{"version":3,"sources":["../src/auth/ee/interfaces/permissions.generated.ts","../src/auth/ee/capabilities.ts","../src/auth/ee/defaults/roles.ts","../src/auth/ee/defaults/rbac/static.ts"],"names":["getSafeLicenseSummary","captureEEEvent","getEETelemetryFallbackDistinctId","isLicenseValid","isDevEnvironment","warnIfDevEENeedsLicense","isFeatureEnabled"],"mappings":";;;;;;AAaO,IAAM,SAAA,GAAY;AAAA,EACvB,KAAA;AAAA,EACA,eAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,qBAAA;AAAA,EACA,YAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,oBAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,eAAA;AAAA,EACA,mBAAA;AAAA,EACA,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAgBO,IAAM,OAAA,GAAU,CAAC,QAAA,EAAU,QAAA,EAAU,WAAW,SAAA,EAAW,MAAA,EAAQ,SAAS,OAAO;AAWnF,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,GAAA,EAAK,GAAA;AAAA;AAAA,EAEL,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,2BAAA,EAA6B,2BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,4BAAA;AAAA;AAAA,EAE9B,yBAAA,EAA2B,yBAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,6BAAA,EAA+B,6BAAA;AAAA;AAAA,EAE/B,8BAAA,EAAgC,8BAAA;AAAA;AAAA,EAEhC,2BAAA,EAA6B,2BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,4BAAA;AAAA;AAAA,EAE9B,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,yBAAA,EAA2B,yBAAA;AAAA;AAAA,EAE3B,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,qBAAA,EAAuB;AACzB;AAeO,IAAM,WAAA,GAAc;AAAA,EACzB,UAAA;AAAA,EACA,WAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,uBAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,qBAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,0BAAA;AAAA,EACA,oBAAA;AAAA,EACA,iBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,sBAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,2BAAA;AAAA,EACA,4BAAA;AAAA,EACA,yBAAA;AAAA,EACA,0BAAA;AAAA,EACA,6BAAA;AAAA,EACA,8BAAA;AAAA,EACA,2BAAA;AAAA,EACA,4BAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,qBAAA;AAAA,EACA,sBAAA;AAAA,EACA,sBAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,0BAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA,aAAA;AAAA,EACA,uBAAA;AAAA,EACA,qBAAA;AAAA,EACA,sBAAA;AAAA,EACA,eAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,cAAA;AAAA,EACA,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AAaO,IAAM,oBAAA,GAAuB;AAAA;AAAA,EAElC,QAAA,EAAU,UAAA;AAAA;AAAA,EAEV,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,QAAA,EAAU,UAAA;AAAA;AAAA,EAEV,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,iBAAA,EAAmB,mBAAA;AAAA;AAAA,EAEnB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,yBAAA,EAA2B,2BAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,4BAAA;AAAA;AAAA,EAE5B,uBAAA,EAAyB,yBAAA;AAAA;AAAA,EAEzB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,2BAAA,EAA6B,6BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,8BAAA;AAAA;AAAA,EAE9B,yBAAA,EAA2B,2BAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,4BAAA;AAAA;AAAA,EAE5B,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,sBAAA,EAAwB,wBAAA;AAAA;AAAA,EAExB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,sBAAA,EAAwB,wBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,yBAAA;AAAA;AAAA,EAEzB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,UAAA,EAAY,YAAA;AAAA;AAAA,EAEZ,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,mBAAA;AAAA;AAAA,EAEnB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,iBAAA,EAAmB,mBAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB;AACpB;AAoCO,SAAS,yBAAyB,OAAA,EAA+C;AACtF,EAAA,OAAO,OAAA,IAAW,mBAAA;AACpB;AAKO,SAAS,oBAAoB,WAAA,EAA2D;AAC7F,EAAA,OAAO,WAAA,CAAY,MAAM,wBAAwB,CAAA;AACnD;;;AChhBO,SAAS,gBACd,IAAA,EACmC;AACnC,EAAA,OAAO,MAAA,IAAU,IAAA,IAAQ,IAAA,CAAK,IAAA,KAAS,IAAA;AACzC;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,QAAQ,OAAO,IAAA,KAAS,YAAY,OAAQ,IAAA,CAAa,MAAM,CAAA,KAAM,UAAA;AACvF;AAKA,SAAS,kBAAkB,IAAA,EAAwB;AACjD,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAE9C,EAAA,OAAO,mBAAA,IAAuB,IAAA,IAAS,IAAA,CAAwC,iBAAA,KAAsB,IAAA;AACvG;AAMA,SAAS,aAAa,IAAA,EAAwB;AAC5C,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAC9C,EAAA,OAAO,cAAA,IAAkB,IAAA,IAAS,IAAA,CAAmC,YAAA,KAAiB,IAAA;AACxF;AAKA,SAAS,0BAA0B,WAAA,EAAgC;AACjE,EAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,KAAM,GAAA,IAAO,MAAM,KAAK,CAAA;AACvD;AAEA,SAAS,aAAa,OAAA,EAAsC;AAC1D,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,iBAAiB,CAAA;AAC1D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO,aAAa,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAK;AAAA,EAC1C;AAEA,EAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAAK,MAAA;AAC7C;AAEA,SAAS,mBAAA,CAAoB;AAAA,EAC3B,OAAA;AAAA,EACA,IAAA;AAAA,EACA,UAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF,CAAA,EAQS;AACP,EAAA,MAAM,UAAUA,uCAAA,EAAsB;AAEtC,EAAA,IAAI;AACF,IAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,IAAAC,gCAAA,CAAe,oBAAoB,IAAA,EAAM,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAeC,oDAAiC,EAAG;AAAA,MACxG,aAAA,EAAe,UAAA;AAAA,MACf,cAAc,OAAA,CAAQ,WAAA;AAAA,MACtB,kBAAA,EAAoB,KAAA;AAAA,MACpB,QAAA,EAAU,OAAA;AAAA,MACV,cAAA,EAAgB,QAAA;AAAA,MAChB,YAAA;AAAA,MACA,SAAS,IAAA,EAAM,EAAA;AAAA,MACf,GAAA,EAAK,EAAA;AAAA,MACL,kBAAkB,OAAA,CAAQ,QAAA;AAAA,MAC1B,cAAc,OAAA,CAAQ;AAAA,KACvB,CAAA;AAAA,EACH,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAgDA,eAAsB,iBAAA,CACpB,IAAA,EACA,OAAA,EACA,OAAA,EAC6D;AAE7D,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAK;AAAA,EACvC;AAIA,EAAA,MAAM,aAAaC,gCAAA,EAAe;AAClC,EAAA,MAAM,OAAA,GAAU,kBAAkB,IAAI,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,aAAa,IAAI,CAAA;AAClC,EAAA,MAAM,QAAQC,kCAAA,EAAiB;AAC/B,EAAA,IAAI,KAAA,IAAS,CAAC,UAAA,EAAY;AACxB,IAAAC,yCAAA,EAAwB;AAAA,EAC1B;AACA,EAAA,MAAM,iBAAA,GAAoB,UAAA,IAAc,OAAA,IAAW,QAAA,IAAY,KAAA;AAI/D,EAAA,MAAM,iBAAA,GAAoB,CAAC,OAAA,KACzB,OAAA,IAAW,YAAY,KAAA,IAAU,UAAA,IAAcC,mCAAiB,OAAO,CAAA;AAGzE,EAAA,IAAI,KAAA,GAAyC,IAAA;AAE7C,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AACzE,EAAA,MAAM,cAAA,GAAiB,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,IAAK,iBAAA;AAGpF,EAAA,MAAM,GAAA,GAAA,CAAO,OAAA,EAAS,SAAA,IAAa,MAAA,EAAQ,IAAA,EAAK;AAChD,EAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,EAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,EAAA,MAAM,WAAA,GAAc,GAAG,MAAM,CAAA,eAAA,CAAA;AAG7B,EAAA,IAAI,aAAA,GAAgB,IAAA;AACpB,EAAA,IAAI,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AAC7D,IAAA,MAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAA,IAAI,OAAO,mBAAA,CAAoB,eAAA,KAAoB,UAAA,EAAY;AAC7D,MAAA,aAAA,GAAgB,oBAAoB,eAAA,EAAgB;AAAA,IACtD;AAAA,EACF;AAEA,EAAA,IAAI,UAAU,cAAA,EAAgB;AAC5B,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,aAAA;AAAA,MACA,aAAa,SAAA,CAAU,WAAA;AAAA,MACvB,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,MAAA,EAAQ;AACjB,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,aAAa,SAAA,CAAU,WAAA;AAAA,MACvB,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,cAAA,EAAgB;AAEzB,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAGA,EAAA,IAAI,IAAA,GAAsB,IAAA;AAC1B,EAAA,IAAI,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA,EAAmB;AACnF,IAAA,IAAI;AACF,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;AAAA,IAC1C,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,GAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,mBAAA,CAAoB,EAAE,OAAA,EAAS,IAAA,EAAM,YAAY,KAAA,EAAO,OAAA,EAAS,UAAU,CAAA;AAC3E,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,KAAA,EAAM;AAAA,EAChC;AAGA,EAAA,MAAM,eAAe,OAAA,EAAS,IAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,CAAC,CAAC,YAAA,IAAgB,kBAAkB,MAAM,CAAA;AAG1D,EAAA,MAAM,SAAS,CAAC,CAAC,OAAA,EAAS,GAAA,IAAO,kBAAkB,KAAK,CAAA;AAGxD,EAAA,MAAM,YAAA,GAAgC;AAAA,IACpC,IAAA,EAAM,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA;AAAA,IACpE,OAAA,EAAS,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,iBAAA;AAAA,IACzE,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AAAA,IAC/D,IAAA,EAAM,OAAA;AAAA,IACN,KAAK,mBAAA,CAAkC,IAAA,EAAM,WAAW,CAAA,IAAK,kBAAkB,KAAK,CAAA;AAAA,IACpF,GAAA,EAAK;AAAA,GACP;AAGA,EAAA,IAAI,MAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAW,YAAA,EAAc;AAC3B,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,YAAA,CAAa,QAAA,CAAS,IAAI,CAAA;AAC9C,MAAA,MAAM,WAAA,GAAc,MAAM,YAAA,CAAa,cAAA,CAAe,IAAI,CAAA;AAC1D,MAAA,MAAA,GAAS,EAAE,OAAO,WAAA,EAAY;AAC9B,MAAA,MAAM,UAAUN,uCAAA,EAAsB;AACtC,MAAA,IAAI;AACF,QAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,QAAAC,gCAAA,CAAe,mBAAmB,IAAA,CAAK,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAeC,oDAAiC,EAAG;AAAA,UACtG,OAAA,EAAS,MAAA;AAAA,UACT,SAAS,IAAA,CAAK,EAAA;AAAA,UACd,0BAAA,EAA4B,IAAA,CAAK,QAAA,GAAW,0BAA0B,CAAA;AAAA,UACtE,YAAY,KAAA,CAAM,MAAA;AAAA,UAClB,kBAAkB,WAAA,CAAY,MAAA;AAAA,UAC9B,GAAA,EAAK,EAAA;AAAA,UACL,eAAe,OAAA,CAAQ,KAAA;AAAA,UACvB,cAAc,OAAA,CAAQ,WAAA;AAAA,UACtB,oBAAoB,OAAA,CAAQ;AAAA,SAC7B,CAAA;AAAA,MACH,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF,CAAA,CAAA,MAAQ;AAEN,MAAA,MAAA,GAAS,IAAA;AAAA,IACX;AAAA,EACF;AAKA,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI,MAAA,IAAU,cAAc,iBAAA,EAAmB;AAC7C,IAAA,IAAI,yBAAA,CAA0B,MAAA,CAAO,WAAW,CAAA,EAAG;AACjD,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,YAAA,CAAa,iBAAA,EAAkB;AACtD,QAAA,MAAM,qBAAA,GAAwB,YAAA,CAAa,qBAAA,EAAuB,IAAA,CAAK,YAAY,CAAA;AACnF,QAAA,IAAI,qBAAA,EAAuB;AAEzB,UAAA,MAAM,eAAA,GAAkB,MAAM,OAAA,CAAQ,UAAA;AAAA,YACpC,QAAA,CAAS,GAAA,CAAI,OAAM,IAAA,MAAS;AAAA,cAC1B,IAAA;AAAA,cACA,KAAA,EAAO,MAAM,qBAAA,CAAsB,IAAA,CAAK,EAAE;AAAA,aAC5C,CAAE;AAAA,WACJ;AACA,UAAA,cAAA,GAAiB,eAAA,CAAgB,QAAQ,CAAA,MAAA,KAAU;AACjD,YAAA,IAAI,MAAA,CAAO,WAAW,WAAA,EAAa;AACjC,cAAA,OAAA,CAAQ,IAAA,CAAK,gDAAA,EAAkD,MAAA,CAAO,MAAM,CAAA;AAC5E,cAAA,OAAO,EAAC;AAAA,YACV;AACA,YAAA,OAAO,yBAAA,CAA0B,MAAA,CAAO,KAAA,CAAM,KAAK,CAAA,GAAI,EAAC,GAAI,CAAC,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA;AAAA,UAChF,CAAC,CAAA;AAAA,QACH,CAAA,MAAO;AACL,UAAA,cAAA,GAAiB,QAAA;AAAA,QACnB;AAAA,MACF,SAAS,KAAA,EAAO;AAGd,QAAA,OAAA,CAAQ,IAAA,CAAK,4DAA4D,KAAK,CAAA;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,mBAAA,CAAoB,EAAE,SAAS,IAAA,EAAM,UAAA,EAAY,OAAO,OAAA,EAAS,QAAA,EAAU,cAAc,CAAA;AAEzF,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,IAAA;AAAA,IACT,KAAA;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,IACA,YAAA;AAAA,IACA,MAAA;AAAA,IACA;AAAA,GACF;AACF;;;ACxZO,IAAM,aAAA,GAAkC;AAAA,EAC7C;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,0CAAA;AAAA,IACb,WAAA,EAAa,CAAC,GAAG;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,4CAAA;AAAA,IACb,WAAA,EAAa;AAAA,MACX,QAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA;AAAA;AAEF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,8BAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAA,EAAU,WAAW;AAAA,GACrC;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,kBAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAQ;AAAA;AAE1B;AAWO,SAAS,eAAe,MAAA,EAA4C;AACzE,EAAA,OAAO,aAAA,CAAc,IAAA,CAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,OAAO,MAAM,CAAA;AACtD;AAWO,SAAS,kBAAA,CAAmB,OAAA,EAAmB,KAAA,GAA0B,aAAA,EAAyB;AACvG,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAEhC,EAAA,SAAS,YAAY,MAAA,EAAgB;AACnC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AACzB,IAAA,OAAA,CAAQ,IAAI,MAAM,CAAA;AAElB,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAC5C,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,KAAA,MAAW,UAAA,IAAc,KAAK,WAAA,EAAa;AACzC,MAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA,IAC5B;AAGA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,KAAA,MAAW,eAAA,IAAmB,KAAK,QAAA,EAAU;AAC3C,QAAA,WAAA,CAAY,eAAe,CAAA;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAEA,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,IAAA,WAAA,CAAY,MAAM,CAAA;AAAA,EACpB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;AAOA,IAAM,mBAAA,GAAyD;AAAA,EAC7D,MAAA,EAAQ;AAAA,IACN,eAAA;AAAA,IACA,oBAAA;AAAA,IACA,sBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA;AAEJ,CAAA;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAIlD,EAAA,MAAM,gBAAA,GAAmB,mBAAA,CAAoB,YAAA,CAAa,CAAC,KAAK,EAAE,CAAA;AAClE,EAAA,IAAI,oBAAoB,gBAAA,CAAiB,QAAA,CAAS,cAAc,CAAC,CAAA,IAAK,EAAE,CAAA,EAAG;AACzE,IAAA,MAAM,OAAA,GAAU,CAAC,aAAA,CAAc,CAAC,CAAA,EAAG,GAAG,YAAA,CAAa,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AACrE,IAAA,OAAO,iBAAA,CAAkB,SAAS,kBAAkB,CAAA;AAAA,EACtD;AAGA,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAAA,EAC5B;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AAAA,IACvB;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AASO,SAAS,aAAA,CAAc,iBAA2B,kBAAA,EAAqC;AAC5F,EAAA,OAAO,gBAAgB,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,kBAAkB,CAAC,CAAA;AAC3E;AA4BO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAC;AAE7C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;;;AC5MO,IAAM,qBAAN,MAA0E;AAAA,EACvE,KAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA,uBAAsB,GAAA,EAAsB;AAAA;AAAA,EAGpD,IAAI,WAAA,GAAuC;AACzC,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA,EAEA,YAAY,OAAA,EAA2C;AACrD,IAAA,IAAI,OAAA,IAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,EAAO;AACvC,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AAAA,IACvB;AACA,IAAA,IAAI,aAAA,IAAiB,OAAA,IAAW,OAAA,CAAQ,WAAA,EAAa;AACnD,MAAA,IAAA,CAAK,eAAe,OAAA,CAAQ,WAAA;AAAA,IAC9B;AACA,IAAA,IAAA,CAAK,iBAAiB,OAAA,CAAQ,YAAA;AAAA,EAChC;AAAA,EAEA,MAAM,SAAS,IAAA,EAAgC;AAC7C,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAC9C,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAa,IAAA,EAAgC;AACzD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAgC;AACnD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAGxC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,IAAA,EAAK,CAAE,KAAK,GAAG,CAAA;AACxC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,QAAQ,OAAO,MAAA;AAGnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,YAAA,EAAc;AAErB,MAAA,WAAA,GAAc,6BAAA,CAA8B,OAAA,EAAS,IAAA,CAAK,YAAY,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AAErB,MAAA,WAAA,GAAc,kBAAA,CAAmB,OAAA,EAAS,IAAA,CAAK,KAAK,CAAA;AAAA,IACtD,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,EAAC;AAAA,IACjB;AAGA,IAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAE9C,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAa,UAAA,EAAsC;AACrE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAa,WAAA,EAAyC;AAC5E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAa,WAAA,EAAyC;AAC3E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAA,GAAuC;AACrC,IAAA,OAAO,IAAA,CAAK,SAAS,EAAC;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,MAAA,EAA4C;AAC5D,IAAA,OAAO,KAAK,KAAA,EAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBAAA,GAA6D;AACjE,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,EAAA,EAAI,CAAA,CAAE,EAAA,EAAI,IAAA,EAAM,CAAA,CAAE,IAAA,EAAK,CAAE,CAAA;AAAA,IACzD;AACA,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,YAAY,CAAA,CACjC,OAAO,CAAA,CAAA,KAAK,CAAA,KAAM,UAAU,CAAA,CAC5B,IAAI,CAAA,CAAA,MAAM,EAAE,IAAI,CAAA,EAAG,IAAA,EAAM,GAAE,CAAE,CAAA;AAAA,IAClC;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,MAAA,EAAmC;AAC7D,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,6BAAA,CAA8B,CAAC,MAAM,CAAA,EAAG,KAAK,YAAY,CAAA;AAAA,IAClE;AACA,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,kBAAA,CAAmB,CAAC,MAAM,CAAA,EAAG,KAAK,KAAK,CAAA;AAAA,IAChD;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AACF","file":"chunk-GBRVBJXF.cjs","sourcesContent":["/**\n * AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY\n *\n * This file is generated by packages/server/scripts/generate-permissions.ts\n * Run `pnpm generate:permissions` from packages/server to regenerate.