npm - @mastra/auth-neon - Versions diffs - 0.0.0 → 0.2.0 - Mend

@mastra/auth-neon 0.0.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/LICENSE.md +30 -0
package/dist/index.cjs +373 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.ts +148 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +369 -0
package/dist/index.js.map +1 -0
package/dist/rbac-provider.d.ts +111 -0
package/dist/rbac-provider.d.ts.map +1 -0
package/package.json +15 -15

package/LICENSE.md ADDED Viewed

@@ -0,0 +1,30 @@
+Portions of this software are licensed as follows:
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+    is licensed under the license defined in `ee/LICENSE`.
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+# Apache License 2.0
+Copyright (c) 2025 Kepler Software, Inc.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,373 @@
+'use strict';
+var server = require('@mastra/core/server');
+var jose = require('jose');
+var ee = require('@mastra/core/auth/ee');
+// src/index.ts
+var DEFAULT_CACHE_TTL_MS = 6e4;
+var DEFAULT_CACHE_MAX_SIZE = 1e3;
+var MastraRBACNeon = class {
+  options;
+  baseUrl;
+  rolesCache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  cacheMaxSize;
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  constructor(options) {
+    this.options = options;
+    const rawUrl = options.baseUrl ?? process.env.NEON_AUTH_BASE_URL ?? "";
+    let end = rawUrl.length;
+    while (end > 0 && rawUrl[end - 1] === "/") {
+      end--;
+    }
+    this.baseUrl = rawUrl.slice(0, end);
+    this.cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;
+    this.cacheMaxSize = options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE;
+  }
+  async getRoles(user) {
+    if (this.options.getUserRoles) {
+      return this.options.getUserRoles(user);
+    }
+    if (user.jwt) {
+      const role = user.jwt.role;
+      if (role) return [role];
+    }
+    const userId = user.user?.id;
+    if (!userId) return [];
+    const cached = this.rolesCache.get(userId);
+    if (cached && cached.expiresAt > Date.now()) {
+      this.rolesCache.delete(userId);
+      this.rolesCache.set(userId, cached);
+      return cached.roles;
+    }
+    const roles = await this.fetchRolesFromNeonAuth(userId);
+    if (this.rolesCache.size >= this.cacheMaxSize) {
+      const firstKey = this.rolesCache.keys().next().value;
+      if (firstKey) this.rolesCache.delete(firstKey);
+    }
+    this.rolesCache.set(userId, { roles, expiresAt: Date.now() + this.cacheTtlMs });
+    return roles;
+  }
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    return ee.resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => ee.matchesPermission(p, permission));
+  }
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  async getAvailableRoles() {
+    return Object.keys(this.options.roleMapping).filter((k) => k !== "_default").map((k) => ({ id: k, name: k.charAt(0).toUpperCase() + k.slice(1) }));
+  }
+  async getRolePermissions(roleId) {
+    return ee.resolvePermissionsFromMapping([roleId], this.options.roleMapping);
+  }
+  /**
+   * Fetch organization membership roles from Neon Auth.
+   *
+   * Uses Better Auth's `organization/list-memberships` admin API.
+   * Falls back to empty roles on error (default permissions will apply).
+   */
+  async fetchRolesFromNeonAuth(userId) {
+    if (!this.baseUrl) return [];
+    try {
+      const response = await fetch(`${this.baseUrl}/auth/api/organization/list-memberships`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ userId })
+      });
+      if (!response.ok) return [];
+      const data = await response.json();
+      const memberships = Array.isArray(data) ? data : data.data ?? [];
+      const relevant = this.options.organizationId ? memberships.filter((m) => m.organizationId === this.options.organizationId) : memberships;
+      return relevant.map((m) => m.role);
+    } catch {
+      return [];
+    }
+  }
+};
+// src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
+function stripTrailingSlashes(url) {
+  let end = url.length;
+  while (end > 0 && url[end - 1] === "/") {
+    end--;
+  }
+  return url.slice(0, end);
+}
+function parseCookies(response) {
+  if (typeof response.headers.getSetCookie === "function") {
+    return response.headers.getSetCookie();
+  }
+  const raw = response.headers.get("set-cookie");
+  if (!raw) return [];
+  return raw.split(/,(?=\s*\w+=)/);
+}
+function mapNeonUserToEEUser(user) {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    avatarUrl: user.image ?? void 0,
+    metadata: {
+      emailVerified: user.emailVerified,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt
+    }
+  };
+}
+var MastraAuthNeon = class extends server.MastraAuthProvider {
+  baseUrl;
+  jwksUrl;
+  sessionCookieName;
+  signUpEnabledConfig;
+  constructor(options) {
+    super({ name: options?.name ?? "neon" });
+    const baseUrl = options?.baseUrl ?? process.env.NEON_AUTH_BASE_URL;
+    if (!baseUrl) {
+      throw new Error(
+        "Neon Auth base URL is required, please provide it in the options or set the NEON_AUTH_BASE_URL environment variable"
+      );
+    }
+    this.baseUrl = stripTrailingSlashes(baseUrl);
+    this.jwksUrl = options?.jwksUrl ?? process.env.NEON_AUTH_JWKS_URL ?? `${this.baseUrl}/auth/jwks`;
+    this.sessionCookieName = options?.sessionCookieName ?? "neonauth.session_token";
+    this.signUpEnabledConfig = options?.signUpEnabled ?? true;
+    this.registerOptions(options);
+  }
+  /** Expose the base URL for RBAC or other consumers. */
+  getBaseUrl() {
+    return this.baseUrl;
+  }
+  isSignUpEnabled() {
+    return this.signUpEnabledConfig;
+  }
+  // ── IUserProvider ──
+  async getCurrentUser(request) {
+    try {
+      const result = await this.fetchSession(request.headers);
+      if (!result?.user) return null;
+      return mapNeonUserToEEUser(result.user);
+    } catch {
+      return null;
+    }
+  }
+  async getUser(_userId) {
+    return null;
+  }
+  getUserProfileUrl(user) {
+    return `/profile/${user.id}`;
+  }
+  // ── MastraAuthProvider ──
+  async authenticateToken(token, request) {
+    if (!token || typeof token !== "string") {
+      return null;
+    }
+    const jwtResult = await this.verifyJwt(token);
+    if (jwtResult) {
+      return {
+        user: {
+          id: jwtResult.sub ?? "",
+          email: jwtResult.email ?? "",
+          name: jwtResult.name ?? "",
+          image: jwtResult.picture ?? null,
+          emailVerified: jwtResult.email_verified ?? false,
+          createdAt: jwtResult.iat ? new Date(jwtResult.iat * 1e3).toISOString() : "",
+          updatedAt: ""
+        },
+        jwt: jwtResult
+      };
+    }
+    try {
+      const headers = new Headers();
+      const cookieHeader = getRequestHeader(request, "Cookie");
+      if (cookieHeader) {
+        headers.set("Cookie", cookieHeader);
+      }
+      const hasSessionCookie = !!cookieHeader?.split(";").some((pair) => pair.trim().split("=")[0]?.trim() === this.sessionCookieName);
+      if (token && !hasSessionCookie) {
+        const existingCookies = cookieHeader ? `${cookieHeader}; ` : "";
+        headers.set("Cookie", `${existingCookies}${this.sessionCookieName}=${token}`);
+      }
+      const result = await this.fetchSession(headers);
+      if (!result?.session || !result?.user) {
+        return null;
+      }
+      return {
+        session: result.session,
+        user: result.user
+      };
+    } catch {
+      return null;
+    }
+  }
+  async authorizeUser(user) {
+    if (!user?.user?.id) return false;
+    if (user.jwt?.exp && user.jwt.exp * 1e3 < Date.now()) {
+      return false;
+    }
+    return true;
+  }
+  // ── ICredentialsProvider ──
+  async signIn(email, password, request) {
+    const response = await fetch(`${this.baseUrl}/auth/sign-in/email`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...request?.headers ? Object.fromEntries(request.headers.entries()) : {}
+      },
+      body: JSON.stringify({ email, password })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(errorData.message || "Invalid email or password");
+    }
+    const result = await response.json();
+    if (!result?.user) {
+      throw new Error("Invalid email or password");
+    }
+    const cookies = parseCookies(response);
+    return {
+      user: mapNeonUserToEEUser(result.user),
+      token: result.token ?? void 0,
+      cookies
+    };
+  }
+  async signUp(email, password, name, request) {
+    const displayName = name ?? email.split("@")[0] ?? "User";
+    const response = await fetch(`${this.baseUrl}/auth/sign-up/email`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...request?.headers ? Object.fromEntries(request.headers.entries()) : {}
+      },
+      body: JSON.stringify({ email, password, name: displayName })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(errorData.message || "Failed to create account");
+    }
+    const result = await response.json();
+    if (!result?.user) {
+      throw new Error("Failed to create account");
+    }
+    const cookies = parseCookies(response);
+    return {
+      user: mapNeonUserToEEUser(result.user),
+      token: result.token ?? void 0,
+      cookies
+    };
+  }
+  // ── ISessionProvider ──
+  async createSession(_userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1e3);
+    return {
+      id: crypto.randomUUID(),
+      userId: _userId,
+      createdAt: now,
+      expiresAt,
+      metadata
+    };
+  }
+  async validateSession(sessionId) {
+    try {
+      const headers = new Headers();
+      headers.set("Cookie", `${this.sessionCookieName}=${sessionId}`);
+      const result = await this.fetchSession(headers);
+      if (!result?.session) return null;
+      return {
+        id: result.session.id,
+        userId: result.session.userId,
+        expiresAt: new Date(result.session.expiresAt),
+        createdAt: new Date(result.session.createdAt)
+      };
+    } catch {
+      return null;
+    }
+  }
+  async destroySession(_sessionId) {
+  }
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  getSessionIdFromRequest(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader) return null;
+    for (const pair of cookieHeader.split(";")) {
+      const [key, ...rest] = pair.trim().split("=");
+      if (key?.trim() === this.sessionCookieName) {
+        return rest.join("=") || null;
+      }
+    }
+    return null;
+  }
+  getSessionHeaders(session) {
+    const cookie = session._sessionCookie;
+    if (typeof cookie === "string") {
+      return { "Set-Cookie": cookie };
+    }
+    return {};
+  }
+  getClearSessionHeaders() {
+    const cookies = [
+      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,
+      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`
+    ];
+    return {
+      "Set-Cookie": cookies.join(", ")
+    };
+  }
+  // ── Internal helpers ──
+  async verifyJwt(token) {
+    try {
+      const JWKS = jose.createRemoteJWKSet(new URL(this.jwksUrl));
+      const { payload } = await jose.jwtVerify(token, JWKS);
+      return payload;
+    } catch {
+      return null;
+    }
+  }
+  /** Fetch and validate a session from the Neon Auth REST API. */
+  async fetchSession(headers) {
+    const response = await fetch(`${this.baseUrl}/auth/get-session`, {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const data = await response.json();
+    if (!data?.session || !data?.user) {
+      return null;
+    }
+    return data;
+  }
+};
+exports.MastraAuthNeon = MastraAuthNeon;
+exports.MastraRBACNeon = MastraRBACNeon;
