@mastra/auth-workos 1.0.0 → 1.1.0

package/dist/index.cjs

@@ -1,178 +1,883 @@
 'use strict';
 
 var auth = require('@mastra/auth');
+var server = require('@mastra/core/server');
+var authkitSession = require('@workos/authkit-session');
 var node = require('@workos-inc/node');
+var ee = require('@mastra/core/auth/ee');
+var lruCache = require('lru-cache');
 
-// src/index.ts
+// src/auth-provider.ts
+var WebSessionStorage = class extends authkitSession.CookieSessionStorage {
+  constructor(config) {
+    super(config);
+  }
+  /**
+   * Extract the encrypted session cookie from a Request.
+   *
+   * @param request - Standard Web Request object
+   * @returns The encrypted session string or null if not present
+   */
+  async getSession(request) {
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader) {
+      return null;
+    }
+    const cookies = cookieHeader.split(";").reduce(
+      (acc, cookie) => {
+        const [name, ...valueParts] = cookie.trim().split("=");
+        if (name) {
+          acc[name] = decodeURIComponent(valueParts.join("="));
+        }
+        return acc;
+      },
+      {}
+    );
+    return cookies[this.cookieName] || null;
+  }
+};
 
-// ../../packages/core/dist/chunk-NRUZYMHE.js
-var RegisteredLogger = {
-  LLM: "LLM"};
-var LogLevel = {
-  DEBUG: "debug",
-  INFO: "info",
-  WARN: "warn",
-  ERROR: "error"};
-var MastraLogger = class {
-  name;
-  level;
-  transports;
-  constructor(options = {}) {
-    this.name = options.name || "Mastra";
-    this.level = options.level || LogLevel.ERROR;
-    this.transports = new Map(Object.entries(options.transports || {}));
-  }
-  getTransports() {
-    return this.transports;
-  }
-  trackException(_error) {
-  }
-  async listLogs(transportId, params) {
-    if (!transportId || !this.transports.has(transportId)) {
-      return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };
-    }
-    return this.transports.get(transportId).listLogs(params) ?? {
-      logs: [],
-      total: 0,
-      page: params?.page ?? 1,
-      perPage: params?.perPage ?? 100,
-      hasMore: false
+// src/types.ts
+function mapWorkOSUserToEEUser(user) {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.firstName && user.lastName ? `${user.firstName} ${user.lastName}` : user.firstName || user.email,
+    avatarUrl: user.profilePictureUrl ?? void 0,
+    metadata: {
+      workosId: user.id,
+      emailVerified: user.emailVerified,
+      createdAt: user.createdAt
+    }
+  };
+}
+
+// src/auth-provider.ts
+var DEV_COOKIE_PASSWORD = crypto.randomUUID() + crypto.randomUUID();
+var MastraAuthWorkos = class extends server.MastraAuthProvider {
+  workos;
+  clientId;
+  redirectUri;
+  ssoConfig;
+  authService;
+  config;
+  constructor(options) {
+    super({ name: options?.name ?? "workos" });
+    const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;
+    const redirectUri = options?.redirectUri ?? process.env.WORKOS_REDIRECT_URI;
+    const cookiePassword = options?.session?.cookiePassword ?? process.env.WORKOS_COOKIE_PASSWORD ?? DEV_COOKIE_PASSWORD;
+    if (!apiKey || !clientId) {
+      throw new Error(
+        "WorkOS API key and client ID are required. Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables."
+      );
+    }
+    if (!redirectUri) {
+      throw new Error(
+        "WorkOS redirect URI is required. Provide it in the options or set WORKOS_REDIRECT_URI environment variable."
+      );
+    }
+    if (cookiePassword.length < 32) {
+      throw new Error(
+        "Cookie password must be at least 32 characters. Set WORKOS_COOKIE_PASSWORD environment variable or provide session.cookiePassword option."
