{"version":3,"sources":["../../../packages/_internal-core/src/logger/index.ts","../../../packages/_internal-core/src/base/MastraBase.ts","../../../packages/_internals/auth/src/provider/index.ts","../src/session-storage.ts","../src/types.ts","../src/auth-provider.ts","../../../packages/_internals/auth/src/ee/fga-check.ts","../../../packages/_internals/auth/src/ee/defaults/roles.ts","../src/rbac-provider.ts","../src/fga-provider.ts","../src/directory-sync.ts","../src/admin-portal.ts"],"names":["CookieSessionStorage","LRUCache","WorkOS","AuthService","sessionEncryption","auth","verifyJwks","GeneratePortalLinkIntent"],"mappings":";;;;;;;;AAEO,IAAM,gBAAA,GAAmB;EAO9B,GAAA,EAAK,KAcP,CAAA;AAIO,IAAM,QAAA,GAAW;EACtB,KAAA,EAAO,OAAA;EACP,IAAA,EAAM,MAAA;EACN,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAET,CAAA;AAsGO,IAAe,eAAf,MAAqD;AAChD,EAAA,IAAA;AACA,EAAA,KAAA;AACA,EAAA,UAAA;EAEV,WAAA,CACE,OAAA,GAII,EAAA,EACJ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,QAAQ,IAAA,IAAQ,QAAA;AAC5B,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAA,CAAQ,KAAA,IAAS,QAAA,CAAS,KAAA;AACvC,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,GAAA,CAAI,MAAA,CAAO,QAAQ,OAAA,CAAQ,UAAA,IAAc,EAAE,CAAC,CAAA;AACpE,EAAA;EAOA,aAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;AAEA,EAAA,cAAA,CAAe,QAAe,SAAA,EAAqC;AAAC,EAAA;EAEpE,MAAM,QAAA,CACJ,aACA,MAAA,EAQA;AACA,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,EAAG;AACrD,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,MAAA,EAAQ,IAAA,IAAQ,GAAG,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClG,IAAA;AAEA,IAAA,OACE,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,CAAG,QAAA,GAAW,MAAM,CAAA,IAAK;AACtD,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,QAAQ,IAAA,IAAQ,CAAA;AACtB,MAAA,OAAA,EAAS,QAAQ,OAAA,IAAW,GAAA;MAC5B,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AAEA,EAAA,MAAM,eAAA,CAAgB;AACpB,IAAA,WAAA;AACA,IAAA,KAAA;AACA,IAAA,QAAA;AACA,IAAA,MAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAUC;AACD,IAAA,IAAI,CAAC,eAAe,CAAC,IAAA,CAAK,WAAW,GAAA,CAAI,WAAW,CAAA,IAAK,CAAC,KAAA,EAAO;AAC/D,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,KAAA,EAAO,CAAA,EAAG,IAAA,EAAM,IAAA,IAAQ,CAAA,EAAG,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClF,IAAA;AAEA,IAAA,OACE,IAAA,CAAK,UAAA,CACF,GAAA,CAAI,WAAW,EACf,eAAA,GAAkB,EAAE,KAAA,EAAO,QAAA,EAAU,QAAQ,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,OAAA,EAAS,CAAA,IAAK;AACrF,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,IAAA,IAAQ,CAAA;AACd,MAAA,OAAA,EAAS,OAAA,IAAW,GAAA;MACpB,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AACF,CAAA;AAkBO,IAAM,aAAA,GAAN,MAAM,cAAA,SAAsB,YAAA,CAAa;AACpC,EAAA,SAAA;AACA,EAAA,MAAA;EAEV,WAAA,CAAY,OAAA,GAAgC,EAAA,EAAI;AAC9C,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACxB,EAAA;AAEA,EAAA,KAAA,CAAM,mBAAA,EAAgF;AACpF,IAAA,MAAM,YACJ,OAAO,mBAAA,KAAwB,WAC3B,mBAAA,GACE,mBAAA,EAAqB,aAAkC,IAAA,CAAK,SAAA;AACpE,IAAA,OAAO,IAAI,cAAA,CAAc;AACvB,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,KAAA,EAAO,IAAA,CAAK,KAAA;AACZ,MAAA,SAAA;AACA,MAAA,MAAA,EAAQ,IAAA,CAAK;KACd,CAAA;AACH,EAAA;EAEQ,SAAA,CAAU,KAAA,EAAiB,SAAiB,IAAA,EAA0B;AAC5E,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,EAAQ,OAAO,IAAA;AACzB,IAAA,IAAI;AACF,MAAA,OAAO,IAAA,CAAK,OAAO,EAAE,SAAA,EAAW,KAAK,SAAA,EAAW,KAAA,EAAO,OAAA,EAAS,IAAA,EAAM,CAAA;AACxE,IAAA,CAAA,CAAA,OAAS,CAAA,EAAG;AACV,MAAA,OAAA,CAAQ,MAAM,CAAA,oCAAA,EAAuC,IAAA,CAAK,SAAS,CAAA,OAAA,EAAU,KAAK,KAAK,CAAC,CAAA;AACxF,MAAA,OAAO,IAAA;AACT,IAAA;AACF,EAAA;EAEQ,MAAA,GAAiB;AACvB,IAAA,OAAO,IAAA,CAAK,SAAA,GAAY,CAAA,CAAA,EAAI,IAAA,CAAK,SAAS,CAAA,EAAA,CAAA,GAAO,EAAA;AACnD,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,IAAS,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,EAAO,OAAA,EAAS,IAAI,CAAA,EAAG;AAClF,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAA,CACG,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,KAAK,KAAA,KAAU,QAAA,CAAS,KAAA,KACzD,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA,EAAM,OAAA,EAAS,IAAI,CAAA,EAC3C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAA,CACG,KAAK,KAAA,KAAU,QAAA,CAAS,QAAQ,IAAA,CAAK,KAAA,KAAU,SAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,UACzF,IAAA,CAAK,SAAA,CAAU,SAAS,IAAA,EAAM,OAAA,EAAS,IAAI,CAAA,EAC3C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACpD,IAAA;AACF,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAA,CACG,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,IACvB,KAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,QACxB,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,KAC1B,IAAA,CAAK,UAAU,QAAA,CAAS,KAAA,EAAO,OAAA,EAAS,IAAI,CAAA,EAC5C;AACA,MAAA,OAAA,CAAQ,KAAA,CAAM,GAAG,IAAA,CAAK,MAAA,EAAQ,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,GAAG,IAAI,CAAA;AACrD,IAAA;AACF,EAAA;EAEA,MAAM,QAAA,CACJ,cACA,OAAA,EAQA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,GAAG,OAAA,EAAS,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AACpG,EAAA;AAEA,EAAA,MAAM,gBAAgB,KAAA,EASnB;AACD,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,GAAG,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAC9F,EAAA;AACF,CAAA;;;AClVO,IAAM,aAAN,MAAiB;AACtB,EAAA,SAAA,GAA8B,gBAAA,CAAiB,GAAA;AACrC,EAAA,MAAA;AACV,EAAA,IAAA;AACA,EAAA,UAAA;EAEA,WAAA,CAAY;AACV,IAAA,SAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAKC;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,aAAa,gBAAA,CAAiB,GAAA;AAC/C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,aAAA,CAAc,EAAE,IAAA,EAAM,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,GAAA,EAAM,IAAA,CAAK,IAAI,CAAA,CAAA,EAAI,CAAA;AAC9E,EAAA;;;;;EAMA,WAAA,GAAmD;AACjD,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;;;;;AAMA,EAAA,cAAA,CAAe,SAAA,EAA0C;AACvD,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AACpB,EAAA;;;;;AAMA,EAAA,WAAA,CAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GACH,OAAA,IAAW,MAAA,IAAU,OAAQ,OAAe,KAAA,KAAU,UAAA,GACjD,MAAA,CAAe,KAAA,CAAM,EAAE,SAAA,EAAW,IAAA,CAAK,SAAA,EAAW,CAAA,GACnD,MAAA;AACR,EAAA;AACF,CAAA;;;ACtBO,IAAe,kBAAA,GAAf,cAA2D,UAAA,CAAW;AACpE,EAAA,SAAA;AACA,EAAA,MAAA;AAGP,EAAA,WAAA,CAAY,OAAA,EAA4C;AACtD,IAAA,KAAA,CAAM,EAAE,SAAA,EAAW,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,MAAM,CAAA;AAEhD,IAAA,IAAI,SAAS,aAAA,EAAe;AAC1B,MAAA,IAAA,CAAK,aAAA,GAAgB,OAAA,CAAQ,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACtD,IAAA;AAEA,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACvB,IAAA,IAAA,CAAK,sBAAsB,OAAA,EAAS,mBAAA;AACtC,EAAA;AAkBU,EAAA,eAAA,CAAgB,IAAA,EAAyC;AACjE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA,CAAK,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACnD,IAAA;AACA,IAAA,IAAI,MAAM,mBAAA,EAAqB;AAC7B,MAAA,IAAA,CAAK,sBAAsB,IAAA,CAAK,mBAAA;AAClC,IAAA;AACA,IAAA,IAAI,MAAM,SAAA,EAAW;AACnB,MAAA,IAAA,CAAK,YAAY,IAAA,CAAK,SAAA;AACxB,IAAA;AACA,IAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACrB,IAAA;AACF,EAAA;AACF,CAAA;AC3DO,IAAM,iBAAA,GAAN,cAAgCA,mCAAA,CAAwC;AAAA,EAC7E,YAAY,MAAA,EAAuB;AACjC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,SAAA,CAAU,OAAA,EAAkB,IAAA,EAAsC;AACtE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,CAAE,MAAA;AAAA,MACtC,CAAC,KAAK,MAAA,KAAW;AACf,QAAA,MAAM,CAAC,YAAY,GAAG,UAAU,IAAI,MAAA,CAAO,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AAC3D,QAAA,IAAI,UAAA,EAAY;AACd,UAAA,GAAA,CAAI,UAAU,CAAA,GAAI,kBAAA,CAAmB,UAAA,CAAW,IAAA,CAAK,GAAG,CAAC,CAAA;AAAA,QAC3D;AACA,QAAA,OAAO,GAAA;AAAA,MACT,CAAA;AAAA,MACA;AAAC,KACH;AAEA,IAAA,OAAO,OAAA,CAAQ,IAAI,CAAA,IAAK,IAAA;AAAA,EAC1B;AACF;;;ACZO,SAAS,sBAAsB,IAAA,EAAoB;AACxD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,IAAA,EAAM,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,WAAW,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,CAAA,EAAI,IAAA,CAAK,QAAQ,CAAA,CAAA,GAAK,IAAA,CAAK,aAAa,IAAA,CAAK,KAAA;AAAA,IACtG,SAAA,EAAW,KAAK,iBAAA,IAAqB,MAAA;AAAA,IACrC,QAAA,EAAU;AAAA,MACR,UAAU,IAAA,CAAK,EAAA;AAAA,MACf,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;;;ACbA,SAAS,cAAc,OAAA,EAAiD;AACtE,EAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,IAAA,OAAO,OAAA;AAAA,EACT;AAEA,EAAA,OAAO,OAAA,CAAQ,GAAA,YAAe,OAAA,GAAU,OAAA,CAAQ,GAAA,GAAM,MAAA;AACxD;AAUA,IAAM,mBAAA,GAAsB,MAAA,CAAO,UAAA,EAAW,GAAI,OAAO,UAAA,EAAW;AACpE,IAAM,0BAA0B,EAAA,GAAK,GAAA;AACrC,IAAM,yBAAA,GAA4B,GAAA;AAoB3B,IAAM,gBAAA,GAAN,cACG,kBAAA,CAEV;AAAA,EACY,MAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EACA,MAAA;AAAA,EACA,gBAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA;AAAA,EACA,mBAAA;AAAA,EACA,eAAA;AAAA,EAEV,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,UAAU,CAAA;AAEzC,IAAA,MAAM,MAAA,GAAS,OAAA,EAAS,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAClD,IAAA,MAAM,WAAA,GAAc,OAAA,EAAS,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,mBAAA;AACxD,IAAA,MAAM,iBACJ,OAAA,EAAS,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,IAAI,sBAAA,IAA0B,mBAAA;AAE5E,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAI,cAAA,CAAe,SAAS,EAAA,EAAI;AAC9B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AACnB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,GAAA;AAC1B,IAAA,IAAA,CAAK,gBAAA,GAAmB,SAAS,gBAAA,IAAoB,KAAA;AACrD,IAAA,IAAA,CAAK,cAAA,GAAiB,SAAS,cAAA,IAAkB,KAAA;AACjD,IAAA,IAAA,CAAK,kBAAkB,OAAA,EAAS,SAAA;AAChC,IAAA,IAAA,CAAK,sBAAsB,OAAA,EAAS,mBAAA;AACpC,IAAA,IAAA,CAAK,eAAA,GAAkB,IAAIC,iBAAA,CAA2C;AAAA,MACpE,GAAA,EAAK,yBAAA;AAAA,MACL,GAAA,EAAK;AAAA,KACN,CAAA;AAGD,IAAA,IAAA,CAAK,SAAS,IAAIC,WAAA,CAAO,MAAA,EAAQ,EAAE,UAAU,CAAA;AAG7C,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,QAAA;AAAA,MACA,MAAA;AAAA,MACA,WAAA;AAAA,MACA,cAAA;AAAA,MACA,UAAA,EAAY,OAAA,EAAS,OAAA,EAAS,UAAA,IAAc,aAAA;AAAA,MAC5C,cAAc,OAAA,EAAS,OAAA,EAAS,MAAA,IAAU,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;AAAA;AAAA,MACzD,cAAA,EAAgB,OAAA,EAAS,OAAA,EAAS,QAAA,EAAU,WAAA,EAAY;AAAA,MACxD,YAAA,EAAc,MAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACZ;AAGA,IAAA,MAAM,OAAA,GAAU,IAAI,iBAAA,CAAkB,IAAA,CAAK,MAAM,CAAA;AAGjD,IAAA,IAAA,CAAK,WAAA,GAAc,IAAIC,0BAAA,CAAY,IAAA,CAAK,QAAQ,OAAA,EAAS,IAAA,CAAK,QAAeC,gCAAiB,CAAA;AAE9F,IAAA,IAAA,CAAK,gBAAgB,OAAgD,CAAA;AAErE,IAAA,IAAI,mBAAmB,mBAAA,EAAqB;AAC1C,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OAGF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAAwD;AAC7F,IAAA,IAAI;AAEF,MAAA,MAAM,UAAA,GAAa,cAAc,OAAO,CAAA;AACxC,MAAA,MAAM,QAAEC,MAAA,EAAK,GAAI,UAAA,GAAa,MAAM,IAAA,CAAK,WAAA,CAAY,QAAA,CAAS,UAAU,IAAI,EAAE,IAAA,EAAM,EAAE,IAAA,EAAM,MAAK,EAAE;AAEnG,MAAA,IAAIA,OAAK,IAAA,EAAM;AAIb,QAAA,IAAI,WAAA;AACJ,QAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,UAAA,IAAI;AACF,YAAA,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAeA,MAAA,CAAK,KAAK,EAAE,CAAA;AAAA,UACtD,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAEA,QAAA,OAAO;AAAA,UACL,GAAG,qBAAA,CAAsBA,MAAA,CAAK,IAAI,CAAA;AAAA,UAClC,QAAA,EAAUA,OAAK,IAAA,CAAK,EAAA;AAAA,UACpB,gBAAgBA,MAAA,CAAK,cAAA;AAAA,UACrB;AAAA,SACF;AAAA,MACF;AAGA,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,MAAM,UAAU,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,UAAA,CAAW,KAAK,QAAQ,CAAA;AACnE,QAAA,MAAM,OAAA,GAAU,MAAMC,eAAA,CAAW,KAAA,EAAO,OAAO,CAAA;AAC/C,QAAA,MAAM,OAAA,GAAU,IAAA,CAAK,qBAAA,CAAsB,OAAO,CAAA;AAElD,QAAA,IAAI,IAAA,CAAK,cAAA,IAAkB,OAAA,EAAS,EAAA,IAAM,SAAS,QAAA,EAAU;AAC3D,UAAA,OAAO,MAAM,IAAA,CAAK,yBAAA,CAA0B,OAAO,CAAA;AAAA,QACrD;AAEA,QAAA,IAAI,SAAS,GAAA,EAAK;AAChB,UAAA,IAAI;AACF,YAAA,MAAM,OAAO,MAAM,IAAA,CAAK,OAAO,cAAA,CAAe,OAAA,CAAQ,QAAQ,GAAG,CAAA;AACjE,YAAA,IAAI,WAAA;AAGJ,YAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,cAAA,IAAI;AACF,gBAAA,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,EAAE,CAAA;AAAA,cACjD,CAAA,CAAA,MAAQ;AACN,gBAAA,WAAA,GAAc,MAAA;AAAA,cAChB;AAAA,YACF;AAEA,YAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,cACV;AAAA,gBACE,GAAG,sBAAsB,IAAI,CAAA;AAAA,gBAC7B,UAAU,IAAA,CAAK,EAAA;AAAA,gBACf,cAAA,EAAgB,IAAA,CAAK,iCAAA,CAAkC,WAAW,CAAA;AAAA,gBAClE;AAAA,eACF;AAAA,cACA,OAAA;AAAA,cACA,EAAE,uBAAA,EAAyB,IAAA,CAAK,cAAA;AAAe,aACjD;AAAA,UACF,CAAA,CAAA,MAAQ;AACN,YAAA,IAAI,IAAA,CAAK,cAAA,IAAkB,OAAA,EAAS,EAAA,IAAM,SAAS,QAAA,EAAU;AAC3D,cAAA,OAAO,MAAM,IAAA,CAAK,yBAAA,CAA0B,OAAO,CAAA;AAAA,YACrD;AACA,YAAA,OAAO,IAAA;AAAA,UACT;AAAA,QACF;AAEA,QAAA,IAAI,IAAA,CAAK,cAAA,IAAkB,OAAA,EAAS,EAAA,IAAM,SAAS,QAAA,EAAU;AAC3D,UAAA,OAAO,MAAM,IAAA,CAAK,yBAAA,CAA0B,OAAO,CAAA;AAAA,QACrD;AAAA,MACF;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,IAAA,EAAoC;AACtD,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA,IAAM,CAAC,CAAC,IAAA,EAAM,QAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAM,oBAAA,EAAqB,GAAI,MAAM,IAAA,CAAK,WAAA,CAAY,SAAS,OAAO,CAAA;AAE9E,MAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAKA,MAAA,IAAI,iBAAiB,IAAA,CAAK,cAAA;AAC1B,MAAA,IAAI,WAAA;AACJ,MAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,QAAA,IAAI;AACF,UAAA,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAA,CAAK,KAAK,EAAE,CAAA;AACpD,UAAA,cAAA,KAAmB,IAAA,CAAK,kCAAkC,WAAW,CAAA;AAAA,QACvE,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAGA,MAAA,MAAM,IAAA,GAAmB;AAAA,QACvB,GAAG,qBAAA,CAAsB,IAAA,CAAK,IAAI,CAAA;AAAA,QAClC,QAAA,EAAU,KAAK,IAAA,CAAK,EAAA;AAAA,QACpB,cAAA;AAAA,QACA;AAAA,OACF;AAGA,MAAA,IAAI,oBAAA,EAAsB;AACxB,QAAC,KAAa,qBAAA,GAAwB,oBAAA;AAAA,MACxC;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,MAAA,EAA4C;AACxD,IAAA,IAAI;AACF,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,QAAQ,MAAM,CAAA;AAC5D,MAAA,OAAO;AAAA,QACL,GAAG,sBAAsB,IAAI,CAAA;AAAA,QAC7B,UAAU,IAAA,CAAK;AAAA,OACjB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAc,eAAe,MAAA,EAAmD;AAC9E,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,MAAM,CAAA;AAC9C,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,QAC5E;AAAA,OACD,CAAA;AAED,MAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,cAAA,EAAe;AAClD,MAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,MAAA,EAAQ,WAAW,CAAA;AAC5C,MAAA,OAAO,WAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,MAAM,CAAA;AAClC,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAc,0BAA0B,IAAA,EAAuC;AAC7E,IAAA,IAAI,CAAC,IAAA,CAAK,gBAAA,IAAoB,IAAA,CAAK,wBAAA,EAA0B;AAC3D,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,KAAK,QAAQ,CAAA;AAC3D,MAAA,OAAO;AAAA,QACL,GAAG,IAAA;AAAA,QACH,cAAA,EAAgB,IAAA,CAAK,cAAA,IAAkB,IAAA,CAAK,kCAAkC,WAAW,CAAA;AAAA,QACzF;AAAA,OACF;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,kCAAkC,WAAA,EAA4D;AACpG,IAAA,OAAO,aAAa,MAAA,KAAW,CAAA,GAAI,WAAA,CAAY,CAAC,GAAG,cAAA,GAAiB,MAAA;AAAA,EACtE;AAAA,EAEQ,sBAAsB,OAAA,EAA+C;AAC3E,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,sBAAA,CAAuB,OAAO,CAAA;AACxD,IAAA,MAAM,kBAAA,GAAqB,IAAA,CAAK,mBAAA,GAAsB,OAAO,CAAA,IAAK,MAAA;AAClE,IAAA,MAAM,QAAA,GAAW;AAAA,MACf,GAAI,OAAA;AAAA,MACJ,GAAI,gBAAgB,EAAC;AAAA,MACrB,GAAI,sBAAsB;AAAC,KAC7B;AAEA,IAAA,MAAM,KAAK,OAAO,QAAA,CAAS,EAAA,KAAO,QAAA,GAAW,SAAS,EAAA,GAAK,MAAA;AAC3D,IAAA,MAAM,WAAW,OAAO,QAAA,CAAS,QAAA,KAAa,QAAA,GAAW,SAAS,QAAA,GAAW,EAAA;AAC7E,IAAA,IAAI,CAAC,EAAA,IAAM,CAAC,QAAA,EAAU;AACpB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,QAAA,GACJ,QAAA,CAAS,QAAA,IAAY,OAAO,SAAS,QAAA,KAAa,QAAA,IAAY,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAA,CAAS,QAAQ,CAAA,GAC1F,SAAS,QAAA,GACT,MAAA;AAEN,IAAA,OAAO;AAAA,MACL,GAAG,QAAA;AAAA,MACH,EAAA;AAAA,MACA,QAAA;AAAA,MACA,OAAO,OAAO,QAAA,CAAS,KAAA,KAAU,QAAA,GAAW,SAAS,KAAA,GAAQ,MAAA;AAAA,MAC7D,IAAA,EACE,OAAO,QAAA,CAAS,IAAA,KAAS,QAAA,GAAW,QAAA,CAAS,IAAA,GAAO,OAAO,QAAA,CAAS,KAAA,KAAU,QAAA,GAAW,QAAA,CAAS,KAAA,GAAQ,EAAA;AAAA,MAC5G,gBAAgB,OAAO,QAAA,CAAS,cAAA,KAAmB,QAAA,GAAW,SAAS,cAAA,GAAiB,MAAA;AAAA,MACxF,0BACE,OAAO,QAAA,CAAS,wBAAA,KAA6B,QAAA,GAAW,SAAS,wBAAA,GAA2B,MAAA;AAAA,MAC9F,QAAA,EAAU;AAAA,QACR,GAAI,YAAY,EAAC;AAAA,QACjB,QAAA;AAAA,QACA,GAAI,OAAO,QAAA,CAAS,cAAA,KAAmB,QAAA,GAAW,EAAE,cAAA,EAAgB,QAAA,CAAS,cAAA,EAAe,GAAI,EAAC;AAAA,QACjG,GAAI,OAAO,QAAA,CAAS,wBAAA,KAA6B,QAAA,GAC7C,EAAE,wBAAA,EAA0B,QAAA,CAAS,wBAAA,EAAyB,GAC9D;AAAC;AACP,KACF;AAAA,EACF;AAAA,EAEQ,uBAAuB,OAAA,EAAiD;AAC9E,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,IAAA,CAAK,eAAA,EAAiB,MAAM,CAAA,IAAK,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,KAAK,CAAA;AAC3G,IAAA,MAAM,WAAW,IAAA,CAAK,YAAA,CAAa,SAAS,IAAA,CAAK,eAAA,EAAiB,QAAQ,CAAA,IAAK,MAAA;AAE/E,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,MAAA;AAAA,MACJ,QAAA;AAAA,MACA,KAAA,EAAO,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,IAAA,CAAK,eAAA,EAAiB,KAAK,CAAA,IAAK,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,OAAO,CAAA;AAAA,MACpG,IAAA,EAAM,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,IAAA,CAAK,eAAA,EAAiB,IAAI,CAAA,IAAK,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,MAAM,CAAA;AAAA,MACjG,cAAA,EACE,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,IAAA,CAAK,eAAA,EAAiB,cAAc,CAAA,IAAK,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,QAAQ,CAAA;AAAA,MACzG,0BAA0B,IAAA,CAAK,YAAA,CAAa,OAAA,EAAS,IAAA,CAAK,iBAAiB,wBAAwB;AAAA,KACrG;AAAA,EACF;AAAA,EAEQ,mBAAA,CACN,IAAA,EACA,OAAA,EACA,OAAA,EACY;AACZ,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,uBAAA,GAA0B,SAAS,uBAAA,IAA2B,IAAA;AACpE,IAAA,MAAM,cAAc,EAAE,GAAI,OAAA,CAAQ,QAAA,IAAY,EAAC,EAAG;AAClD,IAAA,IAAI,CAAC,uBAAA,EAAyB;AAC5B,MAAA,OAAO,WAAA,CAAY,cAAA;AACnB,MAAA,OAAO,WAAA,CAAY,wBAAA;AAAA,IACrB;AAEA,IAAA,OAAO;AAAA,MACL,GAAG,OAAA;AAAA,MACH,GAAG,IAAA;AAAA,MACH,gBAAgB,uBAAA,GAA2B,OAAA,CAAQ,cAAA,IAAkB,IAAA,CAAK,iBAAkB,IAAA,CAAK,cAAA;AAAA,MACjG,0BAA0B,uBAAA,GACrB,OAAA,CAAQ,wBAAA,IAA4B,IAAA,CAAK,2BAC1C,IAAA,CAAK,wBAAA;AAAA,MACT,aAAa,uBAAA,GAA2B,IAAA,CAAK,WAAA,IAAe,OAAA,CAAQ,cAAe,IAAA,CAAK,WAAA;AAAA,MACxF,QAAA,EAAU;AAAA,QACR,GAAG,WAAA;AAAA,QACH,GAAI,IAAA,CAAK,QAAA,IAAY;AAAC;AACxB,KACF;AAAA,EACF;AAAA,EAEQ,YAAA,CAAa,SAAqB,SAAA,EAAwC;AAChF,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI,OAAA,GAAmB,OAAA;AACvB,IAAA,KAAA,MAAW,OAAA,IAAW,SAAA,CAAU,KAAA,CAAM,GAAG,CAAA,EAAG;AAC1C,MAAA,IAAI,CAAC,OAAA,IAAW,OAAO,YAAY,QAAA,IAAY,EAAE,WAAW,OAAA,CAAA,EAAU;AACpE,QAAA,OAAO,MAAA;AAAA,MACT;AACA,MAAA,OAAA,GAAW,QAAoC,OAAO,CAAA;AAAA,IACxD;AAEA,IAAA,OAAO,OAAO,OAAA,KAAY,QAAA,GAAW,OAAA,GAAU,MAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AACtD,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,WAAA,EAAa,eAAe,IAAA,CAAK,WAAA;AAAA,MACjC;AAAA,KACF;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,UAAA,EAAY;AAC9B,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,YAAA,EAAc,KAAK,SAAA,CAAU;AAAA,OAC9B,CAAA;AAAA,IACH,CAAA,MAAA,IAAW,IAAA,CAAK,SAAA,EAAW,QAAA,EAAU;AACnC,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC1B,CAAA;AAAA,IACH,CAAA,MAAA,IAAW,IAAA,CAAK,SAAA,EAAW,mBAAA,EAAqB;AAC9C,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,cAAA,EAAgB,KAAK,SAAA,CAAU;AAAA,OAChC,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,MACpD,GAAG,WAAA;AAAA,MACH,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAoD;AAErF,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,oBAAA,CAAqB;AAAA,MACzE,UAAU,IAAA,CAAK,QAAA;AAAA,MACf;AAAA,KACD,CAAA;AAED,IAAA,MAAM,IAAA,GAAmB;AAAA,MACvB,GAAG,qBAAA,CAAsB,YAAA,CAAa,IAAI,CAAA;AAAA,MAC1C,QAAA,EAAU,aAAa,IAAA,CAAK,EAAA;AAAA,MAC5B,gBAAgB,YAAA,CAAa;AAAA,KAC/B;AAGA,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,aAAa,YAAA,CAAa,WAAA;AAAA,MAC1B,cAAc,YAAA,CAAa,YAAA;AAAA,MAC3B,MAAM,YAAA,CAAa,IAAA;AAAA,MACnB,gBAAgB,YAAA,CAAa,cAAA;AAAA,MAC7B,cAAc,YAAA,CAAa;AAAA,KAC7B;AAGA,IAAA,MAAM,cAAA,GAAiB,KAAK,MAAA,CAAO,cAAA;AACnC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,MAAA,CAAO,UAAA,IAAc,aAAA;AAC7C,IAAA,IAAI,OAAA;AAEJ,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,MAAM,gBAAA,GAAmB,MAAMF,gCAAA,CAAkB,QAAA,CAAS,aAAa,EAAE,QAAA,EAAU,gBAAgB,CAAA;AAEnG,MAAA,MAAM,aAAA,GAAgB;AAAA,QACpB,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,gBAAgB,CAAA,CAAA;AAAA,QACjC,QAAA;AAAA,QACA,UAAA;AAAA,QACA,CAAA,SAAA,EAAY,IAAA,CAAK,MAAA,CAAO,cAAA,IAAkB,KAAK,CAAA,CAAA;AAAA,QAC/C,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,KAAM,eAAe,QAAA,GAAW;AAAA,OACxD,CACG,MAAA,CAAO,OAAO,CAAA,CACd,KAAK,IAAI,CAAA;AACZ,MAAA,OAAA,GAAU,CAAC,aAAa,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,aAAa,YAAA,CAAa,WAAA;AAAA,QAC1B,cAAc,YAAA,CAAa;AAAA,OAC7B;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,YAAA,CAAa,WAAA,EAAqB,OAAA,EAA2C;AAEjF,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,WAAA,CAAY,SAAS,OAAO,CAAA;AAGxD,MAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,MAAM,GAAG,aAAa,IAAI,IAAA,CAAK,WAAA,CAAY,MAAM,GAAG,CAAA;AACpD,MAAA,IAAI,CAAC,aAAA,EAAe;AAClB,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,aAAa,CAAC,CAAA;AAC9C,MAAA,MAAM,YAAY,OAAA,CAAQ,GAAA;AAE1B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,IAAA,CAAK,OAAO,cAAA,CAAe,YAAA,CAAa,EAAE,SAAA,EAAW,QAAA,EAAU,aAAa,CAAA;AAAA,IACrF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,oBAAA,GAAuC;AACrC,IAAA,IAAI,IAAA,GAAO,SAAA;AACX,IAAA,IAAI,IAAA,CAAK,WAAW,QAAA,EAAU;AAC5B,MAAA,MAAM,aAAA,GAAwC;AAAA,QAC5C,WAAA,EAAa,QAAA;AAAA,QACb,cAAA,EAAgB,WAAA;AAAA,QAChB,WAAA,EAAa,QAAA;AAAA,QACb,UAAA,EAAY;AAAA,OACd;AACA,MAAA,MAAM,YAAA,GAAe,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA;AAC1D,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,IAAA,GAAO,gBAAgB,YAAY,CAAA,CAAA;AAAA,MACrC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,SAAA,GAAY,OAAO,UAAA,EAAW;AACpC,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,IAAA,CAAK,MAAA,CAAO,YAAA,GAAe,GAAI,CAAA;AAE1E,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,MAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,UAAA,EAA6C;AAGjE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,UAAA,EAAmC;AAAA,EAGxD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,UAAA,EAA6C;AAEhE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAwB,QAAA,EAAkC;AAGxD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,OAAA,EAA0C;AAG1D,IAAA,MAAM,gBAAiB,OAAA,CAAgB,cAAA;AACvC,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,EAAE,cAAc,KAAA,CAAM,OAAA,CAAQ,aAAa,CAAA,GAAI,aAAA,CAAc,CAAC,CAAA,GAAI,aAAA,EAAc;AAAA,IACzF;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,WAAA,GAAc,CAAC,CAAA,EAAG,IAAA,CAAK,OAAO,UAAU,CAAA,CAAA,CAAA,EAAK,QAAA,EAAU,WAAA,EAAa,UAAU,CAAA;AACpF,IAAA,OAAO,EAAE,YAAA,EAAc,WAAA,CAAY,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,SAAA,GAAoB;AAClB,IAAA,OAAO,IAAA,CAAK,MAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,cAAA,GAAiD;AAC/C,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,cAAA,GAAyB;AACvB,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AACF;;;ACrkBO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AACxB,EAAA,IAAA;AACA,EAAA,QAAA;AACA,EAAA,UAAA;AACA,EAAA,MAAA;EAEhB,WAAA,CACE,IAAA,EACA,QAAA,EACA,UAAA,EACA,MAAA,EACA;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,EAAM,EAAA,IAAM,IAAA,EAAM,QAAA,IAAY,SAAA;AAC7C,IAAA,MAAM,eAAA,GAAkB,KAAA,CAAM,OAAA,CAAQ,UAAU,CAAA,GAAI,WAAW,UAAA,CAAW,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,GAAM,UAAA;AAC1F,IAAA,KAAA;AACE,MAAA,MAAA,GACI,CAAA,0BAAA,EAA6B,MAAM,CAAA,CAAA,GACnC,CAAA,+BAAA,EAAkC,MAAM,CAAA,QAAA,EAAW,eAAe,CAAA,IAAA,EAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,QAAA,CAAS,EAAE,CAAA;AAAA,KAAA;AAE3G,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,GAAA;AAChB,EAAA;AACF,CAAA;AC1FA,IAAM,mBAAA,GAAyD;EAC7D,MAAA,EAAQ;AACN,IAAA,eAAA;AACA,IAAA,oBAAA;AACA,IAAA,sBAAA;AACA,IAAA,gBAAA;AACA,IAAA,eAAA;AACA,IAAA;AAAA;AAEJ,CAAA;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AACT,EAAA;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAIlD,EAAA,MAAM,gBAAA,GAAmB,mBAAA,CAAoB,YAAA,CAAa,CAAC,KAAK,EAAE,CAAA;AAClE,EAAA,IAAI,oBAAoB,gBAAA,CAAiB,QAAA,CAAS,cAAc,CAAC,CAAA,IAAK,EAAE,CAAA,EAAG;AACzE,IAAA,MAAM,OAAA,GAAU,CAAC,aAAA,CAAc,CAAC,CAAA,EAAG,GAAG,YAAA,CAAa,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AACrE,IAAA,OAAO,iBAAA,CAAkB,SAAS,kBAAkB,CAAA;AACtD,EAAA;AAGA,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAC5B,EAAA;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AACT,MAAA;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AACvB,IAAA;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AACT,EAAA;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AACT,EAAA;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AACT,EAAA;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AAuCO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAA;AACxB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAA;AAE5C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;IACF,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;AACF,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;ACjOA,IAAM,uBAAuB,EAAA,GAAK,GAAA;AAGlC,IAAM,sBAAA,GAAyB,GAAA;AAExB,IAAM,mBAAN,MAA4D;AAAA,EACzD,MAAA;AAAA,EACA,OAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOR,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,OAAA,EAAkC;AAC5C,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAEjD,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,SAAS,IAAIF,WAAAA,CAAO,MAAA,EAAQ,EAAE,UAAU,CAAA;AAC7C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAGf,IAAA,IAAA,CAAK,UAAA,GAAa,IAAID,iBAAAA,CAAoC;AAAA,MACxD,GAAA,EAAK,OAAA,CAAQ,KAAA,EAAO,OAAA,IAAW,sBAAA;AAAA,MAC/B,GAAA,EAAK,OAAA,CAAQ,KAAA,EAAO,KAAA,IAAS;AAAA,KAC9B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,SAAS,IAAA,EAAqC;AAElD,IAAA,IAAI,IAAA,CAAK,WAAA,IAAe,IAAA,CAAK,WAAA,CAAY,SAAS,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,4BAA4B,IAAI,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,IAAY,IAAA,CAAK,EAAA;AAGvC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAQ,CAAA;AAC3C,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,oBAAA,CAAqB,IAAI,CAAA;AACnD,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,EAAU,YAAY,CAAA;AAE1C,IAAA,OAAO,YAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,qBAAqB,IAAA,EAAqC;AACtE,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,QAC/E,QAAQ,IAAA,CAAK;AAAA,OACd,CAAA;AAGD,MAAA,MAAM,mBAAA,GAAsB,IAAA,CAAK,OAAA,CAAQ,cAAA,GACrC,YAAY,IAAA,CAAK,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,IAC7E,WAAA,CAAY,IAAA;AAGhB,MAAA,OAAO,mBAAA,CAAoB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,KAAK,IAAI,CAAA;AAAA,IACjD,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,EAAC;AAAA,IACV;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAEtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AAEA,IAAA,OAAO,6BAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAA,GAA6D;AACjE,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA,CACxC,MAAA,CAAO,CAAA,GAAA,KAAO,GAAA,KAAQ,UAAU,CAAA,CAChC,GAAA,CAAI,CAAA,GAAA,MAAQ,EAAE,EAAA,EAAI,GAAA,EAAK,IAAA,EAAM,GAAA,CAAI,MAAA,CAAO,CAAC,CAAA,CAAE,WAAA,EAAY,GAAI,GAAA,CAAI,KAAA,CAAM,CAAC,CAAA,EAAE,CAAE,CAAA;AAAA,EAC/E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,sBAAsB,MAAA,EAAmC;AAC7D,IAAA,OAAO,8BAA8B,CAAC,MAAM,CAAA,EAAG,IAAA,CAAK,QAAQ,WAAW,CAAA;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,MAAA,EAAsB;AACnC,IAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAA,GAAmD;AACjD,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,KAAK,UAAA,CAAW,IAAA;AAAA,MACtB,OAAA,EAAS,KAAK,UAAA,CAAW;AAAA,KAC3B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,4BAA4B,IAAA,EAA4B;AAC9D,IAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,MAAA,OAAO,EAAC;AAAA,IACV;AAGA,IAAA,MAAM,mBAAA,GAAsB,IAAA,CAAK,OAAA,CAAQ,cAAA,GACrC,KAAK,WAAA,CAAY,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,IAC7E,IAAA,CAAK,WAAA;AAET,IAAA,OAAO,mBAAA,CAAoB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,KAAK,IAAI,CAAA;AAAA,EACjD;AACF;ACnRA,IAAM,mCAAA,GAAsC,CAAA;AAE5C,SAAS,8BAA8B,KAAA,EAAqB;AAC1D,EAAA,OAAO,KAAA,EAAO,MAAA,KAAW,GAAA,IAAO,KAAA,EAAO,IAAA,KAAS,kBAAA;AAClD;AAEO,IAAM,8BAAA,GAAN,cAA6C,KAAA,CAAM;AAAA,EAC/C,MAAA,GAAS,GAAA;AAAA,EACT,YAAA;AAAA,EACA,UAAA;AAAA,EAET,WAAA,CAAY,cAAsB,UAAA,EAAoB;AACpD,IAAA,KAAA;AAAA,MACE,+BAA+B,YAAY,CAAA,CAAA,EAAI,UAAU,CAAA,2CAAA,EACxC,YAAY,4DACT,UAAU,CAAA,qHAAA;AAAA,KAEhC;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,gCAAA;AACZ,IAAA,IAAA,CAAK,YAAA,GAAe,YAAA;AACpB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAEO,IAAM,kCAAA,GAAN,cAAiD,KAAA,CAAM;AAAA,EACnD,MAAA,GAAS,GAAA;AAAA,EACT,MAAA;AAAA,EAET,YAAY,IAAA,EAAkB;AAC5B,IAAA,KAAA;AAAA,MACE;AAAA,KAEF;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,oCAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,IAAA,EAAM,EAAA,GAAK,YAAA,GAAe,MAAA;AAAA,EAC1C;AACF;AAyCO,IAAM,kBAAN,MAAyD;AAAA,EACtD,MAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA;AAAA,EACA,iBAAA;AAAA,EACC,yBAAA;AAAA,EACA,oBAAA;AAAA,EACA,eAAA;AAAA,EACA,mBAAA;AAAA,EAET,YAAY,OAAA,EAAiC;AAC3C,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAEjD,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,SAAS,IAAIC,WAAAA,CAAO,MAAA,EAAQ,EAAE,UAAU,CAAA;AAC7C,IAAA,IAAA,CAAK,iBAAiB,OAAA,CAAQ,cAAA;AAC9B,IAAA,IAAA,CAAK,eAAA,GAAkB,OAAA,CAAQ,eAAA,IAAmB,EAAC;AACnD,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAA,CAAQ,iBAAA,IAAqB,EAAC;AACvD,IAAA,IAAA,CAAK,4BAA4B,OAAA,CAAQ,yBAAA;AACzC,IAAA,IAAA,CAAK,uBAAuB,OAAA,CAAQ,oBAAA;AACpC,IAAA,IAAA,CAAK,kBAAkB,OAAA,CAAQ,eAAA;AAC/B,IAAA,IAAA,CAAK,sBAAsB,OAAA,CAAQ,mBAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,KAAA,CAAM,IAAA,EAAkB,MAAA,EAA0C;AACtE,IAAA,MAAM,WAAA,GAAc,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,UAAU,IAAI,MAAA,CAAO,UAAA,GAAa,CAAC,MAAA,CAAO,UAAU,CAAA;AAC7F,IAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAErC,IAAA,KAAA,MAAW,cAAc,WAAA,EAAa;AACpC,MAAA,MAAM,YAAA,GAAe,KAAK,iBAAA,CAAkB,IAAA,EAAM,EAAE,GAAG,MAAA,EAAQ,YAAY,CAAA;AAC3E,MAAA,IAAI,CAAC,YAAA,EAAc;AACnB,MAAA,IAAI;AACF,QAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,MAAM,YAAY,CAAA;AACjE,QAAA,IAAI,MAAA,CAAO,YAAY,OAAO,IAAA;AAAA,MAChC,SAAS,KAAA,EAAY;AACnB,QAAA,IAAI,6BAAA,CAA8B,KAAK,CAAA,EAAG;AAC1C,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAA,CAAQ,IAAA,EAAkB,MAAA,EAAuC;AACrE,IAAA,MAAM,WAAA,GAAc,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,UAAU,IAAI,MAAA,CAAO,UAAA,GAAa,CAAC,MAAA,CAAO,UAAU,CAAA;AAC7F,IAAA,IAAI,WAAA,CAAY,WAAW,CAAA,EAAG;AAC5B,MAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,MAAA,CAAO,QAAA,EAAU,OAAO,UAAU,CAAA;AAAA,IACnE;AAEA,IAAA,IAAI,SAAA;AACJ,IAAA,KAAA,MAAW,cAAc,WAAA,EAAa;AACpC,MAAA,MAAM,eAAe,IAAA,CAAK,iBAAA;AAAA,QACxB,IAAA;AAAA,QACA,EAAE,GAAG,MAAA,EAAQ,UAAA,EAAW;AAAA,QACxB,EAAE,4BAA4B,IAAA;AAAK,OACrC;AACA,MAAA,IAAI,CAAC,YAAA,EAAc;AAEnB,MAAA,IAAI;AACF,QAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,MAAM,YAAY,CAAA;AACjE,QAAA,IAAI,OAAO,UAAA,EAAY;AAAA,MACzB,SAAS,KAAA,EAAY;AACnB,QAAA,IAAI,KAAA,YAAiB,gBAAgB,MAAM,KAAA;AAC3C,QAAA,IAAI,6BAAA,CAA8B,KAAK,CAAA,EAAG;AAC1C,QAAA,SAAA,GAAY,KAAA;AAAA,MACd;AAAA,IACF;AAEA,IAAA,IAAI,WAAW,MAAM,SAAA;AACrB,IAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,MAAA,CAAO,QAAA,EAAU,OAAO,UAAU,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,gBAAA,CACJ,IAAA,EACA,SAAA,EACA,cACA,UAAA,EACc;AACd,IAAA,IAAI,SAAA,CAAU,MAAA,KAAW,CAAA,EAAG,OAAO,EAAC;AAEpC,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,+BAAA,CAAgC,IAAI,CAAA;AAC9D,IAAA,IAAI,CAAC,YAAA,EAAc,OAAO,EAAC;AAE3B,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAA,MAAM,iBAAiB,YAAA,KAAiB,QAAA,GAAW,SAAY,IAAA,CAAK,qBAAA,CAAsB,MAAM,YAAY,CAAA;AAC5G,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,iCAAA,CAAkC;AAAA,QACjE,wBAAA,EAA0B,YAAA;AAAA,QAC1B,cAAA;AAAA,QACA,0BAA0B,cAAA,CAAe,UAAA;AAAA,QACzC,wBAAwB,cAAA,CAAe;AAAA,OACxC,CAAA;AAED,MAAA,OAAO,SAAA,CAAU,OAAO,CAAA,QAAA,KAAY;AAClC,QAAA,MAAM,WAAW,IAAA,CAAK,iBAAA;AAAA,UACpB,IAAA;AAAA,UACA,YAAA;AAAA,UACA,QAAA,CAAS,EAAA;AAAA,UACT,YAAA,IAAgB,QAAA,IAAY,OAAO,QAAA,CAAS,UAAA,KAAe,WACvD,EAAE,UAAA,EAAY,QAAA,CAAS,UAAA,EAAW,GAClC;AAAA,SACN;AACA,QAAA,OAAO,CAAC,CAAC,QAAA,IAAY,aAAA,CAAc,IAAI,QAAQ,CAAA;AAAA,MACjD,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,SAAsD,EAAC;AAC7D,IAAA,KAAA,IAAS,QAAQ,CAAA,EAAG,KAAA,GAAQ,SAAA,CAAU,MAAA,EAAQ,SAAS,mCAAA,EAAqC;AAC1F,MAAA,MAAM,KAAA,GAAQ,SAAA,CAAU,KAAA,CAAM,KAAA,EAAO,QAAQ,mCAAmC,CAAA;AAChF,MAAA,MAAM,WAAA,GAAc,MAAM,OAAA,CAAQ,GAAA;AAAA,QAChC,KAAA,CAAM,GAAA,CAAI,OAAM,QAAA,KAAY;AAC1B,UAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,EAAM;AAAA,YACxC,UAAU,EAAE,IAAA,EAAM,YAAA,EAAc,EAAA,EAAI,SAAS,EAAA,EAAG;AAAA,YAChD,UAAA;AAAA,YACA,OAAA,EACE,YAAA,IAAgB,QAAA,IAAY,OAAO,QAAA,CAAS,UAAA,KAAe,QAAA,GACvD,EAAE,UAAA,EAAY,QAAA,CAAS,UAAA,EAAW,GAClC;AAAA,WACP,CAAA;AACD,UAAA,OAAO,EAAE,UAAU,UAAA,EAAW;AAAA,QAChC,CAAC;AAAA,OACH;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,GAAG,WAAW,CAAA;AAAA,IAC5B;AAEA,IAAA,OAAO,MAAA,CAAO,OAAO,CAAA,CAAA,KAAK,CAAA,CAAE,UAAU,CAAA,CAAE,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,QAAQ,CAAA;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,eAAe,MAAA,EAAuD;AAC1E,IAAA,MAAM,OAAA,GAAe;AAAA,MACnB,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,MAAM,MAAA,CAAO,IAAA;AAAA,MACb,kBAAkB,MAAA,CAAO,gBAAA;AAAA,MACzB,gBAAgB,MAAA,CAAO;AAAA,KACzB;AACA,IAAA,IAAI,MAAA,CAAO,WAAA,KAAgB,MAAA,EAAW,OAAA,CAAQ,cAAc,MAAA,CAAO,WAAA;AACnE,IAAA,IAAI,MAAA,CAAO,gBAAA,EAAkB,OAAA,CAAQ,gBAAA,GAAmB,MAAA,CAAO,gBAAA;AAC/D,IAAA,IAAI,OAAO,wBAAA,EAA0B;AACnC,MAAA,OAAA,CAAQ,2BAA2B,MAAA,CAAO,wBAAA;AAC1C,MAAA,OAAA,CAAQ,yBAAyB,MAAA,CAAO,sBAAA;AAAA,IAC1C;AAEA,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,eAAe,OAAO,CAAA;AACrE,IAAA,OAAO,IAAA,CAAK,yBAAyB,MAAM,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,UAAA,EAA0C;AAC1D,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,YAAY,UAAU,CAAA;AACrE,IAAA,OAAO,IAAA,CAAK,yBAAyB,MAAM,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,OAAA,EAA2D;AAC7E,IAAA,MAAM,cAAmB,EAAC;AAC1B,IAAA,IAAI,OAAA,EAAS,cAAA,EAAgB,WAAA,CAAY,cAAA,GAAiB,OAAA,CAAQ,cAAA;AAClE,IAAA,IAAI,OAAA,EAAS,gBAAA,EAAkB,WAAA,CAAY,gBAAA,GAAmB,OAAA,CAAQ,gBAAA;AACtE,IAAA,IAAI,OAAA,EAAS,gBAAA,EAAkB,WAAA,CAAY,gBAAA,GAAmB,OAAA,CAAQ,gBAAA;AACtE,IAAA,IAAI,OAAA,EAAS,MAAA,EAAQ,WAAA,CAAY,MAAA,GAAS,OAAA,CAAQ,MAAA;AAClD,IAAA,IAAI,OAAA,EAAS,KAAA,EAAO,WAAA,CAAY,KAAA,GAAQ,OAAA,CAAQ,KAAA;AAChD,IAAA,IAAI,OAAA,EAAS,KAAA,EAAO,WAAA,CAAY,KAAA,GAAQ,OAAA,CAAQ,KAAA;AAEhD,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,cAAc,WAAW,CAAA;AACxE,IAAA,OAAO,MAAA,CAAO,KAAK,GAAA,CAAI,CAAC,MAAW,IAAA,CAAK,wBAAA,CAAyB,CAAC,CAAC,CAAA;AAAA,EACrE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,MAAA,EAAuD;AAC1E,IAAA,MAAM,OAAA,GAAe,EAAE,UAAA,EAAY,MAAA,CAAO,UAAA,EAAW;AACrD,IAAA,IAAI,MAAA,CAAO,IAAA,KAAS,MAAA,EAAW,OAAA,CAAQ,OAAO,MAAA,CAAO,IAAA;AACrD,IAAA,IAAI,MAAA,CAAO,WAAA,KAAgB,MAAA,EAAW,OAAA,CAAQ,cAAc,MAAA,CAAO,WAAA;AAEnE,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,eAAe,OAAO,CAAA;AACrE,IAAA,OAAO,IAAA,CAAK,yBAAyB,MAAM,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,MAAA,EAAgD;AACnE,IAAA,IAAI,YAAA,IAAgB,MAAA,IAAU,MAAA,CAAO,UAAA,EAAY;AAC/C,MAAA,MAAM,IAAA,CAAK,OAAO,aAAA,CAAc,cAAA,CAAe,EAAE,UAAA,EAAY,MAAA,CAAO,YAAY,CAAA;AAAA,IAClF,WAAW,YAAA,IAAgB,MAAA,IAAU,MAAA,CAAO,UAAA,IAAc,OAAO,gBAAA,EAAkB;AACjF,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,0BAAA,CAA2B;AAAA,QACzD,YAAY,MAAA,CAAO,UAAA;AAAA,QACnB,kBAAkB,MAAA,CAAO,gBAAA;AAAA,QACzB,gBAAgB,MAAA,CAAO;AAAA,OACxB,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,MAAA,EAAmD;AAClE,IAAA,MAAM,OAAA,GAAe;AAAA,MACnB,0BAA0B,MAAA,CAAO,wBAAA;AAAA,MACjC,UAAU,MAAA,CAAO;AAAA,KACnB;AACA,IAAA,IAAI,MAAA,CAAO,UAAA,EAAY,OAAA,CAAQ,UAAA,GAAa,MAAA,CAAO,UAAA;AACnD,IAAA,IAAI,OAAO,kBAAA,EAAoB;AAC7B,MAAA,OAAA,CAAQ,qBAAqB,MAAA,CAAO,kBAAA;AACpC,MAAA,OAAA,CAAQ,mBAAmB,MAAA,CAAO,gBAAA;AAAA,IACpC;AAEA,IAAA,MAAM,SAAS,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,WAAW,OAAO,CAAA;AACjE,IAAA,OAAO;AAAA,MACL,IAAI,MAAA,CAAO,EAAA;AAAA,MACX,MAAM,MAAA,CAAO,IAAA;AAAA,MACb,QAAA,EAAU;AAAA,QACR,EAAA,EAAI,OAAO,QAAA,CAAS,EAAA;AAAA,QACpB,UAAA,EAAY,OAAO,QAAA,CAAS,UAAA;AAAA,QAC5B,gBAAA,EAAkB,OAAO,QAAA,CAAS;AAAA;AACpC,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,MAAA,EAAsC;AACrD,IAAA,MAAM,OAAA,GAAe;AAAA,MACnB,0BAA0B,MAAA,CAAO,wBAAA;AAAA,MACjC,UAAU,MAAA,CAAO;AAAA,KACnB;AACA,IAAA,IAAI,MAAA,CAAO,UAAA,EAAY,OAAA,CAAQ,UAAA,GAAa,MAAA,CAAO,UAAA;AACnD,IAAA,IAAI,OAAO,kBAAA,EAAoB;AAC7B,MAAA,OAAA,CAAQ,qBAAqB,MAAA,CAAO,kBAAA;AACpC,MAAA,OAAA,CAAQ,mBAAmB,MAAA,CAAO,gBAAA;AAAA,IACpC;AAEA,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,UAAA,CAAW,OAAO,CAAA;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,OAAA,EAAsE;AAC9F,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,mBAAA,CAAoB;AAAA,MACjE,0BAA0B,OAAA,CAAQ,wBAAA;AAAA,MAClC,GAAI,OAAA,CAAQ,KAAA,IAAS,EAAE,KAAA,EAAO,QAAQ,KAAA,EAAM;AAAA,MAC5C,GAAI,OAAA,CAAQ,KAAA,IAAS,EAAE,KAAA,EAAO,QAAQ,KAAA;AAAM,KAC7C,CAAA;AAED,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,GAAA,CAAI,CAAC,EAAA,MAAa;AAAA,MACnC,IAAI,EAAA,CAAG,EAAA;AAAA,MACP,MAAM,EAAA,CAAG,IAAA;AAAA,MACT,QAAA,EAAU;AAAA,QACR,EAAA,EAAI,GAAG,QAAA,CAAS,EAAA;AAAA,QAChB,UAAA,EAAY,GAAG,QAAA,CAAS,UAAA;AAAA,QACxB,gBAAA,EAAkB,GAAG,QAAA,CAAS;AAAA;AAChC,KACF,CAAE,CAAA;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeQ,+BAAA,CACN,MACA,OAAA,EACoB;AACpB,IAAA,IAAI,IAAA,EAAM,wBAAA,EAA0B,OAAO,IAAA,CAAK,wBAAA;AAChD,IAAA,IAAI,CAAC,IAAA,EAAM,WAAA,EAAa,MAAA,EAAQ;AAC9B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OAEF;AACA,MAAA,IAAI,SAAS,0BAAA,EAA4B;AACvC,QAAA,MAAM,IAAI,mCAAmC,IAAI,CAAA;AAAA,MACnD;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,MAAA,MAAM,KAAA,GAAQ,KAAK,WAAA,CAAY,IAAA,CAAK,OAAK,CAAA,CAAE,cAAA,KAAmB,KAAK,cAAc,CAAA;AACjF,MAAA,IAAI,KAAA,SAAc,KAAA,CAAM,EAAA;AAExB,MAAA,OAAA,CAAQ,KAAK,0FAA0F,CAAA;AACvG,MAAA,IAAI,SAAS,0BAAA,EAA4B;AACvC,QAAA,MAAM,IAAI,mCAAmC,IAAI,CAAA;AAAA,MACnD;AACA,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,CAAC,CAAA,CAAG,EAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAkB,UAAA,EAA8C;AACtE,IAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,UAAU,CAAA,IAAK,UAAA;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAA,CACN,MACA,YAAA,EACsD;AACtD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,kBAAA,CAAmB,YAAY,CAAA;AACpD,IAAA,MAAM,UAAA,GAAa,OAAA,EAAS,QAAA,GAAW,EAAE,MAAM,CAAA;AAC/C,IAAA,MAAM,cAAA,GAAiB,OAAA,EAAS,qBAAA,IAAyB,OAAA,EAAS,sBAAA;AAClE,IAAA,IAAI,CAAC,SAAS,eAAA,IAAmB,CAAC,cAAc,CAAC,cAAA,IAAkB,cAAA,KAAmB,OAAA,CAAQ,eAAA,EAAiB;AAC7G,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,UAAA;AAAA,MACA,QAAA,EAAU;AAAA,KACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAAA,CACN,IAAA,EACA,YAAA,EACA,UAAA,EACA,OAAA,EACoB;AACpB,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,kBAAA,CAAmB,YAAY,CAAA;AACpD,IAAA,MAAM,SAAA,GAAY,SAAS,QAAA,GAAW;AAAA,MACpC,IAAA;AAAA,MACA,UAAA,EAAY,SAAS,UAAA,IAAc,UAAA;AAAA,MACnC,gBAAgB,OAAA,EAAS;AAAA,KAC1B,CAAA;AACD,IAAA,OAAO,SAAA,IAAa,UAAA;AAAA,EACtB;AAAA,EAEQ,iBAAA,CACN,IAAA,EACA,MAAA,EACA,OAAA,EACY;AACZ,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,+BAAA,CAAgC,IAAA,EAAM,OAAO,CAAA;AACvE,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,iBAAA,CAAkB,MAAA,CAAO,UAAU,CAAA;AAC/D,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,iBAAA,CAAkB,IAAA,EAAM,MAAA,CAAO,QAAA,CAAS,IAAA,EAAM,MAAA,CAAO,QAAA,CAAS,EAAA,EAAI,MAAA,CAAO,OAAO,CAAA;AAExG,IAAA,MAAM,YAAA,GAAoB;AAAA,MACxB,wBAAA,EAA0B,YAAA;AAAA,MAC1B;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,OAAO,YAAA;AAAA,IACT;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,kBAAA,CAAmB,MAAA,CAAO,SAAS,IAAI,CAAA;AAC5D,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,YAAA,CAAa,kBAAA,GAAqB,UAAA;AAClC,MAAA,YAAA,CAAa,mBAAmB,OAAA,CAAQ,eAAA;AAAA,IAC1C,CAAA,MAAO;AACL,MAAA,YAAA,CAAa,kBAAA,GAAqB,OAAO,QAAA,CAAS,EAAA;AAClD,MAAA,YAAA,CAAa,gBAAA,GAAmB,OAAO,QAAA,CAAS,IAAA;AAAA,IAClD;AAEA,IAAA,OAAO,YAAA;AAAA,EACT;AAAA,EAEQ,mBAAmB,YAAA,EAA2D;AACpF,IAAA,MAAM,OAAA,GACJ,YAAA,KAAiB,OAAA,GACb,CAAC,OAAA,EAAS,QAAQ,CAAA,GAClB,YAAA,KAAiB,UAAA,GACf,CAAC,UAAA,EAAY,WAAW,CAAA,GACxB,YAAA,KAAiB,MAAA,GACf,CAAC,MAAA,EAAQ,OAAO,CAAA,GAChB,YAAA,KAAiB,QAAA,GACf,CAAC,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA,GAC9B,CAAC,YAAY,CAAA;AAEzB,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,eAAA,CAAgB,GAAG,CAAA;AACxC,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,OAAO,OAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kCAAkC,MAAA,EAKvB;AACvB,IAAA,MAAM,aAAA,uBAAoB,GAAA,EAAY;AACtC,IAAA,IAAI,KAAA;AAEJ,IAAA,GAAG;AACD,MAAA,MAAM,MAAA,GAAc,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,0BAAA,CAA2B;AAAA,QAC7E,0BAA0B,MAAA,CAAO,wBAAA;AAAA,QACjC,gBAAgB,MAAA,CAAO,cAAA;AAAA,QACvB,0BAA0B,MAAA,CAAO,wBAAA;AAAA,QACjC,wBAAwB,MAAA,CAAO,sBAAA;AAAA,QAC/B,GAAI,KAAA,GAAQ,EAAE,KAAA,KAAU,EAAC;AAAA,QACzB,KAAA,EAAO,GAAA;AAAA,QACP,KAAA,EAAO;AAAA,OACR,CAAA;AAED,MAAA,KAAA,MAAW,QAAA,IAAY,MAAA,CAAO,IAAA,IAAQ,EAAC,EAAG;AACxC,