+exports.mapNeonUserToEEUser = mapNeonUserToEEUser;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/rbac-provider.ts","../src/index.ts"],"names":["resolvePermissionsFromMapping","matchesPermission","MastraAuthProvider","createRemoteJWKSet","jwtVerify"],"mappings":";;;;;;;AAiEA,IAAM,oBAAA,GAAuB,GAAA;AAC7B,IAAM,sBAAA,GAAyB,GAAA;AA0CxB,IAAM,iBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA,uBAA0C,GAAA,EAAI;AAAA,EAC9C,UAAA;AAAA,EACA,YAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,kBAAA,IAAsB,EAAA;AACpE,IAAA,IAAI,MAAM,MAAA,CAAO,MAAA;AACjB,IAAA,OAAO,MAAM,CAAA,IAAK,MAAA,CAAO,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACzC,MAAA,GAAA,EAAA;AAAA,IACF;AACA,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAClC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,CAAQ,KAAA,EAAO,KAAA,IAAS,oBAAA;AAC1C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,CAAQ,KAAA,EAAO,OAAA,IAAW,sBAAA;AAAA,EAChD;AAAA,EAEA,MAAM,SAAS,IAAA,EAAuC;AACpD,IAAA,IAAI,IAAA,CAAK,QAAQ,YAAA,EAAc;AAC7B,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,IAAI,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,KAAK,GAAA,EAAK;AACZ,MAAA,MAAM,IAAA,GAAO,KAAK,GAAA,CAAI,IAAA;AACtB,MAAA,IAAI,IAAA,EAAM,OAAO,CAAC,IAAI,CAAA;AAAA,IACxB;AAEA,IAAA,MAAM,MAAA,GAAS,KAAK,IAAA,EAAM,EAAA;AAC1B,IAAA,IAAI,CAAC,MAAA,EAAQ,OAAO,EAAC;AAGrB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAM,CAAA;AACzC,IAAA,IAAI,MAAA,IAAU,MAAA,CAAO,SAAA,GAAY,IAAA,CAAK,KAAI,EAAG;AAC3C,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAC7B,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAA,EAAQ,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA,CAAO,KAAA;AAAA,IAChB;AAGA,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,sBAAA,CAAuB,MAAM,CAAA;AAGtD,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,IAAQ,IAAA,CAAK,YAAA,EAAc;AAC7C,MAAA,MAAM,WAAW,IAAA,CAAK,UAAA,CAAW,IAAA,EAAK,CAAE,MAAK,CAAE,KAAA;AAC/C,MAAA,IAAI,QAAA,EAAU,IAAA,CAAK,UAAA,CAAW,MAAA,CAAO,QAAQ,CAAA;AAAA,IAC/C;AACA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAA,EAAQ,EAAE,KAAA,EAAO,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,UAAA,EAAY,CAAA;AAE9E,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAoB,IAAA,EAAgC;AAChE,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAuC;AAC1D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAOA,gCAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAoB,UAAA,EAAsC;AAC5E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAoB,WAAA,EAAyC;AACnF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAoB,WAAA,EAAyC;AAClF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA,EAEA,MAAM,iBAAA,GAA6D;AACjE,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA,CACxC,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,KAAM,UAAU,CAAA,CAC5B,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,EAAA,EAAI,CAAA,EAAG,IAAA,EAAM,CAAA,CAAE,MAAA,CAAO,CAAC,CAAA,CAAE,WAAA,EAAY,GAAI,CAAA,CAAE,KAAA,CAAM,CAAC,CAAA,EAAE,CAAE,CAAA;AAAA,EACvE;AAAA,EAEA,MAAM,mBAAmB,MAAA,EAAmC;AAC1D,IAAA,OAAOD,iCAA8B,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,QAAQ,WAAW,CAAA;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,uBAAuB,MAAA,EAAmC;AACtE,IAAA,IAAI,CAAC,IAAA,CAAK,OAAA,EAAS,OAAO,EAAC;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,uCAAA,CAAA,EAA2C;AAAA,QACrF,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,QAC9C,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,EAAE,QAAQ;AAAA,OAChC,CAAA;AAED,MAAA,IAAI,CAAC,QAAA,CAAS,EAAA,EAAI,OAAO,EAAC;AAE1B,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,MAAM,WAAA,GAAc,MAAM,OAAA,CAAQ,IAAI,IAAI,IAAA,GAAQ,IAAA,CAAK,QAAQ,EAAC;AAEhE,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,OAAA,CAAQ,cAAA,GAC1B,WAAA,CAAY,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,CAAA,GACxE,WAAA;AAEJ,MAAA,OAAO,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,IAAI,CAAA;AAAA,IACjC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,EAAC;AAAA,IACV;AAAA,EACF;AACF;;;AC9MA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AACA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAEA,SAAS,qBAAqB,GAAA,EAAqB;AACjD,EAAA,IAAI,MAAM,GAAA,CAAI,MAAA;AACd,EAAA,OAAO,MAAM,CAAA,IAAK,GAAA,CAAI,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACtC,IAAA,GAAA,EAAA;AAAA,EACF;AACA,EAAA,OAAO,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AACzB;AAEA,SAAS,aAAa,QAAA,EAA8B;AAClD,EAAA,IAAI,OAAO,QAAA,CAAS,OAAA,CAAQ,YAAA,KAAiB,UAAA,EAAY;AACvD,IAAA,OAAO,QAAA,CAAS,QAAQ,YAAA,EAAa;AAAA,EACvC;AACA,EAAA,MAAM,GAAA,GAAM,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC7C,EAAA,IAAI,CAAC,GAAA,EAAK,OAAO,EAAC;AAClB,EAAA,OAAO,GAAA,CAAI,MAAM,cAAc,CAAA;AACjC;AAoCO,SAAS,oBAAoB,IAAA,EAA2C;AAC7E,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AA6EO,IAAM,cAAA,GAAN,cACGE,yBAAA,CAEV;AAAA,EACY,OAAA;AAAA,EACA,OAAA;AAAA,EACH,iBAAA;AAAA,EACG,mBAAA;AAAA,EAEV,YAAY,OAAA,EAAiC;AAC3C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,QAAQ,CAAA;AAEvC,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,kBAAA;AAEhD,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,qBAAqB,OAAO,CAAA;AAC3C,IAAA,IAAA,CAAK,OAAA,GAAU,SAAS,OAAA,IAAW,OAAA,CAAQ,IAAI,kBAAA,IAAsB,CAAA,EAAG,KAAK,OAAO,CAAA,UAAA,CAAA;AACpF,IAAA,IAAA,CAAK,iBAAA,GAAoB,SAAS,iBAAA,IAAqB,wBAAA;AACvD,IAAA,IAAA,CAAK,mBAAA,GAAsB,SAAS,aAAA,IAAiB,IAAA;AAErD,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA,EAGA,UAAA,GAAqB;AACnB,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA,EAEA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA,EAIA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,QAAQ,OAAO,CAAA;AACtD,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,mBAAA,CAAoB,OAAO,IAAI,CAAA;AAAA,IACxC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,OAAA,EAAyC;AACrD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA,EAIA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0D;AAC/F,IAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAC5C,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,OAAO;AAAA,QACL,IAAA,EAAM;AAAA,UACJ,EAAA,EAAI,UAAU,GAAA,IAAO,EAAA;AAAA,UACrB,KAAA,EAAQ,UAAU,KAAA,IAAoB,EAAA;AAAA,UACtC,IAAA,EAAO,UAAU,IAAA,IAAmB,EAAA;AAAA,UACpC,KAAA,EAAQ,UAAU,OAAA,IAAsB,IAAA;AAAA,UACxC,aAAA,EAAgB,UAAU,cAAA,IAA8B,KAAA;AAAA,UACxD,SAAA,EAAW,SAAA,CAAU,GAAA,GAAM,IAAI,IAAA,CAAK,UAAU,GAAA,GAAM,GAAI,CAAA,CAAE,WAAA,EAAY,GAAI,EAAA;AAAA,UAC1E,SAAA,EAAW;AAAA,SACb;AAAA,QACA,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAGA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAE5B,MAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAEA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EACvB,MAAM,GAAG,CAAA,CACV,KAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,MAAK,CAAE,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAK,KAAM,KAAK,iBAAiB,CAAA;AAE5E,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAA,EAAQ,OAAA,IAAW,CAAC,QAAQ,IAAA,EAAM;AACrC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,cAAc,IAAA,EAAsC;AACxD,IAAA,IAAI,CAAC,IAAA,EAAM,IAAA,EAAM,EAAA,EAAI,OAAO,KAAA;AAE5B,IAAA,IAAI,IAAA,CAAK,KAAK,GAAA,IAAO,IAAA,CAAK,IAAI,GAAA,GAAM,GAAA,GAAO,IAAA,CAAK,GAAA,EAAI,EAAG;AACrD,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,mBAAA,CAAA,EAAuB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,GAAI,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,WAAA,CAAY,QAAQ,OAAA,CAAQ,OAAA,EAAS,CAAA,GAAI;AAAC,OAC1E;AAAA,MACA,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,UAAU;AAAA,KACzC,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAEA,IAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,mBAAA,CAAoB,MAAA,CAAO,IAAI,CAAA;AAAA,MACrC,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AAEnD,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,mBAAA,CAAA,EAAuB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,GAAI,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,WAAA,CAAY,QAAQ,OAAA,CAAQ,OAAA,EAAS,CAAA,GAAI;AAAC,OAC1E;AAAA,MACA,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,OAAO,QAAA,EAAU,IAAA,EAAM,aAAa;AAAA,KAC5D,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAEA,IAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,mBAAA,CAAoB,MAAA,CAAO,IAAI,CAAA;AAAA,MACrC,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA,EAIA,MAAM,aAAA,CAAc,OAAA,EAAiB,QAAA,EAAsD;AACzF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,OAAA,KAAY,CAAA,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAClE,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,MACtB,MAAA,EAAQ,OAAA;AAAA,MACR,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,IAAI,QAAA,EAAU,CAAA,EAAG,KAAK,iBAAiB,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAC9D,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAA,EAAQ,OAAA,EAAS,OAAO,IAAA;AAE7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,OAAO,OAAA,CAAQ,EAAA;AAAA,QACnB,MAAA,EAAQ,OAAO,OAAA,CAAQ,MAAA;AAAA,QACvB,SAAA,EAAW,IAAI,IAAA,CAAK,MAAA,CAAO,QAAQ,SAAS,CAAA;AAAA,QAC5C,SAAA,EAAW,IAAI,IAAA,CAAK,MAAA,CAAO,QAAQ,SAAS;AAAA,OAC9C;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,UAAA,EAAmC;AAAA,EAGxD;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAG/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,KAAA,MAAW,IAAA,IAAQ,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,EAAG;AAC1C,MAAA,MAAM,CAAC,KAAK,GAAG,IAAI,IAAI,IAAA,CAAK,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AAC5C,MAAA,IAAI,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA,EAAmB;AAC1C,QAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AAAA,MAC3B;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,SAAU,OAAA,CAA+C,cAAA;AAC/D,IAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAO,EAAE,cAAc,MAAA,EAAO;AAAA,IAChC;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,UAAU,KAAA,EAA2C;AACjE,IAAA,IAAI;AACF,MAAA,MAAM,OAAOC,uBAAA,CAAmB,IAAI,GAAA,CAAI,IAAA,CAAK,OAAO,CAAC,CAAA;AACrD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAMC,cAAA,CAAU,OAAO,IAAI,CAAA;AAC/C,MAAA,OAAO,OAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA,EAGA,MAAa,aAAa,OAAA,EAAuD;AAC/E,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,iBAAA,CAAA,EAAqB;AAAA,MAC/D,MAAA,EAAQ,KAAA;AAAA,MACR;AAAA,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,IAAI,CAAC,IAAA,EAAM,OAAA,IAAW,CAAC,MAAM,IAAA,EAAM;AACjC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AACF","file":"index.cjs","sourcesContent":["/**\n * Neon Auth RBAC provider for Mastra.\n *\n * Maps Neon Auth organization roles (via Better Auth's Organization plugin)\n * to Mastra permissions using a configurable role mapping.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\n\nimport type { NeonAuthUser } from './index';\n\n/**\n * Response shape from the Neon Auth organization member endpoint.\n */\ninterface NeonOrgMember {\n id: string;\n organizationId: string;\n userId: string;\n role: string;\n createdAt: string;\n}\n\nexport interface NeonRoleMappingOptions {\n /** Cache TTL in milliseconds (default: 60_000) */\n ttlMs?: number;\n /** Max cache entries (default: 1000) */\n maxSize?: number;\n}\n\nexport interface MastraRBACNeonOptions {\n /**\n * Base URL for the Neon Auth service.\n * Falls back to `NEON_AUTH_BASE_URL` env var.\n */\n baseUrl?: string;\n /**\n * Map provider role slugs to arrays of Mastra permission patterns.\n * Use `_default` for roles not explicitly listed.\n *\n * @example\n * ```typescript\n * {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * }\n * ```\n */\n roleMapping: RoleMapping;\n /**\n * Specific organization ID to scope role lookups to.\n * If omitted, roles from all organizations are merged.\n */\n organizationId?: string;\n /** Caching options for role lookups. */\n cache?: NeonRoleMappingOptions;\n /**\n * Custom function to extract roles from the NeonAuthUser object.\n * Useful when JWT claims already contain role info.\n */\n getUserRoles?: (user: NeonAuthUser) => string[] | Promise<string[]>;\n}\n\nconst DEFAULT_CACHE_TTL_MS = 60_000;\nconst DEFAULT_CACHE_MAX_SIZE = 1000;\n\ninterface CacheEntry {\n roles: string[];\n expiresAt: number;\n}\n\n/**\n * RBAC provider for Neon Auth that maps organization roles to Mastra permissions.\n *\n * Neon Auth uses Better Auth's Organization plugin which provides `owner`,\n * `admin`, and `member` roles. This provider maps those roles to Mastra\n * permission patterns via a configurable `roleMapping`.\n *\n * @example Static mapping\n * ```typescript\n * import { MastraRBACNeon } from '@mastra/auth-neon';\n *\n * const rbac = new MastraRBACNeon({\n * roleMapping: {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * },\n * });\n * ```\n *\n * @example With custom role extraction from JWT claims\n * ```typescript\n * const rbac = new MastraRBACNeon({\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:read'],\n * },\n * getUserRoles: (user) => {\n * const role = user.jwt?.role as string;\n * return role ? [role] : [];\n * },\n * });\n * ```\n */\nexport class MastraRBACNeon implements IRBACProvider<NeonAuthUser> {\n private options: MastraRBACNeonOptions;\n private baseUrl: string;\n private rolesCache: Map<string, CacheEntry> = new Map();\n private cacheTtlMs: number;\n private cacheMaxSize: number;\n\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n constructor(options: MastraRBACNeonOptions) {\n this.options = options;\n const rawUrl = options.baseUrl ?? process.env.NEON_AUTH_BASE_URL ?? '';\n let end = rawUrl.length;\n while (end > 0 && rawUrl[end - 1] === '/') {\n end--;\n }\n this.baseUrl = rawUrl.slice(0, end);\n this.cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;\n this.cacheMaxSize = options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE;\n }\n\n async getRoles(user: NeonAuthUser): Promise<string[]> {\n if (this.options.getUserRoles) {\n return this.options.getUserRoles(user);\n }\n\n // Try extracting role from JWT claims first (fast path).