@pymthouse/builder-sdk 0.0.8 → 0.1.0

package/dist/index.js

@@ -1,6 +1,29 @@
 import { discoveryRequest, processDiscoveryResponse, genericTokenEndpointRequest, processGenericTokenEndpointResponse, clientCredentialsGrantRequest, processClientCredentialsResponse, customFetch, allowInsecureRequests, ResponseBodyError, OperationProcessingError } from 'oauth4webapi';
+import { createHash } from 'crypto';
 
 // src/usage.ts
+function parseSafeBigInt(value, fallback = 0n) {
+  try {
+    return BigInt(value);
+  } catch {
+    return fallback;
+  }
+}
+function getUtcCalendarMonthIsoBounds(now = /* @__PURE__ */ new Date()) {
+  const y = now.getUTCFullYear();
+  const m = now.getUTCMonth();
+  const start = new Date(Date.UTC(y, m, 1, 0, 0, 0, 0));
+  const end = new Date(Date.UTC(y, m + 1, 0, 23, 59, 59, 999));
+  return { startDate: start.toISOString(), endDate: end.toISOString() };
+}
+function parseUsageDateParam(raw) {
+  if (raw == null) return null;
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  const t = Date.parse(trimmed);
+  if (Number.isNaN(t)) return null;
+  return trimmed;
+}
 function aggregateUsageByExternalUserId(byUser, externalUserId) {
   const rows = byUser?.filter((row) => row.externalUserId === externalUserId) ?? [];
   if (rows.length === 0) {
@@ -13,7 +36,9 @@ function aggregateUsageByExternalUserId(byUser, externalUserId) {
   let feeWei = 0n;
   let requestCount = 0;
   for (const row of rows) {
-    feeWei += BigInt(row.feeWei);
+    if (row.feeWei) {
+      feeWei += BigInt(row.feeWei);
+    }
     requestCount += row.requestCount;
   }
   return {
@@ -33,6 +58,107 @@ function listUsageByPipelineModel(usage) {
     return a.modelId.localeCompare(b.modelId);
   });
 }
+function getEndUserIdsForExternalUser(usage, externalUserId) {
+  const userIds = /* @__PURE__ */ new Set();
+  for (const row of usage.byUser ?? []) {
+    if (row.externalUserId === externalUserId && row.endUserId !== "unknown") {
+      userIds.add(row.endUserId);
+    }
+  }
+  return [...userIds];
+}
+var getUsageRecordUserIdsForExternalUser = getEndUserIdsForExternalUser;
+function summarizeUsageFiatForExternalUser(usageByUser, externalUserId) {
+  const rows = usageByUser.byUser ?? [];
+  let requestCount = 0;
+  let networkFeeUsdMicros = 0n;
+  let ownerChargeUsdMicros = 0n;
+  let endUserBillableUsdMicros = 0n;
+  let currency = "USD";
+  for (const row of rows) {
+    if (row.externalUserId !== externalUserId) continue;
+    requestCount += row.requestCount;
+    if (row.currency) currency = row.currency;
+    if (row.networkFeeUsdMicros) {
+      networkFeeUsdMicros += BigInt(row.networkFeeUsdMicros);
+    }
+    if (row.ownerChargeUsdMicros) {
+      ownerChargeUsdMicros += BigInt(row.ownerChargeUsdMicros);
+    }
+    if (row.endUserBillableUsdMicros) {
+      endUserBillableUsdMicros += BigInt(row.endUserBillableUsdMicros);
+    }
+  }
+  return {
+    externalUserId,
+    requestCount,
+    currency,
+    networkFeeUsdMicros: networkFeeUsdMicros.toString(),
+    ownerChargeUsdMicros: ownerChargeUsdMicros.toString(),
+    endUserBillableUsdMicros: endUserBillableUsdMicros.toString()
+  };
+}
+function mergeUsageByPipelineModel(usagePipelineModels) {
+  let responses;
+  if (Array.isArray(usagePipelineModels)) {
+    responses = usagePipelineModels;
+  } else if (usagePipelineModels) {
+    responses = [usagePipelineModels];
+  } else {
+    responses = [];
+  }
+  const byKey = /* @__PURE__ */ new Map();
+  for (const response of responses) {
+    for (const row of response.byPipelineModel ?? []) {
+      const { pipeline, modelId } = row;
+      if (!pipeline || !modelId) continue;
+      const key = JSON.stringify([pipeline, modelId]);
+      const existing = byKey.get(key);
+      const rowCurrency = row.currency ?? "USD";
+      if (!existing) {
+        byKey.set(key, {
+          pipeline,
+          modelId,
+          requestCount: row.requestCount,
+          currency: rowCurrency,
+          networkFeeUsdMicros: row.networkFeeUsdMicros,
+          ownerChargeUsdMicros: row.ownerChargeUsdMicros,
+          endUserBillableUsdMicros: row.endUserBillableUsdMicros
+        });
+        continue;
+      }
+      byKey.set(key, {
+        ...existing,
+        requestCount: existing.requestCount + row.requestCount,
+        networkFeeUsdMicros: (parseSafeBigInt(existing.networkFeeUsdMicros) + parseSafeBigInt(row.networkFeeUsdMicros)).toString(),
