{"version":3,"sources":["../src/error.ts","../src/oauth/state.ts","../src/oauth/network.ts","../src/pkce/error.ts","../src/pkce/cookie.ts","../src/pkce/pkce.ts","../src/oauth/oauth.ts","../src/session/cookie.ts","../src/session/session.ts","../src/client.ts","../../../packages/_internal-core/src/logger/index.ts","../../../packages/_internal-core/src/base/MastraBase.ts","../../../packages/_internals/auth/src/provider/index.ts","../src/auth-provider.ts","../../../packages/_internals/auth/src/ee/defaults/roles.ts","../src/rbac/rbac-provider.ts"],"names":["randomBytes","createHash","getRequestHeader"],"mappings":";;;;;AAiCO,IAAM,SAAA,GAAN,MAAM,UAAA,SAAkB,KAAA,CAAM;AAAA,EAC1B,IAAA;AAAA,EACS,KAAA;AAAA,EACT,SAAA;AAAA,EACA,YAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAqB,OAAA,EAAiB,OAAA,EAA4B;AAC5E,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAQ,OAAA,EAAS,KAAA;AACtB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,eAAe,OAAA,EAAS,YAAA;AAE7B,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,YAAA,GAA0B;AAC/B,IAAA,OAAO,IAAI,UAAA,CAAU,eAAA,EAAiB,gDAAgD,CAAA;AAAA,EACxF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,aAAA,GAA2B;AAChC,IAAA,OAAO,IAAI,UAAA,CAAU,gBAAA,EAAkB,6DAA6D,CAAA;AAAA,EACtG;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,WAAA,GAAyB;AAC9B,IAAA,OAAO,IAAI,UAAA,CAAU,cAAA,EAAgB,oDAAoD,CAAA;AAAA,EAC3F;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,oBAAoB,OAAA,EAAuC;AAChE,IAAA,OAAO,IAAI,UAAA,CAAU,uBAAA,EAAyB,mDAAA,EAAqD,OAAO,CAAA;AAAA,EAC5G;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,kBAAA,GAAgC;AACrC,IAAA,OAAO,IAAI,UAAA,CAAU,qBAAA,EAAuB,4BAA4B,CAAA;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,cAAA,GAA4B;AACjC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,yCAAyC,CAAA;AAAA,EACnF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,cAAA,GAA4B;AACjC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,2CAA2C,CAAA;AAAA,EACrF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,aAAa,KAAA,EAA0B;AAC5C,IAAA,OAAO,IAAI,UAAA,CAAU,eAAA,EAAiB,4DAAA,EAA8D,EAAE,OAAO,CAAA;AAAA,EAC/G;AAAA;AAAA;AAAA;AAAA,E
AKA,OAAO,cAAc,OAAA,EAAuC;AAC1D,IAAA,MAAM,OAAA,GAAU,SAAS,YAAA,IAAgB,8BAAA;AACzC,IAAA,OAAO,IAAI,UAAA,CAAU,iBAAA,EAAmB,OAAA,EAAS,OAAO,CAAA;AAAA,EAC1D;AACF;;;ACpFO,SAAS,WAAA,CAAY,MAAc,QAAA,EAA0B;AAClE,EAAA,MAAM,IAAA,GAAkB,EAAE,IAAA,EAAM,QAAA,EAAS;AACzC,EAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAChC,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,SAAS,WAAW,CAAA;AAC/C;AASO,SAAS,YAAY,KAAA,EAA0B;AACpD,EAAA,IAAI;AACF,IAAA,MAAM,OAAO,MAAA,CAAO,IAAA,CAAK,KAAA,EAAO,WAAW,EAAE,QAAA,EAAS;AACtD,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAG5B,IAAA,IAAI,OAAO,IAAA,CAAK,IAAA,KAAS,YAAY,OAAO,IAAA,CAAK,aAAa,QAAA,EAAU;AACtE,MAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,IAC3C;AAEA,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,UAAU,YAAA,EAAa;AAAA,EAC/B;AACF;AAaO,SAAS,gBAAA,CAAiB,UAA8B,aAAA,EAA+B;AAE5F,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,GAAA;AAAA,EACT;AAGA,EAAA,IAAI,QAAA,CAAS,WAAW,GAAG,CAAA,IAAK,CAAC,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AAC1D,IAAA,OAAO,QAAA;AAAA,EACT;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,QAAQ,CAAA;AAC/B,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,aAAa,CAAA;AAGpC,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,MAAA,CAAO,MAAA,EAAQ;AACnC,MAAA,OAAO,QAAA;AAAA,IACT;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AAGA,EAAA,OAAO,GAAA;AACT;;;AC1EA,eAAsB,cAAA,CAAe,KAAa,OAAA,EAAyC;AACzF,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,OAAO,CAAA;AAAA,EACjC,CAAA,CAAA,MAAQ;AAEN,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,KAAA,CAAM,GAAA,EAAK,OAAO,CAAA;AAAA,IACjC,SAAS,UAAA,EAAY;AAEnB,MAAA,MAAM,SAAA,CAAU,YAAA,CAAa,UAAA,YAAsB,KAAA,GAAQ,aAAa,MAAS,CAAA;AAAA,IACnF;AAAA,EACF;AACF;;;AClBO,IAAM,SAAA,GAAN,MAAM,UAAA,SAAkB,KAAA,CAAM;AAAA,EAC1B,IAAA;AAAA,EACS,KAAA;AAAA,EAElB,WAAA,CAAY,IAAA,EAAqB,OAAA,EAAiB,KAAA,EAAe;AAC/D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAEb,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,eAAA,GAA6B;AAClC,IAAA,OAAO,IAAI,UAAA;AAAA,MACT,kBAAA;AAAA,MACA;AA
AA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,OAAA,GAAqB;AAC1B,IAAA,OAAO,IAAI,UAAA,CAAU,SAAA,EAAW,mEAAmE,CAAA;AAAA,EACrG;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,QAAQ,KAAA,EAA0B;AACvC,IAAA,OAAO,IAAI,UAAA,CAAU,SAAA,EAAW,+CAAA,EAAiD,KAAK,CAAA;AAAA,EACxF;AACF,CAAA;;;ACvCO,IAAM,gBAAA,GAAmB,sBAAA;AAmBzB,SAAS,aAAA,CAAc,QAAA,EAAkB,KAAA,EAAe,YAAA,EAA+B;AAC5F,EAAA,MAAM,aAAa,CAAA,GAAI,EAAA;AACvB,EAAA,MAAM,IAAA,GAAuB;AAAA,IAC3B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,UAAA,GAAa;AAAA,GACvC;AAEA,EAAA,MAAM,OAAA,GAAU,kBAAA,CAAmB,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AAEvD,EAAA,IAAI,SAAS,CAAA,EAAG,gBAAgB,CAAA,CAAA,EAAI,OAAO,6CAA6C,UAAU,CAAA,CAAA;AAElG,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAA,IAAU,UAAA;AAAA,EACZ;AAEA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,gBAAgB,YAAA,EAA6C;AAC3E,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,UAAU,eAAA,EAAgB;AAAA,EAClC;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,gBAAgB,UAAU,CAAC,CAAA;AAE1E,EAAA,IAAI,CAAC,KAAA,GAAQ,CAAC,CAAA,EAAG;AACf,IAAA,MAAM,UAAU,eAAA,EAAgB;AAAA,EAClC;AAEA,EAAA,IAAI,IAAA;AACJ,EAAA,IAAI;AACF,IAAA,IAAA,GAAO,KAAK,KAAA,CAAM,kBAAA,CAAmB,KAAA,CAAM,CAAC,CAAC,CAAC,CAAA;AAAA,EAChD,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,SAAA,CAAU,OAAA,CAAQ,CAAA,YAAa,KAAA,GAAQ,IAAI,MAAS,CAAA;AAAA,EAC5D;AAEA,EAAA,IAAI,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAC/B,IAAA,MAAM,UAAU,OAAA,EAAQ;AAAA,EAC1B;AAEA,EAAA,OAAO,IAAA;AACT;AAOO,SAAS,eAAA,GAA0B;AACxC,EAAA,OAAO,GAAG,gBAAgB,CAAA,4CAAA,CAAA;AAC5B;AC1EO,SAAS,oBAAA,GAA+B;AAE7C,EAAA,OAAOA,oBAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA;AAC7C;AAQO,SAAS,qBAAqB,QAAA,EAA0B;AAC7D,EAAA,OAAOC,oBAAW,QAAQ,CAAA,CAAE,OAAO,QAAQ,CAAA,CAAE,OAAO,WAAW,CAAA;AACjE;AAMO,SAAS,aAAA,GAAwB;AAEtC,EAAA,OAAOD,oBAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA;AAC7C;;;ACwBO,SAAS,YAAY,OAAA,EAA0C;AACpE,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,aAAa,QAAA,EAAU,aAAA,EAAe,cAAa,GAAI,OAAA;AAGxF,EAAA,MAAM,WAAW,oBAAA,EAAqB;AACtC,EAAA,MAAM,SAAA,GAAY,qBAAqB,QAAQ,CAAA;AAG/C,EAAA,MAAM,OAAO,aAAA,EAAc;AAG3B,EAAA,MAAM,iBAAA,GAAoB,gBAAA,CAAiB,QAAA,EAAU,aAAa,CAAA;AAGlE,EA
AA,MAAM,KAAA,GAAQ,WAAA,CAAY,IAAA,EAAM,iBAAiB,CAAA;AAGjD,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,WAAA,EAAa,YAAY,CAAA;AAC7C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,YAAA,EAAc,SAAS,CAAA;AAC5C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,SAAS,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,MAAM,CAAA;AACpD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,WAAW,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,KAAK,CAAA;AAGnC,EAAA,MAAM,eAAA,GAAkB,YAAA,IAAgB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AACjE,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,QAAA,EAAU,IAAA,EAAM,eAAe,CAAA;AAEhE,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,IAAI,QAAA,EAAS;AAAA,IAClB,OAAA,EAAS,CAAC,UAAU;AAAA,GACtB;AACF;AAeA,eAAsB,eAAe,OAAA,EAAmD;AACtF,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,aAAa,IAAA,EAAM,KAAA,EAAO,cAAa,GAAI,OAAA;AAG5E,EAAA,MAAM,QAAA,GAAW,gBAAgB,YAAY,CAAA;AAG7C,EAAA,MAAM,SAAA,GAAY,YAAY,KAAK,CAAA;AAGnC,EAAA,IAAI,SAAA,CAAU,IAAA,KAAS,QAAA,CAAS,KAAA,EAAO;AACrC,IAAA,MAAM,UAAU,aAAA,EAAc;AAAA,EAChC;AAGA,EAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,cAAA,CAAA,EAAkB;AAAA,IACrE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,cAAA,EAAgB,kBAAA;AAAA,MAChB,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,MACnB,IAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,QAAA,CAAS;AAAA,KACzB;AAAA,GACF,CAAA;AAGD,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK;AACvC,MAAA,SAAA,GAAY,SAAA,CAAU,IAAA;AACtB,MAAA,YAAA,GAAe,SAAA,CAAU,OAAA;AAAA,IAC3B,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,SAAA,CAAU,mBAAA,CAAoB,EAAE,SAAA,EAAW,cAAc,CAAA;AAAA,EACjE;AAGA,EAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAOlC,EAAA,MAAM,cAAA,GAAiB,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,IACzE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,YAAY,CAAA,CAAA;AAAA,MAC1C,cAAA,EAAgB;AAAA;AAClB,GACD,CAAA;AAED,EAAA,IAAI,CAAC,eAAe,EAAA,EAAI;AACtB,IAAA,MAAM,UAAU,kBAAA,EAAmB;AAAA,EACrC;AAGA,EAAA,MAAM,UAAA,GAAc,MAAM,cAAA,CAAe,IAAA,EAAK;AAS9C,EAAA,MAAM
,cAAc,eAAA,EAAgB;AAEpC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM;AAAA,MACJ,IAAI,UAAA,CAAW,GAAA;AAAA,MACf,OAAO,UAAA,CAAW,KAAA;AAAA,MAClB,MAAM,UAAA,CAAW,IAAA;AAAA,MACjB,QAAQ,UAAA,CAAW,UAAA;AAAA,MACnB,MAAM,UAAA,CAAW;AAAA,KACnB;AAAA,IACA,aAAa,IAAA,CAAK,YAAA;AAAA,IAClB,UAAU,SAAA,CAAU,QAAA;AAAA,IACpB,OAAA,EAAS,CAAC,WAAW;AAAA,GACvB;AACF;;;AC1LO,IAAM,mBAAA,GAAsB,sBAAA;AAS5B,SAAS,gBAAA,CAAiB,OAAe,YAAA,EAA+B;AAC7E,EAAA,MAAM,UAAA,GAAa,KAAK,EAAA,GAAK,EAAA;AAE7B,EAAA,IAAI,SAAS,CAAA,EAAG,mBAAmB,CAAA,CAAA,EAAI,KAAK,6CAA6C,UAAU,CAAA,CAAA;AAEnG,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAA,IAAU,UAAA;AAAA,EACZ;AAEA,EAAA,OAAO,MAAA;AACT;AAQO,SAAS,mBAAmB,YAAA,EAA4C;AAC7E,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,mBAAmB,UAAU,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AACvB;AAOO,SAAS,kBAAA,GAA6B;AAC3C,EAAA,OAAO,GAAG,mBAAmB,CAAA,4CAAA,CAAA;AAC/B;;;AChBA,eAAsB,YAAY,OAAA,EAAsD;AACtF,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,KAAA,EAAM,GAAI,OAAA;AAE3C,EAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,YAAA,CAAA,EAAgB;AAAA,IACnE,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,KAAK,CAAA,CAAA;AAAA,MAC9B,cAAA,EAAgB;AAAA;AAClB,GACD,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,UAAU,kBAAA,EAAmB;AAAA,EACrC;AAKA,EAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAalC,EAAA,IAAI,IAAA,CAAK,eAAe,mBAAA,EAAqB;AAC3C,IAAA,OAAO;AAAA,MACL,IAAA,EAAM;AAAA,QACJ,EAAA,EAAI,WAAA;AAAA,QACJ,KAAA,EAAO,MAAA;AAAA,QACP,IAAA,EAAM,MAAA;AAAA,QACN,MAAA,EAAQ;AAAA,OACV;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,KACb;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM;AAAA,MACJ,IAAI,IAAA,CAAK,GAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACf;AAAA,IACA,MAAM,IAAA,CAAK;AAAA,GACb;AACF;AAQA,eAAsB,gBAAgB,OAAA,EAAuD;AAC3F,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,YAAA,EAAa,GAAI,OAAA;AAElD,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,sBAAA,CAAA,EAA0B;AAAA,MAC7E,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EA
AgB,kBAAA;AAAA,QAChB,aAAA,EAAe,UAAU,YAAY,CAAA,CAAA;AAAA,QACrC,cAAA,EAAgB;AAAA;AAClB,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,EAC9B,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAQA,eAAsB,eAAe,OAAA,EAAwC;AAC3E,EAAA,MAAM,EAAE,YAAA,EAAc,YAAA,EAAa,GAAI,OAAA;AAEvC,EAAA,MAAM,cAAA,CAAe,CAAA,EAAG,YAAY,CAAA,qBAAA,CAAA,EAAyB;AAAA,IAC3D,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,YAAY,CAAA;AAAA;AACvC,GACD,CAAA;AAGH;AAUO,SAAS,YAAA,CAAa,YAAA,EAAsB,qBAAA,EAA+B,WAAA,EAA6B;AAC7G,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,cAAA,EAAgB,YAAY,CAAA;AAChD,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,0BAAA,EAA4B,qBAAqB,CAAA;AACtE,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,WAAW,CAAA;AACjD,EAAA,OAAO,IAAI,QAAA,EAAS;AACtB;;;ACnGO,IAAM,kBAAN,MAAsB;AAAA,EACV,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,YAAY,OAAA,EAAuE;AACjF,IAAA,OAAO,WAAA,CAAY;AAAA,MACjB,SAAA,EAAW,KAAK,MAAA,CAAO,SAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO,YAAA;AAAA,MAC1B,WAAA,EAAa,KAAK,MAAA,CAAO,WAAA;AAAA,MACzB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO;AAAA,KAC3B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,OAAA,EAAgG;AAC7G,IAAA,OAAO,cAAA,CAAe;AAAA,MACpB,SAAA,EAAW,KAAK,MAAA,CAAO,SAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO,YAAA;AAAA,MAC1B,WAAA,EAAa,KAAK,MAAA,CAAO,WAAA;AAAA,MACzB,GAAG;AAAA,KACJ,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,YAAY,KAAA,EAAwC;AAClD,IAAA,OAAO,WAAA,CAAY,EAAE,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,KAAA,EAAO,CAAA;AAAA,EACxG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,gBAAgB,YAAA,EAAoD;AAClE,IAAA,OAAO,eAAA,CAAgB,EAAE,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,CAAA;AAAA,EACnH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,eAAe,YAAA,EAAqC;AAClD,IAAA,OAAO,cAAA,CAAe,EAAoC,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,CAAA;
