@mastra/auth-studio 0.0.0-auth-combined-test-all-20260302225441

package/CHANGELOG.md

@@ -0,0 +1,8 @@
+# @mastra/auth-studio
+
+## 0.0.0-auth-combined-test-all-20260302225441
+
+### Patch Changes
+
+- Updated dependencies [[`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`cdc3c3a`](https://github.com/mastra-ai/mastra/commit/cdc3c3a1c0eb8462957720d9f9d6de953cb7897c), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4)]:
+  - @mastra/core@0.0.0-auth-combined-test-all-20260302225441

package/LICENSE.md

@@ -0,0 +1,30 @@
+Portions of this software are licensed as follows:
+
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+  is licensed under the license defined in `ee/LICENSE`.
+
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+
+# Apache License 2.0
+
+Copyright (c) 2025 Kepler Software, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/dist/index.cjs

@@ -0,0 +1,309 @@
+'use strict';
+
+var ee = require('@mastra/core/auth/ee');
+var server = require('@mastra/core/server');
+
+// src/index.ts
+var COOKIE_NAME = "wos-session";
+var MastraAuthStudio = class extends server.MastraAuthProvider {
+  isMastraCloudAuth = true;
+  sharedApiUrl;
+  organizationId;
+  useProductionCookies;
+  constructor(options) {
+    super({ name: "mastra-studio", ...options });
+    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || "http://localhost:3010/v1";
+    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;
+    if (this.sharedApiUrl.endsWith("/")) {
+      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);
+    }
+    this.useProductionCookies = this.sharedApiUrl.includes(".mastra.ai");
+    if (options) {
+      this.registerOptions(options);
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // MastraAuthProvider abstract methods
+  // ---------------------------------------------------------------------------
+  /**
+   * Authenticate an incoming request by forwarding the sealed session cookie
+   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.
+   */
+  async authenticateToken(token, request) {
+    let user = null;
+    const cookieHeader = request?.headers?.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (sessionCookie) {
+      user = await this.verifySessionCookie(sessionCookie);
+    }
+    if (!user && token) {
+      user = await this.verifyBearerToken(token);
+    }
+    if (!user) return null;
+    if (this.organizationId && user.organizationId !== this.organizationId) {
+      return null;
+    }
+    return user;
+  }
+  authorizeUser(user) {
+    return !!user?.id;
+  }
+  // ---------------------------------------------------------------------------
+  // ISSOProvider
+  // ---------------------------------------------------------------------------
+  getLoginUrl(redirectUri, state) {
+    let postLoginRedirect = "/";
+    if (state) {
+      const pipeIndex = state.indexOf("|");
+      if (pipeIndex !== -1) {
+        try {
+          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));
+        } catch {
+        }
+      }
+    }
+    const params = new URLSearchParams({
+      product: "deploy",
+      redirect_uri: redirectUri,
+      post_login_redirect: postLoginRedirect,
+      // Force re-authentication so AuthKit always shows the account picker
+      prompt: "login",
+      ...this.organizationId ? { organization_id: this.organizationId } : {}
+    });
+    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;
+  }
+  async handleCallback(code, state) {
+    const url = `${this.sharedApiUrl}/auth/callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;
+    const res = await fetch(url, {
+      redirect: "manual"
+    });
+    const setCookieHeaders = res.headers.getSetCookie?.() ?? [];
+    const sessionValue = extractCookieValue(setCookieHeaders, COOKIE_NAME);
+    if (!sessionValue) {
+      throw new Error("No session cookie returned from callback");
+    }
+    const user = await this.verifySessionCookie(sessionValue);
+    if (!user) {
+      throw new Error("Session validation failed after callback");
+    }
+    return {
+      user,
+      tokens: {
+        accessToken: sessionValue
