@mastra/mcp-docs-server 1.2.2-alpha.9 → 1.2.3-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.docs/docs/{harness → agent-controller}/modes.md +19 -19
- package/.docs/docs/agent-controller/overview.md +128 -0
- package/.docs/docs/agent-controller/session.md +143 -0
- package/.docs/docs/{harness → agent-controller}/subagents.md +12 -12
- package/.docs/docs/agent-controller/threads-and-state.md +141 -0
- package/.docs/docs/{harness → agent-controller}/tool-approvals.md +23 -23
- package/.docs/docs/agents/channels.md +47 -0
- package/.docs/docs/server/auth/google.md +281 -0
- package/.docs/docs/server/auth.md +2 -1
- package/.docs/models/gateways/vercel.md +3 -1
- package/.docs/models/index.md +1 -1
- package/.docs/models/providers/baseten.md +1 -1
- package/.docs/models/providers/fireworks-ai.md +2 -1
- package/.docs/models/providers/friendli.md +3 -1
- package/.docs/models/providers/llmgateway.md +1 -2
- package/.docs/models/providers/nebius.md +3 -2
- package/.docs/models/providers/opencode-go.md +1 -1
- package/.docs/models/providers/ovhcloud.md +1 -2
- package/.docs/models/providers/scaleway.md +2 -1
- package/.docs/models/providers/tinfoil.md +77 -0
- package/.docs/models/providers/togetherai.md +3 -2
- package/.docs/models/providers/xiaomi-token-plan-ams.md +4 -6
- package/.docs/models/providers/xiaomi-token-plan-cn.md +4 -6
- package/.docs/models/providers/xiaomi-token-plan-sgp.md +4 -6
- package/.docs/models/providers/xiaomi.md +4 -7
- package/.docs/models/providers.md +1 -0
- package/.docs/reference/{harness/harness-class.md → agent-controller/agent-controller-class.md} +106 -106
- package/.docs/reference/{harness → agent-controller}/session.md +97 -91
- package/.docs/reference/agents/channels.md +3 -1
- package/.docs/reference/agents/durable-agent.md +30 -3
- package/.docs/reference/auth/google.md +355 -0
- package/.docs/reference/channels/channel-provider.md +65 -0
- package/.docs/reference/channels/slack-provider.md +226 -0
- package/.docs/reference/index.md +5 -2
- package/CHANGELOG.md +28 -0
- package/package.json +6 -6
- package/.docs/docs/harness/overview.md +0 -128
- package/.docs/docs/harness/session.md +0 -143
- package/.docs/docs/harness/threads-and-state.md +0 -141
|
@@ -203,9 +203,13 @@ interface PrepareResult {
|
|
|
203
203
|
|
|
204
204
|
**activeTools** (`string[]`): Restricts execution to the named subset of the agent's tools.
|
|
205
205
|
|
|
206
|
-
**modelSettings** (`object`): Model-specific settings such as temperature.
|
|
206
|
+
**modelSettings** (`object`): Model-specific settings such as temperature. Credential-bearing headers (\`Authorization\`, \`X-Api-Key\`, and similar) are stripped from the serialized snapshot before it crosses process boundaries.
|
|
207
207
|
|
|
208
|
-
**
|
|
208
|
+
**stopWhen** (`AgentExecutionOptions['stopWhen']`): Predicate or composition that ends the agentic loop early. The closure rides on the in-process run registry; cross-process resumes degrade to \`maxSteps\` only.
|
|
209
|
+
|
|
210
|
+
**system** (`string | string[]`): Additional system message appended after the agent instructions and before user messages.
|
|
211
|
+
|
|
212
|
+
**requireToolApproval** (`boolean | ((args: { toolName: string; args: unknown; requestContext: RequestContext; workspace?: string }) => boolean | Promise<boolean>)`): Require approval for tool calls. Pass \`true\` or \`false\` to gate all or none, or a function for per-call policy. Function-form policies live on the in-process run registry; cross-process resumes fall back to a \`true\` shadow.
|
|
209
213
|
|
|
210
214
|
**autoResumeSuspendedTools** (`boolean`): Automatically resume tools that suspended, instead of waiting for an external \`resume()\` call.
