{"version":3,"sources":["../src/auth/ee/interfaces/permissions.generated.ts","../src/auth/ee/capabilities.ts","../src/auth/ee/defaults/roles.ts","../src/auth/ee/defaults/rbac/static.ts"],"names":["getSafeLicenseSummary","captureEEEvent","getEETelemetryFallbackDistinctId","isLicenseValid","isDevEnvironment"],"mappings":";;;;;AAaO,IAAM,SAAA,GAAY;AAAA,EACvB,KAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,qBAAA;AAAA,EACA,YAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,eAAA;AAAA,EACA,oBAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,eAAA;AAAA,EACA,mBAAA;AAAA,EACA,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAgBO,IAAM,OAAA,GAAU,CAAC,QAAA,EAAU,QAAA,EAAU,WAAW,SAAA,EAAW,MAAA,EAAQ,SAAS,OAAO;AAWnF,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,GAAA,EAAK,GAAA;AAAA;AAAA,EAEL,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,QAAA,EAAU,QAAA;AAAA;AAAA,EAEV,OAAA,EAAS,OAAA;AAAA;AAAA,EAET,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,SAAA,EAAW,SAAA;AAAA;AAAA,EAEX,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,c
AAA;AAAA;AAAA,EAEhB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,WAAA;AAAA;AAAA,EAEb,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,2BAAA,EAA6B,2BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,4BAAA;AAAA;AAAA,EAE9B,yBAAA,EAA2B,yBAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,6BAAA,EAA+B,6BAAA;AAAA;AAAA,EAE/B,8BAAA,EAAgC,8BAAA;AAAA;AAAA,EAEhC,2BAAA,EAA6B,2BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,4BAAA;AAAA;AAAA,EAE9B,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,sBAAA,EAAwB,sBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,uBAAA;AAAA;AAAA,EAEzB,oBAAA,EAAsB,oBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,0BAAA,EAA4B,0BAAA;AAAA;AAAA,EAE5B,wBAAA,EAA0B,wBAAA;AAAA;AAAA,EAE1B,yBAAA,EAA2B,yBAAA;AAAA;AAAA,EAE3B,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEj
B,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,gBAAA,EAAkB,gBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,mBAAA,EAAqB,mBAAA;AAAA;AAAA,EAErB,iBAAA,EAAmB,iBAAA;AAAA;AAAA,EAEnB,kBAAA,EAAoB,kBAAA;AAAA;AAAA,EAEpB,UAAA,EAAY,UAAA;AAAA;AAAA,EAEZ,aAAA,EAAe,aAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,cAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,eAAA;AAAA;AAAA,EAEjB,qBAAA,EAAuB,qBAAA;AAAA;AAAA,EAEvB,qBAAA,EAAuB;AACzB;AAeO,IAAM,WAAA,GAAc;AAAA,EACzB,UAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,uBAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,0BAAA;AAAA,EACA,oBAAA;AAAA,EACA,iBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,sBAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,2BAAA;AAAA,EACA,4BAAA;AAAA,EACA,yBAAA;AAAA,EACA,0BAAA;AAAA,EACA,6BAAA;AAAA,EACA,8BAAA;AAAA,EACA,2BAAA;AAAA,EACA,4BAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,qBAAA;AAAA,EACA,sBAAA;AAAA,EACA,sBAAA;AAAA,EACA,uBAAA;AAAA,EACA,oBAAA;AAAA,EACA,qBAAA;AAAA,EACA,0BAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA,aAAA;AAAA,EACA,qBAAA;AAAA,EACA,eAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,cAAA;AAAA,EACA,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AAaO,IAAM,oBAAA,GAAuB;AAAA;AAAA,EAElC,QAAA,EAAU,UAAA;AAAA;AAAA,EAEV,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc
,cAAA;AAAA;AAAA,EAEd,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,QAAA,EAAU,UAAA;AAAA;AAAA,EAEV,SAAA,EAAW,WAAA;AAAA;AAAA,EAEX,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,iBAAA,EAAmB,mBAAA;AAAA;AAAA,EAEnB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,yBAAA,EAA2B,2BAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,4BAAA;AAAA;AAAA,EAE5B,uBAAA,EAAyB,yBAAA;AAAA;AAAA,EAEzB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,2BAAA,EAA6B,6BAAA;AAAA;AAAA,EAE7B,4BAAA,EAA8B,8BAAA;AAAA;AAAA,EAE9B,yBAAA,EAA2B,2BAAA;AAAA;AAAA,EAE3B,0BAAA,EAA4B,4BAAA;AAAA;AAAA,EAE5B,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,sBAAA,EAAwB,wBAAA;AAAA;AAAA,EAExB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,oBAAA,EAAsB,sBAAA;AAAA;AAAA,EAEtB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,kBAAA,EAAoB,oBAAA;AAAA;AAAA,EAEpB,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,wBAAA,EAA0B,0BAAA;AAAA;AAAA,EAE1B,sBAAA,EAAwB,wBAAA;AAAA;AAAA,EAExB,uBAAA,EAAyB,yBAAA;AAAA;AAAA,EAEzB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,mBAAA,EAAqB,qBAAA;AAAA;AAAA,EAErB,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,UAAA,EAAY,YAAA;AAAA;AAAA,EAEZ,aAAA,EAAe,eAAA;AAAA;AAAA,EAEf,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,WAAA,EAAa,aAAA;AAAA;AAAA,EAEb,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,YAAA,EAAc,cAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,iBAAA,EAAmB,mBAAA;AA
AA;AAAA,EAEnB,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAEhB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,iBAAA,EAAmB,mBAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,iBAAA;AAAA;AAAA,EAEjB,gBAAA,EAAkB;AACpB;AAoCO,SAAS,yBAAyB,OAAA,EAA+C;AACtF,EAAA,OAAO,OAAA,IAAW,mBAAA;AACpB;AAKO,SAAS,oBAAoB,WAAA,EAA2D;AAC7F,EAAA,OAAO,WAAA,CAAY,MAAM,wBAAwB,CAAA;AACnD;;;AC1eO,SAAS,gBACd,IAAA,EACmC;AACnC,EAAA,OAAO,MAAA,IAAU,IAAA,IAAQ,IAAA,CAAK,IAAA,KAAS,IAAA;AACzC;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,QAAQ,OAAO,IAAA,KAAS,YAAY,OAAQ,IAAA,CAAa,MAAM,CAAA,KAAM,UAAA;AACvF;AAKA,SAAS,kBAAkB,IAAA,EAAwB;AACjD,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAE9C,EAAA,OAAO,mBAAA,IAAuB,IAAA,IAAS,IAAA,CAAwC,iBAAA,KAAsB,IAAA;AACvG;AAMA,SAAS,aAAa,IAAA,EAAwB;AAC5C,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAC9C,EAAA,OAAO,cAAA,IAAkB,IAAA,IAAS,IAAA,CAAmC,YAAA,KAAiB,IAAA;AACxF;AAKA,SAAS,0BAA0B,WAAA,EAAgC;AACjE,EAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,KAAM,GAAA,IAAO,MAAM,KAAK,CAAA;AACvD;AAEA,SAAS,aAAa,OAAA,EAAsC;AAC1D,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,iBAAiB,CAAA;AAC1D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO,aAAa,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAK;AAAA,EAC1C;AAEA,EAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAAK,MAAA;AAC7C;AAEA,SAAS,mBAAA,CAAoB;AAAA,EAC3B,OAAA;AAAA,EACA,IAAA;AAAA,EACA,UAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF,CAAA,EAQS;AACP,EAAA,MAAM,UAAUA,uCAAA,EAAsB;AAEtC,EAAA,IAAI;AACF,IAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,IAAAC,gCAAA,CAAe,oBAAoB,IAAA,EAAM,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAeC,oDAAiC,EAAG;AAAA,MACxG,aAAA,EAAe,UAAA;AAAA,MACf,cAAc,OAAA,CAAQ,WAAA;AAAA,MACtB,kBAAA,EAAoB,KAAA;AAAA,MACpB,QAAA,EAAU,OAAA;AAAA,MACV,cAAA,EAAgB,QAAA;AAAA,MAChB,YAAA;AAAA,MACA,SAAS,IAAA,EAAM,EAAA;AAAA,MACf,GAAA,EAAK,EAAA;AAAA,MACL,kBAAkB,OAAA,CAAQ,QAAA;AAAA,MAC1B,cAAc,OAAA,CAAQ;AAAA,KACvB,CAAA;AAAA,EACH,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAgDA,eAAsB,iBAAA,CACpB,IAAA,EACA,OAAA,EACA,OAAA,EAC6D;AAE7D,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,E
