{"version":3,"sources":["../../src/auth/defaults/session/memory.ts","../../src/auth/defaults/session/cookie.ts"],"names":["escapeRegExp","createHmac"],"mappings":";;;;;AAQA,SAAS,aAAa,GAAA,EAAqB;AACzC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AA6BO,IAAM,wBAAN,MAAwD;AAAA,EACrD,QAAA,uBAAe,GAAA,EAAqB;AAAA,EACpC,GAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA,GAAsD,IAAA;AAAA,EAE9D,WAAA,CAAY,OAAA,GAAwC,EAAC,EAAG;AACtD,IAAA,IAAA,CAAK,MAAM,OAAA,CAAQ,GAAA,IAAO,CAAA,GAAI,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;AAC7C,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,gBAAA;AACxC,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,GAAA;AAGxC,IAAA,MAAM,eAAA,GAAkB,QAAQ,eAAA,IAAmB,GAAA;AACnD,IAAA,IAAA,CAAK,eAAe,WAAA,CAAY,MAAM,IAAA,CAAK,OAAA,IAAW,eAAe,CAAA;AAGrE,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KAGF;AAAA,EACF;AAAA,EAEA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,OAAA,GAAmB;AAAA,MACvB,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,MACtB,MAAA;AAAA,MACA,WAAW,IAAI,IAAA,CAAK,KAAK,GAAA,EAAI,GAAI,KAAK,GAAG,CAAA;AAAA,MACzC,SAAA,sBAAe,IAAA,EAAK;AAAA,MACpB;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,EAAA,EAAI,OAAO,CAAA;AACrC,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,SAAA,EAA4C;AAChE,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAE3C,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,OAAA,CAAQ,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AAClC,MAAA,IAAA,CAAK,QAAA,CAAS,OAAO,SAAS,CAAA;AAC9B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,eAAe,SAAA,EAAkC;AACrD,IAAA,IAAA,CAAK,QAAA,CAAS,OAAO,SAAS,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,eAAe,SAAA,EAA4C;AAC/D,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA;AAEpD,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAA,CAAQ,YAAY,IAAI,IAAA,CAAK,KAAK,GAAA,EAAI,GAAI,KAAK,GAAG,CAAA;AAClD,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,SAAA,EAAW,OAAO,CAAA;AAEpC,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;A
AE1B,IAAA,MAAM,WAAA,GAAc,YAAA,CAAa,IAAA,CAAK,UAAU,CAAA;AAChD,IAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,WAAW,UAAU,CAAC,CAAA;AACrE,IAAA,OAAO,KAAA,GAAQ,CAAC,CAAA,IAAK,IAAA;AAAA,EACvB;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAA,CAAO,OAAA,CAAQ,SAAA,CAAU,SAAQ,GAAI,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAA;AAC3E,IAAA,OAAO;AAAA,MACL,YAAA,EAAc,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,CAAA,EAAI,OAAA,CAAQ,EAAE,CAAA,+BAAA,EAAkC,IAAA,CAAK,UAAU,CAAA,UAAA,EAAa,MAAM,CAAA;AAAA,KACpH;AAAA,EACF;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,OAAO;AAAA,MACL,cAAc,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,gCAAA,EAAmC,KAAK,UAAU,CAAA,WAAA;AAAA,KACpF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,OAAA,GAAgB;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,KAAK,QAAA,EAAU;AACzC,MAAA,IAAI,OAAA,CAAQ,YAAY,GAAA,EAAK;AAC3B,QAAA,IAAA,CAAK,QAAA,CAAS,OAAO,EAAE,CAAA;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAA,GAAgB;AACd,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,aAAA,CAAc,KAAK,YAAY,CAAA;AAC/B,MAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AAAA,IACtB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,eAAA,GAA0B;AACxB,IAAA,OAAO,KAAK,QAAA,CAAS,IAAA;AAAA,EACvB;AACF;ACtJA,SAASA,cAAa,GAAA,EAAqB;AACzC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AA6CO,IAAM,wBAAN,MAAwD;AAAA,EACrD,MAAA;AAAA,EACA,GAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,MAAA;AAAA,EAER,YAAY,OAAA,EAAuC;AACjD,IAAA,IAAI,CAAC,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,MAAA,CAAO,SAAS,EAAA,EAAI;AACjD,MAAA,MAAM,IAAI,MAAM,mEAAmE,CAAA;AAAA,IACrF;AAEA,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,MAAM,OAAA,CAAQ,GAAA,IAAO,CAAA,GAAI,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;AAC7C,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,gBAAA;AACxC,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,GAAA;AACxC,IAAA,IAAA,CAAK,eAAe,OAAA,CAAQ,YAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,KAAM,YAAA;AAAA,EAC9D;AAAA,EAEA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,OAAA,GAAmB;AAAA,MACvB,EAAA
,EAAI,OAAO,UAAA,EAAW;AAAA,MACtB,MAAA;AAAA,MACA,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,GAAM,KAAK,GAAG,CAAA;AAAA,MAClC,SAAA,EAAW,IAAI,IAAA,CAAK,GAAG,CAAA;AAAA,MACvB;AAAA,KACF;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,UAAA,EAA6C;AAGjE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,eAAe,UAAA,EAAmC;AAAA,EAGxD;AAAA,EAEA,MAAM,eAAe,UAAA,EAA6C;AAGhE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,wBAAwB,OAAA,EAAiC;AACvD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,oBAAA,CAAqB,OAAO,CAAA;AACjD,IAAA,OAAO,SAAS,EAAA,IAAM,IAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,qBAAqB,OAAA,EAAkC;AACrD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAE1B,IAAA,MAAM,WAAA,GAAcA,aAAAA,CAAa,IAAA,CAAK,UAAU,CAAA;AAChD,IAAA,MAAM,KAAA,GAAQ,aAAa,KAAA,CAAM,IAAI,OAAO,CAAA,EAAG,WAAW,UAAU,CAAC,CAAA;AACrE,IAAA,IAAI,CAAC,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,IAAA;AAExB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,eAAA,CAAgB,KAAA,CAAM,CAAC,CAAC,CAAA;AAC7C,MAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AAGrB,MAAA,IAAI,OAAA,CAAQ,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAClC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,IAAI,OAAA,CAAQ,EAAA;AAAA,QACZ,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,QACrC,SAAA,EAAW,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,QACrC,UAAU,OAAA,CAAQ;AAAA,OACpB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,kBAAkB,OAAA,EAA0C;AAC1D,IAAA,MAAM,IAAA,GAA0B;AAAA,MAC9B,IAAI,OAAA,CAAQ,EAAA;AAAA,MACZ,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,SAAA,EAAW,OAAA,CAAQ,SAAA,CAAU,OAAA,EAAQ;AAAA,MACrC,SAAA,EAAW,OAAA,CAAQ,SAAA,CAAU,OAAA,EAAQ;AAAA,MACrC,UAAU,OAAA,CAAQ;AAAA,KACpB;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,IAAI,CAAA;AACvC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAA,CAAO,OAAA,CAAQ,SAAA,CAAU,SAAQ,GAAI,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAA;AAE3E,IAAA,IAAI,MAAA,GAAS,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,CAAA,EAAI,OAAO,CAAA,+BAAA,EAAkC,IAAA,CAAK,UAAU,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA;AAE9G,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,MAAA,IAAU,CAAA,SAAA,EAAY,KAAK,YAAY,CAAA,CAAA;AAAA,IACzC;AAEA
,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,MAAA,IAAU,UAAA;AAAA,IACZ;AAEA,IAAA,OAAO,EAAE,cAAc,MAAA,EAAO;AAAA,EAChC;AAAA,EAEA,sBAAA,GAAiD;AAC/C,IAAA,IAAI,SAAS,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,gCAAA,EAAmC,KAAK,UAAU,CAAA,WAAA,CAAA;AAEjF,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,MAAA,IAAU,CAAA,SAAA,EAAY,KAAK,YAAY,CAAA,CAAA;AAAA,IACzC;AAEA,IAAA,OAAO,EAAE,cAAc,MAAA,EAAO;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAc,IAAA,EAAiC;AACrD,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAChC,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAChC,IAAA,MAAM,UAAU,CAAA,EAAG,IAAA,CAAK,aAAa,IAAI,CAAC,IAAI,SAAS,CAAA,CAAA;AACvD,IAAA,OAAO,mBAAmB,OAAO,CAAA;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,MAAA,EAA0C;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,mBAAmB,MAAM,CAAA;AACzC,MAAA,MAAM,CAAC,IAAA,EAAM,SAAS,CAAA,GAAI,OAAA,CAAQ,MAAM,GAAG,CAAA;AAE3C,MAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,SAAA,EAAW,OAAO,IAAA;AAEhC,MAAA,MAAM,IAAA,GAAO,IAAA,CAAK,YAAA,CAAa,IAAI,CAAA;AACnC,MAAA,MAAM,iBAAA,GAAoB,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA;AAGxC,MAAA,IAAI,CAAC,IAAA,CAAK,aAAA,CAAc,SAAA,EAAW,iBAAiB,CAAA,EAAG;AACrD,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,IACxB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,KAAK,IAAA,EAAsB;AACjC,IAAA,OAAOC,mBAAA,CAAW,UAAU,IAAA,CAAK,MAAM,EAAE,MAAA,CAAO,IAAI,CAAA,CAAE,MAAA,CAAO,WAAW,CAAA;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,GAAA,EAAqB;AAExC,IAAA,MAAM,KAAA,GAAQ,IAAI,WAAA,EAAY,CAAE,OAAO,GAAG,CAAA;AAC1C,IAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,MAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,QAAQ,CAAA;AAAA,IAC7C;AAEA,IAAA,IAAI,MAAA,GAAS,EAAA;AACb,IAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,MAAA,MAAA,IAAU,MAAA,CAAO,aAAa,IAAI,CAAA;AAAA,IACpC;AACA,IAAA,OAAO,KAAK,MAAM,CAAA;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,GAAA,EAAqB;AACxC,IAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,MAAA,OAAO,OAAO,IAAA,CAAK,GAAA,EAAK,QAAQ,CAAA,CAAE,SAAS,OAAO,CAAA;AAAA,IACpD;AAEA,IAAA,MAAM,MAAA,GAAS,KAAK,GAAG,CAAA;AACvB,IAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,IAAA,KAAA,IAAS,CAAA,GAAI,
CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,MAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,IAChC;AACA,IAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAA,CAAc,GAAW,CAAA,EAAoB;AACnD,IAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAElC,IAAA,IAAI,MAAA,GAAS,CAAA;AACb,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,MAAA,MAAA,IAAU,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,IAC5C;AAEA,IAAA,OAAO,MAAA,KAAW,CAAA;AAAA,EACpB;AACF","file":"index.cjs","sourcesContent":["/**\n * In-memory session provider for development.\n *\n * WARNING: Sessions are lost on server restart. Not for production use.\n */\n\nimport type { Session, ISessionProvider } from '../../interfaces';\n\nfunction escapeRegExp(str: string): string {\n  return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\n/**\n * Options for MemorySessionProvider.\n */\nexport interface MemorySessionProviderOptions {\n  /** Session TTL in milliseconds (default: 7 days) */\n  ttl?: number;\n  /** Cookie name (default: 'mastra_session') */\n  cookieName?: string;\n  /** Cookie path (default: '/') */\n  cookiePath?: string;\n  /** Cleanup interval in milliseconds (default: 60000) */\n  cleanupInterval?: number;\n}\n\n/**\n * In-memory session provider.\n *\n * Stores sessions in a Map. Useful for development but not suitable\n * for production as sessions are lost on restart.\n *\n * @example\n * ```typescript\n * const sessionProvider = new MemorySessionProvider({\n *   ttl: 24 * 60 * 60 * 1000, // 24 hours\n * });\n * ```\n */\nexport class MemorySessionProvider implements ISessionProvider {\n  private sessions = new Map<string, Session>();\n  private ttl: number;\n  private cookieName: string;\n  private cookiePath: string;\n  private cleanupTimer: ReturnType<typeof setInterval> | null = null;\n\n  constructor(options: MemorySessionProviderOptions = {}) {\n    this.ttl = options.ttl ?? 