+      );
+    }
+    this.clientId = clientId;
+    this.redirectUri = redirectUri;
+    this.ssoConfig = options?.sso;
+    this.workos = new node.WorkOS(apiKey, { clientId });
+    this.config = {
+      clientId,
+      apiKey,
+      redirectUri,
+      cookiePassword,
+      cookieName: options?.session?.cookieName ?? "wos_session",
+      cookieMaxAge: options?.session?.maxAge ?? 60 * 60 * 24 * 400,
+      // 400 days
+      cookieSameSite: options?.session?.sameSite?.toLowerCase(),
+      cookieDomain: void 0,
+      apiHttps: true
     };
+    const storage = new WebSessionStorage(this.config);
+    this.authService = new authkitSession.AuthService(this.config, storage, this.workos, authkitSession.sessionEncryption);
+    this.registerOptions(options);
+    if (cookiePassword === DEV_COOKIE_PASSWORD) {
+      console.warn(
+        "[WorkOS] Using auto-generated cookie password for development. Sessions will not persist across server restarts. Set WORKOS_COOKIE_PASSWORD for persistent sessions."
+      );
+    }
   }
-  async listLogsByRunId({
-    transportId,
-    runId,
-    fromDate,
-    toDate,
-    logLevel,
-    filters,
-    page,
-    perPage
-  }) {
-    if (!transportId || !this.transports.has(transportId) || !runId) {
-      return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };
-    }
-    return this.transports.get(transportId).listLogsByRunId({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {
-      logs: [],
-      total: 0,
-      page: page ?? 1,
-      perPage: perPage ?? 100,
-      hasMore: false
-    };
+  // ============================================================================
+  // MastraAuthProvider Implementation
+  // ============================================================================
+  /**
+   * Authenticate a bearer token or session cookie.
+   *
+   * Uses AuthKit's withAuth() for cookie-based sessions, falls back to
+   * JWT verification for bearer tokens.
+   */
+  async authenticateToken(token, request) {
+    try {
+      const rawRequest = "raw" in request ? request.raw : request;
+      const { auth: auth$1 } = await this.authService.withAuth(rawRequest);
+      if (auth$1.user) {
+        return {
+          ...mapWorkOSUserToEEUser(auth$1.user),
+          workosId: auth$1.user.id,
+          organizationId: auth$1.organizationId
+          // Note: memberships not available from session, fetch if needed
+        };
+      }
+      if (token) {
+        const jwksUri = this.workos.userManagement.getJwksUrl(this.clientId);
+        const payload = await auth.verifyJwks(token, jwksUri);
+        if (payload?.sub) {
+          const user = await this.workos.userManagement.getUser(payload.sub);
+          const memberships = await this.workos.userManagement.listOrganizationMemberships({
+            userId: user.id
+          });
+          return {
+            ...mapWorkOSUserToEEUser(user),
+            workosId: user.id,
+            organizationId: memberships.data[0]?.organizationId,
+            memberships: memberships.data
+          };
+        }
+      }
+      return null;
+    } catch {
+      return null;
+    }
   }
-};
-var ConsoleLogger = class extends MastraLogger {
-  constructor(options = {}) {
-    super(options);
+  /**
+   * Authorize a user for access.
+   */
+  async authorizeUser(user) {
+    return !!user?.id && !!user?.workosId;
   }
-  debug(message, ...args) {
-    if (this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
+  // ============================================================================
+  // IUserProvider Implementation
+  // ============================================================================
+  /**
+   * Get the current user from the request using AuthKit session.
+   */
+  async getCurrentUser(request) {
+    try {
+      const { auth, refreshedSessionData } = await this.authService.withAuth(request);
+      if (!auth.user) {
+        return null;
+      }
+      let organizationId = auth.organizationId;
+      if (!organizationId) {
+        try {
+          const memberships = await this.workos.userManagement.listOrganizationMemberships({
+            userId: auth.user.id
+          });
+          organizationId = memberships.data[0]?.organizationId;
+        } catch {
+        }
+      }
+      const user = {
+        ...mapWorkOSUserToEEUser(auth.user),
+        workosId: auth.user.id,
+        organizationId
+      };
+      if (refreshedSessionData) {
+        user._refreshedSessionData = refreshedSessionData;
+      }
+      return user;
+    } catch {
+      return null;
     }
   }
-  info(message, ...args) {
-    if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
+  /**
+   * Get a user by their ID.
