@mastra/server 1.47.0-alpha.5 → 1.47.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +151 -0
- package/dist/_types/@mastra_schema-compat/dist/schema.types.d.ts +4 -1
- package/dist/{api-schema-manifest-OQOZ53HZ.js → api-schema-manifest-LT57YVGI.js} +3 -3
- package/dist/{api-schema-manifest-OQOZ53HZ.js.map → api-schema-manifest-LT57YVGI.js.map} +1 -1
- package/dist/{api-schema-manifest-SYCCXMOC.cjs → api-schema-manifest-SJMFHZHR.cjs} +4 -4
- package/dist/{api-schema-manifest-SYCCXMOC.cjs.map → api-schema-manifest-SJMFHZHR.cjs.map} +1 -1
- package/dist/{chunk-XOQEKMY2.cjs → chunk-2NGSYVI3.cjs} +34 -34
- package/dist/{chunk-XOQEKMY2.cjs.map → chunk-2NGSYVI3.cjs.map} +1 -1
- package/dist/{chunk-S2HKHYJ3.cjs → chunk-2R52ZPSI.cjs} +9 -9
- package/dist/{chunk-S2HKHYJ3.cjs.map → chunk-2R52ZPSI.cjs.map} +1 -1
- package/dist/{chunk-ZZOHO2FT.js → chunk-34WNPIGV.js} +5 -5
- package/dist/{chunk-ZZOHO2FT.js.map → chunk-34WNPIGV.js.map} +1 -1
- package/dist/{chunk-UZ43QCIA.cjs → chunk-3KBURDTO.cjs} +12 -12
- package/dist/{chunk-UZ43QCIA.cjs.map → chunk-3KBURDTO.cjs.map} +1 -1
- package/dist/{chunk-RVD3DGBZ.cjs → chunk-42M6Y2OD.cjs} +3 -3
- package/dist/{chunk-RVD3DGBZ.cjs.map → chunk-42M6Y2OD.cjs.map} +1 -1
- package/dist/{chunk-Q7EQLQS5.js → chunk-43T7OG7P.js} +16 -9
- package/dist/chunk-43T7OG7P.js.map +1 -0
- package/dist/{chunk-5V2QWK2S.js → chunk-4E7VGBSM.js} +5 -5
- package/dist/{chunk-5V2QWK2S.js.map → chunk-4E7VGBSM.js.map} +1 -1
- package/dist/{chunk-PLWZVSGT.js → chunk-4UZTUQYZ.js} +5 -5
- package/dist/{chunk-PLWZVSGT.js.map → chunk-4UZTUQYZ.js.map} +1 -1
- package/dist/{chunk-V23ANIEC.cjs → chunk-4WRZ6BK4.cjs} +4 -4
- package/dist/{chunk-V23ANIEC.cjs.map → chunk-4WRZ6BK4.cjs.map} +1 -1
- package/dist/{chunk-VRERZRJQ.js → chunk-4ZD4KLXD.js} +4 -4
- package/dist/{chunk-VRERZRJQ.js.map → chunk-4ZD4KLXD.js.map} +1 -1
- package/dist/{chunk-K3FM6RLZ.cjs → chunk-5JVILML3.cjs} +9 -9
- package/dist/{chunk-K3FM6RLZ.cjs.map → chunk-5JVILML3.cjs.map} +1 -1
- package/dist/{chunk-7FIDKZUG.cjs → chunk-6CUVVNHE.cjs} +6 -6
- package/dist/{chunk-7FIDKZUG.cjs.map → chunk-6CUVVNHE.cjs.map} +1 -1
- package/dist/{chunk-QQCQV7ZF.cjs → chunk-7GNT5KQE.cjs} +3 -2
- package/dist/chunk-7GNT5KQE.cjs.map +1 -0
- package/dist/{chunk-4ZHHKMDQ.cjs → chunk-AC4YST2M.cjs} +3 -3
- package/dist/{chunk-4ZHHKMDQ.cjs.map → chunk-AC4YST2M.cjs.map} +1 -1
- package/dist/{chunk-R4O5HVDI.js → chunk-AGWL3ZLU.js} +3 -3
- package/dist/{chunk-R4O5HVDI.js.map → chunk-AGWL3ZLU.js.map} +1 -1
- package/dist/{chunk-C2A2BZFY.js → chunk-AMWGBQZU.js} +4 -4
- package/dist/{chunk-C2A2BZFY.js.map → chunk-AMWGBQZU.js.map} +1 -1
- package/dist/{chunk-TPZFGGU4.cjs → chunk-CCUQDEQW.cjs} +283 -283
- package/dist/chunk-CCUQDEQW.cjs.map +1 -0
- package/dist/{chunk-E2JNW3QM.js → chunk-D6RO4IFO.js} +3 -3
- package/dist/{chunk-E2JNW3QM.js.map → chunk-D6RO4IFO.js.map} +1 -1
- package/dist/{chunk-DULEYONH.cjs → chunk-D7YMTEPI.cjs} +13 -13
- package/dist/{chunk-DULEYONH.cjs.map → chunk-D7YMTEPI.cjs.map} +1 -1
- package/dist/{chunk-2Z3TLC4L.js → chunk-DSHITLJ4.js} +4 -4
- package/dist/{chunk-2Z3TLC4L.js.map → chunk-DSHITLJ4.js.map} +1 -1
- package/dist/{chunk-SJPWXUKZ.js → chunk-DVCCSRFP.js} +3 -3
- package/dist/{chunk-SJPWXUKZ.js.map → chunk-DVCCSRFP.js.map} +1 -1
- package/dist/{chunk-Y3MYKCTO.cjs → chunk-EBUK5R3S.cjs} +13 -13
- package/dist/{chunk-Y3MYKCTO.cjs.map → chunk-EBUK5R3S.cjs.map} +1 -1
- package/dist/{chunk-JY2LHUT4.cjs → chunk-EKRIVYU4.cjs} +22 -22
- package/dist/{chunk-JY2LHUT4.cjs.map → chunk-EKRIVYU4.cjs.map} +1 -1
- package/dist/{chunk-IBUJJIRW.js → chunk-EOGTJIPF.js} +3 -3
- package/dist/{chunk-IBUJJIRW.js.map → chunk-EOGTJIPF.js.map} +1 -1
- package/dist/{chunk-ONBABU5V.cjs → chunk-EYCW4Z4H.cjs} +10 -10
- package/dist/{chunk-ONBABU5V.cjs.map → chunk-EYCW4Z4H.cjs.map} +1 -1
- package/dist/{chunk-GU4AEOGA.cjs → chunk-F6VL25IA.cjs} +7 -7
- package/dist/{chunk-GU4AEOGA.cjs.map → chunk-F6VL25IA.cjs.map} +1 -1
- package/dist/{chunk-JZJ3PP2H.cjs → chunk-GOD4LLZT.cjs} +10 -10
- package/dist/{chunk-JZJ3PP2H.cjs.map → chunk-GOD4LLZT.cjs.map} +1 -1
- package/dist/{chunk-NEPOKWAA.js → chunk-GQI4NKKD.js} +5 -5
- package/dist/{chunk-NEPOKWAA.js.map → chunk-GQI4NKKD.js.map} +1 -1
- package/dist/{chunk-KGUHJRHZ.cjs → chunk-HDIYJI2Z.cjs} +3 -3
- package/dist/{chunk-KGUHJRHZ.cjs.map → chunk-HDIYJI2Z.cjs.map} +1 -1
- package/dist/{chunk-TPGA2ZTS.js → chunk-IEONDWGQ.js} +4 -4
- package/dist/{chunk-TPGA2ZTS.js.map → chunk-IEONDWGQ.js.map} +1 -1
- package/dist/{chunk-6HRGFBAF.cjs → chunk-IY4MNGI3.cjs} +63 -63
- package/dist/{chunk-6HRGFBAF.cjs.map → chunk-IY4MNGI3.cjs.map} +1 -1
- package/dist/{chunk-3ENQND57.js → chunk-JBSUT5XF.js} +3 -3
- package/dist/{chunk-3ENQND57.js.map → chunk-JBSUT5XF.js.map} +1 -1
- package/dist/{chunk-VNWPOCOT.cjs → chunk-JJDLXVWR.cjs} +19 -19
- package/dist/{chunk-VNWPOCOT.cjs.map → chunk-JJDLXVWR.cjs.map} +1 -1
- package/dist/{chunk-F5EEKLC4.js → chunk-KA6FUBC5.js} +6 -6
- package/dist/{chunk-F5EEKLC4.js.map → chunk-KA6FUBC5.js.map} +1 -1
- package/dist/{chunk-E345K7K7.js → chunk-KGJGR6GO.js} +5 -5
- package/dist/{chunk-E345K7K7.js.map → chunk-KGJGR6GO.js.map} +1 -1
- package/dist/{chunk-YLWKZ3VK.cjs → chunk-KIDHIRVO.cjs} +7 -7
- package/dist/{chunk-YLWKZ3VK.cjs.map → chunk-KIDHIRVO.cjs.map} +1 -1
- package/dist/{chunk-T32FQPWH.cjs → chunk-KR7FUFVK.cjs} +10 -10
- package/dist/{chunk-T32FQPWH.cjs.map → chunk-KR7FUFVK.cjs.map} +1 -1
- package/dist/{chunk-RY5RETAD.js → chunk-L4DD3HSB.js} +3 -3
- package/dist/{chunk-RY5RETAD.js.map → chunk-L4DD3HSB.js.map} +1 -1
- package/dist/{chunk-BB6RVOJY.js → chunk-LA4AQGZA.js} +3 -3
- package/dist/{chunk-BB6RVOJY.js.map → chunk-LA4AQGZA.js.map} +1 -1
- package/dist/{chunk-MMY24AC4.js → chunk-LUPNAVPL.js} +3 -3
- package/dist/{chunk-MMY24AC4.js.map → chunk-LUPNAVPL.js.map} +1 -1
- package/dist/{chunk-PSC3HAPW.cjs → chunk-MM7ONP57.cjs} +59 -59
- package/dist/{chunk-PSC3HAPW.cjs.map → chunk-MM7ONP57.cjs.map} +1 -1
- package/dist/{chunk-CIWN2JM4.js → chunk-MX3JQ3ZU.js} +3 -3
- package/dist/{chunk-CIWN2JM4.js.map → chunk-MX3JQ3ZU.js.map} +1 -1
- package/dist/{chunk-M5DAKMVZ.cjs → chunk-OE3KATAT.cjs} +4 -4
- package/dist/{chunk-M5DAKMVZ.cjs.map → chunk-OE3KATAT.cjs.map} +1 -1
- package/dist/{chunk-OT2JWWCT.cjs → chunk-OU4L45LL.cjs} +8 -8
- package/dist/{chunk-OT2JWWCT.cjs.map → chunk-OU4L45LL.cjs.map} +1 -1
- package/dist/{chunk-IRJJ2JJG.cjs → chunk-OZ64QWKA.cjs} +12 -12
- package/dist/{chunk-IRJJ2JJG.cjs.map → chunk-OZ64QWKA.cjs.map} +1 -1
- package/dist/{chunk-PUW3RA3B.js → chunk-P6TSZJ4I.js} +4 -4
- package/dist/{chunk-PUW3RA3B.js.map → chunk-P6TSZJ4I.js.map} +1 -1
- package/dist/{chunk-M25LVAUH.js → chunk-P7HCBIOK.js} +4 -4
- package/dist/{chunk-M25LVAUH.js.map → chunk-P7HCBIOK.js.map} +1 -1
- package/dist/{chunk-3ZV6GYQI.cjs → chunk-PVZX6FFO.cjs} +16 -9
- package/dist/chunk-PVZX6FFO.cjs.map +1 -0
- package/dist/{chunk-UXO4GWPT.js → chunk-Q6TDIK2A.js} +6 -6
- package/dist/{chunk-UXO4GWPT.js.map → chunk-Q6TDIK2A.js.map} +1 -1
- package/dist/{chunk-4BJSE3LM.js → chunk-QECRXNAM.js} +3 -3
- package/dist/{chunk-4BJSE3LM.js.map → chunk-QECRXNAM.js.map} +1 -1
- package/dist/{chunk-RM4ITWAQ.cjs → chunk-QRTZCP42.cjs} +10 -10
- package/dist/{chunk-RM4ITWAQ.cjs.map → chunk-QRTZCP42.cjs.map} +1 -1
- package/dist/{chunk-KBOC52HT.js → chunk-RETWAY24.js} +3 -3
- package/dist/{chunk-KBOC52HT.js.map → chunk-RETWAY24.js.map} +1 -1
- package/dist/{chunk-3WE5YAL5.js → chunk-RLAOC73C.js} +330 -327
- package/dist/chunk-RLAOC73C.js.map +1 -0
- package/dist/{chunk-MLLGO6XZ.js → chunk-S57DVRYK.js} +3 -3
- package/dist/{chunk-MLLGO6XZ.js.map → chunk-S57DVRYK.js.map} +1 -1
- package/dist/{chunk-XQ5INMFW.js → chunk-SK2BQPVT.js} +5 -5
- package/dist/{chunk-XQ5INMFW.js.map → chunk-SK2BQPVT.js.map} +1 -1
- package/dist/{chunk-7DKSWNOM.cjs → chunk-SOQPH6H2.cjs} +182 -182
- package/dist/{chunk-7DKSWNOM.cjs.map → chunk-SOQPH6H2.cjs.map} +1 -1
- package/dist/{chunk-56AYHXOU.js → chunk-SXZS6VZ3.js} +3 -3
- package/dist/{chunk-56AYHXOU.js.map → chunk-SXZS6VZ3.js.map} +1 -1
- package/dist/{chunk-OHWAEEZJ.js → chunk-UACKERCG.js} +3 -3
- package/dist/{chunk-OHWAEEZJ.js.map → chunk-UACKERCG.js.map} +1 -1
- package/dist/{chunk-4LQSGGSH.cjs → chunk-UGI45E76.cjs} +363 -360
- package/dist/chunk-UGI45E76.cjs.map +1 -0
- package/dist/{chunk-DEK4ZGUR.cjs → chunk-UQWJQWSK.cjs} +15 -15
- package/dist/{chunk-DEK4ZGUR.cjs.map → chunk-UQWJQWSK.cjs.map} +1 -1
- package/dist/{chunk-46Y4Y2RB.js → chunk-VEKFI5QZ.js} +3 -3
- package/dist/{chunk-46Y4Y2RB.js.map → chunk-VEKFI5QZ.js.map} +1 -1
- package/dist/{chunk-4JILES3G.js → chunk-VJYMPHQQ.js} +3 -2
- package/dist/chunk-VJYMPHQQ.js.map +1 -0
- package/dist/{chunk-C4U5EL4H.js → chunk-VQQSMW6M.js} +7 -7
- package/dist/{chunk-C4U5EL4H.js.map → chunk-VQQSMW6M.js.map} +1 -1
- package/dist/{chunk-BTMYAVRX.cjs → chunk-WUT3UHD6.cjs} +12 -12
- package/dist/{chunk-BTMYAVRX.cjs.map → chunk-WUT3UHD6.cjs.map} +1 -1
- package/dist/{chunk-HZWJL5Y4.js → chunk-XILM7MA7.js} +4 -4
- package/dist/{chunk-HZWJL5Y4.js.map → chunk-XILM7MA7.js.map} +1 -1
- package/dist/{chunk-73MURMD2.cjs → chunk-XLSJQAEP.cjs} +6 -6
- package/dist/{chunk-73MURMD2.cjs.map → chunk-XLSJQAEP.cjs.map} +1 -1
- package/dist/{chunk-WKSF3TVK.js → chunk-XRE4KFIZ.js} +7 -7
- package/dist/{chunk-WKSF3TVK.js.map → chunk-XRE4KFIZ.js.map} +1 -1
- package/dist/{chunk-TCWIDHH6.cjs → chunk-XTRPN52A.cjs} +3 -3
- package/dist/{chunk-TCWIDHH6.cjs.map → chunk-XTRPN52A.cjs.map} +1 -1
- package/dist/{chunk-UD7JBYUI.cjs → chunk-YIBM2OYI.cjs} +38 -38
- package/dist/{chunk-UD7JBYUI.cjs.map → chunk-YIBM2OYI.cjs.map} +1 -1
- package/dist/{chunk-UITLSJUW.cjs → chunk-YOHMEY6Q.cjs} +24 -24
- package/dist/{chunk-UITLSJUW.cjs.map → chunk-YOHMEY6Q.cjs.map} +1 -1
- package/dist/{chunk-56TEDJND.js → chunk-YUQSGB5C.js} +3 -3
- package/dist/{chunk-56TEDJND.js.map → chunk-YUQSGB5C.js.map} +1 -1
- package/dist/{chunk-GZ4HWZWE.cjs → chunk-YWUVDFQZ.cjs} +3 -3
- package/dist/{chunk-GZ4HWZWE.cjs.map → chunk-YWUVDFQZ.cjs.map} +1 -1
- package/dist/{chunk-EQ7LRJEB.cjs → chunk-Z6YXO2T6.cjs} +48 -48
- package/dist/{chunk-EQ7LRJEB.cjs.map → chunk-Z6YXO2T6.cjs.map} +1 -1
- package/dist/{chunk-TS5QYSEZ.js → chunk-Z7C226TD.js} +6 -6
- package/dist/{chunk-TS5QYSEZ.js.map → chunk-Z7C226TD.js.map} +1 -1
- package/dist/{chunk-M43CP74T.js → chunk-ZQSX425Q.js} +70 -70
- package/dist/chunk-ZQSX425Q.js.map +1 -0
- package/dist/{chunk-BTIK5TXF.cjs → chunk-ZVZBZOBY.cjs} +8 -8
- package/dist/{chunk-BTIK5TXF.cjs.map → chunk-ZVZBZOBY.cjs.map} +1 -1
- package/dist/{dist-OWZWIJZY.js → dist-EWY5C2JK.js} +5 -5
- package/dist/{dist-OWZWIJZY.js.map → dist-EWY5C2JK.js.map} +1 -1
- package/dist/{dist-TXDLPF66.cjs → dist-VNWFQ5X6.cjs} +20 -20
- package/dist/{dist-TXDLPF66.cjs.map → dist-VNWFQ5X6.cjs.map} +1 -1
- package/dist/docs/SKILL.md +1 -1
- package/dist/docs/assets/SOURCE_MAP.json +1 -1
- package/dist/{observational-memory-Y5T2OR2Y-XDEBXWNA.cjs → observational-memory-NC6DQQWD-JNRVNM7E.cjs} +26 -26
- package/dist/{observational-memory-Y5T2OR2Y-XDEBXWNA.cjs.map → observational-memory-NC6DQQWD-JNRVNM7E.cjs.map} +1 -1
- package/dist/{observational-memory-Y5T2OR2Y-QDHR4QEU.js → observational-memory-NC6DQQWD-WWE3XZFF.js} +3 -3
- package/dist/{observational-memory-Y5T2OR2Y-QDHR4QEU.js.map → observational-memory-NC6DQQWD-WWE3XZFF.js.map} +1 -1
- package/dist/server/handlers/a2a.cjs +14 -14
- package/dist/server/handlers/a2a.js +1 -1
- package/dist/server/handlers/agent-builder.cjs +17 -17
- package/dist/server/handlers/agent-builder.js +1 -1
- package/dist/server/handlers/agent-controller.cjs +144 -0
- package/dist/server/handlers/agent-controller.cjs.map +1 -0
- package/dist/server/handlers/{harness.d.ts → agent-controller.d.ts} +141 -141
- package/dist/server/handlers/agent-controller.d.ts.map +1 -0
- package/dist/server/handlers/agent-controller.js +3 -0
- package/dist/server/handlers/agent-controller.js.map +1 -0
- package/dist/server/handlers/agent-versions.cjs +8 -8
- package/dist/server/handlers/agent-versions.js +1 -1
- package/dist/server/handlers/agents.cjs +46 -46
- package/dist/server/handlers/agents.d.ts +2 -0
- package/dist/server/handlers/agents.d.ts.map +1 -1
- package/dist/server/handlers/agents.js +1 -1
- package/dist/server/handlers/auth.cjs +13 -13
- package/dist/server/handlers/auth.js +1 -1
- package/dist/server/handlers/authorship.cjs +12 -12
- package/dist/server/handlers/authorship.js +1 -1
- package/dist/server/handlers/builder-registry.cjs +6 -6
- package/dist/server/handlers/builder-registry.js +1 -1
- package/dist/server/handlers/channels.cjs +5 -5
- package/dist/server/handlers/channels.js +1 -1
- package/dist/server/handlers/conversations.cjs +5 -5
- package/dist/server/handlers/conversations.js +1 -1
- package/dist/server/handlers/editor-builder.cjs +6 -6
- package/dist/server/handlers/editor-builder.js +1 -1
- package/dist/server/handlers/favorites-enrichment.cjs +4 -4
- package/dist/server/handlers/favorites-enrichment.js +1 -1
- package/dist/server/handlers/logs.cjs +4 -4
- package/dist/server/handlers/logs.js +1 -1
- package/dist/server/handlers/mcp-client-versions.cjs +8 -8
- package/dist/server/handlers/mcp-client-versions.js +1 -1
- package/dist/server/handlers/memory.cjs +27 -27
- package/dist/server/handlers/memory.js +1 -1
- package/dist/server/handlers/prompt-block-versions.cjs +8 -8
- package/dist/server/handlers/prompt-block-versions.js +1 -1
- package/dist/server/handlers/responses.cjs +4 -4
- package/dist/server/handlers/responses.js +1 -1
- package/dist/server/handlers/responses.storage.cjs +8 -8
- package/dist/server/handlers/responses.storage.js +1 -1
- package/dist/server/handlers/scorer-versions.cjs +8 -8
- package/dist/server/handlers/scorer-versions.js +1 -1
- package/dist/server/handlers/scores.cjs +7 -7
- package/dist/server/handlers/scores.js +1 -1
- package/dist/server/handlers/stored-agent-favorites.cjs +3 -3
- package/dist/server/handlers/stored-agent-favorites.js +1 -1
- package/dist/server/handlers/stored-agents.cjs +10 -10
- package/dist/server/handlers/stored-agents.js +1 -1
- package/dist/server/handlers/stored-mcp-clients.cjs +6 -6
- package/dist/server/handlers/stored-mcp-clients.js +1 -1
- package/dist/server/handlers/stored-prompt-blocks.cjs +6 -6
