@pymthouse/builder-sdk 0.4.4 → 0.4.6

package/dist/env.d.cts

@@ -1,6 +1,6 @@
-import { P as PmtHouseClient } from './client-C0HgAugK.cjs';
+import { P as PmtHouseClient } from './client-CEBVgCD7.cjs';
 import './tokens.cjs';
-import './types-BORaHW_x.cjs';
+import './types-CcP67AZm.cjs';
 
 /**
  * Site origin for the PymtHouse deployment (e.g. https://pymthouse.com), derived

package/dist/env.d.ts

@@ -1,6 +1,6 @@
-import { P as PmtHouseClient } from './client-zCskUJag.js';
+import { P as PmtHouseClient } from './client-D-p6v8ju.js';
 import './tokens.js';
-import './types-BORaHW_x.js';
+import './types-CcP67AZm.js';
 
 /**
  * Site origin for the PymtHouse deployment (e.g. https://pymthouse.com), derived

package/dist/env.js

@@ -305,6 +305,32 @@ var init_mint_token = __esm({
   }
 });
 
+// src/signer/direct-signer.ts
+function assertDirectSignerBaseUrl(signerBaseUrl) {
+  let parsed;
+  try {
+    parsed = new URL(signerBaseUrl.trim());
+  } catch {
+    throw new PmtHouseError("signer URL must be an absolute http(s) URL", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const pathname = stripTrailingSlashes(parsed.pathname);
+  if (pathname === "/api/signer" || pathname.startsWith("/api/signer/")) {
+    throw new PmtHouseError(
+      "signer URL must be the remote signer DMZ base, not a dashboard /api/signer/* proxy path. Exchange at the platform facade, then call signer endpoints directly using signerUrl from the exchange response.",
+      { status: 400, code: "invalid_signer_url" }
+    );
+  }
+}
+var init_direct_signer = __esm({
+  "src/signer/direct-signer.ts"() {
+    init_string_utils();
+    init_errors();
+  }
+});
+
 // src/signer/device-exchange.ts
 function extractSignerAccessTokenFromExchangeBody(body) {
   const tokenObj = body.token;
@@ -537,6 +563,9 @@ async function exchangeApiKeyForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -599,6 +628,7 @@ var init_api_key_exchange = __esm({
     init_fetch_json();
     init_handler_errors();
     init_device_exchange();
+    init_direct_signer();
     EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
   }
 });
@@ -1095,8 +1125,14 @@ var PmtHouseClient = class {
     });
   }
   /**
-   * Exchange a dashboard API key for a signer session via a trusted facade (recommended)
-   * or directly when M2M credentials are available on this client.
+   * Exchange a dashboard API key for a short-lived signer JWT via a trusted facade.
+   *
+   * `facadeUrl` is used only for `POST {facadeUrl}/api/pymthouse/keys/exchange`.
+   * After exchange, call signer RPCs directly at `signerUrl` from the response
+   * (e.g. `{signerUrl}/sign-orchestrator-info`), not via dashboard `/api/signer/*`.
+   *
+   * When M2M credentials are available on this client, omit `facadeUrl` to exchange
+   * directly against the PymtHouse issuer.
    */
   async exchangeApiKeyForSignerSession(input) {
     if (input.facadeUrl?.trim()) {
@@ -1113,7 +1149,8 @@ var PmtHouseClient = class {
         token_type: exchanged.token_type,
         expires_in: exchanged.expires_in,
         scope: exchanged.scope,
-        issued_token_type: "urn:ietf:params:oauth:token-type:access_token"
+        issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
+        signerUrl: exchanged.signerUrl
       };
     }
     const userToken = await this.exchangeApiKeyForUserAccessToken({
@@ -1187,8 +1224,13 @@ var PmtHouseClient = class {
     params.set("subject_token", input.userJwt);
     params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
-    const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
-    params.set("resource", stripTrailingSlashes(resourceCandidate));
+    if (typeof input.scope === "string" && input.scope.trim() !== "") {
+      params.set("scope", input.scope.trim());
+    }
+    if (!input.omitResource) {
+      const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
+      params.set("resource", stripTrailingSlashes(resourceCandidate));
+    }
     try {
       const response = await genericTokenEndpointRequest(
         as,
@@ -1474,18 +1516,31 @@ var PmtHouseClient = class {
     };
   }
   /**
-   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   * Upsert an external user, mint a short-lived JWT, and exchange it for a
+   * long-lived opaque (`pmth_*`) signer session.
+   *
+   * Performs the *documented* remote-signer-session exchange (see
+   * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+   * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+   * which selects the PymtHouse gateway/opaque path. A prior implementation set
+   * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+   * that {@link parseSignerSessionExchange} then rejected as non-opaque.
    */
   async mintSignerSessionForExternalUser(input) {
+    const scope = input.scope ?? SIGN_JOB_SCOPE;
     await this.upsertAppUser({
       externalUserId: input.externalUserId,
       email: input.email,
       status: "active"
     });
-    const exchange = await this.mintUserSignerSessionToken({
+    const userToken = await this.mintUserAccessToken({
       externalUserId: input.externalUserId,
-      scope: input.scope ?? SIGN_JOB_SCOPE,
-      resource: this.issuerUrl
+      scope
+    });
+    const exchange = await this.exchangeForSignerSession({
+      userJwt: userToken.access_token,
+      omitResource: true,
+      scope
     });
     return parseSignerSessionExchange(exchange);
   }