\n if (user.jwt) {\n const role = user.jwt.role as string | undefined;\n if (role) return [role];\n }\n\n const userId = user.user?.id;\n if (!userId) return [];\n\n // Check cache (promote on hit for LRU eviction).\n const cached = this.rolesCache.get(userId);\n if (cached && cached.expiresAt > Date.now()) {\n this.rolesCache.delete(userId);\n this.rolesCache.set(userId, cached);\n return cached.roles;\n }\n\n // Fetch organization memberships from Neon Auth.\n const roles = await this.fetchRolesFromNeonAuth(userId);\n\n // Cache the result.\n if (this.rolesCache.size >= this.cacheMaxSize) {\n const firstKey = this.rolesCache.keys().next().value;\n if (firstKey) this.rolesCache.delete(firstKey);\n }\n this.rolesCache.set(userId, { roles, expiresAt: Date.now() + this.cacheTtlMs });\n\n return roles;\n }\n\n async hasRole(user: NeonAuthUser, role: string): Promise<boolean> {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n async getPermissions(user: NeonAuthUser): Promise<string[]> {\n const roles = await this.getRoles(user);\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n async hasPermission(user: NeonAuthUser, permission: string): Promise<boolean> {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n async hasAllPermissions(user: NeonAuthUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n async hasAnyPermission(user: NeonAuthUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n return Object.keys(this.options.roleMapping)\n .filter(k => k !== '_default')\n .map(k => ({ id: k, name: k.charAt(0).toUpperCase() + k.slice(1) }));\n }\n\n async getRolePermissions(roleId: string): Promise<string[]> {\n return resolvePermissionsFromMapping([roleId], this.options.roleMapping);\n }\n\n /**\n * Fetch organization membership roles from Neon Auth.\n *\n * Uses Better Auth's `organization/list-memberships` admin API.\n * Falls back to empty roles on error (default permissions will apply).\n */\n private async fetchRolesFromNeonAuth(userId: string): Promise<string[]> {\n if (!this.baseUrl) return [];\n\n try {\n const response = await fetch(`${this.baseUrl}/auth/api/organization/list-memberships`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ userId }),\n });\n\n if (!response.ok) return [];\n\n const data = (await response.json()) as NeonOrgMember[] | { data?: NeonOrgMember[] };\n const memberships = Array.isArray(data) ? data : (data.data ?? []);\n\n const relevant = this.options.organizationId\n ? memberships.filter(m => m.organizationId === this.options.organizationId)\n : memberships;\n\n return relevant.map(m => m.role);\n } catch {\n return [];\n }\n }\n}\n","import type {\n IUserProvider,\n ICredentialsProvider,\n ISessionProvider,\n Session,\n CredentialsResult,\n} from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport { createRemoteJWKSet, jwtVerify } from 'jose';\nimport type { JWTPayload } from 'jose';\n\nexport { MastraRBACNeon } from './rbac-provider';\nexport type { MastraRBACNeonOptions, NeonRoleMappingOptions } from './rbac-provider';\n\ntype HonoRequestLike = {\n raw?: Request;\n headers?: Headers;\n header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n if (request instanceof Request) {\n return request.headers.get(name);\n }\n return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\nfunction stripTrailingSlashes(url: string): string {\n let end = url.length;\n while (end > 0 && url[end - 1] === '/') {\n end--;\n }\n return url.slice(0, end);\n}\n\nfunction parseCookies(response: Response): string[] {\n if (typeof response.headers.getSetCookie === 'function') {\n return response.headers.getSetCookie();\n }\n const raw = response.headers.get('set-cookie');\n if (!raw) return [];\n return raw.split(/,(?=\\s*\\w+=)/);\n}\n\n/**\n * Response shape from Neon Auth session endpoint.\n */\nexport interface NeonSessionResponse {\n session: {\n id: string;\n token: string;\n userId: string;\n expiresAt: string;\n createdAt: string;\n updatedAt: string;\n };\n user: {\n id: string;\n email: string;\n name: string;\n image?: string | null;\n emailVerified: boolean;\n createdAt: string;\n updatedAt: string;\n };\n}\n\n/**\n * User type returned by the adapter's authenticateToken.\n * Contains the session and user data from Neon Auth,\n * plus optional JWT claims when authenticated via bearer JWT.\n */\nexport interface NeonAuthUser {\n session?: NeonSessionResponse['session'];\n user: NeonSessionResponse['user'];\n jwt?: JWTPayload;\n}\n\nexport function mapNeonUserToEEUser(user: NeonSessionResponse['user']): EEUser {\n return {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.image ?? undefined,\n metadata: {\n emailVerified: user.emailVerified,\n createdAt: user.createdAt,\n updatedAt: user.updatedAt,\n },\n };\n}\n\nexport interface MastraAuthNeonOptions extends MastraAuthProviderOptions<NeonAuthUser> {\n /**\n * The Neon Auth base URL (e.g., `https://your-project.neon.tech`).\n * Falls back to the `NEON_AUTH_BASE_URL` environment variable.\n */\n baseUrl?: string;\n /**\n * Explicit JWKS URL for JWT token verification.\n * Overrides the URL derived from `baseUrl`.\n * Falls back to the `NEON_AUTH_JWKS_URL` environment variable.\n */\n jwksUrl?: string;\n /**\n * The session cookie name used by Neon Auth.\n * @default 'neonauth.session_token'\n */\n sessionCookieName?: string;\n /**\n * Whether to allow new user registration via sign-up.\n * @default true\n */\n signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Neon Auth.\n *\n * Neon Auth is a managed authentication service built on Better Auth\n * that stores users, sessions, and auth configuration directly in your\n * Neon Postgres database.\n *\n * This adapter supports:\n * - JWT bearer token verification via JWKS (for API clients)\n * - Session cookie verification via Neon Auth REST API (for Studio)\n * - Email/password sign-in and sign-up (for Studio credentials flow)\n * - Session management (validate, refresh, destroy)\n *\n * @example\n * ```typescript\n * import { MastraAuthNeon } from '@mastra/auth-neon';\n *\n * const auth = new MastraAuthNeon({\n * baseUrl: process.env.NEON_AUTH_BASE_URL,\n * });\n *\n * const mastra = new Mastra({\n * server: {\n * auth,\n * },\n * });\n * ```\n *\n * @example With RBAC\n * ```typescript\n * import { MastraAuthNeon, MastraRBACNeon } from '@mastra/auth-neon';\n *\n * const mastra = new Mastra({\n * server: {\n * auth: new MastraAuthNeon({\n * baseUrl: process.env.NEON_AUTH_BASE_URL,\n * }),\n * rbac: new MastraRBACNeon({\n * roleMapping: {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * },\n * }),\n * },\n * });\n * ```\n *\n * @see https://neon.com/docs/auth/overview\n */\nexport class MastraAuthNeon\n extends MastraAuthProvider<NeonAuthUser>\n implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>, ISessionProvider<Session>\n{\n protected baseUrl: string;\n protected jwksUrl: string;\n public sessionCookieName: string;\n protected signUpEnabledConfig: boolean;\n\n constructor(options?: MastraAuthNeonOptions) {\n super({ name: options?.name ?? 'neon' });\n\n const baseUrl = options?.baseUrl ?? process.env.NEON_AUTH_BASE_URL;\n\n if (!baseUrl) {\n throw new Error(\n 'Neon Auth base URL is required, please provide it in the options or set the NEON_AUTH_BASE_URL environment variable',\n );\n }\n\n this.baseUrl = stripTrailingSlashes(baseUrl);\n this.jwksUrl = options?.jwksUrl ?? process.env.NEON_AUTH_JWKS_URL ?? `${this.baseUrl}/auth/jwks`;\n this.sessionCookieName = options?.sessionCookieName ?? 'neonauth.session_token';\n this.signUpEnabledConfig = options?.signUpEnabled ?? true;\n\n this.registerOptions(options);\n }\n\n /** Expose the base URL for RBAC or other consumers. */\n getBaseUrl(): string {\n return this.baseUrl;\n }\n\n isSignUpEnabled(): boolean {\n return this.signUpEnabledConfig;\n }\n\n // ── IUserProvider ──\n\n async getCurrentUser(request: Request): Promise<EEUser | null> {\n try {\n const result = await this.fetchSession(request.headers);\n if (!result?.user) return null;\n return mapNeonUserToEEUser(result.user);\n } catch {\n return null;\n }\n }\n\n async getUser(_userId: string): Promise<EEUser | null> {\n return null;\n }\n\n getUserProfileUrl(user: EEUser): string {\n return `/profile/${user.id}`;\n }\n\n // ── MastraAuthProvider ──\n\n async authenticateToken(token: string, request: MastraAuthRequest): Promise<NeonAuthUser | null> {\n if (!token || typeof token !== 'string') {\n return null;\n }\n\n // Try JWT verification first (for bearer JWT tokens from API clients).\n const jwtResult = await this.verifyJwt(token);\n if (jwtResult) {\n return {\n user: {\n id: jwtResult.sub ?? '',\n email: (jwtResult.email as string) ?? '',\n name: (jwtResult.name as string) ?? '',\n image: (jwtResult.picture as string) ?? null,\n emailVerified: (jwtResult.email_verified as boolean) ?? false,\n createdAt: jwtResult.iat ? new Date(jwtResult.iat * 1000).toISOString() : '',\n updatedAt: '',\n },\n jwt: jwtResult,\n };\n }\n\n // Fall back to session cookie verification via Neon Auth API.\n try {\n const headers = new Headers();\n\n const cookieHeader = getRequestHeader(request, 'Cookie');\n if (cookieHeader) {\n headers.set('Cookie', cookieHeader);\n }\n\n const hasSessionCookie = !!cookieHeader\n ?.split(';')\n .some(pair => pair.trim().split('=')[0]?.trim() === this.sessionCookieName);\n\n if (token && !hasSessionCookie) {\n const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n }\n\n const result = await this.fetchSession(headers);\n if (!result?.session || !result?.user) {\n return null;\n }\n\n return {\n session: result.session,\n user: result.user,\n };\n } catch {\n return null;\n }\n }\n\n async authorizeUser(user: NeonAuthUser): Promise<boolean> {\n if (!user?.user?.id) return false;\n\n if (user.jwt?.exp && user.jwt.exp * 1000 < Date.now()) {\n return false;\n }\n\n return true;\n }\n\n // ── ICredentialsProvider ──\n\n async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n const response = await fetch(`${this.baseUrl}/auth/sign-in/email`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(request?.headers ? Object.fromEntries(request.headers.entries()) : {}),\n },\n body: JSON.stringify({ email, password }),\n });\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n throw new Error(errorData.message || 'Invalid email or password');\n }\n\n const result = (await response.json()) as { user?: NeonSessionResponse['user']; token?: string | null };\n\n if (!result?.user) {\n throw new Error('Invalid email or password');\n }\n\n const cookies = parseCookies(response);\n\n return {\n user: mapNeonUserToEEUser(result.user),\n token: result.token ?? undefined,\n cookies,\n };\n }\n\n async signUp(\n email: string,\n password: string,\n name: string | undefined,\n request: Request,\n ): Promise<CredentialsResult<EEUser>> {\n const displayName = name ?? email.split('@')[0] ?? 'User';\n\n const response = await fetch(`${this.baseUrl}/auth/sign-up/email`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(request?.headers ? Object.fromEntries(request.headers.entries()) : {}),\n },\n body: JSON.stringify({ email, password, name: displayName }),\n });\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n throw new Error(errorData.message || 'Failed to create account');\n }\n\n const result = (await response.json()) as { user?: NeonSessionResponse['user']; token?: string | null };\n\n if (!result?.user) {\n throw new Error('Failed to create account');\n }\n\n const cookies = parseCookies(response);\n\n return {\n user: mapNeonUserToEEUser(result.user),\n token: result.token ?? undefined,\n cookies,\n };\n }\n\n // ── ISessionProvider ──\n\n async createSession(_userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n const now = new Date();\n const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000);\n return {\n id: crypto.randomUUID(),\n userId: _userId,\n createdAt: now,\n expiresAt,\n metadata,\n };\n }\n\n async validateSession(sessionId: string): Promise<Session | null> {\n try {\n const headers = new Headers();\n headers.set('Cookie', `${this.sessionCookieName}=${sessionId}`);\n const result = await this.fetchSession(headers);\n if (!result?.session) return null;\n\n return {\n id: result.session.id,\n userId: result.session.userId,\n expiresAt: new Date(result.session.expiresAt),\n createdAt: new Date(result.session.createdAt),\n };\n } catch {\n return null;\n }\n }\n\n async destroySession(_sessionId: string): Promise<void> {\n // Neon Auth (Better Auth) manages session destruction via the sign-out endpoint.