@mastra/server 1.36.0-alpha.0 → 1.36.0-alpha.2

package/dist/server/handlers/auth.d.ts

@@ -7,6 +7,7 @@
  * - Handle OAuth callbacks
  * - Logout users
  */
+import { z } from 'zod/v4';
 /**
  * Get the public-facing origin from a request, respecting reverse proxy headers.
  * Behind a proxy (e.g. edge router), request.url contains the internal hostname,
@@ -71,60 +72,60 @@ export declare const GET_AUTH_CAPABILITIES_ROUTE: import("../server-adapter").Se
         roles: string[];
         permissions: string[];
     } | null;
-}, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodUnion<readonly [import("zod").ZodObject<{
-    enabled: import("zod").ZodBoolean;
-    login: import("zod").ZodNullable<import("zod").ZodObject<{
-        type: import("zod").ZodEnum<{
+}, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodUnion<readonly [z.ZodObject<{
+    enabled: z.ZodBoolean;
+    login: z.ZodNullable<z.ZodObject<{
+        type: z.ZodEnum<{
             credentials: "credentials";
             sso: "sso";
             both: "both";
         }>;
-        sso: import("zod").ZodOptional<import("zod").ZodObject<{
-            provider: import("zod").ZodString;
-            text: import("zod").ZodString;
-            icon: import("zod").ZodOptional<import("zod").ZodString>;
-            description: import("zod").ZodOptional<import("zod").ZodString>;
-            url: import("zod").ZodString;
-        }, import("zod/v4/core").$strip>>;
-        signUpEnabled: import("zod").ZodOptional<import("zod").ZodBoolean>;
-        description: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-    user: import("zod").ZodObject<{
-        id: import("zod").ZodString;
-        email: import("zod").ZodOptional<import("zod").ZodString>;
-        name: import("zod").ZodOptional<import("zod").ZodString>;
-        avatarUrl: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>;
-    capabilities: import("zod").ZodObject<{
-        user: import("zod").ZodBoolean;
-        session: import("zod").ZodBoolean;
-        sso: import("zod").ZodBoolean;
-        rbac: import("zod").ZodBoolean;
-        acl: import("zod").ZodBoolean;
-    }, import("zod/v4/core").$strip>;
-    access: import("zod").ZodNullable<import("zod").ZodObject<{
-        roles: import("zod").ZodArray<import("zod").ZodString>;
-        permissions: import("zod").ZodArray<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-}, import("zod/v4/core").$strip>, import("zod").ZodObject<{
-    enabled: import("zod").ZodBoolean;
-    login: import("zod").ZodNullable<import("zod").ZodObject<{
-        type: import("zod").ZodEnum<{
+        sso: z.ZodOptional<z.ZodObject<{
+            provider: z.ZodString;
+            text: z.ZodString;
+            icon: z.ZodOptional<z.ZodString>;
+            description: z.ZodOptional<z.ZodString>;
+            url: z.ZodString;
+        }, z.core.$strip>>;
+        signUpEnabled: z.ZodOptional<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    user: z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatarUrl: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    capabilities: z.ZodObject<{
+        user: z.ZodBoolean;
+        session: z.ZodBoolean;
+        sso: z.ZodBoolean;
+        rbac: z.ZodBoolean;
+        acl: z.ZodBoolean;
+    }, z.core.$strip>;
+    access: z.ZodNullable<z.ZodObject<{
+        roles: z.ZodArray<z.ZodString>;
+        permissions: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    enabled: z.ZodBoolean;
+    login: z.ZodNullable<z.ZodObject<{
+        type: z.ZodEnum<{
             credentials: "credentials";
             sso: "sso";
             both: "both";
         }>;
-        sso: import("zod").ZodOptional<import("zod").ZodObject<{
-            provider: import("zod").ZodString;
-            text: import("zod").ZodString;
-            icon: import("zod").ZodOptional<import("zod").ZodString>;
-            description: import("zod").ZodOptional<import("zod").ZodString>;
-            url: import("zod").ZodString;
-        }, import("zod/v4/core").$strip>>;
-        signUpEnabled: import("zod").ZodOptional<import("zod").ZodBoolean>;
-        description: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-}, import("zod/v4/core").$strip>]>>, "GET", "/auth/capabilities">;
+        sso: z.ZodOptional<z.ZodObject<{
+            provider: z.ZodString;