+   */
+  async getUser(userId) {
+    try {
+      const user = await this.workos.userManagement.getUser(userId);
+      return {
+        ...mapWorkOSUserToEEUser(user),
+        workosId: user.id
+      };
+    } catch {
+      return null;
     }
   }
-  warn(message, ...args) {
-    if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
+  /**
+   * Get the URL to the user's profile page.
+   */
+  getUserProfileUrl(user) {
+    return `/profile/${user.id}`;
+  }
+  // ============================================================================
+  // ISSOProvider Implementation
+  // ============================================================================
+  /**
+   * Get the URL to redirect users to for SSO login.
+   */
+  getLoginUrl(redirectUri, state) {
+    const baseOptions = {
+      clientId: this.clientId,
+      redirectUri: redirectUri || this.redirectUri,
+      state
+    };
+    if (this.ssoConfig?.connection) {
+      return this.workos.userManagement.getAuthorizationUrl({
+        ...baseOptions,
+        connectionId: this.ssoConfig.connection
+      });
+    } else if (this.ssoConfig?.provider) {
+      return this.workos.userManagement.getAuthorizationUrl({
+        ...baseOptions,
+        provider: this.ssoConfig.provider
+      });
+    } else if (this.ssoConfig?.defaultOrganization) {
+      return this.workos.userManagement.getAuthorizationUrl({
+        ...baseOptions,
+        organizationId: this.ssoConfig.defaultOrganization
+      });
     }
+    return this.workos.userManagement.getAuthorizationUrl({
+      ...baseOptions,
+      provider: "authkit"
+    });
   }
-  error(message, ...args) {
-    if (this.level === LogLevel.ERROR || this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.error(message, ...args);
+  /**
+   * Handle the OAuth callback from WorkOS.
+   *
+   * Uses AuthKit's handleCallback for proper session creation.
+   */
+  async handleCallback(code, _state) {
+    const result = await this.authService.handleCallback(
+      new Request("http://localhost"),
+      // Dummy request, not used
+      new Response(),
+      // Dummy response to get headers
+      { code, state: _state }
+    );
+    const user = {
+      ...mapWorkOSUserToEEUser(result.authResponse.user),
+      workosId: result.authResponse.user.id,
+      organizationId: result.authResponse.organizationId
+    };
+    const sessionCookie = result.headers?.["Set-Cookie"];
+    const cookies = sessionCookie ? Array.isArray(sessionCookie) ? sessionCookie : [sessionCookie] : void 0;
+    return {
+      user,
+      tokens: {
+        accessToken: result.authResponse.accessToken,
+        refreshToken: result.authResponse.refreshToken
+      },
+      cookies
+    };
+  }
+  /**
+   * Get the URL to redirect users to for logout.
+   * Extracts session ID from the request's JWT to build a valid WorkOS logout URL.
+   *
+   * @param redirectUri - URL to redirect to after logout
+   * @param request - Request containing session cookie (needed to extract sid)
+   * @returns Logout URL or null if no active session
+   */
+  async getLogoutUrl(redirectUri, request) {
+    if (!request) {
+      return null;
+    }
+    try {
+      const { auth } = await this.authService.withAuth(request);
+      if (!auth.user) {
+        return null;
+      }
+      const [, payloadBase64] = auth.accessToken.split(".");
+      if (!payloadBase64) {
+        return null;
+      }
+      const payload = JSON.parse(atob(payloadBase64));
+      const sessionId = payload.sid;
+      if (!sessionId) {
+        return null;
+      }
+      return this.workos.userManagement.getLogoutUrl({ sessionId, returnTo: redirectUri });
+    } catch {
+      return null;
     }
   }
-  async listLogs(_transportId, _params) {
-    return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };
+  /**
+   * Get the configuration for rendering the login button.
