{"version":3,"sources":["../src/auth/ee/license.ts","../src/auth/ee/fga-check.ts"],"names":["hashTelemetryValue","captureEEEvent","getEETelemetryFallbackDistinctId"],"mappings":";;;;;AAgCA,IAAI,aAAA,GAAoC,IAAA;AACxC,IAAI,cAAA,GAAiB,CAAA;AACrB,IAAI,wBAAA,GAA2B,KAAA;AAC/B,IAAM,YAAY,EAAA,GAAK,GAAA;AAWhB,SAAS,gBAAgB,UAAA,EAAkC;AAChE,EAAA,MAAM,GAAA,GAAM,UAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA;AAEzD,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,EACxB;AAUA,EAAA,IAAI,GAAA,CAAI,SAAS,EAAA,EAAI;AACnB,IAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,IAAA;AAAA,IACP,QAAA,EAAU,CAAC,MAAA,EAAQ,SAAA,EAAW,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,eAAe,CAAA;AAAA,IAC1E,IAAA,EAAM;AAAA,GACR;AACF;AAOO,SAAS,cAAA,GAA0B;AACxC,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,EAAA,IAAI,aAAA,IAAiB,GAAA,GAAM,cAAA,GAAiB,SAAA,EAAW;AACrD,IAAA,OAAO,aAAA,CAAc,KAAA;AAAA,EACvB;AAGA,EAAA,aAAA,GAAgB,eAAA,EAAgB;AAChC,EAAA,cAAA,GAAiB,GAAA;AAEjB,EAAA,IAAI,CAAC,aAAA,CAAc,KAAA,IAAS,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG;AAC5D,IAAA,OAAA,CAAQ,KAAK,2EAA2E,CAAA;AAAA,EAC1F;AAEA,EAAA,OAAO,aAAA,CAAc,KAAA;AACvB;AAKO,IAAM,gBAAA,GAAmB;AAQzB,SAAS,iBAAiB,OAAA,EAA0B;AACzD,EAAA,IAAI,CAAC,gBAAe,EAAG;AACrB,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,IAAI,CAAC,eAAe,QAAA,EAAU;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,aAAA,CAAc,QAAA,CAAS,QAAA,CAAS,OAAO,CAAA;AAChD;AAWO,SAAS,qBAAA,GAA4C;AAC1D,EAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA;AAC3C,EAAA,MAAM,IAAA,GAAO,aAAA,IAAiB,eAAA,CAAgB,GAAG,CAAA;AACjD,EAAA,MAAM,WAAA,GAAc,GAAA,GAAMA,oCAAA,CAAmB,GAAG,CAAA,GAAI,MAAA;AAEpD,EAAA,OAAO;AAAA,IACL,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,kBAAkB,gBAAA,EAAiB;AAAA,IACnC,aAAa,WAAA,GAAc,WAAA,CAAY,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,MAAA;AAAA,IACtD,WAAA,EAAa,cAAc,CAAA,EAAG,WAAA,CAAY,MAAM,CAAA,EAAG,EAAE,CAAC,CAAA,UAAA,CAAA,GAAe,MAAA;AAAA,IACrE,UAAU,IAAA,CAAK,QAAA;AAAA,IACf,MAAM,IAAA,CAAK;AAAA,GACb;AACF;AAEO,SAAS,uBAAA,GAAgC;AAC9C,EAAA,IAAI,wBAAA,IAA4B,CAAC,gBAAA,EAAiB,IAAK,gBAAe,EAAG;AACvE,IAAA;AAAA,EACF;AAEA,EAAA,wBAAA,GAA2B,IAAA;AAC3B,EAAA,OAAA,CAAQ,IAAA;AAAA,IACN;AAAA,GACF;AACF;AAKO,SAAS,iBAAA,GAA0B;AACxC,EAAA,aAAA,GAAgB,IAAA;AAChB,EAAA,cAAA,GAAiB,CAAA;AACjB,EAAA,wBAAA,GAA2B,KAAA;AAC7B;AAMO,SAAS,gBAAA,GAA4B;AAC1C,EAAA,OACE,QAAQ,GAAA,CAAI,YAAY,MAAM,MAAA,IAC9B,OAAA,CAAQ,IAAI,YAAY,CAAA,KAAM,GAAA,IAC7B,OAAA,CAAQ,IAAI,UAAU,CAAA,KAAM,gBAAgB,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,KAAM,MAAA;AAE7E;AAMO,SAAS,WAAA,GAAuB;AACrC,EAAA,IAAI,kBAAiB,EAAG;AACtB,IAAA,uBAAA,EAAwB;AACxB,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,cAAA,EAAe;AACxB;;;AC1JA,SAAS,eAAA,CAAgB;AAAA,EACvB,OAAA;AAAA,EACA,cAAA;AAAA,EACA;AACF,CAAA,EAAoG;AAClG,EAAA,MAAM,aAAA,GAAiC;AAAA,IACrC,GAAG;AAAA,GACL;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,aAAA,CAAc,cAAA,GAAiB,cAAA;AAAA,EACjC;AAEA,EAAA,IAAI,QAAA,IAAY,SAAS,QAAA,EAAU;AACjC,IAAA,aAAA,CAAc,QAAA,GAAW;AAAA,MACvB,GAAI,OAAA,EAAS,QAAA,IAAY,EAAC;AAAA,MAC1B,GAAI,YAAY;AAAC,KACnB;AAAA