@mastra/server 1.37.0-alpha.8 → 1.37.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +120 -0
- package/dist/docs/SKILL.md +1 -1
- package/dist/docs/assets/SOURCE_MAP.json +1 -1
- package/package.json +7 -7
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,125 @@
|
|
|
1
1
|
# @mastra/server
|
|
2
2
|
|
|
3
|
+
## 1.37.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- Connecting or disconnecting an agent through a channel (e.g. Slack) now requires the same write permission as editing the underlying stored agent. The check runs on `POST /channels/:platform/connect` and `POST /channels/:platform/:agentId/disconnect` whenever the target agent has a record in the stored-agents store. Callers without write access receive a `404 Not found`, matching the behavior of the stored-agent edit routes. Agents defined in code (no stored-agents record) are unaffected and continue to honor only the route's existing auth requirement. ([#16949](https://github.com/mastra-ai/mastra/pull/16949))
|
|
8
|
+
|
|
9
|
+
The caller must either own the stored agent, have admin bypass, or hold `agents:edit` (or a scoped `agents:edit:<agentId>`).
|
|
10
|
+
|
|
11
|
+
```http
|
|
12
|
+
POST /channels/slack/connect
|
|
13
|
+
Authorization: Bearer <token-with-agents:edit>
|
|
14
|
+
Content-Type: application/json
|
|
15
|
+
|
|
16
|
+
{ "agentId": "support-bot" }
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
```http
|
|
20
|
+
POST /channels/slack/support-bot/disconnect
|
|
21
|
+
Authorization: Bearer <token-with-agents:edit>
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
`@mastra/core` is bumped as a patch to ship the regenerated permission definitions that back this check.
|
|
25
|
+
|
|
26
|
+
- Gate stored-workspace handlers by author. Previously any authenticated caller within a tenant could list, read, update, or delete another user's workspace. ([#16974](https://github.com/mastra-ai/mastra/pull/16974))
|
|
27
|
+
|
|
28
|
+
**Behavior changes**
|
|
29
|
+
- `POST /stored/workspaces` — server stamps `authorId` from the authenticated caller; any body-provided `authorId` is ignored.
|
|
30
|
+
- `GET /stored/workspaces/:id`, `PATCH /stored/workspaces/:id`, `DELETE /stored/workspaces/:id` — return `404 Not found` unless the caller is the owner, an admin (`*`), or holds `stored-workspaces:<action>[:<id>]`.
|
|
31
|
+
- `GET /stored/workspaces` — filters to the caller's own rows plus legacy unowned records; admins still see every row.
|
|
32
|
+
- Legacy workspaces created before this change (no `authorId`) remain accessible to any authenticated caller for backwards compatibility.
|
|
33
|
+
|
|
34
|
+
**Example**
|
|
35
|
+
|
|
36
|
+
```ts
|
|
37
|
+
// Client POST body — authorId is ignored if sent
|
|
38
|
+
await fetch('/stored/workspaces', {
|
|
39
|
+
method: 'POST',
|
|
40
|
+
body: JSON.stringify({ name: 'My workspace', authorId: 'someone-else' }),
|
|
41
|
+
});
|
|
42
|
+
|
|
43
|
+
// Stored row — authorId is stamped from the authenticated caller
|
|
44
|
+
// {
|
|
45
|
+
// id: 'my-workspace',
|
|
46
|
+
// name: 'My workspace',
|
|
47
|
+
// authorId: 'user_abc123', // from requestContext, NOT from body
|
|
48
|
+
// ...
|
|
49
|
+
// }
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
**Migration**
|
|
53
|
+
- Existing rows with `authorId === null/undefined` remain readable/writable by any authenticated caller — no action required for backwards compatibility.
|
|
54
|
+
- To lock down legacy rows, backfill `authorId` directly in the `workspaces` table with the original creator's id.
|
|
55
|
+
- For service accounts or tooling that need cross-user access, grant `stored-workspaces:*` (or per-id `stored-workspaces:<action>:<id>`) instead of relying on the legacy unowned bypass.
|
|
56
|
+
- Admins (callers with `*`) continue to see and mutate every row regardless of `authorId`.
|
|
57
|
+
|
|
58
|
+
The `@mastra/core` patch regenerates `permissions.generated.ts` to include the `auth` and `infrastructure` resources that already had routes on `main`.
