UNPKG

@mastra/core

Version:

Mastra is a framework for building AI-powered applications and agents with a modern TypeScript stack.

mastra.ai

mastra-ai/mastra

351 lines • 12.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
/** * FGA (Fine-Grained Authorization) provider interface for EE authentication. * Enables relationship-based, resource-level authorization. * * FGA complements RBAC by answering "Can this user do this action on this specific resource?" * rather than "Can this role do this action?" * * @license Mastra Enterprise License - see ee/LICENSE */ import type { RequestContext } from '../../../di/index.js'; import type { MastraFGAPermissionInput } from './permissions.generated.js'; /** * Optional context for an authorization check. */ export interface FGACheckContext { /** * The owning application resource ID for the target resource. * Useful when the authorization resource ID differs from the route-level ID, * such as thread checks scoped by a thread's owning tenant/resource. */ resourceId?: string; /** * Optional request context for providers that need additional request-scoped * data to derive the authorization resource identifier. */ requestContext?: RequestContext<any>; /** * Optional provider-specific metadata about the attempted action. */ metadata?: Record<string, unknown>; } /** * Parameters for an authorization check. */ export interface FGACheckParams { /** The resource being accessed */ resource: { type: string; id: string; }; /** * The permission(s) being checked. * When an array is provided, the user needs ANY ONE of the listed permissions * (the check passes if any single permission resolves to allow). */ permission: MastraFGAPermissionInput | MastraFGAPermissionInput[]; /** Optional provider-specific context for resource resolution */ context?: FGACheckContext; } /** * Route-level FGA metadata. */ export interface FGARouteConfig { /** Resource type slug to authorize against, e.g. `agent`, `workflow`, or `thread`. */ resourceType: string; /** Path/body/query parameter name that contains the resource ID. */ resourceIdParam?: string; /** Static or dynamic resource ID resolver. */ resourceId?: string | ((params: Record<string, unknown>, context: { requestContext?: RequestContext<any>; }) => string | undefined); /** * Permission(s) to check for this route. Falls back to the route permission when omitted. * When an array is provided, the user needs ANY ONE of the listed permissions. */ permission?: MastraFGAPermissionInput | MastraFGAPermissionInput[]; } /** * Minimal route information exposed to global FGA route resolvers. */ export interface FGARouteInfo { path: string; method: string; requiresAuth?: boolean; /** * Permission(s) required by this route. * When an array is provided, the user needs ANY ONE of the listed permissions. */ requiresPermission?: MastraFGAPermissionInput | MastraFGAPermissionInput[]; fga?: FGARouteConfig; } /** * Context passed to global FGA route resolvers. */ export interface FGARouteResolverContext { route: FGARouteInfo; params: Record<string, unknown>; requestContext?: RequestContext<any>; } /** * Resolves route-level FGA metadata without mutating each route registration. */ export type FGARouteResolver = (context: FGARouteResolverContext) => FGARouteConfig | null | undefined | Promise<FGARouteConfig | null | undefined>; /** * An authorization resource in the FGA system. */ export interface FGAResource { /** Internal resource ID */ id: string; /** External ID (your application's resource identifier) */ externalId: string; /** Display name */ name: string; /** Optional description */ description?: string | null; /** Resource type slug (e.g., 'team', 'project', 'workspace') */ resourceTypeSlug: string; /** Organization ID the resource belongs to */ organizationId: string; /** Parent resource ID for hierarchical resources */ parentResourceId?: string | null; } /** * Parameters for creating an authorization resource. */ export interface FGACreateResourceParams { /** External ID (your application's resource identifier) */ externalId: string; /** Display name */ name: string; /** Optional description */ description?: string | null; /** Resource type slug */ resourceTypeSlug: string; /** Organization ID */ organizationId: string; /** Parent resource ID (by internal ID) */ parentResourceId?: string; /** Parent resource external ID (alternative to parentResourceId) */ parentResourceExternalId?: string; /** Parent resource type slug (required with parentResourceExternalId) */ parentResourceTypeSlug?: string; } /** * Parameters for updating an authorization resource. */ export interface FGAUpdateResourceParams { /** Internal resource ID */ resourceId: string; /** New name */ name?: string; /** New description */ description?: string | null; } /** * Parameters for deleting an authorization resource. */ export interface FGADeleteResourceParams { /** Delete by internal resource ID */ resourceId?: string; /** Delete by external ID (use with resourceTypeSlug and organizationId) */ externalId?: string; /** Resource type slug (required when using externalId) */ resourceTypeSlug?: string; /** Organization ID (required when using externalId) */ organizationId?: string; } /** * A role assignment binding a membership to a role on a resource. */ export interface FGARoleAssignment { /** Assignment ID */ id: string; /** The role */ role: { slug: string; }; /** The resource the role is assigned on */ resource: { id: string; externalId: string; resourceTypeSlug: string; }; } /** * Parameters for assigning or removing a role on a resource. */ export interface FGARoleParams { /** Organization membership ID */ organizationMembershipId: string; /** Role slug to assign/remove */ roleSlug: string; /** Resource ID to scope the role to */ resourceId?: string; /** Resource external ID (alternative to resourceId) */ resourceExternalId?: string; /** Resource type slug (required when using resourceExternalId) */ resourceTypeSlug?: string; } /** * Options for listing role assignments. */ export interface FGAListRoleAssignmentsOptions { /** Organization membership ID */ organizationMembershipId: string; /** Pagination limit */ limit?: number; /** Pagination cursor */ after?: string; } /** * Options for listing authorization resources. */ export interface FGAListResourcesOptions { /** Filter by organization */ organizationId?: string; /** Filter by resource type */ resourceTypeSlug?: string; /** Filter by parent resource */ parentResourceId?: string; /** Search by name */ search?: string; /** Pagination limit */ limit?: number; /** Pagination cursor */ after?: string; } /** * Provider interface for fine-grained authorization (read-only). * * This interface follows a user-centric model: * - `check()` answers "Can this user perform this permission on this resource?" * - `require()` throws if the user lacks permission * - `filterAccessible()` filters a list of resources to only those the user can access * * The provider is responsible for translating between Mastra's resource/permission * model and the underlying FGA provider's API (e.g., WorkOS Authorization). * * @example * ```typescript * import { MastraFGAPermissions } from '@mastra/core/auth/ee'; * * const fga = new MastraFGAWorkos({ * resourceMapping: { * agent: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId }, * workflow: { fgaResourceType: 'team', deriveId: (ctx) => ctx.user.teamId }, * thread: { fgaResourceType: 'user', deriveId: (ctx) => ctx.resourceId ?? ctx.user.userId }, * }, * permissionMapping: { * [MastraFGAPermissions.AGENTS_READ]: 'read', * [MastraFGAPermissions.AGENTS_EXECUTE]: 'manage-workflows', * [MastraFGAPermissions.WORKFLOWS_EXECUTE]: 'manage-workflows', * [MastraFGAPermissions.MEMORY_READ]: 'read', * [MastraFGAPermissions.MEMORY_WRITE]: 'update', * }, * }); * * // Check if a user can execute an agent * const allowed = await fga.check(user, { * resource: { type: 'agent', id: 'chef-agent' }, * permission: MastraFGAPermissions.AGENTS_EXECUTE, * }); * ``` */ export interface IFGAProvider<TUser = unknown> { /** * When true, protected routes without route-level FGA metadata or resolver * output are denied instead of being allowed through. * * @default false */ requireForProtectedRoutes?: boolean; /** * Audits protected routes that do not have built-in FGA metadata. * Use `true` or `'warn'` to log a startup warning, `'error'` to fail startup, * or `false` to disable the audit. * * @default false */ auditProtectedRoutes?: boolean | 'warn' | 'error'; /** * Global route FGA resolver. This can derive resource type, resource ID, and * permission from the route, parsed params, and request context. */ resolveRouteFGA?: FGARouteResolver; /** * Optional startup validation for provider-specific permission mappings. * Providers can throw when a permission Mastra may emit is not mapped. */ validatePermissions?: (permissions: MastraFGAPermissionInput[]) => void | Promise<void>; /** * Check if a user has a specific permission on a resource. * * @param user - The user to check * @param params - The resource and permission to check * @returns true if the user has permission, false otherwise */ check(user: TUser, params: FGACheckParams): Promise<boolean>; /** * Require that a user has a specific permission on a resource. * Throws FGADeniedError if the user does not have permission. * * @param user - The user to check * @param params - The resource and permission to check * @throws FGADeniedError if the user does not have permission */ require(user: TUser, params: FGACheckParams): Promise<void>; /** * Filter a list of resources to only those the user can access. * * @param user - The user to check * @param resources - The resources to filter * @param resourceType - The type of resources being filtered * @param permission - The permission to check for * @returns The filtered list of resources the user can access */ filterAccessible<T extends { id: string; }>(user: TUser, resources: T[], resourceType: string, permission: MastraFGAPermissionInput): Promise<T[]>; } /** * Extended FGA interface with write operations for managing resources and role assignments. * * Implement this interface when the FGA provider also manages the authorization * model (creating resources, assigning roles, etc.). */ export interface IFGAManager<TUser = unknown> extends IFGAProvider<TUser> { /** * Create an authorization resource. */ createResource(params: FGACreateResourceParams): Promise<FGAResource>; /** * Get an authorization resource by ID. */ getResource(resourceId: string): Promise<FGAResource>; /** * List authorization resources. */ listResources(options?: FGAListResourcesOptions): Promise<FGAResource[]>; /** * Update an authorization resource. */ updateResource(params: FGAUpdateResourceParams): Promise<FGAResource>; /** * Delete an authorization resource. */ deleteResource(params: FGADeleteResourceParams): Promise<void>; /** * Assign a role to an organization membership on a specific resource. */ assignRole(params: FGARoleParams): Promise<FGARoleAssignment>; /** * Remove a role assignment. */ removeRole(params: FGARoleParams): Promise<void>; /** * List role assignments for an organization membership. */ listRoleAssignments(options: FGAListRoleAssignmentsOptions): Promise<FGARoleAssignment[]>; } //# sourceMappingURL=fga.d.ts.map