@mastra/server 1.36.0-alpha.0 → 1.36.0-alpha.2

package/dist/chunk-V4ATNZXG.cjs

@@ -0,0 +1,31 @@
+'use strict';
+
+var chunk4G7S52U3_cjs = require('./chunk-4G7S52U3.cjs');
+var chunkVX3MJR4P_cjs = require('./chunk-VX3MJR4P.cjs');
+
+// src/server/handlers/favorites-enrichment.ts
+async function prepareFavoritesEnrichment(mastra, requestContext, entityType, entityIds) {
+  if (!await chunk4G7S52U3_cjs.isBuilderFeatureEnabled(mastra, "favorites")) return null;
+  const userId = chunkVX3MJR4P_cjs.getCallerAuthorId(requestContext);
+  if (!userId) return null;
+  const storage = mastra.getStorage();
+  if (!storage) return null;
+  const favoritesStore = await storage.getStore("favorites");
+  if (!favoritesStore) return null;
+  const starredIds = entityIds.length === 0 ? /* @__PURE__ */ new Set() : await favoritesStore.isFavoritedBatch({ userId, entityType, entityIds });
+  return { userId, starredIds, favoritesStore };
+}
+function stripFavoriteFields(record) {
+  if ("isFavorited" in record || "favoriteCount" in record) {
+    const copy = { ...record };
+    delete copy.isFavorited;
+    delete copy.favoriteCount;
+    return copy;
+  }
+  return record;
+}
+
+exports.prepareFavoritesEnrichment = prepareFavoritesEnrichment;
+exports.stripFavoriteFields = stripFavoriteFields;
+//# sourceMappingURL=chunk-V4ATNZXG.cjs.map
+//# sourceMappingURL=chunk-V4ATNZXG.cjs.map

package/dist/chunk-V4ATNZXG.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/handlers/favorites-enrichment.ts"],"names":["isBuilderFeatureEnabled","getCallerAuthorId"],"mappings":";;;;;;AAyBA,eAAsB,0BAAA,CACpB,MAAA,EACA,cAAA,EACA,UAAA,EACA,SAAA,EACqC;AACrC,EAAA,IAAI,CAAE,MAAMA,yCAAA,CAAwB,MAAA,EAAQ,WAAW,GAAI,OAAO,IAAA;AAElE,EAAA,MAAM,MAAA,GAASC,oCAAkB,cAAc,CAAA;AAC/C,EAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AAEpB,EAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,EAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AACrB,EAAA,MAAM,cAAA,GAAiB,MAAM,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA;AACzD,EAAA,IAAI,CAAC,gBAAgB,OAAO,IAAA;AAE5B,EAAA,MAAM,UAAA,GACJ,SAAA,CAAU,MAAA,KAAW,CAAA,uBACb,GAAA,EAAY,GAChB,MAAM,cAAA,CAAe,gBAAA,CAAiB,EAAE,MAAA,EAAQ,UAAA,EAAY,WAAW,CAAA;AAC7E,EAAA,OAAO,EAAE,MAAA,EAAQ,UAAA,EAAY,cAAA,EAAe;AAC9C;AAMO,SAAS,oBAAsC,MAAA,EAAc;AAClE,EAAA,IAAI,aAAA,IAAiB,MAAA,IAAU,eAAA,IAAmB,MAAA,EAAQ;AACxD,IAAA,MAAM,IAAA,GAAO,EAAE,GAAG,MAAA,EAAO;AACzB,IAAA,OAAO,IAAA,CAAK,WAAA;AACZ,IAAA,OAAO,IAAA,CAAK,aAAA;AACZ,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,MAAA;AACT","file":"chunk-V4ATNZXG.cjs","sourcesContent":["import type { Mastra } from '@mastra/core';\nimport type { RequestContext } from '@mastra/core/di';\nimport type { FavoritesStorage, StorageFavoriteEntityType } from '@mastra/core/storage';\n\nimport { getCallerAuthorId } from './authorship';\nimport { isBuilderFeatureEnabled } from './editor-builder';\n\n/**\n * Result of `prepareFavoritesEnrichment` — `null` when the `favorites` EE feature is off.\n * When non-null the caller may use `starredIds` to set `isFavorited` on records\n * and may pass `userId` along to storage list paths for pin-favorited-first\n * sorting (`pinFavoritedFor`).\n */\nexport type FavoritesEnrichmentContext = {\n  userId: string;\n  starredIds: Set<string>;\n  favoritesStore: FavoritesStorage;\n} | null;\n\n/**\n * Resolve the EE feature flag plus the caller's favorited set for a list of\n * candidate entity IDs in one shot. Soft-gated: returns `null` if the feature\n * is off or there's no caller — handlers should drop `isFavorited` / `favoriteCount`\n * fields and ignore `?favoritedOnly=true` in that case.\n */\nexport async function prepareFavoritesEnrichment(\n  mastra: Mastra,\n  requestContext: RequestContext,\n  entityType: StorageFavoriteEntityType,\n  entityIds: string[],\n): Promise<FavoritesEnrichmentContext> {\n  if (!(await isBuilderFeatureEnabled(mastra, 'favorites'))) return null;\n\n  const userId = getCallerAuthorId(requestContext);\n  if (!userId) return null;\n\n  const storage = mastra.getStorage();\n  if (!storage) return null;\n  const favoritesStore = await storage.getStore('favorites');\n  if (!favoritesStore) return null;\n\n  const starredIds =\n    entityIds.length === 0\n      ? new Set<string>()\n      : await favoritesStore.isFavoritedBatch({ userId, entityType, entityIds });\n  return { userId, starredIds, favoritesStore };\n}\n\n/**\n * Strip the favorites EE fields from a record. Used when the feature is off so\n * stale values from storage do not leak through the API.\n */\nexport function stripFavoriteFields<T extends object>(record: T): T {\n  if ('isFavorited' in record || 'favoriteCount' in record) {\n    const copy = { ...record } as Record<string, unknown>;\n    delete copy.isFavorited;\n    delete copy.favoriteCount;\n    return copy as T;\n  }\n  return record;\n}\n"]}

