chore: use zod v4 methods for types and auth

Author: dclark27

src/client/v3/index.v3.test.ts

@@ -3,6 +3,7 @@
 /* eslint-disable @typescript-eslint/no-unused-expressions */
 import { Client } from '../index.js';
 import * as z from 'zod/v3';
+import { AnyObjectSchema } from '../../server/zod-compat.js';
 import {
     RequestSchema,
     NotificationSchema,
@@ -601,39 +602,48 @@ test('should allow setRequestHandler for declared elicitation capability', () =>
  * Test that custom request/notification/result schemas can be used with the Client class.
  */
 test('should typecheck', () => {
-    const GetWeatherRequestSchema = RequestSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const GetWeatherRequestSchema = (RequestSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/get'),
         params: z.object({
             city: z.string()
         })
-    });
+    }) as AnyObjectSchema;
 
-    const GetForecastRequestSchema = RequestSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const GetForecastRequestSchema = (RequestSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/forecast'),
         params: z.object({
             city: z.string(),
             days: z.number()
         })
-    });
+    }) as AnyObjectSchema;
 
-    const WeatherForecastNotificationSchema = NotificationSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherForecastNotificationSchema = (NotificationSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/alert'),
         params: z.object({
             severity: z.enum(['warning', 'watch']),
             message: z.string()
         })
-    });
-
-    const WeatherRequestSchema = GetWeatherRequestSchema.or(GetForecastRequestSchema);
-    const WeatherNotificationSchema = WeatherForecastNotificationSchema;
-    const WeatherResultSchema = ResultSchema.extend({
+    }) as AnyObjectSchema;
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherRequestSchema = (GetWeatherRequestSchema as unknown as z.ZodObject<any>).or(
+        GetForecastRequestSchema as unknown as z.ZodObject<any>
+    ) as AnyObjectSchema;
+    const WeatherNotificationSchema = WeatherForecastNotificationSchema as AnyObjectSchema;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherResultSchema = (ResultSchema as unknown as z.ZodObject<any>).extend({
         temperature: z.number(),
         conditions: z.string()
-    });
+    }) as AnyObjectSchema;
 
-    type WeatherRequest = z.infer<typeof WeatherRequestSchema>;
-    type WeatherNotification = z.infer<typeof WeatherNotificationSchema>;
-    type WeatherResult = z.infer<typeof WeatherResultSchema>;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    type InferSchema<T> = T extends z.ZodType<infer Output, any, any> ? Output : never;
+    type WeatherRequest = InferSchema<typeof WeatherRequestSchema>;
+    type WeatherNotification = InferSchema<typeof WeatherNotificationSchema>;
+    type WeatherResult = InferSchema<typeof WeatherResultSchema>;
 
     // Create a typed Client for weather data
     const weatherClient = new Client<WeatherRequest, WeatherNotification, WeatherResult>(

src/server/v3/index.v3.test.ts

@@ -19,6 +19,7 @@ import {
     SUPPORTED_PROTOCOL_VERSIONS
 } from '../../types.js';
 import { Server } from '../index.js';
+import { AnyObjectSchema } from '../zod-compat.js';
 
 test('should accept latest protocol version', async () => {
     let sendPromiseResolve: (value: unknown) => void;
@@ -632,39 +633,48 @@ test('should only allow setRequestHandler for declared capabilities', () => {
   Test that custom request/notification/result schemas can be used with the Server class.
   */
 test('should typecheck', () => {
-    const GetWeatherRequestSchema = RequestSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const GetWeatherRequestSchema = (RequestSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/get'),
         params: z.object({
             city: z.string()
         })
-    });
+    }) as AnyObjectSchema;
 
-    const GetForecastRequestSchema = RequestSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const GetForecastRequestSchema = (RequestSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/forecast'),
         params: z.object({
             city: z.string(),
             days: z.number()
         })
-    });
+    }) as AnyObjectSchema;
 
-    const WeatherForecastNotificationSchema = NotificationSchema.extend({
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherForecastNotificationSchema = (NotificationSchema as unknown as z.ZodObject<any>).extend({
         method: z.literal('weather/alert'),
         params: z.object({
             severity: z.enum(['warning', 'watch']),
             message: z.string()
         })
-    });
-
-    const WeatherRequestSchema = GetWeatherRequestSchema.or(GetForecastRequestSchema);
-    const WeatherNotificationSchema = WeatherForecastNotificationSchema;
-    const WeatherResultSchema = ResultSchema.extend({
+    }) as AnyObjectSchema;
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherRequestSchema = (GetWeatherRequestSchema as unknown as z.ZodObject<any>).or(
+        GetForecastRequestSchema as unknown as z.ZodObject<any>
+    ) as AnyObjectSchema;
+    const WeatherNotificationSchema = WeatherForecastNotificationSchema as AnyObjectSchema;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const WeatherResultSchema = (ResultSchema as unknown as z.ZodObject<any>).extend({
         temperature: z.number(),
         conditions: z.string()
-    });
+    }) as AnyObjectSchema;
 
