@mastra/koa 1.2.3 → 1.2.4

package/CHANGELOG.md

@@ -1,5 +1,83 @@
 # @mastra/koa
 
+## 1.2.4
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0
+  - @mastra/server@1.9.0
+
+## 1.2.4-alpha.0
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0-alpha.0
+  - @mastra/server@1.9.0-alpha.0
+
 ## 1.2.3
 
 ### Patch Changes

package/LICENSE.md

@@ -1,3 +1,18 @@
+Portions of this software are licensed as follows:
+
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+    is licensed under the license defined in `ee/LICENSE`.
+
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+
 # Apache License 2.0
 
 Copyright (c) 2025 Kepler Software, Inc.

package/dist/index.cjs

@@ -1,9 +1,9 @@
 'use strict';
 
 var busboy = require('@fastify/busboy');
+var auth = require('@mastra/server/auth');
 var error = require('@mastra/server/handlers/error');
 var serverAdapter = require('@mastra/server/server-adapter');
-var auth = require('@mastra/server/auth');
 
 // src/index.ts
 
@@ -213,148 +213,39 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (ctx, next) => {
-  const mastra = ctx.state.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = ctx.state.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = String(ctx.path || "/");
-  const method = String(ctx.method || "GET");
-  const getHeader = (name) => ctx.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const authHeader = ctx.headers.authorization;
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  const query = ctx.query;
-  if (!token && query.apiKey) {
-    token = query.apiKey || null;
-  }
-  if (!token) {
-    ctx.status = 401;
-    ctx.body = { error: "Authentication required" };
-    return;
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, ctx.request);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      ctx.status = 401;
-      ctx.body = { error: "Invalid or expired token" };
-      return;
-    }
-    ctx.state.requestContext.set("user", user);
-    return next();
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
+
+// src/index.ts
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
     });
-    ctx.status = 401;
-    ctx.body = { error: "Invalid or expired token" };
-    return;
-  }
-};
-var authorizationMiddleware = async (ctx, next) => {
-  const mastra = ctx.state.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = ctx.state.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = String(ctx.path || "/");
-  const method = String(ctx.method || "GET");
-  const getHeader = (name) => ctx.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return next();
   }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const user = ctx.state.requestContext.get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, ctx.request);
-      if (isAuthorized) {
-        return next();
-      }
-      ctx.status = 403;
-      ctx.body = { error: "Access denied" };
-      return;
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      ctx.status = 500;
-      ctx.body = { error: "Authorization error" };
-      return;
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const context = {
-        get: (key) => {
-          if (key === "mastra") return ctx.state.mastra;
-          if (key === "requestContext") return ctx.state.requestContext;
-          if (key === "tools") return ctx.state.tools;
-          if (key === "taskStore") return ctx.state.taskStore;
-          if (key === "customRouteAuthConfig") return ctx.state.customRouteAuthConfig;
-          return void 0;
-        },
-        req: ctx.request
-      };
-      const isAuthorized = await authConfig.authorize(path, method, user, context);
-      if (isAuthorized) {
-        return next();
+  return _hasPermissionPromise;
+}
+function toWebRequest(ctx) {
+  const protocol = ctx.protocol || "http";
+  const host = ctx.host || "localhost";
+  const url = `${protocol}://${host}${ctx.url}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(ctx.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        value.forEach((v) => headers.append(key, v));
+      } else {
+        headers.set(key, value);
       }
-      ctx.status = 403;
-      ctx.body = { error: "Access denied" };
-      return;
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      ctx.status = 500;
-      ctx.body = { error: "Authorization error" };
-      return;
-    }
-  }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-    ctx.status = 403;
-    ctx.body = { error: "Access denied" };
-    return;
-  }
-  if (auth.defaultAuthConfig.rules && auth.defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(auth.defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
     }
   }
-  ctx.status = 403;
-  ctx.body = { error: "Access denied" };
-};
-
-// src/index.ts
+  return new globalThis.Request(url, {
+    method: ctx.method,
+    headers
+  });
+}
 var MastraServer = class extends serverAdapter.MastraServer {
   async init() {
     this.registerErrorMiddleware();
@@ -612,7 +503,8 @@ var MastraServer = class extends serverAdapter.MastraServer {