package/dist/chunk-VX3MJR4P.cjs

@@ -0,0 +1,161 @@
+'use strict';
+
+var chunk64ITUOXI_cjs = require('./chunk-64ITUOXI.cjs');
+var chunk65T6KVYX_cjs = require('./chunk-65T6KVYX.cjs');
+var ee = require('@mastra/core/auth/ee');
+
+function getCallerAuthorId(requestContext) {
+  const resourceId = requestContext.get(chunk65T6KVYX_cjs.MASTRA_RESOURCE_ID_KEY);
+  if (typeof resourceId === "string" && resourceId.length > 0) {
+    return resourceId;
+  }
+  const user = requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_KEY);
+  if (user && typeof user === "object" && "id" in user) {
+    const id = user.id;
+    if (typeof id === "string" && id.length > 0) {
+      return id;
+    }
+  }
+  return null;
+}
+function getCallerPermissions(requestContext) {
+  const raw = requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_PERMISSIONS_KEY);
+  if (Array.isArray(raw)) {
+    return raw.filter((p) => typeof p === "string");
+  }
+  return [];
+}
+function hasAdminBypass(requestContext, resource) {
+  const permissions = getCallerPermissions(requestContext);
+  if (permissions.length === 0) return false;
+  const wildcardAll = "*";
+  const resourceWildcard = `${resource}:*`;
+  const resourceAdmin = `${resource}:admin`;
+  return permissions.some((p) => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);
+}
+function hasScopedPermission(args) {
+  const { requestContext, resource, action, resourceId } = args;
+  const permissions = getCallerPermissions(requestContext);
+  if (permissions.length === 0) return false;
+  if (!resourceId) {
+    const required2 = `${resource}:${action}`;
+    return permissions.some((p) => ee.matchesPermission(p, required2));
+  }
+  const required = `${resource}:${action}:${resourceId}`;
+  return permissions.some((p) => {
+    const parts = p.split(":");
+    if (parts.length < 3) return false;
+    return ee.matchesPermission(p, required);
+  });
+}
+function resolveAuthorFilter(args) {
+  const { requestContext, resource, queryAuthorId, queryVisibility } = args;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  const bypass = hasAdminBypass(requestContext, resource);
+  if (queryVisibility === "public" && !queryAuthorId) {
+    return { kind: "publicOnly" };
+  }
+  if (bypass) {
+    return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" };
+  }
+  if (!callerAuthorId) {
+    return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" };
+  }
+  if (queryAuthorId) {
+    if (queryAuthorId === callerAuthorId) {
+      return { kind: "exact", authorId: callerAuthorId };
+    }
+    return { kind: "ownedOrPublicOthers", callerAuthorId, queryAuthorId };
+  }
+  return { kind: "ownedOrPublic", callerAuthorId };
+}
+function matchesAuthorFilter(record, filter) {
+  const owner = record.authorId ?? null;
+  const isPublic = record.visibility === "public";
+  switch (filter.kind) {
+    case "unrestricted":
+      return true;
+    case "exact":
+      return owner === filter.authorId;
+    case "ownedOrPublic":
+      return owner === null || owner === filter.callerAuthorId || isPublic;
+    case "publicOnly":
+      return owner === null || isPublic;
+    case "ownedOrPublicOthers":
+      return owner === filter.queryAuthorId && isPublic;
+  }
+}
+function assertReadAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (record.visibility === "public") return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) {
+    return;
+  }
+  throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" });
+}
+function assertExecuteAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (record.visibility === "public") return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "execute", resourceId })) {
+    return;
+  }
+  if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) {
+    return;
+  }
+  throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" });
+}
+function assertWriteAccess(args) {
+  const { requestContext, resource, resourceId, action, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action, resourceId })) {
+    return;
+  }
+  throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" });
+}
+function assertShareAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(chunk65T6KVYX_cjs.MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "share", resourceId })) {
+    return;
+  }
+  throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" });
+}
+function assertOwnership(args) {
+  assertWriteAccess({ ...args, action: "edit" });
+}
+
+exports.assertExecuteAccess = assertExecuteAccess;
+exports.assertOwnership = assertOwnership;
+exports.assertReadAccess = assertReadAccess;
+exports.assertShareAccess = assertShareAccess;
+exports.assertWriteAccess = assertWriteAccess;
+exports.getCallerAuthorId = getCallerAuthorId;
+exports.getCallerPermissions = getCallerPermissions;
+exports.hasAdminBypass = hasAdminBypass;
+exports.hasScopedPermission = hasScopedPermission;
+exports.matchesAuthorFilter = matchesAuthorFilter;
+exports.resolveAuthorFilter = resolveAuthorFilter;
+//# sourceMappingURL=chunk-VX3MJR4P.cjs.map
+//# sourceMappingURL=chunk-VX3MJR4P.cjs.map

