@mastra/server 1.43.1-alpha.0 → 1.44.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (171) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/dist/{api-schema-manifest-NBXRJVAR.cjs → api-schema-manifest-7QYF5DIK.cjs} +4 -4
  3. package/dist/{api-schema-manifest-NBXRJVAR.cjs.map → api-schema-manifest-7QYF5DIK.cjs.map} +1 -1
  4. package/dist/{api-schema-manifest-5JMRQWHY.js → api-schema-manifest-FGP55GT2.js} +3 -3
  5. package/dist/{api-schema-manifest-5JMRQWHY.js.map → api-schema-manifest-FGP55GT2.js.map} +1 -1
  6. package/dist/{chunk-BB6RVOJY.js → chunk-3D4XT5RX.js} +3 -3
  7. package/dist/{chunk-BB6RVOJY.js.map → chunk-3D4XT5RX.js.map} +1 -1
  8. package/dist/{chunk-KLIW4CDU.cjs → chunk-3DNDVS47.cjs} +5 -5
  9. package/dist/{chunk-KLIW4CDU.cjs.map → chunk-3DNDVS47.cjs.map} +1 -1
  10. package/dist/{chunk-RM4ITWAQ.cjs → chunk-3P3R4Z5I.cjs} +3 -3
  11. package/dist/{chunk-RM4ITWAQ.cjs.map → chunk-3P3R4Z5I.cjs.map} +1 -1
  12. package/dist/{chunk-OHWAEEZJ.js → chunk-3ZAH6OQU.js} +3 -3
  13. package/dist/{chunk-OHWAEEZJ.js.map → chunk-3ZAH6OQU.js.map} +1 -1
  14. package/dist/{chunk-M2ZGNEQS.cjs → chunk-6HC6CCZC.cjs} +4 -4
  15. package/dist/{chunk-M2ZGNEQS.cjs.map → chunk-6HC6CCZC.cjs.map} +1 -1
  16. package/dist/{chunk-AIGB5YCL.js → chunk-AI75K5XV.js} +8 -5
  17. package/dist/chunk-AI75K5XV.js.map +1 -0
  18. package/dist/{chunk-3ARFTVAY.cjs → chunk-B36BCDZ3.cjs} +4 -4
  19. package/dist/{chunk-3ARFTVAY.cjs.map → chunk-B36BCDZ3.cjs.map} +1 -1
  20. package/dist/{chunk-VJDD2ULL.cjs → chunk-BKKJYAT2.cjs} +7 -7
  21. package/dist/{chunk-VJDD2ULL.cjs.map → chunk-BKKJYAT2.cjs.map} +1 -1
  22. package/dist/{chunk-L5AY5PSX.js → chunk-BPICVBDX.js} +4 -4
  23. package/dist/{chunk-L5AY5PSX.js.map → chunk-BPICVBDX.js.map} +1 -1
  24. package/dist/{chunk-U72IZ5BP.cjs → chunk-CELYVWOU.cjs} +4 -4
  25. package/dist/{chunk-U72IZ5BP.cjs.map → chunk-CELYVWOU.cjs.map} +1 -1
  26. package/dist/{chunk-46Y4Y2RB.js → chunk-DPKG24KJ.js} +3 -3
  27. package/dist/{chunk-46Y4Y2RB.js.map → chunk-DPKG24KJ.js.map} +1 -1
  28. package/dist/{chunk-ONBABU5V.cjs → chunk-DVHRHL5N.cjs} +3 -3
  29. package/dist/{chunk-ONBABU5V.cjs.map → chunk-DVHRHL5N.cjs.map} +1 -1
  30. package/dist/{chunk-NIM337G7.cjs → chunk-DY353SJU.cjs} +3 -3
  31. package/dist/{chunk-NIM337G7.cjs.map → chunk-DY353SJU.cjs.map} +1 -1
  32. package/dist/{chunk-JWTDWKDF.cjs → chunk-EKX2MSEX.cjs} +7 -7
  33. package/dist/{chunk-JWTDWKDF.cjs.map → chunk-EKX2MSEX.cjs.map} +1 -1
  34. package/dist/{chunk-R7624SPL.js → chunk-GB67HE2R.js} +4 -4
  35. package/dist/{chunk-R7624SPL.js.map → chunk-GB67HE2R.js.map} +1 -1
  36. package/dist/{chunk-56TEDJND.js → chunk-HZBASZCD.js} +3 -3
  37. package/dist/{chunk-56TEDJND.js.map → chunk-HZBASZCD.js.map} +1 -1
  38. package/dist/{chunk-IJYKXUQT.cjs → chunk-IJ3QZ42Z.cjs} +21 -21
  39. package/dist/{chunk-IJYKXUQT.cjs.map → chunk-IJ3QZ42Z.cjs.map} +1 -1
  40. package/dist/{chunk-6K3PHIDF.cjs → chunk-KHAJSUWO.cjs} +215 -215
  41. package/dist/{chunk-6K3PHIDF.cjs.map → chunk-KHAJSUWO.cjs.map} +1 -1
  42. package/dist/{chunk-W4OKTHH6.js → chunk-KPANUJL7.js} +5 -5
  43. package/dist/{chunk-W4OKTHH6.js.map → chunk-KPANUJL7.js.map} +1 -1
  44. package/dist/{chunk-BTMYAVRX.cjs → chunk-LLXZPATO.cjs} +4 -4
  45. package/dist/{chunk-BTMYAVRX.cjs.map → chunk-LLXZPATO.cjs.map} +1 -1
  46. package/dist/{chunk-WX7XEIYG.cjs → chunk-LPZFNXZ4.cjs} +13 -13
  47. package/dist/{chunk-WX7XEIYG.cjs.map → chunk-LPZFNXZ4.cjs.map} +1 -1
  48. package/dist/{chunk-IZBO5ZFX.js → chunk-LWR3YMQT.js} +5 -5
  49. package/dist/{chunk-IZBO5ZFX.js.map → chunk-LWR3YMQT.js.map} +1 -1
  50. package/dist/{chunk-YD3A4BO6.js → chunk-MHYN6XMP.js} +3 -3
  51. package/dist/{chunk-YD3A4BO6.js.map → chunk-MHYN6XMP.js.map} +1 -1
  52. package/dist/{chunk-B5QILEDQ.js → chunk-NM7LBCW6.js} +4 -4
  53. package/dist/{chunk-B5QILEDQ.js.map → chunk-NM7LBCW6.js.map} +1 -1
  54. package/dist/{chunk-WW4CXOPU.js → chunk-OAEH2ZH7.js} +4 -4
  55. package/dist/{chunk-WW4CXOPU.js.map → chunk-OAEH2ZH7.js.map} +1 -1
  56. package/dist/{chunk-LRSOJJ5T.js → chunk-P7LAK7CJ.js} +3 -3
  57. package/dist/{chunk-LRSOJJ5T.js.map → chunk-P7LAK7CJ.js.map} +1 -1
  58. package/dist/{chunk-XQNAOZJ6.cjs → chunk-PDRMELDM.cjs} +6 -6
  59. package/dist/{chunk-XQNAOZJ6.cjs.map → chunk-PDRMELDM.cjs.map} +1 -1
  60. package/dist/{chunk-E2JNW3QM.js → chunk-PKP37L3H.js} +4 -4
  61. package/dist/{chunk-E2JNW3QM.js.map → chunk-PKP37L3H.js.map} +1 -1
  62. package/dist/{chunk-JZJ3PP2H.cjs → chunk-QDKNDZMW.cjs} +3 -3
  63. package/dist/{chunk-JZJ3PP2H.cjs.map → chunk-QDKNDZMW.cjs.map} +1 -1
  64. package/dist/{chunk-JD3CV3Z6.js → chunk-QGRHXT43.js} +4 -4
  65. package/dist/{chunk-JD3CV3Z6.js.map → chunk-QGRHXT43.js.map} +1 -1
  66. package/dist/{chunk-KBOC52HT.js → chunk-QTWC3NAN.js} +4 -4
  67. package/dist/{chunk-KBOC52HT.js.map → chunk-QTWC3NAN.js.map} +1 -1
  68. package/dist/{chunk-SJPWXUKZ.js → chunk-RABO3TJ4.js} +4 -4
  69. package/dist/{chunk-SJPWXUKZ.js.map → chunk-RABO3TJ4.js.map} +1 -1
  70. package/dist/{chunk-CELN6CUY.js → chunk-RCYDWSCH.js} +5 -5
  71. package/dist/{chunk-CELN6CUY.js.map → chunk-RCYDWSCH.js.map} +1 -1
  72. package/dist/{chunk-BWWBUJB3.js → chunk-RTY5UO5T.js} +3 -3
  73. package/dist/{chunk-BWWBUJB3.js.map → chunk-RTY5UO5T.js.map} +1 -1
  74. package/dist/{chunk-EP6T47YP.cjs → chunk-SZY2NF63.cjs} +5 -5
  75. package/dist/{chunk-EP6T47YP.cjs.map → chunk-SZY2NF63.cjs.map} +1 -1
  76. package/dist/{chunk-H7PCMZDO.cjs → chunk-T6DNAIYV.cjs} +8 -5
  77. package/dist/chunk-T6DNAIYV.cjs.map +1 -0
  78. package/dist/{chunk-UZ43QCIA.cjs → chunk-TFWCZYHH.cjs} +4 -4
  79. package/dist/{chunk-UZ43QCIA.cjs.map → chunk-TFWCZYHH.cjs.map} +1 -1
  80. package/dist/{chunk-ERGSG4B4.js → chunk-THLYTKAB.js} +3 -3
  81. package/dist/{chunk-ERGSG4B4.js.map → chunk-THLYTKAB.js.map} +1 -1
  82. package/dist/{chunk-6EYJHBPH.cjs → chunk-U22DMNOY.cjs} +3 -3
  83. package/dist/{chunk-6EYJHBPH.cjs.map → chunk-U22DMNOY.cjs.map} +1 -1
  84. package/dist/{chunk-42FE4BWR.cjs → chunk-U2EYJ6MW.cjs} +5 -5
  85. package/dist/{chunk-42FE4BWR.cjs.map → chunk-U2EYJ6MW.cjs.map} +1 -1
  86. package/dist/{chunk-KW2BZ5VS.js → chunk-U2PABD63.js} +29 -29
  87. package/dist/{chunk-KW2BZ5VS.js.map → chunk-U2PABD63.js.map} +1 -1
  88. package/dist/{chunk-3PNIWKRR.cjs → chunk-VH3Z6POX.cjs} +5 -5
  89. package/dist/{chunk-3PNIWKRR.cjs.map → chunk-VH3Z6POX.cjs.map} +1 -1
  90. package/dist/{chunk-T32FQPWH.cjs → chunk-VLTKVNN7.cjs} +3 -3
  91. package/dist/{chunk-T32FQPWH.cjs.map → chunk-VLTKVNN7.cjs.map} +1 -1
  92. package/dist/{chunk-HGFJZ44K.cjs → chunk-W4NM3WPA.cjs} +13 -13
  93. package/dist/{chunk-HGFJZ44K.cjs.map → chunk-W4NM3WPA.cjs.map} +1 -1
  94. package/dist/{chunk-TOVVJNOF.js → chunk-WLK45BEV.js} +4 -4
  95. package/dist/{chunk-TOVVJNOF.js.map → chunk-WLK45BEV.js.map} +1 -1
  96. package/dist/{chunk-E4AD2HA2.js → chunk-WVDZYKEG.js} +3 -3
  97. package/dist/{chunk-E4AD2HA2.js.map → chunk-WVDZYKEG.js.map} +1 -1
  98. package/dist/{chunk-5ZC7LW3V.js → chunk-XKR7GYTO.js} +4 -4
  99. package/dist/{chunk-5ZC7LW3V.js.map → chunk-XKR7GYTO.js.map} +1 -1
  100. package/dist/{chunk-3B4FDRBB.js → chunk-XP2KHQUG.js} +6 -6
  101. package/dist/{chunk-3B4FDRBB.js.map → chunk-XP2KHQUG.js.map} +1 -1
  102. package/dist/{chunk-MMY24AC4.js → chunk-XXRCIVFY.js} +3 -3
  103. package/dist/{chunk-MMY24AC4.js.map → chunk-XXRCIVFY.js.map} +1 -1
  104. package/dist/{chunk-GU4AEOGA.cjs → chunk-YGUQ5EQN.cjs} +3 -3
  105. package/dist/{chunk-GU4AEOGA.cjs.map → chunk-YGUQ5EQN.cjs.map} +1 -1
  106. package/dist/{chunk-DZD7RZYY.cjs → chunk-YIS4YSRP.cjs} +4 -4
  107. package/dist/{chunk-DZD7RZYY.cjs.map → chunk-YIS4YSRP.cjs.map} +1 -1
  108. package/dist/{chunk-IRJJ2JJG.cjs → chunk-ZTE226KZ.cjs} +4 -4
  109. package/dist/{chunk-IRJJ2JJG.cjs.map → chunk-ZTE226KZ.cjs.map} +1 -1
  110. package/dist/docs/SKILL.md +1 -1
  111. package/dist/docs/assets/SOURCE_MAP.json +1 -1
  112. package/dist/server/handlers/a2a.cjs +14 -14
  113. package/dist/server/handlers/a2a.js +1 -1
  114. package/dist/server/handlers/agent-builder.cjs +17 -17
  115. package/dist/server/handlers/agent-builder.js +1 -1
  116. package/dist/server/handlers/agent-versions.cjs +8 -8
  117. package/dist/server/handlers/agent-versions.js +1 -1
  118. package/dist/server/handlers/agents.cjs +46 -46
  119. package/dist/server/handlers/agents.js +1 -1
  120. package/dist/server/handlers/auth.cjs +13 -13
  121. package/dist/server/handlers/auth.d.ts.map +1 -1
  122. package/dist/server/handlers/auth.js +1 -1
  123. package/dist/server/handlers/conversations.cjs +5 -5
  124. package/dist/server/handlers/conversations.js +1 -1
  125. package/dist/server/handlers/datasets.cjs +26 -26
  126. package/dist/server/handlers/datasets.js +1 -1
  127. package/dist/server/handlers/editor-builder.cjs +6 -6
  128. package/dist/server/handlers/editor-builder.js +1 -1
  129. package/dist/server/handlers/favorites-enrichment.cjs +4 -4
  130. package/dist/server/handlers/favorites-enrichment.js +1 -1
  131. package/dist/server/handlers/logs.cjs +4 -4
  132. package/dist/server/handlers/logs.js +1 -1
  133. package/dist/server/handlers/mcp-client-versions.cjs +8 -8
  134. package/dist/server/handlers/mcp-client-versions.js +1 -1
  135. package/dist/server/handlers/prompt-block-versions.cjs +8 -8
  136. package/dist/server/handlers/prompt-block-versions.js +1 -1
  137. package/dist/server/handlers/responses.cjs +4 -4
  138. package/dist/server/handlers/responses.js +1 -1
  139. package/dist/server/handlers/scorer-versions.cjs +8 -8
  140. package/dist/server/handlers/scorer-versions.js +1 -1
  141. package/dist/server/handlers/scores.cjs +7 -7
  142. package/dist/server/handlers/scores.js +1 -1
  143. package/dist/server/handlers/stored-agent-favorites.cjs +3 -3
  144. package/dist/server/handlers/stored-agent-favorites.js +1 -1
  145. package/dist/server/handlers/stored-agents.cjs +10 -10
  146. package/dist/server/handlers/stored-agents.js +1 -1
  147. package/dist/server/handlers/stored-mcp-clients.cjs +6 -6
  148. package/dist/server/handlers/stored-mcp-clients.js +1 -1
  149. package/dist/server/handlers/stored-prompt-blocks.cjs +6 -6
  150. package/dist/server/handlers/stored-prompt-blocks.js +1 -1
  151. package/dist/server/handlers/stored-scorers.cjs +6 -6
  152. package/dist/server/handlers/stored-scorers.js +1 -1
  153. package/dist/server/handlers/stored-skill-favorites.cjs +3 -3
  154. package/dist/server/handlers/stored-skill-favorites.js +1 -1
  155. package/dist/server/handlers/stored-skills.cjs +7 -7
  156. package/dist/server/handlers/stored-skills.js +1 -1
  157. package/dist/server/handlers/system.cjs +3 -3
  158. package/dist/server/handlers/system.js +1 -1
  159. package/dist/server/handlers/tools.cjs +6 -6
  160. package/dist/server/handlers/tools.js +1 -1
  161. package/dist/server/handlers/workflows.cjs +27 -27
  162. package/dist/server/handlers/workflows.js +1 -1
  163. package/dist/server/handlers.cjs +29 -29
  164. package/dist/server/handlers.js +11 -11
  165. package/dist/server/schemas/index.cjs +552 -552
  166. package/dist/server/schemas/index.js +8 -8
  167. package/dist/server/server-adapter/index.cjs +13 -13
  168. package/dist/server/server-adapter/index.js +2 -2
  169. package/package.json +5 -5
  170. package/dist/chunk-AIGB5YCL.js.map +0 -1
  171. package/dist/chunk-H7PCMZDO.cjs.map +0 -1
@@ -3,33 +3,33 @@ export { createStoredMCPClientBodySchema, createStoredMCPClientResponseSchema, d
3
3
  export { createStoredPromptBlockBodySchema, createStoredPromptBlockResponseSchema, deleteStoredPromptBlockResponseSchema, getStoredPromptBlockResponseSchema, listStoredPromptBlocksQuerySchema, listStoredPromptBlocksResponseSchema, storedPromptBlockIdPathParams, storedPromptBlockSchema, updateStoredPromptBlockBodySchema, updateStoredPromptBlockResponseSchema } from '../../chunk-BUFXUC67.js';
4
4
  export { createStoredScorerBodySchema, createStoredScorerResponseSchema, deleteStoredScorerResponseSchema, getStoredScorerResponseSchema, listStoredScorersQuerySchema, listStoredScorersResponseSchema, storedScorerIdPathParams, storedScorerSchema, updateStoredScorerBodySchema, updateStoredScorerResponseSchema } from '../../chunk-XJ7WQBFW.js';
5
5
  export { SKILL_ORIGIN_METADATA_KEY, buildOriginMetadata, createStoredSkillBodySchema, createStoredSkillResponseSchema, deleteStoredSkillResponseSchema, getStoredSkillResponseSchema, listStoredSkillsQuerySchema, listStoredSkillsResponseSchema, publishStoredSkillBodySchema, publishStoredSkillResponseSchema, readSkillOrigin, skillOriginSchema, storedSkillIdPathParams, storedSkillSchema, updateStoredSkillBodySchema, updateStoredSkillResponseSchema } from '../../chunk-UIRQU4GW.js';
6
+ export { executeProcessorBodySchema, executeProcessorResponseSchema, listProcessorsResponseSchema, processorConfigurationSchema, processorIdPathParams, serializedProcessorSchema as processorSerializedSchema, serializedProcessorDetailSchema } from '../../chunk-2R5GLZJD.js';
6
7
  export { activatePromptBlockVersionResponseSchema, comparePromptBlockVersionsQuerySchema, comparePromptBlockVersionsResponseSchema, createPromptBlockVersionBodySchema, createPromptBlockVersionResponseSchema, deletePromptBlockVersionResponseSchema, getPromptBlockVersionResponseSchema, listPromptBlockVersionsQuerySchema, listPromptBlockVersionsResponseSchema, promptBlockVersionIdPathParams, promptBlockVersionPathParams, promptBlockVersionSchema, restorePromptBlockVersionResponseSchema } from '../../chunk-3BLT6ISZ.js';
7
8
  export { activateScorerVersionResponseSchema, compareScorerVersionsQuerySchema, compareScorerVersionsResponseSchema, createScorerVersionBodySchema, createScorerVersionResponseSchema, deleteScorerVersionResponseSchema, getScorerVersionResponseSchema, listScorerVersionsQuerySchema, listScorerVersionsResponseSchema, restoreScorerVersionResponseSchema, scorerVersionIdPathParams, scorerVersionPathParams, scorerVersionSchema } from '../../chunk-VK3T6KKQ.js';
8
9
  export { getProcessorProviderResponseSchema, getProcessorProvidersResponseSchema, processorProviderIdPathParams } from '../../chunk-SJOVDYRT.js';
9
- export { executeProcessorBodySchema, executeProcessorResponseSchema, listProcessorsResponseSchema, processorConfigurationSchema, processorIdPathParams, serializedProcessorSchema as processorSerializedSchema, serializedProcessorDetailSchema } from '../../chunk-2R5GLZJD.js';
10
10
  export { addItemBodySchema, batchDeleteItemsBodySchema, batchDeleteItemsResponseSchema, batchInsertItemsBodySchema, batchInsertItemsResponseSchema, clusterFailuresBodySchema, clusterFailuresResponseSchema, compareExperimentsBodySchema, comparisonResponseSchema, createDatasetBodySchema, datasetAndExperimentIdPathParams, datasetAndItemIdPathParams, datasetIdPathParams, datasetItemResponseSchema, datasetItemVersionPathParams, datasetResponseSchema, datasetVersionResponseSchema, experimentIdPathParams, experimentResponseSchema, experimentResultIdPathParams, experimentResultResponseSchema, experimentReviewCountsSchema, experimentSummaryResponseSchema, generateItemsBodySchema, generateItemsResponseSchema, itemIdPathParams, itemVersionResponseSchema, listDatasetVersionsResponseSchema, listDatasetsResponseSchema, listExperimentResultsResponseSchema, listExperimentsResponseSchema, listItemVersionsResponseSchema, listItemsQuerySchema, listItemsResponseSchema, paginationQuerySchema, reviewSummaryResponseSchema, scorerResultSchema, triggerExperimentBodySchema, updateDatasetBodySchema, updateExperimentResultBodySchema, updateItemBodySchema } from '../../chunk-N624P3VO.js';
11
11
  export { agentConfigurationSchema, agentFeaturesSchema, agentModelsSchema, builderAvailableModelsResponseSchema, builderModelPolicySchema, builderPickerSchema, builderSettingsResponseSchema, defaultModelEntrySchema, infrastructureStatusResponseSchema, pickerAllowlistSchema, providerModelEntrySchema } from '../../chunk-4BJSE3LM.js';
12
12
  export { activateMCPClientVersionResponseSchema, compareMCPClientVersionsQuerySchema, compareMCPClientVersionsResponseSchema, createMCPClientVersionBodySchema, createMCPClientVersionResponseSchema, deleteMCPClientVersionResponseSchema, getMCPClientVersionResponseSchema, listMCPClientVersionsQuerySchema, listMCPClientVersionsResponseSchema, mcpClientVersionIdPathParams, mcpClientVersionPathParams, mcpClientVersionSchema, restoreMCPClientVersionResponseSchema } from '../../chunk-EFJIK2PW.js';
13
+ export { agentVersionPathParams, agentVersionSchema, compareVersionsResponseSchema, createVersionResponseSchema, getVersionResponseSchema, listVersionsResponseSchema, restoreVersionResponseSchema, versionIdPathParams } from '../../chunk-ONDWDP2S.js';