\n // Cookie clearing happens via getClearSessionHeaders.\n }\n\n async refreshSession(sessionId: string): Promise<Session | null> {\n // Neon Auth (Better Auth) refreshes sessions automatically when\n // get-session is called and the updateAge threshold is reached.\n return this.validateSession(sessionId);\n }\n\n getSessionIdFromRequest(request: Request): string | null {\n const cookieHeader = request.headers.get('Cookie');\n if (!cookieHeader) return null;\n\n for (const pair of cookieHeader.split(';')) {\n const [key, ...rest] = pair.trim().split('=');\n if (key?.trim() === this.sessionCookieName) {\n return rest.join('=') || null;\n }\n }\n\n return null;\n }\n\n getSessionHeaders(session: Session): Record<string, string> {\n const cookie = (session as unknown as Record<string, unknown>)._sessionCookie;\n if (typeof cookie === 'string') {\n return { 'Set-Cookie': cookie };\n }\n return {};\n }\n\n getClearSessionHeaders(): Record<string, string> {\n const cookies = [\n `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n ];\n return {\n 'Set-Cookie': cookies.join(', '),\n };\n }\n\n // ── Internal helpers ──\n\n private async verifyJwt(token: string): Promise<JWTPayload | null> {\n try {\n const JWKS = createRemoteJWKSet(new URL(this.jwksUrl));\n const { payload } = await jwtVerify(token, JWKS);\n return payload;\n } catch {\n return null;\n }\n }\n\n /** Fetch and validate a session from the Neon Auth REST API. */\n public async fetchSession(headers: Headers): Promise<NeonSessionResponse | null> {\n const response = await fetch(`${this.baseUrl}/auth/get-session`, {\n method: 'GET',\n headers,\n });\n\n if (!response.ok) {\n return null;\n }\n\n const data = (await response.json()) as NeonSessionResponse | null;\n if (!data?.session || !data?.user) {\n return null;\n }\n\n return data;\n }\n}\n"]}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,148 @@
+import type { IUserProvider, ICredentialsProvider, ISessionProvider, Session, CredentialsResult } from '@mastra/core/auth';
+import type { EEUser } from '@mastra/core/auth/ee';
+import type { MastraAuthProviderOptions } from '@mastra/core/server';
+import { MastraAuthProvider } from '@mastra/core/server';
+import type { JWTPayload } from 'jose';
+export { MastraRBACNeon } from './rbac-provider.js';
+export type { MastraRBACNeonOptions, NeonRoleMappingOptions } from './rbac-provider.js';
+type HonoRequestLike = {
+    raw?: Request;
+    headers?: Headers;
+    header(name: string): string | undefined;
+};
+type MastraAuthRequest = Request | HonoRequestLike;
+/**
+ * Response shape from Neon Auth session endpoint.
+ */
+export interface NeonSessionResponse {
+    session: {
+        id: string;
+        token: string;
+        userId: string;
+        expiresAt: string;
+        createdAt: string;
+        updatedAt: string;
+    };
+    user: {
+        id: string;
+        email: string;
+        name: string;
+        image?: string | null;
+        emailVerified: boolean;
+        createdAt: string;
+        updatedAt: string;
+    };
+}
+/**
+ * User type returned by the adapter's authenticateToken.
+ * Contains the session and user data from Neon Auth,
+ * plus optional JWT claims when authenticated via bearer JWT.
+ */
+export interface NeonAuthUser {
+    session?: NeonSessionResponse['session'];
+    user: NeonSessionResponse['user'];
+    jwt?: JWTPayload;
+}
+export declare function mapNeonUserToEEUser(user: NeonSessionResponse['user']): EEUser;
+export interface MastraAuthNeonOptions extends MastraAuthProviderOptions<NeonAuthUser> {
+    /**
+     * The Neon Auth base URL (e.g., `https://your-project.neon.tech`).
+     * Falls back to the `NEON_AUTH_BASE_URL` environment variable.
+     */
+    baseUrl?: string;
+    /**
+     * Explicit JWKS URL for JWT token verification.
+     * Overrides the URL derived from `baseUrl`.
+     * Falls back to the `NEON_AUTH_JWKS_URL` environment variable.
+     */
+    jwksUrl?: string;
+    /**
+     * The session cookie name used by Neon Auth.
+     * @default 'neonauth.session_token'
+     */
+    sessionCookieName?: string;
+    /**
+     * Whether to allow new user registration via sign-up.
+     * @default true
+     */
+    signUpEnabled?: boolean;
+}
+/**
+ * Mastra authentication provider for Neon Auth.
+ *
+ * Neon Auth is a managed authentication service built on Better Auth
+ * that stores users, sessions, and auth configuration directly in your
+ * Neon Postgres database.
+ *
+ * This adapter supports:
+ * - JWT bearer token verification via JWKS (for API clients)
+ * - Session cookie verification via Neon Auth REST API (for Studio)
+ * - Email/password sign-in and sign-up (for Studio credentials flow)
+ * - Session management (validate, refresh, destroy)
+ *
+ * @example
+ * ```typescript
+ * import { MastraAuthNeon } from '@mastra/auth-neon';
+ *
+ * const auth = new MastraAuthNeon({
+ *   baseUrl: process.env.NEON_AUTH_BASE_URL,
+ * });
+ *
+ * const mastra = new Mastra({
+ *   server: {
+ *     auth,
+ *   },
+ * });
+ * ```
+ *
+ * @example With RBAC
+ * ```typescript
+ * import { MastraAuthNeon, MastraRBACNeon } from '@mastra/auth-neon';
+ *
+ * const mastra = new Mastra({
+ *   server: {
+ *     auth: new MastraAuthNeon({
+ *       baseUrl: process.env.NEON_AUTH_BASE_URL,
+ *     }),
+ *     rbac: new MastraRBACNeon({
+ *       roleMapping: {
+ *         owner: ['*'],
+ *         admin: ['*'],
+ *         member: ['agents:read', 'workflows:*'],
+ *         _default: [],
+ *       },
+ *     }),
+ *   },
+ * });
+ * ```
+ *
+ * @see https://neon.com/docs/auth/overview
+ */
+export declare class MastraAuthNeon extends MastraAuthProvider<NeonAuthUser> implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>, ISessionProvider<Session> {
+    protected baseUrl: string;
+    protected jwksUrl: string;
+    sessionCookieName: string;
+    protected signUpEnabledConfig: boolean;
+    constructor(options?: MastraAuthNeonOptions);
+    /** Expose the base URL for RBAC or other consumers. */
+    getBaseUrl(): string;
+    isSignUpEnabled(): boolean;
+    getCurrentUser(request: Request): Promise<EEUser | null>;
+    getUser(_userId: string): Promise<EEUser | null>;
+    getUserProfileUrl(user: EEUser): string;
+    authenticateToken(token: string, request: MastraAuthRequest): Promise<NeonAuthUser | null>;
+    authorizeUser(user: NeonAuthUser): Promise<boolean>;
+    signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>>;
+    signUp(email: string, password: string, name: string | undefined, request: Request): Promise<CredentialsResult<EEUser>>;
+    createSession(_userId: string, metadata?: Record<string, unknown>): Promise<Session>;
+    validateSession(sessionId: string): Promise<Session | null>;
+    destroySession(_sessionId: string): Promise<void>;
+    refreshSession(sessionId: string): Promise<Session | null>;
+    getSessionIdFromRequest(request: Request): string | null;
+    getSessionHeaders(session: Session): Record<string, string>;
+    getClearSessionHeaders(): Record<string, string>;
+    private verifyJwt;
+    /** Fetch and validate a session from the Neon Auth REST API. */
+    fetchSession(headers: Headers): Promise<NeonSessionResponse | null>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EACb,oBAAoB,EACpB,gBAAgB,EAChB,OAAO,EACP,iBAAiB,EAClB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,YAAY,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAErF,KAAK,eAAe,GAAG;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C,CAAC;AAEF,KAAK,iBAAiB,GAAG,OAAO,GAAG,eAAe,CAAC;AA0BnD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACtB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,CAAC,EAAE,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,EAAE,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAClC,GAAG,CAAC,EAAE,UAAU,CAAC;CAClB;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,mBAAmB,CAAC,MAAM,CAAC,GAAG,MAAM,CAY7E;AAED,MAAM,WAAW,qBAAsB,SAAQ,yBAAyB,CAAC,YAAY,CAAC;IACpF;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,qBAAa,cACX,SAAQ,kBAAkB,CAAC,YAAY,CACvC,YAAW,aAAa,CAAC,MAAM,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC;IAEzF,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,mBAAmB,EAAE,OAAO,CAAC;gBAE3B,OAAO,CAAC,EAAE,qBAAqB;IAmB3C,uDAAuD;IACvD,UAAU,IAAI,MAAM;IAIpB,eAAe,IAAI,OAAO;IAMpB,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUxD,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAItD,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAMjC,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAsD1F,aAAa,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC;IAYnD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IA8B7F,MAAM,CACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAkC/B,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAYpF,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAkB3D,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKjD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAMhE,uBAAuB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAcxD,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAQ3D,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;YAYlC,SAAS;IAUvB,gEAAgE;IACnD,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;CAiBjF"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,369 @@
+import { MastraAuthProvider } from '@mastra/core/server';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
+// src/index.ts
+var DEFAULT_CACHE_TTL_MS = 6e4;
+var DEFAULT_CACHE_MAX_SIZE = 1e3;
+var MastraRBACNeon = class {
+  options;
+  baseUrl;
+  rolesCache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  cacheMaxSize;
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  constructor(options) {
+    this.options = options;
+    const rawUrl = options.baseUrl ?? process.env.NEON_AUTH_BASE_URL ?? "";
+    let end = rawUrl.length;
+    while (end > 0 && rawUrl[end - 1] === "/") {
+      end--;
+    }
+    this.baseUrl = rawUrl.slice(0, end);
+    this.cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;
+    this.cacheMaxSize = options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE;
+  }
+  async getRoles(user) {
+    if (this.options.getUserRoles) {
+      return this.options.getUserRoles(user);
+    }
+    if (user.jwt) {
+      const role = user.jwt.role;
+      if (role) return [role];
+    }
+    const userId = user.user?.id;
+    if (!userId) return [];
+    const cached = this.rolesCache.get(userId);
+    if (cached && cached.expiresAt > Date.now()) {
+      this.rolesCache.delete(userId);
+      this.rolesCache.set(userId, cached);
+      return cached.roles;
+    }
+    const roles = await this.fetchRolesFromNeonAuth(userId);
+    if (this.rolesCache.size >= this.cacheMaxSize) {
+      const firstKey = this.rolesCache.keys().next().value;
+      if (firstKey) this.rolesCache.delete(firstKey);
+    }
+    this.rolesCache.set(userId, { roles, expiresAt: Date.now() + this.cacheTtlMs });
+    return roles;
+  }
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    return resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => matchesPermission(p, permission));
+  }
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+  async getAvailableRoles() {
+    return Object.keys(this.options.roleMapping).filter((k) => k !== "_default").map((k) => ({ id: k, name: k.charAt(0).toUpperCase() + k.slice(1) }));
+  }
+  async getRolePermissions(roleId) {
+    return resolvePermissionsFromMapping([roleId], this.options.roleMapping);
+  }
+  /**
+   * Fetch organization membership roles from Neon Auth.
