@mastra/auth-studio 1.2.2-alpha.0 → 1.2.3-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @mastra/auth-studio
 
+## 1.2.3-alpha.0
+
+### Patch Changes
+
+- Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. ([#17410](https://github.com/mastra-ai/mastra/pull/17410))
+
+- Updated dependencies [[`c973db4`](https://github.com/mastra-ai/mastra/commit/c973db428df1b564ff0c35d4b2a90e8f4f1e13fd), [`552285e`](https://github.com/mastra-ai/mastra/commit/552285e5af43cfc680a0972032cab8de8776c6a0), [`77e686c`](https://github.com/mastra-ai/mastra/commit/77e686c264e493e99ae5024e4dfe3ea5d5a09718), [`ece8dba`](https://github.com/mastra-ai/mastra/commit/ece8dba7ec1a5089eee8c33167cd762bfa91e509), [`e751af2`](https://github.com/mastra-ai/mastra/commit/e751af219433fbf4c7035b2d771b4c9ec8813b05), [`e2a8380`](https://github.com/mastra-ai/mastra/commit/e2a838017a7657850404c1e94c70d79ffdc6f14a), [`be3f1cd`](https://github.com/mastra-ai/mastra/commit/be3f1cd81f0e2a649e8eac15a024d542d814aef8), [`a34d9db`](https://github.com/mastra-ai/mastra/commit/a34d9dbc39fedb722f271318e9355ecee70489ab)]:
+  - @mastra/core@1.39.0-alpha.0
+
+## 1.2.2
+
+### Patch Changes
+
+- Authentication now refreshes expired server-side sessions transparently, so recoverable token expiry no longer causes unexpected user sign-outs. Only truly expired sessions (e.g. refresh token dead) return a 401. ([#15819](https://github.com/mastra-ai/mastra/pull/15819))
+
+  Server adapters now forward refreshed session cookies consistently, and auth-studio logs session validation and refresh failures to improve diagnostics.
+
+- Updated dependencies [[`28caa5b`](https://github.com/mastra-ai/mastra/commit/28caa5b032358545af2589ed90636eccb4dd9d2f), [`c1ae974`](https://github.com/mastra-ai/mastra/commit/c1ae97491f6e57378ce880c3a397778c42adcdf1), [`b510d36`](https://github.com/mastra-ai/mastra/commit/b510d368f73dab6be2e2c2bc99035aaef1fb7d7a), [`13b4d7c`](https://github.com/mastra-ai/mastra/commit/13b4d7c16de34dff9095d1cd80f22f544b6cfe75), [`7a7b313`](https://github.com/mastra-ai/mastra/commit/7a7b3138fb3bcf0b0c740eaea07971e43d330ef3), [`c04417b`](https://github.com/mastra-ai/mastra/commit/c04417ba0a2e4ded66da4352331ef29cd4bd1d79), [`cf25a03`](https://github.com/mastra-ai/mastra/commit/cf25a03132164b9dc1e5dccf7394824e33007c51), [`8a71261`](https://github.com/mastra-ai/mastra/commit/8a71261e3954ae617c6f8e25767b951f99438ab2), [`9e973b0`](https://github.com/mastra-ai/mastra/commit/9e973b010dacfa15ac82b0072897319f5234b90a), [`dd934a0`](https://github.com/mastra-ai/mastra/commit/dd934a0982ce0f78712fbd559e4f2410bf594b39), [`ba6b0c5`](https://github.com/mastra-ai/mastra/commit/ba6b0c51bfce358554fd33c7f2bcd5593633f2ff), [`a6dac0a`](https://github.com/mastra-ai/mastra/commit/a6dac0a40c7181161b1add4e8534f962bcbc9aa7), [`5a4b1ee`](https://github.com/mastra-ai/mastra/commit/5a4b1ee80212969621228104995589c0fa59e575), [`5a4b1ee`](https://github.com/mastra-ai/mastra/commit/5a4b1ee80212969621228104995589c0fa59e575), [`5a4b1ee`](https://github.com/mastra-ai/mastra/commit/5a4b1ee80212969621228104995589c0fa59e575), [`6c8c6c7`](https://github.com/mastra-ai/mastra/commit/6c8c6c71518394321a4692614aa4b11f3bb0a343), [`5a4b1ee`](https://github.com/mastra-ai/mastra/commit/5a4b1ee80212969621228104995589c0fa59e575), [`7d056b6`](https://github.com/mastra-ai/mastra/commit/7d056b6ecf603cacaa0f663ff1df025ed885b6c1), [`9cef83b`](https://github.com/mastra-ai/mastra/commit/9cef83b8a642b8098747772921e3523b492bafbc), [`d30e215`](https://github.com/mastra-ai/mastra/commit/d30e2156c746bc9fd791745cec1cc24377b66789), [`021a60f`](https://github.com/mastra-ai/mastra/commit/021a60f1f3e0135a70ef23c58be7a9b3aaffe6b4), [`73f2809`](https://github.com/mastra-ai/mastra/commit/73f2809721db24e98cdf122539652a455211b450), [`aedeea4`](https://github.com/mastra-ai/mastra/commit/aedeea48a94f728323f040478775076b9574be50), [`26f1f94`](https://github.com/mastra-ai/mastra/commit/26f1f9490574b864ba1ecedf2c9632e0767a23bd), [`8126d86`](https://github.com/mastra-ai/mastra/commit/8126d8638411eacfafdc29036ac998e8757ea66f), [`73b45fa`](https://github.com/mastra-ai/mastra/commit/73b45facdef4fbcb8af710c50f0646f18619dbaa), [`ae97520`](https://github.com/mastra-ai/mastra/commit/ae975206fdb0f6ef03c4d5bf94f7dc7c3f706c02), [`7a7b313`](https://github.com/mastra-ai/mastra/commit/7a7b3138fb3bcf0b0c740eaea07971e43d330ef3), [`441670a`](https://github.com/mastra-ai/mastra/commit/441670a02c9dc7731c52674f55481e7848a84523)]:
+  - @mastra/core@1.29.0
+
 ## 1.2.2-alpha.0
 
 ### Patch Changes

package/dist/index.cjs

@@ -4,6 +4,12 @@ var ee = require('@mastra/core/auth/ee');
 var server = require('@mastra/core/server');
 
 // src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
 var COOKIE_NAME = "wos-session";
 var MastraAuthStudio = class extends server.MastraAuthProvider {
   isMastraCloudAuth = true;
@@ -43,7 +49,7 @@ var MastraAuthStudio = class extends server.MastraAuthProvider {
    */
   async authenticateToken(token, request) {
     let user = null;
-    const cookieHeader = request?.headers?.get("Cookie");
+    const cookieHeader = getRequestHeader(request, "Cookie");
     const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
     if (sessionCookie) {
       user = await this.verifySessionCookie(sessionCookie);
@@ -112,7 +118,8 @@ var MastraAuthStudio = class extends server.MastraAuthProvider {
   getLoginButtonConfig() {
     return {
       provider: "mastra-studio",
-      text: "Sign in with Mastra"
+      text: "Sign in with Mastra",
+      description: "Your deployed Studio is secured by your Mastra account. Sign in with the same email you used to sign up on mastra.ai."