|
|
211
215
|
|
|
@@ -217,10 +221,26 @@ interface PrepareResult {
|
|
|
217
221
|
|
|
218
222
|
**structuredOutput** (`object`): Structured output configuration.
|
|
219
223
|
|
|
220
|
-
**untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method.
|
|
224
|
+
**untilIdle** (`boolean | { maxIdleMs?: number }`): When set, keeps the stream open across background-task continuations until the agent is idle. Pass \`true\` for the default 5-minute idle timeout, or \`{ maxIdleMs }\` to customise. Equivalent to the deprecated \`streamUntilIdle()\` method. Also supported on \`resume()\`.
|
|
225
|
+
|
|
226
|
+
**disableBackgroundTasks** (`boolean`): Disable background-task dispatch for this run. Background-eligible tools execute inline instead.
|
|
227
|
+
|
|
228
|
+
**tracingOptions** (`AgentExecutionOptions['tracingOptions']`): Tracing metadata, tags, trace ID, parent span ID, and \`requestContextKeys\` forwarded to the agent and model spans. Fully JSON-serializable.
|
|
229
|
+
|
|
230
|
+
**actor** (`AgentExecutionOptions['actor']`): Per-call actor signal forwarded to FGA checks and tool execution.
|
|
231
|
+
|
|
232
|
+
**transform** (`AgentExecutionOptions['transform']`): Per-invocation tool payload transform policy. The \`transformToolPayload\` closure lives on the in-process run registry; only the JSON-safe \`targets\` shadow is serialized.
|
|
233
|
+
|
|
234
|
+
**prepareStep** (`AgentExecutionOptions['prepareStep']`): Per-step preparation hook invoked as a \`PrepareStepProcessor\` at the start of every iteration. Closure-only — stored on the in-process run registry. Cross-process resumes lose the hook.
|
|
235
|
+
|
|
236
|
+
**isTaskComplete** (`AgentExecutionOptions['isTaskComplete']`): Per-call completion policy. Scorer instances and \`onComplete\` live on the in-process run registry; the JSON-safe primitives (\`strategy\`, \`timeout\`, \`parallel\`, \`suppressFeedback\`, \`scorerNames\`) are serialized for cross-process observability.
|
|
237
|
+
|
|
238
|
+
**delegation** (`AgentExecutionOptions['delegation']`): Sub-agent delegation hooks (\`onDelegationStart\`, \`onDelegationComplete\`, \`messageFilter\`). Callbacks are baked into the sub-agent tool wrappers at prepare time. Cross-process resumes lose the callbacks.
|
|
221
239
|
|
|
222
240
|
**versions** (`object`): Version overrides for sub-agent delegation.
|
|
223
241
|
|
|
242
|
+
**abortSignal** (`AbortSignal`): External abort signal. Forwarded to the durable run's internal \`AbortController\`, so either source can cancel the run. Cross-process resumes cannot recover the signal — pass a fresh one to \`resume()\` if you need post-resume abortability.
|
|
243
|
+
|
|
224
244
|
**onChunk** (`(chunk: ChunkType) => void | Promise<void>`): Called for each streamed chunk.
|
|
225
245
|
|
|
226
246
|
**onStepFinish** (`(result: AgentStepFinishEventData) => void | Promise<void>`): Called when a step in the agentic loop finishes.
|
|
@@ -231,6 +251,10 @@ interface PrepareResult {
|
|
|
231
251
|
|
|
232
252
|
**onSuspended** (`(data: AgentSuspendedEventData) => void | Promise<void>`): Called when the run suspends, for example for tool approval.
|
|
233
253
|
|
|
254
|
+
**onAbort** (`AgentExecutionOptions['onAbort']`): Called when the run is aborted via \`abortSignal\` or \`result.abort()\`.
|
|
255
|
+
|
|
256
|
+
**onIterationComplete** (`AgentExecutionOptions['onIterationComplete']`): Called after every agentic-loop iteration with the latest \`messageList\`, \`finishReason\`, and \`isFinal\` flag. Observation-only on durable agents: returning \`continue: false\` or feedback does not influence the loop.
|
|
257
|
+
|
|
234
258
|
`resume()` and `observe()` accept the same lifecycle callbacks (`onChunk`, `onStepFinish`, `onFinish`, `onError`, `onSuspended`). `observe()` also accepts an `offset` to control where replay starts.
