@pymthouse/builder-sdk 0.3.1 → 0.4.1-rc.2

package/dist/signer/webhook/adapters/api-key.cjs

@@ -0,0 +1,82 @@
+'use strict';
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/bearer.ts
+var BEARER_PREFIX = "Bearer ";
+function optionalBearerToken(authorization) {
+  const trimmed = authorization.trim();
+  if (!trimmed.startsWith(BEARER_PREFIX)) {
+    return null;
+  }
+  const token = trimmed.slice(BEARER_PREFIX.length).trim();
+  return token || null;
+}
+function bearerTokenFromAuthorization(authorization) {
+  const token = optionalBearerToken(authorization);
+  if (token) {
+    return token;
+  }
+  if (!authorization.trim()) {
+    throw new Error("missing authorization");
+  }
+  throw new Error("authorization must be Bearer token");
+}
+
+// src/signer/webhook/adapters/api-key/verifier.ts
+function createApiKeyEndUserVerifier(config) {
+  const prefix = config.apiKeyPrefix ?? "sk_";
+  const defaultClientId = config.defaultClientId ?? "daydream-scope";
+  const defaultUsageSubjectType = config.defaultUsageSubjectType ?? "clerk_user_id";
+  const ttl = config.expiryTtlSeconds ?? 60;
+  return {
+    kind: "custom",
+    verify: async ({ authorization }) => {
+      const token = bearerTokenFromAuthorization(authorization);
+      if (prefix && !token.startsWith(prefix)) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const resolved = await config.resolveApiKey(token);
+      if (!resolved?.userId) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const identity = {
+        issuer: config.issuer,
+        client_id: resolved.clientId ?? defaultClientId,
+        usage_subject: resolved.userId,
+        usage_subject_type: resolved.usageSubjectType ?? defaultUsageSubjectType
+      };
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + ttl,
+        raw: resolved
+      };
+    }
+  };
+}
+
+exports.createApiKeyEndUserVerifier = createApiKeyEndUserVerifier;
+//# sourceMappingURL=api-key.cjs.map
+//# sourceMappingURL=api-key.cjs.map

