@pymthouse/builder-sdk 0.4.3 → 0.4.5

package/dist/signer/server.d.cts

@@ -1,6 +1,7 @@
-import { C as CachedSignerToken, a as SignerTokenManagerOptions, F as ForwardDirectSignerRequestOptions, b as SignerJwtIdentity, M as MintUserSignerTokenOptions, D as DeviceExchangeHandlerConfig, c as DeviceExchangeHandlerConfigRemote, E as ExchangeDeviceTokenForSignerOptions, d as DeviceExchangeResponse, e as MintSignerTokenFromDeviceTokenOptions, f as DeviceExchangeMintResult, g as DeviceExchangeRequestBody, A as ApiKeyExchangeHandlerConfig, h as ExchangeApiKeyForSignerOptions, i as ApiKeyExchangeMintResult, j as ApiKeyExchangeRequestBody, k as DirectSignerProxyConfig } from '../proxy-0wa8QZIU.cjs';
-export { l as DeviceExchangeMintContext, m as DirectSignerBeforeSignContext, n as DirectSignerBeforeSignResult, o as ForwardToSignerOptions, p as ForwardToSignerResult, q as M2MClientCredentials, r as MintUserSignerTokenResponse, P as ProbeSignerHttpReachabilityOptions, s as SignerDmzGate, S as SignerUsageSnapshot, t as forwardToSigner, u as getCachedDmzBearerToken, v as normalizeSignerBaseUrl, w as parseSignerUsageSnapshot, x as pickConflictingNumberAliases, y as pickConflictingStringAliases, z as probeSignerHttpReachability, B as readSignerUpstreamBody, G as resolveSignerBaseUrl, H as stripSignerUsageFromResponse } from '../proxy-0wa8QZIU.cjs';
-import '../types-BORaHW_x.cjs';
+import { C as CachedSignerToken, a as SignerTokenManagerOptions, F as ForwardDirectSignerRequestOptions, b as SignerJwtIdentity, M as MintUserSignerTokenOptions, D as DeviceExchangeHandlerConfig, c as DeviceExchangeHandlerConfigRemote, E as ExchangeDeviceTokenForSignerOptions, d as DeviceExchangeResponse, e as MintSignerTokenFromDeviceTokenOptions, f as DeviceExchangeMintResult, g as DeviceExchangeRequestBody, A as ApiKeyExchangeHandlerConfig, h as ExchangeApiKeyForSignerOptions, i as ApiKeyExchangeMintResult, j as ApiKeyExchangeRequestBody, k as DirectSignerProxyConfig } from '../proxy-CZLY0IfL.cjs';
+export { l as DeviceExchangeMintContext, m as DirectSignerBeforeSignContext, n as DirectSignerBeforeSignResult, o as ForwardToSignerOptions, p as ForwardToSignerResult, q as M2MClientCredentials, r as MintUserSignerTokenResponse, P as ProbeSignerHttpReachabilityOptions, s as SignerDmzGate, S as SignerUsageSnapshot, t as forwardToSigner, u as getCachedDmzBearerToken, v as normalizeSignerBaseUrl, w as parseSignerUsageSnapshot, x as pickConflictingNumberAliases, y as pickConflictingStringAliases, z as probeSignerHttpReachability, B as readSignerUpstreamBody, G as resolveSignerBaseUrl, H as stripSignerUsageFromResponse } from '../proxy-CZLY0IfL.cjs';
+export { GatewayTokenAuth, GatewayTokenBundle, GatewayTokenInput, MintGatewayTokenOptions, buildGatewayToken, decodeGatewayToken, mintGatewayToken } from './gateway.cjs';
+import '../types-CcP67AZm.cjs';
 
 interface SignerTokenManager {
     getToken(publicClientId: string, externalUserId: string, options?: {
@@ -59,6 +60,36 @@ declare function mintSignerSessionFromApiKey(input: {
 declare function exchangeApiKeyForSigner(options: ExchangeApiKeyForSignerOptions): Promise<DeviceExchangeResponse>;
 declare function createApiKeyExchangeHandler(config: ApiKeyExchangeHandlerConfig): (request: Request) => Promise<Response>;
 