package/dist/chunk-VX3MJR4P.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/handlers/authorship.ts"],"names":["MASTRA_RESOURCE_ID_KEY","MASTRA_USER_KEY","MASTRA_USER_PERMISSIONS_KEY","required","matchesPermission","HTTPException"],"mappings":";;;;;;AAsBO,SAAS,kBAAkB,cAAA,EAA+C;AAC/E,EAAA,MAAM,UAAA,GAAa,cAAA,CAAe,GAAA,CAAIA,wCAAsB,CAAA;AAC5D,EAAA,IAAI,OAAO,UAAA,KAAe,QAAA,IAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,cAAA,CAAe,GAAA,CAAIC,iCAAe,CAAA;AAC/C,EAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,IAAY,QAAQ,IAAA,EAAM;AACpD,IAAA,MAAM,KAAM,IAAA,CAAyB,EAAA;AACrC,IAAA,IAAI,OAAO,EAAA,KAAO,QAAA,IAAY,EAAA,CAAG,SAAS,CAAA,EAAG;AAC3C,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBAAqB,cAAA,EAA0C;AAC7E,EAAA,MAAM,GAAA,GAAM,cAAA,CAAe,GAAA,CAAIC,6CAA2B,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,MAAA,CAAO,CAAC,CAAA,KAAmB,OAAO,MAAM,QAAQ,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,EAAC;AACV;AAQO,SAAS,cAAA,CAAe,gBAAgC,QAAA,EAA2B;AACxF,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AACrC,EAAA,MAAM,WAAA,GAAc,GAAA;AACpB,EAAA,MAAM,gBAAA,GAAmB,GAAG,QAAQ,CAAA,EAAA,CAAA;AACpC,EAAA,MAAM,aAAA,GAAgB,GAAG,QAAQ,CAAA,MAAA,CAAA;AACjC,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK,CAAA,KAAM,eAAe,CAAA,KAAM,gBAAA,IAAoB,MAAM,aAAa,CAAA;AACjG;AAeO,SAAS,oBAAoB,IAAA,EAKxB;AACV,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,MAAA,EAAQ,YAAW,GAAI,IAAA;AACzD,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,MAAMC,SAAAA,GAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACtC,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAGD,SAAQ,CAAC,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,WAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,IAAI,UAAU,CAAA,CAAA;AACpD,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK;AAI3B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,KAAA;AAC7B,IAAA,OAAOC,oBAAA,CAAkB,GAAG,QAAQ,CAAA;AAAA,EACtC,CAAC,CAAA;AACH;AAqBO,SAAS,oBAAoB,IAAA,EAKnB;AACf,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,aAAA,EAAe,iBAAgB,GAAI,IAAA;AACrE,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA;AAEtD,EAAA,IAAI,eAAA,KAAoB,QAAA,IAAY,CAAC,aAAA,EAAe;AAClD,IAAA,OAAO,EAAE,MAAM,YAAA,EAAa;AAAA,EAC9B;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAIA,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,QAAA,EAAU,cAAA,EAAe;AAAA,IACnD;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,qBAAA,EAAuB,cAAA,EAAgB,aAAA,EAAc;AAAA,EACtE;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,eAAA,EAAiB,cAAA,EAAe;AACjD;AAQO,SAAS,mBAAA,CAAoB,QAAqB,MAAA,EAA+B;AACtF,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AACjC,EAAA,MAAM,QAAA,GAAW,OAAO,UAAA,KAAe,QAAA;AAEvC,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,cAAA;AACH,MAAA,OAAO,IAAA;AAAA,IACT,KAAK,OAAA;AACH,MAAA,OAAO,UAAU,MAAA,CAAO,QAAA;AAAA,IAC1B,KAAK,eAAA;AACH,MAAA,OAAO,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,CAAO,cAAA,IAAkB,QAAA;AAAA,IAC9D,KAAK,YAAA;AACH,MAAA,OAAO,UAAU,IAAA,IAAQ,QAAA;AAAA,IAC3B,KAAK,qBAAA;AAIH,MAAA,OAAO,KAAA,KAAU,OAAO,aAAA,IAAiB,QAAA;AAAA;AAE/C;AAYO,SAAS,iBAAiB,IAAA,EAKxB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AAKvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAIH,iCAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAII,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,oBAAoB,IAAA,EAK3B;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAIJ,iCAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,SAAA,EAAW,UAAA,EAAY,CAAA,EAAG;AACpF,IAAA;AAAA,EACF;AACA,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAII,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,kBAAkB,IAAA,EAMzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,MAAA,EAAQ,QAAO,GAAI,IAAA;AACjE,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAIJ,iCAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,oBAAoB,EAAE,cAAA,EAAgB,UAAU,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACzE,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAII,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAoBO,SAAS,kBAAkB,IAAA,EAKzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAIJ,iCAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,OAAA,EAAS,UAAA,EAAY,CAAA,EAAG;AAClF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAII,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAMO,SAAS,gBAAgB,IAAA,EAKvB;AACP,EAAA,iBAAA,CAAkB,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,QAAQ,CAAA;AAC/C","file":"chunk-VX3MJR4P.cjs","sourcesContent":["import { matchesPermission } from '@mastra/core/auth/ee';\nimport type { RequestContext } from '@mastra/core/di';\n\nimport { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from '../constants';\nimport { HTTPException } from '../http-exception';\n\n/**\n * Shape of a stored record that carries ownership + visibility metadata.\n * Used by `matchesAuthorFilter` and the access-assertion helpers.\n */\nexport type OwnedRecord = {\n  authorId?: string | null;\n  visibility?: 'private' | 'public';\n};\n\n/**\n * Returns the author id associated with the authenticated caller, or `null`\n * if auth is not configured / the caller cannot be resolved.\n *\n * Prefers `MASTRA_RESOURCE_ID_KEY` (set by `authConfig.mapUserToResourceId`)\n * and falls back to `user.id` on the authenticated user object.\n */\nexport function getCallerAuthorId(requestContext: RequestContext): string | null {\n  const resourceId = requestContext.get(MASTRA_RESOURCE_ID_KEY);\n  if (typeof resourceId === 'string' && resourceId.length > 0) {\n    return resourceId;\n  }\n\n  const user = requestContext.get(MASTRA_USER_KEY);\n  if (user && typeof user === 'object' && 'id' in user) {\n    const id = (user as { id: unknown }).id;\n    if (typeof id === 'string' && id.length > 0) {\n      return id;\n    }\n  }\n\n  return null;\n}\n\n/**\n * Returns the list of permission strings currently attached to the caller by\n * the RBAC provider. Returns an empty array when RBAC isn't configured.\n */\nexport function getCallerPermissions(requestContext: RequestContext): string[] {\n  const raw = requestContext.get(MASTRA_USER_PERMISSIONS_KEY);\n  if (Array.isArray(raw)) {\n    return raw.filter((p): p is string => typeof p === 'string');\n  }\n  return [];\n}\n\n/**\n * True if the caller holds a wildcard permission that lets them manage a\n * resource they don't own (e.g. admins listing agents across tenants).\n *\n * Recognizes `*`, `<resource>:*`, and `<resource>:admin`.\n */\nexport function hasAdminBypass(requestContext: RequestContext, resource: string): boolean {\n  const permissions = getCallerPermissions(requestContext);\n  if (permissions.length === 0) return false;\n  const wildcardAll = '*';\n  const resourceWildcard = `${resource}:*`;\n  const resourceAdmin = `${resource}:admin`;\n  return permissions.some(p => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);\n}\n\n/**\n * True if the caller holds a permission explicitly scoped to a specific\n * resource id — e.g. `agents:read:agent-123` or `agents:*:agent-123`.\n *\n * Broad grants without a resource-id segment (e.g. the role-default\n * `agents:execute`) are intentionally NOT treated as satisfying ownership\n * overrides. Those broad grants already gate route access at the\n * `requiresPermission` layer; giving them a second life as per-record\n * overrides would defeat the owner/visibility model.