,EACF;AAEA,EAAA,OAAO,OAAO,IAAA,CAAK,aAAa,CAAA,CAAE,MAAA,GAAS,IAAI,aAAA,GAAgB,MAAA;AACjE;AAEA,SAAS,cAAc,KAAA,EAAsC;AAC3D,EAAA,IAAI,UAAU,IAAA,EAAM;AAClB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,MAAM,SAAA,GAAY,KAAA;AAClB,EAAA,OACE,SAAA,CAAU,cAAc,QAAA,KACvB,SAAA,CAAU,mBAAmB,MAAA,IAAa,OAAO,UAAU,cAAA,KAAmB,QAAA,CAAA;AAEnF;AAEO,SAAS,sBAAsB,OAAA,EAAyB;AAC7D,EAAA,OAAO,OAAA;AACT;AAEO,SAAS,yBAAyB,UAAA,EAA4B;AACnE,EAAA,OAAO,UAAA;AACT;AAEO,SAAS,+BAA+B,QAAA,EAA0B;AACvE,EAAA,OAAO,QAAA;AACT;AAEO,SAAS,yBAAA,CAA0B,SAAiB,QAAA,EAA0B;AACnF,EAAA,OAAO,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,QAAQ,CAAA,CAAA;AAC/B;AAEO,SAAS,uBAAA,CAAwB,YAAoB,QAAA,EAA0B;AACpF,EAAA,OAAO,IAAA,CAAK,SAAA,CAAU,CAAC,UAAA,EAAY,QAAQ,CAAC,CAAA;AAC9C;AAQA,eAAsB,SAAS,OAAA,EAAyC;AACtE,EAAA,MAAM,WAAW,OAAO,CAAA;AAC1B;AAQA,eAAsB,WAAW,OAAA,EAA2C;AAC1E,EAAA,MAAM,EAAE,aAAa,IAAA,EAAM,QAAA,EAAU,YAAY,OAAA,EAAS,cAAA,EAAgB,QAAA,EAAU,KAAA,EAAM,GAAI,OAAA;AAE9F,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,aAAa,eAAA,CAAgB,EAAE,OAAA,EAAS,cAAA,EAAgB,UAAU,CAAA;AACxE,EAAA,MAAM,UAAU,qBAAA,EAAsB;AAEtC,EAAA,IAAI,aAAA,CAAc,KAAK,CAAA,EAAG;AACxB,IAAA,MAAM,oBAAA,GAAuB,UAAA,EAAY,cAAA,EAAgB,GAAA,CAAI,gBAAgB,CAAA;AAC7E,IAAA,IAAI,OAAO,oBAAA,KAAyB,QAAA,IAAY,oBAAA,CAAqB,WAAW,CAAA,EAAG;AACjF,MAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,QAAA,EAAU,YAAY,sDAAsD,CAAA;AAAA,IAC7G;AAEA,IAAA,MAAM,cAAA,GAAA,CACH,KAAA,KAAU,IAAA,GAAO,MAAA,GAAY,MAAM,cAAA,MACnC,OAAO,UAAA,EAAY,QAAA,GAAW,gBAAgB,CAAA,KAAM,QAAA,GACjD,UAAA,CAAW,QAAA,CAAS,gBAAgB,CAAA,GACpC,MAAA,CAAA;AAEN,IAAA,IAAI;AACF,MAAAC,gCAAA,CAAe,iBAAA,EAAmB,OAAA,CAAQ,WAAA,IAAeC,kDAAA,EAAiC,EAAG;AAAA,QAC3F,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,QAAA;AAAA,QACZ,eAAe,QAAA,CAAS,IAAA;AAAA,QACxB,aAAa,QAAA,CAAS,EAAA;AAAA,QACtB,UAAA;AAAA,QACA,OAAA,EAAS,IAAA;AAAA,QACT,0BAAA,EAA4B,IAAA;AAAA,QAC5B,eAAA,EAAiB,cAAA;AAAA,QACjB,eAAe,OAAA,CAAQ,KAAA;AAAA,QACvB,cAAc,OAAA,CAAQ,WAAA;AAAA,QACtB,oBAAoB,OAAA,CAAQ;AAAA,OAC7B,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,QAAA,EAAU,YAAY,gCAAgC,CAAA;AAAA,EACvF;AAEA,EAAA,MAAM,WAAA,CAAY,OAAA;AAAA,IAChB,IAAA;AAAA,IACA,UAAA,GAAa,EAAE,QAAA,EAAU,UAAA,EAAY,SAAS,UAAA,EAAW,GAAI,EAAE,QAAA,EAAU,UAAA;AAAW,GACtF;AAEA,EAAA,IAAI;AACF,IAAAD,gCAAA,CAAe,mBAAmB,IAAA,EAAM,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAeC,oDAAiC,EAAG;AAAA,MACvG,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,MAAA;AAAA,MACZ,eAAe,QAAA,CAAS,IAAA;AAAA,MACxB,aAAa,QAAA,CAAS,EAAA;AAAA,MACtB,UAAA;AAAA,MACA,OAAA,EAAS,MAAM,EAAA,IAAM,IAAA;AAAA,MACrB,0BAAA,EAA4B,MAAM,wBAAA,IAA4B,IAAA;AAAA,MAC9D,eAAe,OAAA,CAAQ,KAAA;AAAA,MACvB,cAAc,OAAA,CAAQ,WAAA;AAAA,MACtB,oBAAoB,OAAA,CAAQ;AAAA,KAC7B,CAAA;AAAA,EACH,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAKO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AAAA,EACxB,IAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EAEhB,WAAA,CACE,IAAA,EACA,QAAA,EACA,UAAA,EACA,MAAA,EACA;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,EAAM,EAAA,IAAM,IAAA,EAAM,QAAA,IAAY,SAAA;AAC7C,IAAA,MAAM,eAAA,GAAkB,KAAA,CAAM,OAAA,CAAQ,UAAU,CAAA,GAAI,WAAW,UAAA,CAAW,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,GAAM,UAAA;AAC1F,IAAA,KAAA;AAAA,MACE,MAAA,GACI,CAAA,0BAAA,EAA6B,MAAM,CAAA,CAAA,GACnC,CAAA,+BAAA,EAAkC,MAAM,CAAA,QAAA,EAAW,eAAe,CAAA,IAAA,EAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,SAAS,EAAE,CAAA;AAAA,KAC3G;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,GAAA;AAAA,EAChB;AACF","file":"chunk-ETRMQ4H5.cjs","sourcesContent":["/**\n * License validation for EE features.\n */\n\n/**\n * License information.\n */\nimport { hashTelemetryValue } from '../../telemetry/posthog';\n\nexport interface LicenseInfo {\n  /** Whether the license is valid */\n  valid: boolean;\n  /** License expiration date */\n  expiresAt?: Date;\n  /** Features enabled by this license */\n  features?: string[];\n  /** Organization name */\n  organization?: string;\n  /** License tier */\n  tier?: 'standard' | 'enterprise';\n}\n\nexport interface SafeLicenseSummary {\n  valid: boolean;\n  isDevEnvironment: boolean;\n  licenseHash?: string;\n  anonymousId?: string;\n  features?: string[];\n  tier?: 'standard' | 'enterprise';\n}\n\n// Cached license validation result\nlet cachedLicense: LicenseInfo | null = null;\nlet cacheTimestamp = 0;\nlet hasWarnedAboutDevLicense = false;\nconst CACHE_TTL = 60 * 1000; // 1 minute\n\n/**\n * Validate a license key and return license information.\n *\n * Currently implements a simple check for the presence of the license key.\n * In production, this would validate against a license server.\n *\n * @param licenseKey - License key to validate\n * @returns License information\n */\nexport function validateLicense(licenseKey?: string): LicenseInfo {\n  const key = licenseKey ?? process.env['MASTRA_EE_LICENSE'];\n\n  if (!key) {\n    return { valid: false };\n  }\n\n  // TODO: Implement actual license validation\n  // For now, any non-empty key is considered valid\n  // In production, this would:\n  // 1. Verify signature of the license key\n  // 2. Check expiration date embedded in key\n  // 3. Optionally validate against license server\n\n  // Simple validation: key should be at least 32 characters\n  if (key.length < 32) {\n    return { valid: false };\n  }\n\n  return {\n    valid: true,\n    features: ['user', 'session', 'sso', 'rbac', 'acl', 'fga', 'agent-builder'],\n    tier: 'enterprise',\n  };\n}\n\n/**\n * Check if EE features are enabled (valid license or cache).\n *\n * @returns True if EE features should be enabled\n */\nexport function isLicenseValid(): boolean {\n  const now = Date.now();\n\n  // Return cached result if still valid\n  if (cachedLicense && now - cacheTimestamp < CACHE_TTL) {\n    return cachedLicense.valid;\n  }\n\n  // Validate and cache\n  cachedLicense = validateLicense();\n  cacheTimestamp = now;\n\n  if (!cachedLicense.valid && process.env['MASTRA_EE_LICENSE']) {\n    console.warn('[mastra/auth-ee] Invalid or expired EE license. EE features are disabled.');\n  }\n\n  return cachedLicense.valid;\n}\n\n/**\n * @deprecated Use `isLicenseValid()` instead. This alias is provided for backward compatibility.