{"version":3,"sources":["../../_internals/auth/src/ee/telemetry.ts","../../_internals/auth/src/ee/license.ts","../../_internals/auth/src/ee/capabilities.ts","../../_internals/auth/src/ee/interfaces/permissions.generated.ts","../../_internals/auth/src/ee/fga-check.ts","../../_internals/auth/src/ee/defaults/roles.ts","../../_internals/auth/src/ee/defaults/rbac/static.ts"],"names":["createHash","os"],"mappings":";;;;;;;;;;AASO,SAAS,mBAAmB,KAAA,EAAuB;AACxD,EAAA,OAAOA,kBAAW,QAAQ,CAAA,CAAE,OAAO,KAAK,CAAA,CAAE,OAAO,KAAK,CAAA;AACxD;AAEA,SAAS,iBAAA,GAA4B;AACnC,EAAA,OAAO,kBAAA,CAAmBC,oBAAG,QAAA,EAAA,IAAc,cAAc,CAAA,CAAE,KAAA,CAAM,GAAG,EAAE,CAAA;AACxE;AAEO,SAAS,gCAAA,GAA2C;AACzD,EAAA,OAAO,CAAA,OAAA,EAAU,mBAAmB,CAAA,CAAA;AACtC;AAMA,IAAM,mBAAA,mBAAsB,MAAA,CAAO,GAAA,CAAI,0BAA0B,CAAA;AAEjE,SAAS,kBAAA,GAAoD;AAC3D,EAAA,OAAQ,WAAiF,mBAAmB,CAAA;AAC9G;AAEO,SAAS,cAAA,CACd,KAAA,EACA,UAAA,EACA,UAAA,EACM;AACN,EAAA,kBAAA,EAAA,EAAsB,cAAA,GAAiB,KAAA,EAAO,UAAA,EAAY,UAAU,CAAA;AACtE;ACoBO,IAAM,aAAA,GAAN,MAAM,cAAA,CAAc;EACzB,OAAe,QAAA;AACP,EAAA,MAAA;AAEA,EAAA,UAAA;AACA,EAAA,UAAA;EAEA,IAAA,GAAoB,aAAA;EACpB,MAAA,GAAwB,SAAA;EAExB,YAAA,GAAgD,IAAA;EAChD,WAAA,GAAsB,CAAA;EACtB,cAAA,GAAyB,CAAA;EAEzB,mBAAA,GAA6C,IAAA;EACpC,eAAA,GAAkB,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;;EACjC,cAAA,GAAiB,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;;AAEzC,EAAA,WAAA,CAAY,MAAA,EAAwB;AAC1C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAGd,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,kBAAA,IAAsB,QAAQ,GAAA,CAAI,iBAAA;AAChE,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,kBAAA,IAAsB,2BAAA;AAEpD,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,IAAA,CAAK,IAAA,GAAO,YAAA;IACd,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,IAAA,GAAO,aAAA;AACd,IAAA;AACF,EAAA;AAEA,EAAA,OAAc,YAAY,MAAA,EAAuC;AAC/D,IAAA,IAAI,CAAC,eAAc,QAAA,EAAU;AAC3B,MAAA,cAAA,CAAc,QAAA,GAAW,IAAI,cAAA,CAAc,MAAM,CAAA;AACnD,IAAA,CAAA,MAAA,IAAW,MAAA,EAAQ;AACjB,MAAA,cAAA,CAAc,SAAS,MAAA,GAAS,MAAA;AAClC,IAAA;AACA,IAAA,OAAO,cAAA,CAAc,QAAA;AACvB,EAAA;;;;;AAMA,EAAA,OAAc,aAAA,GAAsB;AAClC,IAAA,IAAI,cAAA,CAAc,UAAU,mBAAA,EAAqB;AAC/C,MAAA,YAAA,CAAa,cAAA,CAAc,SAAS,mBAAmB,CAAA;AACzD,IAAA;AACA,IAAA,cAAA,CAAc,QAAA,GAAW,MAAA;AAC3B,EAAA;EAEiB,kBAAA,GAAqB,GAAA;AAEtC,EAAA,MAAc,cAAA,CAAe,GAAA,EAAa,OAAA,EAAsB,OAAA,GAAkB,CAAA,EAAsB;AACtG,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAGhC,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAA;AACvB,MAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,WAAW,KAAA,EAAA,EAAS,KAAK,kBAAkB,CAAA;AAC1E,MAAA,KAAA,CAAM,KAAA,IAAA;AACN,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,GACnB,WAAA,CAAY,GAAA,CAAI,CAAC,OAAA,CAAQ,MAAA,EAAuB,UAAA,CAAW,MAAM,CAAC,CAAA,GAClE,UAAA,CAAW,MAAA;AACf,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,OAAA,EAAS,QAAQ,CAAA;AACxD,QAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,QAAA,CAAS,UAAU,GAAA,EAAK;AACrD,UAAA,IAAI,CAAA,KAAM,OAAA,GAAU,CAAA,EAAG,OAAO,QAAA;QAChC,CAAA,MAAO;AACL,UAAA,OAAO,QAAA;AACT,QAAA;AACF,MAAA,CAAA,CAAA,OAAS,KAAA,EAAO;AACd,QAAA,IAAI,CAAA,KAAM,OAAA,GAAU,CAAA,EAAG,MAAM,KAAA;MAC/B,CAAA,SAAA;AACE,QAAA,YAAA,CAAa,KAAK,CAAA;AACpB,MAAA;AACA,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,CAAC,CAAA,GAAI,GAAA;AAC/B,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAA,YAAW,UAAA,CAAW,OAAA,EAAS,KAAK,CAAC,CAAA;AACzD,IAAA;AACA,IAAA,MAAM,IAAI,MAAM,aAAa,CAAA;AAC/B,EAAA;EAEQ,iBAAA,GAA6C,IAAA;AAErD,EAAA,MAAa,QAAA,GAA6B;AACxC,IAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,MAAA,OAAO,IAAA;AACT,IAAA;AAGA,IAAA,IAAI,KAAK,YAAA,IAAgB,IAAA,CAAK,GAAA,EAAA,GAAQ,KAAK,WAAA,EAAa;AACtD,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,KAAK,UAAA,EAAA;AACd,EAAA;;;;;;;;EASQ,UAAA,GAA+B;AACrC,IAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,MAAA,IAAA,CAAK,iBAAA,GAAoB,IAAA,CAAK,iBAAA,EAAA,CAAoB,QAAQ,MAAM;AAC9D,QAAA,IAAA,CAAK,iBAAA,GAAoB,IAAA;MAC3B,CAAC,CAAA;AACH,IAAA;AACA,IAAA,OAAO,IAAA,CAAK,iBAAA;AACd,EAAA;AAEA,EAAA,MAAc,iBAAA,GAAsC;AAClD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAA;AAGjB,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,UAAA,EAAY,UAAA,CAAW,UAAU,CAAA,IAAK,CAAC,IAAA,CAAK,UAAA,EAAY,QAAA,CAAS,WAAW,CAAA,EAAG;AACvF,QAAA,IAAA,CAAK,MAAA,EAAQ,KAAK,6DAA6D,CAAA;AACjF,MAAA;AAEA,MAAA,MAAM,WAAW,MAAM,IAAA,CAAK,eAAe,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,SAAA,CAAA,EAAa;QACxE,MAAA,EAAQ,MAAA;QACR,OAAA,EAAS;UACP,cAAA,EAAgB;AAAA,SAAA;AAElB,QAAA,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,UAAA,EAAY,IAAA,CAAK,YAAY;OACrD,CAAA;AAMD,MAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,QAAA,CAAS,UAAU,GAAA,EAAK;AACrD,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,8BAAA,EAAiC,QAAA,CAAS,MAAM,CAAA,CAAE,CAAA;AACpE,MAAA;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAA;AAE7B,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,IAAA,CAAK,MAAA,GAAS,OAAA;AACd,QAAA,IAAA,CAAK,MAAA,EAAQ,IAAA;AACX,UAAA,CAAA,mBAAA,EAAsB,IAAA,CAAK,QAAQ,CAAA,KAAA,EAAQ,IAAA,CAAK,SAAA,GAAY,CAAA,UAAA,EAAa,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,KAAK,EAAE,CAAA;AAAA,SAAA;AAE7G,QAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AAEpB,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,cAAA,GAAiB,GAAA;AACjE,QAAA,IAAA,CAAK,WAAA,GAAc,MAAM,UAAA,GAAa,GAAA;AACtC,QAAA,IAAA,CAAK,cAAA,GAAiB,MAAM,IAAA,CAAK,eAAA;AAEjC,QAAA,IAAA,CAAK,qBAAqB,UAAU,CAAA;AACpC,QAAA,OAAO,IAAA;MACT,CAAA,MAAA,IAAW,IAAA,CAAK,SAAS,cAAA,EAAgB;AAGvC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,IAAA,CAAK,MAAM,CAAA,CAAE,CAAA;MAC/D,CAAA,MAAO;AACL,QAAA,IAAA,CAAK,MAAA,GAAS,SAAA;AACd,QAAA,IAAA,CAAK,MAAA,EAAQ,MAAM,CAAA,2BAAA,EAA8B,IAAA,CAAK,IAAI,CAAA,GAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,CAAA;AAC7E,QAAA,IAAA,CAAK,UAAA,EAAA;AACL,QAAA,OAAO,KAAA;AACT,MAAA;IACF,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAI,IAAA,CAAK,YAAA,IAAgB,GAAA,GAAM,IAAA,CAAK,cAAA,EAAgB;AAClD,QAAA,IAAA,CAAK,MAAA,EAAQ,KAAK,yEAAyE,CAAA;AAC3F,QAAA,IAAA,CAAK,MAAA,GAAS,OAAA;AACd,QAAA,IAAA,CAAK,oBAAA,CAAqB,IAAA,CAAK,cAAA,GAAiB,GAAI,CAAA;AACpD,QAAA,OAAO,IAAA;AACT,MAAA,CAAA,MAAA,IAAW,KAAK,YAAA,EAAc;AAC5B,QAAA,IAAA,CAAK,MAAA,EAAQ,MAAM,qFAAqF,CAAA;AACxG,QAAA,IAAA,CAAK,MAAA,GAAS,SAAA;AACd,QAAA,IAAA,CAAK,UAAA,EAAA;AACL,QAAA,OAAO,KAAA;MACT,CAAA,MAAO;AAEL,QAAA,IAAA,CAAK,MAAA,EAAQ,KAAK,yFAAyF,CAAA;AAG3G,QAAA,IAAA,CAAK,MAAA,GAAS,OAAA;AACd,QAAA,IAAA,CAAK,YAAA,GAAe;UAClB,KAAA,EAAO,IAAA;AACP,UAAA,YAAA,EAAc,EAAA;UACd,QAAA,EAAU,SAAA;UACV,SAAA,EAAW,IAAA;UACX,eAAA,EAAiB;;AAAA,SAAA;AAEnB,QAAA,IAAA,CAAK,WAAA,GAAc,MAAM,GAAA,GAAM,GAAA;AAC/B,QAAA,IAAA,CAAK,cAAA,GAAiB,MAAM,IAAA,CAAK,eAAA;AACjC,QAAA,IAAA,CAAK,qBAAqB,GAAG,CAAA;AAC7B,QAAA,OAAO,IAAA;AACT,MAAA;AACF,IAAA;AACF,EAAA;AAEQ,EAAA,oBAAA,CAAqB,UAAA,EAAoB;AAC/C,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,YAAA,CAAa,KAAK,mBAAmB,CAAA;AACvC,IAAA;AAGA,IAAA,MAAM,YAAA,GAAe,aAAa,GAAA,GAAO,IAAA;AACzC,IAAA,IAAA,CAAK,mBAAA,GAAsB,WAAW,MAAM;AAC1C,MAAA,IAAA,CAAK,MAAA,EAAQ,KAAK,+CAA+C,CAAA;AAGjE,MAAA,IAAA,CAAK,UAAA,EAAA,CAAa,KAAA,CAAM,CAAA,GAAA,KAAO;AAC7B,QAAA,IAAA,CAAK,MAAA,EAAQ,KAAA;AACX,UAAA,CAAA,wCAAA,EAA2C,eAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAAC,CAAA;AAAA,SAAA;MAE/F,CAAC,CAAA;AACH,IAAA,CAAA,EAAG,YAAY,CAAA;AAGf,IAAA,IAAA,CAAK,oBAAoB,KAAA,EAAA;AAC3B,EAAA;EAEQ,UAAA,GAAa;AACnB,IAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AACpB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AACnB,IAAA,IAAA,CAAK,cAAA,GAAiB,CAAA;AACtB,IAAA,IAAA,CAAK,MAAA,GAAS,SAAA;AACd,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,YAAA,CAAa,KAAK,mBAAmB,CAAA;AACrC,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAC7B,IAAA;AACF,EAAA;AAEO,EAAA,UAAA,CAAW,WAAA,EAA8B;AAC9C,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,aAAA,EAAe,OAAO,IAAA;AACxC,IAAA,IAAI,IAAA,CAAK,MAAA,KAAW,SAAA,EAAW,OAAO,IAAA;AACtC,IAAA,IAAI,IAAA,CAAK,MAAA,KAAW,SAAA,EAAW,OAAO,KAAA;AACtC,IAAA,IAAI,CAAC,IAAA,CAAK,YAAA,EAAc,OAAO,KAAA;AAI/B,IAAA,IAAI,IAAA,CAAK,YAAA,CAAa,QAAA,KAAa,SAAA,EAAW,OAAO,IAAA;AAErD,IAAA,OAAO,IAAA,CAAK,YAAA,CAAa,YAAA,CAAa,QAAA,CAAS,WAAW,CAAA;AAC5D,EAAA;EAEO,eAAA,GAAmC;AACxC,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,aAAA,EAAe,OAAO,IAAA;AACxC,IAAA,OAAO,IAAA,CAAK,cAAc,YAAA,IAAgB,IAAA;AAC5C,EAAA;EAEO,WAAA,GAA+B;AACpC,IAAA,OAAO;AACL,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,MAAA,EAAQ,IAAA,CAAK,MAAA;MACb,YAAA,EAAc,IAAA,CAAK,cAAc,YAAA,IAAgB,IAAA;MACjD,QAAA,EAAU,IAAA,CAAK,cAAc,QAAA,IAAY,IAAA;MACzC,SAAA,EAAW,IAAA,CAAK,cAAc,SAAA,IAAa;AAAA,KAAA;AAE/C,EAAA;AACF,CAAA;AA+BA,SAAS,aAAA,GAAoC;AAC3C,EAAA,OAAO,QAAQ,GAAA,CAAI,oBAAoB,CAAA,IAAK,OAAA,CAAQ,IAAI,mBAAmB,CAAA;AAC7E;AAEA,IAAI,iBAAA,GAAoB,KAAA;AACxB,IAAI,wBAAA,GAA2B,KAAA;AAK/B,SAAS,SAAA,GAA2B;AAClC,EAAA,MAAM,MAAA,GAAS,cAAc,WAAA,EAAA;AAC7B,EAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,IAAA,iBAAA,GAAoB,IAAA;AACpB,IAAA,KAAK,MAAA,CAAO,QAAA,EAAA,CAAW,KAAA,CAAM,MAAM;IAGnC,CAAC,CAAA;AACH,EAAA;AACA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,sBAAA,GAA2C;AACzD,EAAA,MAAM,MAAA,GAAS,cAAc,WAAA,EAAA;AAC7B,EAAA,iBAAA,GAAoB,IAAA;AACpB,EAAA,OAAO,OAAO,QAAA,EAAA;AAChB;AAaO,SAAS,gBAAgB,UAAA,EAAkC;AAChE,EAAA,MAAM,gBAAgB,aAAA,EAAA;AACtB,EAAA,MAAM,MAAM,UAAA,IAAc,aAAA;AAE1B,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO,EAAE,OAAO,KAAA,EAAA;AAClB,EAAA;AAIA,EAAA,IAAI,UAAA,KAAe,MAAA,IAAa,UAAA,KAAe,aAAA,EAAe;AAC5D,IAAA,OAAO,EAAE,OAAO,KAAA,EAAA;AAClB,EAAA;AAEA,EAAA,MAAM,IAAA,GAAO,SAAA,EAAA,CAAY,WAAA,EAAA;AAEzB,EAAA,OAAO;AACL,IAAA,KAAA,EAAO,KAAK,MAAA,KAAW,SAAA;AACvB,IAAA,QAAA,EAAU,KAAK,YAAA,IAAgB,MAAA;AAC/B,IAAA,IAAA,EAAM,KAAK,QAAA,IAAY,MAAA;AACvB,IAAA,SAAA,EAAW,KAAK,SAAA,GAAY,IAAI,IAAA,CAAK,IAAA,CAAK,SAAS,CAAA,GAAI;AAAA,GAAA;AAE3D;AAOO,SAAS,cAAA,GAA0B;AACxC,EAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,IAAA,OAAO,KAAA;AACT,EAAA;AAIA,EAAA,OAAO,SAAA,EAAA,CAAY,WAAA,EAAA,CAAc,MAAA,KAAW,SAAA;AAC9C;AAKO,IAAM,gBAAA,GAAmB;AAQzB,SAAS,iBAAiB,OAAA,EAA0B;AACzD,EAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,IAAA,OAAO,KAAA;AACT,EAAA;AAEA,EAAA,OAAO,SAAA,EAAA,CAAY,UAAA,CAAW,OAAO,CAAA;AACvC;AAeO,SAAS,qBAAA,GAA4C;AAC1D,EAAA,MAAM,MAAM,aAAA,EAAA;AACZ,EAAA,MAAM,IAAA,GAAO,gBAAgB,GAAG,CAAA;AAChC,EAAA,MAAM,WAAA,GAAc,GAAA,GAAM,kBAAA,CAAmB,GAAG,CAAA,GAAI,MAAA;AAEpD,EAAA,OAAO;AACL,IAAA,KAAA,EAAO,IAAA,CAAK,KAAA;AACZ,IAAA,gBAAA,EAAkB,gBAAA,EAAA;AAClB,IAAA,WAAA,EAAa,WAAA,GAAc,WAAA,CAAY,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,MAAA;AACtD,IAAA,WAAA,EAAa,cAAc,CAAA,EAAG,WAAA,CAAY,MAAM,CAAA,EAAG,EAAE,CAAC,CAAA,UAAA,CAAA,GAAe,MAAA;AACrE,IAAA,QAAA,EAAU,IAAA,CAAK,QAAA;AACf,IAAA,IAAA,EAAM,IAAA,CAAK;AAAA,GAAA;AAEf;AAEO,SAAS,uBAAA,GAAgC;AAC9C,EAAA,IAAI,wBAAA,IAA4B,CAAC,gBAAA,EAAA,IAAsB,gBAAA,EAAkB;AACvE,IAAA;AACF,EAAA;AAEA,EAAA,wBAAA,GAA2B,IAAA;AAC3B,EAAA,OAAA,CAAQ,IAAA;AACN,IAAA;AAAA,GAAA;AAEJ;AAMO,SAAS,iBAAA,GAA0B;AACxC,EAAA,iBAAA,GAAoB,KAAA;AACpB,EAAA,wBAAA,GAA2B,KAAA;AAC3B,EAAA,aAAA,CAAc,aAAA,EAAA;AAChB;AAMO,SAAS,gBAAA,GAA4B;AAC1C,EAAA,OACE,QAAQ,GAAA,CAAI,YAAY,MAAM,MAAA,IAC9B,OAAA,CAAQ,IAAI,YAAY,CAAA,KAAM,GAAA,IAC7B,OAAA,CAAQ,IAAI,UAAU,CAAA,KAAM,gBAAgB,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,KAAM,MAAA;AAE7E;AAMO,SAAS,WAAA,GAAuB;AACrC,EAAA,IAAI,kBAAA,EAAoB;AACtB,IAAA,uBAAA,EAAA;AACA,IAAA,OAAO,IAAA;AACT,EAAA;AACA,EAAA,OAAO,cAAA,EAAA;AACT;ACzZO,SAAS,gBACd,IAAA,EACmC;AACnC,EAAA,OAAO,MAAA,IAAU,IAAA,IAAQ,IAAA,CAAK,IAAA,KAAS,IAAA;AACzC;AAKA,SAAS,mBAAA,CAAuB,MAAe,MAAA,EAA4B;AACzE,EAAA,OAAO,IAAA,KAAS,QAAQ,OAAO,IAAA,KAAS,YAAY,OAAQ,IAAA,CAAa,MAAM,CAAA,KAAM,UAAA;AACvF;AAKA,SAAS,kBAAkB,IAAA,EAAwB;AACjD,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAE9C,EAAA,OAAO,mBAAA,IAAuB,IAAA,IAAS,IAAA,CAAwC,iBAAA,KAAsB,IAAA;AACvG;AAMA,SAAS,aAAa,IAAA,EAAwB;AAC5C,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,UAAU,OAAO,KAAA;AAC9C,EAAA,OAAO,cAAA,IAAkB,IAAA,IAAS,IAAA,CAAmC,YAAA,KAAiB,IAAA;AACxF;AAKA,SAAS,0BAA0B,WAAA,EAAgC;AACjE,EAAA,OAAO,YAAY,IAAA,CAAK,CAAA,MAAK,CAAA,KAAM,GAAA,IAAO,MAAM,KAAK,CAAA;AACvD;AAEA,SAAS,aAAa,OAAA,EAAsC;AAC1D,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,iBAAiB,CAAA;AAC1D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO,aAAa,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAA;AACrC,EAAA;AAEA,EAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAAK,MAAA;AAC7C;AAEA,SAAS,mBAAA,CAAoB;AAC3B,EAAA,OAAA;AACA,EAAA,IAAA;AACA,EAAA,UAAA;AACA,EAAA,KAAA;AACA,EAAA,OAAA;AACA,EAAA,QAAA;AACA,EAAA;AACF,CAAA,EAQS;AACP,EAAA,MAAM,UAAU,qBAAA,EAAA;AAEhB,EAAA,IAAI;AACF,IAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,IAAA,cAAA,CAAe,oBAAoB,IAAA,EAAM,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAe,kCAAA,EAAoC;MACxG,aAAA,EAAe,UAAA;AACf,MAAA,YAAA,EAAc,OAAA,CAAQ,WAAA;MACtB,kBAAA,EAAoB,KAAA;MACpB,QAAA,EAAU,OAAA;MACV,cAAA,EAAgB,QAAA;AAChB,MAAA,YAAA;AACA,MAAA,OAAA,EAAS,IAAA,EAAM,EAAA;MACf,GAAA,EAAK,EAAA;AACL,MAAA,gBAAA,EAAkB,OAAA,CAAQ,QAAA;AAC1B,MAAA,YAAA,EAAc,OAAA,CAAQ;KACvB,CAAA;EACH,CAAA,CAAA,MAAQ;AAER,EAAA;AACF;AAgDA,eAAsB,iBAAA,CACpB,IAAA,EACA,OAAA,EACA,OAAA,EAC6D;AAE7D,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,IAAA,EAAA;AAClC,EAAA;AAIA,EAAA,MAAM,aAAa,cAAA,EAAA;AACnB,EAAA,MAAM,OAAA,GAAU,kBAAkB,IAAI,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,aAAa,IAAI,CAAA;AAClC,EAAA,MAAM,QAAQ,gBAAA,EAAA;AACd,EAAA,IAAI,KAAA,IAAS,CAAC,UAAA,EAAY;AACxB,IAAA,uBAAA,EAAA;AACF,EAAA;AACA,EAAA,MAAM,iBAAA,GAAoB,UAAA,IAAc,OAAA,IAAW,QAAA,IAAY,KAAA;AAI/D,EAAA,MAAM,iBAAA,GAAoB,CAAC,OAAA,KACzB,OAAA,IAAW,YAAY,KAAA,IAAU,UAAA,IAAc,iBAAiB,OAAO,CAAA;AAGzE,EAAA,IAAI,KAAA,GAAyC,IAAA;AAE7C,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;AACzE,EAAA,MAAM,cAAA,GAAiB,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,IAAK,iBAAA;AAGpF,EAAA,MAAM,GAAA,GAAA,CAAO,OAAA,EAAS,SAAA,IAAa,MAAA,EAAQ,IAAA,EAAA;AAC3C,EAAA,MAAM,YAAY,GAAA,CAAI,UAAA,CAAW,GAAG,CAAA,GAAI,GAAA,GAAM,IAAI,GAAG,CAAA,CAAA;AACrD,EAAA,MAAM,MAAA,GAAS,UAAU,QAAA,CAAS,GAAG,IAAI,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,SAAA;AAClE,EAAA,MAAM,WAAA,GAAc,GAAG,MAAM,CAAA,eAAA,CAAA;AAG7B,EAAA,IAAI,aAAA,GAAgB,IAAA;AACpB,EAAA,IAAI,mBAAA,CAA0C,IAAA,EAAM,QAAQ,CAAA,EAAG;AAC7D,IAAA,MAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAA,IAAI,OAAO,mBAAA,CAAoB,eAAA,KAAoB,UAAA,EAAY;AAC7D,MAAA,aAAA,GAAgB,oBAAoB,eAAA,EAAA;AACtC,IAAA;AACF,EAAA;AAEA,EAAA,IAAI,UAAU,cAAA,EAAgB;AAC5B,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAA;AACzC,IAAA,KAAA,GAAQ;MACN,IAAA,EAAM,MAAA;AACN,MAAA,aAAA;AACA,MAAA,WAAA,EAAa,SAAA,CAAU,WAAA;MACvB,GAAA,EAAK;QACH,GAAG,SAAA;QACH,GAAA,EAAK;AAAA;AACP,KAAA;AAEJ,EAAA,CAAA,MAAA,IAAW,MAAA,EAAQ;AACjB,IAAA,MAAM,SAAA,GAAa,KAAsB,oBAAA,EAAA;AACzC,IAAA,KAAA,GAAQ;MACN,IAAA,EAAM,KAAA;AACN,MAAA,WAAA,EAAa,SAAA,CAAU,WAAA;MACvB,GAAA,EAAK;QACH,GAAG,SAAA;QACH,GAAA,EAAK;AAAA;AACP,KAAA;AAEJ,EAAA,CAAA,MAAA,IAAW,cAAA,EAAgB;AAEzB,IAAA,KAAA,GAAQ;MACN,IAAA,EAAM,aAAA;AACN,MAAA;AAAA,KAAA;AAEJ,EAAA;AAGA,EAAA,IAAI,IAAA,GAAsB,IAAA;AAC1B,EAAA,IAAI,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA,EAAmB;AACnF,IAAA,IAAI;AACF,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAO,CAAA;IAC1C,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,GAAO,IAAA;AACT,IAAA;AACF,EAAA;AAGA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,mBAAA,CAAoB,EAAE,OAAA,EAAS,IAAA,EAAM,YAAY,KAAA,EAAO,OAAA,EAAS,UAAU,CAAA;AAC3E,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,KAAA,EAAA;AAC1B,EAAA;AAGA,EAAA,MAAM,eAAe,OAAA,EAAS,IAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,CAAC,CAAC,YAAA,IAAgB,kBAAkB,MAAM,CAAA;AAG1D,EAAA,MAAM,SAAS,CAAC,CAAC,OAAA,EAAS,GAAA,IAAO,kBAAkB,KAAK,CAAA;AAGxD,EAAA,MAAM,YAAA,GAAgC;IACpC,IAAA,EAAM,mBAAA,CAAmC,IAAA,EAAM,gBAAgB,CAAA,IAAK,iBAAA;IACpE,OAAA,EAAS,mBAAA,CAAsC,IAAA,EAAM,eAAe,CAAA,IAAK,iBAAA;IACzE,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,aAAa,CAAA,IAAK,iBAAA;IAC/D,IAAA,EAAM,OAAA;AACN,IAAA,GAAA,EAAK,mBAAA,CAAkC,IAAA,EAAM,WAAW,CAAA,IAAK,kBAAkB,KAAK,CAAA;IACpF,GAAA,EAAK;AAAA,GAAA;AAIP,EAAA,IAAI,MAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAW,YAAA,EAAc;AAC3B,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,YAAA,CAAa,QAAA,CAAS,IAAI,CAAA;AAC9C,MAAA,MAAM,WAAA,GAAc,MAAM,YAAA,CAAa,cAAA,CAAe,IAAI,CAAA;AAC1D,MAAA,MAAA,GAAS,EAAE,OAAO,WAAA,EAAA;AAClB,MAAA,MAAM,UAAU,qBAAA,EAAA;AAChB,MAAA,IAAI;AACF,QAAA,MAAM,EAAA,GAAK,aAAa,OAAO,CAAA;AAC/B,QAAA,cAAA,CAAe,mBAAmB,IAAA,CAAK,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAe,kCAAA,EAAoC;UACtG,OAAA,EAAS,MAAA;AACT,UAAA,OAAA,EAAS,IAAA,CAAK,EAAA;UACd,0BAAA,EAA4B,IAAA,CAAK,WAAW,0BAA0B,CAAA;AACtE,UAAA,UAAA,EAAY,KAAA,CAAM,MAAA;AAClB,UAAA,gBAAA,EAAkB,WAAA,CAAY,MAAA;UAC9B,GAAA,EAAK,EAAA;AACL,UAAA,aAAA,EAAe,OAAA,CAAQ,KAAA;AACvB,UAAA,YAAA,EAAc,OAAA,CAAQ,WAAA;AACtB,UAAA,kBAAA,EAAoB,OAAA,CAAQ;SAC7B,CAAA;MACH,CAAA,CAAA,MAAQ;AAER,MAAA;IACF,CAAA,CAAA,MAAQ;AAEN,MAAA,MAAA,GAAS,IAAA;AACX,IAAA;AACF,EAAA;AAKA,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI,MAAA,IAAU,cAAc,iBAAA,EAAmB;AAC7C,IAAA,IAAI,yBAAA,CAA0B,MAAA,CAAO,WAAW,CAAA,EAAG;AACjD,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,YAAA,CAAa,iBAAA,EAAA;AACpC,QAAA,MAAM,qBAAA,GAAwB,YAAA,CAAa,qBAAA,EAAuB,IAAA,CAAK,YAAY,CAAA;AACnF,QAAA,IAAI,qBAAA,EAAuB;AAEzB,UAAA,MAAM,eAAA,GAAkB,MAAM,OAAA,CAAQ,UAAA;YACpC,QAAA,CAAS,GAAA,CAAI,OAAM,IAAA,MAAS;AAC1B,cAAA,IAAA;cACA,KAAA,EAAO,MAAM,qBAAA,CAAsB,IAAA,CAAK,EAAE;aAAA,CAC1C;AAAA,WAAA;AAEJ,UAAA,cAAA,GAAiB,eAAA,CAAgB,OAAA,CAAQ,CAAA,MAAA,KAAU;AACjD,YAAA,IAAI,MAAA,CAAO,WAAW,WAAA,EAAa;AACjC,cAAA,OAAA,CAAQ,IAAA,CAAK,gDAAA,EAAkD,MAAA,CAAO,MAAM,CAAA;AAC5E,cAAA,OAAO,EAAA;AACT,YAAA;AACA,YAAA,OAAO,yBAAA,CAA0B,MAAA,CAAO,KAAA,CAAM,KAAK,CAAA,GAAI,EAAA,GAAK,CAAC,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA;UAChF,CAAC,CAAA;QACH,CAAA,MAAO;AACL,UAAA,cAAA,GAAiB,QAAA;AACnB,QAAA;AACF,MAAA,CAAA,CAAA,OAAS,KAAA,EAAO;AAGd,QAAA,OAAA,CAAQ,IAAA,CAAK,4DAA4D,KAAK,CAAA;AAChF,MAAA;AACF,IAAA;AACF,EAAA;AAEA,EAAA,mBAAA,CAAoB,EAAE,SAAS,IAAA,EAAM,UAAA,EAAY,OAAO,OAAA,EAAS,QAAA,EAAU,cAAc,CAAA;AAEzF,EAAA,OAAO;IACL,OAAA,EAAS,IAAA;AACT,IAAA,KAAA;IACA,IAAA,EAAM;AACJ,MAAA,EAAA,EAAI,IAAA,CAAK,EAAA;AACT,MAAA,KAAA,EAAO,IAAA,CAAK,KAAA;AACZ,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,SAAA,EAAW,IAAA,CAAK;AAAA,KAAA;AAElB,IAAA,YAAA;AACA,IAAA,MAAA;AACA,IAAA;AAAA,GAAA;AAEJ;;;AClaO,IAAM,SAAA,GAAY;AACvB,EAAA,KAAA;AACA,EAAA,eAAA;AACA,EAAA,kBAAA;AACA,EAAA,QAAA;AACA,EAAA,MAAA;AACA,EAAA,kBAAA;AACA,EAAA,UAAA;AACA,EAAA,UAAA;AACA,EAAA,WAAA;AACA,EAAA,aAAA;AACA,EAAA,gBAAA;AACA,EAAA,MAAA;AACA,EAAA,KAAA;AACA,EAAA,QAAA;AACA,EAAA,eAAA;AACA,EAAA,qBAAA;AACA,EAAA,YAAA;AACA,EAAA,WAAA;AACA,EAAA,QAAA;AACA,EAAA,eAAA;AACA,EAAA,oBAAA;AACA,EAAA,sBAAA;AACA,EAAA,gBAAA;AACA,EAAA,eAAA;AACA,EAAA,mBAAA;AACA,EAAA,QAAA;AACA,EAAA,gBAAA;AACA,EAAA,OAAA;AACA,EAAA,QAAA;AACA,EAAA,SAAA;AACA,EAAA,WAAA;AACA,EAAA;AACF;AAgBO,IAAM,OAAA,GAAU,CAAC,QAAA,EAAU,QAAA,EAAU,WAAW,SAAA,EAAW,MAAA,EAAQ,SAAS,OAAO;AAWnF,IAAM,mBAAA,GAAsB;;EAEjC,GAAA,EAAK,GAAA;;EAEL,UAAA,EAAY,UAAA;;EAEZ,UAAA,EAAY,UAAA;;EAEZ,WAAA,EAAa,WAAA;;EAEb,WAAA,EAAa,WAAA;;EAEb,QAAA,EAAU,QAAA;;EAEV,SAAA,EAAW,SAAA;;EAEX,SAAA,EAAW,SAAA;;EAEX,OAAA,EAAS,OAAA;;EAET,iBAAA,EAAmB,iBAAA;;EAEnB,oBAAA,EAAsB,oBAAA;;EAEtB,UAAA,EAAY,UAAA;;EAEZ,QAAA,EAAU,QAAA;;EAEV,oBAAA,EAAsB,oBAAA;;EAEtB,YAAA,EAAc,YAAA;;EAEd,YAAA,EAAc,YAAA;;EAEd,aAAA,EAAe,aAAA;;EAEf,eAAA,EAAiB,eAAA;;EAEjB,kBAAA,EAAoB,kBAAA;;EAEpB,QAAA,EAAU,QAAA;;EAEV,OAAA,EAAS,OAAA;;EAET,UAAA,EAAY,UAAA;;EAEZ,iBAAA,EAAmB,iBAAA;;EAEnB,uBAAA,EAAyB,uBAAA;;EAEzB,cAAA,EAAgB,cAAA;;EAEhB,aAAA,EAAe,aAAA;;EAEf,UAAA,EAAY,UAAA;;EAEZ,iBAAA,EAAmB,iBAAA;;EAEnB,sBAAA,EAAwB,sBAAA;;EAExB,wBAAA,EAA0B,wBAAA;;EAE1B,kBAAA,EAAoB,kBAAA;;EAEpB,iBAAA,EAAmB,iBAAA;;EAEnB,qBAAA,EAAuB,qBAAA;;EAEvB,UAAA,EAAY,UAAA;;EAEZ,kBAAA,EAAoB,kBAAA;;EAEpB,SAAA,EAAW,SAAA;;EAEX,UAAA,EAAY,UAAA;;EAEZ,WAAA,EAAa,WAAA;;EAEb,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,UAAA,EAAY,UAAA;;EAEZ,WAAA,EAAa,WAAA;;EAEb,uBAAA,EAAyB,uBAAA;;EAEzB,oBAAA,EAAsB,oBAAA;;EAEtB,qBAAA,EAAuB,qBAAA;;EAEvB,0BAAA,EAA4B,0BAAA;;EAE5B,uBAAA,EAAyB,uBAAA;;EAEzB,eAAA,EAAiB,eAAA;;EAEjB,eAAA,EAAiB,eAAA;;EAEjB,gBAAA,EAAkB,gBAAA;;EAElB,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,WAAA,EAAa,WAAA;;EAEb,uBAAA,EAAyB,uBAAA;;EAEzB,eAAA,EAAiB,eAAA;;EAEjB,gBAAA,EAAkB,gBAAA;;EAElB,iBAAA,EAAmB,iBAAA;;EAEnB,kBAAA,EAAoB,kBAAA;;EAEpB,eAAA,EAAiB,eAAA;;EAEjB,gBAAA,EAAkB,gBAAA;;EAElB,gBAAA,EAAkB,gBAAA;;EAElB,kBAAA,EAAoB,kBAAA;;EAEpB,qBAAA,EAAuB,qBAAA;;EAEvB,WAAA,EAAa,WAAA;;EAEb,aAAA,EAAe,aAAA;;EAEf,UAAA,EAAY,UAAA;;EAEZ,WAAA,EAAa,WAAA;;EAEb,eAAA,EAAiB,eAAA;;EAEjB,gBAAA,EAAkB,gBAAA;;EAElB,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,oBAAA,EAAsB,oBAAA;;EAEtB,qBAAA,EAAuB,qBAAA;;EAEvB,0BAAA,EAA4B,0BAAA;;EAE5B,oBAAA,EAAsB,oBAAA;;EAEtB,iBAAA,EAAmB,iBAAA;;EAEnB,kBAAA,EAAoB,kBAAA;;EAEpB,mBAAA,EAAqB,mBAAA;;EAErB,gBAAA,EAAkB,gBAAA;;EAElB,iBAAA,EAAmB,iBAAA;;EAEnB,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,sBAAA,EAAwB,sBAAA;;EAExB,uBAAA,EAAyB,uBAAA;;EAEzB,oBAAA,EAAsB,oBAAA;;EAEtB,qBAAA,EAAuB,qBAAA;;EAEvB,2BAAA,EAA6B,2BAAA;;EAE7B,4BAAA,EAA8B,4BAAA;;EAE9B,yBAAA,EAA2B,yBAAA;;EAE3B,0BAAA,EAA4B,0BAAA;;EAE5B,6BAAA,EAA+B,6BAAA;;EAE/B,8BAAA,EAAgC,8BAAA;;EAEhC,2BAAA,EAA6B,2BAAA;;EAE7B,4BAAA,EAA8B,4BAAA;;EAE9B,uBAAA,EAAyB,uBAAA;;EAEzB,wBAAA,EAA0B,wBAAA;;EAE1B,qBAAA,EAAuB,qBAAA;;EAEvB,sBAAA,EAAwB,sBAAA;;EAExB,sBAAA,EAAwB,sBAAA;;EAExB,uBAAA,EAAyB,uBAAA;;EAEzB,oBAAA,EAAsB,oBAAA;;EAEtB,qBAAA,EAAuB,qBAAA;;EAEvB,0BAAA,EAA4B,0BAAA;;EAE5B,wBAAA,EAA0B,wBAAA;;EAE1B,yBAAA,EAA2B,yBAAA;;EAE3B,aAAA,EAAe,aAAA;;EAEf,uBAAA,EAAyB,uBAAA;;EAEzB,qBAAA,EAAuB,qBAAA;;EAEvB,sBAAA,EAAwB,sBAAA;;EAExB,eAAA,EAAiB,eAAA;;EAEjB,YAAA,EAAc,YAAA;;EAEd,eAAA,EAAiB,eAAA;;EAEjB,gBAAA,EAAkB,gBAAA;;EAElB,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,cAAA,EAAgB,cAAA;;EAEhB,kBAAA,EAAoB,kBAAA;;EAEpB,mBAAA,EAAqB,mBAAA;;EAErB,gBAAA,EAAkB,gBAAA;;EAElB,iBAAA,EAAmB,iBAAA;;EAEnB,mBAAA,EAAqB,mBAAA;;EAErB,iBAAA,EAAmB,iBAAA;;EAEnB,kBAAA,EAAoB,kBAAA;;EAEpB,UAAA,EAAY,UAAA;;EAEZ,aAAA,EAAe,aAAA;;EAEf,cAAA,EAAgB,cAAA;;EAEhB,eAAA,EAAiB,eAAA;;EAEjB,qBAAA,EAAuB,qBAAA;;EAEvB,qBAAA,EAAuB;AACzB;AAeO,IAAM,WAAA,GAAc;AACzB,EAAA,UAAA;AACA,EAAA,WAAA;AACA,EAAA,uBAAA;AACA,EAAA,oBAAA;AACA,EAAA,qBAAA;AACA,EAAA,0BAAA;AACA,EAAA,uBAAA;AACA,EAAA,eAAA;AACA,EAAA,eAAA;AACA,EAAA,gBAAA;AACA,EAAA,aAAA;AACA,EAAA,cAAA;AACA,EAAA,WAAA;AACA,EAAA,uBAAA;AACA,EAAA,eAAA;AACA,EAAA,gBAAA;AACA,EAAA,iBAAA;AACA,EAAA,kBAAA;AACA,EAAA,eAAA;AACA,EAAA,gBAAA;AACA,EAAA,gBAAA;AACA,EAAA,kBAAA;AACA,EAAA,qBAAA;AACA,EAAA,WAAA;AACA,EAAA,aAAA;AACA,EAAA,UAAA;AACA,EAAA,WAAA;AACA,EAAA,eAAA;AACA,EAAA,gBAAA;AACA,EAAA,aAAA;AACA,EAAA,cAAA;AACA,EAAA,oBAAA;AACA,EAAA,qBAAA;AACA,EAAA,0BAAA;AACA,EAAA,oBAAA;AACA,EAAA,iBAAA;AACA,EAAA,kBAAA;AACA,EAAA,mBAAA;AACA,EAAA,gBAAA;AACA,EAAA,iBAAA;AACA,EAAA,aAAA;AACA,EAAA,cAAA;AACA,EAAA,sBAAA;AACA,EAAA,uBAAA;AACA,EAAA,oBAAA;AACA,EAAA,qBAAA;AACA,EAAA,2BAAA;AACA,EAAA,4BAAA;AACA,EAAA,yBAAA;AACA,EAAA,0BAAA;AACA,EAAA,6BAAA;AACA,EAAA,8BAAA;AACA,EAAA,2BAAA;AACA,EAAA,4BAAA;AACA,EAAA,uBAAA;AACA,EAAA,wBAAA;AACA,EAAA,qBAAA;AACA,EAAA,sBAAA;AACA,EAAA,sBAAA;AACA,EAAA,uBAAA;AACA,EAAA,oBAAA;AACA,EAAA,qBAAA;AACA,EAAA,0BAAA;AACA,EAAA,wBAAA;AACA,EAAA,yBAAA;AACA,EAAA,aAAA;AACA,EAAA,uBAAA;AACA,EAAA,qBAAA;AACA,EAAA,sBAAA;AACA,EAAA,eAAA;AACA,EAAA,YAAA;AACA,EAAA,eAAA;AACA,EAAA,gBAAA;AACA,EAAA,aAAA;AACA,EAAA,cAAA;AACA,EAAA,cAAA;AACA,EAAA,kBAAA;AACA,EAAA,mBAAA;AACA,EAAA,gBAAA;AACA,EAAA,iBAAA;AACA,EAAA,mBAAA;AACA,EAAA,iBAAA;AACA,EAAA;AACF;AAaO,IAAM,oBAAA,GAAuB;;EAElC,QAAA,EAAU,UAAA;;EAEV,SAAA,EAAW,WAAA;;EAEX,qBAAA,EAAuB,uBAAA;;EAEvB,kBAAA,EAAoB,oBAAA;;EAEpB,mBAAA,EAAqB,qBAAA;;EAErB,wBAAA,EAA0B,0BAAA;;EAE1B,qBAAA,EAAuB,uBAAA;;EAEvB,aAAA,EAAe,eAAA;;EAEf,aAAA,EAAe,eAAA;;EAEf,cAAA,EAAgB,gBAAA;;EAEhB,WAAA,EAAa,aAAA;;EAEb,YAAA,EAAc,cAAA;;EAEd,SAAA,EAAW,WAAA;;EAEX,qBAAA,EAAuB,uBAAA;;EAEvB,aAAA,EAAe,eAAA;;EAEf,cAAA,EAAgB,gBAAA;;EAEhB,eAAA,EAAiB,iBAAA;;EAEjB,gBAAA,EAAkB,kBAAA;;EAElB,aAAA,EAAe,eAAA;;EAEf,cAAA,EAAgB,gBAAA;;EAEhB,cAAA,EAAgB,gBAAA;;EAEhB,gBAAA,EAAkB,kBAAA;;EAElB,mBAAA,EAAqB,qBAAA;;EAErB,SAAA,EAAW,WAAA;;EAEX,WAAA,EAAa,aAAA;;EAEb,QAAA,EAAU,UAAA;;EAEV,SAAA,EAAW,WAAA;;EAEX,aAAA,EAAe,eAAA;;EAEf,cAAA,EAAgB,gBAAA;;EAEhB,WAAA,EAAa,aAAA;;EAEb,YAAA,EAAc,cAAA;;EAEd,kBAAA,EAAoB,oBAAA;;EAEpB,mBAAA,EAAqB,qBAAA;;EAErB,wBAAA,EAA0B,0BAAA;;EAE1B,kBAAA,EAAoB,oBAAA;;EAEpB,eAAA,EAAiB,iBAAA;;EAEjB,gBAAA,EAAkB,kBAAA;;EAElB,iBAAA,EAAmB,mBAAA;;EAEnB,cAAA,EAAgB,gBAAA;;EAEhB,eAAA,EAAiB,iBAAA;;EAEjB,WAAA,EAAa,aAAA;;EAEb,YAAA,EAAc,cAAA;;EAEd,oBAAA,EAAsB,sBAAA;;EAEtB,qBAAA,EAAuB,uBAAA;;EAEvB,kBAAA,EAAoB,oBAAA;;EAEpB,mBAAA,EAAqB,qBAAA;;EAErB,yBAAA,EAA2B,2BAAA;;EAE3B,0BAAA,EAA4B,4BAAA;;EAE5B,uBAAA,EAAyB,yBAAA;;EAEzB,wBAAA,EAA0B,0BAAA;;EAE1B,2BAAA,EAA6B,6BAAA;;EAE7B,4BAAA,EAA8B,8BAAA;;EAE9B,yBAAA,EAA2B,2BAAA;;EAE3B,0BAAA,EAA4B,4BAAA;;EAE5B,qBAAA,EAAuB,uBAAA;;EAEvB,sBAAA,EAAwB,wBAAA;;EAExB,mBAAA,EAAqB,qBAAA;;EAErB,oBAAA,EAAsB,sBAAA;;EAEtB,oBAAA,EAAsB,sBAAA;;EAEtB,qBAAA,EAAuB,uBAAA;;EAEvB,kBAAA,EAAoB,oBAAA;;EAEpB,mBAAA,EAAqB,qBAAA;;EAErB,wBAAA,EAA0B,0BAAA;;EAE1B,sBAAA,EAAwB,wBAAA;;EAExB,uBAAA,EAAyB,yBAAA;;EAEzB,WAAA,EAAa,aAAA;;EAEb,qBAAA,EAAuB,uBAAA;;EAEvB,mBAAA,EAAqB,qBAAA;;EAErB,oBAAA,EAAsB,sBAAA;;EAEtB,aAAA,EAAe,eAAA;;EAEf,UAAA,EAAY,YAAA;;EAEZ,aAAA,EAAe,eAAA;;EAEf,cAAA,EAAgB,gBAAA;;EAEhB,WAAA,EAAa,aAAA;;EAEb,YAAA,EAAc,cAAA;;EAEd,YAAA,EAAc,cAAA;;EAEd,gBAAA,EAAkB,kBAAA;;EAElB,iBAAA,EAAmB,mBAAA;;EAEnB,cAAA,EAAgB,gBAAA;;EAEhB,eAAA,EAAiB,iBAAA;;EAEjB,iBAAA,EAAmB,mBAAA;;EAEnB,eAAA,EAAiB,iBAAA;;EAEjB,gBAAA,EAAkB;AACpB;AAoCO,SAAS,yBAAyB,OAAA,EAA+C;AACtF,EAAA,OAAO,OAAA,IAAW,mBAAA;AACpB;AAKO,SAAS,oBAAoB,WAAA,EAA2D;AAC7F,EAAA,OAAO,WAAA,CAAY,MAAM,wBAAwB,CAAA;AACnD;AChnBA,SAAS,eAAA,CAAgB;AACvB,EAAA,OAAA;AACA,EAAA,cAAA;AACA,EAAA;AACF,CAAA,EAAoG;AAClG,EAAA,MAAM,aAAA,GAAiC;IACrC,GAAG;AAAA,GAAA;AAGL,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,aAAA,CAAc,cAAA,GAAiB,cAAA;AACjC,EAAA;AAEA,EAAA,IAAI,QAAA,IAAY,SAAS,QAAA,EAAU;AACjC,IAAA,aAAA,CAAc,QAAA,GAAW;MACvB,GAAI,OAAA,EAAS,YAAY,EAAA;AACzB,MAAA,GAAI,YAAY;AAAC,KAAA;AAErB,EAAA;AAEA,EAAA,OAAO,OAAO,IAAA,CAAK,aAAa,CAAA,CAAE,MAAA,GAAS,IAAI,aAAA,GAAgB,MAAA;AACjE;AAEA,SAAS,cAAc,KAAA,EAAsC;AAC3D,EAAA,IAAI,UAAU,IAAA,EAAM;AAClB,IAAA,OAAO,IAAA;AACT,EAAA;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,IAAA,OAAO,KAAA;AACT,EAAA;AAEA,EAAA,MAAM,SAAA,GAAY,KAAA;AAClB,EAAA,OACE,SAAA,CAAU,cAAc,QAAA,KACvB,SAAA,CAAU,mBAAmB,MAAA,IAAa,OAAO,UAAU,cAAA,KAAmB,QAAA,CAAA;AAEnF;AAEO,SAAS,sBAAsB,OAAA,EAAyB;AAC7D,EAAA,OAAO,OAAA;AACT;AAEO,SAAS,yBAAyB,UAAA,EAA4B;AACnE,EAAA,OAAO,UAAA;AACT;AAEO,SAAS,+BAA+B,QAAA,EAA0B;AACvE,EAAA,OAAO,QAAA;AACT;AAEO,SAAS,yBAAA,CAA0B,SAAiB,QAAA,EAA0B;AACnF,EAAA,OAAO,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,QAAQ,CAAA,CAAA;AAC/B;AAEO,SAAS,uBAAA,CAAwB,YAAoB,QAAA,EAA0B;AACpF,EAAA,OAAO,IAAA,CAAK,SAAA,CAAU,CAAC,UAAA,EAAY,QAAQ,CAAC,CAAA;AAC9C;AAQA,eAAsB,SAAS,OAAA,EAAyC;AACtE,EAAA,MAAM,WAAW,OAAO,CAAA;AAC1B;AAQA,eAAsB,WAAW,OAAA,EAA2C;AAC1E,EAAA,MAAM,EAAE,aAAa,IAAA,EAAM,QAAA,EAAU,YAAY,OAAA,EAAS,cAAA,EAAgB,QAAA,EAAU,KAAA,EAAA,GAAU,OAAA;AAE9F,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA;AACF,EAAA;AAEA,EAAA,MAAM,aAAa,eAAA,CAAgB,EAAE,OAAA,EAAS,cAAA,EAAgB,UAAU,CAAA;AACxE,EAAA,MAAM,UAAU,qBAAA,EAAA;AAEhB,EAAA,IAAI,aAAA,CAAc,KAAK,CAAA,EAAG;AACxB,IAAA,MAAM,oBAAA,GAAuB,UAAA,EAAY,cAAA,EAAgB,GAAA,CAAI,gBAAgB,CAAA;AAC7E,IAAA,IAAI,OAAO,oBAAA,KAAyB,QAAA,IAAY,oBAAA,CAAqB,WAAW,CAAA,EAAG;AACjF,MAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,QAAA,EAAU,YAAY,sDAAsD,CAAA;AAC7G,IAAA;AAEA,IAAA,MAAM,cAAA,GAAA,CACH,KAAA,KAAU,IAAA,GAAO,MAAA,GAAY,MAAM,cAAA,MACnC,OAAO,UAAA,EAAY,QAAA,GAAW,gBAAgB,CAAA,KAAM,QAAA,GACjD,UAAA,CAAW,QAAA,CAAS,gBAAgB,CAAA,GACpC,MAAA,CAAA;AAEN,IAAA,IAAI;AACF,MAAA,cAAA,CAAe,iBAAA,EAAmB,OAAA,CAAQ,WAAA,IAAe,gCAAA,EAAA,EAAoC;QAC3F,OAAA,EAAS,KAAA;QACT,UAAA,EAAY,QAAA;AACZ,QAAA,aAAA,EAAe,QAAA,CAAS,IAAA;AACxB,QAAA,WAAA,EAAa,QAAA,CAAS,EAAA;AACtB,QAAA,UAAA;QACA,OAAA,EAAS,IAAA;QACT,0BAAA,EAA4B,IAAA;QAC5B,eAAA,EAAiB,cAAA;AACjB,QAAA,aAAA,EAAe,OAAA,CAAQ,KAAA;AACvB,QAAA,YAAA,EAAc,OAAA,CAAQ,WAAA;AACtB,QAAA,kBAAA,EAAoB,OAAA,CAAQ;OAC7B,CAAA;IACH,CAAA,CAAA,MAAQ;AAER,IAAA;AACA,IAAA;AACF,EAAA;AAEA,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,MAAM,IAAI,cAAA,CAAe,IAAA,EAAM,QAAA,EAAU,YAAY,gCAAgC,CAAA;AACvF,EAAA;AAEA,EAAA,MAAM,WAAA,CAAY,OAAA;AAChB,IAAA,IAAA;IACA,UAAA,GAAa,EAAE,UAAU,UAAA,EAAY,OAAA,EAAS,YAAA,GAAe,EAAE,UAAU,UAAA;AAAW,GAAA;AAGtF,EAAA,IAAI;AACF,IAAA,cAAA,CAAe,mBAAmB,IAAA,EAAM,EAAA,IAAM,OAAA,CAAQ,WAAA,IAAe,kCAAA,EAAoC;MACvG,OAAA,EAAS,KAAA;MACT,UAAA,EAAY,MAAA;AACZ,MAAA,aAAA,EAAe,QAAA,CAAS,IAAA;AACxB,MAAA,WAAA,EAAa,QAAA,CAAS,EAAA;AACtB,MAAA,UAAA;