@pymthouse/builder-sdk 0.0.8 → 0.3.0

package/dist/index.cjs

@@ -1,40 +1,17 @@
 'use strict';
 
 var oauth4webapi = require('oauth4webapi');
+var crypto = require('crypto');
 
-// src/usage.ts
-function aggregateUsageByExternalUserId(byUser, externalUserId) {
-  const rows = byUser?.filter((row) => row.externalUserId === externalUserId) ?? [];
-  if (rows.length === 0) {
-    return {
-      externalUserId,
-      requestCount: 0,
-      feeWei: "0"
-    };
-  }
-  let feeWei = 0n;
-  let requestCount = 0;
-  for (const row of rows) {
-    feeWei += BigInt(row.feeWei);
-    requestCount += row.requestCount;
-  }
-  return {
-    externalUserId,
-    requestCount,
-    feeWei: feeWei.toString()
-  };
-}
-function summarizeUsageForExternalUser(usage, externalUserId) {
-  return aggregateUsageByExternalUserId(usage.byUser, externalUserId);
-}
-function listUsageByPipelineModel(usage) {
-  const rows = usage.byPipelineModel ?? [];
-  return [...rows].sort((a, b) => {
-    const p = a.pipeline.localeCompare(b.pipeline);
-    if (p !== 0) return p;
-    return a.modelId.localeCompare(b.modelId);
-  });
-}
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 
 // src/encoding.ts
 function encodeClientSecretBasic(clientId, clientSecret) {
@@ -42,55 +19,94 @@ function encodeClientSecretBasic(clientId, clientSecret) {
   const b64 = typeof Buffer !== "undefined" ? Buffer.from(raw, "utf8").toString("base64") : btoa(Array.from(new TextEncoder().encode(raw), (c) => String.fromCharCode(c)).join(""));
   return `Basic ${b64}`;
 }
+var init_encoding = __esm({
+  "src/encoding.ts"() {
+  }
+});
 
 // src/errors.ts
-var PmtHouseError = class extends Error {
-  status;
-  code;
-  details;
-  constructor(message, {
-    status = 500,
-    code = "pymthouse_error",
-    details
-  } = {}) {
-    super(message);
-    this.name = "PmtHouseError";
-    this.status = status;
-    this.code = code;
-    this.details = details;
-  }
-};
 function toPmtHouseError(error, fallbackMessage) {
-  if (error instanceof PmtHouseError) {
+  if (error instanceof exports.PmtHouseError) {
     return error;
   }
   if (error instanceof Error) {
-    return new PmtHouseError(error.message || fallbackMessage, {
+    return new exports.PmtHouseError(error.message || fallbackMessage, {
       code: "unexpected_error",
       status: 500
     });
   }
-  return new PmtHouseError(fallbackMessage, {
+  return new exports.PmtHouseError(fallbackMessage, {
     code: "unexpected_error",
     status: 500
   });
 }
+exports.PmtHouseError = void 0;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    exports.PmtHouseError = class extends Error {
+      status;
+      code;
+      details;
+      constructor(message, {
+        status = 500,
+        code = "pymthouse_error",
+        details
+      } = {}) {
+        super(message);
+        this.name = "PmtHouseError";
+        this.status = status;
+        this.code = code;
+        this.details = details;
+      }
+    };
+  }
+});
 
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
-  while (end > 0 && value.charCodeAt(end - 1) === 47) {
+  while (end > 0 && (value.codePointAt(end - 1) ?? 0) === 47) {
     end--;
   }
   return value.slice(0, end);
 }
-
-// src/discovery.ts
+function endsWithIgnoreCase(value, suffix) {
+  if (suffix.length > value.length) {
+    return false;
+  }
+  const start = value.length - suffix.length;
+  for (let i = 0; i < suffix.length; i++) {
+    const a = value.codePointAt(start + i) ?? 0;
+    const b = suffix.codePointAt(i) ?? 0;
+    if (a !== b && (a | 32) !== (b | 32)) {
+      return false;
+    }
+  }
+  return true;
+}
+function stripSuffixIgnoreCase(value, suffix) {
+  return endsWithIgnoreCase(value, suffix) ? value.slice(0, value.length - suffix.length) : value;
+}
+function stripOidcPathSuffix(issuerUrl) {
+  let base = stripTrailingSlashes(issuerUrl.trim());
+  base = stripSuffixIgnoreCase(base, "/oidc");
+  return stripTrailingSlashes(base);
+}
+function stripIssuerOriginFromOidcUrl(issuerUrl) {
+  let base = stripTrailingSlashes(issuerUrl.trim());
+  base = stripSuffixIgnoreCase(base, "/api/v1/oidc");
+  base = stripSuffixIgnoreCase(base, "/oidc");
+  return stripTrailingSlashes(base);
+}
+var init_string_utils = __esm({
+  "src/string-utils.ts"() {
+  }
+});
 function authorizationServerToOidcDocument(as) {
   const tokenEndpoint = as.token_endpoint;
   const jwksUri = as.jwks_uri;
   if (!tokenEndpoint || !jwksUri) {
-    throw new PmtHouseError("OIDC discovery document is missing token_endpoint or jwks_uri", {
+    throw new exports.PmtHouseError("OIDC discovery document is missing token_endpoint or jwks_uri", {
       status: 500,
       code: "oidc_discovery_invalid"
     });
@@ -104,8 +120,6 @@ function authorizationServerToOidcDocument(as) {
     device_authorization_endpoint: as.device_authorization_endpoint
   };
 }
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var discoveryCache = /* @__PURE__ */ new Map();
 function normalizedIssuerKey(issuerUrl) {
   return stripTrailingSlashes(issuerUrl);
 }
@@ -151,42 +165,945 @@ function clearDiscoveryCache(issuerUrl) {
   discoveryCache.delete(normalizedIssuerKey(issuerUrl));
 }
 function mapOAuthDiscoveryError(error) {
-  if (error instanceof PmtHouseError) {
+  if (error instanceof exports.PmtHouseError) {
     return error;
   }
   if (error instanceof Error) {
-    return new PmtHouseError(error.message, {
+    return new exports.PmtHouseError(error.message, {
       status: 500,
       code: "oidc_discovery_invalid",
       details: { cause: error.cause }
     });
   }
-  return new PmtHouseError("OIDC discovery failed", {
+  return new exports.PmtHouseError("OIDC discovery failed", {
     status: 500,
     code: "oidc_discovery_invalid"
   });
 }
 function mapDiscoveryNetworkError(error) {
-  if (error instanceof PmtHouseError) {
+  if (error instanceof exports.PmtHouseError) {
     return error;
   }
   if (error instanceof Error) {
-    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
+    return new exports.PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
       status: 502,
       code: "oidc_discovery_failed"
     });
   }
-  return new PmtHouseError("Failed to load OIDC discovery", {
+  return new exports.PmtHouseError("Failed to load OIDC discovery", {
     status: 502,
     code: "oidc_discovery_failed"
   });
 }
+var CACHE_TTL_MS, discoveryCache;
+var init_discovery = __esm({
+  "src/discovery.ts"() {
+    init_errors();
+    init_string_utils();
+    CACHE_TTL_MS = 5 * 60 * 1e3;
+    discoveryCache = /* @__PURE__ */ new Map();
+  }
+});
+
+// src/signer/fetch-json.ts
+function oauthFailureDescription(parsed, failureLabel, status) {
+  if (typeof parsed.error_description === "string") {
+    return parsed.error_description;
+  }
+  if (typeof parsed.error === "string") {
+    return parsed.error;
+  }
+  return `${failureLabel} (${status})`;
+}
+async function readJsonObjectFromResponse(response, options) {
+  const text = await response.text();
+  let parsed;
+  try {
+    parsed = text ? JSON.parse(text) : {};
+  } catch {
+    throw new exports.PmtHouseError(options.invalidJsonMessage, {
+      status: 502,
+      code: options.invalidJsonCode,
+      details: { status: response.status }
+    });
+  }
+  if (!response.ok) {
+    const description = oauthFailureDescription(parsed, options.failureLabel, response.status);
+    throw new exports.PmtHouseError(description, {
+      status: response.status,
+      code: typeof parsed.error === "string" ? parsed.error : options.defaultErrorCode,
+      details: parsed
+    });
+  }
+  return parsed;
+}
+var init_fetch_json = __esm({
+  "src/signer/fetch-json.ts"() {
+    init_errors();
+  }
+});
+
+// src/signer/handler-errors.ts
+function signerHandlerErrorResponse(error) {
+  if (error instanceof exports.PmtHouseError) {
+    return new Response(
+      JSON.stringify({
+        error: error.code,
+        error_description: error.message,
+        details: error.details
+      }),
+      {
+        status: error.status,
+        headers: { "Content-Type": "application/json" }
+      }
+    );
+  }
+  const message = error instanceof Error ? error.message : "Internal error";
+  return new Response(JSON.stringify({ error: "internal_error", error_description: message }), {