\n */\nexport const isEELicenseValid = isLicenseValid;\n\n/**\n * Check if a specific EE feature is enabled.\n *\n * @param feature - Feature name to check\n * @returns True if the feature is enabled\n */\nexport function isFeatureEnabled(feature: string): boolean {\n  if (!isLicenseValid()) {\n    return false;\n  }\n\n  // If license is valid but no features array, all features are enabled\n  if (!cachedLicense?.features) {\n    return true;\n  }\n\n  return cachedLicense.features.includes(feature);\n}\n\n/**\n * Get the current license information.\n *\n * @returns License info or null if not validated yet\n */\nexport function getLicenseInfo(): LicenseInfo | null {\n  return cachedLicense;\n}\n\nexport function getSafeLicenseSummary(): SafeLicenseSummary {\n  const key = process.env['MASTRA_EE_LICENSE'];\n  const info = cachedLicense ?? validateLicense(key);\n  const licenseHash = key ? hashTelemetryValue(key) : undefined;\n\n  return {\n    valid: info.valid,\n    isDevEnvironment: isDevEnvironment(),\n    licenseHash: licenseHash ? licenseHash.slice(0, 16) : undefined,\n    anonymousId: licenseHash ? `${licenseHash.slice(0, 16)}-anonymous` : undefined,\n    features: info.features,\n    tier: info.tier,\n  };\n}\n\nexport function warnIfDevEENeedsLicense(): void {\n  if (hasWarnedAboutDevLicense || !isDevEnvironment() || isLicenseValid()) {\n    return;\n  }\n\n  hasWarnedAboutDevLicense = true;\n  console.warn(\n    '[mastra/auth-ee] Mastra Enterprise features are enabled for local development, but no valid MASTRA_EE_LICENSE is configured. These features will be disabled in production without a valid license. Contact us to get a production license: https://mastra.ai/contact',\n  );\n}\n\n/**\n * Clear the license cache (useful for testing).\n */\nexport function clearLicenseCache(): void {\n  cachedLicense = null;\n  cacheTimestamp = 0;\n  hasWarnedAboutDevLicense = false;\n}\n\n/**\n * Check if running in a development/testing environment.\n * In dev, EE features work without a license per the ee/LICENSE terms.\n */\nexport function isDevEnvironment(): boolean {\n  return (\n    process.env['MASTRA_DEV'] === 'true' ||\n    process.env['MASTRA_DEV'] === '1' ||\n    (process.env['NODE_ENV'] !== 'production' && process.env['NODE_ENV'] !== 'prod')\n  );\n}\n\n/**\n * Check if EE features should be active.\n * Returns true if running in dev/test environment (always allowed) or if a valid license is present.\n */\nexport function isEEEnabled(): boolean {\n  if (isDevEnvironment()) {\n    warnIfDevEENeedsLicense();\n    return true;\n  }\n  return isLicenseValid();\n}\n","/**\n * FGA enforcement utility for checking fine-grained authorization.