QAAA,IAAI,OAAO,QAAA,EAAU,UAAA,KAAe,QAAA,EAAU;AAC5C,UAAA,aAAA,CAAc,GAAA,CAAI,SAAS,UAAU,CAAA;AAAA,QACvC;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,MAAA,CAAO,cAAc,KAAA,IAAS,MAAA;AAAA,IACxC,CAAA,QAAS,KAAA;AAET,IAAA,OAAO,aAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAA,EAA4B;AAC3D,IAAA,OAAO;AAAA,MACL,IAAI,QAAA,CAAS,EAAA;AAAA,MACb,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,MAAM,QAAA,CAAS,IAAA;AAAA,MACf,aAAa,QAAA,CAAS,WAAA;AAAA,MACtB,kBAAkB,QAAA,CAAS,gBAAA;AAAA,MAC3B,gBAAgB,QAAA,CAAS,cAAA;AAAA,MACzB,kBAAkB,QAAA,CAAS;AAAA,KAC7B;AAAA,EACF;AACF;;;ACphBO,IAAM,sBAAN,MAA0B;AAAA,EACvB,MAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASR,WAAA,CAAY,QAAgB,OAAA,EAAqC;AAC/D,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,aAAA,IAAiB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAC3D,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,aAAA,GAAgB,aAAA;AACrB,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,OAAA,EAA0B,SAAA,EAAkC;AAI9E,IAAA,MAAM,gBAAgB,OAAO,OAAA,KAAY,WAAW,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA,GAAI,OAAA;AAC1E,IAAA,MAAM,KAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,SAAS,cAAA,CAAe;AAAA,MACvD,OAAA,EAAS,aAAA;AAAA,MACT,SAAA,EAAW,SAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAGD,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,WAAW,KAAK,CAAA;AAAA,IAC7B,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,2CAAA,EAA8C,KAAA,CAAM,KAAK,KAAK,KAAK,CAAA;AAAA,IACnF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAAW,KAAA,EAA0C;AACjE,IAAA,MAAM,EAAE,KAAA,EAAO,SAAA,EAAW,IAAA,EAAK,GAAI,KAAA;AAEnC,IAAA,QAAQ,SAAA;AAAW,MACjB,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,wBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,gBAAA,EAAkB;AAClC,UAAA,MAAM,IAAA,CAAK,SAAS,gBAAA,CAAiB;AAAA,YACnC,KAAA,EAAO,IAAA,CAAK,YAAA,CAAa,IAAA,CAAK,KAAgC,CAAA;AAAA,YAC9D,IAAA,EAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,IAA+B;AAAA,WAC5D,CAAA;AAAA,QACH;AACA,QAAA;AAAA,MAEF,KAAK,0BAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,kBAAA,EAAoB;AACpC,UAAA,MAAM,IAAA,CAAK,SAAS,kBAAA,CAAmB;AAAA,YACrC,KAAA,EAAO,IAAA,CAAK,YAAA,CAAa,IAAA,CAAK,KAAgC,CAAA;AAAA,YAC9D,IAAA,EAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,IAA+B;AAAA,WAC5D,CAAA;AAAA,QACH;AACA,QAAA;AAAA,MAEF;AAEE,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,0CAAA,EAA6C,SAAS,CAAA,CAAE,CAAA;AAAA;AACzE,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,YAAY,IAAA,EAAsD;AACxE,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,aAAa,IAAA,CAAK,YAAA;AAAA,MAClB,gBAAgB,IAAA,CAAK,eAAA;AAAA,MACrB,OAAO,IAAA,CAAK,MAAA;AAAA,MACZ,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,MAAA,EAAS,IAAA,CAAK,MAAA,IAAwE,EAAC;AAAA,MACvF,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,MAAA,EAAS,IAAA,CAAK,MAAA,IAAkD,EAAC;AAAA,MACjE,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,aAAA,EAAgB,IAAA,CAAK,cAAA,IAA8C,EAAC;AAAA,MACpE,gBAAA,EAAmB,IAAA,CAAK,iBAAA,IAAiD,EAAC;AAAA,MAC1E,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,aAAa,IAAA,EAAuD;AAC1E,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,aAAa,IAAA,CAAK,YAAA;AAAA,MAClB,gBAAgB,IAAA,CAAK,eAAA;AAAA,MACrB,OAAO,IAAA,CAAK,MAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,aAAA,EAAgB,IAAA,CAAK,cAAA,IAA8C;AAAC,KACtE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,gBAAgB,cAAA,EAA8C;AAClE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,eAAA,CAAgB;AAAA,MAC/D;AAAA,KACD,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,mBAAmB,WAAA,EAA+C;AACtE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,SAAA,CAAU;AAAA,MACzD,SAAA,EAAW;AAAA,KACZ,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,oBAAoB,WAAA,EAAgD;AACxE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,UAAA,CAAW;AAAA,MAC1D,SAAA,EAAW;AAAA,KACZ,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AACF;AC9RA,IAAM,UAAA,GAAkE;AAAA,EACtE,KAAKK,6BAAA,CAAyB,GAAA;AAAA,EAC9B,OAAOA,6BAAA,CAAyB,KAAA;AAAA,EAChC,YAAYA,6BAAA,CAAyB,SAAA;AAAA,EACrC,aAAaA,6BAAA,CAAyB;AACxC,CAAA;AA2BO,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQR,WAAA,CAAY,QAAgB,OAAA,EAAoC;AAC9D,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,SAAA,GAAY,SAAS,SAAA,IAAa,GAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,aAAA,CAAc,cAAA,EAAwB,MAAA,EAA6C;AACvF,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,OAAO,YAAA,CAAa;AAAA,MACnD,YAAA,EAAc,cAAA;AAAA,MACd,MAAA,EAAQ,UAAA,CAAW,MAAA,IAAU,KAAK,CAAA;AAAA,MAClC,WAAW,IAAA,CAAK;AAAA,KACjB,CAAA;AAED,IAAA,OAAO,MAAA,CAAO,IAAA;AAAA,EAChB;AACF","file":"index.cjs","sourcesContent":["import { Transform } from 'node:stream';\n\nexport const RegisteredLogger = {\n AGENT: 'AGENT',\n OBSERVABILITY: 'OBSERVABILITY',\n AUTH: 'AUTH',\n BROWSER: 'BROWSER',\n NETWORK: 'NETWORK',\n WORKFLOW: 'WORKFLOW',\n LLM: 'LLM',\n TTS: 'TTS',\n VOICE: 'VOICE',\n VECTOR: 'VECTOR',\n BUNDLER: 'BUNDLER',\n DEPLOYER: 'DEPLOYER',\n MEMORY: 'MEMORY',\n STORAGE: 'STORAGE',\n EMBEDDINGS: 'EMBEDDINGS',\n MCP_SERVER: 'MCP_SERVER',\n SERVER_CACHE: 'SERVER_CACHE',\n SERVER: 'SERVER',\n WORKSPACE: 'WORKSPACE',\n CHANNEL: 'CHANNEL',\n} as const;\n\nexport type RegisteredLogger = (typeof RegisteredLogger)[keyof typeof RegisteredLogger];\n\nexport const LogLevel = {\n DEBUG: 'debug',\n INFO: 'info',\n WARN: 'warn',\n ERROR: 'error',\n NONE: 'silent',\n} as const;\n\nexport type LogLevel = (typeof LogLevel)[keyof typeof LogLevel];\n\nexport interface BaseLogMessage {\n runId?: string;\n msg: string;\n level: LogLevel;\n time: Date;\n pid: number;\n hostname: string;\n name: string;\n}\n\nexport abstract class LoggerTransport extends Transform {\n constructor(opts: any = {}) {\n super({ ...opts, objectMode: true });\n }\n\n async listLogsByRunId(_args: {\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n }): Promise<{\n logs: BaseLogMessage[];\n total: number;\n page: number;\n perPage: number;\n hasMore: boolean;\n }> {\n return { logs: [], total: 0, page: _args?.page ?? 1, perPage: _args?.perPage ?? 100, hasMore: false };\n }\n\n async listLogs(_args?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n returnPaginationResults?: boolean;\n page?: number;\n perPage?: number;\n }): Promise<{\n logs: BaseLogMessage[];\n total: number;\n page: number;\n perPage: number;\n hasMore: boolean;\n }> {\n return { logs: [], total: 0, page: _args?.page ?? 1, perPage: _args?.perPage ?? 100, hasMore: false };\n }\n}\n\nexport const createCustomTransport = (\n stream: Transform,\n listLogs?: LoggerTransport['listLogs'],\n listLogsByRunId?: LoggerTransport['listLogsByRunId'],\n) => {\n let transport = stream as LoggerTransport;\n if (listLogs) {\n transport.listLogs = listLogs;\n }\n if (listLogsByRunId) {\n transport.listLogsByRunId = listLogsByRunId;\n }\n return transport as LoggerTransport;\n};\n\nexport interface IMastraLogger {\n debug(message: string, ...args: any[]): void;\n info(message: string, ...args: any[]): void;\n warn(message: string, ...args: any[]): void;\n error(message: string, ...args: any[]): void;\n trackException(error: Error, metadata?: Record): void;\n\n getTransports(): Map;\n listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n },\n ): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n }): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n}\n\nexport abstract class MastraLogger implements IMastraLogger {\n protected name: string;\n protected level: LogLevel;\n protected transports: Map;\n\n constructor(\n options: {\n name?: string;\n level?: LogLevel;\n transports?: Record;\n } = {},\n ) {\n this.name = options.name || 'Mastra';\n this.level = options.level || LogLevel.ERROR;\n this.transports = new Map(Object.entries(options.transports || {}));\n }\n\n abstract debug(message: string, ...args: any[]): void;\n abstract info(message: string, ...args: any[]): void;\n abstract warn(message: string, ...args: any[]): void;\n abstract error(message: string, ...args: any[]): void;\n\n getTransports() {\n return this.transports;\n }\n\n trackException(_error: Error, _metadata?: Record) {}\n\n async listLogs(\n transportId: string,\n params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n },\n ) {\n if (!transportId || !this.transports.has(transportId)) {\n return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports.get(transportId)!.listLogs?.(params) ?? {\n logs: [],\n total: 0,\n page: params?.page ?? 1,\n perPage: params?.perPage ?? 100,\n hasMore: false,\n }\n );\n }\n\n async listLogsByRunId({\n transportId,\n runId,\n fromDate,\n toDate,\n logLevel,\n filters,\n page,\n perPage,\n }: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n }) {\n if (!transportId || !this.transports.has(transportId) || !runId) {\n return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports\n .get(transportId)!\n .listLogsByRunId?.({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {\n logs: [],\n total: 0,\n page: page ?? 1,\n perPage: perPage ?? 100,\n hasMore: false,\n }\n );\n }\n}\n\nexport type LogFilterContext = {\n component?: RegisteredLogger;\n level: LogLevel;\n message: string;\n args: unknown[];\n};\n\nexport type LogFilter = (ctx: LogFilterContext) => boolean;\n\nexport interface ConsoleLoggerOptions {\n name?: string;\n level?: LogLevel;\n component?: RegisteredLogger;\n filter?: LogFilter;\n}\n\nexport class ConsoleLogger extends MastraLogger {\n protected component?: RegisteredLogger;\n protected filter?: LogFilter;\n\n constructor(options: ConsoleLoggerOptions = {}) {\n super(options);\n this.component = options.component;\n this.filter = options.filter;\n }\n\n child(componentOrBindings: RegisteredLogger | Record): ConsoleLogger {\n const component =\n typeof componentOrBindings === 'string'\n ? componentOrBindings\n : ((componentOrBindings?.component as RegisteredLogger) ?? this.component);\n return new ConsoleLogger({\n name: this.name,\n level: this.level,\n component,\n filter: this.filter,\n });\n }\n\n private shouldLog(level: LogLevel, message: string, args: unknown[]): boolean {\n if (!this.filter) return true;\n try {\n return this.filter({ component: this.component, level, message, args });\n } catch (e) {\n console.error(`[Logger] Filter error for component=${this.component} level=${level}:`, e);\n return true;\n }\n }\n\n private prefix(): string {\n return this.component ? `[${this.component}] ` : '';\n }\n\n debug(message: string, ...args: any[]): void {\n if (this.level === LogLevel.DEBUG && this.shouldLog(LogLevel.DEBUG, message, args)) {\n console.info(`${this.prefix()}${message}`, ...args);\n }\n }\n\n info(message: string, ...args: any[]): void {\n if (\n (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) &&\n this.shouldLog(LogLevel.INFO, message, args)\n ) {\n console.info(`${this.prefix()}${message}`, ...args);\n }\n }\n\n warn(message: string, ...args: any[]): void {\n if (\n (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) &&\n this.shouldLog(LogLevel.WARN, message, args)\n ) {\n console.warn(`${this.prefix()}${message}`, ...args);\n }\n }\n\n error(message: string, ...args: any[]): void {\n if (\n (this.level === LogLevel.ERROR ||\n this.level === LogLevel.WARN ||\n this.level === LogLevel.INFO ||\n this.level === LogLevel.DEBUG) &&\n this.shouldLog(LogLevel.ERROR, message, args)\n ) {\n console.error(`${this.prefix()}${message}`, ...args);\n }\n }\n\n async listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n },\n ) {\n return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };\n }\n\n async listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record;\n page?: number;\n perPage?: number;\n }) {\n return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 100, hasMore: false };\n }\n}\n","import type { IMastraLogger } from '../logger';\nimport { ConsoleLogger, RegisteredLogger } from '../logger';\n\nexport class MastraBase {\n component: RegisteredLogger = RegisteredLogger.LLM;\n protected logger: IMastraLogger;\n name?: string;\n #rawConfig?: Record;\n\n constructor({\n component,\n name,\n rawConfig,\n }: {\n component?: RegisteredLogger;\n name?: string;\n rawConfig?: Record;\n }) {\n this.component = component || RegisteredLogger.LLM;\n this.name = name;\n this.#rawConfig = rawConfig;\n this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });\n }\n\n /**\n * Returns the raw storage configuration this primitive was created from,\n * or undefined if it was created from code.\n */\n toRawConfig(): Record | undefined {\n return this.#rawConfig;\n }\n\n /**\n * Sets the raw storage configuration for this primitive.\n * @internal\n */\n __setRawConfig(rawConfig: Record): void {\n this.#rawConfig = rawConfig;\n }\n\n /**\n * Set the logger for the agent\n * @param logger\n */\n __setLogger(logger: IMastraLogger) {\n this.logger =\n 'child' in logger && typeof (logger as any).child === 'function'\n ? (logger as any).child({ component: this.component })\n : logger;\n }\n}\n","import { MastraBase } from '@internal/core/base';\nimport type {\n CredentialsResult,\n ISSOProvider,\n ISessionProvider,\n IUserProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n User,\n} from '..';\nimport type { AuthorizeUserFn, MastraAuthConfig, MastraAuthRequest } from '../types';\nimport { getRequestHeader } from '../types';\n\nexport interface MastraAuthProviderOptions {\n name?: string;\n authorizeUser?: AuthorizeUserFn;\n mapUserToResourceId?(user: TUser): string | undefined | null;\n /**\n * Protected paths for the auth provider\n */\n protected?: MastraAuthConfig['protected'];\n /**\n * Public paths for the auth provider\n */\n public?: MastraAuthConfig['public'];\n}\n\nexport abstract class MastraAuthProvider extends MastraBase {\n public protected?: MastraAuthConfig['protected'];\n public public?: MastraAuthConfig['public'];\n public mapUserToResourceId?(user: TUser): string | undefined | null;\n\n constructor(options?: MastraAuthProviderOptions) {\n super({ component: 'AUTH', name: options?.name });\n\n if (options?.authorizeUser) {\n this.authorizeUser = options.authorizeUser.bind(this);\n }\n\n this.protected = options?.protected;\n this.public = options?.public;\n this.mapUserToResourceId = options?.mapUserToResourceId;\n }\n\n /**\n * Authenticate a token and return the payload\n * @param token - The token to authenticate\n * @param request - The request\n * @returns The payload\n */\n abstract authenticateToken(token: string, request: MastraAuthRequest): Promise;\n\n /**\n * Authorize a user for a path and method\n * @param user - The user to authorize\n * @param request - The request\n * @returns The authorization result\n */\n abstract authorizeUser(user: TUser, request: MastraAuthRequest): Promise | boolean;\n\n protected registerOptions(opts?: MastraAuthProviderOptions) {\n if (opts?.authorizeUser) {\n this.authorizeUser = opts.authorizeUser.bind(this);\n }\n if (opts?.mapUserToResourceId) {\n this.mapUserToResourceId = opts.mapUserToResourceId;\n }\n if (opts?.protected) {\n this.protected = opts.protected;\n }\n if (opts?.public) {\n this.public = opts.public;\n }\n }\n}\n\ntype PrimitiveAuthUser = string | number | boolean | bigint | symbol | null | undefined;\n\n// Type guards for interface detection\nfunction isSSOProvider(p: unknown): p is ISSOProvider {\n return (\n p !== null &&\n typeof p === 'object' &&\n typeof (p as any).getLoginUrl === 'function' &&\n typeof (p as any).handleCallback === 'function'\n );\n}\n\nfunction isSessionProvider(p: unknown): p is ISessionProvider {\n return (\n p !== null &&\n typeof p === 'object' &&\n typeof (p as any).validateSession === 'function' &&\n typeof (p as any).createSession === 'function'\n );\n}\n\nfunction isUserProvider(p: unknown): p is IUserProvider {\n return p !== null && typeof p === 'object' && typeof (p as any).getCurrentUser === 'function';\n}\nfunction isCredentialsProvider(p: unknown): boolean {\n return p !== null && typeof p === 'object' && typeof (p as any).signIn === 'function';\n}\n\nfunction isObjectLike(value: unknown): value is object {\n return (typeof value === 'object' && value !== null) || typeof value === 'function';\n}\n\nexport class CompositeAuth\n extends MastraAuthProvider\n implements ISSOProvider, ISessionProvider, IUserProvider\n{\n private providers: MastraAuthProvider[];\n private authenticatedProviderByObject = new WeakMap();\n private authenticatedProviderByPrimitive = new Map();\n\n constructor(providers: MastraAuthProvider[]) {\n const combinedPublic = providers.flatMap(provider => provider.public ?? []);\n const combinedProtected = providers.flatMap(provider => provider.protected ?? []);\n\n super({\n public: combinedPublic,\n protected: combinedProtected,\n });\n\n this.providers = providers;\n if (providers.some(provider => typeof provider.mapUserToResourceId === 'function')) {\n this.mapUserToResourceId = user => this.mapAuthenticatedUserToResourceId(user);\n }\n\n // Null out interface methods when no inner provider supports them.\n // This ensures duck-typing checks (typeof auth.method === 'function')\n // accurately reflect the composite's actual capabilities — preventing\n // Studio from showing login options that no provider can handle.\n if (!providers.some(isSSOProvider)) {\n this.getLoginUrl = undefined as any;\n this.handleCallback = undefined as any;\n this.getLoginButtonConfig = undefined as any;\n }\n if (!providers.some(isSessionProvider)) {\n this.createSession = undefined as any;\n this.validateSession = undefined as any;\n this.getSessionIdFromRequest = undefined as any;\n }\n if (!providers.some(isUserProvider)) {\n this.getCurrentUser = undefined as any;\n this.getUser = undefined as any;\n this.getUsers = undefined as any;\n }\n // Proxy credentials provider methods if any inner provider supports them.\n const credProvider = this.findProvider(isCredentialsProvider as (p: unknown) => p is MastraAuthProvider) as any;\n if (credProvider) {\n (this as any).signIn = credProvider.signIn.bind(credProvider);\n if (typeof credProvider.signUp === 'function') {\n (this as any).signUp = credProvider.signUp.bind(credProvider);\n }\n if (typeof credProvider.requestPasswordReset === 'function') {\n (this as any).requestPasswordReset = credProvider.requestPasswordReset.bind(credProvider);\n }\n if (typeof credProvider.resetPassword === 'function') {\n (this as any).resetPassword = credProvider.resetPassword.bind(credProvider);\n }\n (this as any).isSignUpEnabled =\n typeof credProvider.isSignUpEnabled === 'function'\n ? credProvider.isSignUpEnabled.bind(credProvider)\n : () => true;\n } else {\n (this as any).signIn = undefined;\n (this as any).signUp = undefined;\n (this as any).requestPasswordReset = undefined;\n (this as any).resetPassword = undefined;\n (this as any).isSignUpEnabled = undefined;\n }\n }\n\n // Find first provider implementing an interface\n private findProvider(check: (p: unknown) => p is T): T | undefined {\n return this.providers.find(check) as T | undefined;\n }\n\n private rememberAuthenticatedProvider(user: unknown, provider: MastraAuthProvider): void {\n if (isObjectLike(user)) {\n this.authenticatedProviderByObject.set(user, provider);\n return;\n }\n\n this.authenticatedProviderByPrimitive.set(user as PrimitiveAuthUser, provider);\n }\n\n private takeAuthenticatedProvider(user: unknown): MastraAuthProvider | undefined {\n if (isObjectLike(user)) {\n const provider = this.authenticatedProviderByObject.get(user);\n this.authenticatedProviderByObject.delete(user);\n return provider;\n }\n\n const primitiveUser = user as PrimitiveAuthUser;\n const provider = this.authenticatedProviderByPrimitive.get(primitiveUser);\n this.authenticatedProviderByPrimitive.delete(primitiveUser);\n return provider;\n }\n\n private mapAuthenticatedUserToResourceId(user: unknown): string | undefined | null {\n const provider = this.takeAuthenticatedProvider(user);\n return provider?.mapUserToResourceId?.