   async sendResponse(route, ctx, result, prefix) {
     const resolvedPrefix = prefix ?? this.prefix ?? "";
     if (route.responseType === "json") {
-      ctx.body = result;
+      ctx.type = "application/json";
+      ctx.body = result === null || result === void 0 ? JSON.stringify(null) : result;
     } else if (route.responseType === "stream") {
       await this.stream(route, ctx, result);
     } else if (route.responseType === "datastream-response") {
@@ -715,7 +607,9 @@ var MastraServer = class extends serverAdapter.MastraServer {
         method: String(ctx.method || "GET"),
         getHeader: (name) => ctx.headers[name.toLowerCase()],
         getQuery: (name) => ctx.query[name],
-        requestContext: ctx.state.requestContext
+        requestContext: ctx.state.requestContext,
+        request: toWebRequest(ctx),
+        buildAuthorizeContext: () => toWebRequest(ctx)
       });
       if (authError) {
         ctx.status = authError.status;
@@ -802,6 +696,22 @@ var MastraServer = class extends serverAdapter.MastraServer {
         abortSignal: ctx.state.abortSignal,
         routePrefix: prefix
       };
+      const authConfig = this.mastra.getServer()?.auth;
+      if (authConfig) {
+        const hasPermission = await loadHasPermission();
+        if (hasPermission) {
+          const userPermissions = ctx.state.requestContext.get("userPermissions");
+          const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+          if (permissionError) {
+            ctx.status = permissionError.status;
+            ctx.body = {
+              error: permissionError.error,
+              message: permissionError.message
+            };
+            return;
+          }
+        }
+      }
       try {
         const result = await route.handler(handlerParams);
         await this.sendResponse(route, ctx, result, prefix);
@@ -846,6 +756,54 @@ var MastraServer = class extends serverAdapter.MastraServer {
   async registerCustomApiRoutes() {
     if (!await this.buildCustomRouteHandler()) return;
     this.app.use(async (ctx, next) => {
+      const path = String(ctx.path || "/");
+      const method = String(ctx.method || "GET");
+      if (auth.isProtectedCustomRoute(path, method, this.customRouteAuthConfig)) {
+        const serverRoute = {
+          method,
+          path,
+          responseType: "json",
+          handler: async () => {
+          }
+        };
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path,
+          method,
+          getHeader: (name) => ctx.headers[name.toLowerCase()],
+          getQuery: (name) => ctx.query[name],
+          requestContext: ctx.state.requestContext,
+          request: toWebRequest(ctx),
+          buildAuthorizeContext: () => toWebRequest(ctx)
+        });
+        if (authError) {
+          ctx.status = authError.status;
+          ctx.body = { error: authError.error };
+          return;
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          let hasPermission;
+          try {
+            ({ hasPermission } = await import('@mastra/core/auth/ee'));
+          } catch {
+            console.error(
+              "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+            );
+          }
+          if (hasPermission) {
+            const userPermissions = ctx.state.requestContext.get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              ctx.status = permissionError.status;
+              ctx.body = {
+                error: permissionError.error,
+                message: permissionError.message
+              };
+              return;
+            }
+          }
+        }
+      }
       const response = await this.handleCustomRouteRequest(
         `${ctx.protocol}://${ctx.host}${ctx.originalUrl || ctx.url}`,
         ctx.method,
@@ -862,12 +820,44 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use(this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.use(authenticationMiddleware);
-    this.app.use(authorizationMiddleware);
+    this.app.use(async (ctx, next) => {
+      if (!this.shouldLogRequest(ctx.path)) {
+        return next();
+      }
+      const start = Date.now();
+      const method = ctx.method;
+      const path = ctx.path;
+      await next();
+      const duration = Date.now() - start;
+      const status = ctx.status;
+      const level = this.httpLoggingConfig?.level || "info";
+      const logData = {
+        method,
+        path,
+        status,
+        duration: `${duration}ms`
+      };
+      if (this.httpLoggingConfig?.includeQueryParams) {
+        logData.query = ctx.query;
+      }
+      if (this.httpLoggingConfig?.includeHeaders) {
+        const headers = { ...ctx.headers };
+        const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+        redactHeaders.forEach((h) => {
+          const key = h.toLowerCase();
+          if (headers[key] !== void 0) {
+            headers[key] = "[REDACTED]";
+          }
+        });
+        logData.headers = headers;
+      }
+      this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+    });
   }
 };