AACA,MAAA,OAAA,EAAS,MAAM,EAAA,IAAM,IAAA;AACrB,MAAA,0BAAA,EAA4B,MAAM,wBAAA,IAA4B,IAAA;AAC9D,MAAA,aAAA,EAAe,OAAA,CAAQ,KAAA;AACvB,MAAA,YAAA,EAAc,OAAA,CAAQ,WAAA;AACtB,MAAA,kBAAA,EAAoB,OAAA,CAAQ;KAC7B,CAAA;EACH,CAAA,CAAA,MAAQ;AAER,EAAA;AACF;AAKO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AACxB,EAAA,IAAA;AACA,EAAA,QAAA;AACA,EAAA,UAAA;AACA,EAAA,MAAA;EAEhB,WAAA,CACE,IAAA,EACA,QAAA,EACA,UAAA,EACA,MAAA,EACA;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,EAAM,EAAA,IAAM,IAAA,EAAM,QAAA,IAAY,SAAA;AAC7C,IAAA,MAAM,eAAA,GAAkB,KAAA,CAAM,OAAA,CAAQ,UAAU,CAAA,GAAI,WAAW,UAAA,CAAW,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,GAAM,UAAA;AAC1F,IAAA,KAAA;AACE,MAAA,MAAA,GACI,CAAA,0BAAA,EAA6B,MAAM,CAAA,CAAA,GACnC,CAAA,+BAAA,EAAkC,MAAM,CAAA,QAAA,EAAW,eAAe,CAAA,IAAA,EAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,QAAA,CAAS,EAAE,CAAA;AAAA,KAAA;AAE3G,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,GAAA;AAChB,EAAA;AACF;ACrLO,IAAM,aAAA,GAAkC;AAC7C,EAAA;IACE,EAAA,EAAI,OAAA;IACJ,IAAA,EAAM,OAAA;IACN,WAAA,EAAa,0CAAA;AACb,IAAA,WAAA,EAAa,CAAC,GAAG;AAAA,GAAA;AAEnB,EAAA;IACE,EAAA,EAAI,OAAA;IACJ,IAAA,EAAM,OAAA;IACN,WAAA,EAAa,4CAAA;IACb,WAAA,EAAa;AACX,MAAA,QAAA;AACA,MAAA,SAAA;AACA,MAAA,WAAA;AACA,MAAA,WAAA;AACA,MAAA;;AAAA;AAEF,GAAA;AAEF,EAAA;IACE,EAAA,EAAI,QAAA;IACJ,IAAA,EAAM,QAAA;IACN,WAAA,EAAa,8BAAA;IACb,WAAA,EAAa,CAAC,UAAU,WAAW;AAAA,GAAA;AAErC,EAAA;IACE,EAAA,EAAI,QAAA;IACJ,IAAA,EAAM,QAAA;IACN,WAAA,EAAa,kBAAA;AACb,IAAA,WAAA,EAAa,CAAC,QAAQ;AAAA;AAE1B;AAWO,SAAS,eAAe,MAAA,EAA4C;AACzE,EAAA,OAAO,cAAc,IAAA,CAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,OAAO,MAAM,CAAA;AACtD;AAWO,SAAS,kBAAA,CAAmB,OAAA,EAAmB,KAAA,GAA0B,aAAA,EAAyB;AACvG,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAA;AACxB,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAA;AAEpB,EAAA,SAAS,YAAY,MAAA,EAAgB;AACnC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AACzB,IAAA,OAAA,CAAQ,IAAI,MAAM,CAAA;AAElB,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAC5C,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,KAAA,MAAW,UAAA,IAAc,KAAK,WAAA,EAAa;AACzC,MAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAC5B,IAAA;AAGA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,KAAA,MAAW,eAAA,IAAmB,KAAK,QAAA,EAAU;AAC3C,QAAA,WAAA,CAAY,eAAe,CAAA;AAC7B,MAAA;AACF,IAAA;AACF,EAAA;AAEA,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,IAAA,WAAA,CAAY,MAAM,CAAA;AACpB,EAAA;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;AAOA,IAAM,mBAAA,GAAyD;EAC7D,MAAA,EAAQ;AACN,IAAA,eAAA;AACA,IAAA,oBAAA;AACA,IAAA,sBAAA;AACA,IAAA,gBAAA;AACA,IAAA,eAAA;AACA,IAAA;AAAA;AAEJ,CAAA;AAmBO,SAAS,iBAAA,CAAkB,gBAAwB,kBAAA,EAAqC;AAE7F,EAAA,IAAI,mBAAmB,GAAA,EAAK;AAC1B,IAAA,OAAO,IAAA;AACT,EAAA;AAEA,EAAA,MAAM,YAAA,GAAe,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC7C,EAAA,MAAM,aAAA,GAAgB,kBAAA,CAAmB,KAAA,CAAM,GAAG,CAAA;AAIlD,EAAA,MAAM,gBAAA,GAAmB,mBAAA,CAAoB,YAAA,CAAa,CAAC,KAAK,EAAE,CAAA;AAClE,EAAA,IAAI,oBAAoB,gBAAA,CAAiB,QAAA,CAAS,cAAc,CAAC,CAAA,IAAK,EAAE,CAAA,EAAG;AACzE,IAAA,MAAM,OAAA,GAAU,CAAC,aAAA,CAAc,CAAC,CAAA,EAAG,GAAG,YAAA,CAAa,KAAA,CAAM,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AACrE,IAAA,OAAO,iBAAA,CAAkB,SAAS,kBAAkB,CAAA;AACtD,EAAA;AAGA,EAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,aAAA,CAAc,SAAS,CAAA,EAAG;AACvD,IAAA,OAAO,cAAA,KAAmB,kBAAA;AAC5B,EAAA;AAEA,EAAA,MAAM,CAAC,eAAA,EAAiB,aAAA,EAAe,SAAS,CAAA,GAAI,YAAA;AACpD,EAAA,MAAM,CAAC,gBAAA,EAAkB,cAAA,EAAgB,UAAU,CAAA,GAAI,aAAA;AAGvD,EAAA,IAAI,oBAAoB,GAAA,EAAK;AAE3B,IAAA,IAAI,kBAAkB,GAAA,EAAK;AACzB,MAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,QAAA,OAAO,IAAA;AACT,MAAA;AACA,MAAA,OAAO,SAAA,KAAc,UAAA;AACvB,IAAA;AAEA,IAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,oBAAoB,gBAAA,EAAkB;AACxC,IAAA,OAAO,KAAA;AACT,EAAA;AAGA,EAAA,IAAI,kBAAkB,GAAA,EAAK;AAGzB,IAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,MAAA,OAAO,IAAA;AACT,IAAA;AAEA,IAAA,OAAO,SAAA,KAAc,UAAA;AACvB,EAAA;AAGA,EAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,IAAA,OAAO,KAAA;AACT,EAAA;AAIA,EAAA,IAAI,cAAc,MAAA,EAAW;AAC3B,IAAA,OAAO,IAAA;AACT,EAAA;AAGA,EAAA,OAAO,SAAA,KAAc,UAAA;AACvB;AASO,SAAS,aAAA,CAAc,iBAA2B,kBAAA,EAAqC;AAC5F,EAAA,OAAO,gBAAgB,IAAA,CAAK,CAAA,MAAK,iBAAA,CAAkB,CAAA,EAAG,kBAAkB,CAAC,CAAA;AAC3E;AA4BO,SAAS,6BAAA,CAA8B,OAAiB,OAAA,EAAgC;AAC7F,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAA;AACxB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,UAAU,CAAA,IAAK,EAAA;AAE5C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAA,GAAY,QAAQ,IAAI,CAAA;AAC9B,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;IACF,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,QAAQ,YAAA,EAAc;AAC/B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AACtB,MAAA;AACF,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;AC5MO,IAAM,qBAAN,MAA0E;AACvE,EAAA,KAAA;AACA,EAAA,YAAA;AACA,EAAA,cAAA;AACA,EAAA,eAAA,uBAAsB,GAAA,EAAA;;AAG9B,EAAA,IAAI,WAAA,GAAuC;AACzC,IAAA,OAAO,IAAA,CAAK,YAAA;AACd,EAAA;AAEA,EAAA,WAAA,CAAY,OAAA,EAA2C;AACrD,IAAA,IAAI,OAAA,IAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,EAAO;AACvC,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AACvB,IAAA;AACA,IAAA,IAAI,aAAA,IAAiB,OAAA,IAAW,OAAA,CAAQ,WAAA,EAAa;AACnD,MAAA,IAAA,CAAK,eAAe,OAAA,CAAQ,WAAA;AAC9B,IAAA;AACA,IAAA,IAAA,CAAK,iBAAiB,OAAA,CAAQ,YAAA;AAChC,EAAA;AAEA,EAAA,MAAM,SAAS,IAAA,EAAgC;AAC7C,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAC9C,IAAA,OAAO,OAAA;AACT,EAAA;EAEA,MAAM,OAAA,CAAQ,MAAa,IAAA,EAAgC;AACzD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAC5B,EAAA;AAEA,EAAA,MAAM,eAAe,IAAA,EAAgC;AACnD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAGxC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,IAAA,EAAA,CAAO,KAAK,GAAG,CAAA;AACxC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,QAAQ,OAAO,MAAA;AAGnB,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAK,YAAA,EAAc;AAErB,MAAA,WAAA,GAAc,6BAAA,CAA8B,OAAA,EAAS,IAAA,CAAK,YAAY,CAAA;AACxE,IAAA,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AAErB,MAAA,WAAA,GAAc,kBAAA,CAAmB,OAAA,EAAS,IAAA,CAAK,KAAK,CAAA;IACtD,CAAA,MAAO;AAEL,MAAA,WAAA,GAAc,EAAA;AAChB,IAAA;AAGA,IAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,WAAW,CAAA;AAE9C,IAAA,OAAO,WAAA;AACT,EAAA;EAEA,MAAM,aAAA,CAAc,MAAa,UAAA,EAAsC;AACrE,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,MAAK,iBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAC/D,EAAA;EAEA,MAAM,iBAAA,CAAkB,MAAa,WAAA,EAAyC;AAC5E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAChG,EAAA;EAEA,MAAM,gBAAA,CAAiB,MAAa,WAAA,EAAyC;AAC3E,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,CAAA,CAAA,KAAK,iBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAC/F,EAAA;;;;EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,gBAAgB,KAAA,EAAA;AACvB,EAAA;;;;;EAMA,kBAAA,GAAuC;AACrC,IAAA,OAAO,IAAA,CAAK,SAAS,EAAA;AACvB,EAAA;;;;;AAMA,EAAA,iBAAA,CAAkB,MAAA,EAA4C;AAC5D,IAAA,OAAO,KAAK,KAAA,EAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,OAAO,MAAM,CAAA;AAC9C,EAAA;;;;AAKA,EAAA,MAAM,iBAAA,GAA6D;AACjE,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,EAAA,EAAI,CAAA,CAAE,EAAA,EAAI,IAAA,EAAM,CAAA,CAAE,IAAA,EAAA,CAAO,CAAA;AACzD,IAAA;AACA,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,OAAO,IAAA,CAAK,IAAA,CAAK,YAAY,CAAA,CACjC,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,KAAM,UAAU,CAAA,CAC5B,GAAA,CAAI,CAAA,CAAA,MAAM,EAAE,IAAI,CAAA,EAAG,IAAA,EAAM,GAAA,CAAI,CAAA;AAClC,IAAA;AACA,IAAA,OAAO,EAAA;AACT,EAAA;;;;AAKA,EAAA,MAAM,sBAAsB,MAAA,EAAmC;AAC7D,IAAA,IAAI,KAAK,YAAA,EAAc;AACrB,MAAA,OAAO,6BAAA,CAA8B,CAAC,MAAM,CAAA,EAAG,KAAK,YAAY,CAAA;AAClE,IAAA;AACA,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,OAAO,kBAAA,CAAmB,CAAC,MAAM,CAAA,EAAG,KAAK,KAAK,CAAA;AAChD,IAAA;AACA,IAAA,OAAO,EAAA;AACT,EAAA;AACF","file":"chunk-FEIEEVTF.cjs","sourcesContent":["import { createHash } from 'node:crypto';\nimport os from 'node:os';\n\nexport type EEEventName = 'ee_license_check' | 'ee_feature_used';\n\nexport function isEETelemetryEnabled(): boolean {\n  return process.env['MASTRA_TELEMETRY_DISABLED'] !== '1';\n}\n\nexport function hashTelemetryValue(value: string): string {\n  return createHash('sha256').update(value).digest('hex');\n}\n\nfunction getHashedHostname(): string {\n  return hashTelemetryValue(os.hostname() || 'unknown-host').slice(0, 16);\n}\n\nexport function getEETelemetryFallbackDistinctId(): string {\n  return `mastra-${getHashedHostname()}`;\n}\n\ntype EETelemetryBridge = {\n  captureEEEvent?: (event: EEEventName, distinctId: string | undefined, properties?: Record<string, unknown>) => void;\n};\n\nconst EE_TELEMETRY_BRIDGE = Symbol.for('mastra.eeTelemetryBridge');\n\nfunction getTelemetryBridge(): EETelemetryBridge | undefined {\n  return (globalThis as typeof globalThis & { [EE_TELEMETRY_BRIDGE]?: EETelemetryBridge })[EE_TELEMETRY_BRIDGE];\n}\n\nexport function captureEEEvent(\n  event: EEEventName,\n  distinctId: string | undefined,\n  properties?: Record<string, unknown>,\n): void {\n  getTelemetryBridge()?.captureEEEvent?.(event, distinctId, properties);\n}\n\nexport function resetEETelemetryForTests(): void {}\n","/**\n * License validation for EE features.\n *\n * Validation is delegated to the Mastra license server via `LicenseClient`\n * (POST {MASTRA_LICENSE_URL}/validate). The client validates in the\n * background and caches the result; the synchronous helpers in this module\n * read the cached state:\n *\n * - No license key configured → EE features disabled.\n * - Key configured, validation pending → fail open (features enabled) until\n *   the first server response settles the state.\n * - Server says invalid/revoked/expired → EE features disabled.\n * - Server unreachable → fail open with a 72h grace period for previously\n *   validated licenses.\n *\n * `MASTRA_LICENSE_KEY` is the primary env var; `MASTRA_EE_LICENSE` is a\n * supported legacy alias.\n */\n\nimport { hashTelemetryValue } from './telemetry';\n\ninterface IMastraLogger {\n  warn(message: string): void;\n  info(message: string): void;\n  error(message: string): void;\n}\n\nexport interface LicenseValidationSuccess {\n  valid: true;\n  /** Feature entitlements granted by the license (e.g. 'rbac', 'sso', 'fga') */\n  entitlements: string[];\n  /** Plan tier the license was issued for (e.g. 'teams', 'enterprise') */\n  planTier: string;\n  expiresAt: string | null;\n  leaseTtlSeconds: number;\n}\n\nexport interface LicenseValidationError {\n  valid: false;\n  code: 'INVALID_KEY' | 'LICENSE_EXPIRED' | 'LICENSE_REVOKED' | 'RATE_LIMITED';\n  reason: string;\n}\n\nexport type LicenseValidationResponse = LicenseValidationSuccess | LicenseValidationError;\n\nexport type LicenseMode = 'enterprise' | 'open-source';\n\nexport type LicenseStatus = 'pending' | 'valid' | 'invalid';\n\nexport interface LicenseSnapshot {\n  mode: LicenseMode;\n  status: LicenseStatus;\n  entitlements: string[] | null;\n  planTier: string | null;\n  expiresAt: string | null;\n}\n\nexport class LicenseClient {\n  private static instance: LicenseClient | undefined;\n  private logger?: IMastraLogger;\n\n  private licenseKey?: string;\n  private licenseUrl?: string;\n\n  private mode: LicenseMode = 'open-source';\n  private status: LicenseStatus = 'pending';\n\n  private cachedResult: LicenseValidationSuccess | null = null;\n  private cacheExpiry: number = 0;\n  private gracePeriodEnd: number = 0;\n\n  private revalidationTimeout: NodeJS.Timeout | null = null;\n  private readonly GRACE_PERIOD_MS = 72 * 60 * 60 * 1000; // 72 hours\n  private readonly DEFAULT_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\n  private constructor(logger?: IMastraLogger) {\n    this.logger = logger;\n    // MASTRA_LICENSE_KEY is the primary env var; MASTRA_EE_LICENSE is a\n    // supported legacy alias kept for backward compatibility.\n    this.licenseKey = process.env.MASTRA_LICENSE_KEY || process.env.MASTRA_EE_LICENSE;\n    this.licenseUrl = process.env.MASTRA_LICENSE_URL || 'https://license.mastra.ai';\n\n    if (this.licenseKey) {\n      this.mode = 'enterprise';\n    } else {\n      this.mode = 'open-source';\n    }\n  }\n\n  public static getInstance(logger?: IMastraLogger): LicenseClient {\n    if (!LicenseClient.instance) {\n      LicenseClient.instance = new LicenseClient(logger);\n    } else if (logger) {\n      LicenseClient.instance.logger = logger;\n    }\n    return LicenseClient.instance;\n  }\n\n  /**\n   * Reset the singleton so the next getInstance() re-reads env vars.\n   * Intended for tests.\n   */\n  public static resetInstance(): void {\n    if (LicenseClient.instance?.revalidationTimeout) {\n      clearTimeout(LicenseClient.instance.revalidationTimeout);\n    }\n    LicenseClient.instance = undefined;\n  }\n\n  private readonly REQUEST_TIMEOUT_MS = 10_000;\n\n  private async fetchWithRetry(url: string, options: RequestInit, retries: number = 3): Promise<Response> {\n    for (let i = 0; i < retries; i++) {\n      // Bound each attempt so a stalled socket can't hang the in-flight\n      // validation promise that all concurrent callers share.\n      const controller = new AbortController();\n      const timer = setTimeout(() => controller.abort(), this.REQUEST_TIMEOUT_MS);\n      timer.unref?.();\n      try {\n        const signal = options.signal\n          ? AbortSignal.any([options.signal as AbortSignal, controller.signal])\n          : controller.signal;\n        const response = await fetch(url, { ...options, signal });\n        if (response.status === 429 || response.status >= 500) {\n          if (i === retries - 1) return response;\n        } else {\n          return response;\n        }\n      } catch (error) {\n        if (i === retries - 1) throw error;\n      } finally {\n        clearTimeout(timer);\n      }\n      const delay = Math.pow(2, i) * 1000; // 1s, 2s, 4s\n      await new Promise(resolve => setTimeout(resolve, delay));\n    }\n    throw new Error('Unreachable');\n  }\n\n  private validationPromise: Promise<boolean> | null = null;\n\n  public async validate(): Promise<boolean> {\n    if (this.mode === 'open-source') {\n      return true;\n    }\n\n    // Check if cache is valid\n    if (this.cachedResult && Date.now() < this.cacheExpiry) {\n      return true;\n    }\n\n    return this.revalidate();\n  }\n\n  /**\n   * Contact the server regardless of cache freshness, coalescing concurrent\n   * callers (e.g. the Mastra constructor and the auth/ee helpers both kicking\n   * off validation at startup) into a single in-flight request so the server\n   * is contacted — and the outcome logged — only once. Used directly by the\n   * background revalidation timer, which must bypass the cache check.