npm - @mastra/auth-workos - Versions diffs - 1.1.2-alpha.0 → 1.2.0-alpha.0 - Mend

@mastra/auth-workos 1.1.2-alpha.0 → 1.2.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/CHANGELOG.md +50 -0
package/README.md +70 -6
package/dist/auth-provider.d.ts +14 -0
package/dist/auth-provider.d.ts.map +1 -1
package/dist/fga-provider.d.ts +158 -0
package/dist/fga-provider.d.ts.map +1 -0
package/dist/index.cjs +595 -19
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +593 -20
package/dist/index.js.map +1 -1
package/dist/types.d.ts +135 -1
package/dist/types.d.ts.map +1 -1
package/package.json +11 -11

package/dist/index.cjs CHANGED Viewed

@@ -4,8 +4,8 @@ var auth = require('@mastra/auth');
 var server = require('@mastra/core/server');
 var authkitSession = require('@workos/authkit-session');
 var node = require('@workos-inc/node');
-var ee = require('@mastra/core/auth/ee');
 var lruCache = require('lru-cache');
+var ee = require('@mastra/core/auth/ee');
 // src/auth-provider.ts
 var WebSessionStorage = class extends authkitSession.CookieSessionStorage {
@@ -54,6 +54,8 @@ function mapWorkOSUserToEEUser(user) {
 // src/auth-provider.ts
 var DEV_COOKIE_PASSWORD = crypto.randomUUID() + crypto.randomUUID();
+var MEMBERSHIP_CACHE_TTL_MS = 60 * 1e3;
+var MEMBERSHIP_CACHE_MAX_SIZE = 1e3;
 var MastraAuthWorkos = class extends server.MastraAuthProvider {
   workos;
   clientId;
@@ -61,6 +63,11 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
   ssoConfig;
   authService;
   config;
+  fetchMemberships;
+  trustJwtClaims;
+  jwtClaimOptions;
+  mapJwtPayloadToUser;
+  membershipCache;
   constructor(options) {
     super({ name: options?.name ?? "workos" });
     const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
@@ -85,6 +92,14 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
     this.clientId = clientId;
     this.redirectUri = redirectUri;
     this.ssoConfig = options?.sso;
+    this.fetchMemberships = options?.fetchMemberships ?? false;
+    this.trustJwtClaims = options?.trustJwtClaims ?? false;
+    this.jwtClaimOptions = options?.jwtClaims;
+    this.mapJwtPayloadToUser = options?.mapJwtPayloadToUser;
+    this.membershipCache = new lruCache.LRUCache({
+      max: MEMBERSHIP_CACHE_MAX_SIZE,
+      ttl: MEMBERSHIP_CACHE_TTL_MS
+    });
     this.workos = new node.WorkOS(apiKey, { clientId });
     this.config = {
       clientId,
@@ -121,27 +136,57 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
       const rawRequest = "raw" in request ? request.raw : request;
       const { auth: auth$1 } = await this.authService.withAuth(rawRequest);
       if (auth$1.user) {
+        let memberships;
+        if (this.fetchMemberships) {
+          try {
+            memberships = await this.getMemberships(auth$1.user.id);
+          } catch {
+          }
+        }
         return {
           ...mapWorkOSUserToEEUser(auth$1.user),
           workosId: auth$1.user.id,
-          organizationId: auth$1.organizationId
-          // Note: memberships not available from session, fetch if needed
+          organizationId: auth$1.organizationId,
+          memberships
         };
       }
       if (token) {
         const jwksUri = this.workos.userManagement.getJwksUrl(this.clientId);
         const payload = await auth.verifyJwks(token, jwksUri);
+        const jwtUser = this.resolveJwtPayloadUser(payload);
+        if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+          return await this.attachMembershipsIfNeeded(jwtUser);
+        }
         if (payload?.sub) {
-          const user = await this.workos.userManagement.getUser(payload.sub);
-          const memberships = await this.workos.userManagement.listOrganizationMemberships({
-            userId: user.id
-          });
-          return {
-            ...mapWorkOSUserToEEUser(user),
-            workosId: user.id,
-            organizationId: memberships.data[0]?.organizationId,
-            memberships: memberships.data
-          };
+          try {
+            const user = await this.workos.userManagement.getUser(payload.sub);