7 * 24 * 60 * 60 * 1000; // 7 days\n    this.cookieName = options.cookieName ?? 'mastra_session';\n    this.cookiePath = options.cookiePath ?? '/';\n\n    // Start cleanup timer\n    const cleanupInterval = options.cleanupInterval ?? 60000;\n    this.cleanupTimer = setInterval(() => this.cleanup(), cleanupInterval);\n\n    // Log warning\n    console.warn(\n      '[MemorySessionProvider] Using in-memory sessions. ' +\n        'Sessions will be lost on server restart. ' +\n        'Use a persistent session provider in production.',\n    );\n  }\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const session: Session = {\n      id: crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(Date.now() + this.ttl),\n      createdAt: new Date(),\n      metadata,\n    };\n\n    this.sessions.set(session.id, session);\n    return session;\n  }\n\n  async validateSession(sessionId: string): Promise<Session | null> {\n    const session = this.sessions.get(sessionId);\n\n    if (!session) {\n      return null;\n    }\n\n    // Check expiration\n    if (session.expiresAt < new Date()) {\n      this.sessions.delete(sessionId);\n      return null;\n    }\n\n    return session;\n  }\n\n  async destroySession(sessionId: string): Promise<void> {\n    this.sessions.delete(sessionId);\n  }\n\n  async refreshSession(sessionId: string): Promise<Session | null> {\n    const session = await this.validateSession(sessionId);\n\n    if (!session) {\n      return null;\n    }\n\n    // Extend expiration\n    session.expiresAt = new Date(Date.now() + this.ttl);\n    this.sessions.set(sessionId, session);\n\n    return session;\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const cookieHeader = request.headers.get('cookie');\n    if (!cookieHeader) return null;\n\n    const escapedName = escapeRegExp(this.cookieName);\n    const match = cookieHeader.match(new RegExp(`${escapedName}=([^;]+)`));\n    return 
match?.[1] ?? null;\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const maxAge = Math.floor((session.expiresAt.getTime() - Date.now()) / 1000);\n    return {\n      'Set-Cookie': `${this.cookieName}=${session.id}; HttpOnly; SameSite=Lax; Path=${this.cookiePath}; Max-Age=${maxAge}`,\n    };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    return {\n      'Set-Cookie': `${this.cookieName}=; HttpOnly; SameSite=Lax; Path=${this.cookiePath}; Max-Age=0`,\n    };\n  }\n\n  /**\n   * Clean up expired sessions.\n   */\n  private cleanup(): void {\n    const now = new Date();\n    for (const [id, session] of this.sessions) {\n      if (session.expiresAt < now) {\n        this.sessions.delete(id);\n      }\n    }\n  }\n\n  /**\n   * Stop the cleanup timer.\n   */\n  dispose(): void {\n    if (this.cleanupTimer) {\n      clearInterval(this.cleanupTimer);\n      this.cleanupTimer = null;\n    }\n  }\n\n  /**\n   * Get the number of active sessions (for debugging).\n   */\n  getSessionCount(): number {\n    return this.sessions.size;\n  }\n}\n","/**\n * Signed cookie session provider.\n *\n * Stores session data in signed cookies. 