\n   */\n  private revalidate(): Promise<boolean> {\n    if (!this.validationPromise) {\n      this.validationPromise = this.performValidation().finally(() => {\n        this.validationPromise = null;\n      });\n    }\n    return this.validationPromise;\n  }\n\n  private async performValidation(): Promise<boolean> {\n    const now = Date.now();\n\n    // Attempt to validate against server\n    try {\n      if (!this.licenseUrl?.startsWith('https://') && !this.licenseUrl?.includes('localhost')) {\n        this.logger?.warn('License URL is not HTTPS. Proceeding, but this is insecure.');\n      }\n\n      const response = await this.fetchWithRetry(`${this.licenseUrl}/validate`, {\n        method: 'POST',\n        headers: {\n          'content-type': 'application/json',\n        },\n        body: JSON.stringify({ licenseKey: this.licenseKey }),\n      });\n\n      // A 429 or 5xx that survived the retries is a transient server\n      // condition, not a verdict on the license — treat it like an\n      // unreachable server so the lease/grace semantics below apply\n      // instead of invalidating the key.\n      if (response.status === 429 || response.status >= 500) {\n        throw new Error(`License server responded with ${response.status}`);\n      }\n\n      const data = (await response.json()) as LicenseValidationResponse;\n\n      if (data.valid) {\n        this.status = 'valid';\n        this.logger?.info(\n          `License validated: ${data.planTier} tier${data.expiresAt ? `, expires ${data.expiresAt.slice(0, 10)}` : ''}`,\n        );\n        this.cachedResult = data;\n\n        const ttlSeconds = data.leaseTtlSeconds || this.DEFAULT_TTL_MS / 1000;\n        this.cacheExpiry = now + ttlSeconds * 1000;\n        this.gracePeriodEnd = now + this.GRACE_PERIOD_MS;\n\n        this.scheduleRevalidation(ttlSeconds);\n        return true;\n      } else if (data.code === 'RATE_LIMITED') {\n        // Defensive: a throttle marker in the body without a 429 status is\n        // still transient, not a license verdict.\n        throw new Error(`License server rate limited: ${data.reason}`);\n      } else {\n        this.status = 'invalid';\n        this.logger?.error(`License validation failed: ${data.code} - ${data.reason}`);\n        this.clearCache();\n        return false;\n      }\n    } catch {\n      // Network error or server unreachable\n      if (this.cachedResult && now < this.gracePeriodEnd) {\n        this.logger?.warn('License server unreachable. Using cached license (within grace period).');\n        this.status = 'valid';\n        this.scheduleRevalidation(this.DEFAULT_TTL_MS / 1000); // Retry later\n        return true;\n      } else if (this.cachedResult) {\n        this.logger?.error('License server unreachable and grace period expired. Disabling enterprise features.');\n        this.status = 'invalid';\n        this.clearCache();\n        return false;\n      } else {\n        // First call failed\n        this.logger?.warn('License server unreachable on startup. Failing open (allowing features) and will retry.');\n\n        // Mock a success to fail open, but set a short TTL to force quick retry\n        this.status = 'valid';\n        this.cachedResult = {\n          valid: true,\n          entitlements: [],\n          planTier: 'unknown',\n          expiresAt: null,\n          leaseTtlSeconds: 300, // 5 minutes\n        };\n        this.cacheExpiry = now + 300 * 1000;\n        this.gracePeriodEnd = now + this.GRACE_PERIOD_MS;\n        this.scheduleRevalidation(300);\n        return true;\n      }\n    }\n  }\n\n  private scheduleRevalidation(ttlSeconds: number) {\n    if (this.revalidationTimeout) {\n      clearTimeout(this.revalidationTimeout);\n    }\n\n    // Revalidate at 75% of TTL\n    const revalidateMs = ttlSeconds * 1000 * 0.75;\n    this.revalidationTimeout = setTimeout(() => {\n      this.logger?.info('Performing background license revalidation...');\n      // revalidate(), not validate(): at 75% of TTL the cache is still fresh,\n      // so validate()'s early return would skip the refresh entirely.\n      this.revalidate().catch(err => {\n        this.logger?.error(\n          `Background license revalidation failed: ${err instanceof Error ? err.message : String(err)}`,\n        );\n      });\n    }, revalidateMs);\n\n    // Ensure the timeout doesn't keep the Node process alive\n    this.revalidationTimeout.unref();\n  }\n\n  private clearCache() {\n    this.cachedResult = null;\n    this.cacheExpiry = 0;\n    this.gracePeriodEnd = 0;\n    this.status = 'invalid';\n    if (this.revalidationTimeout) {\n      clearTimeout(this.revalidationTimeout);\n      this.revalidationTimeout = null;\n    }\n  }\n\n  public hasFeature(featureName: string): boolean {\n    if (this.mode === 'open-source') return true;\n    if (this.status === 'pending') return true;\n    if (this.status === 'invalid') return false;\n    if (!this.cachedResult) return false;\n\n    // While failing open (server unreachable on startup) the entitlements\n    // list is empty but the unknown planTier marks the result as tentative.\n    if (this.cachedResult.planTier === 'unknown') return true;\n\n    return this.cachedResult.entitlements.includes(featureName);\n  }\n\n  public getEntitlements(): string[] | null {\n    if (this.mode === 'open-source') return null;\n    return this.cachedResult?.entitlements || null;\n  }\n\n  public getSnapshot(): LicenseSnapshot {\n    return {\n      mode: this.mode,\n      status: this.status,\n      entitlements: this.cachedResult?.entitlements ?? null,\n      planTier: this.cachedResult?.planTier ?? null,\n      expiresAt: this.cachedResult?.expiresAt ?? null,\n    };\n  }\n}\n\n/**\n * License information.\n */\nexport interface LicenseInfo {\n  /** Whether the license is valid */\n  valid: boolean;\n  /** License expiration date */\n  expiresAt?: Date;\n  /** Features enabled by this license */\n  features?: string[];\n  /** Organization name */\n  organization?: string;\n  /** License plan tier (e.g. 'teams', 'enterprise') */\n  tier?: string;\n}\n\nexport interface SafeLicenseSummary {\n  valid: boolean;\n  isDevEnvironment: boolean;\n  licenseHash?: string;\n  anonymousId?: string;\n  features?: string[];\n  tier?: string;\n}\n\n/**\n * Resolve the configured license key.\n * `MASTRA_LICENSE_KEY` is primary; `MASTRA_EE_LICENSE` is a supported legacy alias.\n */\nfunction getLicenseKey(): string | undefined {\n  return process.env['MASTRA_LICENSE_KEY'] || process.env['MASTRA_EE_LICENSE'];\n}\n\nlet validationStarted = false;\nlet hasWarnedAboutDevLicense = false;\n\n/**\n * Get the shared LicenseClient and kick off background validation on first use.\n */\nfunction getClient(): LicenseClient {\n  const client = LicenseClient.getInstance();\n  if (!validationStarted) {\n    validationStarted = true;\n    void client.validate().catch(() => {\n      // Background validation failures are handled inside LicenseClient\n      // (grace period / fail-open). Never let them surface here.\n    });\n  }\n  return client;\n}\n\n/**\n * Start license validation against the license server.\n *\n * Safe to call multiple times — the underlying client caches results and\n * schedules its own background revalidation. Resolves to whether the license\n * is currently considered valid.\n */\nexport function startLicenseValidation(): Promise<boolean> {\n  const client = LicenseClient.getInstance();\n  validationStarted = true;\n  return client.validate();\n}\n\n/**\n * Validate the configured license and return license information.\n *\n * Reflects the current server-backed validation state. The actual network\n * validation happens in the background via `LicenseClient`, and only the\n * configured key (env var) is ever validated — passing any other key\n * returns invalid.\n *\n * @param licenseKey - Optional key to check; must match the configured key.\n * @returns License information\n */\nexport function validateLicense(licenseKey?: string): LicenseInfo {\n  const configuredKey = getLicenseKey();\n  const key = licenseKey ?? configuredKey;\n\n  if (!key) {\n    return { valid: false };\n  }\n\n  // The client only ever validates the configured key, so its snapshot can't\n  // vouch for any other key the caller supplies.\n  if (licenseKey !== undefined && licenseKey !== configuredKey) {\n    return { valid: false };\n  }\n\n  const snap = getClient().getSnapshot();\n\n  return {\n    valid: snap.status !== 'invalid',\n    features: snap.entitlements ?? undefined,\n    tier: snap.planTier ?? undefined,\n    expiresAt: snap.expiresAt ? new Date(snap.expiresAt) : undefined,\n  };\n}\n\n/**\n * Check if EE features are enabled (valid or pending server validation).\n *\n * @returns True if EE features should be enabled\n */\nexport function isLicenseValid(): boolean {\n  if (!getLicenseKey()) {\n    return false;\n  }\n\n  // 'valid' or 'pending' (fail open until the first server response).\n  // LicenseClient logs the failure reason when the server rejects the key.\n  return getClient().getSnapshot().status !== 'invalid';\n}\n\n/**\n * @deprecated Use `isLicenseValid()` instead. This alias is provided for backward compatibility.\n */\nexport const isEELicenseValid = isLicenseValid;\n\n/**\n * Check if a specific EE feature is enabled by the license entitlements.\n *\n * @param feature - Feature name to check (e.g. 'rbac', 'fga', 'sso')\n * @returns True if the feature is enabled\n */\nexport function isFeatureEnabled(feature: string): boolean {\n  if (!getLicenseKey()) {\n    return false;\n  }\n\n  return getClient().hasFeature(feature);\n}\n\n/**\n * Get the current license information.\n *\n * @returns License info or null if no license key is configured\n */\nexport function getLicenseInfo(): LicenseInfo | null {\n  if (!getLicenseKey()) {\n    return null;\n  }\n\n  return validateLicense();\n}\n\nexport function getSafeLicenseSummary(): SafeLicenseSummary {\n  const key = getLicenseKey();\n  const info = validateLicense(key);\n  const licenseHash = key ? hashTelemetryValue(key) : undefined;\n\n  return {\n    valid: info.valid,\n    isDevEnvironment: isDevEnvironment(),\n    licenseHash: licenseHash ? licenseHash.slice(0, 16) : undefined,\n    anonymousId: licenseHash ? `${licenseHash.slice(0, 16)}-anonymous` : undefined,\n    features: info.features,\n    tier: info.tier,\n  };\n}\n\nexport function warnIfDevEENeedsLicense(): void {\n  if (hasWarnedAboutDevLicense || !isDevEnvironment() || isLicenseValid()) {\n    return;\n  }\n\n  hasWarnedAboutDevLicense = true;\n  console.warn(\n    '[mastra/auth-ee] Mastra Enterprise features are enabled for local development, but no valid MASTRA_LICENSE_KEY is configured. These features will be disabled in production without a valid license. Contact us to get a production license: https://mastra.ai/contact',\n  );\n}\n\n/**\n * Clear the license cache (useful for testing).\n * Resets the shared client so the next check re-reads env vars.\n */\nexport function clearLicenseCache(): void {\n  validationStarted = false;\n  hasWarnedAboutDevLicense = false;\n  LicenseClient.resetInstance();\n}\n\n/**\n * Check if running in a development/testing environment.\n * In dev, EE features work without a license per the ee/LICENSE terms.\n */\nexport function isDevEnvironment(): boolean {\n  return (\n    process.env['MASTRA_DEV'] === 'true' ||\n    process.env['MASTRA_DEV'] === '1' ||\n    (process.env['NODE_ENV'] !== 'production' && process.env['NODE_ENV'] !== 'prod')\n  );\n}\n\n/**\n * Check if EE features should be active.\n * Returns true if running in dev/test environment (always allowed) or if a valid license is present.\n */\nexport function isEEEnabled(): boolean {\n  if (isDevEnvironment()) {\n    warnIfDevEENeedsLicense();\n    return true;\n  }\n  return isLicenseValid();\n}\n","/**\n * Capabilities detection and response building for EE authentication.\n */\n\nimport type { IUserProvider, ISSOProvider, ISessionProvider, ICredentialsProvider } from '..';\nimport type { MastraAuthProvider } from '../provider';\nimport type { IACLProvider } from './interfaces/acl';\nimport type { IFGAProvider } from './interfaces/fga';\nimport type { IRBACProvider } from './interfaces/rbac';\nimport type { EEUser } from './interfaces/user';\nimport {\n  isLicenseValid,\n  isDevEnvironment,\n  isFeatureEnabled,\n  getSafeLicenseSummary,\n  warnIfDevEENeedsLicense,\n} from './license';\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from './telemetry';\n\n/**\n * Public capabilities response (no authentication required).\n * Contains just enough info to render the login page.\n */\nexport interface PublicAuthCapabilities {\n  /** Whether auth is enabled */\n  enabled: boolean;\n  /** Login configuration (null if no auth or no SSO) */\n  login: {\n    /** Type of login available */\n    type: 'sso' | 'credentials' | 'both';\n    /** Whether sign-up is enabled (defaults to true) */\n    signUpEnabled?: boolean;\n    /** Optional description explaining the auth requirement and what credentials to use */\n    description?: string;\n    /** SSO configuration */\n    sso?: {\n      /** Provider name */\n      provider: string;\n      /** Button text */\n      text: string;\n      /** Icon URL */\n      icon?: string;\n      /** Description of the auth requirement */\n      description?: string;\n      /** Login URL */\n      url: string;\n    };\n  } | null;\n}\n\n/**\n * User info for authenticated response.