@mastra/server 1.0.0-beta.2 → 1.0.0-beta.21

package/dist/server/auth/defaults.d.ts

@@ -0,0 +1,3 @@
+import type { MastraAuthConfig } from '@mastra/core/server';
+export declare const defaultAuthConfig: MastraAuthConfig;
+//# sourceMappingURL=defaults.d.ts.map

package/dist/server/auth/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../../src/server/auth/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAG5D,eAAO,MAAM,iBAAiB,EAAE,gBAsB/B,CAAC"}

package/dist/server/auth/helpers.d.ts

@@ -0,0 +1,14 @@
+import type { MastraAuthConfig } from '@mastra/core/server';
+/**
+ * Check if request is from dev playground
+ * @param getHeader - Function to get header value from request
+ */
+export declare const isDevPlaygroundRequest: (path: string, method: string, getHeader: (name: string) => string | undefined, authConfig: MastraAuthConfig) => boolean;
+export declare const isCustomRoutePublic: (path: string, method: string, customRouteAuthConfig?: Map<string, boolean>) => boolean;
+export declare const isProtectedPath: (path: string, method: string, authConfig: MastraAuthConfig, customRouteAuthConfig?: Map<string, boolean>) => boolean;
+export declare const canAccessPublicly: (path: string, method: string, authConfig: MastraAuthConfig) => boolean;
+export declare const pathMatchesPattern: (path: string, pattern: string) => boolean;
+export declare const pathMatchesRule: (path: string, rulePath: string | RegExp | string[] | undefined) => boolean;
+export declare const matchesOrIncludes: (values: string | string[], value: string) => boolean;
+export declare const checkRules: (rules: MastraAuthConfig["rules"], path: string, method: string, user: unknown) => Promise<boolean>;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/server/auth/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/server/auth/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAI5D;;;GAGG;AACH,eAAO,MAAM,sBAAsB,GACjC,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,WAAW,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,EAC/C,YAAY,gBAAgB,KAC3B,OAMF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,wBAAwB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,KAC3C,OAkBF,CAAC;AAEF,eAAO,MAAM,eAAe,GAC1B,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,YAAY,gBAAgB,EAC5B,wBAAwB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,KAC3C,OAGF,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,EAAE,QAAQ,MAAM,EAAE,YAAY,gBAAgB,KAAG,OAK9F,CAAC;AAiCF,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,OAQlE,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,EAAE,UAAU,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,OAgBhG,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,MAAM,KAAG,OAU5E,CAAC;AAGF,eAAO,MAAM,UAAU,GACrB,OAAO,gBAAgB,CAAC,OAAO,CAAC,EAChC,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,MAAM,OAAO,KACZ,OAAO,CAAC,OAAO,CA+BjB,CAAC"}