+    status: 500,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+var init_handler_errors = __esm({
+  "src/signer/handler-errors.ts"() {
+    init_errors();
+  }
+});
+
+// src/signer/json-fields.ts
+function readStringField(body, key, errorCode, messagePrefix = "Response") {
+  const value = body[key];
+  if (typeof value !== "string" || !value.trim()) {
+    throw new exports.PmtHouseError(`${messagePrefix} missing ${key}`, {
+      status: 502,
+      code: errorCode
+    });
+  }
+  return value.trim();
+}
+function readExpiresIn(body, errorCode) {
+  const expiresIn = body.expires_in;
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new exports.PmtHouseError("Response missing expires_in", {
+      status: 502,
+      code: errorCode
+    });
+  }
+  return Math.floor(expiresIn);
+}
+var init_json_fields = __esm({
+  "src/signer/json-fields.ts"() {
+    init_errors();
+  }
+});
+
+// src/signer/mint-token.ts
+function parseMintUserSignerTokenResponse(body, ttlRefreshRatio = DEFAULT_TTL_REFRESH_RATIO) {
+  const accessToken = readStringField(body, "access_token", TOKEN_RESPONSE_ERROR, "Token response");
+  const expiresIn = readExpiresIn(body, TOKEN_RESPONSE_ERROR);
+  const balanceUsdMicros = readStringField(
+    body,
+    "balanceUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const lifetimeGrantedUsdMicros = readStringField(
+    body,
+    "lifetimeGrantedUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const now = Date.now();
+  const expiresAt = now + expiresIn * 1e3;
+  const refreshAt = now + Math.floor(expiresIn * 1e3 * ttlRefreshRatio);
+  return {
+    jwt: accessToken,
+    expiresAt,
+    refreshAt,
+    balanceUsdMicros,
+    lifetimeGrantedUsdMicros
+  };
+}
+var LIVEPEER_REMOTE_SIGNER_AUDIENCE, DEFAULT_TTL_REFRESH_RATIO, TOKEN_RESPONSE_ERROR;
+var init_mint_token = __esm({
+  "src/signer/mint-token.ts"() {
+    init_json_fields();
+    LIVEPEER_REMOTE_SIGNER_AUDIENCE = "livepeer-remote-signer";
+    DEFAULT_TTL_REFRESH_RATIO = 0.8;
+    TOKEN_RESPONSE_ERROR = "invalid_token_response";
+  }
+});
+
+// src/signer/device-exchange.ts
+function extractSignerAccessTokenFromExchangeBody(body) {
+  const tokenObj = body.token;
+  if (tokenObj !== null && typeof tokenObj === "object" && !Array.isArray(tokenObj)) {
+    const nested = tokenObj;
+    for (const key of ["accessToken", "access_token"]) {
+      const value = nested[key];
+      if (typeof value === "string" && value.trim()) {
+        return value.trim();
+      }
+    }
+  }
+  for (const key of ["accessToken", "access_token"]) {
+    const value = body[key];
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  throw new exports.PmtHouseError("Device exchange response missing signer access token", {
+    status: 502,
+    code: "invalid_exchange_response"
+  });
+}
+function normalizeDeviceExchangeResponse(minted, options) {
+  const scope = minted.scope.trim() || "sign:job";
+  const body = {
+    access_token: minted.access_token,
+    token_type: "Bearer",
+    expires_in: minted.expires_in,
+    scope,
+    balanceUsdMicros: minted.balanceUsdMicros,
+    lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros,
+    token: {
+      accessToken: minted.access_token,
+      access_token: minted.access_token,
+      expiresIn: minted.expires_in,
+      expires_in: minted.expires_in,
+      scope,
+      balanceUsdMicros: minted.balanceUsdMicros,
+      lifetimeGrantedUsdMicros: minted.lifetimeGrantedUsdMicros
+    }
+  };
+  const signerUrl = options?.signerUrl?.trim();
+  if (signerUrl) {
+    body.signerUrl = signerUrl;
+  }
+  return body;
+}
+async function mintSignerTokenFromDeviceToken(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
+  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const tokenEndpoint = as.token_endpoint;
+  if (!tokenEndpoint) {
+    throw new exports.PmtHouseError("OIDC discovery document is missing token_endpoint", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
+  }
+  const audience = options.audience?.trim() || LIVEPEER_REMOTE_SIGNER_AUDIENCE;
+  const params = new URLSearchParams({
+    grant_type: TOKEN_EXCHANGE_GRANT,
+    subject_token: options.deviceToken,
+    subject_token_type: SUBJECT_ACCESS_TOKEN_TYPE,
+    audience,
+    resource: audience
+  });
+  if (options.scope?.trim()) {
+    params.set("scope", options.scope.trim());
+  }
+  const response = await fetchImpl(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString(),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Token endpoint returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "Signer JWT exchange failed",
+    defaultErrorCode: "token_exchange_failed"
+  });
+  const cached = parseMintUserSignerTokenResponse(parsed);
+  return {
+    access_token: cached.jwt,
+    expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
+    scope: readStringField(parsed, "scope", EXCHANGE_RESPONSE_ERROR),
+    balanceUsdMicros: cached.balanceUsdMicros,
+    lifetimeGrantedUsdMicros: cached.lifetimeGrantedUsdMicros
+  };
+}
+var TOKEN_EXCHANGE_GRANT, SUBJECT_ACCESS_TOKEN_TYPE, EXCHANGE_RESPONSE_ERROR;
+var init_device_exchange = __esm({
+  "src/signer/device-exchange.ts"() {
+    init_discovery();
+    init_encoding();
+    init_errors();
+    init_string_utils();
+    init_fetch_json();
+    init_json_fields();
+    init_mint_token();
+    TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
+    SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+    EXCHANGE_RESPONSE_ERROR = "invalid_exchange_response";
+  }
+});
+
+// src/signer/api-key-exchange.ts
+var api_key_exchange_exports = {};
+__export(api_key_exchange_exports, {
+  createApiKeyExchangeHandler: () => createApiKeyExchangeHandler,
+  exchangeApiKeyForSigner: () => exchangeApiKeyForSigner,
+  mintSignerSessionFromApiKey: () => mintSignerSessionFromApiKey,
+  mintUserAccessTokenFromApiKey: () => mintUserAccessTokenFromApiKey,
+  parseApiKeyExchangeRequestBody: () => parseApiKeyExchangeRequestBody
+});
+async function parseApiKeyExchangeRequestBody(request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    throw new exports.PmtHouseError("Request body must be JSON", {
+      status: 400,
+      code: "invalid_request"
+    });
+  }
+  if (body === null || typeof body !== "object" || Array.isArray(body)) {
+    throw new exports.PmtHouseError("Request body must be a JSON object", {
+      status: 400,
+      code: "invalid_request"
+    });
+  }
+  const record = body;
+  const apiKeyRaw = record.apiKey;
+  if (typeof apiKeyRaw !== "string" || !apiKeyRaw.trim()) {
+    throw new exports.PmtHouseError("Request body must include apiKey", {
+      status: 400,
+      code: "invalid_request"
+    });
+  }
+  const scope = typeof record.scope === "string" && record.scope.trim() ? record.scope.trim() : void 0;
+  const clientId = typeof record.clientId === "string" && record.clientId.trim() ? record.clientId.trim() : void 0;
+  return { apiKey: apiKeyRaw.trim(), scope, clientId };
+}
+async function mintUserAccessTokenFromApiKey(input) {
+  const fetchImpl = input.fetch ?? fetch;
+  const issuerOrigin = stripIssuerOriginFromOidcUrl(input.issuerUrl);
+  const url = `${issuerOrigin}/api/v1/apps/${encodeURIComponent(input.publicClientId)}/auth/api-key/token`;
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${input.apiKey}`,
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(input.scope ? { scope: input.scope } : {}),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "API key token exchange returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "API key token exchange failed",
+    defaultErrorCode: "api_key_token_exchange_failed"
+  });
+  const accessToken = parsed.access_token;
+  if (typeof accessToken !== "string" || !accessToken.trim()) {
+    throw new exports.PmtHouseError("API key token exchange missing access_token", {
+      status: 502,
+      code: EXCHANGE_RESPONSE_ERROR2
+    });
+  }
+  const expiresIn = typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 900;
+  const scope = typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : input.scope?.trim() || "sign:job";
+  return {
+    access_token: accessToken.trim(),
+    expires_in: expiresIn,
+    scope
+  };
+}
+async function mintSignerSessionFromApiKey(input) {
