'use strict'; var chunkOEW7GS6U_cjs = require('./chunk-OEW7GS6U.cjs'); var chunk6LWJF7BY_cjs = require('./chunk-6LWJF7BY.cjs'); // src/auth/ee/license.ts function getLicenseKey() { return process.env["MASTRA_LICENSE_KEY"] || process.env["MASTRA_EE_LICENSE"]; } var validationStarted = false; var hasWarnedAboutDevLicense = false; function getClient() { const client = chunk6LWJF7BY_cjs.LicenseClient.getInstance(); if (!validationStarted) { validationStarted = true; void client.validate().catch(() => { }); } return client; } function startLicenseValidation() { const client = chunk6LWJF7BY_cjs.LicenseClient.getInstance(); validationStarted = true; return client.validate(); } function validateLicense(licenseKey) { const configuredKey = getLicenseKey(); const key = licenseKey ?? configuredKey; if (!key) { return { valid: false }; } if (licenseKey !== void 0 && licenseKey !== configuredKey) { return { valid: false }; } const snap = getClient().getSnapshot(); return { valid: snap.status !== "invalid", features: snap.entitlements ?? void 0, tier: snap.planTier ?? void 0, expiresAt: snap.expiresAt ? new Date(snap.expiresAt) : void 0 }; } function isLicenseValid() { if (!getLicenseKey()) { return false; } return getClient().getSnapshot().status !== "invalid"; } var isEELicenseValid = isLicenseValid; function isFeatureEnabled(feature) { if (!getLicenseKey()) { return false; } return getClient().hasFeature(feature); } function getSafeLicenseSummary() { const key = getLicenseKey(); const info = validateLicense(key); const licenseHash = key ? chunkOEW7GS6U_cjs.hashTelemetryValue(key) : void 0; return { valid: info.valid, isDevEnvironment: isDevEnvironment(), licenseHash: licenseHash ? licenseHash.slice(0, 16) : void 0, anonymousId: licenseHash ? `${licenseHash.slice(0, 16)}-anonymous` : void 0, features: info.features, tier: info.tier }; } function warnIfDevEENeedsLicense() { if (hasWarnedAboutDevLicense || !isDevEnvironment() || isLicenseValid()) { return; } hasWarnedAboutDevLicense = true; console.warn( "[mastra/auth-ee] Mastra Enterprise features are enabled for local development, but no valid MASTRA_LICENSE_KEY is configured. These features will be disabled in production without a valid license. Contact us to get a production license: https://mastra.ai/contact" ); } function clearLicenseCache() { validationStarted = false; hasWarnedAboutDevLicense = false; chunk6LWJF7BY_cjs.LicenseClient.resetInstance(); } function isDevEnvironment() { return process.env["MASTRA_DEV"] === "true" || process.env["MASTRA_DEV"] === "1" || process.env["NODE_ENV"] !== "production" && process.env["NODE_ENV"] !== "prod"; } function isEEEnabled() { if (isDevEnvironment()) { warnIfDevEENeedsLicense(); return true; } return isLicenseValid(); } // src/auth/ee/fga-check.ts function mergeFGAContext({ context, requestContext, metadata }) { const mergedContext = { ...context }; if (requestContext) { mergedContext.requestContext = requestContext; } if (metadata || context?.metadata) { mergedContext.metadata = { ...context?.metadata ?? {}, ...metadata ?? {} }; } return Object.keys(mergedContext).length > 0 ? mergedContext : void 0; } function isActorSignal(actor) { if (actor === true) { return true; } if (typeof actor !