@pymthouse/builder-sdk 0.4.1-rc.2 → 0.4.1

package/dist/{proxy-JrT6raU_.d.cts → proxy-0wa8QZIU.d.cts}

@@ -1,6 +1,10 @@
 import { F as FetchLike } from './types-BORaHW_x.cjs';
 
 type SignerDmzGate = "http" | "cli";
+interface M2MClientCredentials {
+    m2mClientId: string;
+    m2mClientSecret: string;
+}
 interface DirectSignerProxyConfig {
     pymthouseIssuerUrl: string;
     /** Public Builder app client id (`app_…`); used for cache keys and JWT `client_id`. */
@@ -10,6 +14,16 @@ interface DirectSignerProxyConfig {
     remoteSignerUrl: string | URL;
     fetch?: FetchLike;
     allowInsecureHttp?: boolean;
+    /**
+     * Multi-tenant: resolve the M2M credentials used to mint signer JWTs for a
+     * given `publicClientId`. The PymtHouse issuer binds the minted JWT's
+     * `client_id` to the developer app linked to these M2M credentials, so each
+     * tenant's `publicClientId` (from {@link DirectSignerProxyConfig.resolvePublicClientId})
+     * must map to the M2M credentials whose app uses it. The token manager
+     * validates that the minted `client_id` matches the requested `publicClientId`.
+     * Defaults to `pymthouseM2MClientId` / `pymthouseM2MClientSecret`.
+     */
+    resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
      * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
@@ -53,7 +67,7 @@ interface MintUserSignerTokenResponse {
     lifetimeGrantedUsdMicros: string;
 }
 interface SignerTokenManagerOptions {
-    mint: (externalUserId: string) => Promise<CachedSignerToken>;
+    mint: (publicClientId: string, externalUserId: string) => Promise<CachedSignerToken>;
     /** Fraction of TTL after which a proactive refresh runs. Defaults to `0.8`. */
     ttlRefreshRatio?: number;
     fetch?: FetchLike;
@@ -231,4 +245,4 @@ declare function probeSignerHttpReachability(options: ProbeSignerHttpReachabilit
     ethAddress?: string;
 }>;
 
-export { type ApiKeyExchangeHandlerConfig as A, resolveSignerBaseUrl as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, stripSignerUsageFromResponse as G, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type MintUserSignerTokenResponse as q, type SignerDmzGate as r, forwardToSigner as s, getCachedDmzBearerToken as t, normalizeSignerBaseUrl as u, parseSignerUsageSnapshot as v, pickConflictingNumberAliases as w, pickConflictingStringAliases as x, probeSignerHttpReachability as y, readSignerUpstreamBody as z };
+export { type ApiKeyExchangeHandlerConfig as A, readSignerUpstreamBody as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, resolveSignerBaseUrl as G, stripSignerUsageFromResponse as H, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type M2MClientCredentials as q, type MintUserSignerTokenResponse as r, type SignerDmzGate as s, forwardToSigner as t, getCachedDmzBearerToken as u, normalizeSignerBaseUrl as v, parseSignerUsageSnapshot as w, pickConflictingNumberAliases as x, pickConflictingStringAliases as y, probeSignerHttpReachability as z };

package/dist/{proxy-U32DFNuj.d.ts → proxy-KrA1vEmh.d.ts}

@@ -1,6 +1,10 @@
 import { F as FetchLike } from './types-BORaHW_x.js';
 
 type SignerDmzGate = "http" | "cli";
+interface M2MClientCredentials {
+    m2mClientId: string;
+    m2mClientSecret: string;
+}
 interface DirectSignerProxyConfig {
     pymthouseIssuerUrl: string;
     /** Public Builder app client id (`app_…`); used for cache keys and JWT `client_id`. */
@@ -10,6 +14,16 @@ interface DirectSignerProxyConfig {
     remoteSignerUrl: string | URL;
     fetch?: FetchLike;
     allowInsecureHttp?: boolean;
+    /**
+     * Multi-tenant: resolve the M2M credentials used to mint signer JWTs for a
+     * given `publicClientId`. The PymtHouse issuer binds the minted JWT's
+     * `client_id` to the developer app linked to these M2M credentials, so each
+     * tenant's `publicClientId` (from {@link DirectSignerProxyConfig.resolvePublicClientId})
+     * must map to the M2M credentials whose app uses it. The token manager
+     * validates that the minted `client_id` matches the requested `publicClientId`.
+     * Defaults to `pymthouseM2MClientId` / `pymthouseM2MClientSecret`.
+     */
+    resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
      * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
@@ -53,7 +67,7 @@ interface MintUserSignerTokenResponse {
     lifetimeGrantedUsdMicros: string;
 }
 interface SignerTokenManagerOptions {
-    mint: (externalUserId: string) => Promise<CachedSignerToken>;
+    mint: (publicClientId: string, externalUserId: string) => Promise<CachedSignerToken>;
     /** Fraction of TTL after which a proactive refresh runs. Defaults to `0.8`. */
     ttlRefreshRatio?: number;
     fetch?: FetchLike;
@@ -231,4 +245,4 @@ declare function probeSignerHttpReachability(options: ProbeSignerHttpReachabilit
     ethAddress?: string;
 }>;
 