|
|
235
259
|
|
|
236
260
|
## DurableAgentStreamResult
|
|
@@ -245,6 +269,7 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
|
|
|
245
269
|
threadId?: string
|
|
246
270
|
resourceId?: string
|
|
247
271
|
cleanup: () => void
|
|
272
|
+
abort: () => void
|
|
248
273
|
}
|
|
249
274
|
```
|
|
250
275
|
|
|
@@ -260,6 +285,8 @@ interface DurableAgentStreamResult<OUTPUT = undefined> {
|
|
|
260
285
|
|
|
261
286
|
**cleanup** (`() => void`): Unsubscribes from PubSub and clears registry entries for the run. Call it when done with the run.
|
|
262
287
|
|
|
288
|
+
**abort** (`() => void`): Aborts the run by flipping the internal \`AbortController\`. Surfaces as an \`AbortError\` inside the durable LLM-execution step and fires the \`onAbort\` callback. Safe to call after the run has finished — a no-op in that case.
|
|
289
|
+
|
|
263
290
|
## Related
|
|
264
291
|
|
|
265
292
|
- [`createInngestAgent()`](https://mastra.ai/reference/agents/inngest-agent)
|
|
@@ -0,0 +1,355 @@
|
|
|
1
|
+
# MastraAuthGoogle & MastraRBACGoogle class
|
|
2
|
+
|
|
3
|
+
## MastraAuthGoogle class
|
|
4
|
+
|
|
5
|
+
The `MastraAuthGoogle` class provides authentication for Mastra using Google Workspace. It implements an OAuth 2.0 / OIDC login flow with encrypted session cookies, verifies Google ID tokens, and integrates with the Mastra server using the `auth` option.
|
|
6
|
+
|
|
7
|
+
### Usage example
|
|
8
|
+
|
|
9
|
+
```typescript
|
|
10
|
+
import { Mastra } from '@mastra/core'
|
|
11
|
+
import { MastraAuthGoogle } from '@mastra/auth-google'
|
|
12
|
+
|
|
13
|
+
export const mastra = new Mastra({
|
|
14
|
+
server: {
|
|
15
|
+
auth: new MastraAuthGoogle({
|
|
16
|
+
clientId: process.env.GOOGLE_CLIENT_ID,
|
|
17
|
+
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
|
|
18
|
+
redirectUri: process.env.GOOGLE_REDIRECT_URI,
|
|
19
|
+
allowedDomains: ['example.com'],
|
|
20
|
+
}),
|
|
21
|
+
},
|
|
22
|
+
})
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
> **Note:** You can omit the constructor parameters if you have the appropriately named environment variables set. In that case, use `new MastraAuthGoogle()` without any arguments.
|
|
26
|
+
|
|
27
|
+
### Constructor parameters
|
|
28
|
+
|
|
29
|
+
**clientId** (`string`): Google OAuth client ID. (Default: `process.env.GOOGLE_CLIENT_ID`)
|
|
30
|
+
|
|
31
|
+
**clientSecret** (`string`): Google OAuth client secret. Required for Studio SSO. (Default: `process.env.GOOGLE_CLIENT_SECRET`)
|
|
32
|
+
|
|
33
|
+
**redirectUri** (`string`): OAuth redirect URI for the SSO callback. Must match the redirect URI configured in your Google Cloud OAuth client. (Default: `process.env.GOOGLE_REDIRECT_URI`)
|
|
34
|
+
|
|
35
|
+
**scopes** (`string[]`): OAuth scopes requested during the login flow. (Default: `['openid', 'profile', 'email']`)
|
|
36
|
+
|
|
37
|
+
**allowedDomains** (`string | string[]`): Allowed Google Workspace hosted domains. Mastra validates these against the verified \`hd\` claim. (Default: `process.env.GOOGLE_ALLOWED_DOMAINS`)
|
|
38
|
+
|
|
39
|
+
**hostedDomain** (`string`): Hosted-domain login hint passed to Google as \`hd\`. This is a hint only and is not used for authorization. (Default: `process.env.GOOGLE_HOSTED_DOMAIN or the single allowed domain`)
|
|
40
|
+
|
|
41
|
+
**session** (`GoogleSessionOptions`): Session cookie configuration.
|
|
42
|
+
|
|
43
|
+
**session.cookieName** (`string`): Name of the session cookie.
|
|
44
|
+
|
|
45
|
+
**session.cookieMaxAge** (`number`): Cookie max age in seconds.
|
|
46
|
+
|
|
47
|
+
**session.cookiePassword** (`string`): Password for encrypting session cookies. Must be at least 32 characters. If not set, an auto-generated value is used in development that does not survive restarts.
