@mastra/server 1.36.0-alpha.1 → 1.36.0-alpha.3

package/dist/chunk-7U7OWTR2.js

@@ -0,0 +1,149 @@
+import { HTTPException } from './chunk-6QWQZI4Q.js';
+import { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from './chunk-23S37FLK.js';
+import { matchesPermission } from '@mastra/core/auth/ee';
+
+function getCallerAuthorId(requestContext) {
+  const resourceId = requestContext.get(MASTRA_RESOURCE_ID_KEY);
+  if (typeof resourceId === "string" && resourceId.length > 0) {
+    return resourceId;
+  }
+  const user = requestContext.get(MASTRA_USER_KEY);
+  if (user && typeof user === "object" && "id" in user) {
+    const id = user.id;
+    if (typeof id === "string" && id.length > 0) {
+      return id;
+    }
+  }
+  return null;
+}
+function getCallerPermissions(requestContext) {
+  const raw = requestContext.get(MASTRA_USER_PERMISSIONS_KEY);
+  if (Array.isArray(raw)) {
+    return raw.filter((p) => typeof p === "string");
+  }
+  return [];
+}
+function hasAdminBypass(requestContext, resource) {
+  const permissions = getCallerPermissions(requestContext);
+  if (permissions.length === 0) return false;
+  const wildcardAll = "*";
+  const resourceWildcard = `${resource}:*`;
+  const resourceAdmin = `${resource}:admin`;
+  return permissions.some((p) => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);
+}
+function hasScopedPermission(args) {
+  const { requestContext, resource, action, resourceId } = args;
+  const permissions = getCallerPermissions(requestContext);
+  if (permissions.length === 0) return false;
+  if (!resourceId) {
+    const required2 = `${resource}:${action}`;
+    return permissions.some((p) => matchesPermission(p, required2));
+  }
+  const required = `${resource}:${action}:${resourceId}`;
+  return permissions.some((p) => {
+    const parts = p.split(":");
+    if (parts.length < 3) return false;
+    return matchesPermission(p, required);
+  });
+}
+function resolveAuthorFilter(args) {
+  const { requestContext, resource, queryAuthorId, queryVisibility } = args;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  const bypass = hasAdminBypass(requestContext, resource);
+  if (queryVisibility === "public" && !queryAuthorId) {
+    return { kind: "publicOnly" };
+  }
+  if (bypass) {
+    return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" };
+  }
+  if (!callerAuthorId) {
+    return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" };
+  }
+  if (queryAuthorId) {
+    if (queryAuthorId === callerAuthorId) {
+      return { kind: "exact", authorId: callerAuthorId };
+    }
+    return { kind: "ownedOrPublicOthers", callerAuthorId, queryAuthorId };
+  }
+  return { kind: "ownedOrPublic", callerAuthorId };
+}
+function matchesAuthorFilter(record, filter) {
+  const owner = record.authorId ?? null;
+  const isPublic = record.visibility === "public";
+  switch (filter.kind) {
+    case "unrestricted":
+      return true;
+    case "exact":
+      return owner === filter.authorId;
+    case "ownedOrPublic":
+      return owner === null || owner === filter.callerAuthorId || isPublic;
+    case "publicOnly":
+      return owner === null || isPublic;
+    case "ownedOrPublicOthers":
+      return owner === filter.queryAuthorId && isPublic;
+  }
+}
+function assertReadAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (record.visibility === "public") return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) {
+    return;
+  }
+  throw new HTTPException(404, { message: "Not found" });
+}
+function assertExecuteAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (record.visibility === "public") return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "execute", resourceId })) {
+    return;
+  }
+  if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) {
+    return;
+  }
+  throw new HTTPException(404, { message: "Not found" });
+}
+function assertWriteAccess(args) {
+  const { requestContext, resource, resourceId, action, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action, resourceId })) {
+    return;
+  }
+  throw new HTTPException(404, { message: "Not found" });
+}
+function assertShareAccess(args) {
+  const { requestContext, resource, resourceId, record } = args;
+  const owner = record.authorId ?? null;
+  if (owner === null) return;
+  if (hasAdminBypass(requestContext, resource)) return;
+  const callerAuthorId = getCallerAuthorId(requestContext);
+  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;
+  if (callerAuthorId === owner) return;
+  if (hasScopedPermission({ requestContext, resource, action: "share", resourceId })) {