     };
   }
   async getLogoutUrl(_redirectUri, request) {

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider","resolvePermissionsFromMapping","matchesPermission"],"mappings":";;;;;;AAuCA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACGA,yBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,YAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAGA,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAMzD,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,IAAI,GAAA,CAAI,KAAK,YAAY,CAAA,CAAE,SAAS,WAAA,EAAY;AACjE,MAAA,kBAAA,GAAqB,QAAA,KAAa,WAAA,IAAe,QAAA,CAAS,QAAA,CAAS,YAAY,CAAA;AAAA,IACjF,CAAA,CAAA,MAAQ;AACN,MAAA,kBAAA,GAAqB,KAAA;AAAA,IACvB;AACA,IAAA,IAAA,CAAK,oBAAA,GAAuB,CAAC,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA,EAAoB;AAC5C,MAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,IACtB;AAEA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0C;AAC/E,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,GAAA,CAAI,QAAQ,CAAA;AACnD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAIlB,IAAA,IAAI,IAAA,CAAK,kBAAkB,CAAC,IAAA,CAAK,cAAc,QAAA,CAAS,IAAA,CAAK,cAAc,CAAA,EAAG;AAC5E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAwD;AAIzF,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,wDAAA,EAA0D;AAAA,MAC1E,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,YAAY,IAAA,EAAM;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAI,CAAA;AAChD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,kFAAA,EAA+E;AAAA,QAC/F,cAAc,IAAA,CAAK,YAAA;AAAA,QACnB,YAAY,IAAA,EAAM;AAAA,OACnB,CAAA;AACD,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAKA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA;AACf,KACF;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,IAAI;AAEF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA,EAAiB;AAAA,QAC3D,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,2DAAA,EAA6D;AAAA,UAC5E,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA;AAAA,SAC1B,CAAA;AAED,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC9C,MAAA,MAAM,YAAA,GAAe,SAAA,GAAY,qBAAA,CAAsB,SAAA,EAAW,WAAW,CAAA,GAAI,IAAA;AAEjF,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,0DAA0D,CAAA;AAE3E,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,YAAA;AAAA,QACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,QACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,QACvD,SAAA,EAAW;AAAA,OACb;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,4CAAA,EAA8C;AAAA,QAC9D,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AAED,MAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,wDAAA,EAA0D;AAAA,UACzE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAY,GAAA,CAAI,UAAA;AAAA,UAChB,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAc7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK,WAAA;AAAA,QAClB,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,iDAAA,EAAmD;AAAA,QACnE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,sDAAA,EAAwD;AAAA,UACvE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAY7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,+CAAA,EAAiD;AAAA,QACjE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAMA,SAAS,qBAAA,CAAsB,iBAAyB,IAAA,EAA6B;AAEnF,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,KAAA,CAAM,GAAG,CAAA;AACvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE/B,EAAA,MAAM,CAAC,YAAY,GAAG,UAAU,IAAI,KAAA,CAAM,CAAC,CAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY,IAAA,EAAK,KAAM,IAAA,EAAM,OAAO,IAAA;AAGxC,EAAA,OAAO,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AACjC;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAOC,gCAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.cjs","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n  /** All organization IDs the user is a member of (for cross-org access checks) */\n  memberOrgIds?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n  /**\n   * Cookie domain for session cookies (e.g., '.example.com').\n   * When set, cookies will include Secure and Domain attributes.\n   * Defaults to auto-detecting from sharedApiUrl (uses '.mastra.ai' when sharedApiUrl contains '.mastra.ai').\n   * Can also be set via MASTRA_COOKIE_DOMAIN environment variable.\n   */\n  cookieDomain?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n  private cookieDomain: string | undefined;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Cookie domain can be explicitly configured, read from env, or auto-detected from sharedApiUrl\n    this.cookieDomain = options?.cookieDomain || process.env.MASTRA_COOKIE_DOMAIN;\n\n    // Use production cookie settings (Secure + Domain) when:\n    // 1. An explicit cookieDomain is configured, OR\n    // 2. The shared API is on .mastra.ai (auto-detect default domain)\n    // Use hostname-based detection to avoid false positives (e.g., api.mastra.ai.evil.com)\n    let autoDetectMastraAi = false;\n    try {\n      const hostname = new URL(this.sharedApiUrl).hostname.toLowerCase();\n      autoDetectMastraAi = hostname === 'mastra.ai' || hostname.endsWith('.mastra.ai');\n    } catch {\n      autoDetectMastraAi = false;\n    }\n    this.useProductionCookies = !!this.cookieDomain || autoDetectMastraAi;\n\n    // If no explicit domain but we're on .mastra.ai, use the default domain\n    if (!this.cookieDomain && autoDetectMastraAi) {\n      this.cookieDomain = '.mastra.ai';\n    }\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: any): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = request?.headers?.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not a member of that org\n    // Check memberOrgIds (all orgs user belongs to) rather than organizationId (current org)\n    if (this.organizationId && !user.memberOrgIds?.includes(this.organizationId)) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, _state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // The shared API already consumed the OAuth code and passes the sealed\n    // session directly as the `code` parameter in the redirect to this callback.\n    // Validate it to get user info.\n    this.logger.debug('SSO callback: validating sealed session via shared API', {\n      sharedApiUrl: this.sharedApiUrl,\n      codeLength: code?.length,\n    });\n    const user = await this.verifySessionCookie(code);\n    if (!user) {\n      this.logger.error('SSO callback: session validation failed — verifySessionCookie returned null', {\n        sharedApiUrl: this.sharedApiUrl,\n        codeLength: code?.length,\n      });\n      throw new Error('Session validation failed');\n    }\n\n    // Omit `cookies` so the Mastra server fallback path calls\n    // createSession() + getSessionHeaders() to build a cookie scoped to\n    // the deployed instance's domain.\n    return {\n      user,\n      tokens: {\n        accessToken: code,\n      },\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    try {\n      // Call the shared API's /auth/refresh endpoint to get a fresh access token\n      const res = await fetch(`${this.sharedApiUrl}/auth/refresh`, {\n        method: 'GET',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('refreshSession: shared API refresh returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/refresh`,\n        });\n        // Refresh failed, fall back to validation (will likely also fail)\n        return this.validateSession(sessionId);\n      }\n\n      // Parse the new sealed session from Set-Cookie header\n      const setCookie = res.headers.get('Set-Cookie');\n      const newSessionId = setCookie ? parseCookieFromHeader(setCookie, COOKIE_NAME) : null;\n\n      if (!newSessionId) {\n        this.logger.warn('refreshSession: no Set-Cookie header in refresh response');\n        // No new cookie returned, fall back to validation with original\n        return this.validateSession(sessionId);\n      }\n\n      // Verify the new session works and return it\n      const user = await this.verifySessionCookie(newSessionId);\n      if (!user) return null;\n\n      const now = new Date();\n      return {\n        id: newSessionId,\n        userId: user.id,\n        expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n        createdAt: now,\n      };\n    } catch (error) {\n      this.logger.error('refreshSession: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/refresh`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      // On error, fall back to validation\n      return this.validateSession(sessionId);\n    }\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifySessionCookie: shared API returned non-OK status', {\n          status: res.status,\n          statusText: res.statusText,\n          url: `${this.sharedApiUrl}/auth/me`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifySessionCookie: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/me`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifyBearerToken: shared API returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/verify`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n        role?: string;\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n        role: data.role,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifyBearerToken: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/verify`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\n/**\n * Parse a cookie value from a Set-Cookie header.\n * Set-Cookie format: \"name=value; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400\"\n */\nfunction parseCookieFromHeader(setCookieHeader: string, name: string): string | null {\n  // Set-Cookie header starts with \"name=value\" followed by optional attributes\n  const parts = setCookieHeader.split(';');\n  if (parts.length === 0) return null;\n\n  const [cookieName, ...valueParts] = parts[0]!.split('=');\n  if (cookieName?.trim() !== name) return null;\n\n  // Value could contain = characters, so rejoin\n  return valueParts.join('=') || null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}