package/dist/signer/webhook/adapters/api-key.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/bearer.ts","../../../../src/signer/webhook/adapters/api-key/verifier.ts"],"names":[],"mappings":";;;AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACvBA,IAAM,aAAA,GAAgB,SAAA;AAGf,SAAS,oBAAoB,aAAA,EAAsC;AACxE,EAAA,MAAM,OAAA,GAAU,cAAc,IAAA,EAAK;AACnC,EAAA,IAAI,CAAC,OAAA,CAAQ,UAAA,CAAW,aAAa,CAAA,EAAG;AACtC,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA,CAAM,aAAA,CAAc,MAAM,EAAE,IAAA,EAAK;AACvD,EAAA,OAAO,KAAA,IAAS,IAAA;AAClB;AAEO,SAAS,6BAA6B,aAAA,EAA+B;AAC1E,EAAA,MAAM,KAAA,GAAQ,oBAAoB,aAAa,CAAA;AAC/C,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,IAAI,CAAC,aAAA,CAAc,IAAA,EAAK,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,EACzC;AACA,EAAA,MAAM,IAAI,MAAM,oCAAoC,CAAA;AACtD;;;ACDO,SAAS,4BACd,MAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,OAAO,YAAA,IAAgB,KAAA;AACtC,EAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,IAAmB,gBAAA;AAClD,EAAA,MAAM,uBAAA,GACJ,OAAO,uBAAA,IAA2B,eAAA;AACpC,EAAA,MAAM,GAAA,GAAM,OAAO,gBAAA,IAAoB,EAAA;AAEvC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,MAAA,EAAQ,OAAO,EAAE,aAAA,EAAc,KAAM;AACnC,MAAA,MAAM,KAAA,GAAQ,6BAA6B,aAAa,CAAA;AACxD,MAAA,IAAI,MAAA,IAAU,CAAC,KAAA,CAAM,UAAA,CAAW,MAAM,CAAA,EAAG;AACvC,QAAA,MAAM,IAAI,cAAc,iBAAA,EAAmB;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,aAAA,CAAc,KAAK,CAAA;AACjD,MAAA,IAAI,CAAC,UAAU,MAAA,EAAQ;AACrB,QAAA,MAAM,IAAI,cAAc,iBAAA,EAAmB;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,QAAA,GAA0B;AAAA,QAC9B,QAAQ,MAAA,CAAO,MAAA;AAAA,QACf,SAAA,EAAW,SAAS,QAAA,IAAY,eAAA;AAAA,QAChC,eAAe,QAAA,CAAS,MAAA;AAAA,QACxB,kBAAA,EACE,SAAS,gBAAA,IAAoB;AAAA,OACjC;AAEA,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,QAAQ,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAA;AAAA,QACxC,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAAA,GACF;AACF","file":"api-key.cjs","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","const BEARER_PREFIX = \"Bearer \";\n\n/** Returns the token after `Bearer `, or null when the header is missing or not Bearer. */\nexport function optionalBearerToken(authorization: string): string | null {\n  const trimmed = authorization.trim();\n  if (!trimmed.startsWith(BEARER_PREFIX)) {\n    return null;\n  }\n  const token = trimmed.slice(BEARER_PREFIX.length).trim();\n  return token || null;\n}\n\nexport function bearerTokenFromAuthorization(authorization: string): string {\n  const token = optionalBearerToken(authorization);\n  if (token) {\n    return token;\n  }\n  if (!authorization.trim()) {\n    throw new Error(\"missing authorization\");\n  }\n  throw new Error(\"authorization must be Bearer token\");\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport { bearerTokenFromAuthorization } from \"../../bearer.js\";\nimport type { UsageIdentity } from \"../../types.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport type ApiKeyResolveResult = {\n  userId: string;\n  clientId?: string;\n  usageSubjectType?: string;\n};\n\nexport type ApiKeyEndUserVerifierConfig = {\n  issuer: string;\n  resolveApiKey: (apiKey: string) => Promise<ApiKeyResolveResult | null>;\n  expiryTtlSeconds?: number;\n  apiKeyPrefix?: string;\n  defaultClientId?: string;\n  defaultUsageSubjectType?: string;\n};\n\nexport function createApiKeyEndUserVerifier(\n  config: ApiKeyEndUserVerifierConfig,\n): EndUserAuthVerifier {\n  const prefix = config.apiKeyPrefix ?? \"sk_\";\n  const defaultClientId = config.defaultClientId ?? \"daydream-scope\";\n  const defaultUsageSubjectType =\n    config.defaultUsageSubjectType ?? \"clerk_user_id\";\n  const ttl = config.expiryTtlSeconds ?? 60;\n\n  return {\n    kind: \"custom\",\n    verify: async ({ authorization }) => {\n      const token = bearerTokenFromAuthorization(authorization);\n      if (prefix && !token.startsWith(prefix)) {\n        throw new PmtHouseError(\"invalid api key\", {\n          status: 401,\n          code: \"invalid_api_key\",\n        });\n      }\n\n      const resolved = await config.resolveApiKey(token);\n      if (!resolved?.userId) {\n        throw new PmtHouseError(\"invalid api key\", {\n          status: 401,\n          code: \"invalid_api_key\",\n        });\n      }\n\n      const identity: UsageIdentity = {\n        issuer: config.issuer,\n        client_id: resolved.clientId ?? defaultClientId,\n        usage_subject: resolved.userId,\n        usage_subject_type:\n          resolved.usageSubjectType ?? defaultUsageSubjectType,\n      };\n\n      return {\n        identity,\n        expiry: Math.trunc(Date.now() / 1000) + ttl,\n        raw: resolved,\n      };\n    },\n  };\n}\n"]}

package/dist/signer/webhook/adapters/api-key.d.cts

@@ -0,0 +1,18 @@
+import { E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.cjs';
+
+type ApiKeyResolveResult = {
+    userId: string;
+    clientId?: string;
+    usageSubjectType?: string;
+};
+type ApiKeyEndUserVerifierConfig = {
+    issuer: string;
+    resolveApiKey: (apiKey: string) => Promise<ApiKeyResolveResult | null>;
+    expiryTtlSeconds?: number;
+    apiKeyPrefix?: string;
+    defaultClientId?: string;
+    defaultUsageSubjectType?: string;
+};
+declare function createApiKeyEndUserVerifier(config: ApiKeyEndUserVerifierConfig): EndUserAuthVerifier;
+
+export { type ApiKeyEndUserVerifierConfig, type ApiKeyResolveResult, createApiKeyEndUserVerifier };