+   */
+  getLoginButtonConfig() {
+    let text = "Sign in";
+    if (this.ssoConfig?.provider) {
+      const providerNames = {
+        GoogleOAuth: "Google",
+        MicrosoftOAuth: "Microsoft",
+        GitHubOAuth: "GitHub",
+        AppleOAuth: "Apple"
+      };
+      const providerName = providerNames[this.ssoConfig.provider];
+      if (providerName) {
+        text = `Sign in with ${providerName}`;
+      }
+    }
+    return {
+      provider: "workos",
+      text
+    };
   }
-  async listLogsByRunId(_args) {
-    return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 100, hasMore: false };
+  // ============================================================================
+  // ISessionProvider Implementation
+  // ============================================================================
+  /**
+   * Create a new session for a user.
+   *
+   * Note: With AuthKit, sessions are created via handleCallback.
+   * This method is kept for interface compatibility.
+   */
+  async createSession(userId, metadata) {
+    const sessionId = crypto.randomUUID();
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + this.config.cookieMaxAge * 1e3);
+    return {
+      id: sessionId,
+      userId,
+      createdAt: now,
+      expiresAt,
+      metadata
+    };
   }
-};
-
-// ../../packages/core/dist/chunk-LSHPJWM5.js
-var MastraBase = class {
-  component = RegisteredLogger.LLM;
-  logger;
-  name;
-  constructor({ component, name }) {
-    this.component = component || RegisteredLogger.LLM;
-    this.name = name;
-    this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });
+  /**
+   * Validate a session.
+   *
+   * With AuthKit, sessions are validated via withAuth().
+   */
+  async validateSession(_sessionId) {
+    return null;
   }
   /**
-   * Set the logger for the agent
-   * @param logger
+   * Destroy a session.
    */
-  __setLogger(logger) {
-    this.logger = logger;
-    if (this.component !== RegisteredLogger.LLM) {
-      this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);
+  async destroySession(_sessionId) {
+  }
+  /**
+   * Refresh a session.
+   */
+  async refreshSession(_sessionId) {
+    return null;
+  }
+  /**
+   * Extract session ID from a request.
+   */
+  getSessionIdFromRequest(_request) {
+    return null;
+  }
+  /**
+   * Get response headers to set the session cookie.
+   */
+  getSessionHeaders(session) {
+    const sessionCookie = session._sessionCookie;
+    if (sessionCookie) {
+      return { "Set-Cookie": Array.isArray(sessionCookie) ? sessionCookie[0] : sessionCookie };
     }
+    return {};
+  }
+  /**
+   * Get response headers to clear the session cookie.
+   */
+  getClearSessionHeaders() {
+    const cookieParts = [`${this.config.cookieName}=`, "Path=/", "Max-Age=0", "HttpOnly"];
+    return { "Set-Cookie": cookieParts.join("; ") };
+  }
+  // ============================================================================
+  // Helper Methods
+  // ============================================================================
+  /**
+   * Get the underlying WorkOS client.
+   */
+  getWorkOS() {
+    return this.workos;
+  }
+  /**
+   * Get the AuthKit AuthService.
+   */
+  getAuthService() {
+    return this.authService;
+  }
+  /**
+   * Get the configured client ID.
+   */
+  getClientId() {
+    return this.clientId;
+  }
+  /**
+   * Get the configured redirect URI.
+   */
+  getRedirectUri() {
+    return this.redirectUri;
   }
 };
-
-// ../../packages/core/dist/server/index.js
-var MastraAuthProvider = class extends MastraBase {
-  protected;
-  public;
+var DEFAULT_CACHE_TTL_MS = 60 * 1e3;
+var DEFAULT_CACHE_MAX_SIZE = 1e3;
+var MastraRBACWorkos = class {
+  workos;
+  options;
+  /**
+   * Single cache for roles (the expensive WorkOS API call).