+{"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider","resolvePermissionsFromMapping","matchesPermission"],"mappings":";;;;;;AAqBA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AA4BA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACGA,yBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,YAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAGA,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAMzD,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,IAAI,GAAA,CAAI,KAAK,YAAY,CAAA,CAAE,SAAS,WAAA,EAAY;AACjE,MAAA,kBAAA,GAAqB,QAAA,KAAa,WAAA,IAAe,QAAA,CAAS,QAAA,CAAS,YAAY,CAAA;AAAA,IACjF,CAAA,CAAA,MAAQ;AACN,MAAA,kBAAA,GAAqB,KAAA;AAAA,IACvB;AACA,IAAA,IAAA,CAAK,oBAAA,GAAuB,CAAC,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA,EAAoB;AAC5C,MAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,IACtB;AAEA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAwD;AAC7F,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAIlB,IAAA,IAAI,IAAA,CAAK,kBAAkB,CAAC,IAAA,CAAK,cAAc,QAAA,CAAS,IAAA,CAAK,cAAc,CAAA,EAAG;AAC5E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAwD;AAIzF,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,wDAAA,EAA0D;AAAA,MAC1E,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,YAAY,IAAA,EAAM;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAI,CAAA;AAChD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,kFAAA,EAA+E;AAAA,QAC/F,cAAc,IAAA,CAAK,YAAA;AAAA,QACnB,YAAY,IAAA,EAAM;AAAA,OACnB,CAAA;AACD,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAKA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA;AACf,KACF;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE;AAAA,KACJ;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,IAAI;AAEF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA,EAAiB;AAAA,QAC3D,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,2DAAA,EAA6D;AAAA,UAC5E,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA;AAAA,SAC1B,CAAA;AAED,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC9C,MAAA,MAAM,YAAA,GAAe,SAAA,GAAY,qBAAA,CAAsB,SAAA,EAAW,WAAW,CAAA,GAAI,IAAA;AAEjF,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,0DAA0D,CAAA;AAE3E,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,YAAA;AAAA,QACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,QACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,QACvD,SAAA,EAAW;AAAA,OACb;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,4CAAA,EAA8C;AAAA,QAC9D,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AAED,MAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,wDAAA,EAA0D;AAAA,UACzE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAY,GAAA,CAAI,UAAA;AAAA,UAChB,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAc7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK,WAAA;AAAA,QAClB,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,iDAAA,EAAmD;AAAA,QACnE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,sDAAA,EAAwD;AAAA,UACvE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAY7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,+CAAA,EAAiD;AAAA,QACjE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAMA,SAAS,qBAAA,CAAsB,iBAAyB,IAAA,EAA6B;AAEnF,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,KAAA,CAAM,GAAG,CAAA;AACvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE/B,EAAA,MAAM,CAAC,YAAY,GAAG,UAAU,IAAI,KAAA,CAAM,CAAC,CAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY,IAAA,EAAK,KAAM,IAAA,EAAM,OAAO,IAAA;AAGxC,EAAA,OAAO,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AACjC;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAOC,gCAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.cjs","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\ntype HonoRequestLike = {\n  raw?: Request;\n  headers?: Headers;\n  header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n  if (request instanceof Request) {\n    return request.headers.get(name);\n  }\n\n  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n  /** All organization IDs the user is a member of (for cross-org access checks) */\n  memberOrgIds?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n  /**\n   * Cookie domain for session cookies (e.g., '.example.com').\n   * When set, cookies will include Secure and Domain attributes.\n   * Defaults to auto-detecting from sharedApiUrl (uses '.mastra.ai' when sharedApiUrl contains '.mastra.ai').\n   * Can also be set via MASTRA_COOKIE_DOMAIN environment variable.\n   */\n  cookieDomain?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n  private cookieDomain: string | undefined;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Cookie domain can be explicitly configured, read from env, or auto-detected from sharedApiUrl\n    this.cookieDomain = options?.cookieDomain || process.env.MASTRA_COOKIE_DOMAIN;\n\n    // Use production cookie settings (Secure + Domain) when:\n    // 1. An explicit cookieDomain is configured, OR\n    // 2. The shared API is on .mastra.ai (auto-detect default domain)\n    // Use hostname-based detection to avoid false positives (e.g., api.mastra.ai.evil.com)\n    let autoDetectMastraAi = false;\n    try {\n      const hostname = new URL(this.sharedApiUrl).hostname.toLowerCase();\n      autoDetectMastraAi = hostname === 'mastra.ai' || hostname.endsWith('.mastra.ai');\n    } catch {\n      autoDetectMastraAi = false;\n    }\n    this.useProductionCookies = !!this.cookieDomain || autoDetectMastraAi;\n\n    // If no explicit domain but we're on .mastra.ai, use the default domain\n    if (!this.cookieDomain && autoDetectMastraAi) {\n      this.cookieDomain = '.mastra.ai';\n    }\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = getRequestHeader(request, 'Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not a member of that org\n    // Check memberOrgIds (all orgs user belongs to) rather than organizationId (current org)\n    if (this.organizationId && !user.memberOrgIds?.includes(this.organizationId)) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, _state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // The shared API already consumed the OAuth code and passes the sealed\n    // session directly as the `code` parameter in the redirect to this callback.\n    // Validate it to get user info.\n    this.logger.debug('SSO callback: validating sealed session via shared API', {\n      sharedApiUrl: this.sharedApiUrl,\n      codeLength: code?.length,\n    });\n    const user = await this.verifySessionCookie(code);\n    if (!user) {\n      this.logger.error('SSO callback: session validation failed — verifySessionCookie returned null', {\n        sharedApiUrl: this.sharedApiUrl,\n        codeLength: code?.length,\n      });\n      throw new Error('Session validation failed');\n    }\n\n    // Omit `cookies` so the Mastra server fallback path calls\n    // createSession() + getSessionHeaders() to build a cookie scoped to\n    // the deployed instance's domain.\n    return {\n      user,\n      tokens: {\n        accessToken: code,\n      },\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n      description:\n        'Your deployed Studio is secured by your Mastra account. Sign in with the same email you used to sign up on mastra.ai.',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    try {\n      // Call the shared API's /auth/refresh endpoint to get a fresh access token\n      const res = await fetch(`${this.sharedApiUrl}/auth/refresh`, {\n        method: 'GET',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('refreshSession: shared API refresh returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/refresh`,\n        });\n        // Refresh failed, fall back to validation (will likely also fail)\n        return this.validateSession(sessionId);\n      }\n\n      // Parse the new sealed session from Set-Cookie header\n      const setCookie = res.headers.get('Set-Cookie');\n      const newSessionId = setCookie ? parseCookieFromHeader(setCookie, COOKIE_NAME) : null;\n\n      if (!newSessionId) {\n        this.logger.warn('refreshSession: no Set-Cookie header in refresh response');\n        // No new cookie returned, fall back to validation with original\n        return this.validateSession(sessionId);\n      }\n\n      // Verify the new session works and return it\n      const user = await this.verifySessionCookie(newSessionId);\n      if (!user) return null;\n\n      const now = new Date();\n      return {\n        id: newSessionId,\n        userId: user.id,\n        expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n        createdAt: now,\n      };\n    } catch (error) {\n      this.logger.error('refreshSession: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/refresh`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      // On error, fall back to validation\n      return this.validateSession(sessionId);\n    }\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifySessionCookie: shared API returned non-OK status', {\n          status: res.status,\n          statusText: res.statusText,\n          url: `${this.sharedApiUrl}/auth/me`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifySessionCookie: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/me`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifyBearerToken: shared API returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/verify`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n        role?: string;\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n        role: data.role,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifyBearerToken: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/verify`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\n/**\n * Parse a cookie value from a Set-Cookie header.\n * Set-Cookie format: \"name=value; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400\"\n */\nfunction parseCookieFromHeader(setCookieHeader: string, name: string): string | null {\n  // Set-Cookie header starts with \"name=value\" followed by optional attributes\n  const parts = setCookieHeader.split(';');\n  if (parts.length === 0) return null;\n\n  const [cookieName, ...valueParts] = parts[0]!.split('=');\n  if (cookieName?.trim() !== name) return null;\n\n  // Value could contain = characters, so rejoin\n  return valueParts.join('=') || null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}

package/dist/index.d.ts

@@ -2,6 +2,12 @@ import type { ISSOProvider, ISessionProvider, IUserProvider, Session, SSOCallbac
 import type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';
 import { MastraAuthProvider } from '@mastra/core/server';
 import type { MastraAuthProviderOptions } from '@mastra/core/server';
+type HonoRequestLike = {
+    raw?: Request;
+    headers?: Headers;
+    header(name: string): string | undefined;
+};
+type MastraAuthRequest = Request | HonoRequestLike;
 export interface StudioUser extends EEUser {
     id: string;
     email?: string;
@@ -48,7 +54,7 @@ export declare class MastraAuthStudio extends MastraAuthProvider<StudioUser> imp
      * Authenticate an incoming request by forwarding the sealed session cookie
      * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.