\n *\n * Source of truth: SERVER_ROUTES in @mastra/server\n */\n\n/**\n * All known API resources.\n * Derived from SERVER_ROUTES paths in @mastra/server.\n */\nexport const RESOURCES = [\n 'a2a',\n 'agent-builder',\n 'agents',\n 'auth',\n 'background-tasks',\n 'channels',\n 'datasets',\n 'embedders',\n 'experiments',\n 'infrastructure',\n 'logs',\n 'mcp',\n 'memory',\n 'observability',\n 'processor-providers',\n 'processors',\n 'schedules',\n 'scores',\n 'stored-agents',\n 'stored-mcp-clients',\n 'stored-prompt-blocks',\n 'stored-scorers',\n 'stored-skills',\n 'stored-workspaces',\n 'system',\n 'tool-providers',\n 'tools',\n 'vector',\n 'vectors',\n 'workflows',\n 'workspaces',\n] as const;\n\n/**\n * Resource type union.\n */\nexport type Resource = (typeof RESOURCES)[number];\n\n/**\n * All permission actions.\n * Derived from HTTP methods and route overrides:\n * - GET → read\n * - POST → write or execute (context-dependent)\n * - PUT/PATCH → write\n * - DELETE → delete\n * - Additional actions from explicit requiresPermission overrides\n */\nexport const ACTIONS = ['create', 'delete', 'execute', 'publish', 'read', 'share', 'write'] as const;\n\n/**\n * Action type union.\n */\nexport type Action = (typeof ACTIONS)[number];\n\n/**\n * All valid permission patterns.\n * Use `keyof typeof PERMISSION_PATTERNS` or the `PermissionPattern` type.\n */\nexport const PERMISSION_PATTERNS = {\n /** Full access to all resources and actions */\n '*': '*',\n /** Create all resources */\n '*:create': '*:create',\n /** Delete all resources */\n '*:delete': '*:delete',\n /** Execute all resources */\n '*:execute': '*:execute',\n /** Publish, activate, or restore all resources */\n '*:publish': '*:publish',\n /** View all resources */\n '*:read': '*:read',\n /** Change visibility/audience all resources */\n '*:share': '*:share',\n /** Create and modify all resources */\n '*:write': '*:write',\n /** Full access to agent-to-agent communication */\n 'a2a:*': 'a2a:*',\n /** Full access to agent builder */\n 'agent-builder:*': 'agent-builder:*',\n /** Full access to agents */\n 'agents:*': 'agents:*',\n /** Full access to auth */\n 'auth:*': 'auth:*',\n /** Full access to background tasks */\n 'background-tasks:*': 'background-tasks:*',\n /** Full access to channels */\n 'channels:*': 'channels:*',\n /** Full access to datasets */\n 'datasets:*': 'datasets:*',\n /** Full access to embedders */\n 'embedders:*': 'embedders:*',\n /** Full access to experiments */\n 'experiments:*': 'experiments:*',\n /** Full access to infrastructure */\n 'infrastructure:*': 'infrastructure:*',\n /** Full access to logs */\n 'logs:*': 'logs:*',\n /** Full access to MCP servers */\n 'mcp:*': 'mcp:*',\n /** Full access to memory and threads */\n 'memory:*': 'memory:*',\n /** Full access to traces and spans */\n 'observability:*': 'observability:*',\n /** Full access to processor-providers */\n 'processor-providers:*': 'processor-providers:*',\n /** Full access to processors */\n 'processors:*': 'processors:*',\n /** Full access to schedules */\n 'schedules:*': 'schedules:*',\n /** Full access to evaluation scores */\n 'scores:*': 'scores:*',\n /** Full access to stored agents */\n 'stored-agents:*': 'stored-agents:*',\n /** Full access to stored MCP clients */\n 'stored-mcp-clients:*': 'stored-mcp-clients:*',\n /** Full access to stored prompt blocks */\n 'stored-prompt-blocks:*': 'stored-prompt-blocks:*',\n /** Full access to stored scorers */\n 'stored-scorers:*': 'stored-scorers:*',\n /** Full access to stored skills */\n 'stored-skills:*': 'stored-skills:*',\n /** Full access to stored workspaces */\n 'stored-workspaces:*': 'stored-workspaces:*',\n /** Full access to system info */\n 'system:*': 'system:*',\n /** Full access to tool-providers */\n 'tool-providers:*': 'tool-providers:*',\n /** Full access to tools */\n 'tools:*': 'tools:*',\n /** Full access to vector stores */\n 'vector:*': 'vector:*',\n /** Full access to vectors */\n 'vectors:*': 'vectors:*',\n /** Full access to workflows */\n 'workflows:*': 'workflows:*',\n /** Full access to workspaces */\n 'workspaces:*': 'workspaces:*',\n /** View agent-to-agent communication */\n 'a2a:read': 'a2a:read',\n /** Create and modify agent-to-agent communication */\n 'a2a:write': 'a2a:write',\n /** Execute agent builder */\n 'agent-builder:execute': 'agent-builder:execute',\n /** View agent builder */\n 'agent-builder:read': 'agent-builder:read',\n /** Create and modify agent builder */\n 'agent-builder:write': 'agent-builder:write',\n /** Create agents */\n 'agents:create': 'agents:create',\n /** Delete agents */\n 'agents:delete': 'agents:delete',\n /** Execute agents */\n 'agents:execute': 'agents:execute',\n /** View agents */\n 'agents:read': 'agents:read',\n /** Create and modify agents */\n 'agents:write': 'agents:write',\n /** View auth */\n 'auth:read': 'auth:read',\n /** View background tasks */\n 'background-tasks:read': 'background-tasks:read',\n /** View channels */\n 'channels:read': 'channels:read',\n /** Create and modify channels */\n 'channels:write': 'channels:write',\n /** Delete datasets */\n 'datasets:delete': 'datasets:delete',\n /** Execute datasets */\n 'datasets:execute': 'datasets:execute',\n /** View datasets */\n 'datasets:read': 'datasets:read',\n /** Create and modify datasets */\n 'datasets:write': 'datasets:write',\n /** View embedders */\n 'embedders:read': 'embedders:read',\n /** View experiments */\n 'experiments:read': 'experiments:read',\n /** View infrastructure */\n 'infrastructure:read': 'infrastructure:read',\n /** View logs */\n 'logs:read': 'logs:read',\n /** Execute MCP servers */\n 'mcp:execute': 'mcp:execute',\n /** View MCP servers */\n 'mcp:read': 'mcp:read',\n /** Create and modify MCP servers */\n 'mcp:write': 'mcp:write',\n /** Delete memory and threads */\n 'memory:delete': 'memory:delete',\n /** Execute memory and threads */\n 'memory:execute': 'memory:execute',\n /** View memory and threads */\n 'memory:read': 'memory:read',\n /** Create and modify memory and threads */\n 'memory:write': 'memory:write',\n /** View traces and spans */\n 'observability:read': 'observability:read',\n /** Create and modify traces and spans */\n 'observability:write': 'observability:write',\n /** View processor-providers */\n 'processor-providers:read': 'processor-providers:read',\n /** Execute processors */\n 'processors:execute': 'processors:execute',\n /** View processors */\n 'processors:read': 'processors:read',\n /** Execute schedules */\n 'schedules:execute': 'schedules:execute',\n /** View schedules */\n 'schedules:read': 'schedules:read',\n /** Create and modify schedules */\n 'schedules:write': 'schedules:write',\n /** View evaluation scores */\n 'scores:read': 'scores:read',\n /** Create and modify evaluation scores */\n 'scores:write': 'scores:write',\n /** Delete stored agents */\n 'stored-agents:delete': 'stored-agents:delete',\n /** Publish, activate, or restore stored agents */\n 'stored-agents:publish': 'stored-agents:publish',\n /** View stored agents */\n 'stored-agents:read': 'stored-agents:read',\n /** Create and modify stored agents */\n 'stored-agents:write': 'stored-agents:write',\n /** Delete stored MCP clients */\n 'stored-mcp-clients:delete': 'stored-mcp-clients:delete',\n /** Publish, activate, or restore stored MCP clients */\n 'stored-mcp-clients:publish': 'stored-mcp-clients:publish',\n /** View stored MCP clients */\n 'stored-mcp-clients:read': 'stored-mcp-clients:read',\n /** Create and modify stored MCP clients */\n 'stored-mcp-clients:write': 'stored-mcp-clients:write',\n /** Delete stored prompt blocks */\n 'stored-prompt-blocks:delete': 'stored-prompt-blocks:delete',\n /** Publish, activate, or restore stored prompt blocks */\n 'stored-prompt-blocks:publish': 'stored-prompt-blocks:publish',\n /** View stored prompt blocks */\n 'stored-prompt-blocks:read': 'stored-prompt-blocks:read',\n /** Create and modify stored prompt blocks */\n 'stored-prompt-blocks:write': 'stored-prompt-blocks:write',\n /** Delete stored scorers */\n 'stored-scorers:delete': 'stored-scorers:delete',\n /** Publish, activate, or restore stored scorers */\n 'stored-scorers:publish': 'stored-scorers:publish',\n /** View stored scorers */\n 'stored-scorers:read': 'stored-scorers:read',\n /** Create and modify stored scorers */\n 'stored-scorers:write': 'stored-scorers:write',\n /** Delete stored skills */\n 'stored-skills:delete': 'stored-skills:delete',\n /** Publish, activate, or restore stored skills */\n 'stored-skills:publish': 'stored-skills:publish',\n /** View stored skills */\n 'stored-skills:read': 'stored-skills:read',\n /** Create and modify stored skills */\n 'stored-skills:write': 'stored-skills:write',\n /** Delete stored workspaces */\n 'stored-workspaces:delete': 'stored-workspaces:delete',\n /** View stored workspaces */\n 'stored-workspaces:read': 'stored-workspaces:read',\n /** Create and modify stored workspaces */\n 'stored-workspaces:write': 'stored-workspaces:write',\n /** View system info */\n 'system:read': 'system:read',\n /** Delete tool-providers */\n 'tool-providers:delete': 'tool-providers:delete',\n /** View tool-providers */\n 'tool-providers:read': 'tool-providers:read',\n /** Create and modify tool-providers */\n 'tool-providers:write': 'tool-providers:write',\n /** Execute tools */\n 'tools:execute': 'tools:execute',\n /** View tools */\n 'tools:read': 'tools:read',\n /** Delete vector stores */\n 'vector:delete': 'vector:delete',\n /** Execute vector stores */\n 'vector:execute': 'vector:execute',\n /** View vector stores */\n 'vector:read': 'vector:read',\n /** Create and modify vector stores */\n 'vector:write': 'vector:write',\n /** View vectors */\n 'vectors:read': 'vectors:read',\n /** Delete workflows */\n 'workflows:delete': 'workflows:delete',\n /** Execute workflows */\n 'workflows:execute': 'workflows:execute',\n /** View workflows */\n 'workflows:read': 'workflows:read',\n /** Create and modify workflows */\n 'workflows:write': 'workflows:write',\n /** Delete workspaces */\n 'workspaces:delete': 'workspaces:delete',\n /** View workspaces */\n 'workspaces:read': 'workspaces:read',\n /** Create and modify workspaces */\n 'workspaces:write': 'workspaces:write',\n /** Full access to all stored resource families */\n 'stored:*': 'stored:*',\n /** View all stored resource families */\n 'stored:read': 'stored:read',\n /** Create and modify all stored resource families */\n 'stored:write': 'stored:write',\n /** Delete all stored resource families */\n 'stored:delete': 'stored:delete',\n /** Change visibility/audience stored agents */\n 'stored-agents:share': 'stored-agents:share',\n /** Change visibility/audience stored skills */\n 'stored-skills:share': 'stored-skills:share',\n} as const;\n\n/**\n * Permission pattern that can be used in role definitions.\n * Supports:\n * - Specific permissions: 'agents:read', 'workflows:execute'\n * - Resource wildcards: 'agents:*', 'workflows:*' (all actions on a resource)\n * - Action wildcards: '*:read', '*:write' (an action across all resources)\n * - Global wildcard: '*' (full access)\n */\nexport type PermissionPattern = keyof typeof PERMISSION_PATTERNS;\n\n/**\n * All valid resource:action permission combinations (excludes wildcards).\n */\nexport const PERMISSIONS = [\n 'a2a:read',\n 'a2a:write',\n 'agent-builder:execute',\n 'agent-builder:read',\n 'agent-builder:write',\n 'agents:create',\n 'agents:delete',\n 'agents:execute',\n 'agents:read',\n 'agents:write',\n 'auth:read',\n 'background-tasks:read',\n 'channels:read',\n 'channels:write',\n 'datasets:delete',\n 'datasets:execute',\n 'datasets:read',\n 'datasets:write',\n 'embedders:read',\n 'experiments:read',\n 'infrastructure:read',\n 'logs:read',\n 'mcp:execute',\n 'mcp:read',\n 'mcp:write',\n 'memory:delete',\n 'memory:execute',\n 'memory:read',\n 'memory:write',\n 'observability:read',\n 'observability:write',\n 'processor-providers:read',\n 'processors:execute',\n 'processors:read',\n 'schedules:execute',\n 'schedules:read',\n 'schedules:write',\n 'scores:read',\n 'scores:write',\n 'stored-agents:delete',\n 'stored-agents:publish',\n 'stored-agents:read',\n 'stored-agents:write',\n 'stored-mcp-clients:delete',\n 'stored-mcp-clients:publish',\n 'stored-mcp-clients:read',\n 'stored-mcp-clients:write',\n 'stored-prompt-blocks:delete',\n 'stored-prompt-blocks:publish',\n 'stored-prompt-blocks:read',\n 'stored-prompt-blocks:write',\n 'stored-scorers:delete',\n 'stored-scorers:publish',\n 'stored-scorers:read',\n 'stored-scorers:write',\n 'stored-skills:delete',\n 'stored-skills:publish',\n 'stored-skills:read',\n 'stored-skills:write',\n 'stored-workspaces:delete',\n 'stored-workspaces:read',\n 'stored-workspaces:write',\n 'system:read',\n 'tool-providers:delete',\n 'tool-providers:read',\n 'tool-providers:write',\n 'tools:execute',\n 'tools:read',\n 'vector:delete',\n 'vector:execute',\n 'vector:read',\n 'vector:write',\n 'vectors:read',\n 'workflows:delete',\n 'workflows:execute',\n 'workflows:read',\n 'workflows:write',\n 'workspaces:delete',\n 'workspaces:read',\n 'workspaces:write',\n] as const;\n\n/**\n * Specific permission type (e.g., 'agents:read', 'workflows:execute').\n */\nexport type Permission = (typeof PERMISSIONS)[number];\n\n/**\n * Type-safe constants for Mastra-owned FGA permissions.\n *\n * These values are generated from server routes and can be used wherever\n * Mastra checks or maps FGA permissions.