|
|
48
|
+
|
|
49
|
+
**session.secureCookies** (`boolean`): Set the \`Secure\` flag on session cookies.
|
|
50
|
+
|
|
51
|
+
**name** (`string`): Custom name for the auth provider instance. (Default: `'google'`)
|
|
52
|
+
|
|
53
|
+
### Environment variables
|
|
54
|
+
|
|
55
|
+
The following environment variables are automatically used when constructor options aren't provided:
|
|
56
|
+
|
|
57
|
+
**GOOGLE\_CLIENT\_ID** (`string`): Google OAuth client ID from your Google Cloud OAuth client.
|
|
58
|
+
|
|
59
|
+
**GOOGLE\_CLIENT\_SECRET** (`string`): Google OAuth client secret. Required for the SSO authorization code flow.
|
|
60
|
+
|
|
61
|
+
**GOOGLE\_REDIRECT\_URI** (`string`): OAuth redirect URI for the SSO callback.
|
|
62
|
+
|
|
63
|
+
**GOOGLE\_COOKIE\_PASSWORD** (`string`): Password for encrypting session cookies. Must be at least 32 characters.
|
|
64
|
+
|
|
65
|
+
**GOOGLE\_ALLOWED\_DOMAINS** (`string`): Comma-separated Google Workspace hosted domains to allow.
|
|
66
|
+
|
|
67
|
+
**GOOGLE\_HOSTED\_DOMAIN** (`string`): Hosted-domain login hint passed to Google during SSO login.
|
|
68
|
+
|
|
69
|
+
### Authentication flow
|
|
70
|
+
|
|
71
|
+
`MastraAuthGoogle` authenticates requests in the following order:
|
|
72
|
+
|
|
73
|
+
1. **Session cookie**: When SSO is enabled, reads the encrypted session cookie and decrypts it. If the session is valid and not expired, the user is authenticated.
|
|
74
|
+
2. **Google ID token fallback**: If no valid session cookie is present, verifies the `Authorization` header token against Google's JWKS endpoint.
|
|
75
|
+
|
|
76
|
+
After authentication, `authorizeUser` checks that the user has a valid Google user ID, the token-derived expiration has not passed, and the user's verified `hd` claim matches `allowedDomains` when domains are configured.
|
|
77
|
+
|
|
78
|
+
### Authentication methods
|
|
79
|
+
|
|
80
|
+
#### `authenticateToken(token, request?)`
|
|
81
|
+
|
|
82
|
+
Authenticates a Google ID token. When SSO is enabled, this method checks the encrypted session cookie before it verifies the Bearer token.
|
|
83
|
+
|
|
84
|
+
```typescript
|
|
85
|
+
const user = await auth.authenticateToken(idToken, request)
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
Returns: `Promise<GoogleUser | null>`
|
|
89
|
+
|
|
90
|
+
#### `getCurrentUser(request)`
|
|
91
|
+
|
|
92
|
+
Returns the authenticated user from a session cookie or Bearer Google ID token.
|
|
93
|
+
|
|
94
|
+
```typescript
|
|
95
|
+
const user = await auth.getCurrentUser(request)
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
Returns: `Promise<GoogleUser | null>`
|
|
99
|
+
|
|
100
|
+
#### `authorizeUser(user)`
|
|
101
|
+
|
|
102
|
+
Returns `true` when the user has an ID, has not expired, and matches `allowedDomains` when domains are configured.
|
|
103
|
+
|
|
104
|
+
```typescript
|
|
105
|
+
const allowed = auth.authorizeUser(user)
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
Returns: `boolean`
|
|
109
|
+
|
|
110
|
+
#### `getUser(userId)`
|
|
111
|
+
|
|
112
|
+
Returns `null`. Google ID tokens are verified directly, so this provider does not perform user lookup by ID.