      */
-    authenticateToken(token: string, request: any): Promise<StudioUser | null>;
+    authenticateToken(token: string, request: MastraAuthRequest): Promise<StudioUser | null>;
     authorizeUser(user: StudioUser): boolean;
     getLoginUrl(redirectUri: string, state: string): string;
     handleCallback(code: string, _state: string): Promise<SSOCallbackResult<StudioUser>>;
@@ -109,4 +115,5 @@ export declare class MastraRBACStudio implements IRBACProvider<StudioUser> {
     hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean>;
     hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean>;
 }
+export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAErE,MAAM,WAAW,UAAW,SAAQ,MAAM;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iFAAiF;IACjF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,uBAAwB,SAAQ,yBAAyB,CAAC,UAAU,CAAC;IACpF,yEAAyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4FAA4F;IAC5F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID;;;;;;;;;;GAUG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,YAAY,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC;IAEzF,QAAQ,CAAC,iBAAiB,QAAQ;IAElC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAqB;IAC3C,OAAO,CAAC,oBAAoB,CAAU;IACtC,OAAO,CAAC,YAAY,CAAqB;gBAE7B,OAAO,CAAC,EAAE,uBAAuB;IAwC7C;;;OAGG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IA2BhF,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQxC,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA0BjD,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IA4B1F,uBAAuB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAI3D,eAAe,IAAI,MAAM,EAAE,GAAG,SAAS;IAKvC,oBAAoB,IAAI,cAAc;IAOhC,YAAY,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA8B7E,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAWnF,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAa3D,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAahD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAkDhE,uBAAuB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAKxD,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAS3D,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAa1C,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiB5D,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAS1D;;;OAGG;YACW,mBAAmB;IAkDjC;;;OAGG;YACW,iBAAiB;CA4ChC;AAgCD,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;OAYG;IACH,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,aAAa,CAAC,UAAU,CAAC;IAChE,OAAO,CAAC,OAAO,CAA0B;IAEzC,IAAI,WAAW,IAAI,WAAW,CAE7B;gBAEW,OAAO,EAAE,uBAAuB;IAItC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7C,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKzD,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAQnD,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKrE,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5E,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAIlF"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,OAAO,EACP,iBAAiB,EACjB,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAErE,KAAK,eAAe,GAAG;IACrB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC1C,CAAC;AAEF,KAAK,iBAAiB,GAAG,OAAO,GAAG,eAAe,CAAC;AAUnD,MAAM,WAAW,UAAW,SAAQ,MAAM;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iFAAiF;IACjF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,uBAAwB,SAAQ,yBAAyB,CAAC,UAAU,CAAC;IACpF,yEAAyE;IACzE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4FAA4F;IAC5F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID;;;;;;;;;;GAUG;AACH,qBAAa,gBACX,SAAQ,kBAAkB,CAAC,UAAU,CACrC,YAAW,YAAY,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC;IAEzF,QAAQ,CAAC,iBAAiB,QAAQ;IAElC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAqB;IAC3C,OAAO,CAAC,oBAAoB,CAAU;IACtC,OAAO,CAAC,YAAY,CAAqB;gBAE7B,OAAO,CAAC,EAAE,uBAAuB;IAwC7C;;;OAGG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IA2B9F,aAAa,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO;IAQxC,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;IA0BjD,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IA4B1F,uBAAuB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAI3D,eAAe,IAAI,MAAM,EAAE,GAAG,SAAS;IAKvC,oBAAoB,IAAI,cAAc;IAShC,YAAY,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IA8B7E,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAWnF,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAa3D,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAahD,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAkDhE,uBAAuB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI;IAKxD,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAS3D,sBAAsB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAa1C,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiB5D,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAS1D;;;OAGG;YACW,mBAAmB;IAkDjC;;;OAGG;YACW,iBAAiB;CA4ChC;AAgCD,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;OAYG;IACH,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,aAAa,CAAC,UAAU,CAAC;IAChE,OAAO,CAAC,OAAO,CAA0B;IAEzC,IAAI,WAAW,IAAI,WAAW,CAE7B;gBAEW,OAAO,EAAE,uBAAuB;IAItC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAI7C,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKzD,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAQnD,aAAa,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKrE,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5E,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAIlF"}

package/dist/index.js

@@ -2,6 +2,12 @@ import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/a
 import { MastraAuthProvider } from '@mastra/core/server';
 
 // src/index.ts
+function getRequestHeader(request, name) {
+  if (request instanceof Request) {
+    return request.headers.get(name);
+  }
+  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;
+}
 var COOKIE_NAME = "wos-session";
 var MastraAuthStudio = class extends MastraAuthProvider {
   isMastraCloudAuth = true;
@@ -41,7 +47,7 @@ var MastraAuthStudio = class extends MastraAuthProvider {
    */
   async authenticateToken(token, request) {
     let user = null;
-    const cookieHeader = request?.headers?.get("Cookie");
+    const cookieHeader = getRequestHeader(request, "Cookie");
     const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);
     if (sessionCookie) {
       user = await this.verifySessionCookie(sessionCookie);
@@ -110,7 +116,8 @@ var MastraAuthStudio = class extends MastraAuthProvider {
   getLoginButtonConfig() {
     return {
       provider: "mastra-studio",
-      text: "Sign in with Mastra"
+      text: "Sign in with Mastra",
+      description: "Your deployed Studio is secured by your Mastra account. Sign in with the same email you used to sign up on mastra.ai."