+            text: z.ZodString;
+            icon: z.ZodOptional<z.ZodString>;
+            description: z.ZodOptional<z.ZodString>;
+            url: z.ZodString;
+        }, z.core.$strip>>;
+        signUpEnabled: z.ZodOptional<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>]>>, "GET", "/auth/capabilities">;
 export declare const GET_CURRENT_USER_ROUTE: import("../server-adapter").ServerRoute<{}, {
     id: string;
     email?: string | undefined;
@@ -132,48 +133,59 @@ export declare const GET_CURRENT_USER_ROUTE: import("../server-adapter").ServerR
     avatarUrl?: string | undefined;
     roles?: string[] | undefined;
     permissions?: string[] | undefined;
-} | null, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodNullable<import("zod").ZodObject<{
-    id: import("zod").ZodString;
-    email: import("zod").ZodOptional<import("zod").ZodString>;
-    name: import("zod").ZodOptional<import("zod").ZodString>;
-    avatarUrl: import("zod").ZodOptional<import("zod").ZodString>;
-    roles: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
-    permissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
-}, import("zod/v4/core").$strip>>>, "GET", "/auth/me">;
+} | null, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodNullable<z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    avatarUrl: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>>>, "GET", "/auth/me">;
 export declare const GET_SSO_LOGIN_ROUTE: import("../server-adapter").ServerRoute<{
     redirect_uri?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, import("zod").ZodObject<{
-    redirect_uri: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined, undefined>, "GET", "/auth/sso/login">;
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, z.ZodObject<{
+    redirect_uri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined, undefined>, "GET", "/auth/sso/login">;
 export declare const GET_SSO_CALLBACK_ROUTE: import("../server-adapter").ServerRoute<{
     code: string;
     state?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, import("zod").ZodObject<{
-    code: import("zod").ZodString;
-    state: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined, undefined>, "GET", "/auth/sso/callback">;
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, z.ZodObject<{
+    code: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined, undefined>, "GET", "/auth/sso/callback">;
 export declare const POST_LOGOUT_ROUTE: import("../server-adapter").ServerRoute<{}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, undefined>, "POST", "/auth/logout">;
 export declare const POST_REFRESH_ROUTE: import("../server-adapter").ServerRoute<{}, {
     success: boolean;
-}, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodObject<{
-    success: import("zod").ZodBoolean;
-}, import("zod/v4/core").$strip>>, "POST", "/auth/refresh">;
+}, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodObject<{
+    success: z.ZodBoolean;
+}, z.core.$strip>>, "POST", "/auth/refresh">;
 export declare const POST_CREDENTIALS_SIGN_IN_ROUTE: import("../server-adapter").ServerRoute<{
     email: string;
     password: string;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, import("zod").ZodObject<{
-    email: import("zod").ZodString;
-    password: import("zod").ZodString;
-}, import("zod/v4/core").$strip>, undefined>, "POST", "/auth/credentials/sign-in">;
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, z.core.$strip>, undefined>, "POST", "/auth/credentials/sign-in">;
 export declare const POST_CREDENTIALS_SIGN_UP_ROUTE: import("../server-adapter").ServerRoute<{
     email: string;
     password: string;
     name?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, import("zod").ZodObject<{
-    email: import("zod").ZodString;
-    password: import("zod").ZodString;
-    name: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined>, "POST", "/auth/credentials/sign-up">;
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined>, "POST", "/auth/credentials/sign-up">;
+export declare const GET_ROLE_PERMISSIONS_ROUTE: import("../server-adapter").ServerRoute<{
+    roleId: string;
+}, {
+    roleId: string;
+    permissions: string[];
+}, "json", import("../server-adapter").RouteSchemas<z.ZodObject<{
+    roleId: z.ZodString;
+}, z.core.$strip>, undefined, undefined, z.ZodObject<{
+    roleId: z.ZodString;