AAAA,EAClH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAA,CAAa,uBAA+B,WAAA,EAA6B;AACvE,IAAA,OAAO,YAAA,CAAa,IAAA,CAAK,MAAA,CAAO,YAAA,EAAc,uBAAuB,WAAW,CAAA;AAAA,EAClF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,iBAAiB,KAAA,EAAuB;AACtC,IAAA,OAAO,gBAAA,CAAiB,OAAO,IAAA,CAAK,MAAA,CAAO,gBAAgB,OAAA,CAAQ,GAAA,CAAI,aAAa,YAAY,CAAA;AAAA,EAClG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,kBAAA,GAA6B;AAC3B,IAAA,OAAO,kBAAA,EAAmB;AAAA,EAC5B;AACF;;;ACtJO,IAAM,gBAAA,GAAmB;EAO9B,GAAA,EAAK,KAcP,CAAA;AAIO,IAAM,QAAA,GAAW;EACtB,KAAA,EAAO,OAAA;EACP,IAAA,EAAM,MAAA;EACN,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAET,CAAA;AAsGO,IAAe,eAAf,MAAqD;AAChD,EAAA,IAAA;AACA,EAAA,KAAA;AACA,EAAA,UAAA;EAEV,WAAA,CACE,OAAA,GAII,EAAA,EACJ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,QAAQ,IAAA,IAAQ,QAAA;AAC5B,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAA,CAAQ,KAAA,IAAS,QAAA,CAAS,KAAA;AACvC,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,GAAA,CAAI,MAAA,CAAO,QAAQ,OAAA,CAAQ,UAAA,IAAc,EAAE,CAAC,CAAA;AACpE,EAAA;EAOA,aAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;AAEA,EAAA,cAAA,CAAe,QAAe,SAAA,EAAqC;AAAC,EAAA;EAEpE,MAAM,QAAA,CACJ,aACA,MAAA,EAQA;AACA,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,EAAG;AACrD,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,MAAA,EAAQ,IAAA,IAAQ,GAAG,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClG,IAAA;AAEA,IAAA,OACE,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,CAAG,QAAA,GAAW,MAAM,CAAA,IAAK;AACtD,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,QAAQ,IAAA,IAAQ,CAAA;AACtB,MAAA,OAAA,EAAS,QAAQ,OAAA,IAAW,GAAA;MAC5B,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AAEA,EAAA,MAAM,eAAA,CAAgB;AACpB,IAAA,WAAA;AACA,IAAA,KAAA;AACA,IAAA,QAAA;AACA,IAAA,MAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAUC;AACD,IAAA,IAAI,CAAC,eAAe,CAAC,IAAA,CAAK,WAAW,GAAA,CAAI,WAAW,CAAA,IAAK,CAAC,KAAA,EAAO;AAC/D,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,KAAA,EAAO,CAAA,EAAG,IAAA,EAAM,IAAA,IAAQ,CAAA,EAAG,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClF,IAAA;AAEA,IAAA,OACE,IAAA,CAAK,UAAA,CACF,GAAA,CAAI,WAAW,EACf,eAAA,GAAkB,EAAE,KAAA,EAAO,QAAA,EAAU,QAAQ,Q
AAA,EAAU,OAAA,EAAS,IAAA,EAAM,OAAA,EAAS,CAAA,IAAK;AACrF,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,IAAA,IAAQ,CAAA;AACd,MAAA,OAAA,EAAS,OAAA,IAAW,GAAA;MACpB,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AACF,CAAA;AAkBO,IAAM,aAAA,GAAN,MAAM,cAAA,SAAsB,YAAA,CAAa;AACpC,EAAA,SAAA;AACA,EAAA,MAAA;EAEV,WAAA,CAAY,OAAA,GAAgC,EAAA,EAAI;AAC9C,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACxB,EAAA;AAEA,EAAA,KAAA,CAAM,mBAAA,EAAgF;AACpF,IAAA,MAAM,YACJ,OAAO,mBAAA,KAAwB,WAC3B,mBAAA,GACE,mBAAA,EAAqB,aAAkC,IAAA,CAAK,SAAA;AACpE,IAAA,OAAO,IAAI,cAAA,CAAc;AACvB,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,KAAA,EAAO,IAAA,CAAK,KAAA;AACZ,MAAA,SAAA;AACA,MAAA,MAAA,EAAQ,IAAA,CAAK;KACd,CAAA;AACH,EAAA;EAEQ,SAAA,CAAU,KAAA,EAAiB,SAAiB,IAAA,EAA0B;AAC5E,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,EAAQ,OAAO,IAAA;AACzB,IAAA,IAAI;AACF,MAAA,OAAO,IAAA,CAAK,OAAO,EAAE,SAAA,EAAW,KAAK,SAAA,EAAW,KAAA,EAAO,OAAA,EAAS,IAAA,EAAM,CAAA;AACxE,IAAA,CAAA,CAAA,OAAS,CAAA,EAAG;AACV,MAAA,OAAA,CAAQ,MAAM,CAAA,oCAAA,EAAuC,IAAA,CAAK,SAAS,CAAA,OAAA,EAAU,KAAK,KAAK,CAAC,CAAA;AACxF,MAAA,OAAO,IAAA;AACT,IAAA;AACF,EAAA;EAEQ,MAAA,GAAiB;AACvB,IAAA,OAAO,IAAA,CAAK,SAAA,GAAY,CAAA,CAAA,EAAI,IAAA,CAAK,SAAS,CAAA,EAAA,CAAA,GAAO,EAAA;AACnD,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,IAAS,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,EAAO,OAAA,EAAS,IAAI,CAAA,EAAG;AAClF,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAA,CACG,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,KAAK,KAAA,KAAU,QAAA,CAAS,KAAA,KACzD,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA,EAAM,OAAA,EAAS,IAAI,CAAA,EAC3C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAA,CACG,KAAK,KAAA,KAAU,QAAA,CAAS,QAAQ,IAAA,CAAK,KAAA,KAAU,SAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,UACzF,IAAA,CAAK,SAAA,CAA
U,SAAS,IAAA,EAAM,OAAA,EAAS,IAAI,CAAA,EAC3C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAA,CACG,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,IACvB,KAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,QACxB,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,KAC1B,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,EAAO,OAAA,EAAS,IAAI,CAAA,EAC5C;AACA,MAAA,OAAA,CAAQ,KAAA,CAAM,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACrD,IAAA;AACF,EAAA;EAEA,MAAM,QAAA,CACJ,cACA,OAAA,EAQA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,GAAG,OAAA,EAAS,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AACpG,EAAA;AAEA,EAAA,MAAM,gBAAgB,KAAA,EASnB;AACD,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,GAAG,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAC9F,EAAA;AACF,CAAA;;;AClVO,IAAM,aAAN,MAAiB;AACtB,EAAA,SAAA,GAA8B,gBAAA,CAAiB,GAAA;AACrC,EAAA,MAAA;AACV,EAAA,IAAA;AACA,EAAA,UAAA;EAEA,WAAA,CAAY;AACV,IAAA,SAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAKC;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,aAAa,gBAAA,CAAiB,GAAA;AAC/C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,aAAA,CAAc,EAAE,IAAA,EAAM,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,GAAA,EAAM,IAAA,CAAK,IAAI,CAAA,CAAA,EAAI,CAAA;AAC9E,EAAA;;;;;EAMA,WAAA,GAAmD;AACjD,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;;;;;AAMA,EAAA,cAAA,CAAe,SAAA,EAA0C;AACvD,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AACpB,EAAA;;;;;AAMA,EAAA,WAAA,CAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GACH,OAAA,IAAW,MAAA,IAAU,OAAQ,OAAe,KAAA,KAAU,UAAA,GACjD,MAAA,CAAe,KAAA,CAAM,EAAE,SAAA,EAAW,IAAA,CAAK,SAAA,EAAW,CAAA,GACnD,MAAA;AACR,EAAA;AACF,CAAA;;;ACtBO,IAAe,kBAAA,GAAf,cAA2D,UAAA,CAAW;AACpE,EAAA,SAAA;AACA,EAAA,MAAA;AAGP,EAAA,WAAA,CAAY,OAAA,EAA4C;AACtD,IAAA,KAAA,CAAM,EAAE,SAAA,EAAW,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,MAAM,CAAA;AAEhD,IAAA,IAAI,SAAS,aAAA,EAAe;AAC1B,MAAA,IAAA,CAAK,aAAA,GAAgB,OAAA,CAAQ,aAAA,CAAc,IAAA,C
AAK,IAAI,CAAA;AACtD,IAAA;AAEA,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACvB,IAAA,IAAA,CAAK,sBAAsB,OAAA,EAAS,mBAAA;AACtC,EAAA;AAkBU,EAAA,eAAA,CAAgB,IAAA,EAAyC;AACjE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA,CAAK,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACnD,IAAA;AACA,IAAA,IAAI,MAAM,mBAAA,EAAqB;AAC7B,MAAA,IAAA,CAAK,sBAAsB,IAAA,CAAK,mBAAA;AAClC,IAAA;AACA,IAAA,IAAI,MAAM,SAAA,EAAW;AACnB,MAAA,IAAA,CAAK,YAAY,IAAA,CAAK,SAAA;AACxB,IAAA;AACA,IAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACrB,IAAA;AACF,EAAA;AACF,CAAA;;;AC1CA,SAASE,iBAAAA,CAAiB,SAA4B,IAAA,EAA6B;AACjF,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,OAAA,EAAS,GAAA,CAAI,IAAI,CAAA,IAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA,IAAK,IAAA;AACjG;AAsCO,IAAM,uBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACU,MAAA;AAAA;AAAA,EAGC,iBAAA,GAAoB,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOrB,yBAAA,GAA2C,IAAA;AAAA,EAEnD,YAAY,OAAA,EAAyC;AACnD,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,SAAS,CAAA;AAExC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,MAChC,WAAW,OAAA,CAAQ,SAAA;AAAA,MACnB,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,MACrB,cAAc,OAAA,CAAQ;AAAA,KACvB,CAAA;AAED,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAAwB,YAAA,EAAmC;AACzD,IAAA,IAAA,CAAK,yBAAA,GAA4B,YAAA;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAuD;AAC5F,IAAA,IAAI;AACF,MAAA,MAAM,YAAA,GAAeA,iBAAAA,CAAiB,OAAA,EAAS,QAAQ,CAAA;AAGvD,MAAA,MAAM,YAAA,GAAe,mBAAmB,YAAY,CAAA;AAEpD,MAAA,IAAI,YAAA,EAAc;AAEhB,QAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,YAAY,CAAA;AACjE,QAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,MACzB;AAGA,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,KAAK,CAAA;AAC1D,QAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,MA
CzB;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,cAAc,IAAA,EAA0B;AACtC,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAA,GAA8D,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAStE,WAAA,CAAY,aAAqB,KAAA,EAAuB;AAEtD,IAAA,IAAI,iBAAA,GAAoB,GAAA;AACxB,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,MAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAA,EAAK,CAAC,CAAA;AAChC,MAAA,MAAM,eAAA,GAAkB,MAAM,CAAC,CAAA;AAC/B,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,mBAAmB,eAAe,CAAA;AAAA,QACxD,CAAA,CAAA,MAAQ;AACN,UAAA,iBAAA,GAAoB,GAAA;AAAA,QACtB;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,WAAW,CAAA;AACvC,IAAA,MAAM,SAAS,WAAA,CAAY,MAAA;AAG3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY;AAAA,MACrC,QAAA,EAAU,iBAAA;AAAA,MACV,aAAA,EAAe;AAAA,KAChB,CAAA;AAGD,IAAA,IAAA,CAAK,gBAAA,GAAmB,MAAA;AAExB,IAAA,OAAO,MAAA,CAAO,GAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAA,GAAwC;AACtC,IAAA,MAAM,OAAA,GAAU,KAAK,gBAAA,EAAkB,OAAA;AACvC,IAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AACxB,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,cAAA,CAAe,IAAA,EAAc,KAAA,EAAmD;AAEpF,IAAA,MAAM,eAAe,IAAA,CAAK,yBAAA;AAC1B,IAAA,IAAA,CAAK,yBAAA,GAA4B,IAAA;AAGjC,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe;AAAA,MAC9C,IAAA;AAAA,MACA,KAAA;AAAA,MACA;AAAA,KACD,CAAA;AAGD,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,OAAO,WAAW,CAAA;AAErE,IAAA,OAAO;AAAA,MACL,MAAM,MAAA,CAAO,IAAA;AAAA;AAAA,MACb,MAAA,EAAQ;AAAA,QACN,aAAa,MAAA,CAAO;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,SAAS,aAAa;AAAA,KAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,oBAAA,GAAuC;AACrC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,YAAA,CAAa,aAAqB,OAAA,EAAkC;AAElE,IAAA,MAAM,YAAA,GAAe,OAAA,GAAU,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA,GAAI,IAAA;AACvE,IAAA,IAAI,CAAC,YAAA,
EAAc;AACjB,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,YAAA,CAAa,WAAA,EAAa,YAAY,CAAA;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAE9D,IAAA,OAAO;AAAA,MACL,EAAA,EAAK,QAAA,EAAU,WAAA,IAA0B,MAAA,CAAO,UAAA,EAAW;AAAA,MAC3D,MAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,MAAA,CAAO,gBAAgB,SAAS,CAAA;AAC3D,IAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AAErB,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,MACrC,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS;AAAA,KACvC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,SAAS,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,OAAO,IAAA,CAAK,gBAAgB,SAAS,CAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,OAAO,kBAAA,CAAmB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,OAAO,EAAE,YAAA,EAAc,IAAA,CAAK,OAAO,gBAAA,CAAiB,OAAA,CAAQ,EAAE,CAAA,EAAE;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,sBAAA,GAAiD;AAC/C,IAAA,OAAO,EAAE,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,oBAAmB,EAAE;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,eAAe,OAAA,EAA6C;AAChE,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,uBAAA,CAAwB,OAAO,CAAA;AACzD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAM,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,YAAY,YAAY,CAAA;AACjE,MAAA,OAAO,EAAE,GAAG,IAAA,EAAM,IAAA,EAAK;AAAA,IACzB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,QAAQ,OAAA,EAA4C;AACxD,IAAA,