     };
   }
   async getLogoutUrl(_redirectUri, request) {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;AAuCA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,YAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAGA,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAMzD,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,IAAI,GAAA,CAAI,KAAK,YAAY,CAAA,CAAE,SAAS,WAAA,EAAY;AACjE,MAAA,kBAAA,GAAqB,QAAA,KAAa,WAAA,IAAe,QAAA,CAAS,QAAA,CAAS,YAAY,CAAA;AAAA,IACjF,CAAA,CAAA,MAAQ;AACN,MAAA,kBAAA,GAAqB,KAAA;AAAA,IACvB;AACA,IAAA,IAAA,CAAK,oBAAA,GAAuB,CAAC,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA,EAAoB;AAC5C,MAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,IACtB;AAEA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA0C;AAC/E,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,GAAA,CAAI,QAAQ,CAAA;AACnD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAIlB,IAAA,IAAI,IAAA,CAAK,kBAAkB,CAAC,IAAA,CAAK,cAAc,QAAA,CAAS,IAAA,CAAK,cAAc,CAAA,EAAG;AAC5E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAwD;AAIzF,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,wDAAA,EAA0D;AAAA,MAC1E,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,YAAY,IAAA,EAAM;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAI,CAAA;AAChD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,kFAAA,EAA+E;AAAA,QAC/F,cAAc,IAAA,CAAK,YAAA;AAAA,QACnB,YAAY,IAAA,EAAM;AAAA,OACnB,CAAA;AACD,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAKA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA;AACf,KACF;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,IAAI;AAEF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA,EAAiB;AAAA,QAC3D,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,2DAAA,EAA6D;AAAA,UAC5E,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA;AAAA,SAC1B,CAAA;AAED,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC9C,MAAA,MAAM,YAAA,GAAe,SAAA,GAAY,qBAAA,CAAsB,SAAA,EAAW,WAAW,CAAA,GAAI,IAAA;AAEjF,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,0DAA0D,CAAA;AAE3E,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,YAAA;AAAA,QACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,QACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,QACvD,SAAA,EAAW;AAAA,OACb;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,4CAAA,EAA8C;AAAA,QAC9D,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AAED,MAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,wDAAA,EAA0D;AAAA,UACzE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAY,GAAA,CAAI,UAAA;AAAA,UAChB,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAc7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK,WAAA;AAAA,QAClB,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,iDAAA,EAAmD;AAAA,QACnE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,sDAAA,EAAwD;AAAA,UACvE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAY7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,+CAAA,EAAiD;AAAA,QACjE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAMA,SAAS,qBAAA,CAAsB,iBAAyB,IAAA,EAA6B;AAEnF,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,KAAA,CAAM,GAAG,CAAA;AACvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE/B,EAAA,MAAM,CAAC,YAAY,GAAG,UAAU,IAAI,KAAA,CAAM,CAAC,CAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY,IAAA,EAAK,KAAM,IAAA,EAAM,OAAO,IAAA;AAGxC,EAAA,OAAO,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AACjC;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.js","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n  /** All organization IDs the user is a member of (for cross-org access checks) */\n  memberOrgIds?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n  /**\n   * Cookie domain for session cookies (e.g., '.example.com').\n   * When set, cookies will include Secure and Domain attributes.\n   * Defaults to auto-detecting from sharedApiUrl (uses '.mastra.ai' when sharedApiUrl contains '.mastra.ai').\n   * Can also be set via MASTRA_COOKIE_DOMAIN environment variable.\n   */\n  cookieDomain?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n  private cookieDomain: string | undefined;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Cookie domain can be explicitly configured, read from env, or auto-detected from sharedApiUrl\n    this.cookieDomain = options?.cookieDomain || process.env.MASTRA_COOKIE_DOMAIN;\n\n    // Use production cookie settings (Secure + Domain) when:\n    // 1. An explicit cookieDomain is configured, OR\n    // 2. The shared API is on .mastra.ai (auto-detect default domain)\n    // Use hostname-based detection to avoid false positives (e.g., api.mastra.ai.evil.com)\n    let autoDetectMastraAi = false;\n    try {\n      const hostname = new URL(this.sharedApiUrl).hostname.toLowerCase();\n      autoDetectMastraAi = hostname === 'mastra.ai' || hostname.endsWith('.mastra.ai');\n    } catch {\n      autoDetectMastraAi = false;\n    }\n    this.useProductionCookies = !!this.cookieDomain || autoDetectMastraAi;\n\n    // If no explicit domain but we're on .mastra.ai, use the default domain\n    if (!this.cookieDomain && autoDetectMastraAi) {\n      this.cookieDomain = '.mastra.ai';\n    }\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: any): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = request?.headers?.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not a member of that org\n    // Check memberOrgIds (all orgs user belongs to) rather than organizationId (current org)\n    if (this.organizationId && !user.memberOrgIds?.includes(this.organizationId)) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, _state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // The shared API already consumed the OAuth code and passes the sealed\n    // session directly as the `code` parameter in the redirect to this callback.\n    // Validate it to get user info.\n    this.logger.debug('SSO callback: validating sealed session via shared API', {\n      sharedApiUrl: this.sharedApiUrl,\n      codeLength: code?.length,\n    });\n    const user = await this.verifySessionCookie(code);\n    if (!user) {\n      this.logger.error('SSO callback: session validation failed — verifySessionCookie returned null', {\n        sharedApiUrl: this.sharedApiUrl,\n        codeLength: code?.length,\n      });\n      throw new Error('Session validation failed');\n    }\n\n    // Omit `cookies` so the Mastra server fallback path calls\n    // createSession() + getSessionHeaders() to build a cookie scoped to\n    // the deployed instance's domain.\n    return {\n      user,\n      tokens: {\n        accessToken: code,\n      },\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    try {\n      // Call the shared API's /auth/refresh endpoint to get a fresh access token\n      const res = await fetch(`${this.sharedApiUrl}/auth/refresh`, {\n        method: 'GET',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('refreshSession: shared API refresh returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/refresh`,\n        });\n        // Refresh failed, fall back to validation (will likely also fail)\n        return this.validateSession(sessionId);\n      }\n\n      // Parse the new sealed session from Set-Cookie header\n      const setCookie = res.headers.get('Set-Cookie');\n      const newSessionId = setCookie ? parseCookieFromHeader(setCookie, COOKIE_NAME) : null;\n\n      if (!newSessionId) {\n        this.logger.warn('refreshSession: no Set-Cookie header in refresh response');\n        // No new cookie returned, fall back to validation with original\n        return this.validateSession(sessionId);\n      }\n\n      // Verify the new session works and return it\n      const user = await this.verifySessionCookie(newSessionId);\n      if (!user) return null;\n\n      const now = new Date();\n      return {\n        id: newSessionId,\n        userId: user.id,\n        expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n        createdAt: now,\n      };\n    } catch (error) {\n      this.logger.error('refreshSession: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/refresh`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      // On error, fall back to validation\n      return this.validateSession(sessionId);\n    }\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifySessionCookie: shared API returned non-OK status', {\n          status: res.status,\n          statusText: res.statusText,\n          url: `${this.sharedApiUrl}/auth/me`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifySessionCookie: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/me`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifyBearerToken: shared API returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/verify`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n        role?: string;\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n        role: data.role,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifyBearerToken: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/verify`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\n/**\n * Parse a cookie value from a Set-Cookie header.