|
|
113
|
+
|
|
114
|
+
```typescript
|
|
115
|
+
const user = await auth.getUser(userId)
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
Returns: `Promise<GoogleUser | null>`
|
|
119
|
+
|
|
120
|
+
### `GoogleUser` type
|
|
121
|
+
|
|
122
|
+
The `GoogleUser` type extends the base `EEUser` interface with Google-specific fields:
|
|
123
|
+
|
|
124
|
+
**id** (`string`): Mastra user ID. Uses the Google \`sub\` claim.
|
|
125
|
+
|
|
126
|
+
**googleId** (`string`): Google Account subject identifier.
|
|
127
|
+
|
|
128
|
+
**email** (`string`): User email address.
|
|
129
|
+
|
|
130
|
+
**name** (`string`): User display name from Google profile claims.
|
|
131
|
+
|
|
132
|
+
**avatarUrl** (`string`): URL to the user's Google profile picture.
|
|
133
|
+
|
|
134
|
+
**hostedDomain** (`string`): Google Workspace hosted domain from the verified \`hd\` claim.
|
|
135
|
+
|
|
136
|
+
**expiresAt** (`Date`): Verified ID token expiration time, when available.
|
|
137
|
+
|
|
138
|
+
**emailVerified** (`boolean`): Whether Google reports the email address as verified.
|
|
139
|
+
|
|
140
|
+
**groups** (`string[]`): Optional pre-resolved Google Workspace group role IDs.
|
|
141
|
+
|
|
142
|
+
## MastraRBACGoogle class
|
|
143
|
+
|
|
144
|
+
The `MastraRBACGoogle` class maps Google Workspace groups to Mastra permissions. It fetches user groups from the Google Admin SDK Directory API and resolves them against a configurable role mapping. Use it with `MastraAuthGoogle` or any other auth provider.
|
|
145
|
+
|
|
146
|
+
> **Note:** RBAC requires a valid Enterprise Edition license. It works without a license in development so you can try it locally, but you'll need a license for production. [Contact sales](https://mastra.ai/contact) for more information.
|
|
147
|
+
|
|
148
|
+
### Usage example
|
|
149
|
+
|
|
150
|
+
Use `MastraRBACGoogle` alongside an auth provider by passing it to the `rbac` option:
|
|
151
|
+
|
|
152
|
+
```typescript
|
|
153
|
+
import { Mastra } from '@mastra/core'
|
|
154
|
+
import { MastraAuthGoogle, MastraRBACGoogle } from '@mastra/auth-google'
|
|
155
|
+
|
|
156
|
+
export const mastra = new Mastra({
|
|
157
|
+
server: {
|
|
158
|
+
auth: new MastraAuthGoogle(),
|
|
159
|
+
rbac: new MastraRBACGoogle({
|
|
160
|
+
serviceAccount: {
|
|
161
|
+
clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
|
|
162
|
+
privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
|
|
163
|
+
subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
|
|
164
|
+
},
|
|
165
|
+
roleMapping: {
|
|
166
|
+
'admins@example.com': ['*'],
|
|
167
|
+
'engineering@example.com': ['agents:*', 'workflows:*', 'tools:*'],
|
|
168
|
+
'viewers@example.com': ['agents:read', 'workflows:read'],
|
|
169
|
+
_default: [],
|
|
170
|
+
},
|
|
171
|
+
}),
|
|
172
|
+
},
|
|
173
|
+
})
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
To use Google Workspace RBAC with a different auth provider, pass a `getUserKey` function to resolve the Google Directory API user key from the other provider's user object:
|
|
177
|
+
|
|
178
|
+
```typescript
|
|
179
|
+
import { Mastra } from '@mastra/core'
|
|
180
|
+
import { MastraAuthAuth0 } from '@mastra/auth-auth0'
|
|
181
|
+
import { MastraRBACGoogle } from '@mastra/auth-google'
|
|
182
|
+
|
|
183
|
+
export const mastra = new Mastra({
|
|
184
|
+
server: {
|
|
185
|
+
auth: new MastraAuthAuth0(),
|
|
186
|
+
rbac: new MastraRBACGoogle({
|
|
187
|
+
getUserKey: user => user.email,
|
|
188
|
+
serviceAccount: {
|
|
189
|
+
clientEmail: process.env.GOOGLE_SERVICE_ACCOUNT_EMAIL!,
|
|
190
|
+
privateKey: process.env.GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY!,
|
|
191
|
+
subject: process.env.GOOGLE_WORKSPACE_ADMIN_EMAIL!,
|
|
192
|
+
},
|
|
193
|
+
roleMapping: {
|
|
194
|
+
'engineering@example.com': ['agents:*', 'workflows:*'],
|
|
195
|
+
'admins@example.com': ['*'],
|
|
196
|
+
_default: [],
|
|
197
|
+
},
|
|
198
|
+
}),
|
|
199
|
+
},
|
|
200
|
+
})
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
### Constructor parameters
|
|
204
|
+
|
|
205
|
+
**roleMapping** (`RoleMapping`): Maps Google Workspace group role IDs to arrays of Mastra permission strings. Use \`'\_default'\` to assign permissions to users who do not match any group. Supports wildcards like \`'\*'\` (full access) and \`'agents:\*'\` (all agent actions).
