@pymthouse/builder-sdk 0.4.4 → 0.4.6

package/dist/index.d.cts

@@ -1,8 +1,8 @@
 export { NETWORK_USD_PER_MICRO, applyRetailRateToNetworkMicros, defaultRetailRateUsd, markupPercentToRetailRateUsd, parseMarkupPercentInput, parseRetailRateUsd, retailRateUsdPerMillion, retailRateUsdToMarkupPercent } from './plan-pricing.cjs';
-import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-BORaHW_x.cjs';
-export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-BORaHW_x.cjs';
-import { S as SignerUsageSnapshot } from './proxy-0wa8QZIU.cjs';
-export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-C0HgAugK.cjs';
+import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-CcP67AZm.cjs';
+export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-CcP67AZm.cjs';
+import { S as SignerUsageSnapshot } from './proxy-CZLY0IfL.cjs';
+export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-CEBVgCD7.cjs';
 export { P as PmtHouseError, t as toPmtHouseError } from './errors-C9-V_zSi.cjs';
 export { PYMTHOUSE_NOT_CONFIGURED_MESSAGE, getBuilderApiV1BaseFromIssuerUrl, getPymthouseIssuerOrigin, getPymthouseIssuerUrlFromEnv, getPymthousePublicClientIdFromEnv, isPymthouseConfigured, readPymthouseEnv } from './config.cjs';
 import { AuthorizationServer } from 'oauth4webapi';

package/dist/index.d.ts

@@ -1,8 +1,8 @@
 export { NETWORK_USD_PER_MICRO, applyRetailRateToNetworkMicros, defaultRetailRateUsd, markupPercentToRetailRateUsd, parseMarkupPercentInput, parseRetailRateUsd, retailRateUsdPerMillion, retailRateUsdToMarkupPercent } from './plan-pricing.js';
-import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-BORaHW_x.js';
-export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-BORaHW_x.js';
-import { S as SignerUsageSnapshot } from './proxy-KrA1vEmh.js';
-export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-zCskUJag.js';
+import { S as SignedTicketIngestInput, F as FetchLike, f as SignedTicketIngestResult, r as UsageByUserRow, s as UsageForExternalUser, e as UsageApiResponse, n as MeScopeUsagePayload, t as UsageByPipelineModelRow, u as UsageByPipelineModelFiatRow, O as OidcDiscoveryDocument, v as AppManifestResponse } from './types-CcP67AZm.js';
+export { w as AllowancePolicy, x as AppManifestCapability, A as AppUserRecord, q as ApproveDeviceLoginInput, B as BillingProduct, y as BillingSyncState, z as BillingSyncStatus, E as CapabilityPriceRule, C as ClientCredentialsTokenResponse, D as DeviceApprovalInput, o as GetAppManifestResult, G as GetDiscoveryOptions, l as GrantSource, L as ListBillingProductsResult, p as MintSignerSessionForExternalUserInput, M as MintUserAccessTokenInput, b as MintUserAccessTokenResponse, c as MintUserSignerSessionTokenInput, a as ParsedDeviceApprovalRedirect, h as PlanSyncResult, P as PmtHouseClientOptions, H as SignerRoutingConfig, g as SignerRoutingResponse, T as TokenExchangeResponse, U as UpsertAppUserInput, i as UsageBalanceResponse, I as UsageDailyPipelineRow, d as UsageQueryInput, J as UsageTotals, k as UserAllowanceGrantInput, j as UserAllowancesResponse, K as UserCreditGrantInput, N as UserCreditsResponse, m as UserSubscriptionResponse } from './types-CcP67AZm.js';
+import { S as SignerUsageSnapshot } from './proxy-D36SpZ6k.js';
+export { P as PmtHouseClient, b as buildDeviceCodeResource, n as normalizeUserCode } from './client-D-p6v8ju.js';
 export { P as PmtHouseError, t as toPmtHouseError } from './errors-C9-V_zSi.js';
 export { PYMTHOUSE_NOT_CONFIGURED_MESSAGE, getBuilderApiV1BaseFromIssuerUrl, getPymthouseIssuerOrigin, getPymthouseIssuerUrlFromEnv, getPymthousePublicClientIdFromEnv, isPymthouseConfigured, readPymthouseEnv } from './config.js';
 import { AuthorizationServer } from 'oauth4webapi';

package/dist/index.js

@@ -336,6 +336,32 @@ var init_mint_token = __esm({
   }
 });
 