+  const userToken = await mintUserAccessTokenFromApiKey({
+    issuerUrl: input.issuerUrl,
+    publicClientId: input.publicClientId,
+    apiKey: input.apiKey,
+    scope: input.scope,
+    fetch: input.fetch
+  });
+  return mintSignerTokenFromDeviceToken({
+    issuerUrl: input.issuerUrl,
+    m2mClientId: input.m2mClientId,
+    m2mClientSecret: input.m2mClientSecret,
+    deviceToken: userToken.access_token,
+    scope: userToken.scope,
+    audience: input.audience,
+    fetch: input.fetch,
+    allowInsecureHttp: input.allowInsecureHttp
+  });
+}
+async function exchangeApiKeyForSigner(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const url = `${stripTrailingSlashes(options.facadeUrl)}/api/pymthouse/keys/exchange`;
+  const body = { apiKey: options.apiKey };
+  if (options.scope?.trim()) {
+    body.scope = options.scope.trim();
+  }
+  if (options.clientId?.trim()) {
+    body.clientId = options.clientId.trim();
+  }
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "API key exchange returned invalid JSON",
+    invalidJsonCode: EXCHANGE_RESPONSE_ERROR2,
+    failureLabel: "API key exchange failed",
+    defaultErrorCode: "api_key_exchange_failed"
+  });
+  const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
+  const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
+  const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  return normalizeDeviceExchangeResponse(
+    {
+      access_token: accessToken,
+      expires_in: typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 3600,
+      scope: typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : "sign:job",
+      balanceUsdMicros: typeof parsed.balanceUsdMicros === "string" ? parsed.balanceUsdMicros : "0",
+      lifetimeGrantedUsdMicros: typeof parsed.lifetimeGrantedUsdMicros === "string" ? parsed.lifetimeGrantedUsdMicros : "0"
+    },
+    { signerUrl }
+  );
+}
+function createApiKeyExchangeHandler(config) {
+  const publicClientId = config.publicClientId.trim();
+  return async function apiKeyExchangeHandler(request) {
+    try {
+      if (request.method !== "POST") {
+        return new Response(JSON.stringify({ error: "method_not_allowed" }), {
+          status: 405,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      const parsed = await parseApiKeyExchangeRequestBody(request);
+      const effectiveClientId = parsed.clientId?.trim() || publicClientId;
+      if (effectiveClientId !== publicClientId) {
+        throw new exports.PmtHouseError("clientId does not match configured public client", {
+          status: 400,
+          code: "invalid_request"
+        });
+      }
+      const minted = await mintSignerSessionFromApiKey({
+        issuerUrl: config.issuerUrl,
+        publicClientId,
+        m2mClientId: config.m2mClientId,
+        m2mClientSecret: config.m2mClientSecret,
+        apiKey: parsed.apiKey,
+        scope: parsed.scope,
+        audience: config.audience,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+      const signerUrlValue = typeof config.signerUrl === "string" && config.signerUrl.trim() ? config.signerUrl.trim() : void 0;
+      const body = normalizeDeviceExchangeResponse(minted, { signerUrl: signerUrlValue });
+      return new Response(JSON.stringify(body), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-store"
+        }
+      });
+    } catch (error) {
+      return signerHandlerErrorResponse(error);
+    }
+  };
+}
+var EXCHANGE_RESPONSE_ERROR2;
+var init_api_key_exchange = __esm({
+  "src/signer/api-key-exchange.ts"() {
+    init_string_utils();
+    init_errors();
+    init_fetch_json();
+    init_handler_errors();
+    init_device_exchange();
+    EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
+  }
+});
+
+// src/plan-pricing.ts
+var NETWORK_USD_PER_MICRO = 1e-6;
+var RETAIL_RATE_DECIMALS = 9;
+function trimFixedDecimalZeros(fixed) {
+  const dotIndex = fixed.indexOf(".");
+  if (dotIndex === -1) {
+    return fixed;
+  }
+  let end = fixed.length;
+  while (end > dotIndex + 1 && fixed[end - 1] === "0") {
+    end -= 1;
+  }
+  if (end === dotIndex + 1) {
+    end = dotIndex;
+  }
+  const trimmed = fixed.slice(0, end);
+  return trimmed.length > 0 ? trimmed : "0";
+}
+function defaultRetailRateUsd() {
+  return formatRetailRateUsd(NETWORK_USD_PER_MICRO);
+}
+function formatRetailRateUsd(value) {
+  if (!Number.isFinite(value) || value < 0) {
+    return defaultRetailRateUsd();
+  }
+  return trimFixedDecimalZeros(value.toFixed(RETAIL_RATE_DECIMALS));
+}
+function parseRetailRateUsd(raw) {
+  if (raw === null || raw === void 0) {
+    return null;
+  }
+  const trimmed = String(raw).trim();
+  if (!trimmed) {
+    return null;
+  }
+  const n = Number(trimmed);
+  if (!Number.isFinite(n) || n < 0) {
+    return null;
+  }
+  return formatRetailRateUsd(n);
+}
+function markupPercentToRetailRateUsd(markupPercent) {
+  const pct = Number.isFinite(markupPercent) ? Math.max(0, markupPercent) : 0;
+  return formatRetailRateUsd(NETWORK_USD_PER_MICRO * (1 + pct / 100));
+}
+function retailRateUsdToMarkupPercent(raw) {
+  const rate = parseRetailRateUsd(raw);
+  if (!rate) {
+    return "";
+  }
+  const n = Number(rate);
+  if (!Number.isFinite(n) || n <= NETWORK_USD_PER_MICRO) {
+    return n === NETWORK_USD_PER_MICRO ? "0" : "";
+  }
+  const pct = (n / NETWORK_USD_PER_MICRO - 1) * 100;
+  if (!Number.isFinite(pct) || pct <= 0) {
+    return "";
+  }
+  return pct % 1 === 0 ? String(Math.round(pct)) : pct.toFixed(1);
+}
+function retailRateUsdPerMillion(raw) {
+  const rate = parseRetailRateUsd(raw);
+  if (!rate) {
+    return "";
+  }
+  const perM = Number(rate) * 1e6;
+  if (!Number.isFinite(perM)) {
+    return "";
+  }
+  return perM.toFixed(2);
+}
+function parseMarkupPercentInput(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const n = Number(trimmed);
+  if (!Number.isFinite(n) || n < 0) {
+    return null;
+  }
+  return n;
+}
+function applyRetailRateToNetworkMicros(networkFeeUsdMicros, retailRateUsd) {
+  const networkPerMicro = NETWORK_USD_PER_MICRO;
+  const retail = Number(retailRateUsd);
+  if (!Number.isFinite(retail) || retail <= 0) {
+    return networkFeeUsdMicros;
+  }
+  const ratio = retail / networkPerMicro;
+  if (!Number.isFinite(ratio) || ratio <= 0) {
+    return networkFeeUsdMicros;
+  }
+  return networkFeeUsdMicros * BigInt(Math.round(ratio * 1e6)) / 1000000n;
+}
+
+// src/ingest.ts
+init_encoding();
+init_errors();
+init_string_utils();
+function signerSnapshotToIngestPayload(input) {
+  return {
+    requestId: input.snapshot.requestId,
+    externalUserId: input.externalUserId,
+    networkFeeUsdMicros: input.snapshot.computedFeeUsdMicros.toString(),
+    feeWei: input.snapshot.computedFeeWei,
+    pixels: input.snapshot.pixels,
+    pipeline: input.snapshot.pipeline,
+    modelId: input.snapshot.modelId,
+    gatewayRequestId: input.gatewayRequestId,
+    ethUsdPrice: input.snapshot.ethUsdPrice,
+    ethUsdRoundId: input.snapshot.ethUsdRoundId,
+    ethUsdObservedAt: input.snapshot.ethUsdObservedAt
+  };
+}
+function ingestUrl(issuerUrl, publicClientId) {
+  const origin = new URL(stripTrailingSlashes(issuerUrl)).origin;
+  return `${origin}/api/v1/apps/${encodeURIComponent(publicClientId)}/usage/signed-tickets`;
+}
+async function readJsonResponse(response) {
+  const text = await response.text();
+  if (!text.trim()) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(text);
+    return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+async function ingestSignedTicket(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const url = ingestUrl(options.issuerUrl, options.publicClientId);
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(options.ticket),
+    cache: "no-store"
+  });
+  const body = await readJsonResponse(response);
+  if (!response.ok) {
+    const message = typeof body.error === "string" ? body.error : `Signed-ticket ingest failed (${response.status})`;
+    throw new exports.PmtHouseError(message, {
+      status: response.status,
+      code: "ingest_failed",
+      details: body
+    });
+  }
+  return {
+    ingested: Boolean(body.ingested),
+    duplicate: Boolean(body.duplicate),
+    source: body.source === "openmeter" ? "openmeter" : "disabled"
+  };
+}