\n *\n * When called without `resourceId` (the legacy shape), falls back to the\n * original \"any matching permission\" behavior.\n */\nexport function hasScopedPermission(args: {\n  requestContext: RequestContext;\n  resource: string;\n  action: string;\n  resourceId?: string;\n}): boolean {\n  const { requestContext, resource, action, resourceId } = args;\n  const permissions = getCallerPermissions(requestContext);\n  if (permissions.length === 0) return false;\n\n  if (!resourceId) {\n    const required = `${resource}:${action}`;\n    return permissions.some(p => matchesPermission(p, required));\n  }\n\n  const required = `${resource}:${action}:${resourceId}`;\n  return permissions.some(p => {\n    // Only honor grants that explicitly name a resource id. A granted\n    // permission with just `<resource>:<action>` (no id segment) is\n    // considered a broad role grant, not a per-record override.\n    const parts = p.split(':');\n    if (parts.length < 3) return false;\n    return matchesPermission(p, required);\n  });\n}\n\nexport type AuthorFilter =\n  | { kind: 'unrestricted' }\n  | { kind: 'exact'; authorId: string }\n  | { kind: 'ownedOrPublic'; callerAuthorId: string }\n  | { kind: 'publicOnly' }\n  | { kind: 'ownedOrPublicOthers'; callerAuthorId: string; queryAuthorId: string };\n\n/**\n * Resolves the filter to apply when listing owner-scoped records.\n *\n * Behavior matrix:\n * - Admin bypass + no query overrides           → `unrestricted`.\n * - Admin bypass + `authorId=X`                 → `exact` (all of X's rows).\n * - `visibility=public` (any caller)            → `publicOnly` (aggregate public rows across owners).\n * - `authorId=X`, caller === X                  → `exact` (all of caller's rows).\n * - `authorId=X`, caller !== X (non-admin)      → `ownedOrPublicOthers` (only X's public rows).\n * - No caller (auth off)                        → `unrestricted` (or `exact` if query supplied).\n * - Default                                     → `ownedOrPublic` (caller's rows + legacy unowned + any public rows).\n */\nexport function resolveAuthorFilter(args: {\n  requestContext: RequestContext;\n  resource: string;\n  queryAuthorId?: string;\n  queryVisibility?: 'public';\n}): AuthorFilter {\n  const { requestContext, resource, queryAuthorId, queryVisibility } = args;\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  const bypass = hasAdminBypass(requestContext, resource);\n\n  if (queryVisibility === 'public' && !queryAuthorId) {\n    return { kind: 'publicOnly' };\n  }\n\n  if (bypass) {\n    return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n  }\n\n  // Auth isn't configured (no caller) → treat as unrestricted. The route's\n  // `requiresAuth`/`requiresPermission` is what gates access in that mode.\n  if (!callerAuthorId) {\n    return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n  }\n\n  if (queryAuthorId) {\n    if (queryAuthorId === callerAuthorId) {\n      return { kind: 'exact', authorId: callerAuthorId };\n    }\n    // Non-owner asking about another user: only that user's public rows are visible.\n    return { kind: 'ownedOrPublicOthers', callerAuthorId, queryAuthorId };\n  }\n\n  return { kind: 'ownedOrPublic', callerAuthorId };\n}\n\n/**\n * Returns `true` if the record is visible to the caller given the resolved\n * filter. See `resolveAuthorFilter` for the filter semantics.\n *\n * Legacy rows with `authorId == null` are treated as public (visible to all).\n */\nexport function matchesAuthorFilter(record: OwnedRecord, filter: AuthorFilter): boolean {\n  const owner = record.authorId ?? null;\n  const isPublic = record.visibility === 'public';\n\n  switch (filter.kind) {\n    case 'unrestricted':\n      return true;\n    case 'exact':\n      return owner === filter.authorId;\n    case 'ownedOrPublic':\n      return owner === null || owner === filter.callerAuthorId || isPublic;\n    case 'publicOnly':\n      return owner === null || isPublic;\n    case 'ownedOrPublicOthers':\n      // Filtering by another author's rows: only expose their public ones.\n      // Legacy unowned rows match if the query is for `null`; here the query\n      // is always for a concrete id, so unowned rows don't match.\n      return owner === filter.queryAuthorId && isPublic;\n  }\n}\n\n/**\n * Asserts the caller has read access to the record. Throws 404 if not.\n *\n * Read access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:read` or `<resource>:read:<resourceId>`.\n */\nexport function assertReadAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (record.visibility === 'public') return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  // No authenticated user on the request context means auth is not configured\n  // (single-user/dev mode). When auth IS configured, coreAuthMiddleware\n  // rejects unauthenticated requests with 401 before they reach handlers,\n  // so an absent user here genuinely means no auth provider.\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has execute access to the record. Throws 404 if not.\n *\n * Execute access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:execute` / `<resource>:execute:<resourceId>`, OR\n * - The caller holds `<resource>:read` / `<resource>:read:<resourceId>`\n *   (read implies the ability to consume/chat with the resource).\n */\nexport function assertExecuteAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (record.visibility === 'public') return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'execute', resourceId })) {\n    return;\n  }\n  if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has write access (edit or delete) to the record.\n * Throws 404 if not.\n *\n * Write access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record, OR\n * - The caller has admin bypass, OR\n * - The caller holds `<resource>:<action>` or `<resource>:<action>:<resourceId>`.\n *\n * `visibility: 'public'` alone does NOT grant write access.\n */\nexport function assertWriteAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  action: 'edit' | 'delete' | 'write';\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, action, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action, resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has share access to the record. Throws 404 if not.\n *\n * Share access controls who can change a record's audience/visibility\n * (e.g. flipping `private` ↔ `public`). It is intentionally separate from\n * `write`: a caller with only `<resource>:write` MUST NOT be able to flip\n * visibility — that would let any editor expose private records.\n *\n * Share access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record (creators can share their own records), OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:share` / `<resource>:share:<resourceId>`\n *   (or any pattern that matches it, e.g. `*:share`).\n *\n * `visibility: 'public'` does NOT grant share access — being readable doesn't\n * imply the right to change who else can read.\n */\nexport function assertShareAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'share', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Alias for `assertWriteAccess` with `action: 'edit'`. Prefer `assertWriteAccess`\n * in new code so the action is explicit.\n */\nexport function assertOwnership(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  assertWriteAccess({ ...args, action: 'edit' });\n}\n"]}

