refactor: apply automated zod v3 to v4 migrations

Automated transformations applied via zod-v3-to-v4:
- String validators: z.string().url() → z.url()
- Number validators: z.number().int() → z.int()
- Object methods: .passthrough() → z.looseObject(), .strict() → z.strictObject()
- Schema composition: .merge() → .extend() where applicable
- Error messages: { message } → { error }
- Defaults: .default() → .prefault()
- Object stripping: .strip() removed/consolidated

Author: felixweinberger

src/examples/server/simpleSseServer.ts

@@ -28,8 +28,8 @@ const getServer = () => {
         'start-notification-stream',
         'Starts sending periodic notifications',
         {
-            interval: z.number().describe('Interval in milliseconds between notifications').default(1000),
-            count: z.number().describe('Number of notifications to send').default(10)
+            interval: z.number().describe('Interval in milliseconds between notifications').prefault(1000),
+            count: z.number().describe('Number of notifications to send').prefault(10)
         },
         async ({ interval, count }, extra): Promise<CallToolResult> => {
             const sleep = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));

src/examples/server/simpleStatelessStreamableHttp.ts

@@ -42,8 +42,8 @@ const getServer = () => {
         'start-notification-stream',
         'Starts sending periodic notifications for testing resumability',
         {
-            interval: z.number().describe('Interval in milliseconds between notifications').default(100),
-            count: z.number().describe('Number of notifications to send (0 for 100)').default(10)
+            interval: z.number().describe('Interval in milliseconds between notifications').prefault(100),
+            count: z.number().describe('Number of notifications to send (0 for 100)').prefault(10)
         },
         async ({ interval, count }, extra): Promise<CallToolResult> => {
             const sleep = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));

src/examples/server/simpleStreamableHttp.ts

@@ -291,8 +291,8 @@ const getServer = () => {
         'start-notification-stream',
         'Starts sending periodic notifications for testing resumability',
         {
-            interval: z.number().describe('Interval in milliseconds between notifications').default(100),
-            count: z.number().describe('Number of notifications to send (0 for 100)').default(50)
+            interval: z.number().describe('Interval in milliseconds between notifications').prefault(100),
+            count: z.number().describe('Number of notifications to send (0 for 100)').prefault(50)
         },
         async ({ interval, count }, extra): Promise<CallToolResult> => {
             const sleep = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));

src/examples/server/sseAndStreamableHttpCompatibleServer.ts

@@ -33,8 +33,8 @@ const getServer = () => {
         'start-notification-stream',
         'Starts sending periodic notifications for testing resumability',
         {
-            interval: z.number().describe('Interval in milliseconds between notifications').default(100),
-            count: z.number().describe('Number of notifications to send (0 for 100)').default(50)
+            interval: z.number().describe('Interval in milliseconds between notifications').prefault(100),
+            count: z.number().describe('Number of notifications to send (0 for 100)').prefault(50)
         },
         async ({ interval, count }, extra): Promise<CallToolResult> => {
             const sleep = (ms: number) => new Promise(resolve => setTimeout(resolve, ms));

src/integration-tests/stateManagementStreamableHttp.test.ts

@@ -56,7 +56,7 @@ describe('Streamable HTTP Transport Session Management', () => {
             'greet',
             'A simple greeting tool',
             {
-                name: z.string().describe('Name to greet').default('World')
+                name: z.string().describe('Name to greet').prefault('World')
             },
             async ({ name }) => {
                 return {

src/integration-tests/taskResumability.test.ts

@@ -28,7 +28,7 @@ describe('Transport resumability', () => {
             'send-notification',
             'Sends a single notification',
             {
-                message: z.string().describe('Message to send').default('Test notification')
+                message: z.string().describe('Message to send').prefault('Test notification')
             },
             async ({ message }, { sendNotification }) => {
                 // Send notification immediately
@@ -51,8 +51,8 @@ describe('Transport resumability', () => {
             'run-notifications',
             'Sends multiple notifications over time',
             {
-                count: z.number().describe('Number of notifications to send').default(10),
-                interval: z.number().describe('Interval between notifications in ms').default(50)
+                count: z.number().describe('Number of notifications to send').prefault(10),
+                interval: z.number().describe('Interval between notifications in ms').prefault(50)
             },
             async ({ count, interval }, { sendNotification }) => {
                 // Send notifications at specified intervals

