{"version":3,"sources":["../../../src/auth/ee/interfaces/permissions.generated.ts","../../../src/auth/ee/license.ts","../../../src/auth/ee/capabilities.ts","../../../src/auth/ee/defaults/roles.ts","../../../src/auth/ee/defaults/rbac/static.ts"],"names":[],"mappings":";;;AAaO,IAAM,SAAA,GAAY;AAAA,EACvB,KAAA;AAAA,EACA,eAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,qBAAA;AAAA,EACA,YAAA;AAAA,EACA,QAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAgBO,IAAM,OAAA,GAAU,CAAC,QAAA,EAAU,SAAA,EAAW,QAAQ,OAAO;AAWrD,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,GAAA,EAAK,GAAA;AAAA;AAAA,EAEL,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB;AACtB;AAeO,IAAM,WAAA,GAAc;AAAA,EACzB,UAAA;AAAA,EACA,WAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,0BAAA;AAAA,EACA,oBAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,sBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,eAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,qBAAA;AAAA,EACA,eAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,cAAA;AAAA,EACA,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AA8BO,SAAS,yBAAyB,OAAA,EAA+C;AACtF,EAAA,OAAO,OAAA,IAAW,mBAAA;AACpB;AAKO,SAAS,oBAAoB,WAAA,EAA2D;AAC7F,EAAA,OAAO,WAAA,CAAY,MAAM,wBAAwB,CAAA;AACnD;;;ACjTA,IAAI,aAAA,GAAoC,IAAA;AACxC,IAAI,cAAA,GAAiB,CAAA;AACrB,IAAM,YAAY,EAAA,GAAK,GAAA;AAWhB,SAAS,gBAAgB,UAAA,EAAkC;AAChE,EAAA,MAAM,GAAA,GAAM,UAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA;AAEzD,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,EACxB;AAUA,EAAA,IAAI,GAAA,CAAI,SAAS,EAAA,EAAI;AACnB,IAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,IAAA;AAAA,IACP,UAAU,CAAC,MAAA,EAAQ,SAAA,EAAW,KAAA,EAAO,QAAQ,KAAK,CAAA;AAAA,IAClD,IAAA,EAAM;AAAA,GACR;AACF;AAOO,SAAS,cAAA,GAA0B;AACxC,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,EAAA,IAAI,aAAA,IAAiB,GAAA,GAAM,cAAA,GAAiB,SAAA,EAAW;AACrD,IAAA,OAAO,aAAA,CAAc,KAAA;AAAA,EACvB;AAGA,EAAA,aAAA,GAAgB,eAAA,EAAgB;AAChC,EAAA,cAAA,GAAiB,GAAA;AAEjB,EAAA,IAAI,CAAC,aAAA,CAAc,KAAA,IAAS,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG;AAC5D,IAAA,OAAA,CAAQ,KAAK,2EAA2E,CAAA;AAAA,EAC1F;AAEA,EAAA,OAAO,aAAA,CAAc,KAAA;AACvB;AAKO,IAAM,gBAAA,GAAmB;AAQzB,SAAS,iBAAiB,OAAA,EAA0B;AACzD,EAAA,IAAI,CAAC,gBAAe,EAAG;AACrB,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,IAAI,CAAC,eAAe,QAAA,EAAU;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,aAAA,CAAc,QAAA,CAAS,QAAA,CAAS,OAAO,CAAA;AAChD;AAuBO,SAAS,gBAAA,GAA4B;AAC1C,EAAA,OACE,QAAQ,GAAA,CAAI,YAAY,MAAM,MAAA,IAC9B,OAAA,CAAQ,IAAI,YAAY,CAAA,KAAM,GAAA,IAC7B,OAAA,CAAQ,IAAI,UAAU,CAAA,KAAM,gBAAgB,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,KAAM,MAAA;AAE7E;AAMO,SAAS,WAAA,GAAuB;AACrC,EAAA,IAAI,kBAAiB,EAAG;AACtB,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,cAAA,EAAe;AACxB;;;ACpDO,SAAS,gBACd,IAAA,EACmC;AACnC,EAAA,OAAO,MAAA,IAAU,IAAA,IAAQ,IAAA,CAAK,IAAA,KAAS,IAAA;AACzC;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,IAAA,IAAQ,OAAO,IAAA,KAAS,YAAY,MAAA,IAAU,IAAA;AAChE;AAKA,SAAS,kBAAkB,IAAA,EAAwB;AACjD,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAE9C,EAAA,OAAO,mBAAA,IAAuB,IAAA,IAAS,IAAA,CAAwC,iBAAA,KAAsB,IAAA;AACvG;AAMA,SAAS,aAAa,IAAA,EAAwB;AAC5C,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAC9C,EAAA,OAAO,cAAA,IAAkB,IAAA,IAAS,IAAA,CAAmC,YAAA,KAAiB,IAAA;AACxF;AA0CA,eAAsB,iBAAA,CACpB,IAAA,EACA,OAAA,EACA,OAAA,EAC6D;AAE7D,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,EACvC;AAIA,EAAA,MAAM,aAAa,cAAA,EAAe;AAClC,EAAA,MAAM,OAAA,GAAU,kBAAkB,IAAI,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,aAAa,IAAI,CAAA;AAClC,EAAA,MAAM,QAAQ,gBAAA,EAAiB;AAC/B,EAAA,MAAM,iBAAA,GAAoB,UAAA,IAAc,OAAA,IAAW,QAAA,IAAY,KAAA;AAG/D,EAAA,IAAI,KAAA,GAAyC,IAAA;AAE7C,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AACzE,EAAA,MAAM,cAAA,GAAiB,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,IAAK,iBAAA;AAGpF,EAAA,MAAM,GAAA,GAAA,CAAO,OAAA,EAAS,SAAA,IAAa,MAAA,EAAQ,IAAA,EAAK;AAChD,EAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,EAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,EAAA,MAAM,WAAA,GAAc,GAAG,MAAM,CAAA,eAAA,CAAA;AAG7B,EAAA,IAAI,aAAA,GAAgB,IAAA;AACpB,EAAA,IAAI,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AAC7D,IAAA,MAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAA,IAAI,OAAO,mBAAA,CAAoB,eAAA,KAAoB,UAAA,EAAY;AAC7D,MAAA,aAAA,GAAgB,oBAAoB,eAAA,EAAgB;AAAA,IACtD;AAAA,EACF;AAEA,EAAA,IAAI,UAAU,cAAA,EAAgB;AAC5B,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,aAAA;AAAA,MACA,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,MAAA,EAAQ;AACjB,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,cAAA,EAAgB;AAEzB,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAGA,EAAA,IAAI,IAAA,GAAsB,IAAA;AAC1B,EAAA,IAAI,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA,EAAmB;AACnF,IAAA,IAAI;AACF,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;AAAA,IAC1C,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,GAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,KAAA,EAAM;AAAA,EAChC;AAGA,EAAA,MAAM,eAAe,OAAA,EAAS,IAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,CAAC,CAAC,YAAA,IAAgB,iBAAA;AAGlC,EAAA,MAAM,YAAA,GAAgC;AAAA,IACpC,IAAA,EAAM,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA;AAAA,IACpE,OAAA,EAAS,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,iBAAA;AAAA,IACzE,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AAAA,IAC/D,IAAA,EAAM,OAAA;AAAA,IACN,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,WAAW,CAAA,IAAK;AAAA,GAC/D;AAGA,EAAA,IAAI,MAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAW,YAAA,EAAc;AAC3B,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,YAAA,CAAa,QAAA,CAAS,IAAI,CAAA;AAC9C,MAAA,MAAM,WAAA,GAAc,MAAM,YAAA,CAAa,cAAA,CAAe,IAAI,CAAA;AAC1D,MAAA,MAAA,GAAS,EAAE,OAAO,WAAA,EAAY;AAAA,IAChC,CAAA,CAAA,MAAQ;AAEN,MAAA,MAAA,GAAS,IAAA;AAAA,IACX;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,IAAA;AAAA,IACT,KAAA;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,IACA,YAAA;AAAA,IACA;AAAA,GACF;AACF;;;ACtQO,IAAM,aAAA,GAAkC;AAAA,EAC7C;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,0CAAA;AAAA,IACb,WAAA,EAAa,CAAC,GAAG;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,4CAAA;AAAA,IACb,WAAA,EAAa;AAAA,MACX,QAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA;AAAA;AAEF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,8BAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAA,EAAU,WAAW;AAAA,GACrC;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,kBAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAQ;AAAA;AAE1B;AAWO,SAAS,eAAe,MAAA,EAA4C;AACzE,EAAA,OAAO,aAAA,CAAc,IAAA,CAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,OAAO,MAAM,CAAA;AACtD;AAWO,SAAS,kBAAA,CAAmB,OAAA,EAAmB,KAAA,GAA0B,aAAA,EAAyB;AACvG,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAEhC,EAAA,SAAS,YAAY,MAAA,EAAgB;AACnC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AACzB,IAAA,OAAA,CAAQ,IAAI,MAAM,CAAA;AAElB,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAC5C,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,KAAA,MAAW,UAAA,IAAc,KAAK,WAAA,EAAa;AACzC,MAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA,IAC5B;AAGA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,KAAA,MAAW,eAAA,IAAmB,KAAK,QAAA,EAAU;AAC3C,QAAA,WAAA,CAAY,eAAe,CAAA;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAEA,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,IAAA,WAAA,CAAY,MAAM,CAAA;AAAA,EACpB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAGlD,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAAA,EAC5B;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AAAA,IACvB;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AASO,SAAS,aAAA,CAAc,iBAA2B,kBAAA,EAAqC;AAC5F,EAAA,OAAO,gBAAgB,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,kBAAkB,CAAC,CAAA;AAC3E;AA4BO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAC;AAE7C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;;;AClLO,IAAM,qBAAN,MAA0E;AAAA,EACvE,KAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA,uBAAsB,GAAA,EAAsB;AAAA;AAAA,EAGpD,IAAI,WAAA,GAAuC;AACzC,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA,EAEA,YAAY,OAAA,EAA2C;AACrD,IAAA,IAAI,OAAA,IAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,EAAO;AACvC,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AAAA,IACvB;AACA,IAAA,IAAI,aAAA,IAAiB,OAAA,IAAW,OAAA,CAAQ,WAAA,EAAa;AACnD,MAAA,IAAA,CAAK,eAAe,OAAA,CAAQ,WAAA;AAAA,IAC9B;AACA,IAAA,IAAA,CAAK,iBAAiB,OAAA,CAAQ,YAAA;AAAA,EAChC;AAAA,EAEA,MAAM,SAAS,IAAA,EAAgC;AAC7C,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAC9C,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAa,IAAA,EAAgC;AACzD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAgC;AACnD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAGxC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,IAAA,EAAK,CAAE,KAAK,GAAG,CAAA;AACxC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,QAAQ,OAAO,MAAA;AAGnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,YAAA,EAAc;AAErB,MAAA,WAAA,GAAc,6BAAA,CAA8B,OAAA,EAAS,IAAA,CAAK,YAAY,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AAErB,MAAA,WAAA,GAAc,kBAAA,CAAmB,OAAA,EAAS,IAAA,CAAK,KAAK,CAAA;AAAA,IACtD,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,EAAC;AAAA,IACjB;AAGA,IAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAE9C,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAa,UAAA,EAAsC;AACrE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAa,WAAA,EAAyC;AAC5E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAa,WAAA,EAAyC;AAC3E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAA,GAAuC;AACrC,IAAA,OAAO,IAAA,CAAK,SAAS,EAAC;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,MAAA,EAA4C;AAC5D,IAAA,OAAO,KAAK,KAAA,EAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAAA,EAC9C;AACF","file":"index.cjs","sourcesContent":["/**\n * AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY\n *\n * This file is generated by packages/server/scripts/generate-permissions.ts\n * Run `pnpm generate:permissions` from packages/server to regenerate.\n *\n * Source of truth: SERVER_ROUTES in @mastra/server\n */\n\n/**\n * All known API resources.\n * Derived from SERVER_ROUTES paths in @mastra/server.