\n */\nexport const MastraFGAPermissions = {\n /** View agent-to-agent communication */\n A2A_READ: 'a2a:read',\n /** Create and modify agent-to-agent communication */\n A2A_WRITE: 'a2a:write',\n /** Execute agent builder */\n AGENT_BUILDER_EXECUTE: 'agent-builder:execute',\n /** View agent builder */\n AGENT_BUILDER_READ: 'agent-builder:read',\n /** Create and modify agent builder */\n AGENT_BUILDER_WRITE: 'agent-builder:write',\n /** Create agents */\n AGENTS_CREATE: 'agents:create',\n /** Delete agents */\n AGENTS_DELETE: 'agents:delete',\n /** Execute agents */\n AGENTS_EXECUTE: 'agents:execute',\n /** View agents */\n AGENTS_READ: 'agents:read',\n /** Create and modify agents */\n AGENTS_WRITE: 'agents:write',\n /** View auth */\n AUTH_READ: 'auth:read',\n /** View background tasks */\n BACKGROUND_TASKS_READ: 'background-tasks:read',\n /** View channels */\n CHANNELS_READ: 'channels:read',\n /** Create and modify channels */\n CHANNELS_WRITE: 'channels:write',\n /** Delete datasets */\n DATASETS_DELETE: 'datasets:delete',\n /** Execute datasets */\n DATASETS_EXECUTE: 'datasets:execute',\n /** View datasets */\n DATASETS_READ: 'datasets:read',\n /** Create and modify datasets */\n DATASETS_WRITE: 'datasets:write',\n /** View embedders */\n EMBEDDERS_READ: 'embedders:read',\n /** View experiments */\n EXPERIMENTS_READ: 'experiments:read',\n /** View infrastructure */\n INFRASTRUCTURE_READ: 'infrastructure:read',\n /** View logs */\n LOGS_READ: 'logs:read',\n /** Execute MCP servers */\n MCP_EXECUTE: 'mcp:execute',\n /** View MCP servers */\n MCP_READ: 'mcp:read',\n /** Create and modify MCP servers */\n MCP_WRITE: 'mcp:write',\n /** Delete memory and threads */\n MEMORY_DELETE: 'memory:delete',\n /** Execute memory and threads */\n MEMORY_EXECUTE: 'memory:execute',\n /** View memory and threads */\n MEMORY_READ: 'memory:read',\n /** Create and modify memory and threads */\n MEMORY_WRITE: 'memory:write',\n /** View traces and spans */\n OBSERVABILITY_READ: 'observability:read',\n /** Create and modify traces and spans */\n OBSERVABILITY_WRITE: 'observability:write',\n /** View processor-providers */\n PROCESSOR_PROVIDERS_READ: 'processor-providers:read',\n /** Execute processors */\n PROCESSORS_EXECUTE: 'processors:execute',\n /** View processors */\n PROCESSORS_READ: 'processors:read',\n /** Execute schedules */\n SCHEDULES_EXECUTE: 'schedules:execute',\n /** View schedules */\n SCHEDULES_READ: 'schedules:read',\n /** Create and modify schedules */\n SCHEDULES_WRITE: 'schedules:write',\n /** View evaluation scores */\n SCORES_READ: 'scores:read',\n /** Create and modify evaluation scores */\n SCORES_WRITE: 'scores:write',\n /** Delete stored agents */\n STORED_AGENTS_DELETE: 'stored-agents:delete',\n /** Publish, activate, or restore stored agents */\n STORED_AGENTS_PUBLISH: 'stored-agents:publish',\n /** View stored agents */\n STORED_AGENTS_READ: 'stored-agents:read',\n /** Create and modify stored agents */\n STORED_AGENTS_WRITE: 'stored-agents:write',\n /** Delete stored MCP clients */\n STORED_MCP_CLIENTS_DELETE: 'stored-mcp-clients:delete',\n /** Publish, activate, or restore stored MCP clients */\n STORED_MCP_CLIENTS_PUBLISH: 'stored-mcp-clients:publish',\n /** View stored MCP clients */\n STORED_MCP_CLIENTS_READ: 'stored-mcp-clients:read',\n /** Create and modify stored MCP clients */\n STORED_MCP_CLIENTS_WRITE: 'stored-mcp-clients:write',\n /** Delete stored prompt blocks */\n STORED_PROMPT_BLOCKS_DELETE: 'stored-prompt-blocks:delete',\n /** Publish, activate, or restore stored prompt blocks */\n STORED_PROMPT_BLOCKS_PUBLISH: 'stored-prompt-blocks:publish',\n /** View stored prompt blocks */\n STORED_PROMPT_BLOCKS_READ: 'stored-prompt-blocks:read',\n /** Create and modify stored prompt blocks */\n STORED_PROMPT_BLOCKS_WRITE: 'stored-prompt-blocks:write',\n /** Delete stored scorers */\n STORED_SCORERS_DELETE: 'stored-scorers:delete',\n /** Publish, activate, or restore stored scorers */\n STORED_SCORERS_PUBLISH: 'stored-scorers:publish',\n /** View stored scorers */\n STORED_SCORERS_READ: 'stored-scorers:read',\n /** Create and modify stored scorers */\n STORED_SCORERS_WRITE: 'stored-scorers:write',\n /** Delete stored skills */\n STORED_SKILLS_DELETE: 'stored-skills:delete',\n /** Publish, activate, or restore stored skills */\n STORED_SKILLS_PUBLISH: 'stored-skills:publish',\n /** View stored skills */\n STORED_SKILLS_READ: 'stored-skills:read',\n /** Create and modify stored skills */\n STORED_SKILLS_WRITE: 'stored-skills:write',\n /** Delete stored workspaces */\n STORED_WORKSPACES_DELETE: 'stored-workspaces:delete',\n /** View stored workspaces */\n STORED_WORKSPACES_READ: 'stored-workspaces:read',\n /** Create and modify stored workspaces */\n STORED_WORKSPACES_WRITE: 'stored-workspaces:write',\n /** View system info */\n SYSTEM_READ: 'system:read',\n /** Delete tool-providers */\n TOOL_PROVIDERS_DELETE: 'tool-providers:delete',\n /** View tool-providers */\n TOOL_PROVIDERS_READ: 'tool-providers:read',\n /** Create and modify tool-providers */\n TOOL_PROVIDERS_WRITE: 'tool-providers:write',\n /** Execute tools */\n TOOLS_EXECUTE: 'tools:execute',\n /** View tools */\n TOOLS_READ: 'tools:read',\n /** Delete vector stores */\n VECTOR_DELETE: 'vector:delete',\n /** Execute vector stores */\n VECTOR_EXECUTE: 'vector:execute',\n /** View vector stores */\n VECTOR_READ: 'vector:read',\n /** Create and modify vector stores */\n VECTOR_WRITE: 'vector:write',\n /** View vectors */\n VECTORS_READ: 'vectors:read',\n /** Delete workflows */\n WORKFLOWS_DELETE: 'workflows:delete',\n /** Execute workflows */\n WORKFLOWS_EXECUTE: 'workflows:execute',\n /** View workflows */\n WORKFLOWS_READ: 'workflows:read',\n /** Create and modify workflows */\n WORKFLOWS_WRITE: 'workflows:write',\n /** Delete workspaces */\n WORKSPACES_DELETE: 'workspaces:delete',\n /** View workspaces */\n WORKSPACES_READ: 'workspaces:read',\n /** Create and modify workspaces */\n WORKSPACES_WRITE: 'workspaces:write',\n} as const satisfies Record;\n\n/**\n * Mastra-owned FGA permission values.\n */\nexport type MastraFGAPermission = (typeof MastraFGAPermissions)[keyof typeof MastraFGAPermissions];\n\n/**\n * FGA permission input accepted by public config and provider APIs.\n * Keeps autocomplete for Mastra-owned permissions while allowing custom provider strings.\n */\nexport type MastraFGAPermissionInput = MastraFGAPermission | (string & {});\n\n/**\n * Type-safe role mapping configuration.\n *\n * Maps role names (from your identity provider) to Mastra permission patterns.\n *\n * @example\n * ```typescript\n * const roleMapping: TypedRoleMapping = {\n * \"Engineering\": [\"agents:*\", \"workflows:*\"],\n * \"Product\": [\"agents:read\", \"workflows:read\"],\n * \"Admin\": [\"*\"],\n * \"_default\": [],\n * };\n * ```\n */\nexport type TypedRoleMapping = {\n [role: string]: PermissionPattern[];\n};\n\n/**\n * Validates that a string is a valid permission pattern.\n * Useful for runtime validation of permission strings.\n */\nexport function isValidPermissionPattern(pattern: string): pattern is PermissionPattern {\n return pattern in PERMISSION_PATTERNS;\n}\n\n/**\n * Validates that all permissions in an array are valid patterns.\n */\nexport function validatePermissions(permissions: string[]): permissions is PermissionPattern[] {\n return permissions.every(isValidPermissionPattern);\n}\n","/**\n * Capabilities detection and response building for EE authentication.\n */\n\nimport type { MastraAuthProvider } from '../../server';\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from '../../telemetry/posthog';\nimport type { IUserProvider, ISSOProvider, ISessionProvider, ICredentialsProvider } from '../interfaces';\nimport type { IACLProvider } from './interfaces/acl';\nimport type { IFGAProvider } from './interfaces/fga';\nimport type { IRBACProvider } from './interfaces/rbac';\nimport type { EEUser } from './interfaces/user';\nimport {\n isLicenseValid,\n isDevEnvironment,\n isFeatureEnabled,\n getSafeLicenseSummary,\n warnIfDevEENeedsLicense,\n} from './license';\n\n/**\n * Public capabilities response (no authentication required).\n * Contains just enough info to render the login page.