- package/dist/server/handlers/stored-prompt-blocks.js +1 -1
- package/dist/server/handlers/stored-scorers.cjs +6 -6
- package/dist/server/handlers/stored-scorers.js +1 -1
- package/dist/server/handlers/stored-skill-favorites.cjs +3 -3
- package/dist/server/handlers/stored-skill-favorites.js +1 -1
- package/dist/server/handlers/stored-skills.cjs +7 -7
- package/dist/server/handlers/stored-skills.js +1 -1
- package/dist/server/handlers/stored-workspaces.cjs +6 -6
- package/dist/server/handlers/stored-workspaces.js +1 -1
- package/dist/server/handlers/system.cjs +3 -3
- package/dist/server/handlers/system.js +1 -1
- package/dist/server/handlers/tool-providers.cjs +14 -14
- package/dist/server/handlers/tool-providers.js +1 -1
- package/dist/server/handlers/tools.cjs +6 -6
- package/dist/server/handlers/tools.js +1 -1
- package/dist/server/handlers/utils.cjs +10 -10
- package/dist/server/handlers/utils.js +1 -1
- package/dist/server/handlers/workflows.cjs +27 -27
- package/dist/server/handlers/workflows.js +1 -1
- package/dist/server/handlers.cjs +22 -22
- package/dist/server/handlers.js +10 -10
- package/dist/server/schemas/agents.d.ts +1 -0
- package/dist/server/schemas/agents.d.ts.map +1 -1
- package/dist/server/schemas/index.cjs +536 -536
- package/dist/server/schemas/index.js +9 -9
- package/dist/server/server-adapter/index.cjs +42 -42
- package/dist/server/server-adapter/index.js +6 -6
- package/dist/server/server-adapter/routes/agent-controller.d.ts +6 -0
- package/dist/server/server-adapter/routes/agent-controller.d.ts.map +1 -0
- package/dist/server/server-adapter/routes/index.d.ts.map +1 -1
- package/package.json +10 -10
- package/dist/chunk-3WE5YAL5.js.map +0 -1
- package/dist/chunk-3ZV6GYQI.cjs.map +0 -1
- package/dist/chunk-4JILES3G.js.map +0 -1
- package/dist/chunk-4LQSGGSH.cjs.map +0 -1
- package/dist/chunk-M43CP74T.js.map +0 -1
- package/dist/chunk-Q7EQLQS5.js.map +0 -1
- package/dist/chunk-QQCQV7ZF.cjs.map +0 -1
- package/dist/chunk-TPZFGGU4.cjs.map +0 -1
- package/dist/server/handlers/harness.cjs +0 -144
- package/dist/server/handlers/harness.cjs.map +0 -1
- package/dist/server/handlers/harness.d.ts.map +0 -1
- package/dist/server/handlers/harness.js +0 -3
- package/dist/server/handlers/harness.js.map +0 -1
- package/dist/server/server-adapter/routes/harness.d.ts +0 -3
- package/dist/server/server-adapter/routes/harness.d.ts.map +0 -1
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { HTTPException } from './chunk-6QWQZI4Q.js';
|
|
2
1
|
import { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from './chunk-5FOSK5R3.js';
|
|
2
|
+
import { HTTPException } from './chunk-6QWQZI4Q.js';
|
|
3
3
|
import { matchesPermission } from '@mastra/core/auth/ee';
|
|
4
4
|
|
|
5
5
|
function getCallerAuthorId(requestContext) {
|
|
@@ -145,5 +145,5 @@ function assertOwnership(args) {
|
|
|
145
145
|
}
|
|
146
146
|
|
|
147
147
|
export { assertExecuteAccess, assertOwnership, assertReadAccess, assertShareAccess, assertWriteAccess, getCallerAuthorId, getCallerPermissions, hasAdminBypass, hasScopedPermission, matchesAuthorFilter, resolveAuthorFilter };
|
|
148
|
-
//# sourceMappingURL=chunk-
|
|
149
|
-
//# sourceMappingURL=chunk-
|
|
148
|
+
//# sourceMappingURL=chunk-SXZS6VZ3.js.map
|
|
149
|
+
//# sourceMappingURL=chunk-SXZS6VZ3.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/server/handlers/authorship.ts"],"names":["required"],"mappings":";;;;AAsBO,SAAS,kBAAkB,cAAA,EAA+C;AAC/E,EAAA,MAAM,UAAA,GAAa,cAAA,CAAe,GAAA,CAAI,sBAAsB,CAAA;AAC5D,EAAA,IAAI,OAAO,UAAA,KAAe,QAAA,IAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA;AAC/C,EAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,IAAY,QAAQ,IAAA,EAAM;AACpD,IAAA,MAAM,KAAM,IAAA,CAAyB,EAAA;AACrC,IAAA,IAAI,OAAO,EAAA,KAAO,QAAA,IAAY,EAAA,CAAG,SAAS,CAAA,EAAG;AAC3C,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBAAqB,cAAA,EAA0C;AAC7E,EAAA,MAAM,GAAA,GAAM,cAAA,CAAe,GAAA,CAAI,2BAA2B,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,MAAA,CAAO,CAAC,CAAA,KAAmB,OAAO,MAAM,QAAQ,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,EAAC;AACV;AAQO,SAAS,cAAA,CAAe,gBAAgC,QAAA,EAA2B;AACxF,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AACrC,EAAA,MAAM,WAAA,GAAc,GAAA;AACpB,EAAA,MAAM,gBAAA,GAAmB,GAAG,QAAQ,CAAA,EAAA,CAAA;AACpC,EAAA,MAAM,aAAA,GAAgB,GAAG,QAAQ,CAAA,MAAA,CAAA;AACjC,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK,CAAA,KAAM,eAAe,CAAA,KAAM,gBAAA,IAAoB,MAAM,aAAa,CAAA;AACjG;AAeO,SAAS,oBAAoB,IAAA,EAKxB;AACV,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,MAAA,EAAQ,YAAW,GAAI,IAAA;AACzD,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,MAAMA,SAAAA,GAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACtC,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAGA,SAAQ,CAAC,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,WAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,IAAI,UAAU,CAAA,CAAA;AACpD,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK;AAI3B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,KAAA;AAC7B,IAAA,OAAO,iBAAA,CAAkB,GAAG,QAAQ,CAAA;AAAA,EACtC,CAAC,CAAA;AACH;AAqBO,SAAS,oBAAoB,IAAA,EAKnB;AACf,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,aAAA,EAAe,iBAAgB,GAAI,IAAA;AACrE,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA;AAEtD,EAAA,IAAI,eAAA,KAAoB,QAAA,IAAY,CAAC,aAAA,EAAe;AAClD,IAAA,OAAO,EAAE,MAAM,YAAA,EAAa;AAAA,EAC9B;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAIA,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,QAAA,EAAU,cAAA,EAAe;AAAA,IACnD;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,qBAAA,EAAuB,cAAA,EAAgB,aAAA,EAAc;AAAA,EACtE;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,eAAA,EAAiB,cAAA,EAAe;AACjD;AAQO,SAAS,mBAAA,CAAoB,QAAqB,MAAA,EAA+B;AACtF,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AACjC,EAAA,MAAM,QAAA,GAAW,OAAO,UAAA,KAAe,QAAA;AAEvC,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,cAAA;AACH,MAAA,OAAO,IAAA;AAAA,IACT,KAAK,OAAA;AACH,MAAA,OAAO,UAAU,MAAA,CAAO,QAAA;AAAA,IAC1B,KAAK,eAAA;AACH,MAAA,OAAO,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,CAAO,cAAA,IAAkB,QAAA;AAAA,IAC9D,KAAK,YAAA;AACH,MAAA,OAAO,UAAU,IAAA,IAAQ,QAAA;AAAA,IAC3B,KAAK,qBAAA;AAIH,MAAA,OAAO,KAAA,KAAU,OAAO,aAAA,IAAiB,QAAA;AAAA;AAE/C;AAYO,SAAS,iBAAiB,IAAA,EAKxB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AAKvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,oBAAoB,IAAA,EAK3B;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,SAAA,EAAW,UAAA,EAAY,CAAA,EAAG;AACpF,IAAA;AAAA,EACF;AACA,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,kBAAkB,IAAA,EAMzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,MAAA,EAAQ,QAAO,GAAI,IAAA;AACjE,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,oBAAoB,EAAE,cAAA,EAAgB,UAAU,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACzE,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAoBO,SAAS,kBAAkB,IAAA,EAKzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,OAAA,EAAS,UAAA,EAAY,CAAA,EAAG;AAClF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAMO,SAAS,gBAAgB,IAAA,EAKvB;AACP,EAAA,iBAAA,CAAkB,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,QAAQ,CAAA;AAC/C","file":"chunk-56AYHXOU.js","sourcesContent":["import { matchesPermission } from '@mastra/core/auth/ee';\nimport type { RequestContext } from '@mastra/core/di';\n\nimport { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from '../constants';\nimport { HTTPException } from '../http-exception';\n\n/**\n * Shape of a stored record that carries ownership + visibility metadata.