+    permissions: z.ZodArray<z.ZodString>;
+}, z.core.$strip>>, "GET", "/auth/roles/:roleId/permissions">;
 export declare const AUTH_ROUTES: readonly [import("../server-adapter").ServerRoute<{}, {
     enabled: boolean;
     login: {
@@ -219,100 +231,110 @@ export declare const AUTH_ROUTES: readonly [import("../server-adapter").ServerRo
         roles: string[];
         permissions: string[];
     } | null;
-}, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodUnion<readonly [import("zod").ZodObject<{
-    enabled: import("zod").ZodBoolean;
-    login: import("zod").ZodNullable<import("zod").ZodObject<{
-        type: import("zod").ZodEnum<{
+}, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodUnion<readonly [z.ZodObject<{
+    enabled: z.ZodBoolean;
+    login: z.ZodNullable<z.ZodObject<{
+        type: z.ZodEnum<{
             credentials: "credentials";
             sso: "sso";
             both: "both";
         }>;
-        sso: import("zod").ZodOptional<import("zod").ZodObject<{
-            provider: import("zod").ZodString;
-            text: import("zod").ZodString;
-            icon: import("zod").ZodOptional<import("zod").ZodString>;
-            description: import("zod").ZodOptional<import("zod").ZodString>;
-            url: import("zod").ZodString;
-        }, import("zod/v4/core").$strip>>;
-        signUpEnabled: import("zod").ZodOptional<import("zod").ZodBoolean>;
-        description: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-    user: import("zod").ZodObject<{
-        id: import("zod").ZodString;
-        email: import("zod").ZodOptional<import("zod").ZodString>;
-        name: import("zod").ZodOptional<import("zod").ZodString>;
-        avatarUrl: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>;
-    capabilities: import("zod").ZodObject<{
-        user: import("zod").ZodBoolean;
-        session: import("zod").ZodBoolean;
-        sso: import("zod").ZodBoolean;
-        rbac: import("zod").ZodBoolean;
-        acl: import("zod").ZodBoolean;
-    }, import("zod/v4/core").$strip>;
-    access: import("zod").ZodNullable<import("zod").ZodObject<{
-        roles: import("zod").ZodArray<import("zod").ZodString>;
-        permissions: import("zod").ZodArray<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-}, import("zod/v4/core").$strip>, import("zod").ZodObject<{
-    enabled: import("zod").ZodBoolean;
-    login: import("zod").ZodNullable<import("zod").ZodObject<{
-        type: import("zod").ZodEnum<{
+        sso: z.ZodOptional<z.ZodObject<{
+            provider: z.ZodString;
+            text: z.ZodString;
+            icon: z.ZodOptional<z.ZodString>;
+            description: z.ZodOptional<z.ZodString>;
+            url: z.ZodString;
+        }, z.core.$strip>>;
+        signUpEnabled: z.ZodOptional<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    user: z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        avatarUrl: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
+    capabilities: z.ZodObject<{
+        user: z.ZodBoolean;
+        session: z.ZodBoolean;
+        sso: z.ZodBoolean;
+        rbac: z.ZodBoolean;
+        acl: z.ZodBoolean;
+    }, z.core.$strip>;
+    access: z.ZodNullable<z.ZodObject<{
+        roles: z.ZodArray<z.ZodString>;
+        permissions: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>, z.ZodObject<{
+    enabled: z.ZodBoolean;
+    login: z.ZodNullable<z.ZodObject<{
+        type: z.ZodEnum<{
             credentials: "credentials";
             sso: "sso";
             both: "both";
         }>;
-        sso: import("zod").ZodOptional<import("zod").ZodObject<{
-            provider: import("zod").ZodString;
-            text: import("zod").ZodString;
-            icon: import("zod").ZodOptional<import("zod").ZodString>;
-            description: import("zod").ZodOptional<import("zod").ZodString>;
-            url: import("zod").ZodString;
-        }, import("zod/v4/core").$strip>>;
-        signUpEnabled: import("zod").ZodOptional<import("zod").ZodBoolean>;
-        description: import("zod").ZodOptional<import("zod").ZodString>;
-    }, import("zod/v4/core").$strip>>;
-}, import("zod/v4/core").$strip>]>>, "GET", "/auth/capabilities">, import("../server-adapter").ServerRoute<{}, {
+        sso: z.ZodOptional<z.ZodObject<{
+            provider: z.ZodString;