+        ownerChargeUsdMicros: (parseSafeBigInt(existing.ownerChargeUsdMicros) + parseSafeBigInt(row.ownerChargeUsdMicros)).toString(),
+        endUserBillableUsdMicros: (parseSafeBigInt(existing.endUserBillableUsdMicros) + parseSafeBigInt(row.endUserBillableUsdMicros)).toString()
+      });
+    }
+  }
+  return [...byKey.values()].sort((a, b) => {
+    if (a.pipeline === b.pipeline) return a.modelId.localeCompare(b.modelId);
+    return a.pipeline.localeCompare(b.pipeline);
+  });
+}
+function buildMeScopeUsagePayload(usageByUser, externalUserId, usagePipelineModel) {
+  const summary = summarizeUsageFiatForExternalUser(usageByUser, externalUserId);
+  const pipelineModels = mergeUsageByPipelineModel(usagePipelineModel);
+  return {
+    clientId: usageByUser.clientId,
+    period: usageByUser.period,
+    currentUser: {
+      externalUserId: summary.externalUserId,
+      requestCount: summary.requestCount,
+      currency: summary.currency,
+      networkFeeUsdMicros: summary.networkFeeUsdMicros,
+      ownerChargeUsdMicros: summary.ownerChargeUsdMicros,
+      endUserBillableUsdMicros: summary.endUserBillableUsdMicros,
+      pipelineModels
+    }
+  };
+}
+var DEFAULT_MAX_END_USER_IDS = 25;
 
 // src/encoding.ts
 function encodeClientSecretBasic(clientId, clientSecret) {
@@ -179,6 +305,103 @@ function mapDiscoveryNetworkError(error) {
     code: "oidc_discovery_failed"
   });
 }
+function parseAppManifestResponse(json) {
+  if (!json || typeof json !== "object" || Array.isArray(json)) {
+    return { capabilities: [], excludedCapabilities: [] };
+  }
+  const record = json;
+  const capabilities = parseCapabilityArray(record.capabilities);
+  const excludedCapabilities = parseCapabilityArray(record.excludedCapabilities);
+  const manifestVersion = typeof record.manifestVersion === "string" && record.manifestVersion.trim() ? record.manifestVersion.trim() : void 0;
+  return { capabilities, excludedCapabilities, manifestVersion };
+}
+function parseCapabilityArray(raw) {
+  if (!Array.isArray(raw)) return [];
+  return raw.filter(
+    (c) => !!c && typeof c === "object" && typeof c.pipeline === "string" && typeof c.modelId === "string"
+  );
+}
+function sortedCaps(caps) {
+  return [...caps].sort((a, b) => {
+    const p = a.pipeline.localeCompare(b.pipeline);
+    return p === 0 ? a.modelId.localeCompare(b.modelId) : p;
+  });
+}
+function computeManifestRevision(data) {
+  if (data == null) {
+    return "unavailable";
+  }
+  if (data.manifestVersion?.trim()) {
+    return data.manifestVersion.trim();
+  }
+  const caps = sortedCaps(data.capabilities ?? []);
+  const excl = sortedCaps(data.excludedCapabilities ?? []);
+  if (caps.length === 0 && excl.length === 0) {
+    return "empty";
+  }
+  return createHash("sha256").update(JSON.stringify({ capabilities: caps, excludedCapabilities: excl })).digest("hex").slice(0, 24);
+}
+
+// src/tokens.ts
+var SIGNER_SESSION_TTL_MS = 90 * 24 * 60 * 60 * 1e3;
+var SIGNER_SESSION_EXPIRES_IN_SEC = Math.floor(SIGNER_SESSION_TTL_MS / 1e3);
+var SIGN_JOB_SCOPE = "sign:job";
+var PYMTHOUSE_SIGNER_SESSION_TTL_MS = SIGNER_SESSION_TTL_MS;
+function computeSignerSessionExpiry(input) {
+  const createdAt = input instanceof Date ? input : new Date(input);
+  return new Date(createdAt.getTime() + SIGNER_SESSION_TTL_MS);
+}
+var computePymthouseExpiry = computeSignerSessionExpiry;
+function isLikelyOidcJwt(rawToken) {
+  const t = rawToken.trim();
+  return t.startsWith("eyJ") && t.split(".").length >= 3;
+}
+function isOpaqueSignerSessionToken(rawToken) {
+  const t = rawToken.trim();
+  return t.length > 0 && !isLikelyOidcJwt(t);
+}
+function base64UrlPayloadToUtf8(payloadB64) {
+  const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
+  const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, "=");
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(padded, "base64").toString("utf8");
+  }
+  return atob(padded);
+}
+function decodeJwtExp(rawToken) {
+  try {
+    const parts = rawToken.split(".");
+    if (parts.length < 2) return null;
+    const payloadJson = base64UrlPayloadToUtf8(parts[1]);
+    const payload = JSON.parse(payloadJson);
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return null;
+    const expMs = Math.floor(payload.exp * 1e3);
+    if (expMs <= 0) return null;
+    return new Date(expMs);
+  } catch {
+    return null;
+  }
+}
+function parseSignerSessionExchange(res) {