\n */\nexport interface AuthenticatedUser {\n  /** User ID */\n  id: string;\n  /** User email */\n  email?: string;\n  /** Display name */\n  name?: string;\n  /** Avatar URL */\n  avatarUrl?: string;\n}\n\n/**\n * Capability flags indicating which EE features are available.\n */\nexport interface CapabilityFlags {\n  /** IUserProvider is implemented and licensed */\n  user: boolean;\n  /** ISessionProvider is implemented and licensed */\n  session: boolean;\n  /** ISSOProvider is implemented and licensed */\n  sso: boolean;\n  /** IRBACProvider is implemented and licensed */\n  rbac: boolean;\n  /** IACLProvider is implemented and licensed */\n  acl: boolean;\n  /** IFGAProvider is implemented and licensed */\n  fga: boolean;\n}\n\n/**\n * User's access (roles and permissions).\n */\nexport interface UserAccess {\n  /** User's roles */\n  roles: string[];\n  /** User's resolved permissions */\n  permissions: string[];\n}\n\n/**\n * Authenticated capabilities response.\n * Extends public capabilities with user context and feature flags.\n */\nexport interface AuthenticatedCapabilities extends PublicAuthCapabilities {\n  /** Current authenticated user */\n  user: AuthenticatedUser;\n  /** Available EE capabilities */\n  capabilities: CapabilityFlags;\n  /** User's access (if RBAC available) */\n  access: UserAccess | null;\n  /** Available roles in the system (only present for admin users) */\n  availableRoles?: { id: string; name: string }[];\n}\n\n/**\n * Type guard to check if response is authenticated.\n */\nexport function isAuthenticated(\n  caps: PublicAuthCapabilities | AuthenticatedCapabilities,\n): caps is AuthenticatedCapabilities {\n  return 'user' in caps && caps.user !== null;\n}\n\n/**\n * Check if an auth provider implements a specific interface.\n */\nfunction implementsInterface<T>(auth: unknown, method: keyof T): auth is T {\n  return auth !== null && typeof auth === 'object' && typeof (auth as any)[method] === 'function';\n}\n\n/**\n * Check if auth provider is MastraCloudAuth (exempt from license requirement).\n */\nfunction isMastraCloudAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  // Check for the MastraCloudAuth marker\n  return 'isMastraCloudAuth' in auth && (auth as { isMastraCloudAuth: boolean }).isMastraCloudAuth === true;\n}\n\n/**\n * Check if auth provider is SimpleAuth (exempt from license requirement).\n * SimpleAuth is for development/testing and should work without a license.\n */\nfunction isSimpleAuth(auth: unknown): boolean {\n  if (!auth || typeof auth !== 'object') return false;\n  return 'isSimpleAuth' in auth && (auth as { isSimpleAuth: boolean }).isSimpleAuth === true;\n}\n\n/**\n * Check if a set of permissions includes admin bypass (`*` or `*:*`).\n */\nfunction hasAdminBypassPermissions(permissions: string[]): boolean {\n  return permissions.some(p => p === '*' || p === '*:*');\n}\n\nfunction getRequestIp(request: Request): string | undefined {\n  const forwardedFor = request.headers.get('x-forwarded-for');\n  if (forwardedFor) {\n    return forwardedFor.split(',')[0]?.trim();\n  }\n\n  return request.headers.get('x-real-ip') ?? undefined;\n}\n\nfunction captureLicenseCheck({\n  request,\n  user,\n  hasLicense,\n  isDev,\n  isCloud,\n  isSimple,\n  capabilities,\n}: {\n  request: Request;\n  user?: EEUser | null;\n  hasLicense: boolean;\n  isDev: boolean;\n  isCloud: boolean;\n  isSimple: boolean;\n  capabilities?: CapabilityFlags;\n}): void {\n  const license = getSafeLicenseSummary();\n\n  try {\n    const ip = getRequestIp(request);\n    captureEEEvent('ee_license_check', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n      license_valid: hasLicense,\n      license_hash: license.licenseHash,\n      is_dev_environment: isDev,\n      is_cloud: isCloud,\n      is_simple_auth: isSimple,\n      capabilities,\n      user_id: user?.id,\n      $ip: ip,\n      license_features: license.features,\n      license_tier: license.tier,\n    });\n  } catch {\n    // Telemetry must never affect auth or EE feature behavior.\n  }\n}\n\n/**\n * Options for building capabilities.\n */\nexport interface BuildCapabilitiesOptions {\n  /**\n   * RBAC provider for role-based access control (EE feature).\n   * Separate from the auth provider to allow mixing different providers.\n   *\n   * @example\n   * ```typescript\n   * const rbac = new StaticRBACProvider({\n   *   roles: DEFAULT_ROLES,\n   *   getUserRoles: (user) => [user.role],\n   * });\n   *\n   * buildCapabilities(auth, request, { rbac });\n   * ```\n   */\n  rbac?: IRBACProvider<EEUser>;\n\n  /**\n   * FGA provider for fine-grained authorization (EE feature).\n   * Separate from the auth provider to allow mixing different providers.\n   */\n  fga?: IFGAProvider<EEUser>;\n\n  /**\n   * API route prefix used to construct SSO login URLs.\n   * Defaults to `/api` when not provided.\n   *\n   * @example `/mastra` results in SSO URL `/mastra/auth/sso/login`\n   */\n  apiPrefix?: string;\n}\n\n/**\n * Build capabilities response based on auth configuration and request state.\n *\n * This function determines what capabilities are available and, if the user\n * is authenticated, includes their user info and access permissions.\n *\n * @param auth - Auth provider (or null if no auth configured)\n * @param request - Incoming HTTP request\n * @param options - Optional configuration (roleMapping, etc.)\n * @returns Capabilities response (public or authenticated)\n */\nexport async function buildCapabilities(\n  auth: MastraAuthProvider | null,\n  request: Request,\n  options?: BuildCapabilitiesOptions,\n): Promise<PublicAuthCapabilities | AuthenticatedCapabilities> {\n  // No auth configured - disabled\n  if (!auth) {\n    return { enabled: false, login: null };\n  }\n\n  // Determine if EE features are available\n  // SimpleAuth, MastraCloudAuth, and dev environments are exempt from license requirement\n  const hasLicense = isLicenseValid();\n  const isCloud = isMastraCloudAuth(auth);\n  const isSimple = isSimpleAuth(auth);\n  const isDev = isDevEnvironment();\n  if (isDev && !hasLicense) {\n    warnIfDevEENeedsLicense();\n  }\n  const isLicensedOrCloud = hasLicense || isCloud || isSimple || isDev;\n\n  // Per-feature license gating: rbac/acl/fga additionally require the license\n  // entitlement (e.g. enterprise tier). Cloud, SimpleAuth and dev are exempt.\n  const isFeatureLicensed = (feature: string) =>\n    isCloud || isSimple || isDev || (hasLicense && isFeatureEnabled(feature));\n\n  // Build login configuration (always public)\n  let login: PublicAuthCapabilities['login'] = null;\n\n  const hasSSO = implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud;\n  const hasCredentials = implementsInterface<ICredentialsProvider>(auth, 'signIn') && isLicensedOrCloud;\n\n  // Build SSO login URL using the configured prefix (default: /api)\n  const raw = (options?.apiPrefix || '/api').trim();\n  const withSlash = raw.startsWith('/') ? raw : `/${raw}`;\n  const prefix = withSlash.endsWith('/') ? withSlash.slice(0, -1) : withSlash;\n  const ssoLoginUrl = `${prefix}/auth/sso/login`;\n\n  // Check if sign-up is enabled (defaults to true)\n  let signUpEnabled = true;\n  if (implementsInterface<ICredentialsProvider>(auth, 'signIn')) {\n    const credentialsProvider = auth as ICredentialsProvider;\n    if (typeof credentialsProvider.isSignUpEnabled === 'function') {\n      signUpEnabled = credentialsProvider.isSignUpEnabled();\n    }\n  }\n\n  if (hasSSO && hasCredentials) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'both',\n      signUpEnabled,\n      description: ssoConfig.description,\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasSSO) {\n    const ssoConfig = (auth as ISSOProvider).getLoginButtonConfig();\n    login = {\n      type: 'sso',\n      description: ssoConfig.description,\n      sso: {\n        ...ssoConfig,\n        url: ssoLoginUrl,\n      },\n    };\n  } else if (hasCredentials) {\n    // Credentials-only auth (e.g., Better Auth with email/password)\n    login = {\n      type: 'credentials',\n      signUpEnabled,\n    };\n  }\n\n  // Try to get current user (requires session)\n  let user: EEUser | null = null;\n  if (implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud) {\n    try {\n      user = await auth.getCurrentUser(request);\n    } catch {\n      // Session invalid or expired\n      user = null;\n    }\n  }\n\n  // If no user, return public response only\n  if (!user) {\n    captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple });\n    return { enabled: true, login };\n  }\n\n  // Get RBAC provider from options (if configured)\n  const rbacProvider = options?.rbac;\n  const hasRBAC = !!rbacProvider && isFeatureLicensed('rbac');\n\n  // Get FGA provider from options (if configured)\n  const hasFGA = !!options?.fga && isFeatureLicensed('fga');\n\n  // Build capability flags\n  const capabilities: CapabilityFlags = {\n    user: implementsInterface<IUserProvider>(auth, 'getCurrentUser') && isLicensedOrCloud,\n    session: implementsInterface<ISessionProvider>(auth, 'createSession') && isLicensedOrCloud,\n    sso: implementsInterface<ISSOProvider>(auth, 'getLoginUrl') && isLicensedOrCloud,\n    rbac: hasRBAC,\n    acl: implementsInterface<IACLProvider>(auth, 'canAccess') && isFeatureLicensed('acl'),\n    fga: hasFGA,\n  };\n\n  // Get roles/permissions from RBAC provider (if available)\n  let access: UserAccess | null = null;\n  if (hasRBAC && rbacProvider) {\n    try {\n      const roles = await rbacProvider.getRoles(user);\n      const permissions = await rbacProvider.getPermissions(user);\n      access = { roles, permissions };\n      const license = getSafeLicenseSummary();\n      try {\n        const ip = getRequestIp(request);\n        captureEEEvent('ee_feature_used', user.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n          feature: 'rbac',\n          user_id: user.id,\n          organization_membership_id: user.metadata?.['organizationMembershipId'],\n          role_count: roles.length,\n          permission_count: permissions.length,\n          $ip: ip,\n          license_valid: license.valid,\n          license_hash: license.licenseHash,\n          is_dev_environment: license.isDevEnvironment,\n        });\n      } catch {\n        // Telemetry must never affect auth or EE feature behavior.\n      }\n    } catch {\n      // RBAC failed, continue without access info\n      access = null;\n    }\n  }\n\n  // Expose available roles for admin users (for \"View as role\" feature).\n  // Exclude roles with admin-bypass permissions since previewing as admin\n  // is the same as the current experience.\n  let availableRoles: { id: string; name: string }[] | undefined;\n  if (access && rbacProvider?.getAvailableRoles) {\n    if (hasAdminBypassPermissions(access.permissions)) {\n      try {\n        const allRoles = await rbacProvider.getAvailableRoles();\n        const getPermissionsForRole = rbacProvider.getPermissionsForRole?.bind(rbacProvider);\n        if (getPermissionsForRole) {\n          // Use allSettled so one failing role lookup doesn't drop the whole picker.\n          const rolePermissions = await Promise.allSettled(\n            allRoles.map(async role => ({\n              role,\n              perms: await getPermissionsForRole(role.id),\n            })),\n          );\n          availableRoles = rolePermissions.flatMap(result => {\n            if (result.status !== 'fulfilled') {\n              console.warn('[auth/ee] failed to list permissions for role:', result.reason);\n              return [];\n            }\n            return hasAdminBypassPermissions(result.value.perms) ? [] : [result.value.role];\n          });\n        } else {\n          availableRoles = allRoles;\n        }\n      } catch (error) {\n        // Degrade gracefully: omit availableRoles so the \"View as role\" feature\n        // simply doesn't show options. Log so operators can diagnose RBAC issues.\n        console.warn('[auth/ee] failed to list available roles for admin user:', error);\n      }\n    }\n  }\n\n  captureLicenseCheck({ request, user, hasLicense, isDev, isCloud, isSimple, capabilities });\n\n  return {\n    enabled: true,\n    login,\n    user: {\n      id: user.id,\n      email: user.email,\n      name: user.name,\n      avatarUrl: user.avatarUrl,\n    },\n    capabilities,\n    access,\n    availableRoles,\n  };\n}\n","/**\n * AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY\n *\n * This file is generated by packages/server/scripts/generate-permissions.ts\n * Run `pnpm generate:permissions` from packages/server to regenerate.\n *\n * Source of truth: SERVER_ROUTES in @mastra/server\n */\n\n/**\n * All known API resources.\n * Derived from SERVER_ROUTES paths in @mastra/server.\n */\nexport const RESOURCES = [\n  'a2a',\n  'agent-builder',\n  'agent-controller',\n  'agents',\n  'auth',\n  'background-tasks',\n  'channels',\n  'datasets',\n  'embedders',\n  'experiments',\n  'infrastructure',\n  'logs',\n  'mcp',\n  'memory',\n  'observability',\n  'processor-providers',\n  'processors',\n  'schedules',\n  'scores',\n  'stored-agents',\n  'stored-mcp-clients',\n  'stored-prompt-blocks',\n  'stored-scorers',\n  'stored-skills',\n  'stored-workspaces',\n  'system',\n  'tool-providers',\n  'tools',\n  'vector',\n  'vectors',\n  'workflows',\n  'workspaces',\n] as const;\n\n/**\n * Resource type union.\n */\nexport type Resource = (typeof RESOURCES)[number];\n\n/**\n * All permission actions.\n * Derived from HTTP methods and route overrides:\n * - GET → read\n * - POST → write or execute (context-dependent)\n * - PUT/PATCH → write\n * - DELETE → delete\n * - Additional actions from explicit requiresPermission overrides\n */\nexport const ACTIONS = ['create', 'delete', 'execute', 'publish', 'read', 'share', 'write'] as const;\n\n/**\n * Action type union.