+    return;
+  }
+  throw new HTTPException(404, { message: "Not found" });
+}
+function assertOwnership(args) {
+  assertWriteAccess({ ...args, action: "edit" });
+}
+
+export { assertExecuteAccess, assertOwnership, assertReadAccess, assertShareAccess, assertWriteAccess, getCallerAuthorId, getCallerPermissions, hasAdminBypass, hasScopedPermission, matchesAuthorFilter, resolveAuthorFilter };
+//# sourceMappingURL=chunk-7U7OWTR2.js.map
+//# sourceMappingURL=chunk-7U7OWTR2.js.map

package/dist/chunk-7U7OWTR2.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/handlers/authorship.ts"],"names":["required"],"mappings":";;;;AAsBO,SAAS,kBAAkB,cAAA,EAA+C;AAC/E,EAAA,MAAM,UAAA,GAAa,cAAA,CAAe,GAAA,CAAI,sBAAsB,CAAA;AAC5D,EAAA,IAAI,OAAO,UAAA,KAAe,QAAA,IAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA;AAC/C,EAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,IAAY,QAAQ,IAAA,EAAM;AACpD,IAAA,MAAM,KAAM,IAAA,CAAyB,EAAA;AACrC,IAAA,IAAI,OAAO,EAAA,KAAO,QAAA,IAAY,EAAA,CAAG,SAAS,CAAA,EAAG;AAC3C,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBAAqB,cAAA,EAA0C;AAC7E,EAAA,MAAM,GAAA,GAAM,cAAA,CAAe,GAAA,CAAI,2BAA2B,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,MAAA,CAAO,CAAC,CAAA,KAAmB,OAAO,MAAM,QAAQ,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,EAAC;AACV;AAQO,SAAS,cAAA,CAAe,gBAAgC,QAAA,EAA2B;AACxF,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AACrC,EAAA,MAAM,WAAA,GAAc,GAAA;AACpB,EAAA,MAAM,gBAAA,GAAmB,GAAG,QAAQ,CAAA,EAAA,CAAA;AACpC,EAAA,MAAM,aAAA,GAAgB,GAAG,QAAQ,CAAA,MAAA,CAAA;AACjC,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK,CAAA,KAAM,eAAe,CAAA,KAAM,gBAAA,IAAoB,MAAM,aAAa,CAAA;AACjG;AAeO,SAAS,oBAAoB,IAAA,EAKxB;AACV,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,MAAA,EAAQ,YAAW,GAAI,IAAA;AACzD,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,MAAMA,SAAAA,GAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACtC,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAGA,SAAQ,CAAC,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,WAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,IAAI,UAAU,CAAA,CAAA;AACpD,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK;AAI3B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,KAAA;AAC7B,IAAA,OAAO,iBAAA,CAAkB,GAAG,QAAQ,CAAA;AAAA,EACtC,CAAC,CAAA;AACH;AAqBO,SAAS,oBAAoB,IAAA,EAKnB;AACf,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,aAAA,EAAe,iBAAgB,GAAI,IAAA;AACrE,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA;AAEtD,EAAA,IAAI,eAAA,KAAoB,QAAA,IAAY,CAAC,aAAA,EAAe;AAClD,IAAA,OAAO,EAAE,MAAM,YAAA,EAAa;AAAA,EAC9B;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAIA,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,QAAA,EAAU,cAAA,EAAe;AAAA,IACnD;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,qBAAA,EAAuB,cAAA,EAAgB,aAAA,EAAc;AAAA,EACtE;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,eAAA,EAAiB,cAAA,EAAe;AACjD;AAQO,SAAS,mBAAA,CAAoB,QAAqB,MAAA,EAA+B;AACtF,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AACjC,EAAA,MAAM,QAAA,GAAW,OAAO,UAAA,KAAe,QAAA;AAEvC,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,cAAA;AACH,MAAA,OAAO,IAAA;AAAA,IACT,KAAK,OAAA;AACH,MAAA,OAAO,UAAU,MAAA,CAAO,QAAA;AAAA,IAC1B,KAAK,eAAA;AACH,MAAA,OAAO,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,CAAO,cAAA,IAAkB,QAAA;AAAA,IAC9D,KAAK,YAAA;AACH,MAAA,OAAO,UAAU,IAAA,IAAQ,QAAA;AAAA,IAC3B,KAAK,qBAAA;AAIH,MAAA,OAAO,KAAA,KAAU,OAAO,aAAA,IAAiB,QAAA;AAAA;AAE/C;AAYO,SAAS,iBAAiB,IAAA,EAKxB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AAKvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,oBAAoB,IAAA,EAK3B;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,SAAA,EAAW,UAAA,EAAY,CAAA,EAAG;AACpF,IAAA;AAAA,EACF;AACA,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,kBAAkB,IAAA,EAMzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,MAAA,EAAQ,QAAO,GAAI,IAAA;AACjE,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,oBAAoB,EAAE,cAAA,EAAgB,UAAU,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACzE,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAoBO,SAAS,kBAAkB,IAAA,EAKzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,OAAA,EAAS,UAAA,EAAY,CAAA,EAAG;AAClF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAMO,SAAS,gBAAgB,IAAA,EAKvB;AACP,EAAA,iBAAA,CAAkB,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,QAAQ,CAAA;AAC/C","file":"chunk-7U7OWTR2.js","sourcesContent":["import { matchesPermission } from '@mastra/core/auth/ee';\nimport type { RequestContext } from '@mastra/core/di';\n\nimport { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from '../constants';\nimport { HTTPException } from '../http-exception';\n\n/**\n * Shape of a stored record that carries ownership + visibility metadata.