AAO,IAAA,EAAK;AAAA,EACvC;AAIA,EAAA,MAAM,aAAaC,gCAAA,EAAe;AAClC,EAAA,MAAM,OAAA,GAAU,kBAAkB,IAAI,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,aAAa,IAAI,CAAA;AAClC,EAAA,MAAM,QAAQC,kCAAA,EAAiB;AAC/B,EAAA,MAAM,iBAAA,GAAoB,UAAA,IAAc,OAAA,IAAW,QAAA,IAAY,KAAA;AAG/D,EAAA,IAAI,KAAA,GAAyC,IAAA;AAE7C,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AACzE,EAAA,MAAM,cAAA,GAAiB,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,IAAK,iBAAA;AAGpF,EAAA,MAAM,GAAA,GAAA,CAAO,OAAA,EAAS,SAAA,IAAa,MAAA,EAAQ,IAAA,EAAK;AAChD,EAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,EAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,EAAA,MAAM,WAAA,GAAc,GAAG,MAAM,CAAA,eAAA,CAAA;AAG7B,EAAA,IAAI,aAAA,GAAgB,IAAA;AACpB,EAAA,IAAI,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AAC7D,IAAA,MAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAA,IAAI,OAAO,mBAAA,CAAoB,eAAA,KAAoB,UAAA,EAAY;AAC7D,MAAA,aAAA,GAAgB,oBAAoB,eAAA,EAAgB;AAAA,IACtD;AAAA,EACF;AAEA,EAAA,IAAI,UAAU,cAAA,EAAgB;AAC5B,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,aAAA;AAAA,MACA,aAAa,SAAA,CAAU,WAAA;AAAA,MACvB,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,MAAA,EAAQ;AACjB,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAqB;AAC9D,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,aAAa,SAAA,CAAU,WAAA;AAAA,MACvB,GAAA,EAAK;AAAA,QACH,GAAG,SAAA;AAAA,QACH,GAAA,EAAK;AAAA;AACP,KACF;AAAA,EACF,WAAW,cAAA,EAAgB;AAEzB,IAAA,KAAA,GAAQ;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAGA,EAAA,IAAI,IAAA,GAAsB,IAAA;AAC1B,EAAA,IAAI,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA,EAAmB;AACnF,IAAA,IAAI;AACF,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;AAAA,IAC1C,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,GAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,mBAAA,CAAoB,EAAE,OAAA,EAAS,IAAA,EAAM,YAAY,KAAA,EAAO,OAAA,EAAS,UAAU,CAAA;AAC3E,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,KAAA,EAAM;AAAA,EAChC;AAGA,EAAA,MAAM,eAAe,OAAA,EAAS,IAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,CAAC,CAAC
,YAAA,IAAgB,iBAAA;AAGlC,EAAA,MAAM,MAAA,GAAS,CAAC,CAAC,OAAA,EAAS,GAAA,IAAO,iBAAA;AAGjC,EAAA,MAAM,YAAA,GAAgC;AAAA,IACpC,IAAA,EAAM,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA;AAAA,IACpE,OAAA,EAAS,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,iBAAA;AAAA,IACzE,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AAAA,IAC/D,IAAA,EAAM,OAAA;AAAA,IACN,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,WAAW,CAAA,IAAK,iBAAA;AAAA,IAC7D,GAAA,EAAK;AAAA,GACP;AAGA,EAAA,IAAI,MAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAW,YAAA,EAAc;AAC3B,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,YAAA,CAAa,QAAA,CAAS,IAAI,CAAA;AAC9C,MAAA,MAAM,WAAA,GAAc,MAAM,YAAA,CAAa,cAAA,CAAe,IAAI,CAAA;AAC1D,MAAA,MAAA,GAAS,EAAE,OAAO,WAAA,EAAY;AAC9B,MAAA,MAAM,UAAUJ,uCAAA,EAAsB;AACtC,MAAA,IAAI;AACF,QAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,QAAAC,gCAAA,CAAe,mBAAmB,IAAA,CAAK,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAeC,oDAAiC,EAAG;AAAA,UACtG,OAAA,EAAS,MAAA;AAAA,UACT,SAAS,IAAA,CAAK,EAAA;AAAA,UACd,0BAAA,EAA4B,IAAA,CAAK,QAAA,GAAW,0BAA0B,CAAA;AAAA,UACtE,YAAY,KAAA,CAAM,MAAA;AAAA,UAClB,kBAAkB,WAAA,CAAY,MAAA;AAAA,UAC9B,GAAA,EAAK,EAAA;AAAA,UACL,eAAe,OAAA,CAAQ,KAAA;AAAA,UACvB,cAAc,OAAA,CAAQ,WAAA;AAAA,UACtB,oBAAoB,OAAA,CAAQ;AAAA,SAC7B,CAAA;AAAA,MACH,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF,CAAA,CAAA,MAAQ;AAEN,MAAA,MAAA,GAAS,IAAA;AAAA,IACX;AAAA,EACF;AAKA,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI,MAAA,IAAU,cAAc,iBAAA,EAAmB;AAC7C,IAAA,IAAI,yBAAA,CAA0B,MAAA,CAAO,WAAW,CAAA,EAAG;AACjD,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,YAAA,CAAa,iBAAA,EAAkB;AACtD,QAAA,MAAM,wBAAwB,YAAA,CAAa,qBAAA;AAC3C,QAAA,IAAI,qBAAA,EAAuB;AAEzB,UAAA,MAAM,eAAA,GAAkB,MAAM,OAAA,CAAQ,UAAA;AAAA,YACpC,QAAA,CAAS,GAAA,CAAI,OAAM,IAAA,MAAS;AAAA,cAC1B,IAAA;AAAA,cACA,KAAA,EAAO,MAAM,qBAAA,CAAsB,IAAA,CAAK,EAAE;AAAA,aAC5C,CAAE;AAAA,WACJ;AACA,UAAA,cAAA,GAAiB,eAAA,CAAgB,QAAQ,CAAA,MAAA,KAAU;AACjD,YAAA,IAAI,MAAA,CAAO,WAAW,WAAA,EAAa;AACjC,cAAA,OAAA,CAAQ,IAAA,CAAK,gDAAA,EAAkD,MAAA,CAAO,MAAM,CAAA;AAC5E,cAAA,OAAO,EAAC;AAAA,YACV;AACA,YAAA,OAAO,yBAAA,CAA0B,MAAA,CAAO,KAAA,CAAM,KAAK,CAAA,GAAI,EAAC,GAAI,CAAC,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA;AAAA,UAChF,CAAC,CAAA;AAAA
,QACH,CAAA,MAAO;AACL,UAAA,cAAA,GAAiB,QAAA;AAAA,QACnB;AAAA,MACF,SAAS,KAAA,EAAO;AAGd,QAAA,OAAA,CAAQ,IAAA,CAAK,4DAA4D,KAAK,CAAA;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,mBAAA,CAAoB,EAAE,SAAS,IAAA,EAAM,UAAA,EAAY,OAAO,OAAA,EAAS,QAAA,EAAU,cAAc,CAAA;AAEzF,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,IAAA;AAAA,IACT,KAAA;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,IACA,YAAA;AAAA,IACA,MAAA;AAAA,IACA;AAAA,GACF;AACF;;;AC1YO,IAAM,aAAA,GAAkC;AAAA,EAC7C;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,0CAAA;AAAA,IACb,WAAA,EAAa,CAAC,GAAG;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,OAAA;AAAA,IACJ,IAAA,EAAM,OAAA;AAAA,IACN,WAAA,EAAa,4CAAA;AAAA,IACb,WAAA,EAAa;AAAA,MACX,QAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,WAAA;AAAA,MACA;AAAA;AAAA;AAEF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,8BAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAA,EAAU,WAAW;AAAA,GACrC;AAAA,EACA;AAAA,IACE,EAAA,EAAI,QAAA;AAAA,IACJ,IAAA,EAAM,QAAA;AAAA,IACN,WAAA,EAAa,kBAAA;AAAA,IACb,WAAA,EAAa,CAAC,QAAQ;AAAA;AAE1B;AAWO,SAAS,eAAe,MAAA,EAA4C;AACzE,EAAA,OAAO,aAAA,CAAc,IAAA,CAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,OAAO,MAAM,CAAA;AACtD;AAWO,SAAS,kBAAA,CAAmB,OAAA,EAAmB,KAAA,GAA0B,aAAA,EAAyB;AACvG,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAEhC,EAAA,SAAS,YAAY,MAAA,EAAgB;AACnC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AACzB,IAAA,OAAA,CAAQ,IAAI,MAAM,CAAA;AAElB,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAC5C,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,KAAA,MAAW,UAAA,IAAc,KAAK,WAAA,EAAa;AACzC,MAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA,IAC5B;AAGA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,KAAA,MAAW,eAAA,IAAmB,KAAK,QAAA,EAAU;AAC3C,QAAA,WAAA,CAAY,eAAe,CAAA;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAEA,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,IAAA,WAAA,CAAY,MAAM,CAAA;AAAA,EACpB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;AAOA,IAAM,mBAAA,GAAyD;AAAA,EAC7D,MAAA,EAAQ;AAAA,IACN,eAAA;AAAA,IA
CA,oBAAA;AAAA,IACA,sBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA;AAEJ,CAAA;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAIlD,EAAA,MAAM,gBAAA,GAAmB,mBAAA,CAAoB,YAAA,CAAa,CAAC,KAAK,EAAE,CAAA;AAClE,EAAA,IAAI,oBAAoB,gBAAA,CAAiB,QAAA,CAAS,cAAc,CAAC,CAAA,IAAK,EAAE,CAAA,EAAG;AACzE,IAAA,MAAM,OAAA,GAAU,CAAC,aAAA,CAAc,CAAC,CAAA,EAAG,GAAG,YAAA,CAAa,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AACrE,IAAA,OAAO,iBAAA,CAAkB,SAAS,kBAAkB,CAAA;AAAA,EACtD;AAGA,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAAA,EAC5B;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AAAA,IACvB;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AAAA,EACvB;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AAAA,EACT;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AASO,SAAS,aAAA,CAAc,iBAA2B,kBAAA,EAAqC;AAC5F,EAAA,OAAO,gBAAgB,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,kBAAkB,CAAC,CAAA;AAC3E;AA4BO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AACpC,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAC;AAE7C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CA
