@mastra/auth-workos 1.1.2-alpha.0 → 1.2.0-alpha.0

package/dist/index.js

@@ -2,8 +2,8 @@ import { verifyJwks } from '@mastra/auth';
 import { MastraAuthProvider } from '@mastra/core/server';
 import { CookieSessionStorage, AuthService, sessionEncryption } from '@workos/authkit-session';
 import { WorkOS, GeneratePortalLinkIntent } from '@workos-inc/node';
-import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
 import { LRUCache } from 'lru-cache';
+import { resolvePermissionsFromMapping, matchesPermission, FGADeniedError } from '@mastra/core/auth/ee';
 
 // src/auth-provider.ts
 var WebSessionStorage = class extends CookieSessionStorage {
@@ -52,6 +52,8 @@ function mapWorkOSUserToEEUser(user) {
 
 // src/auth-provider.ts
 var DEV_COOKIE_PASSWORD = crypto.randomUUID() + crypto.randomUUID();
+var MEMBERSHIP_CACHE_TTL_MS = 60 * 1e3;
+var MEMBERSHIP_CACHE_MAX_SIZE = 1e3;
 var MastraAuthWorkos = class extends MastraAuthProvider {
   workos;
   clientId;
@@ -59,6 +61,11 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
   ssoConfig;
   authService;
   config;
+  fetchMemberships;
+  trustJwtClaims;
+  jwtClaimOptions;
+  mapJwtPayloadToUser;
+  membershipCache;
   constructor(options) {
     super({ name: options?.name ?? "workos" });
     const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;
@@ -83,6 +90,14 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
     this.clientId = clientId;
     this.redirectUri = redirectUri;
     this.ssoConfig = options?.sso;
+    this.fetchMemberships = options?.fetchMemberships ?? false;
+    this.trustJwtClaims = options?.trustJwtClaims ?? false;
+    this.jwtClaimOptions = options?.jwtClaims;
+    this.mapJwtPayloadToUser = options?.mapJwtPayloadToUser;
+    this.membershipCache = new LRUCache({
+      max: MEMBERSHIP_CACHE_MAX_SIZE,
+      ttl: MEMBERSHIP_CACHE_TTL_MS
+    });
     this.workos = new WorkOS(apiKey, { clientId });
     this.config = {
       clientId,
@@ -119,27 +134,57 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
       const rawRequest = "raw" in request ? request.raw : request;
       const { auth } = await this.authService.withAuth(rawRequest);
       if (auth.user) {
+        let memberships;
+        if (this.fetchMemberships) {
+          try {
+            memberships = await this.getMemberships(auth.user.id);
+          } catch {
+          }
+        }
         return {
           ...mapWorkOSUserToEEUser(auth.user),
           workosId: auth.user.id,
-          organizationId: auth.organizationId
-          // Note: memberships not available from session, fetch if needed
+          organizationId: auth.organizationId,
+          memberships
         };
       }
       if (token) {
         const jwksUri = this.workos.userManagement.getJwksUrl(this.clientId);
         const payload = await verifyJwks(token, jwksUri);
+        const jwtUser = this.resolveJwtPayloadUser(payload);
+        if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+          return await this.attachMembershipsIfNeeded(jwtUser);
+        }
         if (payload?.sub) {
-          const user = await this.workos.userManagement.getUser(payload.sub);
-          const memberships = await this.workos.userManagement.listOrganizationMemberships({
-            userId: user.id
-          });
-          return {
-            ...mapWorkOSUserToEEUser(user),
-            workosId: user.id,
-            organizationId: memberships.data[0]?.organizationId,
-            memberships: memberships.data
-          };
+          try {
+            const user = await this.workos.userManagement.getUser(payload.sub);
+            let memberships;
+            if (this.fetchMemberships) {
+              try {
+                memberships = await this.getMemberships(user.id);
+              } catch {
+                memberships = void 0;
+              }
+            }
+            return this.mergeJwtPayloadUser(
+              {
+                ...mapWorkOSUserToEEUser(user),
+                workosId: user.id,
+                organizationId: this.getSingleMembershipOrganizationId(memberships),
+                memberships
+              },
+              jwtUser,
+              { trustOrganizationClaims: this.trustJwtClaims }
+            );
+          } catch {
+            if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+              return await this.attachMembershipsIfNeeded(jwtUser);
+            }
+            return null;
+          }