src/server/auth/handlers/authorize.ts

@@ -21,7 +21,9 @@ const ClientAuthorizationParamsSchema = z.object({
     redirect_uri: z
         .string()
         .optional()
-        .refine(value => value === undefined || URL.canParse(value), { message: 'redirect_uri must be a valid URL' })
+        .refine(value => value === undefined || URL.canParse(value), {
+            error: 'redirect_uri must be a valid URL'
+        })
 });
 
 // Parameters that must be validated for a successful authorization request. Failure can be reported to the redirect URI.
@@ -31,7 +33,7 @@ const RequestAuthorizationParamsSchema = z.object({
     code_challenge_method: z.literal('S256'),
     scope: z.string().optional(),
     state: z.string().optional(),
-    resource: z.string().url().optional()
+    resource: z.url().optional()
 });
 
 export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: AuthorizationHandlerOptions): RequestHandler {

src/server/auth/handlers/token.ts

@@ -32,13 +32,13 @@ const AuthorizationCodeGrantSchema = z.object({
     code: z.string(),
     code_verifier: z.string(),
     redirect_uri: z.string().optional(),
-    resource: z.string().url().optional()
+    resource: z.url().optional()
 });
 
 const RefreshTokenGrantSchema = z.object({
     refresh_token: z.string(),
     scope: z.string().optional(),
-    resource: z.string().url().optional()
+    resource: z.url().optional()
 });
 
 export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHandlerOptions): RequestHandler {

src/shared/auth.ts

@@ -3,13 +3,11 @@ import { z } from 'zod';
 /**
  * Reusable URL validation that disallows javascript: scheme
  */
-export const SafeUrlSchema = z
-    .string()
-    .url()
+export const SafeUrlSchema = z.url()
     .superRefine((val, ctx) => {
         if (!URL.canParse(val)) {
             ctx.addIssue({
-                code: z.ZodIssueCode.custom,
+                code: "custom",
                 message: 'URL must be parseable',
                 fatal: true
             });
@@ -22,36 +20,35 @@ export const SafeUrlSchema = z
             const u = new URL(url);
             return u.protocol !== 'javascript:' && u.protocol !== 'data:' && u.protocol !== 'vbscript:';
         },
-        { message: 'URL cannot use javascript:, data:, or vbscript: scheme' }
+        {
+            error: 'URL cannot use javascript:, data:, or vbscript: scheme'
+        }
     );
 
 /**
  * RFC 9728 OAuth Protected Resource Metadata
  */
-export const OAuthProtectedResourceMetadataSchema = z
-    .object({
-        resource: z.string().url(),
+export const OAuthProtectedResourceMetadataSchema = z.looseObject({
+        resource: z.url(),
         authorization_servers: z.array(SafeUrlSchema).optional(),
-        jwks_uri: z.string().url().optional(),
+        jwks_uri: z.url().optional(),
         scopes_supported: z.array(z.string()).optional(),
         bearer_methods_supported: z.array(z.string()).optional(),
         resource_signing_alg_values_supported: z.array(z.string()).optional(),
         resource_name: z.string().optional(),
         resource_documentation: z.string().optional(),
-        resource_policy_uri: z.string().url().optional(),
-        resource_tos_uri: z.string().url().optional(),
+        resource_policy_uri: z.url().optional(),
+        resource_tos_uri: z.url().optional(),
         tls_client_certificate_bound_access_tokens: z.boolean().optional(),
         authorization_details_types_supported: z.array(z.string()).optional(),
         dpop_signing_alg_values_supported: z.array(z.string()).optional(),
         dpop_bound_access_tokens_required: z.boolean().optional()
-    })
-    .passthrough();
+    });
 