|
|
206
|
+
|
|
207
|
+
**accessToken** (`string`): Pre-obtained Workspace Directory API access token.
|
|
208
|
+
|
|
209
|
+
**getAccessToken** (`() => Promise<string> | string`): Callback that returns a Workspace Directory API access token.
|
|
210
|
+
|
|
211
|
+
**serviceAccount** (`GoogleWorkspaceServiceAccount`): Service account credentials for domain-wide delegated Directory API access.
|
|
212
|
+
|
|
213
|
+
**serviceAccount.clientEmail** (`string`): Google service account email.
|
|
214
|
+
|
|
215
|
+
**serviceAccount.privateKey** (`string`): PEM-encoded private key. Escaped \`\n\` values from .env files are supported.
|
|
216
|
+
|
|
217
|
+
**serviceAccount.privateKeyId** (`string`): Optional private key ID.
|
|
218
|
+
|
|
219
|
+
**serviceAccount.subject** (`string`): Workspace administrator user to impersonate with domain-wide delegation.
|
|
220
|
+
|
|
221
|
+
**serviceAccount.scopes** (`string[]`): OAuth scopes for the service account token.
|
|
222
|
+
|
|
223
|
+
**getUserKey** (`(user: unknown) => string | undefined`): Extract the Directory API \`userKey\` from an authenticated user. Defaults to \`user.email\`.
|
|
224
|
+
|
|
225
|
+
**mapGroupToRoles** (`(group: GoogleWorkspaceGroup) => string[]`): Map a Google Workspace group to role IDs. Defaults to \`\[group.email]\`.
|
|
226
|
+
|
|
227
|
+
**cache** (`PermissionCacheOptions`): Configure the LRU cache for group lookups.
|
|
228
|
+
|
|
229
|
+
**cache.maxSize** (`number`): Maximum number of users to cache.
|
|
230
|
+
|
|
231
|
+
**cache.ttlMs** (`number`): Time-to-live in milliseconds.
|
|
232
|
+
|
|
233
|
+
### RBAC methods
|
|
234
|
+
|
|
235
|
+
#### `getRoles(user)`
|
|
236
|
+
|
|
237
|
+
Returns Google Workspace group role IDs for a user.
|
|
238
|
+
|
|
239
|
+
```typescript
|
|
240
|
+
const roles = await rbac.getRoles(user)
|
|
241
|
+
```
|
|
242
|
+
|
|
243
|
+
Returns: `Promise<string[]>`
|
|
244
|
+
|
|
245
|
+
#### `getPermissions(user)`
|
|
246
|
+
|
|
247
|
+
Returns Mastra permissions resolved from Google Workspace groups and `roleMapping`.
|
|
248
|
+
|
|
249
|
+
```typescript
|
|
250
|
+
const permissions = await rbac.getPermissions(user)
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
Returns: `Promise<string[]>`
|
|
254
|
+
|
|
255
|
+
#### `hasPermission(user, permission)`
|
|
256
|
+
|
|
257
|
+
Checks whether a user has a permission.
|
|
258
|
+
|
|
259
|
+
```typescript
|
|
260
|
+
const canReadAgents = await rbac.hasPermission(user, 'agents:read')
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
Returns: `Promise<boolean>`
|
|
264
|
+
|
|
265
|
+
#### `hasRole(user, role)`
|
|
266
|
+
|
|
267
|
+
Checks whether a user resolved to a specific Google Workspace group role.
|
|
268
|
+
|
|
269
|
+
```typescript
|
|
270
|
+
const isAdmin = await rbac.hasRole(user, 'admins@example.com')
|
|
271
|
+
```
|
|
272
|
+
|
|
273
|
+
Returns: `Promise<boolean>`
|
|
274
|
+
|
|
275
|
+
#### `hasAllPermissions(user, permissions)`
|
|
276
|
+
|
|
277
|
+
Checks whether a user has every requested permission.