package/dist/server/auth/index.cjs

@@ -0,0 +1,137 @@
+'use strict';
+
+// src/server/auth/defaults.ts
+var defaultAuthConfig = {
+  protected: ["/api/*"],
+  public: ["/api"],
+  // Simple rule system
+  rules: [
+    // Admin users can do anything
+    {
+      condition: (user) => {
+        if (typeof user === "object" && user !== null) {
+          if ("isAdmin" in user) {
+            return !!user.isAdmin;
+          }
+          if ("role" in user) {
+            return user.role === "admin";
+          }
+        }
+        return false;
+      },
+      allow: true
+    }
+  ]
+};
+
+// src/server/auth/helpers.ts
+var isDevPlaygroundRequest = (path, method, getHeader, authConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return process.env.MASTRA_DEV === "true" && (!isAnyMatch(path, method, protectedAccess) || getHeader("x-mastra-dev-playground") === "true");
+};
+var isCustomRoutePublic = (path, method, customRouteAuthConfig) => {
+  if (!customRouteAuthConfig) {
+    return false;
+  }
+  const routeKey = `${method}:${path}`;
+  if (customRouteAuthConfig.has(routeKey)) {
+    return !customRouteAuthConfig.get(routeKey);
+  }
+  const allRouteKey = `ALL:${path}`;
+  if (customRouteAuthConfig.has(allRouteKey)) {
+    return !customRouteAuthConfig.get(allRouteKey);
+  }
+  return false;
+};
+var isProtectedPath = (path, method, authConfig, customRouteAuthConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);
+};
+var canAccessPublicly = (path, method, authConfig) => {
+  const publicAccess = [...defaultAuthConfig.public || [], ...authConfig.public || []];
+  return isAnyMatch(path, method, publicAccess);
+};
+var isAnyMatch = (path, method, patterns) => {
+  if (!patterns) {
+    return false;
+  }
+  for (const patternPathOrMethod of patterns) {
+    if (patternPathOrMethod instanceof RegExp) {
+      if (patternPathOrMethod.test(path)) {
+        return true;
+      }
+    }
+    if (typeof patternPathOrMethod === "string" && pathMatchesPattern(path, patternPathOrMethod)) {
+      return true;
+    }
+    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {
+      const [pattern, methodOrMethods] = patternPathOrMethod;
+      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {
+        return true;
+      }
+    }
+  }
+  return false;
+};
+var pathMatchesPattern = (path, pattern) => {
+  if (pattern.endsWith("*")) {
+    const prefix = pattern.slice(0, -1);
+    return path.startsWith(prefix);
+  }
+  return path === pattern;
+};
+var pathMatchesRule = (path, rulePath) => {
+  if (!rulePath) return true;
+  if (typeof rulePath === "string") {
+    return pathMatchesPattern(path, rulePath);
+  }
+  if (rulePath instanceof RegExp) {
+    return rulePath.test(path);
+  }
+  if (Array.isArray(rulePath)) {
+    return rulePath.some((p) => pathMatchesPattern(path, p));
+  }
+  return false;
+};
+var matchesOrIncludes = (values, value) => {
+  if (typeof values === "string") {
+    return values === value;
+  }
+  if (Array.isArray(values)) {
+    return values.includes(value);
+  }
+  return false;
+};
+var checkRules = async (rules, path, method, user) => {
+  for (const i in rules || []) {
+    const rule = rules?.[i];
+    if (!pathMatchesRule(path, rule.path)) {
+      continue;
+    }
+    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {
+      continue;
+    }
+    const condition = rule.condition;
+    if (typeof condition === "function") {
+      const allowed = await Promise.resolve().then(() => condition(user)).catch(() => false);
+      if (allowed) {
+        return true;
+      }
+    } else if (rule.allow) {
+      return true;
+    }
+  }
+  return false;
+};
+
+exports.canAccessPublicly = canAccessPublicly;
+exports.checkRules = checkRules;
+exports.defaultAuthConfig = defaultAuthConfig;
+exports.isCustomRoutePublic = isCustomRoutePublic;
+exports.isDevPlaygroundRequest = isDevPlaygroundRequest;
+exports.isProtectedPath = isProtectedPath;
+exports.matchesOrIncludes = matchesOrIncludes;
+exports.pathMatchesPattern = pathMatchesPattern;