+// src/signer/direct-signer.ts
+function assertDirectSignerBaseUrl(signerBaseUrl) {
+  let parsed;
+  try {
+    parsed = new URL(signerBaseUrl.trim());
+  } catch {
+    throw new PmtHouseError("signer URL must be an absolute http(s) URL", {
+      status: 400,
+      code: "invalid_signer_url"
+    });
+  }
+  const pathname = stripTrailingSlashes(parsed.pathname);
+  if (pathname === "/api/signer" || pathname.startsWith("/api/signer/")) {
+    throw new PmtHouseError(
+      "signer URL must be the remote signer DMZ base, not a dashboard /api/signer/* proxy path. Exchange at the platform facade, then call signer endpoints directly using signerUrl from the exchange response.",
+      { status: 400, code: "invalid_signer_url" }
+    );
+  }
+}
+var init_direct_signer = __esm({
+  "src/signer/direct-signer.ts"() {
+    init_string_utils();
+    init_errors();
+  }
+});
+
 // src/signer/device-exchange.ts
 function extractSignerAccessTokenFromExchangeBody(body) {
   const tokenObj = body.token;
@@ -568,6 +594,9 @@ async function exchangeApiKeyForSigner(options) {
   const accessToken = extractSignerAccessTokenFromExchangeBody(parsed);
   const signerUrlRaw = parsed.signerUrl ?? parsed.signer_url;
   const signerUrl = typeof signerUrlRaw === "string" && signerUrlRaw.trim() ? signerUrlRaw.trim() : void 0;
+  if (signerUrl) {
+    assertDirectSignerBaseUrl(signerUrl);
+  }
   return normalizeDeviceExchangeResponse(
     {
       access_token: accessToken,
@@ -630,6 +659,7 @@ var init_api_key_exchange = __esm({
     init_fetch_json();
     init_handler_errors();
     init_device_exchange();
+    init_direct_signer();
     EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
   }
 });
@@ -1338,8 +1368,14 @@ var PmtHouseClient = class {
     });
   }
   /**
-   * Exchange a dashboard API key for a signer session via a trusted facade (recommended)
-   * or directly when M2M credentials are available on this client.
+   * Exchange a dashboard API key for a short-lived signer JWT via a trusted facade.
+   *
+   * `facadeUrl` is used only for `POST {facadeUrl}/api/pymthouse/keys/exchange`.
+   * After exchange, call signer RPCs directly at `signerUrl` from the response
+   * (e.g. `{signerUrl}/sign-orchestrator-info`), not via dashboard `/api/signer/*`.
+   *
+   * When M2M credentials are available on this client, omit `facadeUrl` to exchange
+   * directly against the PymtHouse issuer.
    */
   async exchangeApiKeyForSignerSession(input) {
     if (input.facadeUrl?.trim()) {
@@ -1356,7 +1392,8 @@ var PmtHouseClient = class {
         token_type: exchanged.token_type,
         expires_in: exchanged.expires_in,
         scope: exchanged.scope,
-        issued_token_type: "urn:ietf:params:oauth:token-type:access_token"
+        issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
+        signerUrl: exchanged.signerUrl
       };
     }
     const userToken = await this.exchangeApiKeyForUserAccessToken({
@@ -1430,8 +1467,13 @@ var PmtHouseClient = class {
     params.set("subject_token", input.userJwt);
     params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
-    const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
-    params.set("resource", stripTrailingSlashes(resourceCandidate));
+    if (typeof input.scope === "string" && input.scope.trim() !== "") {
+      params.set("scope", input.scope.trim());
+    }
+    if (!input.omitResource) {
+      const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
+      params.set("resource", stripTrailingSlashes(resourceCandidate));
+    }
     try {
       const response = await genericTokenEndpointRequest(
         as,
@@ -1717,18 +1759,31 @@ var PmtHouseClient = class {
     };
   }
   /**
-   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   * Upsert an external user, mint a short-lived JWT, and exchange it for a
+   * long-lived opaque (`pmth_*`) signer session.
+   *
+   * Performs the *documented* remote-signer-session exchange (see
+   * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+   * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+   * which selects the PymtHouse gateway/opaque path. A prior implementation set
+   * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+   * that {@link parseSignerSessionExchange} then rejected as non-opaque.
    */
   async mintSignerSessionForExternalUser(input) {
+    const scope = input.scope ?? SIGN_JOB_SCOPE;
     await this.upsertAppUser({
       externalUserId: input.externalUserId,
       email: input.email,
       status: "active"
     });
-    const exchange = await this.mintUserSignerSessionToken({
+    const userToken = await this.mintUserAccessToken({
       externalUserId: input.externalUserId,
-      scope: input.scope ?? SIGN_JOB_SCOPE,
-      resource: this.issuerUrl
+      scope
+    });
+    const exchange = await this.exchangeForSignerSession({
+      userJwt: userToken.access_token,
+      omitResource: true,
+      scope
     });
     return parseSignerSessionExchange(exchange);
   }