package/dist/signer/webhook/adapters/api-key.d.ts

@@ -0,0 +1,18 @@
+import { E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.js';
+
+type ApiKeyResolveResult = {
+    userId: string;
+    clientId?: string;
+    usageSubjectType?: string;
+};
+type ApiKeyEndUserVerifierConfig = {
+    issuer: string;
+    resolveApiKey: (apiKey: string) => Promise<ApiKeyResolveResult | null>;
+    expiryTtlSeconds?: number;
+    apiKeyPrefix?: string;
+    defaultClientId?: string;
+    defaultUsageSubjectType?: string;
+};
+declare function createApiKeyEndUserVerifier(config: ApiKeyEndUserVerifierConfig): EndUserAuthVerifier;
+
+export { type ApiKeyEndUserVerifierConfig, type ApiKeyResolveResult, createApiKeyEndUserVerifier };

package/dist/signer/webhook/adapters/api-key.js

@@ -0,0 +1,80 @@
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/bearer.ts
+var BEARER_PREFIX = "Bearer ";
+function optionalBearerToken(authorization) {
+  const trimmed = authorization.trim();
+  if (!trimmed.startsWith(BEARER_PREFIX)) {
+    return null;
+  }
+  const token = trimmed.slice(BEARER_PREFIX.length).trim();
+  return token || null;
+}
+function bearerTokenFromAuthorization(authorization) {
+  const token = optionalBearerToken(authorization);
+  if (token) {
+    return token;
+  }
+  if (!authorization.trim()) {
+    throw new Error("missing authorization");
+  }
+  throw new Error("authorization must be Bearer token");
+}
+
+// src/signer/webhook/adapters/api-key/verifier.ts
+function createApiKeyEndUserVerifier(config) {
+  const prefix = config.apiKeyPrefix ?? "sk_";
+  const defaultClientId = config.defaultClientId ?? "daydream-scope";
+  const defaultUsageSubjectType = config.defaultUsageSubjectType ?? "clerk_user_id";
+  const ttl = config.expiryTtlSeconds ?? 60;
+  return {
+    kind: "custom",
+    verify: async ({ authorization }) => {
+      const token = bearerTokenFromAuthorization(authorization);
+      if (prefix && !token.startsWith(prefix)) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const resolved = await config.resolveApiKey(token);
+      if (!resolved?.userId) {
+        throw new PmtHouseError("invalid api key", {
+          status: 401,
+          code: "invalid_api_key"
+        });
+      }
+      const identity = {
+        issuer: config.issuer,
+        client_id: resolved.clientId ?? defaultClientId,
+        usage_subject: resolved.userId,
+        usage_subject_type: resolved.usageSubjectType ?? defaultUsageSubjectType
+      };
+      return {
+        identity,
+        expiry: Math.trunc(Date.now() / 1e3) + ttl,
+        raw: resolved
+      };
+    }
+  };
+}
+
+export { createApiKeyEndUserVerifier };
+//# sourceMappingURL=api-key.js.map
+//# sourceMappingURL=api-key.js.map