+exports.pathMatchesRule = pathMatchesRule;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/server/auth/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/auth/defaults.ts","../../../src/server/auth/helpers.ts"],"names":[],"mappings":";;;AAGO,IAAM,iBAAA,GAAsC;AAAA,EACjD,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,EACpB,MAAA,EAAQ,CAAC,MAAM,CAAA;AAAA;AAAA,EAEf,KAAA,EAAO;AAAA;AAAA,IAEL;AAAA,MACE,WAAW,CAAA,IAAA,KAAQ;AACjB,QAAA,IAAI,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAA,EAAM;AAC7C,UAAA,IAAI,aAAa,IAAA,EAAM;AACrB,YAAA,OAAO,CAAC,CAAC,IAAA,CAAK,OAAA;AAAA,UAChB;AAEA,UAAA,IAAI,UAAU,IAAA,EAAM;AAClB,YAAA,OAAO,KAAK,IAAA,KAAS,OAAA;AAAA,UACvB;AAAA,QACF;AACA,QAAA,OAAO,KAAA;AAAA,MACT,CAAA;AAAA,MACA,KAAA,EAAO;AAAA;AACT;AAEJ;;;ACjBO,IAAM,sBAAA,GAAyB,CACpC,IAAA,EACA,MAAA,EACA,WACA,UAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OACE,OAAA,CAAQ,GAAA,CAAI,UAAA,KAAe,MAAA,KAC1B,CAAC,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,eAAe,CAAA,IAAK,SAAA,CAAU,yBAAyB,CAAA,KAAM,MAAA,CAAA;AAE5F;AAEO,IAAM,mBAAA,GAAsB,CACjC,IAAA,EACA,MAAA,EACA,qBAAA,KACY;AACZ,EAAA,IAAI,CAAC,qBAAA,EAAuB;AAC1B,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,MAAM,QAAA,GAAW,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAClC,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,QAAQ,CAAA,EAAG;AACvC,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,QAAQ,CAAA;AAAA,EAC5C;AAGA,EAAA,MAAM,WAAA,GAAc,OAAO,IAAI,CAAA,CAAA;AAC/B,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA,EAAG;AAC1C,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,eAAA,GAAkB,CAC7B,IAAA,EACA,MAAA,EACA,YACA,qBAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OAAO,UAAA,CAAW,MAAM,MAAA,EAAQ,eAAe,KAAK,CAAC,mBAAA,CAAoB,IAAA,EAAM,MAAA,EAAQ,qBAAqB,CAAA;AAC9G;AAEO,IAAM,iBAAA,GAAoB,CAAC,IAAA,EAAc,MAAA,EAAgB,UAAA,KAA0C;AAExG,EAAA,MAAM,YAAA,GAAe,CAAC,GAAI,iBAAA,CAAkB,MAAA,IAAU,EAAC,EAAI,GAAI,UAAA,CAAW,MAAA,IAAU,EAAG,CAAA;AAEvF,EAAA,OAAO,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,YAAY,CAAA;AAC9C;AAEA,IAAM,UAAA,GAAa,CACjB,IAAA,EACA,MAAA,EACA,QAAA,KACY;AACZ,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,KAAA,MAAW,uBAAuB,QAAA,EAAU;AAC1C,IAAA,IAAI,+BAA+B,MAAA,EAAQ;AACzC,MAAA,IAAI,mBAAA,CAAoB,IAAA,CAAK,IAAI,CAAA,EAAG;AAClC,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,IAAI,OAAO,mBAAA,KAAwB,QAAA,IAAY,kBAAA,CAAmB,IAAA,EAAM,mBAAmB,CAAA,EAAG;AAC5F,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,MAAM,OAAA,CAAQ,mBAAmB,CAAA,IAAK,mBAAA,CAAoB,WAAW,CAAA,EAAG;AAC1E,MAAA,MAAM,CAAC,OAAA,EAAS,eAAe,CAAA,GAAI,mBAAA;AACnC,MAAA,IAAI,mBAAmB,IAAA,EAAM,OAAO,KAAK,iBAAA,CAAkB,eAAA,EAAiB,MAAM,CAAA,EAAG;AACnF,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT,CAAA;AAEO,IAAM,kBAAA,GAAqB,CAAC,IAAA,EAAc,OAAA,KAA6B;AAG5E,EAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AACzB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAClC,IAAA,OAAO,IAAA,CAAK,WAAW,MAAM,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,IAAA,KAAS,OAAA;AAClB;AAEO,IAAM,eAAA,GAAkB,CAAC,IAAA,EAAc,QAAA,KAA8D;AAC1G,EAAA,IAAI,CAAC,UAAU,OAAO,IAAA;AAEtB,EAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,IAAA,OAAO,kBAAA,CAAmB,MAAM,QAAQ,CAAA;AAAA,EAC1C;AAEA,EAAA,IAAI,oBAAoB,MAAA,EAAQ;AAC9B,IAAA,OAAO,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC3B,IAAA,OAAO,SAAS,IAAA,CAAK,CAAA,CAAA,KAAK,kBAAA,CAAmB,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,iBAAA,GAAoB,CAAC,MAAA,EAA2B,KAAA,KAA2B;AACtF,EAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,IAAA,OAAO,MAAA,KAAW,KAAA;AAAA,EACpB;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,IAAA,OAAO,MAAA,CAAO,SAAS,KAAK,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AAGO,IAAM,UAAA,GAAa,OACxB,KAAA,EACA,IAAA,EACA,QACA,IAAA,KACqB;AAErB,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,IAAS,EAAC,EAAG;AAC3B,IAAA,MAAM,IAAA,GAAO,QAAQ,CAAC,CAAA;AAEtB,IAAA,IAAI,CAAC,eAAA,CAAgB,IAAA,EAAM,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,KAAK,OAAA,IAAW,CAAC,kBAAkB,IAAA,CAAK,OAAA,EAAS,MAAM,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,IAAA,IAAI,OAAO,cAAc,UAAA,EAAY;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,OAAA,EAAQ,CACnC,IAAA,CAAK,MAAM,SAAA,CAAU,IAAI,CAAC,CAAA,CAC1B,KAAA,CAAM,MAAM,KAAK,CAAA;AAEpB,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,OAAO,KAAA;AACT","file":"index.cjs","sourcesContent":["import type { MastraAuthConfig } from '@mastra/core/server';\n\n// Default configuration that can be extended by clients\nexport const defaultAuthConfig: MastraAuthConfig = {\n  protected: ['/api/*'],\n  public: ['/api'],\n  // Simple rule system\n  rules: [\n    // Admin users can do anything\n    {\n      condition: user => {\n        if (typeof user === 'object' && user !