/**
 * Capabilities detection and response building for EE authentication.
 */
import type { MastraAuthProvider } from '../../server/index.js';
import type { IFGAProvider } from './interfaces/fga.js';
import type { IRBACProvider } from './interfaces/rbac.js';
import type { EEUser } from './interfaces/user.js';
/**
 * Public capabilities response (no authentication required).
 * Contains just enough info to render the login page.
 *
 * This shape is served without authentication, so every field is readable by
 * any caller that can reach the endpoint. Per-user data is declared on
 * AuthenticatedCapabilities instead.
 */
export interface PublicAuthCapabilities {
    /** Whether auth is enabled */
    enabled: boolean;
    /**
     * Login configuration, or null when there is none to show
     * (documented as "no auth or no SSO").
     * NOTE(review): `type` also allows 'credentials', so confirm whether a
     * credentials-only setup really yields null here.
     */
    login: {
        /** Type of login available */
        type: 'sso' | 'credentials' | 'both';
        /**
         * Whether sign-up is enabled (defaults to true, so an omitted value
         * means enabled).
         * NOTE(review): this flag tells the UI what to render; whether the
         * server also rejects sign-up requests when it is false is not visible
         * in this file.
         */
        signUpEnabled?: boolean;
        /** Optional description explaining the auth requirement and what credentials to use */
        description?: string;
        /** SSO configuration */
        sso?: {
            /** Provider name */
            provider: string;
            /** Button text */
            text: string;
            /** Icon URL */
            icon?: string;
            /** Description of the auth requirement */
            description?: string;
            /**
             * Login URL.
             * NOTE(review): BuildCapabilitiesOptions.apiPrefix is documented as
             * the prefix used to construct SSO login URLs
             * (e.g. `/mastra/auth/sso/login`). Presumably clients navigate to
             * this value, so confirm it is always built server-side from
             * configuration.
             */
            url: string;
        };
    } | null;
}
/**
 * User info for authenticated response.
 *
 * Only `id` is required; `email`, `name` and `avatarUrl` are optional and may
 * be absent.
 */
export interface AuthenticatedUser {
    /** User ID */
    id: string;
    /** User email */
    email?: string;
    /** Display name */
    name?: string;
    /** Avatar URL */
    avatarUrl?: string;
}
/**
 * Capability flags indicating which EE features are available.
 *
 * Per the field comments, a flag is true only when the matching provider
 * interface is both implemented and licensed. The flags describe feature
 * availability for the deployment; what a given user may do is carried
 * separately in UserAccess.
 */
export interface CapabilityFlags {
    /** IUserProvider is implemented and licensed */
    user: boolean;
    /** ISessionProvider is implemented and licensed */
    session: boolean;
    /** ISSOProvider is implemented and licensed */
    sso: boolean;
    /** IRBACProvider is implemented and licensed */
    rbac: boolean;
    /** IACLProvider is implemented and licensed */
    acl: boolean;
    /** IFGAProvider is implemented and licensed */
    fga: boolean;
}
/**
 * User's access (roles and permissions).
 *
 * NOTE(review): the format of role and permission strings is not defined in
 * this file. Values delivered to a client are suitable for deciding what to
 * render; enforcement should not depend on the client honoring them.
 */
export interface UserAccess {
    /** User's roles */
    roles: string[];
    /** User's resolved permissions */
    permissions: string[];
}
/**
 * Authenticated capabilities response.
 * Extends public capabilities with user context and feature flags.
 *
 * Unlike PublicAuthCapabilities, this shape carries per-user data (`user`,
 * `access`, `availableRoles`).
 */
export interface AuthenticatedCapabilities extends PublicAuthCapabilities {
    /** Current authenticated user */
    user: AuthenticatedUser;
    /** Available EE capabilities */
    capabilities: CapabilityFlags;
    /** User's access (if RBAC available); presumably null otherwise — confirm against the implementation */
    access: UserAccess | null;
    /**
     * Available roles in the system (only present for admin users).
     * NOTE(review): how "admin" is determined is not visible in this file;
     * confirm the check happens server-side before this list is populated.
     */
    availableRoles?: {
        id: string;
        name: string;
    }[];
}
/**
 * Type guard to check if response is authenticated.
 *
 * Narrows a capabilities response to AuthenticatedCapabilities for the type
 * checker.
 *
 * NOTE(review): the implementation is not visible in this declaration file.
 * The guard describes the shape of a response object; it is not an
 * access-control check.
 *
 * @param caps - Capabilities response, public or authenticated
 * @returns true when `caps` is the authenticated variant
 */
export declare function isAuthenticated(caps: PublicAuthCapabilities | AuthenticatedCapabilities): caps is AuthenticatedCapabilities;
/**
 * Options for building capabilities.
 *
 * All fields are optional.
 */
export interface BuildCapabilitiesOptions {
    /**
     * RBAC provider for role-based access control (EE feature).
     * Separate from the auth provider to allow mixing different providers.
     *
     * @example
     * ```typescript
     * const rbac = new StaticRBACProvider({
     *   roles: DEFAULT_ROLES,
     *   getUserRoles: (user) => [user.role],
     * });
     *
     * buildCapabilities(auth, request, { rbac });
     * ```
     */
    rbac?: IRBACProvider<EEUser>;
    /**
     * FGA provider for fine-grained authorization (EE feature).
     * Separate from the auth provider to allow mixing different providers.
     */
    fga?: IFGAProvider<EEUser>;
    /**
     * API route prefix used to construct SSO login URLs.
     * Defaults to `/api` when not provided.
     *
     * NOTE(review): this value ends up in a URL returned to unauthenticated
     * callers, so it should come from static configuration; whether the
     * prefix is validated or normalized is not visible in this file.
     *
     * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`
     */
    apiPrefix?: string;
}
/**
 * Build capabilities response based on auth configuration and request state.
 *
 * This function determines what capabilities are available and, if the user
 * is authenticated, includes their user info and access permissions.
 *
 * The result is a union: callers can use isAuthenticated() to tell the public
 * variant from the authenticated one.
 *
 * @param auth - Auth provider (or null if no auth configured)
 * @param request - Incoming HTTP request
 * @param options - Optional configuration (`rbac`, `fga`, `apiPrefix`)
 * @returns Promise resolving to the capabilities response (public or authenticated)
 */
export declare function buildCapabilities(auth: MastraAuthProvider | null, request: Request, options?: BuildCapabilitiesOptions): Promise<PublicAuthCapabilities | AuthenticatedCapabilities>;
//# sourceMappingURL=capabilities.d.ts.map