@pymthouse/builder-sdk 0.1.0 → 0.3.0

package/dist/gateway/server/index.js

@@ -0,0 +1,1233 @@
+import http from 'http';
+import https from 'https';
+import { createRequire } from 'module';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import tls from 'tls';
+import { createHash, randomUUID } from 'crypto';
+
+// src/string-utils.ts
+function stripTrailingSlashes(value) {
+  let end = value.length;
+  while (end > 0 && (value.codePointAt(end - 1) ?? 0) === 47) {
+    end--;
+  }
+  return value.slice(0, end);
+}
+function endsWithIgnoreCase(value, suffix) {
+  if (suffix.length > value.length) {
+    return false;
+  }
+  const start = value.length - suffix.length;
+  for (let i = 0; i < suffix.length; i++) {
+    const a = value.codePointAt(start + i) ?? 0;
+    const b = suffix.codePointAt(i) ?? 0;
+    if (a !== b && (a | 32) !== (b | 32)) {
+      return false;
+    }
+  }
+  return true;
+}
+function stripSuffixIgnoreCase(value, suffix) {
+  return endsWithIgnoreCase(value, suffix) ? value.slice(0, value.length - suffix.length) : value;
+}
+function stripIssuerOriginFromOidcUrl(issuerUrl) {
+  let base = stripTrailingSlashes(issuerUrl.trim());
+  base = stripSuffixIgnoreCase(base, "/api/v1/oidc");
+  base = stripSuffixIgnoreCase(base, "/oidc");
+  return stripTrailingSlashes(base);
+}
+
+// src/gateway/server/config.ts
+function readGatewayConfigFromEnv(env = process.env) {
+  const enabled = env.GATEWAY_ENABLED === "1" || env.NEXT_PUBLIC_GATEWAY_ENABLED === "1";
+  if (!enabled) {
+    return null;
+  }
+  const issuerUrl = env.PYMTHOUSE_ISSUER_URL?.trim();
+  const signerUrl = env.PYMTHOUSE_SIGNER_URL?.trim() || env.SIGNER_PUBLIC_URL?.trim() || (issuerUrl ? `${stripIssuerOriginFromOidcUrl(issuerUrl)}/api/signer` : "");
+  if (!signerUrl) {
+    return null;
+  }
+  const discoveryUrl = env.LIVEPEER_DISCOVERY_SERVICE_URL?.trim() || env.GATEWAY_DISCOVERY_URL?.trim() || void 0;
+  const discoveryTimeoutMs = Number(env.GATEWAY_DISCOVERY_TIMEOUT_MS ?? "60000");
+  const paymentIntervalMs = Number(env.GATEWAY_PAYMENT_INTERVAL_MS ?? "2000");
+  return {
+    enabled: true,
+    signerUrl,
+    discoveryUrl,
+    discoveryTimeoutMs: Number.isFinite(discoveryTimeoutMs) ? discoveryTimeoutMs : 6e4,
+    useTofu: env.GATEWAY_USE_TOFU !== "0",
+    paymentIntervalMs: Number.isFinite(paymentIntervalMs) ? paymentIntervalMs : 2e3
+  };
+}
+
+// src/gateway/server/auth.ts
+function isAsciiWhitespace(code) {
+  return code <= 32;
+}
+function bearerTokenStart(header) {
+  const prefix = "bearer";
+  if (header.length < prefix.length) {
+    return -1;
+  }
+  for (let i = 0; i < prefix.length; i++) {
+    if (((header.codePointAt(i) ?? 0) | 32) !== prefix.codePointAt(i)) {
+      return -1;
+    }
+  }
+  let start = prefix.length;
+  while (start < header.length && isAsciiWhitespace(header.codePointAt(start) ?? 0)) {
+    start++;
+  }
+  return start < header.length ? start : -1;
+}
+function extractBearerToken(request) {
+  const header = request.headers.get("Authorization")?.trim();
+  if (!header) {
+    return null;
+  }
+  const start = bearerTokenStart(header);
+  if (start < 0) {
+    return null;
+  }
+  let end = header.length;
+  while (end > start && isAsciiWhitespace(header.codePointAt(end - 1) ?? 0)) {
+    end--;
+  }
+  return header.slice(start, end);
+}
+function unauthorizedResponse(message = "unauthorized") {
+  return Response.json({ error: message }, { status: 401 });
+}
+function forbiddenResponse(message = "forbidden") {
+  return Response.json({ error: message }, { status: 403 });
+}
+function disabledResponse() {
+  return Response.json(
+    {
+      error: "gateway_disabled",
+      error_description: "Set GATEWAY_ENABLED=1 to enable the browser gateway relay"
+    },
+    { status: 503 }
+  );
+}
+
+// src/gateway/types.ts
+var LIVE_VIDEO_TO_VIDEO_CAPABILITY_ID = 35;
+var DEFAULT_TRICKLE_MIME_TYPE = "video/mp2t";
+var DEFAULT_DISCOVERY_TIMEOUT_MS = 6e4;
+var TRICKLE_SEQ_LATEST = -1;
+var TRICKLE_SEQ_CURRENT = -2;
+
+// src/gateway/server/capabilities.ts
+function modelCapabilityQuery(modelId) {
+  return `live-video-to-video/${modelId.trim()}`;
+}
+function buildLv2vCapabilitiesMessage(modelId) {
+  const capId = LIVE_VIDEO_TO_VIDEO_CAPABILITY_ID;
+  return {
+    capacities: { [capId]: 1 },
+    constraints: {
+      PerCapability: {
+        [capId]: {
+          models: {
+            [modelId.trim()]: {}
+          }
+        }
+      }
+    }
+  };
+}
+function capabilityForDiscoveryUrl(url, modelId) {
+  if (!url.includes("/v1/discovery/raw")) {
+    return modelCapabilityQuery(modelId);
+  }
+  if (!modelId.includes("/")) {
+    return modelId;
+  }
+  const segment = modelId.split("/").pop();
+  return segment ?? modelId;
+}
+function appendCapabilityQuery(url, modelId) {
+  const parsed = new URL(url);
+  parsed.searchParams.append("caps", capabilityForDiscoveryUrl(url, modelId));