+            text: z.ZodString;
+            icon: z.ZodOptional<z.ZodString>;
+            description: z.ZodOptional<z.ZodString>;
+            url: z.ZodString;
+        }, z.core.$strip>>;
+        signUpEnabled: z.ZodOptional<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>]>>, "GET", "/auth/capabilities">, import("../server-adapter").ServerRoute<{}, {
     id: string;
     email?: string | undefined;
     name?: string | undefined;
     avatarUrl?: string | undefined;
     roles?: string[] | undefined;
     permissions?: string[] | undefined;
-} | null, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodNullable<import("zod").ZodObject<{
-    id: import("zod").ZodString;
-    email: import("zod").ZodOptional<import("zod").ZodString>;
-    name: import("zod").ZodOptional<import("zod").ZodString>;
-    avatarUrl: import("zod").ZodOptional<import("zod").ZodString>;
-    roles: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
-    permissions: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
-}, import("zod/v4/core").$strip>>>, "GET", "/auth/me">, import("../server-adapter").ServerRoute<{
+} | null, "json", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodNullable<z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    avatarUrl: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>>>, "GET", "/auth/me">, import("../server-adapter").ServerRoute<{
     redirect_uri?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, import("zod").ZodObject<{
-    redirect_uri: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined, undefined>, "GET", "/auth/sso/login">, import("../server-adapter").ServerRoute<{
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, z.ZodObject<{
+    redirect_uri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined, undefined>, "GET", "/auth/sso/login">, import("../server-adapter").ServerRoute<{
     code: string;
     state?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, import("zod").ZodObject<{
-    code: import("zod").ZodString;
-    state: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined, undefined>, "GET", "/auth/sso/callback">, import("../server-adapter").ServerRoute<{}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, undefined>, "POST", "/auth/logout">, import("../server-adapter").ServerRoute<{}, {
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, z.ZodObject<{
+    code: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined, undefined>, "GET", "/auth/sso/callback">, import("../server-adapter").ServerRoute<{}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, undefined>, "POST", "/auth/logout">, import("../server-adapter").ServerRoute<{}, {
     success: boolean;
-}, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, import("zod").ZodObject<{
-    success: import("zod").ZodBoolean;
-}, import("zod/v4/core").$strip>>, "POST", "/auth/refresh">, import("../server-adapter").ServerRoute<{
+}, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, undefined, z.ZodObject<{
+    success: z.ZodBoolean;
+}, z.core.$strip>>, "POST", "/auth/refresh">, import("../server-adapter").ServerRoute<{
     email: string;
     password: string;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, import("zod").ZodObject<{
-    email: import("zod").ZodString;
-    password: import("zod").ZodString;
-}, import("zod/v4/core").$strip>, undefined>, "POST", "/auth/credentials/sign-in">, import("../server-adapter").ServerRoute<{
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, z.core.$strip>, undefined>, "POST", "/auth/credentials/sign-in">, import("../server-adapter").ServerRoute<{
     email: string;
     password: string;
     name?: string | undefined;
-}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, import("zod").ZodObject<{
-    email: import("zod").ZodString;
-    password: import("zod").ZodString;
-    name: import("zod").ZodOptional<import("zod").ZodString>;
-}, import("zod/v4/core").$strip>, undefined>, "POST", "/auth/credentials/sign-up">];
+}, unknown, "datastream-response", import("../server-adapter").RouteSchemas<undefined, undefined, z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, undefined>, "POST", "/auth/credentials/sign-up">, import("../server-adapter").ServerRoute<{
+    roleId: string;
+}, {
+    roleId: string;
+    permissions: string[];
+}, "json", import("../server-adapter").RouteSchemas<z.ZodObject<{