(user);\n }\n\n // ============================================================================\n // License Exemption Markers\n // Expose these if any underlying provider has them\n // ============================================================================\n\n /**\n * True if any provider is MastraCloudAuth (exempt from license requirement).\n */\n get isMastraCloudAuth(): boolean {\n return this.providers.some(\n p => 'isMastraCloudAuth' in p && (p as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true,\n );\n }\n\n /**\n * True if any provider is SimpleAuth (exempt from license requirement).\n */\n get isSimpleAuth(): boolean {\n return this.providers.some(p => 'isSimpleAuth' in p && (p as { isSimpleAuth: boolean }).isSimpleAuth === true);\n }\n\n // ============================================================================\n // MastraAuthProvider Implementation\n // ============================================================================\n\n async authenticateToken(token: string, request: MastraAuthRequest): Promise {\n for (const provider of this.providers) {\n try {\n const user = await provider.authenticateToken(token, request);\n if (user) {\n this.rememberAuthenticatedProvider(user, provider);\n return user;\n }\n } catch {\n // ignore error, try next provider\n }\n }\n return null;\n }\n\n async authorizeUser(user: unknown, request: MastraAuthRequest): Promise {\n for (const provider of this.providers) {\n const authorized = await provider.authorizeUser(user, request);\n if (authorized) {\n return true;\n }\n }\n return false;\n }\n\n // ============================================================================\n // ISSOProvider Implementation\n // ============================================================================\n\n /**\n * Forward cookie header to SSO provider for PKCE validation.\n * Called by auth handler before handleCallback().\n */\n setCallbackCookieHeader(cookieHeader: string | null): void {\n const sso = this.findProvider(isSSOProvider);\n if (sso && typeof (sso as any).setCallbackCookieHeader === 'function') {\n (sso as any).setCallbackCookieHeader(cookieHeader);\n }\n }\n\n getLoginUrl(redirectUri: string, state: string): string | Promise {\n const sso = this.findProvider(isSSOProvider);\n if (!sso) throw new Error('No SSO provider configured in CompositeAuth');\n return sso.getLoginUrl(redirectUri, state);\n }\n\n getLoginCookies(redirectUri: string, state: string): string[] | undefined {\n const sso = this.findProvider(isSSOProvider);\n return sso?.getLoginCookies?.(redirectUri, state);\n }\n\n async handleCallback(code: string, state: string): Promise> {\n const sso = this.findProvider(isSSOProvider);\n if (!sso) throw new Error('No SSO provider configured in CompositeAuth');\n return sso.handleCallback(code, state) as Promise>;\n }\n\n getLoginButtonConfig(): SSOLoginConfig {\n const sso = this.findProvider(isSSOProvider);\n if (!sso) return { provider: 'unknown', text: 'Sign in' };\n return sso.getLoginButtonConfig();\n }\n\n async getLogoutUrl(redirectUri: string, request?: Request): Promise {\n // Try each SSO provider until one returns a logout URL\n for (const provider of this.providers) {\n if (isSSOProvider(provider) && provider.getLogoutUrl) {\n try {\n const url = await provider.getLogoutUrl(redirectUri, request);\n if (url) return url;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n // ============================================================================\n // ISessionProvider Implementation\n // ============================================================================\n\n async createSession(userId: string, metadata?: Record): Promise {\n const session = this.findProvider(isSessionProvider);\n if (!session) throw new Error('No session provider configured in CompositeAuth');\n return session.createSession(userId, metadata);\n }\n\n async validateSession(sessionId: string): Promise {\n // Try each session provider until one validates\n for (const provider of this.providers) {\n if (isSessionProvider(provider)) {\n try {\n const session = await provider.validateSession(sessionId);\n if (session) return session;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n async destroySession(sessionId: string): Promise {\n // Destroy session on ALL providers (user may have sessions in multiple stores)\n const destroyPromises: Promise[] = [];\n for (const provider of this.providers) {\n if (isSessionProvider(provider)) {\n destroyPromises.push(\n provider.destroySession(sessionId).catch(() => {\n // Ignore errors, session may not exist in this provider\n }),\n );\n }\n }\n await Promise.all(destroyPromises);\n }\n\n async refreshSession(sessionId: string): Promise {\n // Try each session provider until one refreshes\n for (const provider of this.providers) {\n if (isSessionProvider(provider)) {\n try {\n const session = await provider.refreshSession(sessionId);\n if (session) return session;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n getSessionIdFromRequest(request: Request): string | null {\n // Try each session provider until one finds a session ID\n for (const provider of this.providers) {\n if (isSessionProvider(provider)) {\n try {\n const sessionId = provider.getSessionIdFromRequest(request);\n if (sessionId) return sessionId;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n getSessionHeaders(session: Session): Record {\n // Intentionally uses only the first session provider: a session is created by one\n // provider, so we only set its cookie. clearSession clears ALL providers to ensure\n // no stale cookies remain.\n const sessionProvider = this.findProvider(isSessionProvider);\n return sessionProvider?.getSessionHeaders(session) ?? {};\n }\n\n getClearSessionHeaders(): Record {\n // Merge clear headers from ALL providers to ensure no stale session cookies remain\n const headers: Record = {};\n for (const provider of this.providers) {\n if (isSessionProvider(provider)) {\n try {\n const providerHeaders = provider.getClearSessionHeaders();\n Object.assign(headers, providerHeaders);\n } catch {\n // Ignore errors\n }\n }\n }\n return headers;\n }\n\n // ============================================================================\n // IUserProvider Implementation\n // Try each provider until one returns a user (like authenticateToken)\n // ============================================================================\n\n async getCurrentUser(request: Request): Promise {\n for (const provider of this.providers) {\n if (isUserProvider(provider)) {\n try {\n const user = await provider.getCurrentUser(request);\n if (user) return user;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n async getUser(userId: string): Promise {\n for (const provider of this.providers) {\n if (isUserProvider(provider)) {\n try {\n const user = await provider.getUser(userId);\n if (user) return user;\n } catch {\n // Try next provider\n }\n }\n }\n return null;\n }\n\n async getUsers(userIds: string[]): Promise> {\n return Promise.all(userIds.map(userId => this.getUser(userId)));\n }\n}\n\nconst DEFAULT_HEADERS = ['Authorization', 'X-Playground-Access'];\n\ntype TokenToUser = Record;\n\nexport interface SimpleAuthOptions extends MastraAuthProviderOptions {\n /**\n * Valid tokens to authenticate against\n */\n tokens: TokenToUser;\n /**\n * Headers to check for authentication\n * @default ['Authorization', 'X-Playground-Access']\n */\n headers?: string | string[];\n}\n\nexport class SimpleAuth extends MastraAuthProvider {\n /**\n * Marker to exempt SimpleAuth from EE license requirement.\n * SimpleAuth is for development/testing and should work without a license.\n */\n readonly isSimpleAuth = true;\n\n private tokens: TokenToUser;\n private headers: string[];\n private users: TUser[];\n private userById: Map;\n\n constructor(options: SimpleAuthOptions) {\n super(options);\n this.tokens = options.tokens;\n this.users = Object.values(this.tokens);\n this.headers = [...DEFAULT_HEADERS].concat(options.headers || []);\n this.userById = new Map(this.users.map(u => [String((u as any)?.id), u]));\n }\n\n async authenticateToken(token: string, request: MastraAuthRequest): Promise {\n const requestTokens = this.getTokensFromHeaders(token, request);\n\n for (const requestToken of requestTokens) {\n const tokenToUser = this.tokens[requestToken];\n if (tokenToUser) {\n return tokenToUser;\n }\n }\n\n return this.getUserFromCookie(getRequestHeader(request, 'Cookie'));\n }\n\n async authorizeUser(user: TUser, _request: MastraAuthRequest): Promise {\n return this.users.includes(user);\n }\n\n /** Get current user from request headers or cookie. */\n async getCurrentUser(request: Request): Promise {\n // Check headers first\n for (const headerName of this.headers) {\n const headerValue = request.headers.get(headerName);\n if (headerValue) {\n const token = this.stripBearerPrefix(headerValue);\n const user = this.tokens[token];\n if (user) {\n return user;\n }\n }\n }\n\n return this.getUserFromCookie(request.headers.get('Cookie'));\n }\n\n private getUserFromCookie(cookieHeader: string | null | undefined): TUser | null {\n if (!cookieHeader) return null;\n\n const cookies = cookieHeader.split(';').map(c => c.trim());\n for (const cookie of cookies) {\n if (cookie.startsWith('mastra-token=')) {\n const token = cookie.slice('mastra-token='.length);\n const user = this.tokens[token];\n if (user) {\n return user;\n }\n }\n }\n return null;\n }\n\n /** Get user by ID. */\n async getUser(userId: string): Promise {\n return this.userById.get(userId) ?? null;\n }\n\n async getUsers(userIds: string[]): Promise> {\n return userIds.map(userId => this.userById.get(userId) ?? null);\n }\n\n /**\n * Sign in with token (passed as password field).\n * The email field is ignored - only the token matters.\n */\n async signIn(_email: string, password: string, _request: Request): Promise> {\n const token = password;\n const user = this.tokens[token];\n\n if (!user) {\n throw new Error('Invalid token');\n }\n\n // Set cookie so the token persists across requests\n const cookie = `mastra-token=${token}; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400`;\n\n return {\n user,\n token,\n cookies: [cookie],\n };\n }\n\n async signUp(): Promise> {\n throw new Error('Sign up is not supported with SimpleAuth. Use pre-configured tokens.');\n }\n\n isSignUpEnabled(): boolean {\n return false;\n }\n\n /**\n * Get headers to clear the session cookie on logout.\n * Partial ISessionProvider implementation for logout support.\n */\n getClearSessionHeaders(): Record {\n return {\n 'Set-Cookie': 'mastra-token=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0',\n };\n }\n\n private stripBearerPrefix(token: string): string {\n return token.startsWith('Bearer ') ? token.slice(7) : token;\n }\n\n private getTokensFromHeaders(token: string, request: MastraAuthRequest): string[] {\n const tokens = [token];\n for (const headerName of this.headers) {\n const headerValue = getRequestHeader(request, headerName);\n if (headerValue) {\n tokens.push(this.stripBearerPrefix(headerValue));\n }\n }\n return tokens;\n }\n}\n","/**\n * Hono/Web Request session storage adapter for WorkOS AuthKit.\n *\n * Implements the SessionStorage interface for standard Web Request/Response\n * objects used by Hono and other modern frameworks.\n */\n\nimport { CookieSessionStorage } from '@workos/authkit-session';\nimport type { AuthKitConfig } from '@workos/authkit-session';\n\n/**\n * Session storage adapter for Web Request/Response (used by Hono).\n *\n * Extracts session cookies from standard Request objects and\n * builds Set-Cookie headers for Response objects.\n */\nexport class WebSessionStorage extends CookieSessionStorage {\n constructor(config: AuthKitConfig) {\n super(config);\n }\n\n /**\n * Extract a named cookie from a Request.\n *\n * @param request - Standard Web Request object\n * @param name - Cookie name\n * @returns The decoded cookie value or null if not present\n */\n async getCookie(request: Request, name: string): Promise {\n const cookieHeader = request.headers.get('Cookie');\n if (!cookieHeader) {\n return null;\n }\n\n const cookies = cookieHeader.split(';').reduce(\n (acc, cookie) => {\n const [cookieName, ...valueParts] = cookie.trim().split('=');\n if (cookieName) {\n acc[cookieName] = decodeURIComponent(valueParts.join('='));\n }\n return acc;\n },\n {} as Record,\n );\n\n return cookies[name] ?? null;\n }\n}\n","/**\n * Shared types for WorkOS integration.\n */\n\nimport type {\n EEUser,\n FGARouteResolver,\n MastraFGAPermission,\n MastraFGAPermissionInput,\n RoleMapping,\n} from '@internal/auth/ee';\nimport type { JwtPayload } from '@mastra/auth';\nimport type { User, OrganizationMembership } from '@workos-inc/node';\n\n// ============================================================================\n// User Types\n// ============================================================================\n\n/**\n * Extended EEUser with WorkOS-specific fields.\n */\nexport interface WorkOSUser extends EEUser {\n /** WorkOS user ID */\n workosId: string;\n /** Primary organization ID (if any) */\n organizationId?: string;\n /** Organization memberships with roles */\n memberships?: OrganizationMembership[];\n /** Pre-resolved organization membership ID (if available) */\n organizationMembershipId?: string;\n}\n\n/**\n * Maps a WorkOS User to EEUser format.\n */\nexport function mapWorkOSUserToEEUser(user: User): EEUser {\n return {\n id: user.id,\n email: user.email,\n name: user.firstName && user.lastName ? `${user.firstName} ${user.lastName}` : user.firstName || user.email,\n avatarUrl: user.profilePictureUrl ?? undefined,\n metadata: {\n workosId: user.id,\n emailVerified: user.emailVerified,\n createdAt: user.createdAt,\n },\n };\n}\n\n// ============================================================================\n// Auth Provider Options\n// ============================================================================\n\n/**\n * SSO configuration options.\n */\nexport interface WorkOSSSOConfig {\n /** Default organization for SSO (if not using org selector) */\n defaultOrganization?: string;\n /** Connection ID for direct SSO (bypasses org selector) */\n connection?: string;\n /** Identity provider for OAuth (e.g., 'GoogleOAuth', 'MicrosoftOAuth') */\n provider?: 'GoogleOAuth' | 'MicrosoftOAuth' | 'GitHubOAuth' | 'AppleOAuth';\n}\n\n/**\n * Session configuration options.\n */\nexport interface WorkOSSessionConfig {\n /** Cookie name for session storage */\n cookieName?: string;\n /**\n * Password for encrypting session cookies.\n * Must be at least 32 characters.\n * Defaults to WORKOS_COOKIE_PASSWORD env var.\n */\n cookiePassword?: string;\n /** Session duration in seconds (default: 400 days) */\n maxAge?: number;\n /** Use secure cookies (HTTPS only, default: true in production) */\n secure?: boolean;\n /** Cookie path (default: '/') */\n path?: string;\n /** SameSite attribute (default: 'Lax') */\n sameSite?: 'Strict' | 'Lax' | 'None';\n}\n\n/**\n * Mapping from a verified bearer JWT payload into a WorkOSUser.\n *\n * Use this when your WorkOS JWT template includes custom claims such as\n * `organizationMembershipId`, tenant IDs, or service-account identifiers.\n */\nexport interface WorkOSJwtClaimsConfig {\n /** Claim path for the Mastra user ID. Defaults to `sub`. */\n userId?: string;\n /** Claim path for the WorkOS user ID. Defaults to the resolved userId. */\n workosId?: string;\n /** Claim path for the user's email. Defaults to `email`. */\n email?: string;\n /** Claim path for the user's display name. Defaults to `name`. */\n name?: string;\n /** Claim path for the organization ID. Defaults to `org_id`. */\n organizationId?: string;\n /** Claim path for the organization membership ID used by FGA. */\n organizationMembershipId?: string;\n}\n\n/**\n * Options for MastraAuthWorkos.\n */\nexport interface MastraAuthWorkosOptions {\n /** WorkOS API key (defaults to WORKOS_API_KEY env var) */\n apiKey?: string;\n /** WorkOS Client ID (defaults to WORKOS_CLIENT_ID env var) */\n clientId?: string;\n /** OAuth redirect URI (defaults to WORKOS_REDIRECT_URI env var) */\n redirectUri?: string;\n /** SSO configuration */\n sso?: WorkOSSSOConfig;\n /** Session configuration */\n session?: WorkOSSessionConfig;\n /** Custom provider name (default: 'workos') */\n name?: string;\n /**\n * Whether to fetch organization memberships during authentication.\n *\n * Memberships are required for FGA (Fine-Grained Authorization) checks.\n * When FGA is not configured, set this to `false` to skip the extra\n * network call to `listOrganizationMemberships` on every authenticated request.\n *\n * Defaults to `false`. Set to `true` when using `MastraFGAWorkos`.\n */\n fetchMemberships?: boolean;\n /**\n * Claim mapping for verified bearer JWTs.\n *\n * This is useful when your WorkOS JWT template includes custom claims such as\n * `organizationMembershipId`, team IDs, or service-account identity fields.\n */\n jwtClaims?: WorkOSJwtClaimsConfig;\n /**\n * When `true`, trust the verified bearer JWT claims enough to construct a\n * `WorkOSUser` even if `workos.userManagement.getUser()` does not apply.\n *\n * Use this for machine-to-machine or service-account tokens backed by a\n * WorkOS custom JWT template.\n *\n * Defaults to `false`.\n */\n trustJwtClaims?: boolean;\n /**\n * Optional escape hatch for advanced bearer-token claim mapping.\n * Runs after `jwtClaims` mapping and can override or augment the resolved user.\n */\n mapJwtPayloadToUser?: (payload: JwtPayload) => Partial | null | undefined;\n}\n\n// ============================================================================\n// RBAC Provider Options\n// ============================================================================\n\n/**\n * Cache configuration options for RBAC permission caching.\n */\nexport interface PermissionCacheOptions {\n /** Maximum number of users to cache (default: 1000) */\n maxSize?: number;\n /** Time-to-live in milliseconds (default: 60000) */\n ttlMs?: number;\n}\n\n/**\n * Options for MastraRBACWorkos.\n */\nexport interface MastraRBACWorkosOptions {\n /** WorkOS API key (defaults to WORKOS_API_KEY env var) */\n apiKey?: string;\n /** WorkOS Client ID (defaults to WORKOS_CLIENT_ID env var) */\n clientId?: string;\n\n /**\n * Map WorkOS organization roles to Mastra permissions.\n *\n * @example\n * ```typescript\n * roleMapping: {\n * 'admin': ['*'],\n * 'member': ['agents:read', 'workflows:*'],\n * 'viewer': ['agents:read', 'workflows:read'],\n * '_default': [],\n * }\n * ```\n */\n roleMapping: RoleMapping;\n\n /**\n * Organization ID to check roles for.\n * If not provided, uses the first organization the user belongs to.\n */\n organizationId?: string;\n\n /** Permission cache configuration */\n cache?: PermissionCacheOptions;\n}\n\n// ============================================================================\n// FGA Types\n// ============================================================================\n\n/**\n * Configuration for mapping Mastra resource types to FGA resource types.\n *\n * @example\n * ```typescript\n * {\n * agent: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },\n * workflow: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },\n * thread: { fgaResourceType: 'workspace-thread', deriveId: ({ resourceId }) => resourceId },\n * }\n * ```\n */\nexport interface FGAResourceMappingEntry {\n /** The FGA resource type slug in WorkOS */\n fgaResourceType: string;\n /**\n * Parent FGA resource type slug used for batched WorkOS resource discovery.\n *\n * Set this when `deriveId` returns a parent resource ID without a concrete\n * child resource ID. For example, an agent mapping with\n * `fgaResourceType: 'team-agent'` can use `parentFgaResourceType: 'team'`.