\n */\nexport const RESOURCES = [\n  'a2a',\n  'agent-builder',\n  'agents',\n  'datasets',\n  'embedders',\n  'experiments',\n  'logs',\n  'mcp',\n  'memory',\n  'observability',\n  'processor-providers',\n  'processors',\n  'scores',\n  'stored',\n  'stored-agents',\n  'system',\n  'tool-providers',\n  'tools',\n  'vector',\n  'vectors',\n  'workflows',\n  'workspaces',\n] as const;\n\n/**\n * Resource type union.\n */\nexport type Resource = (typeof RESOURCES)[number];\n\n/**\n * All permission actions.\n * Derived from HTTP methods and route overrides:\n * - GET → read\n * - POST → write or execute (context-dependent)\n * - PUT/PATCH → write\n * - DELETE → delete\n * - Additional actions from explicit requiresPermission overrides\n */\nexport const ACTIONS = ['delete', 'execute', 'read', 'write'] as const;\n\n/**\n * Action type union.\n */\nexport type Action = (typeof ACTIONS)[number];\n\n/**\n * All valid permission patterns.\n * Use `keyof typeof PERMISSION_PATTERNS` or the `PermissionPattern` type.\n */\nexport const PERMISSION_PATTERNS = {\n  /** Full access to all resources and actions */\n  '*': '*',\n  /** Delete all resources */\n  '*:delete': '*:delete',\n  /** Execute all resources */\n  '*:execute': '*:execute',\n  /** View all resources */\n  '*:read': '*:read',\n  /** Create and modify all resources */\n  '*:write': '*:write',\n  /** Full access to agent-to-agent communication */\n  'a2a:*': 'a2a:*',\n  /** Full access to agent builder */\n  'agent-builder:*': 'agent-builder:*',\n  /** Full access to agents */\n  'agents:*': 'agents:*',\n  /** Full access to datasets */\n  'datasets:*': 'datasets:*',\n  /** Full access to embedders */\n  'embedders:*': 'embedders:*',\n  /** Full access to experiments */\n  'experiments:*': 'experiments:*',\n  /** Full access to logs */\n  'logs:*': 'logs:*',\n  /** Full access to MCP servers */\n  'mcp:*': 'mcp:*',\n  /** Full access to memory and threads */\n  'memory:*': 'memory:*',\n  /** Full access to traces and spans */\n  'observability:*': 'observability:*',\n  /** Full access to processor-providers */\n  'processor-providers:*': 'processor-providers:*',\n  /** Full access to processors */\n  'processors:*': 'processors:*',\n  /** Full access to evaluation scores */\n  'scores:*': 'scores:*',\n  /** Full access to stored */\n  'stored:*': 'stored:*',\n  /** Full access to stored agents */\n  'stored-agents:*': 'stored-agents:*',\n  /** Full access to system info */\n  'system:*': 'system:*',\n  /** Full access to tool-providers */\n  'tool-providers:*': 'tool-providers:*',\n  /** Full access to tools */\n  'tools:*': 'tools:*',\n  /** Full access to vector stores */\n  'vector:*': 'vector:*',\n  /** Full access to vectors */\n  'vectors:*': 'vectors:*',\n  /** Full access to workflows */\n  'workflows:*': 'workflows:*',\n  /** Full access to workspaces */\n  'workspaces:*': 'workspaces:*',\n  /** View agent-to-agent communication */\n  'a2a:read': 'a2a:read',\n  /** Create and modify agent-to-agent communication */\n  'a2a:write': 'a2a:write',\n  /** Execute agent builder */\n  'agent-builder:execute': 'agent-builder:execute',\n  /** View agent builder */\n  'agent-builder:read': 'agent-builder:read',\n  /** Create and modify agent builder */\n  'agent-builder:write': 'agent-builder:write',\n  /** Execute agents */\n  'agents:execute': 'agents:execute',\n  /** View agents */\n  'agents:read': 'agents:read',\n  /** Create and modify agents */\n  'agents:write': 'agents:write',\n  /** Delete datasets */\n  'datasets:delete': 'datasets:delete',\n  /** Execute datasets */\n  'datasets:execute': 'datasets:execute',\n  /** View datasets */\n  'datasets:read': 'datasets:read',\n  /** Create and modify datasets */\n  'datasets:write': 'datasets:write',\n  /** View embedders */\n  'embedders:read': 'embedders:read',\n  /** View experiments */\n  'experiments:read': 'experiments:read',\n  /** View logs */\n  'logs:read': 'logs:read',\n  /** Execute MCP servers */\n  'mcp:execute': 'mcp:execute',\n  /** View MCP servers */\n  'mcp:read': 'mcp:read',\n  /** Create and modify MCP servers */\n  'mcp:write': 'mcp:write',\n  /** Delete memory and threads */\n  'memory:delete': 'memory:delete',\n  /** Execute memory and threads */\n  'memory:execute': 'memory:execute',\n  /** View memory and threads */\n  'memory:read': 'memory:read',\n  /** Create and modify memory and threads */\n  'memory:write': 'memory:write',\n  /** View traces and spans */\n  'observability:read': 'observability:read',\n  /** Create and modify traces and spans */\n  'observability:write': 'observability:write',\n  /** View processor-providers */\n  'processor-providers:read': 'processor-providers:read',\n  /** Execute processors */\n  'processors:execute': 'processors:execute',\n  /** View processors */\n  'processors:read': 'processors:read',\n  /** View evaluation scores */\n  'scores:read': 'scores:read',\n  /** Create and modify evaluation scores */\n  'scores:write': 'scores:write',\n  /** Delete stored agents */\n  'stored-agents:delete': 'stored-agents:delete',\n  /** View stored agents */\n  