== null) {\n          if ('isAdmin' in user) {\n            return !!user.isAdmin;\n          }\n\n          if ('role' in user) {\n            return user.role === 'admin';\n          }\n        }\n        return false;\n      },\n      allow: true,\n    },\n  ],\n};\n","import type { MastraAuthConfig } from '@mastra/core/server';\n\nimport { defaultAuthConfig } from './defaults';\n\n/**\n * Check if request is from dev playground\n * @param getHeader - Function to get header value from request\n */\nexport const isDevPlaygroundRequest = (\n  path: string,\n  method: string,\n  getHeader: (name: string) => string | undefined,\n  authConfig: MastraAuthConfig,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return (\n    process.env.MASTRA_DEV === 'true' &&\n    (!isAnyMatch(path, method, protectedAccess) || getHeader('x-mastra-dev-playground') === 'true')\n  );\n};\n\nexport const isCustomRoutePublic = (\n  path: string,\n  method: string,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  if (!customRouteAuthConfig) {\n    return false;\n  }\n\n  // Check exact match first\n  const routeKey = `${method}:${path}`;\n  if (customRouteAuthConfig.has(routeKey)) {\n    return !customRouteAuthConfig.get(routeKey); // True when route opts out of auth\n  }\n\n  // Check ALL method\n  const allRouteKey = `ALL:${path}`;\n  if (customRouteAuthConfig.has(allRouteKey)) {\n    return !customRouteAuthConfig.get(allRouteKey);\n  }\n\n  return false;\n};\n\nexport const isProtectedPath = (\n  path: string,\n  method: string,\n  authConfig: MastraAuthConfig,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);\n};\n\nexport const canAccessPublicly = (path: string, method: string, authConfig: MastraAuthConfig): boolean => {\n  // Check if this path+method combination is publicly accessible\n  const publicAccess = [...(defaultAuthConfig.public || []), ...(authConfig.public || [])];\n\n  return isAnyMatch(path, method, publicAccess);\n};\n\nconst isAnyMatch = (\n  path: string,\n  method: string,\n  patterns: MastraAuthConfig['protected'] | MastraAuthConfig['public'],\n): boolean => {\n  if (!patterns) {\n    return false;\n  }\n\n  for (const patternPathOrMethod of patterns) {\n    if (patternPathOrMethod instanceof RegExp) {\n      if (patternPathOrMethod.test(path)) {\n        return true;\n      }\n    }\n\n    if (typeof patternPathOrMethod === 'string' && pathMatchesPattern(path, patternPathOrMethod)) {\n      return true;\n    }\n\n    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {\n      const [pattern, methodOrMethods] = patternPathOrMethod;\n      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {\n        return true;\n      }\n    }\n  }\n\n  return false;\n};\n\nexport const pathMatchesPattern = (path: string, pattern: string): boolean => {\n  // Simple pattern matching that supports wildcards\n  // e.g., '/api/agents/*' matches '/api/agents/123'\n  if (pattern.endsWith('*')) {\n    const prefix = pattern.slice(0, -1);\n    return path.startsWith(prefix);\n  }\n  return path === pattern;\n};\n\nexport const pathMatchesRule = (path: string, rulePath: string | RegExp | string[] | undefined): boolean => {\n  if (!rulePath) return true; // No path specified means all paths\n\n  if (typeof rulePath === 'string') {\n    return pathMatchesPattern(path, rulePath);\n  }\n\n  if (rulePath instanceof RegExp) {\n    return rulePath.test(path);\n  }\n\n  if (Array.isArray(rulePath)) {\n    return rulePath.some(p => pathMatchesPattern(path, p));\n  }\n\n  return false;\n};\n\nexport const matchesOrIncludes = (values: string | string[], value: string): boolean => {\n  if (typeof values === 'string') {\n    return values === value;\n  }\n\n  if (Array.isArray(values)) {\n    return values.includes(value);\n  }\n\n  return false;\n};\n\n// Check authorization rules\nexport const checkRules = async (\n  rules: MastraAuthConfig['rules'],\n  path: string,\n  method: string,\n  user: unknown,\n): Promise<boolean> => {\n  // Go through rules in order (first match wins)\n  for (const i in rules || []) {\n    const rule = rules?.[i]!;\n    // Check if rule applies to this path\n    if (!pathMatchesRule(path, rule.path)) {\n      continue;\n    }\n\n    // Check if rule applies to this method\n    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {\n      continue;\n    }\n\n    // Rule matches, check conditions\n    const condition = rule.condition;\n    if (typeof condition === 'function') {\n      const allowed = await Promise.resolve()\n        .then(() => condition(user))\n        .catch(() => false);\n\n      if (allowed) {\n        return true;\n      }\n    } else if (rule.allow) {\n      return true;\n    }\n  }\n\n  // No matching rules, deny by default\n  return false;\n};\n"]}