\n */\n parentFgaResourceType?: string;\n /** Alias for parentFgaResourceType. */\n parentResourceTypeSlug?: string;\n /**\n * Derive the FGA resource ID from request/user context.\n * Return `undefined` to fall back to the raw Mastra resource ID.\n */\n deriveId?: (ctx: { user: any; resourceId?: string; requestContext?: unknown }) => string | undefined;\n}\n\nexport type MastraFGAPermissionMapping = Partial> & Record;\n\n/**\n * Options for MastraFGAWorkos provider.\n *\n * @example\n * ```typescript\n * import { MastraFGAPermissions } from '@internal/auth/ee';\n *\n * new MastraFGAWorkos({\n * resourceMapping: {\n * agent: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },\n * },\n * permissionMapping: {\n * [MastraFGAPermissions.AGENTS_EXECUTE]: 'manage-workflows',\n * },\n * requireForProtectedRoutes: true,\n * auditProtectedRoutes: 'warn',\n * });\n * ```\n */\nexport interface MastraFGAWorkosOptions {\n /** WorkOS API key (defaults to WORKOS_API_KEY env var) */\n apiKey?: string;\n /** WorkOS Client ID (defaults to WORKOS_CLIENT_ID env var) */\n clientId?: string;\n /**\n * Organization ID to scope FGA checks to.\n * When a user has multiple organization memberships, this determines\n * which membership to use for authorization checks.\n * If not provided, uses the first membership found on the user object.\n */\n organizationId?: string;\n /**\n * Map Mastra resource types to WorkOS FGA resource types.\n * Keys are Mastra resource types (e.g., 'agent', 'workflow', 'thread').\n * Legacy aliases such as 'agents', 'workflows', and 'memory' are also accepted.\n */\n resourceMapping?: Record;\n /**\n * Map Mastra permission strings to WorkOS permission slugs.\n * Keys are Mastra permissions such as MastraFGAPermissions.AGENTS_EXECUTE,\n * values are WorkOS permission slugs.\n */\n permissionMapping?: MastraFGAPermissionMapping;\n /**\n * When true, protected routes without route-level FGA metadata or resolver\n * output are denied instead of being allowed through.\n *\n * @default false\n */\n requireForProtectedRoutes?: boolean;\n /**\n * Audits protected routes that do not have built-in FGA metadata.\n * Use `true` or `'warn'` to log a startup warning, `'error'` to fail startup,\n * or `false` to disable the audit.\n *\n * @default false\n */\n auditProtectedRoutes?: boolean | 'warn' | 'error';\n /**\n * Global route FGA resolver. Prefer route-level `fga` metadata for custom\n * routes. Use this when metadata must be derived centrally from route,\n * params, or request context.\n */\n resolveRouteFGA?: FGARouteResolver;\n /**\n * Optional startup validation for provider-specific permission mappings.\n * Throw when a permission Mastra may emit is not configured for WorkOS.\n */\n validatePermissions?: (permissions: MastraFGAPermissionInput[]) => void | Promise;\n}\n\n// ============================================================================\n// Directory Sync Types\n// ============================================================================\n\n/**\n * Handlers for Directory Sync webhook events.\n */\nexport interface DirectorySyncHandlers {\n /** Called when a user is created in the directory */\n onUserCreated?: (data: DirectorySyncUserData) => Promise;\n /** Called when a user is updated in the directory */\n onUserUpdated?: (data: DirectorySyncUserData) => Promise;\n /** Called when a user is deleted from the directory */\n onUserDeleted?: (data: DirectorySyncUserData) => Promise;\n /** Called when a group is created */\n onGroupCreated?: (data: DirectorySyncGroupData) => Promise;\n /** Called when a group is updated */\n onGroupUpdated?: (data: DirectorySyncGroupData) => Promise;\n /** Called when a group is deleted */\n onGroupDeleted?: (data: DirectorySyncGroupData) => Promise;\n /** Called when a user is added to a group */\n onGroupUserAdded?: (data: { group: DirectorySyncGroupData; user: DirectorySyncUserData }) => Promise;\n /** Called when a user is removed from a group */\n onGroupUserRemoved?: (data: { group: DirectorySyncGroupData; user: DirectorySyncUserData }) => Promise;\n}\n\n/**\n * User data from Directory Sync events.\n */\nexport interface DirectorySyncUserData {\n id: string;\n directoryId: string;\n organizationId?: string;\n idpId: string;\n firstName?: string;\n lastName?: string;\n jobTitle?: string;\n emails: Array<{ primary: boolean; type?: string; value: string }>;\n username?: string;\n groups: Array<{ id: string; name: string }>;\n state: 'active' | 'inactive';\n rawAttributes: Record;\n customAttributes: Record;\n createdAt: string;\n updatedAt: string;\n}\n\n/**\n * Group data from Directory Sync events.\n */\nexport interface DirectorySyncGroupData {\n id: string;\n directoryId: string;\n organizationId?: string;\n idpId: string;\n name: string;\n createdAt: string;\n updatedAt: string;\n rawAttributes: Record;\n}\n\n/**\n * Options for WorkOSDirectorySync.\n */\nexport interface WorkOSDirectorySyncOptions {\n /** Webhook secret for signature verification (defaults to WORKOS_WEBHOOK_SECRET env var) */\n webhookSecret?: string;\n /** Event handlers */\n handlers: DirectorySyncHandlers;\n}\n\n// ============================================================================\n// Admin Portal Types\n// ============================================================================\n\n/**\n * Admin Portal intent - what the user wants to configure.\n */\nexport type AdminPortalIntent = 'sso' | 'dsync' | 'audit_logs' | 'log_streams';\n\n/**\n * Options for WorkOSAdminPortal.\n */\nexport interface WorkOSAdminPortalOptions {\n /** Return URL after portal configuration is complete */\n returnUrl?: string;\n}\n","/**\n * MastraAuthWorkos - WorkOS authentication provider for Mastra.\n *\n * Uses @workos/authkit-session for session management with encrypted\n * cookie-based sessions that persist across server restarts.\n */\n\nimport type {\n IUserProvider,\n ISSOProvider,\n ISessionProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n} from '@internal/auth';\nimport type { EEUser } from '@internal/auth/ee';\nimport type { MastraAuthProviderOptions } from '@internal/auth/provider';\nimport { MastraAuthProvider } from '@internal/auth/provider';\nimport { verifyJwks } from '@mastra/auth';\nimport type { JwtPayload } from '@mastra/auth';\nimport { AuthService, sessionEncryption } from '@workos/authkit-session';\nimport type { AuthKitConfig } from '@workos/authkit-session';\nimport { WorkOS } from '@workos-inc/node';\nimport type { OrganizationMembership } from '@workos-inc/node';\nimport { LRUCache } from 'lru-cache';\n\ntype HonoRequestLike = {\n raw?: Request;\n headers?: Headers;\n header(name: string): string | undefined;\n};\n\ntype MastraAuthRequest = Request | HonoRequestLike;\n\nfunction getWebRequest(request: MastraAuthRequest): Request | undefined {\n if (request instanceof Request) {\n return request;\n }\n\n return request.raw instanceof Request ? request.raw : undefined;\n}\n\nimport { WebSessionStorage } from './session-storage.js';\nimport type { WorkOSUser, MastraAuthWorkosOptions } from './types.js';\nimport { mapWorkOSUserToEEUser } from './types.js';\n\n/**\n * Default cookie password for development (MUST be overridden in production).\n * Generated once per process to ensure consistency during dev.\n */\nconst DEV_COOKIE_PASSWORD = crypto.randomUUID() + crypto.randomUUID(); // 72 chars\nconst MEMBERSHIP_CACHE_TTL_MS = 60 * 1000;\nconst MEMBERSHIP_CACHE_MAX_SIZE = 1000;\n\n/**\n * Mastra authentication provider for WorkOS.\n *\n * Uses WorkOS AuthKit with encrypted cookie-based sessions.\n * Sessions are stored in cookies, so they persist across server restarts.\n *\n * @example Basic usage with SSO\n * ```typescript\n * import { MastraAuthWorkos } from '@mastra/auth-workos';\n *\n * const auth = new MastraAuthWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * redirectUri: 'https://myapp.com/auth/callback',\n * cookiePassword: process.env.WORKOS_COOKIE_PASSWORD, // min 32 chars\n * });\n * ```\n */\nexport class MastraAuthWorkos\n extends MastraAuthProvider\n implements IUserProvider, ISSOProvider, ISessionProvider\n{\n protected workos: WorkOS;\n protected clientId: string;\n protected redirectUri: string;\n protected ssoConfig: MastraAuthWorkosOptions['sso'];\n protected authService: AuthService;\n protected config: AuthKitConfig;\n protected fetchMemberships: boolean;\n protected trustJwtClaims: boolean;\n protected jwtClaimOptions?: MastraAuthWorkosOptions['jwtClaims'];\n protected mapJwtPayloadToUser?: MastraAuthWorkosOptions['mapJwtPayloadToUser'];\n protected membershipCache: LRUCache;\n\n constructor(options?: MastraAuthWorkosOptions) {\n super({ name: options?.name ?? 'workos' });\n\n const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;\n const redirectUri = options?.redirectUri ?? process.env.WORKOS_REDIRECT_URI;\n const cookiePassword =\n options?.session?.cookiePassword ?? process.env.WORKOS_COOKIE_PASSWORD ?? DEV_COOKIE_PASSWORD;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required. ' +\n 'Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables.',\n );\n }\n\n if (!redirectUri) {\n throw new Error(\n 'WorkOS redirect URI is required. ' +\n 'Provide it in the options or set WORKOS_REDIRECT_URI environment variable.',\n );\n }\n\n if (cookiePassword.length < 32) {\n throw new Error(\n 'Cookie password must be at least 32 characters. ' +\n 'Set WORKOS_COOKIE_PASSWORD environment variable or provide session.cookiePassword option.',\n );\n }\n\n this.clientId = clientId;\n this.redirectUri = redirectUri;\n this.ssoConfig = options?.sso;\n this.fetchMemberships = options?.fetchMemberships ?? false;\n this.trustJwtClaims = options?.trustJwtClaims ?? false;\n this.jwtClaimOptions = options?.jwtClaims;\n this.mapJwtPayloadToUser = options?.mapJwtPayloadToUser;\n this.membershipCache = new LRUCache({\n max: MEMBERSHIP_CACHE_MAX_SIZE,\n ttl: MEMBERSHIP_CACHE_TTL_MS,\n });\n\n // Create WorkOS client\n this.workos = new WorkOS(apiKey, { clientId });\n\n // Create AuthKit config\n this.config = {\n clientId,\n apiKey,\n redirectUri,\n cookiePassword,\n cookieName: options?.session?.cookieName ?? 'wos_session',\n cookieMaxAge: options?.session?.maxAge ?? 60 * 60 * 24 * 400, // 400 days\n cookieSameSite: options?.session?.sameSite?.toLowerCase() as 'lax' | 'strict' | 'none' | undefined,\n cookieDomain: undefined,\n apiHttps: true,\n };\n\n // Create session storage and auth service\n const storage = new WebSessionStorage(this.config);\n // Cast needed: @workos/authkit-session pins @workos-inc/node@8.0.0 but we use 8.8.0.\n // The runtime API is compatible; only private HttpClient types differ.\n this.authService = new AuthService(this.config, storage, this.workos as any, sessionEncryption);\n\n this.registerOptions(options as MastraAuthProviderOptions);\n\n if (cookiePassword === DEV_COOKIE_PASSWORD) {\n console.warn(\n '[WorkOS] Using auto-generated cookie password for development. ' +\n 'Sessions will not persist across server restarts. ' +\n 'Set WORKOS_COOKIE_PASSWORD for persistent sessions.',\n );\n }\n }\n\n // ============================================================================\n // MastraAuthProvider Implementation\n // ============================================================================\n\n /**\n * Authenticate a bearer token or session cookie.\n *\n * Uses AuthKit's withAuth() for cookie-based sessions, falls back to\n * JWT verification for bearer tokens.\n */\n async authenticateToken(token: string, request: MastraAuthRequest): Promise {\n try {\n // First try session-based auth via AuthKit\n const webRequest = getWebRequest(request);\n const { auth } = webRequest ? await this.authService.withAuth(webRequest) : { auth: { user: null } };\n\n if (auth.user) {\n // Fetch memberships only when FGA is configured (fetchMemberships: true).\n // Skipping this call avoids an extra network round-trip on every\n // authenticated request when FGA is not in use.\n let memberships: OrganizationMembership[] | undefined;\n if (this.fetchMemberships) {\n try {\n memberships = await this.getMemberships(auth.user.id);\n } catch {\n // Ignore membership fetch errors — FGA will gracefully degrade\n }\n }\n\n return {\n ...mapWorkOSUserToEEUser(auth.user),\n workosId: auth.user.id,\n organizationId: auth.organizationId,\n memberships,\n };\n }\n\n // Fall back to JWT verification for bearer tokens\n if (token) {\n const jwksUri = this.workos.userManagement.getJwksUrl(this.clientId);\n const payload = await verifyJwks(token, jwksUri);\n const jwtUser = this.resolveJwtPayloadUser(payload);\n\n if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {\n return await this.attachMembershipsIfNeeded(jwtUser);\n }\n\n if (payload?.sub) {\n try {\n const user = await this.workos.userManagement.getUser(payload.sub);\n let memberships: OrganizationMembership[] | undefined;\n\n // Fetch memberships only when FGA is configured (fetchMemberships: true).\n if (this.fetchMemberships) {\n try {\n memberships = await this.getMemberships(user.id);\n } catch {\n memberships = undefined;\n }\n }\n\n return this.mergeJwtPayloadUser(\n {\n ...mapWorkOSUserToEEUser(user),\n workosId: user.id,\n organizationId: this.getSingleMembershipOrganizationId(memberships),\n memberships,\n },\n jwtUser,\n { trustOrganizationClaims: this.trustJwtClaims },\n );\n } catch {\n if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {\n return await this.attachMembershipsIfNeeded(jwtUser);\n }\n return null;\n }\n }\n\n if (this.trustJwtClaims && jwtUser?.id && jwtUser?.workosId) {\n return await this.attachMembershipsIfNeeded(jwtUser);\n }\n }\n\n return null;\n } catch {\n return null;\n }\n }\n\n /**\n * Authorize a user for access.\n */\n async authorizeUser(user: WorkOSUser): Promise {\n return !!user?.id && !!user?.workosId;\n }\n\n // ============================================================================\n // IUserProvider Implementation\n // ============================================================================\n\n /**\n * Get the current user from the request using AuthKit session.\n */\n async getCurrentUser(request: Request): Promise {\n try {\n const { auth, refreshedSessionData } = await this.authService.withAuth(request);\n\n if (!auth.user) {\n return null;\n }\n\n // Get organizationId from JWT claims, or fall back to fetching from memberships.\n // The fallback fetch is skipped when fetchMemberships is false (FGA not configured)\n // to avoid an extra network call on every authenticated request.\n let organizationId = auth.organizationId;\n let memberships: OrganizationMembership[] | undefined;\n if (this.fetchMemberships) {\n try {\n memberships = await this.getMemberships(auth.user.id);\n organizationId ??= this.getSingleMembershipOrganizationId(memberships);\n } catch {\n // Ignore membership fetch errors\n }\n }\n\n // Build user with session data\n const user: WorkOSUser = {\n ...mapWorkOSUserToEEUser(auth.user),\n workosId: auth.user.id,\n organizationId,\n memberships,\n };\n\n // If session was refreshed, attach to user object for caller to save\n if (refreshedSessionData) {\n (user as any)._refreshedSessionData = refreshedSessionData;\n }\n\n return user;\n } catch {\n return null;\n }\n }\n\n /**\n * Get a user by their ID.\n */\n async getUser(userId: string): Promise {\n try {\n const user = await this.workos.userManagement.getUser(userId);\n return {\n ...mapWorkOSUserToEEUser(user),\n workosId: user.id,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * Get the URL to the user's profile page.\n */\n getUserProfileUrl(user: EEUser): string {\n return `/profile/${user.id}`;\n }\n\n private async getMemberships(userId: string): Promise {\n const cached = this.membershipCache.get(userId);\n if (cached) {\n return cached;\n }\n\n try {\n const response = await this.workos.userManagement.listOrganizationMemberships({\n userId,\n });\n\n const memberships = await response.autoPagination();\n this.membershipCache.set(userId, memberships);\n return memberships;\n } catch (error) {\n this.membershipCache.delete(userId);\n throw error;\n }\n }\n\n private async attachMembershipsIfNeeded(user: WorkOSUser): Promise {\n if (!this.fetchMemberships || user.organizationMembershipId) {\n return user;\n }\n\n try {\n const memberships = await this.getMemberships(user.workosId);\n return {\n ...user,\n organizationId: user.organizationId ?? this.getSingleMembershipOrganizationId(memberships),\n memberships,\n };\n } catch {\n return user;\n }\n }\n\n private getSingleMembershipOrganizationId(memberships?: OrganizationMembership[]): string | undefined {\n return memberships?.length === 1 ? memberships[0]?.organizationId : undefined;\n }\n\n private resolveJwtPayloadUser(payload: JwtPayload | null): WorkOSUser | null {\n if (!payload) {\n return null;\n }\n\n const mappedClaims = this.buildUserFromJwtClaims(payload);\n const customMappedClaims = this.mapJwtPayloadToUser?.(payload) ?? undefined;\n const combined = {\n ...(payload as Record),\n ...(mappedClaims ?? {}),\n ...(customMappedClaims ?? {}),\n } as Partial & Record;\n\n const id = typeof combined.id === 'string' ? combined.id : undefined;\n const workosId = typeof combined.workosId === 'string' ? combined.workosId : id;\n if (!id || !workosId) {\n return null;\n }\n\n const metadata =\n combined.metadata && typeof combined.metadata === 'object' && !Array.isArray(combined.metadata)\n ? combined.metadata\n : undefined;\n\n return {\n ...combined,\n id,\n workosId,\n email: typeof combined.email === 'string' ? combined.email : undefined,\n name:\n typeof combined.name === 'string' ? combined.name : typeof combined.email === 'string' ? combined.email : id,\n organizationId: typeof combined.organizationId === 'string' ? combined.organizationId : undefined,\n organizationMembershipId:\n typeof combined.organizationMembershipId === 'string' ? combined.organizationMembershipId : undefined,\n metadata: {\n ...(metadata ?? {}),\n workosId,\n ...(typeof combined.organizationId === 'string' ? { organizationId: combined.organizationId } : {}),\n ...(typeof combined.organizationMembershipId === 'string'\n ? { organizationMembershipId: combined.organizationMembershipId }\n : {}),\n },\n };\n }\n\n private buildUserFromJwtClaims(payload: JwtPayload): Partial | null {\n const userId = this.readJwtClaim(payload, this.jwtClaimOptions?.userId) ?? this.readJwtClaim(payload, 'sub');\n const workosId = this.readJwtClaim(payload, this.jwtClaimOptions?.workosId) ?? userId;\n\n if (!userId || !workosId) {\n return null;\n }\n\n return {\n id: userId,\n workosId,\n email: this.readJwtClaim(payload, this.jwtClaimOptions?.email) ?? this.readJwtClaim(payload, 'email'),\n name: this.readJwtClaim(payload, this.jwtClaimOptions?.name) ?? this.readJwtClaim(payload, 'name'),\n organizationId:\n this.readJwtClaim(payload, this.jwtClaimOptions?.organizationId) ?? this.readJwtClaim(payload, 'org_id'),\n organizationMembershipId: this.readJwtClaim(payload, this.jwtClaimOptions?.organizationMembershipId),\n };\n }\n\n private mergeJwtPayloadUser(\n user: WorkOSUser,\n jwtUser: WorkOSUser | null,\n options?: { trustOrganizationClaims?: boolean },\n ): WorkOSUser {\n if (!jwtUser) {\n return user;\n }\n\n const trustOrganizationClaims = options?.trustOrganizationClaims ?? true;\n const jwtMetadata = { ...(jwtUser.metadata ?? {}) };\n if (!trustOrganizationClaims) {\n delete jwtMetadata.organizationId;\n delete jwtMetadata.organizationMembershipId;\n }\n\n return {\n ...jwtUser,\n ...user,\n organizationId: trustOrganizationClaims ? (jwtUser.organizationId ?? user.organizationId) : user.organizationId,\n organizationMembershipId: trustOrganizationClaims\n ? (jwtUser.organizationMembershipId ?? user.organizationMembershipId)\n : user.organizationMembershipId,\n memberships: trustOrganizationClaims ? (user.memberships ?? jwtUser.memberships) : user.memberships,\n metadata: {\n ...jwtMetadata,\n ...