+    roleId: z.ZodString;
+}, z.core.$strip>, undefined, undefined, z.ZodObject<{
+    roleId: z.ZodString;
+    permissions: z.ZodArray<z.ZodString>;
+}, z.core.$strip>>, "GET", "/auth/roles/:roleId/permissions">];
 //# sourceMappingURL=auth.d.ts.map

package/dist/server/handlers/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/handlers/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA8DH;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAcxD;AA6BD,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iEAoEtC,CAAC;AAiBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;sDA8CjC,CAAC;AAMH,eAAO,MAAM,mBAAmB;;;;kFA4E9B,CAAC;AAMH,eAAO,MAAM,sBAAsB;;;;;;qFAiGjC,CAAC;AAMH,eAAO,MAAM,iBAAiB,2LAwD5B,CAAC;AAMH,eAAO,MAAM,kBAAkB;;;;2DAoD7B,CAAC;AAMH,eAAO,MAAM,8BAA8B;;;;;;kFAkDzC,CAAC;AAMH,eAAO,MAAM,8BAA8B;;;;;;;;kFAqDzC,CAAC;AAMH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mFASd,CAAC"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/handlers/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAYH,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAoD3B;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAcxD;AA6BD,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kDAoEtC,CAAC;AAiBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;uCA8CjC,CAAC;AAMH,eAAO,MAAM,mBAAmB;;;;mEA4E9B,CAAC;AAMH,eAAO,MAAM,sBAAsB;;;;;;sEAiGjC,CAAC;AAMH,eAAO,MAAM,iBAAiB,2LAwD5B,CAAC;AAMH,eAAO,MAAM,kBAAkB;;;;4CAoD7B,CAAC;AAMH,eAAO,MAAM,8BAA8B;;;;;;mEAkDzC,CAAC;AAMH,eAAO,MAAM,8BAA8B;;;;;;;;mEAqDzC,CAAC;AASH,eAAO,MAAM,0BAA0B;;;;;;;;;;6DAkCrC,CAAC;AAMH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8DAUd,CAAC"}

package/dist/server/handlers/auth.js

@@ -1,3 +1,3 @@
-export { AUTH_ROUTES, GET_AUTH_CAPABILITIES_ROUTE, GET_CURRENT_USER_ROUTE, GET_SSO_CALLBACK_ROUTE, GET_SSO_LOGIN_ROUTE, POST_CREDENTIALS_SIGN_IN_ROUTE, POST_CREDENTIALS_SIGN_UP_ROUTE, POST_LOGOUT_ROUTE, POST_REFRESH_ROUTE, getPublicOrigin } from '../../chunk-3Y7SOTAS.js';
+export { AUTH_ROUTES, GET_AUTH_CAPABILITIES_ROUTE, GET_CURRENT_USER_ROUTE, GET_ROLE_PERMISSIONS_ROUTE, GET_SSO_CALLBACK_ROUTE, GET_SSO_LOGIN_ROUTE, POST_CREDENTIALS_SIGN_IN_ROUTE, POST_CREDENTIALS_SIGN_UP_ROUTE, POST_LOGOUT_ROUTE, POST_REFRESH_ROUTE, getPublicOrigin } from '../../chunk-2SMGXJZJ.js';
 //# sourceMappingURL=auth.js.map
 //# sourceMappingURL=auth.js.map

package/dist/server/handlers/authorship.cjs

@@ -0,0 +1,52 @@
+'use strict';
+
+var chunkVX3MJR4P_cjs = require('../../chunk-VX3MJR4P.cjs');
+
+
+
+Object.defineProperty(exports, "assertExecuteAccess", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.assertExecuteAccess; }
+});
+Object.defineProperty(exports, "assertOwnership", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.assertOwnership; }
+});
+Object.defineProperty(exports, "assertReadAccess", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.assertReadAccess; }
+});
+Object.defineProperty(exports, "assertShareAccess", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.assertShareAccess; }
+});
+Object.defineProperty(exports, "assertWriteAccess", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.assertWriteAccess; }
+});
+Object.defineProperty(exports, "getCallerAuthorId", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.getCallerAuthorId; }
+});
+Object.defineProperty(exports, "getCallerPermissions", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.getCallerPermissions; }
+});
+Object.defineProperty(exports, "hasAdminBypass", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.hasAdminBypass; }
+});
+Object.defineProperty(exports, "hasScopedPermission", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.hasScopedPermission; }
+});
+Object.defineProperty(exports, "matchesAuthorFilter", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.matchesAuthorFilter; }
+});
+Object.defineProperty(exports, "resolveAuthorFilter", {
+  enumerable: true,
+  get: function () { return chunkVX3MJR4P_cjs.resolveAuthorFilter; }
+});
+//# sourceMappingURL=authorship.cjs.map
+//# sourceMappingURL=authorship.cjs.map

package/dist/server/handlers/authorship.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"authorship.cjs"}

package/dist/server/handlers/authorship.d.ts

@@ -0,0 +1,176 @@
+import type { RequestContext } from '@mastra/core/di';
+/**
+ * Shape of a stored record that carries ownership + visibility metadata.