'stored-agents:read': 'stored-agents:read',\n  /** Create and modify stored agents */\n  'stored-agents:write': 'stored-agents:write',\n  /** Delete stored */\n  'stored:delete': 'stored:delete',\n  /** View stored */\n  'stored:read': 'stored:read',\n  /** Create and modify stored */\n  'stored:write': 'stored:write',\n  /** View system info */\n  'system:read': 'system:read',\n  /** View tool-providers */\n  'tool-providers:read': 'tool-providers:read',\n  /** Execute tools */\n  'tools:execute': 'tools:execute',\n  /** View tools */\n  'tools:read': 'tools:read',\n  /** Delete vector stores */\n  'vector:delete': 'vector:delete',\n  /** Execute vector stores */\n  'vector:execute': 'vector:execute',\n  /** View vector stores */\n  'vector:read': 'vector:read',\n  /** Create and modify vector stores */\n  'vector:write': 'vector:write',\n  /** View vectors */\n  'vectors:read': 'vectors:read',\n  /** Delete workflows */\n  'workflows:delete': 'workflows:delete',\n  /** Execute workflows */\n  'workflows:execute': 'workflows:execute',\n  /** View workflows */\n  'workflows:read': 'workflows:read',\n  /** Create and modify workflows */\n  'workflows:write': 'workflows:write',\n  /** Delete workspaces */\n  'workspaces:delete': 'workspaces:delete',\n  /** View workspaces */\n  'workspaces:read': 'workspaces:read',\n  /** Create and modify workspaces */\n  'workspaces:write': 'workspaces:write',\n} as const;\n\n/**\n * Permission pattern that can be used in role definitions.\n * Supports:\n * - Specific permissions: 'agents:read', 'workflows:execute'\n * - Resource wildcards: 'agents:*', 'workflows:*' (all actions on a resource)\n * - Action wildcards: '*:read', '*:write' (an action across all resources)\n * - Global wildcard: '*' (full access)\n */\nexport type PermissionPattern = keyof typeof PERMISSION_PATTERNS;\n\n/**\n * All valid resource:action permission combinations (excludes wildcards).\n */\nexport const PERMISSIONS = [\n  'a2a:read',\n  'a2a:write',\n  'agent-builder:execute',\n  'agent-builder:read',\n  'agent-builder:write',\n  'agents:execute',\n  'agents:read',\n  'agents:write',\n  'datasets:delete',\n  'datasets:execute',\n  'datasets:read',\n  'datasets:write',\n  'embedders:read',\n  'experiments:read',\n  'logs:read',\n  'mcp:execute',\n  'mcp:read',\n  'mcp:write',\n  'memory:delete',\n  'memory:execute',\n  'memory:read',\n  'memory:write',\n  'observability:read',\n  'observability:write',\n  'processor-providers:read',\n  'processors:execute',\n  'processors:read',\n  'scores:read',\n  'scores:write',\n  'stored-agents:delete',\n  'stored-agents:read',\n  'stored-agents:write',\n  'stored:delete',\n  'stored:read',\n  'stored:write',\n  'system:read',\n  'tool-providers:read',\n  'tools:execute',\n  'tools:read',\n  'vector:delete',\n  'vector:execute',\n  'vector:read',\n  'vector:write',\n  'vectors:read',\n  'workflows:delete',\n  'workflows:execute',\n  'workflows:read',\n  'workflows:write',\n  'workspaces:delete',\n  'workspaces:read',\n  'workspaces:write',\n] as const;\n\n/**\n * Specific permission type (e.g., 'agents:read', 'workflows:execute').\n */\nexport type Permission = (typeof PERMISSIONS)[number];\n\n/**\n * Type-safe role mapping configuration.\n *\n * Maps role names (from your identity provider) to Mastra permission patterns.\n *\n * @example\n * ```typescript\n * const roleMapping: TypedRoleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\", \"workflows:read\"],\n *   \"Admin\": [\"*\"],\n *   \"_default\": [],\n * };\n * ```\n */\nexport type TypedRoleMapping = {\n  [role: string]: PermissionPattern[];\n};\n\n/**\n * Validates that a string is a valid permission pattern.\n * Useful for runtime validation of permission strings.\n */\nexport function isValidPermissionPattern(pattern: string): pattern is PermissionPattern {\n  return pattern in PERMISSION_PATTERNS;\n}\n\n/**\n * Validates that all permissions in an array are valid patterns.\n */\nexport function validatePermissions(permissions: string[]): permissions is PermissionPattern[] {\n  return permissions.every(isValidPermissionPattern);\n}\n","/**\n * License validation for EE features.\n */\n\n/**\n * License information.\n */\nexport interface LicenseInfo {\n  /** Whether the license is valid */\n  valid: boolean;\n  /** License expiration date */\n  expiresAt?: Date;\n  /** Features enabled by this license */\n  features?: string[];\n  /** Organization name */\n  organization?: string;\n  /** License tier */\n  tier?: 'standard' | 'enterprise';\n}\n\n// Cached license validation result\nlet cachedLicense: LicenseInfo | null = null;\nlet cacheTimestamp = 0;\nconst CACHE_TTL = 60 * 1000; // 1 minute\n\n/**\n * Validate a license key and return license information.\n *\n * Currently implements a simple check for the presence of the license key.\n * In production, this would validate against a license server.