+   *
+   * Uses Better Auth's `organization/list-memberships` admin API.
+   * Falls back to empty roles on error (default permissions will apply).
+   */
+  async fetchRolesFromNeonAuth(userId) {
+    if (!this.baseUrl) return [];
+    try {
+      const response = await fetch(`${this.baseUrl}/auth/api/organization/list-memberships`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ userId })
+      });
+      if (!response.ok) return [];
+      const data = await response.json();
+      const memberships = Array.isArray(data) ? data : data.data ?? [];
+      const relevant = this.options.organizationId ? memberships.filter((m) => m.organizationId === this.options.organizationId) : memberships;
+      return relevant.map((m) => m.role);
+    } catch {
+      return [];
+    }
+  }
+};
+// src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
+function stripTrailingSlashes(url) {
+  let end = url.length;
+  while (end > 0 && url[end - 1] === "/") {
+    end--;
+  }
+  return url.slice(0, end);
+}
+function parseCookies(response) {
+  if (typeof response.headers.getSetCookie === "function") {
+    return response.headers.getSetCookie();
+  }
+  const raw = response.headers.get("set-cookie");
+  if (!raw) return [];
+  return raw.split(/,(?=\s*\w+=)/);
+}
+function mapNeonUserToEEUser(user) {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    avatarUrl: user.image ?? void 0,
+    metadata: {
+      emailVerified: user.emailVerified,
+      createdAt: user.createdAt,
+      updatedAt: user.updatedAt
+    }
+  };
+}
+var MastraAuthNeon = class extends MastraAuthProvider {
+  baseUrl;
+  jwksUrl;
+  sessionCookieName;
+  signUpEnabledConfig;
+  constructor(options) {
+    super({ name: options?.name ?? "neon" });
+    const baseUrl = options?.baseUrl ?? process.env.NEON_AUTH_BASE_URL;
+    if (!baseUrl) {
+      throw new Error(
+        "Neon Auth base URL is required, please provide it in the options or set the NEON_AUTH_BASE_URL environment variable"
+      );
+    }
+    this.baseUrl = stripTrailingSlashes(baseUrl);
+    this.jwksUrl = options?.jwksUrl ?? process.env.NEON_AUTH_JWKS_URL ?? `${this.baseUrl}/auth/jwks`;
+    this.sessionCookieName = options?.sessionCookieName ?? "neonauth.session_token";
+    this.signUpEnabledConfig = options?.signUpEnabled ?? true;
+    this.registerOptions(options);
+  }
+  /** Expose the base URL for RBAC or other consumers. */
+  getBaseUrl() {
+    return this.baseUrl;
+  }
+  isSignUpEnabled() {
+    return this.signUpEnabledConfig;
+  }
+  // ── IUserProvider ──
+  async getCurrentUser(request) {
+    try {
+      const result = await this.fetchSession(request.headers);
+      if (!result?.user) return null;
+      return mapNeonUserToEEUser(result.user);
+    } catch {
+      return null;
+    }
+  }
+  async getUser(_userId) {
+    return null;
+  }
+  getUserProfileUrl(user) {
+    return `/profile/${user.id}`;
+  }
+  // ── MastraAuthProvider ──
+  async authenticateToken(token, request) {
+    if (!token || typeof token !== "string") {
+      return null;
+    }
+    const jwtResult = await this.verifyJwt(token);
+    if (jwtResult) {
+      return {
+        user: {
+          id: jwtResult.sub ?? "",
+          email: jwtResult.email ?? "",
+          name: jwtResult.name ?? "",
+          image: jwtResult.picture ?? null,
+          emailVerified: jwtResult.email_verified ?? false,
+          createdAt: jwtResult.iat ? new Date(jwtResult.iat * 1e3).toISOString() : "",
+          updatedAt: ""
+        },
+        jwt: jwtResult
+      };
+    }
+    try {
+      const headers = new Headers();
+      const cookieHeader = getRequestHeader(request, "Cookie");
+      if (cookieHeader) {
+        headers.set("Cookie", cookieHeader);
+      }
+      const hasSessionCookie = !!cookieHeader?.split(";").some((pair) => pair.trim().split("=")[0]?.trim() === this.sessionCookieName);
+      if (token && !hasSessionCookie) {
+        const existingCookies = cookieHeader ? `${cookieHeader}; ` : "";
+        headers.set("Cookie", `${existingCookies}${this.sessionCookieName}=${token}`);
+      }
+      const result = await this.fetchSession(headers);
+      if (!result?.session || !result?.user) {
+        return null;
+      }
+      return {
+        session: result.session,
+        user: result.user
+      };
+    } catch {
+      return null;
+    }
+  }
+  async authorizeUser(user) {
+    if (!user?.user?.id) return false;
+    if (user.jwt?.exp && user.jwt.exp * 1e3 < Date.now()) {
+      return false;
+    }
+    return true;
+  }
+  // ── ICredentialsProvider ──
+  async signIn(email, password, request) {
+    const response = await fetch(`${this.baseUrl}/auth/sign-in/email`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...request?.headers ? Object.fromEntries(request.headers.entries()) : {}
+      },
+      body: JSON.stringify({ email, password })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(errorData.message || "Invalid email or password");
+    }
+    const result = await response.json();
+    if (!result?.user) {
+      throw new Error("Invalid email or password");
+    }
+    const cookies = parseCookies(response);
+    return {
+      user: mapNeonUserToEEUser(result.user),
+      token: result.token ?? void 0,
+      cookies
+    };
+  }
+  async signUp(email, password, name, request) {
+    const displayName = name ?? email.split("@")[0] ?? "User";
+    const response = await fetch(`${this.baseUrl}/auth/sign-up/email`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...request?.headers ? Object.fromEntries(request.headers.entries()) : {}
+      },
+      body: JSON.stringify({ email, password, name: displayName })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(errorData.message || "Failed to create account");
+    }
+    const result = await response.json();
+    if (!result?.user) {
+      throw new Error("Failed to create account");
+    }
+    const cookies = parseCookies(response);
+    return {
+      user: mapNeonUserToEEUser(result.user),
+      token: result.token ?? void 0,
+      cookies
+    };
+  }
+  // ── ISessionProvider ──
+  async createSession(_userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1e3);
+    return {
+      id: crypto.randomUUID(),
+      userId: _userId,
+      createdAt: now,
+      expiresAt,
+      metadata
+    };
+  }
+  async validateSession(sessionId) {
+    try {
+      const headers = new Headers();
+      headers.set("Cookie", `${this.sessionCookieName}=${sessionId}`);
+      const result = await this.fetchSession(headers);
+      if (!result?.session) return null;
+      return {
+        id: result.session.id,
+        userId: result.session.userId,
+        expiresAt: new Date(result.session.expiresAt),
+        createdAt: new Date(result.session.createdAt)
+      };
+    } catch {
+      return null;
+    }
+  }
+  async destroySession(_sessionId) {
+  }
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  getSessionIdFromRequest(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader) return null;
+    for (const pair of cookieHeader.split(";")) {
+      const [key, ...rest] = pair.trim().split("=");
+      if (key?.trim() === this.sessionCookieName) {
+        return rest.join("=") || null;
+      }
+    }
+    return null;
+  }
+  getSessionHeaders(session) {
+    const cookie = session._sessionCookie;
+    if (typeof cookie === "string") {
+      return { "Set-Cookie": cookie };
+    }
+    return {};
+  }
+  getClearSessionHeaders() {
+    const cookies = [
+      `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,
+      `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`
+    ];
+    return {
+      "Set-Cookie": cookies.join(", ")
+    };
+  }
+  // ── Internal helpers ──
+  async verifyJwt(token) {
+    try {
+      const JWKS = createRemoteJWKSet(new URL(this.jwksUrl));
+      const { payload } = await jwtVerify(token, JWKS);
+      return payload;
+    } catch {
+      return null;
+    }
+  }
+  /** Fetch and validate a session from the Neon Auth REST API. */
+  async fetchSession(headers) {
+    const response = await fetch(`${this.baseUrl}/auth/get-session`, {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const data = await response.json();
+    if (!data?.session || !data?.user) {
+      return null;
+    }
+    return data;
+  }
+};
+export { MastraAuthNeon, MastraRBACNeon, mapNeonUserToEEUser };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/rbac-provider.ts","../src/index.ts"],"names":[],"mappings":";;;;;AAiEA,IAAM,oBAAA,GAAuB,GAAA;AAC7B,IAAM,sBAAA,GAAyB,GAAA;AA0CxB,IAAM,iBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA,uBAA0C,GAAA,EAAI;AAAA,EAC9C,UAAA;AAAA,EACA,YAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,kBAAA,IAAsB,EAAA;AACpE,IAAA,IAAI,MAAM,MAAA,CAAO,MAAA;AACjB,IAAA,OAAO,MAAM,CAAA,IAAK,MAAA,CAAO,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACzC,MAAA,GAAA,EAAA;AAAA,IACF;AACA,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAClC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,CAAQ,KAAA,EAAO,KAAA,IAAS,oBAAA;AAC1C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,CAAQ,KAAA,EAAO,OAAA,IAAW,sBAAA;AAAA,EAChD;AAAA,EAEA,MAAM,SAAS,IAAA,EAAuC;AACpD,IAAA,IAAI,IAAA,CAAK,QAAQ,YAAA,EAAc;AAC7B,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,IAAI,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,KAAK,GAAA,EAAK;AACZ,MAAA,MAAM,IAAA,GAAO,KAAK,GAAA,CAAI,IAAA;AACtB,MAAA,IAAI,IAAA,EAAM,OAAO,CAAC,IAAI,CAAA;AAAA,IACxB;AAEA,IAAA,MAAM,MAAA,GAAS,KAAK,IAAA,EAAM,EAAA;AAC1B,IAAA,IAAI,CAAC,MAAA,EAAQ,OAAO,EAAC;AAGrB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAM,CAAA;AACzC,IAAA,IAAI,MAAA,IAAU,MAAA,CAAO,SAAA,GAAY,IAAA,CAAK,KAAI,EAAG;AAC3C,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAC7B,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAA,EAAQ,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA,CAAO,KAAA;AAAA,IAChB;AAGA,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,sBAAA,CAAuB,MAAM,CAAA;AAGtD,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,IAAQ,IAAA,CAAK,YAAA,EAAc;AAC7C,MAAA,MAAM,WAAW,IAAA,CAAK,UAAA,CAAW,IAAA,EAAK,CAAE,MAAK,CAAE,KAAA;AAC/C,MAAA,IAAI,QAAA,EAAU,IAAA,CAAK,UAAA,CAAW,MAAA,CAAO,QAAQ,CAAA;AAAA,IAC/C;AACA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,MAAA,EAAQ,EAAE,KAAA,EAAO,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,UAAA,EAAY,CAAA;AAE9E,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAoB,IAAA,EAAgC;AAChE,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAuC;AAC1D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAoB,UAAA,EAAsC;AAC5E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAoB,WAAA,EAAyC;AACnF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAoB,WAAA,EAAyC;AAClF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA,EAEA,MAAM,iBAAA,GAA6D;AACjE,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA,CACxC,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,KAAM,UAAU,CAAA,CAC5B,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,EAAA,EAAI,CAAA,EAAG,IAAA,EAAM,CAAA,CAAE,MAAA,CAAO,CAAC,CAAA,CAAE,WAAA,EAAY,GAAI,CAAA,CAAE,KAAA,CAAM,