|
|
278
|
+
|
|
279
|
+
```typescript
|
|
280
|
+
const canManageAgents = await rbac.hasAllPermissions(user, ['agents:read', 'agents:update'])
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
Returns: `Promise<boolean>`
|
|
284
|
+
|
|
285
|
+
#### `hasAnyPermission(user, permissions)`
|
|
286
|
+
|
|
287
|
+
Checks whether a user has at least one requested permission.
|
|
288
|
+
|
|
289
|
+
```typescript
|
|
290
|
+
const canReadSomething = await rbac.hasAnyPermission(user, ['agents:read', 'workflows:read'])
|
|
291
|
+
```
|
|
292
|
+
|
|
293
|
+
Returns: `Promise<boolean>`
|
|
294
|
+
|
|
295
|
+
#### `getAvailableRoles()`
|
|
296
|
+
|
|
297
|
+
Returns the role IDs configured in `roleMapping`, excluding `_default`.
|
|
298
|
+
|
|
299
|
+
```typescript
|
|
300
|
+
const roles = await rbac.getAvailableRoles()
|
|
301
|
+
```
|
|
302
|
+
|
|
303
|
+
Returns: `Promise<{ id: string; name: string }[]>`
|
|
304
|
+
|
|
305
|
+
#### `getPermissionsForRole(roleId)`
|
|
306
|
+
|
|
307
|
+
Returns the permissions configured for a role ID.
|
|
308
|
+
|
|
309
|
+
```typescript
|
|
310
|
+
const permissions = await rbac.getPermissionsForRole('engineering@example.com')
|
|
311
|
+
```
|
|
312
|
+
|
|
313
|
+
Returns: `Promise<string[]>`
|
|
314
|
+
|
|
315
|
+
#### `clearCache()`
|
|
316
|
+
|
|
317
|
+
Clears all cached Google Workspace group lookups.
|
|
318
|
+
|
|
319
|
+
```typescript
|
|
320
|
+
rbac.clearCache()
|
|
321
|
+
```
|
|
322
|
+
|
|
323
|
+
Returns: `void`
|
|
324
|
+
|
|
325
|
+
#### `clearUserCache(userKey)`
|
|
326
|
+
|
|
327
|
+
Clears the cached group lookup for one Directory API user key, such as an email address.
|
|
328
|
+
|
|
329
|
+
```typescript
|
|
330
|
+
rbac.clearUserCache('user@example.com')
|
|
331
|
+
```
|
|
332
|
+
|
|
333
|
+
Returns: `void`
|
|
334
|
+
|
|
335
|
+
#### `getCacheStats()`
|
|
336
|
+
|
|
337
|
+
Returns the current group lookup cache size and maximum size.
|
|
338
|
+
|
|
339
|
+
```typescript
|
|
340
|
+
const stats = rbac.getCacheStats()
|
|
341
|
+
```
|
|
342
|
+
|
|
343
|
+
Returns: `{ size: number; maxSize: number }`
|
|
344
|
+
|
|
345
|
+
### Additional configuration
|
|
346
|
+
|
|
347
|
+
`MastraRBACGoogle` uses `GET https://admin.googleapis.com/admin/directory/v1/groups?userKey=...` and handles pagination. Provide a service account with domain-wide delegation for production Google Workspace deployments, or pass `accessToken` / `getAccessToken` if your application already manages Google API tokens.
|
|
348
|
+
|
|
349
|
+
If `user.groups` is already an array, `MastraRBACGoogle` uses that value and does not call the Directory API. An empty `groups` array means the user has no Google group roles and resolves to `_default` permissions when `_default` is configured.
|
|
350
|
+
|
|
351
|
+
`MastraRBACGoogle` does not automatically read service-account environment variables. Pass service-account credentials through the `serviceAccount` option, or pass `accessToken` / `getAccessToken`.
|
|
352
|
+
|
|
353
|
+
## Related
|
|
354
|
+
|
|
355
|
+
[Google auth docs](https://mastra.ai/docs/server/auth/google)
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
# ChannelProvider
|
|
2
|
+
|
|
3
|
+
`ChannelProvider` is the interface that platform integrations implement to connect agents to a messaging platform. A provider owns the full lifecycle of an integration: app provisioning and OAuth, webhook routing and event handling, adapter creation and agent wiring, and credential management.