AA;AAAA,MACtB;AAAA,IACF,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;;;AC5MO,IAAM,qBAAN,MAA0E;AAAA,EACvE,KAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA,uBAAsB,GAAA,EAAsB;AAAA;AAAA,EAGpD,IAAI,WAAA,GAAuC;AACzC,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA,EAEA,YAAY,OAAA,EAA2C;AACrD,IAAA,IAAI,OAAA,IAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,EAAO;AACvC,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AAAA,IACvB;AACA,IAAA,IAAI,aAAA,IAAiB,OAAA,IAAW,OAAA,CAAQ,WAAA,EAAa;AACnD,MAAA,IAAA,CAAK,eAAe,OAAA,CAAQ,WAAA;AAAA,IAC9B;AACA,IAAA,IAAA,CAAK,iBAAiB,OAAA,CAAQ,YAAA;AAAA,EAChC;AAAA,EAEA,MAAM,SAAS,IAAA,EAAgC;AAC7C,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAC9C,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEA,MAAM,OAAA,CAAQ,IAAA,EAAa,IAAA,EAAgC;AACzD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,eAAe,IAAA,EAAgC;AACnD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAGxC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,IAAA,EAAK,CAAE,KAAK,GAAG,CAAA;AACxC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,QAAQ,OAAO,MAAA;AAGnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,YAAA,EAAc;AAErB,MAAA,WAAA,GAAc,6BAAA,CAA8B,OAAA,EAAS,IAAA,CAAK,YAAY,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AAErB,MAAA,WAAA,GAAc,kBAAA,CAAmB,OAAA,EAAS,IAAA,CAAK,KAAK,CAAA;AAAA,IACtD,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,EAAC;AAAA,IACjB;AAGA,IAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAE9C,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEA,MAAM,aAAA,CAAc,IAAA,EAAa,UAAA,EAAsC;AACrE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA,EAEA,MAAM,iBAAA,CAAkB,IAAA,EAAa,WAAA,EAAyC;AAC5E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;
AAAA,EAEA,MAAM,gBAAA,CAAiB,IAAA,EAAa,WAAA,EAAyC;AAC3E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAA,GAAuC;AACrC,IAAA,OAAO,IAAA,CAAK,SAAS,EAAC;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,MAAA,EAA4C;AAC5D,IAAA,OAAO,KAAK,KAAA,EAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBAAA,GAA6D;AACjE,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,EAAA,EAAI,CAAA,CAAE,EAAA,EAAI,IAAA,EAAM,CAAA,CAAE,IAAA,EAAK,CAAE,CAAA;AAAA,IACzD;AACA,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,YAAY,CAAA,CACjC,OAAO,CAAA,CAAA,KAAK,CAAA,KAAM,UAAU,CAAA,CAC5B,IAAI,CAAA,CAAA,MAAM,EAAE,IAAI,CAAA,EAAG,IAAA,EAAM,GAAE,CAAE,CAAA;AAAA,IAClC;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,MAAA,EAAmC;AAC7D,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,6BAAA,CAA8B,CAAC,MAAM,CAAA,EAAG,KAAK,YAAY,CAAA;AAAA,IAClE;AACA,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,kBAAA,CAAmB,CAAC,MAAM,CAAA,EAAG,KAAK,KAAK,CAAA;AAAA,IAChD;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AACF","file":"chunk-BJ6L3GE6.cjs","sourcesContent":["/**\n * AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY\n *\n * This file is generated by packages/server/scripts/generate-permissions.ts\n * Run `pnpm generate:permissions` from packages/server to regenerate.\n *\n * Source of truth: SERVER_ROUTES in @mastra/server\n */\n\n/**\n * All known API resources.\n * Derived from SERVER_ROUTES paths in @mastra/server.\n */\nexport const RESOURCES = [\n  'a2a',\n  'agents',\n  'background-tasks',\n  'channels',\n  'datasets',\n  'embedders',\n  'experiments',\n  'logs',\n  'mcp',\n  'memory',\n  'observability',\n  'processor-providers',\n  'processors',\n  'schedules',\n  'scores',\n  
'stored-agents',\n  'stored-mcp-clients',\n  'stored-prompt-blocks',\n  'stored-scorers',\n  'stored-skills',\n  'stored-workspaces',\n  'system',\n  'tool-providers',\n  'tools',\n  'vector',\n  'vectors',\n  'workflows',\n  'workspaces',\n] as const;\n\n/**\n * Resource type union.\n */\nexport type Resource = (typeof RESOURCES)[number];\n\n/**\n * All permission actions.\n * Derived from HTTP methods and route overrides:\n * - GET → read\n * - POST → write or execute (context-dependent)\n * - PUT/PATCH → write\n * - DELETE → delete\n * - Additional actions from explicit requiresPermission overrides\n */\nexport const ACTIONS = ['create', 'delete', 'execute', 'publish', 'read', 'share', 'write'] as const;\n\n/**\n * Action type union.\n */\nexport type Action = (typeof ACTIONS)[number];\n\n/**\n * All valid permission patterns.\n * Use `keyof typeof PERMISSION_PATTERNS` or the `PermissionPattern` type.\n */\nexport const PERMISSION_PATTERNS = {\n  /** Full access to all resources and actions */\n  '*': '*',\n  /** Create all resources */\n  '*:create': '*:create',\n  /** Delete all resources */\n  '*:delete': '*:delete',\n  /** Execute all resources */\n  '*:execute': '*:execute',\n  /** Publish, activate, or restore all resources */\n  '*:publish': '*:publish',\n  /** View all resources */\n  '*:read': '*:read',\n  /** Change visibility/audience all resources */\n  '*:share': '*:share',\n  /** Create and modify all resources */\n  '*:write': '*:write',\n  /** Full access to agent-to-agent communication */\n  'a2a:*': 'a2a:*',\n  /** Full access to agents */\n  'agents:*': 'agents:*',\n  /** Full access to background tasks */\n  'background-tasks:*': 'background-tasks:*',\n  /** Full access to channels */\n  'channels:*': 'channels:*',\n  /** Full access to datasets */\n  'datasets:*': 'datasets:*',\n  /** Full access to embedders */\n  'embedders:*': 'embedders:*',\n  /** Full access to experiments */\n  'experiments:*': 'experiments:*',\n  /** Full access to 
logs */\n  'logs:*': 'logs:*',\n  /** Full access to MCP servers */\n  'mcp:*': 'mcp:*',\n  /** Full access to memory and threads */\n  'memory:*': 'memory:*',\n  /** Full access to traces and spans */\n  'observability:*': 'observability:*',\n  /** Full access to processor-providers */\n  'processor-providers:*': 'processor-providers:*',\n  /** Full access to processors */\n  'processors:*': 'processors:*',\n  /** Full access to schedules */\n  'schedules:*': 'schedules:*',\n  /** Full access to evaluation scores */\n  'scores:*': 'scores:*',\n  /** Full access to stored agents */\n  'stored-agents:*': 'stored-agents:*',\n  /** Full access to stored MCP clients */\n  'stored-mcp-clients:*': 'stored-mcp-clients:*',\n  /** Full access to stored prompt blocks */\n  'stored-prompt-blocks:*': 'stored-prompt-blocks:*',\n  /** Full access to stored scorers */\n  'stored-scorers:*': 'stored-scorers:*',\n  /** Full access to stored skills */\n  'stored-skills:*': 'stored-skills:*',\n  /** Full access to stored workspaces */\n  'stored-workspaces:*': 'stored-workspaces:*',\n  /** Full access to system info */\n  'system:*': 'system:*',\n  /** Full access to tool-providers */\n  'tool-providers:*': 'tool-providers:*',\n  /** Full access to tools */\n  'tools:*': 'tools:*',\n  /** Full access to vector stores */\n  'vector:*': 'vector:*',\n  /** Full access to vectors */\n  'vectors:*': 'vectors:*',\n  /** Full access to workflows */\n  'workflows:*': 'workflows:*',\n  /** Full access to workspaces */\n  'workspaces:*': 'workspaces:*',\n  /** View agent-to-agent communication */\n  'a2a:read': 'a2a:read',\n  /** Create and modify agent-to-agent communication */\n  'a2a:write': 'a2a:write',\n  /** Create agents */\n  'agents:create': 'agents:create',\n  /** Delete agents */\n  'agents:delete': 'agents:delete',\n  /** Execute agents */\n  'agents:execute': 'agents:execute',\n  /** View agents */\n  'agents:read': 'agents:read',\n  /** Create and modify agents */\n  
