@juspay/neurolink 9.31.1 → 9.32.0

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## [9.32.0](https://github.com/juspay/neurolink/compare/v9.31.2...v9.32.0) (2026-03-25)
+
+### Features
+
+- **(auth):** add authentication providers system with 12 providers, middleware, RBAC, and session management ([97dabd9](https://github.com/juspay/neurolink/commit/97dabd9f58b3506d13faa626359b5c9e0b1cadd9))
+
+## [9.31.2](https://github.com/juspay/neurolink/compare/v9.31.1...v9.31.2) (2026-03-25)
+
+### Bug Fixes
+
+- **(proxy):** skip launchd guard when launched by launchd itself ([183996d](https://github.com/juspay/neurolink/commit/183996d40e6c718d87f1a0d3ccfc6107328cd728))
+
 ## [9.31.1](https://github.com/juspay/neurolink/compare/v9.31.0...v9.31.1) (2026-03-25)
 
 ### Bug Fixes

package/dist/auth/AuthProviderFactory.d.ts

@@ -0,0 +1,71 @@
+/**
+ * AuthProviderFactory - Static factory for authentication providers
+ *
+ * Matches the ProviderFactory pattern: all-static class, no BaseFactory
+ * extension, no singleton instance. Providers are registered by
+ * AuthProviderRegistry using dynamic imports to avoid circular dependencies.
+ */
+import type { AuthProviderConfig, AuthProviderMetadata, MastraAuthProvider } from "../types/authTypes.js";
+type AuthProviderConstructor = (config: AuthProviderConfig) => Promise<MastraAuthProvider>;
+/**
+ * AuthProviderFactory - Creates authentication provider instances
+ *
+ * Pure static factory with no hardcoded imports. All providers are
+ * registered dynamically by AuthProviderRegistry to avoid circular
+ * dependencies and enable lazy loading.
+ *
+ * @example
+ * ```typescript
+ * // Create a provider (after AuthProviderRegistry.registerAllProviders())
+ * const provider = await AuthProviderFactory.createProvider("auth0", {
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ * });
+ * ```
+ */
+export declare class AuthProviderFactory {
+    private static readonly providers;
+    private static readonly aliasMap;
+    /**
+     * Register a provider with the factory
+     */
+    static registerProvider(type: string, factory: AuthProviderConstructor, aliases?: string[], metadata?: AuthProviderMetadata): void;
+    /**
+     * Create a provider instance
+     */
+    static createProvider(typeOrAlias: string, config: AuthProviderConfig): Promise<MastraAuthProvider>;
+    /**
+     * Check if a provider is registered
+     */
+    static hasProvider(typeOrAlias: string): boolean;
+    /**
+     * Get list of available provider types (excludes aliases)
+     */
+    static getAvailableProviders(): string[];
+    /**
+     * Get provider metadata
+     */
+    static getProviderMetadata(typeOrAlias: string): AuthProviderMetadata | undefined;
+    /**
+     * Get all registered providers with their metadata
+     */
+    static getAllProviderInfo(): Array<{
+        type: string;
+        aliases: string[];
+        metadata?: AuthProviderMetadata;
+    }>;
+    /**
+     * Clear all registrations (for testing)
+     */
+    static clearRegistrations(): void;
+    /**
+     * Resolve an alias to its canonical provider type
+     */
+    private static resolveType;
+}
+/**
+ * Create an auth provider using the factory
+ */
+export declare function createAuthProvider(type: string, config: AuthProviderConfig): Promise<MastraAuthProvider>;
+export {};