 /**
  * RFC 8414 OAuth 2.0 Authorization Server Metadata
  */
-export const OAuthMetadataSchema = z
-    .object({
+export const OAuthMetadataSchema = z.looseObject({
         issuer: z.string(),
         authorization_endpoint: SafeUrlSchema,
         token_endpoint: SafeUrlSchema,
@@ -70,15 +67,13 @@ export const OAuthMetadataSchema = z
         introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),
         introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
         code_challenge_methods_supported: z.array(z.string()).optional()
-    })
-    .passthrough();
+    });
 
 /**
  * OpenID Connect Discovery 1.0 Provider Metadata
  * see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
  */
-export const OpenIdProviderMetadataSchema = z
-    .object({
+export const OpenIdProviderMetadataSchema = z.looseObject({
         issuer: z.string(),
         authorization_endpoint: SafeUrlSchema,
         token_endpoint: SafeUrlSchema,
@@ -114,8 +109,7 @@ export const OpenIdProviderMetadataSchema = z
         require_request_uri_registration: z.boolean().optional(),
         op_policy_uri: SafeUrlSchema.optional(),
         op_tos_uri: SafeUrlSchema.optional()
-    })
-    .passthrough();
+    });
 
 /**
  * OpenID Connect Discovery metadata that may include OAuth 2.0 fields
@@ -131,16 +125,14 @@ export const OpenIdProviderDiscoveryMetadataSchema = OpenIdProviderMetadataSchem
 /**
  * OAuth 2.1 token response
  */
-export const OAuthTokensSchema = z
-    .object({
+export const OAuthTokensSchema = z.object({
         access_token: z.string(),
         id_token: z.string().optional(), // Optional for OAuth 2.1, but necessary in OpenID Connect
         token_type: z.string(),
         expires_in: z.number().optional(),
         scope: z.string().optional(),
         refresh_token: z.string().optional()
-    })
-    .strip();
+    });
 
 /**
  * OAuth 2.1 error response
@@ -159,8 +151,7 @@ export const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z.literal('').t
 /**
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
-export const OAuthClientMetadataSchema = z
-    .object({
+export const OAuthClientMetadataSchema = z.object({
         redirect_uris: z.array(SafeUrlSchema),
         token_endpoint_auth_method: z.string().optional(),
         grant_types: z.array(z.string()).optional(),
@@ -177,20 +168,17 @@ export const OAuthClientMetadataSchema = z
         software_id: z.string().optional(),
         software_version: z.string().optional(),
         software_statement: z.string().optional()
-    })
-    .strip();
+    });
 
 /**
  * RFC 7591 OAuth 2.0 Dynamic Client Registration client information
  */
-export const OAuthClientInformationSchema = z
-    .object({
+export const OAuthClientInformationSchema = z.object({
         client_id: z.string(),
         client_secret: z.string().optional(),
         client_id_issued_at: z.number().optional(),
         client_secret_expires_at: z.number().optional()
-    })
-    .strip();
+    });
 
 /**
  * RFC 7591 OAuth 2.0 Dynamic Client Registration full response (client information plus metadata)
@@ -200,22 +188,18 @@ export const OAuthClientInformationFullSchema = OAuthClientMetadataSchema.merge(
 /**
  * RFC 7591 OAuth 2.0 Dynamic Client Registration error response
  */
-export const OAuthClientRegistrationErrorSchema = z
-    .object({
+export const OAuthClientRegistrationErrorSchema = z.object({
         error: z.string(),
         error_description: z.string().optional()
-    })
-    .strip();
+    });
 
 /**
  * RFC 7009 OAuth 2.0 Token Revocation request
  */
-export const OAuthTokenRevocationRequestSchema = z
-    .object({
+export const OAuthTokenRevocationRequestSchema = z.object({
         token: z.string(),
         token_type_hint: z.string().optional()
-    })
-    .strip();
+    });
 
 export type OAuthMetadata = z.infer<typeof OAuthMetadataSchema>;
 export type OpenIdProviderMetadata = z.infer<typeof OpenIdProviderMetadataSchema>;