npm - @pymthouse/builder-sdk - Versions diffs - 0.4.4 → 0.4.6 - Mend

@pymthouse/builder-sdk 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/README.md +120 -5
package/dist/{client-C0HgAugK.d.cts → client-CEBVgCD7.d.cts} +28 -4
package/dist/{client-zCskUJag.d.ts → client-D-p6v8ju.d.ts} +28 -4
package/dist/device.d.cts +1 -1
package/dist/device.d.ts +1 -1
package/dist/env.cjs +64 -9
package/dist/env.cjs.map +1 -1
package/dist/env.d.cts +2 -2
package/dist/env.d.ts +2 -2
package/dist/env.js +64 -9
package/dist/env.js.map +1 -1
package/dist/{index-CAIAYJv7.d.cts → index-M0tsyotJ.d.cts} +1 -1
package/dist/{index-BL1wpOki.d.ts → index-rC8smShg.d.ts} +1 -1
package/dist/index.cjs +64 -9
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +4 -4
package/dist/index.d.ts +4 -4
package/dist/index.js +64 -9
package/dist/index.js.map +1 -1
package/dist/{proxy-KrA1vEmh.d.ts → proxy-CZLY0IfL.d.cts} +5 -2
package/dist/{proxy-0wa8QZIU.d.cts → proxy-D36SpZ6k.d.ts} +5 -2
package/dist/signer/gateway.cjs +542 -0
package/dist/signer/gateway.cjs.map +1 -0
package/dist/signer/gateway.d.cts +81 -0
package/dist/signer/gateway.d.ts +81 -0
package/dist/signer/gateway.js +538 -0
package/dist/signer/gateway.js.map +1 -0
package/dist/signer/server.cjs +225 -0
package/dist/signer/server.cjs.map +1 -1
package/dist/signer/server.d.cts +35 -4
package/dist/signer/server.d.ts +35 -4
package/dist/signer/server.js +219 -1
package/dist/signer/server.js.map +1 -1
package/dist/signer/webhook/adapters/oidc.d.cts +2 -2
package/dist/signer/webhook/adapters/oidc.d.ts +2 -2
package/dist/signer/webhook.d.cts +3 -3
package/dist/signer/webhook.d.ts +3 -3
package/dist/tokens.d.cts +1 -1
package/dist/tokens.d.ts +1 -1
package/dist/{types-BORaHW_x.d.cts → types-CcP67AZm.d.cts} +2 -0
package/dist/{types-BORaHW_x.d.ts → types-CcP67AZm.d.ts} +2 -0
package/dist/verify.d.cts +1 -1
package/dist/verify.d.ts +1 -1
package/package.json +6 -1

package/dist/{index-CAIAYJv7.d.cts → index-M0tsyotJ.d.cts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { F as FetchLike } from './types-BORaHW_x.cjs';
+import { F as FetchLike } from './types-CcP67AZm.cjs';
 import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-D8z3spC0.cjs';
 import { TrustedHeadersEndUserAuthConfig } from './signer/webhook/adapters/trusted-headers.cjs';

package/dist/{index-BL1wpOki.d.ts → index-rC8smShg.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { F as FetchLike } from './types-BORaHW_x.js';
+import { F as FetchLike } from './types-CcP67AZm.js';
 import { U as UsageIdentity, P as PaymentWebhookRequest, V as VerifiedEndUserAuth, E as EndUserAuthVerifier } from './verifier-D8z3spC0.js';
 import { TrustedHeadersEndUserAuthConfig } from './signer/webhook/adapters/trusted-headers.js';