+        }
+        if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {
+          return await this.attachMembershipsIfNeeded(jwtUser);
         }
       }
       return null;
@@ -166,19 +211,19 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
         return null;
       }
       let organizationId = auth.organizationId;
-      if (!organizationId) {
+      let memberships;
+      if (this.fetchMemberships) {
         try {
-          const memberships = await this.workos.userManagement.listOrganizationMemberships({
-            userId: auth.user.id
-          });
-          organizationId = memberships.data[0]?.organizationId;
+          memberships = await this.getMemberships(auth.user.id);
+          organizationId ??= this.getSingleMembershipOrganizationId(memberships);
         } catch {
         }
       }
       const user = {
         ...mapWorkOSUserToEEUser(auth.user),
         workosId: auth.user.id,
-        organizationId
+        organizationId,
+        memberships
       };
       if (refreshedSessionData) {
         user._refreshedSessionData = refreshedSessionData;
@@ -208,6 +253,124 @@ var MastraAuthWorkos = class extends MastraAuthProvider {
   getUserProfileUrl(user) {
     return `/profile/${user.id}`;
   }
+  async getMemberships(userId) {
+    const cached = this.membershipCache.get(userId);
+    if (cached) {
+      return cached;
+    }
+    try {
+      const response = await this.workos.userManagement.listOrganizationMemberships({
+        userId
+      });
+      const memberships = await response.autoPagination();
+      this.membershipCache.set(userId, memberships);
+      return memberships;
+    } catch (error) {
+      this.membershipCache.delete(userId);
+      throw error;
+    }
+  }
+  async attachMembershipsIfNeeded(user) {
+    if (!this.fetchMemberships || user.organizationMembershipId) {
+      return user;
+    }
+    try {
+      const memberships = await this.getMemberships(user.workosId);
+      return {
+        ...user,
+        organizationId: user.organizationId ?? this.getSingleMembershipOrganizationId(memberships),
+        memberships
+      };
+    } catch {
+      return user;
+    }
+  }
+  getSingleMembershipOrganizationId(memberships) {
+    return memberships?.length === 1 ? memberships[0]?.organizationId : void 0;
+  }
+  resolveJwtPayloadUser(payload) {
+    if (!payload) {
+      return null;
+    }
+    const mappedClaims = this.buildUserFromJwtClaims(payload);
+    const customMappedClaims = this.mapJwtPayloadToUser?.(payload) ?? void 0;
+    const combined = {
+      ...payload,
+      ...mappedClaims ?? {},
+      ...customMappedClaims ?? {}
+    };
+    const id = typeof combined.id === "string" ? combined.id : void 0;
+    const workosId = typeof combined.workosId === "string" ? combined.workosId : id;
+    if (!id || !workosId) {
+      return null;
+    }
+    const metadata = combined.metadata && typeof combined.metadata === "object" && !Array.isArray(combined.metadata) ? combined.metadata : void 0;
+    return {
+      ...combined,
+      id,
+      workosId,
+      email: typeof combined.email === "string" ? combined.email : void 0,
+      name: typeof combined.name === "string" ? combined.name : typeof combined.email === "string" ? combined.email : id,
+      organizationId: typeof combined.organizationId === "string" ? combined.organizationId : void 0,
+      organizationMembershipId: typeof combined.organizationMembershipId === "string" ? combined.organizationMembershipId : void 0,
+      metadata: {
+        ...metadata ?? {},
+        workosId,
+        ...typeof combined.organizationId === "string" ? { organizationId: combined.organizationId } : {},
+        ...typeof combined.organizationMembershipId === "string" ? { organizationMembershipId: combined.organizationMembershipId } : {}
+      }
+    };
+  }
+  buildUserFromJwtClaims(payload) {
+    const userId = this.readJwtClaim(payload, this.jwtClaimOptions?.userId) ?? this.readJwtClaim(payload, "sub");
+    const workosId = this.readJwtClaim(payload, this.jwtClaimOptions?.workosId) ?? userId;
+    if (!userId || !workosId) {
+      return null;
+    }
+    return {
+      id: userId,
+      workosId,
+      email: this.readJwtClaim(payload, this.jwtClaimOptions?.email) ?? this.readJwtClaim(payload, "email"),
+      name: this.readJwtClaim(payload, this.jwtClaimOptions?.name) ?? this.readJwtClaim(payload, "name"),