14
+ export { activateVersionResponseSchema, compareVersionsQuerySchema, createCompareVersionsResponseSchema, createListVersionsResponseSchema, createVersionBodySchema, deleteVersionResponseSchema, listVersionsQuerySchema, versionDiffEntrySchema, versionOrderBySchema } from '../../chunk-3OQMTFIV.js';
13
15
  export { createIndexBodySchema, createIndexResponseSchema, deleteIndexResponseSchema, describeIndexResponseSchema, listEmbeddersResponseSchema, listIndexesResponseSchema, listVectorsResponseSchema, queryVectorsBodySchema, queryVectorsResponseSchema, upsertVectorsBodySchema, upsertVectorsResponseSchema, vectorIndexPathParams, vectorNamePathParams } from '../../chunk-RVICRXZF.js';
14
16
  export { entityPathParams, listScorersResponseSchema, listScoresByEntityIdQuerySchema, listScoresByRunIdQuerySchema, listScoresByScorerIdQuerySchema, saveScoreBodySchema, saveScoreResponseSchema, scorerEntrySchema, scorerIdPathParams, scoresWithPaginationResponseSchema } from '../../chunk-OC4S3EDO.js';
15
- export { listLogTransportsResponseSchema, listLogsQuerySchema, listLogsResponseSchema } from '../../chunk-MXZPGEC2.js';
16
17
  export { getMcpServerDetailQuerySchema, jsonRpcErrorSchema, listMcpServerToolsResponseSchema, listMcpServersQuerySchema, listMcpServersResponseSchema, executeToolBodySchema as mcpExecuteToolBodySchema, executeToolResponseSchema as mcpExecuteToolResponseSchema, mcpServerDetailPathParams, mcpServerIdPathParams, mcpServerToolPathParams, mcpToolInfoSchema, serverDetailSchema, serverInfoSchema, versionDetailSchema } from '../../chunk-356JZOB2.js';
17
18
  export { conversationDeletedSchema, conversationIdPathParams, conversationItemsListSchema, conversationObjectSchema, createConversationBodySchema } from '../../chunk-WOE6XG6B.js';
18
19
  export { conversationItemMessageSchema, conversationItemSchema, conversationMessageContentSchema, createResponseBodySchema, deleteResponseSchema, responseIdPathParams, responseInputMessageSchema, responseInputTextContentSchema, responseInputTextPartSchema, responseObjectSchema, responseOutputFunctionCallOutputSchema, responseOutputFunctionCallSchema, responseOutputItemSchema, responseOutputMessageSchema, responseOutputTextSchema, responseTextFormatSchema, responseToolSchema, responseUsageSchema } from '../../chunk-BIUL4Y6W.js';
19
20
  export { agentIdQuerySchema, awaitBufferStatusBodySchema, awaitBufferStatusResponseSchema, cloneThreadBodySchema, cloneThreadResponseSchema, createThreadBodySchema, createThreadNetworkQuerySchema, deleteMessagesBodySchema, deleteMessagesNetworkQuerySchema, deleteMessagesQuerySchema, deleteMessagesResponseSchema, deleteThreadNetworkQuerySchema, deleteThreadQuerySchema, deleteThreadResponseSchema, getMemoryConfigQuerySchema, getMemoryStatusNetworkQuerySchema, getMemoryStatusQuerySchema, getObservationalMemoryQuerySchema, getObservationalMemoryResponseSchema, getThreadByIdNetworkQuerySchema, getThreadByIdQuerySchema, getThreadByIdResponseSchema, getWorkingMemoryQuerySchema, getWorkingMemoryResponseSchema, listMessagesNetworkQuerySchema, listMessagesQuerySchema, listMessagesResponseSchema, listThreadsNetworkQuerySchema, listThreadsQuerySchema, listThreadsResponseSchema, memoryConfigResponseSchema, memoryStatusResponseSchema, optionalAgentIdQuerySchema, saveMessagesBodySchema, saveMessagesNetworkQuerySchema, saveMessagesResponseSchema, searchMemoryQuerySchema, searchMemoryResponseSchema, threadIdPathParams, updateThreadBodySchema, updateThreadNetworkQuerySchema, updateWorkingMemoryBodySchema, updateWorkingMemoryResponseSchema } from '../../chunk-UZKVYNYR.js';
21
+ export { listLogTransportsResponseSchema, listLogsQuerySchema, listLogsResponseSchema } from '../../chunk-MXZPGEC2.js';
20
22
  export { agentExecutionBodySchema as a2aAgentExecutionBodySchema, a2aAgentIdPathParams, a2aTaskPathParams, agentCardResponseSchema, agentExecutionResponseSchema, messageSendBodySchema, taskQueryBodySchema, taskResponseSchema } from '../../chunk-KEE6UMGC.js';
23
+ export { conditionalFieldSchema, createStoredAgentBodySchema, createStoredAgentResponseSchema, deleteStoredAgentResponseSchema, exportStoredAgentBodySchema, exportStoredAgentResponseSchema, getStoredAgentDependentsResponseSchema, getStoredAgentResponseSchema, instructionsSchema, listStoredAgentsQuerySchema, listStoredAgentsResponseSchema, modelConfigSchema, openStoredAgentChangeRequestBodySchema, openStoredAgentChangeRequestResponseSchema, previewInstructionsBodySchema, previewInstructionsResponseSchema, processorGraphEntrySchema, processorGraphStepSchema, processorPhaseSchema, resolvedAuthorSchema, scorerConfigSchema, semanticRecallSchema, serializedMemoryConfigSchema, serializedObservationConfigSchema, serializedObservationalMemoryConfigObjectSchema, serializedObservationalMemoryConfigSchema, serializedReflectionConfigSchema, snapshotConfigSchema, storedAgentIdPathParams, storedAgentSchema, storedProcessorGraphSchema, titleGenerationSchema, toolConfigSchema, toolsConfigSchema, updateStoredAgentBodySchema, updateStoredAgentResponseSchema } from '../../chunk-SPVKRK56.js';
24
+ export { createStoredWorkspaceBodySchema, createStoredWorkspaceResponseSchema, deleteStoredWorkspaceResponseSchema, getStoredWorkspaceResponseSchema, listStoredWorkspacesQuerySchema, listStoredWorkspacesResponseSchema, storedWorkspaceIdPathParams, storedWorkspaceSchema, updateStoredWorkspaceBodySchema, updateStoredWorkspaceResponseSchema, snapshotConfigSchema as workspaceSnapshotConfigSchema } from '../../chunk-64QFFUEH.js';
25
+ export { authStatusToolProviderResponseSchema, authorizeToolProviderBodySchema, authorizeToolProviderResponseSchema, connectionSchema, connectionScopeSchema, connectionStatusToolProviderBodySchema, connectionStatusToolProviderResponseSchema, connectionUsageQuerySchema, connectionUsageResponseSchema, disconnectConnectionQuerySchema, disconnectConnectionResponseSchema, getToolProviderToolSchemaResponseSchema, listConnectionFieldsQuerySchema, listConnectionFieldsResponseSchema, listConnectionsQuerySchema, listConnectionsResponseSchema, listToolProviderToolkitsResponseSchema, listToolProviderToolsQuerySchema, listToolProviderToolsResponseSchema, listToolProvidersResponseSchema, toolProviderAuthStatusPathParams, toolProviderConfigSchema, toolProviderConnectionPathParams, toolProviderHealthResponseSchema, toolProviderIdPathParams, toolProvidersSchema, toolSlugPathParams, updateConnectionBodySchema, updateConnectionResponseSchema } from '../../chunk-SFAWHLOX.js';
26
+ export { ruleGroupSchema, ruleSchema } from '../../chunk-JA4UAHWP.js';
21
27
  export { authenticatedCapabilitiesSchema, authenticatedUserSchema, capabilitiesResponseSchema, capabilityFlagsSchema, credentialsResponseSchema, credentialsSignInBodySchema, credentialsSignUpBodySchema, currentUserResponseSchema, loginConfigSchema, logoutResponseSchema, permissionPatternsResponseSchema, publicCapabilitiesSchema, refreshResponseSchema, ssoCallbackQuerySchema, ssoCallbackResponseSchema, ssoConfigSchema, ssoLoginQuerySchema, ssoLoginResponseSchema, userAccessSchema } from '../../chunk-LWA65ME7.js';
22
28
  export { fileEntrySchema, fsDeleteQuerySchema, fsDeleteResponseSchema, fsListQuerySchema, fsListResponseSchema, fsMkdirBodySchema, fsMkdirResponseSchema, fsPathParams, fsReadQuerySchema, fsReadResponseSchema, fsStatQuerySchema, fsStatResponseSchema, fsWriteBodySchema, fsWriteResponseSchema, getAgentSkillResponseSchema, getSkillResponseSchema, indexBodySchema, indexResponseSchema, listReferencesResponseSchema, listSkillsResponseSchema, listWorkspacesResponseSchema, mountInfoSchema, searchQuerySchema, searchResponseSchema, searchResultSchema, searchSkillsQuerySchema, searchSkillsResponseSchema, skillDisambiguationQuerySchema, skillMetadataSchema, skillMetadataWithPathSchema, skillNamePathParams, skillReferencePathParams, skillReferenceResponseSchema, skillSchema, skillSearchResultSchema, skillSourceSchema, skillsShInstallBodySchema, skillsShInstallResponseSchema, skillsShListResponseSchema, skillsShPopularQuerySchema, skillsShPreviewQuerySchema, skillsShPreviewResponseSchema, skillsShRemoveBodySchema, skillsShRemoveResponseSchema, skillsShSearchQuerySchema, skillsShSearchResponseSchema, skillsShSkillSchema, skillsShSourceSchema, skillsShUpdateBodySchema, skillsShUpdateResponseSchema, workspaceIdPathParams, workspaceInfoResponseSchema } from '../../chunk-ZHULRNJG.js';
23
29
  export { actionIdPathParams, actionRunPathParams, resumeAgentBuilderBodySchema, startAsyncAgentBuilderBodySchema, streamAgentBuilderBodySchema, streamLegacyAgentBuilderBodySchema } from '../../chunk-AAA3TYIM.js';
24
30
  export { createWorkflowRunResponseSchema, listWorkflowRunsQuerySchema, listWorkflowsResponseSchema, sendWorkflowRunEventBodySchema, workflowControlResponseSchema, workflowExecutionResultSchema, workflowInfoSchema, workflowRunResultQuerySchema, workflowRunResultSchema, workflowRunsResponseSchema } from '../../chunk-J3LTFYRY.js';
25
31
  export { abortAgentThreadBodySchema, abortAgentThreadResponseSchema, agentExecutionBodySchema, agentExecutionLegacyBodySchema, agentIdPathParams, agentSkillPathParams, agentToolPathParams, agentVersionQuerySchema, approveNetworkToolCallBodySchema, approveToolCallBodySchema, declineNetworkToolCallBodySchema, declineToolCallBodySchema, enhanceInstructionsBodySchema, enhanceInstructionsResponseSchema, executeToolBodySchema, executeToolContextBodySchema, executeToolResponseSchema, generateResponseSchema, listAgentsResponseSchema, listToolsResponseSchema, modelConfigIdPathParams, modelManagementResponseSchema, observeAgentBodySchema, observeAgentResponseSchema, providerSchema, providersResponseSchema, queueAgentMessageBodySchema, reorderAgentModelListBodySchema, resumeStreamBodySchema, resumeStreamUntilIdleBodySchema, sendAgentMessageBodySchema, sendAgentSignalBodySchema, sendToolApprovalBodySchema, sendToolApprovalResponseSchema, serializedAgentDefinitionSchema, serializedAgentSchema, serializedAgentWithIdSchema, serializedProcessorSchema, serializedToolSchema, serializedWorkflowSchema, streamResponseSchema, streamUntilIdleBodySchema, subscribeAgentThreadBodySchema, toolCallResponseSchema, toolIdPathParams, updateAgentModelBodySchema, updateAgentModelInModelListBodySchema } from '../../chunk-4JILES3G.js';
26
32
  export { generateSpeechBodySchema, getListenerResponseSchema, speakResponseSchema, transcribeSpeechBodySchema, transcribeSpeechResponseSchema, voiceSpeakersResponseSchema } from '../../chunk-LPT77UR6.js';
27
- export { agentVersionPathParams, agentVersionSchema, compareVersionsResponseSchema, createVersionResponseSchema, getVersionResponseSchema, listVersionsResponseSchema, restoreVersionResponseSchema, versionIdPathParams } from '../../chunk-ONDWDP2S.js';
28
- export { activateVersionResponseSchema, compareVersionsQuerySchema, createCompareVersionsResponseSchema, createListVersionsResponseSchema, createVersionBodySchema, deleteVersionResponseSchema, listVersionsQuerySchema, versionDiffEntrySchema, versionOrderBySchema } from '../../chunk-3OQMTFIV.js';
29
- export { conditionalFieldSchema, createStoredAgentBodySchema, createStoredAgentResponseSchema, deleteStoredAgentResponseSchema, exportStoredAgentBodySchema, exportStoredAgentResponseSchema, getStoredAgentDependentsResponseSchema, getStoredAgentResponseSchema, instructionsSchema, listStoredAgentsQuerySchema, listStoredAgentsResponseSchema, modelConfigSchema, openStoredAgentChangeRequestBodySchema, openStoredAgentChangeRequestResponseSchema, previewInstructionsBodySchema, previewInstructionsResponseSchema, processorGraphEntrySchema, processorGraphStepSchema, processorPhaseSchema, resolvedAuthorSchema, scorerConfigSchema, semanticRecallSchema, serializedMemoryConfigSchema, serializedObservationConfigSchema, serializedObservationalMemoryConfigObjectSchema, serializedObservationalMemoryConfigSchema, serializedReflectionConfigSchema, snapshotConfigSchema, storedAgentIdPathParams, storedAgentSchema, storedProcessorGraphSchema, titleGenerationSchema, toolConfigSchema, toolsConfigSchema, updateStoredAgentBodySchema, updateStoredAgentResponseSchema } from '../../chunk-SPVKRK56.js';
30
- export { createStoredWorkspaceBodySchema, createStoredWorkspaceResponseSchema, deleteStoredWorkspaceResponseSchema, getStoredWorkspaceResponseSchema, listStoredWorkspacesQuerySchema, listStoredWorkspacesResponseSchema, storedWorkspaceIdPathParams, storedWorkspaceSchema, updateStoredWorkspaceBodySchema, updateStoredWorkspaceResponseSchema, snapshotConfigSchema as workspaceSnapshotConfigSchema } from '../../chunk-64QFFUEH.js';
31
- export { authStatusToolProviderResponseSchema, authorizeToolProviderBodySchema, authorizeToolProviderResponseSchema, connectionSchema, connectionScopeSchema, connectionStatusToolProviderBodySchema, connectionStatusToolProviderResponseSchema, connectionUsageQuerySchema, connectionUsageResponseSchema, disconnectConnectionQuerySchema, disconnectConnectionResponseSchema, getToolProviderToolSchemaResponseSchema, listConnectionFieldsQuerySchema, listConnectionFieldsResponseSchema, listConnectionsQuerySchema, listConnectionsResponseSchema, listToolProviderToolkitsResponseSchema, listToolProviderToolsQuerySchema, listToolProviderToolsResponseSchema, listToolProvidersResponseSchema, toolProviderAuthStatusPathParams, toolProviderConfigSchema, toolProviderConnectionPathParams, toolProviderHealthResponseSchema, toolProviderIdPathParams, toolProvidersSchema, toolSlugPathParams, updateConnectionBodySchema, updateConnectionResponseSchema } from '../../chunk-SFAWHLOX.js';
32
- export { ruleGroupSchema, ruleSchema } from '../../chunk-JA4UAHWP.js';
33
33
  export { defaultOptionsSchema } from '../../chunk-TKP6FJQ3.js';
34
34
  export { baseLogMessageSchema, coreMessageSchema, createCombinedPaginationSchema, createPagePaginationSchema, messageResponseSchema, optionalRunIdSchema, paginationInfoSchema, partialQuerySchema, runIdSchema, statusQuerySchema, successResponseSchema, tracingOptionsSchema } from '../../chunk-2YY3EMMS.js';
35
35
  //# sourceMappingURL=index.js.map
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- var chunk6K3PHIDF_cjs = require('../../chunk-6K3PHIDF.cjs');
3
+ var chunkKHAJSUWO_cjs = require('../../chunk-KHAJSUWO.cjs');
4
4
  var chunk4PQR3D5Y_cjs = require('../../chunk-4PQR3D5Y.cjs');
5
5
  var chunkGZ4HWZWE_cjs = require('../../chunk-GZ4HWZWE.cjs');
6
6
  var chunkZ7LCIYK7_cjs = require('../../chunk-Z7LCIYK7.cjs');
@@ -62,7 +62,7 @@ function getBuiltInRouteFGAConfig(route) {
62
62
  if (!isProtectedFGARoute(route) || !route.path || !route.method) {
63
63
  return null;
64
64
  }
65
- const permission = chunk6K3PHIDF_cjs.getEffectivePermission(route);
65
+ const permission = chunkKHAJSUWO_cjs.getEffectivePermission(route);
66
66
  if (!permission) {
67
67
  return null;
68
68
  }
@@ -269,7 +269,7 @@ function getFGARouteInfo(route) {
269
269
  };
270
270
  }
271
271
  function getRoutePermissions(route) {
272
- return [chunk6K3PHIDF_cjs.getEffectivePermission(route), route.fga?.permission].flatMap((value) => Array.isArray(value) ? value : [value]).filter((permission) => Boolean(permission));
272
+ return [chunkKHAJSUWO_cjs.getEffectivePermission(route), route.fga?.permission].flatMap((value) => Array.isArray(value) ? value : [value]).filter((permission) => Boolean(permission));
273
273
  }
274
274
  async function resolveRouteFGAConfig(fgaProvider, route, requestContext, params) {
275
275
  if (route.fga) {
@@ -603,7 +603,7 @@ var MastraServer = class _MastraServer extends server.MastraServerBase {
603
603
  if (!rbacProvider) {
604
604
  return null;
605
605
  }
606
- const requiredPermission = chunk6K3PHIDF_cjs.getEffectivePermission(route);
606
+ const requiredPermission = chunkKHAJSUWO_cjs.getEffectivePermission(route);
607
607
  if (!requiredPermission) {
608
608
  return null;
609
609
  }
@@ -696,7 +696,7 @@ Ensure @mastra/core is updated to a version that includes EE support.`
696
696
  const customRoutes = (this.customApiRoutes ?? serverConfig?.apiRoutes ?? []).filter(
697
697
  (route) => !route._mastraInternal
698
698
  );
699
- const routes = [...chunk6K3PHIDF_cjs.SERVER_ROUTES, ...customRoutes];
699
+ const routes = [...chunkKHAJSUWO_cjs.SERVER_ROUTES, ...customRoutes];
700
700
  if (fgaProvider.validatePermissions) {
701
701
  const permissions = [...new Set(routes.flatMap((route) => getRoutePermissions(route)))];
702
702
  await fgaProvider.validatePermissions(permissions);
@@ -868,7 +868,7 @@ Ensure @mastra/core is updated to a version that includes EE support.`
868
868
  * Builds the OpenAPI spec object with servers field and custom route paths.