\n */\nexport interface PublicAuthCapabilities {\n /** Whether auth is enabled */\n enabled: boolean;\n /** Login configuration (null if no auth or no SSO) */\n login: {\n /** Type of login available */\n type: 'sso' | 'credentials' | 'both';\n /** Whether sign-up is enabled (defaults to true) */\n signUpEnabled?: boolean;\n /** Optional description explaining the auth requirement and what credentials to use */\n description?: string;\n /** SSO configuration */\n sso?: {\n /** Provider name */\n provider: string;\n /** Button text */\n text: string;\n /** Icon URL */\n icon?: string;\n /** Description of the auth requirement */\n description?: string;\n /** Login URL */\n url: string;\n };\n } | null;\n}\n\n/**\n * User info for authenticated response.\n */\nexport interface AuthenticatedUser {\n /** User ID */\n id: string;\n /** User email */\n email?: string;\n /** Display name */\n name?: string;\n /** Avatar URL */\n avatarUrl?: string;\n}\n\n/**\n * Capability flags indicating which EE features are available.\n */\nexport interface CapabilityFlags {\n /** IUserProvider is implemented and licensed */\n user: boolean;\n /** ISessionProvider is implemented and licensed */\n session: boolean;\n /** ISSOProvider is implemented and licensed */\n sso: boolean;\n /** IRBACProvider is implemented and licensed */\n rbac: boolean;\n /** IACLProvider is implemented and licensed */\n acl: boolean;\n /** IFGAProvider is implemented and licensed */\n fga: boolean;\n}\n\n/**\n * User's access (roles and permissions).\n */\nexport interface UserAccess {\n /** User's roles */\n roles: string[];\n /** User's resolved permissions */\n permissions: string[];\n}\n\n/**\n * Authenticated capabilities response.\n * Extends public capabilities with user context and feature flags.\n */\nexport interface AuthenticatedCapabilities extends PublicAuthCapabilities {\n /** Current authenticated user */\n user: AuthenticatedUser;\n /** Available EE capabilities */\n capabilities: CapabilityFlags;\n /** User's access (if RBAC available) */\n access: UserAccess | null;\n /** Available roles in the system (only present for admin users) */\n availableRoles?: { id: string; name: string }[];\n}\n\n/**\n * Type guard to check if response is authenticated.\n */\nexport function isAuthenticated(\n caps: PublicAuthCapabilities | AuthenticatedCapabilities,\n): caps is AuthenticatedCapabilities {\n return 'user' in caps && caps.user !== null;\n}\n\n/**\n * Check if an auth provider implements a specific interface.\n */\nfunction implementsInterface(auth: unknown, method: keyof T): auth is T {\n return auth !== null && typeof auth === 'object' && typeof (auth as any)[method] === 'function';\n}\n\n/**\n * Check if auth provider is MastraCloudAuth (exempt from license requirement).\n */\nfunction isMastraCloudAuth(auth: unknown): boolean {\n if (!auth || typeof auth !== 'object') return false;\n // Check for the MastraCloudAuth marker\n return 'isMastraCloudAuth' in auth && (auth as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true;\n}\n\n/**\n * Check if auth provider is SimpleAuth (exempt from license requirement).\n * SimpleAuth is for development/testing and should work without a license.\n */\nfunction isSimpleAuth(auth: unknown): boolean {\n if (!auth || typeof auth !== 'object') return false;\n return 'isSimpleAuth' in auth && (auth as { isSimpleAuth: boolean }).isSimpleAuth === true;\n}\n\n/**\n * Check if a set of permissions includes admin bypass (`*` or `*:*`).\n */\nfunction hasAdminBypassPermissions(permissions: string[]): boolean {\n return permissions.some(p => p === '*' || p === '*:*');\n}\n\nfunction getRequestIp(request: Request): string | undefined {\n const forwardedFor = request.headers.get('x-forwarded-for');\n if (forwardedFor) {\n return forwardedFor.split(',')[0]?.trim();\n }\n\n return request.headers.get('x-real-ip') ?? undefined;\n}\n\nfunction captureLicenseCheck({\n request,\n user,\n hasLicense,\n isDev,\n isCloud,\n isSimple,\n capabilities,\n}: {\n request: Request;\n user?: EEUser | null;\n hasLicense: boolean;\n isDev: boolean;\n isCloud: boolean;\n isSimple: boolean;\n capabilities?: CapabilityFlags;\n}): void {\n const license = getSafeLicenseSummary();\n\n try {\n const ip = getRequestIp(request);\n captureEEEvent('ee_license_check', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n license_valid: hasLicense,\n license_hash: license.licenseHash,\n is_dev_environment: isDev,\n is_cloud: isCloud,\n is_simple_auth: isSimple,\n capabilities,\n user_id: user?.id,\n $ip: ip,\n license_features: license.features,\n license_tier: license.tier,\n });\n } catch {\n // Telemetry must never affect auth or EE feature behavior.\n }\n}\n\n/**\n * Options for building capabilities.\n */\nexport interface BuildCapabilitiesOptions {\n /**\n * RBAC provider for role-based access control (EE feature).\n * Separate from the auth provider to allow mixing different providers.\n *\n * @example\n * ```typescript\n * const rbac = new StaticRBACProvider({\n * roles: DEFAULT_ROLES,\n * getUserRoles: (user) => [user.role],\n * });\n *\n * buildCapabilities(auth, request, { rbac });\n * ```\n */\n rbac?: IRBACProvider;\n\n /**\n * FGA provider for fine-grained authorization (EE feature).\n * Separate from the auth provider to allow mixing different providers.\n */\n fga?: IFGAProvider;\n\n /**\n * API route prefix used to construct SSO login URLs.\n * Defaults to `/api` when not provided.\n *\n * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`\n */\n apiPrefix?: string;\n}\n\n/**\n * Build capabilities response based on auth configuration and request state.\n *\n * This function determines what capabilities are available and, if the user\n * is authenticated, includes their user info and access permissions.\n *\n * @param auth - Auth provider (or null if no auth configured)\n * @param request - Incoming HTTP request\n * @param options - Optional configuration (roleMapping, etc.)\n * @returns Capabilities response (public or authenticated)\n */\nexport async function buildCapabilities(\n auth: MastraAuthProvider | null,\n request: Request,\n options?: BuildCapabilitiesOptions,\n): Promise {\n // No auth configured - disabled\n if (!auth) {\n return { enabled: false, login: null };\n }\n\n // Determine if EE features are available\n // SimpleAuth, MastraCloudAuth, and dev environments are exempt from license requirement\n const hasLicense = isLicenseValid();\n const isCloud = isMastraCloudAuth(auth);\n const isSimple = isSimpleAuth(auth);\n const isDev = isDevEnvironment();\n if (isDev && !hasLicense) {\n warnIfDevEENeedsLicense();\n }\n const isLicensedOrCloud = hasLicense || isCloud || isSimple || isDev;\n\n // Per-feature license gating: rbac/acl/fga additionally require the license\n // entitlement (e.g. enterprise tier). Cloud, SimpleAuth and dev are exempt.