+/** Remote signer paths clients call directly after exchange (never via dashboard proxy). */
+declare const DIRECT_SIGNER_PATHS: {
+    readonly signOrchestratorInfo: "sign-orchestrator-info";
+    readonly generateLivePayment: "generate-live-payment";
+    readonly discoverOrchestrators: "discover-orchestrators";
+};
+type DirectSignerPath = (typeof DIRECT_SIGNER_PATHS)[keyof typeof DIRECT_SIGNER_PATHS];
+/**
+ * Build a direct remote-signer URL from a DMZ base returned by exchange handlers.
+ * The base must be the signer service origin (e.g. `https://signer.example`), not a
+ * dashboard `/api/signer/*` proxy route.
+ */
+declare function signerEndpointUrl(signerBaseUrl: string, path: DirectSignerPath | (string & {})): string;
+/** Read `signerUrl` from an exchange response envelope. */
+declare function signerUrlFromExchangeResponse(response: Pick<DeviceExchangeResponse, "signerUrl">): string | undefined;
+/**
+ * Reject dashboard-style signer proxy bases. Exchange facades mint JWTs only;
+ * signing RPCs must target the remote signer DMZ directly.
+ *
+ * Parses the URL and inspects its pathname rather than running a regex over the
+ * raw string, which both avoids super-linear backtracking on adversarial input
+ * and rejects every `/api/signer` and `/api/signer/*` route (not just the three
+ * known endpoint suffixes).
+ *
+ * @param signerBaseUrl - Absolute signer base URL to validate.
+ * @throws {PmtHouseError} When the URL is not absolute or points at a dashboard
+ * `/api/signer` proxy path.
+ */
+declare function assertDirectSignerBaseUrl(signerBaseUrl: string): void;
+
 interface DirectSignerProxyHandler {
     (request: Request): Promise<Response>;
     getCachedUsage(publicClientId: string, externalUserId: string): CachedSignerToken | undefined;
@@ -66,4 +97,4 @@ interface DirectSignerProxyHandler {
 }
 declare function createDirectSignerProxyHandler(config: DirectSignerProxyConfig): DirectSignerProxyHandler;
 
-export { ApiKeyExchangeHandlerConfig, ApiKeyExchangeMintResult, ApiKeyExchangeRequestBody, CachedSignerToken, DeviceExchangeHandlerConfig, DeviceExchangeHandlerConfigRemote, DeviceExchangeMintResult, DeviceExchangeRequestBody, DeviceExchangeResponse, DirectSignerProxyConfig, type DirectSignerProxyHandler, ExchangeApiKeyForSignerOptions, ExchangeDeviceTokenForSignerOptions, ForwardDirectSignerRequestOptions, LIVEPEER_REMOTE_SIGNER_AUDIENCE, MintSignerTokenFromDeviceTokenOptions, MintUserSignerTokenOptions, SIGN_MINT_USER_TOKEN_SCOPE, SignerJwtIdentity, type SignerTokenManager, SignerTokenManagerOptions, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, signerJwtAudience };
+export { ApiKeyExchangeHandlerConfig, ApiKeyExchangeMintResult, ApiKeyExchangeRequestBody, CachedSignerToken, DIRECT_SIGNER_PATHS, DeviceExchangeHandlerConfig, DeviceExchangeHandlerConfigRemote, DeviceExchangeMintResult, DeviceExchangeRequestBody, DeviceExchangeResponse, type DirectSignerPath, DirectSignerProxyConfig, type DirectSignerProxyHandler, ExchangeApiKeyForSignerOptions, ExchangeDeviceTokenForSignerOptions, ForwardDirectSignerRequestOptions, LIVEPEER_REMOTE_SIGNER_AUDIENCE, MintSignerTokenFromDeviceTokenOptions, MintUserSignerTokenOptions, SIGN_MINT_USER_TOKEN_SCOPE, SignerJwtIdentity, type SignerTokenManager, SignerTokenManagerOptions, assertDirectSignerBaseUrl, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, signerEndpointUrl, signerJwtAudience, signerUrlFromExchangeResponse };