'agents:write': 'agents:write',\n  /** View background tasks */\n  'background-tasks:read': 'background-tasks:read',\n  /** View channels */\n  'channels:read': 'channels:read',\n  /** Create and modify channels */\n  'channels:write': 'channels:write',\n  /** Delete datasets */\n  'datasets:delete': 'datasets:delete',\n  /** Execute datasets */\n  'datasets:execute': 'datasets:execute',\n  /** View datasets */\n  'datasets:read': 'datasets:read',\n  /** Create and modify datasets */\n  'datasets:write': 'datasets:write',\n  /** View embedders */\n  'embedders:read': 'embedders:read',\n  /** View experiments */\n  'experiments:read': 'experiments:read',\n  /** View logs */\n  'logs:read': 'logs:read',\n  /** Execute MCP servers */\n  'mcp:execute': 'mcp:execute',\n  /** View MCP servers */\n  'mcp:read': 'mcp:read',\n  /** Create and modify MCP servers */\n  'mcp:write': 'mcp:write',\n  /** Delete memory and threads */\n  'memory:delete': 'memory:delete',\n  /** Execute memory and threads */\n  'memory:execute': 'memory:execute',\n  /** View memory and threads */\n  'memory:read': 'memory:read',\n  /** Create and modify memory and threads */\n  'memory:write': 'memory:write',\n  /** View traces and spans */\n  'observability:read': 'observability:read',\n  /** Create and modify traces and spans */\n  'observability:write': 'observability:write',\n  /** View processor-providers */\n  'processor-providers:read': 'processor-providers:read',\n  /** Execute processors */\n  'processors:execute': 'processors:execute',\n  /** View processors */\n  'processors:read': 'processors:read',\n  /** Execute schedules */\n  'schedules:execute': 'schedules:execute',\n  /** View schedules */\n  'schedules:read': 'schedules:read',\n  /** Create and modify schedules */\n  'schedules:write': 'schedules:write',\n  /** View evaluation scores */\n  'scores:read': 'scores:read',\n  /** Create and modify evaluation scores */\n  'scores:write': 'scores:write',\n  /** Delete stored agents 
*/\n  'stored-agents:delete': 'stored-agents:delete',\n  /** Publish, activate, or restore stored agents */\n  'stored-agents:publish': 'stored-agents:publish',\n  /** View stored agents */\n  'stored-agents:read': 'stored-agents:read',\n  /** Create and modify stored agents */\n  'stored-agents:write': 'stored-agents:write',\n  /** Delete stored MCP clients */\n  'stored-mcp-clients:delete': 'stored-mcp-clients:delete',\n  /** Publish, activate, or restore stored MCP clients */\n  'stored-mcp-clients:publish': 'stored-mcp-clients:publish',\n  /** View stored MCP clients */\n  'stored-mcp-clients:read': 'stored-mcp-clients:read',\n  /** Create and modify stored MCP clients */\n  'stored-mcp-clients:write': 'stored-mcp-clients:write',\n  /** Delete stored prompt blocks */\n  'stored-prompt-blocks:delete': 'stored-prompt-blocks:delete',\n  /** Publish, activate, or restore stored prompt blocks */\n  'stored-prompt-blocks:publish': 'stored-prompt-blocks:publish',\n  /** View stored prompt blocks */\n  'stored-prompt-blocks:read': 'stored-prompt-blocks:read',\n  /** Create and modify stored prompt blocks */\n  'stored-prompt-blocks:write': 'stored-prompt-blocks:write',\n  /** Delete stored scorers */\n  'stored-scorers:delete': 'stored-scorers:delete',\n  /** Publish, activate, or restore stored scorers */\n  'stored-scorers:publish': 'stored-scorers:publish',\n  /** View stored scorers */\n  'stored-scorers:read': 'stored-scorers:read',\n  /** Create and modify stored scorers */\n  'stored-scorers:write': 'stored-scorers:write',\n  /** Delete stored skills */\n  'stored-skills:delete': 'stored-skills:delete',\n  /** Publish, activate, or restore stored skills */\n  'stored-skills:publish': 'stored-skills:publish',\n  /** View stored skills */\n  'stored-skills:read': 'stored-skills:read',\n  /** Create and modify stored skills */\n  'stored-skills:write': 'stored-skills:write',\n  /** Delete stored workspaces */\n  'stored-workspaces:delete': 
'stored-workspaces:delete',\n  /** View stored workspaces */\n  'stored-workspaces:read': 'stored-workspaces:read',\n  /** Create and modify stored workspaces */\n  'stored-workspaces:write': 'stored-workspaces:write',\n  /** View system info */\n  'system:read': 'system:read',\n  /** View tool-providers */\n  'tool-providers:read': 'tool-providers:read',\n  /** Execute tools */\n  'tools:execute': 'tools:execute',\n  /** View tools */\n  'tools:read': 'tools:read',\n  /** Delete vector stores */\n  'vector:delete': 'vector:delete',\n  /** Execute vector stores */\n  'vector:execute': 'vector:execute',\n  /** View vector stores */\n  'vector:read': 'vector:read',\n  /** Create and modify vector stores */\n  'vector:write': 'vector:write',\n  /** View vectors */\n  'vectors:read': 'vectors:read',\n  /** Delete workflows */\n  'workflows:delete': 'workflows:delete',\n  /** Execute workflows */\n  'workflows:execute': 'workflows:execute',\n  /** View workflows */\n  'workflows:read': 'workflows:read',\n  /** Create and modify workflows */\n  'workflows:write': 'workflows:write',\n  /** Delete workspaces */\n  'workspaces:delete': 'workspaces:delete',\n  /** View workspaces */\n  'workspaces:read': 'workspaces:read',\n  /** Create and modify workspaces */\n  'workspaces:write': 'workspaces:write',\n  /** Full access to all stored resource families */\n  'stored:*': 'stored:*',\n  /** View all stored resource families */\n  'stored:read': 'stored:read',\n  /** Create and modify all stored resource families */\n  'stored:write': 'stored:write',\n  /** Delete all stored resource families */\n  'stored:delete': 'stored:delete',\n  /** Change visibility/audience stored agents */\n  'stored-agents:share': 'stored-agents:share',\n  /** Change visibility/audience stored skills */\n  'stored-skills:share': 'stored-skills:share',\n} as const;\n\n/**\n * Permission pattern that can be used in role definitions.\n * Supports:\n * - Specific permissions: 'agents:read', 
'workflows:execute'\n * - Resource wildcards: 'agents:*', 'workflows:*' (all actions on a resource)\n * - Action wildcards: '*:read', '*:write' (an action across all resources)\n * - Global wildcard: '*' (full access)\n */\nexport type PermissionPattern = keyof typeof PERMISSION_PATTERNS;\n\n/**\n * All valid resource:action permission combinations (excludes wildcards).\n */\nexport const PERMISSIONS = [\n  'a2a:read',\n  'a2a:write',\n  'agents:create',\n  'agents:delete',\n  'agents:execute',\n  'agents:read',\n  'agents:write',\n  'background-tasks:read',\n  'channels:read',\n  'channels:write',\n  'datasets:delete',\n  'datasets:execute',\n  'datasets:read',\n  'datasets:write',\n  'embedders:read',\n  'experiments:read',\n  'logs:read',\n  'mcp:execute',\n  'mcp:read',\n  'mcp:write',\n  'memory:delete',\n  'memory:execute',\n  'memory:read',\n  'memory:write',\n  'observability:read',\n  'observability:write',\n  'processor-providers:read',\n  'processors:execute',\n  'processors:read',\n  'schedules:execute',\n  'schedules:read',\n  'schedules:write',\n  'scores:read',\n  'scores:write',\n  'stored-agents:delete',\n  'stored-agents:publish',\n  'stored-agents:read',\n  'stored-agents:write',\n  'stored-mcp-clients:delete',\n  'stored-mcp-clients:publish',\n  'stored-mcp-clients:read',\n  'stored-mcp-clients:write',\n  'stored-prompt-blocks:delete',\n  'stored-prompt-blocks:publish',\n  'stored-prompt-blocks:read',\n  'stored-prompt-blocks:write',\n  'stored-scorers:delete',\n  'stored-scorers:publish',\n  'stored-scorers:read',\n  'stored-scorers:write',\n  'stored-skills:delete',\n  'stored-skills:publish',\n  'stored-skills:read',\n  'stored-skills:write',\n  'stored-workspaces:delete',\n  'stored-workspaces:read',\n  'stored-workspaces:write',\n  'system:read',\n  'tool-providers:read',\n  'tools:execute',\n  'tools:read',\n  'vector:delete',\n  'vector:execute',\n  'vector:read',\n  'vector:write',\n  'vectors:read',\n  'workflows:delete',\n  