-export { type ApiKeyExchangeHandlerConfig as A, resolveSignerBaseUrl as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, stripSignerUsageFromResponse as G, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type MintUserSignerTokenResponse as q, type SignerDmzGate as r, forwardToSigner as s, getCachedDmzBearerToken as t, normalizeSignerBaseUrl as u, parseSignerUsageSnapshot as v, pickConflictingNumberAliases as w, pickConflictingStringAliases as x, probeSignerHttpReachability as y, readSignerUpstreamBody as z };
+export { type ApiKeyExchangeHandlerConfig as A, readSignerUpstreamBody as B, type CachedSignerToken as C, type DeviceExchangeHandlerConfig as D, type ExchangeDeviceTokenForSignerOptions as E, type ForwardDirectSignerRequestOptions as F, resolveSignerBaseUrl as G, stripSignerUsageFromResponse as H, type MintUserSignerTokenOptions as M, type ProbeSignerHttpReachabilityOptions as P, type SignerUsageSnapshot as S, type SignerTokenManagerOptions as a, type SignerJwtIdentity as b, type DeviceExchangeHandlerConfigRemote as c, type DeviceExchangeResponse as d, type MintSignerTokenFromDeviceTokenOptions as e, type DeviceExchangeMintResult as f, type DeviceExchangeRequestBody as g, type ExchangeApiKeyForSignerOptions as h, type ApiKeyExchangeMintResult as i, type ApiKeyExchangeRequestBody as j, type DirectSignerProxyConfig as k, type DeviceExchangeMintContext as l, type DirectSignerBeforeSignContext as m, type DirectSignerBeforeSignResult as n, type ForwardToSignerOptions as o, type ForwardToSignerResult as p, type M2MClientCredentials as q, type MintUserSignerTokenResponse as r, type SignerDmzGate as s, forwardToSigner as t, getCachedDmzBearerToken as u, normalizeSignerBaseUrl as v, parseSignerUsageSnapshot as w, pickConflictingNumberAliases as x, pickConflictingStringAliases as y, probeSignerHttpReachability as z };

package/dist/signer/server.cjs

@@ -21,14 +21,8 @@ var PmtHouseError = class extends Error {
 };
 
 // src/signer/handler-errors.ts
-function isPmtHouseError(error) {
-  if (error instanceof PmtHouseError) {
-    return true;
-  }
-  return error instanceof Error && typeof error.status === "number" && typeof error.code === "string";
-}
 function signerHandlerErrorResponse(error) {
-  if (isPmtHouseError(error)) {
+  if (error instanceof PmtHouseError) {
     return new Response(
       JSON.stringify({
         error: error.code,
@@ -48,62 +42,6 @@ function signerHandlerErrorResponse(error) {
   });
 }
 
-// src/signer/token-manager.ts
-function cacheKey(clientId, externalUserId) {
-  return `${clientId}\0${externalUserId}`;
-}
-function createSignerTokenManager(options) {
-  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
-  const cache = /* @__PURE__ */ new Map();
-  const inflight = /* @__PURE__ */ new Map();
-  function isUsable(entry, now, forceRefresh) {
-    if (forceRefresh) return false;
-    if (now >= entry.expiresAt) return false;
-    if (now >= entry.refreshAt) return false;
-    return true;
-  }
-  async function refresh(publicClientId, externalUserId) {
-    const key = cacheKey(publicClientId, externalUserId);
-    const existing = inflight.get(key);
-    if (existing) {
-      return existing;
-    }
-    const promise = options.mint(externalUserId).then((token) => {
-      const normalized = {
-        ...token,
-        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
-      };
-      cache.set(key, normalized);
-      inflight.delete(key);
-      return normalized;
-    }).catch((error) => {
-      inflight.delete(key);
-      throw error;
-    });
-    inflight.set(key, promise);
-    return promise;
-  }
-  return {
-    peek(publicClientId, externalUserId) {
-      return cache.get(cacheKey(publicClientId, externalUserId));
-    },
-    invalidate(publicClientId, externalUserId) {
-      const key = cacheKey(publicClientId, externalUserId);
-      cache.delete(key);
-      inflight.delete(key);
-    },
-    async getToken(publicClientId, externalUserId, getOptions = {}) {
-      const now = Date.now();
-      const key = cacheKey(publicClientId, externalUserId);
-      const cached = cache.get(key);
-      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
-        return cached;
-      }
-      return refresh(publicClientId, externalUserId);
-    }
-  };
-}
-
 // src/signer/forward.ts
 function base64UrlPayloadToUtf8(payloadB64) {
   const normalized = payloadB64.replaceAll("-", "+").replaceAll("_", "/");
@@ -217,6 +155,70 @@ async function forwardDirectSignerRequest(options) {
   return fetchImpl(target, init);
 }
 