CAAC,CAAA,EAAE,CAAE,CAAA;AAAA,EACvE;AAAA,EAEA,MAAM,mBAAmB,MAAA,EAAmC;AAC1D,IAAA,OAAO,8BAA8B,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,QAAQ,WAAW,CAAA;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,uBAAuB,MAAA,EAAmC;AACtE,IAAA,IAAI,CAAC,IAAA,CAAK,OAAA,EAAS,OAAO,EAAC;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,uCAAA,CAAA,EAA2C;AAAA,QACrF,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,QAC9C,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,EAAE,QAAQ;AAAA,OAChC,CAAA;AAED,MAAA,IAAI,CAAC,QAAA,CAAS,EAAA,EAAI,OAAO,EAAC;AAE1B,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,MAAM,WAAA,GAAc,MAAM,OAAA,CAAQ,IAAI,IAAI,IAAA,GAAQ,IAAA,CAAK,QAAQ,EAAC;AAEhE,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,OAAA,CAAQ,cAAA,GAC1B,WAAA,CAAY,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,CAAA,GACxE,WAAA;AAEJ,MAAA,OAAO,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,IAAI,CAAA;AAAA,IACjC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,EAAC;AAAA,IACV;AAAA,EACF;AACF;;;AC9MA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AACA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAEA,SAAS,qBAAqB,GAAA,EAAqB;AACjD,EAAA,IAAI,MAAM,GAAA,CAAI,MAAA;AACd,EAAA,OAAO,MAAM,CAAA,IAAK,GAAA,CAAI,GAAA,GAAM,CAAC,MAAM,GAAA,EAAK;AACtC,IAAA,GAAA,EAAA;AAAA,EACF;AACA,EAAA,OAAO,GAAA,CAAI,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AACzB;AAEA,SAAS,aAAa,QAAA,EAA8B;AAClD,EAAA,IAAI,OAAO,QAAA,CAAS,OAAA,CAAQ,YAAA,KAAiB,UAAA,EAAY;AACvD,IAAA,OAAO,QAAA,CAAS,QAAQ,YAAA,EAAa;AAAA,EACvC;AACA,EAAA,MAAM,GAAA,GAAM,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC7C,EAAA,IAAI,CAAC,GAAA,EAAK,OAAO,EAAC;AAClB,EAAA,OAAO,GAAA,CAAI,MAAM,cAAc,CAAA;AACjC;AAoCO,SAAS,oBAAoB,IAAA,EAA2C;AAC7E,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,MAAM,IAAA,CAAK,IAAA;AAAA,IACX,SAAA,EAAW,KAAK,KAAA,IAAS,MAAA;AAAA,IACzB,QAAA,EAAU;AAAA,MACR,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;AA6EO,IAAM,cAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACY,OAAA;AAAA,EACA,OAAA;AAAA,EACH,iBAAA;AAAA,EACG,mBAAA;AAAA,EAEV,YAAY,OAAA,EAAiC;AAC3C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,QAAQ,CAAA;AAEvC,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,kBAAA;AAEhD,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,qBAAqB,OAAO,CAAA;AAC3C,IAAA,IAAA,CAAK,OAAA,GAAU,SAAS,OAAA,IAAW,OAAA,CAAQ,IAAI,kBAAA,IAAsB,CAAA,EAAG,KAAK,OAAO,CAAA,UAAA,CAAA;AACpF,IAAA,IAAA,CAAK,iBAAA,GAAoB,SAAS,iBAAA,IAAqB,wBAAA;AACvD,IAAA,IAAA,CAAK,mBAAA,GAAsB,SAAS,aAAA,IAAiB,IAAA;AAErD,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA,EAGA,UAAA,GAAqB;AACnB,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA,EAEA,eAAA,GAA2B;AACzB,IAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,EACd;AAAA;AAAA,EAIA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,QAAQ,OAAO,CAAA;AACtD,MAAA,IAAI,CAAC,MAAA,EAAQ,IAAA,EAAM,OAAO,IAAA;AAC1B,MAAA,OAAO,mBAAA,CAAoB,OAAO,IAAI,CAAA;AAAA,IACxC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,OAAA,EAAyC;AACrD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA,EAIA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0D;AAC/F,IAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAC5C,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,OAAO;AAAA,QACL,IAAA,EAAM;AAAA,UACJ,EAAA,EAAI,UAAU,GAAA,IAAO,EAAA;AAAA,UACrB,KAAA,EAAQ,UAAU,KAAA,IAAoB,EAAA;AAAA,UACtC,IAAA,EAAO,UAAU,IAAA,IAAmB,EAAA;AAAA,UACpC,KAAA,EAAQ,UAAU,OAAA,IAAsB,IAAA;AAAA,UACxC,aAAA,EAAgB,UAAU,cAAA,IAA8B,KAAA;AAAA,UACxD,SAAA,EAAW,SAAA,CAAU,GAAA,GAAM,IAAI,IAAA,CAAK,UAAU,GAAA,GAAM,GAAI,CAAA,CAAE,WAAA,EAAY,GAAI,EAAA;AAAA,UAC1E,SAAA,EAAW;AAAA,SACb;AAAA,QACA,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAGA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAE5B,MAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAAA,MACpC;AAEA,MAAA,MAAM,gBAAA,GAAmB,CAAC,CAAC,YAAA,EACvB,MAAM,GAAG,CAAA,CACV,KAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,MAAK,CAAE,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAK,KAAM,KAAK,iBAAiB,CAAA;AAE5E,MAAA,IAAI,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC9B,QAAA,MAAM,eAAA,GAAkB,YAAA,GAAe,CAAA,EAAG,YAAY,CAAA,EAAA,CAAA,GAAO,EAAA;AAC7D,QAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,eAAe,GAAG,IAAA,CAAK,iBAAiB,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,MAC9E;AAEA,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAA,EAAQ,OAAA,IAAW,CAAC,QAAQ,IAAA,EAAM;AACrC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,MAAM,MAAA,CAAO;AAAA,OACf;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,cAAc,IAAA,EAAsC;AACxD,IAAA,IAAI,CAAC,IAAA,EAAM,IAAA,EAAM,EAAA,EAAI,OAAO,KAAA;AAE5B,IAAA,IAAI,IAAA,CAAK,KAAK,GAAA,IAAO,IAAA,CAAK,IAAI,GAAA,GAAM,GAAA,GAAO,IAAA,CAAK,GAAA,EAAI,EAAG;AACrD,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAkB,OAAA,EAAsD;AAClG,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,mBAAA,CAAA,EAAuB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,GAAI,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,WAAA,CAAY,QAAQ,OAAA,CAAQ,OAAA,EAAS,CAAA,GAAI;AAAC,OAC1E;AAAA,MACA,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,UAAU;AAAA,KACzC,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,2BAA2B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAEA,IAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,mBAAA,CAAoB,MAAA,CAAO,IAAI,CAAA;AAAA,MACrC,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,MACA,OAAA,EACoC;AACpC,IAAA,MAAM,cAAc,IAAA,IAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,MAAA;AAEnD,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,mBAAA,CAAA,EAAuB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,GAAI,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,WAAA,CAAY,QAAQ,OAAA,CAAQ,OAAA,EAAS,CAAA,GAAI;AAAC,OAC1E;AAAA,MACA,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,OAAO,QAAA,EAAU,IAAA,EAAM,aAAa;AAAA,KAC5D,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,MAAA,MAAM,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,IAAW,0BAA0B,CAAA;AAAA,IACjE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AAEpC,IAAA,IAAI,CAAC,QAAQ,IAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,0BAA0B,CAAA;AAAA,IAC5C;AAEA,IAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,mBAAA,CAAoB,MAAA,CAAO,IAAI,CAAA;AAAA,MACrC,KAAA,EAAO,OAAO,KAAA,IAAS,MAAA;AAAA,MACvB;AAAA,KACF;AAAA,EACF;AAAA;AAAA,EAIA,MAAM,aAAA,CAAc,OAAA,EAAiB,QAAA,EAAsD;AACzF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,OAAA,KAAY,CAAA,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAClE,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,MACtB,MAAA,EAAQ,OAAA;AAAA,MACR,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,IAAI,QAAA,EAAU,CAAA,EAAG,KAAK,iBAAiB,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAC9D,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAA,EAAQ,OAAA,EAAS,OAAO,IAAA;AAE7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,OAAO,OAAA,CAAQ,EAAA;AAAA,QACnB,MAAA,EAAQ,OAAO,OAAA,CAAQ,MAAA;AAAA,QACvB,SAAA,EAAW,IAAI,IAAA,CAAK,MAAA,CAAO,QAAQ,SAAS,CAAA;AAAA,QAC5C,SAAA,EAAW,IAAI,IAAA,CAAK,MAAA,CAAO,QAAQ,SAAS;AAAA,OAC9C;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,UAAA,EAAmC;AAAA,EAGxD;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAG/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,KAAA,MAAW,IAAA,IAAQ,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,EAAG;AAC1C,MAAA,MAAM,CAAC,KAAK,GAAG,IAAI,IAAI,IAAA,CAAK,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AAC5C,MAAA,IAAI,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,CAAK,iBAAA,EAAmB;AAC1C,QAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AAAA,MAC3B;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,SAAU,OAAA,CAA+C,cAAA;AAC/D,IAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAO,EAAE,cAAc,MAAA,EAAO;AAAA,IAChC;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,CAAA,EAAG,KAAK,iBAAiB,CAAA,4CAAA,CAAA;AAAA,MACzB,CAAA,EAAG,KAAK,iBAAiB,CAAA,gDAAA;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,OAAA,CAAQ,IAAA,CAAK,IAAI;AAAA,KACjC;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,UAAU,KAAA,EAA2C;AACjE,IAAA,IAAI;AACF,MAAA,MAAM,OAAO,kBAAA,CAAmB,IAAI,GAAA,CAAI,IAAA,CAAK,OAAO,CAAC,CAAA;AACrD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,OAAO,IAAI,CAAA;AAC/C,MAAA,OAAO,OAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA,EAGA,MAAa,aAAa,OAAA,EAAuD;AAC/E,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,iBAAA,CAAA,EAAqB;AAAA,MAC/D,MAAA,EAAQ,KAAA;AAAA,MACR;AAAA,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,IAAI,CAAC,IAAA,EAAM,OAAA,IAAW,CAAC,MAAM,IAAA,EAAM;AACjC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AACF","file":"index.js","sourcesContent":["/**\n * Neon Auth RBAC provider for Mastra.\n *\n * Maps Neon Auth organization roles (via Better Auth's Organization plugin)\n * to Mastra permissions using a configurable role mapping.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\n\nimport type { NeonAuthUser } from './index';\n\n/**\n * Response shape from the Neon Auth organization member endpoint.\n */\ninterface NeonOrgMember {\n id: string;\n organizationId: string;\n userId: string;\n role: string;\n createdAt: string;\n}\n\nexport interface NeonRoleMappingOptions {\n /** Cache TTL in milliseconds (default: 60_000) */\n ttlMs?: number;\n /** Max cache entries (default: 1000) */\n maxSize?: number;\n}\n\nexport interface MastraRBACNeonOptions {\n /**\n * Base URL for the Neon Auth service.\n * Falls back to `NEON_AUTH_BASE_URL` env var.\n */\n baseUrl?: string;\n /**\n * Map provider role slugs to arrays of Mastra permission patterns.\n * Use `_default` for roles not explicitly listed.\n *\n * @example\n * ```typescript\n * {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * }\n * ```\n */\n roleMapping: RoleMapping;\n /**\n * Specific organization ID to scope role lookups to.\n * If omitted, roles from all organizations are merged.\n */\n organizationId?: string;\n /** Caching options for role lookups. */\n cache?: NeonRoleMappingOptions;\n /**\n * Custom function to extract roles from the NeonAuthUser object.\n * Useful when JWT claims already contain role info.\n */\n getUserRoles?: (user: NeonAuthUser) => string[] | Promise<string[]>;\n}\n\nconst DEFAULT_CACHE_TTL_MS = 60_000;\nconst DEFAULT_CACHE_MAX_SIZE = 1000;\n\ninterface CacheEntry {\n roles: string[];\n expiresAt: number;\n}\n\n/**\n * RBAC provider for Neon Auth that maps organization roles to Mastra permissions.\n *\n * Neon Auth uses Better Auth's Organization plugin which provides `owner`,\n * `admin`, and `member` roles. This provider maps those roles to Mastra\n * permission patterns via a configurable `roleMapping`.