package/dist/signer/webhook/adapters/api-key.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/bearer.ts","../../../../src/signer/webhook/adapters/api-key/verifier.ts"],"names":[],"mappings":";AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACvBA,IAAM,aAAA,GAAgB,SAAA;AAGf,SAAS,oBAAoB,aAAA,EAAsC;AACxE,EAAA,MAAM,OAAA,GAAU,cAAc,IAAA,EAAK;AACnC,EAAA,IAAI,CAAC,OAAA,CAAQ,UAAA,CAAW,aAAa,CAAA,EAAG;AACtC,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA,CAAM,aAAA,CAAc,MAAM,EAAE,IAAA,EAAK;AACvD,EAAA,OAAO,KAAA,IAAS,IAAA;AAClB;AAEO,SAAS,6BAA6B,aAAA,EAA+B;AAC1E,EAAA,MAAM,KAAA,GAAQ,oBAAoB,aAAa,CAAA;AAC/C,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,IAAI,CAAC,aAAA,CAAc,IAAA,EAAK,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,EACzC;AACA,EAAA,MAAM,IAAI,MAAM,oCAAoC,CAAA;AACtD;;;ACDO,SAAS,4BACd,MAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,OAAO,YAAA,IAAgB,KAAA;AACtC,EAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,IAAmB,gBAAA;AAClD,EAAA,MAAM,uBAAA,GACJ,OAAO,uBAAA,IAA2B,eAAA;AACpC,EAAA,MAAM,GAAA,GAAM,OAAO,gBAAA,IAAoB,EAAA;AAEvC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,MAAA,EAAQ,OAAO,EAAE,aAAA,EAAc,KAAM;AACnC,MAAA,MAAM,KAAA,GAAQ,6BAA6B,aAAa,CAAA;AACxD,MAAA,IAAI,MAAA,IAAU,CAAC,KAAA,CAAM,UAAA,CAAW,MAAM,CAAA,EAAG;AACvC,QAAA,MAAM,IAAI,cAAc,iBAAA,EAAmB;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,aAAA,CAAc,KAAK,CAAA;AACjD,MAAA,IAAI,CAAC,UAAU,MAAA,EAAQ;AACrB,QAAA,MAAM,IAAI,cAAc,iBAAA,EAAmB;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAEA,MAAA,MAAM,QAAA,GAA0B;AAAA,QAC9B,QAAQ,MAAA,CAAO,MAAA;AAAA,QACf,SAAA,EAAW,SAAS,QAAA,IAAY,eAAA;AAAA,QAChC,eAAe,QAAA,CAAS,MAAA;AAAA,QACxB,kBAAA,EACE,SAAS,gBAAA,IAAoB;AAAA,OACjC;AAEA,MAAA,OAAO;AAAA,QACL,QAAA;AAAA,QACA,QAAQ,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAA;AAAA,QACxC,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAAA,GACF;AACF","file":"api-key.js","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","const BEARER_PREFIX = \"Bearer \";\n\n/** Returns the token after `Bearer `, or null when the header is missing or not Bearer. */\nexport function optionalBearerToken(authorization: string): string | null {\n  const trimmed = authorization.trim();\n  if (!trimmed.startsWith(BEARER_PREFIX)) {\n    return null;\n  }\n  const token = trimmed.slice(BEARER_PREFIX.length).trim();\n  return token || null;\n}\n\nexport function bearerTokenFromAuthorization(authorization: string): string {\n  const token = optionalBearerToken(authorization);\n  if (token) {\n    return token;\n  }\n  if (!authorization.trim()) {\n    throw new Error(\"missing authorization\");\n  }\n  throw new Error(\"authorization must be Bearer token\");\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport { bearerTokenFromAuthorization } from \"../../bearer.js\";\nimport type { UsageIdentity } from \"../../types.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport type ApiKeyResolveResult = {\n  userId: string;\n  clientId?: string;\n  usageSubjectType?: string;\n};\n\nexport type ApiKeyEndUserVerifierConfig = {\n  issuer: string;\n  resolveApiKey: (apiKey: string) => Promise<ApiKeyResolveResult | null>;\n  expiryTtlSeconds?: number;\n  apiKeyPrefix?: string;\n  defaultClientId?: string;\n  defaultUsageSubjectType?: string;\n};\n\nexport function createApiKeyEndUserVerifier(\n  config: ApiKeyEndUserVerifierConfig,\n): EndUserAuthVerifier {\n  const prefix = config.apiKeyPrefix ?? \"sk_\";\n  const defaultClientId = config.defaultClientId ?? \"daydream-scope\";\n  const defaultUsageSubjectType =\n    config.defaultUsageSubjectType ?? \"clerk_user_id\";\n  const ttl = config.expiryTtlSeconds ?? 60;\n\n  return {\n    kind: \"custom\",\n    verify: async ({ authorization }) => {\n      const token = bearerTokenFromAuthorization(authorization);\n      if (prefix && !token.startsWith(prefix)) {\n        throw new PmtHouseError(\"invalid api key\", {\n          status: 401,\n          code: \"invalid_api_key\",\n        });\n      }\n\n      const resolved = await config.resolveApiKey(token);\n      if (!resolved?.userId) {\n        throw new PmtHouseError(\"invalid api key\", {\n          status: 401,\n          code: \"invalid_api_key\",\n        });\n      }\n\n      const identity: UsageIdentity = {\n        issuer: config.issuer,\n        client_id: resolved.clientId ?? defaultClientId,\n        usage_subject: resolved.userId,\n        usage_subject_type:\n          resolved.usageSubjectType ?? defaultUsageSubjectType,\n      };\n\n      return {\n        identity,\n        expiry: Math.trunc(Date.now() / 1000) + ttl,\n        raw: resolved,\n      };\n    },\n  };\n}\n"]}