package/dist/signer/server.d.ts

@@ -1,6 +1,7 @@
-import { C as CachedSignerToken, a as SignerTokenManagerOptions, F as ForwardDirectSignerRequestOptions, b as SignerJwtIdentity, M as MintUserSignerTokenOptions, D as DeviceExchangeHandlerConfig, c as DeviceExchangeHandlerConfigRemote, E as ExchangeDeviceTokenForSignerOptions, d as DeviceExchangeResponse, e as MintSignerTokenFromDeviceTokenOptions, f as DeviceExchangeMintResult, g as DeviceExchangeRequestBody, A as ApiKeyExchangeHandlerConfig, h as ExchangeApiKeyForSignerOptions, i as ApiKeyExchangeMintResult, j as ApiKeyExchangeRequestBody, k as DirectSignerProxyConfig } from '../proxy-KrA1vEmh.js';
-export { l as DeviceExchangeMintContext, m as DirectSignerBeforeSignContext, n as DirectSignerBeforeSignResult, o as ForwardToSignerOptions, p as ForwardToSignerResult, q as M2MClientCredentials, r as MintUserSignerTokenResponse, P as ProbeSignerHttpReachabilityOptions, s as SignerDmzGate, S as SignerUsageSnapshot, t as forwardToSigner, u as getCachedDmzBearerToken, v as normalizeSignerBaseUrl, w as parseSignerUsageSnapshot, x as pickConflictingNumberAliases, y as pickConflictingStringAliases, z as probeSignerHttpReachability, B as readSignerUpstreamBody, G as resolveSignerBaseUrl, H as stripSignerUsageFromResponse } from '../proxy-KrA1vEmh.js';
-import '../types-BORaHW_x.js';
+import { C as CachedSignerToken, a as SignerTokenManagerOptions, F as ForwardDirectSignerRequestOptions, b as SignerJwtIdentity, M as MintUserSignerTokenOptions, D as DeviceExchangeHandlerConfig, c as DeviceExchangeHandlerConfigRemote, E as ExchangeDeviceTokenForSignerOptions, d as DeviceExchangeResponse, e as MintSignerTokenFromDeviceTokenOptions, f as DeviceExchangeMintResult, g as DeviceExchangeRequestBody, A as ApiKeyExchangeHandlerConfig, h as ExchangeApiKeyForSignerOptions, i as ApiKeyExchangeMintResult, j as ApiKeyExchangeRequestBody, k as DirectSignerProxyConfig } from '../proxy-D36SpZ6k.js';
+export { l as DeviceExchangeMintContext, m as DirectSignerBeforeSignContext, n as DirectSignerBeforeSignResult, o as ForwardToSignerOptions, p as ForwardToSignerResult, q as M2MClientCredentials, r as MintUserSignerTokenResponse, P as ProbeSignerHttpReachabilityOptions, s as SignerDmzGate, S as SignerUsageSnapshot, t as forwardToSigner, u as getCachedDmzBearerToken, v as normalizeSignerBaseUrl, w as parseSignerUsageSnapshot, x as pickConflictingNumberAliases, y as pickConflictingStringAliases, z as probeSignerHttpReachability, B as readSignerUpstreamBody, G as resolveSignerBaseUrl, H as stripSignerUsageFromResponse } from '../proxy-D36SpZ6k.js';
+export { GatewayTokenAuth, GatewayTokenBundle, GatewayTokenInput, MintGatewayTokenOptions, buildGatewayToken, decodeGatewayToken, mintGatewayToken } from './gateway.js';
+import '../types-CcP67AZm.js';
 
 interface SignerTokenManager {
     getToken(publicClientId: string, externalUserId: string, options?: {
@@ -59,6 +60,36 @@ declare function mintSignerSessionFromApiKey(input: {
 declare function exchangeApiKeyForSigner(options: ExchangeApiKeyForSignerOptions): Promise<DeviceExchangeResponse>;
 declare function createApiKeyExchangeHandler(config: ApiKeyExchangeHandlerConfig): (request: Request) => Promise<Response>;
 