+ * Used by `matchesAuthorFilter` and the access-assertion helpers.
+ */
+export type OwnedRecord = {
+    authorId?: string | null;
+    visibility?: 'private' | 'public';
+};
+/**
+ * Returns the author id associated with the authenticated caller, or `null`
+ * if auth is not configured / the caller cannot be resolved.
+ *
+ * Prefers `MASTRA_RESOURCE_ID_KEY` (set by `authConfig.mapUserToResourceId`)
+ * and falls back to `user.id` on the authenticated user object.
+ */
+export declare function getCallerAuthorId(requestContext: RequestContext): string | null;
+/**
+ * Returns the list of permission strings currently attached to the caller by
+ * the RBAC provider. Returns an empty array when RBAC isn't configured.
+ */
+export declare function getCallerPermissions(requestContext: RequestContext): string[];
+/**
+ * True if the caller holds a wildcard permission that lets them manage a
+ * resource they don't own (e.g. admins listing agents across tenants).
+ *
+ * Recognizes `*`, `<resource>:*`, and `<resource>:admin`.
+ */
+export declare function hasAdminBypass(requestContext: RequestContext, resource: string): boolean;
+/**
+ * True if the caller holds a permission explicitly scoped to a specific
+ * resource id — e.g. `agents:read:agent-123` or `agents:*:agent-123`.
+ *
+ * Broad grants without a resource-id segment (e.g. the role-default
+ * `agents:execute`) are intentionally NOT treated as satisfying ownership
+ * overrides. Those broad grants already gate route access at the
+ * `requiresPermission` layer; giving them a second life as per-record
+ * overrides would defeat the owner/visibility model.
+ *
+ * When called without `resourceId` (the legacy shape), falls back to the
+ * original "any matching permission" behavior.
+ */
+export declare function hasScopedPermission(args: {
+    requestContext: RequestContext;
+    resource: string;
+    action: string;
+    resourceId?: string;
+}): boolean;
+export type AuthorFilter = {
+    kind: 'unrestricted';
+} | {
+    kind: 'exact';
+    authorId: string;
+} | {
+    kind: 'ownedOrPublic';
+    callerAuthorId: string;
+} | {
+    kind: 'publicOnly';
+} | {
+    kind: 'ownedOrPublicOthers';
+    callerAuthorId: string;
+    queryAuthorId: string;
+};
+/**
+ * Resolves the filter to apply when listing owner-scoped records.
+ *
+ * Behavior matrix:
+ * - Admin bypass + no query overrides           → `unrestricted`.
+ * - Admin bypass + `authorId=X`                 → `exact` (all of X's rows).
+ * - `visibility=public` (any caller)            → `publicOnly` (aggregate public rows across owners).
+ * - `authorId=X`, caller === X                  → `exact` (all of caller's rows).
+ * - `authorId=X`, caller !== X (non-admin)      → `ownedOrPublicOthers` (only X's public rows).