+      organizationId: this.readJwtClaim(payload, this.jwtClaimOptions?.organizationId) ?? this.readJwtClaim(payload, "org_id"),
+      organizationMembershipId: this.readJwtClaim(payload, this.jwtClaimOptions?.organizationMembershipId)
+    };
+  }
+  mergeJwtPayloadUser(user, jwtUser, options) {
+    if (!jwtUser) {
+      return user;
+    }
+    const trustOrganizationClaims = options?.trustOrganizationClaims ?? true;
+    const jwtMetadata = { ...jwtUser.metadata ?? {} };
+    if (!trustOrganizationClaims) {
+      delete jwtMetadata.organizationId;
+      delete jwtMetadata.organizationMembershipId;
+    }
+    return {
+      ...jwtUser,
+      ...user,
+      organizationId: trustOrganizationClaims ? jwtUser.organizationId ?? user.organizationId : user.organizationId,
+      organizationMembershipId: trustOrganizationClaims ? jwtUser.organizationMembershipId ?? user.organizationMembershipId : user.organizationMembershipId,
+      memberships: trustOrganizationClaims ? user.memberships ?? jwtUser.memberships : user.memberships,
+      metadata: {
+        ...jwtMetadata,
+        ...user.metadata ?? {}
+      }
+    };
+  }
+  readJwtClaim(payload, claimPath) {
+    if (!claimPath) {
+      return void 0;
+    }
+    let current = payload;
+    for (const segment of claimPath.split(".")) {
+      if (!current || typeof current !== "object" || !(segment in current)) {
+        return void 0;
+      }
+      current = current[segment];
+    }
+    return typeof current === "string" ? current : void 0;
+  }
   // ============================================================================
   // ISSOProvider Implementation
   // ============================================================================
@@ -604,6 +767,408 @@ var MastraRBACWorkos = class {
     return relevantMemberships.map((m) => m.role.slug);
   }
 };
+var FILTER_ACCESSIBLE_CHECK_CONCURRENCY = 5;
+var WorkOSFGAResourceNotFoundError = class extends Error {
+  status = 404;
+  resourceType;
+  resourceId;
+  constructor(resourceType, resourceId) {
+    super(
+      `[MastraFGAWorkos] Resource '${resourceType}/${resourceId}' is not registered in WorkOS. Create the '${resourceType}' resource type in your WorkOS dashboard, then register '${resourceId}' using MastraFGAWorkos.createResource() or your seed script. See https://workos.com/docs/fga for setup instructions.`
+    );
+    this.name = "WorkOSFGAResourceNotFoundError";
+    this.resourceType = resourceType;
+    this.resourceId = resourceId;
+  }
+};
+var WorkOSFGAMembershipResolutionError = class extends Error {
+  status = 500;
+  userId;
+  constructor(user) {
+    super(
+      "[MastraFGAWorkos] Cannot resolve organization membership for user <redacted>. Ensure fetchMemberships is enabled on MastraAuthWorkos or provide organizationMembershipId on the user."
+    );
+    this.name = "WorkOSFGAMembershipResolutionError";
+    this.userId = user?.id ? "<redacted>" : void 0;
+  }
+};
+var MastraFGAWorkos = class {
+  workos;
+  organizationId;
+  resourceMapping;
+  permissionMapping;
+  constructor(options) {
+    const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;
+    if (!apiKey || !clientId) {
+      throw new Error(
+        "WorkOS API key and client ID are required. Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables."
+      );
+    }
+    this.workos = new WorkOS(apiKey, { clientId });
+    this.organizationId = options.organizationId;
+    this.resourceMapping = options.resourceMapping ?? {};
+    this.permissionMapping = options.permissionMapping ?? {};
+  }
+  // ──────────────────────────────────────────────────────────────
+  // IFGAProvider — Read-only checks
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Check if a user has permission on a resource.
+   *
+   * Resolves the user's organization membership ID, maps the permission
+   * via `permissionMapping`, and delegates to `workos.authorization.check()`.
+   */
+  async check(user, params) {
+    const checkOptions = this.buildCheckOptions(user, params);
+    if (!checkOptions) return false;
+    try {
+      const result = await this.workos.authorization.check(checkOptions);
+      return result.authorized;
+    } catch (error) {
+      if (error?.status === 404 || error?.code === "entity_not_found") {
+        throw new WorkOSFGAResourceNotFoundError(params.resource.type, params.resource.id);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Require that a user has permission, throwing FGADeniedError if not.