+  return parsed.toString();
+}
+var insecureHttpsAgent = new https.Agent({
+  rejectUnauthorized: false
+});
+function encodeRequestBody(raw) {
+  if (raw === void 0) {
+    return void 0;
+  }
+  if (raw instanceof Buffer) {
+    return raw;
+  }
+  return Buffer.from(raw);
+}
+async function insecureFetch(url, init = {}) {
+  const parsed = new URL(url.includes("://") ? url : `https://${url}`);
+  const isHttps = parsed.protocol === "https:";
+  const lib = isHttps ? https : http;
+  const timeoutMs = init.timeoutMs ?? 6e4;
+  const body = encodeRequestBody(init.body);
+  const defaultMethod = body === void 0 ? "GET" : "POST";
+  return new Promise((resolve, reject) => {
+    const headers = { ...init.headers };
+    if (body !== void 0 && !headers["Content-Length"]) {
+      headers["Content-Length"] = String(body.length);
+    }
+    const req = lib.request(
+      parsed,
+      {
+        method: init.method ?? defaultMethod,
+        headers,
+        agent: isHttps ? insecureHttpsAgent : void 0,
+        rejectUnauthorized: false
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const merged = Buffer.concat(chunks);
+          const responseHeaders = new Headers();
+          for (const [key, value] of Object.entries(res.headers)) {
+            if (value === void 0) {
+              continue;
+            }
+            if (Array.isArray(value)) {
+              for (const item of value) {
+                responseHeaders.append(key, item);
+              }
+            } else {
+              responseHeaders.set(key, value);
+            }
+          }
+          resolve(
+            new Response(merged, {
+              status: res.statusCode ?? 0,
+              headers: responseHeaders
+            })
+          );
+        });
+      }
+    );
+    const timer = setTimeout(() => {
+      req.destroy(new Error(`Request timed out after ${timeoutMs}ms`));
+    }, timeoutMs);
+    if (init.signal) {
+      init.signal.addEventListener("abort", () => {
+        req.destroy(new Error("aborted"));
+      });
+    }
+    req.on("error", (err) => {
+      clearTimeout(timer);
+      reject(err);
+    });
+    req.on("close", () => clearTimeout(timer));
+    if (body !== void 0) {
+      req.write(body);
+    }
+    req.end();
+  });
+}
+async function readJsonResponse(response) {
+  const text = await response.text();
+  if (!text.trim()) {
+    return {};
+  }
+  return JSON.parse(text);
+}
+function httpOrigin(url) {
+  const parsed = new URL(url.includes("://") ? url : `https://${url}`);
+  return `${parsed.protocol}//${parsed.host}`;
+}
+
+// src/gateway/server/discovery.ts
+var DISCOVERY_SERVICE_RAW_PATH = "/v1/discovery/raw";
+function isDiscoveryServiceEndpoint(url) {
+  return url.includes(DISCOVERY_SERVICE_RAW_PATH);
+}
+function normalizeDiscoveryServiceUrl(url) {
+  const parsed = new URL(url.trim());
+  let path2 = parsed.pathname.replace(/\/$/, "");
+  if (!path2.endsWith(DISCOVERY_SERVICE_RAW_PATH)) {
+    if (path2.endsWith("/v1/discovery") || !path2) {
+      path2 = DISCOVERY_SERVICE_RAW_PATH;
+    }
+  }
+  parsed.pathname = path2;
+  if (!parsed.searchParams.has("serviceType")) {
+    parsed.searchParams.set("serviceType", "legacy");
+  }
+  return parsed.toString();
+}
+function resolveDiscoveryEndpoint(input) {
+  if (input.orchestratorUrl?.trim()) {
+    const list = input.orchestratorUrl.split(",").map((s) => s.trim()).filter(Boolean);
+    if (list.length > 0) {
+      return { url: "", headers: input.signerHeaders, discoveryService: false };
+    }
+  }
+  if (input.discoveryUrl?.trim()) {
+    let url = input.discoveryUrl.trim();
+    const discoveryService = isDiscoveryServiceEndpoint(url);
+    if (discoveryService) {
+      url = normalizeDiscoveryServiceUrl(url);
+    }
+    url = appendCapabilityQuery(url, input.modelId);
+    return {
+      url,
+      headers: input.signerHeaders,
+      discoveryService
+    };
+  }
+  if (input.signerUrl?.trim()) {
+    const url = appendCapabilityQuery(
+      `${httpOrigin(input.signerUrl)}/discover-orchestrators`,
+      input.modelId
+    );
+    return { url, headers: input.signerHeaders, discoveryService: false };
+  }
+  throw new Error("discovery requires orchestratorUrl, discoveryUrl, or signerUrl");
+}
+function pickDiscoveryAddress(record) {
+  if (typeof record.address === "string") {
+    return record.address;
+  }
+  if (typeof record.url === "string") {
+    return record.url;
+  }
+  return void 0;
+}
+function parseDiscoveryList(data) {
+  if (!Array.isArray(data)) {
+    throw new TypeError(`Discovery response must be a JSON list, got ${typeof data}`);
+  }
+  const urls = [];
+  for (const item of data) {
+    if (!item || typeof item !== "object") {
+      continue;
+    }
+    const record = item;
+    const trimmed = pickDiscoveryAddress(record)?.trim();
+    if (trimmed) {