+      },
+      cookies: setCookieHeaders
+    };
+  }
+  setCallbackCookieHeader(_cookieHeader) {
+  }
+  getLoginCookies() {
+    return void 0;
+  }
+  getLoginButtonConfig() {
+    return {
+      provider: "mastra-studio",
+      text: "Sign in with Mastra"
+    };
+  }
+  async getLogoutUrl(_redirectUri, request) {
+    const cookieHeader = request?.headers.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (!sessionCookie) return null;
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Cookie: `${COOKIE_NAME}=${sessionCookie}`
+        }
+      });
+      if (res.ok) {
+        const data = await res.json();
+        return data.logoutUrl ?? null;
+      }
+    } catch {
+    }
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // ISessionProvider
+  // ---------------------------------------------------------------------------
+  async createSession(userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    return {
+      id: metadata?.accessToken || crypto.randomUUID(),
+      userId,
+      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      // 24 hours
+      createdAt: now,
+      metadata
+    };
+  }
+  async validateSession(sessionId) {
+    const user = await this.verifySessionCookie(sessionId);
+    if (!user) return null;
+    const now = /* @__PURE__ */ new Date();
+    return {
+      id: sessionId,
+      userId: user.id,
+      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      createdAt: now
+    };
+  }
+  async destroySession(sessionId) {
+    try {
+      await fetch(`${this.sharedApiUrl}/auth/logout`, {
+        method: "POST",
+        headers: {
+          Cookie: `${COOKIE_NAME}=${sessionId}`
+        }
+      });
+    } catch {
+    }
+  }
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  getSessionIdFromRequest(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    return parseCookie(cookieHeader, COOKIE_NAME);
+  }
+  getSessionHeaders(session) {
+    const parts = [`${COOKIE_NAME}=${session.id}`, "HttpOnly", "SameSite=Lax", "Path=/", "Max-Age=86400"];
+    if (this.useProductionCookies) {
+      parts.push("Secure");
+      parts.push("Domain=.mastra.ai");
+    }
+    return { "Set-Cookie": parts.join("; ") };
+  }
+  getClearSessionHeaders() {
+    const parts = [`${COOKIE_NAME}=`, "HttpOnly", "SameSite=Lax", "Path=/", "Max-Age=0"];
+    if (this.useProductionCookies) {
+      parts.push("Secure");
+      parts.push("Domain=.mastra.ai");
+    }
+    return { "Set-Cookie": parts.join("; ") };
+  }
+  // ---------------------------------------------------------------------------
+  // IUserProvider
+  // ---------------------------------------------------------------------------
+  async getCurrentUser(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (sessionCookie) {
+      return this.verifySessionCookie(sessionCookie);
+    }
+    const authHeader = request.headers.get("Authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      return this.verifyBearerToken(authHeader.slice(7));
+    }
+    return null;
+  }
+  async getUser(_userId) {
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // Internal helpers
+  // ---------------------------------------------------------------------------
+  /**
+   * Forward a sealed session cookie to the shared API's /auth/me endpoint
+   * to validate it and get user info.
+   */
+  async verifySessionCookie(sessionCookie) {
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {
+        headers: {
+          Cookie: `${COOKIE_NAME}=${sessionCookie}`
+        }
+      });
+      if (!res.ok) return null;
+      const data = await res.json();
+      return {
+        id: data.user.id,
+        email: data.user.email,
+        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(" ") || void 0,
+        avatarUrl: data.user.profilePictureUrl,
+        organizationId: data.organizationId,
+        role: data.role,
+        permissions: data.permissions
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Forward a Bearer token to the shared API's /auth/verify endpoint
+   * to validate it and get user info (used for CLI tokens).