\n *\n * @example Static mapping\n * ```typescript\n * import { MastraRBACNeon } from '@mastra/auth-neon';\n *\n * const rbac = new MastraRBACNeon({\n * roleMapping: {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * },\n * });\n * ```\n *\n * @example With custom role extraction from JWT claims\n * ```typescript\n * const rbac = new MastraRBACNeon({\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:read'],\n * },\n * getUserRoles: (user) => {\n * const role = user.jwt?.role as string;\n * return role ? [role] : [];\n * },\n * });\n * ```\n */\nexport class MastraRBACNeon implements IRBACProvider<NeonAuthUser> {\n private options: MastraRBACNeonOptions;\n private baseUrl: string;\n private rolesCache: Map<string, CacheEntry> = new Map();\n private cacheTtlMs: number;\n private cacheMaxSize: number;\n\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n constructor(options: MastraRBACNeonOptions) {\n this.options = options;\n const rawUrl = options.baseUrl ?? process.env.NEON_AUTH_BASE_URL ?? '';\n let end = rawUrl.length;\n while (end > 0 && rawUrl[end - 1] === '/') {\n end--;\n }\n this.baseUrl = rawUrl.slice(0, end);\n this.cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;\n this.cacheMaxSize = options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE;\n }\n\n async getRoles(user: NeonAuthUser): Promise<string[]> {\n if (this.options.getUserRoles) {\n return this.options.getUserRoles(user);\n }\n\n // Try extracting role from JWT claims first (fast path).\n if (user.jwt) {\n const role = user.jwt.role as string | undefined;\n if (role) return [role];\n }\n\n const userId = user.user?.id;\n if (!userId) return [];\n\n // Check cache (promote on hit for LRU eviction).\n const cached = this.rolesCache.get(userId);\n if (cached && cached.expiresAt > Date.now()) {\n this.rolesCache.delete(userId);\n this.rolesCache.set(userId, cached);\n return cached.roles;\n }\n\n // Fetch organization memberships from Neon Auth.\n const roles = await this.fetchRolesFromNeonAuth(userId);\n\n // Cache the result.\n if (this.rolesCache.size >= this.cacheMaxSize) {\n const firstKey = this.rolesCache.keys().next().value;\n if (firstKey) this.rolesCache.delete(firstKey);\n }\n this.rolesCache.set(userId, { roles, expiresAt: Date.now() + this.cacheTtlMs });\n\n return roles;\n }\n\n async hasRole(user: NeonAuthUser, role: string): Promise<boolean> {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n async getPermissions(user: NeonAuthUser): Promise<string[]> {\n const roles = await this.getRoles(user);\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n async hasPermission(user: NeonAuthUser, permission: string): Promise<boolean> {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n async hasAllPermissions(user: NeonAuthUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n async hasAnyPermission(user: NeonAuthUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n return Object.keys(this.options.roleMapping)\n .filter(k => k !== '_default')\n .map(k => ({ id: k, name: k.charAt(0).toUpperCase() + k.slice(1) }));\n }\n\n async getRolePermissions(roleId: string): Promise<string[]> {\n return resolvePermissionsFromMapping([roleId], this.options.roleMapping);\n }\n\n /**\n * Fetch organization membership roles from Neon Auth.\n *\n * Uses Better Auth's `organization/list-memberships` admin API.\n * Falls back to empty roles on error (default permissions will apply).\n */\n private async fetchRolesFromNeonAuth(userId: string): Promise<string[]> {\n if (!this.baseUrl) return [];\n\n try {\n const response = await fetch(`${this.baseUrl}/auth/api/organization/list-memberships`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ userId }),\n });\n\n if (!response.ok) return [];\n\n const data = (await response.json()) as NeonOrgMember[] | { data?: NeonOrgMember[] };\n const memberships = Array.isArray(data) ? data : (data.data ?? []);\n\n const relevant = this.options.organizationId\n ? memberships.filter(m => m.organizationId === this.options.organizationId)\n : memberships;\n\n return relevant.map(m => m.role);\n } catch {\n return [];\n }\n }\n}\n","import type {\n IUserProvider,\n ICredentialsProvider,\n ISessionProvider,\n Session,\n CredentialsResult,\n} from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\nimport { createRemoteJWKSet, jwtVerify } from 'jose';\nimport type { JWTPayload } from 'jose';\n\nexport { MastraRBACNeon } from './rbac-provider';\nexport type { MastraRBACNeonOptions, NeonRoleMappingOptions } from './rbac-provider';\n\ntype HonoRequestLike = {\n raw?: Request;\n headers?: Headers;\n header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n if (request instanceof Request) {\n return request.headers.get(name);\n }\n return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\nfunction stripTrailingSlashes(url: string): string {\n let end = url.length;\n while (end > 0 && url[end - 1] === '/') {\n end--;\n }\n return url.slice(0, end);\n}\n\nfunction parseCookies(response: Response): string[] {\n if (typeof response.headers.getSetCookie === 'function') {\n return response.headers.getSetCookie();\n }\n const raw = response.headers.get('set-cookie');\n if (!raw) return [];\n return raw.split(/,(?=\\s*\\w+=)/);\n}\n\n/**\n * Response shape from Neon Auth session endpoint.\n */\nexport interface NeonSessionResponse {\n session: {\n id: string;\n token: string;\n userId: string;\n expiresAt: string;\n createdAt: string;\n updatedAt: string;\n };\n user: {\n id: string;\n email: string;\n name: string;\n image?: string | null;\n emailVerified: boolean;\n createdAt: string;\n updatedAt: string;\n };\n}\n\n/**\n * User type returned by the adapter's authenticateToken.\n * Contains the session and user data from Neon Auth,\n * plus optional JWT claims when authenticated via bearer JWT.\n */\nexport interface NeonAuthUser {\n session?: NeonSessionResponse['session'];\n user: NeonSessionResponse['user'];\n jwt?: JWTPayload;\n}\n\nexport function mapNeonUserToEEUser(user: NeonSessionResponse['user']): EEUser {\n return {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.image ?? undefined,\n metadata: {\n emailVerified: user.emailVerified,\n createdAt: user.createdAt,\n updatedAt: user.updatedAt,\n },\n };\n}\n\nexport interface MastraAuthNeonOptions extends MastraAuthProviderOptions<NeonAuthUser> {\n /**\n * The Neon Auth base URL (e.g., `https://your-project.neon.tech`).\n * Falls back to the `NEON_AUTH_BASE_URL` environment variable.\n */\n baseUrl?: string;\n /**\n * Explicit JWKS URL for JWT token verification.\n * Overrides the URL derived from `baseUrl`.\n * Falls back to the `NEON_AUTH_JWKS_URL` environment variable.\n */\n jwksUrl?: string;\n /**\n * The session cookie name used by Neon Auth.\n * @default 'neonauth.session_token'\n */\n sessionCookieName?: string;\n /**\n * Whether to allow new user registration via sign-up.\n * @default true\n */\n signUpEnabled?: boolean;\n}\n\n/**\n * Mastra authentication provider for Neon Auth.\n *\n * Neon Auth is a managed authentication service built on Better Auth\n * that stores users, sessions, and auth configuration directly in your\n * Neon Postgres database.\n *\n * This adapter supports:\n * - JWT bearer token verification via JWKS (for API clients)\n * - Session cookie verification via Neon Auth REST API (for Studio)\n * - Email/password sign-in and sign-up (for Studio credentials flow)\n * - Session management (validate, refresh, destroy)\n *\n * @example\n * ```typescript\n * import { MastraAuthNeon } from '@mastra/auth-neon';\n *\n * const auth = new MastraAuthNeon({\n * baseUrl: process.env.NEON_AUTH_BASE_URL,\n * });\n *\n * const mastra = new Mastra({\n * server: {\n * auth,\n * },\n * });\n * ```\n *\n * @example With RBAC\n * ```typescript\n * import { MastraAuthNeon, MastraRBACNeon } from '@mastra/auth-neon';\n *\n * const mastra = new Mastra({\n * server: {\n * auth: new MastraAuthNeon({\n * baseUrl: process.env.NEON_AUTH_BASE_URL,\n * }),\n * rbac: new MastraRBACNeon({\n * roleMapping: {\n * owner: ['*'],\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * _default: [],\n * },\n * }),\n * },\n * });\n * ```\n *\n * @see https://neon.com/docs/auth/overview\n */\nexport class MastraAuthNeon\n extends MastraAuthProvider<NeonAuthUser>\n implements IUserProvider<EEUser>, ICredentialsProvider<EEUser>, ISessionProvider<Session>\n{\n protected baseUrl: string;\n protected jwksUrl: string;\n public sessionCookieName: string;\n protected signUpEnabledConfig: boolean;\n\n constructor(options?: MastraAuthNeonOptions) {\n super({ name: options?.name ?? 'neon' });\n\n const baseUrl = options?.baseUrl ?? process.env.NEON_AUTH_BASE_URL;\n\n if (!baseUrl) {\n throw new Error(\n 'Neon Auth base URL is required, please provide it in the options or set the NEON_AUTH_BASE_URL environment variable',\n );\n }\n\n this.baseUrl = stripTrailingSlashes(baseUrl);\n this.jwksUrl = options?.jwksUrl ?? process.env.NEON_AUTH_JWKS_URL ?? `${this.baseUrl}/auth/jwks`;\n this.sessionCookieName = options?.sessionCookieName ?? 'neonauth.session_token';\n this.signUpEnabledConfig = options?.signUpEnabled ?? true;\n\n this.registerOptions(options);\n }\n\n /** Expose the base URL for RBAC or other consumers. */\n getBaseUrl(): string {\n return this.baseUrl;\n }\n\n isSignUpEnabled(): boolean {\n return this.signUpEnabledConfig;\n }\n\n // ── IUserProvider ──\n\n async getCurrentUser(request: Request): Promise<EEUser | null> {\n try {\n const result = await this.fetchSession(request.headers);\n if (!result?.user) return null;\n return mapNeonUserToEEUser(result.user);\n } catch {\n return null;\n }\n }\n\n async getUser(_userId: string): Promise<EEUser | null> {\n return null;\n }\n\n getUserProfileUrl(user: EEUser): string {\n return `/profile/${user.id}`;\n }\n\n // ── MastraAuthProvider ──\n\n async authenticateToken(token: string, request: MastraAuthRequest): Promise<NeonAuthUser | null> {\n if (!token || typeof token !== 'string') {\n return null;\n }\n\n // Try JWT verification first (for bearer JWT tokens from API clients).\n const jwtResult = await this.verifyJwt(token);\n if (jwtResult) {\n return {\n user: {\n id: jwtResult.sub ?? '',\n email: (jwtResult.email as string) ?? '',\n name: (jwtResult.name as string) ?? '',\n image: (jwtResult.picture as string) ?? null,\n emailVerified: (jwtResult.email_verified as boolean) ?? false,\n createdAt: jwtResult.iat ? new Date(jwtResult.iat * 1000).toISOString() : '',\n updatedAt: '',\n },\n jwt: jwtResult,\n };\n }\n\n // Fall back to session cookie verification via Neon Auth API.\n try {\n const headers = new Headers();\n\n const cookieHeader = getRequestHeader(request, 'Cookie');\n if (cookieHeader) {\n headers.set('Cookie', cookieHeader);\n }\n\n const hasSessionCookie = !!cookieHeader\n ?.split(';')\n .some(pair => pair.trim().split('=')[0]?.trim() === this.sessionCookieName);\n\n if (token && !hasSessionCookie) {\n const existingCookies = cookieHeader ? `${cookieHeader}; ` : '';\n headers.set('Cookie', `${existingCookies}${this.sessionCookieName}=${token}`);\n }\n\n const result = await this.fetchSession(headers);\n if (!result?.session || !result?.user) {\n return null;\n }\n\n return {\n session: result.session,\n user: result.user,\n };\n } catch {\n return null;\n }\n }\n\n async authorizeUser(user: NeonAuthUser): Promise<boolean> {\n if (!user?.user?.id) return false;\n\n if (user.jwt?.exp && user.jwt.exp * 1000 < Date.now()) {\n return false;\n }\n\n return true;\n }\n\n // ── ICredentialsProvider ──\n\n async signIn(email: string, password: string, request: Request): Promise<CredentialsResult<EEUser>> {\n const response = await fetch(`${this.baseUrl}/auth/sign-in/email`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(request?.headers ? Object.fromEntries(request.headers.entries()) : {}),\n },\n body: JSON.stringify({ email, password }),\n });\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n throw new Error(errorData.message || 'Invalid email or password');\n }\n\n const result = (await response.json()) as { user?: NeonSessionResponse['user']; token?: string | null };\n\n if (!result?.user) {\n throw new Error('Invalid email or password');\n }\n\n const cookies = parseCookies(response);\n\n return {\n user: mapNeonUserToEEUser(result.user),\n token: result.token ?? undefined,\n cookies,\n };\n }\n\n async signUp(\n email: string,\n password: string,\n name: string | undefined,\n request: Request,\n ): Promise<CredentialsResult<EEUser>> {\n const displayName = name ?? email.split('@')[0] ?? 