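/**
 * WorkOS FGA provider for Mastra.
 *
 * Integrates WorkOS Authorization API with Mastra's FGA interface
 * for permission-based, resource-level authorization.
 *
 * NOTE(review): the generic type arguments in this declaration (`Promise<...>`,
 * `filterAccessible<T>`) had been stripped from the listing; they are restored
 * here from the otherwise-unused imports (`FGAResource`, `FGARoleAssignment`)
 * and the `IFGAManager` contract. Confirm against the built `fga-provider.d.ts`.
 *
 * @license Mastra Enterprise License - see ee/LICENSE
 */
import type {
  IFGAManager,
  FGACheckParams,
  FGAResource,
  FGACreateResourceParams,
  FGAUpdateResourceParams,
  FGADeleteResourceParams,
  FGAListResourcesOptions,
  FGARoleAssignment,
  FGARoleParams,
  FGAListRoleAssignmentsOptions,
  MastraFGAPermissionInput,
} from './_types/@internal_auth/dist/ee/index.d.ts';
import type { MastraFGAWorkosOptions, WorkOSUser } from './types.js';

/**
 * Thrown when a WorkOS authorization resource lookup finds nothing.
 *
 * `status` is fixed at 404 so an HTTP layer can map it directly. Callers that
 * surface this to end users should be aware that it confirms the non-existence
 * of a specific `resourceType`/`resourceId` pair.
 */
export declare class WorkOSFGAResourceNotFoundError extends Error {
  readonly status = 404;
  /** Resource type that was looked up. */
  readonly resourceType: string;
  /** Resource identifier that was looked up. */
  readonly resourceId: string;
  constructor(resourceType: string, resourceId: string);
}

/**
 * Thrown when a user's organization membership cannot be resolved, i.e. there
 * is no subject to evaluate a WorkOS authorization check against.
 *
 * `status` is fixed at 500: this is a configuration/data problem (missing
 * memberships on the user object), not a permission denial. Do not treat it
 * as "allowed"; it must fail closed at the route layer.
 */
export declare class WorkOSFGAMembershipResolutionError extends Error {
  readonly status = 500;
  /** Presumably taken from `user`; optional because the user may carry no ID. */
  readonly userId?: string;
  constructor(user: WorkOSUser);
}

/**
 * WorkOS FGA provider using the new Authorization API.
 *
 * Uses `resourceMapping` to translate Mastra resource types to WorkOS FGA resource types
 * and `permissionMapping` to translate Mastra permissions to WorkOS permission slugs.
 *
 * Security notes for operators:
 * - Every Mastra permission you rely on should appear in `permissionMapping`.
 *   An unmapped permission is sent to WorkOS as a slug with that literal name
 *   (see `resolvePermission`), which is rarely what the WorkOS role model defines.
 * - Configure `organizationId` when users can belong to more than one
 *   organization; otherwise membership resolution falls back to the user's
 *   first membership (see `resolveOrganizationMembershipId`), and checks are
 *   evaluated against whichever organization happens to be listed first.
 * - Mapping several Mastra resource types onto one coarse WorkOS resource
 *   (e.g. `agent` and `workflow` both onto `team` below) means the check is
 *   "may this user act on agents in their team", not a per-agent decision.
 *
 * @example Basic usage
 * ```typescript
 * import { MastraFGAWorkos } from '@mastra/auth-workos';
 * import { MastraFGAPermissions } from '@internal/auth/ee';
 *
 * const fga = new MastraFGAWorkos({
 *   resourceMapping: {
 *     // Coarse-grained: every agent/workflow resolves to the caller's own team.
 *     agent: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },
 *     workflow: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },
 *     // Fine-grained: each thread is its own WorkOS resource.
 *     thread: { fgaResourceType: 'workspace-thread', deriveId: ({ resourceId }) => resourceId },
 *   },
 *   permissionMapping: {
 *     [MastraFGAPermissions.AGENTS_EXECUTE]: 'manage-workflows',
 *     [MastraFGAPermissions.WORKFLOWS_EXECUTE]: 'manage-workflows',
 *     [MastraFGAPermissions.MEMORY_READ]: 'read',
 *     [MastraFGAPermissions.MEMORY_WRITE]: 'update',
 *   },
 * });
 * ```
 *
 * @example With Mastra server config
 * ```typescript
 * const mastra = new Mastra({
 *   server: {
 *     auth: new MastraAuthWorkos({ ... }),
 *     fga: new MastraFGAWorkos({
 *       resourceMapping: { ... },
 *       permissionMapping: { ... },
 *     }),
 *   },
 * });
 * ```
 */
export declare class MastraFGAWorkos implements IFGAManager {
  private workos;
  /** Optional pin to one organization; see `resolveOrganizationMembershipId`. */
  private organizationId?;
  private resourceMapping;
  private permissionMapping;
  /**
   * NOTE(review): the semantics of these four route-level options are defined
   * by `MastraFGAWorkosOptions`, not visible here. Verify in particular what a
   * protected route does when `requireForProtectedRoutes` is left undefined.
   */
  readonly requireForProtectedRoutes?: boolean;
  readonly auditProtectedRoutes?: boolean | 'warn' | 'error';
  readonly resolveRouteFGA?: MastraFGAWorkosOptions['resolveRouteFGA'];
  readonly validatePermissions?: MastraFGAWorkosOptions['validatePermissions'];
  constructor(options: MastraFGAWorkosOptions);

  /**
   * Check if a user has permission on a resource.
   *
   * Resolves the user's organization membership ID, maps the permission
   * via `permissionMapping`, and delegates to `workos.authorization.check()`.
   *
   * When `params.permission` is an array, ANY-of semantics apply: returns true
   * if any single permission in the array authorizes the user.
   *
   * Fails closed: when no organization membership can be resolved the check
   * denies (see `resolveOrganizationMembershipId`).
   *
   * @returns `true` only when WorkOS authorizes at least one mapped permission.
   */
  check(user: WorkOSUser, params: FGACheckParams): Promise<boolean>;

  /**
   * Require that a user has permission, throwing FGADeniedError if not.
   *
   * When `params.permission` is an array, ANY-of semantics apply: passes if any
   * single permission authorizes the user; throws if none do.
   *
   * @throws FGADeniedError when `check()` would return `false`.
   */
  require(user: WorkOSUser, params: FGACheckParams): Promise<void>;

  /**
   * Filter resources to only those the user has permission to access.
   *
   * Uses WorkOS `listResourcesForMembership()` when the resource mapping can
   * resolve a parent resource from user context. This avoids one check per
   * resource for list endpoints like agents/workflows/tools.
   *
   * Falls back to per-resource `check()` calls when no parent resource can be
   * resolved from the configured mapping.
   *
   * NOTE(review): both paths must agree on the permission being evaluated —
   * the list fast path has to use the same mapped slug as `check()`; confirm
   * in the implementation. The constraint on `T` (presumably an `id` field
   * that `resolveResourceId` reads) is not recoverable from this listing.
   *
   * @returns The subset of `resources`, in input order, the user may access.
   */
  filterAccessible<T>(
    user: WorkOSUser,
    resources: T[],
    resourceType: string,
    permission: MastraFGAPermissionInput,
  ): Promise<T[]>;

  /**
   * Create an authorization resource in WorkOS.
   */
  createResource(params: FGACreateResourceParams): Promise<FGAResource>;

  /**
   * Get an authorization resource by ID.
   *
   * @throws WorkOSFGAResourceNotFoundError presumably when WorkOS has no such resource — confirm.
   */
  getResource(resourceId: string): Promise<FGAResource>;

  /**
   * List authorization resources with optional filters.
   */
  listResources(options?: FGAListResourcesOptions): Promise<FGAResource[]>;

  /**
   * Update an authorization resource.
   */
  updateResource(params: FGAUpdateResourceParams): Promise<FGAResource>;

  /**
   * Delete an authorization resource.
   */
  deleteResource(params: FGADeleteResourceParams): Promise<void>;

  /**
   * Assign a role to an organization membership on a resource.
   *
   * This grants access; callers should themselves be authorized to administer
   * the target resource before invoking it.
   */
  assignRole(params: FGARoleParams): Promise<void>;

  /**
   * Remove a role assignment.
   */
  removeRole(params: FGARoleParams): Promise<void>;

  /**
   * List role assignments for an organization membership.
   */
  listRoleAssignments(options: FGAListRoleAssignmentsOptions): Promise<FGARoleAssignment[]>;

  /**
   * Resolve the organization membership ID from a user object.
   * Looks for organizationMembershipId, then finds membership matching
   * configured organizationId, then falls back to first membership.
   *
   * Returns undefined if no membership can be resolved, which causes
   * authorization checks to deny access. Enable `fetchMemberships: true`
   * on MastraAuthWorkos to populate the memberships field.
   *
   * Security: the first-membership fallback only applies when no
   * `organizationId` is configured. For multi-organization users that makes
   * the authorization subject depend on membership ordering; set
   * `organizationId` to make it deterministic.
   */
  private resolveOrganizationMembershipId;

  /**
   * Map a Mastra permission string to a WorkOS permission slug via permissionMapping.
   * Falls back to the original permission if no mapping is found.
   *
   * Security: the fallback passes the raw Mastra permission string to WorkOS
   * as a slug. Keep `permissionMapping` complete so no check silently targets
   * a slug that was never defined in WorkOS.
   */
  private resolvePermission;

  /**
   * Resolve the parent resource context needed for WorkOS resource discovery.
   */
  private resolveParentResource;

  /**
   * Resolve the FGA resource ID using resourceMapping's deriveId function.
   * Falls back to the original resource ID if no mapping is found.
   *
   * With the fallback, the Mastra resource ID is used verbatim as the WorkOS
   * external resource ID; ensure the two ID spaces actually coincide.
   */
  private resolveResourceId;

  private buildCheckOptions;
  private getResourceMapping;

  /**
   * List accessible child resources for a membership, following pagination.
   */
  private listAccessibleResourceExternalIds;

  /**
   * Map a WorkOS AuthorizationResource to Mastra's FGAResource type.
   */
  private mapAuthorizationResource;
}
//# sourceMappingURL=fga-provider.d.ts.map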