+      urls.push(trimmed);
+    }
+  }
+  return urls;
+}
+async function discoverOrchestrators(input) {
+  if (input.orchestratorUrl?.trim()) {
+    return input.orchestratorUrl.split(",").map((s) => s.trim()).filter(Boolean);
+  }
+  const { url, headers } = resolveDiscoveryEndpoint(input);
+  const response = await insecureFetch(url, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      ...headers
+    },
+    timeoutMs: input.discoveryTimeoutMs ?? DEFAULT_DISCOVERY_TIMEOUT_MS
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Discovery failed HTTP ${response.status}: ${body.slice(0, 500)}`);
+  }
+  const data = await readJsonResponse(response);
+  return parseDiscoveryList(data);
+}
+var cachedRoot = null;
+function protoPath() {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  return path.resolve(here, "../../../gateway/proto/lp_rpc.proto");
+}
+function requireGrpcPeer(label, load) {
+  try {
+    return load();
+  } catch {
+    throw new Error(
+      `${label} is required for @pymthouse/builder-sdk/gateway/server. Install peer dependencies: @grpc/grpc-js @grpc/proto-loader`
+    );
+  }
+}
+function loadProtoRoot() {
+  const grpc = requireGrpcPeer(
+    "@grpc/grpc-js",
+    () => createRequire(import.meta.url)("@grpc/grpc-js")
+  );
+  if (cachedRoot) {
+    return { grpc, root: cachedRoot };
+  }
+  const protoLoader = requireGrpcPeer(
+    "@grpc/proto-loader",
+    () => createRequire(import.meta.url)("@grpc/proto-loader")
+  );
+  const packageDefinition = protoLoader.loadSync(protoPath(), {
+    keepCase: true,
+    longs: String,
+    enums: String,
+    defaults: true,
+    oneofs: true
+  });
+  cachedRoot = grpc.loadPackageDefinition(packageDefinition);
+  return { grpc, root: cachedRoot };
+}
+function loadOrchestratorGrpc() {
+  const { grpc, root } = loadProtoRoot();
+  return { grpc, Orchestrator: root.net.Orchestrator };
+}
+function encodeCapabilitiesBase64(modelId) {
+  const { root } = loadProtoRoot();
+  const bytes = root.net.Capabilities.serialize(buildLv2vCapabilitiesMessage(modelId));
+  return Buffer.from(bytes).toString("base64");
+}
+
+// src/gateway/server/signer-material.ts
+var signerMaterialCache = /* @__PURE__ */ new Map();
+function cacheKey(signerUrl, headers) {
+  const headerPart = headers ? JSON.stringify(Object.entries(headers).sort(([a], [b]) => a.localeCompare(b))) : "";
+  return `${httpOrigin(signerUrl)}|${headerPart}`;
+}
+async function getSignerMaterial(signerUrl, signerHeaders) {
+  if (!signerUrl.trim()) {
+    return { address: "", sig: "" };
+  }
+  const key = cacheKey(signerUrl, signerHeaders);
+  const cached = signerMaterialCache.get(key);
+  if (cached) {
+    return cached;
+  }
+  const url = `${httpOrigin(signerUrl)}/sign-orchestrator-info`;
+  const response = await insecureFetch(url, {
+    method: "POST",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+      ...signerHeaders
+    },
+    body: Buffer.from("{}"),
+    timeoutMs: 5e3
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Signer error HTTP ${response.status}: ${body.slice(0, 500)}`);
+  }
+  const data = await readJsonResponse(response);
+  const address = data.address?.trim() ?? "";
+  const sig = data.signature?.trim() ?? "";
+  if (!address || !sig) {
+    throw new Error("Signer response missing address or signature");
+  }
+  const material = { address, sig };
+  signerMaterialCache.set(key, material);
+  return material;
+}
+function hexToBytes(hex) {
+  let value = hex.trim();
+  if (value.startsWith("0x") || value.startsWith("0X")) {
+    value = value.slice(2);
+  }
+  if (value.length % 2 === 1) {
+    value = `0${value}`;
+  }
+  return Buffer.from(value, "hex");
+}
+function signerMaterialToGrpcFields(material) {
+  return {
+    address: hexToBytes(material.address),
+    sig: hexToBytes(material.sig)
+  };
+}
+var tofuCache = /* @__PURE__ */ new Map();
+function splitHostPort(target) {
+  const trimmed = target.trim();
+  if (trimmed.startsWith("[")) {
+    const host2 = trimmed.slice(1, trimmed.indexOf("]"));
+    const port = Number(trimmed.slice(trimmed.indexOf("]") + 2));
+    return { host: host2, port };
+  }
+  const [host, portRaw] = trimmed.split(":");
+  return { host, port: Number(portRaw) };
+}
+function isIpAddress(host) {
+  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
+}
+function authorityFromSan(san) {
+  for (const entry of san) {
+    if (entry.typ === "DNS" && entry.val) {
+      return entry.val;
+    }
+  }
+  for (const entry of san) {
+    if (entry.typ === "IP" && entry.val) {
+      return entry.val;
+    }
+  }
+  return void 0;
+}
+function authorityFromSubject(cn) {
+  if (typeof cn === "string") {
+    return cn;
+  }
+  if (Array.isArray(cn) && cn.length > 0) {
+    return cn[0] ?? "";
+  }
+  return "";
+}
+function pickCertAuthority(cert) {
+  const san = cert.subjectaltname?.split(", ").map((entry) => {