-    type WeatherRequest = z.infer<typeof WeatherRequestSchema>;
-    type WeatherNotification = z.infer<typeof WeatherNotificationSchema>;
-    type WeatherResult = z.infer<typeof WeatherResultSchema>;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    type InferSchema<T> = T extends z.ZodType<infer Output, any, any> ? Output : never;
+    type WeatherRequest = InferSchema<typeof WeatherRequestSchema>;
+    type WeatherNotification = InferSchema<typeof WeatherNotificationSchema>;
+    type WeatherResult = InferSchema<typeof WeatherResultSchema>;
 
     // Create a typed Server for weather data
     const weatherServer = new Server<WeatherRequest, WeatherNotification, WeatherResult>(
@@ -691,7 +701,9 @@ test('should typecheck', () => {
     });
 
     weatherServer.setNotificationHandler(WeatherForecastNotificationSchema, notification => {
-        console.log(`Weather alert: ${notification.params.message}`);
+        // Type assertion needed for v3/v4 schema mixing
+        const params = notification.params as { message: string; severity: 'warning' | 'watch' };
+        console.log(`Weather alert: ${params.message}`);
     });
 });
 

src/shared/auth.ts

@@ -28,105 +28,100 @@ export const SafeUrlSchema = z
 /**
  * RFC 9728 OAuth Protected Resource Metadata
  */
-export const OAuthProtectedResourceMetadataSchema = z
-    .object({
-        resource: z.string().url(),
-        authorization_servers: z.array(SafeUrlSchema).optional(),
-        jwks_uri: z.string().url().optional(),
-        scopes_supported: z.array(z.string()).optional(),
-        bearer_methods_supported: z.array(z.string()).optional(),
-        resource_signing_alg_values_supported: z.array(z.string()).optional(),
-        resource_name: z.string().optional(),
-        resource_documentation: z.string().optional(),
-        resource_policy_uri: z.string().url().optional(),
-        resource_tos_uri: z.string().url().optional(),
-        tls_client_certificate_bound_access_tokens: z.boolean().optional(),
-        authorization_details_types_supported: z.array(z.string()).optional(),
-        dpop_signing_alg_values_supported: z.array(z.string()).optional(),
-        dpop_bound_access_tokens_required: z.boolean().optional()
-    })
-    .passthrough();
+export const OAuthProtectedResourceMetadataSchema = z.looseObject({
+    resource: z.string().url(),
+    authorization_servers: z.array(SafeUrlSchema).optional(),
+    jwks_uri: z.string().url().optional(),
+    scopes_supported: z.array(z.string()).optional(),
+    bearer_methods_supported: z.array(z.string()).optional(),
+    resource_signing_alg_values_supported: z.array(z.string()).optional(),
+    resource_name: z.string().optional(),
+    resource_documentation: z.string().optional(),
+    resource_policy_uri: z.string().url().optional(),
+    resource_tos_uri: z.string().url().optional(),
+    tls_client_certificate_bound_access_tokens: z.boolean().optional(),
+    authorization_details_types_supported: z.array(z.string()).optional(),
+    dpop_signing_alg_values_supported: z.array(z.string()).optional(),
+    dpop_bound_access_tokens_required: z.boolean().optional()
+});
 
 /**
  * RFC 8414 OAuth 2.0 Authorization Server Metadata
  */
-export const OAuthMetadataSchema = z
-    .object({
-        issuer: z.string(),
-        authorization_endpoint: SafeUrlSchema,
-        token_endpoint: SafeUrlSchema,
-        registration_endpoint: SafeUrlSchema.optional(),
-        scopes_supported: z.array(z.string()).optional(),
-        response_types_supported: z.array(z.string()),
-        response_modes_supported: z.array(z.string()).optional(),
-        grant_types_supported: z.array(z.string()).optional(),
-        token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-        token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-        service_documentation: SafeUrlSchema.optional(),
-        revocation_endpoint: SafeUrlSchema.optional(),
-        revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-        revocation_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-        introspection_endpoint: z.string().optional(),
-        introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-        introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-        code_challenge_methods_supported: z.array(z.string()).optional()
-    })
-    .passthrough();
+export const OAuthMetadataSchema = z.looseObject({
+    issuer: z.string(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
+    scopes_supported: z.array(z.string()).optional(),
+    response_types_supported: z.array(z.string()),
+    response_modes_supported: z.array(z.string()).optional(),
+    grant_types_supported: z.array(z.string()).optional(),
+    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+    token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
+    service_documentation: SafeUrlSchema.optional(),
+    revocation_endpoint: SafeUrlSchema.optional(),
+    revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+    revocation_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
+    introspection_endpoint: z.string().optional(),
+    introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+    introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
+    code_challenge_methods_supported: z.array(z.string()).optional()
+});
 