+/** Remote signer paths clients call directly after exchange (never via dashboard proxy). */
+declare const DIRECT_SIGNER_PATHS: {
+    readonly signOrchestratorInfo: "sign-orchestrator-info";
+    readonly generateLivePayment: "generate-live-payment";
+    readonly discoverOrchestrators: "discover-orchestrators";
+};
+type DirectSignerPath = (typeof DIRECT_SIGNER_PATHS)[keyof typeof DIRECT_SIGNER_PATHS];
+/**
+ * Build a direct remote-signer URL from a DMZ base returned by exchange handlers.
+ * The base must be the signer service origin (e.g. `https://signer.example`), not a
+ * dashboard `/api/signer/*` proxy route.
+ */
+declare function signerEndpointUrl(signerBaseUrl: string, path: DirectSignerPath | (string & {})): string;
+/** Read `signerUrl` from an exchange response envelope. */
+declare function signerUrlFromExchangeResponse(response: Pick<DeviceExchangeResponse, "signerUrl">): string | undefined;
+/**
+ * Reject dashboard-style signer proxy bases. Exchange facades mint JWTs only;
+ * signing RPCs must target the remote signer DMZ directly.
+ *
+ * Parses the URL and inspects its pathname rather than running a regex over the
+ * raw string, which both avoids super-linear backtracking on adversarial input
+ * and rejects every `/api/signer` and `/api/signer/*` route (not just the three
+ * known endpoint suffixes).
+ *
+ * @param signerBaseUrl - Absolute signer base URL to validate.
+ * @throws {PmtHouseError} When the URL is not absolute or points at a dashboard
+ * `/api/signer` proxy path.
+ */
+declare function assertDirectSignerBaseUrl(signerBaseUrl: string): void;
+
 interface DirectSignerProxyHandler {
     (request: Request): Promise<Response>;
     getCachedUsage(publicClientId: string, externalUserId: string): CachedSignerToken | undefined;
@@ -66,4 +97,4 @@ interface DirectSignerProxyHandler {
 }
 declare function createDirectSignerProxyHandler(config: DirectSignerProxyConfig): DirectSignerProxyHandler;
 
-export { ApiKeyExchangeHandlerConfig, ApiKeyExchangeMintResult, ApiKeyExchangeRequestBody, CachedSignerToken, DeviceExchangeHandlerConfig, DeviceExchangeHandlerConfigRemote, DeviceExchangeMintResult, DeviceExchangeRequestBody, DeviceExchangeResponse, DirectSignerProxyConfig, type DirectSignerProxyHandler, ExchangeApiKeyForSignerOptions, ExchangeDeviceTokenForSignerOptions, ForwardDirectSignerRequestOptions, LIVEPEER_REMOTE_SIGNER_AUDIENCE, MintSignerTokenFromDeviceTokenOptions, MintUserSignerTokenOptions, SIGN_MINT_USER_TOKEN_SCOPE, SignerJwtIdentity, type SignerTokenManager, SignerTokenManagerOptions, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, signerJwtAudience };
+export { ApiKeyExchangeHandlerConfig, ApiKeyExchangeMintResult, ApiKeyExchangeRequestBody, CachedSignerToken, DIRECT_SIGNER_PATHS, DeviceExchangeHandlerConfig, DeviceExchangeHandlerConfigRemote, DeviceExchangeMintResult, DeviceExchangeRequestBody, DeviceExchangeResponse, type DirectSignerPath, DirectSignerProxyConfig, type DirectSignerProxyHandler, ExchangeApiKeyForSignerOptions, ExchangeDeviceTokenForSignerOptions, ForwardDirectSignerRequestOptions, LIVEPEER_REMOTE_SIGNER_AUDIENCE, MintSignerTokenFromDeviceTokenOptions, MintUserSignerTokenOptions, SIGN_MINT_USER_TOKEN_SCOPE, SignerJwtIdentity, type SignerTokenManager, SignerTokenManagerOptions, assertDirectSignerBaseUrl, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, signerEndpointUrl, signerJwtAudience, signerUrlFromExchangeResponse };

package/dist/signer/server.js

@@ -450,6 +450,46 @@ async function mintUserSignerToken(options) {
   return parseMintUserSignerTokenResponse(parsed);
 }
 