package/dist/server/auth/index.d.ts

@@ -0,0 +1,3 @@
+export * from './helpers.js';
+export * from './defaults.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC"}

package/dist/server/auth/index.js

@@ -0,0 +1,127 @@
+// src/server/auth/defaults.ts
+var defaultAuthConfig = {
+  protected: ["/api/*"],
+  public: ["/api"],
+  // Simple rule system
+  rules: [
+    // Admin users can do anything
+    {
+      condition: (user) => {
+        if (typeof user === "object" && user !== null) {
+          if ("isAdmin" in user) {
+            return !!user.isAdmin;
+          }
+          if ("role" in user) {
+            return user.role === "admin";
+          }
+        }
+        return false;
+      },
+      allow: true
+    }
+  ]
+};
+
+// src/server/auth/helpers.ts
+var isDevPlaygroundRequest = (path, method, getHeader, authConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return process.env.MASTRA_DEV === "true" && (!isAnyMatch(path, method, protectedAccess) || getHeader("x-mastra-dev-playground") === "true");
+};
+var isCustomRoutePublic = (path, method, customRouteAuthConfig) => {
+  if (!customRouteAuthConfig) {
+    return false;
+  }
+  const routeKey = `${method}:${path}`;
+  if (customRouteAuthConfig.has(routeKey)) {
+    return !customRouteAuthConfig.get(routeKey);
+  }
+  const allRouteKey = `ALL:${path}`;
+  if (customRouteAuthConfig.has(allRouteKey)) {
+    return !customRouteAuthConfig.get(allRouteKey);
+  }
+  return false;
+};
+var isProtectedPath = (path, method, authConfig, customRouteAuthConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);
+};
+var canAccessPublicly = (path, method, authConfig) => {
+  const publicAccess = [...defaultAuthConfig.public || [], ...authConfig.public || []];
+  return isAnyMatch(path, method, publicAccess);
+};
+var isAnyMatch = (path, method, patterns) => {
+  if (!patterns) {
+    return false;
+  }
+  for (const patternPathOrMethod of patterns) {
+    if (patternPathOrMethod instanceof RegExp) {
+      if (patternPathOrMethod.test(path)) {
+        return true;
+      }
+    }
+    if (typeof patternPathOrMethod === "string" && pathMatchesPattern(path, patternPathOrMethod)) {
+      return true;
+    }
+    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {
+      const [pattern, methodOrMethods] = patternPathOrMethod;
+      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {
+        return true;
+      }
+    }
+  }
+  return false;
+};
+var pathMatchesPattern = (path, pattern) => {
+  if (pattern.endsWith("*")) {
+    const prefix = pattern.slice(0, -1);
+    return path.startsWith(prefix);
+  }
+  return path === pattern;
+};
+var pathMatchesRule = (path, rulePath) => {
+  if (!rulePath) return true;
+  if (typeof rulePath === "string") {
+    return pathMatchesPattern(path, rulePath);
+  }
+  if (rulePath instanceof RegExp) {
+    return rulePath.test(path);
+  }
+  if (Array.isArray(rulePath)) {
+    return rulePath.some((p) => pathMatchesPattern(path, p));
+  }
+  return false;
+};
+var matchesOrIncludes = (values, value) => {
+  if (typeof values === "string") {
+    return values === value;
+  }
+  if (Array.isArray(values)) {
+    return values.includes(value);
+  }
+  return false;
+};
+var checkRules = async (rules, path, method, user) => {
+  for (const i in rules || []) {
+    const rule = rules?.[i];
+    if (!pathMatchesRule(path, rule.path)) {
+      continue;
+    }
+    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {
+      continue;
+    }
+    const condition = rule.condition;
+    if (typeof condition === "function") {
+      const allowed = await Promise.resolve().then(() => condition(user)).catch(() => false);
+      if (allowed) {
+        return true;
+      }
+    } else if (rule.allow) {
+      return true;
+    }
+  }
+  return false;
+};
+