package/dist/signer/webhook/adapters/composite.cjs

@@ -0,0 +1,60 @@
+'use strict';
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/adapters/composite/verifier.ts
+function createFirstMatchEndUserVerifier(verifiers) {
+  if (verifiers.length === 0) {
+    throw new PmtHouseError("at least one verifier is required", {
+      status: 500,
+      code: "invalid_verifier_config"
+    });
+  }
+  return {
+    kind: "custom",
+    verify: async (context) => {
+      let lastError;
+      for (const verifier of verifiers) {
+        try {
+          return await verifier.verify(context);
+        } catch (err) {
+          lastError = err;
+        }
+      }
+      if (lastError instanceof PmtHouseError) {
+        throw lastError;
+      }
+      if (lastError instanceof Error) {
+        throw new PmtHouseError(lastError.message, {
+          status: 401,
+          code: "invalid_credentials"
+        });
+      }
+      throw new PmtHouseError("invalid credentials", {
+        status: 401,
+        code: "invalid_credentials"
+      });
+    },
+    adminRoutes: verifiers.flatMap((verifier) => verifier.adminRoutes ?? [])
+  };
+}
+
+exports.createFirstMatchEndUserVerifier = createFirstMatchEndUserVerifier;
+//# sourceMappingURL=composite.cjs.map
+//# sourceMappingURL=composite.cjs.map

package/dist/signer/webhook/adapters/composite.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/adapters/composite/verifier.ts"],"names":[],"mappings":";;;AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACpBO,SAAS,gCACd,SAAA,EACqB;AACrB,EAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,IAAA,MAAM,IAAI,cAAc,mCAAA,EAAqC;AAAA,MAC3D,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,MAAA,EAAQ,OAAO,OAAA,KAAY;AACzB,MAAA,IAAI,SAAA;AACJ,MAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,QAAA,IAAI;AACF,UAAA,OAAO,MAAM,QAAA,CAAS,MAAA,CAAO,OAAO,CAAA;AAAA,QACtC,SAAS,GAAA,EAAK;AACZ,UAAA,SAAA,GAAY,GAAA;AAAA,QACd;AAAA,MACF;AAEA,MAAA,IAAI,qBAAqB,aAAA,EAAe;AACtC,QAAA,MAAM,SAAA;AAAA,MACR;AACA,MAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,QAAA,MAAM,IAAI,aAAA,CAAc,SAAA,CAAU,OAAA,EAAS;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AACA,MAAA,MAAM,IAAI,cAAc,qBAAA,EAAuB;AAAA,QAC7C,MAAA,EAAQ,GAAA;AAAA,QACR,IAAA,EAAM;AAAA,OACP,CAAA;AAAA,IACH,CAAA;AAAA,IACA,WAAA,EAAa,UAAU,OAAA,CAAQ,CAAC,aAAa,QAAA,CAAS,WAAA,IAAe,EAAE;AAAA,GACzE;AACF","file":"composite.cjs","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport function createFirstMatchEndUserVerifier(\n  verifiers: EndUserAuthVerifier[],\n): EndUserAuthVerifier {\n  if (verifiers.length === 0) {\n    throw new PmtHouseError(\"at least one verifier is required\", {\n      status: 500,\n      code: \"invalid_verifier_config\",\n    });\n  }\n\n  return {\n    kind: \"custom\",\n    verify: async (context) => {\n      let lastError: unknown;\n      for (const verifier of verifiers) {\n        try {\n          return await verifier.verify(context);\n        } catch (err) {\n          lastError = err;\n        }\n      }\n\n      if (lastError instanceof PmtHouseError) {\n        throw lastError;\n      }\n      if (lastError instanceof Error) {\n        throw new PmtHouseError(lastError.message, {\n          status: 401,\n          code: \"invalid_credentials\",\n        });\n      }\n      throw new PmtHouseError(\"invalid credentials\", {\n        status: 401,\n        code: \"invalid_credentials\",\n      });\n    },\n    adminRoutes: verifiers.flatMap((verifier) => verifier.adminRoutes ?? []),\n  };\n}\n"]}

package/dist/signer/webhook/adapters/composite.d.cts

@@ -0,0 +1,5 @@
+import { E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.cjs';
+
+declare function createFirstMatchEndUserVerifier(verifiers: EndUserAuthVerifier[]): EndUserAuthVerifier;
+
+export { createFirstMatchEndUserVerifier };

package/dist/signer/webhook/adapters/composite.d.ts

@@ -0,0 +1,5 @@
+import { E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.js';
+
+declare function createFirstMatchEndUserVerifier(verifiers: EndUserAuthVerifier[]): EndUserAuthVerifier;
+
+export { createFirstMatchEndUserVerifier };