+  const accessToken = typeof res.access_token === "string" ? res.access_token.trim() : "";
+  if (!accessToken) {
+    throw new Error("PymtHouse signer session exchange returned no access_token");
+  }
+  if (isLikelyOidcJwt(accessToken)) {
+    throw new Error(
+      "PymtHouse signer session exchange returned a JWT; expected opaque signer session token"
+    );
+  }
+  const tokenType = typeof res.token_type === "string" && res.token_type.trim() ? res.token_type.trim() : "Bearer";
+  const expiresIn = typeof res.expires_in === "number" && Number.isFinite(res.expires_in) && res.expires_in > 0 ? Math.floor(res.expires_in) : SIGNER_SESSION_EXPIRES_IN_SEC;
+  const scope = typeof res.scope === "string" && res.scope.trim() ? res.scope.trim() : SIGN_JOB_SCOPE;
+  return {
+    accessToken,
+    tokenType,
+    expiresIn,
+    scope
+  };
+}
 var ACCEPTED_ISSUED_TOKEN_TYPES = /* @__PURE__ */ new Set([
   "urn:ietf:params:oauth:token-type:access_token",
   "urn:pmth:token-type:remote-signer-session"
@@ -534,6 +757,126 @@ var PmtHouseClient = class {
       cache: "no-store"
     });
   }
+  /**
+   * Session-scoped usage for one `externalUserId`: user rollup plus merged pipeline/model breakdown.
+   */
+  async fetchUsageForExternalUser(input) {
+    const usageByUser = await this.getUsage({
+      startDate: input.startDate,
+      endDate: input.endDate,
+      groupBy: "user"
+    });
+    const userIds = getEndUserIdsForExternalUser(usageByUser, input.externalUserId);
+    const cap = input.maxEndUserIds ?? DEFAULT_MAX_END_USER_IDS;
+    const cappedUserIds = userIds.slice(0, cap);
+    const usagePipelineModels = await Promise.all(
+      cappedUserIds.map(
+        (userId) => this.getUsage({
+          startDate: input.startDate,
+          endDate: input.endDate,
+          groupBy: "pipeline_model",
+          userId
+        })
+      )
+    );
+    return buildMeScopeUsagePayload(usageByUser, input.externalUserId, usagePipelineModels);
+  }
+  async getAppManifest(opts) {
+    const url = `${this.getAppsBaseUrl()}/manifest`;
+    const headers = {
+      ...this.builderHeadersRecord()
+    };
+    if (opts?.ifNoneMatch) {
+      headers["If-None-Match"] = opts.ifNoneMatch;
+    }
+    this.logger?.debug?.("PmtHouse request", { method: "GET", url });
+    const response = await this.fetchImpl(url, {
+      method: "GET",
+      headers,
+      signal: opts?.signal,
+      cache: "no-store"
+    });
+    const etag = response.headers.get("etag")?.trim() ?? null;
+    if (response.status === 304) {
+      return {
+        manifest: null,
+        etag: etag ?? opts?.ifNoneMatch ?? null,
+        notModified: true
+      };
+    }
+    const raw = await response.text();
+    const ct = response.headers.get("content-type") ?? "";
+    const looksJson = ct.includes("application/json") || ct.includes("json");
+    const parsed = raw && looksJson ? this.safeParseJson(raw) : null;
+    if (!response.ok) {
+      const details = parsed ?? {};
+      let description;
+      if (typeof details.error_description === "string") {
+        description = details.error_description;
+      } else if (typeof details.error === "string") {
+        description = details.error;
+      } else {
+        description = `Request failed (${response.status})`;
+      }
+      throw new PmtHouseError(description, {
+        status: response.status,
+        code: typeof details.error === "string" ? details.error : "pymthouse_http_error",
+        details
+      });
+    }
+    if (!looksJson || parsed === null) {
+      throw new PmtHouseError("Expected JSON response from Builder manifest endpoint", {
+        status: 502,
+        code: "invalid_response",
+        details: { contentType: ct, preview: raw.slice(0, 200) }
+      });
+    }
+    return {
+      manifest: parseAppManifestResponse(parsed),
+      etag,
+      notModified: false
+    };
+  }
+  /**
+   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   */
+  async mintSignerSessionForExternalUser(input) {
+    await this.upsertAppUser({
+      externalUserId: input.externalUserId,
+      email: input.email,
+      status: "active"
+    });
+    const exchange = await this.mintUserSignerSessionToken({
+      externalUserId: input.externalUserId,
+      scope: input.scope ?? SIGN_JOB_SCOPE,
+      resource: this.issuerUrl
+    });
+    return parseSignerSessionExchange(exchange);
+  }
+  /**
+   * Approve a pending RFC 8628 device code for an external user (Option B).