+            let memberships;
+            if (this.fetchMemberships) {
+              try {
+                memberships = await this.getMemberships(user.id);
+              } catch {
+                memberships = void 0;
+              }
+            }
+            return this.mergeJwtPayloadUser(
+              {
+                ...mapWorkOSUserToEEUser(user),
+                workosId: user.id,
+                organizationId: this.getSingleMembershipOrganizationId(memberships),
+                memberships
+              },
+              jwtUser,
+              { trustOrganizationClaims: this.trustJwtClaims }
+            );
+          } catch {
+            if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+              return await this.attachMembershipsIfNeeded(jwtUser);
+            }
+            return null;
+          }
+        }
+        if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+          return await this.attachMembershipsIfNeeded(jwtUser);
         }
       }
       return null;
@@ -168,19 +213,19 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
         return null;
       }
       let organizationId = auth.organizationId;
-      if (!organizationId) {
+      let memberships;
+      if (this.fetchMemberships) {
         try {
-          const memberships = await this.workos.userManagement.listOrganizationMemberships({
-            userId: auth.user.id
-          });
-          organizationId = memberships.data[0]?.organizationId;
+          memberships = await this.getMemberships(auth.user.id);
+          organizationId ??= this.getSingleMembershipOrganizationId(memberships);
         } catch {
         }
       }
       const user = {
         ...mapWorkOSUserToEEUser(auth.user),
         workosId: auth.user.id,
-        organizationId
+        organizationId,
+        memberships
       };
       if (refreshedSessionData) {
         user._refreshedSessionData = refreshedSessionData;
@@ -210,6 +255,124 @@ var MastraAuthWorkos = class extends server.MastraAuthProvider {
   getUserProfileUrl(user) {
     return `/profile/${user.id}`;
   }
+  async getMemberships(userId) {
+    const cached = this.membershipCache.get(userId);
+    if (cached) {
+      return cached;
+    }
+    try {
+      const response = await this.workos.userManagement.listOrganizationMemberships({
+        userId
+      });
+      const memberships = await response.autoPagination();
+      this.membershipCache.set(userId, memberships);
+      return memberships;
+    } catch (error) {
+      this.membershipCache.delete(userId);
+      throw error;
+    }
+  }
+  async attachMembershipsIfNeeded(user) {
+    if (!this.fetchMemberships || user.organizationMembershipId) {
+      return user;
+    }
+    try {
+      const memberships = await this.getMemberships(user.workosId);
+      return {
+        ...user,
+        organizationId: user.organizationId ?? this.getSingleMembershipOrganizationId(memberships),
+        memberships
+      };
+    } catch {
+      return user;
+    }
+  }
+  getSingleMembershipOrganizationId(memberships) {
+    return memberships?.length === 1 ? memberships[0]?.organizationId : void 0;
+  }
+  resolveJwtPayloadUser(payload) {
+    if (!payload) {
+      return null;
+    }
+    const mappedClaims = this.buildUserFromJwtClaims(payload);
+    const customMappedClaims = this.mapJwtPayloadToUser?.(payload) ?? void 0;
+    const combined = {
+      ...payload,
+      ...mappedClaims ?? {},
+      ...customMappedClaims ?? {}
+    };
+    const id = typeof combined.id === "string" ? combined.id : void 0;
+    const workosId = typeof combined.workosId === "string" ? combined.workosId : id;
+    if (!id || !workosId) {
+      return null;
+    }
+    const metadata = combined.metadata && typeof combined.metadata === "object" && !Array.isArray(combined.metadata) ? combined.metadata : void 0;
+    return {
+      ...combined,
+      id,
+      workosId,
+      email: typeof combined.email === "string" ? combined.email : void 0,