+   */
+  async verifyBearerToken(token) {
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      });
+      if (!res.ok) return null;
+      const data = await res.json();
+      return {
+        id: data.user.id,
+        email: data.user.email,
+        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(" ") || void 0,
+        organizationId: data.organizationId
+      };
+    } catch {
+      return null;
+    }
+  }
+};
+function parseCookie(cookieHeader, name) {
+  if (!cookieHeader) return null;
+  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));
+  return match?.[1] ?? null;
+}
+function extractCookieValue(setCookieHeaders, name) {
+  for (const header of setCookieHeaders) {
+    const match = header.match(new RegExp(`^${name}=([^;]+)`));
+    if (match?.[1]) return match[1];
+  }
+  return null;
+}
+var MastraRBACStudio = class {
+  options;
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  constructor(options) {
+    this.options = options;
+  }
+  async getRoles(user) {
+    return user.role ? [user.role] : [];
+  }
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
+    }
+    return ee.resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => ee.matchesPermission(p, permission));
+  }
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+};
+
+exports.MastraAuthStudio = MastraAuthStudio;
+exports.MastraRBACStudio = MastraRBACStudio;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider","resolvePermissionsFromMapping","matchesPermission"],"mappings":";;;;;;AA8BA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACGA,yBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAKA,IAAA,IAAA,CAAK,oBAAA,GAAuB,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,YAAY,CAAA;AAEnE,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0C;AAC/E,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,GAAA,CAAI,QAAQ,CAAA;AACnD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,IAAA,IAAI,IAAA,CAAK,cAAA,IAAkB,IAAA,CAAK,cAAA,KAAmB,KAAK,cAAA,EAAgB;AACtE,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,KAAA,EAAuD;AAExF,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,oBAAA,EAAuB,kBAAA,CAAmB,IAAI,CAAC,CAAA,OAAA,EAAU,kBAAA,CAAmB,KAAK,CAAC,CAAA,CAAA;AAElH,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAC3B,QAAA,EAAU;AAAA,KACX,CAAA;AAGD,IAAA,MAAM,gBAAA,GAAmB,GAAA,CAAI,OAAA,CAAQ,YAAA,QAAoB,EAAC;AAC1D,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,gBAAA,EAAkB,WAAW,CAAA;AAErE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAGA,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAEA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,MACA,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,KAAK,oBAAA,EAAsB;AAC7B,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,KAAK,mBAAmB,CAAA;AAAA,IAChC;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,KAAK,oBAAA,EAAsB;AAC7B,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,KAAK,mBAAmB,CAAA;AAAA,IAChC;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,GAAA,CAAI,EAAA,EAAI,OAAO,IAAA;AAEpB,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAa7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK;AAAA,OACpB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,GAAA,CAAI,EAAA,EAAI,OAAO,IAAA;AAEpB,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAU7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK;AAAA,OACvB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAEA,SAAS,kBAAA,CAAmB,kBAA4B,IAAA,EAA6B;AACnF,EAAA,KAAA,MAAW,UAAU,gBAAA,EAAkB;AACrC,IAAA,MAAM,KAAA,GAAQ,OAAO,KAAA,CAAM,IAAI,OAAO,CAAA,CAAA,EAAI,IAAI,UAAU,CAAC,CAAA;AACzD,IAAA,IAAI,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,MAAM,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA;AACT;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAOC,gCAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.cjs","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Use production cookie settings (Secure + Domain=.mastra.ai) only when\n    // the shared API is actually on .mastra.ai — NOT based on NODE_ENV which\n    // may be 'production' even in local dev (e.g. mastra dev sets it).\n    this.useProductionCookies = this.sharedApiUrl.includes('.mastra.ai');\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: any): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = request?.headers?.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not in that org\n    if (this.organizationId && user.organizationId !== this.organizationId) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // Forward the callback to the shared API\n    const url = `${this.sharedApiUrl}/auth/callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;\n\n    const res = await fetch(url, {\n      redirect: 'manual',\n    });\n\n    // The shared API redirects after setting cookies — extract the session cookie\n    const setCookieHeaders = res.headers.getSetCookie?.