@mastra/deployer 1.36.0-alpha.0 → 1.36.0-alpha.10

package/CHANGELOG.md

@@ -1,5 +1,138 @@
 # @mastra/deployer
 
+## 1.36.0-alpha.10
+
+### Patch Changes
+
+- Updated dependencies [[`27fd1b7`](https://github.com/mastra-ai/mastra/commit/27fd1b79ac62eb7694f92587eb7d1be05b59be01), [`a702009`](https://github.com/mastra-ai/mastra/commit/a702009d3cfaa745120f501e21c783ed4d6a3072), [`48cf61e`](https://github.com/mastra-ai/mastra/commit/48cf61e2cc759a61b6631566acf381d46ca9e12e), [`8534d79`](https://github.com/mastra-ai/mastra/commit/8534d791fa1cb70fe1c19e2604c4b63cc10dd051), [`c78f8cd`](https://github.com/mastra-ai/mastra/commit/c78f8cd6222a86e6c60ae5210b6929ad5221b6fb), [`e146aad`](https://github.com/mastra-ai/mastra/commit/e146aadbba66c410ba0e74bac4c50135495cb8dd), [`1a0ec78`](https://github.com/mastra-ai/mastra/commit/1a0ec789a26cae443744e9abbd62ed6ee676af39), [`d52b6fe`](https://github.com/mastra-ai/mastra/commit/d52b6fe1c56853eb38864baae0bbfa75cc739ccb)]:
+  - @mastra/core@1.36.0-alpha.10
+  - @mastra/server@1.36.0-alpha.10
+
+## 1.36.0-alpha.9
+
+### Patch Changes
+
+- Updated dependencies [[`bd92c15`](https://github.com/mastra-ai/mastra/commit/bd92c154238ce5d05e12d5477da07c7b7292c5e3), [`bd92c15`](https://github.com/mastra-ai/mastra/commit/bd92c154238ce5d05e12d5477da07c7b7292c5e3), [`1698f5e`](https://github.com/mastra-ai/mastra/commit/1698f5ec141d34f22a873efdb145ce3cdf848a5e)]:
+  - @mastra/server@1.36.0-alpha.9
+  - @mastra/core@1.36.0-alpha.9
+
+## 1.36.0-alpha.8
+
+### Patch Changes
+
+- Updated dependencies [[`9aee493`](https://github.com/mastra-ai/mastra/commit/9aee493ed6089b5133472623dcce49934bf2d509)]:
+  - @mastra/core@1.36.0-alpha.8
+  - @mastra/server@1.36.0-alpha.8
+
+## 1.36.0-alpha.7
+
+### Patch Changes
+
+- Browser streaming now works for stored agents. The deployer's `getToolset` first checks the runtime agent registry, then falls back to the editor's stored-agent lookup, so agents created at runtime through the editor can stream browser sessions without being pre-registered in code. ([#16778](https://github.com/mastra-ai/mastra/pull/16778))
+
+- Updated dependencies [[`a935b0a`](https://github.com/mastra-ai/mastra/commit/a935b0a0977ae3f196b33ec7621f528069c82db0), [`a935b0a`](https://github.com/mastra-ai/mastra/commit/a935b0a0977ae3f196b33ec7621f528069c82db0)]:
+  - @mastra/core@1.36.0-alpha.7
+  - @mastra/server@1.36.0-alpha.7
+
+## 1.36.0-alpha.6
+
+### Patch Changes
+
+- Updated dependencies [[`71a820b`](https://github.com/mastra-ai/mastra/commit/71a820b2353fa1406772c50760a3732058a8b337)]:
+  - @mastra/core@1.36.0-alpha.6
+  - @mastra/server@1.36.0-alpha.6
+
+## 1.36.0-alpha.5
+
+### Patch Changes
+
+- Updated dependencies [[`ac79462`](https://github.com/mastra-ai/mastra/commit/ac79462b98f1062394c45093aa515b0766f27ee2), [`19281c7`](https://github.com/mastra-ai/mastra/commit/19281c70424f757219782de16c2699743c5e04d0)]:
+  - @mastra/core@1.36.0-alpha.5
+  - @mastra/server@1.36.0-alpha.5
+
+## 1.36.0-alpha.4
+
+### Patch Changes
+
+- Updated dependencies [[`c272d50`](https://github.com/mastra-ai/mastra/commit/c272d50610a54496b6b6d92ccd4d37b333a2613a), [`d8692af`](https://github.com/mastra-ai/mastra/commit/d8692afa253028e39cdce2aafa0ac414071a762e), [`841a222`](https://github.com/mastra-ai/mastra/commit/841a222560d8c19238f8213713f30535cdd82284)]:
+  - @mastra/core@1.36.0-alpha.4
+  - @mastra/server@1.36.0-alpha.4
+
+## 1.36.0-alpha.3
+
+### Patch Changes
+