\n * Set-Cookie format: \"name=value; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400\"\n */\nfunction parseCookieFromHeader(setCookieHeader: string, name: string): string | null {\n  // Set-Cookie header starts with \"name=value\" followed by optional attributes\n  const parts = setCookieHeader.split(';');\n  if (parts.length === 0) return null;\n\n  const [cookieName, ...valueParts] = parts[0]!.split('=');\n  if (cookieName?.trim() !== name) return null;\n\n  // Value could contain = characters, so rejoin\n  return valueParts.join('=') || null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;AAqBA,SAAS,gBAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AA4BA,IAAM,WAAA,GAAc,aAAA;AAab,IAAM,gBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACW,iBAAA,GAAoB,IAAA;AAAA,EAErB,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,YAAA;AAAA,EAER,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,eAAA,EAAiB,GAAG,SAAS,CAAA;AAC3C,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,IAAI,qBAAA,IAAyB,0BAAA;AAClF,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,sBAAA;AAG7D,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,EAAE,CAAA;AAAA,IACnD;AAGA,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAMzD,IAAA,IAAI,kBAAA,GAAqB,KAAA;AACzB,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,IAAI,GAAA,CAAI,KAAK,YAAY,CAAA,CAAE,SAAS,WAAA,EAAY;AACjE,MAAA,kBAAA,GAAqB,QAAA,KAAa,WAAA,IAAe,QAAA,CAAS,QAAA,CAAS,YAAY,CAAA;AAAA,IACjF,CAAA,CAAA,MAAQ;AACN,MAAA,kBAAA,GAAqB,KAAA;AAAA,IACvB;AACA,IAAA,IAAA,CAAK,oBAAA,GAAuB,CAAC,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,IAAgB,kBAAA,EAAoB;AAC5C,MAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AAAA,IACtB;AAEA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAwD;AAC7F,IAAA,IAAI,IAAA,GAA0B,IAAA;AAG9B,IAAA,MAAM,YAAA,GAAe,gBAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AACvD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,aAAa,CAAA;AAAA,IACrD;AAGA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAIlB,IAAA,IAAI,IAAA,CAAK,kBAAkB,CAAC,IAAA,CAAK,cAAc,QAAA,CAAS,IAAA,CAAK,cAAc,CAAA,EAAG;AAC5E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,cAAc,IAAA,EAA2B;AACvC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAMA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACnC,MAAA,IAAI,cAAc,EAAA,EAAI;AACpB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,kBAAA,CAAmB,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,CAAC,CAAC,CAAA;AAAA,QACnE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MACjC,OAAA,EAAS,QAAA;AAAA,MACT,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA;AAAA,MAErB,MAAA,EAAQ,OAAA;AAAA,MACR,GAAI,KAAK,cAAA,GAAiB,EAAE,iBAAiB,IAAA,CAAK,cAAA,KAAmB;AAAC,KACvE,CAAA;AAED,IAAA,OAAO,GAAG,IAAA,CAAK,YAAY,CAAA,YAAA,EAAe,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,EAC7D;AAAA,EAEA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAwD;AAIzF,IAAA,IAAA,CAAK,MAAA,CAAO,MAAM,wDAAA,EAA0D;AAAA,MAC1E,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,YAAY,IAAA,EAAM;AAAA,KACnB,CAAA;AACD,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAI,CAAA;AAChD,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,kFAAA,EAA+E;AAAA,QAC/F,cAAc,IAAA,CAAK,YAAA;AAAA,QACnB,YAAY,IAAA,EAAM;AAAA,OACnB,CAAA;AACD,MAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,IAC7C;AAKA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa;AAAA;AACf,KACF;AAAA,EACF;AAAA,EAEA,wBAAwB,aAAA,EAAoC;AAAA,EAE5D;AAAA,EAEA,eAAA,GAAwC;AAEtC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,eAAA;AAAA,MACV,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE;AAAA,KACJ;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,YAAA,EAAsB,OAAA,EAA2C;AAClF,IAAA,MAAM,YAAA,GAAe,OAAA,EAAS,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAClD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,CAAC,eAAe,OAAO,IAAA;AAE3B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,IAAI,EAAA,EAAI;AACV,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,OAAO,KAAK,SAAA,IAAa,IAAA;AAAA,MAC3B;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA;AAAA,MACvD,SAAA,EAAW,GAAA;AAAA,MACX;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACrD,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,MACvD,SAAA,EAAW;AAAA,KACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC9C,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,IAAI;AAEF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA,EAAiB;AAAA,QAC3D,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,SAAS,CAAA;AAAA;AACrC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,2DAAA,EAA6D;AAAA,UAC5E,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA;AAAA,SAC1B,CAAA;AAED,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC9C,MAAA,MAAM,YAAA,GAAe,SAAA,GAAY,qBAAA,CAAsB,SAAA,EAAW,WAAW,CAAA,GAAI,IAAA;AAEjF,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,0DAA0D,CAAA;AAE3E,QAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,MACvC;AAGA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,YAAY,CAAA;AACxD,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,YAAA;AAAA,QACJ,QAAQ,IAAA,CAAK,EAAA;AAAA,QACb,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAAA,QACvD,SAAA,EAAW;AAAA,OACb;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,4CAAA,EAA8C;AAAA,QAC9D,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,aAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AAED,MAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,OAAO,WAAA,CAAY,cAAc,WAAW,CAAA;AAAA,EAC9C;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,CAAA,EAAI,UAAA,EAAY,cAAA,EAAgB,QAAA,EAAU,eAAe,CAAA;AACpG,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,KAAA,GAAQ,CAAC,CAAA,EAAG,WAAW,KAAK,UAAA,EAAY,cAAA,EAAgB,UAAU,WAAW,CAAA;AACnF,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,YAAA,EAAc;AAClD,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAE,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,EAAE,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,OAAA,EAA8C;AACjE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,MAAM,aAAA,GAAgB,WAAA,CAAY,YAAA,EAAc,WAAW,CAAA;AAE3D,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,IAAA,CAAK,oBAAoB,aAAa,CAAA;AAAA,IAC/C;AAGA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAAA,EAA6C;AAEzD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,oBAAoB,aAAA,EAAmD;AACnF,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA,EAAY;AAAA,QACtD,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,WAAW,CAAA,CAAA,EAAI,aAAa,CAAA;AAAA;AACzC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,wDAAA,EAA0D;AAAA,UACzE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAY,GAAA,CAAI,UAAA;AAAA,UAChB,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAc7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,SAAA,EAAW,KAAK,IAAA,CAAK,iBAAA;AAAA,QACrB,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,aAAa,IAAA,CAAK,WAAA;AAAA,QAClB,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,iDAAA,EAAmD;AAAA,QACnE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,QAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,kBAAkB,KAAA,EAA2C;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC1D,OAAA,EAAS;AAAA,UACP,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,IAAA,CAAK,MAAA,CAAO,KAAK,sDAAA,EAAwD;AAAA,UACvE,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA;AAAA,SAC1B,CAAA;AACD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAY7B,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,KAAK,IAAA,CAAK,EAAA;AAAA,QACd,KAAA,EAAO,KAAK,IAAA,CAAK,KAAA;AAAA,QACjB,IAAA,EAAM,CAAC,IAAA,CAAK,IAAA,CAAK,WAAW,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,gBAAgB,IAAA,CAAK,cAAA;AAAA,QACrB,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,cAAc,IAAA,CAAK;AAAA,OACrB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,+CAAA,EAAiD;AAAA,QACjE,GAAA,EAAK,CAAA,EAAG,IAAA,CAAK,YAAY,CAAA,YAAA,CAAA;AAAA,QACzB,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,KAAA,CAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI,MAAA,CAAO,KAAK;AAAA,OAC9F,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,WAAA,CAAY,cAAyC,IAAA,EAA6B;AACzF,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,IAAI,UAAU,CAAC,CAAA;AAC9D,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAMA,SAAS,qBAAA,CAAsB,iBAAyB,IAAA,EAA6B;AAEnF,EAAA,MAAM,KAAA,GAAQ,eAAA,CAAgB,KAAA,CAAM,GAAG,CAAA;AACvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE/B,EAAA,MAAM,CAAC,YAAY,GAAG,UAAU,IAAI,KAAA,CAAM,CAAC,CAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY,IAAA,EAAK,KAAM,IAAA,EAAM,OAAO,IAAA;AAGxC,EAAA,OAAO,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,IAAK,IAAA;AACjC;AA6BO,IAAM,mBAAN,MAA4D;AAAA,EACzD,OAAA;AAAA,EAER,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA,EAEA,YAAY,OAAA,EAAkC;AAC5C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA,EAEA,MAAM,SAAS,IAAA,EAAqC;AAClD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AACA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.js","sourcesContent":["import type {\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser, IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\n\ntype HonoRequestLike = {\n  raw?: Request;\n  headers?: Headers;\n  header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n  if (request instanceof Request) {\n    return request.headers.get(name);\n  }\n\n  return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\nexport interface StudioUser extends EEUser {\n  id: string;\n  email?: string;\n  name?: string;\n  avatarUrl?: string;\n  organizationId?: string;\n  role?: string;\n  permissions?: string[];\n  /** All organization IDs the user is a member of (for cross-org access checks) */\n  memberOrgIds?: string[];\n}\n\nexport interface MastraAuthStudioOptions extends MastraAuthProviderOptions<StudioUser> {\n  /** Base URL of the Mastra shared API (e.g., https://api.mastra.ai/v1) */\n  sharedApiUrl?: string;\n  /** Organization ID that owns this deployed instance. Users not in this org are rejected. */\n  organizationId?: string;\n  /**\n   * Cookie domain for session cookies (e.g., '.example.com').