(user.metadata ?? {}),\n },\n };\n }\n\n private readJwtClaim(payload: JwtPayload, claimPath?: string): string | undefined {\n if (!claimPath) {\n return undefined;\n }\n\n let current: unknown = payload;\n for (const segment of claimPath.split('.')) {\n if (!current || typeof current !== 'object' || !(segment in current)) {\n return undefined;\n }\n current = (current as Record)[segment];\n }\n\n return typeof current === 'string' ? current : undefined;\n }\n\n // ============================================================================\n // ISSOProvider Implementation\n // ============================================================================\n\n /**\n * Get the URL to redirect users to for SSO login.\n */\n getLoginUrl(redirectUri: string, state: string): string {\n const baseOptions = {\n clientId: this.clientId,\n redirectUri: redirectUri || this.redirectUri,\n state,\n };\n\n if (this.ssoConfig?.connection) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n connectionId: this.ssoConfig.connection,\n });\n } else if (this.ssoConfig?.provider) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n provider: this.ssoConfig.provider,\n });\n } else if (this.ssoConfig?.defaultOrganization) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n organizationId: this.ssoConfig.defaultOrganization,\n });\n }\n\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n provider: 'authkit',\n });\n }\n\n /**\n * Handle the OAuth callback from WorkOS.\n *\n * Uses WorkOS SDK's authenticateWithCode directly instead of AuthKit's handleCallback.\n * AuthKit's handleCallback requires PKCE cookies that must be set during getLoginUrl()\n * and read during handleCallback(), but our ISSOProvider interface separates these\n * calls across different requests without cookie propagation.\n *\n * This approach was the original implementation before commit 6e4d4f5cf3 introduced\n * a regression by switching to AuthKit's handleCallback with dummy Request/Response\n * objects that couldn't provide the required PKCE cookies.\n */\n async handleCallback(code: string, _state: string): Promise> {\n // Use WorkOS SDK directly to exchange code for tokens (server-side, no PKCE required)\n const authResponse = await this.workos.userManagement.authenticateWithCode({\n clientId: this.clientId,\n code,\n });\n\n const user: WorkOSUser = {\n ...mapWorkOSUserToEEUser(authResponse.user),\n workosId: authResponse.user.id,\n organizationId: authResponse.organizationId,\n };\n\n // Create encrypted session cookie using AuthKit's encryption\n const sessionData = {\n accessToken: authResponse.accessToken,\n refreshToken: authResponse.refreshToken,\n user: authResponse.user,\n organizationId: authResponse.organizationId,\n impersonator: authResponse.impersonator,\n };\n\n // Use this.config for cookie settings to ensure consistency with read/clear paths\n const cookiePassword = this.config.cookiePassword;\n const cookieName = this.config.cookieName ?? 'wos_session';\n let cookies: string[] | undefined;\n\n if (cookiePassword) {\n const encryptedSession = await sessionEncryption.sealData(sessionData, { password: cookiePassword });\n // Set cookie with secure defaults matching AuthKit config\n const cookieOptions = [\n `${cookieName}=${encryptedSession}`,\n 'Path=/',\n 'HttpOnly',\n `SameSite=${this.config.cookieSameSite ?? 'Lax'}`,\n process.env['NODE_ENV'] === 'production' ? 'Secure' : '',\n ]\n .filter(Boolean)\n .join('; ');\n cookies = [cookieOptions];\n }\n\n return {\n user,\n tokens: {\n accessToken: authResponse.accessToken,\n refreshToken: authResponse.refreshToken,\n },\n cookies,\n };\n }\n\n /**\n * Get the URL to redirect users to for logout.\n * Extracts session ID from the request's JWT to build a valid WorkOS logout URL.\n *\n * @param redirectUri - URL to redirect to after logout\n * @param request - Request containing session cookie (needed to extract sid)\n * @returns Logout URL or null if no active session\n */\n async getLogoutUrl(redirectUri: string, request?: Request): Promise {\n // WorkOS logout requires session_id from the JWT's sid claim\n if (!request) {\n return null;\n }\n\n try {\n const { auth } = await this.authService.withAuth(request);\n\n // No active session\n if (!auth.user) {\n return null;\n }\n\n // Decode JWT to extract sid claim (don't verify, just decode)\n const [, payloadBase64] = auth.accessToken.split('.');\n if (!payloadBase64) {\n return null;\n }\n\n const payload = JSON.parse(atob(payloadBase64));\n const sessionId = payload.sid;\n\n if (!sessionId) {\n return null;\n }\n\n return this.workos.userManagement.getLogoutUrl({ sessionId, returnTo: redirectUri });\n } catch {\n return null;\n }\n }\n\n /**\n * Get the configuration for rendering the login button.\n */\n getLoginButtonConfig(): SSOLoginConfig {\n let text = 'Sign in';\n if (this.ssoConfig?.provider) {\n const providerNames: Record = {\n GoogleOAuth: 'Google',\n MicrosoftOAuth: 'Microsoft',\n GitHubOAuth: 'GitHub',\n AppleOAuth: 'Apple',\n };\n const providerName = providerNames[this.ssoConfig.provider];\n if (providerName) {\n text = `Sign in with ${providerName}`;\n }\n }\n\n return {\n provider: 'workos',\n text,\n };\n }\n\n // ============================================================================\n // ISessionProvider Implementation\n // ============================================================================\n\n /**\n * Create a new session for a user.\n *\n * Note: With AuthKit, sessions are created via handleCallback.\n * This method is kept for interface compatibility.\n */\n async createSession(userId: string, metadata?: Record): Promise {\n const sessionId = crypto.randomUUID();\n const now = new Date();\n const expiresAt = new Date(now.getTime() + this.config.cookieMaxAge * 1000);\n\n return {\n id: sessionId,\n userId,\n createdAt: now,\n expiresAt,\n metadata,\n };\n }\n\n /**\n * Validate a session.\n *\n * With AuthKit, sessions are validated via withAuth().\n */\n async validateSession(_sessionId: string): Promise {\n // AuthKit handles validation internally via withAuth()\n // This method is kept for interface compatibility\n return null;\n }\n\n /**\n * Destroy a session.\n */\n async destroySession(_sessionId: string): Promise {\n // AuthKit handles session clearing via signOut()\n // The actual cookie clearing happens in the response headers\n }\n\n /**\n * Refresh a session.\n */\n async refreshSession(_sessionId: string): Promise {\n // AuthKit handles refresh automatically in withAuth()\n return null;\n }\n\n /**\n * Extract session ID from a request.\n */\n getSessionIdFromRequest(_request: Request): string | null {\n // With AuthKit, we don't expose the session ID directly\n // The session is managed via encrypted cookies\n return null;\n }\n\n /**\n * Get response headers to set the session cookie.\n */\n getSessionHeaders(session: Session): Record {\n // AuthKit handles cookie setting via saveSession()\n // Check for _sessionCookie from handleCallback\n const sessionCookie = (session as any)._sessionCookie;\n if (sessionCookie) {\n return { 'Set-Cookie': Array.isArray(sessionCookie) ? sessionCookie[0] : sessionCookie };\n }\n return {};\n }\n\n /**\n * Get response headers to clear the session cookie.\n */\n getClearSessionHeaders(): Record {\n const cookieParts = [`${this.config.cookieName}=`, 'Path=/', 'Max-Age=0', 'HttpOnly'];\n return { 'Set-Cookie': cookieParts.join('; ') };\n }\n\n // ============================================================================\n // Helper Methods\n // ============================================================================\n\n /**\n * Get the underlying WorkOS client.\n */\n getWorkOS(): WorkOS {\n return this.workos;\n }\n\n /**\n * Get the AuthKit AuthService.\n */\n getAuthService(): AuthService {\n return this.authService;\n }\n\n /**\n * Get the configured client ID.\n */\n getClientId(): string {\n return this.clientId;\n }\n\n /**\n * Get the configured redirect URI.\n */\n getRedirectUri(): string {\n return this.redirectUri;\n }\n}\n","/**\n * FGA enforcement utility for checking fine-grained authorization.\n *\n * @license Mastra Enterprise License - see ee/LICENSE\n */\n\nimport type { FGACheckContext, IFGAProvider } from './interfaces/fga';\nimport type { MastraFGAPermissionInput } from './interfaces/permissions.generated';\nimport { getSafeLicenseSummary } from './license';\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from './telemetry';\n\nexport type ActorSignal =\n | true\n | {\n actorKind: 'system';\n sourceWorkflow?: string;\n };\n\nexport interface CheckFGAOptions {\n fgaProvider: IFGAProvider | undefined;\n user: any;\n resource: { type: string; id: string };\n permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n context?: FGACheckContext;\n requestContext?: FGACheckContext['requestContext'];\n actor?: ActorSignal;\n}\n\nexport interface RequireFGAOptions extends CheckFGAOptions {\n metadata?: Record;\n}\n\nfunction mergeFGAContext({\n context,\n requestContext,\n metadata,\n}: Pick): FGACheckContext | undefined {\n const mergedContext: FGACheckContext = {\n ...context,\n };\n\n if (requestContext) {\n mergedContext.requestContext = requestContext;\n }\n\n if (metadata || context?.metadata) {\n mergedContext.metadata = {\n ...(context?.metadata ?? {}),\n ...(metadata ?? {}),\n };\n }\n\n return Object.keys(mergedContext).length > 0 ? mergedContext : undefined;\n}\n\nfunction isActorSignal(actor: unknown): actor is ActorSignal {\n if (actor === true) {\n return true;\n }\n\n if (typeof actor !== 'object' || actor === null) {\n return false;\n }\n\n const candidate = actor as { actorKind?: unknown; sourceWorkflow?: unknown };\n return (\n candidate.actorKind === 'system' &&\n (candidate.sourceWorkflow === undefined || typeof candidate.sourceWorkflow === 'string')\n );\n}\n\nexport function getAgentFGAResourceId(agentId: string): string {\n return agentId;\n}\n\nexport function getWorkflowFGAResourceId(workflowId: string): string {\n return workflowId;\n}\n\nexport function getStandaloneToolFGAResourceId(toolName: string): string {\n return toolName;\n}\n\nexport function getAgentToolFGAResourceId(agentId: string, toolName: string): string {\n return `${agentId}:${toolName}`;\n}\n\nexport function getMCPToolFGAResourceId(serverName: string, toolName: string): string {\n return JSON.stringify([serverName, toolName]);\n}\n\n/**\n * Check fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured (backward compatibility).\n * Delegates to fgaProvider.require() which throws FGADeniedError if denied.\n */\nexport async function checkFGA(options: CheckFGAOptions): Promise {\n await requireFGA(options);\n}\n\n/**\n * Require fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured. When FGA is configured, a missing\n * user fails closed.\n */\nexport async function requireFGA(options: RequireFGAOptions): Promise {\n const { fgaProvider, user, resource, permission, context, requestContext, metadata, actor } = options;\n\n if (!fgaProvider) {\n return;\n }\n\n const fgaContext = mergeFGAContext({ context, requestContext, metadata });\n const license = getSafeLicenseSummary();\n\n if (isActorSignal(actor)) {\n const tenantOrganizationId = fgaContext?.requestContext?.get('organizationId');\n if (typeof tenantOrganizationId !== 'string' || tenantOrganizationId.length === 0) {\n throw new FGADeniedError(user, resource, permission, 'trusted actor requires organizationId / tenant scope');\n }\n\n const sourceWorkflow =\n (actor === true ? undefined : actor.sourceWorkflow) ??\n (typeof fgaContext?.metadata?.['sourceWorkflow'] === 'string'\n ? fgaContext.metadata['sourceWorkflow']\n : undefined);\n\n try {\n captureEEEvent('ee_feature_used', license.anonymousId || getEETelemetryFallbackDistinctId(), {\n feature: 'fga',\n actor_kind: 'system',\n resource_type: resource.type,\n resource_id: resource.id,\n permission,\n user_id: null,\n organization_membership_id: null,\n source_workflow: sourceWorkflow,\n license_valid: license.valid,\n license_hash: license.licenseHash,\n is_dev_environment: license.isDevEnvironment,\n });\n } catch {\n // Telemetry must never affect auth or EE feature behavior.\n }\n return;\n }\n\n if (!user) {\n throw new FGADeniedError(user, resource, permission, 'authenticated user is required');\n }\n\n await fgaProvider.require(\n user,\n fgaContext ? { resource, permission, context: fgaContext } : { resource, permission },\n );\n\n try {\n captureEEEvent('ee_feature_used', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n feature: 'fga',\n actor_kind: 'user',\n resource_type: resource.type,\n resource_id: resource.id,\n permission,\n user_id: user?.id ?? null,\n organization_membership_id: user?.organizationMembershipId ?? null,\n license_valid: license.valid,\n license_hash: license.licenseHash,\n is_dev_environment: license.isDevEnvironment,\n });\n } catch {\n // Telemetry must never affect auth or EE feature behavior.\n }\n}\n\n/**\n * Error thrown when an FGA authorization check is denied.\n */\nexport class FGADeniedError extends Error {\n public readonly user: any;\n public readonly resource: { type: string; id: string };\n public readonly permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n public readonly status: number;\n\n constructor(\n user: any,\n resource: { type: string; id: string },\n permission: MastraFGAPermissionInput | MastraFGAPermissionInput[],\n reason?: string,\n ) {\n const userId = user?.id || user?.workosId || 'unknown';\n const permissionLabel = Array.isArray(permission) ? `any of [${permission.join(', ')}]` : permission;\n super(\n reason\n ? `FGA authorization denied: ${reason}`\n : `FGA authorization denied: user ${userId} cannot ${permissionLabel} on ${resource.type}:${resource.id}`,\n );\n this.name = 'FGADeniedError';\n this.user = user;\n this.resource = resource;\n this.permission = permission;\n this.status = 403;\n }\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n {\n id: 'owner',\n name: 'Owner',\n description: 'Full access to all features and settings',\n permissions: ['*'],\n },\n {\n id: 'admin',\n name: 'Admin',\n description: 'Manage agents, workflows, and team members',\n permissions: [\n '*:read',\n '*:write',\n '*:execute',\n '*:publish',\n '*:share',\n // Note: admins cannot delete resources\n ],\n },\n {\n id: 'member',\n name: 'Member',\n description: 'Execute agents and workflows',\n permissions: ['*:read', '*:execute'],\n },\n {\n id: 'viewer',\n name: 'Viewer',\n description: 'Read-only access',\n permissions: ['*:read'],\n },\n];\n\n// Re-export Permission types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n const permissions = new Set();\n const visited = new Set();\n\n function resolveRole(roleId: string) {\n if (visited.has(roleId)) return;\n visited.add(roleId);\n\n const role = roles.find(r => r.id === roleId);\n if (!role) return;\n\n for (const permission of role.permissions) {\n permissions.add(permission);\n }\n\n // Resolve inherited roles\n if (role.inherits) {\n for (const inheritedRoleId of role.inherits) {\n resolveRole(inheritedRoleId);\n }\n }\n }\n\n for (const roleId of roleIds) {\n resolveRole(roleId);\n }\n\n return Array.from(permissions);\n}\n\n/**\n * Compound resource keys that expand to a set of per-family resources.\n * A granted `stored:` is treated as matching any `stored-:`\n * (and `stored:*` matches any `stored-:*`).\n */\nconst RESOURCE_EXPANSIONS: Record = {\n stored: [\n 'stored-agents',\n 'stored-mcp-clients',\n 'stored-prompt-blocks',\n 'stored-scorers',\n 'stored-skills',\n 'stored-workspaces',\n ],\n};\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: `{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n // Wildcard matches everything\n if (userPermission === '*') {\n return true;\n }\n\n const grantedParts = userPermission.split(':');\n const requiredParts = requiredPermission.split(':');\n\n // Compound resource alias: expand granted `stored:` into its per-family equivalents.\n // Only applies when the required permission targets one of the expanded families.\n const expandedFamilies = RESOURCE_EXPANSIONS[grantedParts[0] ?? ''];\n if (expandedFamilies && expandedFamilies.includes(requiredParts[0] ?? '')) {\n const aliased = [requiredParts[0], ...grantedParts.slice(1)].join(':');\n return matchesPermission(aliased, requiredPermission);\n }\n\n // Must have at least resource:action\n if (grantedParts.length < 2 || requiredParts.length < 2) {\n return userPermission === requiredPermission;\n }\n\n const [grantedResource, grantedAction, grantedId] = grantedParts;\n const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n if (grantedResource === '*') {\n // \"*:*\" is a full wildcard - matches everything\n if (grantedAction === '*') {\n if (grantedId === undefined) {\n return true;\n }\n return grantedId === requiredId;\n }\n // Action must match for resource wildcards with specific action\n if (grantedAction !== requiredAction) {\n return false;\n }\n // If no granted ID, matches all instances\n if (grantedId === undefined) {\n return true;\n }\n // *:read:my-id would match agents:read:my-id (unusual but consistent)\n return grantedId === requiredId;\n }\n\n // Resource must match (for non-wildcard resources)\n if (grantedResource !== requiredResource) {\n return false;\n }\n\n // Action wildcard: \"agents:*\" matches any action\n if (grantedAction === '*') {\n // If no granted ID, matches all resources\n // If granted ID specified (agents:*:my-agent), must match required ID\n if (grantedId === undefined) {\n return true;\n }\n // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n return grantedId === requiredId;\n }\n\n // Action must match\n if (grantedAction !== requiredAction) {\n return false;\n }\n\n // No resource ID in granted permission = access to all resources of this type\n // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n if (grantedId === undefined) {\n return true;\n }\n\n // Both have resource IDs - must match exactly\n return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n * \"Engineering\": [\"agents:*\", \"workflows:*\"],\n * \"Product\": [\"agents:read\"],\n * \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n * [\"Engineering\", \"QA\"],\n * roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n const permissions = new Set();\n const defaultPerms = mapping['_default'] ?? [];\n\n for (const role of roles) {\n const rolePerms = mapping[role];\n if (rolePerms) {\n for (const perm of rolePerms) {\n permissions.add(perm);\n }\n } else {\n // Apply default permissions for unmapped roles\n for (const perm of defaultPerms) {\n permissions.add(perm);\n }\n }\n }\n\n return Array.from(permissions);\n}\n","/**\n * WorkOS RBAC provider for Mastra.\n *\n * Integrates WorkOS organization memberships and roles with Mastra's\n * permission-based access control system.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@internal/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@internal/auth/ee';\nimport { WorkOS } from '@workos-inc/node';\nimport { LRUCache } from 'lru-cache';\n\nimport type { WorkOSUser, MastraRBACWorkosOptions } from './types';\n\n/**\n * WorkOS RBAC provider that maps organization roles to Mastra permissions.\n *\n * This provider fetches organization memberships from WorkOS and translates\n * role slugs into Mastra permissions using a configurable role mapping.