package/dist/index.cjs CHANGED Viewed

@@ -338,6 +338,32 @@ var init_mint_token = __esm({
   }
 });
+// src/signer/direct-signer.ts
+function assertDirectSignerBaseUrl(signerBaseUrl) {
+  let parsed;
+  try {
+    parsed = new URL(signerBaseUrl.trim());
+  } catch {
+    throw new exports.PmtHouseError("signer URL must be an absolute http(s) URL", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const pathname = stripTrailingSlashes(parsed.pathname);
+  if (pathname === "/api/signer" || pathname.startsWith("/api/signer/")) {
+    throw new exports.PmtHouseError(
+      "signer URL must be the remote signer DMZ base, not a dashboard /api/signer/* proxy path. Exchange at the platform facade, then call signer endpoints directly using signerUrl from the exchange response.",
+      { status: 400, code: "invalid_signer_url" }
+    );
+  }
+}
+var init_direct_signer = __esm({
+  "src/signer/direct-signer.ts"() {
+    init_string_utils();
+    init_errors();
+  }
+});
 // src/signer/device-exchange.ts
 function extractSignerAccessTokenFromExchangeBody(body) {
   const tokenObj = body.token;
@@ -570,6 +596,9 @@ async function exchangeApiKeyForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -632,6 +661,7 @@ var init_api_key_exchange = __esm({
     init_fetch_json();
     init_handler_errors();
     init_device_exchange();
+    init_direct_signer();
     EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
   }
 });
@@ -1340,8 +1370,14 @@ var PmtHouseClient = class {
     });
   }
   /**
-   * Exchange a dashboard API key for a signer session via a trusted facade (recommended)
-   * or directly when M2M credentials are available on this client.
+   * Exchange a dashboard API key for a short-lived signer JWT via a trusted facade.
+   *
+   * `facadeUrl` is used only for `POST {facadeUrl}/api/pymthouse/keys/exchange`.
+   * After exchange, call signer RPCs directly at `signerUrl` from the response
+   * (e.g. `{signerUrl}/sign-orchestrator-info`), not via dashboard `/api/signer/*`.
+   *
+   * When M2M credentials are available on this client, omit `facadeUrl` to exchange
+   * directly against the PymtHouse issuer.
    */
   async exchangeApiKeyForSignerSession(input) {
     if (input.facadeUrl?.trim()) {
@@ -1358,7 +1394,8 @@ var PmtHouseClient = class {
         token_type: exchanged.token_type,
         expires_in: exchanged.expires_in,
         scope: exchanged.scope,
-        issued_token_type: "urn:ietf:params:oauth:token-type:access_token"
+        issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
+        signerUrl: exchanged.signerUrl
       };
     }
     const userToken = await this.exchangeApiKeyForUserAccessToken({
@@ -1432,8 +1469,13 @@ var PmtHouseClient = class {
     params.set("subject_token", input.userJwt);
     params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
-    const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
-    params.set("resource", stripTrailingSlashes(resourceCandidate));
+    if (typeof input.scope === "string" && input.scope.trim() !== "") {
+      params.set("scope", input.scope.trim());
+    }
+    if (!input.omitResource) {
+      const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
+      params.set("resource", stripTrailingSlashes(resourceCandidate));
+    }
     try {
       const response = await oauth4webapi.genericTokenEndpointRequest(
         as,
@@ -1719,18 +1761,31 @@ var PmtHouseClient = class {
     };
   }
   /**
-   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   * Upsert an external user, mint a short-lived JWT, and exchange it for a
+   * long-lived opaque (`pmth_*`) signer session.
+   *
+   * Performs the *documented* remote-signer-session exchange (see
+   * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+   * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+   * which selects the PymtHouse gateway/opaque path. A prior implementation set
+   * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+   * that {@link parseSignerSessionExchange} then rejected as non-opaque.
    */
   async mintSignerSessionForExternalUser(input) {
+    const scope = input.scope ?? SIGN_JOB_SCOPE;
     await this.upsertAppUser({
       externalUserId: input.externalUserId,
       email: input.email,
       status: "active"
     });
-    const exchange = await this.mintUserSignerSessionToken({
+    const userToken = await this.mintUserAccessToken({
       externalUserId: input.externalUserId,
-      scope: input.scope ?? SIGN_JOB_SCOPE,
-      resource: this.issuerUrl
+      scope
+    });
+    const exchange = await this.exchangeForSignerSession({
+      userJwt: userToken.access_token,
+      omitResource: true,
+      scope
     });
     return parseSignerSessionExchange(exchange);
   }