No server-side storage required.\n */\n\nimport { createHmac } from 'node:crypto';\n\nimport type { Session, ISessionProvider } from '../../interfaces';\n\nfunction escapeRegExp(str: string): string {\n  return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\n/**\n * Options for CookieSessionProvider.\n */\nexport interface CookieSessionProviderOptions {\n  /** Secret for signing cookies (required) */\n  secret: string;\n  /** Session TTL in milliseconds (default: 7 days) */\n  ttl?: number;\n  /** Cookie name (default: 'mastra_session') */\n  cookieName?: string;\n  /** Cookie path (default: '/') */\n  cookiePath?: string;\n  /** Cookie domain */\n  cookieDomain?: string;\n  /** Use secure cookies (default: true in production) */\n  secure?: boolean;\n}\n\n/**\n * Session data stored in cookie.\n */\ninterface CookieSessionData {\n  id: string;\n  userId: string;\n  expiresAt: number; // Timestamp\n  createdAt: number; // Timestamp\n  metadata?: Record<string, unknown>;\n}\n\n/**\n * Signed cookie session provider.\n *\n * Stores session data in signed cookies. The session is validated\n * by verifying the signature on each request. The cookie is signed, not encrypted, so its contents (including metadata) are readable by the client.\n *\n * @example\n * ```typescript\n * const sessionProvider = new CookieSessionProvider({\n *   secret: process.env.SESSION_SECRET!,\n *   ttl: 7 * 24 * 60 * 60 * 1000, // 7 days\n * });\n * ```\n */\nexport class CookieSessionProvider implements ISessionProvider {\n  private secret: string;\n  private ttl: number;\n  private cookieName: string;\n  private cookiePath: string;\n  private cookieDomain?: string;\n  private secure: boolean;\n\n  constructor(options: CookieSessionProviderOptions) {\n    if (!options.secret || options.secret.length < 32) {\n      throw new Error('CookieSessionProvider requires a secret of at least 32 characters');\n    }\n\n    this.secret = options.secret;\n    this.ttl = options.ttl ?? 7 * 24 * 60 * 60 * 1000; // 7 days\n    this.cookieName = options.cookieName ?? 
'mastra_session';\n    this.cookiePath = options.cookiePath ?? '/';\n    this.cookieDomain = options.cookieDomain;\n    this.secure = options.secure ?? process.env['NODE_ENV'] === 'production';\n  }\n\n  async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n    const now = Date.now();\n    const session: Session = {\n      id: crypto.randomUUID(),\n      userId,\n      expiresAt: new Date(now + this.ttl),\n      createdAt: new Date(now),\n      metadata,\n    };\n\n    return session;\n  }\n\n  async validateSession(_sessionId: string): Promise<Session | null> {\n    // For cookie sessions, validation happens in getSessionFromCookie\n    // This method is here for interface compliance\n    return null;\n  }\n\n  async destroySession(_sessionId: string): Promise<void> {\n    // Cookie sessions are destroyed by clearing the cookie\n    // This is a no-op on the server side: nothing is revoked, so an already-issued cookie still verifies until its expiresAt\n  }\n\n  async refreshSession(_sessionId: string): Promise<Session | null> {\n    // For cookie sessions, we need the full session to refresh\n    // This would be called with the session from getSessionFromCookie\n    return null;\n  }\n\n  getSessionIdFromRequest(request: Request): string | null {\n    const session = this.getSessionFromCookie(request);\n    return session?.id ?? 