'workflows:execute',\n  'workflows:read',\n  'workflows:write',\n  'workspaces:delete',\n  'workspaces:read',\n  'workspaces:write',\n] as const;\n\n/**\n * Specific permission type (e.g., 'agents:read', 'workflows:execute').\n */\nexport type Permission = (typeof PERMISSIONS)[number];\n\n/**\n * Type-safe constants for Mastra-owned FGA permissions.\n *\n * These values are generated from server routes and can be used wherever\n * Mastra checks or maps FGA permissions.\n */\nexport const MastraFGAPermissions = {\n  /** View agent-to-agent communication */\n  A2A_READ: 'a2a:read',\n  /** Create and modify agent-to-agent communication */\n  A2A_WRITE: 'a2a:write',\n  /** Create agents */\n  AGENTS_CREATE: 'agents:create',\n  /** Delete agents */\n  AGENTS_DELETE: 'agents:delete',\n  /** Execute agents */\n  AGENTS_EXECUTE: 'agents:execute',\n  /** View agents */\n  AGENTS_READ: 'agents:read',\n  /** Create and modify agents */\n  AGENTS_WRITE: 'agents:write',\n  /** View background tasks */\n  BACKGROUND_TASKS_READ: 'background-tasks:read',\n  /** View channels */\n  CHANNELS_READ: 'channels:read',\n  /** Create and modify channels */\n  CHANNELS_WRITE: 'channels:write',\n  /** Delete datasets */\n  DATASETS_DELETE: 'datasets:delete',\n  /** Execute datasets */\n  DATASETS_EXECUTE: 'datasets:execute',\n  /** View datasets */\n  DATASETS_READ: 'datasets:read',\n  /** Create and modify datasets */\n  DATASETS_WRITE: 'datasets:write',\n  /** View embedders */\n  EMBEDDERS_READ: 'embedders:read',\n  /** View experiments */\n  EXPERIMENTS_READ: 'experiments:read',\n  /** View logs */\n  LOGS_READ: 'logs:read',\n  /** Execute MCP servers */\n  MCP_EXECUTE: 'mcp:execute',\n  /** View MCP servers */\n  MCP_READ: 'mcp:read',\n  /** Create and modify MCP servers */\n  MCP_WRITE: 'mcp:write',\n  /** Delete memory and threads */\n  MEMORY_DELETE: 'memory:delete',\n  /** Execute memory and threads */\n  MEMORY_EXECUTE: 'memory:execute',\n  /** View memory and threads */\n  
MEMORY_READ: 'memory:read',\n  /** Create and modify memory and threads */\n  MEMORY_WRITE: 'memory:write',\n  /** View traces and spans */\n  OBSERVABILITY_READ: 'observability:read',\n  /** Create and modify traces and spans */\n  OBSERVABILITY_WRITE: 'observability:write',\n  /** View processor-providers */\n  PROCESSOR_PROVIDERS_READ: 'processor-providers:read',\n  /** Execute processors */\n  PROCESSORS_EXECUTE: 'processors:execute',\n  /** View processors */\n  PROCESSORS_READ: 'processors:read',\n  /** Execute schedules */\n  SCHEDULES_EXECUTE: 'schedules:execute',\n  /** View schedules */\n  SCHEDULES_READ: 'schedules:read',\n  /** Create and modify schedules */\n  SCHEDULES_WRITE: 'schedules:write',\n  /** View evaluation scores */\n  SCORES_READ: 'scores:read',\n  /** Create and modify evaluation scores */\n  SCORES_WRITE: 'scores:write',\n  /** Delete stored agents */\n  STORED_AGENTS_DELETE: 'stored-agents:delete',\n  /** Publish, activate, or restore stored agents */\n  STORED_AGENTS_PUBLISH: 'stored-agents:publish',\n  /** View stored agents */\n  STORED_AGENTS_READ: 'stored-agents:read',\n  /** Create and modify stored agents */\n  STORED_AGENTS_WRITE: 'stored-agents:write',\n  /** Delete stored MCP clients */\n  STORED_MCP_CLIENTS_DELETE: 'stored-mcp-clients:delete',\n  /** Publish, activate, or restore stored MCP clients */\n  STORED_MCP_CLIENTS_PUBLISH: 'stored-mcp-clients:publish',\n  /** View stored MCP clients */\n  STORED_MCP_CLIENTS_READ: 'stored-mcp-clients:read',\n  /** Create and modify stored MCP clients */\n  STORED_MCP_CLIENTS_WRITE: 'stored-mcp-clients:write',\n  /** Delete stored prompt blocks */\n  STORED_PROMPT_BLOCKS_DELETE: 'stored-prompt-blocks:delete',\n  /** Publish, activate, or restore stored prompt blocks */\n  STORED_PROMPT_BLOCKS_PUBLISH: 'stored-prompt-blocks:publish',\n  /** View stored prompt blocks */\n  STORED_PROMPT_BLOCKS_READ: 'stored-prompt-blocks:read',\n  /** Create and modify stored prompt blocks */\n  
STORED_PROMPT_BLOCKS_WRITE: 'stored-prompt-blocks:write',\n  /** Delete stored scorers */\n  STORED_SCORERS_DELETE: 'stored-scorers:delete',\n  /** Publish, activate, or restore stored scorers */\n  STORED_SCORERS_PUBLISH: 'stored-scorers:publish',\n  /** View stored scorers */\n  STORED_SCORERS_READ: 'stored-scorers:read',\n  /** Create and modify stored scorers */\n  STORED_SCORERS_WRITE: 'stored-scorers:write',\n  /** Delete stored skills */\n  STORED_SKILLS_DELETE: 'stored-skills:delete',\n  /** Publish, activate, or restore stored skills */\n  STORED_SKILLS_PUBLISH: 'stored-skills:publish',\n  /** View stored skills */\n  STORED_SKILLS_READ: 'stored-skills:read',\n  /** Create and modify stored skills */\n  STORED_SKILLS_WRITE: 'stored-skills:write',\n  /** Delete stored workspaces */\n  STORED_WORKSPACES_DELETE: 'stored-workspaces:delete',\n  /** View stored workspaces */\n  STORED_WORKSPACES_READ: 'stored-workspaces:read',\n  /** Create and modify stored workspaces */\n  STORED_WORKSPACES_WRITE: 'stored-workspaces:write',\n  /** View system info */\n  SYSTEM_READ: 'system:read',\n  /** View tool-providers */\n  TOOL_PROVIDERS_READ: 'tool-providers:read',\n  /** Execute tools */\n  TOOLS_EXECUTE: 'tools:execute',\n  /** View tools */\n  TOOLS_READ: 'tools:read',\n  /** Delete vector stores */\n  VECTOR_DELETE: 'vector:delete',\n  /** Execute vector stores */\n  VECTOR_EXECUTE: 'vector:execute',\n  /** View vector stores */\n  VECTOR_READ: 'vector:read',\n  /** Create and modify vector stores */\n  VECTOR_WRITE: 'vector:write',\n  /** View vectors */\n  VECTORS_READ: 'vectors:read',\n  /** Delete workflows */\n  WORKFLOWS_DELETE: 'workflows:delete',\n  /** Execute workflows */\n  WORKFLOWS_EXECUTE: 'workflows:execute',\n  /** View workflows */\n  WORKFLOWS_READ: 'workflows:read',\n  /** Create and modify workflows */\n  WORKFLOWS_WRITE: 'workflows:write',\n  /** Delete workspaces */\n  WORKSPACES_DELETE: 'workspaces:delete',\n  /** View workspaces */\n  