+   */
+  async approveDeviceLogin(input) {
+    if (input.publicClientId && input.publicClientId !== this.publicClientId) {
+      throw new PmtHouseError(
+        "publicClientId does not match configured public client id",
+        { status: 400, code: "invalid_client" }
+      );
+    }
+    await this.upsertAppUser({
+      externalUserId: input.externalUserId,
+      email: input.email,
+      status: "active"
+    });
+    const userToken = await this.mintUserAccessToken({
+      externalUserId: input.externalUserId,
+      scope: SIGN_JOB_SCOPE
+    });
+    await this.completeDeviceApproval({
+      userJwt: userToken.access_token,
+      userCode: input.userCode
+    });
+  }
   tokenEndpointFetchOptions() {
     const o = {
       [customFetch]: this.fetchImpl
@@ -550,6 +893,9 @@ var PmtHouseClient = class {
     return new URL(this.issuerUrl).origin;
   }
   builderHeaders() {
+    return this.builderHeadersRecord();
+  }
+  builderHeadersRecord() {
     return {
       Authorization: encodeClientSecretBasic(this.m2mClientId, this.m2mClientSecret),
       "Content-Type": "application/json",
@@ -573,7 +919,14 @@ var PmtHouseClient = class {
     const parsed = raw && looksJson ? this.safeParseJson(raw) : raw ? null : null;
     if (!response.ok) {
       const details = parsed ?? {};
-      const description = typeof details.error_description === "string" ? details.error_description : typeof details.error === "string" ? details.error : `Request failed (${response.status})`;
+      let description;
+      if (typeof details.error_description === "string") {
+        description = details.error_description;
+      } else if (typeof details.error === "string") {
+        description = details.error;
+      } else {
+        description = `Request failed (${response.status})`;
+      }
       throw new PmtHouseError(description, {
         status: response.status,
         code: typeof details.error === "string" ? details.error : "pymthouse_http_error",
@@ -616,55 +969,52 @@ var PmtHouseClient = class {
   }
 };
 
-// src/env.ts
-function assertEnvModuleServerOnly() {
-  if (typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined") {
-    throw new Error(
-      "@pymthouse/builder-sdk/env is server-only: do not import createPmtHouseClientFromEnv or getPymthouseBaseUrl in client-side code. Use a Route Handler, Server Action, or other server/runtime; keep M2M credentials out of the browser bundle."
