@mastra/auth-google 0.0.0

@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/types.ts","../src/auth-provider.ts","../src/rbac-provider.ts"],"names":[],"mappings":";;;;;;;;;AA2CO,SAAS,sBAAsB,OAAA,EAAiC;AACrE,EAAA,MAAM,QAAA,GAAY,QAAQ,GAAA,IAAkB,EAAA;AAC5C,EAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA;AACtB,EAAA,MAAM,eAAe,OAAA,CAAQ,EAAA;AAC7B,EAAA,MAAM,gBAAgB,OAAA,CAAQ,cAAA;AAE9B,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,QAAA;AAAA,IACJ,QAAA;AAAA,IACA,KAAA;AAAA,IACA,IAAA,EACG,OAAA,CAAQ,IAAA,IACT,CAAC,QAAQ,UAAA,EAAY,OAAA,CAAQ,WAAW,CAAA,CAAE,OAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,KAClE,KAAA,IACA,MAAA;AAAA,IACF,WAAW,OAAA,CAAQ,OAAA;AAAA,IACnB,SAAA,EAAW,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,GAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI,MAAA;AAAA,IAC5E,YAAA;AAAA,IACA,aAAA;AAAA,IACA,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,QAAA,EAAU;AAAA,MACR,QAAA;AAAA,MACA,YAAA;AAAA,MACA,aAAA;AAAA,MACA,WAAW,OAAA,CAAQ,UAAA;AAAA,MACnB,YAAY,OAAA,CAAQ;AAAA;AACtB,GACF;AACF;;;ACzCA,IAAM,wBAAA,GAA2B,8CAAA;AACjC,IAAM,gBAAA,GAAmB,qCAAA;AACzB,IAAM,eAAA,GAAkB,4CAAA;AACxB,IAAM,cAAA,GAAiB,CAAC,6BAAA,EAA+B,qBAAqB,CAAA;AAE5E,IAAM,mBAAA,GAAsB,gBAAA;AAC5B,IAAM,sBAAA,GAAyB,KAAA;AAC/B,IAAM,cAAA,GAAiB,CAAC,QAAA,EAAU,SAAA,EAAW,OAAO,CAAA;AACpD,IAAM,qBAAA,GAAwB,KAAK,EAAA,GAAK,GAAA;AACxC,IAAM,WAAA,GAAc,EAAA;AACpB,IAAM,SAAA,GAAY,EAAA;AAalB,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAEA,SAAS,gBAAgB,MAAA,EAAuD;AAC9E,EAAA,MAAM,UAAA,GAAa,QAAQ,IAAA,EAAK,CAAE,aAAY,CAAE,OAAA,CAAQ,MAAM,EAAE,CAAA;AAChE,EAAA,OAAO,UAAA,IAAc,MAAA;AACvB;AAEA,SAAS,wBAAwB,KAAA,EAAgD;AAC/E,EAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,EAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,KAAK,IAAI,KAAA,GAAQ,KAAA,CAAM,MAAM,GAAG,CAAA;AAC5D,EAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAI,GAAA,CAAI,MAAM,GAAA,CAAI,eAAe,CAAA,CAAE,MAAA,CAAO,CAAC,MAAA,KAA6B,CAAC,CAAC,MAAM,CAAC,CAAC,CAAA;AACtG;AAEA,SAAS,YAAY,GAAA,EAAqB;AACxC,EAA
A,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AAEA,SAAS,6BAA6B,KAAA,EAAuB;AAC3D,EAAA,MAAM,cAAA,GAAiB,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACxC,EAAA,OAAO,cAAA,KAAmB,EAAA,GAAK,EAAA,GAAK,KAAA,CAAM,MAAM,cAAc,CAAA;AAChE;AAEA,SAAS,+BAA+B,KAAA,EAAuB;AAC7D,EAAA,MAAM,cAAA,GAAiB,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACxC,EAAA,OAAO,mBAAmB,EAAA,GAAK,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,cAAc,CAAA;AACtE;AAEA,SAAS,yBAAA,CAA0B,eAAuB,aAAA,EAA6B;AACrF,EAAA,MAAM,cAAA,GAAiB,6BAA6B,aAAa,CAAA;AACjE,EAAA,IAAI,CAAC,cAAA,EAAgB;AAErB,EAAA,IAAI,cAAA,KAAmB,4BAAA,CAA6B,aAAa,CAAA,EAAG;AAClE,IAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,EACjD;AACF;AAEA,SAAS,gBAAgB,SAAA,EAAwC;AAC/D,EAAA,IAAI,SAAA,KAAc,MAAA,IAAa,SAAA,KAAc,IAAA,EAAM;AACjD,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,IAAI,qBAAqB,IAAA,EAAM;AAC7B,IAAA,OAAO,UAAU,OAAA,EAAQ;AAAA,EAC3B;AAEA,EAAA,IAAI,OAAO,SAAA,KAAc,QAAA,IAAY,OAAO,cAAc,QAAA,EAAU;AAClE,IAAA,OAAO,IAAI,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EACrC;AAEA,EAAA,OAAO,MAAA,CAAO,GAAA;AAChB;AAEA,eAAe,SAAA,CAAU,QAAA,EAAkB,IAAA,EAAkB,KAAA,EAA8B;AACzF,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,OAAA,CAAQ,MAAA,CAAO,QAAQ,CAAA,EAAG,QAAA,EAAU,KAAA,EAAO;AAAA,IAClG,YAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,OAAO,OAAO,MAAA,CAAO,SAAA;AAAA,IACnB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,UAAA,EAAY,GAAA,EAAQ,MAAM,SAAA,EAAU;AAAA,IAC5D,WAAA;AAAA,IACA,EAAE,IAAA,EAAM,SAAA,EAAW,MAAA,EAAQ,GAAA,EAAI;AAAA,IAC/B,KAAA;AAAA,IACA,CAAC,KAAK;AAAA,GACR;AACF;AAEA,eAAe,cAAA,CAAe,MAAe,QAAA,EAAmC;AAC9E,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAO,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,WAAW,CAAC,CAAA;AAC/D,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,QAAA,EAAU,MAAM,SAAS,CAAA;AACrD,EAAA,MAAM,KAAK,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AAC3D,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,KAAK,OAAA,CAAQ,MAAA,CAAO,KAAK,SAAA,CAAU,IAAI,CAAC,CAAC,CAAA;AAChH,EAAA,MAAM,QAAA,GAAW,IAAI,UAAA,CAAW,IAAA,CAAK,MAAA,GAAS,EAAA,CAAG,MAAA,GAAS,IAAI,UAAA,CAAW,SAAS,
CAAA,CAAE,MAAM,CAAA;AAC1F,EAAA,QAAA,CAAS,IAAI,IAAI,CAAA;AACjB,EAAA,QAAA,CAAS,GAAA,CAAI,EAAA,EAAI,IAAA,CAAK,MAAM,CAAA;AAC5B,EAAA,QAAA,CAAS,GAAA,CAAI,IAAI,UAAA,CAAW,SAAS,GAAG,IAAA,CAAK,MAAA,GAAS,GAAG,MAAM,CAAA;AAC/D,EAAA,OAAO,IAAA,CAAK,MAAA,CAAO,YAAA,CAAa,GAAG,QAAQ,CAAC,CAAA;AAC9C;AAEA,eAAe,cAAA,CAAe,WAAmB,QAAA,EAAoC;AACnF,EAAA,MAAM,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,SAAS,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AACtE,EAAA,IAAI,QAAA,CAAS,MAAA,GAAS,WAAA,GAAc,SAAA,GAAY,CAAA,EAAG;AACjD,IAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,EAClD;AACA,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,WAAW,CAAA;AAC1C,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,CAAM,WAAA,EAAa,cAAc,SAAS,CAAA;AAC9D,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,KAAA,CAAM,WAAA,GAAc,SAAS,CAAA;AACnD,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,QAAA,EAAU,MAAM,SAAS,CAAA;AACrD,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,IAAI,CAAA;AAChF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAI,aAAY,CAAE,MAAA,CAAO,SAAS,CAAC,CAAA;AACvD;AAEA,eAAe,QAAA,CAAS,MAAc,MAAA,EAAiC;AACrE,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IACpC,KAAA;AAAA,IACA,OAAA,CAAQ,OAAO,MAAM,CAAA;AAAA,IACrB,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACT;AACA,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,QAAQ,SAAA,EAAW,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAC,CAAA;AAClF,EAAA,MAAM,QAAA,GAAW,IAAI,UAAA,CAAW,SAAS,CAAA;AACzC,EAAA,OAAO,KAAK,MAAA,CAAO,YAAA,CAAa,GAAG,QAAQ,CAAC,CAAA,CACzC,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,MAAM,EAAE,CAAA;AACrB;AAEA,SAAS,eAAA,CAAgB,GAAW,CAAA,EAAoB;AACtD,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,MAAA,IAAU,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACpB;AAEA,eAAe,gBAAA,CACb,aAAA,EACA,WAAA,E
ACA,KAAA,EACA,MAAA,EACiB;AACjB,EAAA,MAAM,OAAA,GAAwB;AAAA,IAC5B,CAAA,EAAG,aAAA;AAAA,IACH,CAAA,EAAG,WAAA;AAAA,IACH,CAAA,EAAG,IAAA,CAAK,GAAA,EAAI,GAAI,qBAAA;AAAA,IAChB,CAAA,EAAG;AAAA,GACL;AACA,EAAA,MAAM,UAAA,GAAa,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAC/C,EAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,UAAA,EAAY,MAAM,CAAA;AACnD,EAAA,OAAO,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA;AACnC;AAEA,eAAe,gBAAA,CACb,YACA,MAAA,EACwE;AACxE,EAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,EAC9C;AAEA,EAAA,MAAM,CAAC,UAAA,EAAY,SAAS,CAAA,GAAI,KAAA;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,UAAA,EAAY,MAAM,CAAA;AACrD,EAAA,IAAI,CAAC,eAAA,CAAgB,SAAA,EAAW,WAAW,CAAA,EAAG;AAC5C,IAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,EACjD;AAEA,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI;AACF,IAAA,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,UAAU,CAAC,CAAA;AAAA,EACvC,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,IAAI,OAAA,CAAQ,CAAA,GAAI,IAAA,CAAK,GAAA,EAAI,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO;AAAA,IACL,eAAe,OAAA,CAAQ,CAAA;AAAA,IACvB,aAAa,OAAA,CAAQ,CAAA;AAAA,IACrB,OAAO,OAAA,CAAQ;AAAA,GACjB;AACF;AAEA,SAAS,WAAW,OAAA,EAA8B;AAChD,EAAA,OAAO,OAAO,QAAQ,GAAA,KAAQ,QAAA,IAAY,QAAQ,GAAA,GAAM,GAAA,GAAO,KAAK,GAAA,EAAI;AAC1E;AAEO,IAAM,gBAAA,GAAN,cAA+B,kBAAA,CAAoE;AAAA,EAC9F,QAAA;AAAA,EACF,YAAA;AAAA,EACA,WAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,IAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,UAAU,CAAA;AAEzC,IAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAClD,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,iBAAiB,uBAAA,CAAwB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,IAAI,sBAAsB,CAAA;AAC5G,IAAA,MAAM,yBAAyB,eAAA,CAAgB,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,oBAAoB,CAAA;AACxG,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,GAAA,CA
AI,oBAAA;AAC1D,IAAA,MAAM,WAAA,GAAc,OAAA,EAAS,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,mBAAA;AACxD,IAAA,MAAM,8BAA8B,CAAC,EAAE,SAAS,OAAA,EAAS,cAAA,IAAkB,QAAQ,GAAA,CAAI,sBAAA,CAAA;AACvF,IAAA,MAAM,cAAA,GACJ,OAAA,EAAS,OAAA,EAAS,cAAA,IAClB,OAAA,CAAQ,GAAA,CAAI,sBAAA,IACZ,MAAA,CAAO,UAAA,EAAW,GAAI,MAAA,CAAO,UAAA,EAAW;AAE1C,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,eAAe,YAAA,IAAgB,IAAA;AACpC,IAAA,IAAA,CAAK,cAAc,WAAA,IAAe,IAAA;AAClC,IAAA,IAAA,CAAK,MAAA,GAAS,SAAS,MAAA,IAAU,cAAA;AACjC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,EAAS,OAAA,EAAS,UAAA,IAAc,mBAAA;AAClD,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,YAAA,IAAgB,sBAAA;AACtD,IAAA,IAAA,CAAK,cAAA,GAAiB,cAAA;AACtB,IAAA,IAAA,CAAK,gBAAgB,OAAA,EAAS,OAAA,EAAS,aAAA,IAAiB,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AACjF,IAAA,IAAA,CAAK,cAAA,GAAiB,cAAA;AACtB,IAAA,IAAA,CAAK,eAAe,sBAAA,KAA2B,cAAA,CAAe,WAAW,CAAA,GAAI,cAAA,CAAe,CAAC,CAAA,GAAI,MAAA,CAAA;AACjG,IAAA,IAAA,CAAK,UAAA,GAAa,CAAC,CAAC,YAAA;AACpB,IAAA,IAAA,CAAK,IAAA,GAAO,kBAAA,CAAmB,IAAI,GAAA,CAAI,eAAe,CAAC,CAAA;AAEvD,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,IAAI,cAAA,CAAe,SAAS,EAAA,EAAI;AAC9B,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SACF;AAAA,MACF;AAEA,MAAA,IAAI,CAAC,2BAAA,EAA6B;AAChC,QAAA,MAAM,OAAA,GACJ,gJAAA;AACF,QAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA,EAAc;AACzC,UAAA,MAAM,IAAI,MAAM,OAAO,CAAA;AAAA,QACzB;AACA,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN,GAAG,OAAO,CAAA,wFAAA;AAAA,SACZ;AAAA,MACF;AAEA,MAAA,IAAA,CAAK,iBAAA,EAAkB;AACvB,MAAA,IAAA,CAAK,qBAAA,EAAsB;AAAA,IAC7B;AAEA,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA,EAEA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAyD;AAC9F,IAAA,IAAI,IAAA,CAAK,cAAc,OAAA,EAAS;AAC9B,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,wBAAA,CAAyB,OAAO,CAAA;AAC/D,MAAA,IAAI,aAAa,OAAO,WAAA;AAAA,IAC1B;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,CAAA;AAC3C,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,IAAI,CAAC,IAAA,EAAM,QAAA,IAAY,CAAC,IAAA,EAAM
,IAAI,OAAO,KAAA;AACzC,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,IAAA,CAAK,SAAS,CAAA;AAChD,IAAA,IAAI,SAAA,KAAc,MAAA,KAAc,CAAC,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,IAAK,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,CAAA,EAAI,OAAO,KAAA;AAC/F,IAAA,OAAO,IAAA,CAAK,qBAAA,CAAsB,IAAA,CAAK,YAAY,CAAA;AAAA,EACrD;AAAA,EAEA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,wBAAA,CAAyB,OAAO,CAAA;AAC/D,MAAA,IAAI,aAAa,OAAO,WAAA;AAAA,IAC1B;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,kBAAA,CAAmB,OAAO,CAAA;AAC7C,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,KAAA,EAAO,OAAO,CAAA;AAAA,EAC9C;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AACzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,kBAAkB,IAAA,EAA0B;AAC1C,IAAA,OAAO,CAAA,MAAA,EAAS,KAAK,EAAE,CAAA,CAAA;AAAA,EACzB;AAAA,EAEA,YAAA,GAAwB;AACtB,IAAA,OAAO,IAAA,CAAK,UAAA;AAAA,EACd;AAAA,EAEA,iBAAA,GAA8B;AAC5B,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,cAAc,CAAA;AAAA,EAChC;AAAA,EAEA,eAAA,GAAsC;AACpC,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA,EAEA,WAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AAAA,EAEA,MAAc,aAAA,CAAc,KAAA,EAAe,KAAA,EAAqC;AAC9E,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAA,EAAO,KAAK,IAAA,EAAM;AAAA,MACpD,MAAA,EAAQ,cAAA;AAAA,MACR,UAAU,IAAA,CAAK;AAAA,KAChB,CAAA;AAED,IAAA,IAAI,KAAA,IAAS,OAAA,CAAQ,KAAA,KAAU,KAAA,EAAO;AACpC,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AAEA,IAAA,IAAI,UAAA,CAAW,OAAO,CAAA,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,IAC/C;AAEA,IAAA,MAAM,IAAA,GAAO,sBAAsB,OAAO,CAAA;AAC1C,IAAA,IAAI,CAAC,KAAK,QAAA,EAAU;AAClB,MAAA,MAAM,IAAI,MAAM,oCAAoC,CAAA;AAAA,IACtD;AAEA,IAAA,IAAI,CAAC,IAAA,CAAK,qBAAA,CAAsB,IAAA,CAAK,YAAY,CAAA,EAAG;AAClD,MAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,IAClE;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEQ,sBAAsB,YAAA,EAA2C;AACvE,IAAA,IAAI,IAAA,CAAK,cAAA,CAAe,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC7C,IAAA,MAAM,MAAA,GAAS,gBAAgB,YAAY,CAAA;AAC3C,IAAA,IAAI,CAAC,QAAQ,OAAO,KAAA;AACpB,IAAA,OAAO,IAAA,CAAK,cAAA,CAAe,QAAA,CAAS,MAAM,CAAA;AAAA,EAC5C;AAAA,EAEQ,mBAAmB,OAAA,EAAiC;AAC1D,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CA
AA;AACtD,IAAA,IAAI,CAAC,YAAY,OAAO,IAAA;AACxB,IAAA,MAAM,QAAQ,UAAA,CAAW,OAAA,CAAQ,aAAA,EAAe,EAAE,EAAE,IAAA,EAAK;AACzD,IAAA,OAAO,KAAA,IAAS,IAAA;AAAA,EAClB;AAAA,EAEQ,YAAY,MAAA,EAAwB;AAC1C,IAAA,MAAM,KAAA,GAAQ,2CAA2C,MAAM,CAAA,CAAA;AAC/D,IAAA,OAAO,IAAA,CAAK,aAAA,GAAgB,CAAA,EAAG,KAAK,CAAA,QAAA,CAAA,GAAa,KAAA;AAAA,EACnD;AAAA,EAEA,MAAc,yBAAyB,OAAA,EAAwD;AAC7F,IAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AAEpB,IAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,IAAI,MAAA,CAAO,CAAA,WAAA,EAAc,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AAC3F,IAAA,IAAI,CAAC,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,IAAA;AAExB,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAe,MAAM,cAAA,CAAe,kBAAA,CAAmB,MAAM,CAAC,CAAC,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA;AAK3F,MAAA,IAAI,WAAA,CAAY,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AACtC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,aAAA,GAAgB,eAAA,CAAgB,WAAA,CAAY,IAAA,CAAK,SAAS,CAAA;AAChE,MAAA,IAAI,aAAA,KAAkB,MAAA,KAAc,CAAC,MAAA,CAAO,QAAA,CAAS,aAAa,CAAA,IAAK,aAAA,GAAgB,IAAA,CAAK,GAAA,EAAI,CAAA,EAAI;AAClG,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,EAAE,SAAA,EAAW,UAAA,EAAY,GAAG,WAAA,KAAgB,WAAA,CAAY,IAAA;AAC9D,MAAA,MAAM,IAAA,GAAmB;AAAA,QACvB,GAAG,WAAA;AAAA,QACH,GAAI,aAAA,KAAkB,MAAA,GAAY,EAAE,SAAA,EAAW,IAAI,IAAA,CAAK,aAAa,CAAA,EAAE,GAAI;AAAC,OAC9E;AAEA,MAAA,IAAI,CAAC,IAAA,CAAK,qBAAA,CAAsB,IAAA,CAAK,YAAY,CAAA,EAAG;AAClD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,iBAAA,GAA0B;AAChC,IAAA,MAAM,IAAA,GAAO,IAAA;AAEb,IAAC,IAAA,CAA6C,WAAA,GAAc,eAC1D,WAAA,EACA,KAAA,EACiB;AACjB,MAAA,MAAM,iBAAA,GAAoB,eAAe,IAAA,CAAK,WAAA;AAC9C,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,MAAM,IAAI,MAAM,uFAAuF,CAAA;AAAA,MACzG;AAEA,MAAA,MAAM,KAAA,GAAQ,OAAO,UAAA,EAAW;AAChC,MAAA,MAAM,cAAc,MAAM,gBAAA,CAAiB,OAAO,iBAAA,EAAmB,KAAA,EAAO,KAAK,cAAc,CAAA;AAC/F,MAAA,MAAM,aAAa,CAAA,EAAG,WAAW,CAAA,EAAG,4BAAA,CAA6B,KAAK,CAAC,CAAA,CAAA;AACvE,MAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,QACjC,WAAW,IAAA,CAAK,QAAA;AAAA,QAChB,aAAA,EAAe,MAAA;AAAA,QACf,KAAA
,EAAO,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AAAA,QAC3B,YAAA,EAAc,iBAAA;AAAA,QACd,KAAA,EAAO,UAAA;AAAA,QACP;AAAA,OACD,CAAA;AAED,MAAA,IAAI,KAAK,YAAA,EAAc;AACrB,QAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,IAAA,CAAK,YAAY,CAAA;AAAA,MACpC;AAEA,MAAA,OAAO,CAAA,EAAG,wBAAwB,CAAA,CAAA,EAAI,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,IACzD,CAAA;AAEA,IAAC,IAAA,CAA6C,cAAA,GAAiB,eAC7D,IAAA,EACA,aAAA,EACwC;AACxC,MAAA,MAAM,WAAA,GAAc,+BAA+B,aAAa,CAAA;AAChE,MAAA,MAAM,EAAE,eAAe,WAAA,EAAa,KAAA,KAAU,MAAM,gBAAA,CAAiB,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA;AACrG,MAAA,yBAAA,CAA0B,eAAe,aAAa,CAAA;AAEtD,MAAA,MAAM,aAAA,GAAgB,MAAM,KAAA,CAAM,gBAAA,EAAkB;AAAA,QAClD,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,QAC/D,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,UACxB,UAAA,EAAY,oBAAA;AAAA,UACZ,IAAA;AAAA,UACA,WAAW,IAAA,CAAK,QAAA;AAAA,UAChB,eAAe,IAAA,CAAK,YAAA;AAAA,UACpB,YAAA,EAAc;AAAA,SACf,CAAA;AAAA,QACD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,OACnC,CAAA;AAED,MAAA,IAAI,CAAC,cAAc,EAAA,EAAI;AACrB,QAAA,MAAM,KAAA,GAAQ,MAAM,aAAA,CAAc,IAAA,EAAK;AACvC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,8BAAA,EAAiC,KAAK,CAAA,CAAE,CAAA;AAAA,MAC1D;AAEA,MAAA,MAAM,MAAA,GAAU,MAAM,aAAA,CAAc,IAAA,EAAK;AAQzC,MAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACpB,QAAA,MAAM,IAAI,MAAM,mDAAmD,CAAA;AAAA,MACrE;AAEA,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,aAAA,CAAc,MAAA,CAAO,UAAU,KAAK,CAAA;AAC5D,MAAA,MAAM,WAAA,GAAc;AAAA,QAClB,IAAA;AAAA,QACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,KAAK,YAAA,GAAe;AAAA,OAC9C;AACA,MAAA,MAAM,gBAAA,GAAmB,MAAM,cAAA,CAAe,WAAA,EAAa,KAAK,cAAc,CAAA;AAC9E,MAAA,MAAM,WAAA,GAAc,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,CAAA,EAAI,kBAAA,CAAmB,gBAAgB,CAAC,CAAA,EAAA,EAAK,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,YAAY,CAAC,CAAA,CAAA;AAEtH,MAAA,OAAO;AAAA,QACL,IAAA;AAAA,QACA,MAAA,EAAQ;AAAA,UACN,aAAa,MAAA,CAAO,YAAA;AAAA,UACpB,cAAc,MAAA,CAAO,aAAA;AAAA,UACrB,SAAS,MAAA,CAAO,QAAA;AAAA,UAChB,SAAA,EAAW,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,MAAA,CAAO,aAAa,GAAI;AAAA,SAC3D;AAAA,QACA,OAAA,EAAS,CAAC,WAAW;AAAA,OACvB;AAAA,IACF,CAAA;AAEA,IAAC,IAAA,CAA6C,uBAAuB,WAA4B;AAC/F,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,QAAA;AAAA,QACV,IAAA,EAAM,qBA
AA;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,IACF,CAAA;AAEA,IAAC,IAAA,CAA6C,kBAAkB,WAAsB;AACpF,MAAA,OAAO,EAAC;AAAA,IACV,CAAA;AAEA,IAAC,IAAA,CAA6C,eAAe,iBAA0C;AACrG,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAAA,EACF;AAAA,EAEQ,qBAAA,GAA8B;AACpC,IAAA,MAAM,IAAA,GAAO,IAAA;AAEb,IAAC,IAAA,CAA8C,aAAA,GAAgB,eAC7D,MAAA,EACA,QAAA,EACkB;AAClB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,QACtB,MAAA;AAAA,QACA,SAAA,EAAW,GAAA;AAAA,QACX,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,IAAA,CAAK,eAAe,GAAI,CAAA;AAAA,QAC5D;AAAA,OACF;AAAA,IACF,CAAA;AAEA,IAAC,IAAA,CAA8C,kBAAkB,iBAA2C;AAC1G,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAEA,IAAC,IAAA,CAA8C,iBAAiB,iBAAiC;AAAA,IAAC,CAAA;AAElG,IAAC,IAAA,CAA8C,iBAAiB,iBAA2C;AACzG,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAEA,IAAC,IAAA,CAA8C,uBAAA,GAA0B,SACvE,OAAA,EACe;AACf,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAC3C,MAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,MAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,IAAI,MAAA,CAAO,CAAA,WAAA,EAAc,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AAC3F,MAAA,OAAO,QAAQ,CAAC,CAAA,GAAI,mBAAmB,KAAA,CAAM,CAAC,CAAC,CAAA,GAAI,IAAA;AAAA,IACrD,CAAA;AAEA,IAAC,IAAA,CAA8C,oBAAoB,WAAoC;AACrG,MAAA,OAAO,EAAC;AAAA,IACV,CAAA;AAEA,IAAC,IAAA,CAA8C,yBAAyB,WAAoC;AAC1G,MAAA,OAAO;AAAA,QACL,YAAA,EAAc,GAAG,IAAA,CAAK,UAAU,MAAM,IAAA,CAAK,WAAA,CAAY,CAAC,CAAC,CAAA;AAAA,OAC3D;AAAA,IACF,CAAA;AAAA,EACF;AACF;AC1kBA,IAAM,eAAA,GAAkB,qCAAA;AACxB,IAAM,oBAAA,GAAuB,wDAAA;AAC7B,IAAM,wBAAA,GAA2B,CAAC,gEAAgE,CAAA;AAClG,IAAM,uBAAuB,EAAA,GAAK,GAAA;AAClC,IAAM,sBAAA,GAAyB,GAAA;AAC/B,IAAM,wBAAA,GAA2B,GAAA;AAO1B,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,cAAA,GAAiB,CAAA;AAAA,EACjB,mBAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAI,CAAC,QAAQ,WAAA,EAAa;AACxB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IACxD;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,cAAc,OAAA,CAAQ,WAAA;AAC3B,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,QAAA,CAAoC;AAAA,MACxD,GAAA,EAAK,OAAA,CAAQ,K
AAA,EAAO,OAAA,IAAW,sBAAA;AAAA,MAC/B,GAAA,EAAK,OAAA,CAAQ,KAAA,EAAO,KAAA,IAAS;AAAA,KAC9B,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAA,EAAG;AAC9B,MAAA,OAAO,IAAA,CAAK,MAAA;AAAA,IACd;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACxC,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAO,CAAA;AAC1C,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,eAAe,IAAA,CAAK,oBAAA,CAAqB,OAAO,CAAA,CAAE,MAAM,CAAA,GAAA,KAAO;AACnE,MAAA,OAAA,CAAQ,KAAA,CAAM,+DAA+D,GAAG,CAAA;AAChF,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,OAAO,CAAA;AAC9B,MAAA,MAAM,GAAA;AAAA,IACR,CAAC,CAAA;AACD,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,EAAS,YAAY,CAAA;AACzC,IAAA,OAAO,YAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,OAAA,KAAW,iBAAA,CAAkB,OAAA,EAAS,UAAU,CAAC,CAAA;AAAA,EAC3E;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,aAAW,iBAAA,CAAkB,OAAA,EAAS,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC5G;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,aAAW,iBAAA,CAAkB,OAAA,EAAS,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC3G;AAAA,EAEA,MAAM,iBAAA,GAA6D;AACjE,IAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,QAAQ,WAAW,CAAA,CACxC,OAAO,CAAA
,GAAA,KAAO,GAAA,KAAQ,UAAU,CAAA,CAChC,IAAI,CAAA,GAAA,MAAQ,EAAE,IAAI,GAAA,EAAK,IAAA,EAAM,KAAI,CAAE,CAAA;AAAA,EACxC;AAAA,EAEA,MAAM,sBAAsB,MAAA,EAAmC;AAC7D,IAAA,OAAO,8BAA8B,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,QAAQ,WAAW,CAAA;AAAA,EACzE;AAAA,EAEA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,EACxB;AAAA,EAEA,eAAe,OAAA,EAAuB;AACpC,IAAA,IAAA,CAAK,UAAA,CAAW,OAAO,OAAO,CAAA;AAAA,EAChC;AAAA,EAEA,aAAA,GAAmD;AACjD,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,KAAK,UAAA,CAAW,IAAA;AAAA,MACtB,OAAA,EAAS,KAAK,UAAA,CAAW;AAAA,KAC3B;AAAA,EACF;AAAA,EAEQ,eAAe,IAAA,EAAsC;AAC3D,IAAA,IAAI,IAAA,CAAK,QAAQ,UAAA,EAAY;AAC3B,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA;AAAA,IACrC;AACA,IAAA,OAAO,IAAA,CAAK,KAAA;AAAA,EACd;AAAA,EAEA,MAAc,qBAAqB,OAAA,EAAoC;AACrE,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,EAAS;AAClC,IAAA,MAAM,KAAA,uBAAY,GAAA,EAAY;AAC9B,IAAA,IAAI,SAAA;AAEJ,IAAA,GAAG;AACD,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,oBAAoB,CAAA;AACxC,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,SAAA,EAAW,OAAO,CAAA;AACvC,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,YAAA,EAAc,KAAK,CAAA;AACxC,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,SAAS,CAAA;AAAA,MAC7C;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA;AAAA,UAC9B,MAAA,EAAQ;AAAA,SACV;AAAA,QACA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,wBAAwB;AAAA,OACrD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,QAAA,CAAS,MAAM,MAAM,MAAM,QAAA,CAAS,IAAA,EAAM,CAAA,CAAE,CAAA;AAAA,MACtG;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,KAAA,MAAW,KAAA,IAAS,IAAA,CAAK,MAAA,IAAU,EAAC,EAAG;AACrC,QAAA,MAAM,WAAA,GAAc,KAAK,OAAA,CAAQ,eAAA,GAAkB,KAAK,CAAA,IAAK,CAAC,MAAM,KAAK,CAAA;AACzE,QAAA,KAAA,MAAW,QAAQ,WAAA,EAAa;AAC9B,UAAA,IAAI,IAAA,EAAM,KAAA,CAAM,GAAA,CAAI,IAAI,CAAA;AAAA,QAC1B;AAAA,MACF;AACA,MAAA,SAAA,GAAY,IAAA,CAAK,aAAA;AAAA,IACnB,CAAA,QAAS,SAAA;AAET,IAAA,OAAO,KAAA,CAAM,KAAK,KAAK,CAAA;AAAA,EACzB;AAAA,EAEA,MAAc,QAAA,GAA4B;AACxC,IAAA,IAAI,IAAA,CAAK,QAAQ,cAAA,EAAgB;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAQ,cAAA,EA
Ae;AAAA,IACrC;AAEA,IAAA,IAAI,KAAK,WAAA,IAAe,IAAA,CAAK,KAAI,GAAI,IAAA,CAAK,iBAAiB,GAAA,EAAQ;AACjE,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IACd;AAEA,IAAA,IAAI,IAAA,CAAK,QAAQ,cAAA,EAAgB;AAC/B,MAAA,IAAI,CAAC,KAAK,mBAAA,EAAqB;AAC7B,QAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA,CAAK,sBAAA,EAAuB,CAAE,QAAQ,MAAM;AACrE,UAAA,IAAA,CAAK,mBAAA,GAAsB,MAAA;AAAA,QAC7B,CAAC,CAAA;AAAA,MACH;AACA,MAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,IACd;AAEA,IAAA,IAAI,KAAK,WAAA,EAAa;AACpB,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IACd;AAEA,IAAA,MAAM,IAAI,MAAM,8DAA8D,CAAA;AAAA,EAChF;AAAA,EAEA,MAAc,sBAAA,GAA0C;AACtD,IAAA,MAAM,OAAA,GAAU,KAAK,OAAA,CAAQ,cAAA;AAC7B,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,EAAK,OAAA,EAAS,KAAK,KAAA,EAAO,GAAI,OAAA,CAAQ,YAAA,GAAe,EAAE,GAAA,EAAK,OAAA,CAAQ,YAAA,EAAa,GAAI,EAAC,EAAG;AAC1G,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,KAAK,OAAA,CAAQ,WAAA;AAAA,MACb,KAAA,EAAA,CAAQ,OAAA,CAAQ,MAAA,IAAU,wBAAA,EAA0B,KAAK,GAAG,CAAA;AAAA,MAC5D,GAAA,EAAK,eAAA;AAAA,MACL,KAAK,GAAA,GAAM,IAAA;AAAA,MACX,GAAA,EAAK,GAAA;AAAA,MACL,GAAI,QAAQ,OAAA,GAAU,EAAE,KAAK,OAAA,CAAQ,OAAA,KAAY;AAAC,KACpD;AACA,IAAA,MAAM,WAAW,CAAA,EAAG,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,UAAU,MAAM,CAAC,CAAC,CAAA,CAAA,EAAI,KAAK,SAAA,CAAU,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAC,CAAA,CAAA;AACnG,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,mBAAA,CAAoB,OAAA,CAAQ,UAAU,CAAA;AAE9D,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI;AACF,MAAA,SAAA,GAAY,UAAA,CAAW,YAAY,CAAA,CAAE,MAAA,CAAO,QAAQ,CAAA,CAAE,IAAA,CAAK,YAAY,WAAW,CAAA;AAAA,IACpF,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,QAAA,CAAS,YAAY,CAAA;AACjD,MAAA,MAAM,MAAA,GAAS,UAAA,CAAW,QAAA,CAAS,UAAU,CAAA;AAC7C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,sDAAuD,GAAA,CAAc,OAAO,CAAA,yBAAA,EACjD,QAAQ,iBAAiB,MAAM,CAAA,gHAAA;AAAA,OAE5D;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,eAAA,EAAiB;AAAA,MAC5C,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,MAC/D,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,QACxB,UAAA,EAAY,6CAAA;AAAA,QACZ,SAAA,EAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA,OACpC,CAAA;AAAA,MACD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,wBAAw
B;AAAA,KACrD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6CAAA,EAAgD,QAAA,CAAS,MAAM,MAAM,MAAM,QAAA,CAAS,IAAA,EAAM,CAAA,CAAE,CAAA;AAAA,IAC9G;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,IAAA,CAAK,cAAc,IAAA,CAAK,YAAA;AACxB,IAAA,IAAA,CAAK,cAAA,GAAiB,IAAA,CAAK,GAAA,EAAI,GAAI,KAAK,UAAA,GAAa,GAAA;AACrD,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA,EAEQ,UAAU,KAAA,EAAuB;AACvC,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAAA,EAChD;AAAA,EAEQ,oBAAoB,GAAA,EAAqB;AAC/C,IAAA,IAAI,GAAA,GAAM,IAAI,IAAA,EAAK;AAEnB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,MAAA,MAAM,MAAA,GAAS,GAAA;AACf,MAAA,IAAI,GAAA,CAAI,QAAA,CAAS,GAAG,CAAA,EAAG,GAAA,GAAM,IAAI,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,CAAE,IAAA,EAAK;AACnD,MAAA,IAAK,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,IAAK,IAAI,QAAA,CAAS,GAAG,CAAA,IAAO,GAAA,CAAI,WAAW,GAAG,CAAA,IAAK,GAAA,CAAI,QAAA,CAAS,GAAG,CAAA,EAAI;AAC5F,QAAA,GAAA,GAAM,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAAA,MACvB;AACA,MAAA,IAAK,GAAA,CAAI,UAAA,CAAW,KAAK,CAAA,IAAK,IAAI,QAAA,CAAS,KAAK,CAAA,IAAO,GAAA,CAAI,WAAW,KAAK,CAAA,IAAK,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA,EAAI;AACpG,QAAA,GAAA,GAAM,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAAA,MACvB;AACA,MAAA,IAAI,QAAQ,MAAA,EAAQ;AAAA,IACtB;AAEA,IAAA,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,MAAA,EAAQ,IAAI,CAAA;AAC9B,IAAA,GAAA,GAAM,IAAI,OAAA,CAAQ,MAAA,EAAQ,GAAG,CAAA,CAAE,OAAA,CAAQ,QAAQ,GAAG,CAAA;AAClD,IAAA,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,QAAA,EAAU,IAAI,CAAA;AAChC,IAAA,IAAI,CAAC,GAAA,CAAI,QAAA,CAAS,IAAI,GAAG,GAAA,IAAO,IAAA;AAChC,IAAA,OAAO,GAAA;AAAA,EACT;AACF","file":"index.js","sourcesContent":["/**\n * Shared types for Google Workspace authentication and RBAC.\n */\n\nimport type { EEUser, RoleMapping } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport type { JWTPayload } from 'jose';\n\n/**\n * Google user claims mapped to Mastra's enterprise user shape.\n */\nexport interface GoogleUser extends EEUser {\n /** Google Account subject 
identifier. */\n googleId: string;\n /** Verified ID token expiration time, when available. */\n expiresAt?: Date;\n /** Google Workspace or Cloud organization domain from the verified `hd` claim. */\n hostedDomain?: string;\n /** Whether Google reports the email address as verified. */\n emailVerified?: boolean;\n /** Optional Google Workspace group roles attached by a caller. */\n groups?: string[];\n}\n\n/**\n * Google Workspace Directory group returned by the Admin SDK Directory API.\n */\nexport interface GoogleWorkspaceGroup {\n /** Group unique ID. */\n id?: string;\n /** Primary group email address. */\n email: string;\n /** Display name. */\n name?: string;\n /** Optional description. */\n description?: string;\n /** Direct member count, returned as a string by the Directory API. */\n directMembersCount?: string;\n}\n\n/**\n * Maps verified Google ID token claims to GoogleUser format.\n */\nexport function mapGoogleClaimsToUser(payload: JWTPayload): GoogleUser {\n const googleId = (payload.sub as string) || '';\n const email = payload.email as string | undefined;\n const hostedDomain = payload.hd as string | undefined;\n const emailVerified = payload.email_verified as boolean | undefined;\n\n return {\n id: googleId,\n googleId,\n email,\n name:\n (payload.name as string) ||\n [payload.given_name, payload.family_name].filter(Boolean).join(' ') ||\n email ||\n undefined,\n avatarUrl: payload.picture as string | undefined,\n expiresAt: typeof payload.exp === 'number' ? new Date(payload.exp * 1000) : undefined,\n hostedDomain,\n emailVerified,\n groups: payload.groups as string[] | undefined,\n metadata: {\n googleId,\n hostedDomain,\n emailVerified,\n givenName: payload.given_name,\n familyName: payload.family_name,\n },\n };\n}\n\n/**\n * Session cookie configuration for MastraAuthGoogle.\n */\nexport interface GoogleSessionOptions {\n /** Cookie name for the session. Defaults to `google_session`. */\n cookieName?: string;\n /** Cookie max age in seconds. 
Defaults to 86400 (24 hours). */\n cookieMaxAge?: number;\n /**\n * Password for encrypting session cookies. Must be at least 32 characters.\n * Defaults to GOOGLE_COOKIE_PASSWORD.\n */\n cookiePassword?: string;\n /**\n * Set the Secure flag on session cookies.\n * Defaults to true when NODE_ENV=production, false otherwise.\n */\n secureCookies?: boolean;\n}\n\n/**\n * Options for MastraAuthGoogle.\n */\nexport interface MastraAuthGoogleOptions extends MastraAuthProviderOptions<GoogleUser> {\n /** Google OAuth client ID. Defaults to GOOGLE_CLIENT_ID. */\n clientId?: string;\n /** Google OAuth client secret. Defaults to GOOGLE_CLIENT_SECRET. Required for SSO. */\n clientSecret?: string;\n /** OAuth redirect URI for the SSO callback. Defaults to GOOGLE_REDIRECT_URI. */\n redirectUri?: string;\n /** OAuth scopes to request. Defaults to `['openid', 'profile', 'email']`. */\n scopes?: string[];\n /**\n * Allowed Google Workspace hosted domains.\n * Defaults to comma-separated GOOGLE_ALLOWED_DOMAINS.\n */\n allowedDomains?: string | string[];\n /**\n * Google OAuth hosted-domain login hint.\n * Defaults to GOOGLE_HOSTED_DOMAIN, or the single allowed domain when exactly one domain is configured.\n */\n hostedDomain?: string;\n /** Session configuration. */\n session?: GoogleSessionOptions;\n}\n\n/**\n * Service account configuration for Workspace Directory API access.\n */\nexport interface GoogleWorkspaceServiceAccount {\n /** Google service account email. */\n clientEmail: string;\n /** PEM-encoded private key. Supports escaped `\\n` values from .env files. */\n privateKey: string;\n /** Optional private key ID. */\n privateKeyId?: string;\n /**\n * Google Workspace administrator user to impersonate with domain-wide delegation.\n * Required by most Admin SDK Directory API deployments.\n */\n subject?: string;\n /** OAuth scopes for the service account token. 
*/\n scopes?: string[];\n}\n\n/**\n * Cache configuration for RBAC group lookups.\n */\nexport interface PermissionCacheOptions {\n /** Maximum number of users to cache. Defaults to 1000. */\n maxSize?: number;\n /** Time-to-live in milliseconds. Defaults to 60000. */\n ttlMs?: number;\n}\n\n/**\n * Options for MastraRBACGoogle.\n */\nexport interface MastraRBACGoogleOptions {\n /** Pre-obtained Workspace Directory API access token. */\n accessToken?: string;\n /** Callback that returns a Workspace Directory API access token. */\n getAccessToken?: () => Promise<string> | string;\n /** Service account credentials for domain-wide delegated Directory API access. */\n serviceAccount?: GoogleWorkspaceServiceAccount;\n /** Map Google Workspace group roles to Mastra permissions. */\n roleMapping: RoleMapping;\n /** Extract the Google Directory API userKey from any authenticated user object. Defaults to `user.email`. */\n getUserKey?: (user: unknown) => string | undefined;\n /** Map a Google Workspace group to one or more RBAC role IDs. Defaults to `[group.email]`. */\n mapGroupToRoles?: (group: GoogleWorkspaceGroup) => string[];\n /** Permission cache configuration. 
*/\n cache?: PermissionCacheOptions;\n}\n","/**\n * MastraAuthGoogle - Google OpenID Connect authentication provider.\n *\n * Supports Google OAuth 2.0 / OIDC login, encrypted session cookies, Bearer ID\n * token verification, and Google Workspace hosted-domain restrictions.\n */\n\nimport type {\n ISSOProvider,\n ISessionProvider,\n IUserProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n} from '@mastra/core/auth';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport { createRemoteJWKSet, jwtVerify } from 'jose';\nimport type { JWTPayload } from 'jose';\n\nimport type { GoogleUser, MastraAuthGoogleOptions } from './types';\nimport { mapGoogleClaimsToUser } from './types';\n\ntype HonoRequestLike = {\n raw?: Request;\n headers?: Headers;\n header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nconst GOOGLE_AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/v2/auth';\nconst GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';\nconst GOOGLE_JWKS_URL = 'https://www.googleapis.com/oauth2/v3/certs';\nconst GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];\n\nconst DEFAULT_COOKIE_NAME = 'google_session';\nconst DEFAULT_COOKIE_MAX_AGE = 86400;\nconst DEFAULT_SCOPES = ['openid', 'profile', 'email'];\nconst STATE_TOKEN_EXPIRY_MS = 10 * 60 * 1000;\nconst SALT_LENGTH = 16;\nconst IV_LENGTH = 12;\n\ninterface StatePayload {\n /** Original state from caller. */\n s: string;\n /** Redirect URI used for token exchange. */\n r: string;\n /** Expiry timestamp. */\n e: number;\n /** OIDC nonce tied to the ID token. */\n n: string;\n}\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n if (request instanceof Request) {\n return request.headers.get(name);\n }\n\n return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? 
null;\n}\n\nfunction normalizeDomain(domain: string | undefined | null): string | undefined {\n const normalized = domain?.trim().toLowerCase().replace(/^@/, '');\n return normalized || undefined;\n}\n\nfunction normalizeAllowedDomains(value: string | string[] | undefined): string[] {\n if (!value) return [];\n const parts = Array.isArray(value) ? value : value.split(',');\n return Array.from(new Set(parts.map(normalizeDomain).filter((domain): domain is string => !!domain)));\n}\n\nfunction escapeRegex(str: string): string {\n return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\nfunction getServerRedirectStateSuffix(state: string): string {\n const separatorIndex = state.indexOf('|');\n return separatorIndex === -1 ? '' : state.slice(separatorIndex);\n}\n\nfunction getStateTokenFromCallbackState(state: string): string {\n const separatorIndex = state.indexOf('|');\n return separatorIndex === -1 ? state : state.slice(0, separatorIndex);\n}\n\nfunction verifyCallbackStateSuffix(callbackState: string, originalState: string): void {\n const callbackSuffix = getServerRedirectStateSuffix(callbackState);\n if (!callbackSuffix) return;\n\n if (callbackSuffix !== getServerRedirectStateSuffix(originalState)) {\n throw new Error('Invalid state redirect suffix');\n }\n}\n\nfunction getExpirationMs(expiresAt: unknown): number | undefined {\n if (expiresAt === undefined || expiresAt === null) {\n return undefined;\n }\n\n if (expiresAt instanceof Date) {\n return expiresAt.getTime();\n }\n\n if (typeof expiresAt === 'string' || typeof expiresAt === 'number') {\n return new Date(expiresAt).getTime();\n }\n\n return Number.NaN;\n}\n\nasync function deriveKey(password: string, salt: Uint8Array, usage: 'encrypt' | 'decrypt') {\n const encoder = new TextEncoder();\n const keyMaterial = await crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, [\n 'deriveBits',\n 'deriveKey',\n ]);\n\n return crypto.subtle.deriveKey(\n { name: 'PBKDF2', salt, iterations: 
100000, hash: 'SHA-256' },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n [usage],\n );\n}\n\nasync function encryptSession(data: unknown, password: string): Promise<string> {\n const encoder = new TextEncoder();\n const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));\n const key = await deriveKey(password, salt, 'encrypt');\n const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));\n const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoder.encode(JSON.stringify(data)));\n const combined = new Uint8Array(salt.length + iv.length + new Uint8Array(encrypted).length);\n combined.set(salt);\n combined.set(iv, salt.length);\n combined.set(new Uint8Array(encrypted), salt.length + iv.length);\n return btoa(String.fromCharCode(...combined));\n}\n\nasync function decryptSession(encrypted: string, password: string): Promise<unknown> {\n const combined = Uint8Array.from(atob(encrypted), c => c.charCodeAt(0));\n if (combined.length < SALT_LENGTH + IV_LENGTH + 1) {\n throw new Error('Invalid encrypted session data');\n }\n const salt = combined.slice(0, SALT_LENGTH);\n const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);\n const data = combined.slice(SALT_LENGTH + IV_LENGTH);\n const key = await deriveKey(password, salt, 'decrypt');\n const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, data);\n return JSON.parse(new TextDecoder().decode(decrypted));\n}\n\nasync function hmacSign(data: string, secret: string): Promise<string> {\n const encoder = new TextEncoder();\n const cryptoKey = await crypto.subtle.importKey(\n 'raw',\n encoder.encode(secret),\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n );\n const signature = await crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(data));\n const sigBytes = new Uint8Array(signature);\n return btoa(String.fromCharCode(...sigBytes))\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=/g, '');\n}\n\nfunction 
timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let result = 0;\n for (let i = 0; i < a.length; i++) {\n result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return result === 0;\n}\n\nasync function createStateToken(\n originalState: string,\n redirectUri: string,\n nonce: string,\n secret: string,\n): Promise<string> {\n const payload: StatePayload = {\n s: originalState,\n r: redirectUri,\n e: Date.now() + STATE_TOKEN_EXPIRY_MS,\n n: nonce,\n };\n const payloadB64 = btoa(JSON.stringify(payload));\n const signature = await hmacSign(payloadB64, secret);\n return `${payloadB64}.${signature}`;\n}\n\nasync function verifyStateToken(\n stateToken: string,\n secret: string,\n): Promise<{ originalState: string; redirectUri: string; nonce: string }> {\n const parts = stateToken.split('.');\n if (parts.length !== 2) {\n throw new Error('Invalid state token format');\n }\n\n const [payloadB64, signature] = parts as [string, string];\n const expectedSig = await hmacSign(payloadB64, secret);\n if (!timingSafeEqual(signature, expectedSig)) {\n throw new Error('Invalid state token signature');\n }\n\n let payload: StatePayload;\n try {\n payload = JSON.parse(atob(payloadB64)) as StatePayload;\n } catch {\n throw new Error('Invalid state token payload');\n }\n\n if (payload.e < Date.now()) {\n throw new Error('State token has expired');\n }\n\n return {\n originalState: payload.s,\n redirectUri: payload.r,\n nonce: payload.n,\n };\n}\n\nfunction hasExpired(payload: JWTPayload): boolean {\n return typeof payload.exp === 'number' && payload.exp * 1000 < Date.now();\n}\n\nexport class MastraAuthGoogle extends MastraAuthProvider<GoogleUser> implements IUserProvider<GoogleUser> {\n protected clientId: string;\n private clientSecret: string | null;\n private redirectUri: string | null;\n private scopes: string[];\n private cookieName: string;\n private cookieMaxAge: number;\n private cookiePassword: string;\n private secureCookies: 
boolean;\n private allowedDomains: string[];\n private hostedDomain?: string;\n private ssoEnabled: boolean;\n private jwks: ReturnType<typeof createRemoteJWKSet>;\n\n constructor(options?: MastraAuthGoogleOptions) {\n super({ name: options?.name ?? 'google' });\n\n const clientId = options?.clientId ?? process.env.GOOGLE_CLIENT_ID;\n if (!clientId) {\n throw new Error(\n 'Google client ID is required. Provide it in the options or set GOOGLE_CLIENT_ID environment variable.',\n );\n }\n\n const allowedDomains = normalizeAllowedDomains(options?.allowedDomains ?? process.env.GOOGLE_ALLOWED_DOMAINS);\n const configuredHostedDomain = normalizeDomain(options?.hostedDomain ?? process.env.GOOGLE_HOSTED_DOMAIN);\n const clientSecret = options?.clientSecret ?? process.env.GOOGLE_CLIENT_SECRET;\n const redirectUri = options?.redirectUri ?? process.env.GOOGLE_REDIRECT_URI;\n const hasConfiguredCookiePassword = !!(options?.session?.cookiePassword ?? process.env.GOOGLE_COOKIE_PASSWORD);\n const cookiePassword =\n options?.session?.cookiePassword ??\n process.env.GOOGLE_COOKIE_PASSWORD ??\n crypto.randomUUID() + crypto.randomUUID();\n\n this.clientId = clientId;\n this.clientSecret = clientSecret ?? null;\n this.redirectUri = redirectUri ?? null;\n this.scopes = options?.scopes ?? DEFAULT_SCOPES;\n this.cookieName = options?.session?.cookieName ?? DEFAULT_COOKIE_NAME;\n this.cookieMaxAge = options?.session?.cookieMaxAge ?? DEFAULT_COOKIE_MAX_AGE;\n this.cookiePassword = cookiePassword;\n this.secureCookies = options?.session?.secureCookies ?? process.env.NODE_ENV === 'production';\n this.allowedDomains = allowedDomains;\n this.hostedDomain = configuredHostedDomain ?? (allowedDomains.length === 1 ? allowedDomains[0] : undefined);\n this.ssoEnabled = !!clientSecret;\n this.jwks = createRemoteJWKSet(new URL(GOOGLE_JWKS_URL));\n\n if (this.ssoEnabled) {\n if (cookiePassword.length < 32) {\n throw new Error(\n 'Cookie password must be at least 32 characters for SSO. 
Set GOOGLE_COOKIE_PASSWORD environment variable.',\n );\n }\n\n if (!hasConfiguredCookiePassword) {\n const message =\n '[MastraAuthGoogle] GOOGLE_COOKIE_PASSWORD is required for Google SSO in production. Set GOOGLE_COOKIE_PASSWORD or pass session.cookiePassword.';\n if (process.env.NODE_ENV === 'production') {\n throw new Error(message);\n }\n console.warn(\n `${message} Using an auto-generated value for development only; sessions will not survive restarts.`,\n );\n }\n\n this.attachSSOProvider();\n this.attachSessionProvider();\n }\n\n this.registerOptions(options);\n }\n\n async authenticateToken(token: string, request?: MastraAuthRequest): Promise<GoogleUser | null> {\n if (this.ssoEnabled && request) {\n const sessionUser = await this.getUserFromSessionCookie(request);\n if (sessionUser) return sessionUser;\n }\n\n if (!token || typeof token !== 'string') {\n return null;\n }\n\n try {\n const user = await this.verifyIdToken(token);\n return user;\n } catch {\n return null;\n }\n }\n\n authorizeUser(user: GoogleUser): boolean {\n if (!user?.googleId && !user?.id) return false;\n const expiresAt = getExpirationMs(user.expiresAt);\n if (expiresAt !== undefined && (!Number.isFinite(expiresAt) || expiresAt < Date.now())) return false;\n return this.isHostedDomainAllowed(user.hostedDomain);\n }\n\n async getCurrentUser(request: Request): Promise<GoogleUser | null> {\n if (this.ssoEnabled) {\n const sessionUser = await this.getUserFromSessionCookie(request);\n if (sessionUser) return sessionUser;\n }\n\n const token = this.extractBearerToken(request);\n if (!token) return null;\n\n return this.authenticateToken(token, request);\n }\n\n async getUser(_userId: string): Promise<GoogleUser | null> {\n return null;\n }\n\n getUserProfileUrl(user: GoogleUser): string {\n return `/user/${user.id}`;\n }\n\n isSSOEnabled(): boolean {\n return this.ssoEnabled;\n }\n\n getAllowedDomains(): string[] {\n return [...this.allowedDomains];\n }\n\n getHostedDomain(): string | 
undefined {\n return this.hostedDomain;\n }\n\n getClientId(): string {\n return this.clientId;\n }\n\n private async verifyIdToken(token: string, nonce?: string): Promise<GoogleUser> {\n const { payload } = await jwtVerify(token, this.jwks, {\n issuer: GOOGLE_ISSUERS,\n audience: this.clientId,\n });\n\n if (nonce && payload.nonce !== nonce) {\n throw new Error('Invalid Google ID token nonce');\n }\n\n if (hasExpired(payload)) {\n throw new Error('Google ID token has expired');\n }\n\n const user = mapGoogleClaimsToUser(payload);\n if (!user.googleId) {\n throw new Error('Google ID token is missing subject');\n }\n\n if (!this.isHostedDomainAllowed(user.hostedDomain)) {\n throw new Error('Google user is not in an allowed hosted domain');\n }\n\n return user;\n }\n\n private isHostedDomainAllowed(hostedDomain: string | undefined): boolean {\n if (this.allowedDomains.length === 0) return true;\n const domain = normalizeDomain(hostedDomain);\n if (!domain) return false;\n return this.allowedDomains.includes(domain);\n }\n\n private extractBearerToken(request: Request): string | null {\n const authHeader = request.headers.get('Authorization');\n if (!authHeader) return null;\n const token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n return token || null;\n }\n\n private cookieFlags(maxAge: number): string {\n const flags = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`;\n return this.secureCookies ? 
`${flags}; Secure` : flags;\n }\n\n private async getUserFromSessionCookie(request: MastraAuthRequest): Promise<GoogleUser | null> {\n const cookie = getRequestHeader(request, 'cookie');\n if (!cookie) return null;\n\n const match = cookie.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(this.cookieName)}=([^;]+)`));\n if (!match?.[1]) return null;\n\n try {\n const sessionData = (await decryptSession(decodeURIComponent(match[1]), this.cookiePassword)) as {\n user: Omit<GoogleUser, 'expiresAt'> & { expiresAt?: Date | number | string };\n expiresAt: number;\n };\n\n if (sessionData.expiresAt < Date.now()) {\n return null;\n }\n\n const userExpiresAt = getExpirationMs(sessionData.user.expiresAt);\n if (userExpiresAt !== undefined && (!Number.isFinite(userExpiresAt) || userExpiresAt < Date.now())) {\n return null;\n }\n\n const { expiresAt: _expiresAt, ...sessionUser } = sessionData.user;\n const user: GoogleUser = {\n ...sessionUser,\n ...(userExpiresAt !== undefined ? { expiresAt: new Date(userExpiresAt) } : {}),\n };\n\n if (!this.isHostedDomainAllowed(user.hostedDomain)) {\n return null;\n }\n\n return user;\n } catch {\n return null;\n }\n }\n\n private attachSSOProvider(): void {\n const self = this;\n\n (this as unknown as ISSOProvider<GoogleUser>).getLoginUrl = async function (\n redirectUri: string,\n state: string,\n ): Promise<string> {\n const actualRedirectUri = redirectUri ?? self.redirectUri;\n if (!actualRedirectUri) {\n throw new Error('Redirect URI is required for Google SSO. 
Set GOOGLE_REDIRECT_URI or pass redirectUri.');\n }\n\n const nonce = crypto.randomUUID();\n const signedState = await createStateToken(state, actualRedirectUri, nonce, self.cookiePassword);\n const oauthState = `${signedState}${getServerRedirectStateSuffix(state)}`;\n const params = new URLSearchParams({\n client_id: self.clientId,\n response_type: 'code',\n scope: self.scopes.join(' '),\n redirect_uri: actualRedirectUri,\n state: oauthState,\n nonce,\n });\n\n if (self.hostedDomain) {\n params.set('hd', self.hostedDomain);\n }\n\n return `${GOOGLE_AUTHORIZATION_URL}?${params.toString()}`;\n };\n\n (this as unknown as ISSOProvider<GoogleUser>).handleCallback = async function (\n code: string,\n callbackState: string,\n ): Promise<SSOCallbackResult<GoogleUser>> {\n const signedState = getStateTokenFromCallbackState(callbackState);\n const { originalState, redirectUri, nonce } = await verifyStateToken(signedState, self.cookiePassword);\n verifyCallbackStateSuffix(callbackState, originalState);\n\n const tokenResponse = await fetch(GOOGLE_TOKEN_URL, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: new URLSearchParams({\n grant_type: 'authorization_code',\n code,\n client_id: self.clientId,\n client_secret: self.clientSecret!,\n redirect_uri: redirectUri,\n }),\n signal: AbortSignal.timeout(10_000),\n });\n\n if (!tokenResponse.ok) {\n const error = await tokenResponse.text();\n throw new Error(`Google token exchange failed: ${error}`);\n }\n\n const tokens = (await tokenResponse.json()) as {\n access_token: string;\n id_token?: string;\n refresh_token?: string;\n expires_in: number;\n token_type: string;\n };\n\n if (!tokens.id_token) {\n throw new Error('Google token response did not include an ID token');\n }\n\n const user = await self.verifyIdToken(tokens.id_token, nonce);\n const sessionData = {\n user,\n expiresAt: Date.now() + self.cookieMaxAge * 1000,\n };\n const encryptedSession = await 
encryptSession(sessionData, self.cookiePassword);\n const cookieValue = `${self.cookieName}=${encodeURIComponent(encryptedSession)}; ${self.cookieFlags(self.cookieMaxAge)}`;\n\n return {\n user,\n tokens: {\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token,\n idToken: tokens.id_token,\n expiresAt: new Date(Date.now() + tokens.expires_in * 1000),\n },\n cookies: [cookieValue],\n };\n };\n\n (this as unknown as ISSOProvider<GoogleUser>).getLoginButtonConfig = function (): SSOLoginConfig {\n return {\n provider: 'google',\n text: 'Sign in with Google',\n description: 'Sign in using your Google account',\n };\n };\n\n (this as unknown as ISSOProvider<GoogleUser>).getLoginCookies = function (): string[] {\n return [];\n };\n\n (this as unknown as ISSOProvider<GoogleUser>).getLogoutUrl = async function (): Promise<string | null> {\n return null;\n };\n }\n\n private attachSessionProvider(): void {\n const self = this;\n\n (this as unknown as ISessionProvider<Session>).createSession = async function (\n userId: string,\n metadata?: Record<string, unknown>,\n ): Promise<Session> {\n const now = new Date();\n return {\n id: crypto.randomUUID(),\n userId,\n createdAt: now,\n expiresAt: new Date(now.getTime() + self.cookieMaxAge * 1000),\n metadata,\n };\n };\n\n (this as unknown as ISessionProvider<Session>).validateSession = async function (): Promise<Session | null> {\n return null;\n };\n\n (this as unknown as ISessionProvider<Session>).destroySession = async function (): Promise<void> {};\n\n (this as unknown as ISessionProvider<Session>).refreshSession = async function (): Promise<Session | null> {\n return null;\n };\n\n (this as unknown as ISessionProvider<Session>).getSessionIdFromRequest = function (\n request: Request,\n ): string | null {\n const cookie = request.headers.get('Cookie');\n if (!cookie) return null;\n const match = cookie.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(self.cookieName)}=([^;]+)`));\n return match?.[1] ? 
decodeURIComponent(match[1]) : null;\n };\n\n (this as unknown as ISessionProvider<Session>).getSessionHeaders = function (): Record<string, string> {\n return {};\n };\n\n (this as unknown as ISessionProvider<Session>).getClearSessionHeaders = function (): Record<string, string> {\n return {\n 'Set-Cookie': `${self.cookieName}=; ${self.cookieFlags(0)}`,\n };\n };\n }\n}\n","/**\n * Google Workspace RBAC provider for Mastra.\n *\n * Maps Google Workspace groups from the Admin SDK Directory API to Mastra\n * permissions using a configurable role mapping.\n */\n\nimport { createSign } from 'node:crypto';\n\nimport type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { matchesPermission, resolvePermissionsFromMapping } from '@mastra/core/auth/ee';\nimport { LRUCache } from 'lru-cache';\n\nimport type { GoogleUser, GoogleWorkspaceGroup, MastraRBACGoogleOptions } from './types';\n\nconst OAUTH_TOKEN_URL = 'https://oauth2.googleapis.com/token';\nconst DIRECTORY_GROUPS_URL = 'https://admin.googleapis.com/admin/directory/v1/groups';\nconst DEFAULT_DIRECTORY_SCOPES = ['https://www.googleapis.com/auth/admin.directory.group.readonly'];\nconst DEFAULT_CACHE_TTL_MS = 60 * 1000;\nconst DEFAULT_CACHE_MAX_SIZE = 1000;\nconst DEFAULT_FETCH_TIMEOUT_MS = 10_000;\n\ninterface GroupsListResponse {\n groups?: GoogleWorkspaceGroup[];\n nextPageToken?: string;\n}\n\nexport class MastraRBACGoogle implements IRBACProvider<GoogleUser> {\n private options: MastraRBACGoogleOptions;\n private rolesCache: LRUCache<string, Promise<string[]>>;\n private accessToken?: string;\n private tokenExpiresAt = 0;\n private tokenRefreshPromise?: Promise<string>;\n\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n constructor(options: MastraRBACGoogleOptions) {\n if (!options.roleMapping) {\n throw new Error('Google RBAC roleMapping is required.');\n }\n\n this.options = options;\n this.accessToken = options.accessToken;\n this.rolesCache = new LRUCache<string, 
Promise<string[]>>({\n max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,\n ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS,\n });\n }\n\n async getRoles(user: GoogleUser): Promise<string[]> {\n if (Array.isArray(user.groups)) {\n return user.groups;\n }\n\n const userKey = this.resolveUserKey(user);\n if (!userKey) {\n return [];\n }\n\n const cached = this.rolesCache.get(userKey);\n if (cached) {\n return cached;\n }\n\n const rolesPromise = this.fetchRolesFromGoogle(userKey).catch(err => {\n console.error('[MastraRBACGoogle] Failed to fetch Google Workspace groups:', err);\n this.rolesCache.delete(userKey);\n throw err;\n });\n this.rolesCache.set(userKey, rolesPromise);\n return rolesPromise;\n }\n\n async hasRole(user: GoogleUser, role: string): Promise<boolean> {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n async getPermissions(user: GoogleUser): Promise<string[]> {\n const roles = await this.getRoles(user);\n if (roles.length === 0) {\n return this.options.roleMapping['_default'] ?? 
[];\n }\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n async hasPermission(user: GoogleUser, permission: string): Promise<boolean> {\n const permissions = await this.getPermissions(user);\n return permissions.some(granted => matchesPermission(granted, permission));\n }\n\n async hasAllPermissions(user: GoogleUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(granted => matchesPermission(granted, required)));\n }\n\n async hasAnyPermission(user: GoogleUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(granted => matchesPermission(granted, required)));\n }\n\n async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n return Object.keys(this.options.roleMapping)\n .filter(key => key !== '_default')\n .map(key => ({ id: key, name: key }));\n }\n\n async getPermissionsForRole(roleId: string): Promise<string[]> {\n return resolvePermissionsFromMapping([roleId], this.options.roleMapping);\n }\n\n clearCache(): void {\n this.rolesCache.clear();\n }\n\n clearUserCache(userKey: string): void {\n this.rolesCache.delete(userKey);\n }\n\n getCacheStats(): { size: number; maxSize: number } {\n return {\n size: this.rolesCache.size,\n maxSize: this.rolesCache.max,\n };\n }\n\n private resolveUserKey(user: GoogleUser): string | undefined {\n if (this.options.getUserKey) {\n return this.options.getUserKey(user);\n }\n return user.email;\n }\n\n private async fetchRolesFromGoogle(userKey: string): Promise<string[]> {\n const token = await this.getToken();\n const roles = new Set<string>();\n let pageToken: string | undefined;\n\n do {\n const url = new URL(DIRECTORY_GROUPS_URL);\n url.searchParams.set('userKey', userKey);\n url.searchParams.set('maxResults', '200');\n if (pageToken) {\n 
url.searchParams.set('pageToken', pageToken);\n }\n\n const response = await fetch(url, {\n headers: {\n Authorization: `Bearer ${token}`,\n Accept: 'application/json',\n },\n signal: AbortSignal.timeout(DEFAULT_FETCH_TIMEOUT_MS),\n });\n\n if (!response.ok) {\n throw new Error(`Google Directory groups.list failed (${response.status}): ${await response.text()}`);\n }\n\n const json = (await response.json()) as GroupsListResponse;\n for (const group of json.groups ?? []) {\n const mappedRoles = this.options.mapGroupToRoles?.(group) ?? [group.email];\n for (const role of mappedRoles) {\n if (role) roles.add(role);\n }\n }\n pageToken = json.nextPageToken;\n } while (pageToken);\n\n return Array.from(roles);\n }\n\n private async getToken(): Promise<string> {\n if (this.options.getAccessToken) {\n return this.options.getAccessToken();\n }\n\n if (this.accessToken && Date.now() < this.tokenExpiresAt - 60_000) {\n return this.accessToken;\n }\n\n if (this.options.serviceAccount) {\n if (!this.tokenRefreshPromise) {\n this.tokenRefreshPromise = this.getServiceAccountToken().finally(() => {\n this.tokenRefreshPromise = undefined;\n });\n }\n return this.tokenRefreshPromise;\n }\n\n if (this.accessToken) {\n return this.accessToken;\n }\n\n throw new Error('Google Workspace Directory authentication is not configured.');\n }\n\n private async getServiceAccountToken(): Promise<string> {\n const account = this.options.serviceAccount!;\n const now = Math.floor(Date.now() / 1000);\n const header = { alg: 'RS256', typ: 'JWT', ...(account.privateKeyId ? { kid: account.privateKeyId } : {}) };\n const claim = {\n iss: account.clientEmail,\n scope: (account.scopes ?? DEFAULT_DIRECTORY_SCOPES).join(' '),\n aud: OAUTH_TOKEN_URL,\n exp: now + 3600,\n iat: now,\n ...(account.subject ? 
{ sub: account.subject } : {}),\n };\n const unsigned = `${this.base64Url(JSON.stringify(header))}.${this.base64Url(JSON.stringify(claim))}`;\n const privateKey = this.normalizePrivateKey(account.privateKey);\n\n let signature: string;\n try {\n signature = createSign('RSA-SHA256').update(unsigned).sign(privateKey, 'base64url');\n } catch (err) {\n const hasBegin = privateKey.includes('-----BEGIN');\n const hasEnd = privateKey.includes('-----END');\n throw new Error(\n `Google service account private key signing failed (${(err as Error).message}). ` +\n `Key has BEGIN marker: ${hasBegin}, END marker: ${hasEnd}. ` +\n `Ensure your .env value contains the raw PEM with \\\\n for newlines, without extra surrounding quotes or commas.`,\n );\n }\n\n const response = await fetch(OAUTH_TOKEN_URL, {\n method: 'POST',\n headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n body: new URLSearchParams({\n grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',\n assertion: `${unsigned}.${signature}`,\n }),\n signal: AbortSignal.timeout(DEFAULT_FETCH_TIMEOUT_MS),\n });\n\n if (!response.ok) {\n throw new Error(`Google service account token request failed (${response.status}): ${await response.text()}`);\n }\n\n const json = (await response.json()) as { access_token: string; expires_in: number };\n this.accessToken = json.access_token;\n this.tokenExpiresAt = Date.now() + json.expires_in * 1000;\n return json.access_token;\n }\n\n private base64Url(value: string): string {\n return Buffer.from(value).toString('base64url');\n }\n\n private normalizePrivateKey(key: string): string {\n let out = key.trim();\n\n for (let i = 0; i < 5; i++) {\n const before = out;\n if (out.endsWith(',')) out = out.slice(0, -1).trim();\n if ((out.startsWith('\"') && out.endsWith('\"')) || (out.startsWith(\"'\") && out.endsWith(\"'\"))) {\n out = out.slice(1, -1);\n }\n if ((out.startsWith('\\\\\"') && out.endsWith('\\\\\"')) || (out.startsWith(\"\\\\'\") && out.endsWith(\"\\\\'\"))) 
{\n out = out.slice(2, -2);\n }\n if (out === before) break;\n }\n\n out = out.replace(/\\\\n/g, '\\n');\n out = out.replace(/\\\\\"/g, '\"').replace(/\\\\'/g, \"'\");\n out = out.replace(/\\r\\n?/g, '\\n');\n if (!out.endsWith('\\n')) out += '\\n';\n return out;\n }\n}\n"]}
@@ -0,0 +1,41 @@
1
+ /**
2
+ * Google Workspace RBAC provider for Mastra.
3
+ *
4
+ * Maps Google Workspace groups from the Admin SDK Directory API to Mastra
5
+ * permissions using a configurable role mapping.
6
+ */
7
+ import type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';
8
+ import type { GoogleUser, MastraRBACGoogleOptions } from './types.js';
9
+ export declare class MastraRBACGoogle implements IRBACProvider<GoogleUser> {
10
+ private options;
11
+ private rolesCache;
12
+ private accessToken?;
13
+ private tokenExpiresAt;
14
+ private tokenRefreshPromise?;
15
+ get roleMapping(): RoleMapping;
16
+ constructor(options: MastraRBACGoogleOptions);
17
+ getRoles(user: GoogleUser): Promise<string[]>;
18
+ hasRole(user: GoogleUser, role: string): Promise<boolean>;
19
+ getPermissions(user: GoogleUser): Promise<string[]>;
20
+ hasPermission(user: GoogleUser, permission: string): Promise<boolean>;
21
+ hasAllPermissions(user: GoogleUser, permissions: string[]): Promise<boolean>;
22
+ hasAnyPermission(user: GoogleUser, permissions: string[]): Promise<boolean>;
23
+ getAvailableRoles(): Promise<{
24
+ id: string;
25
+ name: string;
26
+ }[]>;
27
+ getPermissionsForRole(roleId: string): Promise<string[]>;
28
+ clearCache(): void;
29
+ clearUserCache(userKey: string): void;
30
+ getCacheStats(): {
31
+ size: number;
32
+ maxSize: number;
33
+ };
34
+ private resolveUserKey;
35
+ private fetchRolesFromGoogle;
36
+ private getToken;
37
+ private getServiceAccountToken;
38
+ private base64Url;
39
+ private normalizePrivateKey;
40
+ }
41
+ //# sourceMappingURL=rbac-provider.d.ts.map
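Review bot: `getRoles(user: GoogleUser)` is declared here without a doc comment, although the implementation embedded in the source map earlier in this diff returns `user.groups` unchanged whenever it is an array and only queries the Directory API otherwise. Every permission check declared below it (`hasPermission`, `hasAllPermissions`, `hasAnyPermission`) therefore rests on a field the caller attaches, and an empty array also counts, which sends the user straight to the `_default` mapping with no lookup. Since this declaration is emitted from `../src/rbac-provider.ts`, the contract should be documented there, for example `/** Returns user.groups as-is when it is an array; otherwise resolves groups through the Directory API. Set groups only from a trusted, server-side source. */` above `getRoles`. Whether any consuming application builds a `GoogleUser` from request data cannot be seen from this page, so integrators should check that on their side.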
@@ -0,0 +1 @@
1
+ {"version":3,"file":"rbac-provider.d.ts","sourceRoot":"","sources":["../src/rbac-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAIvE,OAAO,KAAK,EAAE,UAAU,EAAwB,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAczF,qBAAa,gBAAiB,YAAW,aAAa,CAAC,UAAU,CAAC;IAChE,OAAO,CAAC,OAAO,CAA0B;IACzC,OAAO,CAAC,UAAU,CAAsC;IACxD,OAAO,CAAC,WAAW,CAAC,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,mBAAmB,CAAC,CAAkB;IAE9C,IAAI,WAAW,IAAI,WAAW,CAE7B;gBAEW,OAAO,EAAE,uBAAuB;IAatC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAwB7C,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKzD,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAQnD,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKrE,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5E,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3E,iBAAiB,IAAI,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAM5D,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAI9D,UAAU,IAAI,IAAI;IAIlB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIrC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAOlD,OAAO,CAAC,cAAc;YAOR,oBAAoB;YAsCpB,QAAQ;YAyBR,sBAAsB;IAgDpC,OAAO,CAAC,SAAS;IAIjB,OAAO,CAAC,mBAAmB;CAqB5B"}
@@ -0,0 +1,131 @@
1
+ /**
2
+ * Shared types for Google Workspace authentication and RBAC.
3
+ */
4
+ import type { EEUser, RoleMapping } from '@mastra/core/auth/ee';
5
+ import type { MastraAuthProviderOptions } from '@mastra/core/server';
6
+ import type { JWTPayload } from 'jose';
7
+ /**
8
+ * Google user claims mapped to Mastra's enterprise user shape.
9
+ */
10
+ export interface GoogleUser extends EEUser {
11
+ /** Google Account subject identifier. */
12
+ googleId: string;
13
+ /** Verified ID token expiration time, when available. */
14
+ expiresAt?: Date;
15
+ /** Google Workspace or Cloud organization domain from the verified `hd` claim. */
16
+ hostedDomain?: string;
17
+ /** Whether Google reports the email address as verified. */
18
+ emailVerified?: boolean;
19
+ /** Optional Google Workspace group roles attached by a caller. */
20
+ groups?: string[];
21
+ }
22
+ /**
23
+ * Google Workspace Directory group returned by the Admin SDK Directory API.
24
+ */
25
+ export interface GoogleWorkspaceGroup {
26
+ /** Group unique ID. */
27
+ id?: string;
28
+ /** Primary group email address. */
29
+ email: string;
30
+ /** Display name. */
31
+ name?: string;
32
+ /** Optional description. */
33
+ description?: string;
34
+ /** Direct member count, returned as a string by the Directory API. */
35
+ directMembersCount?: string;
36
+ }
37
+ /**
38
+ * Maps verified Google ID token claims to GoogleUser format.
39
+ */
40
+ export declare function mapGoogleClaimsToUser(payload: JWTPayload): GoogleUser;
41
+ /**
42
+ * Session cookie configuration for MastraAuthGoogle.
43
+ */
44
+ export interface GoogleSessionOptions {
45
+ /** Cookie name for the session. Defaults to `google_session`. */
46
+ cookieName?: string;
47
+ /** Cookie max age in seconds. Defaults to 86400 (24 hours). */
48
+ cookieMaxAge?: number;
49
+ /**
50
+ * Password for encrypting session cookies. Must be at least 32 characters.
51
+ * Defaults to GOOGLE_COOKIE_PASSWORD.
52
+ */
53
+ cookiePassword?: string;
54
+ /**
55
+ * Set the Secure flag on session cookies.
56
+ * Defaults to true when NODE_ENV=production, false otherwise.
57
+ */
58
+ secureCookies?: boolean;
59
+ }
60
+ /**
61
+ * Options for MastraAuthGoogle.
62
+ */
63
+ export interface MastraAuthGoogleOptions extends MastraAuthProviderOptions<GoogleUser> {
64
+ /** Google OAuth client ID. Defaults to GOOGLE_CLIENT_ID. */
65
+ clientId?: string;
66
+ /** Google OAuth client secret. Defaults to GOOGLE_CLIENT_SECRET. Required for SSO. */
67
+ clientSecret?: string;
68
+ /** OAuth redirect URI for the SSO callback. Defaults to GOOGLE_REDIRECT_URI. */
69
+ redirectUri?: string;
70
+ /** OAuth scopes to request. Defaults to `['openid', 'profile', 'email']`. */
71
+ scopes?: string[];
72
+ /**
73
+ * Allowed Google Workspace hosted domains.
74
+ * Defaults to comma-separated GOOGLE_ALLOWED_DOMAINS.
75
+ */
76
+ allowedDomains?: string | string[];
77
+ /**
78
+ * Google OAuth hosted-domain login hint.
79
+ * Defaults to GOOGLE_HOSTED_DOMAIN, or the single allowed domain when exactly one domain is configured.
80
+ */
81
+ hostedDomain?: string;
82
+ /** Session configuration. */
83
+ session?: GoogleSessionOptions;
84
+ }
85
+ /**
86
+ * Service account configuration for Workspace Directory API access.
87
+ */
88
+ export interface GoogleWorkspaceServiceAccount {
89
+ /** Google service account email. */
90
+ clientEmail: string;
91
+ /** PEM-encoded private key. Supports escaped `\n` values from .env files. */
92
+ privateKey: string;
93
+ /** Optional private key ID. */
94
+ privateKeyId?: string;
95
+ /**
96
+ * Google Workspace administrator user to impersonate with domain-wide delegation.
97
+ * Required by most Admin SDK Directory API deployments.
98
+ */
99
+ subject?: string;
100
+ /** OAuth scopes for the service account token. */
101
+ scopes?: string[];
102
+ }
103
+ /**
104
+ * Cache configuration for RBAC group lookups.
105
+ */
106
+ export interface PermissionCacheOptions {
107
+ /** Maximum number of users to cache. Defaults to 1000. */
108
+ maxSize?: number;
109
+ /** Time-to-live in milliseconds. Defaults to 60000. */
110
+ ttlMs?: number;
111
+ }
112
+ /**
113
+ * Options for MastraRBACGoogle.
114
+ */
115
+ export interface MastraRBACGoogleOptions {
116
+ /** Pre-obtained Workspace Directory API access token. */
117
+ accessToken?: string;
118
+ /** Callback that returns a Workspace Directory API access token. */
119
+ getAccessToken?: () => Promise<string> | string;
120
+ /** Service account credentials for domain-wide delegated Directory API access. */
121
+ serviceAccount?: GoogleWorkspaceServiceAccount;
122
+ /** Map Google Workspace group roles to Mastra permissions. */
123
+ roleMapping: RoleMapping;
124
+ /** Extract the Google Directory API userKey from any authenticated user object. Defaults to `user.email`. */
125
+ getUserKey?: (user: unknown) => string | undefined;
126
+ /** Map a Google Workspace group to one or more RBAC role IDs. Defaults to `[group.email]`. */
127
+ mapGroupToRoles?: (group: GoogleWorkspaceGroup) => string[];
128
+ /** Permission cache configuration. */
129
+ cache?: PermissionCacheOptions;
130
+ }
131
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,MAAM;IACxC,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,kFAAkF;IAClF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,uBAAuB;IACvB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sEAAsE;IACtE,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,UAAU,GAAG,UAAU,CA4BrE;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAwB,SAAQ,yBAAyB,CAAC,UAAU,CAAC;IACpF,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sFAAsF;IACtF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,OAAO,CAAC,EAAE,oBAAoB,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,6BAA6B;IAC5C,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,0DAA0D;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAChD,
kFAAkF;IAClF,cAAc,CAAC,EAAE,6BAA6B,CAAC;IAC/C,8DAA8D;IAC9D,WAAW,EAAE,WAAW,CAAC;IACzB,6GAA6G;IAC7G,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACnD,8FAA8F;IAC9F,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,oBAAoB,KAAK,MAAM,EAAE,CAAC;IAC5D,sCAAsC;IACtC,KAAK,CAAC,EAAE,sBAAsB,CAAC;CAChC"}
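--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,63 @@
+ {
+ "name": "@mastra/auth-google",
+ "version": "0.0.0",
+ "description": "Mastra Google Workspace Auth integration",
+ "type": "module",
+ "main": "dist/index.js",
+ "types": "dist/index.d.ts",
+ "exports": {
+ ".": {
+ "import": {
+ "types": "./dist/index.d.ts",
+ "default": "./dist/index.js"
+ },
+ "require": {
+ "types": "./dist/index.d.ts",
+ "default": "./dist/index.cjs"
+ }
+ },
+ "./package.json": "./package.json"
+ },
+ "files": [
+ "dist",
+ "CHANGELOG.md"
+ ],
+ "scripts": {
+ "build": "tsup --silent --config tsup.config.ts",
+ "build:watch": "tsup --watch --silent --config tsup.config.ts",
+ "test": "vitest run",
+ "lint": "eslint ."
+ },
+ "license": "Apache-2.0",
+ "dependencies": {
+ "jose": "^6.2.1",
+ "lru-cache": "^11.2.7"
+ },
+ "peerDependencies": {
+ "@mastra/core": ">=1.32.0-0 <2.0.0-0"
+ },
+ "devDependencies": {
+ "@internal/lint": "workspace:*",
+ "@internal/types-builder": "workspace:*",
+ "@mastra/core": "workspace:*",
+ "@types/node": "22.19.21",
+ "@vitest/coverage-v8": "catalog:",
+ "@vitest/ui": "catalog:",
+ "eslint": "^10.4.1",
+ "tsup": "^8.5.1",
+ "typescript": "catalog:",
+ "vitest": "catalog:"
+ },
+ "homepage": "https://mastra.ai",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/mastra-ai/mastra.git",
+ "directory": "auth/google"
+ },
+ "bugs": {
+ "url": "https://github.com/mastra-ai/mastra/issues"
+ },
+ "engines": {
+ "node": ">=22.13.0"
+ }
+ }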
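Review bot: The `require` branch of `exports["."]` points its `types` at `./dist/index.d.ts`, the same file the `import` branch uses, while the package declares `"type": "module"`. Under `node16`/`nodenext` resolution TypeScript treats a `.d.ts` in an ESM package as describing an ES module, so a CommonJS consumer would be type-checked against ESM declarations while actually loading `./dist/index.cjs`. If the build emits a CommonJS declaration file (not visible on this page, so this needs confirming), the branch should read `"types": "./dist/index.d.cts"`. Otherwise the build should be made to emit one before the `require` condition is advertised.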