+   */
+  async require(user, params) {
+    const checkOptions = this.buildCheckOptions(user, params, { strictMembershipResolution: true });
+    if (!checkOptions) {
+      throw new FGADeniedError(user, params.resource, params.permission);
+    }
+    try {
+      const result = await this.workos.authorization.check(checkOptions);
+      if (!result.authorized) {
+        throw new FGADeniedError(user, params.resource, params.permission);
+      }
+    } catch (error) {
+      if (error instanceof FGADeniedError) throw error;
+      if (error?.status === 404 || error?.code === "entity_not_found") {
+        throw new WorkOSFGAResourceNotFoundError(params.resource.type, params.resource.id);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Filter resources to only those the user has permission to access.
+   *
+   * Uses WorkOS `listResourcesForMembership()` when the resource mapping can
+   * resolve a parent resource from user context. This avoids one check per
+   * resource for list endpoints like agents/workflows/tools.
+   *
+   * Falls back to per-resource `check()` calls when no parent resource can be
+   * resolved from the configured mapping.
+   */
+  async filterAccessible(user, resources, resourceType, permission) {
+    if (resources.length === 0) return [];
+    const membershipId = this.resolveOrganizationMembershipId(user);
+    if (!membershipId) return [];
+    const permissionSlug = this.resolvePermission(permission);
+    const parentResource = resourceType === "thread" ? void 0 : this.resolveParentResource(user, resourceType);
+    if (parentResource) {
+      const accessibleIds = await this.listAccessibleResourceExternalIds({
+        organizationMembershipId: membershipId,
+        permissionSlug,
+        parentResourceExternalId: parentResource.externalId,
+        parentResourceTypeSlug: parentResource.typeSlug
+      });
+      return resources.filter((resource) => {
+        const mappedId = this.resolveResourceId(
+          user,
+          resourceType,
+          resource.id,
+          "resourceId" in resource && typeof resource.resourceId === "string" ? { resourceId: resource.resourceId } : void 0
+        );
+        return !!mappedId && accessibleIds.has(mappedId);
+      });
+    }
+    const checks = [];
+    for (let start = 0; start < resources.length; start += FILTER_ACCESSIBLE_CHECK_CONCURRENCY) {
+      const batch = resources.slice(start, start + FILTER_ACCESSIBLE_CHECK_CONCURRENCY);
+      const batchChecks = await Promise.all(
+        batch.map(async (resource) => {
+          const authorized = await this.check(user, {
+            resource: { type: resourceType, id: resource.id },
+            permission,
+            context: "resourceId" in resource && typeof resource.resourceId === "string" ? { resourceId: resource.resourceId } : void 0
+          });
+          return { resource, authorized };
+        })
+      );
+      checks.push(...batchChecks);
+    }
+    return checks.filter((c) => c.authorized).map((c) => c.resource);
+  }
+  // ──────────────────────────────────────────────────────────────
+  // IFGAManager — Write operations
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Create an authorization resource in WorkOS.
+   */
+  async createResource(params) {
+    const options = {
+      externalId: params.externalId,
+      name: params.name,
+      resourceTypeSlug: params.resourceTypeSlug,
+      organizationId: params.organizationId
+    };
+    if (params.description !== void 0) options.description = params.description;
+    if (params.parentResourceId) options.parentResourceId = params.parentResourceId;
+    if (params.parentResourceExternalId) {
+      options.parentResourceExternalId = params.parentResourceExternalId;
+      options.parentResourceTypeSlug = params.parentResourceTypeSlug;
+    }
+    const result = await this.workos.authorization.createResource(options);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * Get an authorization resource by ID.
+   */
+  async getResource(resourceId) {
+    const result = await this.workos.authorization.getResource(resourceId);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * List authorization resources with optional filters.
+   */
+  async listResources(options) {
+    const listOptions = {};
+    if (options?.organizationId) listOptions.organizationId = options.organizationId;
+    if (options?.resourceTypeSlug) listOptions.resourceTypeSlug = options.resourceTypeSlug;
+    if (options?.parentResourceId) listOptions.parentResourceId = options.parentResourceId;
+    if (options?.search) listOptions.search = options.search;
+    if (options?.limit) listOptions.limit = options.limit;
+    if (options?.after) listOptions.after = options.after;
+    const result = await this.workos.authorization.listResources(listOptions);
+    return result.data.map((r) => this.mapAuthorizationResource(r));
+  }
+  /**
+   * Update an authorization resource.
+   */
+  async updateResource(params) {
+    const options = { resourceId: params.resourceId };
+    if (params.name !== void 0) options.name = params.name;
+    if (params.description !== void 0) options.description = params.description;
+    const result = await this.workos.authorization.updateResource(options);
+    return this.mapAuthorizationResource(result);
+  }
+  /**
+   * Delete an authorization resource.