+    const [typ, val] = entry.split(":");
+    return { typ, val };
+  });
+  if (san) {
+    const fromSan = authorityFromSan(san);
+    if (fromSan) {
+      return fromSan;
+    }
+  }
+  return authorityFromSubject(cert.subject?.CN);
+}
+async function fetchTofuRootCert(target) {
+  const { host, port } = splitHostPort(target);
+  return new Promise((resolve, reject) => {
+    const servername = isIpAddress(host) ? void 0 : host;
+    const socket = tls.connect(
+      {
+        host,
+        port,
+        servername,
+        rejectUnauthorized: false,
+        ALPNProtocols: ["h2"]
+      },
+      () => {
+        const peer = socket.getPeerCertificate();
+        socket.end();
+        if (!peer?.raw) {
+          reject(new Error("No peer certificate"));
+          return;
+        }
+        const pem = `-----BEGIN CERTIFICATE-----
+${peer.raw.toString("base64").match(/.{1,64}/g)?.join("\n")}
+-----END CERTIFICATE-----
+`;
+        const authority = pickCertAuthority(peer) || host;
+        resolve({ rootPem: Buffer.from(pem), authority });
+      }
+    );
+    socket.on("error", reject);
+    socket.setTimeout(5e3, () => {
+      socket.destroy(new Error("TLS probe timeout"));
+    });
+  });
+}
+function parseGrpcTarget(orchUrl) {
+  const url = orchUrl.includes("://") ? orchUrl : `https://${orchUrl}`;
+  const parsed = new URL(url);
+  if (parsed.protocol !== "https:") {
+    throw new Error(`Only https orchestrator URLs are supported (got ${parsed.protocol})`);
+  }
+  return parsed.host;
+}
+async function trustOnFirstUse(target) {
+  const cached = tofuCache.get(target);
+  if (cached) {
+    return cached;
+  }
+  const material = await fetchTofuRootCert(target);
+  tofuCache.set(target, material);
+  return material;
+}
+function evictTofuCache(target) {
+  tofuCache.delete(target);
+}
+function isCertVerifyError(message) {
+  return message.includes("CERTIFICATE_VERIFY_FAILED");
+}
+
+// src/gateway/server/orch-grpc.ts
+async function getOrchestratorInfo(input) {
+  const useTofu = input.useTofu !== false;
+  const target = parseGrpcTarget(input.orchUrl);
+  const signer = await getSignerMaterial(input.signerUrl, input.signerHeaders);
+  const { address, sig } = signerMaterialToGrpcFields(signer);
+  const request = {
+    address,
+    sig,
+    capabilities: buildLv2vCapabilitiesMessage(input.modelId),
+    ignoreCapacityCheck: true
+  };
+  const maxAttempts = useTofu ? 2 : 1;
+  let lastError = null;
+  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+    try {
+      return await callGetOrchestrator(target, request, useTofu);
+    } catch (err) {
+      lastError = err instanceof Error ? err : new Error(String(err));
+      if (useTofu && attempt === 0 && isCertVerifyError(lastError.message)) {
+        evictTofuCache(target);
+        continue;
+      }
+      throw lastError;
+    }
+  }
+  throw lastError ?? new Error("GetOrchestrator failed");
+}
+function callGetOrchestrator(target, request, useTofu) {
+  return new Promise((resolve, reject) => {
+    void (async () => {
+      try {
+        const { grpc, Orchestrator } = loadOrchestratorGrpc();
+        let credentials;
+        let options = {};
+        if (useTofu) {
+          const { rootPem, authority } = await trustOnFirstUse(target);
+          credentials = grpc.credentials.createSsl(rootPem);
+          options = {
+            "grpc.ssl_target_name_override": authority,
+            "grpc.default_authority": authority
+          };
+        } else {
+          credentials = grpc.credentials.createSsl();
+        }
+        const client = new Orchestrator(target, credentials, options);
+        client.GetOrchestrator(request, (err, response) => {
+          if (err) {
+            reject(err);
+            return;
+          }
+          resolve(response);
+        });
+      } catch (e) {
+        reject(e);
+      }
+    })();
+  });
+}
+function serializeOrchestratorInfo(info) {
+  if (typeof info.SerializeToString === "function") {
+    return Buffer.from(info.SerializeToString());
+  }
+  const { root } = loadProtoRoot();
+  return Buffer.from(root.net.OrchestratorInfo.serialize({ ...info }));
+}
+
+// src/gateway/server/payment-session.ts
+var PaymentSession = class {
+  constructor(signerUrl, orchestratorInfo, signerHeaders, modelId, useTofu) {
+    this.signerUrl = signerUrl;
+    this.signerHeaders = signerHeaders;
+    this.modelId = modelId;
+    this.useTofu = useTofu;
+    this.orchestratorInfo = orchestratorInfo;
+  }
+  signerUrl;
+  signerHeaders;
+  modelId;
+  useTofu;
+  manifestId = null;
+  state = null;
+  orchestratorInfo;
+  setManifestId(manifestId) {
+    this.manifestId = manifestId.trim();
+  }
+  get transcoderUrl() {
+    const url = this.orchestratorInfo.transcoder?.trim();
+    if (!url) {
+      throw new Error("OrchestratorInfo missing transcoder URL");