\n * Used by `matchesAuthorFilter` and the access-assertion helpers.\n */\nexport type OwnedRecord = {\n  authorId?: string | null;\n  visibility?: 'private' | 'public';\n};\n\n/**\n * Returns the author id associated with the authenticated caller, or `null`\n * if auth is not configured / the caller cannot be resolved.\n *\n * Prefers `MASTRA_RESOURCE_ID_KEY` (set by `authConfig.mapUserToResourceId`)\n * and falls back to `user.id` on the authenticated user object.\n */\nexport function getCallerAuthorId(requestContext: RequestContext): string | null {\n  const resourceId = requestContext.get(MASTRA_RESOURCE_ID_KEY);\n  if (typeof resourceId === 'string' && resourceId.length > 0) {\n    return resourceId;\n  }\n\n  const user = requestContext.get(MASTRA_USER_KEY);\n  if (user && typeof user === 'object' && 'id' in user) {\n    const id = (user as { id: unknown }).id;\n    if (typeof id === 'string' && id.length > 0) {\n      return id;\n    }\n  }\n\n  return null;\n}\n\n/**\n * Returns the list of permission strings currently attached to the caller by\n * the RBAC provider. Returns an empty array when RBAC isn't configured.\n */\nexport function getCallerPermissions(requestContext: RequestContext): string[] {\n  const raw = requestContext.get(MASTRA_USER_PERMISSIONS_KEY);\n  if (Array.isArray(raw)) {\n    return raw.filter((p): p is string => typeof p === 'string');\n  }\n  return [];\n}\n\n/**\n * True if the caller holds a wildcard permission that lets them manage a\n * resource they don't own (e.g. admins listing agents across tenants).\n *\n * Recognizes `*`, `<resource>:*`, and `<resource>:admin`.\n */\nexport function hasAdminBypass(requestContext: RequestContext, resource: string): boolean {\n  const permissions = getCallerPermissions(requestContext);\n  if (permissions.length === 0) return false;\n  const wildcardAll = '*';\n  const resourceWildcard = `${resource}:*`;\n  const resourceAdmin = `${resource}:admin`;\n  return permissions.some(p => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);\n}\n\n/**\n * True if the caller holds a permission explicitly scoped to a specific\n * resource id — e.g. `agents:read:agent-123` or `agents:*:agent-123`.\n *\n * Broad grants without a resource-id segment (e.g. the role-default\n * `agents:execute`) are intentionally NOT treated as satisfying ownership\n * overrides. Those broad grants already gate route access at the\n * `requiresPermission` layer; giving them a second life as per-record\n * overrides would defeat the owner/visibility model.\n *\n * When called without `resourceId` (the legacy shape), falls back to the\n * original \"any matching permission\" behavior.\n */\nexport function hasScopedPermission(args: {\n  requestContext: RequestContext;\n  resource: string;\n  action: string;\n  resourceId?: string;\n}): boolean {\n  const { requestContext, resource, action, resourceId } = args;\n  const permissions = getCallerPermissions(requestContext);\n  if (permissions.length === 0) return false;\n\n  if (!resourceId) {\n    const required = `${resource}:${action}`;\n    return permissions.some(p => matchesPermission(p, required));\n  }\n\n  const required = `${resource}:${action}:${resourceId}`;\n  return permissions.some(p => {\n    // Only honor grants that explicitly name a resource id. A granted\n    // permission with just `<resource>:<action>` (no id segment) is\n    // considered a broad role grant, not a per-record override.\n    const parts = p.split(':');\n    if (parts.length < 3) return false;\n    return matchesPermission(p, required);\n  });\n}\n\nexport type AuthorFilter =\n  | { kind: 'unrestricted' }\n  | { kind: 'exact'; authorId: string }\n  | { kind: 'ownedOrPublic'; callerAuthorId: string }\n  | { kind: 'publicOnly' }\n  | { kind: 'ownedOrPublicOthers'; callerAuthorId: string; queryAuthorId: string };\n\n/**\n * Resolves the filter to apply when listing owner-scoped records.\n *\n * Behavior matrix:\n * - Admin bypass + no query overrides           → `unrestricted`.\n * - Admin bypass + `authorId=X`                 → `exact` (all of X's rows).\n * - `visibility=public` (any caller)            → `publicOnly` (aggregate public rows across owners).\n * - `authorId=X`, caller === X                  → `exact` (all of caller's rows).\n * - `authorId=X`, caller !== X (non-admin)      → `ownedOrPublicOthers` (only X's public rows).\n * - No caller (auth off)                        → `unrestricted` (or `exact` if query supplied).