() ?? [];\n    const sessionValue = extractCookieValue(setCookieHeaders, COOKIE_NAME);\n\n    if (!sessionValue) {\n      throw new Error('No session cookie returned from callback');\n    }\n\n    // Validate the new session to get user info\n    const user = await this.verifySessionCookie(sessionValue);\n    if (!user) {\n      throw new Error('Session validation failed after callback');\n    }\n\n    return {\n      user,\n      tokens: {\n        accessToken: sessionValue,\n      },\n      cookies: setCookieHeaders,\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    return this.validateSession(sessionId);\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies) {\n      parts.push('Secure');\n      parts.push('Domain=.mastra.ai');\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies) {\n      parts.push('Secure');\n      parts.push('Domain=.mastra.ai');\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) return null;\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) return null;\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n      };\n    } catch {\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\nfunction extractCookieValue(setCookieHeaders: string[], name: string): string | null {\n  for (const header of setCookieHeaders) {\n    const match = header.match(new RegExp(`^${name}=([^;]+)`));\n    if (match?.[1]) return match[1];\n  }\n  return null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}

package/dist/index.d.ts

@@ -0,0 +1,102 @@
+import type { ISSOProvider, ISessionProvider, IUserProvider, Session, SSOCallbackResult, SSOLoginConfig } from '@mastra/core/auth';
+import type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';
+import { MastraAuthProvider } from '@mastra/core/server';
+import type { MastraAuthProviderOptions } from '@mastra/core/server';
+export interface StudioUser extends EEUser {
+    id: string;
+    email?: string;
+    name?: string;
+    avatarUrl?: string;
+    organizationId?: string;
+    role?: string;
+    permissions?: string[];
+}
+export interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {
+    /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */
+    sharedApiUrl?: string;
+    /** Organization ID that owns this deployed instance. Users not in this org are rejected. */
+    organizationId?: string;
+}
+/**
+ * Auth provider for Mastra Studio deployed instances.
+ *
+ * Proxies all authentication through the shared API, keeping the
+ * WorkOS API key safely in the shared API. Deployed instances only
+ * need the shared API URL — no secrets required.
+ *
+ * The shared API's sealed session cookie (`wos-session`) is set with
+ * `Domain=.mastra.ai` in production, so it's included in requests
+ * to deployed instances and can be forwarded for validation.
+ */
+export declare class MastraAuthStudio extends MastraAuthProvider<StudioUser> implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser> {
+    readonly isMastraCloudAuth = true;
+    private sharedApiUrl;
+    private organizationId;
+    private useProductionCookies;
+    constructor(options?: MastraAuthStudioOptions);
+    /**
+     * Authenticate an incoming request by forwarding the sealed session cookie
+     * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.
+     */
+    authenticateToken(token: string, request: any): Promise<StudioUser | null>;
+    authorizeUser(user: StudioUser): boolean;
+    getLoginUrl(redirectUri: string, state: string): string;
+    handleCallback(code: string, state: string): Promise<SSOCallbackResult<StudioUser>>;
+    setCallbackCookieHeader(_cookieHeader: string | null): void;
+    getLoginCookies(): string[] | undefined;
+    getLoginButtonConfig(): SSOLoginConfig;
+    getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null>;
+    createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session>;
+    validateSession(sessionId: string): Promise<Session | null>;
+    destroySession(sessionId: string): Promise<void>;
+    refreshSession(sessionId: string): Promise<Session | null>;
+    getSessionIdFromRequest(request: Request): string | null;
+    getSessionHeaders(session: Session): Record<string, string>;
+    getClearSessionHeaders(): Record<string, string>;
+    getCurrentUser(request: Request): Promise<StudioUser | null>;
+    getUser(_userId: string): Promise<StudioUser | null>;
+    /**
+     * Forward a sealed session cookie to the shared API's /auth/me endpoint
+     * to validate it and get user info.
+     */
+    private verifySessionCookie;
+    /**
+     * Forward a Bearer token to the shared API's /auth/verify endpoint
+     * to validate it and get user info (used for CLI tokens).