+export { canAccessPublicly, checkRules, defaultAuthConfig, isCustomRoutePublic, isDevPlaygroundRequest, isProtectedPath, matchesOrIncludes, pathMatchesPattern, pathMatchesRule };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/server/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/auth/defaults.ts","../../../src/server/auth/helpers.ts"],"names":[],"mappings":";AAGO,IAAM,iBAAA,GAAsC;AAAA,EACjD,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,EACpB,MAAA,EAAQ,CAAC,MAAM,CAAA;AAAA;AAAA,EAEf,KAAA,EAAO;AAAA;AAAA,IAEL;AAAA,MACE,WAAW,CAAA,IAAA,KAAQ;AACjB,QAAA,IAAI,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAA,EAAM;AAC7C,UAAA,IAAI,aAAa,IAAA,EAAM;AACrB,YAAA,OAAO,CAAC,CAAC,IAAA,CAAK,OAAA;AAAA,UAChB;AAEA,UAAA,IAAI,UAAU,IAAA,EAAM;AAClB,YAAA,OAAO,KAAK,IAAA,KAAS,OAAA;AAAA,UACvB;AAAA,QACF;AACA,QAAA,OAAO,KAAA;AAAA,MACT,CAAA;AAAA,MACA,KAAA,EAAO;AAAA;AACT;AAEJ;;;ACjBO,IAAM,sBAAA,GAAyB,CACpC,IAAA,EACA,MAAA,EACA,WACA,UAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OACE,OAAA,CAAQ,GAAA,CAAI,UAAA,KAAe,MAAA,KAC1B,CAAC,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,eAAe,CAAA,IAAK,SAAA,CAAU,yBAAyB,CAAA,KAAM,MAAA,CAAA;AAE5F;AAEO,IAAM,mBAAA,GAAsB,CACjC,IAAA,EACA,MAAA,EACA,qBAAA,KACY;AACZ,EAAA,IAAI,CAAC,qBAAA,EAAuB;AAC1B,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,MAAM,QAAA,GAAW,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAClC,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,QAAQ,CAAA,EAAG;AACvC,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,QAAQ,CAAA;AAAA,EAC5C;AAGA,EAAA,MAAM,WAAA,GAAc,OAAO,IAAI,CAAA,CAAA;AAC/B,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA,EAAG;AAC1C,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,eAAA,GAAkB,CAC7B,IAAA,EACA,MAAA,EACA,YACA,qBAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OAAO,UAAA,CAAW,MAAM,MAAA,EAAQ,eAAe,KAAK,CAAC,mBAAA,CAAoB,IAAA,EAAM,MAAA,EAAQ,qBAAqB,CAAA;AAC9G;AAEO,IAAM,iBAAA,GAAoB,CAAC,IAAA,EAAc,MAAA,EAAgB,UAAA,KAA0C;AAExG,EAAA,MAAM,YAAA,GAAe,CAAC,GAAI,iBAAA,CAAkB,MAAA,IAAU,EAAC,EAAI,GAAI,UAAA,CAAW,MAAA,IAAU,EAAG,CAAA;AAEvF,EAAA,OAAO,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,YAAY,CAAA;AAC9C;AAEA,IAAM,UAAA,GAAa,CACjB,IAAA,EACA,MAAA,EACA,QAAA,KACY;AACZ,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,KAAA,MAAW,uBAAuB,QAAA,EAAU;AAC1C,IAAA,IAAI,+BAA+B,MAAA,EAAQ;AACzC,MAAA,IAAI,mBAAA,CAAoB,IAAA,CAAK,IAAI,CAAA,EAAG;AAClC,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,IAAI,OAAO,mBAAA,KAAwB,QAAA,IAAY,kBAAA,CAAmB,IAAA,EAAM,mBAAmB,CAAA,EAAG;AAC5F,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,MAAM,OAAA,CAAQ,mBAAmB,CAAA,IAAK,mBAAA,CAAoB,WAAW,CAAA,EAAG;AAC1E,MAAA,MAAM,CAAC,OAAA,EAAS,eAAe,CAAA,GAAI,mBAAA;AACnC,MAAA,IAAI,mBAAmB,IAAA,EAAM,OAAO,KAAK,iBAAA,CAAkB,eAAA,EAAiB,MAAM,CAAA,EAAG;AACnF,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT,CAAA;AAEO,IAAM,kBAAA,GAAqB,CAAC,IAAA,EAAc,OAAA,KAA6B;AAG5E,EAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AACzB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAClC,IAAA,OAAO,IAAA,CAAK,WAAW,MAAM,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,IAAA,KAAS,OAAA;AAClB;AAEO,IAAM,eAAA,GAAkB,CAAC,IAAA,EAAc,QAAA,KAA8D;AAC1G,EAAA,IAAI,CAAC,UAAU,OAAO,IAAA;AAEtB,EAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,IAAA,OAAO,kBAAA,CAAmB,MAAM,QAAQ,CAAA;AAAA,EAC1C;AAEA,EAAA,IAAI,oBAAoB,MAAA,EAAQ;AAC9B,IAAA,OAAO,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC3B,IAAA,OAAO,SAAS,IAAA,CAAK,CAAA,CAAA,KAAK,kBAAA,CAAmB,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,iBAAA,GAAoB,CAAC,MAAA,EAA2B,KAAA,KAA2B;AACtF,EAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,IAAA,OAAO,MAAA,KAAW,KAAA;AAAA,EACpB;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,IAAA,OAAO,MAAA,CAAO,SAAS,KAAK,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AAGO,IAAM,UAAA,GAAa,OACxB,KAAA,EACA,IAAA,EACA,QACA,IAAA,KACqB;AAErB,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,IAAS,EAAC,EAAG;AAC3B,IAAA,MAAM,IAAA,GAAO,QAAQ,CAAC,CAAA;AAEtB,IAAA,IAAI,CAAC,eAAA,CAAgB,IAAA,EAAM,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,KAAK,OAAA,IAAW,CAAC,kBAAkB,IAAA,CAAK,OAAA,EAAS,MAAM,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,IAAA,IAAI,OAAO,cAAc,UAAA,EAAY;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,OAAA,EAAQ,CACnC,IAAA,CAAK,MAAM,SAAA,CAAU,IAAI,CAAC,CAAA,CAC1B,KAAA,CAAM,MAAM,KAAK,CAAA;AAEpB,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,OAAO,KAAA;AACT","file":"index.js","sourcesContent":["import type { MastraAuthConfig } from '@mastra/core/server';\n\n// Default configuration that can be extended by clients\nexport const defaultAuthConfig: MastraAuthConfig = {\n  protected: ['/api/*'],\n  public: ['/api'],\n  // Simple rule system\n  rules: [\n    // Admin users can do anything\n    {\n      condition: user => {\n        if (typeof user === 'object' && user !