WORKSPACES_READ: 'workspaces:read',\n  /** Create and modify workspaces */\n  WORKSPACES_WRITE: 'workspaces:write',\n} as const satisfies Record<string, Permission>;\n\n/**\n * Mastra-owned FGA permission values.\n */\nexport type MastraFGAPermission = (typeof MastraFGAPermissions)[keyof typeof MastraFGAPermissions];\n\n/**\n * FGA permission input accepted by public config and provider APIs.\n * Keeps autocomplete for Mastra-owned permissions while allowing custom provider strings.\n */\nexport type MastraFGAPermissionInput = MastraFGAPermission | (string & {});\n\n/**\n * Type-safe role mapping configuration.\n *\n * Maps role names (from your identity provider) to Mastra permission patterns.\n *\n * @example\n * ```typescript\n * const roleMapping: TypedRoleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\", \"workflows:read\"],\n *   \"Admin\": [\"*\"],\n *   \"_default\": [],\n * };\n * ```\n */\nexport type TypedRoleMapping = {\n  [role: string]: PermissionPattern[];\n};\n\n/**\n * Validates that a string is a valid permission pattern.\n * Useful for runtime validation of permission strings. Note: the `in` check also accepts inherited object keys such as 'constructor' or 'toString'; use an own-property check before relying on this for untrusted input.\n */\nexport function isValidPermissionPattern(pattern: string): pattern is PermissionPattern {\n  return pattern in PERMISSION_PATTERNS;\n}\n\n/**\n * Validates that all permissions in an array are valid patterns.\n */\nexport function validatePermissions(permissions: string[]): permissions is PermissionPattern[] {\n  return permissions.every(isValidPermissionPattern);\n}\n","/**\n * Capabilities detection and response building for EE authentication.\n */\n\nimport type { MastraAuthProvider } from '../../server';\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from '../../telemetry/posthog';\nimport type { IUserProvider, ISSOProvider, ISessionProvider, ICredentialsProvider } from '../interfaces';\nimport type { IACLProvider } from './interfaces/acl';\nimport type { IFGAProvider } from 
'./interfaces/fga';\nimport type { IRBACProvider } from './interfaces/rbac';\nimport type { EEUser } from './interfaces/user';\nimport { isLicenseValid, isDevEnvironment, getSafeLicenseSummary } from './license';\n\n/**\n * Public capabilities response (no authentication required).\n * Contains just enough info to render the login page.\n */\nexport interface PublicAuthCapabilities {\n  /** Whether auth is enabled */\n  enabled: boolean;\n  /** Login configuration (null if no auth or no SSO) */\n  login: {\n    /** Type of login available */\n    type: 'sso' | 'credentials' | 'both';\n    /** Whether sign-up is enabled (defaults to true) */\n    signUpEnabled?: boolean;\n    /** Optional description explaining the auth requirement and what credentials to use */\n    description?: string;\n    /** SSO configuration */\n    sso?: {\n      /** Provider name */\n      provider: string;\n      /** Button text */\n      text: string;\n      /** Icon URL */\n      icon?: string;\n      /** Description of the auth requirement */\n      description?: string;\n      /** Login URL */\n      url: string;\n    };\n  } | null;\n}\n\n/**\n * User info for authenticated response.\n */\nexport interface AuthenticatedUser {\n  /** User ID */\n  id: string;\n  /** User email */\n  email?: string;\n  /** Display name */\n  name?: string;\n  /** Avatar URL */\n  avatarUrl?: string;\n}\n\n/**\n * Capability flags indicating which EE features are available.\n */\nexport interface CapabilityFlags {\n  /** IUserProvider is implemented and licensed */\n  user: boolean;\n  /** ISessionProvider is implemented and licensed */\n  session: boolean;\n  /** ISSOProvider is implemented and licensed */\n  sso: boolean;\n  /** IRBACProvider is implemented and licensed */\n  rbac: boolean;\n  /** IACLProvider is implemented and licensed */\n  acl: boolean;\n  /** IFGAProvider is implemented and licensed */\n  fga: boolean;\n}\n\n/**\n * User's access (roles and permissions).\n */\nexport interface 
UserAccess {\n  /** User's roles */\n  roles: string[];\n  /** User's resolved permissions */\n  permissions: string[];\n}\n\n/**\n * Authenticated capabilities response.\n * Extends public capabilities with user context and feature flags.\n */\nexport interface AuthenticatedCapabilities extends PublicAuthCapabilities {\n  /** Current authenticated user */\n  user: AuthenticatedUser;\n  /** Available EE capabilities */\n  capabilities: CapabilityFlags;\n  /** User's access (if RBAC available) */\n  access: UserAccess | null;\n  /** Available roles in the system (only present for admin users) */\n  availableRoles?: { id: string; name: string }[];\n}\n\n/**\n * Type guard to check if response is authenticated.\n */\nexport function isAuthenticated(\n  caps: PublicAuthCapabilities | AuthenticatedCapabilities,\n): caps is AuthenticatedCapabilities {\n  return 'user' in caps && caps.user !== null;\n}\n\n/**\n * Check if an auth provider implements a specific interface.\n */\nfunction implementsInterface<T>(auth: unknown, method: keyof T): auth is T {\n  return auth !== null && typeof auth === 'object' && typeof (auth as any)[method] === 'function';\n}\n\n/**\n * Check if auth provider is MastraCloudAuth (exempt from license requirement).\n */\nfunction isMastraCloudAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  // Check for the MastraCloudAuth marker\n  return 'isMastraCloudAuth' in auth && (auth as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true;\n}\n\n/**\n * Check if auth provider is SimpleAuth (exempt from license requirement).\n * SimpleAuth is for development/testing and should work without a license.\n */\nfunction isSimpleAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  return 'isSimpleAuth' in auth && (auth as { isSimpleAuth: boolean }).isSimpleAuth === true;\n}\n\n/**\n * Check if a set of permissions includes admin bypass (`*` or `*:*`).\n */\nfunction 
hasAdminBypassPermissions(permissions: string[]): boolean {\n  return permissions.some(p => p === '*' || p === '*:*');\n}\n\nfunction getRequestIp(request: Request): string | undefined {\n  const forwardedFor = request.headers.get('x-forwarded-for');\n  if (forwardedFor) {\n    return forwardedFor.split(',')[0]?.trim();\n  }\n\n  return request.headers.get('x-real-ip') ?? undefined;\n}\n\nfunction captureLicenseCheck({\n  request,\n  user,\n  hasLicense,\n  isDev,\n  isCloud,\n  isSimple,\n  capabilities,\n}: {\n  request: Request;\n  user?: EEUser | null;\n  hasLicense: boolean;\n  isDev: boolean;\n  isCloud: boolean;\n  isSimple: boolean;\n  capabilities?: CapabilityFlags;\n}): void {\n  const license = getSafeLicenseSummary();\n\n  try {\n    const ip = getRequestIp(request);\n    captureEEEvent('ee_license_check', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n      license_valid: hasLicense,\n      license_hash: license.licenseHash,\n      is_dev_environment: isDev,\n      is_cloud: isCloud,\n      is_simple_auth: isSimple,\n      capabilities,\n      user_id: user?.id,\n      $ip: ip,\n      license_features: license.features,\n      license_tier: license.tier,\n    });\n  } catch {\n    // Telemetry must never affect auth or EE feature behavior.\n  }\n}\n\n/**\n * Options for building capabilities.\n */\nexport interface BuildCapabilitiesOptions {\n  /**\n   * RBAC provider for role-based access control (EE feature).\n   * Separate from the auth provider to allow mixing different providers.\n   *\n   * @example\n   * ```typescript\n   * const rbac = new StaticRBACProvider({\n   *   roles: DEFAULT_ROLES,\n   *   getUserRoles: (user) => [user.role],\n   * });\n   *\n   * buildCapabilities(auth, request, { rbac });\n   * ```\n   */\n  rbac?: IRBACProvider<EEUser>;\n\n  /**\n   * FGA provider for fine-grained authorization (EE feature).\n   * Separate from the auth provider to allow mixing different providers.\n   */\n  fga?: 