\n *\n * @param licenseKey - License key to validate\n * @returns License information\n */\nexport function validateLicense(licenseKey?: string): LicenseInfo {\n  const key = licenseKey ?? process.env['MASTRA_EE_LICENSE'];\n\n  if (!key) {\n    return { valid: false };\n  }\n\n  // TODO: Implement actual license validation\n  // For now, any non-empty key is considered valid\n  // In production, this would:\n  // 1. Verify signature of the license key\n  // 2. Check expiration date embedded in key\n  // 3. Optionally validate against license server\n\n  // Simple validation: key should be at least 32 characters\n  if (key.length < 32) {\n    return { valid: false };\n  }\n\n  return {\n    valid: true,\n    features: ['user', 'session', 'sso', 'rbac', 'acl'],\n    tier: 'enterprise',\n  };\n}\n\n/**\n * Check if EE features are enabled (valid license or cache).\n *\n * @returns True if EE features should be enabled\n */\nexport function isLicenseValid(): boolean {\n  const now = Date.now();\n\n  // Return cached result if still valid\n  if (cachedLicense && now - cacheTimestamp < CACHE_TTL) {\n    return cachedLicense.valid;\n  }\n\n  // Validate and cache\n  cachedLicense = validateLicense();\n  cacheTimestamp = now;\n\n  if (!cachedLicense.valid && process.env['MASTRA_EE_LICENSE']) {\n    console.warn('[mastra/auth-ee] Invalid or expired EE license. EE features are disabled.');\n  }\n\n  return cachedLicense.valid;\n}\n\n/**\n * @deprecated Use `isLicenseValid()` instead. This alias is provided for backward compatibility.\n */\nexport const isEELicenseValid = isLicenseValid;\n\n/**\n * Check if a specific EE feature is enabled.\n *\n * @param feature - Feature name to check\n * @returns True if the feature is enabled\n */\nexport function isFeatureEnabled(feature: string): boolean {\n  if (!isLicenseValid()) {\n    return false;\n  }\n\n  // If license is valid but no features array, all features are enabled\n  if (!cachedLicense?.features) {\n    return true;\n  }\n\n  return cachedLicense.features.includes(feature);\n}\n\n/**\n * Get the current license information.\n *\n * @returns License info or null if not validated yet\n */\nexport function getLicenseInfo(): LicenseInfo | null {\n  return cachedLicense;\n}\n\n/**\n * Clear the license cache (useful for testing).\n */\nexport function clearLicenseCache(): void {\n  cachedLicense = null;\n  cacheTimestamp = 0;\n}\n\n/**\n * Check if running in a development/testing environment.\n * In dev, EE features work without a license per the ee/LICENSE terms.\n */\nexport function isDevEnvironment(): boolean {\n  return (\n    process.env['MASTRA_DEV'] === 'true' ||\n    process.env['MASTRA_DEV'] === '1' ||\n    (process.env['NODE_ENV'] !== 'production' && process.env['NODE_ENV'] !== 'prod')\n  );\n}\n\n/**\n * Check if EE features should be active.\n * Returns true if running in dev/test environment (always allowed) or if a valid license is present.\n */\nexport function isEEEnabled(): boolean {\n  if (isDevEnvironment()) {\n    return true;\n  }\n  return isLicenseValid();\n}\n","/**\n * Capabilities detection and response building for EE authentication.\n */\n\nimport type { MastraAuthProvider } from '../../server';\nimport type { IUserProvider, ISSOProvider, ISessionProvider, ICredentialsProvider } from '../interfaces';\nimport type { IACLProvider } from './interfaces/acl';\nimport type { IRBACProvider } from './interfaces/rbac';\nimport type { EEUser } from './interfaces/user';\nimport { isLicenseValid, isDevEnvironment } from './license';\n\n/**\n * Public capabilities response (no authentication required).\n * Contains just enough info to render the login page.\n */\nexport interface PublicAuthCapabilities {\n  /** Whether auth is enabled */\n  enabled: boolean;\n  /** Login configuration (null if no auth or no SSO) */\n  login: {\n    /** Type of login available */\n    type: 'sso' | 'credentials' | 'both';\n    /** Whether sign-up is enabled (defaults to true) */\n    signUpEnabled?: boolean;\n    /** SSO configuration */\n    sso?: {\n      /** Provider name */\n      provider: string;\n      /** Button text */\n      text: string;\n      /** Icon URL */\n      icon?: string;\n      /** Login URL */\n      url: string;\n    };\n  } | null;\n}\n\n/**\n * User info for authenticated response.\n */\nexport interface AuthenticatedUser {\n  /** User ID */\n  id: string;\n  /** User email */\n  email?: string;\n  /** Display name */\n  name?: string;\n  /** Avatar URL */\n  avatarUrl?: string;\n}\n\n/**\n * Capability flags indicating which EE features are available.\n */\nexport interface CapabilityFlags {\n  /** IUserProvider is implemented and licensed */\n  user: boolean;\n  /** ISessionProvider is implemented and licensed */\n  session: boolean;\n  /** ISSOProvider is implemented and licensed */\n  sso: boolean;\n  /** IRBACProvider is implemented and licensed */\n  rbac: boolean;\n  /** IACLProvider is implemented and licensed */\n  acl: boolean;\n}\n\n/**\n * User's access (roles and permissions).\n */\nexport interface UserAccess {\n  /** User's roles */\n  roles: string[];\n  /** User's resolved permissions */\n  permissions: string[];\n}\n\n/**\n * Authenticated capabilities response.