+   * Permissions are derived from roles on-the-fly (cheap, synchronous).
+   * Storing promises handles concurrent request deduplication.
+   */
+  rolesCache;
+  /**
+   * Expose roleMapping for middleware access.
+   * This allows the authorization middleware to resolve permissions
+   * without needing to call the async methods.
+   */
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  /**
+   * Create a new WorkOS RBAC provider.
+   *
+   * @param options - RBAC configuration options
+   */
   constructor(options) {
-    super({ component: "AUTH", name: options?.name });
-    if (options?.authorizeUser) {
-      this.authorizeUser = options.authorizeUser.bind(this);
+    const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;
+    if (!apiKey || !clientId) {
+      throw new Error(
+        "WorkOS API key and client ID are required. Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables."
+      );
     }
-    this.protected = options?.protected;
-    this.public = options?.public;
+    this.workos = new node.WorkOS(apiKey, { clientId });
+    this.options = options;
+    this.rolesCache = new lruCache.LRUCache({
+      max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,
+      ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS
+    });
   }
-  registerOptions(opts) {
-    if (opts?.authorizeUser) {
-      this.authorizeUser = opts.authorizeUser.bind(this);
+  /**
+   * Get all roles for a user from their WorkOS organization memberships.
+   *
+   * Fetches organization memberships from WorkOS and extracts role slugs.
+   * If an organizationId is configured, only returns roles from that organization.
+   * Otherwise, returns roles from all organizations the user belongs to.
+   *
+   * Results are cached and concurrent requests are deduplicated.
+   *
+   * @param user - WorkOS user to get roles for
+   * @returns Array of role slugs
+   */
+  async getRoles(user) {
+    if (user.memberships && user.memberships.length > 0) {
+      return this.extractRolesFromMemberships(user);
     }
-    if (opts?.protected) {
-      this.protected = opts.protected;
+    const cacheKey = user.workosId ?? user.id;
+    const cached = this.rolesCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const rolesPromise = this.fetchRolesFromWorkOS(user);
+    this.rolesCache.set(cacheKey, rolesPromise);
+    return rolesPromise;
+  }
+  /**
+   * Fetch roles from WorkOS API.
+   */
+  async fetchRolesFromWorkOS(user) {
+    try {
+      const memberships = await this.workos.userManagement.listOrganizationMemberships({
+        userId: user.workosId
+      });
+      const relevantMemberships = this.options.organizationId ? memberships.data.filter((m) => m.organizationId === this.options.organizationId) : memberships.data;
+      return relevantMemberships.map((m) => m.role.slug);
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Check if a user has a specific role.
+   *
+   * @param user - WorkOS user to check
+   * @param role - Role slug to check for
+   * @returns True if user has the role
+   */
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  /**
+   * Get all permissions for a user by mapping their WorkOS roles.
+   *
+   * Uses the configured roleMapping to translate WorkOS role slugs
+   * into Mastra permission strings. Roles are cached; permissions
+   * are derived on-the-fly (cheap, synchronous operation).
+   *
+   * If the user has no roles (no organization memberships), the
+   * _default permissions from the role mapping are applied.
+   *
+   * @param user - WorkOS user to get permissions for
+   * @returns Array of permission strings
+   */
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
     }
-    if (opts?.public) {
-      this.public = opts.public;
+    return ee.resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  /**
+   * Check if a user has a specific permission.
+   *
+   * Uses wildcard matching to check if any of the user's permissions
+   * grant access to the required permission.
+   *
+   * @param user - WorkOS user to check
+   * @param permission - Permission to check for (e.g., 'agents:read')
+   * @returns True if user has the permission
+   */
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => ee.matchesPermission(p, permission));
+  }
+  /**
+   * Check if a user has ALL of the specified permissions.
+   *
+   * @param user - WorkOS user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has all permissions
+   */
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  /**
+   * Check if a user has ANY of the specified permissions.