|
|
59
|
+
|
|
60
|
+
- Agent Builder action routes (`/agent-builder/*`) are now registered automatically through the standard server route pipeline. Any adapter built on `@mastra/server` (Hono, Express, Fastify, Koa, etc.) serves the 15 `/agent-builder/*` endpoints without consumers wiring them manually. ([#17085](https://github.com/mastra-ai/mastra/pull/17085))
|
|
61
|
+
|
|
62
|
+
**Example**
|
|
63
|
+
|
|
64
|
+
```ts
|
|
65
|
+
import { MastraClient } from '@mastra/client-js';
|
|
66
|
+
|
|
67
|
+
const client = new MastraClient({ baseUrl: 'http://localhost:4111' });
|
|
68
|
+
|
|
69
|
+
// `/agent-builder/*` routes are now reachable out-of-the-box
|
|
70
|
+
const actions = await client.getAgentBuilderActions();
|
|
71
|
+
|
|
72
|
+
const action = client.getAgentBuilderAction('generate-agent');
|
|
73
|
+
const { runId } = await action.createRun();
|
|
74
|
+
const result = await action.startAsync({ inputData: { prompt: 'Build me an agent' } }, runId);
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
**Why**
|
|
78
|
+
|
|
79
|
+
Previously, `AGENT_BUILDER_ROUTES` was a type-only entry in the route registry to keep `@mastra/agent-builder` out of Cloudflare worker bundles. Consumers had to register the routes themselves to expose Agent Builder functionality. Lazy-loading of `@mastra/agent-builder` is preserved — handlers still resolve the workflow module on first request via dynamic `import()`, so Cloudflare bundles are unaffected.
|
|
80
|
+
|
|
81
|
+
**New EE permissions**
|
|
82
|
+
|
|
83
|
+
The following permissions are added to the EE registry. RBAC consumers with strict allowlists must grant these to retain access to builder action routes:
|
|
84
|
+
- `agent-builder:read`
|
|
85
|
+
- `agent-builder:write`
|
|
86
|
+
- `agent-builder:execute`
|
|
87
|
+
|
|
88
|
+
Two legacy stream routes (`STREAM_LEGACY_AGENT_BUILDER_ACTION_ROUTE`, `OBSERVE_STREAM_LEGACY_AGENT_BUILDER_ACTION_ROUTE`) are now registered through the standard pipeline as well.
|
|
89
|
+
|
|
90
|
+
### Patch Changes
|
|
91
|
+
|
|
92
|
+
- Developers can now cancel long-running custom API route work when clients disconnect. Node-based adapters pass abort signals into custom route handlers, clean up response streams correctly, and still surface upstream response body errors. ([#16335](https://github.com/mastra-ai/mastra/pull/16335))
|
|
93
|
+
|
|
94
|
+
```ts
|
|
95
|
+
registerApiRoute('/stream', {
|
|
96
|
+
method: 'GET',
|
|
97
|
+
handler: async c => {
|
|
98
|
+
const stream = await agent.stream(prompt, {
|
|
99
|
+
abortSignal: c.req.raw.signal,
|
|
100
|
+
});
|
|
101
|
+
|
|
102
|
+
return stream.toTextStreamResponse();
|
|
103
|
+
},
|
|
104
|
+
});
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
- Made optional memory response fields optional in server schemas and generated client types. ([#17070](https://github.com/mastra-ai/mastra/pull/17070))
|
|
108
|
+
|
|
109
|
+
- Improved agent thread subscription resilience by keeping server streams active during idle periods and allowing the JavaScript client to reconnect when subscription streams close or resubscribe requests fail. ([#17045](https://github.com/mastra-ai/mastra/pull/17045))
|
|
110
|
+
|
|
111
|
+
Enable automatic reconnection with `subscription.processDataStream({ onChunk: chunk => console.log(chunk), reconnect: true })`.