'User';\n\n const response = await fetch(`${this.baseUrl}/auth/sign-up/email`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(request?.headers ? Object.fromEntries(request.headers.entries()) : {}),\n },\n body: JSON.stringify({ email, password, name: displayName }),\n });\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as { message?: string };\n throw new Error(errorData.message || 'Failed to create account');\n }\n\n const result = (await response.json()) as { user?: NeonSessionResponse['user']; token?: string | null };\n\n if (!result?.user) {\n throw new Error('Failed to create account');\n }\n\n const cookies = parseCookies(response);\n\n return {\n user: mapNeonUserToEEUser(result.user),\n token: result.token ?? undefined,\n cookies,\n };\n }\n\n // ── ISessionProvider ──\n\n async createSession(_userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n const now = new Date();\n const expiresAt = new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000);\n return {\n id: crypto.randomUUID(),\n userId: _userId,\n createdAt: now,\n expiresAt,\n metadata,\n };\n }\n\n async validateSession(sessionId: string): Promise<Session | null> {\n try {\n const headers = new Headers();\n headers.set('Cookie', `${this.sessionCookieName}=${sessionId}`);\n const result = await this.fetchSession(headers);\n if (!result?.session) return null;\n\n return {\n id: result.session.id,\n userId: result.session.userId,\n expiresAt: new Date(result.session.expiresAt),\n createdAt: new Date(result.session.createdAt),\n };\n } catch {\n return null;\n }\n }\n\n async destroySession(_sessionId: string): Promise<void> {\n // Neon Auth (Better Auth) manages session destruction via the sign-out endpoint.\n // Cookie clearing happens via getClearSessionHeaders.\n }\n\n async refreshSession(sessionId: string): Promise<Session | null> {\n // Neon Auth (Better Auth) refreshes sessions automatically when\n // get-session is called and the updateAge threshold is reached.\n return this.validateSession(sessionId);\n }\n\n getSessionIdFromRequest(request: Request): string | null {\n const cookieHeader = request.headers.get('Cookie');\n if (!cookieHeader) return null;\n\n for (const pair of cookieHeader.split(';')) {\n const [key, ...rest] = pair.trim().split('=');\n if (key?.trim() === this.sessionCookieName) {\n return rest.join('=') || null;\n }\n }\n\n return null;\n }\n\n getSessionHeaders(session: Session): Record<string, string> {\n const cookie = (session as unknown as Record<string, unknown>)._sessionCookie;\n if (typeof cookie === 'string') {\n return { 'Set-Cookie': cookie };\n }\n return {};\n }\n\n getClearSessionHeaders(): Record<string, string> {\n const cookies = [\n `${this.sessionCookieName}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n `${this.sessionCookieName}_sig=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`,\n ];\n return {\n 'Set-Cookie': cookies.join(', '),\n };\n }\n\n // ── Internal helpers ──\n\n private async verifyJwt(token: string): Promise<JWTPayload | null> {\n try {\n const JWKS = createRemoteJWKSet(new URL(this.jwksUrl));\n const { payload } = await jwtVerify(token, JWKS);\n return payload;\n } catch {\n return null;\n }\n }\n\n /** Fetch and validate a session from the Neon Auth REST API. */\n public async fetchSession(headers: Headers): Promise<NeonSessionResponse | null> {\n const response = await fetch(`${this.baseUrl}/auth/get-session`, {\n method: 'GET',\n headers,\n });\n\n if (!response.ok) {\n return null;\n }\n\n const data = (await response.json()) as NeonSessionResponse | null;\n if (!data?.session || !data?.user) {\n return null;\n }\n\n return data;\n }\n}\n"]}

package/dist/rbac-provider.d.ts ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * Neon Auth RBAC provider for Mastra.
+ *
+ * Maps Neon Auth organization roles (via Better Auth's Organization plugin)
+ * to Mastra permissions using a configurable role mapping.
+ */
+import type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';
+import type { NeonAuthUser } from './index.js';
+export interface NeonRoleMappingOptions {
+    /** Cache TTL in milliseconds (default: 60_000) */
+    ttlMs?: number;
+    /** Max cache entries (default: 1000) */
+    maxSize?: number;
+}
+export interface MastraRBACNeonOptions {
+    /**
+     * Base URL for the Neon Auth service.
+     * Falls back to `NEON_AUTH_BASE_URL` env var.
+     */
+    baseUrl?: string;
+    /**
+     * Map provider role slugs to arrays of Mastra permission patterns.
+     * Use `_default` for roles not explicitly listed.
+     *
+     * @example
+     * ```typescript
+     * {
+     *   owner: ['*'],
+     *   admin: ['*'],
+     *   member: ['agents:read', 'workflows:*'],
+     *   _default: [],
+     * }
+     * ```
+     */
+    roleMapping: RoleMapping;
+    /**
+     * Specific organization ID to scope role lookups to.
+     * If omitted, roles from all organizations are merged.
+     */
+    organizationId?: string;
+    /** Caching options for role lookups. */
+    cache?: NeonRoleMappingOptions;
+    /**
+     * Custom function to extract roles from the NeonAuthUser object.
+     * Useful when JWT claims already contain role info.
+     */
+    getUserRoles?: (user: NeonAuthUser) => string[] | Promise<string[]>;
+}
+/**
+ * RBAC provider for Neon Auth that maps organization roles to Mastra permissions.
+ *
+ * Neon Auth uses Better Auth's Organization plugin which provides `owner`,
+ * `admin`, and `member` roles. This provider maps those roles to Mastra
+ * permission patterns via a configurable `roleMapping`.
+ *
+ * @example Static mapping
+ * ```typescript
+ * import { MastraRBACNeon } from '@mastra/auth-neon';
+ *
+ * const rbac = new MastraRBACNeon({
+ *   roleMapping: {
+ *     owner: ['*'],
+ *     admin: ['*'],
+ *     member: ['agents:read', 'workflows:*'],
+ *     _default: [],
+ *   },
+ * });
+ * ```
+ *
+ * @example With custom role extraction from JWT claims
+ * ```typescript
+ * const rbac = new MastraRBACNeon({
+ *   roleMapping: {
+ *     admin: ['*'],
+ *     member: ['agents:read'],
+ *   },
+ *   getUserRoles: (user) => {
+ *     const role = user.jwt?.role as string;
+ *     return role ? [role] : [];
+ *   },
+ * });
+ * ```
+ */
+export declare class MastraRBACNeon implements IRBACProvider<NeonAuthUser> {
+    private options;
+    private baseUrl;
+    private rolesCache;
+    private cacheTtlMs;
+    private cacheMaxSize;
+    get roleMapping(): RoleMapping;
+    constructor(options: MastraRBACNeonOptions);
+    getRoles(user: NeonAuthUser): Promise<string[]>;
+    hasRole(user: NeonAuthUser, role: string): Promise<boolean>;
+    getPermissions(user: NeonAuthUser): Promise<string[]>;
+    hasPermission(user: NeonAuthUser, permission: string): Promise<boolean>;
+    hasAllPermissions(user: NeonAuthUser, permissions: string[]): Promise<boolean>;
+    hasAnyPermission(user: NeonAuthUser, permissions: string[]): Promise<boolean>;
+    getAvailableRoles(): Promise<{
+        id: string;
+        name: string;
+    }[]>;
+    getRolePermissions(roleId: string): Promise<string[]>;
+    /**
+     * Fetch organization membership roles from Neon Auth.
+     *
+     * Uses Better Auth's `organization/list-memberships` admin API.
+     * Falls back to empty roles on error (default permissions will apply).
+     */
+    private fetchRolesFromNeonAuth;
+}
+//# sourceMappingURL=rbac-provider.d.ts.map

package/dist/rbac-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac-provider.d.ts","sourceRoot":"","sources":["../src/rbac-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAa5C,MAAM,WAAW,sBAAsB;IACrC,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;;OAaG;IACH,WAAW,EAAE,WAAW,CAAC;IACzB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,KAAK,CAAC,EAAE,sBAAsB,CAAC;IAC/B;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACrE;AAUD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,qBAAa,cAAe,YAAW,aAAa,CAAC,YAAY,CAAC;IAChE,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,UAAU,CAAsC;IACxD,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,YAAY,CAAS;IAE7B,IAAI,WAAW,IAAI,WAAW,CAE7B;gBAEW,OAAO,EAAE,qBAAqB;IAYpC,QAAQ,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAmC/C,OAAO,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3D,cAAc,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKrD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvE,iBAAiB,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9E,gBAAgB,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK7E,iBAAiB,IAAI,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAM5D,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAI3D;;;;;OAKG;YACW,sBAAsB;CAwBrC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mastra/auth-neon",
-  "version": "0.0.0",
+  "version": "0.2.0",
   "description": "Mastra Neon Auth integration",
   "type": "module",
   "main": "dist/index.js",
@@ -18,12 +18,6 @@
     },
     "./package.json": "./package.json"
   },
-  "scripts": {
-    "build": "tsup --silent --config tsup.config.ts",
-    "build:watch": "tsup --watch --silent --config tsup.config.ts",
-    "test": "vitest run",
-    "lint": "eslint ."
-  },
   "license": "Apache-2.0",
   "dependencies": {
     "jose": "^6.2.1"
@@ -32,16 +26,16 @@
     "@mastra/core": ">=1.0.0-0 <2.0.0-0"
   },
   "devDependencies": {
-    "@internal/lint": "workspace:*",
-    "@internal/types-builder": "workspace:*",
-    "@mastra/core": "workspace:*",
     "@types/node": "22.19.21",
-    "@vitest/coverage-v8": "catalog:",
-    "@vitest/ui": "catalog:",
+    "@vitest/coverage-v8": "4.1.8",
+    "@vitest/ui": "4.1.8",
     "eslint": "^10.4.1",
     "tsup": "^8.5.1",
-    "typescript": "catalog:",
-    "vitest": "catalog:"
+    "typescript": "^6.0.3",
+    "vitest": "4.1.8",
+    "@internal/lint": "0.0.105",
+    "@internal/types-builder": "0.0.80",
+    "@mastra/core": "1.43.0"
   },
   "files": [
     "dist",
@@ -58,5 +52,11 @@
   },
   "engines": {
     "node": ">=22.13.0"
+  },
+  "scripts": {
+    "build": "tsup --silent --config tsup.config.ts",
+    "build:watch": "tsup --watch --silent --config tsup.config.ts",
+    "test": "vitest run",
+    "lint": "eslint ."
   }
-}
+}