869
869
  */
870
870
  buildOpenAPISpec(config, prefix) {
871
- const openApiSpec = chunkG54X6VE6_cjs.generateOpenAPIDocument(chunk6K3PHIDF_cjs.SERVER_ROUTES, config);
871
+ const openApiSpec = chunkG54X6VE6_cjs.generateOpenAPIDocument(chunkKHAJSUWO_cjs.SERVER_ROUTES, config);
872
872
  if (prefix) {
873
873
  openApiSpec.servers = [{ url: prefix }];
874
874
  }
@@ -903,7 +903,7 @@ Ensure @mastra/core is updated to a version that includes EE support.`
903
903
  await this.registerRoute(app, openApiRoute, { prefix });
904
904
  }
905
905
  async registerRoutes() {
906
- for (const route of chunk6K3PHIDF_cjs.SERVER_ROUTES) {
906
+ for (const route of chunkKHAJSUWO_cjs.SERVER_ROUTES) {
907
907
  await this.registerRoute(this.app, route, { prefix: this.prefix });
908
908
  }
909
909
  if (this.openapiPath) {
@@ -992,7 +992,7 @@ async function checkRouteFGA(mastra, route, requestContext, params) {
992
992
  message: "FGA authorization denied: route FGA metadata is incomplete"
993
993
  };
994
994
  }
995
- const effectivePermission = route.path ? chunk6K3PHIDF_cjs.getEffectivePermission(route) : null;
995
+ const effectivePermission = route.path ? chunkKHAJSUWO_cjs.getEffectivePermission(route) : null;
996
996
  const permission = fgaConfig.permission || effectivePermission || `${getFGAResourcePermissionSlug(fgaConfig.resourceType)}:${deriveFGAAction(route.method)}`;
997
997
  const authorized = await fgaProvider.check(user, {
998
998
  resource: { type: fgaConfig.resourceType, id: resourceId },
@@ -1034,23 +1034,23 @@ function getFGAResourcePermissionSlug(resourceType) {
1034
1034
 
1035
1035
  Object.defineProperty(exports, "SERVER_ROUTES", {
1036
1036
  enumerable: true,
1037
- get: function () { return chunk6K3PHIDF_cjs.SERVER_ROUTES; }
1037
+ get: function () { return chunkKHAJSUWO_cjs.SERVER_ROUTES; }
1038
1038
  });
1039
1039
  Object.defineProperty(exports, "deriveAction", {
1040
1040
  enumerable: true,
1041
- get: function () { return chunk6K3PHIDF_cjs.deriveAction; }
1041
+ get: function () { return chunkKHAJSUWO_cjs.deriveAction; }
1042
1042
  });
1043
1043
  Object.defineProperty(exports, "derivePermission", {
1044
1044
  enumerable: true,
1045
- get: function () { return chunk6K3PHIDF_cjs.derivePermission; }
1045
+ get: function () { return chunkKHAJSUWO_cjs.derivePermission; }
1046
1046
  });
1047
1047
  Object.defineProperty(exports, "extractResource", {
1048
1048
  enumerable: true,
1049
- get: function () { return chunk6K3PHIDF_cjs.extractResource; }
1049
+ get: function () { return chunkKHAJSUWO_cjs.extractResource; }
1050
1050
  });
1051
1051
  Object.defineProperty(exports, "getEffectivePermission", {
1052
1052
  enumerable: true,
1053
- get: function () { return chunk6K3PHIDF_cjs.getEffectivePermission; }
1053
+ get: function () { return chunkKHAJSUWO_cjs.getEffectivePermission; }
1054
1054
  });
1055
1055
  Object.defineProperty(exports, "WorkflowRegistry", {
1056
1056
  enumerable: true,
@@ -1,5 +1,5 @@
1
- import { getEffectivePermission, SERVER_ROUTES } from '../../chunk-KW2BZ5VS.js';
2
- export { SERVER_ROUTES, deriveAction, derivePermission, extractResource, getEffectivePermission } from '../../chunk-KW2BZ5VS.js';
1
+ import { getEffectivePermission, SERVER_ROUTES } from '../../chunk-U2PABD63.js';
2
+ export { SERVER_ROUTES, deriveAction, derivePermission, extractResource, getEffectivePermission } from '../../chunk-U2PABD63.js';
3
3
  import { coreAuthMiddleware } from '../../chunk-HATXNJ4V.js';
4
4
  import { normalizeRoutePath } from '../../chunk-IBUJJIRW.js';
5
5
  export { WorkflowRegistry, normalizeRoutePath } from '../../chunk-IBUJJIRW.js';
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mastra/server",
3
- "version": "1.43.1-alpha.0",
3
+ "version": "1.44.0-alpha.1",
4
4
  "description": "",
5
5
  "type": "module",
6
6
  "files": [
@@ -115,15 +115,15 @@
115
115
  "vitest": "4.1.8",
116
116
  "zod": "^4.4.3",
117
117
  "zod-to-ts": "^2.1.0",
118
+ "@internal/lint": "0.0.105",
118
119
  "@internal/core": "0.0.0",
119
120
  "@internal/storage-test-utils": "0.0.101",
120
- "@internal/lint": "0.0.105",
121
121
  "@internal/types-builder": "0.0.80",
122
+ "@internal/test-utils": "0.0.41",
122
123
  "@mastra/agent-builder": "1.0.44-alpha.0",
123
124
  "@internal/voice": "0.0.6",
124
- "@internal/test-utils": "0.0.41",
125
- "@mastra/core": "1.43.1-alpha.0",
126
- "@mastra/schema-compat": "1.2.14-alpha.0"
125
+ "@mastra/schema-compat": "1.2.14-alpha.0",
126
+ "@mastra/core": "1.44.0-alpha.1"
127
127
  },
128
128
  "homepage": "https://mastra.ai",
129
129
  "repository": {
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/server/handlers/auth.ts"],"names":["mastra"],"mappings":";;;;;;;;AA0CA,IAAI,yBAAA;AACJ,SAAS,qBAAA,GAAkE;AACzE,EAAA,IAAI,CAAC,yBAAA,EAA2B;AAC9B,IAAA,yBAAA,GAA4B,OAAO,sBAAsB,CAAA,CACtD,IAAA,CAAK,OAAK,CAAA,CAAE,iBAAwC,CAAA,CACpD,KAAA,CAAM,MAAM;AACX,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN;AAAA,OACF;AACA,MAAA,OAAO,MAAA;AAAA,IACT,CAAC,CAAA;AAAA,EACL;AACA,EAAA,OAAO,yBAAA;AACT;AAEA,IAAI,0BAAA;AACJ,SAAS,sBAAA,GAAuE;AAC9E,EAAA,IAAI,CAAC,0BAAA,EAA4B;AAC/B,IAAA,0BAAA,GAA6B,OAAO,sBAAsB,CAAA,CACvD,IAAA,CAAK,OAAK,CAAA,CAAE,mBAA8C,CAAA,CAC1D,KAAA,CAAM,MAAM;AACX,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN;AAAA,OACF;AACA,MAAA,OAAO,MAAA;AAAA,IACT,CAAC,CAAA;AAAA,EACL;AACA,EAAA,OAAO,0BAAA;AACT;AASA,SAAS,eAAA,CAAgB,QAAa,QAAA,EAA+C;AAEnF,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,MAAM,gBAAgB,YAAA,EAAc,IAAA,IAAQ,OAAO,YAAA,CAAa,KAAK,iBAAA,KAAsB,UAAA;AAG3F,EAAA,IAAI,YAAY,aAAA,EAAe;AAC7B,IAAA,OAAO,YAAA,CAAa,IAAA;AAAA,EACtB;AAIA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,IAAI,CAAC,YAAA,EAAc,IAAA,EAAM,OAAO,IAAA;AAIhC,EAAA,IAAI,OAAO,YAAA,CAAa,IAAA,CAAK,iBAAA,KAAsB,UAAA,EAAY;AAC7D,IAAA,OAAO,YAAA,CAAa,IAAA;AAAA,EACtB;AAEA,EAAA,OAAO,IAAA;AACT;AAKA,SAAS,gBAAgB,OAAA,EAA2B;AAClD,EAAA,OAAO,yBAAyB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,yBAAyB,KAAK,MAAS,CAAA;AAC7F;AAoBO,SAAS,gBAAgB,OAAA,EAA0B;AACxD,EAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK;AACnF,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,OAAO,WAAW,aAAa,CAAA,CAAA;AAAA,EACjC;AAEA,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA;AACvC,EAAA,IAAI,IAAA,EAAM;AACR,IAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK;AACrF,IAAA,MAAM,KAAA,GAAQ,cAAA,IAAkB,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE,QAAA,CAAS,OAAA,CAAQ,GAAA,EAAK,EAAE,CAAA;AAC7E,IAAA,OAAO,CAAA,EAAG,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA,CAAA;AAAA,EAC3B;AAEA,EAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE,MAAA;AAC9B;AAMA,SAAS,eAAA,CAAgB,QAAa,QAAA,EAAuD;AAC3F,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,IAAA,IAAI,cAAc,IAAA,EAAM;AACtB,MAAA,OAAO,YAAA,CAAa,IAAA;AAAA,IACtB;AAAA,EACF;AACA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,OAAO,YAAA,EAAc,IAAA;AACvB;AAMA,SAAS,cAAA,CAAe,QAAa,QAAA,EAAsD;AACzF,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,IAAA,IAAI,cAAc,GAAA,EAAK;AACrB,MAAA,OAAO,YAAA,CAAa,GAAA;AAAA,IACtB;AAAA,EACF;AACA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,OAAO,YAAA,EAAc,GAAA;AACvB;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,QAAQ,OAAO,IAAA,KAAS,YAAY,OAAQ,IAAA,CAAa,MAAM,CAAA,KAAM,UAAA;AACvF;AAMO,IAAM,8BAA8B,iBAAA,CAAkB;AAAA,EAC3D,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,0BAAA;AAAA,EAChB,OAAA,EAAS,uBAAA;AAAA,EACT,WAAA,EACE,2HAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,WAAA,EAAY,GAAI,GAAA;AAGzC,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,EAAM;AACT,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,MACvC;AAEA,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAC7C,MAAA,MAAM,GAAA,GAAM,cAAA,CAAe,MAAA,EAAQ,QAAQ,CAAA;AAE3C,MAAA,MAAM,iBAAA,GAAoB,MAAM,qBAAA,EAAsB;AACtD,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,MACvC;AACA,MAAA,MAAM,YAAA,GAAe,MAAM,iBAAA,CAAkB,IAAA,EAAM,OAAA,EAAS,EAAE,IAAA,EAAM,GAAA,EAAK,SAAA,EAAW,WAAA,EAAa,CAAA;AAIjG,MAAA,IAAI,EAAE,MAAA,IAAU,YAAA,CAAA,IAAiB,sBAAA,CAAuB,IAAI,CAAA,EAAG;AAC7D,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AAC5D,UAAA,IAAI,SAAA,EAAW;AACb,YAAA,MAAM,gBAAA,GAAmB,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,CAAA;AAC5D,YAAA,IAAI,gBAAA,EAAkB;AACpB,cAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,iBAAA,CAAkB,gBAAgB,CAAA;AACpE,cAAA,MAAM,WAAA,GAAc,yBAAyB,cAAc,CAAA;AAC3D,cAAA,IAAI,WAAA,EAAa;AAEf,gBAAA,MAAM,gBAAA,GAAmB,IAAI,OAAA,CAAQ,OAAA,CAAQ,GAAA,EAAK;AAAA,kBAChD,QAAQ,OAAA,CAAQ,MAAA;AAAA,kBAChB,OAAA,EAAS,IAAI,OAAA,CAAQ,OAAA,CAAQ,OAAO;AAAA,iBACrC,CAAA;AACD,gBAAA,gBAAA,CAAiB,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAClD,gBAAA,MAAM,qBAAA,GAAwB,MAAM,iBAAA,CAAkB,IAAA,EAAM,gBAAA,EAAkB;AAAA,kBAC5E,IAAA;AAAA,kBACA,SAAA,EAAW;AAAA,iBACZ,CAAA;AAGD,gBAAA,IAAI,UAAU,qBAAA,EAAuB;AACnC,kBAAC,sBAA8B,gBAAA,GAAmB,cAAA;AAAA,gBACpD;AACA,gBAAA,OAAO,qBAAA;AAAA,cACT;AAAA,YACF;AAAA,UACF;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAO,YAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,iCAAiC,CAAA;AAAA,IAC7D;AAAA,EACF;AACF,CAAC;AAKD,SAAS,yBAAyB,OAAA,EAAgD;AAChF,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,YAAY,CAAA,IAAK,QAAQ,YAAY,CAAA;AAC/D,EAAA,IAAI,CAAC,WAAW,OAAO,IAAA;AAEvB,EAAA,MAAM,KAAA,GAAQ,SAAA,CAAU,KAAA,CAAM,UAAU,CAAA;AACxC,EAAA,OAAO,KAAA,GAAS,KAAA,CAAM,CAAC,CAAA,IAAK,IAAA,GAAQ,IAAA;AACtC;AAMO,IAAM,yBAAyB,iBAAA,CAAkB;AAAA,EACtD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,UAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,yBAAA;AAAA,EAChB,OAAA,EAAS,kBAAA;AAAA,EACT,WAAA,EAAa,yEAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AACxC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAC7C,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AACxE,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,MAAA,IAAI,KAAA;AACJ,MAAA,IAAI,WAAA;AAEJ,MAAA,IAAI,IAAA,EAAM;AACR,QAAA,IAAI;AACF,UAAA,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAChC,UAAA,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAAA,QAC9C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,IAAI,IAAA,CAAK,EAAA;AAAA,QACT,OAAO,IAAA,CAAK,KAAA;AAAA,QACZ,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,WAAW,IAAA,CAAK,SAAA;AAAA,QAChB,KAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,4BAA4B,CAAA;AAAA,IACxD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,sBAAsB,iBAAA,CAAkB;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,iBAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,gBAAA,EAAkB,mBAAA;AAAA,EAClB,OAAA,EAAS,oBAAA;AAAA,EACT,WAAA,EAAa,4DAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,YAAA,EAAc,OAAA,EAAS,aAAY,GAAI,GAAA;AACvD,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AACxC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,EAAG;AACpE,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,sBAAsB,CAAA;AAAA,MAChE;AAGA,MAAA,MAAM,MAAA,GAAS,gBAAgB,OAAO,CAAA;AACtC,MAAA,MAAM,GAAA,GAAA,CAAQ,WAAA,IAA0B,MAAA,EAAQ,IAAA,EAAK;AACrD,MAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,MAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,MAAA,MAAM,gBAAA,GAAmB,CAAA,EAAG,MAAM,CAAA,EAAG,MAAM,CAAA,kBAAA,CAAA;AAO3C,MAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,IAAI,CAAC,YAAA,CAAa,UAAA,CAAW,MAAM,CAAA,EAAG;AAEpC,UAAA,iBAAA,GAAoB,YAAA;AAAA,QACtB,CAAA,MAAO;AACL,UAAA,IAAI;AACF,YAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,YAAY,CAAA;AACxC,YAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,MAAM,CAAA;AACpC,YAAA,MAAM,OAAA,GAAU,WAAA,CAAY,QAAA,KAAa,OAAA,IAAW,YAAY,QAAA,KAAa,QAAA;AAC7E,YAAA,MAAM,YAAA,GAAe,WAAA,CAAY,MAAA,KAAW,aAAA,CAAc,MAAA;AAC1D,YAAA,MAAM,WAAA,GACJ,YAAY,QAAA,KAAa,WAAA,IACzB,YAAY,QAAA,KAAa,WAAA,IACzB,YAAY,QAAA,KAAa,OAAA;AAC3B,YAAA,IAAI,OAAA,KAAY,gBAAgB,WAAA,CAAA,EAAc;AAC5C,cAAA,iBAAA,GAAoB,YAAA;AAAA,YACtB;AAAA,UACF,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF;AACA,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,QAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,kBAAA,CAAmB,iBAAiB,CAAC,CAAA,CAAA;AAEjE,MAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,OAAA,CAAQ,KAAK,WAAA,CAAY,gBAAA,EAAkB,KAAK,CAAC,CAAA;AAGhF,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAGlE,MAAA,IAAI,mBAAA,CAAkC,IAAA,EAAM,iBAAiB,CAAA,IAAK,KAAK,eAAA,EAAiB;AACtF,QAAA,MAAM,OAAA,GAAU,IAAA,CAAK,eAAA,CAAgB,gBAAA,EAAkB,KAAK,CAAA;AAC5D,QAAA,IAAI,SAAS,MAAA,EAAQ;AAEnB,UAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,YAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,UACrC;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU,EAAE,GAAA,EAAK,QAAA,EAAU,CAAA,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IACjF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,4BAA4B,CAAA;AAAA,IACxD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,yBAAyB,iBAAA,CAAkB;AAAA,EACtD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,gBAAA,EAAkB,sBAAA;AAAA,EAClB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,mFAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,IAAA,EAAM,KAAA,EAAO,SAAQ,GAAI,GAAA;AACzC,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAGxC,IAAA,MAAM,OAAA,GAAU,gBAAgB,OAAO,CAAA;AAGvC,IAAA,IAAI,UAAA,GAAa,GAAA;AACjB,IAAA,IAAI,UAAU,KAAA,IAAS,EAAA;AACvB,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,MAAA,MAAM,CAAC,EAAA,EAAI,eAAe,IAAI,KAAA,CAAM,KAAA,CAAM,KAAK,CAAC,CAAA;AAChD,MAAA,OAAA,GAAU,EAAA;AACV,MAAA,IAAI;AACF,QAAA,UAAA,GAAa,mBAAmB,eAAe,CAAA;AAAA,MACjD,CAAA,CAAA,MAAQ;AACN,QAAA,UAAA,GAAa,GAAA;AAAA,MACf;AAAA,IACF;AAMA,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,UAAA,CAAW,UAAA,CAAW,MAAM,CAAA,EAAG;AACjC,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,UAAU,CAAA;AACjC,QAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,OAAO,CAAA;AAClC,QAAA,MAAM,OAAA,GAAU,MAAA,CAAO,QAAA,KAAa,OAAA,IAAW,OAAO,QAAA,KAAa,QAAA;AACnE,QAAA,MAAM,YAAA,GAAe,MAAA,CAAO,MAAA,KAAW,UAAA,CAAW,MAAA;AAClD,QAAA,MAAM,WAAA,GACJ,OAAO,QAAA,KAAa,WAAA,IAAe,OAAO,QAAA,KAAa,WAAA,IAAe,OAAO,QAAA,KAAa,OAAA;AAC5F,QAAA,gBAAA,GAAmB,OAAA,KAAY,YAAA,IAAgB,WAAA,CAAA,GAAe,UAAA,GAAa,GAAG,OAAO,CAAA,CAAA,CAAA;AAAA,MACvF,CAAA,CAAA,MAAQ;AACN,QAAA,gBAAA,GAAmB,GAAG,OAAO,CAAA,CAAA,CAAA;AAAA,MAC/B;AAAA,IACF,CAAA,MAAO;AACL,MAAA,gBAAA,GAAmB,CAAA,EAAG,OAAO,CAAA,EAAG,UAAU,CAAA,CAAA;AAAA,IAC5C;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAkC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AACvE,QAAA,OAAO,QAAA,CAAS,QAAA,CAAS,CAAA,EAAG,gBAAgB,6BAA6B,GAAG,CAAA;AAAA,MAC9E;AAGA,MAAA,MAAM,eAAA,GAAkB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACpD,MAAA,IAAI,OAAQ,IAAA,CAAa,uBAAA,KAA4B,UAAA,EAAY;AAC/D,QAAC,IAAA,CAAa,wBAAwB,eAAe,CAAA;AAAA,MACvD;AAEA,MAAA,MAAM,MAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,MAAM,OAAO,CAAA;AACvD,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAGpB,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,GAAA,CAAI,YAAY,gBAAgB,CAAA;AAGxC,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF,WAAW,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,OAAO,MAAA,EAAQ;AAExF,QAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,EAAA,EAAI;AAAA,UAChD,WAAA,EAAa,OAAO,MAAA,CAAO,WAAA;AAAA,UAC3B,YAAA,EAAc,OAAO,MAAA,CAAO,YAAA;AAAA,UAC5B,SAAA,EAAW,OAAO,MAAA,CAAO,SAAA;AAAA,UACzB,gBAAiB,IAAA,CAAa;AAAA,SAC/B,CAAA;AACD,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,OAAO,CAAA;AACrD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,cAAc,CAAA,EAAG;AACzD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,EAAM;AAAA,QACxB,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AAEd,MAAA,MAAM,eAAe,kBAAA,CAAmB,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,eAAe,CAAA;AAChG,MAAA,OAAO,SAAS,QAAA,CAAS,CAAA,EAAG,gBAAgB,CAAA,OAAA,EAAU,YAAY,IAAI,GAAG,CAAA;AAAA,IAC3E;AAAA,EACF;AACF,CAAC;AAMM,IAAM,oBAAoB,iBAAA,CAAkB;AAAA,EACjD,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,cAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,OAAA,EAAS,QAAA;AAAA,EACT,WAAA,EAAa,4EAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,EAAM;AACT,QAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,CAAA,EAAG;AAAA,UACrD,MAAA,EAAQ,GAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,SAC/C,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,yBAAyB,CAAA,EAAG;AAC1E,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACtD,QAAA,IAAI,SAAA,IAAa,mBAAA,CAAsC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AAC9E,UAAA,MAAM,IAAA,CAAK,eAAe,SAAS,CAAA;AAAA,QACrC;AAAA,MACF;AAGA,MAAA,IAAI,UAAA;AACJ,MAAA,IAAI,mBAAA,CAAkC,IAAA,EAAM,cAAc,CAAA,IAAK,KAAK,YAAA,EAAc;AAEhF,QAAA,MAAM,MAAA,GAAS,gBAAgB,OAAO,CAAA;AACtC,QAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,YAAA,CAAa,QAAQ,OAAO,CAAA;AACzD,QAAA,UAAA,GAAa,SAAA,IAAa,MAAA;AAAA,MAC5B;AAGA,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAGlE,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,wBAAwB,CAAA,EAAG;AACzE,QAAA,MAAM,YAAA,GAAe,KAAK,sBAAA,EAAuB;AACjD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AACvD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,UAAA,EAAY,CAAA,EAAG;AAAA,QACjE,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,mBAAmB,CAAA;AAAA,IAC/C;AAAA,EACF;AACF,CAAC;AAMM,IAAM,qBAAqB,iBAAA,CAAkB;AAAA,EAClD,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,eAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,cAAA,EAAgB,qBAAA;AAAA,EAChB,OAAA,EAAS,iBAAA;AAAA,EACT,WAAA,EAAa,4FAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IACE,CAAC,IAAA,IACD,CAAC,mBAAA,CAAsC,IAAA,EAAM,gBAAgB,CAAA,IAC7D,CAAC,mBAAA,CAAsC,IAAA,EAAM,yBAAyB,CAAA,EACtE;AACA,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,kCAAkC,CAAA;AAAA,MAC5E;AAGA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACtD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,cAAc,CAAA;AAAA,MACxD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,CAAA;AACtD,MAAA,IAAI,CAAC,UAAA,EAAY;AACf,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,mBAAmB,CAAA;AAAA,MAC7D;AAGA,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAClE,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,mBAAmB,CAAA,EAAG;AACpE,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,UAAU,CAAA;AACxD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,cAAc,CAAA,EAAG;AACzD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,CAAA,EAAG;AAAA,QACrD,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,eAAe,MAAM,KAAA;AAC1C,MAAA,OAAO,WAAA,CAAY,OAAO,0BAA0B,CAAA;AAAA,IACtD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,iCAAiC,iBAAA,CAAkB;AAAA,EAC9D,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,UAAA,EAAY,2BAAA;AAAA,EACZ,OAAA,EAAS,0BAAA;AAAA,EACT,WAAA,EAAa,+CAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,KAAA,EAAO,UAAS,GAAI,GAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AACvE,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6CAA6C,CAAA;AAAA,MACvF;AAEA,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,KAAA,EAAO,UAAU,OAAO,CAAA;AACzD,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,MAAA,MAAM,YAAA,GAAe,KAAK,SAAA,CAAU;AAAA,QAClC,IAAA,EAAM;AAAA,UACJ,IAAI,IAAA,CAAK,EAAA;AAAA,UACT,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,WAAW,IAAA,CAAK;AAAA,SAClB;AAAA,QACA,OAAO,MAAA,CAAO;AAAA,OACf,CAAA;AAGD,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC1B,cAAA,EAAgB;AAAA,OACjB,CAAA;AAGD,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,YAAA,EAAc,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IAC5D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,eAAe,MAAM,KAAA;AAE1C,MAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6BAA6B,CAAA;AAAA,IACvE;AAAA,EACF;AACF,CAAC;AAMM,IAAM,iCAAiC,iBAAA,CAAkB;AAAA,EAC9D,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,UAAA,EAAY,2BAAA;AAAA,EACZ,OAAA,EAAS,0BAAA;AAAA,EACT,WAAA,EAAa,qDAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,KAAA,EAAO,QAAA,EAAU,MAAK,GAAI,GAAA;AACnD,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AACvE,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6CAA6C,CAAA;AAAA,MACvF;AAEA,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,OAAO,KAAA,EAAO,QAAA,EAAU,MAAM,OAAO,CAAA;AAC/D,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,MAAA,MAAM,YAAA,GAAe,KAAK,SAAA,CAAU;AAAA,QAClC,IAAA,EAAM;AAAA,UACJ,IAAI,IAAA,CAAK,EAAA;AAAA,UACT,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,WAAW,IAAA,CAAK;AAAA,SAClB;AAAA,QACA,OAAO,MAAA,CAAO;AAAA,OACf,CAAA;AAGD,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC1B,cAAA,EAAgB;AAAA,OACjB,CAAA;AAGD,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,YAAA,EAAc,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IAC5D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,eAAe,MAAM,KAAA;AAC1C,MAAA,MAAMA,UAAU,GAAA,CAAY,MAAA;AAC5B,MAAAA,OAAAA,EAAQ,SAAA,IAAY,EAAG,KAAA,CAAM,eAAA,EAAiB;AAAA,QAC5C,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,MAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI;AAAA,OAClF,CAAA;AACD,MAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,4BAA4B,CAAA;AAAA,IACtE;AAAA,EACF;AACF,CAAC;AAMD,IAAM,yBAAA,GAA4B,EAAE,MAAA,CAAO,EAAE,QAAQ,CAAA,CAAE,MAAA,IAAU,CAAA;AACjE,IAAM,6BAAA,GAAgC,CAAA,CAAE,MAAA,CAAO,EAAE,QAAQ,CAAA,CAAE,MAAA,EAAO,EAAG,WAAA,EAAa,EAAE,KAAA,CAAM,CAAA,CAAE,MAAA,EAAQ,GAAG,CAAA;AAEhG,IAAM,6BAA6B,WAAA,CAAY;AAAA,EACpD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,iCAAA;AAAA,EACN,YAAA,EAAc,IAAA;AAAA,EACd,YAAA,EAAc,MAAA;AAAA,EACd,eAAA,EAAiB,yBAAA;AAAA,EACjB,cAAA,EAAgB,6BAAA;AAAA,EAChB,OAAA,EAAS,4BAAA;AAAA,EACT,WAAA,EACE,2HAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,cAAA,EAAgB,MAAA,EAAO,GAAI,GAAA;AAG3C,MAAA,MAAM,iBAAA,GAA8B,cAAA,EAAgB,GAAA,CAAI,2BAA2B,KAAK,EAAC;AACzF,MAAA,MAAM,OAAA,GAAU,kBAAkB,IAAA,CAAK,CAAC,MAAc,CAAA,KAAM,GAAA,IAAO,MAAM,KAAK,CAAA;AAC9E,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,yBAAyB,CAAA;AAAA,MACnE;AAEA,MAAA,MAAM,IAAA,GAAO,gBAAgB,MAAM,CAAA;AACnC,MAAA,IAAI,CAAC,MAAM,qBAAA,EAAuB;AAChC,QAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6DAA6D,CAAA;AAAA,MACvG;AAEA,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,qBAAA,CAAsB,MAAM,CAAA;AAC3D,MAAA,OAAO,EAAE,QAAQ,WAAA,EAAY;AAAA,IAC/B,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,eAAe,MAAM,KAAA;AAC1C,MAAA,OAAO,WAAA,CAAY,OAAO,gCAAgC,CAAA;AAAA,IAC5D;AAAA,EACF;AACF,CAAC;AAMM,IAAM,gCAAgC,WAAA,CAAY;AAAA,EACvD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,IAAA;AAAA,EACd,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,gCAAA;AAAA,EAChB,OAAA,EAAS,gCAAA;AAAA,EACT,WAAA,EACE,qKAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,SAAS,YAAY;AACnB,IAAA,MAAM,QAAA,GAAW,MAAM,sBAAA,EAAuB;AAC9C,IAAA,OAAO,EAAE,QAAA,EAAU,MAAA,CAAO,KAAK,QAAA,IAAY,EAAE,CAAA,EAAE;AAAA,EACjD;AACF,CAAC;AAMM,IAAM,WAAA,GAAc;AAAA,EACzB,2BAAA;AAAA,EACA,sBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,8BAAA;AAAA,EACA,8BAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACF","file":"chunk-AIGB5YCL.js","sourcesContent":["/**\n * Auth handlers for EE authentication capabilities.\n *\n * These routes enable Studio to:\n * - Detect available auth capabilities\n * - Initiate SSO login flows\n * - Handle OAuth callbacks\n * - Logout users\n */\n\nimport type {\n IUserProvider,\n ISessionProvider,\n ISSOProvider,\n ICredentialsProvider,\n SSOCallbackResult,\n} from '@mastra/core/auth';\nimport type { IRBACProvider, IFGAProvider, EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProvider } from '@mastra/core/server';\n\nimport { z } from 'zod/v4';\nimport { supportsSessionRefresh } from '../auth/helpers';\nimport { MASTRA_USER_PERMISSIONS_KEY, MASTRA_CLIENT_TYPE_HEADER, isStudioClientTypeHeader } from '../constants';\nimport { HTTPException } from '../http-exception';\nimport {\n capabilitiesResponseSchema,\n ssoLoginQuerySchema,\n ssoCallbackQuerySchema,\n currentUserResponseSchema,\n credentialsSignInBodySchema,\n credentialsSignUpBodySchema,\n refreshResponseSchema,\n permissionPatternsResponseSchema,\n} from '../schemas/auth';\nimport { createPublicRoute, createRoute } from '../server-adapter/routes/route-builder';\nimport { handleError } from './error';\n\ntype BuildCapabilitiesFn = (\n auth: any,\n request: Request,\n options?: { rbac?: any; fga?: any; apiPrefix?: string },\n) => Promise<any>;\nlet _buildCapabilitiesPromise: Promise<BuildCapabilitiesFn | undefined> | undefined;\nfunction loadBuildCapabilities(): Promise<BuildCapabilitiesFn | undefined> {\n if (!_buildCapabilitiesPromise) {\n _buildCapabilitiesPromise = import('@mastra/core/auth/ee')\n .then(m => m.buildCapabilities as BuildCapabilitiesFn)\n .catch(() => {\n console.error(\n '[@mastra/server] EE auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest',\n );\n return undefined;\n });\n }\n return _buildCapabilitiesPromise;\n}\n\nlet _permissionPatternsPromise: Promise<Record<string, unknown> | undefined> | undefined;\nfunction loadPermissionPatterns(): Promise<Record<string, unknown> | undefined> {\n if (!_permissionPatternsPromise) {\n _permissionPatternsPromise = import('@mastra/core/auth/ee')\n .then(m => m.PERMISSION_PATTERNS as Record<string, unknown>)\n .catch(() => {\n console.error(\n '[@mastra/server] EE auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest',\n );\n return undefined;\n });\n }\n return _permissionPatternsPromise;\n}\n\n/**\n * Helper to get auth provider from Mastra instance.\n *\n * Dual auth is OPT-IN: if studio.auth is explicitly configured, Studio requests\n * use it exclusively. Otherwise, Studio requests fall back to server.auth for\n * backward compatibility.\n */\nfunction getAuthProvider(mastra: any, isStudio?: boolean): MastraAuthProvider | null {\n // Check if studio.auth is explicitly configured\n const studioConfig = mastra.getStudio?.();\n const hasStudioAuth = studioConfig?.auth && typeof studioConfig.auth.authenticateToken === 'function';\n\n // If this is a Studio request AND studio.auth is configured, use it exclusively\n if (isStudio && hasStudioAuth) {\n return studioConfig.auth as MastraAuthProvider;\n }\n\n // Otherwise (non-studio request, OR studio request without studio.auth configured),\n // fall back to server.auth for backward compatibility\n const serverConfig = mastra.getServer?.();\n if (!serverConfig?.auth) return null;\n\n // Auth can be either MastraAuthConfig or MastraAuthProvider\n // If it has authenticateToken method, it's a provider\n if (typeof serverConfig.auth.authenticateToken === 'function') {\n return serverConfig.auth as MastraAuthProvider;\n }\n\n return null;\n}\n\n/**\n * Check if the request is from Studio (via x-mastra-client-type header).\n */\nfunction isStudioRequest(request: Request): boolean {\n return isStudioClientTypeHeader(request.headers.get(MASTRA_CLIENT_TYPE_HEADER) ?? undefined);\n}\n\n/**\n * Get the public-facing origin from a request, respecting reverse proxy headers.\n * Behind a proxy (e.g. edge router), request.url contains the internal hostname,\n * so we rely on forwarded headers to reconstruct the real public origin.\n *\n * Assumes the server is behind a trusted proxy (or running locally). When\n * exposed directly to untrusted clients, the Host header is attacker-controlled\n * and must be validated upstream.\n *\n * Priority:\n * 1. X-Forwarded-Host (traditional reverse proxy) → always HTTPS. Knative's\n * queue-proxy overwrites X-Forwarded-Proto based on the internal HTTP\n * connection, so X-Forwarded-Proto is ignored here.\n * 2. Host header with X-Forwarded-Proto (AWS ALB, some proxies) → respect proto.\n * 3. Host header alone → use the scheme from request.url (covers both direct\n * HTTP access and proxies that preserve Host but don't set a proto header).\n * 4. No Host header → fall back to request.url.origin (local dev / direct access).\n */\nexport function getPublicOrigin(request: Request): string {\n const forwardedHost = request.headers.get('x-forwarded-host')?.split(',')[0]?.trim();\n if (forwardedHost) {\n return `https://${forwardedHost}`;\n }\n\n const host = request.headers.get('host');\n if (host) {\n const forwardedProto = request.headers.get('x-forwarded-proto')?.split(',')[0]?.trim();\n const proto = forwardedProto || new URL(request.url).protocol.replace(':', '');\n return `${proto}://${host}`;\n }\n\n return new URL(request.url).origin;\n}\n\n/**\n * Helper to get RBAC provider from Mastra config.\n * Checks studio config first when isStudio is true.\n */\nfunction getRBACProvider(mastra: any, isStudio?: boolean): IRBACProvider<EEUser> | undefined {\n if (isStudio) {\n const studioConfig = mastra.getStudio?.();\n if (studioConfig?.rbac) {\n return studioConfig.rbac as IRBACProvider<EEUser>;\n }\n }\n const serverConfig = mastra.getServer?.();\n return serverConfig?.rbac as IRBACProvider<EEUser> | undefined;\n}\n\n/**\n * Helper to get FGA provider from Mastra config.\n * Checks studio config first when isStudio is true.\n */\nfunction getFGAProvider(mastra: any, isStudio?: boolean): IFGAProvider<EEUser> | undefined {\n if (isStudio) {\n const studioConfig = mastra.getStudio?.();\n if (studioConfig?.fga) {\n return studioConfig.fga as IFGAProvider<EEUser>;\n }\n }\n const serverConfig = mastra.getServer?.();\n return serverConfig?.fga as IFGAProvider<EEUser> | undefined;\n}\n\n/**\n * Type guard to check if auth provider implements an interface.\n */\nfunction implementsInterface<T>(auth: unknown, method: keyof T): auth is T {\n return auth !== null && typeof auth === 'object' && typeof (auth as any)[method] === 'function';\n}\n\n// ============================================================================\n// GET /auth/capabilities\n// ============================================================================\n\nexport const GET_AUTH_CAPABILITIES_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/capabilities',\n responseType: 'json',\n responseSchema: capabilitiesResponseSchema,\n summary: 'Get auth capabilities',\n description:\n 'Returns authentication capabilities and current user info. Used by Studio to determine available features and user state.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, request, routePrefix } = ctx as any;\n\n // Check if this is a Studio request (via x-mastra-client-type header)\n const isStudio = isStudioRequest(request);\n\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth) {\n return { enabled: false, login: null };\n }\n\n const rbac = getRBACProvider(mastra, isStudio);\n const fga = getFGAProvider(mastra, isStudio);\n\n const buildCapabilities = await loadBuildCapabilities();\n if (!buildCapabilities) {\n return { enabled: false, login: null };\n }\n const capabilities = await buildCapabilities(auth, request, { rbac, fga, apiPrefix: routePrefix });\n\n // If capabilities came back without a user, the session may have expired.\n // Attempt a transparent refresh (same logic as coreAuthMiddleware) and retry.\n if (!('user' in capabilities) && supportsSessionRefresh(auth)) {\n try {\n const sessionId = await auth.getSessionIdFromRequest(request);\n if (sessionId) {\n const refreshedSession = await auth.refreshSession(sessionId);\n if (refreshedSession) {\n const sessionHeaders = await auth.getSessionHeaders(refreshedSession);\n const cookieValue = extractCookieFromHeaders(sessionHeaders);\n if (cookieValue) {\n // Rebuild capabilities with the refreshed cookie\n const refreshedRequest = new Request(request.url, {\n method: request.method,\n headers: new Headers(request.headers),\n });\n refreshedRequest.headers.set('Cookie', cookieValue);\n const refreshedCapabilities = await buildCapabilities(auth, refreshedRequest, {\n rbac,\n apiPrefix: routePrefix,\n });\n\n // Attach refresh headers so the adapter can set the new cookie\n if ('user' in refreshedCapabilities) {\n (refreshedCapabilities as any).__refreshHeaders = sessionHeaders;\n }\n return refreshedCapabilities;\n }\n }\n }\n } catch {\n // Refresh failed — return original unauthenticated capabilities\n }\n }\n\n return capabilities;\n } catch (error) {\n return handleError(error, 'Error getting auth capabilities');\n }\n },\n});\n\n/**\n * Extract a full cookie string from session headers (e.g. Set-Cookie → Cookie).\n */\nfunction extractCookieFromHeaders(headers: Record<string, string>): string | null {\n const setCookie = headers['Set-Cookie'] || headers['set-cookie'];\n if (!setCookie) return null;\n // Set-Cookie value is \"name=value; Path=/; ...