+- Updated dependencies [[`5556cc1`](https://github.com/mastra-ai/mastra/commit/5556cc1befec71518d84f826b3bfe3a079a9daf7), [`5499303`](https://github.com/mastra-ai/mastra/commit/54993032c1ebc09642625b78d2014e0cf84a3cae), [`5499303`](https://github.com/mastra-ai/mastra/commit/54993032c1ebc09642625b78d2014e0cf84a3cae), [`3498b49`](https://github.com/mastra-ai/mastra/commit/3498b4946be94f4313cd817733589680dcda5278), [`e47bca7`](https://github.com/mastra-ai/mastra/commit/e47bca7b72866d3abd173b9f530ac4318113a8ff), [`bfadd40`](https://github.com/mastra-ai/mastra/commit/bfadd4049df2977080f7f6c1602dc094a6e0f2f4), [`0031d0f`](https://github.com/mastra-ai/mastra/commit/0031d0f13831d7843ac5d498734a7d92862e2ce3), [`3498b49`](https://github.com/mastra-ai/mastra/commit/3498b4946be94f4313cd817733589680dcda5278), [`359439b`](https://github.com/mastra-ai/mastra/commit/359439bb8c635e048176306828195f8297f50021)]:
+  - @mastra/core@1.36.0-alpha.3
+  - @mastra/server@1.36.0-alpha.3
+
+## 1.36.0-alpha.2
+
+### Patch Changes
+
+- When browser streaming is unavailable (the `ws` and `@hono/node-ws` packages aren't installed, or the deployer is running in a serverless environment), the deployer now registers a fallback `GET /api/agents/:agentId/browser/session` route that returns `{ hasSession: false, screencastAvailable: false }`. This lets clients detect that screencast won't work and skip the WebSocket upgrade instead of triggering a noisy reconnect loop. ([#16668](https://github.com/mastra-ai/mastra/pull/16668))
+
+- Bumped the `@mastra/core` peer dependency floor from `>=1.32.0-0` to `>=1.34.0-0`. ([#16666](https://github.com/mastra-ai/mastra/pull/16666))
+
+- Updated dependencies [[`5ba7253`](https://github.com/mastra-ai/mastra/commit/5ba7253745c85e8df8012a76d954c640ffa336f7), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`4e88dc6`](https://github.com/mastra-ai/mastra/commit/4e88dc6b89f154c0eae37221c8126be0c23c569f), [`19018f0`](https://github.com/mastra-ai/mastra/commit/19018f05722af74a5978781a7731a654b26f7f2a), [`5ba7253`](https://github.com/mastra-ai/mastra/commit/5ba7253745c85e8df8012a76d954c640ffa336f7)]:
+  - @mastra/core@1.36.0-alpha.2
+  - @mastra/server@1.36.0-alpha.2
+
+## 1.36.0-alpha.1
+
+### Minor Changes
+
+- Added route-specific CORS configuration so credentialed cross-origin access can be limited to selected custom routes and channel webhooks. ([#16689](https://github.com/mastra-ai/mastra/pull/16689))
+
+  ```ts
+  registerApiRoute('/customer-webhook', {
+    method: 'POST',
+    cors: {
+      origin: ['https://customer-saas.example'],
+      credentials: true,
+    },
+    handler: async c => c.json({ ok: true }),
+  });
+  ```
+
+  ```ts
+  new Agent({
+    id: 'support-agent',
+    name: 'Support Agent',
+    instructions: '...',
+    model,
+    channels: {
+      adapters: {
+        web: {
+          adapter: createWebAdapter(),
+          cors: {
+            origin: ['https://customer-saas.example'],
+            credentials: true,
+          },
+        },
+      },
+    },
+  });
+  ```
+
+  Use `server.cors` for one global CORS policy across the server:
+
+  ```ts
+  new Mastra({
+    server: {
+      cors: {
+        origin: '*',
+      },
+    },
+  });
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`8cdb86c`](https://github.com/mastra-ai/mastra/commit/8cdb86ceed1137bc2768e147dce85a0692b9fb26), [`eda90c5`](https://github.com/mastra-ai/mastra/commit/eda90c5bfd7de11805ecc9f4552716c895fbaf78), [`afc004f`](https://github.com/mastra-ai/mastra/commit/afc004f5cc7e30697809e7021820b9f5881e6719), [`408be73`](https://github.com/mastra-ai/mastra/commit/408be73449dfab92b51eab8c6623b6c443debc25)]:
+  - @mastra/core@1.36.0-alpha.1
+  - @mastra/server@1.36.0-alpha.1
+
 ## 1.36.0-alpha.0
 
 ### Patch Changes

package/dist/docs/SKILL.md

@@ -3,7 +3,7 @@ name: mastra-deployer
 description: Documentation for @mastra/deployer. Use when working with @mastra/deployer APIs, configuration, or implementation.