|
|
4
|
+
|
|
5
|
+
Register providers on the `Mastra` constructor under `channels`, keyed by an id you choose. Each provider's routes are merged into the server's API routes automatically, and `initialize()` runs during Mastra startup.
|
|
6
|
+
|
|
7
|
+
```typescript
|
|
8
|
+
import { Mastra } from '@mastra/core/mastra'
|
|
9
|
+
import { SlackProvider } from '@mastra/slack'
|
|
10
|
+
|
|
11
|
+
export const mastra = new Mastra({
|
|
12
|
+
channels: {
|
|
13
|
+
slack: new SlackProvider({
|
|
14
|
+
refreshToken: process.env.SLACK_REFRESH_TOKEN!,
|
|
15
|
+
baseUrl: process.env.MASTRA_BASE_URL,
|
|
16
|
+
}),
|
|
17
|
+
},
|
|
18
|
+
})
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
The provider's `baseUrl` is the public URL the platform sends webhooks and events to. In production this is your deployed Mastra server URL. For local development, the platform can't reach `http://localhost:4111`, so run a tunnel (such as [cloudflared](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) or [ngrok](https://ngrok.com/)) and point `baseUrl` at the tunnel URL (for example `https://abc123.trycloudflare.com`) so events reach your local dev process.
|
|
22
|
+
|
|
23
|
+
[`SlackProvider`](https://mastra.ai/reference/channels/slack-provider) is the first built-in implementation. Build a custom provider by implementing this interface.
|
|
24
|
+
|
|
25
|
+
## Properties
|
|
26
|
+
|
|
27
|
+
**id** (`string`): Unique identifier for this channel type, for example 'slack' or 'discord'. Used as the key when routing events and looking the provider up from Mastra.
|
|
28
|
+
|
|
29
|
+
## Methods
|
|
30
|
+
|
|
31
|
+
**getRoutes** (`() => ApiRoute[]`): Returns the API routes for this channel (OAuth, webhooks, events). These are merged into the server's apiRoutes automatically.
|
|
32
|
+
|
|
33
|
+
**initialize** (`() => Promise<void>`): Called during Mastra initialization after all agents are registered. Use it for async setup such as restoring active installations. Does not provision new apps.
|
|
34
|
+
|
|
35
|
+
**configure** (`(credentials: Record<string, unknown> | null) => void | Promise<void>`): Provides or clears platform credentials at runtime. Pass null to clear credentials and delete stored tokens.
|
|
36
|
+
|
|
37
|
+
**getInfo** (`() => ChannelPlatformInfo`): Returns discovery metadata for the editor UI: platform name, configuration status, and the connect options schema.
|
|
38
|
+
|
|
39
|
+
**connect** (`(agentId: string, options?: Record<string, unknown>) => Promise<ChannelConnectResult>`): Connects an agent to the platform. Returns a discriminated result describing the authorization flow required to finish the connection.
|
|
40
|
+
|
|
41
|
+
**disconnect** (`(agentId: string) => Promise<void>`): Disconnects an agent from the platform. Deletes the platform app and cleans up stored state.
|
|
42
|
+
|
|
43
|
+
**listInstallations** (`() => Promise<ChannelInstallationInfo[]>`): Lists active installations for this platform. Returns public info only, never secrets.
|
|
44
|
+
|
|
45
|
+
## Accessing a provider
|
|
46
|
+
|
|
47
|
+
Access a registered provider through the `channels` getter, keyed by the id you registered it under. The getter is typed from the constructor config, so `mastra.channels.slack` is the concrete provider with its full method surface.
|
|
48
|
+
|
|
49
|
+
```typescript
|
|
50
|
+
await mastra.channels.slack.configure({ refreshToken })
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
When the key is only known at runtime, look the provider up by string id instead. `getChannelProvider` takes the concrete type as a generic, and `getChannelProviders` returns every registered provider keyed by id.
|
|
54
|
+
|
|
55
|
+
```typescript
|
|
56
|
+
import type { SlackProvider } from '@mastra/slack'
|
|
57
|
+
|
|
58
|
+
const slack = mastra.getChannelProvider<SlackProvider>('slack')
|
|
59
|
+
const all = mastra.getChannelProviders()
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Related
|
|
63
|
+
|
|
64
|
+
- [SlackProvider](https://mastra.ai/reference/channels/slack-provider)
|
|
65
|
+
- [Channels](https://mastra.ai/docs/agents/channels)
|