\n * Extends public capabilities with user context and feature flags.\n */\nexport interface AuthenticatedCapabilities extends PublicAuthCapabilities {\n  /** Current authenticated user */\n  user: AuthenticatedUser;\n  /** Available EE capabilities */\n  capabilities: CapabilityFlags;\n  /** User's access (if RBAC available) */\n  access: UserAccess | null;\n}\n\n/**\n * Type guard to check if response is authenticated.\n */\nexport function isAuthenticated(\n  caps: PublicAuthCapabilities | AuthenticatedCapabilities,\n): caps is AuthenticatedCapabilities {\n  return 'user' in caps && caps.user !== null;\n}\n\n/**\n * Check if an auth provider implements a specific interface.\n */\nfunction implementsInterface<T>(auth: unknown, method: keyof T): auth is T {\n  return auth !== null && typeof auth === 'object' && method in auth;\n}\n\n/**\n * Check if auth provider is MastraCloudAuth (exempt from license requirement).\n */\nfunction isMastraCloudAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  // Check for the MastraCloudAuth marker\n  return 'isMastraCloudAuth' in auth && (auth as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true;\n}\n\n/**\n * Check if auth provider is SimpleAuth (exempt from license requirement).\n * SimpleAuth is for development/testing and should work without a license.\n */\nfunction isSimpleAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  return 'isSimpleAuth' in auth && (auth as { isSimpleAuth: boolean }).isSimpleAuth === true;\n}\n\n/**\n * Options for building capabilities.\n */\nexport interface BuildCapabilitiesOptions {\n  /**\n   * RBAC provider for role-based access control (EE feature).\n   * Separate from the auth provider to allow mixing different providers.\n   *\n   * @example\n   * ```typescript\n   * const rbac = new StaticRBACProvider({\n   *   roles: DEFAULT_ROLES,\n   *   getUserRoles: (user) => [user.role],\n   * });\n   *\n   * buildCapabilities(auth, request, { rbac });\n   * ```\n   */\n  rbac?: IRBACProvider<EEUser>;\n\n  /**\n   * API route prefix used to construct SSO login URLs.\n   * Defaults to `/api` when not provided.\n   *\n   * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`\n   */\n  apiPrefix?: string;\n}\n\n/**\n * Build capabilities response based on auth configuration and request state.\n *\n * This function determines what capabilities are available and, if the user\n * is authenticated, includes their user info and access permissions.\n *\n * @param auth - Auth provider (or null if no auth configured)\n * @param request - Incoming HTTP request\n * @param options - Optional configuration (roleMapping, etc.)\n * @returns Capabilities response (public or authenticated)\n */\nexport async function buildCapabilities(\n  auth: MastraAuthProvider | null,\n  request: Request,\n  options?: BuildCapabilitiesOptions,\n): Promise<PublicAuthCapabilities | AuthenticatedCapabilities> {\n  // No auth configured - disabled\n  if (!auth) {\n    return { enabled: false, login: null };\n  }\n\n  // Determine if EE features are available\n  // SimpleAuth, MastraCloudAuth, and dev environments are exempt from license requirement\n  const hasLicense = isLicenseValid();\n  const isCloud = isMastraCloudAuth(auth);\n  const isSimple = isSimpleAuth(auth);\n  const isDev = isDevEnvironment();\n  const isLicensedOrCloud = hasLicense || isCloud || isSimple || isDev;\n\n  // Build login configuration (always public)\n  let login: PublicAuthCapabilities['login'] = null;\n\n  const hasSSO = implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud;\n  const hasCredentials = implementsInterface<ICredentialsProvider>(auth, 'signIn') && isLicensedOrCloud;\n\n  // Build SSO login URL using the configured prefix (default: /api)\n  const raw = (options?.apiPrefix || '/api').trim();\n  const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n  const prefix = withSlash.endsWith('/') ? withSlash.slice(0, -1) : withSlash;\n  const ssoLoginUrl = `${prefix}/auth/sso/login`;\n\n  // Check if sign-up is enabled (defaults to true)\n  let signUpEnabled = true;\n  if (implementsInterface<ICredentialsProvider>(auth, 'signIn')) {\n    const credentialsProvider = auth as ICredentialsProvider;\n    if (typeof credentialsProvider.isSignUpEnabled === 'function') {\n      signUpEnabled = credentialsProvider.isSignUpEnabled();\n    }\n  }\n\n  if (hasSSO && hasCredentials) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'both',\n      signUpEnabled,\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasSSO) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'sso',\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasCredentials) {\n    // Credentials-only auth (e.g., Better Auth with email/password)\n    login = {\n      type: 'credentials',\n      signUpEnabled,\n    };\n  }\n\n  // Try to get current user (requires session)\n  let user: EEUser | null = null;\n  if (implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud) {\n    try {\n      user = await auth.getCurrentUser(request);\n    } catch {\n      // Session invalid or expired\n      user = null;\n    }\n  }\n\n  // If no user, return public response only\n  if (!user) {\n    return { enabled: true, login };\n  }\n\n  // Get RBAC provider from options (if configured)\n  const rbacProvider = options?.rbac;\n  const hasRBAC = !!rbacProvider && isLicensedOrCloud;\n\n  // Build capability flags\n  const capabilities: CapabilityFlags = {\n    user: implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud,\n    session: implementsInterface<ISessionProvider>(auth, 'createSession') && isLicensedOrCloud,\n    sso: implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud,\n    rbac: hasRBAC,\n    acl: implementsInterface<IACLProvider>(auth, 'canAccess') && isLicensedOrCloud,\n  };\n\n  // Get roles/permissions from RBAC provider (if available)\n  let access: UserAccess | null = null;\n  if (hasRBAC && rbacProvider) {\n    try {\n      const roles = await rbacProvider.getRoles(user);\n      const permissions = await rbacProvider.getPermissions(user);\n      access = { roles, permissions };\n    } catch {\n      // RBAC failed, continue without access info\n      access = null;\n    }\n  }\n\n  return {\n    enabled: true,\n    login,\n    user: {\n      id: user.id,\n      email: user.email,\n      name: user.name,\n      avatarUrl: user.avatarUrl,\n    },\n    capabilities,\n    access,\n  };\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n  {\n    id: 'owner',\n    name: 'Owner',\n    description: 'Full access to all features and settings',\n    permissions: ['*'],\n  },\n  {\n    id: 'admin',\n    name: 'Admin',\n    description: 'Manage agents, workflows, and team members',\n    permissions: [\n      '*:read',\n      '*:write',\n      '*:execute',\n      // Note: admins cannot delete resources\n    ],\n  },\n  {\n    id: 'member',\n    name: 'Member',\n    description: 'Execute agents and workflows',\n    permissions: ['*:read', '*:execute'],\n  },\n  {\n    id: 'viewer',\n    name: 'Viewer',\n    description: 'Read-only access',\n    permissions: ['*:read'],\n  },\n];\n\n// Re-export Permission types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n  return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n  const permissions = new Set<string>();\n  const visited = new Set<string>();\n\n  function resolveRole(roleId: string) {\n    if (visited.has(roleId)) return;\n    visited.add(roleId);\n\n    const role = roles.find(r => r.id === roleId);\n    if (!role) return;\n\n    for (const permission of role.permissions) {\n      permissions.add(permission);\n    }\n\n    // Resolve inherited roles\n    if (role.inherits) {\n      for (const inheritedRoleId of role.inherits) {\n        resolveRole(inheritedRoleId);\n      }\n    }\n  }\n\n  for (const roleId of roleIds) {\n    resolveRole(roleId);\n  }\n\n  return Array.from(permissions);\n}\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: `{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n  // Wildcard matches everything\n  if (userPermission === '*') {\n    return true;\n  }\n\n  const grantedParts = userPermission.split(':');\n  const requiredParts = requiredPermission.split(':');\n\n  // Must have at least resource:action\n  if (grantedParts.length < 2 || requiredParts.length < 2) {\n    return userPermission === requiredPermission;\n  }\n\n  const [grantedResource, grantedAction, grantedId] = grantedParts;\n  const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n  // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n  if (grantedResource === '*') {\n    // \"*:*\" is a full wildcard - matches everything\n    if (grantedAction === '*') {\n      if (grantedId === undefined) {\n        return true;\n      }\n      return grantedId === requiredId;\n    }\n    // Action must match for resource wildcards with specific action\n    if (grantedAction !== requiredAction) {\n      return false;\n    }\n    // If no granted ID, matches all instances\n    if (grantedId === undefined) {\n      return true;\n    }\n    // *:read:my-id would match agents:read:my-id (unusual but consistent)\n    return grantedId === requiredId;\n  }\n\n  // Resource must match (for non-wildcard resources)\n  if (grantedResource !== requiredResource) {\n    return false;\n  }\n\n  // Action wildcard: \"agents:*\" matches any action\n  if (grantedAction === '*') {\n    // If no granted ID, matches all resources\n    // If granted ID specified (agents:*:my-agent), must match required ID\n    if (grantedId === undefined) {\n      return true;\n    }\n    // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n    return grantedId === requiredId;\n  }\n\n  // Action must match\n  if (grantedAction !