package/dist/auth/AuthProviderFactory.js

@@ -0,0 +1,111 @@
+/**
+ * AuthProviderFactory - Static factory for authentication providers
+ *
+ * Matches the ProviderFactory pattern: all-static class, no BaseFactory
+ * extension, no singleton instance. Providers are registered by
+ * AuthProviderRegistry using dynamic imports to avoid circular dependencies.
+ */
+import { logger } from "../utils/logger.js";
+import { AuthError } from "./errors.js";
+// =============================================================================
+// FACTORY IMPLEMENTATION
+// =============================================================================
+/**
+ * AuthProviderFactory - Creates authentication provider instances
+ *
+ * Pure static factory with no hardcoded imports. All providers are
+ * registered dynamically by AuthProviderRegistry to avoid circular
+ * dependencies and enable lazy loading.
+ *
+ * @example
+ * ```typescript
+ * // Create a provider (after AuthProviderRegistry.registerAllProviders())
+ * const provider = await AuthProviderFactory.createProvider("auth0", {
+ *   type: "auth0",
+ *   domain: "your-tenant.auth0.com",
+ *   clientId: "your-client-id",
+ * });
+ * ```
+ */
+export class AuthProviderFactory {
+    static providers = new Map();
+    static aliasMap = new Map();
+    /**
+     * Register a provider with the factory
+     */
+    static registerProvider(type, factory, aliases = [], metadata) {
+        AuthProviderFactory.providers.set(type, { factory, aliases, metadata });
+        for (const alias of aliases) {
+            AuthProviderFactory.aliasMap.set(alias.toLowerCase(), type);
+        }
+        logger.debug(`Registered auth provider: ${type}`);
+    }
+    /**
+     * Create a provider instance
+     */
+    static async createProvider(typeOrAlias, config) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        const registration = AuthProviderFactory.providers.get(resolvedType);
+        if (!registration) {
+            throw AuthError.create("PROVIDER_NOT_FOUND", `Auth provider not found: ${typeOrAlias}. Available: ${AuthProviderFactory.getAvailableProviders().join(", ")}`);
+        }
+        try {
+            return await registration.factory(config);
+        }
+        catch (error) {
+            throw AuthError.create("CREATION_FAILED", `Failed to create auth provider ${typeOrAlias}: ${error instanceof Error ? error.message : String(error)}`, { cause: error instanceof Error ? error : undefined });
+        }
+    }
+    /**
+     * Check if a provider is registered
+     */
+    static hasProvider(typeOrAlias) {
+        return (AuthProviderFactory.providers.has(typeOrAlias) ||
+            AuthProviderFactory.aliasMap.has(typeOrAlias.toLowerCase()));
+    }
+    /**
+     * Get list of available provider types (excludes aliases)
+     */
+    static getAvailableProviders() {
+        return Array.from(AuthProviderFactory.providers.keys());
+    }
+    /**
+     * Get provider metadata
+     */
+    static getProviderMetadata(typeOrAlias) {
+        const resolvedType = AuthProviderFactory.resolveType(typeOrAlias);
+        return AuthProviderFactory.providers.get(resolvedType)?.metadata;
+    }
+    /**
+     * Get all registered providers with their metadata
+     */
+    static getAllProviderInfo() {
+        return Array.from(AuthProviderFactory.providers.entries()).map(([type, reg]) => ({
+            type,
+            aliases: reg.aliases,
+            metadata: reg.metadata,
+        }));
+    }
+    /**
+     * Clear all registrations (for testing)
+     */
+    static clearRegistrations() {
+        AuthProviderFactory.providers.clear();
+        AuthProviderFactory.aliasMap.clear();
+    }
+    /**
+     * Resolve an alias to its canonical provider type
+     */
+    static resolveType(typeOrAlias) {
+        return (AuthProviderFactory.aliasMap.get(typeOrAlias.toLowerCase()) || typeOrAlias);
+    }
+}
+// =============================================================================
+// CONVENIENCE EXPORTS
+// =============================================================================
+/**
+ * Create an auth provider using the factory
+ */
+export async function createAuthProvider(type, config) {
+    return AuthProviderFactory.createProvider(type, config);
+}