OAAO,IAAA;AAAA,EACT;AACF;;;AC3SA,IAAM,mBAAA,GAAyD;EAC7D,MAAA,EAAQ;AACN,IAAA,eAAA;AACA,IAAA,oBAAA;AACA,IAAA,sBAAA;AACA,IAAA,gBAAA;AACA,IAAA,eAAA;AACA,IAAA;AAAA;AAEJ,CAAA;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AACT,EAAA;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAIlD,EAAA,MAAM,gBAAA,GAAmB,mBAAA,CAAoB,YAAA,CAAa,CAAC,KAAK,EAAE,CAAA;AAClE,EAAA,IAAI,oBAAoB,gBAAA,CAAiB,QAAA,CAAS,cAAc,CAAC,CAAA,IAAK,EAAE,CAAA,EAAG;AACzE,IAAA,MAAM,OAAA,GAAU,CAAC,aAAA,CAAc,CAAC,CAAA,EAAG,GAAG,YAAA,CAAa,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AACrE,IAAA,OAAO,iBAAA,CAAkB,SAAS,kBAAkB,CAAA;AACtD,EAAA;AAGA,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAC5B,EAAA;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AACT,MAAA;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AACvB,IAAA;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AACT,EAAA;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AACT,EAAA;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AACT,EAAA;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AAuCO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAA;AACxB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAA;AAE5C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;IACF,CAAA,MAAO;AAEL,MAAA,KAAA,
MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;AACF,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;;;AC5NO,IAAM,kBAAN,MAA0D;AAAA,EACvD,OAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOR,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,OAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,SAAS,IAAA,EAAoC;AAEjD,IAAA,OAAO,KAAK,IAAA,GAAO,CAAC,IAAA,CAAK,IAAI,IAAI,EAAC;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAA,CAAQ,IAAA,EAAiB,IAAA,EAAgC;AAC7D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,eAAe,IAAA,EAAoC;AACvD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAEtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AAEA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,IAAA,EAAiB,UAAA,EAAsC;AACzE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,iBAAA,CAAkB,IAAA,EAAiB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAA,CAAiB,IAAA,EAAiB,WAAA,EAAyC;AAC/E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AACF","file":"index.cjs","sourcesContent":["/**\n * Auth error types and error class.\n *\n * Provides typed error handling for OAuth flow 
and session management.\n */\n\n/**\n * Error codes for authentication-related failures.\n */\nexport type AuthErrorCode =\n  | 'invalid_state'\n  | 'state_mismatch'\n  | 'missing_code'\n  | 'token_exchange_failed'\n  | 'verification_failed'\n  | 'session_invalid'\n  | 'session_expired'\n  | 'network_error'\n  | 'cloud_api_error';\n\n/**\n * Options for AuthError constructor.\n */\nexport interface AuthErrorOptions {\n  cause?: Error;\n  cloudCode?: string;\n  cloudMessage?: string;\n}\n\n/**\n * Error class for authentication-related failures.\n * Uses a code discriminator for programmatic error handling.\n */\nexport class AuthError extends Error {\n  readonly code: AuthErrorCode;\n  override readonly cause?: Error;\n  readonly cloudCode?: string;\n  readonly cloudMessage?: string;\n\n  constructor(code: AuthErrorCode, message: string, options?: AuthErrorOptions) {\n    super(message);\n    this.name = 'AuthError';\n    this.code = code;\n    this.cause = options?.cause;\n    this.cloudCode = options?.cloudCode;\n    this.cloudMessage = options?.cloudMessage;\n    // Required for instanceof checks in TypeScript\n    Object.setPrototypeOf(this, new.target.prototype);\n  }\n\n  /**\n   * Factory: OAuth state parameter is invalid or malformed.\n   */\n  static invalidState(): AuthError {\n    return new AuthError('invalid_state', 'OAuth state parameter is invalid or malformed.');\n  }\n\n  /**\n   * Factory: OAuth state parameter does not match expected value.\n   */\n  static stateMismatch(): AuthError {\n    return new AuthError('state_mismatch', 'OAuth state parameter does not match. 
Possible CSRF attack.');\n  }\n\n  /**\n   * Factory: Authorization code is missing from callback.\n   */\n  static missingCode(): AuthError {\n    return new AuthError('missing_code', 'Authorization code is missing from OAuth callback.');\n  }\n\n  /**\n   * Factory: Token exchange with Cloud API failed.\n   */\n  static tokenExchangeFailed(options?: AuthErrorOptions): AuthError {\n    return new AuthError('token_exchange_failed', 'Failed to exchange authorization code for tokens.', options);\n  }\n\n  /**\n   * Factory: Token verification failed.\n   */\n  static verificationFailed(): AuthError {\n    return new AuthError('verification_failed', 'Token verification failed.');\n  }\n\n  /**\n   * Factory: Session is invalid.\n   */\n  static sessionInvalid(): AuthError {\n    return new AuthError('session_invalid', 'Session is invalid or has been revoked.');\n  }\n\n  /**\n   * Factory: Session has expired.\n   */\n  static sessionExpired(): AuthError {\n    return new AuthError('session_expired', 'Session has expired. Please log in again.');\n  }\n\n  /**\n   * Factory: Network error during API call.\n   */\n  static networkError(cause?: Error): AuthError {\n    return new AuthError('network_error', 'Network error occurred while communicating with Cloud API.', { cause });\n  }\n\n  /**\n   * Factory: Cloud API returned an error.\n   */\n  static cloudApiError(options?: AuthErrorOptions): AuthError {\n    const message = options?.cloudMessage ?? 
'Cloud API returned an error.';\n    return new AuthError('cloud_api_error', message, options);\n  }\n}\n","/**\n * OAuth state parameter encoding/decoding.\n *\n * The state parameter carries:\n * - csrf: CSRF token for validation\n * - returnTo: URL to redirect after successful login\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\n\n/**\n * Data encoded in the OAuth state parameter.\n */\nexport interface StateData {\n  /** CSRF token for state validation */\n  csrf: string;\n  /** URL to redirect to after login */\n  returnTo: string;\n}\n\n/**\n * Encode state data into a base64url string for OAuth state parameter.\n *\n * @param csrf - CSRF token to include\n * @param returnTo - URL to redirect to after login\n * @returns Base64url encoded state string\n */\nexport function encodeState(csrf: string, returnTo: string): string {\n  const data: StateData = { csrf, returnTo };\n  const json = JSON.stringify(data);\n  return Buffer.from(json).toString('base64url');\n}\n\n/**\n * Decode state parameter back to StateData.\n *\n * @param state - Base64url encoded state string\n * @returns Decoded state data\n * @throws AuthError with code 'invalid_state' if decoding fails\n */\nexport function decodeState(state: string): StateData {\n  try {\n    const json = Buffer.from(state, 'base64url').toString();\n    const data = JSON.parse(json) as StateData;\n\n    // Validate required fields exist\n    if (typeof data.csrf !== 'string' || typeof data.returnTo !== 'string') {\n      throw new Error('Missing required fields');\n    }\n\n    return data;\n  } catch {\n    throw AuthError.invalidState();\n  }\n}\n\n/**\n * Validate and sanitize returnTo URL to prevent open redirect attacks.\n *\n * Safe values:\n * - Relative paths starting with '/' (but not '//')\n * - Absolute URLs with same origin as request\n *\n * @param returnTo - URL from user input (may be undefined)\n * @param requestOrigin - Origin of 
the current request (e.g., 'https://example.com')\n * @returns Safe redirect URL, defaults to '/' if invalid\n */\nexport function validateReturnTo(returnTo: string | undefined, requestOrigin: string): string {\n  // Default to root for empty/undefined values\n  if (!returnTo) {\n    return '/';\n  }\n\n  // Relative paths starting with '/' are treated as safe (but not protocol-relative '//'). NOTE(review): a value that starts with a slash followed by a backslash is not rejected by this check, and browsers may resolve it like '//' - confirm such values are filtered before the redirect is issued.\n  if (returnTo.startsWith('/') && !returnTo.startsWith('//')) {\n    return returnTo;\n  }\n\n  // For absolute URLs, validate same origin\n  try {\n    const parsed = new URL(returnTo);\n    const origin = new URL(requestOrigin);\n\n    // Same origin check: protocol + host must match\n    if (parsed.origin === origin.origin) {\n      return returnTo;\n    }\n  } catch {\n    // Invalid URL, fall through to default\n  }\n\n  // Default to root for invalid or cross-origin URLs\n  return '/';\n}\n","/**\n * Network utilities for OAuth flow.\n *\n * Provides fetch wrapper with single retry for transient network errors.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\n\n/**\n * Fetch with single retry on network errors.\n *\n * Retries ONLY on network failures (fetch throws), not HTTP error responses.\n * Caller is responsible for handling HTTP status codes.\n *\n * @param url - URL to fetch\n * @param options - Fetch options\n * @returns Response (may have error status code)\n * @throws AuthError with code 'network_error' if both attempts fail\n */\nexport async function fetchWithRetry(url: string, options: RequestInit): Promise<Response> {\n  try {\n    return await fetch(url, options);\n  } catch {\n    // Network error - retry once\n    try {\n      return await fetch(url, options);\n    } catch (retryError) {\n      // Both attempts failed\n      throw AuthError.networkError(retryError instanceof Error ? 
retryError : undefined);\n    }\n  }\n}\n","/**\n * PKCE error types and error class.\n *\n * @internal This module is not exported from the main package.\n */\n\n/**\n * Error codes for PKCE-related failures.\n */\nexport type PKCEErrorCode = 'MISSING_VERIFIER' | 'EXPIRED' | 'INVALID';\n\n/**\n * Error class for PKCE-related failures.\n * Uses a code discriminator for programmatic error handling.\n */\nexport class PKCEError extends Error {\n  readonly code: PKCEErrorCode;\n  override readonly cause?: Error;\n\n  constructor(code: PKCEErrorCode, message: string, cause?: Error) {\n    super(message);\n    this.name = 'PKCEError';\n    this.code = code;\n    this.cause = cause;\n    // Required for instanceof checks in TypeScript\n    Object.setPrototypeOf(this, new.target.prototype);\n  }\n\n  /**\n   * Factory: PKCE verifier cookie not found.\n   */\n  static missingVerifier(): PKCEError {\n    return new PKCEError(\n      'MISSING_VERIFIER',\n      'PKCE verifier cookie not found. Authorization flow may have expired or was not initiated properly.',\n    );\n  }\n\n  /**\n   * Factory: PKCE verifier has expired.\n   */\n  static expired(): PKCEError {\n    return new PKCEError('EXPIRED', 'PKCE verifier has expired. 