package/dist/signer/webhook/adapters/composite.js

@@ -0,0 +1,58 @@
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/signer/webhook/adapters/composite/verifier.ts
+function createFirstMatchEndUserVerifier(verifiers) {
+  if (verifiers.length === 0) {
+    throw new PmtHouseError("at least one verifier is required", {
+      status: 500,
+      code: "invalid_verifier_config"
+    });
+  }
+  return {
+    kind: "custom",
+    verify: async (context) => {
+      let lastError;
+      for (const verifier of verifiers) {
+        try {
+          return await verifier.verify(context);
+        } catch (err) {
+          lastError = err;
+        }
+      }
+      if (lastError instanceof PmtHouseError) {
+        throw lastError;
+      }
+      if (lastError instanceof Error) {
+        throw new PmtHouseError(lastError.message, {
+          status: 401,
+          code: "invalid_credentials"
+        });
+      }
+      throw new PmtHouseError("invalid credentials", {
+        status: 401,
+        code: "invalid_credentials"
+      });
+    },
+    adminRoutes: verifiers.flatMap((verifier) => verifier.adminRoutes ?? [])
+  };
+}
+
+export { createFirstMatchEndUserVerifier };
+//# sourceMappingURL=composite.js.map
+//# sourceMappingURL=composite.js.map

package/dist/signer/webhook/adapters/composite.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/errors.ts","../../../../src/signer/webhook/adapters/composite/verifier.ts"],"names":[],"mappings":";AAAO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,MAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EAET,YACE,OAAA,EACA;AAAA,IACE,MAAA,GAAS,GAAA;AAAA,IACT,IAAA,GAAO,iBAAA;AAAA,IACP;AAAA,GACF,GAII,EAAC,EACL;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;ACpBO,SAAS,gCACd,SAAA,EACqB;AACrB,EAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,IAAA,MAAM,IAAI,cAAc,mCAAA,EAAqC;AAAA,MAC3D,MAAA,EAAQ,GAAA;AAAA,MACR,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,MAAA,EAAQ,OAAO,OAAA,KAAY;AACzB,MAAA,IAAI,SAAA;AACJ,MAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,QAAA,IAAI;AACF,UAAA,OAAO,MAAM,QAAA,CAAS,MAAA,CAAO,OAAO,CAAA;AAAA,QACtC,SAAS,GAAA,EAAK;AACZ,UAAA,SAAA,GAAY,GAAA;AAAA,QACd;AAAA,MACF;AAEA,MAAA,IAAI,qBAAqB,aAAA,EAAe;AACtC,QAAA,MAAM,SAAA;AAAA,MACR;AACA,MAAA,IAAI,qBAAqB,KAAA,EAAO;AAC9B,QAAA,MAAM,IAAI,aAAA,CAAc,SAAA,CAAU,OAAA,EAAS;AAAA,UACzC,MAAA,EAAQ,GAAA;AAAA,UACR,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AACA,MAAA,MAAM,IAAI,cAAc,qBAAA,EAAuB;AAAA,QAC7C,MAAA,EAAQ,GAAA;AAAA,QACR,IAAA,EAAM;AAAA,OACP,CAAA;AAAA,IACH,CAAA;AAAA,IACA,WAAA,EAAa,UAAU,OAAA,CAAQ,CAAC,aAAa,QAAA,CAAS,WAAA,IAAe,EAAE;AAAA,GACzE;AACF","file":"composite.js","sourcesContent":["export class PmtHouseError extends Error {\n  readonly status: number;\n  readonly code: string;\n  readonly details?: unknown;\n\n  constructor(\n    message: string,\n    {\n      status = 500,\n      code = \"pymthouse_error\",\n      details,\n    }: {\n      status?: number;\n      code?: string;\n      details?: unknown;\n    } = {},\n  ) {\n    super(message);\n    this.name = \"PmtHouseError\";\n    this.status = status;\n    this.code = code;\n    this.details = details;\n  }\n}\n\nexport function toPmtHouseError(\n  error: unknown,\n  fallbackMessage: string,\n): PmtHouseError {\n  if (error instanceof PmtHouseError) {\n    return error;\n  }\n\n  if (error instanceof Error) {\n    return new PmtHouseError(error.message || fallbackMessage, {\n      code: \"unexpected_error\",\n      status: 500,\n    });\n  }\n\n  return new PmtHouseError(fallbackMessage, {\n    code: \"unexpected_error\",\n    status: 500,\n  });\n}\n","import { PmtHouseError } from \"../../../../errors.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport function createFirstMatchEndUserVerifier(\n  verifiers: EndUserAuthVerifier[],\n): EndUserAuthVerifier {\n  if (verifiers.length === 0) {\n    throw new PmtHouseError(\"at least one verifier is required\", {\n      status: 500,\n      code: \"invalid_verifier_config\",\n    });\n  }\n\n  return {\n    kind: \"custom\",\n    verify: async (context) => {\n      let lastError: unknown;\n      for (const verifier of verifiers) {\n        try {\n          return await verifier.verify(context);\n        } catch (err) {\n          lastError = err;\n        }\n      }\n\n      if (lastError instanceof PmtHouseError) {\n        throw lastError;\n      }\n      if (lastError instanceof Error) {\n        throw new PmtHouseError(lastError.message, {\n          status: 401,\n          code: \"invalid_credentials\",\n        });\n      }\n      throw new PmtHouseError(\"invalid credentials\", {\n        status: 401,\n        code: \"invalid_credentials\",\n      });\n    },\n    adminRoutes: verifiers.flatMap((verifier) => verifier.adminRoutes ?? []),\n  };\n}\n"]}