\n */\nexport type Action = (typeof ACTIONS)[number];\n\n/**\n * All valid permission patterns.\n * Use `keyof typeof PERMISSION_PATTERNS` or the `PermissionPattern` type.\n */\nexport const PERMISSION_PATTERNS = {\n  /** Full access to all resources and actions */\n  '*': '*',\n  /** Create all resources */\n  '*:create': '*:create',\n  /** Delete all resources */\n  '*:delete': '*:delete',\n  /** Execute all resources */\n  '*:execute': '*:execute',\n  /** Publish, activate, or restore all resources */\n  '*:publish': '*:publish',\n  /** View all resources */\n  '*:read': '*:read',\n  /** Change visibility/audience all resources */\n  '*:share': '*:share',\n  /** Create and modify all resources */\n  '*:write': '*:write',\n  /** Full access to agent-to-agent communication */\n  'a2a:*': 'a2a:*',\n  /** Full access to agent builder */\n  'agent-builder:*': 'agent-builder:*',\n  /** Full access to agent controller sessions */\n  'agent-controller:*': 'agent-controller:*',\n  /** Full access to agents */\n  'agents:*': 'agents:*',\n  /** Full access to auth */\n  'auth:*': 'auth:*',\n  /** Full access to background tasks */\n  'background-tasks:*': 'background-tasks:*',\n  /** Full access to channels */\n  'channels:*': 'channels:*',\n  /** Full access to datasets */\n  'datasets:*': 'datasets:*',\n  /** Full access to embedders */\n  'embedders:*': 'embedders:*',\n  /** Full access to experiments */\n  'experiments:*': 'experiments:*',\n  /** Full access to infrastructure */\n  'infrastructure:*': 'infrastructure:*',\n  /** Full access to logs */\n  'logs:*': 'logs:*',\n  /** Full access to MCP servers */\n  'mcp:*': 'mcp:*',\n  /** Full access to memory and threads */\n  'memory:*': 'memory:*',\n  /** Full access to traces and spans */\n  'observability:*': 'observability:*',\n  /** Full access to processor-providers */\n  'processor-providers:*': 'processor-providers:*',\n  /** Full access to processors */\n  'processors:*': 'processors:*',\n  /** Full access to schedules */\n  'schedules:*': 'schedules:*',\n  /** Full access to evaluation scores */\n  'scores:*': 'scores:*',\n  /** Full access to stored agents */\n  'stored-agents:*': 'stored-agents:*',\n  /** Full access to stored MCP clients */\n  'stored-mcp-clients:*': 'stored-mcp-clients:*',\n  /** Full access to stored prompt blocks */\n  'stored-prompt-blocks:*': 'stored-prompt-blocks:*',\n  /** Full access to stored scorers */\n  'stored-scorers:*': 'stored-scorers:*',\n  /** Full access to stored skills */\n  'stored-skills:*': 'stored-skills:*',\n  /** Full access to stored workspaces */\n  'stored-workspaces:*': 'stored-workspaces:*',\n  /** Full access to system info */\n  'system:*': 'system:*',\n  /** Full access to tool-providers */\n  'tool-providers:*': 'tool-providers:*',\n  /** Full access to tools */\n  'tools:*': 'tools:*',\n  /** Full access to vector stores */\n  'vector:*': 'vector:*',\n  /** Full access to vectors */\n  'vectors:*': 'vectors:*',\n  /** Full access to workflows */\n  'workflows:*': 'workflows:*',\n  /** Full access to workspaces */\n  'workspaces:*': 'workspaces:*',\n  /** View agent-to-agent communication */\n  'a2a:read': 'a2a:read',\n  /** Create and modify agent-to-agent communication */\n  'a2a:write': 'a2a:write',\n  /** Execute agent builder */\n  'agent-builder:execute': 'agent-builder:execute',\n  /** View agent builder */\n  'agent-builder:read': 'agent-builder:read',\n  /** Create and modify agent builder */\n  'agent-builder:write': 'agent-builder:write',\n  /** Execute agent controller sessions */\n  'agent-controller:execute': 'agent-controller:execute',\n  /** View agent controller sessions */\n  'agent-controller:read': 'agent-controller:read',\n  /** Create agents */\n  'agents:create': 'agents:create',\n  /** Delete agents */\n  'agents:delete': 'agents:delete',\n  /** Execute agents */\n  'agents:execute': 'agents:execute',\n  /** View agents */\n  'agents:read': 'agents:read',\n  /** Create and modify agents */\n  'agents:write': 'agents:write',\n  /** View auth */\n  'auth:read': 'auth:read',\n  /** View background tasks */\n  'background-tasks:read': 'background-tasks:read',\n  /** View channels */\n  'channels:read': 'channels:read',\n  /** Create and modify channels */\n  'channels:write': 'channels:write',\n  /** Delete datasets */\n  'datasets:delete': 'datasets:delete',\n  /** Execute datasets */\n  'datasets:execute': 'datasets:execute',\n  /** View datasets */\n  'datasets:read': 'datasets:read',\n  /** Create and modify datasets */\n  'datasets:write': 'datasets:write',\n  /** View embedders */\n  'embedders:read': 'embedders:read',\n  /** View experiments */\n  'experiments:read': 'experiments:read',\n  /** View infrastructure */\n  'infrastructure:read': 'infrastructure:read',\n  /** View logs */\n  'logs:read': 'logs:read',\n  /** Execute MCP servers */\n  'mcp:execute': 'mcp:execute',\n  /** View MCP servers */\n  'mcp:read': 'mcp:read',\n  /** Create and modify MCP servers */\n  'mcp:write': 'mcp:write',\n  /** Delete memory and threads */\n  'memory:delete': 'memory:delete',\n  /** Execute memory and threads */\n  'memory:execute': 'memory:execute',\n  /** View memory and threads */\n  'memory:read': 'memory:read',\n  /** Create and modify memory and threads */\n  'memory:write': 'memory:write',\n  /** View traces and spans */\n  'observability:read': 'observability:read',\n  /** Create and modify traces and spans */\n  'observability:write': 'observability:write',\n  /** View processor-providers */\n  'processor-providers:read': 'processor-providers:read',\n  /** Execute processors */\n  'processors:execute': 'processors:execute',\n  /** View processors */\n  'processors:read': 'processors:read',\n  /** Delete schedules */\n  'schedules:delete': 'schedules:delete',\n  /** Execute schedules */\n  'schedules:execute': 'schedules:execute',\n  /** View schedules */\n  'schedules:read': 'schedules:read',\n  /** Create and modify schedules */\n  'schedules:write': 'schedules:write',\n  /** View evaluation scores */\n  'scores:read': 'scores:read',\n  /** Create and modify evaluation scores */\n  'scores:write': 'scores:write',\n  /** Delete stored agents */\n  'stored-agents:delete': 'stored-agents:delete',\n  /** Publish, activate, or restore stored agents */\n  'stored-agents:publish': 'stored-agents:publish',\n  /** View stored agents */\n  'stored-agents:read': 'stored-agents:read',\n  /** Create and modify stored agents */\n  'stored-agents:write': 'stored-agents:write',\n  /** Delete stored MCP clients */\n  'stored-mcp-clients:delete': 'stored-mcp-clients:delete',\n  /** Publish, activate, or restore stored MCP clients */\n  'stored-mcp-clients:publish': 'stored-mcp-clients:publish',\n  /** View stored MCP clients */\n  'stored-mcp-clients:read': 'stored-mcp-clients:read',\n  /** Create and modify stored MCP clients */\n  'stored-mcp-clients:write': 'stored-mcp-clients:write',\n  /** Delete stored prompt blocks */\n  'stored-prompt-blocks:delete': 'stored-prompt-blocks:delete',\n  /** Publish, activate, or restore stored prompt blocks */\n  'stored-prompt-blocks:publish': 'stored-prompt-blocks:publish',\n  /** View stored prompt blocks */\n  'stored-prompt-blocks:read': 'stored-prompt-blocks:read',\n  /** Create and modify stored prompt blocks */\n  'stored-prompt-blocks:write': 'stored-prompt-blocks:write',\n  /** Delete stored scorers */\n  'stored-scorers:delete': 'stored-scorers:delete',\n  /** Publish, activate, or restore stored scorers */\n  'stored-scorers:publish': 'stored-scorers:publish',\n  /** View stored scorers */\n  'stored-scorers:read': 'stored-scorers:read',\n  /** Create and modify stored scorers */\n  'stored-scorers:write': 'stored-scorers:write',\n  /** Delete stored skills */\n  'stored-skills:delete': 'stored-skills:delete',\n  /** Publish, activate, or restore stored skills */\n  'stored-skills:publish': 'stored-skills:publish',\n  /** View stored skills */\n  'stored-skills:read': 'stored-skills:read',\n  /** Create and modify stored skills */\n  'stored-skills:write': 'stored-skills:write',\n  /** Delete stored workspaces */\n  'stored-workspaces:delete': 'stored-workspaces:delete',\n  /** View stored workspaces */\n  'stored-workspaces:read': 'stored-workspaces:read',\n  /** Create and modify stored workspaces */\n  'stored-workspaces:write': 'stored-workspaces:write',\n  /** View system info */\n  'system:read': 'system:read',\n  /** Delete tool-providers */\n  'tool-providers:delete': 'tool-providers:delete',\n  /** View tool-providers */\n  'tool-providers:read': 'tool-providers:read',\n  /** Create and modify tool-providers */\n  'tool-providers:write': 'tool-providers:write',\n  /** Execute tools */\n  'tools:execute': 'tools:execute',\n  /** View tools */\n  'tools:read': 'tools:read',\n  /** Delete vector stores */\n  'vector:delete': 'vector:delete',\n  /** Execute vector stores */\n  'vector:execute': 'vector:execute',\n  /** View vector stores */\n  'vector:read': 'vector:read',\n  /** Create and modify vector stores */\n  'vector:write': 'vector:write',\n  /** View vectors */\n  'vectors:read': 'vectors:read',\n  /** Delete workflows */\n  'workflows:delete': 'workflows:delete',\n  /** Execute workflows */\n  'workflows:execute': 'workflows:execute',\n  /** View workflows */\n  'workflows:read': 'workflows:read',\n  /** Create and modify workflows */\n  'workflows:write': 'workflows:write',\n  /** Delete workspaces */\n  'workspaces:delete': 'workspaces:delete',\n  /** View workspaces */\n  'workspaces:read': 'workspaces:read',\n  /** Create and modify workspaces */\n  'workspaces:write': 'workspaces:write',\n  /** Full access to all stored resource families */\n  'stored:*': 'stored:*',\n  /** View all stored resource families */\n  'stored:read': 'stored:read',\n  /** Create and modify all stored resource families */\n  'stored:write': 'stored:write',\n  /** Delete all stored resource families */\n  'stored:delete': 'stored:delete',\n  /** Change visibility/audience stored agents */\n  'stored-agents:share': 'stored-agents:share',\n  /** Change visibility/audience stored skills */\n  'stored-skills:share': 'stored-skills:share',\n} as const;\n\n/**\n * Permission pattern that can be used in role definitions.\n * Supports:\n * - Specific permissions: 'agents:read', 'workflows:execute'\n * - Resource wildcards: 'agents:*', 'workflows:*' (all actions on a resource)\n * - Action wildcards: '*:read', '*:write' (an action across all resources)\n * - Global wildcard: '*' (full access)\n */\nexport type PermissionPattern = keyof typeof PERMISSION_PATTERNS;\n\n/**\n * All valid resource:action permission combinations (excludes wildcards).\n */\nexport const PERMISSIONS = [\n  'a2a:read',\n  'a2a:write',\n  'agent-builder:execute',\n  'agent-builder:read',\n  'agent-builder:write',\n  'agent-controller:execute',\n  'agent-controller:read',\n  'agents:create',\n  'agents:delete',\n  'agents:execute',\n  'agents:read',\n  'agents:write',\n  'auth:read',\n  'background-tasks:read',\n  'channels:read',\n  'channels:write',\n  'datasets:delete',\n  'datasets:execute',\n  'datasets:read',\n  'datasets:write',\n  'embedders:read',\n  'experiments:read',\n  'infrastructure:read',\n  'logs:read',\n  'mcp:execute',\n  'mcp:read',\n  'mcp:write',\n  'memory:delete',\n  'memory:execute',\n  'memory:read',\n  'memory:write',\n  'observability:read',\n  'observability:write',\n  'processor-providers:read',\n  'processors:execute',\n  'processors:read',\n  'schedules:delete',\n  'schedules:execute',\n  'schedules:read',\n  'schedules:write',\n  'scores:read',\n  'scores:write',\n  'stored-agents:delete',\n  'stored-agents:publish',\n  'stored-agents:read',\n  'stored-agents:write',\n  'stored-mcp-clients:delete',\n  'stored-mcp-clients:publish',\n  'stored-mcp-clients:read',\n  'stored-mcp-clients:write',\n  'stored-prompt-blocks:delete',\n  'stored-prompt-blocks:publish',\n  'stored-prompt-blocks:read',\n  'stored-prompt-blocks:write',\n  'stored-scorers:delete',\n  'stored-scorers:publish',\n  'stored-scorers:read',\n  'stored-scorers:write',\n  'stored-skills:delete',\n  'stored-skills:publish',\n  'stored-skills:read',\n  'stored-skills:write',\n  'stored-workspaces:delete',\n  'stored-workspaces:read',\n  'stored-workspaces:write',\n  'system:read',\n  'tool-providers:delete',\n  'tool-providers:read',\n  'tool-providers:write',\n  'tools:execute',\n  'tools:read',\n  'vector:delete',\n  'vector:execute',\n  'vector:read',\n  'vector:write',\n  'vectors:read',\n  'workflows:delete',\n  'workflows:execute',\n  'workflows:read',\n  'workflows:write',\n  'workspaces:delete',\n  'workspaces:read',\n  'workspaces:write',\n] as const;\n\n/**\n * Specific permission type (e.g., 'agents:read', 'workflows:execute').\n */\nexport type Permission = (typeof PERMISSIONS)[number];\n\n/**\n * Type-safe constants for Mastra-owned FGA permissions.\n *\n * These values are generated from server routes and can be used wherever\n * Mastra checks or maps FGA permissions.