package/dist/auth/AuthProviderRegistry.d.ts

@@ -0,0 +1,33 @@
+/**
+ * AuthProviderRegistry - Static one-shot registry for authentication providers
+ *
+ * Matches the ProviderRegistry pattern: static class with a single
+ * `registerAllProviders()` entry point that registers all 11 auth
+ * providers with AuthProviderFactory using dynamic imports.
+ */
+/**
+ * AuthProviderRegistry - registers all auth providers with the factory
+ *
+ * Call `AuthProviderRegistry.registerAllProviders()` once during
+ * application startup. The method is idempotent and concurrency-safe.
+ */
+export declare class AuthProviderRegistry {
+    private static registered;
+    private static registrationPromise;
+    /**
+     * Register all auth providers with the factory
+     */
+    static registerAllProviders(): Promise<void>;
+    /**
+     * Internal registration implementation
+     */
+    private static _doRegister;
+    /**
+     * Check if providers are registered
+     */
+    static isRegistered(): boolean;
+    /**
+     * Clear registrations (for testing)
+     */
+    static clearRegistrations(): void;
+}

package/dist/auth/AuthProviderRegistry.js

@@ -0,0 +1,190 @@
+/**
+ * AuthProviderRegistry - Static one-shot registry for authentication providers
+ *
+ * Matches the ProviderRegistry pattern: static class with a single
+ * `registerAllProviders()` entry point that registers all 11 auth
+ * providers with AuthProviderFactory using dynamic imports.
+ */
+import { logger } from "../utils/logger.js";
+import { AuthProviderFactory } from "./AuthProviderFactory.js";
+/**
+ * Narrow `AuthProviderConfig` to a specific provider variant.
+ *
+ * Each factory lambda calls this to assert the config is the expected
+ * variant — safe because the factory is only ever invoked with a config
+ * whose `type` matches the registered provider key.
+ */
+function narrowConfig(config) {
+    return config;
+}
+/**
+ * AuthProviderRegistry - registers all auth providers with the factory
+ *
+ * Call `AuthProviderRegistry.registerAllProviders()` once during
+ * application startup. The method is idempotent and concurrency-safe.
+ */
+export class AuthProviderRegistry {
+    static registered = false;
+    static registrationPromise = null;
+    /**
+     * Register all auth providers with the factory
+     */
+    static async registerAllProviders() {
+        if (AuthProviderRegistry.registered) {
+            return;
+        }
+        if (AuthProviderRegistry.registrationPromise) {
+            return AuthProviderRegistry.registrationPromise;
+        }
+        AuthProviderRegistry.registrationPromise =
+            AuthProviderRegistry._doRegister();
+        try {
+            await AuthProviderRegistry.registrationPromise;
+            AuthProviderRegistry.registered = true;
+        }
+        catch (error) {
+            AuthProviderRegistry.registrationPromise = null;
+            throw error;
+        }
+    }
+    /**
+     * Internal registration implementation
+     */
+    static async _doRegister() {
+        // Auth0 Provider
+        AuthProviderFactory.registerProvider("auth0", async (config) => {
+            const { Auth0Provider } = await import("./providers/auth0.js");
+            return new Auth0Provider(narrowConfig(config));
+        }, ["auth0-jwt", "auth0-oauth"], {
+            type: "auth0",
+            name: "Auth0",
+            description: "Auth0 identity platform integration",
+            documentation: "https://auth0.com/docs",
+            aliases: ["auth0-jwt", "auth0-oauth"],
+        });
+        // Clerk Provider
+        AuthProviderFactory.registerProvider("clerk", async (config) => {
+            const { ClerkProvider } = await import("./providers/clerk.js");
+            return new ClerkProvider(narrowConfig(config));
+        }, ["clerk-jwt"], {
+            type: "clerk",
+            name: "Clerk",
+            description: "Clerk authentication platform integration",
+            documentation: "https://clerk.com/docs",
+            aliases: ["clerk-jwt"],
+        });
+        // Firebase Provider
+        AuthProviderFactory.registerProvider("firebase", async (config) => {
+            const { FirebaseAuthProvider } = await import("./providers/firebase.js");
+            return new FirebaseAuthProvider(narrowConfig(config));
+        }, ["firebase-auth", "google-firebase"], {
+            type: "firebase",
+            name: "Firebase",
+            description: "Firebase Authentication integration",
+            documentation: "https://firebase.google.com/docs/auth",
+            aliases: ["firebase-auth", "google-firebase"],
+        });
+        // Supabase Provider