\n * - Default                                     → `ownedOrPublic` (caller's rows + legacy unowned + any public rows).\n */\nexport function resolveAuthorFilter(args: {\n  requestContext: RequestContext;\n  resource: string;\n  queryAuthorId?: string;\n  queryVisibility?: 'public';\n}): AuthorFilter {\n  const { requestContext, resource, queryAuthorId, queryVisibility } = args;\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  const bypass = hasAdminBypass(requestContext, resource);\n\n  if (queryVisibility === 'public' && !queryAuthorId) {\n    return { kind: 'publicOnly' };\n  }\n\n  if (bypass) {\n    return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n  }\n\n  // Auth isn't configured (no caller) → treat as unrestricted. The route's\n  // `requiresAuth`/`requiresPermission` is what gates access in that mode.\n  if (!callerAuthorId) {\n    return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n  }\n\n  if (queryAuthorId) {\n    if (queryAuthorId === callerAuthorId) {\n      return { kind: 'exact', authorId: callerAuthorId };\n    }\n    // Non-owner asking about another user: only that user's public rows are visible.\n    return { kind: 'ownedOrPublicOthers', callerAuthorId, queryAuthorId };\n  }\n\n  return { kind: 'ownedOrPublic', callerAuthorId };\n}\n\n/**\n * Returns `true` if the record is visible to the caller given the resolved\n * filter. See `resolveAuthorFilter` for the filter semantics.\n *\n * Legacy rows with `authorId == null` are treated as public (visible to all).\n */\nexport function matchesAuthorFilter(record: OwnedRecord, filter: AuthorFilter): boolean {\n  const owner = record.authorId ?? null;\n  const isPublic = record.visibility === 'public';\n\n  switch (filter.kind) {\n    case 'unrestricted':\n      return true;\n    case 'exact':\n      return owner === filter.authorId;\n    case 'ownedOrPublic':\n      return owner === null || owner === filter.callerAuthorId || isPublic;\n    case 'publicOnly':\n      return owner === null || isPublic;\n    case 'ownedOrPublicOthers':\n      // Filtering by another author's rows: only expose their public ones.\n      // Legacy unowned rows match if the query is for `null`; here the query\n      // is always for a concrete id, so unowned rows don't match.\n      return owner === filter.queryAuthorId && isPublic;\n  }\n}\n\n/**\n * Asserts the caller has read access to the record. Throws 404 if not.\n *\n * Read access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:read` or `<resource>:read:<resourceId>`.\n */\nexport function assertReadAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (record.visibility === 'public') return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  // No authenticated user on the request context means auth is not configured\n  // (single-user/dev mode). When auth IS configured, coreAuthMiddleware\n  // rejects unauthenticated requests with 401 before they reach handlers,\n  // so an absent user here genuinely means no auth provider.\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has execute access to the record. Throws 404 if not.\n *\n * Execute access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:execute` / `<resource>:execute:<resourceId>`, OR\n * - The caller holds `<resource>:read` / `<resource>:read:<resourceId>`\n *   (read implies the ability to consume/chat with the resource).\n */\nexport function assertExecuteAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (record.visibility === 'public') return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'execute', resourceId })) {\n    return;\n  }\n  if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has write access (edit or delete) to the record.\n * Throws 404 if not.\n *\n * Write access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record, OR\n * - The caller has admin bypass, OR\n * - The caller holds `<resource>:<action>` or `<resource>:<action>:<resourceId>`.\n *\n * `visibility: 'public'` alone does NOT grant write access.\n */\nexport function assertWriteAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  action: 'edit' | 'delete' | 'write';\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, action, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action, resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has share access to the record. Throws 404 if not.\n *\n * Share access controls who can change a record's audience/visibility\n * (e.g. flipping `private` ↔ `public`). It is intentionally separate from\n * `write`: a caller with only `<resource>:write` MUST NOT be able to flip\n * visibility — that would let any editor expose private records.