\n * Used by `matchesAuthorFilter` and the access-assertion helpers.\n */\nexport type OwnedRecord = {\n authorId?: string | null;\n visibility?: 'private' | 'public';\n};\n\n/**\n * Returns the author id associated with the authenticated caller, or `null`\n * if auth is not configured / the caller cannot be resolved.\n *\n * Prefers `MASTRA_RESOURCE_ID_KEY` (set by `authConfig.mapUserToResourceId`)\n * and falls back to `user.id` on the authenticated user object.\n */\nexport function getCallerAuthorId(requestContext: RequestContext): string | null {\n const resourceId = requestContext.get(MASTRA_RESOURCE_ID_KEY);\n if (typeof resourceId === 'string' && resourceId.length > 0) {\n return resourceId;\n }\n\n const user = requestContext.get(MASTRA_USER_KEY);\n if (user && typeof user === 'object' && 'id' in user) {\n const id = (user as { id: unknown }).id;\n if (typeof id === 'string' && id.length > 0) {\n return id;\n }\n }\n\n return null;\n}\n\n/**\n * Returns the list of permission strings currently attached to the caller by\n * the RBAC provider. Returns an empty array when RBAC isn't configured.\n */\nexport function getCallerPermissions(requestContext: RequestContext): string[] {\n const raw = requestContext.get(MASTRA_USER_PERMISSIONS_KEY);\n if (Array.isArray(raw)) {\n return raw.filter((p): p is string => typeof p === 'string');\n }\n return [];\n}\n\n/**\n * True if the caller holds a wildcard permission that lets them manage a\n * resource they don't own (e.g. admins listing agents across tenants).\n *\n * Recognizes `*`, `<resource>:*`, and `<resource>:admin`.\n */\nexport function hasAdminBypass(requestContext: RequestContext, resource: string): boolean {\n const permissions = getCallerPermissions(requestContext);\n if (permissions.length === 0) return false;\n const wildcardAll = '*';\n const resourceWildcard = `${resource}:*`;\n const resourceAdmin = `${resource}:admin`;\n return permissions.some(p => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);\n}\n\n/**\n * True if the caller holds a permission explicitly scoped to a specific\n * resource id — e.g. `agents:read:agent-123` or `agents:*:agent-123`.\n *\n * Broad grants without a resource-id segment (e.g. the role-default\n * `agents:execute`) are intentionally NOT treated as satisfying ownership\n * overrides. Those broad grants already gate route access at the\n * `requiresPermission` layer; giving them a second life as per-record\n * overrides would defeat the owner/visibility model.\n *\n * When called without `resourceId` (the legacy shape), falls back to the\n * original \"any matching permission\" behavior.\n */\nexport function hasScopedPermission(args: {\n requestContext: RequestContext;\n resource: string;\n action: string;\n resourceId?: string;\n}): boolean {\n const { requestContext, resource, action, resourceId } = args;\n const permissions = getCallerPermissions(requestContext);\n if (permissions.length === 0) return false;\n\n if (!resourceId) {\n const required = `${resource}:${action}`;\n return permissions.some(p => matchesPermission(p, required));\n }\n\n const required = `${resource}:${action}:${resourceId}`;\n return permissions.some(p => {\n // Only honor grants that explicitly name a resource id. A granted\n // permission with just `<resource>:<action>` (no id segment) is\n // considered a broad role grant, not a per-record override.\n const parts = p.split(':');\n if (parts.length < 3) return false;\n return matchesPermission(p, required);\n });\n}\n\nexport type AuthorFilter =\n | { kind: 'unrestricted' }\n | { kind: 'exact'; authorId: string }\n | { kind: 'ownedOrPublic'; callerAuthorId: string }\n | { kind: 'publicOnly' }\n | { kind: 'ownedOrPublicOthers'; callerAuthorId: string; queryAuthorId: string };\n\n/**\n * Resolves the filter to apply when listing owner-scoped records.\n *\n * Behavior matrix:\n * - Admin bypass + no query overrides → `unrestricted`.\n * - Admin bypass + `authorId=X` → `exact` (all of X's rows).\n * - `visibility=public` (any caller) → `publicOnly` (aggregate public rows across owners).\n * - `authorId=X`, caller === X → `exact` (all of caller's rows).\n * - `authorId=X`, caller !== X (non-admin) → `ownedOrPublicOthers` (only X's public rows).\n * - No caller (auth off) → `unrestricted` (or `exact` if query supplied).\n * - Default → `ownedOrPublic` (caller's rows + legacy unowned + any public rows).\n */\nexport function resolveAuthorFilter(args: {\n requestContext: RequestContext;\n resource: string;\n queryAuthorId?: string;\n queryVisibility?: 'public';\n}): AuthorFilter {\n const { requestContext, resource, queryAuthorId, queryVisibility } = args;\n const callerAuthorId = getCallerAuthorId(requestContext);\n const bypass = hasAdminBypass(requestContext, resource);\n\n if (queryVisibility === 'public' && !queryAuthorId) {\n return { kind: 'publicOnly' };\n }\n\n if (bypass) {\n return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n }\n\n // Auth isn't configured (no caller) → treat as unrestricted. The route's\n // `requiresAuth`/`requiresPermission` is what gates access in that mode.\n if (!callerAuthorId) {\n return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n }\n\n if (queryAuthorId) {\n if (queryAuthorId === callerAuthorId) {\n return { kind: 'exact', authorId: callerAuthorId };\n }\n // Non-owner asking about another user: only that user's public rows are visible.\n return { kind: 'ownedOrPublicOthers', callerAuthorId, queryAuthorId };\n }\n\n return { kind: 'ownedOrPublic', callerAuthorId };\n}\n\n/**\n * Returns `true` if the record is visible to the caller given the resolved\n * filter. See `resolveAuthorFilter` for the filter semantics.\n *\n * Legacy rows with `authorId == null` are treated as public (visible to all).\n */\nexport function matchesAuthorFilter(record: OwnedRecord, filter: AuthorFilter): boolean {\n const owner = record.authorId ?? null;\n const isPublic = record.visibility === 'public';\n\n switch (filter.kind) {\n case 'unrestricted':\n return true;\n case 'exact':\n return owner === filter.authorId;\n case 'ownedOrPublic':\n return owner === null || owner === filter.callerAuthorId || isPublic;\n case 'publicOnly':\n return owner === null || isPublic;\n case 'ownedOrPublicOthers':\n // Filtering by another author's rows: only expose their public ones.\n // Legacy unowned rows match if the query is for `null`; here the query\n // is always for a concrete id, so unowned rows don't match.\n return owner === filter.queryAuthorId && isPublic;\n }\n}\n\n/**\n * Asserts the caller has read access to the record. Throws 404 if not.