+   */
+  async deleteResource(params) {
+    if ("resourceId" in params && params.resourceId) {
+      await this.workos.authorization.deleteResource({ resourceId: params.resourceId });
+    } else if ("externalId" in params && params.externalId && params.resourceTypeSlug) {
+      await this.workos.authorization.deleteResourceByExternalId({
+        externalId: params.externalId,
+        resourceTypeSlug: params.resourceTypeSlug,
+        organizationId: params.organizationId
+      });
+    }
+  }
+  /**
+   * Assign a role to an organization membership on a resource.
+   */
+  async assignRole(params) {
+    const options = {
+      organizationMembershipId: params.organizationMembershipId,
+      roleSlug: params.roleSlug
+    };
+    if (params.resourceId) options.resourceId = params.resourceId;
+    if (params.resourceExternalId) {
+      options.resourceExternalId = params.resourceExternalId;
+      options.resourceTypeSlug = params.resourceTypeSlug;
+    }
+    const result = await this.workos.authorization.assignRole(options);
+    return {
+      id: result.id,
+      role: result.role,
+      resource: {
+        id: result.resource.id,
+        externalId: result.resource.externalId,
+        resourceTypeSlug: result.resource.resourceTypeSlug
+      }
+    };
+  }
+  /**
+   * Remove a role assignment.
+   */
+  async removeRole(params) {
+    const options = {
+      organizationMembershipId: params.organizationMembershipId,
+      roleSlug: params.roleSlug
+    };
+    if (params.resourceId) options.resourceId = params.resourceId;
+    if (params.resourceExternalId) {
+      options.resourceExternalId = params.resourceExternalId;
+      options.resourceTypeSlug = params.resourceTypeSlug;
+    }
+    await this.workos.authorization.removeRole(options);
+  }
+  /**
+   * List role assignments for an organization membership.
+   */
+  async listRoleAssignments(options) {
+    const result = await this.workos.authorization.listRoleAssignments({
+      organizationMembershipId: options.organizationMembershipId,
+      ...options.limit && { limit: options.limit },
+      ...options.after && { after: options.after }
+    });
+    return result.data.map((ra) => ({
+      id: ra.id,
+      role: ra.role,
+      resource: {
+        id: ra.resource.id,
+        externalId: ra.resource.externalId,
+        resourceTypeSlug: ra.resource.resourceTypeSlug
+      }
+    }));
+  }
+  // ──────────────────────────────────────────────────────────────
+  // Internal helpers
+  // ──────────────────────────────────────────────────────────────
+  /**
+   * Resolve the organization membership ID from a user object.
+   * Looks for organizationMembershipId, then finds membership matching
+   * configured organizationId, then falls back to first membership.
+   *
+   * Returns undefined if no membership can be resolved, which causes
+   * authorization checks to deny access. Enable `fetchMemberships: true`
+   * on MastraAuthWorkos to populate the memberships field.
+   */
+  resolveOrganizationMembershipId(user, options) {
+    if (user?.organizationMembershipId) return user.organizationMembershipId;
+    if (!user?.memberships?.length) {
+      console.warn(
+        "[MastraFGAWorkos] Cannot resolve organization membership for user <redacted>. Ensure fetchMemberships is enabled on MastraAuthWorkos when using FGA."
+      );
+      if (options?.strictMembershipResolution) {
+        throw new WorkOSFGAMembershipResolutionError(user);
+      }
+      return void 0;
+    }
+    if (this.organizationId) {
+      const match = user.memberships.find((m) => m.organizationId === this.organizationId);
+      if (match) return match.id;
+      console.warn("[MastraFGAWorkos] User <redacted> does not belong to configured organization <redacted>.");
+      if (options?.strictMembershipResolution) {
+        throw new WorkOSFGAMembershipResolutionError(user);
+      }
+      return void 0;
+    }
+    return user.memberships[0].id;
+  }
+  /**
+   * Map a Mastra permission string to a WorkOS permission slug via permissionMapping.
+   * Falls back to the original permission if no mapping is found.
+   */
+  resolvePermission(permission) {
+    return this.permissionMapping[permission] ?? permission;
+  }
+  /**
+   * Resolve the parent resource context needed for WorkOS resource discovery.
