@mastra/fastify 1.1.7 → 1.1.8

package/CHANGELOG.md

@@ -1,5 +1,83 @@
 # @mastra/fastify
 
+## 1.1.8
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0
+  - @mastra/server@1.9.0
+
+## 1.1.8-alpha.0
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0-alpha.0
+  - @mastra/server@1.9.0-alpha.0
+
 ## 1.1.7
 
 ### Patch Changes

package/LICENSE.md

@@ -1,3 +1,18 @@
+Portions of this software are licensed as follows:
+
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+    is licensed under the license defined in `ee/LICENSE`.
+
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+
 # Apache License 2.0
 
 Copyright (c) 2025 Kepler Software, Inc.

package/dist/index.cjs

@@ -3,7 +3,6 @@
 var busboy = require('@fastify/busboy');
 var error = require('@mastra/server/handlers/error');
 var serverAdapter = require('@mastra/server/server-adapter');
-var auth = require('@mastra/server/auth');
 
 // src/index.ts
 
@@ -213,131 +212,39 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (request, reply) => {
-  const mastra = request.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = request.customRouteAuthConfig;
-  if (!authConfig) {
-    return;
-  }
-  const path = String(request.url.split("?")[0] || "/");
-  const method = String(request.method || "GET");
-  const getHeader = (name) => request.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return;
-  }
-  if (!auth.isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return;
-  }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return;
-  }
-  const authHeader = request.headers.authorization;
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  const query = request.query;
-  if (!token && query.apiKey) {
-    token = query.apiKey || null;
-  }
-  if (!token) {
-    return reply.status(401).send({ error: "Authentication required" });
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, request);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      return reply.status(401).send({ error: "Invalid or expired token" });
-    }
-    request.requestContext.set("user", user);
-    return;
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
+
+// src/index.ts
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/fastify] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
     });
-    return reply.status(401).send({ error: "Invalid or expired token" });
-  }
-};
-var authorizationMiddleware = async (request, reply) => {
-  const mastra = request.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = request.customRouteAuthConfig;
-  if (!authConfig) {
-    return;
-  }
-  const path = String(request.url.split("?")[0] || "/");
-  const method = String(request.method || "GET");
-  const getHeader = (name) => request.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return;
-  }
-  if (!auth.isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return;
   }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return;
-  }
-  const user = request.requestContext.get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, request);
-      if (isAuthorized) {
-        return;
-      }
-      return reply.status(403).send({ error: "Access denied" });
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      return reply.status(500).send({ error: "Authorization error" });
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const context = {
-        get: (key) => {
-          if (key === "mastra") return request.mastra;
-          if (key === "requestContext") return request.requestContext;
-          if (key === "tools") return request.tools;
-          if (key === "taskStore") return request.taskStore;
-          if (key === "customRouteAuthConfig") return request.customRouteAuthConfig;
-          return void 0;
-        },
-        req: request
-      };
-      const isAuthorized = await authConfig.authorize(path, method, user, context);
-      if (isAuthorized) {
-        return;
+  return _hasPermissionPromise;
+}
+function toWebRequest(request) {
+  const protocol = request.protocol || "http";
+  const host = request.headers.host || "localhost";
+  const url = `${protocol}://${host}${request.url}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(request.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        value.forEach((v) => headers.append(key, v));
+      } else {
+        headers.set(key, value);
       }
-      return reply.status(403).send({ error: "Access denied" });
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      return reply.status(500).send({ error: "Authorization error" });
     }
   }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return;
-    }
-    return reply.status(403).send({ error: "Access denied" });
-  }
-  if (auth.defaultAuthConfig.rules && auth.defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(auth.defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return;
-    }
-  }
-  return reply.status(403).send({ error: "Access denied" });
-};
-
-// src/index.ts
+  return new globalThis.Request(url, {
+    method: request.method,