|
|
112
|
+
|
|
113
|
+
- Updated dependencies [[`cfa2e3a`](https://github.com/mastra-ai/mastra/commit/cfa2e3a5292322f48bb28b4d257d631da7f9d3cc), [`0cbece9`](https://github.com/mastra-ai/mastra/commit/0cbece9d832cb134a74cdbf3682d390a058215a4), [`2f5f58a`](https://github.com/mastra-ai/mastra/commit/2f5f58a9a8bb13bcdc6789db221eef7c9bf1ff02), [`7dfe1bc`](https://github.com/mastra-ai/mastra/commit/7dfe1bcfe71d261a6fd6bbf29b1dec49d78fb98f), [`ac442a4`](https://github.com/mastra-ai/mastra/commit/ac442a42fda0354ac2bcea772bf6691cb3e9dbb3), [`b7286f4`](https://github.com/mastra-ai/mastra/commit/b7286f4308267f5fd70e6bfee10dba9472640906), [`6096445`](https://github.com/mastra-ai/mastra/commit/60964459733f0ab384584d95e19c36607ffdf7b0), [`d72dc4b`](https://github.com/mastra-ai/mastra/commit/d72dc4b12d832546c05c20255fa96fe4eb515900), [`a481027`](https://github.com/mastra-ai/mastra/commit/a481027b549ba1018414990c8f045eaee7b9f413), [`1e5c067`](https://github.com/mastra-ai/mastra/commit/1e5c067d2e20a781af670578180d1ee249806d41), [`168fa09`](https://github.com/mastra-ai/mastra/commit/168fa09d6b39114cb8c13bd06f1dccb9bc81c6cd), [`df1947a`](https://github.com/mastra-ai/mastra/commit/df1947affa40f742067542251fac7ca759492ef4), [`ee59b74`](https://github.com/mastra-ai/mastra/commit/ee59b743ce73ad11784b4d9c6fbba8568edee1c8), [`a97b1a0`](https://github.com/mastra-ai/mastra/commit/a97b1a0abaed83946c3519d1e0f680d0815b8a67), [`008baaf`](https://github.com/mastra-ai/mastra/commit/008baafd8d851f831407045aebead5a2e3342eff), [`801baa0`](https://github.com/mastra-ai/mastra/commit/801baa07cccdbaec1d00942a92bdc831111744a2), [`8116436`](https://github.com/mastra-ai/mastra/commit/81164363eb225d774e41ff27da6a5ea611406688), [`c35b962`](https://github.com/mastra-ai/mastra/commit/c35b9625c7e854fcfdeee226a3338a750d0ff211), [`c27c4b9`](https://github.com/mastra-ai/mastra/commit/c27c4b9f137df5414fca4e45896aceccff6b0ed5), [`08b3b59`](https://github.com/mastra-ai/mastra/commit/08b3b590dd960dee6c9a6e39272f8927d803db6e), [`b3c3b18`](https://github.com/mastra-ai/mastra/commit/b3c3b189121489a3a51a8fd8204b569be9a89fe5), [`4084113`](https://github.com/mastra-ai/mastra/commit/408411370fc48a822e8b616b3b63f9409774e0e9), [`70cb714`](https://github.com/mastra-ai/mastra/commit/70cb7149c8f16f478e15b58498254a53181750a4), [`91cf0e0`](https://github.com/mastra-ai/mastra/commit/91cf0e027e511b871481a8576b56b7af83b15afd), [`7f9da22`](https://github.com/mastra-ai/mastra/commit/7f9da22efd5aa595e138a31de55a5f0f2f28b33d)]:
|
|
114
|
+
- @mastra/core@1.37.0
|
|
115
|
+
|
|
116
|
+
## 1.37.0-alpha.9
|
|
117
|
+
|
|
118
|
+
### Patch Changes
|
|
119
|
+
|
|
120
|
+
- Updated dependencies [[`d72dc4b`](https://github.com/mastra-ai/mastra/commit/d72dc4b12d832546c05c20255fa96fe4eb515900)]:
|
|
121
|
+
- @mastra/core@1.37.0-alpha.9
|
|
122
|
+
|
|
3
123
|
## 1.37.0-alpha.8
|
|
4
124
|
|
|
5
125
|
### Minor Changes
|
package/dist/docs/SKILL.md
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mastra/server",
|
|
3
|
-
"version": "1.37.0
|
|
3
|
+
"version": "1.37.0",
|
|
4
4
|
"description": "",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"files": [
|
|
@@ -114,13 +114,13 @@
|
|
|
114
114
|
"vitest": "4.1.5",
|
|
115
115
|
"zod": "^4.4.3",
|
|
116
116
|
"zod-to-ts": "^2.0.0",
|
|
117
|
-
"@internal/lint": "0.0.
|
|
118
|
-
"@internal/storage-test-utils": "0.0.93",
|
|
119
|
-
"@internal/test-utils": "0.0.33",
|
|
117
|
+
"@internal/lint": "0.0.98",
|
|
120
118
|
"@internal/core": "0.0.0",
|
|
121
|
-
"@internal/
|
|
122
|
-
"@
|
|
123
|
-
"@
|
|
119
|
+
"@internal/storage-test-utils": "0.0.94",
|
|
120
|
+
"@internal/test-utils": "0.0.34",
|
|
121
|
+
"@internal/types-builder": "0.0.73",
|
|
122
|
+
"@mastra/core": "1.37.0",
|
|
123
|
+
"@mastra/agent-builder": "1.0.38",
|
|
124
124
|
"@mastra/schema-compat": "1.2.10"
|
|
125
125
|
},
|
|
126
126
|
"homepage": "https://mastra.ai",
|