IFGAProvider<EEUser>;\n\n  /**\n   * API route prefix used to construct SSO login URLs.\n   * Defaults to `/api` when not provided.\n   *\n   * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`\n   */\n  apiPrefix?: string;\n}\n\n/**\n * Build capabilities response based on auth configuration and request state.\n *\n * This function determines what capabilities are available and, if the user\n * is authenticated, includes their user info and access permissions.\n *\n * @param auth - Auth provider (or null if no auth configured)\n * @param request - Incoming HTTP request\n * @param options - Optional configuration (rbac, fga, apiPrefix)\n * @returns Capabilities response (public or authenticated)\n */\nexport async function buildCapabilities(\n  auth: MastraAuthProvider | null,\n  request: Request,\n  options?: BuildCapabilitiesOptions,\n): Promise<PublicAuthCapabilities | AuthenticatedCapabilities> {\n  // No auth configured - disabled\n  if (!auth) {\n    return { enabled: false, login: null };\n  }\n\n  // Determine if EE features are available\n  // SimpleAuth, MastraCloudAuth, and dev environments are exempt from license requirement\n  const hasLicense = isLicenseValid();\n  const isCloud = isMastraCloudAuth(auth);\n  const isSimple = isSimpleAuth(auth);\n  const isDev = isDevEnvironment();\n  const isLicensedOrCloud = hasLicense || isCloud || isSimple || isDev;\n\n  // Build login configuration (always public)\n  let login: PublicAuthCapabilities['login'] = null;\n\n  const hasSSO = implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud;\n  const hasCredentials = implementsInterface<ICredentialsProvider>(auth, 'signIn') && isLicensedOrCloud;\n\n  // Build SSO login URL using the configured prefix (default: /api)\n  const raw = (options?.apiPrefix || '/api').trim();\n  const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n  const prefix = withSlash.endsWith('/') ? 
withSlash.slice(0, -1) : withSlash;\n  const ssoLoginUrl = `${prefix}/auth/sso/login`;\n\n  // Check if sign-up is enabled (defaults to true)\n  let signUpEnabled = true;\n  if (implementsInterface<ICredentialsProvider>(auth, 'signIn')) {\n    const credentialsProvider = auth as ICredentialsProvider;\n    if (typeof credentialsProvider.isSignUpEnabled === 'function') {\n      signUpEnabled = credentialsProvider.isSignUpEnabled();\n    }\n  }\n\n  if (hasSSO && hasCredentials) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'both',\n      signUpEnabled,\n      description: ssoConfig.description,\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasSSO) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'sso',\n      description: ssoConfig.description,\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasCredentials) {\n    // Credentials-only auth (e.g., Better Auth with email/password)\n    login = {\n      type: 'credentials',\n      signUpEnabled,\n    };\n  }\n\n  // Try to get current user (requires session)\n  let user: EEUser | null = null;\n  if (implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud) {\n    try {\n      user = await auth.getCurrentUser(request);\n    } catch {\n      // Session invalid or expired\n      user = null;\n    }\n  }\n\n  // If no user, return public response only\n  if (!user) {\n    captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple });\n    return { enabled: true, login };\n  }\n\n  // Get RBAC provider from options (if configured)\n  const rbacProvider = options?.rbac;\n  const hasRBAC = !!rbacProvider && isLicensedOrCloud;\n\n  // Get FGA provider from options (if configured)\n  const hasFGA = !!options?.fga && isLicensedOrCloud;\n\n  // Build capability flags\n  const capabilities: 
CapabilityFlags = {\n    user: implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud,\n    session: implementsInterface<ISessionProvider>(auth, 'createSession') && isLicensedOrCloud,\n    sso: implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud,\n    rbac: hasRBAC,\n    acl: implementsInterface<IACLProvider>(auth, 'canAccess') && isLicensedOrCloud,\n    fga: hasFGA,\n  };\n\n  // Get roles/permissions from RBAC provider (if available)\n  let access: UserAccess | null = null;\n  if (hasRBAC && rbacProvider) {\n    try {\n      const roles = await rbacProvider.getRoles(user);\n      const permissions = await rbacProvider.getPermissions(user);\n      access = { roles, permissions };\n      const license = getSafeLicenseSummary();\n      try {\n        const ip = getRequestIp(request);\n        captureEEEvent('ee_feature_used', user.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n          feature: 'rbac',\n          user_id: user.id,\n          organization_membership_id: user.metadata?.['organizationMembershipId'],\n          role_count: roles.length,\n          permission_count: permissions.length,\n          $ip: ip,\n          license_valid: license.valid,\n          license_hash: license.licenseHash,\n          is_dev_environment: license.isDevEnvironment,\n        });\n      } catch {\n        // Telemetry must never affect auth or EE feature behavior.\n      }\n    } catch {\n      // RBAC failed, continue without access info\n      access = null;\n    }\n  }\n\n  // Expose available roles for admin users (for \"View as role\" feature).\n  // Exclude roles with admin-bypass permissions since previewing as admin\n  // is the same as the current experience.\n  let availableRoles: { id: string; name: string }[] | undefined;\n  if (access && rbacProvider?.getAvailableRoles) {\n    if (hasAdminBypassPermissions(access.permissions)) {\n      try {\n        const allRoles = await 
rbacProvider.getAvailableRoles();\n        const getPermissionsForRole = rbacProvider.getPermissionsForRole;\n        if (getPermissionsForRole) {\n          // Use allSettled so one failing role lookup doesn't drop the whole picker.\n          const rolePermissions = await Promise.allSettled(\n            allRoles.map(async role => ({\n              role,\n              perms: await getPermissionsForRole(role.id),\n            })),\n          );\n          availableRoles = rolePermissions.flatMap(result => {\n            if (result.status !== 'fulfilled') {\n              console.warn('[auth/ee] failed to list permissions for role:', result.reason);\n              return [];\n            }\n            return hasAdminBypassPermissions(result.value.perms) ? [] : [result.value.role];\n          });\n        } else {\n          availableRoles = allRoles;\n        }\n      } catch (error) {\n        // Degrade gracefully: omit availableRoles so the \"View as role\" feature\n        // simply doesn't show options. 