package/dist/signer/webhook/adapters/oauth1.cjs

@@ -0,0 +1,18 @@
+'use strict';
+
+// src/signer/webhook/adapters/oauth1/verifier.ts
+function createOAuth1EndUserVerifier(config) {
+  return {
+    kind: "oauth1",
+    verify: async () => {
+      if (!config.consumerKey.trim() || !config.consumerSecret.trim()) {
+        throw new Error("OAuth 1.0 consumer credentials are required");
+      }
+      throw new Error("OAuth 1.0 webhook verification is not implemented yet");
+    }
+  };
+}
+
+exports.createOAuth1EndUserVerifier = createOAuth1EndUserVerifier;
+//# sourceMappingURL=oauth1.cjs.map
+//# sourceMappingURL=oauth1.cjs.map

package/dist/signer/webhook/adapters/oauth1.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/signer/webhook/adapters/oauth1/verifier.ts"],"names":[],"mappings":";;;AAkBO,SAAS,4BACd,MAAA,EACqB;AACrB,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,QAAQ,YAAY;AAClB,MAAA,IAAI,CAAC,OAAO,WAAA,CAAY,IAAA,MAAU,CAAC,MAAA,CAAO,cAAA,CAAe,IAAA,EAAK,EAAG;AAC/D,QAAA,MAAM,IAAI,MAAM,6CAA6C,CAAA;AAAA,MAC/D;AACA,MAAA,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAA,IACzE;AAAA,GACF;AACF","file":"oauth1.cjs","sourcesContent":["import type { UsageIdentity } from \"../../types.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport type OAuth1EndUserAuthConfig = {\n  consumerKey: string;\n  consumerSecret: string;\n  /** Resolve oauth_token → UsageIdentity (platform-owned store). */\n  resolveIdentity: (oauthToken: string) => Promise<UsageIdentity>;\n  tokenSecretLookup?: (oauthToken: string) => Promise<string | undefined>;\n};\n\n/**\n * OAuth 1.0a end-user auth verifier (stub).\n *\n * A full implementation will parse `Authorization: OAuth …` from\n * `context.authorization`, validate the signature using `context.payload.headers`\n * and the request URL, then call `resolveIdentity`.\n */\nexport function createOAuth1EndUserVerifier(\n  config: OAuth1EndUserAuthConfig,\n): EndUserAuthVerifier {\n  return {\n    kind: \"oauth1\",\n    verify: async () => {\n      if (!config.consumerKey.trim() || !config.consumerSecret.trim()) {\n        throw new Error(\"OAuth 1.0 consumer credentials are required\");\n      }\n      throw new Error(\"OAuth 1.0 webhook verification is not implemented yet\");\n    },\n  };\n}\n"]}