Please restart the authorization flow.');\n  }\n\n  /**\n   * Factory: PKCE verifier cookie is malformed.\n   */\n  static invalid(cause?: Error): PKCEError {\n    return new PKCEError('INVALID', 'PKCE verifier cookie is malformed or invalid.', cause);\n  }\n}\n","/**\n * PKCE cookie storage utilities.\n * Handles serialization, parsing, and clearing of PKCE verifier cookies.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { PKCEError } from './error';\n\n/**\n * Cookie name for PKCE verifier storage.\n */\nexport const PKCE_COOKIE_NAME = 'mastra_pkce_verifier';\n\n/**\n * Data stored in the PKCE cookie.\n */\nexport interface PKCECookieData {\n  verifier: string;\n  state: string;\n  expiresAt: number; // Unix timestamp in milliseconds\n}\n\n/**\n * Create a Set-Cookie header value for storing PKCE verifier and state.\n *\n * @param verifier - The code verifier for PKCE\n * @param state - The state parameter for CSRF protection\n * @param isProduction - Whether to add Secure flag (required for HTTPS)\n * @returns Set-Cookie header value\n */\nexport function setPKCECookie(verifier: string, state: string, isProduction: boolean): string {\n  const ttlSeconds = 5 * 60; // 5 minutes\n  const data: PKCECookieData = {\n    verifier,\n    state,\n    expiresAt: Date.now() + ttlSeconds * 1000,\n  };\n\n  const encoded = encodeURIComponent(JSON.stringify(data));\n\n  let cookie = `${PKCE_COOKIE_NAME}=${encoded}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;\n\n  if (isProduction) {\n    cookie += '; Secure';\n  }\n\n  return cookie;\n}\n\n/**\n * Parse the PKCE cookie from a Cookie header.\n *\n * @param cookieHeader - The Cookie header value (may be null)\n * @returns Parsed cookie data\n * @throws PKCEError if cookie is missing, expired, or malformed\n */\nexport function parsePKCECookie(cookieHeader: string | null): PKCECookieData {\n  if (!cookieHeader) {\n    throw PKCEError.missingVerifier();\n  }\n\n  const match = 
cookieHeader.match(new RegExp(`${PKCE_COOKIE_NAME}=([^;]+)`));\n\n  if (!match?.[1]) {\n    throw PKCEError.missingVerifier();\n  }\n\n  let data: PKCECookieData;\n  try {\n    data = JSON.parse(decodeURIComponent(match[1])) as PKCECookieData;\n  } catch (e) {\n    throw PKCEError.invalid(e instanceof Error ? e : undefined);\n  }\n\n  if (data.expiresAt < Date.now()) {\n    throw PKCEError.expired();\n  }\n\n  return data;\n}\n\n/**\n * Create a Set-Cookie header value to clear the PKCE cookie.\n *\n * @returns Set-Cookie header value that expires the cookie\n */\nexport function clearPKCECookie(): string {\n  return `${PKCE_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;\n}\n","/**\n * PKCE (Proof Key for Code Exchange) cryptographic utilities.\n * Implements RFC 7636 S256 challenge method.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { randomBytes, createHash } from 'node:crypto';\n\n/**\n * Generate a code verifier for PKCE.\n * Uses 32 random bytes encoded as base64url (43 characters).\n *\n * Per RFC 7636: code_verifier must be 43-128 characters using unreserved characters.\n */\nexport function generateCodeVerifier(): string {\n  // 32 bytes -> 43 chars base64url\n  return randomBytes(32).toString('base64url');\n}\n\n/**\n * Compute the S256 code challenge from a verifier.\n * challenge = BASE64URL(SHA256(verifier))\n *\n * Per RFC 7636: S256 method uses SHA-256 hash of the verifier.\n */\nexport function computeCodeChallenge(verifier: string): string {\n  return createHash('sha256').update(verifier).digest('base64url');\n}\n\n/**\n * Generate a state parameter for CSRF protection.\n * Uses 16 random bytes encoded as base64url (22 characters).\n */\nexport function generateState(): string {\n  // 16 bytes -> 22 chars base64url\n  return randomBytes(16).toString('base64url');\n}\n","/**\n * OAuth authorization flow functions.\n *\n * Implements login URL generation and callback handling for\n * Mastra Cloud 
authentication with PKCE.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\nimport { setPKCECookie, parsePKCECookie, clearPKCECookie } from '../pkce/cookie';\nimport { generateCodeVerifier, computeCodeChallenge, generateState } from '../pkce/pkce';\nimport type { LoginUrlResult, CallbackResult } from '../types';\nimport { fetchWithRetry } from './network';\nimport { encodeState, decodeState, validateReturnTo } from './state';\n\n/**\n * Options for generating login URL.\n */\nexport interface LoginUrlOptions {\n  /** Mastra Cloud project ID */\n  projectId: string;\n  /** Base URL of Mastra Cloud API (e.g., 'https://cloud.mastra.ai') */\n  cloudBaseUrl: string;\n  /** OAuth callback URL (e.g., 'https://myapp.com/auth/callback') */\n  callbackUrl: string;\n  /** URL to redirect to after successful login */\n  returnTo?: string;\n  /** Origin of the current request (e.g., 'https://myapp.com') */\n  requestOrigin: string;\n  /** Whether running in production (affects cookie Secure flag) */\n  isProduction?: boolean;\n}\n\n/**\n * Options for handling OAuth callback.\n */\nexport interface CallbackOptions {\n  /** Mastra Cloud project ID */\n  projectId: string;\n  /** Base URL of Mastra Cloud API */\n  cloudBaseUrl: string;\n  /** OAuth callback URL (must match what was sent to /auth/oss) */\n  redirectUri: string;\n  /** Authorization code from OAuth callback */\n  code: string;\n  /** State parameter from OAuth callback */\n  state: string;\n  /** Cookie header from request (may be null) */\n  cookieHeader: string | null;\n}\n\n/**\n * Generate a login URL for Mastra Cloud OAuth flow.\n *\n * Creates a URL with PKCE challenge and state parameter for CSRF protection.\n * Returns a PKCE cookie that must be set on the response.\n *\n * @param options - Login URL options\n * @returns URL to redirect to and cookies to set\n */\nexport function getLoginUrl(options: LoginUrlOptions): LoginUrlResult {\n  
const { projectId, cloudBaseUrl, callbackUrl, returnTo, requestOrigin, isProduction } = options;\n\n  // Generate PKCE verifier and challenge\n  const verifier = generateCodeVerifier();\n  const challenge = computeCodeChallenge(verifier);\n\n  // Generate CSRF token for state\n  const csrf = generateState();\n\n  // Validate returnTo to prevent open redirect attacks\n  const validatedReturnTo = validateReturnTo(returnTo, requestOrigin);\n\n  // Encode state with CSRF and returnTo\n  const state = encodeState(csrf, validatedReturnTo);\n\n  // Build authorization URL\n  const url = new URL('/auth/oss', cloudBaseUrl);\n  url.searchParams.set('project_id', projectId);\n  url.searchParams.set('code_challenge', challenge);\n  url.searchParams.set('code_challenge_method', 'S256');\n  url.searchParams.set('redirect_uri', callbackUrl);\n  url.searchParams.set('state', state);\n\n  // Create PKCE cookie (stores verifier and CSRF token)\n  const isProductionEnv = isProduction ?? process.env.NODE_ENV === 'production';\n  const pkceCookie = setPKCECookie(verifier, csrf, isProductionEnv);\n\n  return {\n    url: url.toString(),\n    cookies: [pkceCookie],\n  };\n}\n\n/**\n * Handle OAuth callback from Mastra Cloud.\n *\n * Validates state for CSRF, exchanges code for tokens, and returns user info.\n * Returns a cookie to clear the PKCE state.\n *\n * Note: Session cookie is NOT set here - caller (session module) handles that.\n *\n * @param options - Callback options\n * @returns User info, access token, and redirect URL\n * @throws PKCEError if PKCE cookie is missing or expired\n * @throws AuthError if state validation fails or token exchange fails\n */\nexport async function handleCallback(options: CallbackOptions): Promise<CallbackResult> {\n  const { projectId, cloudBaseUrl, redirectUri, code, state, cookieHeader } = options;\n\n  // Parse PKCE cookie (throws PKCEError if missing/expired)\n  const pkceData = parsePKCECookie(cookieHeader);\n\n  // Decode state parameter 
(throws AuthError if malformed)\n  const stateData = decodeState(state);\n\n  // Validate CSRF token matches\n  if (stateData.csrf !== pkceData.state) {\n    throw AuthError.stateMismatch();\n  }\n\n  // Exchange code for tokens\n  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/callback`, {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/json',\n      'X-Project-ID': projectId,\n    },\n    body: JSON.stringify({\n      code,\n      redirect_uri: redirectUri,\n      code_verifier: pkceData.verifier,\n    }),\n  });\n\n  // Handle error responses\n  if (!response.ok) {\n    let cloudCode: string | undefined;\n    let cloudMessage: string | undefined;\n\n    try {\n      const errorBody = (await response.json()) as { code?: string; message?: string };\n      cloudCode = errorBody.code;\n      cloudMessage = errorBody.message;\n    } catch {\n      // Could not parse error body\n    }\n\n    throw AuthError.tokenExchangeFailed({ cloudCode, cloudMessage });\n  }\n\n  // Parse successful response - Cloud returns token only, no user\n  const body = (await response.json()) as {\n    access_token: string;\n    token_type: string;\n    expires_in: number;\n  };\n\n  // Get user info from /auth/verify endpoint\n  const verifyResponse = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {\n    method: 'POST',\n    headers: {\n      Authorization: `Bearer ${body.access_token}`,\n      'X-Project-ID': projectId,\n    },\n  });\n\n  if (!verifyResponse.ok) {\n    throw AuthError.verificationFailed();\n  }\n\n  // Cloud returns: { sub, email, name?, avatar_url?, role }\n  const verifyBody = (await verifyResponse.json()) as {\n    sub: string;\n    email: string;\n    name?: string;\n    avatar_url?: string;\n    role: string;\n  };\n\n  // Clear PKCE cookie (no longer needed)\n  const clearCookie = clearPKCECookie();\n\n  return {\n    user: {\n      id: verifyBody.sub,\n      email: verifyBody.email,\n      name: verifyBody.name,\n      
avatar: verifyBody.avatar_url,\n      role: verifyBody.role,\n    },\n    accessToken: body.access_token,\n    returnTo: stateData.returnTo,\n    cookies: [clearCookie],\n  };\n}\n","/**\n * Session cookie utilities.\n * Handles setting, parsing, and clearing of session cookies.\n *\n * @internal This module is not exported from the main package.\n */\n\n/**\n * Cookie name for session token storage.\n */\nexport const SESSION_COOKIE_NAME = 'mastra_cloud_session';\n\n/**\n * Create a Set-Cookie header value for storing session token.\n *\n * @param token - The session token\n * @param isProduction - Whether to add Secure flag (required for HTTPS)\n * @returns Set-Cookie header value\n */\nexport function setSessionCookie(token: string, isProduction: boolean): string {\n  const ttlSeconds = 24 * 60 * 60; // 24 hours\n\n  let cookie = `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;\n\n  if (isProduction) {\n    cookie += '; Secure';\n  }\n\n  return cookie;\n}\n\n/**\n * Parse the session token from a Cookie header.\n *\n * @param cookieHeader - The Cookie header value (may be null)\n * @returns Session token or null if not present. NOTE(review): the pattern is not anchored to a cookie-name boundary, so a cookie whose name only ends with SESSION_COOKIE_NAME is also matched - confirm this is intended.\n */\nexport function parseSessionCookie(cookieHeader: string | null): string | null {\n  if (!cookieHeader) {\n    return null;\n  }\n\n  const match = cookieHeader.match(new RegExp(`${SESSION_COOKIE_NAME}=([^;]+)`));\n  return match?.[1] ?? 