+   *
+   * @param user - WorkOS user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has at least one permission
+   */
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  /**
+   * Clear the roles cache.
+   *
+   * Call this when system-wide role changes occur.
+   * For individual user changes, prefer clearUserCache() instead.
+   */
+  clearCache() {
+    this.rolesCache.clear();
+  }
+  /**
+   * Clear cached roles for a specific user.
+   *
+   * Call this when a user's roles change to ensure fresh permission resolution
+   * on their next request. This is more efficient than clearing the entire cache.
+   *
+   * @param userId - The user ID to clear from cache
+   */
+  clearUserCache(userId) {
+    this.rolesCache.delete(userId);
+  }
+  /**
+   * Get cache statistics for monitoring.
+   *
+   * @returns Object with cache size and max size
+   */
+  getCacheStats() {
+    return {
+      size: this.rolesCache.size,
+      maxSize: this.rolesCache.max
+    };
+  }
+  /**
+   * Extract role slugs from memberships attached to the user object.
+   *
+   * @param user - WorkOS user with memberships
+   * @returns Array of role slugs
+   */
+  extractRolesFromMemberships(user) {
+    if (!user.memberships) {
+      return [];
     }
+    const relevantMemberships = this.options.organizationId ? user.memberships.filter((m) => m.organizationId === this.options.organizationId) : user.memberships;
+    return relevantMemberships.map((m) => m.role.slug);
   }
 };
-var MastraAuthWorkos = class extends MastraAuthProvider {
+
+// src/directory-sync.ts
+var WorkOSDirectorySync = class {
   workos;
-  constructor(options) {
-    super({ name: options?.name ?? "workos" });
-    const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
-    const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;
-    if (!apiKey || !clientId) {
+  webhookSecret;
+  handlers;
+  /**
+   * Creates a new WorkOSDirectorySync instance.
+   *
+   * @param workos - WorkOS client instance
+   * @param options - Configuration options including webhook secret and event handlers
+   * @throws Error if webhook secret is not provided
+   */
+  constructor(workos, options) {
+    this.workos = workos;
+    const webhookSecret = options.webhookSecret ?? process.env.WORKOS_WEBHOOK_SECRET;
+    if (!webhookSecret) {
       throw new Error(
-        "WorkOS API key and client ID are required, please provide them in the options or set the environment variables WORKOS_API_KEY and WORKOS_CLIENT_ID"
+        "WorkOS webhook secret is required. Provide it in options or set WORKOS_WEBHOOK_SECRET environment variable."
       );
     }
-    this.workos = new node.WorkOS(apiKey, {
-      clientId
-    });
-    this.registerOptions(options);
+    this.webhookSecret = webhookSecret;
+    this.handlers = options.handlers;
   }
-  async authenticateToken(token) {
-    const jwksUri = this.workos.userManagement.getJwksUrl(process.env.WORKOS_CLIENT_ID);
-    const user = await auth.verifyJwks(token, jwksUri);
-    return user;
+  /**
+   * Handles incoming webhook events from WorkOS Directory Sync.
+   *
+   * This method verifies the webhook signature for security, parses the event,
+   * and routes it to the appropriate handler based on the event type.
+   *
+   * @param payload - Raw webhook payload (string or object)
+   * @param signature - WorkOS signature header for verification
+   * @throws Error if signature verification fails
+   */
+  async handleWebhook(payload, signature) {
+    const parsedPayload = typeof payload === "string" ? JSON.parse(payload) : payload;
+    const event = await this.workos.webhooks.constructEvent({
+      payload: parsedPayload,
+      sigHeader: signature,
+      secret: this.webhookSecret
+    });
+    try {
+      await this.routeEvent(event);
+    } catch (error) {
+      console.error(`[WorkOSDirectorySync] Error handling event ${event.event}:`, error);
+    }
   }
-  async authorizeUser(user) {
-    if (!user) {
-      return false;
+  /**
+   * Routes a directory sync event to the appropriate handler.