package/dist/signer/webhook/adapters/oauth1.d.cts

@@ -0,0 +1,19 @@
+import { U as UsageIdentity, E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.cjs';
+
+type OAuth1EndUserAuthConfig = {
+    consumerKey: string;
+    consumerSecret: string;
+    /** Resolve oauth_token → UsageIdentity (platform-owned store). */
+    resolveIdentity: (oauthToken: string) => Promise<UsageIdentity>;
+    tokenSecretLookup?: (oauthToken: string) => Promise<string | undefined>;
+};
+/**
+ * OAuth 1.0a end-user auth verifier (stub).
+ *
+ * A full implementation will parse `Authorization: OAuth …` from
+ * `context.authorization`, validate the signature using `context.payload.headers`
+ * and the request URL, then call `resolveIdentity`.
+ */
+declare function createOAuth1EndUserVerifier(config: OAuth1EndUserAuthConfig): EndUserAuthVerifier;
+
+export { type OAuth1EndUserAuthConfig, createOAuth1EndUserVerifier };

package/dist/signer/webhook/adapters/oauth1.d.ts

@@ -0,0 +1,19 @@
+import { U as UsageIdentity, E as EndUserAuthVerifier } from '../../../verifier-B-WFDMz6.js';
+
+type OAuth1EndUserAuthConfig = {
+    consumerKey: string;
+    consumerSecret: string;
+    /** Resolve oauth_token → UsageIdentity (platform-owned store). */
+    resolveIdentity: (oauthToken: string) => Promise<UsageIdentity>;
+    tokenSecretLookup?: (oauthToken: string) => Promise<string | undefined>;
+};
+/**
+ * OAuth 1.0a end-user auth verifier (stub).
+ *
+ * A full implementation will parse `Authorization: OAuth …` from
+ * `context.authorization`, validate the signature using `context.payload.headers`
+ * and the request URL, then call `resolveIdentity`.
+ */
+declare function createOAuth1EndUserVerifier(config: OAuth1EndUserAuthConfig): EndUserAuthVerifier;
+
+export { type OAuth1EndUserAuthConfig, createOAuth1EndUserVerifier };

package/dist/signer/webhook/adapters/oauth1.js

@@ -0,0 +1,16 @@
+// src/signer/webhook/adapters/oauth1/verifier.ts
+function createOAuth1EndUserVerifier(config) {
+  return {
+    kind: "oauth1",
+    verify: async () => {
+      if (!config.consumerKey.trim() || !config.consumerSecret.trim()) {
+        throw new Error("OAuth 1.0 consumer credentials are required");
+      }
+      throw new Error("OAuth 1.0 webhook verification is not implemented yet");
+    }
+  };
+}
+
+export { createOAuth1EndUserVerifier };
+//# sourceMappingURL=oauth1.js.map
+//# sourceMappingURL=oauth1.js.map

package/dist/signer/webhook/adapters/oauth1.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/signer/webhook/adapters/oauth1/verifier.ts"],"names":[],"mappings":";AAkBO,SAAS,4BACd,MAAA,EACqB;AACrB,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAA;AAAA,IACN,QAAQ,YAAY;AAClB,MAAA,IAAI,CAAC,OAAO,WAAA,CAAY,IAAA,MAAU,CAAC,MAAA,CAAO,cAAA,CAAe,IAAA,EAAK,EAAG;AAC/D,QAAA,MAAM,IAAI,MAAM,6CAA6C,CAAA;AAAA,MAC/D;AACA,MAAA,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAA,IACzE;AAAA,GACF;AACF","file":"oauth1.js","sourcesContent":["import type { UsageIdentity } from \"../../types.js\";\nimport type { EndUserAuthVerifier } from \"../../verifier.js\";\n\nexport type OAuth1EndUserAuthConfig = {\n  consumerKey: string;\n  consumerSecret: string;\n  /** Resolve oauth_token → UsageIdentity (platform-owned store). */\n  resolveIdentity: (oauthToken: string) => Promise<UsageIdentity>;\n  tokenSecretLookup?: (oauthToken: string) => Promise<string | undefined>;\n};\n\n/**\n * OAuth 1.0a end-user auth verifier (stub).\n *\n * A full implementation will parse `Authorization: OAuth …` from\n * `context.authorization`, validate the signature using `context.payload.headers`\n * and the request URL, then call `resolveIdentity`.\n */\nexport function createOAuth1EndUserVerifier(\n  config: OAuth1EndUserAuthConfig,\n): EndUserAuthVerifier {\n  return {\n    kind: \"oauth1\",\n    verify: async () => {\n      if (!config.consumerKey.trim() || !config.consumerSecret.trim()) {\n        throw new Error(\"OAuth 1.0 consumer credentials are required\");\n      }\n      throw new Error(\"OAuth 1.0 webhook verification is not implemented yet\");\n    },\n  };\n}\n"]}