+async function ingestSignedTicketsBatch(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const url = ingestUrl(options.issuerUrl, options.publicClientId);
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify({ tickets: options.tickets }),
+    cache: "no-store"
+  });
+  const body = await readJsonResponse(response);
+  if (!response.ok) {
+    const message = typeof body.error === "string" ? body.error : `Signed-ticket batch ingest failed (${response.status})`;
+    throw new exports.PmtHouseError(message, {
+      status: response.status,
+      code: "ingest_failed",
+      details: body
+    });
+  }
+  const rawResults = Array.isArray(body.results) ? body.results : [];
+  return {
+    results: rawResults.map((entry) => {
+      const row = entry ?? {};
+      return {
+        requestId: typeof row.requestId === "string" ? row.requestId : void 0,
+        ok: row.ok === true,
+        ingested: Boolean(row.ingested),
+        duplicate: Boolean(row.duplicate),
+        source: row.source === "openmeter" ? "openmeter" : "disabled"
+      };
+    })
+  };
+}
+
+// src/usage.ts
+function parseSafeBigInt(value, fallback = 0n) {
+  try {
+    return BigInt(value);
+  } catch {
+    return fallback;
+  }
+}
+function getUtcCalendarMonthIsoBounds(now = /* @__PURE__ */ new Date()) {
+  const y = now.getUTCFullYear();
+  const m = now.getUTCMonth();
+  const start = new Date(Date.UTC(y, m, 1, 0, 0, 0, 0));
+  const end = new Date(Date.UTC(y, m + 1, 0, 23, 59, 59, 999));
+  return { startDate: start.toISOString(), endDate: end.toISOString() };
+}
+function parseUsageDateParam(raw) {
+  if (raw == null) return null;
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  const t = Date.parse(trimmed);
+  if (Number.isNaN(t)) return null;
+  return trimmed;
+}
+function aggregateUsageByExternalUserId(byUser, externalUserId) {
+  const rows = byUser?.filter((row) => row.externalUserId === externalUserId) ?? [];
+  if (rows.length === 0) {
+    return {
+      externalUserId,
+      requestCount: 0,
+      feeWei: "0"
+    };
+  }
+  let feeWei = 0n;
+  let requestCount = 0;
+  for (const row of rows) {
+    if (row.feeWei) {
+      feeWei += BigInt(row.feeWei);
+    }
+    requestCount += row.requestCount;
+  }
+  return {
+    externalUserId,
+    requestCount,
+    feeWei: feeWei.toString()
+  };
+}
+function summarizeUsageForExternalUser(usage, externalUserId) {
+  return aggregateUsageByExternalUserId(usage.byUser, externalUserId);
+}
+function listUsageByPipelineModel(usage) {
+  const rows = usage.byPipelineModel ?? [];
+  return [...rows].sort((a, b) => {
+    const p = a.pipeline.localeCompare(b.pipeline);
+    if (p !== 0) return p;
+    return a.modelId.localeCompare(b.modelId);
+  });
+}
+function getEndUserIdsForExternalUser(usage, externalUserId) {
+  const userIds = /* @__PURE__ */ new Set();
+  for (const row of usage.byUser ?? []) {
+    if (row.externalUserId === externalUserId && row.endUserId !== "unknown") {
+      userIds.add(row.endUserId);
+    }
+  }
+  return [...userIds];
+}
+var getUsageRecordUserIdsForExternalUser = getEndUserIdsForExternalUser;
+function summarizeUsageFiatForExternalUser(usageByUser, externalUserId) {
+  const rows = usageByUser.byUser ?? [];
+  let requestCount = 0;
+  let networkFeeUsdMicros = 0n;
+  let ownerChargeUsdMicros = 0n;
+  let endUserBillableUsdMicros = 0n;
+  let currency = "USD";
+  for (const row of rows) {
+    if (row.externalUserId !== externalUserId) continue;
+    requestCount += row.requestCount;
+    if (row.currency) currency = row.currency;
+    if (row.networkFeeUsdMicros) {
+      networkFeeUsdMicros += BigInt(row.networkFeeUsdMicros);
+    }
+    if (row.ownerChargeUsdMicros) {
+      ownerChargeUsdMicros += BigInt(row.ownerChargeUsdMicros);
+    }
+    if (row.endUserBillableUsdMicros) {
+      endUserBillableUsdMicros += BigInt(row.endUserBillableUsdMicros);
+    }
+  }
+  return {
+    externalUserId,
+    requestCount,
+    currency,
+    networkFeeUsdMicros: networkFeeUsdMicros.toString(),
+    ownerChargeUsdMicros: ownerChargeUsdMicros.toString(),
+    endUserBillableUsdMicros: endUserBillableUsdMicros.toString()
+  };
+}
+function mergeUsageByPipelineModel(usagePipelineModels) {
+  let responses;
+  if (Array.isArray(usagePipelineModels)) {
+    responses = usagePipelineModels;
+  } else if (usagePipelineModels) {
+    responses = [usagePipelineModels];
+  } else {
+    responses = [];
+  }
+  const byKey = /* @__PURE__ */ new Map();
+  for (const response of responses) {
+    for (const row of response.byPipelineModel ?? []) {
+      const { pipeline, modelId } = row;
+      if (!pipeline || !modelId) continue;
+      const key = JSON.stringify([pipeline, modelId]);
+      const existing = byKey.get(key);
+      const rowCurrency = row.currency ?? "USD";
+      const networkFee = row.networkFeeUsdMicros ?? "0";
+      const ownerCharge = row.ownerChargeUsdMicros ?? "0";
+      const endUserBillable = row.endUserBillableUsdMicros ?? "0";
+      if (!existing) {
+        byKey.set(key, {
+          pipeline,
+          modelId,
+          requestCount: row.requestCount,
+          currency: rowCurrency,
+          networkFeeUsdMicros: networkFee,
+          ownerChargeUsdMicros: ownerCharge,
+          endUserBillableUsdMicros: endUserBillable
+        });
+        continue;
+      }
+      byKey.set(key, {
+        ...existing,
+        requestCount: existing.requestCount + row.requestCount,
+        networkFeeUsdMicros: (parseSafeBigInt(existing.networkFeeUsdMicros) + parseSafeBigInt(networkFee)).toString(),
+        ownerChargeUsdMicros: (parseSafeBigInt(existing.ownerChargeUsdMicros) + parseSafeBigInt(ownerCharge)).toString(),
+        endUserBillableUsdMicros: (parseSafeBigInt(existing.endUserBillableUsdMicros) + parseSafeBigInt(endUserBillable)).toString()
+      });
+    }
+  }
+  return [...byKey.values()].sort((a, b) => {
+    if (a.pipeline === b.pipeline) return a.modelId.localeCompare(b.modelId);
+    return a.pipeline.localeCompare(b.pipeline);
+  });
+}
+function buildMeScopeUsagePayload(usageByUser, externalUserId, usagePipelineModel, usageDaily) {
+  const summary = summarizeUsageFiatForExternalUser(usageByUser, externalUserId);
+  const pipelineModels = mergeUsageByPipelineModel(usagePipelineModel);
+  const dailyByPipeline = usageDaily?.byDailyPipeline ?? [];
+  return {
+    clientId: usageByUser.clientId,
+    period: usageByUser.period,
+    currentUser: {
+      externalUserId: summary.externalUserId,
+      requestCount: summary.requestCount,
+      currency: summary.currency,
+      networkFeeUsdMicros: summary.networkFeeUsdMicros,
+      ownerChargeUsdMicros: summary.ownerChargeUsdMicros,
+      endUserBillableUsdMicros: summary.endUserBillableUsdMicros,
+      pipelineModels,
+      dailyByPipeline
+    }
+  };
+}
+var DEFAULT_MAX_END_USER_IDS = 25;
+
+// src/client.ts
+init_encoding();
+init_discovery();
+init_errors();
+function parseAppManifestResponse(json) {
+  if (!json || typeof json !== "object" || Array.isArray(json)) {
+    return { capabilities: [], excludedCapabilities: [] };
+  }
+  const record = json;
+  const capabilities = parseCapabilityArray(record.capabilities);
+  const excludedCapabilities = parseCapabilityArray(record.excludedCapabilities);
+  const manifestVersion = typeof record.manifestVersion === "string" && record.manifestVersion.trim() ? record.manifestVersion.trim() : void 0;
+  return { capabilities, excludedCapabilities, manifestVersion };
+}
+function parseCapabilityArray(raw) {
+  if (!Array.isArray(raw)) return [];
+  return raw.filter(
+    (c) => !!c && typeof c === "object" && typeof c.pipeline === "string" && typeof c.modelId === "string"
+  );
+}
+function sortedCaps(caps) {
+  return [...caps].sort((a, b) => {
+    const p = a.pipeline.localeCompare(b.pipeline);
+    return p === 0 ? a.modelId.localeCompare(b.modelId) : p;
+  });
+}
+function computeManifestRevision(data) {
+  if (data == null) {
+    return "unavailable";
+  }
+  if (data.manifestVersion?.trim()) {
+    return data.manifestVersion.trim();
+  }
+  const caps = sortedCaps(data.capabilities ?? []);
+  const excl = sortedCaps(data.excludedCapabilities ?? []);
+  if (caps.length === 0 && excl.length === 0) {
+    return "empty";
+  }