+     */
+    private verifyBearerToken;
+}
+export interface MastraRBACStudioOptions {
+    /**
+     * Mapping from role names to permission arrays.
+     *
+     * @example
+     * ```typescript
+     * {
+     *   admin: ['*'],
+     *   member: ['agents:read', 'workflows:*'],
+     *   viewer: ['agents:read', 'workflows:read'],
+     *   _default: [],
+     * }
+     * ```
+     */
+    roleMapping: RoleMapping;
+}
+/**
+ * RBAC provider for Mastra Studio authentication.
+ *
+ * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions
+ * using a configurable role mapping.
+ */
+export declare class MastraRBACStudio implements IRBACProvider<StudioUser> {
+    private options;
+    get roleMapping(): RoleMapping;
+    constructor(options: MastraRBACStudioOptions);
+    getRoles(user: StudioUser): Promise<string[]>;
+    hasRole(user: StudioUser, role: string): Promise<boolean>;
+    getPermissions(user: StudioUser): Promise<string[]>;
+    hasPermission(user: StudioUser, permission: string): Promise<boolean>;
+    hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean>;
+    hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAErE,MAAM,WAAW,UAAW,SAAQ,MAAM;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,uBAAwB,SAAQ,yBAAyB,CAAC,UAAU,CAAC;IACpF,yEAAyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4FAA4F;IAC5F,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAID;;;;;;;;;;GAUG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,YAAY,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC;IAEzF,QAAQ,CAAC,iBAAiB,QAAQ;IAElC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAqB;IAC3C,OAAO,CAAC,oBAAoB,CAAU;gBAE1B,OAAO,CAAC,EAAE,uBAAuB;IAwB7C;;;OAGG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IA0BhF,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQxC,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA0BjD,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IA+BzF,uBAAuB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAI3D,eAAe,IAAI,MAAM,EAAE,GAAG,SAAS;IAKvC,oBAAoB,IAAI,cAAc;IAOhC,YAAY,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA8B7E,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAWnF,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAa3D,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAahD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIhE,uBAAuB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAKxD,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAS3D,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAa1C,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiB5D,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAS1D;;;OAGG;YACW,mBAAmB;IAqCjC;;;OAGG;YACW,iBAAiB;CA8BhC;AAwBD,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;OAYG;IACH,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,aAAa,CAAC,UAAU,CAAC;IAChE,OAAO,CAAC,OAAO,CAA0B;IAEzC,IAAI,WAAW,IAAI,WAAW,CAE7B;gBAEW,OAAO,EAAE,uBAAuB;IAItC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7C,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKzD,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAQnD,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKrE,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5E,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAIlF"}

package/dist/index.js

@@ -0,0 +1,306 @@
+import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
+import { MastraAuthProvider } from '@mastra/core/server';
+
+// src/index.ts
+var COOKIE_NAME = "wos-session";
+var MastraAuthStudio = class extends MastraAuthProvider {
+  isMastraCloudAuth = true;
+  sharedApiUrl;
+  organizationId;
+  useProductionCookies;
+  constructor(options) {
+    super({ name: "mastra-studio", ...options });
+    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || "http://localhost:3010/v1";
+    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;
+    if (this.sharedApiUrl.endsWith("/")) {
+      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);
+    }
+    this.useProductionCookies = this.sharedApiUrl.includes(".mastra.ai");
+    if (options) {
+      this.registerOptions(options);
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // MastraAuthProvider abstract methods
+  // ---------------------------------------------------------------------------
+  /**
+   * Authenticate an incoming request by forwarding the sealed session cookie
+   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.
