'use strict'; var chunk64ITUOXI_cjs = require('./chunk-64ITUOXI.cjs'); var chunkSXKQ7CSX_cjs = require('./chunk-SXKQ7CSX.cjs'); var ee = require('@mastra/core/auth/ee'); function getCallerAuthorId(requestContext) { const resourceId = requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_RESOURCE_ID_KEY); if (typeof resourceId === "string" && resourceId.length > 0) { return resourceId; } const user = requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_KEY); if (user && typeof user === "object" && "id" in user) { const id = user.id; if (typeof id === "string" && id.length > 0) { return id; } } return null; } function getCallerPermissions(requestContext) { const raw = requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_PERMISSIONS_KEY); if (Array.isArray(raw)) { return raw.filter((p) => typeof p === "string"); } return []; } function hasAdminBypass(requestContext, resource) { const permissions = getCallerPermissions(requestContext); if (permissions.length === 0) return false; const wildcardAll = "*"; const resourceWildcard = `${resource}:*`; const resourceAdmin = `${resource}:admin`; return permissions.some((p) => p === wildcardAll || p === resourceWildcard || p === resourceAdmin); } function hasScopedPermission(args) { const { requestContext, resource, action, resourceId } = args; const permissions = getCallerPermissions(requestContext); if (permissions.length === 0) return false; if (!resourceId) { const required2 = `${resource}:${action}`; return permissions.some((p) => ee.matchesPermission(p, required2)); } const required = `${resource}:${action}:${resourceId}`; return permissions.some((p) => { const parts = p.split(":"); if (parts.length < 3) return false; return ee.matchesPermission(p, required); }); } function resolveAuthorFilter(args) { const { requestContext, resource, queryAuthorId, queryVisibility } = args; const callerAuthorId = getCallerAuthorId(requestContext); const bypass = hasAdminBypass(requestContext, resource); if (queryVisibility === "public" && !queryAuthorId) { return { kind: "publicOnly" }; } if (bypass) { return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" }; } if (!callerAuthorId) { return queryAuthorId ? { kind: "exact", authorId: queryAuthorId } : { kind: "unrestricted" }; } if (queryAuthorId) { if (queryAuthorId === callerAuthorId) { return { kind: "exact", authorId: callerAuthorId }; } return { kind: "ownedOrPublicOthers", callerAuthorId, queryAuthorId }; } return { kind: "ownedOrPublic", callerAuthorId }; } function matchesAuthorFilter(record, filter) { const owner = record.authorId ?? null; const isPublic = record.visibility === "public"; switch (filter.kind) { case "unrestricted": return true; case "exact": return owner === filter.authorId; case "ownedOrPublic": return owner === null || owner === filter.callerAuthorId || isPublic; case "publicOnly": return owner === null || isPublic; case "ownedOrPublicOthers": return owner === filter.queryAuthorId && isPublic; } } function assertReadAccess(args) { const { requestContext, resource, resourceId, record } = args; const owner = record.authorId ?? null; if (owner === null) return; if (record.visibility === "public") return; if (hasAdminBypass(requestContext, resource)) return; const callerAuthorId = getCallerAuthorId(requestContext); if (!callerAuthorId && !requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_KEY)) return; if (callerAuthorId === owner) return; if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) { return; } throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" }); } function assertExecuteAccess(args) { const { requestContext, resource, resourceId, record } = args; const owner = record.authorId ?? null; if (owner === null) return; if (record.visibility === "public") return; if (hasAdminBypass(requestContext, resource)) return; const callerAuthorId = getCallerAuthorId(requestContext); if (!callerAuthorId && !requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_KEY)) return; if (callerAuthorId === owner) return; if (hasScopedPermission({ requestContext, resource, action: "execute", resourceId })) { return; } if (hasScopedPermission({ requestContext, resource, action: "read", resourceId })) { return; } throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" }); } function assertWriteAccess(args) { const { requestContext, resource, resourceId, action, record } = args; const owner = record.authorId ?? null; if (owner === null) return; if (hasAdminBypass(requestContext, resource)) return; const callerAuthorId = getCallerAuthorId(requestContext); if (!callerAuthorId && !requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_KEY)) return; if (callerAuthorId === owner) return; if (hasScopedPermission({ requestContext, resource, action, resourceId })) { return; } throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" }); } function assertShareAccess(args) { const { requestContext, resource, resourceId, record } = args; const owner = record.authorId ?? null; if (owner === null) return; if (hasAdminBypass(requestContext, resource)) return; const callerAuthorId = getCallerAuthorId(requestContext); if (!callerAuthorId && !requestContext.get(chunkSXKQ7CSX_cjs.MASTRA_USER_KEY)) return; if (callerAuthorId === owner) return; if (hasScopedPermission({ requestContext, resource, action: "share", resourceId })) { return; } throw new chunk64ITUOXI_cjs.HTTPException(404, { message: "Not found" }); } function assertOwnership(args) { assertWriteAccess({ ...args, action: "edit" }); } exports.assertExecuteAccess = assertExecuteAccess; exports.assertOwnership = assertOwnership; exports.assertReadAccess = assertReadAccess; exports.assertShareAccess = assertShareAccess; exports.assertWriteAccess = assertWriteAccess; exports.getCallerAuthorId = getCallerAuthorId; exports.getCallerPermissions = getCallerPermissions; exports.hasAdminBypass = hasAdminBypass; exports.hasScopedPermission = hasScopedPermission; exports.matchesAuthorFilter = matchesAuthorFilter; exports.resolveAuthorFilter = resolveAuthorFilter; //# sourceMappingURL=chunk-KGUHJRHZ.cjs.map //# sourceMappingURL=chunk-KGUHJRHZ.cjs.map