+      name: typeof combined.name === "string" ? combined.name : typeof combined.email === "string" ? combined.email : id,
+      organizationId: typeof combined.organizationId === "string" ? combined.organizationId : void 0,
+      organizationMembershipId: typeof combined.organizationMembershipId === "string" ? combined.organizationMembershipId : void 0,
+      metadata: {
+        ...metadata ?? {},
+        workosId,
+        ...typeof combined.organizationId === "string" ? { organizationId: combined.organizationId } : {},
+        ...typeof combined.organizationMembershipId === "string" ? { organizationMembershipId: combined.organizationMembershipId } : {}
+      }
+    };
+  }
+  buildUserFromJwtClaims(payload) {
+    const userId = this.readJwtClaim(payload, this.jwtClaimOptions?.userId) ?? this.readJwtClaim(payload, "sub");
+    const workosId = this.readJwtClaim(payload, this.jwtClaimOptions?.workosId) ?? userId;
+    if (!userId || !workosId) {
+      return null;
+    }
+    return {
+      id: userId,
+      workosId,
+      email: this.readJwtClaim(payload, this.jwtClaimOptions?.email) ?? this.readJwtClaim(payload, "email"),
+      name: this.readJwtClaim(payload, this.jwtClaimOptions?.name) ?? this.readJwtClaim(payload, "name"),
+      organizationId: this.readJwtClaim(payload, this.jwtClaimOptions?.organizationId) ?? this.readJwtClaim(payload, "org_id"),
+      organizationMembershipId: this.readJwtClaim(payload, this.jwtClaimOptions?.organizationMembershipId)
+    };
+  }
+  mergeJwtPayloadUser(user, jwtUser, options) {
+    if (!jwtUser) {
+      return user;
+    }
+    const trustOrganizationClaims = options?.trustOrganizationClaims ?? true;
+    const jwtMetadata = { ...jwtUser.metadata ?? {} };
+    if (!trustOrganizationClaims) {
+      delete jwtMetadata.organizationId;
+      delete jwtMetadata.organizationMembershipId;
+    }
+    return {
+      ...jwtUser,
+      ...user,
+      organizationId: trustOrganizationClaims ? jwtUser.organizationId ?? user.organizationId : user.organizationId,
+      organizationMembershipId: trustOrganizationClaims ? jwtUser.organizationMembershipId ?? user.organizationMembershipId : user.organizationMembershipId,
+      memberships: trustOrganizationClaims ? user.memberships ?? jwtUser.memberships : user.memberships,
+      metadata: {
+        ...jwtMetadata,
+        ...user.metadata ?? {}
+      }
+    };
+  }
+  readJwtClaim(payload, claimPath) {
+    if (!claimPath) {
+      return void 0;
+    }
+    let current = payload;
+    for (const segment of claimPath.split(".")) {
+      if (!current || typeof current !== "object" || !(segment in current)) {
+        return void 0;
+      }
+      current = current[segment];
+    }
+    return typeof current === "string" ? current : void 0;
+  }
   // ============================================================================
   // ISSOProvider Implementation
   // ============================================================================
@@ -606,6 +769,408 @@ var MastraRBACWorkos = class {
     return relevantMemberships.map((m) => m.role.slug);
   }
 };
+var FILTER_ACCESSIBLE_CHECK_CONCURRENCY = 5;
+var WorkOSFGAResourceNotFoundError = class extends Error {
+  status = 404;
+  resourceType;
+  resourceId;
+  constructor(resourceType, resourceId) {
+    super(
+      `[MastraFGAWorkos] Resource '${resourceType}/${resourceId}' is not registered in WorkOS. Create the '${resourceType}' resource type in your WorkOS dashboard, then register '${resourceId}' using MastraFGAWorkos.createResource() or your seed script. See https://workos.com/docs/fga for setup instructions.`
+    );
+    this.name = "WorkOSFGAResourceNotFoundError";
+    this.resourceType = resourceType;
+    this.resourceId = resourceId;
+  }
+};
+var WorkOSFGAMembershipResolutionError = class extends Error {
+  status = 500;
+  userId;
+  constructor(user) {
+    super(
+      "[MastraFGAWorkos] Cannot resolve organization membership for user <redacted>. Ensure fetchMemberships is enabled on MastraAuthWorkos or provide organizationMembershipId on the user."