null;\n}\n\n/**\n * Create a Set-Cookie header value to clear the session cookie.\n *\n * @returns Set-Cookie header value that expires the cookie\n */\nexport function clearSessionCookie(): string {\n  return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;\n}\n","/**\n * Session lifecycle functions.\n * Handles token verification, session validation, and logout.\n *\n * @internal This module is not exported from the main package.\n */\n\nimport { AuthError } from '../error';\nimport { fetchWithRetry } from '../oauth/network';\nimport type { CloudSession, VerifyResponse } from '../types';\n\n/**\n * Options for verifyToken.\n */\nexport interface VerifyTokenOptions {\n  projectId: string;\n  cloudBaseUrl: string;\n  token: string;\n}\n\n/**\n * Options for validateSession and destroySession.\n */\nexport interface SessionOptions {\n  projectId: string;\n  cloudBaseUrl: string;\n  sessionToken: string;\n}\n\n/**\n * Verify an access token with Cloud API.\n *\n * @param options - Verification options\n * @returns User and role information\n * @throws AuthError with code 'verification_failed' if verification fails\n * @throws AuthError with code 'network_error' if network request fails\n */\nexport async function verifyToken(options: VerifyTokenOptions): Promise<VerifyResponse> {\n  const { projectId, cloudBaseUrl, token } = options;\n\n  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {\n    method: 'POST',\n    headers: {\n      Authorization: `Bearer ${token}`,\n      'X-Project-ID': projectId,\n    },\n  });\n\n  if (!response.ok) {\n    throw AuthError.verificationFailed();\n  }\n\n  // Cloud returns different shapes for user tokens vs project API tokens:\n  // User token: { sub, email, name?, avatar_url?, role }\n  // Project API token: { valid: true, role: \"api\", token_type: \"project_api_token\" }\n  const body = (await response.json()) as {\n    // User token fields\n    sub?: string;\n    email?: string;\n    
name?: string;\n    avatar_url?: string;\n    role: string;\n    // Project API token fields\n    valid?: boolean;\n    token_type?: string;\n  };\n\n  // Project API token - no user info, just role\n  if (body.token_type === 'project_api_token') {\n    return {\n      user: {\n        id: 'api-token',\n        email: undefined,\n        name: undefined,\n        avatar: undefined,\n      },\n      role: body.role,\n    };\n  }\n\n  // User token - full user info\n  return {\n    user: {\n      id: body.sub!,\n      email: body.email!,\n      name: body.name,\n      avatar: body.avatar_url,\n    },\n    role: body.role,\n  };\n}\n\n/**\n * Validate an existing session with Cloud API.\n *\n * @param options - Session options\n * @returns Session data if valid, null otherwise\n */\nexport async function validateSession(options: SessionOptions): Promise<CloudSession | null> {\n  const { projectId, cloudBaseUrl, sessionToken } = options;\n\n  try {\n    const response = await fetchWithRetry(`${cloudBaseUrl}/auth/session/validate`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n        Authorization: `Bearer ${sessionToken}`,\n        'X-Project-ID': projectId,\n      },\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    return (await response.json()) as CloudSession;\n  } catch {\n    // Any error (network, parsing) returns null\n    return null;\n  }\n}\n\n/**\n * Destroy a session with Cloud API.\n * Note: X-Project-ID not required for this endpoint.\n *\n * @param options - Session options\n */\nexport async function destroySession(options: SessionOptions): Promise<void> {\n  const { cloudBaseUrl, sessionToken } = options;\n\n  await fetchWithRetry(`${cloudBaseUrl}/auth/session/destroy`, {\n    method: 'POST',\n    headers: {\n      Authorization: `Bearer ${sessionToken}`,\n    },\n  });\n\n  // Ignore response - void return per spec\n}\n\n/**\n * Get the logout URL for redirecting users.\n *\n * @param 
cloudBaseUrl - Cloud API base URL\n * @param postLogoutRedirectUri - URL to redirect to after logout (required)\n * @param idTokenHint - The access token (required by Cloud)\n * @returns Full logout URL with redirect and token parameters\n */\nexport function getLogoutUrl(cloudBaseUrl: string, postLogoutRedirectUri: string, idTokenHint: string): string {\n  const url = new URL('/auth/logout', cloudBaseUrl);\n  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);\n  url.searchParams.set('id_token_hint', idTokenHint);\n  return url.toString();\n}\n","/**\n * MastraCloudAuth client class.\n * Facade composing OAuth and session modules into unified API.\n */\n\nimport { getLoginUrl, handleCallback } from './oauth';\nimport {\n  verifyToken,\n  validateSession,\n  destroySession,\n  getLogoutUrl,\n  setSessionCookie,\n  clearSessionCookie,\n} from './session';\nimport type { LoginUrlResult, CallbackResult, VerifyResponse, CloudSession } from './types';\n\n/**\n * Configuration for MastraCloudAuth client.\n */\nexport interface MastraCloudAuthConfig {\n  /** Mastra Cloud project ID */\n  projectId: string;\n  /** Base URL of the Cloud API (e.g., https://cloud.mastra.ai) */\n  cloudBaseUrl: string;\n  /** OAuth callback URL for your application */\n  callbackUrl: string;\n  /** Whether running in production (adds Secure flag to cookies) */\n  isProduction?: boolean;\n}\n\n/**\n * Mastra Cloud authentication client.\n *\n * Provides unified API for OAuth flow and session management.\n *\n * @example\n * ```typescript\n * const auth = new MastraCloudAuth({\n *   cloudBaseUrl: 'https://cloud.mastra.ai',\n *   callbackUrl: 'https://myapp.com/auth/callback',\n * });\n *\n * // Start login flow\n * const { url, cookies } = auth.getLoginUrl({\n *   requestOrigin: 'https://myapp.com',\n * });\n *\n * // After callback\n * const result = await auth.handleCallback({\n *   code: 'auth_code',\n *   state: 'state_param',\n *   cookieHeader: 
request.headers.get('cookie'),\n * });\n * ```\n */\nexport class MastraCloudAuth {\n  private readonly config: MastraCloudAuthConfig;\n\n  constructor(config: MastraCloudAuthConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Generate login URL for OAuth authorization.\n   *\n   * @param options - Login options\n   * @returns URL to redirect to and cookies to set\n   */\n  getLoginUrl(options: { returnTo?: string; requestOrigin: string }): LoginUrlResult {\n    return getLoginUrl({\n      projectId: this.config.projectId,\n      cloudBaseUrl: this.config.cloudBaseUrl,\n      callbackUrl: this.config.callbackUrl,\n      returnTo: options.returnTo,\n      requestOrigin: options.requestOrigin,\n      isProduction: this.config.isProduction,\n    });\n  }\n\n  /**\n   * Handle OAuth callback after authorization.\n   *\n   * @param options - Callback parameters\n   * @returns User info, tokens, and redirect URL\n   */\n  handleCallback(options: { code: string; state: string; cookieHeader: string | null }): Promise<CallbackResult> {\n    return handleCallback({\n      projectId: this.config.projectId,\n      cloudBaseUrl: this.config.cloudBaseUrl,\n      redirectUri: this.config.callbackUrl,\n      ...options,\n    });\n  }\n\n  /**\n   * Verify an access token.\n   *\n   * @param token - Access token to verify\n   * @returns User and role information\n   */\n  verifyToken(token: string): Promise<VerifyResponse> {\n    return verifyToken({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, token });\n  }\n\n  /**\n   * Validate an existing session.\n   *\n   * @param sessionToken - Session token to validate\n   * @returns Session data if valid, null otherwise\n   */\n  validateSession(sessionToken: string): Promise<CloudSession | null> {\n    return validateSession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });\n  }\n\n  /**\n   * Destroy a session (server-side logout).\n   *\n   * @param 
sessionToken - Session token to destroy\n   */\n  destroySession(sessionToken: string): Promise<void> {\n    return destroySession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });\n  }\n\n  /**\n   * Get the logout URL for client-side redirect.\n   *\n   * @param postLogoutRedirectUri - URL to redirect to after logout\n   * @param idTokenHint - The access token\n   * @returns Full logout URL with redirect and token parameters\n   */\n  getLogoutUrl(postLogoutRedirectUri: string, idTokenHint: string): string {\n    return getLogoutUrl(this.config.cloudBaseUrl, postLogoutRedirectUri, idTokenHint);\n  }\n\n  /**\n   * Create Set-Cookie header value for session token.\n   *\n   * @param token - Session token to store\n   * @returns Set-Cookie header value\n   */\n  setSessionCookie(token: string): string {\n    return setSessionCookie(token, this.config.isProduction ?? process.env.NODE_ENV === 'production');\n  }\n\n  /**\n   * Create Set-Cookie header value to clear session cookie.\n   *\n   * @returns Set-Cookie header value\n   */\n  clearSessionCookie(): string {\n    return clearSessionCookie();\n  }\n}\n","import { Transform } from 'node:stream';\n\nexport const RegisteredLogger = {\n  AGENT: 'AGENT',\n  OBSERVABILITY: 'OBSERVABILITY',\n  AUTH: 'AUTH',\n  BROWSER: 'BROWSER',\n  NETWORK: 'NETWORK',\n  WORKFLOW: 'WORKFLOW',\n  LLM: 'LLM',\n  TTS: 'TTS',\n  VOICE: 'VOICE',\n  VECTOR: 'VECTOR',\n  BUNDLER: 'BUNDLER',\n  DEPLOYER: 'DEPLOYER',\n  MEMORY: 'MEMORY',\n  STORAGE: 'STORAGE',\n  EMBEDDINGS: 'EMBEDDINGS',\n  MCP_SERVER: 'MCP_SERVER',\n  SERVER_CACHE: 'SERVER_CACHE',\n  SERVER: 'SERVER',\n  WORKSPACE: 'WORKSPACE',\n  CHANNEL: 'CHANNEL',\n} as const;\n\nexport type RegisteredLogger = (typeof RegisteredLogger)[keyof typeof RegisteredLogger];\n\nexport const LogLevel = {\n  DEBUG: 'debug',\n  INFO: 'info',\n  WARN: 'warn',\n  ERROR: 'error',\n  NONE: 'silent',\n} as const;\n\nexport type LogLevel = (typeof 
LogLevel)[keyof typeof LogLevel];\n\nexport interface BaseLogMessage {\n  runId?: string;\n  msg: string;\n  level: LogLevel;\n  time: Date;\n  pid: number;\n  hostname: string;\n  name: string;\n}\n\nexport abstract class LoggerTransport extends Transform {\n  constructor(opts: any = {}) {\n    super({ ...opts, objectMode: true });\n  }\n\n  async listLogsByRunId(_args: {\n    runId: string;\n    fromDate?: Date;\n    toDate?: Date;\n    logLevel?: LogLevel;\n    filters?: Record<string, any>;\n    page?: number;\n    perPage?: number;\n  }): Promise<{\n    logs: BaseLogMessage[];\n    total: number;\n    page: number;\n    perPage: number;\n    hasMore: boolean;\n  }> {\n    return { logs: [], total: 0, page: _args?.page ?? 1, perPage: _args?.perPage ?? 100, hasMore: false };\n  }\n\n  async listLogs(_args?: {\n    fromDate?: Date;\n    toDate?: Date;\n    logLevel?: LogLevel;\n    filters?: Record<string, any>;\n    returnPaginationResults?: boolean;\n    page?: number;\n    perPage?: number;\n  }): Promise<{\n    logs: BaseLogMessage[];\n    total: number;\n    page: number;\n    perPage: number;\n    hasMore: boolean;\n  }> {\n    return { logs: [], total: 0, page: _args?.page ?? 1, perPage: _args?.perPage ?? 
100, hasMore: false };\n  }\n}\n\nexport const createCustomTransport = (\n  stream: Transform,\n  listLogs?: LoggerTransport['listLogs'],\n  listLogsByRunId?: LoggerTransport['listLogsByRunId'],\n) => {\n  let transport = stream as LoggerTransport;\n  if (listLogs) {\n    transport.listLogs = listLogs;\n  }\n  if (listLogsByRunId) {\n    transport.listLogsByRunId = listLogsByRunId;\n  }\n  return transport as LoggerTransport;\n};\n\nexport interface IMastraLogger {\n  debug(message: string, ...args: any[]): void;\n  info(message: string, ...args: any[]): void;\n  warn(message: string, ...args: any[]): void;\n  error(message: string, ...args: any[]): void;\n  trackException(error: Error, metadata?: Record<string, unknown>): void;\n\n  getTransports(): Map<string, LoggerTransport>;\n  listLogs(\n    _transportId: string,\n    _params?: {\n      fromDate?: Date;\n      toDate?: Date;\n      logLevel?: LogLevel;\n      filters?: Record<string, any>;\n      page?: number;\n      perPage?: number;\n    },\n  ): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n  listLogsByRunId(_args: {\n    transportId: string;\n    runId: string;\n    fromDate?: Date;\n    toDate?: Date;\n    logLevel?: LogLevel;\n    filters?: Record<string, any>;\n    page?: number;\n    perPage?: number;\n  }): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n}\n\nexport abstract class MastraLogger implements IMastraLogger {\n  protected name: string;\n  protected level: LogLevel;\n  protected transports: Map<string, LoggerTransport>;\n\n  constructor(\n    options: {\n      name?: string;\n      level?: LogLevel;\n      transports?: Record<string, LoggerTransport>;\n    } = {},\n  ) {\n    this.name = options.name || 'Mastra';\n    this.level = options.level || LogLevel.ERROR;\n    this.transports = new Map(Object.entries(options.transports || {}));\n  }\n\n  abstract debug(message: string, 
...args: any[]): void;\n  abstract info(message: string, ...args: any[]): void;\n  abstract warn(message: string, ...args: any[]): void;\n  abstract error(message: string, ...args: any[]): void;\n\n  getTransports() {\n    return this.transports;\n  }\n\n  trackException(_error: Error, _metadata?: Record<string, unknown>) {}\n\n  async listLogs(\n    transportId: string,\n    params?: {\n      fromDate?: Date;\n      toDate?: Date;\n      logLevel?: LogLevel;\n      filters?: Record<string, any>;\n      page?: number;\n      perPage?: number;\n    },\n  ) {\n    if (!transportId || !this.transports.has(transportId)) {\n      return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };\n    }\n\n    return (\n      this.transports.get(transportId)!.listLogs?.(params) ?? {\n        logs: [],\n        total: 0,\n        page: params?.page ?? 1,\n        perPage: params?.perPage ?? 100,\n        hasMore: false,\n      }\n    );\n  }\n\n  async listLogsByRunId({\n    transportId,\n    runId,\n    fromDate,\n    toDate,\n    logLevel,\n    filters,\n    page,\n    perPage,\n  }: {\n    transportId: string;\n    runId: string;\n    fromDate?: Date;\n    toDate?: Date;\n    logLevel?: LogLevel;\n    filters?: Record<string, any>;\n    page?: number;\n    perPage?: number;\n  }) {\n    if (!transportId || !this.transports.has(transportId) || !runId) {\n      return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };\n    }\n\n    return (\n      this.transports\n        .get(transportId)!\n        .listLogsByRunId?.({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {\n        logs: [],\n        total: 0,\n        page: page ?? 1,\n        perPage: perPage ?? 
100,\n        hasMore: false,\n      }\n    );\n  }\n}\n\nexport type LogFilterContext = {\n  component?: RegisteredLogger;\n  level: LogLevel;\n  message: string;\n  args: unknown[];\n};\n\nexport type LogFilter = (ctx: LogFilterContext) => boolean;\n\nexport interface ConsoleLoggerOptions {\n  name?: string;\n  level?: LogLevel;\n  component?: RegisteredLogger;\n  filter?: LogFilter;\n}\n\nexport class ConsoleLogger extends MastraLogger {\n  protected component?: RegisteredLogger;\n  protected filter?: LogFilter;\n\n  constructor(options: ConsoleLoggerOptions = {}) {\n    super(options);\n    this.component = options.component;\n    this.filter = options.filter;\n  }\n\n  child(componentOrBindings: RegisteredLogger | Record<string, unknown>): ConsoleLogger {\n    const component =\n      typeof componentOrBindings === 'string'\n        ? componentOrBindings\n        : ((componentOrBindings?.component as RegisteredLogger) ?? this.component);\n    return new ConsoleLogger({\n      name: this.name,\n      level: this.level,\n      component,\n      filter: this.filter,\n    });\n  }\n\n  private shouldLog(level: LogLevel, message: string, args: unknown[]): boolean {\n    if (!this.filter) return true;\n    try {\n      return this.filter({ component: this.component, level, message, args });\n    } catch (e) {\n      console.error(`[Logger] Filter error for component=${this.component} level=${level}:`, e);\n      return true;\n    }\n  }\n\n  private prefix(): string {\n    return this.component ? 
