@mastra/auth-cloud 0.0.1 → 1.1.0
- package/CHANGELOG.md +63 -0
- package/LICENSE.md +30 -0
- package/README.md +65 -1
- package/dist/auth-provider.d.ts +198 -0
- package/dist/auth-provider.d.ts.map +1 -0
- package/dist/client.d.ts +110 -0
- package/dist/client.d.ts.map +1 -0
- package/dist/error.d.ts +65 -0
- package/dist/error.d.ts.map +1 -0
- package/dist/index.cjs +855 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.ts +19 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +850 -0
- package/dist/index.js.map +1 -0
- package/dist/oauth/index.d.ts +9 -0
- package/dist/oauth/index.d.ts.map +1 -0
- package/dist/oauth/network.d.ts +20 -0
- package/dist/oauth/network.d.ts.map +1 -0
- package/dist/oauth/oauth.d.ts +68 -0
- package/dist/oauth/oauth.d.ts.map +1 -0
- package/dist/oauth/state.d.ts +47 -0
- package/dist/oauth/state.d.ts.map +1 -0
- package/dist/pkce/cookie.d.ts +42 -0
- package/dist/pkce/cookie.d.ts.map +1 -0
- package/dist/pkce/error.d.ts +31 -0
- package/dist/pkce/error.d.ts.map +1 -0
- package/dist/pkce/index.d.ts +10 -0
- package/dist/pkce/index.d.ts.map +1 -0
- package/dist/pkce/pkce.d.ts +26 -0
- package/dist/pkce/pkce.d.ts.map +1 -0
- package/dist/rbac/index.d.ts +2 -0
- package/dist/rbac/index.d.ts.map +1 -0
- package/dist/rbac/rbac-provider.d.ts +124 -0
- package/dist/rbac/rbac-provider.d.ts.map +1 -0
- package/dist/session/cookie.d.ts +32 -0
- package/dist/session/cookie.d.ts.map +1 -0
- package/dist/session/index.d.ts +9 -0
- package/dist/session/index.d.ts.map +1 -0
- package/dist/session/session.d.ts +56 -0
- package/dist/session/session.d.ts.map +1 -0
- package/dist/types.d.ts +64 -0
- package/dist/types.d.ts.map +1 -0
- package/package.json +54 -3
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/error.ts","../src/oauth/state.ts","../src/oauth/network.ts","../src/pkce/error.ts","../src/pkce/cookie.ts","../src/pkce/pkce.ts","../src/oauth/oauth.ts","../src/session/cookie.ts","../src/session/session.ts","../src/client.ts","../src/auth-provider.ts","../src/rbac/rbac-provider.ts"],"names":[],"mappings":";;;;;AAiCO,IAAM,SAAA,GAAN,MAAM,UAAA,SAAkB,KAAA,CAAM;AAAA,EAC1B,IAAA;AAAA,EACS,KAAA;AAAA,EACT,SAAA;AAAA,EACA,YAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAqB,OAAA,EAAiB,OAAA,EAA4B;AAC5E,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAQ,OAAA,EAAS,KAAA;AACtB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,eAAe,OAAA,EAAS,YAAA;AAE7B,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,YAAA,GAA0B;AAC/B,IAAA,OAAO,IAAI,UAAA,CAAU,eAAA,EAAiB,gDAAgD,CAAA;AAAA,EACxF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,aAAA,GAA2B;AAChC,IAAA,OAAO,IAAI,UAAA,CAAU,gBAAA,EAAkB,6DAA6D,CAAA;AAAA,EACtG;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,WAAA,GAAyB;AAC9B,IAAA,OAAO,IAAI,UAAA,CAAU,cAAA,EAAgB,oDAAoD,CAAA;AAAA,EAC3F;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,oBAAoB,OAAA,EAAuC;AAChE,IAAA,OAAO,IAAI,UAAA,CAAU,uBAAA,EAAyB,mDAAA,EAAqD,OAAO,CAAA;AAAA,EAC5G;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,kBAAA,GAAgC;AACrC,IAAA,OAAO,IAAI,UAAA,CAAU,qBAAA,EAAuB,4BAA4B,CAAA;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,cAAA,GAA4B;AACjC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,yCAAyC,CAAA;AAAA,EACnF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,cAAA,GAA4B;AACjC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,2CAA2C,CAAA;AAAA,EACrF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,aAAa,KAAA,EAA0B;AAC5C,IAAA,OAAO,IAAI,UAAA,CAAU,eAAA,EAAiB,4DAAA,EAA8D,EAAE,OAAO,CAAA;AAAA,EAC/G;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,cAAc,OAAA,EAAuC;AAC1D,IAAA,MAAM,OAAA,GAAU,SAAS,YAAA,IAAgB,8BAAA;AACzC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,OAAA,EAAS,OAAO,CAAA;AAAA,EAC1D;AACF;;;ACpFO,SAAS,WAAA,CAAY,MAAc,QAAA,EAA0B;AAClE,EAAA,MAAM,IAAA,GAAkB,EAAE,IAAA,EAAM,QAAA,EAAS;AACzC,EAAA,MAAM,IAAA,GAAO,IAAA,CAA
K,SAAA,CAAU,IAAI,CAAA;AAChC,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,SAAS,WAAW,CAAA;AAC/C;AASO,SAAS,YAAY,KAAA,EAA0B;AACpD,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAA,CAAO,IAAA,CAAK,KAAA,EAAO,WAAW,EAAE,QAAA,EAAS;AACtD,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAG5B,IAAA,IAAI,OAAO,IAAA,CAAK,IAAA,KAAS,YAAY,OAAO,IAAA,CAAK,aAAa,QAAA,EAAU;AACtE,MAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,IAC3C;AAEA,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,UAAU,YAAA,EAAa;AAAA,EAC/B;AACF;AAaO,SAAS,gBAAA,CAAiB,UAA8B,aAAA,EAA+B;AAE5F,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,QAAA,CAAS,WAAW,GAAG,CAAA,IAAK,CAAC,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AAC1D,IAAA,OAAO,QAAA;AAAA,EACT;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,QAAQ,CAAA;AAC/B,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,aAAa,CAAA;AAGpC,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,MAAA,CAAO,MAAA,EAAQ;AACnC,MAAA,OAAO,QAAA;AAAA,IACT;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AAGA,EAAA,OAAO,GAAA;AACT;;;AC1EA,eAAsB,cAAA,CAAe,KAAa,OAAA,EAAyC;AACzF,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,OAAO,CAAA;AAAA,EACjC,CAAA,CAAA,MAAQ;AAEN,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,OAAO,CAAA;AAAA,IACjC,SAAS,UAAA,EAAY;AAEnB,MAAA,MAAM,SAAA,CAAU,YAAA,CAAa,UAAA,YAAsB,KAAA,GAAQ,aAAa,MAAS,CAAA;AAAA,IACnF;AAAA,EACF;AACF;;;AClBO,IAAM,SAAA,GAAN,MAAM,UAAA,SAAkB,KAAA,CAAM;AAAA,EAC1B,IAAA;AAAA,EACS,KAAA;AAAA,EAElB,WAAA,CAAY,IAAA,EAAqB,OAAA,EAAiB,KAAA,EAAe;AAC/D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAEb,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,eAAA,GAA6B;AAClC,IAAA,OAAO,IAAI,UAAA;AAAA,MACT,kBAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,OAAA,GAAqB;AAC1B,IAAA,OAAO,IAAI,UAAA,CAAU,SAAA,EAAW,mEAAmE,CAAA;AAAA,EACrG;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,QAAQ,KAAA,EAA0B;AACvC,IAAA,OAAO,IAAI,UAAA,CAAU,SAAA,EAAW,+CAAA,EAAiD,KAAK,CAAA;AAAA,EACxF;AACF,CAAA;;;ACvCO,IAAM,gBAAA,GAAmB
,sBAAA;AAmBzB,SAAS,aAAA,CAAc,QAAA,EAAkB,KAAA,EAAe,YAAA,EAA+B;AAC5F,EAAA,MAAM,aAAa,CAAA,GAAI,EAAA;AACvB,EAAA,MAAM,IAAA,GAAuB;AAAA,IAC3B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,UAAA,GAAa;AAAA,GACvC;AAEA,EAAA,MAAM,OAAA,GAAU,kBAAA,CAAmB,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AAEvD,EAAA,IAAI,SAAS,CAAA,EAAG,gBAAgB,CAAA,CAAA,EAAI,OAAO,6CAA6C,UAAU,CAAA,CAAA;AAElG,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAA,IAAU,UAAA;AAAA,EACZ;AAEA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,gBAAgB,YAAA,EAA6C;AAC3E,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,UAAU,eAAA,EAAgB;AAAA,EAClC;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,gBAAgB,UAAU,CAAC,CAAA;AAE1E,EAAA,IAAI,CAAC,KAAA,GAAQ,CAAC,CAAA,EAAG;AACf,IAAA,MAAM,UAAU,eAAA,EAAgB;AAAA,EAClC;AAEA,EAAA,IAAI,IAAA;AACJ,EAAA,IAAI;AACF,IAAA,IAAA,GAAO,KAAK,KAAA,CAAM,kBAAA,CAAmB,KAAA,CAAM,CAAC,CAAC,CAAC,CAAA;AAAA,EAChD,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,SAAA,CAAU,OAAA,CAAQ,CAAA,YAAa,KAAA,GAAQ,IAAI,MAAS,CAAA;AAAA,EAC5D;AAEA,EAAA,IAAI,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAC/B,IAAA,MAAM,UAAU,OAAA,EAAQ;AAAA,EAC1B;AAEA,EAAA,OAAO,IAAA;AACT;AAOO,SAAS,eAAA,GAA0B;AACxC,EAAA,OAAO,GAAG,gBAAgB,CAAA,4CAAA,CAAA;AAC5B;AC1EO,SAAS,oBAAA,GAA+B;AAE7C,EAAA,OAAO,WAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA;AAC7C;AAQO,SAAS,qBAAqB,QAAA,EAA0B;AAC7D,EAAA,OAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,QAAQ,CAAA,CAAE,OAAO,WAAW,CAAA;AACjE;AAMO,SAAS,aAAA,GAAwB;AAEtC,EAAA,OAAO,WAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA;AAC7C;;;ACwBO,SAAS,YAAY,OAAA,EAA0C;AACpE,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,aAAa,QAAA,EAAU,aAAA,EAAe,cAAa,GAAI,OAAA;AAGxF,EAAA,MAAM,WAAW,oBAAA,EAAqB;AACtC,EAAA,MAAM,SAAA,GAAY,qBAAqB,QAAQ,CAAA;AAG/C,EAAA,MAAM,OAAO,aAAA,EAAc;AAG3B,EAAA,MAAM,iBAAA,GAAoB,gBAAA,CAAiB,QAAA,EAAU,aAAa,CAAA;AAGlE,EAAA,MAAM,KAAA,GAAQ,WAAA,CAAY,IAAA,EAAM,iBAAiB,CAAA;AAGjD,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,WAAA,EAAa,YAAY,CAAA;AAC7C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,YAAA,EAAc,SAAS,CAAA;AAC5C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,SAAS,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,E
AAyB,MAAM,CAAA;AACpD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,WAAW,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AAGnC,EAAA,MAAM,eAAA,GAAkB,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AACjE,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,QAAA,EAAU,IAAA,EAAM,eAAe,CAAA;AAEhE,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,IAAI,QAAA,EAAS;AAAA,IAClB,OAAA,EAAS,CAAC,UAAU;AAAA,GACtB;AACF;AAeA,eAAsB,eAAe,OAAA,EAAmD;AACtF,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,aAAa,IAAA,EAAM,KAAA,EAAO,cAAa,GAAI,OAAA;AAG5E,EAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,EAAA,MAAM,SAAA,GAAY,YAAY,KAAK,CAAA;AAGnC,EAAA,IAAI,SAAA,CAAU,IAAA,KAAS,QAAA,CAAS,KAAA,EAAO;AACrC,IAAA,MAAM,UAAU,aAAA,EAAc;AAAA,EAChC;AAGA,EAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,cAAA,CAAA,EAAkB;AAAA,IACrE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,cAAA,EAAgB,kBAAA;AAAA,MAChB,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,MACnB,IAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,QAAA,CAAS;AAAA,KACzB;AAAA,GACF,CAAA;AAGD,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK;AACvC,MAAA,SAAA,GAAY,SAAA,CAAU,IAAA;AACtB,MAAA,YAAA,GAAe,SAAA,CAAU,OAAA;AAAA,IAC3B,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,SAAA,CAAU,mBAAA,CAAoB,EAAE,SAAA,EAAW,cAAc,CAAA;AAAA,EACjE;AAGA,EAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAOlC,EAAA,MAAM,cAAA,GAAiB,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,IACzE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAA;AAAA,MAC1C,cAAA,EAAgB;AAAA;AAClB,GACD,CAAA;AAED,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACtB,IAAA,MAAM,UAAU,kBAAA,EAAmB;AAAA,EACrC;AAGA,EAAA,MAAM,UAAA,GAAc,MAAM,cAAA,CAAe,IAAA,EAAK;AAS9C,EAAA,MAAM,cAAc,eAAA,EAAgB;AAEpC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM;AAAA,MACJ,IAAI,UAAA,CAAW,GAAA;AAAA,MACf,OAAO,UAAA,CAAW,KAAA;AAAA,MAClB,MAAM,UAAA,CAAW,IAAA;AAAA,MACjB,QAAQ,UAAA,CAAW,UAAA;AAAA,MACnB,MAAM,UAAA,CAAW;AAAA,KACnB;AAAA,IACA,aAAa,IAAA,CAAK,YAAA;AAAA,IAClB,UAAU,SAAA,CAAU,QAAA;AAAA,IACpB
,OAAA,EAAS,CAAC,WAAW;AAAA,GACvB;AACF;;;AC1LO,IAAM,mBAAA,GAAsB,sBAAA;AAS5B,SAAS,gBAAA,CAAiB,OAAe,YAAA,EAA+B;AAC7E,EAAA,MAAM,UAAA,GAAa,KAAK,EAAA,GAAK,EAAA;AAE7B,EAAA,IAAI,SAAS,CAAA,EAAG,mBAAmB,CAAA,CAAA,EAAI,KAAK,6CAA6C,UAAU,CAAA,CAAA;AAEnG,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAA,IAAU,UAAA;AAAA,EACZ;AAEA,EAAA,OAAO,MAAA;AACT;AAQO,SAAS,mBAAmB,YAAA,EAA4C;AAC7E,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,mBAAmB,UAAU,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAOO,SAAS,kBAAA,GAA6B;AAC3C,EAAA,OAAO,GAAG,mBAAmB,CAAA,4CAAA,CAAA;AAC/B;;;AChBA,eAAsB,YAAY,OAAA,EAAsD;AACtF,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,KAAA,EAAM,GAAI,OAAA;AAE3C,EAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,IACnE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA;AAAA,MAC9B,cAAA,EAAgB;AAAA;AAClB,GACD,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,UAAU,kBAAA,EAAmB;AAAA,EACrC;AAKA,EAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAalC,EAAA,IAAI,IAAA,CAAK,eAAe,mBAAA,EAAqB;AAC3C,IAAA,OAAO;AAAA,MACL,IAAA,EAAM;AAAA,QACJ,EAAA,EAAI,WAAA;AAAA,QACJ,KAAA,EAAO,MAAA;AAAA,QACP,IAAA,EAAM,MAAA;AAAA,QACN,MAAA,EAAQ;AAAA,OACV;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,KACb;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM;AAAA,MACJ,IAAI,IAAA,CAAK,GAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACf;AAAA,IACA,MAAM,IAAA,CAAK;AAAA,GACb;AACF;AAQA,eAAsB,gBAAgB,OAAA,EAAuD;AAC3F,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,YAAA,EAAa,GAAI,OAAA;AAElD,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,sBAAA,CAAA,EAA0B;AAAA,MAC7E,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,aAAA,EAAe,UAAU,YAAY,CAAA,CAAA;AAAA,QACrC,cAAA,EAAgB;AAAA;AAClB,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,EAC9B,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAQA,eAAsB,eAAe,OAAA,EAAwC;
AAC3E,EAAA,MAAM,EAAE,YAAA,EAAc,YAAA,EAAa,GAAI,OAAA;AAEvC,EAAA,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,qBAAA,CAAA,EAAyB;AAAA,IAC3D,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,YAAY,CAAA;AAAA;AACvC,GACD,CAAA;AAGH;AAUO,SAAS,YAAA,CAAa,YAAA,EAAsB,qBAAA,EAA+B,WAAA,EAA6B;AAC7G,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,cAAA,EAAgB,YAAY,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,0BAAA,EAA4B,qBAAqB,CAAA;AACtE,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,WAAW,CAAA;AACjD,EAAA,OAAO,IAAI,QAAA,EAAS;AACtB;;;ACnGO,IAAM,kBAAN,MAAsB;AAAA,EACV,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,YAAY,OAAA,EAAuE;AACjF,IAAA,OAAO,WAAA,CAAY;AAAA,MACjB,SAAA,EAAW,KAAK,MAAA,CAAO,SAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO,YAAA;AAAA,MAC1B,WAAA,EAAa,KAAK,MAAA,CAAO,WAAA;AAAA,MACzB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO;AAAA,KAC3B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,OAAA,EAAgG;AAC7G,IAAA,OAAO,cAAA,CAAe;AAAA,MACpB,SAAA,EAAW,KAAK,MAAA,CAAO,SAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO,YAAA;AAAA,MAC1B,WAAA,EAAa,KAAK,MAAA,CAAO,WAAA;AAAA,MACzB,GAAG;AAAA,KACJ,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,YAAY,KAAA,EAAwC;AAClD,IAAA,OAAO,WAAA,CAAY,EAAE,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,KAAA,EAAO,CAAA;AAAA,EACxG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,gBAAgB,YAAA,EAAoD;AAClE,IAAA,OAAO,eAAA,CAAgB,EAAE,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,CAAA;AAAA,EACnH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,eAAe,YAAA,EAAqC;AAClD,IAAA,OAAO,cAAA,CAAe,EAAoC,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,CAAA;AAAA,EAClH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAA,CAAa,uBAA+B,WAAA,EAA6B;AACvE,IAAA,OAAO,YAAA,CAAa,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,uBAAuB,WAAW,CAAA;AAAA,EAClF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,iBAAiB,KAAA,EAAuB;AACtC,IAAA,OAAO,gBAAA,CAAiB,OAAO,IAAA,CAAK,MAAA,CAAO,gBAA
gB,OAAA,CAAQ,GAAA,CAAI,aAAa,YAAY,CAAA;AAAA,EAClG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,kBAAA,GAA6B;AAC3B,IAAA,OAAO,kBAAA,EAAmB;AAAA,EAC5B;AACF;AC1FO,IAAM,uBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACU,MAAA;AAAA;AAAA,EAGC,iBAAA,GAAoB,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOrB,yBAAA,GAA2C,IAAA;AAAA,EAEnD,YAAY,OAAA,EAAyC;AACnD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,SAAS,CAAA;AAExC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAChC,WAAW,OAAA,CAAQ,SAAA;AAAA,MACnB,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,MACrB,cAAc,OAAA,CAAQ;AAAA,KACvB,CAAA;AAED,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAAwB,YAAA,EAAmC;AACzD,IAAA,IAAA,CAAK,yBAAA,GAA4B,YAAA;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA2D;AAChG,IAAA,IAAI;AAEF,MAAA,MAAM,UAAA,GAAa,KAAA,IAAS,OAAA,GAAU,OAAA,CAAQ,GAAA,GAAM,OAAA;AACpD,MAAA,MAAM,YAAA,GAAe,UAAA,CAAW,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAGpD,MAAA,MAAM,YAAA,GAAe,mBAAmB,YAAY,CAAA;AAEpD,MAAA,IAAI,YAAA,EAAc;AAEhB,QAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,YAAY,CAAA;AACjE,QAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,MACzB;AAGA,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,KAAK,CAAA;AAC1D,QAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,MACzB;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,cAAc,IAAA,EAA0B;AACtC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAA,GAA8D,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAStE,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,MAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAA,EAAK,CAAC,CAAA;AAChC,MAAA,MAAM,eAAA,GAAkB,MAAM,CAAC,CAAA;AAC/B,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,mBAAmB,eAAe,CAAA;AAAA,QACxD,CAAA,CAAA,MAAQ;AACN,UAAA,
iBAAA,GAAoB,GAAA;AAAA,QACtB;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,WAAW,CAAA;AACvC,IAAA,MAAM,SAAS,WAAA,CAAY,MAAA;AAG3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY;AAAA,MACrC,QAAA,EAAU,iBAAA;AAAA,MACV,aAAA,EAAe;AAAA,KAChB,CAAA;AAGD,IAAA,IAAA,CAAK,gBAAA,GAAmB,MAAA;AAExB,IAAA,OAAO,MAAA,CAAO,GAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAA,GAAwC;AACtC,IAAA,MAAM,OAAA,GAAU,KAAK,gBAAA,EAAkB,OAAA;AACvC,IAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AACxB,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,cAAA,CAAe,IAAA,EAAc,KAAA,EAAmD;AAEpF,IAAA,MAAM,eAAe,IAAA,CAAK,yBAAA;AAC1B,IAAA,IAAA,CAAK,yBAAA,GAA4B,IAAA;AAGjC,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe;AAAA,MAC9C,IAAA;AAAA,MACA,KAAA;AAAA,MACA;AAAA,KACD,CAAA;AAGD,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,OAAO,WAAW,CAAA;AAErE,IAAA,OAAO;AAAA,MACL,MAAM,MAAA,CAAO,IAAA;AAAA;AAAA,MACb,MAAA,EAAQ;AAAA,QACN,aAAa,MAAA,CAAO;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,SAAS,aAAa;AAAA,KAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,YAAA,CAAa,aAAqB,OAAA,EAAkC;AAElE,IAAA,MAAM,YAAA,GAAe,OAAA,GAAU,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA,GAAI,IAAA;AACvE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,YAAA,CAAa,WAAA,EAAa,YAAY,CAAA;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAE9D,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,MAAA,CAAO,gBAAgB,SAAS,CAAA;AAC3D,IAAA
,IAAI,CAAC,SAAS,OAAO,IAAA;AAErB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,MACrC,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS;AAAA,KACvC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,SAAS,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,OAAO,kBAAA,CAAmB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,OAAO,EAAE,YAAA,EAAc,IAAA,CAAK,OAAO,gBAAA,CAAiB,OAAA,CAAQ,EAAE,CAAA,EAAE;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,sBAAA,GAAiD;AAC/C,IAAA,OAAO,EAAE,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,oBAAmB,EAAE;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,eAAe,OAAA,EAA6C;AAChE,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACzD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,YAAY,CAAA;AACjE,MAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,IACzB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQ,OAAA,EAA4C;AACxD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;ACzVO,IAAM,kBAAN,MAA0D;AAAA,EACvD,OAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOR,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,OAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,SAAS,IAAA,EAAoC;AAEjD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAA,CAAQ,IAAA,EAAiB,IAAA,EAAgC;AAC7D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA
,EAcA,MAAM,eAAe,IAAA,EAAoC;AACvD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAEtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AAEA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,IAAA,EAAiB,UAAA,EAAsC;AACzE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,iBAAA,CAAkB,IAAA,EAAiB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAA,CAAiB,IAAA,EAAiB,WAAA,EAAyC;AAC/E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.js","sourcesContent":["/**\n * Auth error types and error class.\n *\n * Provides typed error handling for OAuth flow and session management.\n */\n\n/**\n * Error codes for authentication-related failures.\n */\nexport type AuthErrorCode =\n | 'invalid_state'\n | 'state_mismatch'\n | 'missing_code'\n | 'token_exchange_failed'\n | 'verification_failed'\n | 'session_invalid'\n | 'session_expired'\n | 'network_error'\n | 'cloud_api_error';\n\n/**\n * Options for AuthError constructor.\n */\nexport interface AuthErrorOptions {\n cause?: Error;\n cloudCode?: string;\n cloudMessage?: string;\n}\n\n/**\n * Error class for authentication-related failures.\n * Uses a code discriminator for programmatic error handling.\n */\nexport class AuthError extends Error {\n readonly code: AuthErrorCode;\n override readonly cause?: Error;\n readonly cloudCode?: string;\n readonly cloudMessage?: 
string;\n\n constructor(code: AuthErrorCode, message: string, options?: AuthErrorOptions) {\n super(message);\n this.name = 'AuthError';\n this.code = code;\n this.cause = options?.cause;\n this.cloudCode = options?.cloudCode;\n this.cloudMessage = options?.cloudMessage;\n // Required for instanceof checks in TypeScript\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n /**\n * Factory: OAuth state parameter is invalid or malformed.\n */\n static invalidState(): AuthError {\n return new AuthError('invalid_state', 'OAuth state parameter is invalid or malformed.');\n }\n\n /**\n * Factory: OAuth state parameter does not match expected value.\n */\n static stateMismatch(): AuthError {\n return new AuthError('state_mismatch', 'OAuth state parameter does not match. Possible CSRF attack.');\n }\n\n /**\n * Factory: Authorization code is missing from callback.\n */\n static missingCode(): AuthError {\n return new AuthError('missing_code', 'Authorization code is missing from OAuth callback.');\n }\n\n /**\n * Factory: Token exchange with Cloud API failed.\n */\n static tokenExchangeFailed(options?: AuthErrorOptions): AuthError {\n return new AuthError('token_exchange_failed', 'Failed to exchange authorization code for tokens.', options);\n }\n\n /**\n * Factory: Token verification failed.\n */\n static verificationFailed(): AuthError {\n return new AuthError('verification_failed', 'Token verification failed.');\n }\n\n /**\n * Factory: Session is invalid.\n */\n static sessionInvalid(): AuthError {\n return new AuthError('session_invalid', 'Session is invalid or has been revoked.');\n }\n\n /**\n * Factory: Session has expired.\n */\n static sessionExpired(): AuthError {\n return new AuthError('session_expired', 'Session has expired. 
Please log in again.');\n }\n\n /**\n * Factory: Network error during API call.\n */\n static networkError(cause?: Error): AuthError {\n return new AuthError('network_error', 'Network error occurred while communicating with Cloud API.', { cause });\n }\n\n /**\n * Factory: Cloud API returned an error.\n */\n static cloudApiError(options?: AuthErrorOptions): AuthError {\n const message = options?.cloudMessage ?? 'Cloud API returned an error.';\n return new AuthError('cloud_api_error', message, options);\n }\n}\n","/**\n * OAuth state parameter encoding/decoding.\n *\n * The state parameter carries:\n * - csrf: CSRF token for validation\n * - returnTo: URL to redirect after successful login\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\n\n/**\n * Data encoded in the OAuth state parameter.\n */\nexport interface StateData {\n /** CSRF token for state validation */\n csrf: string;\n /** URL to redirect to after login */\n returnTo: string;\n}\n\n/**\n * Encode state data into a base64url string for OAuth state parameter.\n *\n * @param csrf - CSRF token to include\n * @param returnTo - URL to redirect to after login\n * @returns Base64url encoded state string\n */\nexport function encodeState(csrf: string, returnTo: string): string {\n const data: StateData = { csrf, returnTo };\n const json = JSON.stringify(data);\n return Buffer.from(json).toString('base64url');\n}\n\n/**\n * Decode state parameter back to StateData.\n *\n * @param state - Base64url encoded state string\n * @returns Decoded state data\n * @throws AuthError with code 'invalid_state' if decoding fails\n */\nexport function decodeState(state: string): StateData {\n try {\n const json = Buffer.from(state, 'base64url').toString();\n const data = JSON.parse(json) as StateData;\n\n // Validate required fields exist\n if (typeof data.csrf !== 'string' || typeof data.returnTo !== 'string') {\n throw new Error('Missing required fields');\n 
}\n\n return data;\n } catch {\n throw AuthError.invalidState();\n }\n}\n\n/**\n * Validate and sanitize returnTo URL to prevent open redirect attacks.\n *\n * Safe values:\n * - Relative paths starting with '/' (but not '//')\n * - Absolute URLs with same origin as request\n *\n * @param returnTo - URL from user input (may be undefined)\n * @param requestOrigin - Origin of the current request (e.g., 'https://example.com')\n * @returns Safe redirect URL, defaults to '/' if invalid\n */\nexport function validateReturnTo(returnTo: string | undefined, requestOrigin: string): string {\n // Default to root for empty/undefined values\n if (!returnTo) {\n return '/';\n }\n\n // Relative paths starting with '/' are safe (but not protocol-relative '//')\n if (returnTo.startsWith('/') && !returnTo.startsWith('//')) {\n return returnTo;\n }\n\n // For absolute URLs, validate same origin\n try {\n const parsed = new URL(returnTo);\n const origin = new URL(requestOrigin);\n\n // Same origin check: protocol + host must match\n if (parsed.origin === origin.origin) {\n return returnTo;\n }\n } catch {\n // Invalid URL, fall through to default\n }\n\n // Default to root for invalid or cross-origin URLs\n return '/';\n}\n","/**\n * Network utilities for OAuth flow.\n *\n * Provides fetch wrapper with single retry for transient network errors.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\n\n/**\n * Fetch with single retry on network errors.\n *\n * Retries ONLY on network failures (fetch throws), not HTTP error responses.\n * Caller is responsible for handling HTTP status codes.\n *\n * @param url - URL to fetch\n * @param options - Fetch options\n * @returns Response (may have error status code)\n * @throws AuthError with code 'network_error' if both attempts fail\n */\nexport async function fetchWithRetry(url: string, options: RequestInit): Promise<Response> {\n try {\n return await fetch(url, options);\n } catch 
{\n // Network error - retry once\n try {\n return await fetch(url, options);\n } catch (retryError) {\n // Both attempts failed\n throw AuthError.networkError(retryError instanceof Error ? retryError : undefined);\n }\n }\n}\n","/**\n * PKCE error types and error class.\n *\n * @internal This module is not exported from the main package.\n */\n\n/**\n * Error codes for PKCE-related failures.\n */\nexport type PKCEErrorCode = 'MISSING_VERIFIER' | 'EXPIRED' | 'INVALID';\n\n/**\n * Error class for PKCE-related failures.\n * Uses a code discriminator for programmatic error handling.\n */\nexport class PKCEError extends Error {\n readonly code: PKCEErrorCode;\n override readonly cause?: Error;\n\n constructor(code: PKCEErrorCode, message: string, cause?: Error) {\n super(message);\n this.name = 'PKCEError';\n this.code = code;\n this.cause = cause;\n // Required for instanceof checks in TypeScript\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n /**\n * Factory: PKCE verifier cookie not found.\n */\n static missingVerifier(): PKCEError {\n return new PKCEError(\n 'MISSING_VERIFIER',\n 'PKCE verifier cookie not found. Authorization flow may have expired or was not initiated properly.',\n );\n }\n\n /**\n * Factory: PKCE verifier has expired.\n */\n static expired(): PKCEError {\n return new PKCEError('EXPIRED', 'PKCE verifier has expired. 
Please restart the authorization flow.');\n }\n\n /**\n * Factory: PKCE verifier cookie is malformed.\n */\n static invalid(cause?: Error): PKCEError {\n return new PKCEError('INVALID', 'PKCE verifier cookie is malformed or invalid.', cause);\n }\n}\n","/**\n * PKCE cookie storage utilities.\n * Handles serialization, parsing, and clearing of PKCE verifier cookies.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { PKCEError } from './error';\n\n/**\n * Cookie name for PKCE verifier storage.\n */\nexport const PKCE_COOKIE_NAME = 'mastra_pkce_verifier';\n\n/**\n * Data stored in the PKCE cookie.\n */\nexport interface PKCECookieData {\n verifier: string;\n state: string;\n expiresAt: number; // Unix timestamp in milliseconds\n}\n\n/**\n * Create a Set-Cookie header value for storing PKCE verifier and state.\n *\n * @param verifier - The code verifier for PKCE\n * @param state - The state parameter for CSRF protection\n * @param isProduction - Whether to add Secure flag (required for HTTPS)\n * @returns Set-Cookie header value\n */\nexport function setPKCECookie(verifier: string, state: string, isProduction: boolean): string {\n const ttlSeconds = 5 * 60; // 5 minutes\n const data: PKCECookieData = {\n verifier,\n state,\n expiresAt: Date.now() + ttlSeconds * 1000,\n };\n\n const encoded = encodeURIComponent(JSON.stringify(data));\n\n let cookie = `${PKCE_COOKIE_NAME}=${encoded}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;\n\n if (isProduction) {\n cookie += '; Secure';\n }\n\n return cookie;\n}\n\n/**\n * Parse the PKCE cookie from a Cookie header.\n *\n * @param cookieHeader - The Cookie header value (may be null)\n * @returns Parsed cookie data\n * @throws PKCEError if cookie is missing, expired, or malformed\n */\nexport function parsePKCECookie(cookieHeader: string | null): PKCECookieData {\n if (!cookieHeader) {\n throw PKCEError.missingVerifier();\n }\n\n const match = cookieHeader.match(new 
RegExp(`${PKCE_COOKIE_NAME}=([^;]+)`));\n\n if (!match?.[1]) {\n throw PKCEError.missingVerifier();\n }\n\n let data: PKCECookieData;\n try {\n data = JSON.parse(decodeURIComponent(match[1])) as PKCECookieData;\n } catch (e) {\n throw PKCEError.invalid(e instanceof Error ? e : undefined);\n }\n\n if (data.expiresAt < Date.now()) {\n throw PKCEError.expired();\n }\n\n return data;\n}\n\n/**\n * Create a Set-Cookie header value to clear the PKCE cookie.\n *\n * @returns Set-Cookie header value that expires the cookie\n */\nexport function clearPKCECookie(): string {\n return `${PKCE_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;\n}\n","/**\n * PKCE (Proof Key for Code Exchange) cryptographic utilities.\n * Implements RFC 7636 S256 challenge method.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { randomBytes, createHash } from 'node:crypto';\n\n/**\n * Generate a code verifier for PKCE.\n * Uses 32 random bytes encoded as base64url (43 characters).\n *\n * Per RFC 7636: code_verifier must be 43-128 characters using unreserved characters.\n */\nexport function generateCodeVerifier(): string {\n // 32 bytes -> 43 chars base64url\n return randomBytes(32).toString('base64url');\n}\n\n/**\n * Compute the S256 code challenge from a verifier.\n * challenge = BASE64URL(SHA256(verifier))\n *\n * Per RFC 7636: S256 method uses SHA-256 hash of the verifier.\n */\nexport function computeCodeChallenge(verifier: string): string {\n return createHash('sha256').update(verifier).digest('base64url');\n}\n\n/**\n * Generate a state parameter for CSRF protection.\n * Uses 16 random bytes encoded as base64url (22 characters).\n */\nexport function generateState(): string {\n // 16 bytes -> 22 chars base64url\n return randomBytes(16).toString('base64url');\n}\n","/**\n * OAuth authorization flow functions.\n *\n * Implements login URL generation and callback handling for\n * Mastra Cloud authentication with PKCE.\n *\n * @internal This 
module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\nimport { setPKCECookie, parsePKCECookie, clearPKCECookie } from '../pkce/cookie';\nimport { generateCodeVerifier, computeCodeChallenge, generateState } from '../pkce/pkce';\nimport type { LoginUrlResult, CallbackResult } from '../types';\nimport { fetchWithRetry } from './network';\nimport { encodeState, decodeState, validateReturnTo } from './state';\n\n/**\n * Options for generating login URL.\n */\nexport interface LoginUrlOptions {\n /** Mastra Cloud project ID */\n projectId: string;\n /** Base URL of Mastra Cloud API (e.g., 'https://cloud.mastra.ai') */\n cloudBaseUrl: string;\n /** OAuth callback URL (e.g., 'https://myapp.com/auth/callback') */\n callbackUrl: string;\n /** URL to redirect to after successful login */\n returnTo?: string;\n /** Origin of the current request (e.g., 'https://myapp.com') */\n requestOrigin: string;\n /** Whether running in production (affects cookie Secure flag) */\n isProduction?: boolean;\n}\n\n/**\n * Options for handling OAuth callback.\n */\nexport interface CallbackOptions {\n /** Mastra Cloud project ID */\n projectId: string;\n /** Base URL of Mastra Cloud API */\n cloudBaseUrl: string;\n /** OAuth callback URL (must match what was sent to /auth/oss) */\n redirectUri: string;\n /** Authorization code from OAuth callback */\n code: string;\n /** State parameter from OAuth callback */\n state: string;\n /** Cookie header from request (may be null) */\n cookieHeader: string | null;\n}\n\n/**\n * Generate a login URL for Mastra Cloud OAuth flow.\n *\n * Creates a URL with PKCE challenge and state parameter for CSRF protection.\n * Returns a PKCE cookie that must be set on the response.\n *\n * @param options - Login URL options\n * @returns URL to redirect to and cookies to set\n */\nexport function getLoginUrl(options: LoginUrlOptions): LoginUrlResult {\n const { projectId, cloudBaseUrl, callbackUrl, returnTo, requestOrigin, 
isProduction } = options;\n\n // Generate PKCE verifier and challenge\n const verifier = generateCodeVerifier();\n const challenge = computeCodeChallenge(verifier);\n\n // Generate CSRF token for state\n const csrf = generateState();\n\n // Validate returnTo to prevent open redirect attacks\n const validatedReturnTo = validateReturnTo(returnTo, requestOrigin);\n\n // Encode state with CSRF and returnTo\n const state = encodeState(csrf, validatedReturnTo);\n\n // Build authorization URL\n const url = new URL('/auth/oss', cloudBaseUrl);\n url.searchParams.set('project_id', projectId);\n url.searchParams.set('code_challenge', challenge);\n url.searchParams.set('code_challenge_method', 'S256');\n url.searchParams.set('redirect_uri', callbackUrl);\n url.searchParams.set('state', state);\n\n // Create PKCE cookie (stores verifier and CSRF token)\n const isProductionEnv = isProduction ?? process.env.NODE_ENV === 'production';\n const pkceCookie = setPKCECookie(verifier, csrf, isProductionEnv);\n\n return {\n url: url.toString(),\n cookies: [pkceCookie],\n };\n}\n\n/**\n * Handle OAuth callback from Mastra Cloud.\n *\n * Validates state for CSRF, exchanges code for tokens, and returns user info.\n * Returns a cookie to clear the PKCE state.\n *\n * Note: Session cookie is NOT set here - caller (session module) handles that.\n *\n * @param options - Callback options\n * @returns User info, access token, and redirect URL\n * @throws PKCEError if PKCE cookie is missing or expired\n * @throws AuthError if state validation fails or token exchange fails\n */\nexport async function handleCallback(options: CallbackOptions): Promise<CallbackResult> {\n const { projectId, cloudBaseUrl, redirectUri, code, state, cookieHeader } = options;\n\n // Parse PKCE cookie (throws PKCEError if missing/expired)\n const pkceData = parsePKCECookie(cookieHeader);\n\n // Decode state parameter (throws AuthError if malformed)\n const stateData = decodeState(state);\n\n // Validate CSRF token 
matches\n if (stateData.csrf !== pkceData.state) {\n throw AuthError.stateMismatch();\n }\n\n // Exchange code for tokens\n const response = await fetchWithRetry(`${cloudBaseUrl}/auth/callback`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'X-Project-ID': projectId,\n },\n body: JSON.stringify({\n code,\n redirect_uri: redirectUri,\n code_verifier: pkceData.verifier,\n }),\n });\n\n // Handle error responses\n if (!response.ok) {\n let cloudCode: string | undefined;\n let cloudMessage: string | undefined;\n\n try {\n const errorBody = (await response.json()) as { code?: string; message?: string };\n cloudCode = errorBody.code;\n cloudMessage = errorBody.message;\n } catch {\n // Could not parse error body\n }\n\n throw AuthError.tokenExchangeFailed({ cloudCode, cloudMessage });\n }\n\n // Parse successful response - Cloud returns token only, no user\n const body = (await response.json()) as {\n access_token: string;\n token_type: string;\n expires_in: number;\n };\n\n // Get user info from /auth/verify endpoint\n const verifyResponse = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${body.access_token}`,\n 'X-Project-ID': projectId,\n },\n });\n\n if (!verifyResponse.ok) {\n throw AuthError.verificationFailed();\n }\n\n // Cloud returns: { sub, email, name?, avatar_url?, role }\n const verifyBody = (await verifyResponse.json()) as {\n sub: string;\n email: string;\n name?: string;\n avatar_url?: string;\n role: string;\n };\n\n // Clear PKCE cookie (no longer needed)\n const clearCookie = clearPKCECookie();\n\n return {\n user: {\n id: verifyBody.sub,\n email: verifyBody.email,\n name: verifyBody.name,\n avatar: verifyBody.avatar_url,\n role: verifyBody.role,\n },\n accessToken: body.access_token,\n returnTo: stateData.returnTo,\n cookies: [clearCookie],\n };\n}\n","/**\n * Session cookie utilities.\n * Handles setting, parsing, and clearing of session cookies.\n *\n * 
@internal This module is not exported from the main package.\n */\n\n/**\n * Cookie name for session token storage.\n */\nexport const SESSION_COOKIE_NAME = 'mastra_cloud_session';\n\n/**\n * Create a Set-Cookie header value for storing session token.\n *\n * @param token - The session token\n * @param isProduction - Whether to add Secure flag (required for HTTPS)\n * @returns Set-Cookie header value\n */\nexport function setSessionCookie(token: string, isProduction: boolean): string {\n const ttlSeconds = 24 * 60 * 60; // 24 hours\n\n let cookie = `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;\n\n if (isProduction) {\n cookie += '; Secure';\n }\n\n return cookie;\n}\n\n/**\n * Parse the session token from a Cookie header.\n *\n * @param cookieHeader - The Cookie header value (may be null)\n * @returns Session token or null if not present\n */\nexport function parseSessionCookie(cookieHeader: string | null): string | null {\n if (!cookieHeader) {\n return null;\n }\n\n const match = cookieHeader.match(new RegExp(`${SESSION_COOKIE_NAME}=([^;]+)`));\n return match?.[1] ?? 
null;\n}\n\n/**\n * Create a Set-Cookie header value to clear the session cookie.\n *\n * @returns Set-Cookie header value that expires the cookie\n */\nexport function clearSessionCookie(): string {\n return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;\n}\n","/**\n * Session lifecycle functions.\n * Handles token verification, session validation, and logout.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\nimport { fetchWithRetry } from '../oauth/network';\nimport type { CloudSession, VerifyResponse } from '../types';\n\n/**\n * Options for verifyToken.\n */\nexport interface VerifyTokenOptions {\n projectId: string;\n cloudBaseUrl: string;\n token: string;\n}\n\n/**\n * Options for validateSession and destroySession.\n */\nexport interface SessionOptions {\n projectId: string;\n cloudBaseUrl: string;\n sessionToken: string;\n}\n\n/**\n * Verify an access token with Cloud API.\n *\n * @param options - Verification options\n * @returns User and role information\n * @throws AuthError with code 'verification_failed' if verification fails\n * @throws AuthError with code 'network_error' if network request fails\n */\nexport async function verifyToken(options: VerifyTokenOptions): Promise<VerifyResponse> {\n const { projectId, cloudBaseUrl, token } = options;\n\n const response = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${token}`,\n 'X-Project-ID': projectId,\n },\n });\n\n if (!response.ok) {\n throw AuthError.verificationFailed();\n }\n\n // Cloud returns different shapes for user tokens vs project API tokens:\n // User token: { sub, email, name?, avatar_url?, role }\n // Project API token: { valid: true, role: \"api\", token_type: \"project_api_token\" }\n const body = (await response.json()) as {\n // User token fields\n sub?: string;\n email?: string;\n name?: string;\n avatar_url?: string;\n role: 
string;\n // Project API token fields\n valid?: boolean;\n token_type?: string;\n };\n\n // Project API token - no user info, just role\n if (body.token_type === 'project_api_token') {\n return {\n user: {\n id: 'api-token',\n email: undefined,\n name: undefined,\n avatar: undefined,\n },\n role: body.role,\n };\n }\n\n // User token - full user info\n return {\n user: {\n id: body.sub!,\n email: body.email!,\n name: body.name,\n avatar: body.avatar_url,\n },\n role: body.role,\n };\n}\n\n/**\n * Validate an existing session with Cloud API.\n *\n * @param options - Session options\n * @returns Session data if valid, null otherwise\n */\nexport async function validateSession(options: SessionOptions): Promise<CloudSession | null> {\n const { projectId, cloudBaseUrl, sessionToken } = options;\n\n try {\n const response = await fetchWithRetry(`${cloudBaseUrl}/auth/session/validate`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${sessionToken}`,\n 'X-Project-ID': projectId,\n },\n });\n\n if (!response.ok) {\n return null;\n }\n\n return (await response.json()) as CloudSession;\n } catch {\n // Any error (network, parsing) returns null\n return null;\n }\n}\n\n/**\n * Destroy a session with Cloud API.\n * Note: X-Project-ID not required for this endpoint.\n *\n * @param options - Session options\n */\nexport async function destroySession(options: SessionOptions): Promise<void> {\n const { cloudBaseUrl, sessionToken } = options;\n\n await fetchWithRetry(`${cloudBaseUrl}/auth/session/destroy`, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${sessionToken}`,\n },\n });\n\n // Ignore response - void return per spec\n}\n\n/**\n * Get the logout URL for redirecting users.\n *\n * @param cloudBaseUrl - Cloud API base URL\n * @param postLogoutRedirectUri - URL to redirect to after logout (required)\n * @param idTokenHint - The access token (required by Cloud)\n * @returns Full logout URL with redirect and token 
parameters\n */\nexport function getLogoutUrl(cloudBaseUrl: string, postLogoutRedirectUri: string, idTokenHint: string): string {\n const url = new URL('/auth/logout', cloudBaseUrl);\n url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);\n url.searchParams.set('id_token_hint', idTokenHint);\n return url.toString();\n}\n","/**\n * MastraCloudAuth client class.\n * Facade composing OAuth and session modules into unified API.\n */\n\nimport { getLoginUrl, handleCallback } from './oauth';\nimport {\n verifyToken,\n validateSession,\n destroySession,\n getLogoutUrl,\n setSessionCookie,\n clearSessionCookie,\n} from './session';\nimport type { LoginUrlResult, CallbackResult, VerifyResponse, CloudSession } from './types';\n\n/**\n * Configuration for MastraCloudAuth client.\n */\nexport interface MastraCloudAuthConfig {\n /** Mastra Cloud project ID */\n projectId: string;\n /** Base URL of the Cloud API (e.g., https://cloud.mastra.ai) */\n cloudBaseUrl: string;\n /** OAuth callback URL for your application */\n callbackUrl: string;\n /** Whether running in production (adds Secure flag to cookies) */\n isProduction?: boolean;\n}\n\n/**\n * Mastra Cloud authentication client.\n *\n * Provides unified API for OAuth flow and session management.\n *\n * @example\n * ```typescript\n * const auth = new MastraCloudAuth({\n * cloudBaseUrl: 'https://cloud.mastra.ai',\n * callbackUrl: 'https://myapp.com/auth/callback',\n * });\n *\n * // Start login flow\n * const { url, cookies } = auth.getLoginUrl({\n * requestOrigin: 'https://myapp.com',\n * });\n *\n * // After callback\n * const result = await auth.handleCallback({\n * code: 'auth_code',\n * state: 'state_param',\n * cookieHeader: request.headers.get('cookie'),\n * });\n * ```\n */\nexport class MastraCloudAuth {\n private readonly config: MastraCloudAuthConfig;\n\n constructor(config: MastraCloudAuthConfig) {\n this.config = config;\n }\n\n /**\n * Generate login URL for OAuth authorization.\n *\n * @param 
options - Login options\n * @returns URL to redirect to and cookies to set\n */\n getLoginUrl(options: { returnTo?: string; requestOrigin: string }): LoginUrlResult {\n return getLoginUrl({\n projectId: this.config.projectId,\n cloudBaseUrl: this.config.cloudBaseUrl,\n callbackUrl: this.config.callbackUrl,\n returnTo: options.returnTo,\n requestOrigin: options.requestOrigin,\n isProduction: this.config.isProduction,\n });\n }\n\n /**\n * Handle OAuth callback after authorization.\n *\n * @param options - Callback parameters\n * @returns User info, tokens, and redirect URL\n */\n handleCallback(options: { code: string; state: string; cookieHeader: string | null }): Promise<CallbackResult> {\n return handleCallback({\n projectId: this.config.projectId,\n cloudBaseUrl: this.config.cloudBaseUrl,\n redirectUri: this.config.callbackUrl,\n ...options,\n });\n }\n\n /**\n * Verify an access token.\n *\n * @param token - Access token to verify\n * @returns User and role information\n */\n verifyToken(token: string): Promise<VerifyResponse> {\n return verifyToken({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, token });\n }\n\n /**\n * Validate an existing session.\n *\n * @param sessionToken - Session token to validate\n * @returns Session data if valid, null otherwise\n */\n validateSession(sessionToken: string): Promise<CloudSession | null> {\n return validateSession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });\n }\n\n /**\n * Destroy a session (server-side logout).\n *\n * @param sessionToken - Session token to destroy\n */\n destroySession(sessionToken: string): Promise<void> {\n return destroySession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });\n }\n\n /**\n * Get the logout URL for client-side redirect.\n *\n * @param postLogoutRedirectUri - URL to redirect to after logout\n * @param idTokenHint - The access token\n * @returns Full logout URL 
with redirect and token parameters\n */\n getLogoutUrl(postLogoutRedirectUri: string, idTokenHint: string): string {\n return getLogoutUrl(this.config.cloudBaseUrl, postLogoutRedirectUri, idTokenHint);\n }\n\n /**\n * Create Set-Cookie header value for session token.\n *\n * @param token - Session token to store\n * @returns Set-Cookie header value\n */\n setSessionCookie(token: string): string {\n return setSessionCookie(token, this.config.isProduction ?? process.env.NODE_ENV === 'production');\n }\n\n /**\n * Create Set-Cookie header value to clear session cookie.\n *\n * @returns Set-Cookie header value\n */\n clearSessionCookie(): string {\n return clearSessionCookie();\n }\n}\n","/**\n * MastraCloudAuthProvider - Server integration for Mastra Cloud authentication.\n *\n * Extends MastraAuthProvider and implements ISSOProvider, ISessionProvider,\n * and IUserProvider interfaces to integrate with Mastra server middleware.\n *\n * @packageDocumentation\n */\n\nimport type {\n IUserProvider,\n ISSOProvider,\n ISessionProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { HonoRequest } from 'hono';\n\nimport { MastraCloudAuth } from './client';\nimport { parseSessionCookie } from './session/cookie';\nimport type { CloudUser } from './types';\n\n/**\n * Configuration options for MastraCloudAuthProvider.\n */\nexport interface MastraCloudAuthProviderOptions extends MastraAuthProviderOptions<CloudUser> {\n /** Mastra Cloud project ID */\n projectId: string;\n /** Base URL of Mastra Cloud API (e.g., https://cloud.mastra.ai) */\n cloudBaseUrl: string;\n /** OAuth callback URL for your application */\n callbackUrl: string;\n /** Whether running in production (adds Secure flag to cookies) */\n isProduction?: boolean;\n}\n\n/**\n * Mastra Cloud 
authentication provider for server integration.\n *\n * Wraps the MastraCloudAuth client and implements the required interfaces\n * for Mastra server middleware. Provides SSO login, session management,\n * and user awareness.\n *\n * @example\n * ```typescript\n * import { MastraCloudAuthProvider } from '@mastra/auth-cloud';\n *\n * const auth = new MastraCloudAuthProvider({\n * cloudBaseUrl: 'https://cloud.mastra.ai',\n * callbackUrl: 'https://myapp.com/auth/callback',\n * });\n *\n * const mastra = new Mastra({\n * auth,\n * // ...\n * });\n * ```\n */\nexport class MastraCloudAuthProvider\n extends MastraAuthProvider<CloudUser>\n implements IUserProvider<EEUser>, ISSOProvider<EEUser>, ISessionProvider<Session>\n{\n private client: MastraCloudAuth;\n\n /** Marker for EE license exemption - MastraCloudAuth is exempt */\n readonly isMastraCloudAuth = true;\n\n /**\n * Cookie header for handleCallback PKCE validation.\n * Set via setCallbackCookieHeader() before handleCallback() is called.\n * @internal\n */\n private _lastCallbackCookieHeader: string | null = null;\n\n constructor(options: MastraCloudAuthProviderOptions) {\n super({ name: options?.name ?? 
'cloud' });\n\n this.client = new MastraCloudAuth({\n projectId: options.projectId,\n cloudBaseUrl: options.cloudBaseUrl,\n callbackUrl: options.callbackUrl,\n isProduction: options.isProduction,\n });\n\n this.registerOptions(options);\n }\n\n /**\n * Set cookie header for handleCallback PKCE validation.\n * Must be called before handleCallback() to pass cookie header.\n *\n * @param cookieHeader - Cookie header from original request\n */\n setCallbackCookieHeader(cookieHeader: string | null): void {\n this._lastCallbackCookieHeader = cookieHeader;\n }\n\n // ============================================================================\n // MastraAuthProvider Implementation\n // ============================================================================\n\n /**\n * Authenticate a bearer token or session cookie.\n *\n * Checks session cookie first, falls back to bearer token for API clients.\n *\n * @param token - Bearer token (from Authorization header)\n * @param request - Hono or raw Request\n * @returns Authenticated user with role, or null if invalid\n */\n async authenticateToken(token: string, request: HonoRequest | Request): Promise<CloudUser | null> {\n try {\n // Get raw Request for cookie access\n const rawRequest = 'raw' in request ? 
request.raw : request;\n const cookieHeader = rawRequest.headers.get('cookie');\n\n // Parse session token from cookie\n const sessionToken = parseSessionCookie(cookieHeader);\n\n if (sessionToken) {\n // Verify session token with Cloud API\n const { user, role } = await this.client.verifyToken(sessionToken);\n return { ...user, role };\n }\n\n // Fall back to bearer token if no cookie\n if (token) {\n const { user, role } = await this.client.verifyToken(token);\n return { ...user, role };\n }\n\n return null;\n } catch {\n // Per Phase 10 decision: return null on any error\n return null;\n }\n }\n\n /**\n * Authorize a user for access.\n *\n * Simple validation - detailed permission checking happens in server\n * middleware via checkRoutePermission(), not authorizeUser().\n *\n * @param user - Authenticated user\n * @returns True if user has valid id\n */\n authorizeUser(user: CloudUser): boolean {\n return !!user?.id;\n }\n\n // ============================================================================\n // ISSOProvider Implementation\n // ============================================================================\n\n /**\n * Cached login result for getLoginCookies() to retrieve cookies.\n * @internal\n */\n private _lastLoginResult: { url: string; cookies: string[] } | null = null;\n\n /**\n * Get URL to redirect user to for SSO login.\n *\n * @param redirectUri - Callback URL after authentication\n * @param state - State parameter (format: uuid|encodedPostLoginRedirect)\n * @returns Full authorization URL\n */\n getLoginUrl(redirectUri: string, state: string): string {\n // Extract postLoginRedirect from state (format: uuid|encodedPostLoginRedirect)\n let postLoginRedirect = '/';\n if (state && state.includes('|')) {\n const parts = state.split('|', 2);\n const encodedRedirect = parts[1];\n if (encodedRedirect) {\n try {\n postLoginRedirect = decodeURIComponent(encodedRedirect);\n } catch {\n postLoginRedirect = '/';\n }\n }\n }\n\n // Parse origin from 
redirectUri for PKCE cookie origin validation\n const redirectUrl = new URL(redirectUri);\n const origin = redirectUrl.origin;\n\n // Generate login URL with PKCE\n const result = this.client.getLoginUrl({\n returnTo: postLoginRedirect,\n requestOrigin: origin,\n });\n\n // Cache result for getLoginCookies() to retrieve\n this._lastLoginResult = result;\n\n return result.url;\n }\n\n /**\n * Get cookies to set during login redirect (PKCE verifier).\n * Must be called after getLoginUrl() in same request.\n *\n * @returns Array of Set-Cookie header values\n */\n getLoginCookies(): string[] | undefined {\n const cookies = this._lastLoginResult?.cookies;\n this._lastLoginResult = null; // Clear after retrieval\n return cookies;\n }\n\n /**\n * Handle OAuth callback, exchange code for tokens and user.\n *\n * @param code - Authorization code from callback\n * @param state - State parameter for CSRF validation\n * @returns User, tokens, and session cookies\n */\n async handleCallback(code: string, state: string): Promise<SSOCallbackResult<EEUser>> {\n // Get cookie header for PKCE validation, then clear\n const cookieHeader = this._lastCallbackCookieHeader;\n this._lastCallbackCookieHeader = null;\n\n // Exchange code for tokens and get user (includes /auth/verify call)\n const result = await this.client.handleCallback({\n code,\n state,\n cookieHeader,\n });\n\n // Build session cookie\n const sessionCookie = this.client.setSessionCookie(result.accessToken);\n\n return {\n user: result.user, // Already has role from handleCallback\n tokens: {\n accessToken: result.accessToken,\n },\n cookies: [...result.cookies, sessionCookie],\n };\n }\n\n /**\n * Get configuration for rendering login button in UI.\n *\n * @returns Login button configuration\n */\n getLoginButtonConfig(): SSOLoginConfig {\n return {\n provider: 'mastra',\n text: 'Sign in with Mastra Cloud',\n };\n }\n\n /**\n * Get logout URL for client-side redirect.\n * Requires the request to extract the session 
token for id_token_hint.\n *\n * @param redirectUri - URL to redirect to after logout\n * @param request - Request to extract session token from\n * @returns Logout URL with redirect and token parameters, or null if no session\n */\n getLogoutUrl(redirectUri: string, request?: Request): string | null {\n // Get session token from request cookies for id_token_hint\n const sessionToken = request ? this.getSessionIdFromRequest(request) : null;\n if (!sessionToken) {\n return null; // No active session, nothing to logout\n }\n return this.client.getLogoutUrl(redirectUri, sessionToken);\n }\n\n // ============================================================================\n // ISessionProvider Implementation\n // ============================================================================\n\n /**\n * Create a new session for a user.\n *\n * For Cloud auth, sessions are created via handleCallback.\n * This method builds a Session object for interface compatibility.\n *\n * @param userId - User to create session for\n * @param metadata - Optional metadata (accessToken can be passed here)\n * @returns Session object\n */\n async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n const now = new Date();\n const expiresAt = new Date(now.getTime() + 24 * 60 * 60 * 1000); // 24 hours\n\n return {\n id: (metadata?.accessToken as string) ?? 
crypto.randomUUID(),\n userId,\n createdAt: now,\n expiresAt,\n metadata,\n };\n }\n\n /**\n * Validate a session and return it if valid.\n *\n * @param sessionId - Session token to validate\n * @returns Session object or null if invalid/expired\n */\n async validateSession(sessionId: string): Promise<Session | null> {\n const session = await this.client.validateSession(sessionId);\n if (!session) return null;\n\n return {\n id: sessionId,\n userId: session.userId,\n createdAt: new Date(session.createdAt),\n expiresAt: new Date(session.expiresAt),\n };\n }\n\n /**\n * Destroy a session (logout).\n *\n * @param sessionId - Session token to destroy\n */\n async destroySession(sessionId: string): Promise<void> {\n await this.client.destroySession(sessionId);\n }\n\n /**\n * Refresh a session, extending its expiry.\n * Cloud handles refresh internally, so just validate.\n *\n * @param sessionId - Session token to refresh\n * @returns Session object or null if invalid\n */\n async refreshSession(sessionId: string): Promise<Session | null> {\n return this.validateSession(sessionId);\n }\n\n /**\n * Extract session ID from an incoming request.\n *\n * @param request - Incoming HTTP request\n * @returns Session token or null if not present\n */\n getSessionIdFromRequest(request: Request): string | null {\n return parseSessionCookie(request.headers.get('cookie'));\n }\n\n /**\n * Create response headers to set session cookie.\n *\n * @param session - Session to encode (id is the access token)\n * @returns Headers object with Set-Cookie\n */\n getSessionHeaders(session: Session): Record<string, string> {\n return { 'Set-Cookie': this.client.setSessionCookie(session.id) };\n }\n\n /**\n * Create response headers to clear session (for logout).\n *\n * @returns Headers object to clear session cookie\n */\n getClearSessionHeaders(): Record<string, string> {\n return { 'Set-Cookie': this.client.clearSessionCookie() };\n }\n\n // 
============================================================================\n // IUserProvider Implementation\n // ============================================================================\n\n /**\n * Get current user from request (session cookie).\n *\n * @param request - Incoming HTTP request\n * @returns User with role or null if not authenticated\n */\n async getCurrentUser(request: Request): Promise<CloudUser | null> {\n const sessionToken = this.getSessionIdFromRequest(request);\n if (!sessionToken) return null;\n\n try {\n const { user, role } = await this.client.verifyToken(sessionToken);\n return { ...user, role };\n } catch {\n return null;\n }\n }\n\n /**\n * Get user by ID.\n * Cloud API doesn't have a /users/:id endpoint.\n *\n * @returns Always null (not supported)\n */\n async getUser(_userId: string): Promise<CloudUser | null> {\n return null;\n }\n}\n","/**\n * Mastra Cloud RBAC provider.\n *\n * Provides role-based permission checking for Cloud-authenticated users\n * using configurable role-to-permission mappings.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\n\nimport type { CloudUser } from '../types';\n\n/**\n * Configuration options for MastraRBACCloud.\n */\nexport interface MastraRBACCloudOptions {\n /**\n * Mapping from role names to permission arrays.\n *\n * @example\n * ```typescript\n * {\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * viewer: ['agents:read', 'workflows:read'],\n * _default: [],\n * }\n * ```\n */\n roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Cloud authentication.\n *\n * Maps user roles (from /verify endpoint) to Mastra permissions\n * using a configurable role mapping. 
This is a simpler implementation\n * than WorkOS RBAC since Cloud uses a single-role model.\n *\n * @example Basic usage\n * ```typescript\n * import { MastraRBACCloud } from '@mastra/auth-cloud';\n *\n * const rbac = new MastraRBACCloud({\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * viewer: ['agents:read', 'workflows:read'],\n * _default: [],\n * },\n * });\n *\n * const hasAccess = await rbac.hasPermission(user, 'agents:read');\n * ```\n */\nexport class MastraRBACCloud implements IRBACProvider<CloudUser> {\n private options: MastraRBACCloudOptions;\n\n /**\n * Expose roleMapping for middleware access.\n * This allows the authorization middleware to resolve permissions\n * without needing to call the async methods.\n */\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n /**\n * Create a new Mastra Cloud RBAC provider.\n *\n * @param options - RBAC configuration options\n */\n constructor(options: MastraRBACCloudOptions) {\n this.options = options;\n }\n\n /**\n * Get all roles for a user.\n *\n * Returns the user's role as a single-element array, or empty array if no role.\n * Cloud uses a single-role model (role is attached via verifyToken()).\n *\n * @param user - Cloud user to get roles for\n * @returns Array containing user's role, or empty array\n */\n async getRoles(user: CloudUser): Promise<string[]> {\n // Role attached to user from verifyToken() call\n return user.role ? 
[user.role] : [];\n }\n\n /**\n * Check if a user has a specific role.\n *\n * @param user - Cloud user to check\n * @param role - Role name to check for\n * @returns True if user has the role\n */\n async hasRole(user: CloudUser, role: string): Promise<boolean> {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n /**\n * Get all permissions for a user by mapping their role.\n *\n * Uses the configured roleMapping to translate the user's role\n * into Mastra permission strings.\n *\n * If the user has no role, the _default permissions from the\n * role mapping are applied.\n *\n * @param user - Cloud user to get permissions for\n * @returns Array of permission strings\n */\n async getPermissions(user: CloudUser): Promise<string[]> {\n const roles = await this.getRoles(user);\n\n if (roles.length === 0) {\n return this.options.roleMapping['_default'] ?? [];\n }\n\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n /**\n * Check if a user has a specific permission.\n *\n * Uses wildcard matching to check if the user's permissions\n * grant access to the required permission.\n *\n * @param user - Cloud user to check\n * @param permission - Permission to check for (e.g., 'agents:read')\n * @returns True if user has the permission\n */\n async hasPermission(user: CloudUser, permission: string): Promise<boolean> {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n /**\n * Check if a user has ALL of the specified permissions.\n *\n * @param user - Cloud user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has all permissions\n */\n async hasAllPermissions(user: CloudUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Check 
if a user has ANY of the specified permissions.\n *\n * @param user - Cloud user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has at least one permission\n */\n async hasAnyPermission(user: CloudUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n}\n"]}
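--- a/package/dist/oauth/index.d.ts
+++ b/package/dist/oauth/index.d.ts
@@ -0,0 +1,9 @@
+/**
+* OAuth module for Mastra Cloud authentication.
+*
+* @internal This module is not exported from the main package.
+*/
+export { encodeState, decodeState, validateReturnTo, type StateData } from './state.js';
+export { fetchWithRetry } from './network.js';
+export { getLoginUrl, handleCallback, type LoginUrlOptions, type CallbackOptions } from './oauth.js';
+//# sourceMappingURL=index.d.ts.map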
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oauth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,KAAK,SAAS,EAAE,MAAM,SAAS,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,KAAK,eAAe,EAAE,KAAK,eAAe,EAAE,MAAM,SAAS,CAAC"}
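--- a/package/dist/oauth/network.d.ts
+++ b/package/dist/oauth/network.d.ts
@@ -0,0 +1,20 @@
+/**
+* Network utilities for OAuth flow.
+*
+* Provides fetch wrapper with single retry for transient network errors.
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Fetch with single retry on network errors.
+*
+* Retries ONLY on network failures (fetch throws), not HTTP error responses.
+* Caller is responsible for handling HTTP status codes.
+*
+* @param url - URL to fetch
+* @param options - Fetch options
+* @returns Response (may have error status code)
+* @throws AuthError with code 'network_error' if both attempts fail
+*/
+export declare function fetchWithRetry(url: string, options: RequestInit): Promise<Response>;
+//# sourceMappingURL=network.d.ts.map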
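Review bot: The `fetchWithRetry` contract does not bound how long an attempt may run. `options` is a plain `RequestInit` and the comment says a retry happens only when fetch throws, so a connection that stalls without erroring presumably never reaches the retry or the `network_error` path unless the caller supplies a `signal`. I would say so on the parameter: `@param options - Fetch options; pass a signal (for example AbortSignal.timeout) to bound each attempt`. The comment should also state whether the retry covers the code-for-token request, since a second exchange of the same authorization code after a lost response is expected to come back as an HTTP error the caller must handle. Only the declaration is visible in this section, so the implementation may already cover both.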
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../src/oauth/network.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAYzF"}
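--- a/package/dist/oauth/oauth.d.ts
+++ b/package/dist/oauth/oauth.d.ts
@@ -0,0 +1,68 @@
+/**
+* OAuth authorization flow functions.
+*
+* Implements login URL generation and callback handling for
+* Mastra Cloud authentication with PKCE.
+*
+* @internal This module is not exported from the main package.
+*/
+import type { LoginUrlResult, CallbackResult } from '../types.js';
+/**
+* Options for generating login URL.
+*/
+export interface LoginUrlOptions {
+/** Mastra Cloud project ID */
+projectId: string;
+/** Base URL of Mastra Cloud API (e.g., 'https://cloud.mastra.ai') */
+cloudBaseUrl: string;
+/** OAuth callback URL (e.g., 'https://myapp.com/auth/callback') */
+callbackUrl: string;
+/** URL to redirect to after successful login */
+returnTo?: string;
+/** Origin of the current request (e.g., 'https://myapp.com') */
+requestOrigin: string;
+/** Whether running in production (affects cookie Secure flag) */
+isProduction?: boolean;
+}
+/**
+* Options for handling OAuth callback.
+*/
+export interface CallbackOptions {
+/** Mastra Cloud project ID */
+projectId: string;
+/** Base URL of Mastra Cloud API */
+cloudBaseUrl: string;
+/** OAuth callback URL (must match what was sent to /auth/oss) */
+redirectUri: string;
+/** Authorization code from OAuth callback */
+code: string;
+/** State parameter from OAuth callback */
+state: string;
+/** Cookie header from request (may be null) */
+cookieHeader: string | null;
+}
+/**
+* Generate a login URL for Mastra Cloud OAuth flow.
+*
+* Creates a URL with PKCE challenge and state parameter for CSRF protection.
+* Returns a PKCE cookie that must be set on the response.
+*
+* @param options - Login URL options
+* @returns URL to redirect to and cookies to set
+*/
+export declare function getLoginUrl(options: LoginUrlOptions): LoginUrlResult;
+/**
+* Handle OAuth callback from Mastra Cloud.
+*
+* Validates state for CSRF, exchanges code for tokens, and returns user info.
+* Returns a cookie to clear the PKCE state.
+*
+* Note: Session cookie is NOT set here - caller (session module) handles that.
+*
+* @param options - Callback options
+* @returns User info, access token, and redirect URL
+* @throws PKCEError if PKCE cookie is missing or expired
+* @throws AuthError if state validation fails or token exchange fails
+*/
+export declare function handleCallback(options: CallbackOptions): Promise<CallbackResult>;
+//# sourceMappingURL=oauth.d.ts.map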
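Review bot: `isProduction?: boolean` in `LoginUrlOptions` is optional and its default is not documented, although its comment says it decides the cookie Secure flag; `setPKCECookie` in pkce/cookie.d.ts takes the same value as a required `boolean`. If omission is treated as false, an integrator who forgets the option would get the PKCE verifier cookie without Secure. I would make the field required, or document the default: `/** Whether running in production (adds the cookie Secure flag). Default: <state the default>. */`. `CallbackOptions` also carries no request origin, so the `handleCallback` comment should say whether the `returnTo` recovered from `state` is validated again before it becomes the redirect URL.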
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/oauth/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAI/D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,YAAY,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,aAAa,EAAE,MAAM,CAAC;IACtB,iEAAiE;IACjE,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,0CAA0C;IAC1C,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,eAAe,GAAG,cAAc,CAgCpE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC,CAwFtF"}
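--- a/package/dist/oauth/state.d.ts
+++ b/package/dist/oauth/state.d.ts
@@ -0,0 +1,47 @@
+/**
+* OAuth state parameter encoding/decoding.
+*
+* The state parameter carries:
+* - csrf: CSRF token for validation
+* - returnTo: URL to redirect after successful login
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Data encoded in the OAuth state parameter.
+*/
+export interface StateData {
+/** CSRF token for state validation */
+csrf: string;
+/** URL to redirect to after login */
+returnTo: string;
+}
+/**
+* Encode state data into a base64url string for OAuth state parameter.
+*
+* @param csrf - CSRF token to include
+* @param returnTo - URL to redirect to after login
+* @returns Base64url encoded state string
+*/
+export declare function encodeState(csrf: string, returnTo: string): string;
+/**
+* Decode state parameter back to StateData.
+*
+* @param state - Base64url encoded state string
+* @returns Decoded state data
+* @throws AuthError with code 'invalid_state' if decoding fails
+*/
+export declare function decodeState(state: string): StateData;
+/**
+* Validate and sanitize returnTo URL to prevent open redirect attacks.
+*
+* Safe values:
+* - Relative paths starting with '/' (but not '//')
+* - Absolute URLs with same origin as request
+*
+* @param returnTo - URL from user input (may be undefined)
+* @param requestOrigin - Origin of the current request (e.g., 'https://example.com')
+* @returns Safe redirect URL, defaults to '/' if invalid
+*/
+export declare function validateReturnTo(returnTo: string | undefined, requestOrigin: string): string;
+//# sourceMappingURL=state.d.ts.map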
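Review bot: The `decodeState` comment does not say that its result is unauthenticated. `encodeState` is described as plain base64url, so `csrf` and `returnTo` can be rewritten by anyone who handles the URL, and they are presumably trustworthy only after the raw `state` has been matched against the copy kept in the PKCE cookie (`PKCECookieData.state`). I would add one line to `decodeState`: `* The result is unauthenticated; match the raw state against the PKCE cookie value before using it.` For `validateReturnTo`, the list of safe values omits the edge cases a reader will ask about: a leading `/` followed by a backslash, embedded control characters, and whether the same-origin test parses the URL or compares string prefixes. The implementation is not part of this section, so these may already be handled.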
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"state.d.ts","sourceRoot":"","sources":["../../src/oauth/state.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAIlE;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAcpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CA0B5F"}
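--- a/package/dist/pkce/cookie.d.ts
+++ b/package/dist/pkce/cookie.d.ts
@@ -0,0 +1,42 @@
+/**
+* PKCE cookie storage utilities.
+* Handles serialization, parsing, and clearing of PKCE verifier cookies.
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Cookie name for PKCE verifier storage.
+*/
+export declare const PKCE_COOKIE_NAME = "mastra_pkce_verifier";
+/**
+* Data stored in the PKCE cookie.
+*/
+export interface PKCECookieData {
+verifier: string;
+state: string;
+expiresAt: number;
+}
+/**
+* Create a Set-Cookie header value for storing PKCE verifier and state.
+*
+* @param verifier - The code verifier for PKCE
+* @param state - The state parameter for CSRF protection
+* @param isProduction - Whether to add Secure flag (required for HTTPS)
+* @returns Set-Cookie header value
+*/
+export declare function setPKCECookie(verifier: string, state: string, isProduction: boolean): string;
+/**
+* Parse the PKCE cookie from a Cookie header.
+*
+* @param cookieHeader - The Cookie header value (may be null)
+* @returns Parsed cookie data
+* @throws PKCEError if cookie is missing, expired, or malformed
+*/
+export declare function parsePKCECookie(cookieHeader: string | null): PKCECookieData;
+/**
+* Create a Set-Cookie header value to clear the PKCE cookie.
+*
+* @returns Set-Cookie header value that expires the cookie
+*/
+export declare function clearPKCECookie(): string;
+//# sourceMappingURL=cookie.d.ts.map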
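Review bot: The fields of `PKCECookieData` carry no comments, and `expiresAt: number` does not say whether it is epoch milliseconds or seconds, which matters to anyone checking the expiry test in `parsePKCECookie`. A line such as `/** Absolute expiry time as a Unix timestamp in <unit> */` would settle it. The `setPKCECookie` comment mentions only the Secure flag; because this cookie holds the PKCE verifier, it should also name the HttpOnly, SameSite, Path and lifetime attributes the header contains. The same gap applies to `setSessionCookie` in session/cookie.d.ts.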
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/pkce/cookie.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;GAEG;AACH,eAAO,MAAM,gBAAgB,yBAAyB,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,GAAG,MAAM,CAiB5F;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,cAAc,CAuB3E;AAED;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC"}
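--- a/package/dist/pkce/error.d.ts
+++ b/package/dist/pkce/error.d.ts
@@ -0,0 +1,31 @@
+/**
+* PKCE error types and error class.
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Error codes for PKCE-related failures.
+*/
+export type PKCEErrorCode = 'MISSING_VERIFIER' | 'EXPIRED' | 'INVALID';
+/**
+* Error class for PKCE-related failures.
+* Uses a code discriminator for programmatic error handling.
+*/
+export declare class PKCEError extends Error {
+readonly code: PKCEErrorCode;
+readonly cause?: Error;
+constructor(code: PKCEErrorCode, message: string, cause?: Error);
+/**
+* Factory: PKCE verifier cookie not found.
+*/
+static missingVerifier(): PKCEError;
+/**
+* Factory: PKCE verifier has expired.
+*/
+static expired(): PKCEError;
+/**
+* Factory: PKCE verifier cookie is malformed.
+*/
+static invalid(cause?: Error): PKCEError;
+}
+//# sourceMappingURL=error.d.ts.map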
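Review bot: `PKCEErrorCode` uses upper-case codes (`'MISSING_VERIFIER' | 'EXPIRED' | 'INVALID'`) while the `AuthError` codes named elsewhere in this release are lower snake case (`'network_error'` in oauth/network.d.ts, `'invalid_state'` in oauth/state.d.ts). Callers that switch on `code` across both error classes are better served by one convention, or by a comment on `PKCEErrorCode` saying the difference is deliberate. The three factory methods would also benefit from `@returns` lines naming the code each one sets.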
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../src/pkce/error.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,kBAAkB,GAAG,SAAS,GAAG,SAAS,CAAC;AAEvE;;;GAGG;AACH,qBAAa,SAAU,SAAQ,KAAK;IAClC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,SAAkB,KAAK,CAAC,EAAE,KAAK,CAAC;gBAEpB,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK;IAS/D;;OAEG;IACH,MAAM,CAAC,eAAe,IAAI,SAAS;IAOnC;;OAEG;IACH,MAAM,CAAC,OAAO,IAAI,SAAS;IAI3B;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,SAAS;CAGzC"}
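--- a/package/dist/pkce/index.d.ts
+++ b/package/dist/pkce/index.d.ts
@@ -0,0 +1,10 @@
+/**
+* PKCE module internal re-exports.
+*
+* @internal This module is not exported from the main package.
+* These utilities are only used by MastraCloudAuth internally.
+*/
+export * from './pkce.js';
+export * from './error.js';
+export * from './cookie.js';
+//# sourceMappingURL=index.d.ts.map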
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/pkce/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC"}
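--- a/package/dist/pkce/pkce.d.ts
+++ b/package/dist/pkce/pkce.d.ts
@@ -0,0 +1,26 @@
+/**
+* PKCE (Proof Key for Code Exchange) cryptographic utilities.
+* Implements RFC 7636 S256 challenge method.
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Generate a code verifier for PKCE.
+* Uses 32 random bytes encoded as base64url (43 characters).
+*
+* Per RFC 7636: code_verifier must be 43-128 characters using unreserved characters.
+*/
+export declare function generateCodeVerifier(): string;
+/**
+* Compute the S256 code challenge from a verifier.
+* challenge = BASE64URL(SHA256(verifier))
+*
+* Per RFC 7636: S256 method uses SHA-256 hash of the verifier.
+*/
+export declare function computeCodeChallenge(verifier: string): string;
+/**
+* Generate a state parameter for CSRF protection.
+* Uses 16 random bytes encoded as base64url (22 characters).
+*/
+export declare function generateState(): string;
+//# sourceMappingURL=pkce.d.ts.map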
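Review bot: The comments on `generateCodeVerifier` and `generateState` give the byte counts but not the source of randomness, which is the property a reviewer has to confirm for a PKCE verifier and a CSRF token. I would add `@returns` lines that state it, e.g. `* @returns 43-character base64url string drawn from a cryptographically secure random source`, with the equivalent for the 22-character state. `computeCodeChallenge` is declared synchronous, so it presumably relies on Node's crypto module rather than Web Crypto; if so, that runtime requirement belongs in the comment too.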
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce/pkce.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;GAKG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAGtC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,iBAAiB,CAAC"}
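--- a/package/dist/rbac/rbac-provider.d.ts
+++ b/package/dist/rbac/rbac-provider.d.ts
@@ -0,0 +1,124 @@
+/**
+* Mastra Cloud RBAC provider.
+*
+* Provides role-based permission checking for Cloud-authenticated users
+* using configurable role-to-permission mappings.
+*/
+import type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';
+import type { CloudUser } from '../types.js';
+/**
+* Configuration options for MastraRBACCloud.
+*/
+export interface MastraRBACCloudOptions {
+/**
+* Mapping from role names to permission arrays.
+*
+* @example
+* ```typescript
+* {
+* admin: ['*'],
+* member: ['agents:read', 'workflows:*'],
+* viewer: ['agents:read', 'workflows:read'],
+* _default: [],
+* }
+* ```
+*/
+roleMapping: RoleMapping;
+}
+/**
+* RBAC provider for Mastra Cloud authentication.
+*
+* Maps user roles (from /verify endpoint) to Mastra permissions
+* using a configurable role mapping. This is a simpler implementation
+* than WorkOS RBAC since Cloud uses a single-role model.
+*
+* @example Basic usage
+* ```typescript
+* import { MastraRBACCloud } from '@mastra/auth-cloud';
+*
+* const rbac = new MastraRBACCloud({
+* roleMapping: {
+* admin: ['*'],
+* member: ['agents:read', 'workflows:*'],
+* viewer: ['agents:read', 'workflows:read'],
+* _default: [],
+* },
+* });
+*
+* const hasAccess = await rbac.hasPermission(user, 'agents:read');
+* ```
+*/
+export declare class MastraRBACCloud implements IRBACProvider<CloudUser> {
+private options;
+/**
+* Expose roleMapping for middleware access.
+* This allows the authorization middleware to resolve permissions
+* without needing to call the async methods.
+*/
+get roleMapping(): RoleMapping;
+/**
+* Create a new Mastra Cloud RBAC provider.
+*
+* @param options - RBAC configuration options
+*/
+constructor(options: MastraRBACCloudOptions);
+/**
+* Get all roles for a user.
+*
+* Returns the user's role as a single-element array, or empty array if no role.
+* Cloud uses a single-role model (role is attached via verifyToken()).
+*
+* @param user - Cloud user to get roles for
+* @returns Array containing user's role, or empty array
+*/
+getRoles(user: CloudUser): Promise<string[]>;
+/**
+* Check if a user has a specific role.
+*
+* @param user - Cloud user to check
+* @param role - Role name to check for
+* @returns True if user has the role
+*/
+hasRole(user: CloudUser, role: string): Promise<boolean>;
+/**
+* Get all permissions for a user by mapping their role.
+*
+* Uses the configured roleMapping to translate the user's role
+* into Mastra permission strings.
+*
+* If the user has no role, the _default permissions from the
+* role mapping are applied.
+*
+* @param user - Cloud user to get permissions for
+* @returns Array of permission strings
+*/
+getPermissions(user: CloudUser): Promise<string[]>;
+/**
+* Check if a user has a specific permission.
+*
+* Uses wildcard matching to check if the user's permissions
+* grant access to the required permission.
+*
+* @param user - Cloud user to check
+* @param permission - Permission to check for (e.g., 'agents:read')
+* @returns True if user has the permission
+*/
+hasPermission(user: CloudUser, permission: string): Promise<boolean>;
+/**
+* Check if a user has ALL of the specified permissions.
+*
+* @param user - Cloud user to check
+* @param permissions - Array of permissions to check for
+* @returns True if user has all permissions
+*/
+hasAllPermissions(user: CloudUser, permissions: string[]): Promise<boolean>;
+/**
+* Check if a user has ANY of the specified permissions.
+*
+* @param user - Cloud user to check
+* @param permissions - Array of permissions to check for
+* @returns True if user has at least one permission
+*/
+hasAnyPermission(user: CloudUser, permissions: string[]): Promise<boolean>;
+}
+//# sourceMappingURL=rbac-provider.d.ts.map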
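Review bot: The `getPermissions` comment covers a user with no role (`_default` is applied) but not a user whose role has no key in `roleMapping`. That case decides whether an unexpected role value from the /verify endpoint is denied or falls back to `_default`, so I would add a sentence such as `* A role that is absent from roleMapping grants <state the behaviour>.` The `roleMapping` getter is documented as exposing the mapping to middleware. If it returns the stored object rather than a copy, any holder of the provider can change permissions at runtime, so typing it as `Readonly<RoleMapping>` or documenting it as read-only would help. Only the declarations are visible in this section.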
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac-provider.d.ts","sourceRoot":"","sources":["../../src/rbac/rbac-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGvE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;;;;;;;;;;OAYG;IACH,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,eAAgB,YAAW,aAAa,CAAC,SAAS,CAAC;IAC9D,OAAO,CAAC,OAAO,CAAyB;IAExC;;;;OAIG;IACH,IAAI,WAAW,IAAI,WAAW,CAE7B;IAED;;;;OAIG;gBACS,OAAO,EAAE,sBAAsB;IAI3C;;;;;;;;OAQG;IACG,QAAQ,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKlD;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9D;;;;;;;;;;;OAWG;IACG,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAUxD;;;;;;;;;OASG;IACG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK1E;;;;;;OAMG;IACG,iBAAiB,CAAC,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAKjF;;;;;;OAMG;IACG,gBAAgB,CAAC,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAIjF"}
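--- a/package/dist/session/cookie.d.ts
+++ b/package/dist/session/cookie.d.ts
@@ -0,0 +1,32 @@
+/**
+* Session cookie utilities.
+* Handles setting, parsing, and clearing of session cookies.
+*
+* @internal This module is not exported from the main package.
+*/
+/**
+* Cookie name for session token storage.
+*/
+export declare const SESSION_COOKIE_NAME = "mastra_cloud_session";
+/**
+* Create a Set-Cookie header value for storing session token.
+*
+* @param token - The session token
+* @param isProduction - Whether to add Secure flag (required for HTTPS)
+* @returns Set-Cookie header value
+*/
+export declare function setSessionCookie(token: string, isProduction: boolean): string;
+/**
+* Parse the session token from a Cookie header.
+*
+* @param cookieHeader - The Cookie header value (may be null)
+* @returns Session token or null if not present
+*/
+export declare function parseSessionCookie(cookieHeader: string | null): string | null;
+/**
+* Create a Set-Cookie header value to clear the session cookie.
+*
+* @returns Set-Cookie header value that expires the cookie
+*/
+export declare function clearSessionCookie(): string;
+//# sourceMappingURL=cookie.d.ts.map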
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/session/cookie.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAE1D;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,GAAG,MAAM,CAU7E;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAO7E;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C"}
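--- a/package/dist/session/index.d.ts
+++ b/package/dist/session/index.d.ts
@@ -0,0 +1,9 @@
+/**
+* Session module for Mastra Cloud authentication.
+*
+* @internal This module is not exported from the main package.
+*/
+export { SESSION_COOKIE_NAME, setSessionCookie, parseSessionCookie, clearSessionCookie } from './cookie.js';
+export { verifyToken, validateSession, destroySession, getLogoutUrl } from './session.js';
+export type { VerifyTokenOptions, SessionOptions } from './session.js';
+//# sourceMappingURL=index.d.ts.map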
|