\n   * When set, cookies will include Secure and Domain attributes.\n   * Defaults to auto-detecting from sharedApiUrl (uses '.mastra.ai' when sharedApiUrl contains '.mastra.ai').\n   * Can also be set via MASTRA_COOKIE_DOMAIN environment variable.\n   */\n  cookieDomain?: string;\n}\n\nconst COOKIE_NAME = 'wos-session';\n\n/**\n * Auth provider for Mastra Studio deployed instances.\n *\n * Proxies all authentication through the shared API, keeping the\n * WorkOS API key safely in the shared API. Deployed instances only\n * need the shared API URL — no secrets required.\n *\n * The shared API's sealed session cookie (`wos-session`) is set with\n * `Domain=.mastra.ai` in production, so it's included in requests\n * to deployed instances and can be forwarded for validation.\n */\nexport class MastraAuthStudio\n  extends MastraAuthProvider<StudioUser>\n  implements ISSOProvider<StudioUser>, ISessionProvider<Session>, IUserProvider<StudioUser>\n{\n  readonly isMastraCloudAuth = true;\n\n  private sharedApiUrl: string;\n  private organizationId: string | undefined;\n  private useProductionCookies: boolean;\n  private cookieDomain: string | undefined;\n\n  constructor(options?: MastraAuthStudioOptions) {\n    super({ name: 'mastra-studio', ...options });\n    this.sharedApiUrl = options?.sharedApiUrl || process.env.MASTRA_SHARED_API_URL || 'http://localhost:3010/v1';\n    this.organizationId = options?.organizationId || process.env.MASTRA_ORGANIZATION_ID;\n\n    // Strip trailing slash\n    if (this.sharedApiUrl.endsWith('/')) {\n      this.sharedApiUrl = this.sharedApiUrl.slice(0, -1);\n    }\n\n    // Cookie domain can be explicitly configured, read from env, or auto-detected from sharedApiUrl\n    this.cookieDomain = options?.cookieDomain || process.env.MASTRA_COOKIE_DOMAIN;\n\n    // Use production cookie settings (Secure + Domain) when:\n    // 1. An explicit cookieDomain is configured, OR\n    // 2. The shared API is on .mastra.ai (auto-detect default domain)\n    // Use hostname-based detection to avoid false positives (e.g., api.mastra.ai.evil.com)\n    let autoDetectMastraAi = false;\n    try {\n      const hostname = new URL(this.sharedApiUrl).hostname.toLowerCase();\n      autoDetectMastraAi = hostname === 'mastra.ai' || hostname.endsWith('.mastra.ai');\n    } catch {\n      autoDetectMastraAi = false;\n    }\n    this.useProductionCookies = !!this.cookieDomain || autoDetectMastraAi;\n\n    // If no explicit domain but we're on .mastra.ai, use the default domain\n    if (!this.cookieDomain && autoDetectMastraAi) {\n      this.cookieDomain = '.mastra.ai';\n    }\n\n    if (options) {\n      this.registerOptions(options);\n    }\n  }\n\n  // ---------------------------------------------------------------------------\n  // MastraAuthProvider abstract methods\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Authenticate an incoming request by forwarding the sealed session cookie\n   * to the shared API's /auth/me endpoint, or a Bearer token to /auth/verify.\n   */\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<StudioUser | null> {\n    let user: StudioUser | null = null;\n\n    // Try sealed session cookie first (browser flow)\n    const cookieHeader = getRequestHeader(request, 'Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      user = await this.verifySessionCookie(sessionCookie);\n    }\n\n    // Fall back to Bearer token (CLI / API token flow)\n    if (!user && token) {\n      user = await this.verifyBearerToken(token);\n    }\n\n    if (!user) return null;\n\n    // Org-scoping: if this instance belongs to a specific org, reject users not a member of that org\n    // Check memberOrgIds (all orgs user belongs to) rather than organizationId (current org)\n    if (this.organizationId && !user.memberOrgIds?.includes(this.organizationId)) {\n      return null;\n    }\n\n    return user;\n  }\n\n  authorizeUser(user: StudioUser): boolean {\n    return !!user?.id;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISSOProvider\n  // ---------------------------------------------------------------------------\n\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract the post-login redirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state) {\n      const pipeIndex = state.indexOf('|');\n      if (pipeIndex !== -1) {\n        try {\n          postLoginRedirect = decodeURIComponent(state.slice(pipeIndex + 1));\n        } catch {\n          // ignore decode errors\n        }\n      }\n    }\n\n    const params = new URLSearchParams({\n      product: 'deploy',\n      redirect_uri: redirectUri,\n      post_login_redirect: postLoginRedirect,\n      // Force re-authentication so AuthKit always shows the account picker\n      prompt: 'login',\n      ...(this.organizationId ? { organization_id: this.organizationId } : {}),\n    });\n\n    return `${this.sharedApiUrl}/auth/login?${params.toString()}`;\n  }\n\n  async handleCallback(code: string, _state: string): Promise<SSOCallbackResult<StudioUser>> {\n    // The shared API already consumed the OAuth code and passes the sealed\n    // session directly as the `code` parameter in the redirect to this callback.\n    // Validate it to get user info.\n    this.logger.debug('SSO callback: validating sealed session via shared API', {\n      sharedApiUrl: this.sharedApiUrl,\n      codeLength: code?.length,\n    });\n    const user = await this.verifySessionCookie(code);\n    if (!user) {\n      this.logger.error('SSO callback: session validation failed — verifySessionCookie returned null', {\n        sharedApiUrl: this.sharedApiUrl,\n        codeLength: code?.length,\n      });\n      throw new Error('Session validation failed');\n    }\n\n    // Omit `cookies` so the Mastra server fallback path calls\n    // createSession() + getSessionHeaders() to build a cookie scoped to\n    // the deployed instance's domain.\n    return {\n      user,\n      tokens: {\n        accessToken: code,\n      },\n    };\n  }\n\n  setCallbackCookieHeader(_cookieHeader: string | null): void {\n    // No-op: we don't use PKCE cookies — the shared API handles the full OAuth flow\n  }\n\n  getLoginCookies(): string[] | undefined {\n    // No PKCE cookies needed — shared API manages the OAuth state\n    return undefined;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra-studio',\n      text: 'Sign in with Mastra',\n      description:\n        'Your deployed Studio is secured by your Mastra account. Sign in with the same email you used to sign up on mastra.ai.',\n    };\n  }\n\n  async getLogoutUrl(_redirectUri: string, request?: Request): Promise<string | null> {\n    const cookieHeader = request?.