+// src/signer/token-manager.ts
+function cacheKey(clientId, externalUserId) {
+  return `${clientId}\0${externalUserId}`;
+}
+function createSignerTokenManager(options) {
+  const ttlRefreshRatio = options.ttlRefreshRatio ?? 0.8;
+  const cache = /* @__PURE__ */ new Map();
+  const inflight = /* @__PURE__ */ new Map();
+  function isUsable(entry, now, forceRefresh) {
+    if (forceRefresh) return false;
+    if (now >= entry.expiresAt) return false;
+    if (now >= entry.refreshAt) return false;
+    return true;
+  }
+  async function refresh(publicClientId, externalUserId) {
+    const key = cacheKey(publicClientId, externalUserId);
+    const existing = inflight.get(key);
+    if (existing) {
+      return existing;
+    }
+    const promise = options.mint(publicClientId, externalUserId).then((token) => {
+      const identity = identityFromJwtPayload(decodeJwtPayload(token.jwt));
+      if (identity.clientId !== publicClientId) {
+        throw new PmtHouseError("minted JWT client_id does not match public client id", {
+          status: 500,
+          code: "invalid_client_id",
+          details: { expected: publicClientId, actual: identity.clientId }
+        });
+      }
+      const normalized = {
+        ...token,
+        refreshAt: token.refreshAt || Date.now() + Math.floor((token.expiresAt - Date.now()) * ttlRefreshRatio)
+      };
+      cache.set(key, normalized);
+      inflight.delete(key);
+      return normalized;
+    }).catch((error) => {
+      inflight.delete(key);
+      throw error;
+    });
+    inflight.set(key, promise);
+    return promise;
+  }
+  return {
+    peek(publicClientId, externalUserId) {
+      return cache.get(cacheKey(publicClientId, externalUserId));
+    },
+    invalidate(publicClientId, externalUserId) {
+      const key = cacheKey(publicClientId, externalUserId);
+      cache.delete(key);
+      inflight.delete(key);
+    },
+    async getToken(publicClientId, externalUserId, getOptions = {}) {
+      const now = Date.now();
+      const key = cacheKey(publicClientId, externalUserId);
+      const cached = cache.get(key);
+      if (cached && isUsable(cached, now, getOptions.forceRefresh === true)) {
+        return cached;
+      }
+      return refresh(publicClientId, externalUserId);
+    }
+  };
+}
+
 // src/string-utils.ts
 function stripTrailingSlashes(value) {
   let end = value.length;
@@ -543,7 +545,7 @@ async function mintSignerTokenFromDeviceToken(options) {
       code: "oidc_discovery_invalid"
     });
   }
-  const audience = options.audience?.trim() || signerJwtAudience(issuerUrl);
+  const audience = options.audience?.trim() || LIVEPEER_REMOTE_SIGNER_AUDIENCE;
   const params = new URLSearchParams({
     grant_type: TOKEN_EXCHANGE_GRANT,
     subject_token: options.deviceToken,
@@ -1157,15 +1159,30 @@ function toResponse(result) {
   });
 }
 function createDirectSignerProxyHandler(config) {
-  const tokenManager = createSignerTokenManager({
-    mint: (externalUserId) => mintUserSignerToken({
-      issuerUrl: config.pymthouseIssuerUrl,
+  async function resolveM2MCredentials(publicClientId) {
+    if (config.resolveM2MCredentials) {
+      return config.resolveM2MCredentials(publicClientId);
+    }
+    return {
       m2mClientId: config.pymthouseM2MClientId,
-      m2mClientSecret: config.pymthouseM2MClientSecret,
-      externalUserId,
-      fetch: config.fetch,
-      allowInsecureHttp: config.allowInsecureHttp
-    })
+      m2mClientSecret: config.pymthouseM2MClientSecret
+    };
+  }
+  const tokenManager = createSignerTokenManager({
+    // `publicClientId` selects the M2M credentials so the minted JWT's
+    // `client_id` matches the cache partition key. The token manager rejects any
+    // minted token whose `client_id` diverges from `publicClientId`.
+    mint: async (publicClientId, externalUserId) => {
+      const { m2mClientId, m2mClientSecret } = await resolveM2MCredentials(publicClientId);
+      return mintUserSignerToken({
+        issuerUrl: config.pymthouseIssuerUrl,
+        m2mClientId,
+        m2mClientSecret,
+        externalUserId,
+        fetch: config.fetch,
+        allowInsecureHttp: config.allowInsecureHttp
+      });
+    }
   });
   async function runBeforeSign(token, externalUserId, request) {
     if (!config.beforeSign) {