package/dist/{chunk-2OEEHCXR.js → chunk-WD2L3ZU3.js}

@@ -1,6 +1,6 @@
 import { apiSchemaManifestResponseSchema, systemPackagesResponseSchema } from './chunk-4PB6LUYQ.js';
-import { createRoute } from './chunk-E53AJNZB.js';
-import { handleError } from './chunk-P23KBWKB.js';
+import { handleError } from './chunk-GA4BG5JK.js';
+import { createRoute } from './chunk-F2FAL5CZ.js';
 import { readFileSync } from 'fs';
 
 var GET_API_SCHEMA_ROUTE = createRoute({
@@ -13,7 +13,7 @@ var GET_API_SCHEMA_ROUTE = createRoute({
   tags: ["System"],
   requiresAuth: true,
   handler: async () => {
-    const { buildApiSchemaManifest } = await import('./api-schema-manifest-AUYKZJAA.js');
+    const { buildApiSchemaManifest } = await import('./api-schema-manifest-YS3FEIFG.js');
     return buildApiSchemaManifest();
   }
 });
@@ -60,5 +60,5 @@ var GET_SYSTEM_PACKAGES_ROUTE = createRoute({
 });
 
 export { GET_API_SCHEMA_ROUTE, GET_SYSTEM_PACKAGES_ROUTE };
-//# sourceMappingURL=chunk-2OEEHCXR.js.map
-//# sourceMappingURL=chunk-2OEEHCXR.js.map
+//# sourceMappingURL=chunk-WD2L3ZU3.js.map
+//# sourceMappingURL=chunk-WD2L3ZU3.js.map

