/** * RBAC provider interface for EE authentication. * Enables role-based access control in Studio. * * RBAC is designed to be separate from authentication. * This allows users to mix auth providers with RBAC providers: * - Use Better Auth for authentication + StaticRBACProvider for RBAC * - Use Clerk for both auth and RBAC via MastraRBACClerk * - Use Auth0 for auth + custom RBAC provider */ import type { PermissionPattern } from './permissions.generated.js'; /** * Definition of a role with its permissions. * Uses type-safe permission patterns derived from SERVER_ROUTES. */ export interface RoleDefinition { /** Unique role identifier */ id: string; /** Human-readable role name */ name: string; /** Role description */ description?: string; /** Permissions granted by this role (type-safe) */ permissions: PermissionPattern[]; /** Role IDs this role inherits from */ inherits?: string[]; } /** * Role mapping configuration for translating provider roles to Mastra permissions. * Uses type-safe permission patterns derived from SERVER_ROUTES. * * Use this when your identity provider (WorkOS, Okta, Azure AD, etc.) has its own * roles that need to be translated to Mastra's permission model. * * Special keys: * - `_default`: Permissions for roles not explicitly mapped * * @example * ```typescript * const roleMapping: RoleMapping = { * "Engineering": ["agents:*", "workflows:*"], * "Product": ["agents:read", "workflows:read"], * "Admin": ["*"], * "_default": [], // unmapped roles get no permissions * }; * ``` */ export type RoleMapping = { /** Map role name to array of permission patterns */ [role: string]: PermissionPattern[]; }; /** * Provider interface for role-based access control (read-only). * * Implement this interface to enable: * - Permission-based UI gating * - Role display in user menu * - Access control checks * * RBAC providers can be used independently of auth providers: * * @example Using StaticRBACProvider with Better Auth * ```typescript * // Better Auth handles authentication only * const auth = new MastraAuthBetterAuth({ betterAuth }); * * // Static RBAC handles authorization * const rbac = new StaticRBACProvider({ * roles: DEFAULT_ROLES, * getUserRoles: (user) => [user.role], * }); * * const mastra = new Mastra({ * server: { * auth, * rbac, * }, * }); * ``` * * @example Using MastraRBACClerk with role mapping * ```typescript * const mastra = new Mastra({ * server: { * auth: new MastraAuthClerk({ clerk }), * rbac: new MastraRBACClerk({ * clerk, * roleMapping: { * "org:admin": ["*"], * "org:member": ["agents:read", "workflows:read"], * }, * }), * }, * }); * ``` */ export interface IRBACProvider { /** * Optional role mapping for translating provider roles to Mastra permissions. * If provided, permissions are resolved using this mapping instead of getPermissions(). */ roleMapping?: RoleMapping; /** * Get all roles for a user. * * @param user - User to get roles for * @returns Array of role IDs */ getRoles(user: TUser): Promise; /** * Check if user has a specific role. * * @param user - User to check * @param role - Role ID to check for * @returns True if user has the role */ hasRole(user: TUser, role: string): Promise; /** * Get all permissions for a user (resolved from roles). * * @param user - User to get permissions for * @returns Array of permission strings */ getPermissions(user: TUser): Promise; /** * Check if user has a specific permission. * * @param user - User to check * @param permission - Permission to check for * @returns True if user has the permission */ hasPermission(user: TUser, permission: string): Promise; /** * Check if user has ALL of the specified permissions. * * @param user - User to check * @param permissions - Permissions to check for * @returns True if user has all permissions */ hasAllPermissions(user: TUser, permissions: string[]): Promise; /** * Check if user has ANY of the specified permissions. * * @param user - User to check * @param permissions - Permissions to check for * @returns True if user has at least one permission */ hasAnyPermission(user: TUser, permissions: string[]): Promise; /** * Get all available roles in the system. * Used by the "View as role" feature to list roles an admin can impersonate. * * @returns Array of role descriptors */ getAvailableRoles?(): Promise<{ id: string; name: string; }[]>; /** * Get the resolved permissions for a specific role. * Used by the "View as role" feature to override client-side permissions. * * @param roleId - Role ID to resolve permissions for * @returns Array of permission strings */ getPermissionsForRole?(roleId: string): Promise; } /** * Extended interface for managing roles (write operations). * * Implement this in addition to IRBACProvider to enable role management. */ export interface IRBACManager extends IRBACProvider { /** * Assign a role to a user. * * @param userId - User to assign role to * @param roleId - Role to assign */ assignRole(userId: string, roleId: string): Promise; /** * Remove a role from a user. * * @param userId - User to remove role from * @param roleId - Role to remove */ removeRole(userId: string, roleId: string): Promise; /** * List all available roles. * * @returns Array of role definitions */ listRoles(): Promise; /** * Optional: Create a new role. * * @param role - Role definition to create */ createRole?(role: RoleDefinition): Promise; /** * Optional: Delete a role. * * @param roleId - Role ID to delete */ deleteRole?(roleId: string): Promise; } //# sourceMappingURL=rbac.d.ts.map