+  return crypto.createHash("sha256").update(JSON.stringify({ capabilities: caps, excludedCapabilities: excl })).digest("hex").slice(0, 24);
+}
+
+// src/client.ts
+init_string_utils();
+
+// src/tokens.ts
+var SIGNER_SESSION_TTL_MS = 90 * 24 * 60 * 60 * 1e3;
+var SIGNER_SESSION_EXPIRES_IN_SEC = Math.floor(SIGNER_SESSION_TTL_MS / 1e3);
+var SIGN_JOB_SCOPE = "sign:job";
+var PYMTHOUSE_SIGNER_SESSION_TTL_MS = SIGNER_SESSION_TTL_MS;
+function computeSignerSessionExpiry(input) {
+  const createdAt = input instanceof Date ? input : new Date(input);
+  return new Date(createdAt.getTime() + SIGNER_SESSION_TTL_MS);
+}
+var computePymthouseExpiry = computeSignerSessionExpiry;
+function isLikelyOidcJwt(rawToken) {
+  const t = rawToken.trim();
+  return t.startsWith("eyJ") && t.split(".").length >= 3;
+}
+function isOpaqueSignerSessionToken(rawToken) {
+  const t = rawToken.trim();
+  return t.length > 0 && !isLikelyOidcJwt(t);
+}
+function base64UrlPayloadToUtf8(payloadB64) {
+  const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
+  const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, "=");
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(padded, "base64").toString("utf8");
+  }
+  return atob(padded);
+}
+function decodeJwtExp(rawToken) {
+  try {
+    const parts = rawToken.split(".");
+    if (parts.length < 2) return null;
+    const payloadJson = base64UrlPayloadToUtf8(parts[1]);
+    const payload = JSON.parse(payloadJson);
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return null;
+    const expMs = Math.floor(payload.exp * 1e3);
+    if (expMs <= 0) return null;
+    return new Date(expMs);
+  } catch {
+    return null;
+  }
+}
+function parseSignerSessionExchange(res) {
+  const accessToken = typeof res.access_token === "string" ? res.access_token.trim() : "";
+  if (!accessToken) {
+    throw new Error("PymtHouse signer session exchange returned no access_token");
+  }
+  if (isLikelyOidcJwt(accessToken)) {
+    throw new Error(
+      "PymtHouse signer session exchange returned a JWT; expected opaque signer session token"
+    );
+  }
+  const tokenType = typeof res.token_type === "string" && res.token_type.trim() ? res.token_type.trim() : "Bearer";
+  const expiresIn = typeof res.expires_in === "number" && Number.isFinite(res.expires_in) && res.expires_in > 0 ? Math.floor(res.expires_in) : SIGNER_SESSION_EXPIRES_IN_SEC;
+  const scope = typeof res.scope === "string" && res.scope.trim() ? res.scope.trim() : SIGN_JOB_SCOPE;
+  return {
+    accessToken,
+    tokenType,
+    expiresIn,
+    scope
+  };
+}
+
+// src/oauth-map.ts
+init_errors();
 var ACCEPTED_ISSUED_TOKEN_TYPES = /* @__PURE__ */ new Set([
   "urn:ietf:params:oauth:token-type:access_token",
   "urn:pmth:token-type:remote-signer-session"
 ]);
 function mapOAuthError(error) {
-  if (error instanceof PmtHouseError) {
+  if (error instanceof exports.PmtHouseError) {
     return error;
   }
   if (error instanceof oauth4webapi.ResponseBodyError) {
@@ -196,26 +1113,26 @@ function mapOAuthError(error) {
     if (typeof cause.error_uri === "string") {
       details.error_uri = cause.error_uri;
     }
-    return new PmtHouseError(description, {
+    return new exports.PmtHouseError(description, {
       status: error.status,
       code: error.error,
       details
     });
   }
   if (error instanceof oauth4webapi.OperationProcessingError) {
-    return new PmtHouseError(error.message, {
+    return new exports.PmtHouseError(error.message, {
       status: 502,
       code: error.code ?? "oauth_processing_error",
       details: { cause: error.cause }
     });
   }
   if (error instanceof Error) {
-    return new PmtHouseError(error.message, {
+    return new exports.PmtHouseError(error.message, {
       status: 500,
       code: "unexpected_error"
     });
   }
-  return new PmtHouseError("Unexpected error", {
+  return new exports.PmtHouseError("Unexpected error", {
     status: 500,
     code: "unexpected_error"
   });
@@ -223,7 +1140,7 @@ function mapOAuthError(error) {
 function tokenEndpointResponseToExchange(tr) {
   const issued = tr.issued_token_type;
   if (typeof issued !== "string" || !ACCEPTED_ISSUED_TOKEN_TYPES.has(issued)) {
-    throw new PmtHouseError("Token exchange returned an unexpected issued_token_type", {
+    throw new exports.PmtHouseError("Token exchange returned an unexpected issued_token_type", {
       status: 502,
       code: "invalid_token_response",
       details: { issued_token_type: issued }
@@ -231,7 +1148,7 @@ function tokenEndpointResponseToExchange(tr) {
   }
   const tt = tr.token_type;
   if (typeof tt !== "string" || tt.toLowerCase() !== "bearer") {
-    throw new PmtHouseError("Token endpoint returned a non-Bearer token_type", {
+    throw new exports.PmtHouseError("Token endpoint returned a non-Bearer token_type", {
       status: 502,
       code: "invalid_token_response",
       details: { token_type: tt }
@@ -239,7 +1156,7 @@ function tokenEndpointResponseToExchange(tr) {
   }
   const expiresIn = tr.expires_in;
   if (typeof expiresIn !== "number") {
-    throw new PmtHouseError("Token response missing expires_in", {
+    throw new exports.PmtHouseError("Token response missing expires_in", {
       status: 502,
       code: "invalid_token_response"
     });
@@ -256,7 +1173,7 @@ function tokenEndpointResponseToExchange(tr) {
 function tokenEndpointResponseToClientCredentials(tr) {
   const tt = tr.token_type;
   if (typeof tt !== "string" || tt.toLowerCase() !== "bearer") {
-    throw new PmtHouseError("Token endpoint returned a non-Bearer token_type", {
+    throw new exports.PmtHouseError("Token endpoint returned a non-Bearer token_type", {
       status: 502,
       code: "invalid_token_response",
       details: { token_type: tt }
@@ -274,8 +1191,8 @@ function m2mClient(clientId) {
 }
 
 // src/client.ts
-var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
-var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+var TOKEN_EXCHANGE_GRANT2 = "urn:ietf:params:oauth:grant-type:token-exchange";
+var SUBJECT_ACCESS_TOKEN_TYPE2 = "urn:ietf:params:oauth:token-type:access_token";
 var REQUESTED_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
 var DEVICE_RESOURCE_PREFIX = "urn:pmth:device_code:";
 function normalizeUserCode(value) {
@@ -316,13 +1233,13 @@ var PmtHouseClient = class {
     const issuer = searchParams.get("iss")?.trim() ?? "";
     const targetLinkUri = searchParams.get("target_link_uri")?.trim() ?? "";
     if (!issuer || !targetLinkUri) {
-      throw new PmtHouseError("Missing iss or target_link_uri", {
+      throw new exports.PmtHouseError("Missing iss or target_link_uri", {
         status: 400,
         code: "invalid_request"
       });
     }
     if (!this.verifyIssuer(issuer)) {
-      throw new PmtHouseError("Issuer mismatch for initiate login", {
+      throw new exports.PmtHouseError("Issuer mismatch for initiate login", {
         status: 400,
         code: "invalid_issuer"
       });
@@ -331,14 +1248,14 @@ var PmtHouseClient = class {
     try {
       targetUrl = new URL(targetLinkUri);
     } catch {
-      throw new PmtHouseError("target_link_uri is not a valid URL", {
+      throw new exports.PmtHouseError("target_link_uri is not a valid URL", {
         status: 400,
         code: "invalid_target"
       });
     }
     const issuerOrigin = new URL(this.issuerUrl).origin;
     if (targetUrl.origin !== issuerOrigin || targetUrl.pathname !== "/oidc/device") {
-      throw new PmtHouseError(
+      throw new exports.PmtHouseError(
         "target_link_uri does not point to the issuer device path",
         {
           status: 400,
@@ -349,7 +1266,7 @@ var PmtHouseClient = class {
     const userCode = normalizeUserCode(targetUrl.searchParams.get("user_code") ?? "");
     const clientId = targetUrl.searchParams.get("client_id")?.trim() ?? "";
     if (!userCode || !clientId) {
-      throw new PmtHouseError("target_link_uri is missing user_code or client_id", {
+      throw new exports.PmtHouseError("target_link_uri is missing user_code or client_id", {
         status: 400,
         code: "invalid_target"
       });
@@ -402,6 +1319,50 @@ var PmtHouseClient = class {
       cache: "no-store"
     });
   }
+  /**
+   * Exchange a long-lived dashboard API key (`pmth_*`) for a short-lived user JWT.