null;\n  }\n\n  /**\n   * Get full session from cookie.\n   */\n  getSessionFromCookie(request: Request): Session | null {\n    const cookieHeader = request.headers.get('cookie');\n    if (!cookieHeader) return null;\n\n    const escapedName = escapeRegExp(this.cookieName);\n    const match = cookieHeader.match(new RegExp(`${escapedName}=([^;]+)`));\n    if (!match?.[1]) return null;\n\n    try {\n      const decoded = this.decodeAndVerify(match[1]);\n      if (!decoded) return null;\n\n      // Check expiration\n      if (decoded.expiresAt < Date.now()) {\n        return null;\n      }\n\n      return {\n        id: decoded.id,\n        userId: decoded.userId,\n        expiresAt: new Date(decoded.expiresAt),\n        createdAt: new Date(decoded.createdAt),\n        metadata: decoded.metadata,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  getSessionHeaders(session: Session): Record<string, string> {\n    const data: CookieSessionData = {\n      id: session.id,\n      userId: session.userId,\n      expiresAt: session.expiresAt.getTime(),\n      createdAt: session.createdAt.getTime(),\n      metadata: session.metadata,\n    };\n\n    const encoded = this.signAndEncode(data);\n    const maxAge = Math.floor((session.expiresAt.getTime() - Date.now()) / 1000);\n\n    let cookie = `${this.cookieName}=${encoded}; HttpOnly; SameSite=Lax; Path=${this.cookiePath}; Max-Age=${maxAge}`;\n\n    if (this.cookieDomain) {\n      cookie += `; Domain=${this.cookieDomain}`;\n    }\n\n    if (this.secure) {\n      cookie += '; Secure';\n    }\n\n    return { 'Set-Cookie': cookie };\n  }\n\n  getClearSessionHeaders(): Record<string, string> {\n    let cookie = `${this.cookieName}=; HttpOnly; SameSite=Lax; Path=${this.cookiePath}; Max-Age=0`;\n\n    if (this.cookieDomain) {\n      cookie += `; Domain=${this.cookieDomain}`;\n    }\n\n    return { 'Set-Cookie': cookie };\n  }\n\n  /**\n   * Sign and encode session data.\n   */\n  private signAndEncode(data: 
CookieSessionData): string {\n    const json = JSON.stringify(data);\n    const signature = this.sign(json);\n    const payload = `${this.base64Encode(json)}.${signature}`;\n    return encodeURIComponent(payload);\n  }\n\n  /**\n   * Decode and verify session cookie.\n   */\n  private decodeAndVerify(cookie: string): CookieSessionData | null {\n    try {\n      const decoded = decodeURIComponent(cookie);\n      const [data, signature] = decoded.split('.');\n\n      if (!data || !signature) return null;\n\n      const json = this.base64Decode(data);\n      const expectedSignature = this.sign(json);\n\n      // Constant-time comparison\n      if (!this.secureCompare(signature, expectedSignature)) {\n        return null;\n      }\n\n      return JSON.parse(json);\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Create HMAC-SHA256 signature.\n   */\n  private sign(data: string): string {\n    return createHmac('sha256', this.secret).update(data).digest('base64url');\n  }\n\n  /**\n   * Base64 encode (consistent across Node.js and browser runtimes).\n   */\n  private base64Encode(str: string): string {\n    // Use TextEncoder for consistent UTF-8 handling across runtimes\n    const bytes = new TextEncoder().encode(str);\n    if (typeof Buffer !== 'undefined') {\n      return Buffer.from(bytes).toString('base64');\n    }\n    // Browser fallback: btoa only handles Latin1, so convert bytes to a binary string\n    let binary = '';\n    for (const byte of bytes) {\n      binary += String.fromCharCode(byte);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Base64 decode (consistent across Node.js and browser runtimes).\n   */\n  private base64Decode(str: string): string {\n    if (typeof Buffer !== 'undefined') {\n      return Buffer.from(str, 'base64').toString('utf-8');\n    }\n    // Browser fallback: atob returns a binary string, convert back to UTF-8\n    const binary = atob(str);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i 
< binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return new TextDecoder().decode(bytes);\n  }\n\n  /**\n   * Constant-time string comparison for equal-length inputs; a length mismatch returns false early.\n   */\n  private secureCompare(a: string, b: string): boolean {\n    if (a.length !== b.length) return false;\n\n    let result = 0;\n    for (let i = 0; i < a.length; i++) {\n      result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n    }\n\n    return result === 0;\n  }\n}\n"]}