\n *\n * @license Mastra Enterprise License - see ee/LICENSE\n */\n\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from '../../telemetry/posthog';\nimport type { FGACheckContext, IFGAProvider } from './interfaces/fga';\nimport type { MastraFGAPermissionInput } from './interfaces/permissions.generated';\nimport { getSafeLicenseSummary } from './license';\n\nexport type ActorSignal =\n  | true\n  | {\n      actorKind: 'system';\n      sourceWorkflow?: string;\n    };\n\nexport interface CheckFGAOptions {\n  fgaProvider: IFGAProvider | undefined;\n  user: any;\n  resource: { type: string; id: string };\n  permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n  context?: FGACheckContext;\n  requestContext?: FGACheckContext['requestContext'];\n  actor?: ActorSignal;\n}\n\nexport interface RequireFGAOptions extends CheckFGAOptions {\n  metadata?: Record<string, unknown>;\n}\n\nfunction mergeFGAContext({\n  context,\n  requestContext,\n  metadata,\n}: Pick<RequireFGAOptions, 'context' | 'requestContext' | 'metadata'>): FGACheckContext | undefined {\n  const mergedContext: FGACheckContext = {\n    ...context,\n  };\n\n  if (requestContext) {\n    mergedContext.requestContext = requestContext;\n  }\n\n  if (metadata || context?.metadata) {\n    mergedContext.metadata = {\n      ...(context?.metadata ?? {}),\n      ...(metadata ?? {}),\n    };\n  }\n\n  return Object.keys(mergedContext).length > 0 ? mergedContext : undefined;\n}\n\nfunction isActorSignal(actor: unknown): actor is ActorSignal {\n  if (actor === true) {\n    return true;\n  }\n\n  if (typeof actor !== 'object' || actor === null) {\n    return false;\n  }\n\n  const candidate = actor as { actorKind?: unknown; sourceWorkflow?: unknown };\n  return (\n    candidate.actorKind === 'system' &&\n    (candidate.sourceWorkflow === undefined || typeof candidate.sourceWorkflow === 'string')\n  );\n}\n\nexport function getAgentFGAResourceId(agentId: string): string {\n  return agentId;\n}\n\nexport function getWorkflowFGAResourceId(workflowId: string): string {\n  return workflowId;\n}\n\nexport function getStandaloneToolFGAResourceId(toolName: string): string {\n  return toolName;\n}\n\nexport function getAgentToolFGAResourceId(agentId: string, toolName: string): string {\n  return `${agentId}:${toolName}`;\n}\n\nexport function getMCPToolFGAResourceId(serverName: string, toolName: string): string {\n  return JSON.stringify([serverName, toolName]);\n}\n\n/**\n * Check fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured (backward compatibility).\n * Delegates to fgaProvider.require() which throws FGADeniedError if denied.\n */\nexport async function checkFGA(options: CheckFGAOptions): Promise<void> {\n  await requireFGA(options);\n}\n\n/**\n * Require fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured. When FGA is configured, a missing\n * user fails closed.\n */\nexport async function requireFGA(options: RequireFGAOptions): Promise<void> {\n  const { fgaProvider, user, resource, permission, context, requestContext, metadata, actor } = options;\n\n  if (!fgaProvider) {\n    return;\n  }\n\n  const fgaContext = mergeFGAContext({ context, requestContext, metadata });\n  const license = getSafeLicenseSummary();\n\n  if (isActorSignal(actor)) {\n    const tenantOrganizationId = fgaContext?.requestContext?.get('organizationId');\n    if (typeof tenantOrganizationId !