\n *\n * @example Basic usage\n * ```typescript\n * import { MastraRBACWorkos } from '@mastra/auth-workos';\n *\n * const rbac = new MastraRBACWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * viewer: ['agents:read', 'workflows:read'],\n * _default: [],\n * },\n * });\n * ```\n *\n * @example With specific organization\n * ```typescript\n * const rbac = new MastraRBACWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * organizationId: 'org_123456',\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:*'],\n * },\n * });\n * ```\n */\n/** Default cache TTL in milliseconds (60 seconds) */\nconst DEFAULT_CACHE_TTL_MS = 60 * 1000;\n\n/** Default max cache size (number of users) */\nconst DEFAULT_CACHE_MAX_SIZE = 1000;\n\nexport class MastraRBACWorkos implements IRBACProvider {\n private workos: WorkOS;\n private options: MastraRBACWorkosOptions;\n /**\n * Single cache for roles (the expensive WorkOS API call).\n * Permissions are derived from roles on-the-fly (cheap, synchronous).\n * Storing promises handles concurrent request deduplication.\n */\n private rolesCache: LRUCache>;\n\n /**\n * Expose roleMapping for middleware access.\n * This allows the authorization middleware to resolve permissions\n * without needing to call the async methods.\n */\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n /**\n * Create a new WorkOS RBAC provider.\n *\n * @param options - RBAC configuration options\n */\n constructor(options: MastraRBACWorkosOptions) {\n const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required. ' +\n 'Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables.',\n );\n }\n\n this.workos = new WorkOS(apiKey, { clientId });\n this.options = options;\n\n // Initialize LRU cache with configurable size and TTL\n this.rolesCache = new LRUCache>({\n max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,\n ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS,\n });\n }\n\n /**\n * Get all roles for a user from their WorkOS organization memberships.\n *\n * Fetches organization memberships from WorkOS and extracts role slugs.\n * If an organizationId is configured, only returns roles from that organization.\n * Otherwise, returns roles from all organizations the user belongs to.\n *\n * Results are cached and concurrent requests are deduplicated.\n *\n * @param user - WorkOS user to get roles for\n * @returns Array of role slugs\n */\n async getRoles(user: WorkOSUser): Promise {\n // If memberships are already present on the user object, use them\n if (user.memberships && user.memberships.length > 0) {\n return this.extractRolesFromMemberships(user);\n }\n\n const cacheKey = user.workosId ?? user.id;\n\n // Check cache - returns existing promise (resolved or in-flight)\n const cached = this.rolesCache.get(cacheKey);\n if (cached) {\n return cached;\n }\n\n // Create and cache the role fetch promise\n const rolesPromise = this.fetchRolesFromWorkOS(user);\n this.rolesCache.set(cacheKey, rolesPromise);\n\n return rolesPromise;\n }\n\n /**\n * Fetch roles from WorkOS API.\n */\n private async fetchRolesFromWorkOS(user: WorkOSUser): Promise {\n try {\n const memberships = await this.workos.userManagement.listOrganizationMemberships({\n userId: user.workosId,\n });\n\n // Filter by organization if specified\n const relevantMemberships = this.options.organizationId\n ? memberships.data.filter(m => m.organizationId === this.options.organizationId)\n : memberships.data;\n\n // Extract role slugs\n return relevantMemberships.map(m => m.role.slug);\n } catch {\n // Return empty roles on error - _default permissions will be applied\n return [];\n }\n }\n\n /**\n * Check if a user has a specific role.\n *\n * @param user - WorkOS user to check\n * @param role - Role slug to check for\n * @returns True if user has the role\n */\n async hasRole(user: WorkOSUser, role: string): Promise {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n /**\n * Get all permissions for a user by mapping their WorkOS roles.\n *\n * Uses the configured roleMapping to translate WorkOS role slugs\n * into Mastra permission strings. Roles are cached; permissions\n * are derived on-the-fly (cheap, synchronous operation).\n *\n * If the user has no roles (no organization memberships), the\n * _default permissions from the role mapping are applied.\n *\n * @param user - WorkOS user to get permissions for\n * @returns Array of permission strings\n */\n async getPermissions(user: WorkOSUser): Promise {\n const roles = await this.getRoles(user);\n\n if (roles.length === 0) {\n return this.options.roleMapping['_default'] ?? [];\n }\n\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n /**\n * Check if a user has a specific permission.\n *\n * Uses wildcard matching to check if any of the user's permissions\n * grant access to the required permission.\n *\n * @param user - WorkOS user to check\n * @param permission - Permission to check for (e.g., 'agents:read')\n * @returns True if user has the permission\n */\n async hasPermission(user: WorkOSUser, permission: string): Promise {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n /**\n * Check if a user has ALL of the specified permissions.\n *\n * @param user - WorkOS user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has all permissions\n */\n async hasAllPermissions(user: WorkOSUser, permissions: string[]): Promise {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Check if a user has ANY of the specified permissions.\n *\n * @param user - WorkOS user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has at least one permission\n */\n async hasAnyPermission(user: WorkOSUser, permissions: string[]): Promise {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Get all available roles defined in the role mapping.\n *\n * Returns role IDs and names derived from the roleMapping keys,\n * excluding the `_default` fallback entry.\n */\n async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n return Object.keys(this.options.roleMapping)\n .filter(key => key !== '_default')\n .map(key => ({ id: key, name: key.charAt(0).toUpperCase() + key.slice(1) }));\n }\n\n /**\n * Get resolved permissions for a specific role.\n *\n * Looks up the role in the roleMapping and returns its permissions.\n */\n async getPermissionsForRole(roleId: string): Promise {\n return resolvePermissionsFromMapping([roleId], this.options.roleMapping);\n }\n\n /**\n * Clear the roles cache.\n *\n * Call this when system-wide role changes occur.\n * For individual user changes, prefer clearUserCache() instead.\n */\n clearCache(): void {\n this.rolesCache.clear();\n }\n\n /**\n * Clear cached roles for a specific user.\n *\n * Call this when a user's roles change to ensure fresh permission resolution\n * on their next request. This is more efficient than clearing the entire cache.\n *\n * @param userId - The user ID to clear from cache\n */\n clearUserCache(userId: string): void {\n this.rolesCache.delete(userId);\n }\n\n /**\n * Get cache statistics for monitoring.\n *\n * @returns Object with cache size and max size\n */\n getCacheStats(): { size: number; maxSize: number } {\n return {\n size: this.rolesCache.size,\n maxSize: this.rolesCache.max,\n };\n }\n\n /**\n * Extract role slugs from memberships attached to the user object.\n *\n * @param user - WorkOS user with memberships\n * @returns Array of role slugs\n */\n private extractRolesFromMemberships(user: WorkOSUser): string[] {\n if (!user.memberships) {\n return [];\n }\n\n // Filter by organization if specified\n const relevantMemberships = this.options.organizationId\n ? user.memberships.filter(m => m.organizationId === this.options.organizationId)\n : user.memberships;\n\n return relevantMemberships.map(m => m.role.slug);\n }\n}\n","/**\n * WorkOS FGA provider for Mastra.\n *\n * Integrates WorkOS Authorization API with Mastra's FGA interface\n * for permission-based, resource-level authorization.\n *\n * @license Mastra Enterprise License - see ee/LICENSE\n */\n\nimport type {\n IFGAManager,\n FGACheckParams,\n FGAResource,\n FGACreateResourceParams,\n FGAUpdateResourceParams,\n FGADeleteResourceParams,\n FGAListResourcesOptions,\n FGARoleAssignment,\n FGARoleParams,\n FGAListRoleAssignmentsOptions,\n MastraFGAPermissionInput,\n} from '@internal/auth/ee';\nimport { FGADeniedError } from '@internal/auth/ee';\nimport { WorkOS } from '@workos-inc/node';\n\nimport type { MastraFGAWorkosOptions, FGAResourceMappingEntry, WorkOSUser } from './types';\n\nconst FILTER_ACCESSIBLE_CHECK_CONCURRENCY = 5;\n\nfunction isWorkOSResourceNotFoundError(error: any): boolean {\n return error?.status === 404 || error?.code === 'entity_not_found';\n}\n\nexport class WorkOSFGAResourceNotFoundError extends Error {\n readonly status = 404;\n readonly resourceType: string;\n readonly resourceId: string;\n\n constructor(resourceType: string, resourceId: string) {\n super(\n `[MastraFGAWorkos] Resource '${resourceType}/${resourceId}' is not registered in WorkOS. ` +\n `Create the '${resourceType}' resource type in your WorkOS dashboard, ` +\n `then register '${resourceId}' using MastraFGAWorkos.createResource() or your seed script. ` +\n `See https://workos.com/docs/fga for setup instructions.`,\n );\n this.name = 'WorkOSFGAResourceNotFoundError';\n this.resourceType = resourceType;\n this.resourceId = resourceId;\n }\n}\n\nexport class WorkOSFGAMembershipResolutionError extends Error {\n readonly status = 500;\n readonly userId?: string;\n\n constructor(user: WorkOSUser) {\n super(\n '[MastraFGAWorkos] Cannot resolve organization membership for user . ' +\n 'Ensure fetchMemberships is enabled on MastraAuthWorkos or provide organizationMembershipId on the user.',\n );\n this.name = 'WorkOSFGAMembershipResolutionError';\n this.userId = user?.id ? '' : undefined;\n }\n}\n\n/**\n * WorkOS FGA provider using the new Authorization API.\n *\n * Uses `resourceMapping` to translate Mastra resource types to WorkOS FGA resource types\n * and `permissionMapping` to translate Mastra permissions to WorkOS permission slugs.\n *\n * @example Basic usage\n * ```typescript\n * import { MastraFGAWorkos } from '@mastra/auth-workos';\n * import { MastraFGAPermissions } from '@internal/auth/ee';\n *\n * const fga = new MastraFGAWorkos({\n * resourceMapping: {\n * agent: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },\n * workflow: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId },\n * thread: { fgaResourceType: 'workspace-thread', deriveId: ({ resourceId }) => resourceId },\n * },\n * permissionMapping: {\n * [MastraFGAPermissions.AGENTS_EXECUTE]: 'manage-workflows',\n * [MastraFGAPermissions.WORKFLOWS_EXECUTE]: 'manage-workflows',\n * [MastraFGAPermissions.MEMORY_READ]: 'read',\n * [MastraFGAPermissions.MEMORY_WRITE]: 'update',\n * },\n * });\n * ```\n *\n * @example With Mastra server config\n * ```typescript\n * const mastra = new Mastra({\n * server: {\n * auth: new MastraAuthWorkos({ ... }),\n * fga: new MastraFGAWorkos({\n * resourceMapping: { ... },\n * permissionMapping: { ... },\n * }),\n * },\n * });\n * ```\n */\nexport class MastraFGAWorkos implements IFGAManager {\n private workos: WorkOS;\n private organizationId?: string;\n private resourceMapping: Record;\n private permissionMapping: Record;\n readonly requireForProtectedRoutes?: boolean;\n readonly auditProtectedRoutes?: boolean | 'warn' | 'error';\n readonly resolveRouteFGA?: MastraFGAWorkosOptions['resolveRouteFGA'];\n readonly validatePermissions?: MastraFGAWorkosOptions['validatePermissions'];\n\n constructor(options: MastraFGAWorkosOptions) {\n const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required. ' +\n 'Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables.',\n );\n }\n\n this.workos = new WorkOS(apiKey, { clientId });\n this.organizationId = options.organizationId;\n this.resourceMapping = options.resourceMapping ?? {};\n this.permissionMapping = options.permissionMapping ?? {};\n this.requireForProtectedRoutes = options.requireForProtectedRoutes;\n this.auditProtectedRoutes = options.auditProtectedRoutes;\n this.resolveRouteFGA = options.resolveRouteFGA;\n this.validatePermissions = options.validatePermissions;\n }\n\n // ──────────────────────────────────────────────────────────────\n // IFGAProvider — Read-only checks\n // ──────────────────────────────────────────────────────────────\n\n /**\n * Check if a user has permission on a resource.\n *\n * Resolves the user's organization membership ID, maps the permission\n * via `permissionMapping`, and delegates to `workos.authorization.check()`.\n *\n * When `params.permission` is an array, ANY-of semantics apply: returns true\n * if any single permission in the array authorizes the user.\n */\n async check(user: WorkOSUser, params: FGACheckParams): Promise {\n const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];\n if (permissions.length === 0) return false;\n\n for (const permission of permissions) {\n const checkOptions = this.buildCheckOptions(user, { ...params, permission });\n if (!checkOptions) continue;\n try {\n const result = await this.workos.authorization.check(checkOptions);\n if (result.authorized) return true;\n } catch (error: any) {\n if (isWorkOSResourceNotFoundError(error)) continue;\n throw error;\n }\n }\n return false;\n }\n\n /**\n * Require that a user has permission, throwing FGADeniedError if not.\n *\n * When `params.permission` is an array, ANY-of semantics apply: passes if any\n * single permission authorizes the user; throws if none do.\n */\n async require(user: WorkOSUser, params: FGACheckParams): Promise {\n const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];\n if (permissions.length === 0) {\n throw new FGADeniedError(user, params.resource, params.permission);\n }\n\n let lastError: unknown;\n for (const permission of permissions) {\n const checkOptions = this.buildCheckOptions(\n user,\n { ...params, permission },\n { strictMembershipResolution: true },\n );\n if (!checkOptions) continue;\n\n try {\n const result = await this.workos.authorization.check(checkOptions);\n if (result.authorized) return;\n } catch (error: any) {\n if (error instanceof FGADeniedError) throw error;\n if (isWorkOSResourceNotFoundError(error)) continue;\n lastError = error;\n }\n }\n\n if (lastError) throw lastError;\n throw new FGADeniedError(user, params.resource, params.permission);\n }\n\n /**\n * Filter resources to only those the user has permission to access.\n *\n * Uses WorkOS `listResourcesForMembership()` when the resource mapping can\n * resolve a parent resource from user context. This avoids one check per\n * resource for list endpoints like agents/workflows/tools.\n *\n * Falls back to per-resource `check()` calls when no parent resource can be\n * resolved from the configured mapping.\n */\n async filterAccessible(\n user: WorkOSUser,\n resources: T[],\n resourceType: string,\n permission: MastraFGAPermissionInput,\n ): Promise {\n if (resources.length === 0) return [];\n\n const membershipId = this.resolveOrganizationMembershipId(user);\n if (!membershipId) return [];\n\n const permissionSlug = this.resolvePermission(permission);\n const parentResource = resourceType === 'thread' ? undefined : this.resolveParentResource(user, resourceType);\n if (parentResource) {\n const accessibleIds = await this.listAccessibleResourceExternalIds({\n organizationMembershipId: membershipId,\n permissionSlug,\n parentResourceExternalId: parentResource.externalId,\n parentResourceTypeSlug: parentResource.typeSlug,\n });\n\n return resources.filter(resource => {\n const mappedId = this.resolveResourceId(\n user,\n resourceType,\n resource.id,\n 'resourceId' in resource && typeof resource.resourceId === 'string'\n ? { resourceId: resource.resourceId }\n : undefined,\n );\n return !!mappedId && accessibleIds.has(mappedId);\n });\n }\n\n const checks: Array<{ resource: T; authorized: boolean }> = [];\n for (let start = 0; start < resources.length; start += FILTER_ACCESSIBLE_CHECK_CONCURRENCY) {\n const batch = resources.slice(start, start + FILTER_ACCESSIBLE_CHECK_CONCURRENCY);\n const batchChecks = await Promise.all(\n batch.map(async resource => {\n const authorized = await this.check(user, {\n resource: { type: resourceType, id: resource.id },\n permission,\n context:\n 'resourceId' in resource && typeof resource.resourceId === 'string'\n ? { resourceId: resource.resourceId }\n : undefined,\n });\n return { resource, authorized };\n }),\n );\n checks.push(...batchChecks);\n }\n\n return checks.filter(c => c.authorized).map(c => c.resource);\n }\n\n // ──────────────────────────────────────────────────────────────\n // IFGAManager — Write operations\n // ──────────────────────────────────────────────────────────────\n\n /**\n * Create an authorization resource in WorkOS.\n */\n async createResource(params: FGACreateResourceParams): Promise {\n const options: any = {\n externalId: params.externalId,\n name: params.name,\n resourceTypeSlug: params.resourceTypeSlug,\n organizationId: params.organizationId,\n };\n if (params.description !== undefined) options.description = params.description;\n if (params.parentResourceId) options.parentResourceId = params.parentResourceId;\n if (params.parentResourceExternalId) {\n options.parentResourceExternalId = params.parentResourceExternalId;\n options.parentResourceTypeSlug = params.parentResourceTypeSlug;\n }\n\n const result = await this.workos.authorization.createResource(options);\n return this.mapAuthorizationResource(result);\n }\n\n /**\n * Get an authorization resource by ID.\n */\n async getResource(resourceId: string): Promise {\n const result = await this.workos.authorization.getResource(resourceId);\n return this.mapAuthorizationResource(result);\n }\n\n /**\n * List authorization resources with optional filters.\n */\n async listResources(options?: FGAListResourcesOptions): Promise {\n const listOptions: any = {};\n if (options?.organizationId) listOptions.organizationId = options.organizationId;\n if (options?.resourceTypeSlug) listOptions.resourceTypeSlug = options.resourceTypeSlug;\n if (options?.parentResourceId) listOptions.parentResourceId = options.parentResourceId;\n if (options?.search) listOptions.search = options.search;\n if (options?.limit) listOptions.limit = options.limit;\n if (options?.after) listOptions.after = options.after;\n\n const result = await this.workos.authorization.listResources(listOptions);\n return result.data.map((r: any) => this.mapAuthorizationResource(r));\n }\n\n /**\n * Update an authorization resource.\n */\n async updateResource(params: FGAUpdateResourceParams): Promise {\n const options: any = { resourceId: params.resourceId };\n if (params.name !== undefined) options.name = params.name;\n if (params.description !== undefined) options.description = params.description;\n\n const result = await this.workos.authorization.updateResource(options);\n return this.mapAuthorizationResource(result);\n }\n\n /**\n * Delete an authorization resource.\n */\n async deleteResource(params: FGADeleteResourceParams): Promise {\n if ('resourceId' in params && params.resourceId) {\n await this.workos.authorization.deleteResource({ resourceId: params.resourceId });\n } else if ('externalId' in params && params.externalId && params.resourceTypeSlug) {\n await this.workos.authorization.deleteResourceByExternalId({\n externalId: params.externalId,\n resourceTypeSlug: params.resourceTypeSlug!,\n organizationId: params.organizationId!,\n });\n }\n }\n\n /**\n * Assign a role to an organization membership on a resource.\n */\n async assignRole(params: FGARoleParams): Promise {\n const options: any = {\n organizationMembershipId: params.organizationMembershipId,\n roleSlug: params.roleSlug,\n };\n if (params.resourceId) options.resourceId = params.resourceId;\n if (params.resourceExternalId) {\n options.resourceExternalId = params.resourceExternalId;\n options.resourceTypeSlug = params.resourceTypeSlug;\n }\n\n const result = await this.workos.authorization.assignRole(options);\n return {\n id: result.id,\n role: result.role,\n resource: {\n id: result.resource.id,\n externalId: result.resource.externalId,\n resourceTypeSlug: result.resource.resourceTypeSlug,\n },\n };\n }\n\n /**\n * Remove a role assignment.