`[${this.component}] ` : '';\n  }\n\n  debug(message: string, ...args: any[]): void {\n    if (this.level === LogLevel.DEBUG && this.shouldLog(LogLevel.DEBUG, message, args)) {\n      console.info(`${this.prefix()}${message}`, ...args);\n    }\n  }\n\n  info(message: string, ...args: any[]): void {\n    if (\n      (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) &&\n      this.shouldLog(LogLevel.INFO, message, args)\n    ) {\n      console.info(`${this.prefix()}${message}`, ...args);\n    }\n  }\n\n  warn(message: string, ...args: any[]): void {\n    if (\n      (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) &&\n      this.shouldLog(LogLevel.WARN, message, args)\n    ) {\n      console.warn(`${this.prefix()}${message}`, ...args);\n    }\n  }\n\n  error(message: string, ...args: any[]): void {\n    if (\n      (this.level === LogLevel.ERROR ||\n        this.level === LogLevel.WARN ||\n        this.level === LogLevel.INFO ||\n        this.level === LogLevel.DEBUG) &&\n      this.shouldLog(LogLevel.ERROR, message, args)\n    ) {\n      console.error(`${this.prefix()}${message}`, ...args);\n    }\n  }\n\n  async listLogs(\n    _transportId: string,\n    _params?: {\n      fromDate?: Date;\n      toDate?: Date;\n      logLevel?: LogLevel;\n      filters?: Record<string, any>;\n      page?: number;\n      perPage?: number;\n    },\n  ) {\n    return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };\n  }\n\n  async listLogsByRunId(_args: {\n    transportId: string;\n    runId: string;\n    fromDate?: Date;\n    toDate?: Date;\n    logLevel?: LogLevel;\n    filters?: Record<string, any>;\n    page?: number;\n    perPage?: number;\n  }) {\n    return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 
100, hasMore: false };\n  }\n}\n","import type { IMastraLogger } from '../logger';\nimport { ConsoleLogger, RegisteredLogger } from '../logger';\n\nexport class MastraBase {\n  component: RegisteredLogger = RegisteredLogger.LLM;\n  protected logger: IMastraLogger;\n  name?: string;\n  #rawConfig?: Record<string, unknown>;\n\n  constructor({\n    component,\n    name,\n    rawConfig,\n  }: {\n    component?: RegisteredLogger;\n    name?: string;\n    rawConfig?: Record<string, unknown>;\n  }) {\n    this.component = component || RegisteredLogger.LLM;\n    this.name = name;\n    this.#rawConfig = rawConfig;\n    this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });\n  }\n\n  /**\n   * Returns the raw storage configuration this primitive was created from,\n   * or undefined if it was created from code.\n   */\n  toRawConfig(): Record<string, unknown> | undefined {\n    return this.#rawConfig;\n  }\n\n  /**\n   * Sets the raw storage configuration for this primitive.\n   * @internal\n   */\n  __setRawConfig(rawConfig: Record<string, unknown>): void {\n    this.#rawConfig = rawConfig;\n  }\n\n  /**\n   * Set the logger for the agent\n   * @param logger\n   */\n  __setLogger(logger: IMastraLogger) {\n    this.logger =\n      'child' in logger && typeof (logger as any).child === 'function'\n        ? 
(logger as any).child({ component: this.component })\n        : logger;\n  }\n}\n","import { MastraBase } from '@internal/core/base';\nimport type {\n  CredentialsResult,\n  ISSOProvider,\n  ISessionProvider,\n  IUserProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n  User,\n} from '..';\nimport type { AuthorizeUserFn, MastraAuthConfig, MastraAuthRequest } from '../types';\nimport { getRequestHeader } from '../types';\n\nexport interface MastraAuthProviderOptions<TUser = unknown> {\n  name?: string;\n  authorizeUser?: AuthorizeUserFn<TUser>;\n  mapUserToResourceId?(user: TUser): string | undefined | null;\n  /**\n   * Protected paths for the auth provider\n   */\n  protected?: MastraAuthConfig['protected'];\n  /**\n   * Public paths for the auth provider\n   */\n  public?: MastraAuthConfig['public'];\n}\n\nexport abstract class MastraAuthProvider<TUser = unknown> extends MastraBase {\n  public protected?: MastraAuthConfig['protected'];\n  public public?: MastraAuthConfig['public'];\n  public mapUserToResourceId?(user: TUser): string | undefined | null;\n\n  constructor(options?: MastraAuthProviderOptions<TUser>) {\n    super({ component: 'AUTH', name: options?.name });\n\n    if (options?.authorizeUser) {\n      this.authorizeUser = options.authorizeUser.bind(this);\n    }\n\n    this.protected = options?.protected;\n    this.public = options?.public;\n    this.mapUserToResourceId = options?.mapUserToResourceId;\n  }\n\n  /**\n   * Authenticate a token and return the payload\n   * @param token - The token to authenticate\n   * @param request - The request\n   * @returns The payload\n   */\n  abstract authenticateToken(token: string, request: MastraAuthRequest): Promise<TUser | null>;\n\n  /**\n   * Authorize a user for a path and method\n   * @param user - The user to authorize\n   * @param request - The request\n   * @returns The authorization result\n   */\n  abstract authorizeUser(user: TUser, request: MastraAuthRequest): Promise<boolean> | 
boolean;\n\n  protected registerOptions(opts?: MastraAuthProviderOptions<TUser>) {\n    if (opts?.authorizeUser) {\n      this.authorizeUser = opts.authorizeUser.bind(this);\n    }\n    if (opts?.mapUserToResourceId) {\n      this.mapUserToResourceId = opts.mapUserToResourceId;\n    }\n    if (opts?.protected) {\n      this.protected = opts.protected;\n    }\n    if (opts?.public) {\n      this.public = opts.public;\n    }\n  }\n}\n\ntype PrimitiveAuthUser = string | number | boolean | bigint | symbol | null | undefined;\n\n// Type guards for interface detection\nfunction isSSOProvider(p: unknown): p is ISSOProvider {\n  return (\n    p !== null &&\n    typeof p === 'object' &&\n    typeof (p as any).getLoginUrl === 'function' &&\n    typeof (p as any).handleCallback === 'function'\n  );\n}\n\nfunction isSessionProvider(p: unknown): p is ISessionProvider {\n  return (\n    p !== null &&\n    typeof p === 'object' &&\n    typeof (p as any).validateSession === 'function' &&\n    typeof (p as any).createSession === 'function'\n  );\n}\n\nfunction isUserProvider(p: unknown): p is IUserProvider {\n  return p !== null && typeof p === 'object' && typeof (p as any).getCurrentUser === 'function';\n}\nfunction isCredentialsProvider(p: unknown): boolean {\n  return p !== null && typeof p === 'object' && typeof (p as any).signIn === 'function';\n}\n\nfunction isObjectLike(value: unknown): value is object {\n  return (typeof value === 'object' && value !== null) || typeof value === 'function';\n}\n\nexport class CompositeAuth\n  extends MastraAuthProvider\n  implements ISSOProvider<User>, ISessionProvider<Session>, IUserProvider<User>\n{\n  private providers: MastraAuthProvider[];\n  private authenticatedProviderByObject = new WeakMap<object, MastraAuthProvider>();\n  private authenticatedProviderByPrimitive = new Map<PrimitiveAuthUser, MastraAuthProvider>();\n\n  constructor(providers: MastraAuthProvider[]) {\n    const combinedPublic = providers.flatMap(provider => 
provider.public ?? []);\n    const combinedProtected = providers.flatMap(provider => provider.protected ?? []);\n\n    super({\n      public: combinedPublic,\n      protected: combinedProtected,\n    });\n\n    this.providers = providers;\n    if (providers.some(provider => typeof provider.mapUserToResourceId === 'function')) {\n      this.mapUserToResourceId = user => this.mapAuthenticatedUserToResourceId(user);\n    }\n\n    // Null out interface methods when no inner provider supports them.\n    // This ensures duck-typing checks (typeof auth.method === 'function')\n    // accurately reflect the composite's actual capabilities — preventing\n    // Studio from showing login options that no provider can handle.\n    if (!providers.some(isSSOProvider)) {\n      this.getLoginUrl = undefined as any;\n      this.handleCallback = undefined as any;\n      this.getLoginButtonConfig = undefined as any;\n    }\n    if (!providers.some(isSessionProvider)) {\n      this.createSession = undefined as any;\n      this.validateSession = undefined as any;\n      this.getSessionIdFromRequest = undefined as any;\n    }\n    if (!providers.some(isUserProvider)) {\n      this.getCurrentUser = undefined as any;\n      this.getUser = undefined as any;\n      this.getUsers = undefined as any;\n    }\n    // Proxy credentials provider methods if any inner provider supports them.\n    const credProvider = this.findProvider(isCredentialsProvider as (p: unknown) => p is MastraAuthProvider) as any;\n    if (credProvider) {\n      (this as any).signIn = credProvider.signIn.bind(credProvider);\n      if (typeof credProvider.signUp === 'function') {\n        (this as any).signUp = credProvider.signUp.bind(credProvider);\n      }\n      if (typeof credProvider.requestPasswordReset === 'function') {\n        (this as any).requestPasswordReset = credProvider.requestPasswordReset.bind(credProvider);\n      }\n      if (typeof credProvider.resetPassword === 'function') {\n        (this as 
any).resetPassword = credProvider.resetPassword.bind(credProvider);\n      }\n      (this as any).isSignUpEnabled =\n        typeof credProvider.isSignUpEnabled === 'function'\n          ? credProvider.isSignUpEnabled.bind(credProvider)\n          : () => true;\n    } else {\n      (this as any).signIn = undefined;\n      (this as any).signUp = undefined;\n      (this as any).requestPasswordReset = undefined;\n      (this as any).resetPassword = undefined;\n      (this as any).isSignUpEnabled = undefined;\n    }\n  }\n\n  // Find first provider implementing an interface\n  private findProvider<T>(check: (p: unknown) => p is T): T | undefined {\n    return this.providers.find(check) as T | undefined;\n  }\n\n  private rememberAuthenticatedProvider(user: unknown, provider: MastraAuthProvider): void {\n    if (isObjectLike(user)) {\n      this.authenticatedProviderByObject.set(user, provider);\n      return;\n    }\n\n    this.authenticatedProviderByPrimitive.set(user as PrimitiveAuthUser, provider);\n  }\n\n  private takeAuthenticatedProvider(user: unknown): MastraAuthProvider | undefined {\n    if (isObjectLike(user)) {\n      const provider = this.authenticatedProviderByObject.get(user);\n      this.authenticatedProviderByObject.delete(user);\n      return provider;\n    }\n\n    const primitiveUser = user as PrimitiveAuthUser;\n    const provider = this.authenticatedProviderByPrimitive.get(primitiveUser);\n    this.authenticatedProviderByPrimitive.delete(primitiveUser);\n    return provider;\n  }\n\n  private mapAuthenticatedUserToResourceId(user: unknown): string | undefined | null {\n    const provider = this.takeAuthenticatedProvider(user);\n    return provider?.mapUserToResourceId?.(user);\n  }\n\n  // ============================================================================\n  // License Exemption Markers\n  // Expose these if any underlying provider has them\n  // ============================================================================\n\n  /**\n   * 
True if any provider is MastraCloudAuth (exempt from license requirement).\n   */\n  get isMastraCloudAuth(): boolean {\n    return this.providers.some(\n      p => 'isMastraCloudAuth' in p && (p as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true,\n    );\n  }\n\n  /**\n   * True if any provider is SimpleAuth (exempt from license requirement).\n   */\n  get isSimpleAuth(): boolean {\n    return this.providers.some(p => 'isSimpleAuth' in p && (p as { isSimpleAuth: boolean }).isSimpleAuth === true);\n  }\n\n  // ============================================================================\n  // MastraAuthProvider Implementation\n  // ============================================================================\n\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<unknown | null> {\n    for (const provider of this.providers) {\n      try {\n        const user = await provider.authenticateToken(token, request);\n        if (user) {\n          this.rememberAuthenticatedProvider(user, provider);\n          return user;\n        }\n      } catch {\n        // ignore error, try next provider\n      }\n    }\n    return null;\n  }\n\n  async authorizeUser(user: unknown, request: MastraAuthRequest): Promise<boolean> {\n    for (const provider of this.providers) {\n      const authorized = await provider.authorizeUser(user, request);\n      if (authorized) {\n        return true;\n      }\n    }\n    return false;\n  }\n\n  // ============================================================================\n  // ISSOProvider Implementation\n  // ============================================================================\n\n  /**\n   * Forward cookie header to SSO provider for PKCE validation.\n   * Called by auth handler before handleCallback().\n   */\n  setCallbackCookieHeader(cookieHeader: string | null): void {\n    const sso = this.findProvider(isSSOProvider);\n    if (sso && typeof (sso as any).setCallbackCookieHeader === 'function') {\n 
     (sso as any).setCallbackCookieHeader(cookieHeader);\n    }\n  }\n\n  getLoginUrl(redirectUri: string, state: string): string | Promise<string> {\n    const sso = this.findProvider(isSSOProvider);\n    if (!sso) throw new Error('No SSO provider configured in CompositeAuth');\n    return sso.getLoginUrl(redirectUri, state);\n  }\n\n  getLoginCookies(redirectUri: string, state: string): string[] | undefined {\n    const sso = this.findProvider(isSSOProvider);\n    return sso?.getLoginCookies?.(redirectUri, state);\n  }\n\n  async handleCallback(code: string, state: string): Promise<SSOCallbackResult<User>> {\n    const sso = this.findProvider(isSSOProvider);\n    if (!sso) throw new Error('No SSO provider configured in CompositeAuth');\n    return sso.handleCallback(code, state) as Promise<SSOCallbackResult<User>>;\n  }\n\n  getLoginButtonConfig(): SSOLoginConfig {\n    const sso = this.findProvider(isSSOProvider);\n    if (!sso) return { provider: 'unknown', text: 'Sign in' };\n    return sso.getLoginButtonConfig();\n  }\n\n  async getLogoutUrl(redirectUri: string, request?: Request): Promise<string | null> {\n    // Try each SSO provider until one returns a logout URL\n    for (const provider of this.providers) {\n      if (isSSOProvider(provider) && provider.getLogoutUrl) {\n        try {\n          const url = await provider.getLogoutUrl(redirectUri, request);\n          if (url) return url;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  // ============================================================================\n  // ISessionProvider Implementation\n  // ============================================================================\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const session = this.findProvider(isSessionProvider);\n    if (!session) throw new Error('No session provider configured in CompositeAuth');\n    return 
session.createSession(userId, metadata);\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    // Try each session provider until one validates\n    for (const provider of this.providers) {\n      if (isSessionProvider(provider)) {\n        try {\n          const session = await provider.validateSession(sessionId);\n          if (session) return session;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    // Destroy session on ALL providers (user may have sessions in multiple stores)\n    const destroyPromises: Promise<void>[] = [];\n    for (const provider of this.providers) {\n      if (isSessionProvider(provider)) {\n        destroyPromises.push(\n          provider.destroySession(sessionId).catch(() => {\n            // Ignore errors, session may not exist in this provider\n          }),\n        );\n      }\n    }\n    await Promise.all(destroyPromises);\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    // Try each session provider until one refreshes\n    for (const provider of this.providers) {\n      if (isSessionProvider(provider)) {\n        try {\n          const session = await provider.refreshSession(sessionId);\n          if (session) return session;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    // Try each session provider until one finds a session ID\n    for (const provider of this.providers) {\n      if (isSessionProvider(provider)) {\n        try {\n          const sessionId = provider.getSessionIdFromRequest(request);\n          if (sessionId) return sessionId;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    // Intentionally 
uses only the first session provider: a session is created by one\n    // provider, so we only set its cookie. clearSession clears ALL providers to ensure\n    // no stale cookies remain.\n    const sessionProvider = this.findProvider(isSessionProvider);\n    return sessionProvider?.getSessionHeaders(session) ?? {};\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    // Merge clear headers from ALL providers to ensure no stale session cookies remain. NOTE(review): Object.assign overwrites same-named keys, so if two providers both return a 'Set-Cookie' entry only the last one survives and the earlier provider's cookie is not cleared - confirm.\n    const headers: Record<string, string> = {};\n    for (const provider of this.providers) {\n      if (isSessionProvider(provider)) {\n        try {\n          const providerHeaders = provider.getClearSessionHeaders();\n          Object.assign(headers, providerHeaders);\n        } catch {\n          // Ignore errors\n        }\n      }\n    }\n    return headers;\n  }\n\n  // ============================================================================\n  // IUserProvider Implementation\n  // Try each provider until one returns a user (like authenticateToken)\n  // ============================================================================\n\n  async getCurrentUser(request: Request): Promise<User | null> {\n    for (const provider of this.providers) {\n      if (isUserProvider(provider)) {\n        try {\n          const user = await provider.getCurrentUser(request);\n          if (user) return user;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  async getUser(userId: string): Promise<User | null> {\n    for (const provider of this.providers) {\n      if (isUserProvider(provider)) {\n        try {\n          const user = await provider.getUser(userId);\n          if (user) return user;\n        } catch {\n          // Try next provider\n        }\n      }\n    }\n    return null;\n  }\n\n  async getUsers(userIds: string[]): Promise<Array<User | null>> {\n    return Promise.all(userIds.map(userId => this.getUser(userId)));\n  }\n}\n\nconst 
DEFAULT_HEADERS = ['Authorization', 'X-Playground-Access'];\n\ntype TokenToUser<TUser> = Record<string, TUser>;\n\nexport interface SimpleAuthOptions<TUser> extends MastraAuthProviderOptions<TUser> {\n  /**\n   * Valid tokens to authenticate against\n   */\n  tokens: TokenToUser<TUser>;\n  /**\n   * Headers to check for authentication\n   * @default ['Authorization', 'X-Playground-Access']\n   */\n  headers?: string | string[];\n}\n\nexport class SimpleAuth<TUser> extends MastraAuthProvider<TUser> {\n  /**\n   * Marker to exempt SimpleAuth from EE license requirement.\n   * SimpleAuth is for development/testing and should work without a license.\n   */\n  readonly isSimpleAuth = true;\n\n  private tokens: TokenToUser<TUser>;\n  private headers: string[];\n  private users: TUser[];\n  private userById: Map<string, TUser>;\n\n  constructor(options: SimpleAuthOptions<TUser>) {\n    super(options);\n    this.tokens = options.tokens;\n    this.users = Object.values(this.tokens);\n    this.headers = [...DEFAULT_HEADERS].concat(options.headers || []);\n    this.userById = new Map(this.users.map(u => [String((u as any)?.id), u]));\n  }\n\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<TUser | null> {\n    const requestTokens = this.getTokensFromHeaders(token, request);\n\n    for (const requestToken of requestTokens) {\n      const tokenToUser = this.tokens[requestToken];\n      if (tokenToUser) {\n        return tokenToUser;\n      }\n    }\n\n    return this.getUserFromCookie(getRequestHeader(request, 'Cookie'));\n  }\n\n  async authorizeUser(user: TUser, _request: MastraAuthRequest): Promise<boolean> {\n    return this.users.includes(user);\n  }\n\n  /** Get current user from request headers or cookie. 