\n */\nexport const MastraFGAPermissions = {\n  /** View agent-to-agent communication */\n  A2A_READ: 'a2a:read',\n  /** Create and modify agent-to-agent communication */\n  A2A_WRITE: 'a2a:write',\n  /** Execute agent builder */\n  AGENT_BUILDER_EXECUTE: 'agent-builder:execute',\n  /** View agent builder */\n  AGENT_BUILDER_READ: 'agent-builder:read',\n  /** Create and modify agent builder */\n  AGENT_BUILDER_WRITE: 'agent-builder:write',\n  /** Execute agent controller sessions */\n  AGENT_CONTROLLER_EXECUTE: 'agent-controller:execute',\n  /** View agent controller sessions */\n  AGENT_CONTROLLER_READ: 'agent-controller:read',\n  /** Create agents */\n  AGENTS_CREATE: 'agents:create',\n  /** Delete agents */\n  AGENTS_DELETE: 'agents:delete',\n  /** Execute agents */\n  AGENTS_EXECUTE: 'agents:execute',\n  /** View agents */\n  AGENTS_READ: 'agents:read',\n  /** Create and modify agents */\n  AGENTS_WRITE: 'agents:write',\n  /** View auth */\n  AUTH_READ: 'auth:read',\n  /** View background tasks */\n  BACKGROUND_TASKS_READ: 'background-tasks:read',\n  /** View channels */\n  CHANNELS_READ: 'channels:read',\n  /** Create and modify channels */\n  CHANNELS_WRITE: 'channels:write',\n  /** Delete datasets */\n  DATASETS_DELETE: 'datasets:delete',\n  /** Execute datasets */\n  DATASETS_EXECUTE: 'datasets:execute',\n  /** View datasets */\n  DATASETS_READ: 'datasets:read',\n  /** Create and modify datasets */\n  DATASETS_WRITE: 'datasets:write',\n  /** View embedders */\n  EMBEDDERS_READ: 'embedders:read',\n  /** View experiments */\n  EXPERIMENTS_READ: 'experiments:read',\n  /** View infrastructure */\n  INFRASTRUCTURE_READ: 'infrastructure:read',\n  /** View logs */\n  LOGS_READ: 'logs:read',\n  /** Execute MCP servers */\n  MCP_EXECUTE: 'mcp:execute',\n  /** View MCP servers */\n  MCP_READ: 'mcp:read',\n  /** Create and modify MCP servers */\n  MCP_WRITE: 'mcp:write',\n  /** Delete memory and threads */\n  MEMORY_DELETE: 'memory:delete',\n  /** Execute memory and threads */\n  MEMORY_EXECUTE: 'memory:execute',\n  /** View memory and threads */\n  MEMORY_READ: 'memory:read',\n  /** Create and modify memory and threads */\n  MEMORY_WRITE: 'memory:write',\n  /** View traces and spans */\n  OBSERVABILITY_READ: 'observability:read',\n  /** Create and modify traces and spans */\n  OBSERVABILITY_WRITE: 'observability:write',\n  /** View processor-providers */\n  PROCESSOR_PROVIDERS_READ: 'processor-providers:read',\n  /** Execute processors */\n  PROCESSORS_EXECUTE: 'processors:execute',\n  /** View processors */\n  PROCESSORS_READ: 'processors:read',\n  /** Delete schedules */\n  SCHEDULES_DELETE: 'schedules:delete',\n  /** Execute schedules */\n  SCHEDULES_EXECUTE: 'schedules:execute',\n  /** View schedules */\n  SCHEDULES_READ: 'schedules:read',\n  /** Create and modify schedules */\n  SCHEDULES_WRITE: 'schedules:write',\n  /** View evaluation scores */\n  SCORES_READ: 'scores:read',\n  /** Create and modify evaluation scores */\n  SCORES_WRITE: 'scores:write',\n  /** Delete stored agents */\n  STORED_AGENTS_DELETE: 'stored-agents:delete',\n  /** Publish, activate, or restore stored agents */\n  STORED_AGENTS_PUBLISH: 'stored-agents:publish',\n  /** View stored agents */\n  STORED_AGENTS_READ: 'stored-agents:read',\n  /** Create and modify stored agents */\n  STORED_AGENTS_WRITE: 'stored-agents:write',\n  /** Delete stored MCP clients */\n  STORED_MCP_CLIENTS_DELETE: 'stored-mcp-clients:delete',\n  /** Publish, activate, or restore stored MCP clients */\n  STORED_MCP_CLIENTS_PUBLISH: 'stored-mcp-clients:publish',\n  /** View stored MCP clients */\n  STORED_MCP_CLIENTS_READ: 'stored-mcp-clients:read',\n  /** Create and modify stored MCP clients */\n  STORED_MCP_CLIENTS_WRITE: 'stored-mcp-clients:write',\n  /** Delete stored prompt blocks */\n  STORED_PROMPT_BLOCKS_DELETE: 'stored-prompt-blocks:delete',\n  /** Publish, activate, or restore stored prompt blocks */\n  STORED_PROMPT_BLOCKS_PUBLISH: 'stored-prompt-blocks:publish',\n  /** View stored prompt blocks */\n  STORED_PROMPT_BLOCKS_READ: 'stored-prompt-blocks:read',\n  /** Create and modify stored prompt blocks */\n  STORED_PROMPT_BLOCKS_WRITE: 'stored-prompt-blocks:write',\n  /** Delete stored scorers */\n  STORED_SCORERS_DELETE: 'stored-scorers:delete',\n  /** Publish, activate, or restore stored scorers */\n  STORED_SCORERS_PUBLISH: 'stored-scorers:publish',\n  /** View stored scorers */\n  STORED_SCORERS_READ: 'stored-scorers:read',\n  /** Create and modify stored scorers */\n  STORED_SCORERS_WRITE: 'stored-scorers:write',\n  /** Delete stored skills */\n  STORED_SKILLS_DELETE: 'stored-skills:delete',\n  /** Publish, activate, or restore stored skills */\n  STORED_SKILLS_PUBLISH: 'stored-skills:publish',\n  /** View stored skills */\n  STORED_SKILLS_READ: 'stored-skills:read',\n  /** Create and modify stored skills */\n  STORED_SKILLS_WRITE: 'stored-skills:write',\n  /** Delete stored workspaces */\n  STORED_WORKSPACES_DELETE: 'stored-workspaces:delete',\n  /** View stored workspaces */\n  STORED_WORKSPACES_READ: 'stored-workspaces:read',\n  /** Create and modify stored workspaces */\n  STORED_WORKSPACES_WRITE: 'stored-workspaces:write',\n  /** View system info */\n  SYSTEM_READ: 'system:read',\n  /** Delete tool-providers */\n  TOOL_PROVIDERS_DELETE: 'tool-providers:delete',\n  /** View tool-providers */\n  TOOL_PROVIDERS_READ: 'tool-providers:read',\n  /** Create and modify tool-providers */\n  TOOL_PROVIDERS_WRITE: 'tool-providers:write',\n  /** Execute tools */\n  TOOLS_EXECUTE: 'tools:execute',\n  /** View tools */\n  TOOLS_READ: 'tools:read',\n  /** Delete vector stores */\n  VECTOR_DELETE: 'vector:delete',\n  /** Execute vector stores */\n  VECTOR_EXECUTE: 'vector:execute',\n  /** View vector stores */\n  VECTOR_READ: 'vector:read',\n  /** Create and modify vector stores */\n  VECTOR_WRITE: 'vector:write',\n  /** View vectors */\n  VECTORS_READ: 'vectors:read',\n  /** Delete workflows */\n  WORKFLOWS_DELETE: 'workflows:delete',\n  /** Execute workflows */\n  WORKFLOWS_EXECUTE: 'workflows:execute',\n  /** View workflows */\n  WORKFLOWS_READ: 'workflows:read',\n  /** Create and modify workflows */\n  WORKFLOWS_WRITE: 'workflows:write',\n  /** Delete workspaces */\n  WORKSPACES_DELETE: 'workspaces:delete',\n  /** View workspaces */\n  WORKSPACES_READ: 'workspaces:read',\n  /** Create and modify workspaces */\n  WORKSPACES_WRITE: 'workspaces:write',\n} as const satisfies Record<string, Permission>;\n\n/**\n * Mastra-owned FGA permission values.\n */\nexport type MastraFGAPermission = (typeof MastraFGAPermissions)[keyof typeof MastraFGAPermissions];\n\n/**\n * FGA permission input accepted by public config and provider APIs.\n * Keeps autocomplete for Mastra-owned permissions while allowing custom provider strings.\n */\nexport type MastraFGAPermissionInput = MastraFGAPermission | (string & {});\n\n/**\n * Type-safe role mapping configuration.\n *\n * Maps role names (from your identity provider) to Mastra permission patterns.\n *\n * @example\n * ```typescript\n * const roleMapping: TypedRoleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\", \"workflows:read\"],\n *   \"Admin\": [\"*\"],\n *   \"_default\": [],\n * };\n * ```\n */\nexport type TypedRoleMapping = {\n  [role: string]: PermissionPattern[];\n};\n\n/**\n * Validates that a string is a valid permission pattern.\n * Useful for runtime validation of permission strings.\n */\nexport function isValidPermissionPattern(pattern: string): pattern is PermissionPattern {\n  return pattern in PERMISSION_PATTERNS;\n}\n\n/**\n * Validates that all permissions in an array are valid patterns.\n */\nexport function validatePermissions(permissions: string[]): permissions is PermissionPattern[] {\n  return permissions.every(isValidPermissionPattern);\n}\n","/**\n * FGA enforcement utility for checking fine-grained authorization.\n *\n * @license Mastra Enterprise License - see ee/LICENSE\n */\n\nimport type { FGACheckContext, IFGAProvider } from './interfaces/fga';\nimport type { MastraFGAPermissionInput } from './interfaces/permissions.generated';\nimport { getSafeLicenseSummary } from './license';\nimport { captureEEEvent, getEETelemetryFallbackDistinctId } from './telemetry';\n\nexport type ActorSignal =\n  | true\n  | {\n      actorKind: 'system';\n      sourceWorkflow?: string;\n    };\n\nexport interface CheckFGAOptions {\n  fgaProvider: IFGAProvider | undefined;\n  user: any;\n  resource: { type: string; id: string };\n  permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n  context?: FGACheckContext;\n  requestContext?: FGACheckContext['requestContext'];\n  actor?: ActorSignal;\n}\n\nexport interface RequireFGAOptions extends CheckFGAOptions {\n  metadata?: Record<string, unknown>;\n}\n\nfunction mergeFGAContext({\n  context,\n  requestContext,\n  metadata,\n}: Pick<RequireFGAOptions, 'context' | 'requestContext' | 'metadata'>): FGACheckContext | undefined {\n  const mergedContext: FGACheckContext = {\n    ...context,\n  };\n\n  if (requestContext) {\n    mergedContext.requestContext = requestContext;\n  }\n\n  if (metadata || context?.metadata) {\n    mergedContext.metadata = {\n      ...(context?.metadata ?? {}),\n      ...(metadata ?? {}),\n    };\n  }\n\n  return Object.keys(mergedContext).length > 0 ? mergedContext : undefined;\n}\n\nfunction isActorSignal(actor: unknown): actor is ActorSignal {\n  if (actor === true) {\n    return true;\n  }\n\n  if (typeof actor !== 'object' || actor === null) {\n    return false;\n  }\n\n  const candidate = actor as { actorKind?: unknown; sourceWorkflow?: unknown };\n  return (\n    candidate.actorKind === 'system' &&\n    (candidate.sourceWorkflow === undefined || typeof candidate.sourceWorkflow === 'string')\n  );\n}\n\nexport function getAgentFGAResourceId(agentId: string): string {\n  return agentId;\n}\n\nexport function getWorkflowFGAResourceId(workflowId: string): string {\n  return workflowId;\n}\n\nexport function getStandaloneToolFGAResourceId(toolName: string): string {\n  return toolName;\n}\n\nexport function getAgentToolFGAResourceId(agentId: string, toolName: string): string {\n  return `${agentId}:${toolName}`;\n}\n\nexport function getMCPToolFGAResourceId(serverName: string, toolName: string): string {\n  return JSON.stringify([serverName, toolName]);\n}\n\n/**\n * Check fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured (backward compatibility).\n * Delegates to fgaProvider.require() which throws FGADeniedError if denied.\n */\nexport async function checkFGA(options: CheckFGAOptions): Promise<void> {\n  await requireFGA(options);\n}\n\n/**\n * Require fine-grained authorization for a resource.\n *\n * No-op if no FGA provider is configured. When FGA is configured, a missing\n * user fails closed.\n */\nexport async function requireFGA(options: RequireFGAOptions): Promise<void> {\n  const { fgaProvider, user, resource, permission, context, requestContext, metadata, actor } = options;\n\n  if (!fgaProvider) {\n    return;\n  }\n\n  const fgaContext = mergeFGAContext({ context, requestContext, metadata });\n  const license = getSafeLicenseSummary();\n\n  if (isActorSignal(actor)) {\n    const tenantOrganizationId = fgaContext?.requestContext?.get('organizationId');\n    if (typeof tenantOrganizationId !== 'string' || tenantOrganizationId.length === 0) {\n      throw new FGADeniedError(user, resource, permission, 'trusted actor requires organizationId / tenant scope');\n    }\n\n    const sourceWorkflow =\n      (actor === true ? undefined : actor.sourceWorkflow) ??\n      (typeof fgaContext?.metadata?.['sourceWorkflow'] === 'string'\n        ? fgaContext.metadata['sourceWorkflow']\n        : undefined);\n\n    try {\n      captureEEEvent('ee_feature_used', license.anonymousId || getEETelemetryFallbackDistinctId(), {\n        feature: 'fga',\n        actor_kind: 'system',\n        resource_type: resource.type,\n        resource_id: resource.id,\n        permission,\n        user_id: null,\n        organization_membership_id: null,\n        source_workflow: sourceWorkflow,\n        license_valid: license.valid,\n        license_hash: license.licenseHash,\n        is_dev_environment: license.isDevEnvironment,\n      });\n    } catch {\n      // Telemetry must never affect auth or EE feature behavior.\n    }\n    return;\n  }\n\n  if (!user) {\n    throw new FGADeniedError(user, resource, permission, 'authenticated user is required');\n  }\n\n  await fgaProvider.require(\n    user,\n    fgaContext ? { resource, permission, context: fgaContext } : { resource, permission },\n  );\n\n  try {\n    captureEEEvent('ee_feature_used', user?.id || license.anonymousId || getEETelemetryFallbackDistinctId(), {\n      feature: 'fga',\n      actor_kind: 'user',\n      resource_type: resource.type,\n      resource_id: resource.id,\n      permission,\n      user_id: user?.id ?? null,\n      organization_membership_id: user?.organizationMembershipId ?? null,\n      license_valid: license.valid,\n      license_hash: license.licenseHash,\n      is_dev_environment: license.isDevEnvironment,\n    });\n  } catch {\n    // Telemetry must never affect auth or EE feature behavior.\n  }\n}\n\n/**\n * Error thrown when an FGA authorization check is denied.\n */\nexport class FGADeniedError extends Error {\n  public readonly user: any;\n  public readonly resource: { type: string; id: string };\n  public readonly permission: MastraFGAPermissionInput | MastraFGAPermissionInput[];\n  public readonly status: number;\n\n  constructor(\n    user: any,\n    resource: { type: string; id: string },\n    permission: MastraFGAPermissionInput | MastraFGAPermissionInput[],\n    reason?: string,\n  ) {\n    const userId = user?.id || user?.workosId || 'unknown';\n    const permissionLabel = Array.isArray(permission) ? `any of [${permission.join(', ')}]` : permission;\n    super(\n      reason\n        ? `FGA authorization denied: ${reason}`\n        : `FGA authorization denied: user ${userId} cannot ${permissionLabel} on ${resource.type}:${resource.id}`,\n    );\n    this.name = 'FGADeniedError';\n    this.user = user;\n    this.resource = resource;\n    this.permission = permission;\n    this.status = 403;\n  }\n}\n","/**\n * Default roles and permissions for Mastra Studio.\n */\n\nimport type { RoleDefinition, RoleMapping } from '../interfaces';\n\n// Re-export RoleMapping for backward compatibility\nexport type { RoleMapping };\n\n/**\n * Default role definitions for Studio.