+    }
+    return url;
+  }
+  async getPaymentHeaders() {
+    if (!this.signerUrl.trim()) {
+      return { payment: "", segCreds: "" };
+    }
+    let attempts = 0;
+    while (true) {
+      try {
+        return await this.requestPayment();
+      } catch (err) {
+        if (attempts >= 3 || !(err instanceof SignerRefreshRequired)) {
+          throw err;
+        }
+        this.orchestratorInfo = await getOrchestratorInfo({
+          orchUrl: this.transcoderUrl,
+          signerUrl: this.signerUrl,
+          signerHeaders: this.signerHeaders,
+          modelId: this.modelId,
+          useTofu: this.useTofu
+        });
+        attempts += 1;
+      }
+    }
+  }
+  async sendPayment(orchestratorUrl) {
+    const headers = await this.getPaymentHeaders();
+    const target = orchestratorUrl?.trim() || this.transcoderUrl;
+    const url = `${httpOrigin(target)}/payment`;
+    const response = await insecureFetch(url, {
+      method: "POST",
+      headers: {
+        "Livepeer-Payment": headers.payment,
+        "Livepeer-Segment": headers.segCreds
+      },
+      body: Buffer.alloc(0),
+      timeoutMs: 5e3
+    });
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`Payment POST failed HTTP ${response.status}: ${body.slice(0, 300)}`);
+    }
+  }
+  async requestPayment() {
+    const url = `${httpOrigin(this.signerUrl)}/generate-live-payment`;
+    const orchB64 = serializeOrchestratorInfo(this.orchestratorInfo).toString("base64");
+    const capsB64 = encodeCapabilitiesBase64(this.modelId);
+    const payload = {
+      orchestrator: orchB64,
+      type: "lv2v",
+      capabilities: capsB64
+    };
+    if (this.manifestId) {
+      payload.ManifestID = this.manifestId;
+    }
+    if (this.state) {
+      payload.state = this.state;
+    }
+    const response = await insecureFetch(url, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json",
+        ...this.signerHeaders
+      },
+      body: Buffer.from(JSON.stringify(payload)),
+      timeoutMs: 1e4
+    });
+    if (response.status === 480) {
+      const orchHeader = response.headers.get("Livepeer-Orchestrator-URL")?.trim();
+      throw new SignerRefreshRequired(orchHeader ?? "");
+    }
+    if (!response.ok) {
+      const body = await response.text();
+      throw new Error(`generate-live-payment HTTP ${response.status}: ${body.slice(0, 500)}`);
+    }
+    const data = await readJsonResponse(response);
+    const payment = data.payment ?? "";
+    const segCreds = data.segCreds ?? "";
+    if (!payment) {
+      throw new Error("generate-live-payment missing payment field");
+    }
+    if (!data.state || typeof data.state !== "object") {
+      throw new Error("generate-live-payment missing state object");
+    }
+    this.state = data.state;
+    return { payment, segCreds };
+  }
+};
+var SignerRefreshRequired = class extends Error {
+  constructor(orchestratorUrl) {
+    super("Signer refresh required (HTTP 480)");
+    this.orchestratorUrl = orchestratorUrl;
+    this.name = "SignerRefreshRequired";
+  }
+  orchestratorUrl;
+};
+
+// src/gateway/server/lv2v.ts
+async function startLv2vSession(input) {
+  const orchList = await discoverOrchestrators({
+    orchestratorUrl: input.request.orchestratorUrl,
+    discoveryUrl: input.request.discoveryUrl ?? input.discoveryUrl,
+    signerUrl: input.signerUrl,
+    signerHeaders: input.signerHeaders,
+    modelId: input.request.modelId,
+    discoveryTimeoutMs: input.discoveryTimeoutMs
+  });
+  if (orchList.length === 0) {
+    throw new Error("No orchestrators discovered");
+  }
+  const rejections = [];
+  for (const orchUrl of orchList) {
+    try {
+      return await startLv2vOnOrchestrator(orchUrl, input);
+    } catch (err) {
+      rejections.push({
+        url: orchUrl,
+        reason: err instanceof Error ? err.message : String(err)
+      });
+    }
+  }
+  throw new Error(
+    `All orchestrators failed (${rejections.length} tried): ${rejections.map((r) => `${r.url}: ${r.reason}`).join("; ")}`
+  );
+}
+async function startLv2vOnOrchestrator(orchUrl, input) {
+  const info = await getOrchestratorInfo({
+    orchUrl,
+    signerUrl: input.signerUrl,
+    signerHeaders: input.signerHeaders,
+    modelId: input.request.modelId,
+    useTofu: input.useTofu
+  });
+  const paymentSession = new PaymentSession(
+    input.signerUrl,
+    info,
+    input.signerHeaders,
+    input.request.modelId,
+    input.useTofu !== false
+  );
+  const paymentHeaders = await paymentSession.getPaymentHeaders();
+  const transcoder = paymentSession.transcoderUrl;
+  const url = `${httpOrigin(transcoder)}/live-video-to-video`;
+  const body = {
+    model_id: input.request.modelId
+  };
+  if (input.request.params) {
+    body.params = input.request.params;
+  }
+  if (input.request.streamId) {
+    body.stream_id = input.request.streamId;
+  }