+   */
+  async authenticateToken(token, request) {
+    let user = null;
+    const cookieHeader = request?.headers?.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (sessionCookie) {
+      user = await this.verifySessionCookie(sessionCookie);
+    }
+    if (!user && token) {
+      user = await this.verifyBearerToken(token);
+    }
+    if (!user) return null;
+    if (this.organizationId && user.organizationId !== this.organizationId) {
+      return null;
+    }
+    return user;
+  }
+  authorizeUser(user) {
+    return !!user?.id;
+  }
+  // ---------------------------------------------------------------------------
+  // ISSOProvider
+  // ---------------------------------------------------------------------------
+  getLoginUrl(redirectUri, state) {
+    let postLoginRedirect = "/";
+    if (state) {
+      const pipeIndex = state.indexOf("|");
+      if (pipeIndex !== -1) {
+        try {
+          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));
+        } catch {
+        }
+      }
+    }
+    const params = new URLSearchParams({
+      product: "deploy",
+      redirect_uri: redirectUri,
+      post_login_redirect: postLoginRedirect,
+      // Force re-authentication so AuthKit always shows the account picker
+      prompt: "login",
+      ...this.organizationId ? { organization_id: this.organizationId } : {}
+    });
+    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;
+  }
+  async handleCallback(code, state) {
+    const url = `${this.sharedApiUrl}/auth/callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;
+    const res = await fetch(url, {
+      redirect: "manual"
+    });
+    const setCookieHeaders = res.headers.getSetCookie?.() ?? [];
+    const sessionValue = extractCookieValue(setCookieHeaders, COOKIE_NAME);
+    if (!sessionValue) {
+      throw new Error("No session cookie returned from callback");
+    }
+    const user = await this.verifySessionCookie(sessionValue);
+    if (!user) {
+      throw new Error("Session validation failed after callback");
+    }
+    return {
+      user,
+      tokens: {
+        accessToken: sessionValue
+      },
+      cookies: setCookieHeaders
+    };
+  }
+  setCallbackCookieHeader(_cookieHeader) {
+  }
+  getLoginCookies() {
+    return void 0;
+  }
+  getLoginButtonConfig() {
+    return {
+      provider: "mastra-studio",
+      text: "Sign in with Mastra"
+    };
+  }
+  async getLogoutUrl(_redirectUri, request) {
+    const cookieHeader = request?.headers.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (!sessionCookie) return null;
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Cookie: `${COOKIE_NAME}=${sessionCookie}`
+        }
+      });
+      if (res.ok) {
+        const data = await res.json();
+        return data.logoutUrl ?? null;
+      }
+    } catch {
+    }
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // ISessionProvider
+  // ---------------------------------------------------------------------------
+  async createSession(userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    return {
+      id: metadata?.accessToken || crypto.randomUUID(),
+      userId,
+      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      // 24 hours
+      createdAt: now,
+      metadata
+    };
+  }
+  async validateSession(sessionId) {
+    const user = await this.verifySessionCookie(sessionId);
+    if (!user) return null;
+    const now = /* @__PURE__ */ new Date();
+    return {
+      id: sessionId,
+      userId: user.id,
+      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1e3),
+      createdAt: now
+    };
+  }
+  async destroySession(sessionId) {
+    try {
+      await fetch(`${this.sharedApiUrl}/auth/logout`, {
+        method: "POST",
+        headers: {
+          Cookie: `${COOKIE_NAME}=${sessionId}`
+        }
+      });
+    } catch {
+    }
+  }
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  getSessionIdFromRequest(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    return parseCookie(cookieHeader, COOKIE_NAME);
+  }
+  getSessionHeaders(session) {
+    const parts = [`${COOKIE_NAME}=${session.id}`, "HttpOnly", "SameSite=Lax", "Path=/", "Max-Age=86400"];
+    if (this.useProductionCookies) {
+      parts.push("Secure");
+      parts.push("Domain=.mastra.ai");
+    }
+    return { "Set-Cookie": parts.join("; ") };
+  }
+  getClearSessionHeaders() {
+    const parts = [`${COOKIE_NAME}=`, "HttpOnly", "SameSite=Lax", "Path=/", "Max-Age=0"];
+    if (this.useProductionCookies) {
+      parts.push("Secure");
+      parts.push("Domain=.mastra.ai");
+    }
+    return { "Set-Cookie": parts.join("; ") };
+  }
+  // ---------------------------------------------------------------------------
+  // IUserProvider
+  // ---------------------------------------------------------------------------
+  async getCurrentUser(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
+    if (sessionCookie) {
+      return this.verifySessionCookie(sessionCookie);
+    }
+    const authHeader = request.headers.get("Authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      return this.verifyBearerToken(authHeader.slice(7));
+    }
+    return null;
+  }
+  async getUser(_userId) {
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // Internal helpers
+  // ---------------------------------------------------------------------------
+  /**
+   * Forward a sealed session cookie to the shared API's /auth/me endpoint
+   * to validate it and get user info.