+        AuthProviderFactory.registerProvider("supabase", async (config) => {
+            const { SupabaseAuthProvider } = await import("./providers/supabase.js");
+            return new SupabaseAuthProvider(narrowConfig(config));
+        }, ["supabase-auth"], {
+            type: "supabase",
+            name: "Supabase",
+            description: "Supabase Auth integration",
+            documentation: "https://supabase.com/docs/guides/auth",
+            aliases: ["supabase-auth"],
+        });
+        // AWS Cognito Provider
+        AuthProviderFactory.registerProvider("cognito", async (config) => {
+            const { CognitoProvider } = await import("./providers/CognitoProvider.js");
+            return new CognitoProvider(config);
+        }, ["aws-cognito", "amazon-cognito"], {
+            type: "cognito",
+            name: "AWS Cognito",
+            description: "Amazon Cognito User Pools integration",
+            documentation: "https://docs.aws.amazon.com/cognito",
+            aliases: ["aws-cognito", "amazon-cognito"],
+        });
+        // Keycloak Provider
+        AuthProviderFactory.registerProvider("keycloak", async (config) => {
+            const { KeycloakProvider } = await import("./providers/KeycloakProvider.js");
+            return new KeycloakProvider(config);
+        }, ["keycloak-oidc"], {
+            type: "keycloak",
+            name: "Keycloak",
+            description: "Keycloak OpenID Connect integration",
+            documentation: "https://www.keycloak.org/documentation",
+            aliases: ["keycloak-oidc"],
+        });
+        // Better Auth Provider
+        AuthProviderFactory.registerProvider("better-auth", async (config) => {
+            const { BetterAuthProvider } = await import("./providers/betterAuth.js");
+            return new BetterAuthProvider(narrowConfig(config));
+        }, ["betterauth", "better_auth"], {
+            type: "better-auth",
+            name: "Better Auth",
+            description: "Self-hosted open-source authentication solution",
+            documentation: "https://better-auth.com/docs",
+            aliases: ["betterauth", "better_auth"],
+        });
+        // WorkOS Provider
+        AuthProviderFactory.registerProvider("workos", async (config) => {
+            const { WorkOSProvider } = await import("./providers/workos.js");
+            return new WorkOSProvider(narrowConfig(config));
+        }, ["workos-sso", "work-os"], {
+            type: "workos",
+            name: "WorkOS",
+            description: "Enterprise SSO and user management",
+            documentation: "https://workos.com/docs",
+            aliases: ["workos-sso", "work-os"],
+        });
+        // OAuth2 Provider
+        AuthProviderFactory.registerProvider("oauth2", async (config) => {
+            const { OAuth2Provider } = await import("./providers/oauth2.js");
+            return new OAuth2Provider(narrowConfig(config));
+        }, ["oauth", "oidc", "openid-connect"], {
+            type: "oauth2",
+            name: "OAuth2",
+            description: "Generic OAuth2/OIDC provider with JWKS and userinfo support",
+            documentation: "https://oauth.net/2/",
+            aliases: ["oauth", "oidc", "openid-connect"],
+        });
+        // JWT Provider
+        AuthProviderFactory.registerProvider("jwt", async (config) => {
+            const { JWTProvider } = await import("./providers/jwt.js");
+            return new JWTProvider(narrowConfig(config));
+        }, ["jwt-auth", "jwt-token"], {
+            type: "jwt",
+            name: "JWT",
+            description: "Generic JWT token validation with symmetric/asymmetric keys",
+            documentation: "https://jwt.io/",
+            aliases: ["jwt-auth", "jwt-token"],
+        });
+        // Custom Provider
+        AuthProviderFactory.registerProvider("custom", async (config) => {
+            const { CustomAuthProvider } = await import("./providers/custom.js");
+            return new CustomAuthProvider(narrowConfig(config));
+        }, ["custom-auth"], {
+            type: "custom",
+            name: "Custom",
+            description: "Custom authentication with user-provided validation logic",
+            aliases: ["custom-auth"],
+        });
+        logger.debug("All auth providers registered");
+    }
+    /**
+     * Check if providers are registered
+     */
+    static isRegistered() {
+        return AuthProviderRegistry.registered;
+    }
+    /**
+     * Clear registrations (for testing)
+     */
+    static clearRegistrations() {
+        AuthProviderRegistry.registered = false;
+        AuthProviderRegistry.registrationPromise = null;
+        AuthProviderFactory.clearRegistrations();
+    }
+}