== requiredAction) {\n    return false;\n  }\n\n  // No resource ID in granted permission = access to all resources of this type\n  // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n  if (grantedId === undefined) {\n    return true;\n  }\n\n  // Both have resource IDs - must match exactly\n  return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n  return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\"],\n *   \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n *   [\"Engineering\", \"QA\"],\n *   roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n  const permissions = new Set<string>();\n  const defaultPerms = mapping['_default'] ?? [];\n\n  for (const role of roles) {\n    const rolePerms = mapping[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    } else {\n      // Apply default permissions for unmapped roles\n      for (const perm of defaultPerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n","/**\n * Static RBAC provider with config-based roles.\n */\n\nimport type { RoleDefinition, RoleMapping, IRBACProvider } from '../../interfaces';\nimport { resolvePermissions, matchesPermission, resolvePermissionsFromMapping } from '../roles';\n\n/**\n * Options for StaticRBACProvider.\n *\n * Use ONE of the following approaches:\n * - `roles`: Define role structures with permissions (Mastra's native role system)\n * - `roleMapping`: Map provider roles directly to permissions (simpler for external providers)\n */\nexport type StaticRBACProviderOptions<TUser = unknown> =\n  | {\n      /** Role definitions (Mastra's native role system) */\n      roles: RoleDefinition[];\n      /** Function to get user's role IDs */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roleMapping?: never;\n    }\n  | {\n      /**\n       * Role mapping for translating provider roles to permissions.\n       * Use this when your identity provider has roles that need to be\n       * mapped to Mastra permissions.\n       */\n      roleMapping: RoleMapping;\n      /** Function to get user's role IDs from the provider */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roles?: never;\n    };\n\n/**\n * Static RBAC provider.\n *\n * Supports two modes:\n * 1. **Role definitions**: Use Mastra's native role system with structured roles\n * 2. **Role mapping**: Directly map provider roles to permissions\n *\n * @example Using role definitions (Mastra's native system)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: (user) => [user.role],\n * });\n * ```\n *\n * @example Using role mapping (for external providers)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roleMapping: {\n *     \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *     \"Product\": [\"agents:read\", \"workflows:read\"],\n *     \"_default\": [],\n *   },\n *   getUserRoles: (user) => user.providerRoles,\n * });\n * ```\n *\n * @example Async role lookup\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: async (user) => {\n *     return db.getUserRoles(user.id);\n *   },\n * });\n * ```\n */\nexport class StaticRBACProvider<TUser = unknown> implements IRBACProvider<TUser> {\n  private roles?: RoleDefinition[];\n  private _roleMapping?: RoleMapping;\n  private getUserRolesFn: (user: TUser) => string[] | Promise<string[]>;\n  private permissionCache = new Map<string, string[]>();\n\n  /** Expose roleMapping for middleware access */\n  get roleMapping(): RoleMapping | undefined {\n    return this._roleMapping;\n  }\n\n  constructor(options: StaticRBACProviderOptions<TUser>) {\n    if ('roles' in options && options.roles) {\n      this.roles = options.roles;\n    }\n    if ('roleMapping' in options && options.roleMapping) {\n      this._roleMapping = options.roleMapping;\n    }\n    this.getUserRolesFn = options.getUserRoles;\n  }\n\n  async getRoles(user: TUser): Promise<string[]> {\n    const roleIds = await this.getUserRolesFn(user);\n    return roleIds;\n  }\n\n  async hasRole(user: TUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: TUser): Promise<string[]> {\n    const roleIds = await this.getRoles(user);\n\n    // Check cache\n    const cacheKey = roleIds.sort().join(',');\n    const cached = this.permissionCache.get(cacheKey);\n    if (cached) return cached;\n\n    // Resolve permissions based on mode\n    let permissions: string[];\n    if (this._roleMapping) {\n      // Role mapping mode: translate provider roles to permissions\n      permissions = resolvePermissionsFromMapping(roleIds, this._roleMapping);\n    } else if (this.roles) {\n      // Role definitions mode: use Mastra's native role system\n      permissions = resolvePermissions(roleIds, this.roles);\n    } else {\n      // No roles or mapping configured\n      permissions = [];\n    }\n\n    // Cache result\n    this.permissionCache.set(cacheKey, permissions);\n\n    return permissions;\n  }\n\n  async hasPermission(user: TUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  /**\n   * Clear the permission cache.\n   */\n  clearCache(): void {\n    this.permissionCache.clear();\n  }\n\n  /**\n   * Get all role definitions.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinitions(): RoleDefinition[] {\n    return this.roles ?? [];\n  }\n\n  /**\n   * Get a specific role definition.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinition(roleId: string): RoleDefinition | undefined {\n    return this.roles?.find(r => r.id === roleId);\n  }\n}\n"]}