+   */
+  async verifySessionCookie(sessionCookie) {
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {
+        headers: {
+          Cookie: `${COOKIE_NAME}=${sessionCookie}`
+        }
+      });
+      if (!res.ok) return null;
+      const data = await res.json();
+      return {
+        id: data.user.id,
+        email: data.user.email,
+        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(" ") || void 0,
+        avatarUrl: data.user.profilePictureUrl,
+        organizationId: data.organizationId,
+        role: data.role,
+        permissions: data.permissions
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Forward a Bearer token to the shared API's /auth/verify endpoint
+   * to validate it and get user info (used for CLI tokens).
+   */
+  async verifyBearerToken(token) {
+    try {
+      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      });
+      if (!res.ok) return null;
+      const data = await res.json();
+      return {
+        id: data.user.id,
+        email: data.user.email,
+        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(" ") || void 0,
+        organizationId: data.organizationId
+      };
+    } catch {
+      return null;
+    }
+  }
+};
+function parseCookie(cookieHeader, name) {
+  if (!cookieHeader) return null;
+  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));
+  return match?.[1] ?? null;
+}
+function extractCookieValue(setCookieHeaders, name) {
+  for (const header of setCookieHeaders) {
+    const match = header.match(new RegExp(`^${name}=([^;]+)`));
+    if (match?.[1]) return match[1];
+  }
+  return null;
+}
+var MastraRBACStudio = class {
+  options;
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  constructor(options) {
+    this.options = options;
+  }
+  async getRoles(user) {
+    return user.role ? [user.role] : [];
+  }
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
+    }
+    return resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => matchesPermission(p, permission));
+  }
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+};
+
+export { MastraAuthStudio, MastraRBACStudio };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;AA8BA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAKA,IAAA,IAAA,CAAK,oBAAA,GAAuB,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,YAAY,CAAA;AAEnE,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0C;AAC/E,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,GAAA,CAAI,QAAQ,CAAA;AACnD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,IAAA,IAAI,IAAA,CAAK,cAAA,IAAkB,IAAA,CAAK,cAAA,KAAmB,KAAK,cAAA,EAAgB;AACtE,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,KAAA,EAAuD;AAExF,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,oBAAA,EAAuB,kBAAA,CAAmB,IAAI,CAAC,CAAA,OAAA,EAAU,kBAAA,CAAmB,KAAK,CAAC,CAAA,CAAA;AAElH,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAC3B,QAAA,EAAU;AAAA,KACX,CAAA;AAGD,IAAA,MAAM,gBAAA,GAAmB,GAAA,CAAI,OAAA,CAAQ,YAAA,QAAoB,EAAC;AAC1D,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,gBAAA,EAAkB,WAAW,CAAA;AAErE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAGA,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAEA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,MACA,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,KAAK,oBAAA,EAAsB;AAC7B,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,KAAK,mBAAmB,CAAA;AAAA,IAChC;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,KAAK,oBAAA,EAAsB;AAC7B,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,KAAK,mBAAmB,CAAA;AAAA,IAChC;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,GAAA,CAAI,EAAA,EAAI,OAAO,IAAA;AAEpB,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAa7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK;AAAA,OACpB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,GAAA,CAAI,EAAA,EAAI,OAAO,IAAA;AAEpB,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAU7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK;AAAA,OACvB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAEA,SAAS,kBAAA,CAAmB,kBAA4B,IAAA,EAA6B;AACnF,EAAA,KAAA,MAAW,UAAU,gBAAA,EAAkB;AACrC,IAAA,MAAM,KAAA,GAAQ,OAAO,KAAA,CAAM,IAAI,OAAO,CAAA,CAAA,EAAI,IAAI,UAAU,CAAC,CAAA;AACzD,IAAA,IAAI,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,MAAM,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA;AACT;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.js","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Use production cookie settings (Secure + Domain=.mastra.ai) only when\n    // the shared API is actually on .mastra.ai — NOT based on NODE_ENV which\n    // may be 'production' even in local dev (e.g. mastra dev sets it).