | "none";
7011
7055
  };
7012
7056
  }
7013
7057
 
@@ -7161,6 +7205,10 @@ export declare interface McpPingOAuthInboundPolicyOptions {
7161
7205
  remoteTimeoutMs?: number;
7162
7206
  stateTtlSeconds?: number;
7163
7207
  sessionTtlSeconds?: number;
7208
+ /**
7209
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
7210
+ */
7211
+ pkce?: "S256" | "none";
7164
7212
  };
7165
7213
  }
7166
7214
 
@@ -7241,6 +7289,10 @@ export declare interface McpWorkosOAuthInboundPolicyOptions {
7241
7289
  remoteTimeoutMs?: number;
7242
7290
  stateTtlSeconds?: number;
7243
7291
  sessionTtlSeconds?: number;
7292
+ /**
7293
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
7294
+ */
7295
+ pkce?: "S256" | "none";
7244
7296
  };
7245
7297
  }
7246
7298
 
@@ -1083,6 +1083,10 @@ export declare interface McpAuth0OAuthInboundPolicyOptions {
1083
1083
  remoteTimeoutMs?: number;
1084
1084
  stateTtlSeconds?: number;
1085
1085
  sessionTtlSeconds?: number;
1086
+ /**
1087
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1088
+ */
1089
+ pkce?: "S256" | "none";
1086
1090
  };
1087
1091
  }
1088
1092
 
@@ -1110,6 +1114,12 @@ declare const mcpAuth0OAuthOptionsSchema: z.ZodObject<
1110
1114
  remoteTimeoutMs: z.ZodOptional<z.ZodNumber>;
1111
1115
  stateTtlSeconds: z.ZodOptional<z.ZodNumber>;
1112
1116
  sessionTtlSeconds: z.ZodOptional<z.ZodNumber>;
1117
+ pkce: z.ZodOptional<
1118
+ z.ZodEnum<{
1119
+ none: "none";
1120
+ S256: "S256";
1121
+ }>
1122
+ >;
1113
1123
  },
1114
1124
  z.core.$strict
1115
1125
  >
@@ -1387,6 +1397,10 @@ export declare interface McpCognitoOAuthInboundPolicyOptions {
1387
1397
  remoteTimeoutMs?: number;
1388
1398
  stateTtlSeconds?: number;
1389
1399
  sessionTtlSeconds?: number;
1400
+ /**
1401
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1402
+ */
1403
+ pkce?: "S256" | "none";
1390
1404
  };
1391
1405
  }
1392
1406
 
@@ -1456,6 +1470,10 @@ export declare interface McpEntraOAuthInboundPolicyOptions {
1456
1470
  remoteTimeoutMs?: number;
1457
1471
  stateTtlSeconds?: number;
1458
1472
  sessionTtlSeconds?: number;
1473
+ /**
1474
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1475
+ */
1476
+ pkce?: "S256" | "none";
1459
1477
  };
1460
1478
  }
1461
1479
 
@@ -1579,6 +1597,10 @@ export declare interface McpGoogleOAuthInboundPolicyOptions {
1579
1597
  remoteTimeoutMs?: number;
1580
1598
  stateTtlSeconds?: number;
1581
1599
  sessionTtlSeconds?: number;
1600
+ /**
1601
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1602
+ */
1603
+ pkce?: "S256" | "none";
1582
1604
  };
1583
1605
  }
1584
1606
 
@@ -1653,6 +1675,10 @@ export declare interface McpKeycloakOAuthInboundPolicyOptions {
1653
1675
  remoteTimeoutMs?: number;
1654
1676
  stateTtlSeconds?: number;
1655
1677
  sessionTtlSeconds?: number;
1678
+ /**
1679
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1680
+ */
1681
+ pkce?: "S256" | "none";
1656
1682
  };
1657
1683
  }
1658
1684
 
@@ -1722,6 +1748,10 @@ export declare interface McpLogtoOAuthInboundPolicyOptions {
1722
1748
  remoteTimeoutMs?: number;
1723
1749
  stateTtlSeconds?: number;
1724
1750
  sessionTtlSeconds?: number;
1751
+ /**
1752
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
1753
+ */
1754
+ pkce?: "S256" | "none";
1725
1755
  };
1726
1756
  }
1727
1757
 
@@ -1801,6 +1831,10 @@ export declare interface McpOAuthInboundPolicyOptions {
1801
1831
  * Optional audience parameter for the IdP authorization request (Auth0-style API audiences).
1802
1832
  */
1803
1833
  audience?: string;
1834
+ /**
1835
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow (e.g. OAuth 2.1 IdPs, hardened Okta/Entra tenants). Leave as "none" for IdPs that may reject unexpected PKCE parameters.
1836
+ */
1837
+ pkce?: "S256" | "none";
1804
1838
  /**
1805
1839
  * Timeout for outbound calls to the IdP (token exchange, JWKS fetch).
1806
1840
  */
@@ -1918,6 +1952,12 @@ declare const mcpOAuthRuntimeConfigSchema: z.ZodObject<
1918
1952
  clientSecret: z.ZodOptional<z.ZodString>;
1919
1953
  scope: z.ZodDefault<z.ZodString>;
1920
1954
  audience: z.ZodOptional<z.ZodString>;
1955
+ pkce: z.ZodDefault<
1956
+ z.ZodEnum<{
1957
+ none: "none";
1958
+ S256: "S256";
1959
+ }>
1960
+ >;
1921
1961
  remoteTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
1922
1962
  stateTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
1923
1963
  sessionTtlSeconds: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
@@ -2066,6 +2106,10 @@ export declare interface McpOktaOAuthInboundPolicyOptions {
2066
2106
  remoteTimeoutMs?: number;
2067
2107
  stateTtlSeconds?: number;
2068
2108
  sessionTtlSeconds?: number;
2109
+ /**
2110
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
2111
+ */
2112
+ pkce?: "S256" | "none";
2069
2113
  };
2070
2114
  }
2071
2115
 
@@ -2219,6 +2263,10 @@ export declare interface McpPingOAuthInboundPolicyOptions {
2219
2263
  remoteTimeoutMs?: number;
2220
2264
  stateTtlSeconds?: number;
2221
2265
  sessionTtlSeconds?: number;
2266
+ /**
2267
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
2268
+ */
2269
+ pkce?: "S256" | "none";
2222
2270
  };
2223
2271
  }
2224
2272
 
@@ -2365,6 +2413,10 @@ export declare interface McpWorkosOAuthInboundPolicyOptions {
2365
2413
  remoteTimeoutMs?: number;
2366
2414
  stateTtlSeconds?: number;
2367
2415
  sessionTtlSeconds?: number;
2416
+ /**
2417
+ * Whether to send S256 PKCE on the federated browser-login authorization request and replay the verifier at the token exchange. Defaults to "none". Set to "S256" when the identity provider mandates PKCE on the authorization-code flow.
2418
+ */
2419
+ pkce?: "S256" | "none";
2368
2420
  };
2369
2421
  }
2370
2422
 
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@zuplo/runtime",
3
3
  "type": "module",
4
- "version": "6.71.3",
4
+ "version": "6.71.7",
5
5
  "repository": "https://github.com/zuplo/zuplo",
6
6
  "author": "Zuplo, Inc.",
7
7
  "exports": {