package/dist/{chunk-2OEEHCXR.js.map → chunk-WD2L3ZU3.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/server/handlers/system.ts"],"names":[],"mappings":";;;;;AAOO,IAAM,uBAAuB,WAAA,CAAY;AAAA,EAC9C,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,+BAAA;AAAA,EAChB,OAAA,EAAS,yBAAA;AAAA,EACT,WAAA,EAAa,qFAAA;AAAA,EACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,EACf,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,YAAY;AAEnB,IAAA,MAAM,EAAE,sBAAA,EAAuB,GAAI,MAAM,OAAO,mCAAuC,CAAA;AACvF,IAAA,OAAO,sBAAA,EAAuB;AAAA,EAChC;AACF,CAAC;AAEM,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,kBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,4BAAA;AAAA,EAChB,OAAA,EAAS,+BAAA;AAAA,EACT,WAAA,EAAa,qFAAA;AAAA,EACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,EACf,YAAA,EAAc,IAAA;AAAA,EACd,OAAA,EAAS,OAAO,EAAE,MAAA,EAAO,KAAM;AAC7B,IAAA,IAAI;AACF,MAAA,MAAM,gBAAA,GAAmB,QAAQ,GAAA,CAAI,oBAAA;AAErC,MAAA,IAAI,WAA4B,EAAC;AAEjC,MAAA,IAAI,gBAAA,EAAkB;AACpB,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,YAAA,CAAa,gBAAA,EAAkB,OAAO,CAAA;AAC1D,UAAA,QAAA,GAAW,IAAA,CAAK,MAAM,WAAW,CAAA;AAAA,QACnC,CAAA,CAAA,MAAQ;AACN,UAAA,QAAA,GAAW,EAAC;AAAA,QACd;AAAA,MACF;AAEA,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,cAAc,OAAA,EAAS,IAAA;AAC7B,MAAA,MAAM,oBAAA,GAAuB,SAAS,MAAA,EAAQ,aAAA;AAC9C,MAAA,MAAM,wBAAA,GAA2B,sBAAsB,WAAA,CAAY,IAAA;AACnE,MAAA,MAAM,+BAA+B,oBAAA,EAAsB,sBAAA;AAC3D,MAAA,MAAM,oBAAA,GAAuB,CAAC,CAAC,MAAA,CAAO,cAAc,kBAAA,EAAmB;AAEvE,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,KAAA,EAAO,OAAA,CAAQ,GAAA,CAAI,UAAA,KAAe,MAAA;AAAA,QAClC,UAAA,EAAY,CAAC,CAAC,MAAA,CAAO,SAAA,EAAU;AAAA,QAC/B,oBAAA;AAAA,QACA,WAAA;AAAA,QACA,wBAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,+BAA+B,CAAA;AAAA,IAC3D;AAAA,EACF;AACF,CAAC","file":"chunk-2OEEHCXR.js","sourcesContent":["import { readFileSync } from 'node:fs';\n\nimport type { MastraPackage } from '../schemas/system';\nimport { apiSchemaManifestResponseSchema, systemPackagesResponseSchema } from '../schemas/system';\nimport { createRoute } from '../server-adapter/routes/route-builder';\nimport { handleError } from './error';\n\nexport const GET_API_SCHEMA_ROUTE = createRoute({\n  method: 'GET',\n  path: '/system/api-schema',\n  responseType: 'json',\n  responseSchema: apiSchemaManifestResponseSchema,\n  summary: 'Get API schema manifest',\n  description: 'Returns the route-contract-derived API schema manifest for the machine-readable CLI',\n  tags: ['System'],\n  requiresAuth: true,\n  handler: async () => {\n    // Dynamic import to avoid circular dependency issues\n    const { buildApiSchemaManifest } = await import('../server-adapter/api-schema-manifest');\n    return buildApiSchemaManifest();\n  },\n});\n\nexport const GET_SYSTEM_PACKAGES_ROUTE = createRoute({\n  method: 'GET',\n  path: '/system/packages',\n  responseType: 'json',\n  responseSchema: systemPackagesResponseSchema,\n  summary: 'Get installed Mastra packages',\n  description: 'Returns a list of all installed Mastra packages and their versions from the project',\n  tags: ['System'],\n  requiresAuth: true,\n  handler: async ({ mastra }) => {\n    try {\n      const packagesFilePath = process.env.MASTRA_PACKAGES_FILE;\n\n      let packages: MastraPackage[] = [];\n\n      if (packagesFilePath) {\n        try {\n          const fileContent = readFileSync(packagesFilePath, 'utf-8');\n          packages = JSON.parse(fileContent);\n        } catch {\n          packages = [];\n        }\n      }\n\n      const storage = mastra.getStorage();\n      const storageType = storage?.name;\n      const observabilityStorage = storage?.stores?.observability;\n      const observabilityStorageType = observabilityStorage?.constructor.name;\n      const observabilityRuntimeStrategy = observabilityStorage?.runtimeTracingStrategy;\n      const observabilityEnabled = !!mastra.observability.getDefaultInstance();\n\n      return {\n        packages,\n        isDev: process.env.MASTRA_DEV === 'true',\n        cmsEnabled: !!mastra.getEditor(),\n        observabilityEnabled,\n        storageType,\n        observabilityStorageType,\n        observabilityRuntimeStrategy,\n      };\n    } catch (error) {\n      return handleError(error, 'Error getting system packages');\n    }\n  },\n});\n"]}