\n    this.useProductionCookies = this.sharedApiUrl.includes('.mastra.ai');\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: any): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = request?.headers?.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not in that org\n    if (this.organizationId && user.organizationId !== this.organizationId) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // Forward the callback to the shared API\n    const url = `${this.sharedApiUrl}/auth/callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;\n\n    const res = await fetch(url, {\n      redirect: 'manual',\n    });\n\n    // The shared API redirects after setting cookies — extract the session cookie\n    const setCookieHeaders = res.headers.getSetCookie?.() ?? [];\n    const sessionValue = extractCookieValue(setCookieHeaders, COOKIE_NAME);\n\n    if (!sessionValue) {\n      throw new Error('No session cookie returned from callback');\n    }\n\n    // Validate the new session to get user info\n    const user = await this.verifySessionCookie(sessionValue);\n    if (!user) {\n      throw new Error('Session validation failed after callback');\n    }\n\n    return {\n      user,\n      tokens: {\n        accessToken: sessionValue,\n      },\n      cookies: setCookieHeaders,\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    return this.validateSession(sessionId);\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies) {\n      parts.push('Secure');\n      parts.push('Domain=.mastra.ai');\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies) {\n      parts.push('Secure');\n      parts.push('Domain=.mastra.ai');\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) return null;\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) return null;\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n      };\n    } catch {\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\nfunction extractCookieValue(setCookieHeaders: string[], name: string): string | null {\n  for (const header of setCookieHeaders) {\n    const match = header.match(new RegExp(`^${name}=([^;]+)`));\n    if (match?.[1]) return match[1];\n  }\n  return null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@mastra/auth-studio",
+  "version": "0.0.0-auth-combined-test-all-20260302225441",
+  "description": "Mastra Studio Auth integration — proxies authentication through Mastra shared API",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "license": "Apache-2.0",
+  "dependencies": {},
+  "devDependencies": {
+    "@types/node": "22.19.7",
+    "@vitest/coverage-v8": "4.0.18",
+    "@vitest/ui": "4.0.18",
+    "eslint": "^9.37.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "4.0.18",
+    "@internal/lint": "0.0.0-auth-combined-test-all-20260302225441",
+    "@internal/types-builder": "0.0.0-auth-combined-test-all-20260302225441",
+    "@mastra/core": "0.0.0-auth-combined-test-all-20260302225441"
+  },
+  "peerDependencies": {
+    "@mastra/core": "0.0.0-auth-combined-test-all-20260302225441"
+  },
+  "files": [
+    "dist",
+    "CHANGELOG.md"
+  ],
+  "homepage": "https://mastra.ai",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/mastra-ai/mastra.git",
+    "directory": "auth/studio"
+  },
+  "bugs": {
+    "url": "https://github.com/mastra-ai/mastra/issues"
+  },
+  "engines": {
+    "node": ">=22.13.0"
+  },
+  "scripts": {
+    "build": "tsup --silent --config tsup.config.ts",
+    "build:watch": "tsup --watch --silent --config tsup.config.ts",
+    "test": "vitest run",
+    "lint": "eslint ."
+  }
+}