+   *
+   * @param event - The verified webhook event
+   */
+  async routeEvent(event) {
+    const { event: eventType, data } = event;
+    switch (eventType) {
+      case "dsync.user.created":
+        if (this.handlers.onUserCreated) {
+          await this.handlers.onUserCreated(this.mapUserData(data));
+        }
+        break;
+      case "dsync.user.updated":
+        if (this.handlers.onUserUpdated) {
+          await this.handlers.onUserUpdated(this.mapUserData(data));
+        }
+        break;
+      case "dsync.user.deleted":
+        if (this.handlers.onUserDeleted) {
+          await this.handlers.onUserDeleted(this.mapUserData(data));
+        }
+        break;
+      case "dsync.group.created":
+        if (this.handlers.onGroupCreated) {
+          await this.handlers.onGroupCreated(this.mapGroupData(data));
+        }
+        break;
+      case "dsync.group.updated":
+        if (this.handlers.onGroupUpdated) {
+          await this.handlers.onGroupUpdated(this.mapGroupData(data));
+        }
+        break;
+      case "dsync.group.deleted":
+        if (this.handlers.onGroupDeleted) {
+          await this.handlers.onGroupDeleted(this.mapGroupData(data));
+        }
+        break;
+      case "dsync.group.user_added":
+        if (this.handlers.onGroupUserAdded) {
+          await this.handlers.onGroupUserAdded({
+            group: this.mapGroupData(data.group),
+            user: this.mapUserData(data.user)
+          });
+        }
+        break;
+      case "dsync.group.user_removed":
+        if (this.handlers.onGroupUserRemoved) {
+          await this.handlers.onGroupUserRemoved({
+            group: this.mapGroupData(data.group),
+            user: this.mapUserData(data.user)
+          });
+        }
+        break;
+      default:
+        console.warn(`[WorkOSDirectorySync] Unknown event type: ${eventType}`);
     }
-    const org = await this.workos.userManagement.listOrganizationMemberships({
-      userId: user.sub
+  }
+  /**
+   * Maps raw webhook user data to the DirectorySyncUserData type.
+   *
+   * @param data - Raw user data from webhook
+   * @returns Typed user data
+   */
+  mapUserData(data) {
+    return {
+      id: data.id,
+      directoryId: data.directory_id,
+      organizationId: data.organization_id,
+      idpId: data.idp_id,
+      firstName: data.first_name,
+      lastName: data.last_name,
+      jobTitle: data.job_title,
+      emails: data.emails ?? [],
+      username: data.username,
+      groups: data.groups ?? [],
+      state: data.state,
+      rawAttributes: data.raw_attributes ?? {},
+      customAttributes: data.custom_attributes ?? {},
+      createdAt: data.created_at,
+      updatedAt: data.updated_at
+    };
+  }
+  /**
+   * Maps raw webhook group data to the DirectorySyncGroupData type.
+   *
+   * @param data - Raw group data from webhook
+   * @returns Typed group data
+   */
+  mapGroupData(data) {
+    return {
+      id: data.id,
+      directoryId: data.directory_id,
+      organizationId: data.organization_id,
+      idpId: data.idp_id,
+      name: data.name,
+      createdAt: data.created_at,
+      updatedAt: data.updated_at,
+      rawAttributes: data.raw_attributes ?? {}
+    };
+  }
+  // ===========================================================================
+  // Helper Methods for Directory Sync Operations
+  // ===========================================================================
+  /**
+   * Lists all directories for an organization.
+   *
+   * @param organizationId - The WorkOS organization ID
+   * @returns Array of directories
+   *
+   * @example
+   * ```typescript
+   * const directories = await directorySync.listDirectories('org_123');
+   * for (const dir of directories) {
+   *   console.log(`Directory: ${dir.name} (${dir.type})`);
+   * }
+   * ```
+   */
+  async listDirectories(organizationId) {
+    const response = await this.workos.directorySync.listDirectories({
+      organizationId
+    });
+    return response.data;
+  }
+  /**
+   * Lists all users in a directory.