+{"version":3,"sources":["../src/server/handlers/system.ts"],"names":[],"mappings":";;;;;AAOO,IAAM,uBAAuB,WAAA,CAAY;AAAA,EAC9C,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,+BAAA;AAAA,EAChB,OAAA,EAAS,yBAAA;AAAA,EACT,WAAA,EAAa,qFAAA;AAAA,EACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,EACf,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,YAAY;AAEnB,IAAA,MAAM,EAAE,sBAAA,EAAuB,GAAI,MAAM,OAAO,mCAAuC,CAAA;AACvF,IAAA,OAAO,sBAAA,EAAuB;AAAA,EAChC;AACF,CAAC;AAEM,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,kBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,4BAAA;AAAA,EAChB,OAAA,EAAS,+BAAA;AAAA,EACT,WAAA,EAAa,qFAAA;AAAA,EACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,EACf,YAAA,EAAc,IAAA;AAAA,EACd,OAAA,EAAS,OAAO,EAAE,MAAA,EAAO,KAAM;AAC7B,IAAA,IAAI;AACF,MAAA,MAAM,gBAAA,GAAmB,QAAQ,GAAA,CAAI,oBAAA;AAErC,MAAA,IAAI,WAA4B,EAAC;AAEjC,MAAA,IAAI,gBAAA,EAAkB;AACpB,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,YAAA,CAAa,gBAAA,EAAkB,OAAO,CAAA;AAC1D,UAAA,QAAA,GAAW,IAAA,CAAK,MAAM,WAAW,CAAA;AAAA,QACnC,CAAA,CAAA,MAAQ;AACN,UAAA,QAAA,GAAW,EAAC;AAAA,QACd;AAAA,MACF;AAEA,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,cAAc,OAAA,EAAS,IAAA;AAC7B,MAAA,MAAM,oBAAA,GAAuB,SAAS,MAAA,EAAQ,aAAA;AAC9C,MAAA,MAAM,wBAAA,GAA2B,sBAAsB,WAAA,CAAY,IAAA;AACnE,MAAA,MAAM,+BAA+B,oBAAA,EAAsB,sBAAA;AAC3D,MAAA,MAAM,oBAAA,GAAuB,CAAC,CAAC,MAAA,CAAO,cAAc,kBAAA,EAAmB;AAEvE,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,KAAA,EAAO,OAAA,CAAQ,GAAA,CAAI,UAAA,KAAe,MAAA;AAAA,QAClC,UAAA,EAAY,CAAC,CAAC,MAAA,CAAO,SAAA,EAAU;AAAA,QAC/B,oBAAA;AAAA,QACA,WAAA;AAAA,QACA,wBAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,+BAA+B,CAAA;AAAA,IAC3D;AAAA,EACF;AACF,CAAC","file":"chunk-WD2L3ZU3.js","sourcesContent":["import { readFileSync } from 'node:fs';\n\nimport type { MastraPackage } from '../schemas/system';\nimport { apiSchemaManifestResponseSchema, systemPackagesResponseSchema } from '../schemas/system';\nimport { createRoute } from '../server-adapter/routes/route-builder';\nimport { handleError } from './error';\n\nexport const GET_API_SCHEMA_ROUTE = createRoute({\n  method: 'GET',\n  path: '/system/api-schema',\n  responseType: 'json',\n  responseSchema: apiSchemaManifestResponseSchema,\n  summary: 'Get API schema manifest',\n  description: 'Returns the route-contract-derived API schema manifest for the machine-readable CLI',\n  tags: ['System'],\n  requiresAuth: true,\n  handler: async () => {\n    // Dynamic import to avoid circular dependency issues\n    const { buildApiSchemaManifest } = await import('../server-adapter/api-schema-manifest');\n    return buildApiSchemaManifest();\n  },\n});\n\nexport const GET_SYSTEM_PACKAGES_ROUTE = createRoute({\n  method: 'GET',\n  path: '/system/packages',\n  responseType: 'json',\n  responseSchema: systemPackagesResponseSchema,\n  summary: 'Get installed Mastra packages',\n  description: 'Returns a list of all installed Mastra packages and their versions from the project',\n  tags: ['System'],\n  requiresAuth: true,\n  handler: async ({ mastra }) => {\n    try {\n      const packagesFilePath = process.env.MASTRA_PACKAGES_FILE;\n\n      let packages: MastraPackage[] = [];\n\n      if (packagesFilePath) {\n        try {\n          const fileContent = readFileSync(packagesFilePath, 'utf-8');\n          packages = JSON.parse(fileContent);\n        } catch {\n          packages = [];\n        }\n      }\n\n      const storage = mastra.getStorage();\n      const storageType = storage?.name;\n      const observabilityStorage = storage?.stores?.observability;\n      const observabilityStorageType = observabilityStorage?.constructor.name;\n      const observabilityRuntimeStrategy = observabilityStorage?.runtimeTracingStrategy;\n      const observabilityEnabled = !!mastra.observability.getDefaultInstance();\n\n      return {\n        packages,\n        isDev: process.env.MASTRA_DEV === 'true',\n        cmsEnabled: !!mastra.getEditor(),\n        observabilityEnabled,\n        storageType,\n        observabilityStorageType,\n        observabilityRuntimeStrategy,\n      };\n    } catch (error) {\n      return handleError(error, 'Error getting system packages');\n    }\n  },\n});\n"]}