package/dist/auth/RequestContext.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Type-safe Map wrapper for request-scoped context.
+ * Flows from auth middleware through generate/stream/tools/memory.
+ * Reserved keys (prefixed neurolink__) cannot be overridden by client code.
+ */
+export declare const NEUROLINK_RESOURCE_ID_KEY = "neurolink__resourceId";
+export declare const NEUROLINK_THREAD_ID_KEY = "neurolink__threadId";
+export declare class RequestContext<T extends Record<string, unknown> = Record<string, unknown>> {
+    private registry;
+    constructor(initial?: Partial<T> | [string, unknown][]);
+    set<K extends string>(key: K, value: unknown): void;
+    get<K extends string>(key: K): unknown;
+    has(key: string): boolean;
+    delete(key: string): boolean;
+    get size(): number;
+    /**
+     * Merge client-provided values, but SKIP reserved keys that are already set.
+     * This prevents clients from overriding auth middleware values.
+     */
+    mergeClientContext(clientContext: Record<string, unknown>): void;
+    toJSON(): Record<string, unknown>;
+    private isSerializable;
+}

package/dist/auth/RequestContext.js

@@ -0,0 +1,78 @@
+// src/lib/auth/RequestContext.ts
+/**
+ * Type-safe Map wrapper for request-scoped context.
+ * Flows from auth middleware through generate/stream/tools/memory.
+ * Reserved keys (prefixed neurolink__) cannot be overridden by client code.
+ */
+export const NEUROLINK_RESOURCE_ID_KEY = "neurolink__resourceId";
+export const NEUROLINK_THREAD_ID_KEY = "neurolink__threadId";
+const RESERVED_PREFIX = "neurolink__";
+export class RequestContext {
+    registry = new Map();
+    constructor(initial) {
+        if (Array.isArray(initial)) {
+            for (const [key, value] of initial) {
+                this.registry.set(key, value);
+            }
+        }
+        else if (initial) {
+            for (const [key, value] of Object.entries(initial)) {
+                this.registry.set(key, value);
+            }
+        }
+    }
+    set(key, value) {
+        this.registry.set(key, value);
+    }
+    get(key) {
+        return this.registry.get(key);
+    }
+    has(key) {
+        return this.registry.has(key);
+    }
+    delete(key) {
+        return this.registry.delete(key);
+    }
+    get size() {
+        return this.registry.size;
+    }
+    /**
+     * Merge client-provided values, but SKIP reserved keys that are already set.
+     * This prevents clients from overriding auth middleware values.
+     */
+    mergeClientContext(clientContext) {
+        for (const [key, value] of Object.entries(clientContext)) {
+            if (key.startsWith(RESERVED_PREFIX) && this.registry.has(key)) {
+                continue; // Server-set reserved keys cannot be overridden
+            }
+            if (!this.registry.has(key)) {
+                this.registry.set(key, value);
+            }
+        }
+    }
+    toJSON() {
+        const result = {};
+        for (const [key, value] of this.registry.entries()) {
+            if (this.isSerializable(value)) {
+                result[key] = value;
+            }
+        }
+        return result;
+    }
+    isSerializable(value) {
+        if (value === null || value === undefined) {
+            return true;
+        }
+        const type = typeof value;
+        if (type === "function" || type === "symbol") {
+            return false;
+        }
+        try {
+            JSON.stringify(value);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}