\" — extract \"name=value\"\n const match = setCookie.match(/^([^;]+)/);\n return match ? (match[1] ?? null) : null;\n}\n\n// ============================================================================\n// GET /auth/me\n// ============================================================================\n\nexport const GET_CURRENT_USER_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/me',\n responseType: 'json',\n responseSchema: currentUserResponseSchema,\n summary: 'Get current user',\n description: 'Returns the currently authenticated user, or null if not authenticated.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n const auth = getAuthProvider(mastra, isStudio);\n const rbac = getRBACProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<IUserProvider>(auth, 'getCurrentUser')) {\n return null;\n }\n\n const user = await auth.getCurrentUser(request);\n if (!user) return null;\n\n // Get roles/permissions from RBAC provider if available\n let roles: string[] | undefined;\n let permissions: string[] | undefined;\n\n if (rbac) {\n try {\n roles = await rbac.getRoles(user);\n permissions = await rbac.getPermissions(user);\n } catch {\n // RBAC not available or failed\n }\n }\n\n return {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n roles,\n permissions,\n };\n } catch (error) {\n return handleError(error, 'Error getting current user');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/sso/login\n// ============================================================================\n\nexport const GET_SSO_LOGIN_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/sso/login',\n responseType: 'datastream-response',\n queryParamSchema: ssoLoginQuerySchema,\n summary: 'Initiate SSO login',\n description: 'Returns the SSO login URL and sets PKCE cookies if needed.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, redirect_uri, request, routePrefix } = ctx as any;\n const isStudio = isStudioRequest(request);\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ISSOProvider>(auth, 'getLoginUrl')) {\n throw new HTTPException(404, { message: 'SSO not configured' });\n }\n\n // Build OAuth callback URI using the configured route prefix\n const origin = getPublicOrigin(request);\n const raw = ((routePrefix as string) || '/api').trim();\n const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n const prefix = withSlash.endsWith('/') ? withSlash.slice(0, -1) : withSlash;\n const oauthCallbackUri = `${origin}${prefix}/auth/sso/callback`;\n\n // Encode the post-login redirect in state (where user goes after auth completes)\n // State format: uuid|postLoginRedirect\n // Validate redirect_uri to prevent open-redirect attacks: allow relative paths,\n // same-origin URLs, and localhost URLs (for dev setups where Studio runs on a\n // different port).\n let postLoginRedirect = '/';\n if (redirect_uri) {\n if (!redirect_uri.startsWith('http')) {\n // Relative path — always safe\n postLoginRedirect = redirect_uri;\n } else {\n try {\n const redirectUrl = new URL(redirect_uri);\n const requestOrigin = new URL(origin);\n const isHttps = redirectUrl.protocol === 'http:' || redirectUrl.protocol === 'https:';\n const isSameOrigin = redirectUrl.origin === requestOrigin.origin;\n const isLocalhost =\n redirectUrl.hostname === 'localhost' ||\n redirectUrl.hostname === '127.0.0.1' ||\n redirectUrl.hostname === '[::1]';\n if (isHttps && (isSameOrigin || isLocalhost)) {\n postLoginRedirect = redirect_uri;\n }\n } catch {\n // Malformed URL — fall back to /\n }\n }\n }\n const stateId = crypto.randomUUID();\n const state = `${stateId}|${encodeURIComponent(postLoginRedirect)}`;\n\n const loginUrl = await Promise.resolve(auth.getLoginUrl(oauthCallbackUri, state));\n\n // Build response with optional PKCE cookies\n const headers = new Headers({ 'Content-Type': 'application/json' });\n\n // Check for PKCE cookies (e.g., MastraCloudAuthProvider)\n if (implementsInterface<ISSOProvider>(auth, 'getLoginCookies') && auth.getLoginCookies) {\n const cookies = auth.getLoginCookies(oauthCallbackUri, state);\n if (cookies?.length) {\n // PKCE cookies set for SSO state management\n for (const cookie of cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n }\n\n return new Response(JSON.stringify({ url: loginUrl }), { status: 200, headers });\n } catch (error) {\n return handleError(error, 'Error initiating SSO login');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/sso/callback\n// ============================================================================\n\nexport const GET_SSO_CALLBACK_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/sso/callback',\n responseType: 'datastream-response',\n queryParamSchema: ssoCallbackQuerySchema,\n summary: 'Handle SSO callback',\n description: 'Handles the OAuth callback, exchanges code for session, and redirects to the app.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, code, state, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n // Build base URL for redirects (Response.redirect requires absolute URL)\n const baseUrl = getPublicOrigin(request);\n\n // Extract post-login redirect from state (format: uuid|encodedRedirect)\n let redirectTo = '/';\n let stateId = state || '';\n if (state && state.includes('|')) {\n const [id, encodedRedirect] = state.split('|', 2);\n stateId = id;\n try {\n redirectTo = decodeURIComponent(encodedRedirect);\n } catch {\n redirectTo = '/';\n }\n }\n\n // Build absolute redirect URL.\n // The redirect_uri was validated at the login endpoint (same-origin or localhost\n // only), so the state should only contain safe URLs. We still apply defense-in-depth\n // checks here: allow http(s) same-origin or localhost, reject everything else.\n let absoluteRedirect: string;\n if (redirectTo.startsWith('http')) {\n try {\n const parsed = new URL(redirectTo);\n const baseOrigin = new URL(baseUrl);\n const isHttps = parsed.protocol === 'http:' || parsed.protocol === 'https:';\n const isSameOrigin = parsed.origin === baseOrigin.origin;\n const isLocalhost =\n parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1' || parsed.hostname === '[::1]';\n absoluteRedirect = isHttps && (isSameOrigin || isLocalhost) ? redirectTo : `${baseUrl}/`;\n } catch {\n absoluteRedirect = `${baseUrl}/`;\n }\n } else {\n absoluteRedirect = `${baseUrl}${redirectTo}`;\n }\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ISSOProvider>(auth, 'handleCallback')) {\n return Response.redirect(`${absoluteRedirect}?error=sso_not_configured`, 302);\n }\n\n // Pass cookie header to provider for PKCE validation (if supported)\n const reqCookieHeader = request.headers.get('cookie');\n if (typeof (auth as any).setCallbackCookieHeader === 'function') {\n (auth as any).setCallbackCookieHeader(reqCookieHeader);\n }\n\n const result = (await auth.handleCallback(code, stateId)) as SSOCallbackResult<EEUser>;\n const user = result.user as EEUser;\n\n // Build response headers (session cookies, etc.)\n const headers = new Headers();\n headers.set('Location', absoluteRedirect);\n\n // Set session cookies from the SSO result\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n } else if (implementsInterface<ISessionProvider>(auth, 'createSession') && result.tokens) {\n // Fallback: Create session manually for providers without cookie support\n const session = await auth.createSession(user.id, {\n accessToken: result.tokens.accessToken,\n refreshToken: result.tokens.refreshToken,\n expiresAt: result.tokens.expiresAt,\n organizationId: (user as any).organizationId,\n });\n const sessionHeaders = auth.getSessionHeaders(session);\n for (const [key, value] of Object.entries(sessionHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(null, {\n status: 302,\n headers,\n });\n } catch (error) {\n // Redirect with error (use absolute URL)\n const errorMessage = encodeURIComponent(error instanceof Error ? error.message : 'Unknown error');\n return Response.redirect(`${absoluteRedirect}?error=${errorMessage}`, 302);\n }\n },\n});\n\n// ============================================================================\n// POST /auth/logout\n// ============================================================================\n\nexport const POST_LOGOUT_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/logout',\n responseType: 'datastream-response',\n summary: 'Logout',\n description: 'Destroys the current session and returns logout redirect URL if available.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth) {\n return new Response(JSON.stringify({ success: true }), {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n });\n }\n\n // Get session ID and destroy it\n if (implementsInterface<ISessionProvider>(auth, 'getSessionIdFromRequest')) {\n const sessionId = auth.getSessionIdFromRequest(request);\n if (sessionId && implementsInterface<ISessionProvider>(auth, 'destroySession')) {\n await auth.destroySession(sessionId);\n }\n }\n\n // Get logout URL if available\n let redirectTo: string | undefined;\n if (implementsInterface<ISSOProvider>(auth, 'getLogoutUrl') && auth.getLogoutUrl) {\n // Use public origin (respects X-Forwarded-Host behind reverse proxy)\n const origin = getPublicOrigin(request);\n const logoutUrl = await auth.getLogoutUrl(origin, request);\n redirectTo = logoutUrl ?? undefined;\n }\n\n // Build response with session clearing headers\n const headers = new Headers({ 'Content-Type': 'application/json' });\n\n // Clear session cookie\n if (implementsInterface<ISessionProvider>(auth, 'getClearSessionHeaders')) {\n const clearHeaders = auth.getClearSessionHeaders();\n for (const [key, value] of Object.entries(clearHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(JSON.stringify({ success: true, redirectTo }), {\n status: 200,\n headers,\n });\n } catch (error) {\n return handleError(error, 'Error logging out');\n }\n },\n});\n\n// ============================================================================\n// POST /auth/refresh\n// ============================================================================\n\nexport const POST_REFRESH_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/refresh',\n responseType: 'datastream-response',\n responseSchema: refreshResponseSchema,\n summary: 'Refresh session',\n description: 'Refreshes the current session, extending its expiry. Sets a new session cookie on success.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (\n !auth ||\n !implementsInterface<ISessionProvider>(auth, 'refreshSession') ||\n !implementsInterface<ISessionProvider>(auth, 'getSessionIdFromRequest')\n ) {\n throw new HTTPException(404, { message: 'Session refresh not configured' });\n }\n\n // Get session ID from request\n const sessionId = auth.getSessionIdFromRequest(request);\n if (!sessionId) {\n throw new HTTPException(401, { message: 'No session' });\n }\n\n // Refresh the session\n const newSession = await auth.refreshSession(sessionId);\n if (!newSession) {\n throw new HTTPException(401, { message: 'Session expired' });\n }\n\n // Build response with new session headers\n const headers = new Headers({ 'Content-Type': 'application/json' });\n if (implementsInterface<ISessionProvider>(auth, 'getSessionHeaders')) {\n const sessionHeaders = auth.getSessionHeaders(newSession);\n for (const [key, value] of Object.entries(sessionHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(JSON.stringify({ success: true }), {\n status: 200,\n headers,\n });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n return handleError(error, 'Error refreshing session');\n }\n },\n});\n\n// ============================================================================\n// POST /auth/credentials/sign-in\n// ============================================================================\n\nexport const POST_CREDENTIALS_SIGN_IN_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/credentials/sign-in',\n responseType: 'datastream-response',\n bodySchema: credentialsSignInBodySchema,\n summary: 'Sign in with credentials',\n description: 'Authenticates a user with email and password.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request, email, password } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ICredentialsProvider>(auth, 'signIn')) {\n throw new HTTPException(404, { message: 'Credentials authentication not configured' });\n }\n\n const result = await auth.signIn(email, password, request);\n const user = result.user as EEUser;\n\n const responseBody = JSON.stringify({\n user: {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n },\n token: result.token,\n });\n\n // Build response headers, including cookies from the auth provider\n const headers = new Headers({\n 'Content-Type': 'application/json',\n });\n\n // Forward session cookies from the auth provider\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n\n return new Response(responseBody, { status: 200, headers });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n // Return a generic error for auth failures to avoid leaking info\n throw new HTTPException(401, { message: 'Invalid email or password' });\n }\n },\n});\n\n// ============================================================================\n// POST /auth/credentials/sign-up\n// ============================================================================\n\nexport const POST_CREDENTIALS_SIGN_UP_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/credentials/sign-up',\n responseType: 'datastream-response',\n bodySchema: credentialsSignUpBodySchema,\n summary: 'Sign up with credentials',\n description: 'Creates a new user account with email and password.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request, email, password, name } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ICredentialsProvider>(auth, 'signUp')) {\n throw new HTTPException(404, { message: 'Credentials authentication not configured' });\n }\n\n const result = await auth.signUp(email, password, name, request);\n const user = result.user as EEUser;\n\n const responseBody = JSON.stringify({\n user: {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n },\n token: result.token,\n });\n\n // Build response headers, including cookies from the auth provider\n const headers = new Headers({\n 'Content-Type': 'application/json',\n });\n\n // Forward session cookies from the auth provider\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n\n return new Response(responseBody, { status: 200, headers });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n const mastra = (ctx as any).mastra;\n mastra?.getLogger?.()?.error('Sign-up error', {\n error: error instanceof Error ? { message: error.message, stack: error.stack } : error,\n });\n throw new HTTPException(400, { message: 'Failed to create account' });\n }\n },\n});\n\n// ============================================================================\n// GET /auth/roles/:roleId/permissions\n// ============================================================================\n\nconst rolePermissionsPathSchema = z.object({ roleId: z.string() });\nconst rolePermissionsResponseSchema = z.object({ roleId: z.string(), permissions: z.array(z.string()) });\n\nexport const GET_ROLE_PERMISSIONS_ROUTE = createRoute({\n method: 'GET',\n path: '/auth/roles/:roleId/permissions',\n requiresAuth: true,\n responseType: 'json',\n pathParamSchema: rolePermissionsPathSchema,\n responseSchema: rolePermissionsResponseSchema,\n summary: 'Get permissions for a role',\n description:\n 'Returns the resolved permissions for a specific role. Only accessible by admin users. Used by the \"View as role\" feature.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, requestContext, roleId } = ctx as any;\n\n // Check that the caller is an admin\n const callerPermissions: string[] = requestContext?.get(MASTRA_USER_PERMISSIONS_KEY) ?? [];\n const isAdmin = callerPermissions.some((p: string) => p === '*' || p === '*:*');\n if (!isAdmin) {\n throw new HTTPException(403, { message: 'Admin access required' });\n }\n\n const rbac = getRBACProvider(mastra);\n if (!rbac?.getPermissionsForRole) {\n throw new HTTPException(404, { message: 'RBAC provider does not support role permission resolution' });\n }\n\n const permissions = await rbac.getPermissionsForRole(roleId);\n return { roleId, permissions };\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n return handleError(error, 'Error getting role permissions');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/permission-patterns\n// ============================================================================\n\nexport const GET_PERMISSION_PATTERNS_ROUTE = createRoute({\n method: 'GET',\n path: '/auth/permission-patterns',\n requiresAuth: true,\n responseType: 'json',\n responseSchema: permissionPatternsResponseSchema,\n summary: 'List valid permission patterns',\n description:\n 'Returns the authoritative list of valid permission-pattern strings. Used by Studio to validate the route→permission literals it ships and to gate the sidebar.',\n tags: ['Auth'],\n handler: async () => {\n const patterns = await loadPermissionPatterns();\n return { patterns: Object.keys(patterns ?? {}) };\n },\n});\n\n// ============================================================================\n// Export all auth routes\n// ============================================================================\n\nexport const AUTH_ROUTES = [\n GET_AUTH_CAPABILITIES_ROUTE,\n GET_CURRENT_USER_ROUTE,\n GET_SSO_LOGIN_ROUTE,\n GET_SSO_CALLBACK_ROUTE,\n POST_LOGOUT_ROUTE,\n POST_REFRESH_ROUTE,\n POST_CREDENTIALS_SIGN_IN_ROUTE,\n POST_CREDENTIALS_SIGN_UP_ROUTE,\n GET_ROLE_PERMISSIONS_ROUTE,\n GET_PERMISSION_PATTERNS_ROUTE,\n] as const;\n"]}