== null) {\n          if ('isAdmin' in user) {\n            return !!user.isAdmin;\n          }\n\n          if ('role' in user) {\n            return user.role === 'admin';\n          }\n        }\n        return false;\n      },\n      allow: true,\n    },\n  ],\n};\n","import type { MastraAuthConfig } from '@mastra/core/server';\n\nimport { defaultAuthConfig } from './defaults';\n\n/**\n * Check if request is from dev playground\n * @param getHeader - Function to get header value from request\n */\nexport const isDevPlaygroundRequest = (\n  path: string,\n  method: string,\n  getHeader: (name: string) => string | undefined,\n  authConfig: MastraAuthConfig,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return (\n    process.env.MASTRA_DEV === 'true' &&\n    (!isAnyMatch(path, method, protectedAccess) || getHeader('x-mastra-dev-playground') === 'true')\n  );\n};\n\nexport const isCustomRoutePublic = (\n  path: string,\n  method: string,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  if (!customRouteAuthConfig) {\n    return false;\n  }\n\n  // Check exact match first\n  const routeKey = `${method}:${path}`;\n  if (customRouteAuthConfig.has(routeKey)) {\n    return !customRouteAuthConfig.get(routeKey); // True when route opts out of auth\n  }\n\n  // Check ALL method\n  const allRouteKey = `ALL:${path}`;\n  if (customRouteAuthConfig.has(allRouteKey)) {\n    return !customRouteAuthConfig.get(allRouteKey);\n  }\n\n  return false;\n};\n\nexport const isProtectedPath = (\n  path: string,\n  method: string,\n  authConfig: MastraAuthConfig,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);\n};\n\nexport const canAccessPublicly = (path: string, method: string, authConfig: MastraAuthConfig): boolean => {\n  // Check if this path+method combination is publicly accessible\n  const publicAccess = [...(defaultAuthConfig.public || []), ...(authConfig.public || [])];\n\n  return isAnyMatch(path, method, publicAccess);\n};\n\nconst isAnyMatch = (\n  path: string,\n  method: string,\n  patterns: MastraAuthConfig['protected'] | MastraAuthConfig['public'],\n): boolean => {\n  if (!patterns) {\n    return false;\n  }\n\n  for (const patternPathOrMethod of patterns) {\n    if (patternPathOrMethod instanceof RegExp) {\n      if (patternPathOrMethod.test(path)) {\n        return true;\n      }\n    }\n\n    if (typeof patternPathOrMethod === 'string' && pathMatchesPattern(path, patternPathOrMethod)) {\n      return true;\n    }\n\n    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {\n      const [pattern, methodOrMethods] = patternPathOrMethod;\n      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {\n        return true;\n      }\n    }\n  }\n\n  return false;\n};\n\nexport const pathMatchesPattern = (path: string, pattern: string): boolean => {\n  // Simple pattern matching that supports wildcards\n  // e.g., '/api/agents/*' matches '/api/agents/123'\n  if (pattern.endsWith('*')) {\n    const prefix = pattern.slice(0, -1);\n    return path.startsWith(prefix);\n  }\n  return path === pattern;\n};\n\nexport const pathMatchesRule = (path: string, rulePath: string | RegExp | string[] | undefined): boolean => {\n  if (!rulePath) return true; // No path specified means all paths\n\n  if (typeof rulePath === 'string') {\n    return pathMatchesPattern(path, rulePath);\n  }\n\n  if (rulePath instanceof RegExp) {\n    return rulePath.test(path);\n  }\n\n  if (Array.isArray(rulePath)) {\n    return rulePath.some(p => pathMatchesPattern(path, p));\n  }\n\n  return false;\n};\n\nexport const matchesOrIncludes = (values: string | string[], value: string): boolean => {\n  if (typeof values === 'string') {\n    return values === value;\n  }\n\n  if (Array.isArray(values)) {\n    return values.includes(value);\n  }\n\n  return false;\n};\n\n// Check authorization rules\nexport const checkRules = async (\n  rules: MastraAuthConfig['rules'],\n  path: string,\n  method: string,\n  user: unknown,\n): Promise<boolean> => {\n  // Go through rules in order (first match wins)\n  for (const i in rules || []) {\n    const rule = rules?.[i]!;\n    // Check if rule applies to this path\n    if (!pathMatchesRule(path, rule.path)) {\n      continue;\n    }\n\n    // Check if rule applies to this method\n    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {\n      continue;\n    }\n\n    // Rule matches, check conditions\n    const condition = rule.condition;\n    if (typeof condition === 'function') {\n      const allowed = await Promise.resolve()\n        .then(() => condition(user))\n        .catch(() => false);\n\n      if (allowed) {\n        return true;\n      }\n    } else if (rule.allow) {\n      return true;\n    }\n  }\n\n  // No matching rules, deny by default\n  return false;\n};\n"]}