\n *\n * Read access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:read` or `<resource>:read:<resourceId>`.\n */\nexport function assertReadAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (record.visibility === 'public') return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n // No authenticated user on the request context means auth is not configured\n // (single-user/dev mode). When auth IS configured, coreAuthMiddleware\n // rejects unauthenticated requests with 401 before they reach handlers,\n // so an absent user here genuinely means no auth provider.\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has execute access to the record. Throws 404 if not.\n *\n * Execute access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:execute` / `<resource>:execute:<resourceId>`, OR\n * - The caller holds `<resource>:read` / `<resource>:read:<resourceId>`\n * (read implies the ability to consume/chat with the resource).\n */\nexport function assertExecuteAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (record.visibility === 'public') return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'execute', resourceId })) {\n return;\n }\n if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has write access (edit or delete) to the record.\n * Throws 404 if not.\n *\n * Write access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record, OR\n * - The caller has admin bypass, OR\n * - The caller holds `<resource>:<action>` or `<resource>:<action>:<resourceId>`.\n *\n * `visibility: 'public'` alone does NOT grant write access.\n */\nexport function assertWriteAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n action: 'edit' | 'delete' | 'write';\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, action, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action, resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has share access to the record. Throws 404 if not.\n *\n * Share access controls who can change a record's audience/visibility\n * (e.g. flipping `private` ↔ `public`). It is intentionally separate from\n * `write`: a caller with only `<resource>:write` MUST NOT be able to flip\n * visibility — that would let any editor expose private records.\n *\n * Share access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record (creators can share their own records), OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:share` / `<resource>:share:<resourceId>`\n * (or any pattern that matches it, e.g. `*:share`).\n *\n * `visibility: 'public'` does NOT grant share access — being readable doesn't\n * imply the right to change who else can read.\n */\nexport function assertShareAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'share', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Alias for `assertWriteAccess` with `action: 'edit'`. Prefer `assertWriteAccess`\n * in new code so the action is explicit.\n */\nexport function assertOwnership(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n assertWriteAccess({ ...args, action: 'edit' });\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/server/handlers/authorship.ts"],"names":["required"],"mappings":";;;;AAsBO,SAAS,kBAAkB,cAAA,EAA+C;AAC/E,EAAA,MAAM,UAAA,GAAa,cAAA,CAAe,GAAA,CAAI,sBAAsB,CAAA;AAC5D,EAAA,IAAI,OAAO,UAAA,KAAe,QAAA,IAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA;AAC/C,EAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,IAAY,QAAQ,IAAA,EAAM;AACpD,IAAA,MAAM,KAAM,IAAA,CAAyB,EAAA;AACrC,IAAA,IAAI,OAAO,EAAA,KAAO,QAAA,IAAY,EAAA,CAAG,SAAS,CAAA,EAAG;AAC3C,MAAA,OAAO,EAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBAAqB,cAAA,EAA0C;AAC7E,EAAA,MAAM,GAAA,GAAM,cAAA,CAAe,GAAA,CAAI,2BAA2B,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,MAAA,CAAO,CAAC,CAAA,KAAmB,OAAO,MAAM,QAAQ,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,EAAC;AACV;AAQO,SAAS,cAAA,CAAe,gBAAgC,QAAA,EAA2B;AACxF,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AACrC,EAAA,MAAM,WAAA,GAAc,GAAA;AACpB,EAAA,MAAM,gBAAA,GAAmB,GAAG,QAAQ,CAAA,EAAA,CAAA;AACpC,EAAA,MAAM,aAAA,GAAgB,GAAG,QAAQ,CAAA,MAAA,CAAA;AACjC,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK,CAAA,KAAM,eAAe,CAAA,KAAM,gBAAA,IAAoB,MAAM,aAAa,CAAA;AACjG;AAeO,SAAS,oBAAoB,IAAA,EAKxB;AACV,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,MAAA,EAAQ,YAAW,GAAI,IAAA;AACzD,EAAA,MAAM,WAAA,GAAc,qBAAqB,cAAc,CAAA;AACvD,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,MAAMA,SAAAA,GAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACtC,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAGA,SAAQ,CAAC,CAAA;AAAA,EAC7D;AAEA,EAAA,MAAM,WAAW,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,MAAM,IAAI,UAAU,CAAA,CAAA;AACpD,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK;AAI3B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,KAAA;AAC7B,IAAA,OAAO,iBAAA,CAAkB,GAAG,QAAQ,CAAA;AAAA,EACtC,CAAC,CAAA;AACH;AAqBO,SAAS,oBAAoB,IAAA,EAKnB;AACf,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,aAAA,EAAe,iBAAgB,GAAI,IAAA;AACrE,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA;AAEtD,EAAA,IAAI,eAAA,KAAoB,QAAA,IAAY,CAAC,aAAA,EAAe;AAClD,IAAA,OAAO,EAAE,MAAM,YAAA,EAAa;AAAA,EAC9B;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAIA,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAO,aAAA,GAAgB,EAAE,IAAA,EAAM,OAAA,EAAS,UAAU,aAAA,EAAc,GAAI,EAAE,IAAA,EAAM,cAAA,EAAe;AAAA,EAC7F;AAEA,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,QAAA,EAAU,cAAA,EAAe;AAAA,IACnD;AAEA,IAAA,OAAO,EAAE,IAAA,EAAM,qBAAA,EAAuB,cAAA,EAAgB,aAAA,EAAc;AAAA,EACtE;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,eAAA,EAAiB,cAAA,EAAe;AACjD;AAQO,SAAS,mBAAA,CAAoB,QAAqB,MAAA,EAA+B;AACtF,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AACjC,EAAA,MAAM,QAAA,GAAW,OAAO,UAAA,KAAe,QAAA;AAEvC,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,cAAA;AACH,MAAA,OAAO,IAAA;AAAA,IACT,KAAK,OAAA;AACH,MAAA,OAAO,UAAU,MAAA,CAAO,QAAA;AAAA,IAC1B,KAAK,eAAA;AACH,MAAA,OAAO,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,CAAO,cAAA,IAAkB,QAAA;AAAA,IAC9D,KAAK,YAAA;AACH,MAAA,OAAO,UAAU,IAAA,IAAQ,QAAA;AAAA,IAC3B,KAAK,qBAAA;AAIH,MAAA,OAAO,KAAA,KAAU,OAAO,aAAA,IAAiB,QAAA;AAAA;AAE/C;AAYO,SAAS,iBAAiB,IAAA,EAKxB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AAKvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,oBAAoB,IAAA,EAK3B;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,MAAA,CAAO,eAAe,QAAA,EAAU;AACpC,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,SAAA,EAAW,UAAA,EAAY,CAAA,EAAG;AACpF,IAAA;AAAA,EACF;AACA,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACjF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAcO,SAAS,kBAAkB,IAAA,EAMzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,MAAA,EAAQ,QAAO,GAAI,IAAA;AACjE,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,oBAAoB,EAAE,cAAA,EAAgB,UAAU,MAAA,EAAQ,UAAA,EAAY,CAAA,EAAG;AACzE,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAoBO,SAAS,kBAAkB,IAAA,EAKzB;AACP,EAAA,MAAM,EAAE,cAAA,EAAgB,QAAA,EAAU,UAAA,EAAY,QAAO,GAAI,IAAA;AACzD,EAAA,MAAM,KAAA,GAAQ,OAAO,QAAA,IAAY,IAAA;AAEjC,EAAA,IAAI,UAAU,IAAA,EAAM;AACpB,EAAA,IAAI,cAAA,CAAe,cAAA,EAAgB,QAAQ,CAAA,EAAG;AAE9C,EAAA,MAAM,cAAA,GAAiB,kBAAkB,cAAc,CAAA;AACvD,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA,EAAG;AAC7D,EAAA,IAAI,mBAAmB,KAAA,EAAO;AAE9B,EAAA,IAAI,mBAAA,CAAoB,EAAE,cAAA,EAAgB,QAAA,EAAU,QAAQ,OAAA,EAAS,UAAA,EAAY,CAAA,EAAG;AAClF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,aAAA,CAAc,GAAA,EAAK,EAAE,OAAA,EAAS,aAAa,CAAA;AACvD;AAMO,SAAS,gBAAgB,IAAA,EAKvB;AACP,EAAA,iBAAA,CAAkB,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,QAAQ,CAAA;AAC/C","file":"chunk-SXZS6VZ3.js","sourcesContent":["import { matchesPermission } from '@mastra/core/auth/ee';\nimport type { RequestContext } from '@mastra/core/di';\n\nimport { MASTRA_RESOURCE_ID_KEY, MASTRA_USER_KEY, MASTRA_USER_PERMISSIONS_KEY } from '../constants';\nimport { HTTPException } from '../http-exception';\n\n/**\n * Shape of a stored record that carries ownership + visibility metadata.