\n *\n * These roles provide a sensible starting point for most applications:\n * - **owner**: Full access to everything\n * - **admin**: Manage agents, workflows, and users\n * - **member**: Execute agents and workflows, read-only settings\n * - **viewer**: Read-only access\n *\n * Permission patterns:\n * - `*` - Full access to everything\n * - `resource:*` - All actions on a specific resource\n * - `*:action` - An action across all resources (e.g., `*:read` for read-only)\n */\nexport const DEFAULT_ROLES: RoleDefinition[] = [\n  {\n    id: 'owner',\n    name: 'Owner',\n    description: 'Full access to all features and settings',\n    permissions: ['*'],\n  },\n  {\n    id: 'admin',\n    name: 'Admin',\n    description: 'Manage agents, workflows, and team members',\n    permissions: [\n      '*:read',\n      '*:write',\n      '*:execute',\n      '*:publish',\n      '*:share',\n      // Note: admins cannot delete resources\n    ],\n  },\n  {\n    id: 'member',\n    name: 'Member',\n    description: 'Execute agents and workflows',\n    permissions: ['*:read', '*:execute'],\n  },\n  {\n    id: 'viewer',\n    name: 'Viewer',\n    description: 'Read-only access',\n    permissions: ['*:read'],\n  },\n];\n\n// Re-export Permission types from generated file\nexport type { Permission, PermissionPattern } from '../interfaces/permissions.generated';\n\n/**\n * Get role by ID from default roles.\n *\n * @param roleId - Role ID to find\n * @returns Role definition or undefined\n */\nexport function getDefaultRole(roleId: string): RoleDefinition | undefined {\n  return DEFAULT_ROLES.find(role => role.id === roleId);\n}\n\n/**\n * Resolve all permissions for a set of role IDs.\n *\n * Handles role inheritance and deduplication.\n *\n * @param roleIds - Role IDs to resolve\n * @param roles - Role definitions (defaults to DEFAULT_ROLES)\n * @returns Array of resolved permissions\n */\nexport function resolvePermissions(roleIds: string[], roles: RoleDefinition[] = DEFAULT_ROLES): string[] {\n  const permissions = new Set<string>();\n  const visited = new Set<string>();\n\n  function resolveRole(roleId: string) {\n    if (visited.has(roleId)) return;\n    visited.add(roleId);\n\n    const role = roles.find(r => r.id === roleId);\n    if (!role) return;\n\n    for (const permission of role.permissions) {\n      permissions.add(permission);\n    }\n\n    // Resolve inherited roles\n    if (role.inherits) {\n      for (const inheritedRoleId of role.inherits) {\n        resolveRole(inheritedRoleId);\n      }\n    }\n  }\n\n  for (const roleId of roleIds) {\n    resolveRole(roleId);\n  }\n\n  return Array.from(permissions);\n}\n\n/**\n * Compound resource keys that expand to a set of per-family resources.\n * A granted `stored:<action>` is treated as matching any `stored-<family>:<action>`\n * (and `stored:*` matches any `stored-<family>:*`).\n */\nconst RESOURCE_EXPANSIONS: Record<string, readonly string[]> = {\n  stored: [\n    'stored-agents',\n    'stored-mcp-clients',\n    'stored-prompt-blocks',\n    'stored-scorers',\n    'stored-skills',\n    'stored-workspaces',\n  ],\n};\n\n/**\n * Check if a permission matches (including wildcard support).\n *\n * Permission format: `{resource}:{action}[:{resource-id}]`\n *\n * Examples:\n * - `*` matches everything\n * - `agents:*` matches `agents:read`, `agents:read:my-agent`\n * - `*:read` matches `agents:read`, `workflows:read` (action across all resources)\n * - `agents:read` matches `agents:read`, `agents:read:my-agent`\n * - `agents:read:my-agent` matches only `agents:read:my-agent`\n * - `agents:*:my-agent` matches `agents:read:my-agent`, `agents:write:my-agent`\n *\n * @param userPermission - Permission the user has\n * @param requiredPermission - Permission being checked\n * @returns True if permission matches\n */\nexport function matchesPermission(userPermission: string, requiredPermission: string): boolean {\n  // Wildcard matches everything\n  if (userPermission === '*') {\n    return true;\n  }\n\n  const grantedParts = userPermission.split(':');\n  const requiredParts = requiredPermission.split(':');\n\n  // Compound resource alias: expand granted `stored:<action>` into its per-family equivalents.\n  // Only applies when the required permission targets one of the expanded families.\n  const expandedFamilies = RESOURCE_EXPANSIONS[grantedParts[0] ?? ''];\n  if (expandedFamilies && expandedFamilies.includes(requiredParts[0] ?? '')) {\n    const aliased = [requiredParts[0], ...grantedParts.slice(1)].join(':');\n    return matchesPermission(aliased, requiredPermission);\n  }\n\n  // Must have at least resource:action\n  if (grantedParts.length < 2 || requiredParts.length < 2) {\n    return userPermission === requiredPermission;\n  }\n\n  const [grantedResource, grantedAction, grantedId] = grantedParts;\n  const [requiredResource, requiredAction, requiredId] = requiredParts;\n\n  // Resource wildcard: \"*:*\" matches everything, \"*:read\" matches any resource with that action\n  if (grantedResource === '*') {\n    // \"*:*\" is a full wildcard - matches everything\n    if (grantedAction === '*') {\n      if (grantedId === undefined) {\n        return true;\n      }\n      return grantedId === requiredId;\n    }\n    // Action must match for resource wildcards with specific action\n    if (grantedAction !== requiredAction) {\n      return false;\n    }\n    // If no granted ID, matches all instances\n    if (grantedId === undefined) {\n      return true;\n    }\n    // *:read:my-id would match agents:read:my-id (unusual but consistent)\n    return grantedId === requiredId;\n  }\n\n  // Resource must match (for non-wildcard resources)\n  if (grantedResource !== requiredResource) {\n    return false;\n  }\n\n  // Action wildcard: \"agents:*\" matches any action\n  if (grantedAction === '*') {\n    // If no granted ID, matches all resources\n    // If granted ID specified (agents:*:my-agent), must match required ID\n    if (grantedId === undefined) {\n      return true;\n    }\n    // agents:*:my-agent matches agents:read:my-agent but not agents:read:other\n    return grantedId === requiredId;\n  }\n\n  // Action must match\n  if (grantedAction !== requiredAction) {\n    return false;\n  }\n\n  // No resource ID in granted permission = access to all resources of this type\n  // \"agents:read\" matches \"agents:read\" and \"agents:read:specific-id\"\n  if (grantedId === undefined) {\n    return true;\n  }\n\n  // Both have resource IDs - must match exactly\n  return grantedId === requiredId;\n}\n\n/**\n * Check if a user has a specific permission.\n *\n * @param userPermissions - Permissions the user has\n * @param requiredPermission - Permission being checked\n * @returns True if user has the permission\n */\nexport function hasPermission(userPermissions: string[], requiredPermission: string): boolean {\n  return userPermissions.some(p => matchesPermission(p, requiredPermission));\n}\n\n/**\n * Resolve permissions from user roles using a role mapping.\n *\n * This function translates provider-defined roles (from WorkOS, Okta, etc.)\n * to Mastra permissions using a configurable mapping.\n *\n * @example\n * ```typescript\n * const roleMapping = {\n *   \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *   \"Product\": [\"agents:read\"],\n *   \"_default\": [],\n * };\n *\n * // User has \"Engineering\" and \"QA\" roles\n * const permissions = resolvePermissionsFromMapping(\n *   [\"Engineering\", \"QA\"],\n *   roleMapping\n * );\n * // Result: [\"agents:*\", \"workflows:*\"] (QA is unmapped, gets _default)\n * ```\n *\n * @param roles - User's roles from the identity provider\n * @param mapping - Role to permission mapping\n * @returns Array of resolved permissions\n */\nexport function resolvePermissionsFromMapping(roles: string[], mapping: RoleMapping): string[] {\n  const permissions = new Set<string>();\n  const defaultPerms = mapping['_default'] ?? [];\n\n  for (const role of roles) {\n    const rolePerms = mapping[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    } else {\n      // Apply default permissions for unmapped roles\n      for (const perm of defaultPerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n","/**\n * Static RBAC provider with config-based roles.\n */\n\nimport type { RoleDefinition, RoleMapping, IRBACProvider } from '../../interfaces';\nimport { resolvePermissions, matchesPermission, resolvePermissionsFromMapping } from '../roles';\n\n/**\n * Options for StaticRBACProvider.\n *\n * Use ONE of the following approaches:\n * - `roles`: Define role structures with permissions (Mastra's native role system)\n * - `roleMapping`: Map provider roles directly to permissions (simpler for external providers)\n */\nexport type StaticRBACProviderOptions<TUser = unknown> =\n  | {\n      /** Role definitions (Mastra's native role system) */\n      roles: RoleDefinition[];\n      /** Function to get user's role IDs */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roleMapping?: never;\n    }\n  | {\n      /**\n       * Role mapping for translating provider roles to permissions.\n       * Use this when your identity provider has roles that need to be\n       * mapped to Mastra permissions.\n       */\n      roleMapping: RoleMapping;\n      /** Function to get user's role IDs from the provider */\n      getUserRoles: (user: TUser) => string[] | Promise<string[]>;\n      roles?: never;\n    };\n\n/**\n * Static RBAC provider.\n *\n * Supports two modes:\n * 1. **Role definitions**: Use Mastra's native role system with structured roles\n * 2. **Role mapping**: Directly map provider roles to permissions\n *\n * @example Using role definitions (Mastra's native system)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: (user) => [user.role],\n * });\n * ```\n *\n * @example Using role mapping (for external providers)\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roleMapping: {\n *     \"Engineering\": [\"agents:*\", \"workflows:*\"],\n *     \"Product\": [\"agents:read\", \"workflows:read\"],\n *     \"_default\": [],\n *   },\n *   getUserRoles: (user) => user.providerRoles,\n * });\n * ```\n *\n * @example Async role lookup\n * ```typescript\n * const rbac = new StaticRBACProvider({\n *   roles: DEFAULT_ROLES,\n *   getUserRoles: async (user) => {\n *     return db.getUserRoles(user.id);\n *   },\n * });\n * ```\n */\nexport class StaticRBACProvider<TUser = unknown> implements IRBACProvider<TUser> {\n  private roles?: RoleDefinition[];\n  private _roleMapping?: RoleMapping;\n  private getUserRolesFn: (user: TUser) => string[] | Promise<string[]>;\n  private permissionCache = new Map<string, string[]>();\n\n  /** Expose roleMapping for middleware access */\n  get roleMapping(): RoleMapping | undefined {\n    return this._roleMapping;\n  }\n\n  constructor(options: StaticRBACProviderOptions<TUser>) {\n    if ('roles' in options && options.roles) {\n      this.roles = options.roles;\n    }\n    if ('roleMapping' in options && options.roleMapping) {\n      this._roleMapping = options.roleMapping;\n    }\n    this.getUserRolesFn = options.getUserRoles;\n  }\n\n  async getRoles(user: TUser): Promise<string[]> {\n    const roleIds = await this.getUserRolesFn(user);\n    return roleIds;\n  }\n\n  async hasRole(user: TUser, role: string): Promise<boolean> {\n    const roles = await this.getRoles(user);\n    return roles.includes(role);\n  }\n\n  async getPermissions(user: TUser): Promise<string[]> {\n    const roleIds = await this.getRoles(user);\n\n    // Check cache\n    const cacheKey = roleIds.sort().join(',');\n    const cached = this.permissionCache.get(cacheKey);\n    if (cached) return cached;\n\n    // Resolve permissions based on mode\n    let permissions: string[];\n    if (this._roleMapping) {\n      // Role mapping mode: translate provider roles to permissions\n      permissions = resolvePermissionsFromMapping(roleIds, this._roleMapping);\n    } else if (this.roles) {\n      // Role definitions mode: use Mastra's native role system\n      permissions = resolvePermissions(roleIds, this.roles);\n    } else {\n      // No roles or mapping configured\n      permissions = [];\n    }\n\n    // Cache result\n    this.permissionCache.set(cacheKey, permissions);\n\n    return permissions;\n  }\n\n  async hasPermission(user: TUser, permission: string): Promise<boolean> {\n    const permissions = await this.getPermissions(user);\n    return permissions.some(p => matchesPermission(p, permission));\n  }\n\n  async hasAllPermissions(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  async hasAnyPermission(user: TUser, permissions: string[]): Promise<boolean> {\n    const userPermissions = await this.getPermissions(user);\n    return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n  }\n\n  /**\n   * Clear the permission cache.\n   */\n  clearCache(): void {\n    this.permissionCache.clear();\n  }\n\n  /**\n   * Get all role definitions.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinitions(): RoleDefinition[] {\n    return this.roles ?? [];\n  }\n\n  /**\n   * Get a specific role definition.\n   * Only available when using role definitions mode (not role mapping).\n   */\n  getRoleDefinition(roleId: string): RoleDefinition | undefined {\n    return this.roles?.find(r => r.id === roleId);\n  }\n\n  /**\n   * Get all available roles in the system.\n   */\n  async getAvailableRoles(): Promise<{ id: string; name: string }[]> {\n    if (this.roles) {\n      return this.roles.map(r => ({ id: r.id, name: r.name }));\n    }\n    if (this._roleMapping) {\n      return Object.keys(this._roleMapping)\n        .filter(k => k !== '_default')\n        .map(k => ({ id: k, name: k }));\n    }\n    return [];\n  }\n\n  /**\n   * Get the resolved permissions for a specific role.\n   */\n  async getPermissionsForRole(roleId: string): Promise<string[]> {\n    if (this._roleMapping) {\n      return resolvePermissionsFromMapping([roleId], this._roleMapping);\n    }\n    if (this.roles) {\n      return resolvePermissions([roleId], this.roles);\n    }\n    return [];\n  }\n}\n"]}