-    );
+// src/config.ts
+var PYMTHOUSE_NOT_CONFIGURED_MESSAGE = "PymtHouse is not configured. Set PYMTHOUSE_ISSUER_URL, PYMTHOUSE_PUBLIC_CLIENT_ID, PYMTHOUSE_M2M_CLIENT_ID, and PYMTHOUSE_M2M_CLIENT_SECRET, then restart.";
+function trimEnv(name) {
+  const value = process.env[name];
+  if (!value) return null;
+  const trimmed = value.trim();
+  return trimmed || null;
+}
+function readPymthouseEnv() {
+  const issuerUrl = trimEnv("PYMTHOUSE_ISSUER_URL");
+  const publicClientId = trimEnv("PYMTHOUSE_PUBLIC_CLIENT_ID");
+  const m2mClientId = trimEnv("PYMTHOUSE_M2M_CLIENT_ID");
+  const m2mClientSecret = trimEnv("PYMTHOUSE_M2M_CLIENT_SECRET");
+  if (!issuerUrl || !publicClientId || !m2mClientId || !m2mClientSecret) {
+    return null;
   }
+  return {
+    issuerUrl: stripTrailingSlashes(issuerUrl),
+    publicClientId,
+    m2mClientId,
+    m2mClientSecret
+  };
 }
-assertEnvModuleServerOnly();
-var cachedClient = null;
-function requiredEnv(name) {
-  const value = process.env[name];
-  if (value && value.trim()) {
-    return value.trim();
+function getPymthouseIssuerUrlFromEnv() {
+  const raw = trimEnv("PYMTHOUSE_ISSUER_URL");
+  if (!raw) return null;
+  try {
+    return stripTrailingSlashes(new URL(raw).href);
+  } catch {
+    return null;
   }
-  throw new PmtHouseError(`Missing required environment variable: ${name}`, {
-    status: 500,
-    code: "missing_env"
-  });
 }
-function getPymthouseBaseUrl() {
-  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
-  return new URL(stripTrailingSlashes(issuerUrl)).origin;
-}
-function createPmtHouseClientFromEnv() {
-  if (cachedClient) {
-    return cachedClient;
-  }
-  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
-  cachedClient = new PmtHouseClient({
-    issuerUrl,
-    publicClientId: requiredEnv("PYMTHOUSE_PUBLIC_CLIENT_ID"),
-    m2mClientId: requiredEnv("PYMTHOUSE_M2M_CLIENT_ID"),
-    m2mClientSecret: requiredEnv("PYMTHOUSE_M2M_CLIENT_SECRET"),
-    allowInsecureHttp: issuerUrl.startsWith("http:"),
-    logger: {
-      debug: (message, details) => {
-        if (process.env.NODE_ENV !== "production") {
-          console.debug(`[pymthouse] ${message}`, details ?? {});
-        }
-      },
-      warn: (message, details) => {
-        console.warn(`[pymthouse] ${message}`, details ?? {});
-      }
-    }
-  });
-  return cachedClient;
+function getPymthousePublicClientIdFromEnv() {
+  return trimEnv("PYMTHOUSE_PUBLIC_CLIENT_ID");
+}
+function isPymthouseConfigured() {
+  return readPymthouseEnv() !== null;
+}
+function getBuilderApiV1BaseFromIssuerUrl(issuerUrl) {
+  const noTrail = stripTrailingSlashes(issuerUrl.trim());
+  return noTrail.replace(/\/oidc\/?$/i, "");
+}
+function getPymthouseIssuerOrigin(issuerUrl) {
+  return new URL(stripTrailingSlashes(issuerUrl.trim())).origin;
 }
 
-export { PmtHouseClient, PmtHouseError, aggregateUsageByExternalUserId, authorizationServerToOidcDocument, buildDeviceCodeResource, clearDiscoveryCache, createPmtHouseClientFromEnv, fetchDiscoveryDocument, getPymthouseBaseUrl, listUsageByPipelineModel, loadAuthorizationServer, normalizeUserCode, summarizeUsageForExternalUser, toPmtHouseError };
+export { DEFAULT_MAX_END_USER_IDS, PYMTHOUSE_NOT_CONFIGURED_MESSAGE, PYMTHOUSE_SIGNER_SESSION_TTL_MS, PmtHouseClient, PmtHouseError, SIGNER_SESSION_EXPIRES_IN_SEC, SIGNER_SESSION_TTL_MS, SIGN_JOB_SCOPE, aggregateUsageByExternalUserId, authorizationServerToOidcDocument, buildDeviceCodeResource, buildMeScopeUsagePayload, clearDiscoveryCache, computeManifestRevision, computePymthouseExpiry, computeSignerSessionExpiry, decodeJwtExp, fetchDiscoveryDocument, getBuilderApiV1BaseFromIssuerUrl, getEndUserIdsForExternalUser, getPymthouseIssuerOrigin, getPymthouseIssuerUrlFromEnv, getPymthousePublicClientIdFromEnv, getUsageRecordUserIdsForExternalUser, getUtcCalendarMonthIsoBounds, isLikelyOidcJwt, isOpaqueSignerSessionToken, isPymthouseConfigured, listUsageByPipelineModel, loadAuthorizationServer, mergeUsageByPipelineModel, normalizeUserCode, parseAppManifestResponse, parseSignerSessionExchange, parseUsageDateParam, readPymthouseEnv, summarizeUsageFiatForExternalUser, summarizeUsageForExternalUser, toPmtHouseError };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map