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/server/handlers/auth.ts"],"names":["isStudioClientTypeHeader","MASTRA_CLIENT_TYPE_HEADER","createPublicRoute","capabilitiesResponseSchema","supportsSessionRefresh","handleError","currentUserResponseSchema","ssoLoginQuerySchema","HTTPException","ssoCallbackQuerySchema","refreshResponseSchema","credentialsSignInBodySchema","credentialsSignUpBodySchema","mastra","z","createRoute","MASTRA_USER_PERMISSIONS_KEY","permissionPatternsResponseSchema"],"mappings":";;;;;;;;;;AA0CA,IAAI,yBAAA;AACJ,SAAS,qBAAA,GAAkE;AACzE,EAAA,IAAI,CAAC,yBAAA,EAA2B;AAC9B,IAAA,yBAAA,GAA4B,OAAO,sBAAsB,CAAA,CACtD,IAAA,CAAK,OAAK,CAAA,CAAE,iBAAwC,CAAA,CACpD,KAAA,CAAM,MAAM;AACX,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN;AAAA,OACF;AACA,MAAA,OAAO,MAAA;AAAA,IACT,CAAC,CAAA;AAAA,EACL;AACA,EAAA,OAAO,yBAAA;AACT;AAEA,IAAI,0BAAA;AACJ,SAAS,sBAAA,GAAuE;AAC9E,EAAA,IAAI,CAAC,0BAAA,EAA4B;AAC/B,IAAA,0BAAA,GAA6B,OAAO,sBAAsB,CAAA,CACvD,IAAA,CAAK,OAAK,CAAA,CAAE,mBAA8C,CAAA,CAC1D,KAAA,CAAM,MAAM;AACX,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN;AAAA,OACF;AACA,MAAA,OAAO,MAAA;AAAA,IACT,CAAC,CAAA;AAAA,EACL;AACA,EAAA,OAAO,0BAAA;AACT;AASA,SAAS,eAAA,CAAgB,QAAa,QAAA,EAA+C;AAEnF,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,MAAM,gBAAgB,YAAA,EAAc,IAAA,IAAQ,OAAO,YAAA,CAAa,KAAK,iBAAA,KAAsB,UAAA;AAG3F,EAAA,IAAI,YAAY,aAAA,EAAe;AAC7B,IAAA,OAAO,YAAA,CAAa,IAAA;AAAA,EACtB;AAIA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,IAAI,CAAC,YAAA,EAAc,IAAA,EAAM,OAAO,IAAA;AAIhC,EAAA,IAAI,OAAO,YAAA,CAAa,IAAA,CAAK,iBAAA,KAAsB,UAAA,EAAY;AAC7D,IAAA,OAAO,YAAA,CAAa,IAAA;AAAA,EACtB;AAEA,EAAA,OAAO,IAAA;AACT;AAKA,SAAS,gBAAgB,OAAA,EAA2B;AAClD,EAAA,OAAOA,2CAAyB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAIC,2CAAyB,KAAK,MAAS,CAAA;AAC7F;AAoBO,SAAS,gBAAgB,OAAA,EAA0B;AACxD,EAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK;AACnF,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,OAAO,WAAW,aAAa,CAAA,CAAA;AAAA,EACjC;AAEA,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA;AACvC,EAAA,IAAI,IAAA,EAAM;AACR,IAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK;AACrF,IAAA,MAAM,KAAA,GAAQ,cAAA,IAAkB,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE,QAAA,CAAS,OAAA,CAAQ,GAAA,EAAK,EAAE,CAAA;AAC7E,IAAA,OAAO,CAAA,EAAG,KAAK,CAAA,GAAA,EAAM,IAAI,CAAA,CAAA;AAAA,EAC3B;AAEA,EAAA,OAAO,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE,MAAA;AAC9B;AAMA,SAAS,eAAA,CAAgB,QAAa,QAAA,EAAuD;AAC3F,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,IAAA,IAAI,cAAc,IAAA,EAAM;AACtB,MAAA,OAAO,YAAA,CAAa,IAAA;AAAA,IACtB;AAAA,EACF;AACA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,OAAO,YAAA,EAAc,IAAA;AACvB;AAMA,SAAS,cAAA,CAAe,QAAa,QAAA,EAAsD;AACzF,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,IAAA,IAAI,cAAc,GAAA,EAAK;AACrB,MAAA,OAAO,YAAA,CAAa,GAAA;AAAA,IACtB;AAAA,EACF;AACA,EAAA,MAAM,YAAA,GAAe,OAAO,SAAA,IAAY;AACxC,EAAA,OAAO,YAAA,EAAc,GAAA;AACvB;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,QAAQ,OAAO,IAAA,KAAS,YAAY,OAAQ,IAAA,CAAa,MAAM,CAAA,KAAM,UAAA;AACvF;AAMO,IAAM,8BAA8BC,mCAAA,CAAkB;AAAA,EAC3D,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgBC,4CAAA;AAAA,EAChB,OAAA,EAAS,uBAAA;AAAA,EACT,WAAA,EACE,2HAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,WAAA,EAAY,GAAI,GAAA;AAGzC,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,EAAM;AACT,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,MACvC;AAEA,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAC7C,MAAA,MAAM,GAAA,GAAM,cAAA,CAAe,MAAA,EAAQ,QAAQ,CAAA;AAE3C,MAAA,MAAM,iBAAA,GAAoB,MAAM,qBAAA,EAAsB;AACtD,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,MACvC;AACA,MAAA,MAAM,YAAA,GAAe,MAAM,iBAAA,CAAkB,IAAA,EAAM,OAAA,EAAS,EAAE,IAAA,EAAM,GAAA,EAAK,SAAA,EAAW,WAAA,EAAa,CAAA;AAIjG,MAAA,IAAI,EAAE,MAAA,IAAU,YAAA,CAAA,IAAiBC,wCAAA,CAAuB,IAAI,CAAA,EAAG;AAC7D,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AAC5D,UAAA,IAAI,SAAA,EAAW;AACb,YAAA,MAAM,gBAAA,GAAmB,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,CAAA;AAC5D,YAAA,IAAI,gBAAA,EAAkB;AACpB,cAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,iBAAA,CAAkB,gBAAgB,CAAA;AACpE,cAAA,MAAM,WAAA,GAAc,yBAAyB,cAAc,CAAA;AAC3D,cAAA,IAAI,WAAA,EAAa;AAEf,gBAAA,MAAM,gBAAA,GAAmB,IAAI,OAAA,CAAQ,OAAA,CAAQ,GAAA,EAAK;AAAA,kBAChD,QAAQ,OAAA,CAAQ,MAAA;AAAA,kBAChB,OAAA,EAAS,IAAI,OAAA,CAAQ,OAAA,CAAQ,OAAO;AAAA,iBACrC,CAAA;AACD,gBAAA,gBAAA,CAAiB,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAClD,gBAAA,MAAM,qBAAA,GAAwB,MAAM,iBAAA,CAAkB,IAAA,EAAM,gBAAA,EAAkB;AAAA,kBAC5E,IAAA;AAAA,kBACA,SAAA,EAAW;AAAA,iBACZ,CAAA;AAGD,gBAAA,IAAI,UAAU,qBAAA,EAAuB;AACnC,kBAAC,sBAA8B,gBAAA,GAAmB,cAAA;AAAA,gBACpD;AACA,gBAAA,OAAO,qBAAA;AAAA,cACT;AAAA,YACF;AAAA,UACF;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAO,YAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAOC,6BAAA,CAAY,OAAO,iCAAiC,CAAA;AAAA,IAC7D;AAAA,EACF;AACF,CAAC;AAKD,SAAS,yBAAyB,OAAA,EAAgD;AAChF,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,YAAY,CAAA,IAAK,QAAQ,YAAY,CAAA;AAC/D,EAAA,IAAI,CAAC,WAAW,OAAO,IAAA;AAEvB,EAAA,MAAM,KAAA,GAAQ,SAAA,CAAU,KAAA,CAAM,UAAU,CAAA;AACxC,EAAA,OAAO,KAAA,GAAS,KAAA,CAAM,CAAC,CAAA,IAAK,IAAA,GAAQ,IAAA;AACtC;AAMO,IAAM,yBAAyBH,mCAAA,CAAkB;AAAA,EACtD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,UAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgBI,2CAAA;AAAA,EAChB,OAAA,EAAS,kBAAA;AAAA,EACT,WAAA,EAAa,yEAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AACxC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAC7C,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AACxE,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;AAC9C,MAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,MAAA,IAAI,KAAA;AACJ,MAAA,IAAI,WAAA;AAEJ,MAAA,IAAI,IAAA,EAAM;AACR,QAAA,IAAI;AACF,UAAA,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAChC,UAAA,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAAA,QAC9C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,IAAI,IAAA,CAAK,EAAA;AAAA,QACT,OAAO,IAAA,CAAK,KAAA;AAAA,QACZ,MAAM,IAAA,CAAK,IAAA;AAAA,QACX,WAAW,IAAA,CAAK,SAAA;AAAA,QAChB,KAAA;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAOD,6BAAA,CAAY,OAAO,4BAA4B,CAAA;AAAA,IACxD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,sBAAsBH,mCAAA,CAAkB;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,iBAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,gBAAA,EAAkBK,qCAAA;AAAA,EAClB,OAAA,EAAS,oBAAA;AAAA,EACT,WAAA,EAAa,4DAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,YAAA,EAAc,OAAA,EAAS,aAAY,GAAI,GAAA;AACvD,MAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AACxC,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,EAAG;AACpE,QAAA,MAAM,IAAIC,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,sBAAsB,CAAA;AAAA,MAChE;AAGA,MAAA,MAAM,MAAA,GAAS,gBAAgB,OAAO,CAAA;AACtC,MAAA,MAAM,GAAA,GAAA,CAAQ,WAAA,IAA0B,MAAA,EAAQ,IAAA,EAAK;AACrD,MAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,MAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,MAAA,MAAM,gBAAA,GAAmB,CAAA,EAAG,MAAM,CAAA,EAAG,MAAM,CAAA,kBAAA,CAAA;AAO3C,MAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,IAAI,CAAC,YAAA,CAAa,UAAA,CAAW,MAAM,CAAA,EAAG;AAEpC,UAAA,iBAAA,GAAoB,YAAA;AAAA,QACtB,CAAA,MAAO;AACL,UAAA,IAAI;AACF,YAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,YAAY,CAAA;AACxC,YAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,MAAM,CAAA;AACpC,YAAA,MAAM,OAAA,GAAU,WAAA,CAAY,QAAA,KAAa,OAAA,IAAW,YAAY,QAAA,KAAa,QAAA;AAC7E,YAAA,MAAM,YAAA,GAAe,WAAA,CAAY,MAAA,KAAW,aAAA,CAAc,MAAA;AAC1D,YAAA,MAAM,WAAA,GACJ,YAAY,QAAA,KAAa,WAAA,IACzB,YAAY,QAAA,KAAa,WAAA,IACzB,YAAY,QAAA,KAAa,OAAA;AAC3B,YAAA,IAAI,OAAA,KAAY,gBAAgB,WAAA,CAAA,EAAc;AAC5C,cAAA,iBAAA,GAAoB,YAAA;AAAA,YACtB;AAAA,UACF,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF;AACA,MAAA,MAAM,OAAA,GAAU,OAAO,UAAA,EAAW;AAClC,MAAA,MAAM,QAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,kBAAA,CAAmB,iBAAiB,CAAC,CAAA,CAAA;AAEjE,MAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,OAAA,CAAQ,KAAK,WAAA,CAAY,gBAAA,EAAkB,KAAK,CAAC,CAAA;AAGhF,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAGlE,MAAA,IAAI,mBAAA,CAAkC,IAAA,EAAM,iBAAiB,CAAA,IAAK,KAAK,eAAA,EAAiB;AACtF,QAAA,MAAM,OAAA,GAAU,IAAA,CAAK,eAAA,CAAgB,gBAAA,EAAkB,KAAK,CAAA;AAC5D,QAAA,IAAI,SAAS,MAAA,EAAQ;AAEnB,UAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,YAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,UACrC;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU,EAAE,GAAA,EAAK,QAAA,EAAU,CAAA,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IACjF,SAAS,KAAA,EAAO;AACd,MAAA,OAAOH,6BAAA,CAAY,OAAO,4BAA4B,CAAA;AAAA,IACxD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,yBAAyBH,mCAAA,CAAkB;AAAA,EACtD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,oBAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,gBAAA,EAAkBO,wCAAA;AAAA,EAClB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,mFAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,IAAA,EAAM,KAAA,EAAO,SAAQ,GAAI,GAAA;AACzC,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAGxC,IAAA,MAAM,OAAA,GAAU,gBAAgB,OAAO,CAAA;AAGvC,IAAA,IAAI,UAAA,GAAa,GAAA;AACjB,IAAA,IAAI,UAAU,KAAA,IAAS,EAAA;AACvB,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,MAAA,MAAM,CAAC,EAAA,EAAI,eAAe,IAAI,KAAA,CAAM,KAAA,CAAM,KAAK,CAAC,CAAA;AAChD,MAAA,OAAA,GAAU,EAAA;AACV,MAAA,IAAI;AACF,QAAA,UAAA,GAAa,mBAAmB,eAAe,CAAA;AAAA,MACjD,CAAA,CAAA,MAAQ;AACN,QAAA,UAAA,GAAa,GAAA;AAAA,MACf;AAAA,IACF;AAMA,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,UAAA,CAAW,UAAA,CAAW,MAAM,CAAA,EAAG;AACjC,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,UAAU,CAAA;AACjC,QAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,OAAO,CAAA;AAClC,QAAA,MAAM,OAAA,GAAU,MAAA,CAAO,QAAA,KAAa,OAAA,IAAW,OAAO,QAAA,KAAa,QAAA;AACnE,QAAA,MAAM,YAAA,GAAe,MAAA,CAAO,MAAA,KAAW,UAAA,CAAW,MAAA;AAClD,QAAA,MAAM,WAAA,GACJ,OAAO,QAAA,KAAa,WAAA,IAAe,OAAO,QAAA,KAAa,WAAA,IAAe,OAAO,QAAA,KAAa,OAAA;AAC5F,QAAA,gBAAA,GAAmB,OAAA,KAAY,YAAA,IAAgB,WAAA,CAAA,GAAe,UAAA,GAAa,GAAG,OAAO,CAAA,CAAA,CAAA;AAAA,MACvF,CAAA,CAAA,MAAQ;AACN,QAAA,gBAAA,GAAmB,GAAG,OAAO,CAAA,CAAA,CAAA;AAAA,MAC/B;AAAA,IACF,CAAA,MAAO;AACL,MAAA,gBAAA,GAAmB,CAAA,EAAG,OAAO,CAAA,EAAG,UAAU,CAAA,CAAA;AAAA,IAC5C;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAAkC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AACvE,QAAA,OAAO,QAAA,CAAS,QAAA,CAAS,CAAA,EAAG,gBAAgB,6BAA6B,GAAG,CAAA;AAAA,MAC9E;AAGA,MAAA,MAAM,eAAA,GAAkB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACpD,MAAA,IAAI,OAAQ,IAAA,CAAa,uBAAA,KAA4B,UAAA,EAAY;AAC/D,QAAC,IAAA,CAAa,wBAAwB,eAAe,CAAA;AAAA,MACvD;AAEA,MAAA,MAAM,MAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,MAAM,OAAO,CAAA;AACvD,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAGpB,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,GAAA,CAAI,YAAY,gBAAgB,CAAA;AAGxC,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF,WAAW,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,OAAO,MAAA,EAAQ;AAExF,QAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,aAAA,CAAc,KAAK,EAAA,EAAI;AAAA,UAChD,WAAA,EAAa,OAAO,MAAA,CAAO,WAAA;AAAA,UAC3B,YAAA,EAAc,OAAO,MAAA,CAAO,YAAA;AAAA,UAC5B,SAAA,EAAW,OAAO,MAAA,CAAO,SAAA;AAAA,UACzB,gBAAiB,IAAA,CAAa;AAAA,SAC/B,CAAA;AACD,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,OAAO,CAAA;AACrD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,cAAc,CAAA,EAAG;AACzD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,EAAM;AAAA,QACxB,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AAEd,MAAA,MAAM,eAAe,kBAAA,CAAmB,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,eAAe,CAAA;AAChG,MAAA,OAAO,SAAS,QAAA,CAAS,CAAA,EAAG,gBAAgB,CAAA,OAAA,EAAU,YAAY,IAAI,GAAG,CAAA;AAAA,IAC3E;AAAA,EACF;AACF,CAAC;AAMM,IAAM,oBAAoBP,mCAAA,CAAkB;AAAA,EACjD,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,cAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,OAAA,EAAS,QAAA;AAAA,EACT,WAAA,EAAa,4EAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,EAAM;AACT,QAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,CAAA,EAAG;AAAA,UACrD,MAAA,EAAQ,GAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,SAC/C,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,yBAAyB,CAAA,EAAG;AAC1E,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACtD,QAAA,IAAI,SAAA,IAAa,mBAAA,CAAsC,IAAA,EAAM,gBAAgB,CAAA,EAAG;AAC9E,UAAA,MAAM,IAAA,CAAK,eAAe,SAAS,CAAA;AAAA,QACrC;AAAA,MACF;AAGA,MAAA,IAAI,UAAA;AACJ,MAAA,IAAI,mBAAA,CAAkC,IAAA,EAAM,cAAc,CAAA,IAAK,KAAK,YAAA,EAAc;AAEhF,QAAA,MAAM,MAAA,GAAS,gBAAgB,OAAO,CAAA;AACtC,QAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,YAAA,CAAa,QAAQ,OAAO,CAAA;AACzD,QAAA,UAAA,GAAa,SAAA,IAAa,MAAA;AAAA,MAC5B;AAGA,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAGlE,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,wBAAwB,CAAA,EAAG;AACzE,QAAA,MAAM,YAAA,GAAe,KAAK,sBAAA,EAAuB;AACjD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,EAAG;AACvD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,UAAA,EAAY,CAAA,EAAG;AAAA,QACjE,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AACd,MAAA,OAAOG,6BAAA,CAAY,OAAO,mBAAmB,CAAA;AAAA,IAC/C;AAAA,EACF;AACF,CAAC;AAMM,IAAM,qBAAqBH,mCAAA,CAAkB;AAAA,EAClD,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,eAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,cAAA,EAAgBQ,uCAAA;AAAA,EAChB,OAAA,EAAS,iBAAA;AAAA,EACT,WAAA,EAAa,4FAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAQ,GAAI,GAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IACE,CAAC,IAAA,IACD,CAAC,mBAAA,CAAsC,IAAA,EAAM,gBAAgB,CAAA,IAC7D,CAAC,mBAAA,CAAsC,IAAA,EAAM,yBAAyB,CAAA,EACtE;AACA,QAAA,MAAM,IAAIF,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,kCAAkC,CAAA;AAAA,MAC5E;AAGA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACtD,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,MAAM,IAAIA,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,cAAc,CAAA;AAAA,MACxD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,CAAA;AACtD,MAAA,IAAI,CAAC,UAAA,EAAY;AACf,QAAA,MAAM,IAAIA,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,mBAAmB,CAAA;AAAA,MAC7D;AAGA,MAAA,MAAM,UAAU,IAAI,OAAA,CAAQ,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AAClE,MAAA,IAAI,mBAAA,CAAsC,IAAA,EAAM,mBAAmB,CAAA,EAAG;AACpE,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,UAAU,CAAA;AACxD,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,cAAc,CAAA,EAAG;AACzD,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,QAC3B;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,IAAA,EAAM,CAAA,EAAG;AAAA,QACrD,MAAA,EAAQ,GAAA;AAAA,QACR;AAAA,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiBA,iCAAe,MAAM,KAAA;AAC1C,MAAA,OAAOH,6BAAA,CAAY,OAAO,0BAA0B,CAAA;AAAA,IACtD;AAAA,EACF;AACF,CAAC;AAMM,IAAM,iCAAiCH,mCAAA,CAAkB;AAAA,EAC9D,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,UAAA,EAAYS,6CAAA;AAAA,EACZ,OAAA,EAAS,0BAAA;AAAA,EACT,WAAA,EAAa,+CAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,KAAA,EAAO,UAAS,GAAI,GAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AACvE,QAAA,MAAM,IAAIH,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6CAA6C,CAAA;AAAA,MACvF;AAEA,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,KAAA,EAAO,UAAU,OAAO,CAAA;AACzD,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,MAAA,MAAM,YAAA,GAAe,KAAK,SAAA,CAAU;AAAA,QAClC,IAAA,EAAM;AAAA,UACJ,IAAI,IAAA,CAAK,EAAA;AAAA,UACT,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,WAAW,IAAA,CAAK;AAAA,SAClB;AAAA,QACA,OAAO,MAAA,CAAO;AAAA,OACf,CAAA;AAGD,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC1B,cAAA,EAAgB;AAAA,OACjB,CAAA;AAGD,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,YAAA,EAAc,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IAC5D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiBA,iCAAe,MAAM,KAAA;AAE1C,MAAA,MAAM,IAAIA,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6BAA6B,CAAA;AAAA,IACvE;AAAA,EACF;AACF,CAAC;AAMM,IAAM,iCAAiCN,mCAAA,CAAkB;AAAA,EAC9D,MAAA,EAAQ,MAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,qBAAA;AAAA,EACd,UAAA,EAAYU,6CAAA;AAAA,EACZ,OAAA,EAAS,0BAAA;AAAA,EACT,WAAA,EAAa,qDAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,KAAA,EAAO,QAAA,EAAU,MAAK,GAAI,GAAA;AACnD,IAAA,MAAM,QAAA,GAAW,gBAAgB,OAAO,CAAA;AAExC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,MAAA,EAAQ,QAAQ,CAAA;AAE7C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AACvE,QAAA,MAAM,IAAIJ,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6CAA6C,CAAA;AAAA,MACvF;AAEA,MAAA,MAAM,SAAS,MAAM,IAAA,CAAK,OAAO,KAAA,EAAO,QAAA,EAAU,MAAM,OAAO,CAAA;AAC/D,MAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,MAAA,MAAM,YAAA,GAAe,KAAK,SAAA,CAAU;AAAA,QAClC,IAAA,EAAM;AAAA,UACJ,IAAI,IAAA,CAAK,EAAA;AAAA,UACT,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,WAAW,IAAA,CAAK;AAAA,SAClB;AAAA,QACA,OAAO,MAAA,CAAO;AAAA,OACf,CAAA;AAGD,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC1B,cAAA,EAAgB;AAAA,OACjB,CAAA;AAGD,MAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,QAAA,KAAA,MAAW,MAAA,IAAU,OAAO,OAAA,EAAS;AACnC,UAAA,OAAA,CAAQ,MAAA,CAAO,cAAc,MAAM,CAAA;AAAA,QACrC;AAAA,MACF;AAEA,MAAA,OAAO,IAAI,QAAA,CAAS,YAAA,EAAc,EAAE,MAAA,EAAQ,GAAA,EAAK,SAAS,CAAA;AAAA,IAC5D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiBA,iCAAe,MAAM,KAAA;AAC1C,MAAA,MAAMK,UAAU,GAAA,CAAY,MAAA;AAC5B,MAAAA,OAAAA,EAAQ,SAAA,IAAY,EAAG,KAAA,CAAM,eAAA,EAAiB;AAAA,QAC5C,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,EAAE,OAAA,EAAS,MAAM,OAAA,EAAS,KAAA,EAAO,KAAA,CAAM,KAAA,EAAM,GAAI;AAAA,OAClF,CAAA;AACD,MAAA,MAAM,IAAIL,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,4BAA4B,CAAA;AAAA,IACtE;AAAA,EACF;AACF,CAAC;AAMD,IAAM,yBAAA,GAA4BM,KAAE,MAAA,CAAO,EAAE,QAAQA,IAAA,CAAE,MAAA,IAAU,CAAA;AACjE,IAAM,6BAAA,GAAgCA,IAAA,CAAE,MAAA,CAAO,EAAE,QAAQA,IAAA,CAAE,MAAA,EAAO,EAAG,WAAA,EAAaA,KAAE,KAAA,CAAMA,IAAA,CAAE,MAAA,EAAQ,GAAG,CAAA;AAEhG,IAAM,6BAA6BC,6BAAA,CAAY;AAAA,EACpD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,iCAAA;AAAA,EACN,YAAA,EAAc,IAAA;AAAA,EACd,YAAA,EAAc,MAAA;AAAA,EACd,eAAA,EAAiB,yBAAA;AAAA,EACjB,cAAA,EAAgB,6BAAA;AAAA,EAChB,OAAA,EAAS,4BAAA;AAAA,EACT,WAAA,EACE,2HAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,OAAA,EAAS,OAAM,GAAA,KAAO;AACpB,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAQ,cAAA,EAAgB,MAAA,EAAO,GAAI,GAAA;AAG3C,MAAA,MAAM,iBAAA,GAA8B,cAAA,EAAgB,GAAA,CAAIC,6CAA2B,KAAK,EAAC;AACzF,MAAA,MAAM,OAAA,GAAU,kBAAkB,IAAA,CAAK,CAAC,MAAc,CAAA,KAAM,GAAA,IAAO,MAAM,KAAK,CAAA;AAC9E,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,MAAM,IAAIR,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,yBAAyB,CAAA;AAAA,MACnE;AAEA,MAAA,MAAM,IAAA,GAAO,gBAAgB,MAAM,CAAA;AACnC,MAAA,IAAI,CAAC,MAAM,qBAAA,EAAuB;AAChC,QAAA,MAAM,IAAIA,+BAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,6DAA6D,CAAA;AAAA,MACvG;AAEA,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,qBAAA,CAAsB,MAAM,CAAA;AAC3D,MAAA,OAAO,EAAE,QAAQ,WAAA,EAAY;AAAA,IAC/B,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiBA,iCAAe,MAAM,KAAA;AAC1C,MAAA,OAAOH,6BAAA,CAAY,OAAO,gCAAgC,CAAA;AAAA,IAC5D;AAAA,EACF;AACF,CAAC;AAMM,IAAM,gCAAgCU,6BAAA,CAAY;AAAA,EACvD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,2BAAA;AAAA,EACN,YAAA,EAAc,IAAA;AAAA,EACd,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgBE,kDAAA;AAAA,EAChB,OAAA,EAAS,gCAAA;AAAA,EACT,WAAA,EACE,qKAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,SAAS,YAAY;AACnB,IAAA,MAAM,QAAA,GAAW,MAAM,sBAAA,EAAuB;AAC9C,IAAA,OAAO,EAAE,QAAA,EAAU,MAAA,CAAO,KAAK,QAAA,IAAY,EAAE,CAAA,EAAE;AAAA,EACjD;AACF,CAAC;AAMM,IAAM,WAAA,GAAc;AAAA,EACzB,2BAAA;AAAA,EACA,sBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,8BAAA;AAAA,EACA,8BAAA;AAAA,EACA,0BAAA;AAAA,EACA;AACF","file":"chunk-H7PCMZDO.cjs","sourcesContent":["/**\n * Auth handlers for EE authentication capabilities.\n *\n * These routes enable Studio to:\n * - Detect available auth capabilities\n * - Initiate SSO login flows\n * - Handle OAuth callbacks\n * - Logout users\n */\n\nimport type {\n IUserProvider,\n ISessionProvider,\n ISSOProvider,\n ICredentialsProvider,\n SSOCallbackResult,\n} from '@mastra/core/auth';\nimport type { IRBACProvider, IFGAProvider, EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProvider } from '@mastra/core/server';\n\nimport { z } from 'zod/v4';\nimport { supportsSessionRefresh } from '../auth/helpers';\nimport { MASTRA_USER_PERMISSIONS_KEY, MASTRA_CLIENT_TYPE_HEADER, isStudioClientTypeHeader } from '../constants';\nimport { HTTPException } from '../http-exception';\nimport {\n capabilitiesResponseSchema,\n ssoLoginQuerySchema,\n ssoCallbackQuerySchema,\n currentUserResponseSchema,\n credentialsSignInBodySchema,\n credentialsSignUpBodySchema,\n refreshResponseSchema,\n permissionPatternsResponseSchema,\n} from '../schemas/auth';\nimport { createPublicRoute, createRoute } from '../server-adapter/routes/route-builder';\nimport { handleError } from './error';\n\ntype BuildCapabilitiesFn = (\n auth: any,\n request: Request,\n options?: { rbac?: any; fga?: any; apiPrefix?: string },\n) => Promise<any>;\nlet _buildCapabilitiesPromise: Promise<BuildCapabilitiesFn | undefined> | undefined;\nfunction loadBuildCapabilities(): Promise<BuildCapabilitiesFn | undefined> {\n if (!_buildCapabilitiesPromise) {\n _buildCapabilitiesPromise = import('@mastra/core/auth/ee')\n .then(m => m.buildCapabilities as BuildCapabilitiesFn)\n .catch(() => {\n console.error(\n '[@mastra/server] EE auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest',\n );\n return undefined;\n });\n }\n return _buildCapabilitiesPromise;\n}\n\nlet _permissionPatternsPromise: Promise<Record<string, unknown> | undefined> | undefined;\nfunction loadPermissionPatterns(): Promise<Record<string, unknown> | undefined> {\n if (!_permissionPatternsPromise) {\n _permissionPatternsPromise = import('@mastra/core/auth/ee')\n .then(m => m.PERMISSION_PATTERNS as Record<string, unknown>)\n .catch(() => {\n console.error(\n '[@mastra/server] EE auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest',\n );\n return undefined;\n });\n }\n return _permissionPatternsPromise;\n}\n\n/**\n * Helper to get auth provider from Mastra instance.\n *\n * Dual auth is OPT-IN: if studio.auth is explicitly configured, Studio requests\n * use it exclusively. Otherwise, Studio requests fall back to server.auth for\n * backward compatibility.\n */\nfunction getAuthProvider(mastra: any, isStudio?: boolean): MastraAuthProvider | null {\n // Check if studio.auth is explicitly configured\n const studioConfig = mastra.getStudio?.();\n const hasStudioAuth = studioConfig?.auth && typeof studioConfig.auth.authenticateToken === 'function';\n\n // If this is a Studio request AND studio.auth is configured, use it exclusively\n if (isStudio && hasStudioAuth) {\n return studioConfig.auth as MastraAuthProvider;\n }\n\n // Otherwise (non-studio request, OR studio request without studio.auth configured),\n // fall back to server.auth for backward compatibility\n const serverConfig = mastra.getServer?.();\n if (!serverConfig?.auth) return null;\n\n // Auth can be either MastraAuthConfig or MastraAuthProvider\n // If it has authenticateToken method, it's a provider\n if (typeof serverConfig.auth.authenticateToken === 'function') {\n return serverConfig.auth as MastraAuthProvider;\n }\n\n return null;\n}\n\n/**\n * Check if the request is from Studio (via x-mastra-client-type header).\n */\nfunction isStudioRequest(request: Request): boolean {\n return isStudioClientTypeHeader(request.headers.get(MASTRA_CLIENT_TYPE_HEADER) ?? undefined);\n}\n\n/**\n * Get the public-facing origin from a request, respecting reverse proxy headers.\n * Behind a proxy (e.g. edge router), request.url contains the internal hostname,\n * so we rely on forwarded headers to reconstruct the real public origin.\n *\n * Assumes the server is behind a trusted proxy (or running locally). When\n * exposed directly to untrusted clients, the Host header is attacker-controlled\n * and must be validated upstream.\n *\n * Priority:\n * 1. X-Forwarded-Host (traditional reverse proxy) → always HTTPS. Knative's\n * queue-proxy overwrites X-Forwarded-Proto based on the internal HTTP\n * connection, so X-Forwarded-Proto is ignored here.\n * 2. Host header with X-Forwarded-Proto (AWS ALB, some proxies) → respect proto.\n * 3. Host header alone → use the scheme from request.url (covers both direct\n * HTTP access and proxies that preserve Host but don't set a proto header).\n * 4. No Host header → fall back to request.url.origin (local dev / direct access).\n */\nexport function getPublicOrigin(request: Request): string {\n const forwardedHost = request.headers.get('x-forwarded-host')?.split(',')[0]?.trim();\n if (forwardedHost) {\n return `https://${forwardedHost}`;\n }\n\n const host = request.headers.get('host');\n if (host) {\n const forwardedProto = request.headers.get('x-forwarded-proto')?.split(',')[0]?.trim();\n const proto = forwardedProto || new URL(request.url).protocol.replace(':', '');\n return `${proto}://${host}`;\n }\n\n return new URL(request.url).origin;\n}\n\n/**\n * Helper to get RBAC provider from Mastra config.\n * Checks studio config first when isStudio is true.\n */\nfunction getRBACProvider(mastra: any, isStudio?: boolean): IRBACProvider<EEUser> | undefined {\n if (isStudio) {\n const studioConfig = mastra.getStudio?.();\n if (studioConfig?.rbac) {\n return studioConfig.rbac as IRBACProvider<EEUser>;\n }\n }\n const serverConfig = mastra.getServer?.();\n return serverConfig?.rbac as IRBACProvider<EEUser> | undefined;\n}\n\n/**\n * Helper to get FGA provider from Mastra config.\n * Checks studio config first when isStudio is true.\n */\nfunction getFGAProvider(mastra: any, isStudio?: boolean): IFGAProvider<EEUser> | undefined {\n if (isStudio) {\n const studioConfig = mastra.getStudio?.();\n if (studioConfig?.fga) {\n return studioConfig.fga as IFGAProvider<EEUser>;\n }\n }\n const serverConfig = mastra.getServer?.();\n return serverConfig?.fga as IFGAProvider<EEUser> | undefined;\n}\n\n/**\n * Type guard to check if auth provider implements an interface.\n */\nfunction implementsInterface<T>(auth: unknown, method: keyof T): auth is T {\n return auth !== null && typeof auth === 'object' && typeof (auth as any)[method] === 'function';\n}\n\n// ============================================================================\n// GET /auth/capabilities\n// ============================================================================\n\nexport const GET_AUTH_CAPABILITIES_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/capabilities',\n responseType: 'json',\n responseSchema: capabilitiesResponseSchema,\n summary: 'Get auth capabilities',\n description:\n 'Returns authentication capabilities and current user info. Used by Studio to determine available features and user state.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, request, routePrefix } = ctx as any;\n\n // Check if this is a Studio request (via x-mastra-client-type header)\n const isStudio = isStudioRequest(request);\n\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth) {\n return { enabled: false, login: null };\n }\n\n const rbac = getRBACProvider(mastra, isStudio);\n const fga = getFGAProvider(mastra, isStudio);\n\n const buildCapabilities = await loadBuildCapabilities();\n if (!buildCapabilities) {\n return { enabled: false, login: null };\n }\n const capabilities = await buildCapabilities(auth, request, { rbac, fga, apiPrefix: routePrefix });\n\n // If capabilities came back without a user, the session may have expired.\n // Attempt a transparent refresh (same logic as coreAuthMiddleware) and retry.\n if (!('user' in capabilities) && supportsSessionRefresh(auth)) {\n try {\n const sessionId = await auth.getSessionIdFromRequest(request);\n if (sessionId) {\n const refreshedSession = await auth.refreshSession(sessionId);\n if (refreshedSession) {\n const sessionHeaders = await auth.getSessionHeaders(refreshedSession);\n const cookieValue = extractCookieFromHeaders(sessionHeaders);\n if (cookieValue) {\n // Rebuild capabilities with the refreshed cookie\n const refreshedRequest = new Request(request.url, {\n method: request.method,\n headers: new Headers(request.headers),\n });\n refreshedRequest.headers.set('Cookie', cookieValue);\n const refreshedCapabilities = await buildCapabilities(auth, refreshedRequest, {\n rbac,\n apiPrefix: routePrefix,\n });\n\n // Attach refresh headers so the adapter can set the new cookie\n if ('user' in refreshedCapabilities) {\n (refreshedCapabilities as any).__refreshHeaders = sessionHeaders;\n }\n return refreshedCapabilities;\n }\n }\n }\n } catch {\n // Refresh failed — return original unauthenticated capabilities\n }\n }\n\n return capabilities;\n } catch (error) {\n return handleError(error, 'Error getting auth capabilities');\n }\n },\n});\n\n/**\n * Extract a full cookie string from session headers (e.g. Set-Cookie → Cookie).\n */\nfunction extractCookieFromHeaders(headers: Record<string, string>): string | null {\n const setCookie = headers['Set-Cookie'] || headers['set-cookie'];\n if (!setCookie) return null;\n // Set-Cookie value is \"name=value; Path=/; ...\" — extract \"name=value\"\n const match = setCookie.match(/^([^;]+)/);\n return match ? (match[1] ?? null) : null;\n}\n\n// ============================================================================\n// GET /auth/me\n// ============================================================================\n\nexport const GET_CURRENT_USER_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/me',\n responseType: 'json',\n responseSchema: currentUserResponseSchema,\n summary: 'Get current user',\n description: 'Returns the currently authenticated user, or null if not authenticated.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n const auth = getAuthProvider(mastra, isStudio);\n const rbac = getRBACProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<IUserProvider>(auth, 'getCurrentUser')) {\n return null;\n }\n\n const user = await auth.getCurrentUser(request);\n if (!user) return null;\n\n // Get roles/permissions from RBAC provider if available\n let roles: string[] | undefined;\n let permissions: string[] | undefined;\n\n if (rbac) {\n try {\n roles = await rbac.getRoles(user);\n permissions = await rbac.getPermissions(user);\n } catch {\n // RBAC not available or failed\n }\n }\n\n return {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n roles,\n permissions,\n };\n } catch (error) {\n return handleError(error, 'Error getting current user');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/sso/login\n// ============================================================================\n\nexport const GET_SSO_LOGIN_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/sso/login',\n responseType: 'datastream-response',\n queryParamSchema: ssoLoginQuerySchema,\n summary: 'Initiate SSO login',\n description: 'Returns the SSO login URL and sets PKCE cookies if needed.