\n *\n * Share access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record (creators can share their own records), OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:share` / `<resource>:share:<resourceId>`\n *   (or any pattern that matches it, e.g. `*:share`).\n *\n * `visibility: 'public'` does NOT grant share access — being readable doesn't\n * imply the right to change who else can read.\n */\nexport function assertShareAccess(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  const { requestContext, resource, resourceId, record } = args;\n  const owner = record.authorId ?? null;\n\n  if (owner === null) return;\n  if (hasAdminBypass(requestContext, resource)) return;\n\n  const callerAuthorId = getCallerAuthorId(requestContext);\n  if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n  if (callerAuthorId === owner) return;\n\n  if (hasScopedPermission({ requestContext, resource, action: 'share', resourceId })) {\n    return;\n  }\n\n  throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Alias for `assertWriteAccess` with `action: 'edit'`. Prefer `assertWriteAccess`\n * in new code so the action is explicit.\n */\nexport function assertOwnership(args: {\n  requestContext: RequestContext;\n  resource: string;\n  resourceId?: string;\n  record: OwnedRecord;\n}): void {\n  assertWriteAccess({ ...args, action: 'edit' });\n}\n"]}

package/dist/{chunk-SR6QNILC.cjs → chunk-A4FTF4A7.cjs}

@@ -1,10 +1,10 @@
 'use strict';
 
 var chunkKME4O3RJ_cjs = require('./chunk-KME4O3RJ.cjs');
-var chunkAZORAK4H_cjs = require('./chunk-AZORAK4H.cjs');
-var chunkB34S64RC_cjs = require('./chunk-B34S64RC.cjs');
-var chunk64ITUOXI_cjs = require('./chunk-64ITUOXI.cjs');
 var chunkDIG2K5CV_cjs = require('./chunk-DIG2K5CV.cjs');
+var chunkYNSUYESL_cjs = require('./chunk-YNSUYESL.cjs');
+var chunkXTFWFQZ7_cjs = require('./chunk-XTFWFQZ7.cjs');
+var chunk64ITUOXI_cjs = require('./chunk-64ITUOXI.cjs');
 var agent = require('@mastra/core/agent');
 var error = require('@mastra/core/error');
 var features = require('@mastra/core/features');
@@ -34,7 +34,7 @@ function getHttpStatusForMastraError(errorId) {
       return 500;
   }
 }
-var LIST_DATASETS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_DATASETS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets",
   responseType: "json",
@@ -57,11 +57,11 @@ var LIST_DATASETS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing datasets");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing datasets");
     }
   }
 });
-var CREATE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var CREATE_DATASET_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets",
   responseType: "json",
@@ -102,11 +102,11 @@ var CREATE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error creating dataset");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error creating dataset");
     }
   }
 });
-var GET_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GET_DATASET_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId",
   responseType: "json",
@@ -125,11 +125,11 @@ var GET_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error getting dataset");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error getting dataset");
     }
   }
 });
-var UPDATE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var UPDATE_DATASET_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "PATCH",
   path: "/datasets/:datasetId",
   responseType: "json",
@@ -185,11 +185,11 @@ var UPDATE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error updating dataset");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error updating dataset");
     }
   }
 });
-var DELETE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var DELETE_DATASET_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "DELETE",
   path: "/datasets/:datasetId",
   responseType: "json",
@@ -209,11 +209,11 @@ var DELETE_DATASET_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error deleting dataset");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error deleting dataset");
     }
   }
 });
-var LIST_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_ITEMS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/items",
   responseType: "json",
@@ -243,11 +243,11 @@ var LIST_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing dataset items");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing dataset items");
     }
   }
 });
-var ADD_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var ADD_ITEM_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/:datasetId/items",