+  if (input.request.requestId) {
+    body.gateway_request_id = input.request.requestId;
+  }
+  const response = await insecureFetch(url, {
+    method: "POST",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/json",
+      "Livepeer-Payment": paymentHeaders.payment,
+      "Livepeer-Segment": paymentHeaders.segCreds
+    },
+    body: Buffer.from(JSON.stringify(body)),
+    timeoutMs: 1e4
+  });
+  if (!response.ok) {
+    const text = await response.text();
+    throw new Error(`live-video-to-video HTTP ${response.status}: ${text.slice(0, 500)}`);
+  }
+  const data = await readJsonResponse(response);
+  const manifestId = data.manifest_id?.trim();
+  const publishUrl = data.publish_url?.trim();
+  const subscribeUrl = data.subscribe_url?.trim();
+  if (!manifestId) {
+    throw new Error("live-video-to-video response missing manifest_id");
+  }
+  if (!publishUrl) {
+    throw new Error("live-video-to-video response missing publish_url");
+  }
+  if (!subscribeUrl) {
+    throw new Error("live-video-to-video response missing subscribe_url");
+  }
+  paymentSession.setManifestId(manifestId);
+  return {
+    manifestId,
+    publishUrl,
+    subscribeUrl,
+    controlUrl: data.control_url?.trim(),
+    eventsUrl: data.events_url?.trim(),
+    mimeType: DEFAULT_TRICKLE_MIME_TYPE,
+    paymentSession,
+    orchestratorUrl: orchUrl
+  };
+}
+var SESSIONS_GLOBAL_KEY = /* @__PURE__ */ Symbol.for("@pymthouse/builder-sdk/gateway-sessions");
+function sessionsMap() {
+  const globalStore = globalThis;
+  globalStore[SESSIONS_GLOBAL_KEY] ??= /* @__PURE__ */ new Map();
+  return globalStore[SESSIONS_GLOBAL_KEY];
+}
+function hashBearerToken(token) {
+  return createHash("sha256").update(token.trim()).digest("hex");
+}
+function createSessionId() {
+  return randomUUID();
+}
+function putSession(record) {
+  sessionsMap().set(record.id, record);
+}
+function getSession(sessionId) {
+  return sessionsMap().get(sessionId);
+}
+function deleteSession(sessionId) {
+  return sessionsMap().delete(sessionId);
+}
+function assertSessionOwner(record, ownerTokenHash) {
+  if (record.ownerTokenHash !== ownerTokenHash) {
+    throw new Error("Forbidden: session does not belong to this bearer token");
+  }
+}
+function closeSessionRecord(record) {
+  if (record.closed) {
+    return;
+  }
+  record.closed = true;
+  if (record.paymentInterval) {
+    clearInterval(record.paymentInterval);
+    record.paymentInterval = void 0;
+  }
+}
+
+// src/gateway/server/trickle-relay.ts
+function parseTrickleIntHeader(headers, name) {
+  const raw = headers.get(name);
+  if (raw === null) {
+    return null;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+function publishBaseUrl(record) {
+  return record.publishUrl.replace(/\/$/, "");
+}
+function subscribeBaseUrl(record) {
+  return record.subscribeUrl.replace(/\/$/, "");
+}
+async function ensureTrickleChannel(record) {
+  if (record.trickleCreated) {
+    return;
+  }
+  const response = await insecureFetch(record.publishUrl, {
+    method: "POST",
+    headers: {
+      "Expect-Content": record.mimeType
+    },
+    body: Buffer.alloc(0),
+    timeoutMs: 1e4
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Trickle create failed HTTP ${response.status}: ${body.slice(0, 300)}`);
+  }
+  record.trickleCreated = true;
+}
+async function resolveTricklePublishSeq(record) {
+  await ensureTrickleChannel(record);
+  const url = `${publishBaseUrl(record)}/next`;
+  const response = await insecureFetch(url, {
+    method: "GET",
+    timeoutMs: 1e4
+  });
+  if (!response.ok) {
+    return 0;
+  }
+  const latest = response.headers.get("Lp-Trickle-Latest");
+  if (latest !== null) {
+    const parsed = Number.parseInt(latest, 10);
+    if (Number.isFinite(parsed)) {
+      return parsed;
+    }
+  }
+  return 0;
+}
+async function prepareTricklePublish(record) {
+  await ensureTrickleChannel(record);
+  if (record.publishSeq < 0) {
+    record.publishSeq = await resolveTricklePublishSeq(record);
+  }
+}
+async function publishTrickleSegment(record, seq, bytes, contentType) {
+  await prepareTricklePublish(record);
+  const url = `${publishBaseUrl(record)}/${seq}`;
+  const headers = {
+    "Content-Type": contentType
+  };
+  if (!record.trickleResetSent) {
+    headers["Lp-Trickle-Reset"] = "1";
+    record.trickleResetSent = true;
+  }
+  const response = await insecureFetch(url, {
+    method: "POST",
+    headers,
+    body: bytes,
+    timeoutMs: 12e4
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Trickle publish failed HTTP ${response.status}: ${body.slice(0, 300)}`);
+  }
+  record.publishSeq = Math.max(record.publishSeq, seq + 1);
+}
+async function resolveTrickleSubscribeSeq(record) {
+  const url = `${subscribeBaseUrl(record)}/next`;
+  const response = await insecureFetch(url, {
+    method: "GET",
+    timeoutMs: 1e4
+  });
+  if (!response.ok) {
+    return TRICKLE_SEQ_LATEST;