+   */
+  async exchangeApiKeyForUserAccessToken(input) {
+    const url = `${this.getAppsBaseUrl()}/auth/api-key/token`;
+    return this.requestJson(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.apiKey.trim()}`,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify(input.scope ? { scope: input.scope } : {}),
+      cache: "no-store"
+    });
+  }
+  /**
+   * Exchange a dashboard API key for a signer session via a trusted facade (recommended)
+   * or directly when M2M credentials are available on this client.
+   */
+  async exchangeApiKeyForSignerSession(input) {
+    if (input.facadeUrl?.trim()) {
+      const { exchangeApiKeyForSigner: exchangeApiKeyForSigner2 } = await Promise.resolve().then(() => (init_api_key_exchange(), api_key_exchange_exports));
+      const exchanged = await exchangeApiKeyForSigner2({
+        facadeUrl: input.facadeUrl.trim(),
+        apiKey: input.apiKey,
+        scope: input.scope,
+        clientId: this.publicClientId,
+        fetch: this.fetchImpl
+      });
+      return {
+        access_token: exchanged.access_token,
+        token_type: exchanged.token_type,
+        expires_in: exchanged.expires_in,
+        scope: exchanged.scope,
+        issued_token_type: "urn:ietf:params:oauth:token-type:access_token"
+      };
+    }
+    const userToken = await this.exchangeApiKeyForUserAccessToken({
+      apiKey: input.apiKey,
+      scope: input.scope
+    });
+    return this.exchangeForSignerSession({ userJwt: userToken.access_token });
+  }
   async completeDeviceApproval(input) {
     const as = await loadAuthorizationServer(this.issuerUrl, this.fetchImpl, {
       allowInsecureHttp: this.allowInsecureHttp
@@ -410,14 +1371,14 @@ var PmtHouseClient = class {
     const clientAuth = this.m2mClientAuth();
     const params = new URLSearchParams();
     params.set("subject_token", input.userJwt);
-    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE);
+    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("resource", buildDeviceCodeResource(input.userCode));
     try {
       const response = await oauth4webapi.genericTokenEndpointRequest(
         as,
         client,
         clientAuth,
-        TOKEN_EXCHANGE_GRANT,
+        TOKEN_EXCHANGE_GRANT2,
         params,
         this.tokenEndpointFetchOptions()
       );
@@ -465,7 +1426,7 @@ var PmtHouseClient = class {
     const clientAuth = this.m2mClientAuth();
     const params = new URLSearchParams();
     params.set("subject_token", input.userJwt);
-    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE);
+    params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
     const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
     params.set("resource", stripTrailingSlashes(resourceCandidate));
@@ -474,7 +1435,7 @@ var PmtHouseClient = class {
         as,
         client,
         clientAuth,
-        TOKEN_EXCHANGE_GRANT,
+        TOKEN_EXCHANGE_GRANT2,
         params,
         this.tokenEndpointFetchOptions()
       );
@@ -516,7 +1477,7 @@ var PmtHouseClient = class {
     }
     const machineToken = await this.issueMachineAccessToken("sign:job");
     if (!machineToken.access_token) {
-      throw new PmtHouseError("Client credentials flow did not return access_token", {
+      throw new exports.PmtHouseError("Client credentials flow did not return access_token", {
         status: 502,
         code: "invalid_token_response"
       });
@@ -530,12 +1491,267 @@ var PmtHouseClient = class {
     if (input.groupBy) url.searchParams.set("groupBy", input.groupBy);
     if (input.userId) url.searchParams.set("userId", input.userId);
     if (input.gatewayRequestId) url.searchParams.set("gatewayRequestId", input.gatewayRequestId);
+    if (input.includeRetail) url.searchParams.set("include", "retail");
     return this.requestJson(url.toString(), {
       method: "GET",
       headers: this.builderHeaders(),
       cache: "no-store"
     });
   }
+  /**
+   * Session-scoped usage for one `externalUserId`: user rollup plus merged pipeline/model breakdown.
+   */
+  async ingestSignedTicket(ticket) {
+    return ingestSignedTicket({
+      issuerUrl: this.issuerUrl,
+      publicClientId: this.publicClientId,
+      m2mClientId: this.m2mClientId,
+      m2mClientSecret: this.m2mClientSecret,
+      ticket,
+      fetch: this.fetchImpl
+    });
+  }
+  async ingestSignedTickets(tickets) {
+    return ingestSignedTicketsBatch({
+      issuerUrl: this.issuerUrl,
+      publicClientId: this.publicClientId,
+      m2mClientId: this.m2mClientId,
+      m2mClientSecret: this.m2mClientSecret,
+      tickets,
+      fetch: this.fetchImpl
+    });
+  }
+  async getSignerRouting() {
+    return this.requestJson(
+      `${this.getAppsBaseUrl()}/signer/routing`,
+      {
+        method: "GET",
+        headers: this.builderHeaders(),
+        cache: "no-store"
+      }
+    );
+  }
+  async listBillingProducts() {
+    const url = `${this.getAppsBaseUrl()}/plans?apiVersion=2`;
+    const body = await this.requestJson(
+      url,
+      {
+        method: "GET",
+        headers: this.builderHeaders(),
+        cache: "no-store"
+      }
+    );
+    return {
+      apiVersion: body.apiVersion ?? 2,
+      products: body.products ?? body.plans ?? []
+    };
+  }
+  async syncBillingProduct(planId) {
+    return this.requestJson(
+      `${this.getAppsBaseUrl()}/plans/${encodeURIComponent(planId)}/sync`,
+      {
+        method: "POST",
+        headers: this.builderHeaders(),
+        cache: "no-store"
+      }
+    );
+  }
+  async getUsageBalance(externalUserId) {
+    const url = new URL(`${this.getAppsBaseUrl()}/usage/balance`);
+    url.searchParams.set("externalUserId", externalUserId);
+    return this.requestJson(url.toString(), {
+      method: "GET",
+      headers: this.builderHeaders(),
+      cache: "no-store"
+    });
+  }
+  async getUserAllowances(externalUserId) {
+    return this.requestJson(
+      `${this.getAppsBaseUrl()}/users/${encodeURIComponent(externalUserId)}/allowances`,
+      {
+        method: "GET",
+        headers: this.builderHeaders(),
+        cache: "no-store"
+      }
+    );
+  }
+  async grantUserAllowance(externalUserId, input) {
+    return this.requestJson(
+      `${this.getAppsBaseUrl()}/users/${encodeURIComponent(externalUserId)}/allowances`,
+      {
+        method: "POST",
+        headers: this.builderHeaders(),
+        body: JSON.stringify(input),
+        cache: "no-store"
+      }
+    );
+  }
+  /**
+   * @deprecated Removed from PymtHouse — use {@link getUsageBalance} or {@link getUserAllowances}.