   responseType: "json",
@@ -274,11 +274,11 @@ var ADD_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error adding item to dataset");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error adding item to dataset");
     }
   }
 });
-var GET_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GET_ITEM_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/items/:itemId",
   responseType: "json",
@@ -301,11 +301,11 @@ var GET_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error getting dataset item");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error getting dataset item");
     }
   }
 });
-var UPDATE_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var UPDATE_ITEM_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "PATCH",
   path: "/datasets/:datasetId/items/:itemId",
   responseType: "json",
@@ -336,11 +336,11 @@ var UPDATE_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error updating dataset item");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error updating dataset item");
     }
   }
 });
-var DELETE_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var DELETE_ITEM_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "DELETE",
   path: "/datasets/:datasetId/items/:itemId",
   responseType: "json",
@@ -364,11 +364,11 @@ var DELETE_ITEM_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error deleting dataset item");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error deleting dataset item");
     }
   }
 });
-var LIST_ALL_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_ALL_EXPERIMENTS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/experiments",
   responseType: "json",
@@ -398,11 +398,11 @@ var LIST_ALL_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing experiments");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing experiments");
     }
   }
 });
-var EXPERIMENT_REVIEW_SUMMARY_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var EXPERIMENT_REVIEW_SUMMARY_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/experiments/review-summary",
   responseType: "json",
@@ -428,11 +428,11 @@ var EXPERIMENT_REVIEW_SUMMARY_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error getting review summary");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error getting review summary");
     }
   }
 });
-var LIST_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_EXPERIMENTS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/experiments",
   responseType: "json",
@@ -454,11 +454,11 @@ var LIST_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing experiments");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing experiments");
     }
   }
 });
-var TRIGGER_EXPERIMENT_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var TRIGGER_EXPERIMENT_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/:datasetId/experiments",
   responseType: "json",
@@ -508,11 +508,11 @@ var TRIGGER_EXPERIMENT_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error triggering experiment");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error triggering experiment");
     }
   }
 });
-var GET_EXPERIMENT_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GET_EXPERIMENT_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/experiments/:experimentId",
   responseType: "json",
@@ -535,11 +535,11 @@ var GET_EXPERIMENT_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error getting experiment");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error getting experiment");
     }
   }
 });
-var LIST_EXPERIMENT_RESULTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_EXPERIMENT_RESULTS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/experiments/:experimentId/results",
   responseType: "json",
@@ -568,11 +568,11 @@ var LIST_EXPERIMENT_RESULTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing experiment results");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing experiment results");
     }
   }
 });
-var UPDATE_EXPERIMENT_RESULT_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var UPDATE_EXPERIMENT_RESULT_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "PATCH",
   path: "/datasets/:datasetId/experiments/:experimentId/results/:resultId",
   responseType: "json",
@@ -605,11 +605,11 @@ var UPDATE_EXPERIMENT_RESULT_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error updating experiment result");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error updating experiment result");
     }
   }
 });
-var COMPARE_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var COMPARE_EXPERIMENTS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/:datasetId/compare",