*/\n  async getCurrentUser(request: Request): Promise<TUser | null> {\n    // Check headers first. NOTE(review): this.tokens[token] also resolves inherited property names when tokens is a plain object; an own-property check (Object.hasOwn) would be stricter - confirm.\n    for (const headerName of this.headers) {\n      const headerValue = request.headers.get(headerName);\n      if (headerValue) {\n        const token = this.stripBearerPrefix(headerValue);\n        const user = this.tokens[token];\n        if (user) {\n          return user;\n        }\n      }\n    }\n\n    return this.getUserFromCookie(request.headers.get('Cookie'));\n  }\n\n  private getUserFromCookie(cookieHeader: string | null | undefined): TUser | null {\n    if (!cookieHeader) return null;\n\n    const cookies = cookieHeader.split(';').map(c => c.trim());\n    for (const cookie of cookies) {\n      if (cookie.startsWith('mastra-token=')) {\n        const token = cookie.slice('mastra-token='.length);\n        const user = this.tokens[token];\n        if (user) {\n          return user;\n        }\n      }\n    }\n    return null;\n  }\n\n  /** Get user by ID. */\n  async getUser(userId: string): Promise<TUser | null> {\n    return this.userById.get(userId) ?? null;\n  }\n\n  async getUsers(userIds: string[]): Promise<Array<TUser | null>> {\n    return userIds.map(userId => this.userById.get(userId) ?? null);\n  }\n\n  /**\n   * Sign in with token (passed as password field).\n   * The email field is ignored - only the token matters.\n   */\n  async signIn(_email: string, password: string, _request: Request): Promise<CredentialsResult<TUser>> {\n    const token = password;\n    const user = this.tokens[token];\n\n    if (!user) {\n      throw new Error('Invalid token');\n    }\n\n    // Set cookie so the token persists across requests. NOTE(review): the cookie has no Secure attribute, so the raw token is also sent over plain HTTP; keep SimpleAuth to development/testing.\n    const cookie = `mastra-token=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400`;\n\n    return {\n      user,\n      token,\n      cookies: [cookie],\n    };\n  }\n\n  async signUp(): Promise<CredentialsResult<TUser>> {\n    throw new Error('Sign up is not supported with SimpleAuth. 
Use pre-configured tokens.');\n  }\n\n  isSignUpEnabled(): boolean {\n    return false;\n  }\n\n  /**\n   * Get headers to clear the session cookie on logout.\n   * Partial ISessionProvider implementation for logout support.\n   */\n  getClearSessionHeaders(): Record<string, string> {\n    return {\n      'Set-Cookie': 'mastra-token=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0',\n    };\n  }\n\n  private stripBearerPrefix(token: string): string {\n    return token.startsWith('Bearer ') ? token.slice(7) : token;\n  }\n\n  private getTokensFromHeaders(token: string, request: MastraAuthRequest): string[] {\n    const tokens = [token];\n    for (const headerName of this.headers) {\n      const headerValue = getRequestHeader(request, headerName);\n      if (headerValue) {\n        tokens.push(this.stripBearerPrefix(headerValue));\n      }\n    }\n    return tokens;\n  }\n}\n","/**\n * MastraCloudAuthProvider - Server integration for Mastra Cloud authentication.\n *\n * Extends MastraAuthProvider and implements ISSOProvider, ISessionProvider,\n * and IUserProvider interfaces to integrate with Mastra server middleware.\n *\n * @packageDocumentation\n */\n\nimport type {\n  IUserProvider,\n  ISSOProvider,\n  ISessionProvider,\n  Session,\n  SSOCallbackResult,\n  SSOLoginConfig,\n} from '@internal/auth';\nimport type { EEUser } from '@internal/auth/ee';\nimport type { MastraAuthProviderOptions } from '@internal/auth/provider';\nimport { MastraAuthProvider } from '@internal/auth/provider';\n\nimport { MastraCloudAuth } from './client';\nimport { parseSessionCookie } from './session/cookie';\nimport type { CloudUser } from './types';\n\ntype HonoRequestLike = {\n  raw?: Request;\n  headers?: Headers;\n  header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getRequestHeader(request: MastraAuthRequest, name: string): string | null {\n  if (request instanceof Request) {\n    return request.headers.get(name);\n  }\n\n  
return request.raw?.headers.get(name) ?? request.headers?.get(name) ?? request.header(name) ?? null;\n}\n\n/**\n * Configuration options for MastraCloudAuthProvider.\n */\nexport interface MastraCloudAuthProviderOptions extends MastraAuthProviderOptions<CloudUser> {\n  /** Mastra Cloud project ID */\n  projectId: string;\n  /** Base URL of Mastra Cloud API (e.g., https://cloud.mastra.ai) */\n  cloudBaseUrl: string;\n  /** OAuth callback URL for your application */\n  callbackUrl: string;\n  /** Whether running in production (adds Secure flag to cookies) */\n  isProduction?: boolean;\n}\n\n/**\n * Mastra Cloud authentication provider for server integration.\n *\n * Wraps the MastraCloudAuth client and implements the required interfaces\n * for Mastra server middleware. Provides SSO login, session management,\n * and user awareness.\n *\n * @example\n * ```typescript\n * import { MastraCloudAuthProvider } from '@mastra/auth-cloud';\n *\n * const auth = new MastraCloudAuthProvider({\n *   cloudBaseUrl: 'https://cloud.mastra.ai',\n *   callbackUrl: 'https://myapp.com/auth/callback',\n * });\n *\n * const mastra = new Mastra({\n *   auth,\n *   // ...\n * });\n * ```\n */\nexport class MastraCloudAuthProvider\n  extends MastraAuthProvider<CloudUser>\n  implements IUserProvider<EEUser>, ISSOProvider<EEUser>, ISessionProvider<Session>\n{\n  private client: MastraCloudAuth;\n\n  /** Marker for EE license exemption - MastraCloudAuth is exempt */\n  readonly isMastraCloudAuth = true;\n\n  /**\n   * Cookie header for handleCallback PKCE validation.\n   * Set via setCallbackCookieHeader() before handleCallback() is called.\n   * @internal\n   */\n  private _lastCallbackCookieHeader: string | null = null;\n\n  constructor(options: MastraCloudAuthProviderOptions) {\n    super({ name: options?.name ?? 
'cloud' });\n\n    this.client = new MastraCloudAuth({\n      projectId: options.projectId,\n      cloudBaseUrl: options.cloudBaseUrl,\n      callbackUrl: options.callbackUrl,\n      isProduction: options.isProduction,\n    });\n\n    this.registerOptions(options);\n  }\n\n  /**\n   * Set cookie header for handleCallback PKCE validation.\n   * Must be called before handleCallback() to pass cookie header.\n   *\n   * @param cookieHeader - Cookie header from original request\n   */\n  setCallbackCookieHeader(cookieHeader: string | null): void {\n    this._lastCallbackCookieHeader = cookieHeader;\n  }\n\n  // ============================================================================\n  // MastraAuthProvider Implementation\n  // ============================================================================\n\n  /**\n   * Authenticate a bearer token or session cookie.\n   *\n   * Checks session cookie first, falls back to bearer token for API clients.\n   *\n   * @param token - Bearer token (from Authorization header)\n   * @param request - Request used for cookie access\n   * @returns Authenticated user with role, or null if invalid\n   */\n  async authenticateToken(token: string, request: MastraAuthRequest): Promise<CloudUser | null> {\n    try {\n      const cookieHeader = getRequestHeader(request, 'cookie');\n\n      // Parse session token from cookie\n      const sessionToken = parseSessionCookie(cookieHeader);\n\n      if (sessionToken) {\n        // Verify session token with Cloud API\n        const { user, role } = await this.client.verifyToken(sessionToken);\n        return { ...user, role };\n      }\n\n      // Fall back to bearer token if no cookie\n      if (token) {\n        const { user, role } = await this.client.verifyToken(token);\n        return { ...user, role };\n      }\n\n      return null;\n    } catch {\n      // Per Phase 10 decision: return null on any error\n      return null;\n    }\n  }\n\n  /**\n   * Authorize a user for access.\n   *\n   
* Simple validation - detailed permission checking happens in server\n   * middleware via checkRoutePermission(), not authorizeUser().\n   *\n   * @param user - Authenticated user\n   * @returns True if user has valid id\n   */\n  authorizeUser(user: CloudUser): boolean {\n    return !!user?.id;\n  }\n\n  // ============================================================================\n  // ISSOProvider Implementation\n  // ============================================================================\n\n  /**\n   * Cached login result for getLoginCookies() to retrieve cookies.\n   * @internal\n   */\n  private _lastLoginResult: { url: string; cookies: string[] } | null = null;\n\n  /**\n   * Get URL to redirect user to for SSO login.\n   *\n   * @param redirectUri - Callback URL after authentication\n   * @param state - State parameter (format: uuid|encodedPostLoginRedirect)\n   * @returns Full authorization URL\n   */\n  getLoginUrl(redirectUri: string, state: string): string {\n    // Extract postLoginRedirect from state (format: uuid|encodedPostLoginRedirect)\n    let postLoginRedirect = '/';\n    if (state && state.includes('|')) {\n      const parts = state.split('|', 2);\n      const encodedRedirect = parts[1];\n      if (encodedRedirect) {\n        try {\n          postLoginRedirect = decodeURIComponent(encodedRedirect);\n        } catch {\n          postLoginRedirect = '/';\n        }\n      }\n    }\n\n    // Parse origin from redirectUri for PKCE cookie origin validation\n    const redirectUrl = new URL(redirectUri);\n    const origin = redirectUrl.origin;\n\n    // Generate login URL with PKCE\n    const result = this.client.getLoginUrl({\n      returnTo: postLoginRedirect,\n      requestOrigin: origin,\n    });\n\n    // Cache result for getLoginCookies() to retrieve\n    this._lastLoginResult = result;\n\n    return result.url;\n  }\n\n  /**\n   * Get cookies to set during login redirect (PKCE verifier).\n   * Must be called after getLoginUrl() in same 
request.\n   *\n   * @returns Array of Set-Cookie header values\n   */\n  getLoginCookies(): string[] | undefined {\n    const cookies = this._lastLoginResult?.cookies;\n    this._lastLoginResult = null; // Clear after retrieval\n    return cookies;\n  }\n\n  /**\n   * Handle OAuth callback, exchange code for tokens and user.\n   *\n   * @param code - Authorization code from callback\n   * @param state - State parameter for CSRF validation\n   * @returns User, tokens, and session cookies\n   */\n  async handleCallback(code: string, state: string): Promise<SSOCallbackResult<EEUser>> {\n    // Get cookie header for PKCE validation, then clear\n    const cookieHeader = this._lastCallbackCookieHeader;\n    this._lastCallbackCookieHeader = null;\n\n    // Exchange code for tokens and get user (includes /auth/verify call)\n    const result = await this.client.handleCallback({\n      code,\n      state,\n      cookieHeader,\n    });\n\n    // Build session cookie\n    const sessionCookie = this.client.setSessionCookie(result.accessToken);\n\n    return {\n      user: result.user, // Already has role from handleCallback\n      tokens: {\n        accessToken: result.accessToken,\n      },\n      cookies: [...result.cookies, sessionCookie],\n    };\n  }\n\n  /**\n   * Get configuration for rendering login button in UI.\n   *\n   * @returns Login button configuration\n   */\n  getLoginButtonConfig(): SSOLoginConfig {\n    return {\n      provider: 'mastra',\n      text: 'Sign in with Mastra Cloud',\n    };\n  }\n\n  /**\n   * Get logout URL for client-side redirect.\n   * Requires the request to extract the session token for id_token_hint.\n   *\n   * @param redirectUri - URL to redirect to after logout\n   * @param request - Request to extract session token from\n   * @returns Logout URL with redirect and token parameters, or null if no session\n   */\n  getLogoutUrl(redirectUri: string, request?: Request): string | null {\n    // Get session token from request cookies for 
id_token_hint\n    const sessionToken = request ? this.getSessionIdFromRequest(request) : null;\n    if (!sessionToken) {\n      return null; // No active session, nothing to logout\n    }\n    return this.client.getLogoutUrl(redirectUri, sessionToken);\n  }\n\n  // ============================================================================\n  // ISessionProvider Implementation\n  // ============================================================================\n\n  /**\n   * Create a new session for a user.\n   *\n   * For Cloud auth, sessions are created via handleCallback.\n   * This method builds a Session object for interface compatibility.\n   *\n   * @param userId - User to create session for\n   * @param metadata - Optional metadata (accessToken can be passed here)\n   * @returns Session object\n   */\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = new Date();\n    const expiresAt = new Date(now.getTime() + 24 * 60 * 60 * 1000); // 24 hours\n\n    return {\n      id: (metadata?.accessToken as string) ?? 