+    headers
+  });
+}
 var MastraServer = class extends serverAdapter.MastraServer {
   createContextMiddleware() {
     return async (request, _reply) => {
@@ -611,7 +518,9 @@ var MastraServer = class extends serverAdapter.MastraServer {
         method: String(request.method || "GET"),
         getHeader: (name) => request.headers[name.toLowerCase()],
         getQuery: (name) => request.query[name],
-        requestContext: request.requestContext
+        requestContext: request.requestContext,
+        request: toWebRequest(request),
+        buildAuthorizeContext: () => toWebRequest(request)
       });
       if (authError) {
         return reply.status(authError.status).send({ error: authError.error });
@@ -682,6 +591,20 @@ var MastraServer = class extends serverAdapter.MastraServer {
         abortSignal: request.abortSignal,
         routePrefix: prefix
       };
+      const authConfig = this.mastra.getServer()?.auth;
+      if (authConfig) {
+        const hasPermission = await loadHasPermission();
+        if (hasPermission) {
+          const userPermissions = request.requestContext.get("userPermissions");
+          const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+          if (permissionError) {
+            return reply.status(permissionError.status).send({
+              error: permissionError.error,
+              message: permissionError.message
+            });
+          }
+        }
+      }
       try {
         const result = await route.handler(handlerParams);
         await this.sendResponse(route, reply, result, request, prefix);
@@ -735,7 +658,48 @@ var MastraServer = class extends serverAdapter.MastraServer {
     if (!await this.buildCustomRouteHandler()) return;
     const routes = this.customApiRoutes ?? this.mastra.getServer()?.apiRoutes ?? [];
     for (const route of routes) {
+      const serverRoute = {
+        method: route.method,
+        path: route.path,
+        responseType: "json",
+        handler: async () => {
+        },
+        requiresAuth: route.requiresAuth
+      };
       const fastifyHandler = async (request, reply) => {
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path: String(request.url.split("?")[0] || "/"),
+          method: String(request.method || "GET"),
+          getHeader: (name) => request.headers[name.toLowerCase()],
+          getQuery: (name) => request.query[name],
+          requestContext: request.requestContext,
+          request: toWebRequest(request),
+          buildAuthorizeContext: () => toWebRequest(request)
+        });
+        if (authError) {
+          return reply.status(authError.status).send({ error: authError.error });
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          let hasPermission;
+          try {
+            ({ hasPermission } = await import('@mastra/core/auth/ee'));
+          } catch {
+            console.error(
+              "[@mastra/fastify] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+            );
+          }
+          if (hasPermission) {
+            const userPermissions = request.requestContext.get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              return reply.status(permissionError.status).send({
+                error: permissionError.error,
+                message: permissionError.message
+              });
+            }
+          }
+        }
         const response = await this.handleCustomRouteRequest(
           `http://${request.headers.host}${request.url}`,
           request.method,
@@ -784,12 +748,46 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.addHook("preHandler", this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.addHook("preHandler", authenticationMiddleware);
-    this.app.addHook("preHandler", authorizationMiddleware);
+    this.app.addHook("onRequest", async (request, reply) => {
+      const urlPath = request.url.split("?")[0];
+      if (!this.shouldLogRequest(urlPath)) {
+        return;
+      }
+      const start = Date.now();
+      const method = request.method;
+      const path = urlPath;
+      reply.raw.once("finish", () => {
+        const duration = Date.now() - start;
+        const status = reply.statusCode;
+        const level = this.httpLoggingConfig?.level || "info";
+        const logData = {
+          method,
+          path,
+          status,
+          duration: `${duration}ms`
+        };
+        if (this.httpLoggingConfig?.includeQueryParams) {
+          logData.query = request.query;
+        }
+        if (this.httpLoggingConfig?.includeHeaders) {
+          const headers = { ...request.headers };
+          const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+          redactHeaders.forEach((h) => {
+            const key = h.toLowerCase();
+            if (headers[key] !== void 0) {
+              headers[key] = "[REDACTED]";
+            }
+          });
+          logData.headers = headers;
+        }
+        this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+      });
+    });
   }
 };