 metadata:
   package: "@mastra/deployer"
-  version: "1.36.0-alpha.0"
+  version: "1.36.0-alpha.10"
 ---
 
 ## When to use

package/dist/docs/assets/SOURCE_MAP.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.36.0-alpha.0",
+  "version": "1.36.0-alpha.10",
   "package": "@mastra/deployer",
   "exports": {
     "Deps": {

package/dist/server/index.cjs

@@ -17,6 +17,7 @@ var tools = require('@mastra/core/tools');
 var serverAdapter = require('@mastra/server/server-adapter');
 var util = require('util');
 var buffer = require('buffer');
+var auth = require('@mastra/server/auth');
 var browserStream = require('@mastra/server/browser-stream');
 var store = require('@mastra/server/a2a/store');
 var hono = require('hono');
@@ -3183,6 +3184,9 @@ async function setupBrowserStream(app, config2) {
   }
   const { injectWebSocket, upgradeWebSocket } = createNodeWebSocket({ app });
   const registry2 = new browserStream.ViewerRegistry();
+  const rawPrefix = config2.apiPrefix ?? "/api";
+  const trimmed = rawPrefix.endsWith("/") ? rawPrefix.slice(0, -1) : rawPrefix;
+  const apiPrefix = trimmed || "/api";
   app.get(
     "/browser/:agentId/stream",
     upgradeWebSocket((c) => {
@@ -3197,7 +3201,7 @@ async function setupBrowserStream(app, config2) {
         onMessage(event, _ws) {
           const data = typeof event.data === "string" ? event.data : null;
           if (data) {
-            browserStream.handleInputMessage(data, config2.getToolset, agentId, threadId);
+            void browserStream.handleInputMessage(data, config2.getToolset, agentId, threadId);
           }
         },
         onClose(_event, ws) {
@@ -3210,12 +3214,25 @@ async function setupBrowserStream(app, config2) {
       };
     })
   );
-  app.post("/api/agents/:agentId/browser/close", async (c) => {
+  app.get(`${apiPrefix}/agents/:agentId/browser/session`, async (c) => {
     const agentId = c.req.param("agentId");
     if (!agentId) {
       return c.json({ error: "Agent ID is required" }, 400);
     }
-    const toolset = config2.getToolset(agentId);
+    const threadId = c.req.query("threadId");
+    const toolset = await config2.getToolset(agentId);
+    if (!toolset) {
+      return c.json({ hasSession: false, screencastAvailable: true });
+    }
+    const hasSession = threadId ? toolset.hasThreadSession(threadId) : false;
+    return c.json({ hasSession, screencastAvailable: true });
+  });
+  app.post(`${apiPrefix}/agents/:agentId/browser/close`, async (c) => {
+    const agentId = c.req.param("agentId");
+    if (!agentId) {
+      return c.json({ error: "Agent ID is required" }, 400);
+    }
+    const toolset = await config2.getToolset(agentId);
     if (!toolset) {
       return c.json({ error: "No browser session for this agent" }, 404);
     }
@@ -3616,7 +3633,7 @@ var MastraServer = class extends serverAdapter.MastraServer {
         if (authConfig) {
           const hasPermission = await loadHasPermission();
           if (hasPermission) {
-            const userPermissions = c.get("requestContext").get("userPermissions");
+            const userPermissions = c.get("requestContext").get("mastra__userPermissions");
             const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
             if (permissionError) {
               return c.json(
@@ -3713,7 +3730,7 @@ var MastraServer = class extends serverAdapter.MastraServer {
         if (authConfig) {
           const hasPermission = await loadHasPermission();
           if (hasPermission) {
-            const userPermissions = c.get("requestContext").get("userPermissions");
+            const userPermissions = c.get("requestContext").get("mastra__userPermissions");
             const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
             if (permissionError) {
               return c.json(
@@ -4447,6 +4464,27 @@ var getStudioPath = () => {