package/dist/server/handlers/a2a.cjs

@@ -1,32 +1,40 @@
 'use strict';
 
-var chunkKJIDZQRA_cjs = require('../../chunk-KJIDZQRA.cjs');
+var chunkU7IJEAF4_cjs = require('../../chunk-U7IJEAF4.cjs');
 
 
 
+Object.defineProperty(exports, "AGENT_EXECUTION_ROUTE", {
+  enumerable: true,
+  get: function () { return chunkU7IJEAF4_cjs.AGENT_EXECUTION_ROUTE; }
+});
+Object.defineProperty(exports, "GET_AGENT_CARD_ROUTE", {
+  enumerable: true,
+  get: function () { return chunkU7IJEAF4_cjs.GET_AGENT_CARD_ROUTE; }
+});
 Object.defineProperty(exports, "getAgentCardByIdHandler", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.getAgentCardByIdHandler; }
+  get: function () { return chunkU7IJEAF4_cjs.getAgentCardByIdHandler; }
 });
 Object.defineProperty(exports, "getAgentExecutionHandler", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.getAgentExecutionHandler; }
+  get: function () { return chunkU7IJEAF4_cjs.getAgentExecutionHandler; }
 });
 Object.defineProperty(exports, "handleMessageSend", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.handleMessageSend; }
+  get: function () { return chunkU7IJEAF4_cjs.handleMessageSend; }
 });
 Object.defineProperty(exports, "handleMessageStream", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.handleMessageStream; }
+  get: function () { return chunkU7IJEAF4_cjs.handleMessageStream; }
 });
 Object.defineProperty(exports, "handleTaskCancel", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.handleTaskCancel; }
+  get: function () { return chunkU7IJEAF4_cjs.handleTaskCancel; }
 });
 Object.defineProperty(exports, "handleTaskGet", {
   enumerable: true,
-  get: function () { return chunkKJIDZQRA_cjs.handleTaskGet; }
+  get: function () { return chunkU7IJEAF4_cjs.handleTaskGet; }
 });
 //# sourceMappingURL=a2a.cjs.map
 //# sourceMappingURL=a2a.cjs.map