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (!sessionCookie) return null;\n\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (res.ok) {\n        const data = (await res.json()) as { ok: boolean; logoutUrl?: string };\n        return data.logoutUrl ?? null;\n      }\n    } catch {\n      // Failed to get logout URL — return null\n    }\n\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // ISessionProvider\n  // ---------------------------------------------------------------------------\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    return {\n      id: (metadata?.accessToken as string) || crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000), // 24 hours\n      createdAt: now,\n      metadata,\n    };\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const user = await this.verifySessionCookie(sessionId);\n    if (!user) return null;\n\n    const now = new Date();\n    return {\n      id: sessionId,\n      userId: user.id,\n      expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n      createdAt: now,\n    };\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    try {\n      await fetch(`${this.sharedApiUrl}/auth/logout`, {\n        method: 'POST',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n    } catch {\n      // Best effort\n    }\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    try {\n      // Call the shared API's /auth/refresh endpoint to get a fresh access token\n      const res = await fetch(`${this.sharedApiUrl}/auth/refresh`, {\n        method: 'GET',\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionId}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('refreshSession: shared API refresh returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/refresh`,\n        });\n        // Refresh failed, fall back to validation (will likely also fail)\n        return this.validateSession(sessionId);\n      }\n\n      // Parse the new sealed session from Set-Cookie header\n      const setCookie = res.headers.get('Set-Cookie');\n      const newSessionId = setCookie ? parseCookieFromHeader(setCookie, COOKIE_NAME) : null;\n\n      if (!newSessionId) {\n        this.logger.warn('refreshSession: no Set-Cookie header in refresh response');\n        // No new cookie returned, fall back to validation with original\n        return this.validateSession(sessionId);\n      }\n\n      // Verify the new session works and return it\n      const user = await this.verifySessionCookie(newSessionId);\n      if (!user) return null;\n\n      const now = new Date();\n      return {\n        id: newSessionId,\n        userId: user.id,\n        expiresAt: new Date(now.getTime() + 24 * 60 * 60 * 1000),\n        createdAt: now,\n      };\n    } catch (error) {\n      this.logger.error('refreshSession: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/refresh`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      // On error, fall back to validation\n      return this.validateSession(sessionId);\n    }\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('Cookie');\n    return parseCookie(cookieHeader, COOKIE_NAME);\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=${session.id}`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=86400'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    const parts = [`${COOKIE_NAME}=`, 'HttpOnly', 'SameSite=Lax', 'Path=/', 'Max-Age=0'];\n    if (this.useProductionCookies && this.cookieDomain) {\n      parts.push('Secure');\n      parts.push(`Domain=${this.cookieDomain}`);\n    }\n    return { 'Set-Cookie': parts.join('; ') };\n  }\n\n  // ---------------------------------------------------------------------------\n  // IUserProvider\n  // ---------------------------------------------------------------------------\n\n  async getCurrentUser(request: Request): Promise<StudioUser | null> {\n    const cookieHeader = request.headers.get('Cookie');\n    const sessionCookie = parseCookie(cookieHeader, COOKIE_NAME);\n\n    if (sessionCookie) {\n      return this.verifySessionCookie(sessionCookie);\n    }\n\n    // Try bearer token\n    const authHeader = request.headers.get('Authorization');\n    if (authHeader?.startsWith('Bearer ')) {\n      return this.verifyBearerToken(authHeader.slice(7));\n    }\n\n    return null;\n  }\n\n  async getUser(_userId: string): Promise<StudioUser | null> {\n    // Cannot look up users by ID — only validate sessions\n    return null;\n  }\n\n  // ---------------------------------------------------------------------------\n  // Internal helpers\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Forward a sealed session cookie to the shared API's /auth/me endpoint\n   * to validate it and get user info.\n   */\n  private async verifySessionCookie(sessionCookie: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/me`, {\n        headers: {\n          Cookie: `${COOKIE_NAME}=${sessionCookie}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifySessionCookie: shared API returned non-OK status', {\n          status: res.status,\n          statusText: res.statusText,\n          url: `${this.sharedApiUrl}/auth/me`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n          profilePictureUrl?: string;\n        };\n        organizationId: string;\n        role?: string;\n        permissions?: string[];\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        avatarUrl: data.user.profilePictureUrl,\n        organizationId: data.organizationId,\n        role: data.role,\n        permissions: data.permissions,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifySessionCookie: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/me`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n\n  /**\n   * Forward a Bearer token to the shared API's /auth/verify endpoint\n   * to validate it and get user info (used for CLI tokens).\n   */\n  private async verifyBearerToken(token: string): Promise<StudioUser | null> {\n    try {\n      const res = await fetch(`${this.sharedApiUrl}/auth/verify`, {\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!res.ok) {\n        this.logger.warn('verifyBearerToken: shared API returned non-OK status', {\n          status: res.status,\n          url: `${this.sharedApiUrl}/auth/verify`,\n        });\n        return null;\n      }\n\n      const data = (await res.json()) as {\n        user: {\n          id: string;\n          email: string;\n          firstName: string;\n          lastName: string;\n        };\n        organizationId: string;\n        role?: string;\n        memberOrgIds?: string[];\n      };\n\n      return {\n        id: data.user.id,\n        email: data.user.email,\n        name: [data.user.firstName, data.user.lastName].filter(Boolean).join(' ') || undefined,\n        organizationId: data.organizationId,\n        role: data.role,\n        memberOrgIds: data.memberOrgIds,\n      };\n    } catch (error) {\n      this.logger.error('verifyBearerToken: fetch to shared API failed', {\n        url: `${this.sharedApiUrl}/auth/verify`,\n        error: error instanceof Error ? { message: error.message, stack: error.stack } : String(error),\n      });\n      return null;\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Cookie helpers\n// ---------------------------------------------------------------------------\n\nfunction parseCookie(cookieHeader: string | null | undefined, name: string): string | null {\n  if (!cookieHeader) return null;\n  const match = cookieHeader.match(new RegExp(`${name}=([^;]+)`));\n  return match?.[1] ?? null;\n}\n\n/**\n * Parse a cookie value from a Set-Cookie header.\n * Set-Cookie format: \"name=value; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400\"\n */\nfunction parseCookieFromHeader(setCookieHeader: string, name: string): string | null {\n  // Set-Cookie header starts with \"name=value\" followed by optional attributes\n  const parts = setCookieHeader.split(';');\n  if (parts.length === 0) return null;\n\n  const [cookieName, ...valueParts] = parts[0]!.split('=');\n  if (cookieName?.trim() !== name) return null;\n\n  // Value could contain = characters, so rejoin\n  return valueParts.join('=') || null;\n}\n\n// ---------------------------------------------------------------------------\n// MastraRBACStudio — role-based permission provider for Studio auth\n// ---------------------------------------------------------------------------\n\nexport interface MastraRBACStudioOptions {\n  /**\n   * Mapping from role names to permission arrays.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Studio authentication.\n *\n * Maps user roles (from the shared API's /auth/me endpoint) to Mastra permissions\n * using a configurable role mapping.\n */\nexport class MastraRBACStudio implements IRBACProvider<StudioUser> {\n  private options: MastraRBACStudioOptions;\n\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  constructor(options: MastraRBACStudioOptions) {\n    this.options = options;\n  }\n\n  async getRoles(user: StudioUser): Promise<string[]> {\n    return user.role ? [user.role] : [];\n  }\n\n  async hasRole(user: StudioUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: StudioUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  async hasPermission(user: StudioUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: StudioUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mastra/auth-studio",
-  "version": "1.2.2-alpha.0",
+  "version": "1.2.3-alpha.0",
   "description": "Mastra Studio Auth integration — proxies authentication through Mastra shared API",
   "type": "module",
   "main": "dist/index.js",
@@ -25,11 +25,11 @@
     "@vitest/ui": "4.1.5",
     "eslint": "^10.2.1",
     "tsup": "^8.5.1",
-    "typescript": "^5.9.3",
+    "typescript": "^6.0.3",
     "vitest": "4.1.5",
-    "@internal/types-builder": "0.0.61",
-    "@mastra/core": "1.29.0-alpha.5",
-    "@internal/lint": "0.0.86"
+    "@internal/lint": "0.0.100",
+    "@mastra/core": "1.39.0-alpha.0",
+    "@internal/types-builder": "0.0.75"
   },
   "peerDependencies": {
     "@mastra/core": ">=1.0.0-0 <2.0.0-0"