+   *
+   * @param directoryId - The directory ID
+   * @returns Array of directory users
+   *
+   * @example
+   * ```typescript
+   * const users = await directorySync.listDirectoryUsers('directory_123');
+   * for (const user of users) {
+   *   console.log(`User: ${user.firstName} ${user.lastName}`);
+   * }
+   * ```
+   */
+  async listDirectoryUsers(directoryId) {
+    const response = await this.workos.directorySync.listUsers({
+      directory: directoryId
+    });
+    return response.data;
+  }
+  /**
+   * Lists all groups in a directory.
+   *
+   * @param directoryId - The directory ID
+   * @returns Array of directory groups
+   *
+   * @example
+   * ```typescript
+   * const groups = await directorySync.listDirectoryGroups('directory_123');
+   * for (const group of groups) {
+   *   console.log(`Group: ${group.name}`);
+   * }
+   * ```
+   */
+  async listDirectoryGroups(directoryId) {
+    const response = await this.workos.directorySync.listGroups({
+      directory: directoryId
+    });
+    return response.data;
+  }
+};
+var INTENT_MAP = {
+  sso: node.GeneratePortalLinkIntent.SSO,
+  dsync: node.GeneratePortalLinkIntent.DSync,
+  audit_logs: node.GeneratePortalLinkIntent.AuditLogs,
+  log_streams: node.GeneratePortalLinkIntent.LogStreams
+};
+var WorkOSAdminPortal = class {
+  workos;
+  returnUrl;
+  /**
+   * Creates a new WorkOSAdminPortal instance.
+   *
+   * @param workos - The WorkOS client instance
+   * @param options - Configuration options for the Admin Portal
+   */
+  constructor(workos, options) {
+    this.workos = workos;
+    this.returnUrl = options?.returnUrl ?? "/";
+  }
+  /**
+   * Generates a link to the WorkOS Admin Portal for a specific organization.
+   *
+   * The generated link is a one-time use URL that expires after a short period.
+   * Users should be redirected to this link immediately after generation.
+   *
+   * @param organizationId - The WorkOS organization ID (e.g., 'org_01H...')
+   * @param intent - The portal section to open. Determines what the user can configure:
+   *   - `'sso'`: Configure SSO connections (SAML, OIDC providers)
+   *   - `'dsync'`: Configure Directory Sync (SCIM provisioning)
+   *   - `'audit_logs'`: View and export audit logs
+   *   - `'log_streams'`: Configure log streaming to external SIEM systems
+   * @returns A promise that resolves to the Admin Portal URL
+   *
+   * @example
+   * ```typescript
+   * // SSO configuration (default)
+   * const link = await adminPortal.getPortalLink('org_01H...');
+   *
+   * // Directory Sync configuration
+   * const link = await adminPortal.getPortalLink('org_01H...', 'dsync');
+   *
+   * // Audit logs viewing
+   * const link = await adminPortal.getPortalLink('org_01H...', 'audit_logs');
+   * ```
+   */
+  async getPortalLink(organizationId, intent) {
+    const result = await this.workos.portal.generateLink({
+      organization: organizationId,
+      intent: INTENT_MAP[intent ?? "sso"],
+      returnUrl: this.returnUrl
     });
-    const roles = org.data.map((org2) => org2.role);
-    const isAdmin = roles.some((role) => role.slug === "admin");
-    return isAdmin;
+    return result.link;
   }
 };
 
 exports.MastraAuthWorkos = MastraAuthWorkos;
+exports.MastraRBACWorkos = MastraRBACWorkos;
+exports.WebSessionStorage = WebSessionStorage;
+exports.WorkOSAdminPortal = WorkOSAdminPortal;
+exports.WorkOSDirectorySync = WorkOSDirectorySync;
+exports.mapWorkOSUserToEEUser = mapWorkOSUserToEEUser;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map