+    );
+    this.name = "WorkOSFGAMembershipResolutionError";
+    this.userId = user?.id ? "<redacted>" : void 0;
+  }
+};
+var MastraFGAWorkos = class {
+  workos;
+  organizationId;
+  resourceMapping;
+  permissionMapping;
+  constructor(options) {
+    const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;
+    if (!apiKey || !clientId) {
+      throw new Error(
+        "WorkOS API key and client ID are required. Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables."
+      );
+    }
+    this.workos = new node.WorkOS(apiKey, { clientId });
+    this.organizationId = options.organizationId;
+    this.resourceMapping = options.resourceMapping ?? {};
+    this.permissionMapping = options.permissionMapping ?? {};
+  }
+  // ──────────────────────────────────────────────────────────────
+  // IFGAProvider — Read-only checks
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Check if a user has permission on a resource.
+   *
+   * Resolves the user's organization membership ID, maps the permission
+   * via `permissionMapping`, and delegates to `workos.authorization.check()`.
+   */
+  async check(user, params) {
+    const checkOptions = this.buildCheckOptions(user, params);
+    if (!checkOptions) return false;
+    try {
+      const result = await this.workos.authorization.check(checkOptions);
+      return result.authorized;
+    } catch (error) {
+      if (error?.status === 404 || error?.code === "entity_not_found") {
+        throw new WorkOSFGAResourceNotFoundError(params.resource.type, params.resource.id);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Require that a user has permission, throwing FGADeniedError if not.
+   */
+  async require(user, params) {
+    const checkOptions = this.buildCheckOptions(user, params, { strictMembershipResolution: true });
+    if (!checkOptions) {
+      throw new ee.FGADeniedError(user, params.resource, params.permission);
+    }
+    try {
+      const result = await this.workos.authorization.check(checkOptions);
+      if (!result.authorized) {
+        throw new ee.FGADeniedError(user, params.resource, params.permission);
+      }
+    } catch (error) {
+      if (error instanceof ee.FGADeniedError) throw error;
+      if (error?.status === 404 || error?.code === "entity_not_found") {
+        throw new WorkOSFGAResourceNotFoundError(params.resource.type, params.resource.id);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Filter resources to only those the user has permission to access.
+   *
+   * Uses WorkOS `listResourcesForMembership()` when the resource mapping can
+   * resolve a parent resource from user context. This avoids one check per
+   * resource for list endpoints like agents/workflows/tools.
+   *
+   * Falls back to per-resource `check()` calls when no parent resource can be
+   * resolved from the configured mapping.