+   */
+  async getUserCredits(externalUserId) {
+    return this.getUsageBalance(externalUserId);
+  }
+  /**
+   * @deprecated Removed from PymtHouse — use {@link grantUserAllowance} (`POST .../allowances`).
+   */
+  async grantUserCredits(externalUserId, input) {
+    const result = await this.grantUserAllowance(externalUserId, {
+      amountUsdMicros: input.amountUsdMicros,
+      source: input.source ?? "manual",
+      featureKey: input.featureKey
+    });
+    const flat = result;
+    const nested = result.allowances;
+    return {
+      externalUserId: result.externalUserId,
+      balanceUsdMicros: flat.balanceUsdMicros ?? nested?.balanceUsdMicros ?? "0",
+      consumedUsdMicros: flat.consumedUsdMicros ?? nested?.consumedUsdMicros ?? "0",
+      lifetimeGrantedUsdMicros: flat.lifetimeGrantedUsdMicros ?? nested?.lifetimeGrantedUsdMicros ?? "0",
+      hasAccess: flat.hasAccess ?? nested?.hasAccess ?? false,
+      remainingUsdMicros: flat.balanceUsdMicros ?? nested?.balanceUsdMicros,
+      grantedUsdMicros: flat.grantedUsdMicros,
+      featureKey: flat.featureKey
+    };
+  }
+  async getUserSubscription(externalUserId) {
+    return this.requestJson(
+      `${this.getAppsBaseUrl()}/users/${encodeURIComponent(externalUserId)}/subscription`,
+      {
+        method: "GET",
+        headers: this.builderHeaders(),
+        cache: "no-store"
+      }
+    );
+  }
+  async fetchUsageForExternalUser(input) {
+    const usageByUser = await this.getUsage({
+      startDate: input.startDate,
+      endDate: input.endDate,
+      groupBy: "user"
+    });
+    const userIds = getEndUserIdsForExternalUser(usageByUser, input.externalUserId);
+    const cap = input.maxEndUserIds ?? DEFAULT_MAX_END_USER_IDS;
+    const cappedUserIds = userIds.slice(0, cap);
+    const usagePipelineModels = await Promise.all(
+      cappedUserIds.map(
+        (userId) => this.getUsage({
+          startDate: input.startDate,
+          endDate: input.endDate,
+          groupBy: "pipeline_model",
+          userId
+        })
+      )
+    );
+    const usageDaily = await this.getUsage({
+      startDate: input.startDate,
+      endDate: input.endDate,
+      groupBy: "daily_pipeline",
+      userId: input.externalUserId
+    });
+    return buildMeScopeUsagePayload(
+      usageByUser,
+      input.externalUserId,
+      usagePipelineModels,
+      usageDaily
+    );
+  }
+  async getAppManifest(opts) {
+    const url = `${this.getAppsBaseUrl()}/manifest`;
+    const headers = {
+      ...this.builderHeadersRecord()
+    };
+    if (opts?.ifNoneMatch) {
+      headers["If-None-Match"] = opts.ifNoneMatch;
+    }
+    this.logger?.debug?.("PmtHouse request", { method: "GET", url });
+    const response = await this.fetchImpl(url, {
+      method: "GET",
+      headers,
+      signal: opts?.signal,
+      cache: "no-store"
+    });
+    const etag = response.headers.get("etag")?.trim() ?? null;
+    if (response.status === 304) {
+      return {
+        manifest: null,
+        etag: etag ?? opts?.ifNoneMatch ?? null,
+        notModified: true
+      };
+    }
+    const raw = await response.text();
+    const ct = response.headers.get("content-type") ?? "";
+    const looksJson = ct.includes("application/json") || ct.includes("json");
+    const parsed = raw && looksJson ? this.safeParseJson(raw) : null;
+    if (!response.ok) {
+      const details = parsed ?? {};
+      let description;
+      if (typeof details.error_description === "string") {
+        description = details.error_description;
+      } else if (typeof details.error === "string") {
+        description = details.error;
+      } else {
+        description = `Request failed (${response.status})`;
+      }
+      throw new exports.PmtHouseError(description, {
+        status: response.status,
+        code: typeof details.error === "string" ? details.error : "pymthouse_http_error",
+        details
+      });
+    }
+    if (!looksJson || parsed === null) {
+      throw new exports.PmtHouseError("Expected JSON response from Builder manifest endpoint", {
+        status: 502,
+        code: "invalid_response",
+        details: { contentType: ct, preview: raw.slice(0, 200) }
+      });
+    }
+    return {
+      manifest: parseAppManifestResponse(parsed),
+      etag,
+      notModified: false
+    };
+  }
+  /**
+   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   */
+  async mintSignerSessionForExternalUser(input) {
+    await this.upsertAppUser({
+      externalUserId: input.externalUserId,
+      email: input.email,
+      status: "active"
+    });
+    const exchange = await this.mintUserSignerSessionToken({
+      externalUserId: input.externalUserId,
+      scope: input.scope ?? SIGN_JOB_SCOPE,
+      resource: this.issuerUrl
+    });
+    return parseSignerSessionExchange(exchange);
+  }
+  /**
+   * Approve a pending RFC 8628 device code for an external user (Option B).
+   */
+  async approveDeviceLogin(input) {
+    if (input.publicClientId && input.publicClientId !== this.publicClientId) {
+      throw new exports.PmtHouseError(
+        "publicClientId does not match configured public client id",
+        { status: 400, code: "invalid_client" }
+      );
+    }
+    await this.upsertAppUser({
+      externalUserId: input.externalUserId,
+      email: input.email,
+      status: "active"
+    });
+    const userToken = await this.mintUserAccessToken({
+      externalUserId: input.externalUserId,
+      scope: SIGN_JOB_SCOPE
+    });
+    await this.completeDeviceApproval({
+      userJwt: userToken.access_token,
+      userCode: input.userCode
+    });
+  }
   tokenEndpointFetchOptions() {
     const o = {
       [oauth4webapi.customFetch]: this.fetchImpl
@@ -552,6 +1768,9 @@ var PmtHouseClient = class {
     return new URL(this.issuerUrl).origin;
   }
   builderHeaders() {
+    return this.builderHeadersRecord();
+  }
+  builderHeadersRecord() {
     return {
       Authorization: encodeClientSecretBasic(this.m2mClientId, this.m2mClientSecret),
       "Content-Type": "application/json",
@@ -575,15 +1794,22 @@ var PmtHouseClient = class {
     const parsed = raw && looksJson ? this.safeParseJson(raw) : raw ? null : null;
     if (!response.ok) {
       const details = parsed ?? {};
-      const description = typeof details.error_description === "string" ? details.error_description : typeof details.error === "string" ? details.error : `Request failed (${response.status})`;
-      throw new PmtHouseError(description, {
+      let description;
+      if (typeof details.error_description === "string") {
+        description = details.error_description;
+      } else if (typeof details.error === "string") {
+        description = details.error;
+      } else {
+        description = `Request failed (${response.status})`;
+      }
+      throw new exports.PmtHouseError(description, {
         status: response.status,
         code: typeof details.error === "string" ? details.error : "pymthouse_http_error",
         details
       });
     }
     if (!looksJson || parsed === null) {
-      throw new PmtHouseError("Expected JSON response from Builder or Usage API", {
+      throw new exports.PmtHouseError("Expected JSON response from Builder or Usage API", {
         status: 502,
         code: "invalid_response",
         details: { contentType: ct, preview: raw.slice(0, 200) }
@@ -602,83 +1828,121 @@ var PmtHouseClient = class {
     }
   }
   asError(error) {
-    if (error instanceof PmtHouseError) {
+    if (error instanceof exports.PmtHouseError) {
       return error;
     }
     if (error instanceof Error) {
-      return new PmtHouseError(error.message, {
+      return new exports.PmtHouseError(error.message, {
         code: "unexpected_error",
         status: 500
       });
     }
-    return new PmtHouseError("Unexpected error", {
+    return new exports.PmtHouseError("Unexpected error", {
       code: "unexpected_error",
       status: 500
     });
   }
 };
 
-// src/env.ts
-function assertEnvModuleServerOnly() {
-  if (typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined") {
-    throw new Error(
-      "@pymthouse/builder-sdk/env is server-only: do not import createPmtHouseClientFromEnv or getPymthouseBaseUrl in client-side code. Use a Route Handler, Server Action, or other server/runtime; keep M2M credentials out of the browser bundle."