+// src/signer/direct-signer.ts
+var DIRECT_SIGNER_PATHS = {
+  signOrchestratorInfo: "sign-orchestrator-info",
+  generateLivePayment: "generate-live-payment",
+  discoverOrchestrators: "discover-orchestrators"
+};
+function signerEndpointUrl(signerBaseUrl, path) {
+  const base = stripTrailingSlashes(signerBaseUrl.trim());
+  if (!base) {
+    throw new PmtHouseError("signerBaseUrl is required", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const suffix = path.replace(/^\/+/, "");
+  return `${base}/${suffix}`;
+}
+function signerUrlFromExchangeResponse(response) {
+  const url = response.signerUrl?.trim();
+  return url || void 0;
+}
+function assertDirectSignerBaseUrl(signerBaseUrl) {
+  let parsed;
+  try {
+    parsed = new URL(signerBaseUrl.trim());
+  } catch {
+    throw new PmtHouseError("signer URL must be an absolute http(s) URL", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const pathname = stripTrailingSlashes(parsed.pathname);
+  if (pathname === "/api/signer" || pathname.startsWith("/api/signer/")) {
+    throw new PmtHouseError(
+      "signer URL must be the remote signer DMZ base, not a dashboard /api/signer/* proxy path. Exchange at the platform facade, then call signer endpoints directly using signerUrl from the exchange response.",
+      { status: 400, code: "invalid_signer_url" }
+    );
+  }
+}
+
 // src/signer/device-exchange.ts
 var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
 var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
@@ -607,6 +647,9 @@ async function exchangeDeviceTokenForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -786,6 +829,9 @@ async function exchangeApiKeyForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -841,6 +887,178 @@ function createApiKeyExchangeHandler(config) {
   };
 }
 
+// src/signer/gateway-token.ts
+function requireString(value, label) {
+  if (typeof value !== "string") {
+    throw new PmtHouseError(`${label} must be a string`, {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return value.trim();
+}
+function optionalString(value, label) {
+  if (value === void 0 || value === null) {
+    return void 0;
+  }
+  return requireString(value, label) || void 0;
+}
+function encodeBase64Json(value) {
+  const json = JSON.stringify(value);
+  if (typeof Buffer === "undefined") {
+    const binary = Array.from(
+      new TextEncoder().encode(json),
+      (c) => String.fromCodePoint(c)
+    ).join("");
+    return btoa(binary);
+  }
+  return Buffer.from(json, "utf8").toString("base64");
+}
+function decodeBase64Json(token) {
+  const trimmed = requireString(token, "gateway token");
+  let json;
+  try {
+    if (typeof Buffer === "undefined") {
+      json = new TextDecoder().decode(
+        Uint8Array.from(atob(trimmed), (c) => c.codePointAt(0) ?? 0)
+      );
+    } else {
+      json = Buffer.from(trimmed, "base64").toString("utf8");
+    }
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected base64-encoded JSON", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  try {
+    return JSON.parse(json);
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected UTF-8 JSON payload", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+}
+function normalizeStringMap(map) {
+  if (!map) {
+    return void 0;
+  }
+  const entries = Object.entries(map).filter(
+    ([key, value]) => key.trim() && typeof value === "string"
+  );
+  return entries.length > 0 ? Object.fromEntries(entries) : void 0;
+}
+function buildGatewayToken(input) {
+  if (input === null || typeof input !== "object") {
+    throw new PmtHouseError("buildGatewayToken requires an input object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signer = requireString(input.signer, "signer URL");
+  if (!signer) {
+    throw new PmtHouseError("buildGatewayToken requires a non-empty signer URL", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signerHeaders = { ...input.signerHeaders };
+  const bundle = { signer };
+  const discovery = optionalString(input.discovery, "discovery URL");
+  if (discovery) {
+    bundle.discovery = discovery;
+  }
+  const rawOrchestrators = input.orchestrators ?? [];
+  if (!Array.isArray(rawOrchestrators)) {
+    throw new PmtHouseError("orchestrators must be an array of strings", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const orchestrators = rawOrchestrators.map((entry) => requireString(entry, "orchestrator entry")).filter((entry) => entry.length > 0);
+  if (orchestrators.length > 0) {
+    bundle.orchestrators = orchestrators;
+  }
+  if (input.auth?.kind === "signerJwt") {
+    const accessToken = requireString(input.auth.accessToken, "signerJwt accessToken");
+    if (!accessToken) {
+      throw new PmtHouseError("signerJwt auth requires a non-empty accessToken", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    signerHeaders.Authorization = `Bearer ${accessToken}`;
+  } else if (input.auth?.kind === "pmthApiKey") {
+    const apiKey = requireString(input.auth.apiKey, "pmthApiKey apiKey");
+    if (!apiKey) {
+      throw new PmtHouseError("pmthApiKey auth requires a non-empty apiKey", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    bundle.api_key = apiKey;
+    const billing = optionalString(input.auth.billing, "pmthApiKey billing URL");
+    if (billing) {
+      bundle.billing = billing;
+    }
+  }
+  const normalizedSignerHeaders = normalizeStringMap(signerHeaders);
+  if (normalizedSignerHeaders) {
+    bundle.signer_headers = normalizedSignerHeaders;
+  }
+  const normalizedDiscoveryHeaders = normalizeStringMap(input.discoveryHeaders);
+  if (normalizedDiscoveryHeaders) {
+    bundle.discovery_headers = normalizedDiscoveryHeaders;
+  }
+  return encodeBase64Json(bundle);
+}
+function decodeGatewayToken(token) {
+  const payload = decodeBase64Json(token);
+  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+    throw new PmtHouseError("Invalid gateway token: payload must be a JSON object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return payload;
+}
+async function mintGatewayToken(options) {
+  let accessToken;
+  if (options.source === "m2m") {
+    const minted = await mintUserSignerToken({
+      issuerUrl: options.issuerUrl,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      externalUserId: options.externalUserId,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.jwt;
+  } else {
+    const minted = await mintSignerSessionFromApiKey({
+      issuerUrl: options.issuerUrl,
+      publicClientId: options.publicClientId,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      apiKey: options.apiKey,
+      scope: options.scope,
+      audience: options.audience,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.access_token;
+  }
+  return buildGatewayToken({
+    signer: options.signer,
+    discovery: options.discovery,
+    orchestrators: options.orchestrators,
+    signerHeaders: options.signerHeaders,
+    discoveryHeaders: options.discoveryHeaders,
+    auth: { kind: "signerJwt", accessToken }
+  });
+}
+
 // src/signer/proxy.ts
 var HTTP_DMZ_TOKEN_MAX_ENTRIES = 100;
 var HTTP_DMZ_TOKEN_TTL_MS = 3.5 * 60 * 1e3;
@@ -1249,6 +1467,6 @@ function createDirectSignerProxyHandler(config) {
   return handler;
 }
 