+   */
+  async filterAccessible(user, resources, resourceType, permission) {
+    if (resources.length === 0) return [];
+    const membershipId = this.resolveOrganizationMembershipId(user);
+    if (!membershipId) return [];
+    const permissionSlug = this.resolvePermission(permission);
+    const parentResource = resourceType === "thread" ? void 0 : this.resolveParentResource(user, resourceType);
+    if (parentResource) {
+      const accessibleIds = await this.listAccessibleResourceExternalIds({
+        organizationMembershipId: membershipId,
+        permissionSlug,
+        parentResourceExternalId: parentResource.externalId,
+        parentResourceTypeSlug: parentResource.typeSlug
+      });
+      return resources.filter((resource) => {
+        const mappedId = this.resolveResourceId(
+          user,
+          resourceType,
+          resource.id,
+          "resourceId" in resource && typeof resource.resourceId === "string" ? { resourceId: resource.resourceId } : void 0
+        );
+        return !!mappedId && accessibleIds.has(mappedId);
+      });
+    }
+    const checks = [];
+    for (let start = 0; start < resources.length; start += FILTER_ACCESSIBLE_CHECK_CONCURRENCY) {
+      const batch = resources.slice(start, start + FILTER_ACCESSIBLE_CHECK_CONCURRENCY);
+      const batchChecks = await Promise.all(
+        batch.map(async (resource) => {
+          const authorized = await this.check(user, {
+            resource: { type: resourceType, id: resource.id },
+            permission,
+            context: "resourceId" in resource && typeof resource.resourceId === "string" ? { resourceId: resource.resourceId } : void 0
+          });
+          return { resource, authorized };
+        })
+      );
+      checks.push(...batchChecks);
+    }
+    return checks.filter((c) => c.authorized).map((c) => c.resource);
+  }
+  // ──────────────────────────────────────────────────────────────
+  // IFGAManager — Write operations
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Create an authorization resource in WorkOS.
+   */
+  async createResource(params) {
+    const options = {
+      externalId: params.externalId,
+      name: params.name,
+      resourceTypeSlug: params.resourceTypeSlug,
+      organizationId: params.organizationId
+    };
+    if (params.description !== void 0) options.description = params.description;
+    if (params.parentResourceId) options.parentResourceId = params.parentResourceId;
+    if (params.parentResourceExternalId) {
+      options.parentResourceExternalId = params.parentResourceExternalId;
+      options.parentResourceTypeSlug = params.parentResourceTypeSlug;
+    }
+    const result = await this.workos.authorization.createResource(options);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * Get an authorization resource by ID.
+   */
+  async getResource(resourceId) {
+    const result = await this.workos.authorization.getResource(resourceId);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * List authorization resources with optional filters.
+   */
+  async listResources(options) {
+    const listOptions = {};
+    if (options?.organizationId) listOptions.organizationId = options.organizationId;
+    if (options?.resourceTypeSlug) listOptions.resourceTypeSlug = options.resourceTypeSlug;
+    if (options?.parentResourceId) listOptions.parentResourceId = options.parentResourceId;
+    if (options?.search) listOptions.search = options.search;
+    if (options?.limit) listOptions.limit = options.limit;
+    if (options?.after) listOptions.after = options.after;
+    const result = await this.workos.authorization.listResources(listOptions);
+    return result.data.map((r) => this.mapAuthorizationResource(r));
+  }
+  /**
+   * Update an authorization resource.
+   */
+  async updateResource(params) {
+    const options = { resourceId: params.resourceId };
+    if (params.name !== void 0) options.name = params.name;
+    if (params.description !== void 0) options.description = params.description;
+    const result = await this.workos.authorization.updateResource(options);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * Delete an authorization resource.
+   */
+  async deleteResource(params) {
+    if ("resourceId" in params && params.resourceId) {
+      await this.workos.authorization.deleteResource({ resourceId: params.resourceId });
+    } else if ("externalId" in params && params.externalId && params.resourceTypeSlug) {
+      await this.workos.authorization.deleteResourceByExternalId({
+        externalId: params.externalId,
+        resourceTypeSlug: params.resourceTypeSlug,
+        organizationId: params.organizationId
+      });
+    }
+  }
+  /**
+   * Assign a role to an organization membership on a resource.
+   */
+  async assignRole(params) {
+    const options = {
+      organizationMembershipId: params.organizationMembershipId,
+      roleSlug: params.roleSlug
+    };
+    if (params.resourceId) options.resourceId = params.resourceId;
+    if (params.resourceExternalId) {
+      options.resourceExternalId = params.resourceExternalId;
+      options.resourceTypeSlug = params.resourceTypeSlug;
+    }
+    const result = await this.workos.authorization.assignRole(options);
+    return {
+      id: result.id,
+      role: result.role,
+      resource: {
+        id: result.resource.id,
+        externalId: result.resource.externalId,
+        resourceTypeSlug: result.resource.resourceTypeSlug
+      }
+    };
+  }
+  /**
+   * Remove a role assignment.