+   */
+  resolveParentResource(user, resourceType) {
+    const mapping = this.getResourceMapping(resourceType);
+    const externalId = mapping?.deriveId?.({ user });
+    const parentTypeSlug = mapping?.parentFgaResourceType ?? mapping?.parentResourceTypeSlug;
+    if (!mapping?.fgaResourceType || !externalId || !parentTypeSlug || parentTypeSlug === mapping.fgaResourceType) {
+      return void 0;
+    }
+    return {
+      externalId,
+      typeSlug: parentTypeSlug
+    };
+  }
+  /**
+   * Resolve the FGA resource ID using resourceMapping's deriveId function.
+   * Falls back to the original resource ID if no mapping is found.
+   */
+  resolveResourceId(user, resourceType, resourceId, context) {
+    const mapping = this.getResourceMapping(resourceType);
+    const derivedId = mapping?.deriveId?.({
+      user,
+      resourceId: context?.resourceId ?? resourceId,
+      requestContext: context?.requestContext
+    });
+    return derivedId ?? resourceId;
+  }
+  buildCheckOptions(user, params, options) {
+    const membershipId = this.resolveOrganizationMembershipId(user, options);
+    if (!membershipId) return null;
+    const permissionSlug = this.resolvePermission(params.permission);
+    const resourceId = this.resolveResourceId(user, params.resource.type, params.resource.id, params.context);
+    const checkOptions = {
+      organizationMembershipId: membershipId,
+      permissionSlug
+    };
+    if (!resourceId) {
+      return checkOptions;
+    }
+    const mapping = this.getResourceMapping(params.resource.type);
+    if (mapping) {
+      checkOptions.resourceExternalId = resourceId;
+      checkOptions.resourceTypeSlug = mapping.fgaResourceType;
+    } else {
+      checkOptions.resourceExternalId = params.resource.id;
+      checkOptions.resourceTypeSlug = params.resource.type;
+    }
+    return checkOptions;
+  }
+  getResourceMapping(resourceType) {
+    const aliases = resourceType === "agent" ? ["agent", "agents"] : resourceType === "workflow" ? ["workflow", "workflows"] : resourceType === "tool" ? ["tool", "tools"] : resourceType === "thread" ? ["thread", "threads", "memory"] : [resourceType];
+    for (const key of aliases) {
+      const mapping = this.resourceMapping[key];
+      if (mapping) {
+        return mapping;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * List accessible child resources for a membership, following pagination.
+   */
+  async listAccessibleResourceExternalIds(params) {
+    const accessibleIds = /* @__PURE__ */ new Set();
+    let after;
+    do {
+      const result = await this.workos.authorization.listResourcesForMembership({
+        organizationMembershipId: params.organizationMembershipId,
+        permissionSlug: params.permissionSlug,
+        parentResourceExternalId: params.parentResourceExternalId,
+        parentResourceTypeSlug: params.parentResourceTypeSlug,
+        ...after ? { after } : {},
+        limit: 100,
+        order: "asc"
+      });
+      for (const resource of result.data ?? []) {
+        if (typeof resource?.externalId === "string") {
+          accessibleIds.add(resource.externalId);
+        }
+      }
+      after = result.listMetadata?.after ?? void 0;
+    } while (after);
+    return accessibleIds;
+  }
+  /**
+   * Map a WorkOS AuthorizationResource to Mastra's FGAResource type.
+   */
+  mapAuthorizationResource(resource) {
+    return {
+      id: resource.id,
+      externalId: resource.externalId,
+      name: resource.name,
+      description: resource.description,
+      resourceTypeSlug: resource.resourceTypeSlug,
+      organizationId: resource.organizationId,
+      parentResourceId: resource.parentResourceId
+    };
+  }
+};
 
 // src/directory-sync.ts
 var WorkOSDirectorySync = class {
@@ -870,7 +1435,15 @@ var WorkOSAdminPortal = class {
     return result.link;
   }
 };
+/**
+ * WorkOS FGA provider for Mastra.
+ *
+ * Integrates WorkOS Authorization API with Mastra's FGA interface
+ * for permission-based, resource-level authorization.
+ *
+ * @license Mastra Enterprise License - see ee/LICENSE
+ */
 
-export { MastraAuthWorkos, MastraRBACWorkos, WebSessionStorage, WorkOSAdminPortal, WorkOSDirectorySync, mapWorkOSUserToEEUser };
+export { MastraAuthWorkos, MastraFGAWorkos, MastraRBACWorkos, WebSessionStorage, WorkOSAdminPortal, WorkOSDirectorySync, WorkOSFGAMembershipResolutionError, WorkOSFGAResourceNotFoundError, mapWorkOSUserToEEUser };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map