 /**
  * OpenID Connect Discovery 1.0 Provider Metadata
  * see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
  */
-export const OpenIdProviderMetadataSchema = z
-    .object({
-        issuer: z.string(),
-        authorization_endpoint: SafeUrlSchema,
-        token_endpoint: SafeUrlSchema,
-        userinfo_endpoint: SafeUrlSchema.optional(),
-        jwks_uri: SafeUrlSchema,
-        registration_endpoint: SafeUrlSchema.optional(),
-        scopes_supported: z.array(z.string()).optional(),
-        response_types_supported: z.array(z.string()),
-        response_modes_supported: z.array(z.string()).optional(),
-        grant_types_supported: z.array(z.string()).optional(),
-        acr_values_supported: z.array(z.string()).optional(),
-        subject_types_supported: z.array(z.string()),
-        id_token_signing_alg_values_supported: z.array(z.string()),
-        id_token_encryption_alg_values_supported: z.array(z.string()).optional(),
-        id_token_encryption_enc_values_supported: z.array(z.string()).optional(),
-        userinfo_signing_alg_values_supported: z.array(z.string()).optional(),
-        userinfo_encryption_alg_values_supported: z.array(z.string()).optional(),
-        userinfo_encryption_enc_values_supported: z.array(z.string()).optional(),
-        request_object_signing_alg_values_supported: z.array(z.string()).optional(),
-        request_object_encryption_alg_values_supported: z.array(z.string()).optional(),
-        request_object_encryption_enc_values_supported: z.array(z.string()).optional(),
-        token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
-        token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-        display_values_supported: z.array(z.string()).optional(),
-        claim_types_supported: z.array(z.string()).optional(),
-        claims_supported: z.array(z.string()).optional(),
-        service_documentation: z.string().optional(),
-        claims_locales_supported: z.array(z.string()).optional(),
-        ui_locales_supported: z.array(z.string()).optional(),
-        claims_parameter_supported: z.boolean().optional(),
-        request_parameter_supported: z.boolean().optional(),
-        request_uri_parameter_supported: z.boolean().optional(),
-        require_request_uri_registration: z.boolean().optional(),
-        op_policy_uri: SafeUrlSchema.optional(),
-        op_tos_uri: SafeUrlSchema.optional()
-    })
-    .passthrough();
+export const OpenIdProviderMetadataSchema = z.looseObject({
+    issuer: z.string(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    userinfo_endpoint: SafeUrlSchema.optional(),
+    jwks_uri: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
+    scopes_supported: z.array(z.string()).optional(),
+    response_types_supported: z.array(z.string()),
+    response_modes_supported: z.array(z.string()).optional(),
+    grant_types_supported: z.array(z.string()).optional(),
+    acr_values_supported: z.array(z.string()).optional(),
+    subject_types_supported: z.array(z.string()),
+    id_token_signing_alg_values_supported: z.array(z.string()),
+    id_token_encryption_alg_values_supported: z.array(z.string()).optional(),
+    id_token_encryption_enc_values_supported: z.array(z.string()).optional(),
+    userinfo_signing_alg_values_supported: z.array(z.string()).optional(),
+    userinfo_encryption_alg_values_supported: z.array(z.string()).optional(),
+    userinfo_encryption_enc_values_supported: z.array(z.string()).optional(),
+    request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+    request_object_encryption_alg_values_supported: z.array(z.string()).optional(),
+    request_object_encryption_enc_values_supported: z.array(z.string()).optional(),
+    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+    token_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
+    display_values_supported: z.array(z.string()).optional(),
+    claim_types_supported: z.array(z.string()).optional(),
+    claims_supported: z.array(z.string()).optional(),
+    service_documentation: z.string().optional(),
+    claims_locales_supported: z.array(z.string()).optional(),
+    ui_locales_supported: z.array(z.string()).optional(),
+    claims_parameter_supported: z.boolean().optional(),
+    request_parameter_supported: z.boolean().optional(),
+    request_uri_parameter_supported: z.boolean().optional(),
+    require_request_uri_registration: z.boolean().optional(),
+    op_policy_uri: SafeUrlSchema.optional(),
+    op_tos_uri: SafeUrlSchema.optional()
+});
 
 /**
  * OpenID Connect Discovery metadata that may include OAuth 2.0 fields
  * This schema represents the real-world scenario where OIDC providers
  * return a mix of OpenID Connect and OAuth 2.0 metadata fields
  */
-export const OpenIdProviderDiscoveryMetadataSchema = OpenIdProviderMetadataSchema.merge(
-    OAuthMetadataSchema.pick({
+export const OpenIdProviderDiscoveryMetadataSchema = z.object({
+    ...OpenIdProviderMetadataSchema.shape,
+    ...OAuthMetadataSchema.pick({
         code_challenge_methods_supported: true
-    })
-);
+    }).shape
+});
 
 /**
  * OAuth 2.1 token response