Log so operators can diagnose RBAC issues.\n        console.warn('[auth/ee] failed to list available roles for admin user:', error);\n      }\n    }\n  }\n\n  captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple, capabilities });\n\n  return {\n    enabled: true,\n    login,\n    user: {\n      id: user.id,\n      email: user.email,\n      name: user.name,\n      avatarUrl: user.avatarUrl,\n    },\n    capabilities,\n    access,\n    availableRoles,\n  };\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n  {\n    id: 'owner',\n    name: 'Owner',\n    description: 'Full access to all features and settings',\n    permissions: ['*'],\n  },\n  {\n    id: 'admin',\n    name: 'Admin',\n    description: 'Manage agents, workflows, and team members',\n    permissions: [\n      '*:read',\n      '*:write',\n      '*:execute',\n      '*:publish',\n      '*:share',\n      // Note: admins cannot delete resources\n    ],\n  },\n  {\n    id: 'member',\n    name: 'Member',\n    description: 'Execute agents and workflows',\n    permissions: ['*:read', '*:execute'],\n  },\n  {\n    id: 'viewer',\n    name: 'Viewer',\n    description: 'Read-only access',\n    permissions: ['*:read'],\n  },\n];\n\n// Re-export Permission 
types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n  return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n  const permissions = new Set<string>();\n  const visited = new Set<string>();\n\n  function resolveRole(roleId: string) {\n    if (visited.has(roleId)) return;\n    visited.add(roleId);\n\n    const role = roles.find(r => r.id === roleId);\n    if (!role) return;\n\n    for (const permission of role.permissions) {\n      permissions.add(permission);\n    }\n\n    // Resolve inherited roles\n    if (role.inherits) {\n      for (const inheritedRoleId of role.inherits) {\n        resolveRole(inheritedRoleId);\n      }\n    }\n  }\n\n  for (const roleId of roleIds) {\n    resolveRole(roleId);\n  }\n\n  return Array.from(permissions);\n}\n\n/**\n * Compound resource keys that expand to a set of per-family resources.\n * A granted `stored:<action>` is treated as matching any `stored-<family>:<action>`\n * (and `stored:*` matches any `stored-<family>:*`).\n */\nconst RESOURCE_EXPANSIONS: Record<string, readonly string[]> = {\n  stored: [\n    'stored-agents',\n    'stored-mcp-clients',\n    'stored-prompt-blocks',\n    'stored-scorers',\n    'stored-skills',\n    'stored-workspaces',\n  ],\n};\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: 
`{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n  // Wildcard matches everything\n  if (userPermission === '*') {\n    return true;\n  }\n\n  const grantedParts = userPermission.split(':');\n  const requiredParts = requiredPermission.split(':');\n\n  // Compound resource alias: expand granted `stored:<action>` into its per-family equivalents.\n  // Only applies when the required permission targets one of the expanded families.\n  const expandedFamilies = RESOURCE_EXPANSIONS[grantedParts[0] ?? ''];\n  if (expandedFamilies && expandedFamilies.includes(requiredParts[0] ?? 
'')) {\n    const aliased = [requiredParts[0], ...grantedParts.slice(1)].join(':');\n    return matchesPermission(aliased, requiredPermission);\n  }\n\n  // Must have at least resource:action\n  if (grantedParts.length < 2 || requiredParts.length < 2) {\n    return userPermission === requiredPermission;\n  }\n\n  const [grantedResource, grantedAction, grantedId] = grantedParts;\n  const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n  // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n  if (grantedResource === '*') {\n    // \"*:*\" is a full wildcard - matches everything\n    if (grantedAction === '*') {\n      if (grantedId === undefined) {\n        return true;\n      }\n      return grantedId === requiredId;\n    }\n    // Action must match for resource wildcards with specific action\n    if (grantedAction !== requiredAction) {\n      return false;\n    }\n    // If no granted ID, matches all instances\n    if (grantedId === undefined) {\n      return true;\n    }\n    // *:read:my-id would match agents:read:my-id (unusual but consistent)\n    return grantedId === requiredId;\n  }\n\n  // Resource must match (for non-wildcard resources)\n  if (grantedResource !== requiredResource) {\n    return false;\n  }\n\n  // Action wildcard: \"agents:*\" matches any action\n  if (grantedAction === '*') {\n    // If no granted ID, matches all resources\n    // If granted ID specified (agents:*:my-agent), must match required ID\n    if (grantedId === undefined) {\n      return true;\n    }\n    // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n    return grantedId === requiredId;\n  }\n\n  // Action must match\n  if (grantedAction !== requiredAction) {\n    return false;\n  }\n\n  // No resource ID in granted permission = access to all resources of this type\n  // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n  if (grantedId === undefined) {\n    return 
true;\n  }\n\n  // Both have resource IDs - must match exactly\n  return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n  return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\"],\n *   \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n *   [\"Engineering\", \"QA\"],\n *   roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n  const permissions = new Set<string>();\n  const defaultPerms = mapping['_default'] ?? 
[];\n\n  for (const role of roles) {\n    const rolePerms = mapping[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    } else {\n      // Apply default permissions for unmapped roles\n      for (const perm of defaultPerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n","/**\n * Static RBAC provider with config-based roles.\n */\n\nimport type { RoleDefinition, RoleMapping, IRBACProvider } from '../../interfaces';\nimport { resolvePermissions, matchesPermission, resolvePermissionsFromMapping } from '../roles';\n\n/**\n * Options for StaticRBACProvider.\n *\n * Use ONE of the following approaches:\n * - `roles`: Define role structures with permissions (Mastra's native role system)\n * - `roleMapping`: Map provider roles directly to permissions (simpler for external providers)\n */\nexport type StaticRBACProviderOptions<TUser = unknown> =\n  | {\n      /** Role definitions (Mastra's native role system) */\n      roles: RoleDefinition[];\n      /** Function to get user's role IDs */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roleMapping?: never;\n    }\n  | {\n      /**\n       * Role mapping for translating provider roles to permissions.\n       * Use this when your identity provider has roles that need to be\n       * mapped to Mastra permissions.\n       */\n      roleMapping: RoleMapping;\n      /** Function to get user's role IDs from the provider */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roles?: never;\n    };\n\n/**\n * Static RBAC provider.\n *\n * Supports two modes:\n * 1. **Role definitions**: Use Mastra's native role system with structured roles\n * 2. 
**Role mapping**: Directly map provider roles to permissions\n *\n * @example Using role definitions (Mastra's native system)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: (user) => [user.role],\n * });\n * ```\n *\n * @example Using role mapping (for external providers)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roleMapping: {\n *     \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *     \"Product\": [\"agents:read\", \"workflows:read\"],\n *     \"_default\": [],\n *   },\n *   getUserRoles: (user) => user.providerRoles,\n * });\n * ```\n *\n * @example Async role lookup\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: async (user) => {\n *     return db.getUserRoles(user.id);\n *   },\n * });\n * ```\n */\nexport class StaticRBACProvider<TUser = unknown> implements IRBACProvider<TUser> {\n  private roles?: RoleDefinition[];\n  private _roleMapping?: RoleMapping;\n  private getUserRolesFn: (user: TUser) => string[] | Promise<string[]>;\n  private permissionCache = new Map<string, string[]>();\n\n  /** Expose roleMapping for middleware access */\n  get roleMapping(): RoleMapping | undefined {\n    return this._roleMapping;\n  }\n\n  constructor(options: StaticRBACProviderOptions<TUser>) {\n    if ('roles' in options && options.roles) {\n      this.roles = options.roles;\n    }\n    if ('roleMapping' in options && options.roleMapping) {\n      this._roleMapping = options.roleMapping;\n    }\n    this.getUserRolesFn = options.getUserRoles;\n  }\n\n  async getRoles(user: TUser): Promise<string[]> {\n    const roleIds = await this.getUserRolesFn(user);\n    return roleIds;\n  }\n\n  async hasRole(user: TUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: TUser): Promise<string[]> {\n    const roleIds = await 
this.getRoles(user);\n\n    // Check cache\n    const cacheKey = roleIds.sort().join(',');\n    const cached = this.permissionCache.get(cacheKey);\n    if (cached) return cached;\n\n    // Resolve permissions based on mode\n    let permissions: string[];\n    if (this._roleMapping) {\n      // Role mapping mode: translate provider roles to permissions\n      permissions = resolvePermissionsFromMapping(roleIds, this._roleMapping);\n    } else if (this.roles) {\n      // Role definitions mode: use Mastra's native role system\n      permissions = resolvePermissions(roleIds, this.roles);\n    } else {\n      // No roles or mapping configured\n      permissions = [];\n    }\n\n    // Cache result\n    this.permissionCache.set(cacheKey, permissions);\n\n    return permissions;\n  }\n\n  async hasPermission(user: TUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  /**\n   * Clear the permission cache.\n   */\n  clearCache(): void {\n    this.permissionCache.clear();\n  }\n\n  /**\n   * Get all role definitions.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinitions(): RoleDefinition[] {\n    return this.roles ?? 
[];\n  }\n\n  /**\n   * Get a specific role definition.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinition(roleId: string): RoleDefinition | undefined {\n    return this.roles?.find(r => r.id === roleId);\n  }\n\n  /**\n   * Get all available roles in the system.\n   */\n  async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n    if (this.roles) {\n      return this.roles.map(r => ({ id: r.id, name: r.name }));\n    }\n    if (this._roleMapping) {\n      return Object.keys(this._roleMapping)\n        .filter(k => k !== '_default')\n        .map(k => ({ id: k, name: k }));\n    }\n    return [];\n  }\n\n  /**\n   * Get the resolved permissions for a specific role.\n   */\n  async getPermissionsForRole(roleId: string): Promise<string[]> {\n    if (this._roleMapping) {\n      return resolvePermissionsFromMapping([roleId], this._roleMapping);\n    }\n    if (this.roles) {\n      return resolvePermissions([roleId], this.roles);\n    }\n    return [];\n  }\n}\n"]}