package/dist/{chunk-M7VWAJP3.cjs → chunk-WLGC3IWY.cjs}

@@ -1,10 +1,11 @@
 'use strict';
 
-var chunk73MISLDN_cjs = require('./chunk-73MISLDN.cjs');
+var chunkD774EZRN_cjs = require('./chunk-D774EZRN.cjs');
 var chunkGFP7IMFR_cjs = require('./chunk-GFP7IMFR.cjs');
 var chunk2XZ2466F_cjs = require('./chunk-2XZ2466F.cjs');
-var chunkAZORAK4H_cjs = require('./chunk-AZORAK4H.cjs');
-var chunkB34S64RC_cjs = require('./chunk-B34S64RC.cjs');
+var chunkQZ6UFQ7V_cjs = require('./chunk-QZ6UFQ7V.cjs');
+var chunkYNSUYESL_cjs = require('./chunk-YNSUYESL.cjs');
+var chunkXTFWFQZ7_cjs = require('./chunk-XTFWFQZ7.cjs');
 var chunk64ITUOXI_cjs = require('./chunk-64ITUOXI.cjs');
 
 // src/server/handlers/agent-versions.ts
@@ -25,18 +26,18 @@ var SNAPSHOT_CONFIG_FIELDS = [
   "requestContextSchema",
   "mcpClients"
 ];
-var LIST_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_AGENT_VERSIONS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/stored/agents/:agentId/versions",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.agentVersionPathParams,
+  pathParamSchema: chunkD774EZRN_cjs.agentVersionPathParams,
   queryParamSchema: chunkGFP7IMFR_cjs.listVersionsQuerySchema,
-  responseSchema: chunk73MISLDN_cjs.listVersionsResponseSchema,
+  responseSchema: chunkD774EZRN_cjs.listVersionsResponseSchema,
   summary: "List agent versions",
   description: "Returns a paginated list of all versions for a stored agent",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, page, perPage, orderBy }) => {
+  handler: async ({ mastra, agentId, page, perPage, orderBy, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -56,6 +57,7 @@ var LIST_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!storedAgent && !codeAgentExists) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Agent with id ${agentId} not found` });
       }
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(storedAgent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       const result = await agentsStore.listVersions({
         agentId,
         page,
@@ -64,22 +66,22 @@ var LIST_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       });
       return result;
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error listing agent versions");
+      return chunkYNSUYESL_cjs.handleError(error, "Error listing agent versions");
     }
   }
 });
-var CREATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var CREATE_AGENT_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/stored/agents/:agentId/versions",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.agentVersionPathParams,
+  pathParamSchema: chunkD774EZRN_cjs.agentVersionPathParams,
   bodySchema: chunkGFP7IMFR_cjs.createVersionBodySchema,
-  responseSchema: chunk73MISLDN_cjs.createVersionResponseSchema,
+  responseSchema: chunkD774EZRN_cjs.createVersionResponseSchema,
   summary: "Create agent version",
   description: "Creates a new version snapshot of the current agent configuration",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, changeMessage }) => {
+  handler: async ({ mastra, agentId, changeMessage, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -93,6 +95,7 @@ var CREATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!agent) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Agent with id ${agentId} not found` });
       }
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       let currentConfig = {};
       if (agent.activeVersionId) {
         const activeVersion = await agentsStore.getVersion(agent.activeVersionId);
@@ -132,21 +135,21 @@ var CREATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       );
       return version;
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error creating agent version");
+      return chunkYNSUYESL_cjs.handleError(error, "Error creating agent version");
     }
   }
 });
-var GET_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GET_AGENT_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/stored/agents/:agentId/versions/:versionId",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.versionIdPathParams,
-  responseSchema: chunk73MISLDN_cjs.getVersionResponseSchema,
+  pathParamSchema: chunkD774EZRN_cjs.versionIdPathParams,
+  responseSchema: chunkD774EZRN_cjs.getVersionResponseSchema,
   summary: "Get agent version",
   description: "Returns a specific version of an agent by its version ID",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, versionId }) => {
+  handler: async ({ mastra, agentId, versionId, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -163,23 +166,25 @@ var GET_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (version.agentId !== agentId) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Version with id ${versionId} not found for agent ${agentId}` });
       }
+      const agent = await agentsStore.getById(agentId);
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       return version;
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error getting agent version");
+      return chunkYNSUYESL_cjs.handleError(error, "Error getting agent version");
     }
   }
 });
-var ACTIVATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var ACTIVATE_AGENT_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/stored/agents/:agentId/versions/:versionId/activate",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.versionIdPathParams,
+  pathParamSchema: chunkD774EZRN_cjs.versionIdPathParams,
   responseSchema: chunkGFP7IMFR_cjs.activateVersionResponseSchema,
   summary: "Activate agent version",
   description: "Sets a specific version as the active version for the agent",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, versionId }) => {
+  handler: async ({ mastra, agentId, versionId, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -193,6 +198,7 @@ var ACTIVATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!agent) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Agent with id ${agentId} not found` });
       }
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       const version = await agentsStore.getVersion(versionId);
       if (!version) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Version with id ${versionId} not found` });
@@ -212,21 +218,21 @@ var ACTIVATE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
         activeVersionId: versionId
       };
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error activating agent version");
+      return chunkYNSUYESL_cjs.handleError(error, "Error activating agent version");
     }
   }
 });
-var RESTORE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var RESTORE_AGENT_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/stored/agents/:agentId/versions/:versionId/restore",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.versionIdPathParams,
-  responseSchema: chunk73MISLDN_cjs.restoreVersionResponseSchema,
+  pathParamSchema: chunkD774EZRN_cjs.versionIdPathParams,
+  responseSchema: chunkD774EZRN_cjs.restoreVersionResponseSchema,
   summary: "Restore agent version",
   description: "Restores the agent configuration from a version, creating a new version",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, versionId }) => {
+  handler: async ({ mastra, agentId, versionId, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -240,6 +246,7 @@ var RESTORE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!agent) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Agent with id ${agentId} not found` });
       }
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       const versionToRestore = await agentsStore.getVersion(versionId);
       if (!versionToRestore) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Version with id ${versionId} not found` });
@@ -281,21 +288,21 @@ var RESTORE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       mastra.getEditor()?.agent.clearCache(agentId);
       return newVersion;
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error restoring agent version");
+      return chunkYNSUYESL_cjs.handleError(error, "Error restoring agent version");
     }
   }
 });
-var DELETE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var DELETE_AGENT_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "DELETE",
   path: "/stored/agents/:agentId/versions/:versionId",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.versionIdPathParams,
+  pathParamSchema: chunkD774EZRN_cjs.versionIdPathParams,
   responseSchema: chunkGFP7IMFR_cjs.deleteVersionResponseSchema,
   summary: "Delete agent version",
   description: "Deletes a specific version (cannot delete the active version)",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, versionId }) => {
+  handler: async ({ mastra, agentId, versionId, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -309,6 +316,7 @@ var DELETE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!agent) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Agent with id ${agentId} not found` });
       }
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       const version = await agentsStore.getVersion(versionId);
       if (!version) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Version with id ${versionId} not found` });
@@ -328,22 +336,22 @@ var DELETE_AGENT_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
         message: `Version ${version.versionNumber} deleted successfully`
       };
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error deleting agent version");
+      return chunkYNSUYESL_cjs.handleError(error, "Error deleting agent version");
     }
   }
 });
-var COMPARE_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var COMPARE_AGENT_VERSIONS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/stored/agents/:agentId/versions/compare",
   requiresAuth: true,
   responseType: "json",
-  pathParamSchema: chunk73MISLDN_cjs.agentVersionPathParams,
+  pathParamSchema: chunkD774EZRN_cjs.agentVersionPathParams,
   queryParamSchema: chunkGFP7IMFR_cjs.compareVersionsQuerySchema,
-  responseSchema: chunk73MISLDN_cjs.compareVersionsResponseSchema,
+  responseSchema: chunkD774EZRN_cjs.compareVersionsResponseSchema,
   summary: "Compare agent versions",
   description: "Compares two versions and returns the differences between them",
   tags: ["Agent Versions"],
-  handler: async ({ mastra, agentId, from, to }) => {
+  handler: async ({ mastra, agentId, from, to, requestContext }) => {
     try {
       const storage = mastra.getStorage();
       if (!storage) {
@@ -353,6 +361,8 @@ var COMPARE_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (!agentsStore) {
         throw new chunk64ITUOXI_cjs.HTTPException(500, { message: "Agents storage domain is not available" });
       }
+      const agent = await agentsStore.getById(agentId);
+      chunkQZ6UFQ7V_cjs.assertStoredResourceScope(agent, await chunkQZ6UFQ7V_cjs.getStoredResourceScope(mastra, requestContext));
       const fromVersion = await agentsStore.getVersion(from);
       if (!fromVersion) {
         throw new chunk64ITUOXI_cjs.HTTPException(404, { message: `Version with id ${from} not found` });
@@ -382,7 +392,7 @@ var COMPARE_AGENT_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
         toVersion
       };
     } catch (error) {
-      return chunkB34S64RC_cjs.handleError(error, "Error comparing agent versions");
+      return chunkYNSUYESL_cjs.handleError(error, "Error comparing agent versions");
     }
   }
 });
@@ -394,5 +404,5 @@ exports.DELETE_AGENT_VERSION_ROUTE = DELETE_AGENT_VERSION_ROUTE;
 exports.GET_AGENT_VERSION_ROUTE = GET_AGENT_VERSION_ROUTE;
 exports.LIST_AGENT_VERSIONS_ROUTE = LIST_AGENT_VERSIONS_ROUTE;
 exports.RESTORE_AGENT_VERSION_ROUTE = RESTORE_AGENT_VERSION_ROUTE;
-//# sourceMappingURL=chunk-M7VWAJP3.cjs.map
-//# sourceMappingURL=chunk-M7VWAJP3.cjs.map
+//# sourceMappingURL=chunk-WLGC3IWY.cjs.map
+//# sourceMappingURL=chunk-WLGC3IWY.cjs.map