   responseType: "json",
@@ -634,11 +634,11 @@ var COMPARE_EXPERIMENTS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error comparing experiments");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error comparing experiments");
     }
   }
 });
-var LIST_DATASET_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_DATASET_VERSIONS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/versions",
   responseType: "json",
@@ -660,11 +660,11 @@ var LIST_DATASET_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing dataset versions");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing dataset versions");
     }
   }
 });
-var LIST_ITEM_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var LIST_ITEM_VERSIONS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/items/:itemId/history",
   responseType: "json",
@@ -687,11 +687,11 @@ var LIST_ITEM_VERSIONS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error listing item history");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error listing item history");
     }
   }
 });
-var GET_ITEM_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GET_ITEM_VERSION_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "GET",
   path: "/datasets/:datasetId/items/:itemId/versions/:datasetVersion",
   responseType: "json",
@@ -717,11 +717,11 @@ var GET_ITEM_VERSION_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error getting item version");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error getting item version");
     }
   }
 });
-var BATCH_INSERT_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var BATCH_INSERT_ITEMS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/:datasetId/items/batch",
   responseType: "json",
@@ -749,11 +749,11 @@ var BATCH_INSERT_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error batch inserting items");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error batch inserting items");
     }
   }
 });
-var BATCH_DELETE_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var BATCH_DELETE_ITEMS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "DELETE",
   path: "/datasets/:datasetId/items/batch",
   responseType: "json",
@@ -775,7 +775,7 @@ var BATCH_DELETE_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error bulk deleting items");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error bulk deleting items");
     }
   }
 });
@@ -792,7 +792,7 @@ Generate test items that:
 6. Test different aspects of the agent's capabilities based on its tools and instructions
 
 Return the items as a JSON array.`;
-var GENERATE_ITEMS_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var GENERATE_ITEMS_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/:datasetId/generate-items",
   responseType: "json",
@@ -873,7 +873,7 @@ ${agentContextSection}` : null,
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error generating dataset items");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error generating dataset items");
     }
   }
 });
@@ -895,7 +895,7 @@ Guidelines:
 - IMPORTANT: If existing tags are provided, PREFER reusing them over creating new ones. Only create new tags when no existing tag fits.
 - Items may already have tags \u2014 consider those when assigning new ones and avoid duplicating existing tags on an item.
 - The "reason" field should be 1-2 sentences explaining the specific evidence for each tag assignment.`;
-var CLUSTER_FAILURES_ROUTE = chunkAZORAK4H_cjs.createRoute({
+var CLUSTER_FAILURES_ROUTE = chunkXTFWFQZ7_cjs.createRoute({
   method: "POST",
   path: "/datasets/cluster-failures",
   responseType: "json",
@@ -972,7 +972,7 @@ Return both "clusters" (grouping items by pattern) and "proposedTags" (a list ma
       if (error$1 instanceof error.MastraError) {
         throw new chunk64ITUOXI_cjs.HTTPException(getHttpStatusForMastraError(error$1.id), { message: error$1.message });
       }
-      return chunkB34S64RC_cjs.handleError(error$1, "Error clustering failures");
+      return chunkYNSUYESL_cjs.handleError(error$1, "Error clustering failures");
     }
   }
 });
@@ -1002,5 +1002,5 @@ exports.TRIGGER_EXPERIMENT_ROUTE = TRIGGER_EXPERIMENT_ROUTE;
 exports.UPDATE_DATASET_ROUTE = UPDATE_DATASET_ROUTE;
 exports.UPDATE_EXPERIMENT_RESULT_ROUTE = UPDATE_EXPERIMENT_RESULT_ROUTE;
 exports.UPDATE_ITEM_ROUTE = UPDATE_ITEM_ROUTE;
-//# sourceMappingURL=chunk-SR6QNILC.cjs.map
-//# sourceMappingURL=chunk-SR6QNILC.cjs.map
+//# sourceMappingURL=chunk-A4FTF4A7.cjs.map
+//# sourceMappingURL=chunk-A4FTF4A7.cjs.map