== "object" || actor === null) { return false; } const candidate = actor; return candidate.actorKind === "system" && (candidate.sourceWorkflow === void 0 || typeof candidate.sourceWorkflow === "string"); } function getAgentFGAResourceId(agentId) { return agentId; } function getWorkflowFGAResourceId(workflowId) { return workflowId; } function getStandaloneToolFGAResourceId(toolName) { return toolName; } function getAgentToolFGAResourceId(agentId, toolName) { return `${agentId}:${toolName}`; } function getMCPToolFGAResourceId(serverName, toolName) { return JSON.stringify([serverName, toolName]); } async function checkFGA(options) { await requireFGA(options); } async function requireFGA(options) { const { fgaProvider, user, resource, permission, context, requestContext, metadata, actor } = options; if (!fgaProvider) { return; } const fgaContext = mergeFGAContext({ context, requestContext, metadata }); const license = getSafeLicenseSummary(); if (isActorSignal(actor)) { const tenantOrganizationId = fgaContext?.requestContext?.get("organizationId"); if (typeof tenantOrganizationId !== "string" || tenantOrganizationId.length === 0) { throw new FGADeniedError(user, resource, permission, "trusted actor requires organizationId / tenant scope"); } const sourceWorkflow = (actor === true ? void 0 : actor.sourceWorkflow) ?? (typeof fgaContext?.metadata?.["sourceWorkflow"] === "string" ? fgaContext.metadata["sourceWorkflow"] : void 0); try { chunkOEW7GS6U_cjs.captureEEEvent("ee_feature_used", license.anonymousId || chunkOEW7GS6U_cjs.getEETelemetryFallbackDistinctId(), { feature: "fga", actor_kind: "system", resource_type: resource.type, resource_id: resource.id, permission, user_id: null, organization_membership_id: null, source_workflow: sourceWorkflow, license_valid: license.valid, license_hash: license.licenseHash, is_dev_environment: license.isDevEnvironment }); } catch { } return; } if (!user) { throw new FGADeniedError(user, resource, permission, "authenticated user is required"); } await fgaProvider.require( user, fgaContext ? { resource, permission, context: fgaContext } : { resource, permission } ); try { chunkOEW7GS6U_cjs.captureEEEvent("ee_feature_used", user?.id || license.anonymousId || chunkOEW7GS6U_cjs.getEETelemetryFallbackDistinctId(), { feature: "fga", actor_kind: "user", resource_type: resource.type, resource_id: resource.id, permission, user_id: user?.id ?? null, organization_membership_id: user?.organizationMembershipId ?? null, license_valid: license.valid, license_hash: license.licenseHash, is_dev_environment: license.isDevEnvironment }); } catch { } } var FGADeniedError = class extends Error { user; resource; permission; status; constructor(user, resource, permission, reason) { const userId = user?.id || user?.workosId || "unknown"; const permissionLabel = Array.isArray(permission) ? `any of [${permission.join(", ")}]` : permission; super( reason ? `FGA authorization denied: ${reason}` : `FGA authorization denied: user ${userId} cannot ${permissionLabel} on ${resource.type}:${resource.id}` ); this.name = "FGADeniedError"; this.user = user; this.resource = resource; this.permission = permission; this.status = 403; } }; /** * FGA enforcement utility for checking fine-grained authorization. * * @license Mastra Enterprise License - see ee/LICENSE */ exports.FGADeniedError = FGADeniedError; exports.checkFGA = checkFGA; exports.clearLicenseCache = clearLicenseCache; exports.getAgentFGAResourceId = getAgentFGAResourceId; exports.getAgentToolFGAResourceId = getAgentToolFGAResourceId; exports.getMCPToolFGAResourceId = getMCPToolFGAResourceId; exports.getSafeLicenseSummary = getSafeLicenseSummary; exports.getStandaloneToolFGAResourceId = getStandaloneToolFGAResourceId; exports.getWorkflowFGAResourceId = getWorkflowFGAResourceId; exports.isDevEnvironment = isDevEnvironment; exports.isEEEnabled = isEEEnabled; exports.isEELicenseValid = isEELicenseValid; exports.isFeatureEnabled = isFeatureEnabled; exports.isLicenseValid = isLicenseValid; exports.requireFGA = requireFGA; exports.startLicenseValidation = startLicenseValidation; exports.validateLicense = validateLicense; exports.warnIfDevEENeedsLicense = warnIfDevEENeedsLicense; //# sourceMappingURL=chunk-TKFSM674.cjs.map //# sourceMappingURL=chunk-TKFSM674.cjs.map