\n * Used by `matchesAuthorFilter` and the access-assertion helpers.\n */\nexport type OwnedRecord = {\n authorId?: string | null;\n visibility?: 'private' | 'public';\n};\n\n/**\n * Returns the author id associated with the authenticated caller, or `null`\n * if auth is not configured / the caller cannot be resolved.\n *\n * Prefers `MASTRA_RESOURCE_ID_KEY` (set by `authConfig.mapUserToResourceId`)\n * and falls back to `user.id` on the authenticated user object.\n */\nexport function getCallerAuthorId(requestContext: RequestContext): string | null {\n const resourceId = requestContext.get(MASTRA_RESOURCE_ID_KEY);\n if (typeof resourceId === 'string' && resourceId.length > 0) {\n return resourceId;\n }\n\n const user = requestContext.get(MASTRA_USER_KEY);\n if (user && typeof user === 'object' && 'id' in user) {\n const id = (user as { id: unknown }).id;\n if (typeof id === 'string' && id.length > 0) {\n return id;\n }\n }\n\n return null;\n}\n\n/**\n * Returns the list of permission strings currently attached to the caller by\n * the RBAC provider. Returns an empty array when RBAC isn't configured.\n */\nexport function getCallerPermissions(requestContext: RequestContext): string[] {\n const raw = requestContext.get(MASTRA_USER_PERMISSIONS_KEY);\n if (Array.isArray(raw)) {\n return raw.filter((p): p is string => typeof p === 'string');\n }\n return [];\n}\n\n/**\n * True if the caller holds a wildcard permission that lets them manage a\n * resource they don't own (e.g. admins listing agents across tenants).\n *\n * Recognizes `*`, `<resource>:*`, and `<resource>:admin`.\n */\nexport function hasAdminBypass(requestContext: RequestContext, resource: string): boolean {\n const permissions = getCallerPermissions(requestContext);\n if (permissions.length === 0) return false;\n const wildcardAll = '*';\n const resourceWildcard = `${resource}:*`;\n const resourceAdmin = `${resource}:admin`;\n return permissions.some(p => p === wildcardAll || p === resourceWildcard || p === resourceAdmin);\n}\n\n/**\n * True if the caller holds a permission explicitly scoped to a specific\n * resource id — e.g. `agents:read:agent-123` or `agents:*:agent-123`.\n *\n * Broad grants without a resource-id segment (e.g. the role-default\n * `agents:execute`) are intentionally NOT treated as satisfying ownership\n * overrides. Those broad grants already gate route access at the\n * `requiresPermission` layer; giving them a second life as per-record\n * overrides would defeat the owner/visibility model.\n *\n * When called without `resourceId` (the legacy shape), falls back to the\n * original \"any matching permission\" behavior.\n */\nexport function hasScopedPermission(args: {\n requestContext: RequestContext;\n resource: string;\n action: string;\n resourceId?: string;\n}): boolean {\n const { requestContext, resource, action, resourceId } = args;\n const permissions = getCallerPermissions(requestContext);\n if (permissions.length === 0) return false;\n\n if (!resourceId) {\n const required = `${resource}:${action}`;\n return permissions.some(p => matchesPermission(p, required));\n }\n\n const required = `${resource}:${action}:${resourceId}`;\n return permissions.some(p => {\n // Only honor grants that explicitly name a resource id. A granted\n // permission with just `<resource>:<action>` (no id segment) is\n // considered a broad role grant, not a per-record override.\n const parts = p.split(':');\n if (parts.length < 3) return false;\n return matchesPermission(p, required);\n });\n}\n\nexport type AuthorFilter =\n | { kind: 'unrestricted' }\n | { kind: 'exact'; authorId: string }\n | { kind: 'ownedOrPublic'; callerAuthorId: string }\n | { kind: 'publicOnly' }\n | { kind: 'ownedOrPublicOthers'; callerAuthorId: string; queryAuthorId: string };\n\n/**\n * Resolves the filter to apply when listing owner-scoped records.\n *\n * Behavior matrix:\n * - Admin bypass + no query overrides → `unrestricted`.\n * - Admin bypass + `authorId=X` → `exact` (all of X's rows).\n * - `visibility=public` (any caller) → `publicOnly` (aggregate public rows across owners).\n * - `authorId=X`, caller === X → `exact` (all of caller's rows).\n * - `authorId=X`, caller !== X (non-admin) → `ownedOrPublicOthers` (only X's public rows).\n * - No caller (auth off) → `unrestricted` (or `exact` if query supplied).\n * - Default → `ownedOrPublic` (caller's rows + legacy unowned + any public rows).\n */\nexport function resolveAuthorFilter(args: {\n requestContext: RequestContext;\n resource: string;\n queryAuthorId?: string;\n queryVisibility?: 'public';\n}): AuthorFilter {\n const { requestContext, resource, queryAuthorId, queryVisibility } = args;\n const callerAuthorId = getCallerAuthorId(requestContext);\n const bypass = hasAdminBypass(requestContext, resource);\n\n if (queryVisibility === 'public' && !queryAuthorId) {\n return { kind: 'publicOnly' };\n }\n\n if (bypass) {\n return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n }\n\n // Auth isn't configured (no caller) → treat as unrestricted. The route's\n // `requiresAuth`/`requiresPermission` is what gates access in that mode.\n if (!callerAuthorId) {\n return queryAuthorId ? { kind: 'exact', authorId: queryAuthorId } : { kind: 'unrestricted' };\n }\n\n if (queryAuthorId) {\n if (queryAuthorId === callerAuthorId) {\n return { kind: 'exact', authorId: callerAuthorId };\n }\n // Non-owner asking about another user: only that user's public rows are visible.\n return { kind: 'ownedOrPublicOthers', callerAuthorId, queryAuthorId };\n }\n\n return { kind: 'ownedOrPublic', callerAuthorId };\n}\n\n/**\n * Returns `true` if the record is visible to the caller given the resolved\n * filter. See `resolveAuthorFilter` for the filter semantics.\n *\n * Legacy rows with `authorId == null` are treated as public (visible to all).\n */\nexport function matchesAuthorFilter(record: OwnedRecord, filter: AuthorFilter): boolean {\n const owner = record.authorId ?? null;\n const isPublic = record.visibility === 'public';\n\n switch (filter.kind) {\n case 'unrestricted':\n return true;\n case 'exact':\n return owner === filter.authorId;\n case 'ownedOrPublic':\n return owner === null || owner === filter.callerAuthorId || isPublic;\n case 'publicOnly':\n return owner === null || isPublic;\n case 'ownedOrPublicOthers':\n // Filtering by another author's rows: only expose their public ones.