\n const isFeatureLicensed = (feature: string) =>\n isCloud || isSimple || isDev || (hasLicense && isFeatureEnabled(feature));\n\n // Build login configuration (always public)\n let login: PublicAuthCapabilities['login'] = null;\n\n const hasSSO = implementsInterface(auth, 'getLoginUrl') && isLicensedOrCloud;\n const hasCredentials = implementsInterface(auth, 'signIn') && isLicensedOrCloud;\n\n // Build SSO login URL using the configured prefix (default: /api)\n const raw = (options?.apiPrefix || '/api').trim();\n const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n const prefix = withSlash.endsWith('/') ? withSlash.slice(0, -1) : withSlash;\n const ssoLoginUrl = `${prefix}/auth/sso/login`;\n\n // Check if sign-up is enabled (defaults to true)\n let signUpEnabled = true;\n if (implementsInterface(auth, 'signIn')) {\n const credentialsProvider = auth as ICredentialsProvider;\n if (typeof credentialsProvider.isSignUpEnabled === 'function') {\n signUpEnabled = credentialsProvider.isSignUpEnabled();\n }\n }\n\n if (hasSSO && hasCredentials) {\n const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n login = {\n type: 'both',\n signUpEnabled,\n description: ssoConfig.description,\n sso: {\n ...ssoConfig,\n url: ssoLoginUrl,\n },\n };\n } else if (hasSSO) {\n const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n login = {\n type: 'sso',\n description: ssoConfig.description,\n sso: {\n ...ssoConfig,\n url: ssoLoginUrl,\n },\n };\n } else if (hasCredentials) {\n // Credentials-only auth (e.g., Better Auth with email/password)\n login = {\n type: 'credentials',\n signUpEnabled,\n };\n }\n\n // Try to get current user (requires session)\n let user: EEUser | null = null;\n if (implementsInterface(auth, 'getCurrentUser') && isLicensedOrCloud) {\n try {\n user = await auth.getCurrentUser(request);\n } catch {\n // Session invalid or expired\n user = null;\n }\n }\n\n // If no user, return public response only\n if (!user) {\n captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple });\n return { enabled: true, login };\n }\n\n // Get RBAC provider from options (if configured)\n const rbacProvider = options?.rbac;\n const hasRBAC = !!rbacProvider && isFeatureLicensed('rbac');\n\n // Get FGA provider from options (if configured)\n const hasFGA = !!options?.fga && isFeatureLicensed('fga');\n\n // Build capability flags\n const capabilities: CapabilityFlags = {\n user: implementsInterface(auth, 'getCurrentUser') && isLicensedOrCloud,\n session: implementsInterface(auth, 'createSession') && isLicensedOrCloud,\n sso: implementsInterface(auth, 'getLoginUrl') && isLicensedOrCloud,\n rbac: hasRBAC,\n acl: implementsInterface(auth, 'canAccess') && isFeatureLicensed('acl'),\n fga: hasFGA,\n };\n\n // Get roles/permissions from RBAC provider (if available)\n let access: UserAccess | null = null;\n if (hasRBAC && rbacProvider) {\n try {\n const roles = await rbacProvider.getRoles(user);\n const permissions = await rbacProvider.getPermissions(user);\n access = { roles, permissions };\n const license = getSafeLicenseSummary();\n try {\n const ip = getRequestIp(request);\n captureEEEvent('ee_feature_used', user.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n feature: 'rbac',\n user_id: user.id,\n organization_membership_id: user.metadata?.['organizationMembershipId'],\n role_count: roles.length,\n permission_count: permissions.length,\n $ip: ip,\n license_valid: license.valid,\n license_hash: license.licenseHash,\n is_dev_environment: license.isDevEnvironment,\n });\n } catch {\n // Telemetry must never affect auth or EE feature behavior.\n }\n } catch {\n // RBAC failed, continue without access info\n access = null;\n }\n }\n\n // Expose available roles for admin users (for \"View as role\" feature).\n // Exclude roles with admin-bypass permissions since previewing as admin\n // is the same as the current experience.\n let availableRoles: { id: string; name: string }[] | undefined;\n if (access && rbacProvider?.getAvailableRoles) {\n if (hasAdminBypassPermissions(access.permissions)) {\n try {\n const allRoles = await rbacProvider.getAvailableRoles();\n const getPermissionsForRole = rbacProvider.getPermissionsForRole?.bind(rbacProvider);\n if (getPermissionsForRole) {\n // Use allSettled so one failing role lookup doesn't drop the whole picker.\n const rolePermissions = await Promise.allSettled(\n allRoles.map(async role => ({\n role,\n perms: await getPermissionsForRole(role.id),\n })),\n );\n availableRoles = rolePermissions.flatMap(result => {\n if (result.status !== 'fulfilled') {\n console.warn('[auth/ee] failed to list permissions for role:', result.reason);\n return [];\n }\n return hasAdminBypassPermissions(result.value.perms) ? [] : [result.value.role];\n });\n } else {\n availableRoles = allRoles;\n }\n } catch (error) {\n // Degrade gracefully: omit availableRoles so the \"View as role\" feature\n // simply doesn't show options. Log so operators can diagnose RBAC issues.\n console.warn('[auth/ee] failed to list available roles for admin user:', error);\n }\n }\n }\n\n captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple, capabilities });\n\n return {\n enabled: true,\n login,\n user: {\n id: user.id,\n email: user.email,\n name: user.name,\n avatarUrl: user.avatarUrl,\n },\n capabilities,\n access,\n availableRoles,\n };\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n {\n id: 'owner',\n name: 'Owner',\n description: 'Full access to all features and settings',\n permissions: ['*'],\n },\n {\n id: 'admin',\n name: 'Admin',\n description: 'Manage agents, workflows, and team members',\n permissions: [\n '*:read',\n '*:write',\n '*:execute',\n '*:publish',\n '*:share',\n // Note: admins cannot delete resources\n ],\n },\n {\n id: 'member',\n name: 'Member',\n description: 'Execute agents and workflows',\n permissions: ['*:read', '*:execute'],\n },\n {\n id: 'viewer',\n name: 'Viewer',\n description: 'Read-only access',\n permissions: ['*:read'],\n },\n];\n\n// Re-export Permission types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n const permissions = new Set();\n const visited = new Set();\n\n function resolveRole(roleId: string) {\n if (visited.has(roleId)) return;\n visited.add(roleId);\n\n const role = roles.find(r => r.id === roleId);\n if (!role) return;\n\n for (const permission of role.permissions) {\n permissions.add(permission);\n }\n\n // Resolve inherited roles\n if (role.inherits) {\n for (const inheritedRoleId of role.inherits) {\n resolveRole(inheritedRoleId);\n }\n }\n }\n\n for (const roleId of roleIds) {\n resolveRole(roleId);\n }\n\n return Array.from(permissions);\n}\n\n/**\n * Compound resource keys that expand to a set of per-family resources.\n * A granted `stored:` is treated as matching any `stored-:`\n * (and `stored:*` matches any `stored-:*`).\n */\nconst RESOURCE_EXPANSIONS: Record = {\n stored: [\n 'stored-agents',\n 'stored-mcp-clients',\n 'stored-prompt-blocks',\n 'stored-scorers',\n 'stored-skills',\n 'stored-workspaces',\n ],\n};\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: `{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n // Wildcard matches everything\n if (userPermission === '*') {\n return true;\n }\n\n const grantedParts = userPermission.split(':');\n const requiredParts = requiredPermission.split(':');\n\n // Compound resource alias: expand granted `stored:` into its per-family equivalents.\n // Only applies when the required permission targets one of the expanded families.\n const expandedFamilies = RESOURCE_EXPANSIONS[grantedParts[0] ?? ''];\n if (expandedFamilies && expandedFamilies.includes(requiredParts[0] ?? '')) {\n const aliased = [requiredParts[0], ...grantedParts.slice(1)].join(':');\n return matchesPermission(aliased, requiredPermission);\n }\n\n // Must have at least resource:action\n if (grantedParts.length < 2 || requiredParts.length < 2) {\n return userPermission === requiredPermission;\n }\n\n const [grantedResource, grantedAction, grantedId] = grantedParts;\n const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n if (grantedResource === '*') {\n // \"*:*\" is a full wildcard - matches everything\n if (grantedAction === '*') {\n if (grantedId === undefined) {\n return true;\n }\n return grantedId === requiredId;\n }\n // Action must match for resource wildcards with specific action\n if (grantedAction !