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, redirect_uri, request, routePrefix } = ctx as any;\n const isStudio = isStudioRequest(request);\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ISSOProvider>(auth, 'getLoginUrl')) {\n throw new HTTPException(404, { message: 'SSO not configured' });\n }\n\n // Build OAuth callback URI using the configured route prefix\n const origin = getPublicOrigin(request);\n const raw = ((routePrefix as string) || '/api').trim();\n const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n const prefix = withSlash.endsWith('/') ? withSlash.slice(0, -1) : withSlash;\n const oauthCallbackUri = `${origin}${prefix}/auth/sso/callback`;\n\n // Encode the post-login redirect in state (where user goes after auth completes)\n // State format: uuid|postLoginRedirect\n // Validate redirect_uri to prevent open-redirect attacks: allow relative paths,\n // same-origin URLs, and localhost URLs (for dev setups where Studio runs on a\n // different port).\n let postLoginRedirect = '/';\n if (redirect_uri) {\n if (!redirect_uri.startsWith('http')) {\n // Relative path — always safe\n postLoginRedirect = redirect_uri;\n } else {\n try {\n const redirectUrl = new URL(redirect_uri);\n const requestOrigin = new URL(origin);\n const isHttps = redirectUrl.protocol === 'http:' || redirectUrl.protocol === 'https:';\n const isSameOrigin = redirectUrl.origin === requestOrigin.origin;\n const isLocalhost =\n redirectUrl.hostname === 'localhost' ||\n redirectUrl.hostname === '127.0.0.1' ||\n redirectUrl.hostname === '[::1]';\n if (isHttps && (isSameOrigin || isLocalhost)) {\n postLoginRedirect = redirect_uri;\n }\n } catch {\n // Malformed URL — fall back to /\n }\n }\n }\n const stateId = crypto.randomUUID();\n const state = `${stateId}|${encodeURIComponent(postLoginRedirect)}`;\n\n const loginUrl = await Promise.resolve(auth.getLoginUrl(oauthCallbackUri, state));\n\n // Build response with optional PKCE cookies\n const headers = new Headers({ 'Content-Type': 'application/json' });\n\n // Check for PKCE cookies (e.g., MastraCloudAuthProvider)\n if (implementsInterface<ISSOProvider>(auth, 'getLoginCookies') && auth.getLoginCookies) {\n const cookies = auth.getLoginCookies(oauthCallbackUri, state);\n if (cookies?.length) {\n // PKCE cookies set for SSO state management\n for (const cookie of cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n }\n\n return new Response(JSON.stringify({ url: loginUrl }), { status: 200, headers });\n } catch (error) {\n return handleError(error, 'Error initiating SSO login');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/sso/callback\n// ============================================================================\n\nexport const GET_SSO_CALLBACK_ROUTE = createPublicRoute({\n method: 'GET',\n path: '/auth/sso/callback',\n responseType: 'datastream-response',\n queryParamSchema: ssoCallbackQuerySchema,\n summary: 'Handle SSO callback',\n description: 'Handles the OAuth callback, exchanges code for session, and redirects to the app.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, code, state, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n // Build base URL for redirects (Response.redirect requires absolute URL)\n const baseUrl = getPublicOrigin(request);\n\n // Extract post-login redirect from state (format: uuid|encodedRedirect)\n let redirectTo = '/';\n let stateId = state || '';\n if (state && state.includes('|')) {\n const [id, encodedRedirect] = state.split('|', 2);\n stateId = id;\n try {\n redirectTo = decodeURIComponent(encodedRedirect);\n } catch {\n redirectTo = '/';\n }\n }\n\n // Build absolute redirect URL.\n // The redirect_uri was validated at the login endpoint (same-origin or localhost\n // only), so the state should only contain safe URLs. We still apply defense-in-depth\n // checks here: allow http(s) same-origin or localhost, reject everything else.\n let absoluteRedirect: string;\n if (redirectTo.startsWith('http')) {\n try {\n const parsed = new URL(redirectTo);\n const baseOrigin = new URL(baseUrl);\n const isHttps = parsed.protocol === 'http:' || parsed.protocol === 'https:';\n const isSameOrigin = parsed.origin === baseOrigin.origin;\n const isLocalhost =\n parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1' || parsed.hostname === '[::1]';\n absoluteRedirect = isHttps && (isSameOrigin || isLocalhost) ? redirectTo : `${baseUrl}/`;\n } catch {\n absoluteRedirect = `${baseUrl}/`;\n }\n } else {\n absoluteRedirect = `${baseUrl}${redirectTo}`;\n }\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ISSOProvider>(auth, 'handleCallback')) {\n return Response.redirect(`${absoluteRedirect}?error=sso_not_configured`, 302);\n }\n\n // Pass cookie header to provider for PKCE validation (if supported)\n const reqCookieHeader = request.headers.get('cookie');\n if (typeof (auth as any).setCallbackCookieHeader === 'function') {\n (auth as any).setCallbackCookieHeader(reqCookieHeader);\n }\n\n const result = (await auth.handleCallback(code, stateId)) as SSOCallbackResult<EEUser>;\n const user = result.user as EEUser;\n\n // Build response headers (session cookies, etc.)\n const headers = new Headers();\n headers.set('Location', absoluteRedirect);\n\n // Set session cookies from the SSO result\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n } else if (implementsInterface<ISessionProvider>(auth, 'createSession') && result.tokens) {\n // Fallback: Create session manually for providers without cookie support\n const session = await auth.createSession(user.id, {\n accessToken: result.tokens.accessToken,\n refreshToken: result.tokens.refreshToken,\n expiresAt: result.tokens.expiresAt,\n organizationId: (user as any).organizationId,\n });\n const sessionHeaders = auth.getSessionHeaders(session);\n for (const [key, value] of Object.entries(sessionHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(null, {\n status: 302,\n headers,\n });\n } catch (error) {\n // Redirect with error (use absolute URL)\n const errorMessage = encodeURIComponent(error instanceof Error ? error.message : 'Unknown error');\n return Response.redirect(`${absoluteRedirect}?error=${errorMessage}`, 302);\n }\n },\n});\n\n// ============================================================================\n// POST /auth/logout\n// ============================================================================\n\nexport const POST_LOGOUT_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/logout',\n responseType: 'datastream-response',\n summary: 'Logout',\n description: 'Destroys the current session and returns logout redirect URL if available.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth) {\n return new Response(JSON.stringify({ success: true }), {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n });\n }\n\n // Get session ID and destroy it\n if (implementsInterface<ISessionProvider>(auth, 'getSessionIdFromRequest')) {\n const sessionId = auth.getSessionIdFromRequest(request);\n if (sessionId && implementsInterface<ISessionProvider>(auth, 'destroySession')) {\n await auth.destroySession(sessionId);\n }\n }\n\n // Get logout URL if available\n let redirectTo: string | undefined;\n if (implementsInterface<ISSOProvider>(auth, 'getLogoutUrl') && auth.getLogoutUrl) {\n // Use public origin (respects X-Forwarded-Host behind reverse proxy)\n const origin = getPublicOrigin(request);\n const logoutUrl = await auth.getLogoutUrl(origin, request);\n redirectTo = logoutUrl ?? undefined;\n }\n\n // Build response with session clearing headers\n const headers = new Headers({ 'Content-Type': 'application/json' });\n\n // Clear session cookie\n if (implementsInterface<ISessionProvider>(auth, 'getClearSessionHeaders')) {\n const clearHeaders = auth.getClearSessionHeaders();\n for (const [key, value] of Object.entries(clearHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(JSON.stringify({ success: true, redirectTo }), {\n status: 200,\n headers,\n });\n } catch (error) {\n return handleError(error, 'Error logging out');\n }\n },\n});\n\n// ============================================================================\n// POST /auth/refresh\n// ============================================================================\n\nexport const POST_REFRESH_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/refresh',\n responseType: 'datastream-response',\n responseSchema: refreshResponseSchema,\n summary: 'Refresh session',\n description: 'Refreshes the current session, extending its expiry. Sets a new session cookie on success.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (\n !auth ||\n !implementsInterface<ISessionProvider>(auth, 'refreshSession') ||\n !implementsInterface<ISessionProvider>(auth, 'getSessionIdFromRequest')\n ) {\n throw new HTTPException(404, { message: 'Session refresh not configured' });\n }\n\n // Get session ID from request\n const sessionId = auth.getSessionIdFromRequest(request);\n if (!sessionId) {\n throw new HTTPException(401, { message: 'No session' });\n }\n\n // Refresh the session\n const newSession = await auth.refreshSession(sessionId);\n if (!newSession) {\n throw new HTTPException(401, { message: 'Session expired' });\n }\n\n // Build response with new session headers\n const headers = new Headers({ 'Content-Type': 'application/json' });\n if (implementsInterface<ISessionProvider>(auth, 'getSessionHeaders')) {\n const sessionHeaders = auth.getSessionHeaders(newSession);\n for (const [key, value] of Object.entries(sessionHeaders)) {\n headers.append(key, value);\n }\n }\n\n return new Response(JSON.stringify({ success: true }), {\n status: 200,\n headers,\n });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n return handleError(error, 'Error refreshing session');\n }\n },\n});\n\n// ============================================================================\n// POST /auth/credentials/sign-in\n// ============================================================================\n\nexport const POST_CREDENTIALS_SIGN_IN_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/credentials/sign-in',\n responseType: 'datastream-response',\n bodySchema: credentialsSignInBodySchema,\n summary: 'Sign in with credentials',\n description: 'Authenticates a user with email and password.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request, email, password } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ICredentialsProvider>(auth, 'signIn')) {\n throw new HTTPException(404, { message: 'Credentials authentication not configured' });\n }\n\n const result = await auth.signIn(email, password, request);\n const user = result.user as EEUser;\n\n const responseBody = JSON.stringify({\n user: {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n },\n token: result.token,\n });\n\n // Build response headers, including cookies from the auth provider\n const headers = new Headers({\n 'Content-Type': 'application/json',\n });\n\n // Forward session cookies from the auth provider\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n\n return new Response(responseBody, { status: 200, headers });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n // Return a generic error for auth failures to avoid leaking info\n throw new HTTPException(401, { message: 'Invalid email or password' });\n }\n },\n});\n\n// ============================================================================\n// POST /auth/credentials/sign-up\n// ============================================================================\n\nexport const POST_CREDENTIALS_SIGN_UP_ROUTE = createPublicRoute({\n method: 'POST',\n path: '/auth/credentials/sign-up',\n responseType: 'datastream-response',\n bodySchema: credentialsSignUpBodySchema,\n summary: 'Sign up with credentials',\n description: 'Creates a new user account with email and password.',\n tags: ['Auth'],\n handler: async ctx => {\n const { mastra, request, email, password, name } = ctx as any;\n const isStudio = isStudioRequest(request);\n\n try {\n const auth = getAuthProvider(mastra, isStudio);\n\n if (!auth || !implementsInterface<ICredentialsProvider>(auth, 'signUp')) {\n throw new HTTPException(404, { message: 'Credentials authentication not configured' });\n }\n\n const result = await auth.signUp(email, password, name, request);\n const user = result.user as EEUser;\n\n const responseBody = JSON.stringify({\n user: {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n },\n token: result.token,\n });\n\n // Build response headers, including cookies from the auth provider\n const headers = new Headers({\n 'Content-Type': 'application/json',\n });\n\n // Forward session cookies from the auth provider\n if (result.cookies?.length) {\n for (const cookie of result.cookies) {\n headers.append('Set-Cookie', cookie);\n }\n }\n\n return new Response(responseBody, { status: 200, headers });\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n const mastra = (ctx as any).mastra;\n mastra?.getLogger?.()?.error('Sign-up error', {\n error: error instanceof Error ? { message: error.message, stack: error.stack } : error,\n });\n throw new HTTPException(400, { message: 'Failed to create account' });\n }\n },\n});\n\n// ============================================================================\n// GET /auth/roles/:roleId/permissions\n// ============================================================================\n\nconst rolePermissionsPathSchema = z.object({ roleId: z.string() });\nconst rolePermissionsResponseSchema = z.object({ roleId: z.string(), permissions: z.array(z.string()) });\n\nexport const GET_ROLE_PERMISSIONS_ROUTE = createRoute({\n method: 'GET',\n path: '/auth/roles/:roleId/permissions',\n requiresAuth: true,\n responseType: 'json',\n pathParamSchema: rolePermissionsPathSchema,\n responseSchema: rolePermissionsResponseSchema,\n summary: 'Get permissions for a role',\n description:\n 'Returns the resolved permissions for a specific role. Only accessible by admin users. Used by the \"View as role\" feature.',\n tags: ['Auth'],\n handler: async ctx => {\n try {\n const { mastra, requestContext, roleId } = ctx as any;\n\n // Check that the caller is an admin\n const callerPermissions: string[] = requestContext?.get(MASTRA_USER_PERMISSIONS_KEY) ?? [];\n const isAdmin = callerPermissions.some((p: string) => p === '*' || p === '*:*');\n if (!isAdmin) {\n throw new HTTPException(403, { message: 'Admin access required' });\n }\n\n const rbac = getRBACProvider(mastra);\n if (!rbac?.getPermissionsForRole) {\n throw new HTTPException(404, { message: 'RBAC provider does not support role permission resolution' });\n }\n\n const permissions = await rbac.getPermissionsForRole(roleId);\n return { roleId, permissions };\n } catch (error) {\n if (error instanceof HTTPException) throw error;\n return handleError(error, 'Error getting role permissions');\n }\n },\n});\n\n// ============================================================================\n// GET /auth/permission-patterns\n// ============================================================================\n\nexport const GET_PERMISSION_PATTERNS_ROUTE = createRoute({\n method: 'GET',\n path: '/auth/permission-patterns',\n requiresAuth: true,\n responseType: 'json',\n responseSchema: permissionPatternsResponseSchema,\n summary: 'List valid permission patterns',\n description:\n 'Returns the authoritative list of valid permission-pattern strings. Used by Studio to validate the route→permission literals it ships and to gate the sidebar.',\n tags: ['Auth'],\n handler: async () => {\n const patterns = await loadPermissionPatterns();\n return { patterns: Object.keys(patterns ?? {}) };\n },\n});\n\n// ============================================================================\n// Export all auth routes\n// ============================================================================\n\nexport const AUTH_ROUTES = [\n GET_AUTH_CAPABILITIES_ROUTE,\n GET_CURRENT_USER_ROUTE,\n GET_SSO_LOGIN_ROUTE,\n GET_SSO_CALLBACK_ROUTE,\n POST_LOGOUT_ROUTE,\n POST_REFRESH_ROUTE,\n POST_CREDENTIALS_SIGN_IN_ROUTE,\n POST_CREDENTIALS_SIGN_UP_ROUTE,\n GET_ROLE_PERMISSIONS_ROUTE,\n GET_PERMISSION_PATTERNS_ROUTE,\n] as const;\n"]}