\n // Legacy unowned rows match if the query is for `null`; here the query\n // is always for a concrete id, so unowned rows don't match.\n return owner === filter.queryAuthorId && isPublic;\n }\n}\n\n/**\n * Asserts the caller has read access to the record. Throws 404 if not.\n *\n * Read access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:read` or `<resource>:read:<resourceId>`.\n */\nexport function assertReadAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (record.visibility === 'public') return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n // No authenticated user on the request context means auth is not configured\n // (single-user/dev mode). When auth IS configured, coreAuthMiddleware\n // rejects unauthenticated requests with 401 before they reach handlers,\n // so an absent user here genuinely means no auth provider.\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return;\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has execute access to the record. Throws 404 if not.\n *\n * Execute access is granted when:\n * - The record has no owner (legacy/public), OR\n * - The record is marked `visibility: 'public'`, OR\n * - The caller owns the record, OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:execute` / `<resource>:execute:<resourceId>`, OR\n * - The caller holds `<resource>:read` / `<resource>:read:<resourceId>`\n * (read implies the ability to consume/chat with the resource).\n */\nexport function assertExecuteAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (record.visibility === 'public') return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'execute', resourceId })) {\n return;\n }\n if (hasScopedPermission({ requestContext, resource, action: 'read', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has write access (edit or delete) to the record.\n * Throws 404 if not.\n *\n * Write access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record, OR\n * - The caller has admin bypass, OR\n * - The caller holds `<resource>:<action>` or `<resource>:<action>:<resourceId>`.\n *\n * `visibility: 'public'` alone does NOT grant write access.\n */\nexport function assertWriteAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n action: 'edit' | 'delete' | 'write';\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, action, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action, resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Asserts the caller has share access to the record. Throws 404 if not.\n *\n * Share access controls who can change a record's audience/visibility\n * (e.g. flipping `private` ↔ `public`). It is intentionally separate from\n * `write`: a caller with only `<resource>:write` MUST NOT be able to flip\n * visibility — that would let any editor expose private records.\n *\n * Share access is granted when:\n * - The record has no owner (legacy), OR\n * - The caller owns the record (creators can share their own records), OR\n * - The caller has admin bypass (`*`, `<resource>:*`, `<resource>:admin`), OR\n * - The caller holds `<resource>:share` / `<resource>:share:<resourceId>`\n * (or any pattern that matches it, e.g. `*:share`).\n *\n * `visibility: 'public'` does NOT grant share access — being readable doesn't\n * imply the right to change who else can read.\n */\nexport function assertShareAccess(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n const { requestContext, resource, resourceId, record } = args;\n const owner = record.authorId ?? null;\n\n if (owner === null) return;\n if (hasAdminBypass(requestContext, resource)) return;\n\n const callerAuthorId = getCallerAuthorId(requestContext);\n if (!callerAuthorId && !requestContext.get(MASTRA_USER_KEY)) return; // No auth configured (see assertReadAccess)\n if (callerAuthorId === owner) return;\n\n if (hasScopedPermission({ requestContext, resource, action: 'share', resourceId })) {\n return;\n }\n\n throw new HTTPException(404, { message: 'Not found' });\n}\n\n/**\n * Alias for `assertWriteAccess` with `action: 'edit'`. Prefer `assertWriteAccess`\n * in new code so the action is explicit.\n */\nexport function assertOwnership(args: {\n requestContext: RequestContext;\n resource: string;\n resourceId?: string;\n record: OwnedRecord;\n}): void {\n assertWriteAccess({ ...args, action: 'edit' });\n}\n"]}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { listLogTransportsResponseSchema, listLogsResponseSchema, listLogsQuerySchema } from './chunk-MXZPGEC2.js';
|
|
2
|
-
import { validateBody, parseFilters } from './chunk-
|
|
2
|
+
import { validateBody, parseFilters } from './chunk-JBSUT5XF.js';
|
|
3
3
|
import { runIdSchema } from './chunk-2YY3EMMS.js';
|
|
4
4
|
import { handleError } from './chunk-7ZWJX3AN.js';
|
|
5
5
|
import { createRoute } from './chunk-BRC4XSFG.js';
|
|
@@ -96,5 +96,5 @@ var LIST_LOGS_BY_RUN_ID_ROUTE = createRoute({
|
|
|
96
96
|
});
|
|
97
97
|
|
|
98
98
|
export { LIST_LOGS_BY_RUN_ID_ROUTE, LIST_LOGS_ROUTE, LIST_LOG_TRANSPORTS_ROUTE, logs_exports };
|
|
99
|
-
//# sourceMappingURL=chunk-
|
|
100
|
-
//# sourceMappingURL=chunk-
|
|
99
|
+
//# sourceMappingURL=chunk-UACKERCG.js.map
|
|
100
|
+
//# sourceMappingURL=chunk-UACKERCG.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/server/handlers/logs.ts"],"names":[],"mappings":";;;;;;;;AAAA,IAAA,YAAA,GAAA;AAAA,QAAA,CAAA,YAAA,EAAA;AAAA,EAAA,yBAAA,EAAA,MAAA,yBAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,yBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUO,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,kBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,+BAAA;AAAA,EAChB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,gDAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,OAAA,EAAS,OAAO,EAAE,MAAA,EAAO,KAAM;AAC7B,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,OAAO,SAAA,EAAU;AAChC,MAAA,MAAM,UAAA,GAAa,OAAO,aAAA,EAAc;AAExC,MAAA,OAAO;AAAA,QACL,UAAA,EAAY,aAAa,CAAC,GAAG,WAAW,IAAA,EAAM,IAAI;AAAC,OACrD;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,8BAA8B,CAAA;AAAA,IAC1D;AAAA,EACF;AACF,CAAC;AAEM,IAAM,kBAAkB,WAAA,CAAY;AAAA,EACzC,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,OAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,gBAAA,EAAkB,mBAAA;AAAA,EAClB,cAAA,EAAgB,sBAAA;AAAA,EAChB,OAAA,EAAS,WAAA;AAAA,EACT,WAAA,EACE,6GAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,OAAO,EAAE,MAAA,EAAQ,GAAG,QAAO,KAAM;AACxC,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,aAAa,QAAA,EAAU,MAAA,EAAQ,UAAU,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAQ,GAAI,MAAA;AAEtF,MAAA,YAAA,CAAa,EAAE,aAAa,CAAA;AAG5B,MAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,QAAA,CAAS,WAAA,EAAc;AAAA,QAC/C,QAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,IAAA,GAAO,MAAA,CAAO,IAAI,CAAA,GAAI,MAAA;AAAA,QAC5B,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,OAAO,CAAA,GAAI;AAAA,OACtC,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,oBAAoB,CAAA;AAAA,IAChD;AAAA,EACF;AACF,CAAC;AAEM,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,cAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,eAAA,EAAiB,WAAA;AAAA,EACjB,gBAAA,EAAkB,mBAAA;AAAA,EAClB,cAAA,EAAgB,sBAAA;AAAA,EAChB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,gEAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,OAAO,EAAE,QAAQ,KAAA,EAAO,GAAG,QAAO,KAAM;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,aAAa,QAAA,EAAU,MAAA,EAAQ,UAAU,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAQ,GAAI,MAAA;AAEtF,MAAA,YAAA,CAAa,EAAE,KAAA,EAAO,WAAA,EAAa,CAAA;AAGnC,MAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,eAAA,CAAgB;AAAA,QACxC,KAAA;AAAA,QACA,WAAA;AAAA,QACA,QAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,IAAA,GAAO,MAAA,CAAO,IAAI,CAAA,GAAI,MAAA;AAAA,QAC5B,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,OAAO,CAAA,GAAI;AAAA,OACtC,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,8BAA8B,CAAA;AAAA,IAC1D;AAAA,EACF;AACF,CAAC","file":"chunk-