+  }
+  const fromHeader = parseTrickleIntHeader(response.headers, "Lp-Trickle-Latest");
+  if (fromHeader !== null) {
+    return fromHeader;
+  }
+  const body = (await response.text()).trim();
+  const fromBody = Number.parseInt(body, 10);
+  return Number.isFinite(fromBody) ? fromBody : TRICKLE_SEQ_LATEST;
+}
+async function subscribeTrickleSegment(record, seq) {
+  const url = `${subscribeBaseUrl(record)}/${seq}`;
+  const response = await insecureFetch(url, {
+    method: "GET",
+    headers: record.trickleCreated ? { Connection: "close" } : void 0,
+    timeoutMs: 3e4
+  });
+  if (response.status === 404) {
+    const latest = await resolveTrickleSubscribeSeq(record);
+    return { wait: true, latestSeq: latest };
+  }
+  if (response.status === 470) {
+    const latestHeader = response.headers.get("Lp-Trickle-Latest");
+    const parsedLatest = latestHeader ? Number.parseInt(latestHeader, 10) : Number.NaN;
+    const latest = Number.isFinite(parsedLatest) ? parsedLatest : await resolveTrickleSubscribeSeq(record);
+    if (latest < seq) {
+      return { wait: true, latestSeq: latest };
+    }
+    if (latest === seq) {
+      return { wait: true, latestSeq: latest };
+    }
+    return subscribeTrickleSegment(record, latest);
+  }
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(`Trickle subscribe failed HTTP ${response.status}: ${body.slice(0, 300)}`);
+  }
+  const data = response.body;
+  if (!data) {
+    throw new Error("Trickle subscribe response missing body stream");
+  }
+  const contentType = response.headers.get("Content-Type") ?? record.mimeType;
+  const segmentSeq = parseTrickleIntHeader(response.headers, "Lp-Trickle-Seq") ?? Math.max(seq, 0);
+  const latestSeq = parseTrickleIntHeader(response.headers, "Lp-Trickle-Latest") ?? segmentSeq;
+  return { data, contentType, segmentSeq, nextSeq: segmentSeq + 1, latestSeq };
+}
+async function closeTricklePublish(record) {
+  if (!record.trickleCreated) {
+    return;
+  }
+  await insecureFetch(record.publishUrl, {
+    method: "DELETE",
+    timeoutMs: 5e3
+  }).catch(() => void 0);
+  record.trickleCreated = false;
+}
+
+// src/gateway/server/handlers.ts
+function signerHeadersFromBearer(token) {
+  return { Authorization: `Bearer ${token}` };
+}
+function startPaymentLoop(config, record) {
+  if (!record || record.paymentInterval) {
+    return;
+  }
+  record.paymentInterval = setInterval(() => {
+    void record.paymentSession.sendPayment(record.orchestratorUrl).catch(() => void 0);
+  }, config.paymentIntervalMs);
+}
+async function parseStartGatewaySessionRequest(request, config) {
+  try {
+    const parsed = await request.json();
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return Response.json({ error: "invalid_request" }, { status: 400 });
+    }
+    const record = parsed;
+    const modelId = typeof record.modelId === "string" ? record.modelId.trim() : "";
+    if (!modelId) {
+      return Response.json({ error: "modelId is required" }, { status: 400 });
+    }
+    return {
+      modelId,
+      orchestratorUrl: typeof record.orchestratorUrl === "string" ? record.orchestratorUrl : void 0,
+      discoveryUrl: typeof record.discoveryUrl === "string" ? record.discoveryUrl : config.discoveryUrl,
+      params: record.params && typeof record.params === "object" && !Array.isArray(record.params) ? record.params : void 0,
+      streamId: typeof record.streamId === "string" ? record.streamId : void 0,
+      requestId: typeof record.requestId === "string" ? record.requestId : void 0
+    };
+  } catch {
+    return Response.json({ error: "invalid_json" }, { status: 400 });
+  }
+}
+async function startGatewaySessionRecord(config, token, body) {
+  try {
+    const job = await startLv2vSession({
+      request: body,
+      signerUrl: config.signerUrl,
+      signerHeaders: signerHeadersFromBearer(token),
+      discoveryUrl: config.discoveryUrl,
+      discoveryTimeoutMs: config.discoveryTimeoutMs,
+      useTofu: config.useTofu
+    });
+    const sessionId = createSessionId();
+    const ownerTokenHash = hashBearerToken(token);
+    const sessionRecord = {
+      id: sessionId,
+      ownerTokenHash,
+      manifestId: job.manifestId,
+      publishUrl: job.publishUrl,
+      subscribeUrl: job.subscribeUrl,
+      controlUrl: job.controlUrl,
+      mimeType: job.mimeType,
+      paymentSession: job.paymentSession,
+      orchestratorUrl: job.orchestratorUrl,
+      publishSeq: -1,
+      subscribeSeq: TRICKLE_SEQ_CURRENT,
+      trickleCreated: false,
+      trickleResetSent: false,
+      closed: false
+    };
+    putSession(sessionRecord);
+    startPaymentLoop(config, sessionRecord);
+    let publishSeq = 0;
+    try {
+      await prepareTricklePublish(sessionRecord);
+      publishSeq = Math.max(0, sessionRecord.publishSeq);
+    } catch (prepareErr) {