-    );
+// src/index.ts
+init_errors();
+
+// src/config.ts
+init_string_utils();
+var PYMTHOUSE_NOT_CONFIGURED_MESSAGE = "PymtHouse is not configured. Set PYMTHOUSE_ISSUER_URL, PYMTHOUSE_PUBLIC_CLIENT_ID, PYMTHOUSE_M2M_CLIENT_ID, and PYMTHOUSE_M2M_CLIENT_SECRET, then restart.";
+function trimEnv(name) {
+  const value = process.env[name];
+  if (!value) return null;
+  const trimmed = value.trim();
+  return trimmed || null;
+}
+function readPymthouseEnv() {
+  const issuerUrl = trimEnv("PYMTHOUSE_ISSUER_URL");
+  const publicClientId = trimEnv("PYMTHOUSE_PUBLIC_CLIENT_ID");
+  const m2mClientId = trimEnv("PYMTHOUSE_M2M_CLIENT_ID");
+  const m2mClientSecret = trimEnv("PYMTHOUSE_M2M_CLIENT_SECRET");
+  if (!issuerUrl || !publicClientId || !m2mClientId || !m2mClientSecret) {
+    return null;
   }
+  return {
+    issuerUrl: stripTrailingSlashes(issuerUrl),
+    publicClientId,
+    m2mClientId,
+    m2mClientSecret
+  };
 }
-assertEnvModuleServerOnly();
-var cachedClient = null;
-function requiredEnv(name) {
-  const value = process.env[name];
-  if (value && value.trim()) {
-    return value.trim();
+function getPymthouseIssuerUrlFromEnv() {
+  const raw = trimEnv("PYMTHOUSE_ISSUER_URL");
+  if (!raw) return null;
+  try {
+    return stripTrailingSlashes(new URL(raw).href);
+  } catch {
+    return null;
   }
-  throw new PmtHouseError(`Missing required environment variable: ${name}`, {
-    status: 500,
-    code: "missing_env"
-  });
 }
-function getPymthouseBaseUrl() {
-  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
-  return new URL(stripTrailingSlashes(issuerUrl)).origin;
-}
-function createPmtHouseClientFromEnv() {
-  if (cachedClient) {
-    return cachedClient;
-  }
-  const issuerUrl = requiredEnv("PYMTHOUSE_ISSUER_URL");
-  cachedClient = new PmtHouseClient({
-    issuerUrl,
-    publicClientId: requiredEnv("PYMTHOUSE_PUBLIC_CLIENT_ID"),
-    m2mClientId: requiredEnv("PYMTHOUSE_M2M_CLIENT_ID"),
-    m2mClientSecret: requiredEnv("PYMTHOUSE_M2M_CLIENT_SECRET"),
-    allowInsecureHttp: issuerUrl.startsWith("http:"),
-    logger: {
-      debug: (message, details) => {
-        if (process.env.NODE_ENV !== "production") {
-          console.debug(`[pymthouse] ${message}`, details ?? {});
-        }
-      },
-      warn: (message, details) => {
-        console.warn(`[pymthouse] ${message}`, details ?? {});
-      }
-    }
-  });
-  return cachedClient;
+function getPymthousePublicClientIdFromEnv() {
+  return trimEnv("PYMTHOUSE_PUBLIC_CLIENT_ID");
+}
+function isPymthouseConfigured() {
+  return readPymthouseEnv() !== null;
 }
+function getBuilderApiV1BaseFromIssuerUrl(issuerUrl) {
+  return stripOidcPathSuffix(issuerUrl);
+}
+function getPymthouseIssuerOrigin(issuerUrl) {
+  return new URL(stripTrailingSlashes(issuerUrl.trim())).origin;
+}
+
+// src/index.ts
+init_discovery();
 
+exports.DEFAULT_MAX_END_USER_IDS = DEFAULT_MAX_END_USER_IDS;
+exports.NETWORK_USD_PER_MICRO = NETWORK_USD_PER_MICRO;
+exports.PYMTHOUSE_NOT_CONFIGURED_MESSAGE = PYMTHOUSE_NOT_CONFIGURED_MESSAGE;
+exports.PYMTHOUSE_SIGNER_SESSION_TTL_MS = PYMTHOUSE_SIGNER_SESSION_TTL_MS;
 exports.PmtHouseClient = PmtHouseClient;
-exports.PmtHouseError = PmtHouseError;
+exports.SIGNER_SESSION_EXPIRES_IN_SEC = SIGNER_SESSION_EXPIRES_IN_SEC;
+exports.SIGNER_SESSION_TTL_MS = SIGNER_SESSION_TTL_MS;
+exports.SIGN_JOB_SCOPE = SIGN_JOB_SCOPE;
 exports.aggregateUsageByExternalUserId = aggregateUsageByExternalUserId;
+exports.applyRetailRateToNetworkMicros = applyRetailRateToNetworkMicros;
 exports.authorizationServerToOidcDocument = authorizationServerToOidcDocument;
 exports.buildDeviceCodeResource = buildDeviceCodeResource;
+exports.buildMeScopeUsagePayload = buildMeScopeUsagePayload;
 exports.clearDiscoveryCache = clearDiscoveryCache;
-exports.createPmtHouseClientFromEnv = createPmtHouseClientFromEnv;
+exports.computeManifestRevision = computeManifestRevision;
+exports.computePymthouseExpiry = computePymthouseExpiry;
+exports.computeSignerSessionExpiry = computeSignerSessionExpiry;
+exports.decodeJwtExp = decodeJwtExp;
+exports.defaultRetailRateUsd = defaultRetailRateUsd;
 exports.fetchDiscoveryDocument = fetchDiscoveryDocument;
-exports.getPymthouseBaseUrl = getPymthouseBaseUrl;
+exports.getBuilderApiV1BaseFromIssuerUrl = getBuilderApiV1BaseFromIssuerUrl;
+exports.getEndUserIdsForExternalUser = getEndUserIdsForExternalUser;
+exports.getPymthouseIssuerOrigin = getPymthouseIssuerOrigin;
+exports.getPymthouseIssuerUrlFromEnv = getPymthouseIssuerUrlFromEnv;
+exports.getPymthousePublicClientIdFromEnv = getPymthousePublicClientIdFromEnv;
+exports.getUsageRecordUserIdsForExternalUser = getUsageRecordUserIdsForExternalUser;
+exports.getUtcCalendarMonthIsoBounds = getUtcCalendarMonthIsoBounds;
+exports.ingestSignedTicket = ingestSignedTicket;
+exports.ingestSignedTicketsBatch = ingestSignedTicketsBatch;
+exports.isLikelyOidcJwt = isLikelyOidcJwt;
+exports.isOpaqueSignerSessionToken = isOpaqueSignerSessionToken;
+exports.isPymthouseConfigured = isPymthouseConfigured;
 exports.listUsageByPipelineModel = listUsageByPipelineModel;
 exports.loadAuthorizationServer = loadAuthorizationServer;
+exports.markupPercentToRetailRateUsd = markupPercentToRetailRateUsd;
+exports.mergeUsageByPipelineModel = mergeUsageByPipelineModel;
 exports.normalizeUserCode = normalizeUserCode;
+exports.parseAppManifestResponse = parseAppManifestResponse;
+exports.parseMarkupPercentInput = parseMarkupPercentInput;
+exports.parseRetailRateUsd = parseRetailRateUsd;
+exports.parseSignerSessionExchange = parseSignerSessionExchange;
+exports.parseUsageDateParam = parseUsageDateParam;
+exports.readPymthouseEnv = readPymthouseEnv;
+exports.retailRateUsdPerMillion = retailRateUsdPerMillion;
+exports.retailRateUsdToMarkupPercent = retailRateUsdToMarkupPercent;
+exports.signerSnapshotToIngestPayload = signerSnapshotToIngestPayload;
+exports.summarizeUsageFiatForExternalUser = summarizeUsageFiatForExternalUser;
 exports.summarizeUsageForExternalUser = summarizeUsageForExternalUser;
 exports.toPmtHouseError = toPmtHouseError;
 //# sourceMappingURL=index.cjs.map