== requiredAction) {\n return false;\n }\n // If no granted ID, matches all instances\n if (grantedId === undefined) {\n return true;\n }\n // *:read:my-id would match agents:read:my-id (unusual but consistent)\n return grantedId === requiredId;\n }\n\n // Resource must match (for non-wildcard resources)\n if (grantedResource !== requiredResource) {\n return false;\n }\n\n // Action wildcard: \"agents:*\" matches any action\n if (grantedAction === '*') {\n // If no granted ID, matches all resources\n // If granted ID specified (agents:*:my-agent), must match required ID\n if (grantedId === undefined) {\n return true;\n }\n // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n return grantedId === requiredId;\n }\n\n // Action must match\n if (grantedAction !== requiredAction) {\n return false;\n }\n\n // No resource ID in granted permission = access to all resources of this type\n // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n if (grantedId === undefined) {\n return true;\n }\n\n // Both have resource IDs - must match exactly\n return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n * \"Engineering\": [\"agents:*\", \"workflows:*\"],\n * \"Product\": [\"agents:read\"],\n * \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n * [\"Engineering\", \"QA\"],\n * roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n const permissions = new Set();\n const defaultPerms = mapping['_default'] ?? [];\n\n for (const role of roles) {\n const rolePerms = mapping[role];\n if (rolePerms) {\n for (const perm of rolePerms) {\n permissions.add(perm);\n }\n } else {\n // Apply default permissions for unmapped roles\n for (const perm of defaultPerms) {\n permissions.add(perm);\n }\n }\n }\n\n return Array.from(permissions);\n}\n","/**\n * Static RBAC provider with config-based roles.\n */\n\nimport type { RoleDefinition, RoleMapping, IRBACProvider } from '../../interfaces';\nimport { resolvePermissions, matchesPermission, resolvePermissionsFromMapping } from '../roles';\n\n/**\n * Options for StaticRBACProvider.\n *\n * Use ONE of the following approaches:\n * - `roles`: Define role structures with permissions (Mastra's native role system)\n * - `roleMapping`: Map provider roles directly to permissions (simpler for external providers)\n */\nexport type StaticRBACProviderOptions =\n | {\n /** Role definitions (Mastra's native role system) */\n roles: RoleDefinition[];\n /** Function to get user's role IDs */\n getUserRoles: (user: TUser) => string[] | Promise;\n roleMapping?: never;\n }\n | {\n /**\n * Role mapping for translating provider roles to permissions.\n * Use this when your identity provider has roles that need to be\n * mapped to Mastra permissions.\n */\n roleMapping: RoleMapping;\n /** Function to get user's role IDs from the provider */\n getUserRoles: (user: TUser) => string[] | Promise;\n roles?: never;\n };\n\n/**\n * Static RBAC provider.\n *\n * Supports two modes:\n * 1. **Role definitions**: Use Mastra's native role system with structured roles\n * 2. **Role mapping**: Directly map provider roles to permissions\n *\n * @example Using role definitions (Mastra's native system)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n * roles: DEFAULT_ROLES,\n * getUserRoles: (user) => [user.role],\n * });\n * ```\n *\n * @example Using role mapping (for external providers)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n * roleMapping: {\n * \"Engineering\": [\"agents:*\", \"workflows:*\"],\n * \"Product\": [\"agents:read\", \"workflows:read\"],\n * \"_default\": [],\n * },\n * getUserRoles: (user) => user.providerRoles,\n * });\n * ```\n *\n * @example Async role lookup\n * ```typescript\n * const rbac = new StaticRBACProvider({\n * roles: DEFAULT_ROLES,\n * getUserRoles: async (user) => {\n * return db.getUserRoles(user.id);\n * },\n * });\n * ```\n */\nexport class StaticRBACProvider implements IRBACProvider {\n private roles?: RoleDefinition[];\n private _roleMapping?: RoleMapping;\n private getUserRolesFn: (user: TUser) => string[] | Promise;\n private permissionCache = new Map();\n\n /** Expose roleMapping for middleware access */\n get roleMapping(): RoleMapping | undefined {\n return this._roleMapping;\n }\n\n constructor(options: StaticRBACProviderOptions) {\n if ('roles' in options && options.roles) {\n this.roles = options.roles;\n }\n if ('roleMapping' in options && options.roleMapping) {\n this._roleMapping = options.roleMapping;\n }\n this.getUserRolesFn = options.getUserRoles;\n }\n\n async getRoles(user: TUser): Promise {\n const roleIds = await this.getUserRolesFn(user);\n return roleIds;\n }\n\n async hasRole(user: TUser, role: string): Promise {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n async getPermissions(user: TUser): Promise {\n const roleIds = await this.getRoles(user);\n\n // Check cache\n const cacheKey = roleIds.sort().join(',');\n const cached = this.permissionCache.get(cacheKey);\n if (cached) return cached;\n\n // Resolve permissions based on mode\n let permissions: string[];\n if (this._roleMapping) {\n // Role mapping mode: translate provider roles to permissions\n permissions = resolvePermissionsFromMapping(roleIds, this._roleMapping);\n } else if (this.roles) {\n // Role definitions mode: use Mastra's native role system\n permissions = resolvePermissions(roleIds, this.roles);\n } else {\n // No roles or mapping configured\n permissions = [];\n }\n\n // Cache result\n this.permissionCache.set(cacheKey, permissions);\n\n return permissions;\n }\n\n async hasPermission(user: TUser, permission: string): Promise {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n async hasAllPermissions(user: TUser, permissions: string[]): Promise {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n async hasAnyPermission(user: TUser, permissions: string[]): Promise {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Clear the permission cache.\n */\n clearCache(): void {\n this.permissionCache.clear();\n }\n\n /**\n * Get all role definitions.\n * Only available when using role definitions mode (not role mapping).\n */\n getRoleDefinitions(): RoleDefinition[] {\n return this.roles ?? [];\n }\n\n /**\n * Get a specific role definition.\n * Only available when using role definitions mode (not role mapping).\n */\n getRoleDefinition(roleId: string): RoleDefinition | undefined {\n return this.roles?.find(r => r.id === roleId);\n }\n\n /**\n * Get all available roles in the system.\n */\n async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n if (this.roles) {\n return this.roles.map(r => ({ id: r.id, name: r.name }));\n }\n if (this._roleMapping) {\n return Object.keys(this._roleMapping)\n .filter(k => k !== '_default')\n .map(k => ({ id: k, name: k }));\n }\n return [];\n }\n\n /**\n * Get the resolved permissions for a specific role.\n */\n async getPermissionsForRole(roleId: string): Promise {\n if (this._roleMapping) {\n return resolvePermissionsFromMapping([roleId], this._roleMapping);\n }\n if (this.roles) {\n return resolvePermissions([roleId], this.roles);\n }\n return [];\n }\n}\n"]}