+   */
+  async removeRole(params) {
+    const options = {
+      organizationMembershipId: params.organizationMembershipId,
+      roleSlug: params.roleSlug
+    };
+    if (params.resourceId) options.resourceId = params.resourceId;
+    if (params.resourceExternalId) {
+      options.resourceExternalId = params.resourceExternalId;
+      options.resourceTypeSlug = params.resourceTypeSlug;
+    }
+    await this.workos.authorization.removeRole(options);
+  }
+  /**
+   * List role assignments for an organization membership.
+   */
+  async listRoleAssignments(options) {
+    const result = await this.workos.authorization.listRoleAssignments({
+      organizationMembershipId: options.organizationMembershipId,
+      ...options.limit && { limit: options.limit },
+      ...options.after && { after: options.after }
+    });
+    return result.data.map((ra) => ({
+      id: ra.id,
+      role: ra.role,
+      resource: {
+        id: ra.resource.id,
+        externalId: ra.resource.externalId,
+        resourceTypeSlug: ra.resource.resourceTypeSlug
+      }
+    }));
+  }
+  // ──────────────────────────────────────────────────────────────
+  // Internal helpers
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Resolve the organization membership ID from a user object.
+   * Looks for organizationMembershipId, then finds membership matching
+   * configured organizationId, then falls back to first membership.
+   *
+   * Returns undefined if no membership can be resolved, which causes
+   * authorization checks to deny access. Enable `fetchMemberships: true`
+   * on MastraAuthWorkos to populate the memberships field.
+   */
+  resolveOrganizationMembershipId(user, options) {
+    if (user?.organizationMembershipId) return user.organizationMembershipId;
+    if (!user?.memberships?.length) {
+      console.warn(
+        "[MastraFGAWorkos] Cannot resolve organization membership for user <redacted>. Ensure fetchMemberships is enabled on MastraAuthWorkos when using FGA."
+      );
+      if (options?.strictMembershipResolution) {
+        throw new WorkOSFGAMembershipResolutionError(user);
+      }
+      return void 0;
+    }
+    if (this.organizationId) {
+      const match = user.memberships.find((m) => m.organizationId === this.organizationId);
+      if (match) return match.id;
+      console.warn("[MastraFGAWorkos] User <redacted> does not belong to configured organization <redacted>.");
+      if (options?.strictMembershipResolution) {
+        throw new WorkOSFGAMembershipResolutionError(user);
+      }
+      return void 0;
+    }
+    return user.memberships[0].id;
+  }
+  /**
+   * Map a Mastra permission string to a WorkOS permission slug via permissionMapping.
+   * Falls back to the original permission if no mapping is found.
+   */
+  resolvePermission(permission) {
+    return this.permissionMapping[permission] ?? permission;
+  }
+  /**
+   * Resolve the parent resource context needed for WorkOS resource discovery.
+   */
+  resolveParentResource(user, resourceType) {
+    const mapping = this.getResourceMapping(resourceType);
+    const externalId = mapping?.deriveId?.({ user });
+    const parentTypeSlug = mapping?.parentFgaResourceType ?? mapping?.parentResourceTypeSlug;
+    if (!mapping?.fgaResourceType || !externalId || !parentTypeSlug || parentTypeSlug === mapping.fgaResourceType) {
+      return void 0;
+    }
+    return {
+      externalId,
+      typeSlug: parentTypeSlug
+    };
+  }
+  /**
+   * Resolve the FGA resource ID using resourceMapping's deriveId function.
+   * Falls back to the original resource ID if no mapping is found.
