@mastra/core/dist/chunk-4JAF3O7W.js

Mastra is a framework for building AI-powered applications and agents with a modern TypeScript stack.

import { createHash } from 'crypto';
import os from 'os';
import { PostHog } from 'posthog-node';

// src/telemetry/posthog.ts
var POSTHOG_API_KEY = "phc_SBLpZVAB6jmHOct9CABq3PF0Yn5FU3G2FgT4xUr2XrT";
var POSTHOG_HOST = "https://us.posthog.com";
var client = null;
function isEETelemetryEnabled() {
  return process.env["MASTRA_TELEMETRY_DISABLED"] !== "1";
}
function hashTelemetryValue(value) {
  return createHash("sha256").update(value).digest("hex");
}
function getHashedHostname() {
  return hashTelemetryValue(os.hostname() || "unknown-host").slice(0, 16);
}
function getEETelemetryFallbackDistinctId() {
  return `mastra-${getHashedHostname()}`;
}
function getClient() {
  if (!isEETelemetryEnabled()) {
    return null;
  }
  if (!client) {
    client = new PostHog(POSTHOG_API_KEY, {
      host: POSTHOG_HOST,
      flushAt: 1,
      flushInterval: 0,
      disableGeoip: false
    });
  }
  return client;
}
function getSystemProperties() {
  return {
    os: process.platform,
    os_version: os.release(),
    node_version: process.version,
    platform: process.arch,
    machine_id: getHashedHostname(),
    mastra_version: process.env["npm_package_version"] || "unknown"
  };
}
function captureEEEvent(event, distinctId, properties) {
  try {
    const posthog = getClient();
    if (!posthog) {
      return;
    }
    posthog.capture({
      distinctId: distinctId || getEETelemetryFallbackDistinctId(),
      event,
      properties: {
        ...getSystemProperties(),
        ...properties
      }
    });
  } catch {
  }
}

// src/auth/ee/license.ts
var cachedLicense = null;
var cacheTimestamp = 0;
var CACHE_TTL = 60 * 1e3;
function validateLicense(licenseKey) {
  const key = licenseKey ?? process.env["MASTRA_EE_LICENSE"];
  if (!key) {
    return { valid: false };
  }
  if (key.length < 32) {
    return { valid: false };
  }
  return {
    valid: true,
    features: ["user", "session", "sso", "rbac", "acl", "fga", "agent-builder"],
    tier: "enterprise"
  };
}
function isLicenseValid() {
  const now = Date.now();
  if (cachedLicense && now - cacheTimestamp < CACHE_TTL) {
    return cachedLicense.valid;
  }
  cachedLicense = validateLicense();
  cacheTimestamp = now;
  if (!cachedLicense.valid && process.env["MASTRA_EE_LICENSE"]) {
    console.warn("[mastra/auth-ee] Invalid or expired EE license. EE features are disabled.");
  }
  return cachedLicense.valid;
}
var isEELicenseValid = isLicenseValid;
function isFeatureEnabled(feature) {
  if (!isLicenseValid()) {
    return false;
  }
  if (!cachedLicense?.features) {
    return true;
  }
  return cachedLicense.features.includes(feature);
}
function getSafeLicenseSummary() {
  const key = process.env["MASTRA_EE_LICENSE"];
  const info = cachedLicense ?? validateLicense(key);
  const licenseHash = key ? hashTelemetryValue(key) : void 0;
  return {
    valid: info.valid,
    isDevEnvironment: isDevEnvironment(),
    licenseHash: licenseHash ? licenseHash.slice(0, 16) : void 0,
    anonymousId: licenseHash ? `${licenseHash.slice(0, 16)}-anonymous` : void 0,
    features: info.features,
    tier: info.tier
  };
}
function isDevEnvironment() {
  return process.env["MASTRA_DEV"] === "true" || process.env["MASTRA_DEV"] === "1" || process.env["NODE_ENV"] !== "production" && process.env["NODE_ENV"] !== "prod";
}
function isEEEnabled() {
  if (isDevEnvironment()) {
    return true;
  }
  return isLicenseValid();
}

// src/auth/ee/fga-check.ts
function mergeFGAContext({
  context,
  requestContext,
  metadata
}) {
  const mergedContext = {
    ...context
  };
  if (requestContext) {
    mergedContext.requestContext = requestContext;
  }
  if (metadata || context?.metadata) {
    mergedContext.metadata = {
      ...context?.metadata ?? {},
      ...metadata ?? {}
    };
  }
  return Object.keys(mergedContext).length > 0 ? mergedContext : void 0;
}
function getAgentFGAResourceId(agentId) {
  return agentId;
}
function getWorkflowFGAResourceId(workflowId) {
  return workflowId;
}
function getStandaloneToolFGAResourceId(toolName) {
  return toolName;
}
function getAgentToolFGAResourceId(agentId, toolName) {
  return `${agentId}:${toolName}`;
}
function getMCPToolFGAResourceId(serverName, toolName) {
  return JSON.stringify([serverName, toolName]);
}
async function checkFGA(options) {
  await requireFGA(options);
}
async function requireFGA(options) {
  const { fgaProvider, user, resource, permission, context, requestContext, metadata } = options;
  if (!fgaProvider) {
    return;
  }
  const fgaContext = mergeFGAContext({ context, requestContext, metadata });
  if (!user) {
    throw new FGADeniedError(user, resource, permission, "authenticated user is required");
  }
  await fgaProvider.require(
    user,
    fgaContext ? { resource, permission, context: fgaContext } : { resource, permission }
  );
  const license = getSafeLicenseSummary();
  try {
    captureEEEvent("ee_feature_used", user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {
      feature: "fga",
      resource_type: resource.type,
      resource_id: resource.id,
      permission,
      user_id: user?.id,
      organization_membership_id: user?.organizationMembershipId,
      license_valid: license.valid,
      license_hash: license.licenseHash,
      is_dev_environment: license.isDevEnvironment
    });
  } catch {
  }
}
var FGADeniedError = class extends Error {
  user;
  resource;
  permission;
  status;
  constructor(user, resource, permission, reason) {
    const userId = user?.id || user?.workosId || "unknown";
    const permissionLabel = Array.isArray(permission) ? `any of [${permission.join(", ")}]` : permission;
    super(
      reason ? `FGA authorization denied: ${reason}` : `FGA authorization denied: user ${userId} cannot ${permissionLabel} on ${resource.type}:${resource.id}`
    );
    this.name = "FGADeniedError";
    this.user = user;
    this.resource = resource;
    this.permission = permission;
    this.status = 403;
  }
};
/**
 * FGA enforcement utility for checking fine-grained authorization.
 *
 * @license Mastra Enterprise License - see ee/LICENSE
 */

export { FGADeniedError, captureEEEvent, checkFGA, getAgentFGAResourceId, getAgentToolFGAResourceId, getEETelemetryFallbackDistinctId, getMCPToolFGAResourceId, getSafeLicenseSummary, getStandaloneToolFGAResourceId, getWorkflowFGAResourceId, isDevEnvironment, isEEEnabled, isEELicenseValid, isFeatureEnabled, isLicenseValid, requireFGA, validateLicense };
//# sourceMappingURL=chunk-4JAF3O7W.js.map
//# sourceMappingURL=chunk-4JAF3O7W.js.map