|
|
1
|
+
{"version":3,"sources":["../src/server/handlers/logs.ts"],"names":[],"mappings":";;;;;;;;AAAA,IAAA,YAAA,GAAA;AAAA,QAAA,CAAA,YAAA,EAAA;AAAA,EAAA,yBAAA,EAAA,MAAA,yBAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,yBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUO,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,kBAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,cAAA,EAAgB,+BAAA;AAAA,EAChB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,gDAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,OAAA,EAAS,OAAO,EAAE,MAAA,EAAO,KAAM;AAC7B,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,OAAO,SAAA,EAAU;AAChC,MAAA,MAAM,UAAA,GAAa,OAAO,aAAA,EAAc;AAExC,MAAA,OAAO;AAAA,QACL,UAAA,EAAY,aAAa,CAAC,GAAG,WAAW,IAAA,EAAM,IAAI;AAAC,OACrD;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,8BAA8B,CAAA;AAAA,IAC1D;AAAA,EACF;AACF,CAAC;AAEM,IAAM,kBAAkB,WAAA,CAAY;AAAA,EACzC,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,OAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,gBAAA,EAAkB,mBAAA;AAAA,EAClB,cAAA,EAAgB,sBAAA;AAAA,EAChB,OAAA,EAAS,WAAA;AAAA,EACT,WAAA,EACE,6GAAA;AAAA,EACF,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,OAAO,EAAE,MAAA,EAAQ,GAAG,QAAO,KAAM;AACxC,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,aAAa,QAAA,EAAU,MAAA,EAAQ,UAAU,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAQ,GAAI,MAAA;AAEtF,MAAA,YAAA,CAAa,EAAE,aAAa,CAAA;AAG5B,MAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,QAAA,CAAS,WAAA,EAAc;AAAA,QAC/C,QAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,IAAA,GAAO,MAAA,CAAO,IAAI,CAAA,GAAI,MAAA;AAAA,QAC5B,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,OAAO,CAAA,GAAI;AAAA,OACtC,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,oBAAoB,CAAA;AAAA,IAChD;AAAA,EACF;AACF,CAAC;AAEM,IAAM,4BAA4B,WAAA,CAAY;AAAA,EACnD,MAAA,EAAQ,KAAA;AAAA,EACR,IAAA,EAAM,cAAA;AAAA,EACN,YAAA,EAAc,MAAA;AAAA,EACd,eAAA,EAAiB,WAAA;AAAA,EACjB,gBAAA,EAAkB,mBAAA;AAAA,EAClB,cAAA,EAAgB,sBAAA;AAAA,EAChB,OAAA,EAAS,qBAAA;AAAA,EACT,WAAA,EAAa,gEAAA;AAAA,EACb,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,EACb,YAAA,EAAc,IAAA;AAAA,EACd,SAAS,OAAO,EAAE,QAAQ,KAAA,EAAO,GAAG,QAAO,KAAM;AAC/C,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,aAAa,QAAA,EAAU,MAAA,EAAQ,UAAU,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAQ,GAAI,MAAA;AAEtF,MAAA,YAAA,CAAa,EAAE,KAAA,EAAO,WAAA,EAAa,CAAA;AAGnC,MAAA,MAAM,OAAA,GAAU,aAAa,QAAQ,CAAA;AAErC,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,eAAA,CAAgB;AAAA,QACxC,KAAA;AAAA,QACA,WAAA;AAAA,QACA,QAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,OAAA;AAAA,QACA,IAAA,EAAM,IAAA,GAAO,MAAA,CAAO,IAAI,CAAA,GAAI,MAAA;AAAA,QAC5B,OAAA,EAAS,OAAA,GAAU,MAAA,CAAO,OAAO,CAAA,GAAI;AAAA,OACtC,CAAA;AACD,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,WAAA,CAAY,OAAO,8BAA8B,CAAA;AAAA,IAC1D;AAAA,EACF;AACF,CAAC","file":"chunk-UACKERCG.js","sourcesContent":["import { runIdSchema } from '../schemas/common';\nimport { listLogsQuerySchema, listLogsResponseSchema, listLogTransportsResponseSchema } from '../schemas/logs';\nimport { createRoute } from '../server-adapter/routes/route-builder';\nimport { handleError } from './error';\nimport { parseFilters, validateBody } from './utils';\n\n// ============================================================================\n// Route Definitions (new pattern - handlers defined inline with createRoute)\n// ============================================================================\n\nexport const LIST_LOG_TRANSPORTS_ROUTE = createRoute({\n method: 'GET',\n path: '/logs/transports',\n responseType: 'json',\n responseSchema: listLogTransportsResponseSchema,\n summary: 'List log transports',\n description: 'Returns a list of all available log transports',\n tags: ['Logs'],\n requiresAuth: true,\n handler: async ({ mastra }) => {\n try {\n const logger = mastra.getLogger();\n const transports = logger.getTransports();\n\n return {\n transports: transports ? [...transports.keys()] : [],\n };\n } catch (error) {\n return handleError(error, 'Error getting log Transports');\n }\n },\n});\n\nexport const LIST_LOGS_ROUTE = createRoute({\n method: 'GET',\n path: '/logs',\n responseType: 'json',\n queryParamSchema: listLogsQuerySchema,\n responseSchema: listLogsResponseSchema,\n summary: 'List logs',\n description:\n 'Returns logs from a specific transport with optional filtering by date range, log level, and custom filters',\n tags: ['Logs'],\n requiresAuth: true,\n handler: async ({ mastra, ...params }) => {\n try {\n const { transportId, fromDate, toDate, logLevel, filters: _filters, page, perPage } = params;\n\n validateBody({ transportId });\n\n // Parse filter query parameter if present\n const filters = parseFilters(_filters);\n\n const logs = await mastra.listLogs(transportId!, {\n fromDate,\n toDate,\n logLevel,\n filters,\n page: page ? Number(page) : undefined,\n perPage: perPage ? Number(perPage) : undefined,\n });\n return logs;\n } catch (error) {\n return handleError(error, 'Error getting logs');\n }\n },\n});\n\nexport const LIST_LOGS_BY_RUN_ID_ROUTE = createRoute({\n method: 'GET',\n path: '/logs/:runId',\n responseType: 'json',\n pathParamSchema: runIdSchema,\n queryParamSchema: listLogsQuerySchema,\n responseSchema: listLogsResponseSchema,\n summary: 'List logs by run ID',\n description: 'Returns all logs for a specific execution run from a transport',\n tags: ['Logs'],\n requiresAuth: true,\n handler: async ({ mastra, runId, ...params }) => {\n try {\n const { transportId, fromDate, toDate, logLevel, filters: _filters, page, perPage } = params;\n\n validateBody({ runId, transportId });\n\n // Parse filter query parameter if present\n const filters = parseFilters(_filters);\n\n const logs = await mastra.listLogsByRunId({\n runId: runId!,\n transportId: transportId!,\n fromDate,\n toDate,\n logLevel,\n filters,\n page: page ? Number(page) : undefined,\n perPage: perPage ? Number(perPage) : undefined,\n });\n return logs;\n } catch (error) {\n return handleError(error, 'Error getting logs by run ID');\n }\n },\n});\n"]}
|