== 'string' || tenantOrganizationId.length === 0) {\n      throw new FGADeniedError(user, resource, permission, 'trusted actor requires organizationId / tenant scope');\n    }\n\n    const sourceWorkflow =\n      (actor === true ? undefined : actor.sourceWorkflow) ??\n      (typeof fgaContext?.metadata?.['sourceWorkflow'] === 'string'\n        ? fgaContext.metadata['sourceWorkflow']\n        : undefined);\n\n    try {\n      captureEEEvent('ee_feature_used', license.anonymousId || getEETelemetryFallbackDistinctId(), {\n        feature: 'fga',\n        actor_kind: 'system',\n        resource_type: resource.type,\n        resource_id: resource.id,\n        permission,\n        user_id: null,\n        organization_membership_id: null,\n        source_workflow: sourceWorkflow,\n        license_valid: license.valid,\n        license_hash: license.licenseHash,\n        is_dev_environment: license.isDevEnvironment,\n      });\n    } catch {\n      // Telemetry must never affect auth or EE feature behavior.\n    }\n    return;\n  }\n\n  if (!user) {\n    throw new FGADeniedError(user, resource, permission, 'authenticated user is required');\n  }\n\n  await fgaProvider.require(\n    user,\n    fgaContext ? { resource, permission, context: fgaContext } : { resource, permission },\n  );\n\n  try {\n    captureEEEvent('ee_feature_used', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n      feature: 'fga',\n      actor_kind: 'user',\n      resource_type: resource.type,\n      resource_id: resource.id,\n      permission,\n      user_id: user?.id ?? null,\n      organization_membership_id: user?.organizationMembershipId ?? null,\n      license_valid: license.valid,\n      license_hash: license.licenseHash,\n      is_dev_environment: license.isDevEnvironment,\n    });\n  } catch {\n    // Telemetry must never affect auth or EE feature behavior.\n  }\n}\n\n/**\n * Error thrown when an FGA authorization check is denied.\n */\nexport class FGADeniedError extends Error {\n  public readonly user: any;\n  public readonly resource: { type: string; id: string };\n  public readonly permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n  public readonly status: number;\n\n  constructor(\n    user: any,\n    resource: { type: string; id: string },\n    permission: MastraFGAPermissionInput | MastraFGAPermissionInput[],\n    reason?: string,\n  ) {\n    const userId = user?.id || user?.workosId || 'unknown';\n    const permissionLabel = Array.isArray(permission) ? `any of [${permission.join(', ')}]` : permission;\n    super(\n      reason\n        ? `FGA authorization denied: ${reason}`\n        : `FGA authorization denied: user ${userId} cannot ${permissionLabel} on ${resource.type}:${resource.id}`,\n    );\n    this.name = 'FGADeniedError';\n    this.user = user;\n    this.resource = resource;\n    this.permission = permission;\n    this.status = 403;\n  }\n}\n"]}