\n */\n async removeRole(params: FGARoleParams): Promise {\n const options: any = {\n organizationMembershipId: params.organizationMembershipId,\n roleSlug: params.roleSlug,\n };\n if (params.resourceId) options.resourceId = params.resourceId;\n if (params.resourceExternalId) {\n options.resourceExternalId = params.resourceExternalId;\n options.resourceTypeSlug = params.resourceTypeSlug;\n }\n\n await this.workos.authorization.removeRole(options);\n }\n\n /**\n * List role assignments for an organization membership.\n */\n async listRoleAssignments(options: FGAListRoleAssignmentsOptions): Promise {\n const result = await this.workos.authorization.listRoleAssignments({\n organizationMembershipId: options.organizationMembershipId,\n ...(options.limit && { limit: options.limit }),\n ...(options.after && { after: options.after }),\n });\n\n return result.data.map((ra: any) => ({\n id: ra.id,\n role: ra.role,\n resource: {\n id: ra.resource.id,\n externalId: ra.resource.externalId,\n resourceTypeSlug: ra.resource.resourceTypeSlug,\n },\n }));\n }\n\n // ──────────────────────────────────────────────────────────────\n // Internal helpers\n // ──────────────────────────────────────────────────────────────\n\n /**\n * Resolve the organization membership ID from a user object.\n * Looks for organizationMembershipId, then finds membership matching\n * configured organizationId, then falls back to first membership.\n *\n * Returns undefined if no membership can be resolved, which causes\n * authorization checks to deny access. Enable `fetchMemberships: true`\n * on MastraAuthWorkos to populate the memberships field.\n */\n private resolveOrganizationMembershipId(\n user: WorkOSUser,\n options?: { strictMembershipResolution?: boolean },\n ): string | undefined {\n if (user?.organizationMembershipId) return user.organizationMembershipId;\n if (!user?.memberships?.length) {\n console.warn(\n '[MastraFGAWorkos] Cannot resolve organization membership for user . ' +\n 'Ensure fetchMemberships is enabled on MastraAuthWorkos when using FGA.',\n );\n if (options?.strictMembershipResolution) {\n throw new WorkOSFGAMembershipResolutionError(user);\n }\n return undefined;\n }\n\n // If organizationId is configured, find the matching membership\n if (this.organizationId) {\n const match = user.memberships.find(m => m.organizationId === this.organizationId);\n if (match) return match.id;\n\n console.warn('[MastraFGAWorkos] User does not belong to configured organization .');\n if (options?.strictMembershipResolution) {\n throw new WorkOSFGAMembershipResolutionError(user);\n }\n return undefined;\n }\n\n // Fall back to first membership\n return user.memberships[0]!.id;\n }\n\n /**\n * Map a Mastra permission string to a WorkOS permission slug via permissionMapping.\n * Falls back to the original permission if no mapping is found.\n */\n private resolvePermission(permission: MastraFGAPermissionInput): string {\n return this.permissionMapping[permission] ?? permission;\n }\n\n /**\n * Resolve the parent resource context needed for WorkOS resource discovery.\n */\n private resolveParentResource(\n user: WorkOSUser,\n resourceType: string,\n ): { externalId: string; typeSlug: string } | undefined {\n const mapping = this.getResourceMapping(resourceType);\n const externalId = mapping?.deriveId?.({ user });\n const parentTypeSlug = mapping?.parentFgaResourceType ?? mapping?.parentResourceTypeSlug;\n if (!mapping?.fgaResourceType || !externalId || !parentTypeSlug || parentTypeSlug === mapping.fgaResourceType) {\n return undefined;\n }\n\n return {\n externalId,\n typeSlug: parentTypeSlug,\n };\n }\n\n /**\n * Resolve the FGA resource ID using resourceMapping's deriveId function.\n * Falls back to the original resource ID if no mapping is found.\n */\n private resolveResourceId(\n user: WorkOSUser,\n resourceType: string,\n resourceId: string,\n context?: FGACheckParams['context'],\n ): string | undefined {\n const mapping = this.getResourceMapping(resourceType);\n const derivedId = mapping?.deriveId?.({\n user,\n resourceId: context?.resourceId ?? resourceId,\n requestContext: context?.requestContext,\n });\n return derivedId ?? resourceId;\n }\n\n private buildCheckOptions(\n user: WorkOSUser,\n params: Omit & { permission: MastraFGAPermissionInput },\n options?: { strictMembershipResolution?: boolean },\n ): any | null {\n const membershipId = this.resolveOrganizationMembershipId(user, options);\n if (!membershipId) return null;\n\n const permissionSlug = this.resolvePermission(params.permission);\n const resourceId = this.resolveResourceId(user, params.resource.type, params.resource.id, params.context);\n\n const checkOptions: any = {\n organizationMembershipId: membershipId,\n permissionSlug,\n };\n\n if (!resourceId) {\n return checkOptions;\n }\n\n const mapping = this.getResourceMapping(params.resource.type);\n if (mapping) {\n checkOptions.resourceExternalId = resourceId;\n checkOptions.resourceTypeSlug = mapping.fgaResourceType;\n } else {\n checkOptions.resourceExternalId = params.resource.id;\n checkOptions.resourceTypeSlug = params.resource.type;\n }\n\n return checkOptions;\n }\n\n private getResourceMapping(resourceType: string): FGAResourceMappingEntry | undefined {\n const aliases =\n resourceType === 'agent'\n ? ['agent', 'agents']\n : resourceType === 'workflow'\n ? ['workflow', 'workflows']\n : resourceType === 'tool'\n ? ['tool', 'tools']\n : resourceType === 'thread'\n ? ['thread', 'threads', 'memory']\n : [resourceType];\n\n for (const key of aliases) {\n const mapping = this.resourceMapping[key];\n if (mapping) {\n return mapping;\n }\n }\n\n return undefined;\n }\n\n /**\n * List accessible child resources for a membership, following pagination.\n */\n private async listAccessibleResourceExternalIds(params: {\n organizationMembershipId: string;\n permissionSlug: string;\n parentResourceExternalId: string;\n parentResourceTypeSlug: string;\n }): Promise> {\n const accessibleIds = new Set();\n let after: string | undefined;\n\n do {\n const result: any = await this.workos.authorization.listResourcesForMembership({\n organizationMembershipId: params.organizationMembershipId,\n permissionSlug: params.permissionSlug,\n parentResourceExternalId: params.parentResourceExternalId,\n parentResourceTypeSlug: params.parentResourceTypeSlug,\n ...(after ? { after } : {}),\n limit: 100,\n order: 'asc',\n });\n\n for (const resource of result.data ?? []) {\n if (typeof resource?.externalId === 'string') {\n accessibleIds.add(resource.externalId);\n }\n }\n\n after = result.listMetadata?.after ?? undefined;\n } while (after);\n\n return accessibleIds;\n }\n\n /**\n * Map a WorkOS AuthorizationResource to Mastra's FGAResource type.\n */\n private mapAuthorizationResource(resource: any): FGAResource {\n return {\n id: resource.id,\n externalId: resource.externalId,\n name: resource.name,\n description: resource.description,\n resourceTypeSlug: resource.resourceTypeSlug,\n organizationId: resource.organizationId,\n parentResourceId: resource.parentResourceId,\n };\n }\n}\n","/**\n * WorkOS Directory Sync integration for automated user provisioning via SCIM.\n *\n * This class handles SCIM webhook events from WorkOS, enabling automated\n * user and group management when integrated with identity providers.\n */\n\nimport type { WorkOS, Directory, DirectoryUser, DirectoryGroup } from '@workos-inc/node';\n\nimport type {\n WorkOSDirectorySyncOptions,\n DirectorySyncHandlers,\n DirectorySyncUserData,\n DirectorySyncGroupData,\n} from './types.js';\n\n/**\n * Directory Sync event types from WorkOS webhooks.\n */\ntype DirectorySyncEventType =\n | 'dsync.user.created'\n | 'dsync.user.updated'\n | 'dsync.user.deleted'\n | 'dsync.group.created'\n | 'dsync.group.updated'\n | 'dsync.group.deleted'\n | 'dsync.group.user_added'\n | 'dsync.group.user_removed';\n\n/**\n * WorkOS webhook event structure for directory sync.\n */\ninterface DirectorySyncEvent {\n id: string;\n event: DirectorySyncEventType;\n data: Record;\n created_at: string;\n}\n\n/**\n * WorkOSDirectorySync handles SCIM webhook events from WorkOS for automated\n * user provisioning and deprovisioning.\n *\n * @example\n * ```typescript\n * import { WorkOS } from '@workos-inc/node';\n * import { WorkOSDirectorySync } from '@mastra/auth-workos';\n *\n * const workos = new WorkOS(process.env.WORKOS_API_KEY);\n *\n * const directorySync = new WorkOSDirectorySync(workos, {\n * webhookSecret: process.env.WORKOS_WEBHOOK_SECRET,\n * handlers: {\n * onUserCreated: async (user) => {\n * await db.users.create({ email: user.emails[0]?.value });\n * },\n * onUserDeleted: async (user) => {\n * await db.users.delete({ id: user.id });\n * },\n * },\n * });\n *\n * // In your webhook endpoint:\n * app.post('/webhooks/workos', async (req, res) => {\n * const signature = req.headers['workos-signature'] as string;\n * await directorySync.handleWebhook(req.body, signature);\n * res.status(200).send('OK');\n * });\n * ```\n */\nexport class WorkOSDirectorySync {\n private workos: WorkOS;\n private webhookSecret: string;\n private handlers: DirectorySyncHandlers;\n\n /**\n * Creates a new WorkOSDirectorySync instance.\n *\n * @param workos - WorkOS client instance\n * @param options - Configuration options including webhook secret and event handlers\n * @throws Error if webhook secret is not provided\n */\n constructor(workos: WorkOS, options: WorkOSDirectorySyncOptions) {\n this.workos = workos;\n\n const webhookSecret = options.webhookSecret ?? process.env.WORKOS_WEBHOOK_SECRET;\n if (!webhookSecret) {\n throw new Error(\n 'WorkOS webhook secret is required. Provide it in options or set WORKOS_WEBHOOK_SECRET environment variable.',\n );\n }\n\n this.webhookSecret = webhookSecret;\n this.handlers = options.handlers;\n }\n\n /**\n * Handles incoming webhook events from WorkOS Directory Sync.\n *\n * This method verifies the webhook signature for security, parses the event,\n * and routes it to the appropriate handler based on the event type.\n *\n * @param payload - Raw webhook payload (string or object)\n * @param signature - WorkOS signature header for verification\n * @throws Error if signature verification fails\n */\n async handleWebhook(payload: string | object, signature: string): Promise {\n // Verify the webhook signature and construct the event\n // Cast through unknown since WorkOS Event type is a union of many event types\n // Parse string payloads for the new SDK which expects objects\n const parsedPayload = typeof payload === 'string' ? JSON.parse(payload) : payload;\n const event = (await this.workos.webhooks.constructEvent({\n payload: parsedPayload as Record,\n sigHeader: signature,\n secret: this.webhookSecret,\n })) as unknown as DirectorySyncEvent;\n\n // Route to appropriate handler based on event type\n try {\n await this.routeEvent(event);\n } catch (error) {\n // Log but don't crash - webhook handlers should be resilient\n console.error(`[WorkOSDirectorySync] Error handling event ${event.event}:`, error);\n }\n }\n\n /**\n * Routes a directory sync event to the appropriate handler.\n *\n * @param event - The verified webhook event\n */\n private async routeEvent(event: DirectorySyncEvent): Promise {\n const { event: eventType, data } = event;\n\n switch (eventType) {\n case 'dsync.user.created':\n if (this.handlers.onUserCreated) {\n await this.handlers.onUserCreated(this.mapUserData(data));\n }\n break;\n\n case 'dsync.user.updated':\n if (this.handlers.onUserUpdated) {\n await this.handlers.onUserUpdated(this.mapUserData(data));\n }\n break;\n\n case 'dsync.user.deleted':\n if (this.handlers.onUserDeleted) {\n await this.handlers.onUserDeleted(this.mapUserData(data));\n }\n break;\n\n case 'dsync.group.created':\n if (this.handlers.onGroupCreated) {\n await this.handlers.onGroupCreated(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.updated':\n if (this.handlers.onGroupUpdated) {\n await this.handlers.onGroupUpdated(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.deleted':\n if (this.handlers.onGroupDeleted) {\n await this.handlers.onGroupDeleted(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.user_added':\n if (this.handlers.onGroupUserAdded) {\n await this.handlers.onGroupUserAdded({\n group: this.mapGroupData(data.group as Record),\n user: this.mapUserData(data.user as Record),\n });\n }\n break;\n\n case 'dsync.group.user_removed':\n if (this.handlers.onGroupUserRemoved) {\n await this.handlers.onGroupUserRemoved({\n group: this.mapGroupData(data.group as Record),\n user: this.mapUserData(data.user as Record),\n });\n }\n break;\n\n default:\n // Unknown event type - log for debugging but don't fail\n console.warn(`[WorkOSDirectorySync] Unknown event type: ${eventType}`);\n }\n }\n\n /**\n * Maps raw webhook user data to the DirectorySyncUserData type.\n *\n * @param data - Raw user data from webhook\n * @returns Typed user data\n */\n private mapUserData(data: Record): DirectorySyncUserData {\n return {\n id: data.id as string,\n directoryId: data.directory_id as string,\n organizationId: data.organization_id as string | undefined,\n idpId: data.idp_id as string,\n firstName: data.first_name as string | undefined,\n lastName: data.last_name as string | undefined,\n jobTitle: data.job_title as string | undefined,\n emails: (data.emails as Array<{ primary: boolean; type?: string; value: string }>) ?? [],\n username: data.username as string | undefined,\n groups: (data.groups as Array<{ id: string; name: string }>) ?? [],\n state: data.state as 'active' | 'inactive',\n rawAttributes: (data.raw_attributes as Record) ?? {},\n customAttributes: (data.custom_attributes as Record) ?? {},\n createdAt: data.created_at as string,\n updatedAt: data.updated_at as string,\n };\n }\n\n /**\n * Maps raw webhook group data to the DirectorySyncGroupData type.\n *\n * @param data - Raw group data from webhook\n * @returns Typed group data\n */\n private mapGroupData(data: Record): DirectorySyncGroupData {\n return {\n id: data.id as string,\n directoryId: data.directory_id as string,\n organizationId: data.organization_id as string | undefined,\n idpId: data.idp_id as string,\n name: data.name as string,\n createdAt: data.created_at as string,\n updatedAt: data.updated_at as string,\n rawAttributes: (data.raw_attributes as Record) ?? {},\n };\n }\n\n // ===========================================================================\n // Helper Methods for Directory Sync Operations\n // ===========================================================================\n\n /**\n * Lists all directories for an organization.\n *\n * @param organizationId - The WorkOS organization ID\n * @returns Array of directories\n *\n * @example\n * ```typescript\n * const directories = await directorySync.listDirectories('org_123');\n * for (const dir of directories) {\n * console.log(`Directory: ${dir.name} (${dir.type})`);\n * }\n * ```\n */\n async listDirectories(organizationId: string): Promise {\n const response = await this.workos.directorySync.listDirectories({\n organizationId,\n });\n return response.data;\n }\n\n /**\n * Lists all users in a directory.\n *\n * @param directoryId - The directory ID\n * @returns Array of directory users\n *\n * @example\n * ```typescript\n * const users = await directorySync.listDirectoryUsers('directory_123');\n * for (const user of users) {\n * console.log(`User: ${user.firstName} ${user.lastName}`);\n * }\n * ```\n */\n async listDirectoryUsers(directoryId: string): Promise {\n const response = await this.workos.directorySync.listUsers({\n directory: directoryId,\n });\n return response.data;\n }\n\n /**\n * Lists all groups in a directory.\n *\n * @param directoryId - The directory ID\n * @returns Array of directory groups\n *\n * @example\n * ```typescript\n * const groups = await directorySync.listDirectoryGroups('directory_123');\n * for (const group of groups) {\n * console.log(`Group: ${group.name}`);\n * }\n * ```\n */\n async listDirectoryGroups(directoryId: string): Promise {\n const response = await this.workos.directorySync.listGroups({\n directory: directoryId,\n });\n return response.data;\n }\n}\n","/**\n * WorkOS Admin Portal integration for customer self-service configuration.\n *\n * The Admin Portal allows enterprise customers to configure their own:\n * - SSO connections (SAML, OIDC)\n * - Directory Sync (SCIM)\n * - Audit log viewing and export\n * - Log streaming to SIEM systems\n *\n * @module\n */\n\nimport { GeneratePortalLinkIntent } from '@workos-inc/node';\nimport type { WorkOS } from '@workos-inc/node';\n\nimport type { AdminPortalIntent, WorkOSAdminPortalOptions } from './types.js';\n\n/**\n * Maps our AdminPortalIntent type to WorkOS GeneratePortalLinkIntent enum.\n */\nconst INTENT_MAP: Record = {\n sso: GeneratePortalLinkIntent.SSO,\n dsync: GeneratePortalLinkIntent.DSync,\n audit_logs: GeneratePortalLinkIntent.AuditLogs,\n log_streams: GeneratePortalLinkIntent.LogStreams,\n};\n\n/**\n * Generates links to the WorkOS Admin Portal for customer self-service configuration.\n *\n * The Admin Portal provides a pre-built UI where enterprise customers can manage\n * their own identity configuration without developer intervention.\n *\n * @example\n * ```typescript\n * import { WorkOS } from '@workos-inc/node';\n * import { WorkOSAdminPortal } from '@mastra/workos';\n *\n * const workos = new WorkOS(process.env.WORKOS_API_KEY);\n * const adminPortal = new WorkOSAdminPortal(workos, {\n * returnUrl: 'https://app.example.com/settings',\n * });\n *\n * // Generate a link for SSO configuration\n * const ssoLink = await adminPortal.getPortalLink('org_01H...', 'sso');\n *\n * // Generate a link for Directory Sync configuration\n * const dsyncLink = await adminPortal.getPortalLink('org_01H...', 'dsync');\n *\n * // Redirect the user to the generated link\n * ```\n */\nexport class WorkOSAdminPortal {\n private workos: WorkOS;\n private returnUrl: string;\n\n /**\n * Creates a new WorkOSAdminPortal instance.\n *\n * @param workos - The WorkOS client instance\n * @param options - Configuration options for the Admin Portal\n */\n constructor(workos: WorkOS, options?: WorkOSAdminPortalOptions) {\n this.workos = workos;\n this.returnUrl = options?.returnUrl ?? '/';\n }\n\n /**\n * Generates a link to the WorkOS Admin Portal for a specific organization.\n *\n * The generated link is a one-time use URL that expires after a short period.\n * Users should be redirected to this link immediately after generation.\n *\n * @param organizationId - The WorkOS organization ID (e.g., 'org_01H...')\n * @param intent - The portal section to open. Determines what the user can configure:\n * - `'sso'`: Configure SSO connections (SAML, OIDC providers)\n * - `'dsync'`: Configure Directory Sync (SCIM provisioning)\n * - `'audit_logs'`: View and export audit logs\n * - `'log_streams'`: Configure log streaming to external SIEM systems\n * @returns A promise that resolves to the Admin Portal URL\n *\n * @example\n * ```typescript\n * // SSO configuration (default)\n * const link = await adminPortal.getPortalLink('org_01H...');\n *\n * // Directory Sync configuration\n * const link = await adminPortal.getPortalLink('org_01H...', 'dsync');\n *\n * // Audit logs viewing\n * const link = await adminPortal.getPortalLink('org_01H...', 'audit_logs');\n * ```\n */\n async getPortalLink(organizationId: string, intent?: AdminPortalIntent): Promise {\n const result = await this.workos.portal.generateLink({\n organization: organizationId,\n intent: INTENT_MAP[intent ?? 'sso'],\n returnUrl: this.returnUrl,\n });\n\n return result.link;\n }\n}\n"]}