+   */
+  resolveResourceId(user, resourceType, resourceId, context) {
+    const mapping = this.getResourceMapping(resourceType);
+    const derivedId = mapping?.deriveId?.({
+      user,
+      resourceId: context?.resourceId ?? resourceId,
+      requestContext: context?.requestContext
+    });
+    return derivedId ?? resourceId;
+  }
+  buildCheckOptions(user, params, options) {
+    const membershipId = this.resolveOrganizationMembershipId(user, options);
+    if (!membershipId) return null;
+    const permissionSlug = this.resolvePermission(params.permission);
+    const resourceId = this.resolveResourceId(user, params.resource.type, params.resource.id, params.context);
+    const checkOptions = {
+      organizationMembershipId: membershipId,
+      permissionSlug
+    };
+    if (!resourceId) {
+      return checkOptions;
+    }
+    const mapping = this.getResourceMapping(params.resource.type);
+    if (mapping) {
+      checkOptions.resourceExternalId = resourceId;
+      checkOptions.resourceTypeSlug = mapping.fgaResourceType;
+    } else {
+      checkOptions.resourceExternalId = params.resource.id;
+      checkOptions.resourceTypeSlug = params.resource.type;
+    }
+    return checkOptions;
+  }
+  getResourceMapping(resourceType) {
+    const aliases = resourceType === "agent" ? ["agent", "agents"] : resourceType === "workflow" ? ["workflow", "workflows"] : resourceType === "tool" ? ["tool", "tools"] : resourceType === "thread" ? ["thread", "threads", "memory"] : [resourceType];
+    for (const key of aliases) {
+      const mapping = this.resourceMapping[key];
+      if (mapping) {
+        return mapping;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * List accessible child resources for a membership, following pagination.
+   */
+  async listAccessibleResourceExternalIds(params) {
+    const accessibleIds = /* @__PURE__ */ new Set();
+    let after;
+    do {
+      const result = await this.workos.authorization.listResourcesForMembership({
+        organizationMembershipId: params.organizationMembershipId,
+        permissionSlug: params.permissionSlug,
+        parentResourceExternalId: params.parentResourceExternalId,
+        parentResourceTypeSlug: params.parentResourceTypeSlug,
+        ...after ? { after } : {},
+        limit: 100,
+        order: "asc"
+      });
+      for (const resource of result.data ?? []) {
+        if (typeof resource?.externalId === "string") {
+          accessibleIds.add(resource.externalId);
+        }
+      }
+      after = result.listMetadata?.after ?? void 0;
+    } while (after);
+    return accessibleIds;
+  }
+  /**
+   * Map a WorkOS AuthorizationResource to Mastra's FGAResource type.
+   */
+  mapAuthorizationResource(resource) {
+    return {
+      id: resource.id,
+      externalId: resource.externalId,
+      name: resource.name,
+      description: resource.description,
+      resourceTypeSlug: resource.resourceTypeSlug,
+      organizationId: resource.organizationId,
+      parentResourceId: resource.parentResourceId
+    };
+  }
+};
 // src/directory-sync.ts
 var WorkOSDirectorySync = class {
@@ -872,12 +1437,23 @@ var WorkOSAdminPortal = class {
     return result.link;
   }
 };
+/**
+ * WorkOS FGA provider for Mastra.
+ *
+ * Integrates WorkOS Authorization API with Mastra's FGA interface
+ * for permission-based, resource-level authorization.
+ *
+ * @license Mastra Enterprise License - see ee/LICENSE
+ */
 exports.MastraAuthWorkos = MastraAuthWorkos;
+exports.MastraFGAWorkos = MastraFGAWorkos;
 exports.MastraRBACWorkos = MastraRBACWorkos;
 exports.WebSessionStorage = WebSessionStorage;
 exports.WorkOSAdminPortal = WorkOSAdminPortal;
 exports.WorkOSDirectorySync = WorkOSDirectorySync;
+exports.WorkOSFGAMembershipResolutionError = WorkOSFGAMembershipResolutionError;
+exports.WorkOSFGAResourceNotFoundError = WorkOSFGAResourceNotFoundError;
 exports.mapWorkOSUserToEEUser = mapWorkOSUserToEEUser;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map