+ * - No caller (auth off)                        → `unrestricted` (or `exact` if query supplied).
+ * - Default                                     → `ownedOrPublic` (caller's rows + legacy unowned + any public rows).
+ */
+export declare function resolveAuthorFilter(args: {
+    requestContext: RequestContext;
+    resource: string;
+    queryAuthorId?: string;
+    queryVisibility?: 'public';
+}): AuthorFilter;
+/**
+ * Returns `true` if the record is visible to the caller given the resolved
+ * filter. See `resolveAuthorFilter` for the filter semantics.
+ *
+ * Legacy rows with `authorId == null` are treated as public (visible to all).
+ */
+export declare function matchesAuthorFilter(record: OwnedRecord, filter: AuthorFilter): boolean;
+/**
+ * Asserts the caller has read access to the record. Throws 404 if not.
+ *
+ * Read access is granted when:
+ * - The record has no owner (legacy/public), OR
+ * - The record is marked `visibility: 'public'`, OR
+ * - The caller owns the record, OR
+ * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR
+ * - The caller holds `<resource>:read` or `<resource>:read:<resourceId>`.
+ */
+export declare function assertReadAccess(args: {
+    requestContext: RequestContext;
+    resource: string;
+    resourceId?: string;
+    record: OwnedRecord;
+}): void;
+/**
+ * Asserts the caller has execute access to the record. Throws 404 if not.
+ *
+ * Execute access is granted when:
+ * - The record has no owner (legacy/public), OR
+ * - The record is marked `visibility: 'public'`, OR
+ * - The caller owns the record, OR
+ * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR
+ * - The caller holds `<resource>:execute` / `<resource>:execute:<resourceId>`, OR
+ * - The caller holds `<resource>:read` / `<resource>:read:<resourceId>`
+ *   (read implies the ability to consume/chat with the resource).
+ */
+export declare function assertExecuteAccess(args: {
+    requestContext: RequestContext;
+    resource: string;
+    resourceId?: string;
+    record: OwnedRecord;
+}): void;
+/**
+ * Asserts the caller has write access (edit or delete) to the record.
+ * Throws 404 if not.
+ *
+ * Write access is granted when:
+ * - The record has no owner (legacy), OR
+ * - The caller owns the record, OR
+ * - The caller has admin bypass, OR
+ * - The caller holds `<resource>:<action>` or `<resource>:<action>:<resourceId>`.
+ *
+ * `visibility: 'public'` alone does NOT grant write access.
+ */
+export declare function assertWriteAccess(args: {
+    requestContext: RequestContext;
+    resource: string;
+    resourceId?: string;
+    action: 'edit' | 'delete' | 'write';
+    record: OwnedRecord;
+}): void;
+/**
+ * Asserts the caller has share access to the record. Throws 404 if not.
+ *
+ * Share access controls who can change a record's audience/visibility
+ * (e.g. flipping `private` ↔ `public`). It is intentionally separate from
+ * `write`: a caller with only `<resource>:write` MUST NOT be able to flip
+ * visibility — that would let any editor expose private records.
+ *
+ * Share access is granted when:
+ * - The record has no owner (legacy), OR
+ * - The caller owns the record (creators can share their own records), OR
+ * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR
+ * - The caller holds `<resource>:share` / `<resource>:share:<resourceId>`
+ *   (or any pattern that matches it, e.g. `*:share`).
+ *
+ * `visibility: 'public'` does NOT grant share access — being readable doesn't
+ * imply the right to change who else can read.
+ */
+export declare function assertShareAccess(args: {
+    requestContext: RequestContext;
+    resource: string;
+    resourceId?: string;
+    record: OwnedRecord;
+}): void;
+/**
+ * Alias for `assertWriteAccess` with `action: 'edit'`. Prefer `assertWriteAccess`
+ * in new code so the action is explicit.
+ */
+export declare function assertOwnership(args: {
+    requestContext: RequestContext;
+    resource: string;
+    resourceId?: string;
+    record: OwnedRecord;
+}): void;
+//# sourceMappingURL=authorship.d.ts.map