crypto.randomUUID(),\n      userId,\n      createdAt: now,\n      expiresAt,\n      metadata,\n    };\n  }\n\n  /**\n   * Validate a session and return it if valid.\n   *\n   * @param sessionId - Session token to validate\n   * @returns Session object or null if invalid/expired\n   */\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const session = await this.client.validateSession(sessionId);\n    if (!session) return null;\n\n    return {\n      id: sessionId,\n      userId: session.userId,\n      createdAt: new Date(session.createdAt),\n      expiresAt: new Date(session.expiresAt),\n    };\n  }\n\n  /**\n   * Destroy a session (logout).\n   *\n   * @param sessionId - Session token to destroy\n   */\n  async destroySession(sessionId: string): Promise<void> {\n    await this.client.destroySession(sessionId);\n  }\n\n  /**\n   * Refresh a session, extending its expiry.\n   * Cloud handles refresh internally, so just validate.\n   *\n   * @param sessionId - Session token to refresh\n   * @returns Session object or null if invalid\n   */\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    return this.validateSession(sessionId);\n  }\n\n  /**\n   * Extract session ID from an incoming request.\n   *\n   * @param request - Incoming HTTP request\n   * @returns Session token or null if not present\n   */\n  getSessionIdFromRequest(request: Request): string | null {\n    return parseSessionCookie(request.headers.get('cookie'));\n  }\n\n  /**\n   * Create response headers to set session cookie.\n   *\n   * @param session - Session to encode (id is the access token)\n   * @returns Headers object with Set-Cookie\n   */\n  getSessionHeaders(session: Session): Record<string, string> {\n    return { 'Set-Cookie': this.client.setSessionCookie(session.id) };\n  }\n\n  /**\n   * Create response headers to clear session (for logout).\n   *\n   * @returns Headers object to clear session cookie\n   */\n  getClearSessionHeaders(): 
Record<string, string> {\n    return { 'Set-Cookie': this.client.clearSessionCookie() };\n  }\n\n  // ============================================================================\n  // IUserProvider Implementation\n  // ============================================================================\n\n  /**\n   * Get current user from request (session cookie).\n   *\n   * @param request - Incoming HTTP request\n   * @returns User with role or null if not authenticated\n   */\n  async getCurrentUser(request: Request): Promise<CloudUser | null> {\n    const sessionToken = this.getSessionIdFromRequest(request);\n    if (!sessionToken) return null;\n\n    try {\n      const { user, role } = await this.client.verifyToken(sessionToken);\n      return { ...user, role };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Get user by ID.\n   * Cloud API doesn't have a /users/:id endpoint.\n   *\n   * @returns Always null (not supported)\n   */\n  async getUser(_userId: string): Promise<CloudUser | null> {\n    return null;\n  }\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n  {\n    id: 'owner',\n    name: 'Owner',\n    description: 'Full access to all features and settings',\n    permissions: ['*'],\n  },\n  {\n    id: 
'admin',\n    name: 'Admin',\n    description: 'Manage agents, workflows, and team members',\n    permissions: [\n      '*:read',\n      '*:write',\n      '*:execute',\n      '*:publish',\n      '*:share',\n      // Note: admins cannot delete resources\n    ],\n  },\n  {\n    id: 'member',\n    name: 'Member',\n    description: 'Execute agents and workflows',\n    permissions: ['*:read', '*:execute'],\n  },\n  {\n    id: 'viewer',\n    name: 'Viewer',\n    description: 'Read-only access',\n    permissions: ['*:read'],\n  },\n];\n\n// Re-export Permission types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n  return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n  const permissions = new Set<string>();\n  const visited = new Set<string>();\n\n  function resolveRole(roleId: string) {\n    if (visited.has(roleId)) return;\n    visited.add(roleId);\n\n    const role = roles.find(r => r.id === roleId);\n    if (!role) return;\n\n    for (const permission of role.permissions) {\n      permissions.add(permission);\n    }\n\n    // Resolve inherited roles\n    if (role.inherits) {\n      for (const inheritedRoleId of role.inherits) {\n        resolveRole(inheritedRoleId);\n      }\n    }\n  }\n\n  for (const roleId of roleIds) {\n    resolveRole(roleId);\n  }\n\n  return Array.from(permissions);\n}\n\n/**\n * Compound resource 
keys that expand to a set of per-family resources.\n * A granted `stored:<action>` is treated as matching any `stored-<family>:<action>`\n * (and `stored:*` matches any `stored-<family>:*`).\n */\nconst RESOURCE_EXPANSIONS: Record<string, readonly string[]> = {\n  stored: [\n    'stored-agents',\n    'stored-mcp-clients',\n    'stored-prompt-blocks',\n    'stored-scorers',\n    'stored-skills',\n    'stored-workspaces',\n  ],\n};\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: `{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n  // Wildcard matches everything\n  if (userPermission === '*') {\n    return true;\n  }\n\n  const grantedParts = userPermission.split(':');\n  const requiredParts = requiredPermission.split(':');\n\n  // Compound resource alias: expand granted `stored:<action>` into its per-family equivalents.\n  // Only applies when the required permission targets one of the expanded families.\n  const expandedFamilies = RESOURCE_EXPANSIONS[grantedParts[0] ?? ''];\n  if (expandedFamilies && expandedFamilies.includes(requiredParts[0] ?? 
'')) {\n    const aliased = [requiredParts[0], ...grantedParts.slice(1)].join(':');\n    return matchesPermission(aliased, requiredPermission);\n  }\n\n  // Must have at least resource:action\n  if (grantedParts.length < 2 || requiredParts.length < 2) {\n    return userPermission === requiredPermission;\n  }\n\n  const [grantedResource, grantedAction, grantedId] = grantedParts;\n  const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n  // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n  if (grantedResource === '*') {\n    // \"*:*\" is a full wildcard - matches everything\n    if (grantedAction === '*') {\n      if (grantedId === undefined) {\n        return true;\n      }\n      return grantedId === requiredId;\n    }\n    // Action must match for resource wildcards with specific action\n    if (grantedAction !== requiredAction) {\n      return false;\n    }\n    // If no granted ID, matches all instances\n    if (grantedId === undefined) {\n      return true;\n    }\n    // *:read:my-id would match agents:read:my-id (unusual but consistent)\n    return grantedId === requiredId;\n  }\n\n  // Resource must match (for non-wildcard resources)\n  if (grantedResource !== requiredResource) {\n    return false;\n  }\n\n  // Action wildcard: \"agents:*\" matches any action\n  if (grantedAction === '*') {\n    // If no granted ID, matches all resources\n    // If granted ID specified (agents:*:my-agent), must match required ID\n    if (grantedId === undefined) {\n      return true;\n    }\n    // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n    return grantedId === requiredId;\n  }\n\n  // Action must match\n  if (grantedAction !== requiredAction) {\n    return false;\n  }\n\n  // No resource ID in granted permission = access to all resources of this type\n  // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n  if (grantedId === undefined) {\n    return 
true;\n  }\n\n  // Both have resource IDs - must match exactly\n  return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n  return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\"],\n *   \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n *   [\"Engineering\", \"QA\"],\n *   roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n  const permissions = new Set<string>();\n  const defaultPerms = mapping['_default'] ?? 
[];\n\n  for (const role of roles) {\n    const rolePerms = mapping[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    } else {\n      // Apply default permissions for unmapped roles\n      for (const perm of defaultPerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n","/**\n * Mastra Cloud RBAC provider.\n *\n * Provides role-based permission checking for Cloud-authenticated users\n * using configurable role-to-permission mappings.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@internal/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@internal/auth/ee';\n\nimport type { CloudUser } from '../types';\n\n/**\n * Configuration options for MastraRBACCloud.\n */\nexport interface MastraRBACCloudOptions {\n  /**\n   * Mapping from role names to permission arrays; `_default` is granted to users with no role or an unmapped role, so keep it empty or minimal.\n   *\n   * @example\n   * ```typescript\n   * {\n   *   admin: ['*'],\n   *   member: ['agents:read', 'workflows:*'],\n   *   viewer: ['agents:read', 'workflows:read'],\n   *   _default: [],\n   * }\n   * ```\n   */\n  roleMapping: RoleMapping;\n}\n\n/**\n * RBAC provider for Mastra Cloud authentication.\n *\n * Maps user roles (from /verify endpoint) to Mastra permissions\n * using a configurable role mapping. 
This is a simpler implementation\n * than WorkOS RBAC since Cloud uses a single-role model.\n *\n * @example Basic usage\n * ```typescript\n * import { MastraRBACCloud } from '@mastra/auth-cloud';\n *\n * const rbac = new MastraRBACCloud({\n *   roleMapping: {\n *     admin: ['*'],\n *     member: ['agents:read', 'workflows:*'],\n *     viewer: ['agents:read', 'workflows:read'],\n *     _default: [],\n *   },\n * });\n *\n * const hasAccess = await rbac.hasPermission(user, 'agents:read');\n * ```\n */\nexport class MastraRBACCloud implements IRBACProvider<CloudUser> {\n  private options: MastraRBACCloudOptions;\n\n  /**\n   * Expose roleMapping for middleware access.\n   * This allows the authorization middleware to resolve permissions\n   * without needing to call the async methods.\n   */\n  get roleMapping(): RoleMapping {\n    return this.options.roleMapping;\n  }\n\n  /**\n   * Create a new Mastra Cloud RBAC provider.\n   *\n   * @param options - RBAC configuration options\n   */\n  constructor(options: MastraRBACCloudOptions) {\n    this.options = options;\n  }\n\n  /**\n   * Get all roles for a user.\n   *\n   * Returns the user's role as a single-element array, or empty array if no role.\n   * Cloud uses a single-role model (role is attached via verifyToken()).\n   *\n   * @param user - Cloud user to get roles for\n   * @returns Array containing user's role, or empty array\n   */\n  async getRoles(user: CloudUser): Promise<string[]> {\n    // Role attached to user from verifyToken() call\n    return user.role ? 
[user.role] : [];\n  }\n\n  /**\n   * Check if a user has a specific role.\n   *\n   * @param user - Cloud user to check\n   * @param role - Role name to check for\n   * @returns True if user has the role\n   */\n  async hasRole(user: CloudUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  /**\n   * Get all permissions for a user by mapping their role.\n   *\n   * Uses the configured roleMapping to translate the user's role\n   * into Mastra permission strings.\n   *\n   * If the user has no role, the _default permissions from the\n   * role mapping are applied.\n   *\n   * @param user - Cloud user to get permissions for\n   * @returns Array of permission strings\n   */\n  async getPermissions(user: CloudUser): Promise<string[]> {\n    const roles = await this.getRoles(user);\n\n    if (roles.length === 0) {\n      return this.options.roleMapping['_default'] ?? [];\n    }\n\n    return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n  }\n\n  /**\n   * Check if a user has a specific permission.\n   *\n   * Uses wildcard matching to check if the user's permissions\n   * grant access to the required permission.\n   *\n   * @param user - Cloud user to check\n   * @param permission - Permission to check for (e.g., 'agents:read')\n   * @returns True if user has the permission\n   */\n  async hasPermission(user: CloudUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  /**\n   * Check if a user has ALL of the specified permissions.\n   *\n   * @param user - Cloud user to check\n   * @param permissions - Array of permissions to check for\n   * @returns True if user has all permissions\n   */\n  async hasAllPermissions(user: CloudUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return 
permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  /**\n   * Check if a user has ANY of the specified permissions.\n   *\n   * @param user - Cloud user to check\n   * @param permissions - Array of permissions to check for\n   * @returns True if user has at least one permission\n   */\n  async hasAnyPermission(user: CloudUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n}\n"]}