+      const message = prepareErr instanceof Error ? prepareErr.message : String(prepareErr);
+      return Response.json({ error: "trickle_prepare_failed", message }, { status: 502 });
+    }
+    return Response.json({
+      sessionId,
+      manifestId: job.manifestId,
+      mimeType: job.mimeType,
+      publishSeq,
+      subscribeSeq: sessionRecord.subscribeSeq
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return Response.json({ error: "start_session_failed", message }, { status: 502 });
+  }
+}
+function createGatewayStartSessionHandler(config) {
+  return async (request) => {
+    if (!config) {
+      return disabledResponse();
+    }
+    const token = extractBearerToken(request);
+    if (!token) {
+      return unauthorizedResponse();
+    }
+    const body = await parseStartGatewaySessionRequest(request, config);
+    if (body instanceof Response) {
+      return body;
+    }
+    return startGatewaySessionRecord(config, token, body);
+  };
+}
+function createGatewayPublishSegmentHandler(config) {
+  return async (request, context) => {
+    if (!config) {
+      return disabledResponse();
+    }
+    const token = extractBearerToken(request);
+    if (!token) {
+      return unauthorizedResponse();
+    }
+    const { id, seq: seqRaw } = await context.params;
+    const seq = Number.parseInt(seqRaw, 10);
+    if (!Number.isFinite(seq)) {
+      return Response.json({ error: "invalid_seq" }, { status: 400 });
+    }
+    const record = getSession(id);
+    if (!record || record.closed) {
+      return Response.json({ error: "session_not_found" }, { status: 404 });
+    }
+    try {
+      assertSessionOwner(record, hashBearerToken(token));
+    } catch {
+      return forbiddenResponse();
+    }
+    const bytes = Buffer.from(await request.arrayBuffer());
+    const contentType = request.headers.get("Content-Type")?.trim() || record.mimeType;
+    try {
+      await publishTrickleSegment(record, seq, bytes, contentType);
+      record.publishSeq = Math.max(record.publishSeq, seq);
+      return Response.json({ seq, ok: true });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return Response.json({ error: "publish_failed", message }, { status: 502 });
+    }
+  };
+}
+function createGatewaySubscribeSegmentHandler(config) {
+  return async (request, context) => {
+    if (!config) {
+      return disabledResponse();
+    }
+    const token = extractBearerToken(request);
+    if (!token) {
+      return unauthorizedResponse();
+    }
+    const { id } = await context.params;
+    const record = getSession(id);
+    if (!record || record.closed) {
+      return Response.json({ error: "session_not_found" }, { status: 404 });
+    }
+    try {
+      assertSessionOwner(record, hashBearerToken(token));
+    } catch {
+      return forbiddenResponse();
+    }
+    const url = new URL(request.url);
+    const seqParam = url.searchParams.get("seq");
+    const seq = seqParam === null ? record.subscribeSeq : Number.parseInt(seqParam, 10);
+    try {
+      const segment = await subscribeTrickleSegment(record, seq);
+      if (!segment) {
+        return new Response(null, { status: 204 });
+      }
+      if ("wait" in segment) {
+        return new Response(null, {
+          status: 204,
+          headers: {
+            "X-Gateway-Latest-Seq": String(segment.latestSeq),
+            "X-Gateway-Wait": "1"
+          }
+        });
+      }
+      record.subscribeSeq = segment.nextSeq;
+      return new Response(segment.data, {
+        status: 200,
+        headers: {
+          "Content-Type": segment.contentType,
+          "X-Gateway-Segment-Seq": String(segment.segmentSeq),
+          "X-Gateway-Next-Seq": String(segment.nextSeq),
+          "X-Gateway-Latest-Seq": String(segment.latestSeq)
+        }
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return Response.json({ error: "subscribe_failed", message }, { status: 502 });
+    }
+  };
+}
+function createGatewayStopSessionHandler(config) {
+  return async (request, context) => {
+    if (!config) {
+      return disabledResponse();
+    }
+    const token = extractBearerToken(request);
+    if (!token) {
+      return unauthorizedResponse();
+    }
+    const { id } = await context.params;
+    const record = getSession(id);
+    if (!record) {
+      return new Response(null, { status: 204 });
+    }
+    try {
+      assertSessionOwner(record, hashBearerToken(token));
+    } catch {
+      return forbiddenResponse();
+    }
+    closeSessionRecord(record);
+    await closeTricklePublish(record).catch(() => void 0);
+    deleteSession(id);
+    return new Response(null, { status: 204 });
+  };
+}
+
+export { createGatewayPublishSegmentHandler, createGatewayStartSessionHandler, createGatewayStopSessionHandler, createGatewaySubscribeSegmentHandler, hashBearerToken, readGatewayConfigFromEnv };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map