   const studioPath = process.env.MASTRA_STUDIO_PATH || path.join(__dirname, "studio");
   return studioPath;
 };
+var DEFAULT_CORS_ALLOW_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
+var DEFAULT_CORS_ALLOW_HEADERS = ["Content-Type", "Authorization", "x-mastra-client-type", "x-mastra-dev-playground"];
+var DEFAULT_CORS_EXPOSE_HEADERS = ["Content-Length", "X-Requested-With"];
+function getCorsConfig(serverCors, credentialsDefault) {
+  const userCors = serverCors && typeof serverCors === "object" ? serverCors : void 0;
+  const origin = userCors && "origin" in userCors && userCors.origin ? userCors.origin : credentialsDefault ? (requestOrigin) => requestOrigin || void 0 : "*";
+  const credentials = userCors && "credentials" in userCors ? userCors.credentials : credentialsDefault;
+  return {
+    origin,
+    allowMethods: DEFAULT_CORS_ALLOW_METHODS,
+    credentials,
+    maxAge: 3600,
+    ...userCors,
+    allowHeaders: [...DEFAULT_CORS_ALLOW_HEADERS, ...userCors?.allowHeaders ?? []],
+    exposeHeaders: [...DEFAULT_CORS_EXPOSE_HEADERS, ...userCors?.exposeHeaders ?? []]
+  };
+}
+function getRouteCorsConfig(apiRoutes, pathname, method) {
+  const route = auth.findMatchingCustomRoute(pathname, method, apiRoutes)?.route;
+  return route?.cors;
+}
 function getToolExports(tools$1) {
   try {
     return tools$1.reduce((acc, toolModule) => {
@@ -4530,40 +4568,39 @@ async function createHonoServer(mastra, options = {
     }
   }
   const browserStreamSetup = await setupBrowserStream(app, {
-    getToolset: (agentId) => {
-      const agent = mastra.getAgentById(agentId);
-      return agent?.browser;
-    }
+    getToolset: async (agentId) => {
+      try {
+        const runtimeAgent = mastra.getAgentById(agentId);
+        if (runtimeAgent) {
+          return runtimeAgent.browser;
+        }
+      } catch {
+      }
+      try {
+        const storedAgent = await mastra.getEditor?.()?.agent.getById(agentId);
+        return storedAgent?.browser;
+      } catch {
+        return void 0;
+      }
+    },
+    apiPrefix
   });
+  if (!browserStreamSetup) {
+    app.get(
+      `${apiPrefix}/agents/:agentId/browser/session`,
+      (c) => c.json({ hasSession: false, screencastAvailable: false })
+    );
+  }
   if (server?.cors === false) {
     app.use("*", timeout.timeout(server?.timeout ?? 3 * 60 * 1e3));
   } else {
     const hasAuth = !!server?.auth;
-    let corsOrigin;
-    if (server?.cors && typeof server.cors === "object" && "origin" in server.cors && server.cors.origin) {
-      corsOrigin = server.cors.origin;
-    } else if (hasAuth) {
-      corsOrigin = (origin) => origin || void 0;
-    } else {
-      corsOrigin = "*";
-    }
-    const corsConfig = {
-      origin: corsOrigin,
-      allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-      // Enable credentials for cookie-based auth (e.g., Better Auth sessions)
-      credentials: hasAuth ? true : false,
-      maxAge: 3600,
-      ...server?.cors,
-      allowHeaders: [
-        "Content-Type",
-        "Authorization",
-        "x-mastra-client-type",
-        "x-mastra-dev-playground",
-        ...server?.cors?.allowHeaders ?? []
-      ],
-      exposeHeaders: ["Content-Length", "X-Requested-With", ...server?.cors?.exposeHeaders ?? []]
-    };
-    app.use("*", timeout.timeout(server?.timeout ?? 3 * 60 * 1e3), cors.cors(corsConfig));
+    app.use("*", timeout.timeout(server?.timeout ?? 3 * 60 * 1e3), async (c, next) => {
+      const pathname = new URL(c.req.url).pathname;
+      const method = c.req.method === "OPTIONS" ? c.req.header("Access-Control-Request-Method") ?? c.req.method : c.req.method;
+      const routeCors = getRouteCorsConfig(processedRoutes, pathname, method);
+      return cors.cors(routeCors ? getCorsConfig(routeCors, false) : getCorsConfig(server?.cors, hasAuth))(c, next);
+    });
   }
   app.get(
     "/health",