-export { LIVEPEER_REMOTE_SIGNER_AUDIENCE, SIGN_MINT_USER_TOKEN_SCOPE, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, forwardToSigner, getCachedDmzBearerToken, identityFromJwtPayload, livepeerIdentityHeaders, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, normalizeSignerBaseUrl, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, parseSignerUsageSnapshot, pickConflictingNumberAliases, pickConflictingStringAliases, probeSignerHttpReachability, readSignerUpstreamBody, resolveSignerBaseUrl, signerJwtAudience, stripSignerUsageFromResponse };
+export { DIRECT_SIGNER_PATHS, LIVEPEER_REMOTE_SIGNER_AUDIENCE, SIGN_MINT_USER_TOKEN_SCOPE, assertDirectSignerBaseUrl, buildGatewayToken, createApiKeyExchangeHandler, createDeviceExchangeHandler, createDirectSignerProxyHandler, createSignerTokenManager, decodeGatewayToken, decodeJwtPayload, exchangeApiKeyForSigner, exchangeDeviceTokenForSigner, extractSignerAccessTokenFromExchangeBody, forwardDirectSignerRequest, forwardToSigner, getCachedDmzBearerToken, identityFromJwtPayload, livepeerIdentityHeaders, mintGatewayToken, mintSignerSessionFromApiKey, mintSignerTokenFromDeviceToken, mintUserAccessTokenFromApiKey, mintUserSignerToken, normalizeDeviceExchangeResponse, normalizeSignerBaseUrl, parseApiKeyExchangeRequestBody, parseDeviceExchangeRequestBody, parseMintUserSignerTokenResponse, parseSignerUsageSnapshot, pickConflictingNumberAliases, pickConflictingStringAliases, probeSignerHttpReachability, readSignerUpstreamBody, resolveSignerBaseUrl, signerEndpointUrl, signerJwtAudience, signerUrlFromExchangeResponse, stripSignerUsageFromResponse };
 //# sourceMappingURL=server.js.map
 //# sourceMappingURL=server.js.map